
Security Plus Study guide

Date: 19 March 2023

This is by no means a comprehensive curriculum for the security+, just bits and pieces of notes for topics that I am not familiar with.


  1. Attacks, Threats, and Vulnerabilities - 24%
  2. Architecture and Design - 21%
  3. Implementation - 25%
  4. Operations and Incident Response - 16%
  5. Governance, Risk, and Compliance - 14%


Acronyms:

  • CA - Certificate Authority
  • DRP - Disaster Recovery Plan
  • BCP - Business Continuity Plan
  • IRP - Incident Response Plan

PII (Personally Identifiable Information) harvesting - the act of collecting personal information from individuals, typically without their knowledge or consent. This can be accomplished through various means such as phishing emails, social engineering, malware or even through legitimate-looking forms and websites.

IoC (Indicator of Compromise) - a piece of information, often technical in nature, used to detect malicious activities or security incidents. Examples of IoCs include known malicious IP addresses, file hashes of malware, or unusual outbound traffic patterns.

RFC (Request for Comments) - a type of publication that describes methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems. Can be produced by the IETF (Internet Engineering Task Force), as well as other standards organizations. RFCs provide a detailed, formalized way to introduce and discuss Internet standards and protocols like TCP/IP, SMTP, and HTTP.

CVE (Common Vulnerabilities and Exposures) - a standardized identifier for publicly known cybersecurity vulnerabilities. Managed by the MITRE Corporation, the CVE system provides a way for security researchers and practitioners to identify, discuss, and manage vulnerabilities in a consistent manner. Each CVE entry includes an identification number, a description, and at least one public reference. This makes it easier for people to share data across separate vulnerability management and security tools in a consistent way. CVEs can be imported into security information and event management (SIEM) systems, vulnerability scanners, and other security tools to help manage the vulnerability lifecycle.

NVD (National Vulnerability Database) - is a U.S. government repository of standards-based vulnerability management data. It is maintained by the National Institute of Standards and Technology (NIST) and provides a comprehensive and centralized source of information on cybersecurity vulnerabilities. The NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics, often supplementing CVE entries with additional data. The NVD often provides CVSS scores of vulnerabilities, and can be used as a data feed for SIEM systems, vulnerability management systems, and other security tools.

CVSS (Common Vulnerability Scoring System) - is an industry-standard metric used to measure the severity and impact of computer security vulnerabilities. CVSS provides a quantitative score reflecting the potential risk associated with a vulnerability, helping organizations prioritize remediation efforts based on the risks they are most exposed to. The CVSS score ranges from 0 to 10, with higher numbers indicating greater severity.

DBA (Database Administrator) - a role responsible for the installation, configuration, upgrading, administration, monitoring, maintenance, and security of databases in an organization. DBAs are responsible for defending against common database security threats like SQL injection.

DBaaS (Database as a Service) - a cloud service that provides users with some form of access to a database without the need for physical hardware and database administration. The cloud services provider takes care of setup, maintenance, backups, and scaling. This model allows organizations to focus more on the application logic rather than the underlying database management tasks.

AIS (Automated Indicator Sharing) - an initiative by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) aimed at enabling the real-time exchange of cyber threat indicators between the government and the private sector. AIS seeks to provide a platform for sharing actionable information to help participants defend against cyber threats more effectively.

OSINT (Open Source Intelligence) - refers to the process of collecting and analyzing publicly available information from various sources such as newspapers, government publications, social media platforms, websites, and more. OSINT is used by intelligence agencies, cybersecurity analysts, and even marketing teams to gather information that can inform strategic decisions, security postures, or market analysis.

STIX (Structured Threat Information eXpression) - a language for describing cyber threat information in a standardized and structured manner. STIX allows organizations to share threat intelligence in a way that can be easily understood and processed by humans and machines alike. It covers a wide array of threat information, including indicators, tactics, techniques, and procedures (TTPs), incidents and more.

TAXII (Trusted Automated eXchange of Indicator Information) - a protocol designed for the automated exchange of cyber threat information. TAXII defines a set of services and message exchanges that, when implemented, enable sharing of actionable threat information across organization and product/service boundaries. TAXII is often used in tandem with STIX to facilitate the sharing of structured threat information.

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of email. It allows you to secure email messages in a way that ensures the confidentiality, integrity, and authenticity of the email content. S/MIME is built upon the MIME standard and adds security features like encryption and digital signatures to email messages, making it more secure than plain text or MIME-only emails.

RFC (Request for Comments) - a publication from the technology community that describes various aspects, including protocols, procedures, methods, and systems, related to the Internet and networking.

RFQ (Request for Quotation) is a business document that organizations use to request vendors to provide a quote for the cost of goods or services.

RFI (Request for Information) is a business document used by organizations to collect information from potential suppliers or vendors.

RFP stands for “Request for Proposal,” and it is a formal document that organizations use to solicit bids from potential vendors for a specific project or solution.

TTP stands for “Tactics, Techniques, and Procedures.” It is a term commonly used in cybersecurity and military contexts to describe the specific methods employed by cyber adversaries.

IPS stands for Intrusion Prevention System. It is a critical component in network security designed to detect and prevent known and unknown threats.

MaaS stands for “Monitoring as a Service”.

SSH stands for Secure Shell. It is a cryptographic network protocol for secure data communication, remote command-line login, and remote command execution.

TLS stands for Transport Layer Security. It is a cryptographic protocol designed to provide secure communications over a computer network, such as the internet. TLS is the successor to SSL (Secure Sockets Layer) and is commonly used to secure web traffic, though it can secure other types of data transmissions as well.

SSL stands for Secure Sockets Layer, and it is a cryptographic protocol that secures communications over a network.

IPsec (Internet Protocol Security) is a suite of protocols that adds a layer of security to Internet Protocol (IP) communications. It works by encrypting and/or authenticating each IP packet in a data stream. IPsec can operate in two modes: Transport Mode, where only the payload of the IP packet is encrypted, and Tunnel Mode, where the entire IP packet is encrypted and then encapsulated in a new IP packet. IPsec is often used for Virtual Private Networks (VPNs) to secure the communication between sites over the internet.

PGP (Pretty Good Privacy) is a data encryption and decryption program that provides cryptographic privacy and authentication for data communication. PGP is often used for encrypting and decrypting texts, emails, files, directories, and disk partitions to increase the security of email communications. It uses a combination of symmetric-key cryptography and public-key cryptography.

FTP, HTTP, IMAP, POP, SMTP, and Telnet are all examples of cleartext (unencrypted) network protocols. Cleartext protocols transmit data in an unencrypted form, making it easier for attackers to eavesdrop on the data being transmitted over the network.

SIEM stands for Security Information and Event Management. It is a comprehensive solution that provides real-time analysis of security alerts generated by various hardware and software infrastructure in an organization.

SOAR stands for Security Orchestration, Automation, and Response.

A proxy server acts as an intermediary between a client and a server, forwarding requests and responses between the two. Proxy servers are used for various purposes, including security, load balancing, data caching, and anonymity.

Unified Communications (UC) server is a system that integrates various real-time communication services such as voice calling, video conferencing, instant messaging, and data sharing into a single platform. UC servers aim to enhance productivity and streamline communication by enabling users to use multiple forms of communication via a single interface.

An Industrial Control System (ICS) server is a specialized server designed to manage and control industrial operations. ICS servers are commonly used in critical infrastructure like power plants, water treatment facilities, manufacturing, and oil and gas refineries. These servers interact with field devices such as sensors, actuators, and PLCs (Programmable Logic Controllers) to monitor and control physical processes.

Simple Network Management Protocol (SNMP) is a protocol used for managing devices on IP networks. It’s commonly used for gathering information from and configuring network devices, such as servers, printers, switches, and routers. SNMP operates over UDP (User Datagram Protocol) and is part of the TCP/IP protocol suite.

PCAP (Packet CAPture) refers to the capturing of network packets in order to inspect them and diagnose network behaviors. The term is often used to refer to the data files where this packet data is stored. These files can be analyzed using tools like Wireshark or tcpdump. The .pcap file extension is standard for these types of files.

HIPS stands for Host-based Intrusion Prevention System. It is a security software or hardware application that runs on individual hosts or devices on a network. HIDS stands for Host-based Intrusion Detection System.

NIDS stands for Network-based Intrusion Detection System. Unlike HIDS (Host-based Intrusion Detection System), which operates on individual hosts, NIDS monitors the traffic across an entire network.

IMAP stands for Internet Message Access Protocol. It’s a standard email protocol that stores email messages on a mail server and allows the end user to view and manipulate the messages as though they were stored locally on their device.

MSSP stands for Managed Security Services Provider. An MSSP is a company that offers specialized outsourced services to manage various aspects of an organization’s information security program.

MSP stands for Managed Service Provider. An MSP is a company that remotely manages a customer’s IT infrastructure and/or end-user systems, typically on a proactive basis and under a subscription model.

The term “Fog computing” refers to a local network infrastructure between IoT devices and the cloud designed to speed up data transmission and processing.

In the client-server model, the term “Thin client” refers to a networked computer equipped with the minimum amount of hardware and software components. As opposed to a thick client, which runs applications locally from its own hard drive, a thin client relies on network resources provided by a remote server performing most of the data processing and storage functions.

Containerization is a lightweight form of virtualization that involves encapsulating an application and its dependencies into a “container.” This allows the application to be run consistently across various computing environments.

Microservices, or the microservices architecture, is an architectural style that structures an application as a collection of loosely coupled, independently deployable services. Each microservice typically focuses on a specific business functionality and can be developed, deployed, and scaled independently.

VPC (Virtual Private Cloud): A VPC is a virtual network in a public cloud environment that is logically isolated from other virtual networks. A VPC is the cloud equivalent of a traditional on-premises data center.

The term “VM sprawl” is used to describe a situation in which a large number of deployed virtual machines lack proper administrative controls.

The term “VM escape” refers to the process of breaking out of the boundaries of a guest operating system installation to access the primary hypervisor controlling all the virtual machines on the host machine.

Code obfuscation is a technique used to make the source code more difficult to read or understand. The logic of the code remains the same, but it becomes hard to reverse-engineer. Obfuscation might rename variables or functions with meaningless labels, rearrange the execution flow of the code, or use other techniques to complicate the code, but it doesn’t encrypt it.

TOTP stands for Time-Based One-Time Password. It is an algorithm that computes a one-time password from a shared secret key and the current time. TOTP is widely used for Two-Factor Authentication (2FA) and is an extension of the OTP (One-Time Password) mechanism.
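The computation described above, written out as an added example (not part of the original notes). It follows RFC 6238 with HMAC-SHA1 and a 30-second time step; the `window` drift allowance and the idea of returning the matched counter so the caller can reject a reused code are assumptions of this sketch.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OTP for one counter value: HMAC-SHA1, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """TOTP is the same OTP with the counter derived from the current time."""
    if now is None:
        now = time.time()
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret: bytes, candidate: str, now=None,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the time-step counter the code matched, or None.

    Codes from `window` steps either side are accepted to tolerate clock
    drift. Every comparison is constant-time, and the loop never exits
    early. A caller should store the returned counter and refuse any later
    code whose counter is not greater, so a captured code cannot be replayed.
    """
    if now is None:
        now = time.time()
    current = int(now) // step
    matched = None
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            matched = counter
    return matched


if __name__ == "__main__":
    # Constructed demo secret (the ASCII test key used in the RFC).
    demo_secret = b"12345678901234567890"
    print("current code:", totp(demo_secret))
```
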

An authenticator application is software that generates an additional authentication token (in the form of a random code) used in a multi-step verification process.

CRC (Cyclic Redundancy Check): This is a method used in computing to detect accidental changes to raw data.

FAR (False Acceptance Rate): This is the correct answer. The False Acceptance Rate is a measure of how often the biometric system incorrectly identifies an unauthorized user as a legitimate one.

FRR (False Rejection Rate): This is a measure of how often the biometric system incorrectly rejects an access attempt by an authorized user.

CER (Crossover Error Rate): This is a point where the False Acceptance Rate and False Rejection Rate are equal. It is often used as a summary measure of a system’s overall accuracy but is not specifically a measure of the likelihood of incorrect acceptance of unauthorized users.
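How FAR, FRR and CER relate when a matcher's decision threshold is swept, as an added example that is not part of the original notes. The match scores are constructed sample data, and "accept when score >= threshold" is an assumed decision rule.

```python
# Constructed similarity scores (0.0 to 1.0) from a hypothetical biometric matcher.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.85, 0.61, 0.93, 0.79, 0.97, 0.83]   # authorized users
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.66, 0.30, 0.58, 0.76, 0.18, 0.47]  # unauthorized users


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) for one threshold.

    FAR: fraction of impostor attempts that are accepted.
    FRR: fraction of genuine attempts that are rejected.
    """
    far = sum(score >= threshold for score in impostor) / len(impostor)
    frr = sum(score < threshold for score in genuine) / len(genuine)
    return far, frr


def crossover(genuine, impostor, thresholds):
    """Return (threshold, FAR, FRR) at the point where FAR and FRR are closest.

    With a finite sample the two rates may never be exactly equal, so the
    threshold with the smallest gap is reported as the crossover point.
    """
    best = None
    for threshold in thresholds:
        far, frr = far_frr(genuine, impostor, threshold)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, threshold, far, frr)
    return best[1:]


def sweep(genuine, impostor, thresholds):
    """One (threshold, FAR, FRR) row per threshold, for plotting or review."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


# Thresholds 0.00, 0.05, ..., 1.00 built from integers to avoid float drift.
THRESHOLDS = [i / 100 for i in range(0, 101, 5)]

if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR, THRESHOLDS):
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("crossover:", crossover(GENUINE, IMPOSTOR, THRESHOLDS))
```

Raising the threshold lowers FAR and raises FRR; a lower error rate at the crossover point indicates a more accurate system overall.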


Date: 1 September 2022


This is by no means an exhaustive study guide for the topics on the CCNA, but rather a review tool that briefly touches on each topic outlined in the CCNA 200-301 Exam description.

1.0 Network Fundamentals

A computer network is a digital telecommunications network which allows nodes to share resources. In computer networks, computing devices exchange data with each other using connections (data links) between nodes. These data links are established over cable media such as wires or optic cables, or wireless media such as Wi-Fi. Network speed is measured in bits per second (Kbps, Mbps, Gbps, etc.), not bytes per second.

  • 1 kilobit (Kb) = 1,000 bits
  • 1 megabit (Mb) = 1,000,000 bits
  • 1 gigabit (Gb) = 1,000,000,000 bits
  • 1 terabit (Tb) = 1,000,000,000,000 bits

OSI Model

  • “Open Systems Interconnection” model
  • A conceptual model that categorizes and standardizes the different functions in a network.
  • Created by the “International Organization for Standardization” (ISO)
  • Functions are divided into 7 “Layers”
  • These layers work together to make the network work.

Layer 7, Application Layer

  • This layer is closest to the end user.
  • Interacts with software applications, for example your web browser (Brave, Firefox, Chrome, etc)
  • HTTP and HTTPS are Layer 7 protocols
  • Functions of Layer 7 include:
    • Identifying communication partners
    • Synchronizing communication

Layer 6, Presentation Layer

  • Data in the application layer is in ‘application format’
  • It needs to be ‘translated’ to a different format to be sent over the network
  • The Presentation Layer’s job is to translate between application and network formats.
  • For example, encryption of data as it is sent, and decryption of data as it is received.
  • Also translates between different Application-Layer formats.

Layer 5, Session Layer

  • Controls dialogues (sessions) between communicating hosts.
  • Establishes, manages, and terminates connections between the local application (for example, your web browser) and the remote application (for example, YouTube)

OSI Model - The Upper Layers (Layer 7, 6, 5)

  • Network engineers don’t usually work with the top 3 layers.
  • Application developers work with the top layers of the OSI model to connect their applications over networks.

Layer 4, Transport Layer

  • Segments and reassembles data for communications between end hosts
  • Breaks large pieces of data into smaller segments which can be more easily sent over the network and are less likely to cause transmission problems if errors occur
  • Provides host-to-host communication
  • Uses Layer 4 header (data + L4 header = segment)

Layer 3, Network Layer

  • Provides connectivity between end hosts on different networks (ie. outside of the LAN)
  • Provides logical addressing (IP addresses)
  • Provides path selection between source and destination
  • Routers operate at Layer 3.
  • Uses Layer 3 header (data + L4 header + L3 header = packet)

Layer 2, Data Link Layer

  • Provides node-to-node connectivity and data transfer (for example, PC to switch, switch to router, router to router)
  • Defines how data is formatted for transmission over a physical medium (for example, copper UTP cables)
  • Detects and (possibly) corrects Physical Layer errors
  • Uses Layer 2 addressing, separate from Layer 3 addressing.
  • Switches operate at Layer 2.
  • Uses L2 trailer and header (L2 trailer + Data + L4 header + L3 header + L2 header = frame)

Layer 1, Physical Layer

  • Defines physical characteristics of the medium used to transfer data between devices.
  • For example, voltage levels, maximum transmission distances, physical connectors, cable specifications, etc.
  • Digital bits are converted into electrical (for wired connections) or radio (for wireless connections) signals.
  • All of the information regarding cables, pin layouts, etc. is related to the Physical Layer.

Encapsulation - data moving from Layer 7 to Layer 1, the process of adding additional information when data is traveling in OSI or TCP/IP model. The additional information is added on the sender’s side, starting from Application layer to Physical layer.

De-encapsulation - data moving from Layer 1 to 7, the process in which information added through the encapsulation process is removed. The additional information is removed (de-encapsulated) on the receiver’s side, starting from the Physical layer to the Application layer.
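Encapsulation and de-encapsulation as code, in an added example that is not part of the original notes. It assumes UDP at Layer 4, IPv4 at Layer 3 and Ethernet II at Layer 2; the addresses and ports are constructed, the UDP checksum is left at 0, and Ethernet minimum-size padding is skipped to keep the sketch short.

```python
import socket
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def l4_segment(data, sport, dport):
    """data + L4 header = segment (UDP: ports, length, checksum 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def ipv4_checksum(header):
    """Ones'-complement sum of the 16-bit words; a valid header gives 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def l3_packet(segment, src_ip, dst_ip):
    """segment + L3 header = packet (20-byte IPv4 header, TTL 64)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0,
                         64, PROTO_UDP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + segment


def l2_frame(packet, src_mac, dst_mac):
    """L2 header + packet + L2 trailer = frame (trailer is the CRC-32 FCS)."""
    body = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet
    return body + struct.pack("<I", zlib.crc32(body))


def encapsulate(data, sport, dport, src_ip, dst_ip, src_mac, dst_mac):
    """Sender side: wrap the data layer by layer, Layer 4 down to Layer 2."""
    segment = l4_segment(data, sport, dport)
    return l2_frame(l3_packet(segment, src_ip, dst_ip), src_mac, dst_mac)


def de_encapsulate(frame):
    """Receiver side: check and strip each layer, Layer 2 up to Layer 4."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("L2: frame check sequence mismatch")
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("L2: not an IPv4 frame")
    packet = body[14:]
    header_len = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:header_len]) != 0:
        raise ValueError("L3: header checksum mismatch")
    if packet[9] != PROTO_UDP:
        raise ValueError("L3: payload is not UDP")
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[header_len:total_len]
    sport, dport, length, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "src_ip": socket.inet_ntoa(packet[12:16]),
        "dst_ip": socket.inet_ntoa(packet[16:20]),
        "sport": sport,
        "dport": dport,
        "data": segment[8:length],
    }


if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges, locally administered MACs).
    frame = encapsulate(b"hello", 40000, 53, "192.0.2.10", "198.51.100.7",
                        bytes.fromhex("020000000001"), bytes.fromhex("020000000002"))
    print(len(frame), "bytes on the wire ->", de_encapsulate(frame))
```
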

TCP/IP Suite

  • Conceptual model and set of communications protocols used in the Internet and other networks
  • Known as TCP/IP because those are two of the foundational protocols in the suite.
  • Developed by the United States Department of Defense through DARPA (Defense Advanced Research Projects Agency)
  • Similar structure to the OSI Model, but with fewer layers.
  • This is the model actually in use in modern networks.
  • The OSI model still influences how network engineers think and talk about networks.

1.1 Explain the role and function of network components

1.1.a Routers

Routers provide connectivity between LANs (Local Area Networks), and are therefore used to send data over the Internet.

1.1.b Layer 2 and Layer 3 switches

Switches provide connectivity to hosts within the same LAN. Switches typically have many more network interfaces/ports for end hosts to connect to (usually 24+). Layer 3 switches, also known as Multilayer switches, are capable of both switching AND routing. Layer 3 switches can have IP addresses assigned to their interfaces, like a router.

You can also create virtual interfaces, or SVIs (switch virtual interfaces), for each VLAN, and assign IP addresses to those interfaces. These SVIs are used as the gateway address for each PC, instead of a router. To send traffic to different subnets/VLANs, the PCs will send traffic to the switch, and the switch will route the traffic. Routes can be configured on Layer 3 switches, and it can be used for inter-VLAN routing.

1.1.c Next-generation firewalls and IPS

Firewalls monitor and control network traffic based on configured rules. They are known as “Next-Generation Firewalls” when they include more modern and advanced filtering capabilities. Network firewalls are hardware devices that filter traffic between networks. Host-based firewalls are software applications that filter traffic entering and exiting a host machine, like a PC.

1.1.d Access points

An access point serves as the connection point between wireless and wired networks or as the center point of a stand-alone wireless network. In large installations, wireless users within the radio range of an access point can roam throughout a facility while maintaining seamless, uninterrupted access to the network.

1.1.e Controllers (Cisco DNA Center and WLC)

A network controller is a software that orchestrates network functions. It serves as an intermediary between the business and the network infrastructure. The organization enters their desired business objectives into the controller which in turn sets up the network to deliver on those objectives. Network controllers do their jobs by:

  • Maintaining an inventory of devices in the network and their status
  • Automating device operations such as configurations and image updates
  • Analyzing network operations, identifying potential issues, and suggesting remediations
  • Providing a platform for integration with other applications such as reporting systems

Cisco DNA Center is a central Management and Automation software, an application, that is used as a Controller for Cisco DNA. It is used as a management platform for both SD Access, Intent-Based Networks and existing traditional networks.

A wireless LAN controller (WLC) is a network component that manages wireless network access points and allows wireless devices to connect to the network.

1.1.f Endpoints/End hosts

An endpoint is a remote computing device that communicates back and forth with a network, examples include computers, laptops, mobile phones, tablets, and servers.

1.1.g Servers

A server is a device that provides functions or services for clients/endpoints on a network.

1.1.h PoE

PoE (Power over Ethernet) allows Power Sourcing Equipment (PSE) to provide power to Powered Devices (PD) over an Ethernet cable. Typically the PSE is a switch and the PDs are IP phones, IP cameras, wireless access points, etc. The PSE receives AC power from the outlet, converts it to DC power, and supplies that DC power to the PDs. PoE has a process to determine if a connected device needs power, and how much power it needs, as too much current can damage devices.

1.2 Describe characteristics of network topology architectures

1.2.a 2-tier

The two-tier LAN design consists of two hierarchical layers:

  • Access Layer
  • Distribution Layer

Also called a ‘Collapsed Core’ design because it omits a layer that is found in the 3-Tier design: the Core Layer. The core and distribution layers are combined together in a single layer. The collapsed core in a two-tier network design provides physical and logical paths as well as a Layer 2 aggregation and demarcation point. In addition, a collapsed core defines routing policies and network access policies and provides intelligent network services.

Access Layer:

  • the layer that end hosts connect to (PCs, printers, cameras, etc.)
  • typically Access Layer Switches have lots of ports for end hosts to connect to
  • QoS marking is typically done here
  • Security services like port security, DAI, etc. are typically performed here
  • switchports might be PoE-enabled for wireless APs, IP phones, etc.

Distribution Layer (sometimes called Aggregation Layer):

  • aggregates connections from the Access Layer Switches
  • typically is the border between Layer 2 and Layer 3
  • connects to services such as Internet, WAN, etc.

Two-tier Campus LAN Design:

1.2.b 3-tier

In large LAN networks with many Distribution Layer switches (for example in separate buildings), the number of connections required between Distribution Layer switches grows rapidly. To help scale large LAN networks, you can add a Core Layer. Cisco recommends adding a Core Layer if there are more than three Distribution Layers in a single location.

The three-tier LAN design consists of three hierarchical layers:

  • Access Layer
  • Distribution Layer
  • Core Layer

Core Layer:

  • Connects Distribution Layers together in large LAN networks
  • The focus is speed (‘fast transport’)
  • CPU-intensive operations such as security, QoS marking/classification, etc. should be avoided at this Layer
  • Connections are all Layer 3. No spanning-tree!
  • Should maintain connectivity throughout the LAN even if devices fail

The distribution layer provides route filtering and interVLAN routing. The distribution layer serves as an aggregation point for access layer network links. Because the distribution layer is the intermediary between the access layer and the core layer, the distribution layer is the ideal place to enforce security policies, to provide QoS, and to perform tasks that involve packet manipulation, such as routing. Summarization and next-hop redundancy are also performed in the distribution layer.

The access layer serves as a media termination point for endpoints such as servers and hosts. Because access layer devices provide access to the network, the access layer is the ideal place to perform user authentication.

Three-Tier Campus LAN Design:

1.2.c Spine-leaf

Data centers are dedicated spaces/buildings used to store computer systems such as servers and network devices.

Traditional data center designs used a three-tier architecture (Access-Distribution-Core) shown previously.

This worked well when most traffic in the data center was North-South.

With the prevalence of virtual servers, applications are often deployed in a distributed manner (across multiple physical servers), which increases the amount of East-West traffic in the data center.

The traditional three-tier architecture led to bottlenecks in bandwidth as well as variability in the server-to-server latency depending on the path the traffic takes.

To solve this, Spine-Leaf architecture (also called Clos architecture) has become prominent in data centers.

There are some rules about Spine-Leaf architecture:

  • Every Leaf switch is connected to every Spine switch
  • Every Spine switch is connected to every Leaf switch
  • Leaf switches do not connect to other Leaf switches
  • Spine switches do not connect to other Spine switches
  • End hosts (servers etc.) only connect to Leaf switches

The path taken by traffic is randomly chosen to balance the traffic load among the Spine switches

Each server is separated by the same number of ‘hops’ (except those connected to the same Leaf), providing consistent latency for East-West traffic.

1.2.d WAN

WAN (Wide Area Network) is a network that extends over a large geographic area. WANs are used to connect geographically separate LANs. Although the Internet itself can be considered a WAN, the term WAN is typically used to refer to an enterprise’s private connections that connect their offices, data centers, and other sites together. Over public/shared networks like the Internet, VPNs (Virtual Private Networks) can be used to create private WAN connections. There have been many different WAN technologies over the years. Depending on the location, some will be available and some will not be. Technologies which are considered ‘legacy’ (old) in one country might still be used in other countries.

Private WAN services such as leased lines and MPLS provide security because each customer’s traffic is separated by using dedicated physical connections (leased line) or by MPLS tags.

WAN Architectures:

To provide secure communications over the Internet, VPNs (Virtual Private Networks) are used.

1.2.e Small office/home office (SOHO)

SOHO (Small Office/Home Office) refers to the office of a small company, or a small home office with few devices.

  • Doesn’t have to be an actual home ‘office’, if your home has a network connected to the Internet it is considered a SOHO network.

SOHO devices don’t have complex needs, so all networking functions are typically provided by a single device, often called a ‘home router’ or ‘wireless router’

This one device can serve as a:

  • Router
  • Switch
  • Firewall
  • Wireless Access Point
  • Modem

1.2.f On-premise and cloud

Traditional IT infrastructure deployments were some combination of the following:


  • All servers, network devices, and other infrastructure are located on company property.
  • All equipment is purchased and owned by the company using it.
  • The company is responsible for the necessary space, power, and cooling.


  • Data centers that rent out space for customers to put their infrastructure (servers, network devices)
  • The data center provides the space, electricity, and cooling.
  • The servers, network devices, etc are still the responsibility of the end customer, although they are not located on the customer’s premises.

Cloud services provide an alternative that is hugely popular, and continuing to grow. Most people associate ‘cloud’ with public cloud providers such as AWS, Microsoft Azure, and GCP.

  • Although this is the most common use of cloud services, it’s not the only one.

Cloud computing is defined by the American NIST in SP 800-145 as follows. The five essential characteristics of cloud computing are:

  • On-demand self-service
    • A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
    • The customer is able to use the service (or stop using the service) freely (via a web portal) without direct communication to the service provider.
  • Broad network access
    • Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
    • The service is available through standard network connections (ie, the Internet or private WAN connections), and can be accessed through many kinds of devices.
  • Resource pooling
    • A pool of resources is provided by the service provider, and when a customer requests a service (for example creates a new VM), the resources to fulfill that request are allocated from the shared pool.
  • Rapid elasticity
    • Customers can quickly expand the services they use in the cloud (for example, add new VMs, expand storage, etc) from a pool of resources that appears to be infinite. Likewise, they can quickly reduce their services when not needed.
  • Measured service
    • The cloud service provider measures the customer’s usage of cloud resources, and the customer can measure their own use as well. Customers are charged based on usage (for example, X dollars per gigabyte of storage per day).

The three service models of cloud:

  • Software as a Service (SaaS)
    • The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g. web-based email), or a program interface.
    • The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. ex. Microsoft Office 365
  • Platform as a Service (PaaS)
    • The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
    • The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. ex. AWS Lambda and Google App Engine.
  • Infrastructure as a Service (IaaS)
    • The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
    • The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g. host firewalls).
    • Examples include Amazon EC2 and Google Compute Engine.

The four deployment models of cloud:

  • Most people assume that ‘cloud’ means public cloud providers such as AWS, Azure, and GCP.
  • Although ‘Public cloud’ is the most common deployment model, it’s not the only one.

The four deployment models of cloud computing are:

  • Private cloud
    • The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g. business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
    • Private clouds are generally only used by large enterprises.
    • Although the cloud is private, it may be owned by a third party.
      • For example, AWS provides private cloud services for the American DoD.
    • Private clouds may be on or off premises.
      • Many people assume that ‘cloud’ and ‘on-prem’ are two different things, but that is not always the case.
    • The kinds of services offered are the same as in public clouds (SaaS, PaaS, IaaS), but the infrastructure is reserved for a single organization.
  • Community cloud
    • The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g. mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
    • This is the least common cloud deployment.
    • Similar to private cloud, but the infrastructure is reserved for use by only a specific group of organizations.
  • Public cloud
    • The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
    • This is the most common cloud deployment.
    • Popular public cloud service providers include:
      • AWS (Amazon Web Services)
      • Microsoft Azure
      • GCP (Google Cloud Platform)
      • OCI (Oracle Cloud Infrastructure)
      • IBM Cloud
      • Alibaba Cloud
  • Hybrid cloud
    • The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds).
    • This is basically any combination of the previous three deployment types.
    • For example, a private cloud which can offload to a public cloud when necessary.

Benefits of Cloud Computing

  • Cost
    • CapEx (Capital Expenses) of buying hardware and software, setting up data centers etc. are reduced or eliminated.
  • Global Scale
    • Cloud services can scale globally at a rapid pace. Services can be set up and offered to customers from a geographic location close to them.
  • Speed/Agility
    • Services are provided on demand, and vast amounts of resources can be provisioned within minutes.
  • Productivity
    • Cloud services remove the need for many time-consuming tasks such as procuring physical servers, racking them, cabling, installing and updating operating systems, etc.
  • Reliability
    • Backups in the cloud are very easy to perform. Data can be mirrored at multiple sites in different geographic locations to support disaster recovery.

1.3 Compare physical interface and cabling types

RJ-45 (RJ = Registered Jack) - Standard connector for copper UTP cables that has 8 pin connections.

UTP cables - Unshielded twisted pair copper wire, contains 4 pairs of wires twisted together, with 8 wires in total.

Straight-through cable - Crossover cable - 1000BASE-T, 10GBASE-T cabling -

Using Auto MDI-X, devices are able to automatically detect which pins their neighbor is using to transmit data and automatically adjust their pins to receive and transmit on the correct pins.


T1 connections use the copper wire infrastructure of the public switched telephone network (PSTN) to provide a maximum throughput of 1.544 Mbps.

To achieve the 1.544-Mbps rate, T1 connections encapsulate data in DS1 signaling frames. DS1 signaling frames use 24 DS0 channels and one framing bit. Each of the 24 DS0 channels transfers eight bits of data at a time. The inclusion of the framing bit raises the total amount of data in a single DS1 frame to 193 bits. T1 connections transmit 8000 DS1 frames per second, which brings the total throughput to 1.544 Mbps.

T1 connections typically transfer data across two pairs of shielded copper wires, which extend from the service provider to the customer. One pair of wires within the T1 line is used to send data, and the other pair is used to receive data.

Cable connections use a coaxial line from the service provider to the customer to provide Internet access. Originally, cable providers offered only television service. Providers realized that coaxial lines offered enough bandwidth to support simultaneous television and Internet service.

However, before cable providers could start offering Internet service, they had to redesign their infrastructure to allow for two-way communications. One of the infrastructure changes was the introduction of the cable modem.

Cable modems are used to convert an analog signal from the provider into a digital signal that can be used by a computer and vice versa. Cable modems provide speeds of up to 27 Mbps, making cable one of the fastest options for home Internet service.

Digital Subscriber Line (DSL) uses the copper wire infrastructure of the PSTN (Public Switched Telephone Network). However, DSL solutions can provide a maximum throughput that is higher than 1.544 Mbps. Filters must be installed on each telephone outlet in order to segregate a DSL Internet signal and a telephone voice signal.

In order to receive DSL service, the subscribers must have a DSL modem installed at their home or office. The DSL modem is used to convert signals originating from a computer into a frequency that can be transmitted over the DSL line without interfering with other types of transmissions.

DSL upload speeds are typically slower than DSL download speeds. DSL service is available in a variety of forms including Asynchronous DSL (ADSL), Synchronous DSL (SDSL), and Very-high-data-rate DSL (VDSL).

Satellite-based Internet service downloads are received wirelessly through the use of a dish antenna. Satellite Internet service is typically slower than cable, DSL, or T1 connections. In addition, because satellite transmissions do not transmit over a physical medium, they are highly susceptible to latency and interference. However, satellite is a long-distance option for areas where the necessary infrastructure for other types of Internet service is absent, such as rural areas.

Cellular Internet service has become a less expensive alternative for some in rural areas who are capable of receiving 3G, 4G, or 4G LTE signals. In addition, cellular Internet is a common means of Internet access for people who travel frequently.

1.3.a Single-mode fiber, multimode fiber, copper

SFP Transceiver (SFP = Small Form-Factor Pluggable) - connector used for fiber-optic ports on a switch, connects to Fiber-Optic cabling.

Single-mode fiber is narrower than multimode fiber; light enters at a single angle (mode) from a laser-based transmitter. It allows longer cables than both UTP and multimode fiber, but is also more expensive.

Multimode fiber is wider than single-mode fiber and allows multiple angles (modes) of light waves to enter the fiberglass core. It allows longer cables than UTP, but shorter than single-mode fiber.

1.3.b Connections (Ethernet shared media and point-to-point)

Shared or broadcast Channel:

  • All computers are connected to a shared broadcast-based communication channel and share the channel bandwidth.
  • Security issues as a result of broadcasting to all computers.
  • Cost effective due to reduced number of channels and interface hardware components.


  • Computers connected by communication channels that each connect exactly two computers with access to full channel bandwidth.
  • Forms a mesh or point-to-point network
  • Allows flexibility in communication hardware, packet formats, etc.
  • Provides security and privacy because communication channel is not shared.
  • Number of channels grows as square of number of computers

1.4 Identify interface and cable issues (collisions, errors, mismatch duplex, and/or speed)

show ip interface brief

show interfaces status

Configuring interfaces speed/duplex:

CSMA/CD (Carrier Sense Multiple Access with Collision Detection)

  • Before sending frames, devices ‘listen’ to the collision domain until they detect that other devices are not sending.
  • If a collision does occur, the device sends a jamming signal to inform the other devices that a collision happened.
  • Each device will wait a random period of time before sending frames again.
  • The process then repeats.
  • Typically only an issue in networks that use hubs (which are mostly obsolete today)
  • Switches operate in full duplex, rather than half duplex like hubs.

Speed/Duplex Autonegotiation

  • Interfaces that can run at different speeds (10/100 or 10/100/1000) have default settings of speed auto and duplex auto.
  • Interfaces ‘advertise’ their capabilities to the neighboring device, and they negotiate the best speed and duplex settings they are both capable of.

Ethernet - 10 Mbps

FastEthernet - 10/100 Mbps

GigabitEthernet - 10/100/1000 Mbps

What if autonegotiation is disabled on the device connected to the switch?

  • Speed: The switch will try to sense the speed that the other device is operating at.
    • If it fails to sense the speed, it will use the slowest supported speed (ie. 10 Mbps on a 10/100/1000 interface)
  • Duplex: If the speed is 10 or 100 Mbps, the switch will use HALF duplex (BAD, will lead to misconfigurations). If the speed is 1000 Mbps or greater, use full duplex.
  • To avoid misconfigurations, use autonegotiation on ALL devices in the network.

Interface errors can be viewed by using #show interfaces f0/#

When using an SFP transceiver and receiving a SYS-TRANSCEIVER_NOTAPPROVED error when booting a switch, it is likely that you have used a third-party SFP module that is not supported.

If you connected a cable to the wrong SFP module port, you would most likely notice that the ports on the switches are up, but the line protocol is down.

If the fiber cables are broken, you would notice that the port status LEDs on the SFP module are not lit.

If the SFP module is installed upside down, the switch would not recognize the SFP module, and the output from the show commands would contain no information about the module.

1.5 Compare TCP to UDP

TCP (Transmission Control Protocol)

  • TCP is connection-oriented - Before actually sending data to the destination host, the two hosts communicate to establish a connection.
  • TCP provides reliable communication.
    • The destination host must acknowledge that it received each TCP segment.
    • If a segment isn’t acknowledged, it is sent again.
  • TCP provides sequencing
    • Sequence numbers in the TCP header allow destination hosts to put segments in the correct order even if they arrive out of order.
  • TCP provides flow control
    • The destination host can tell the source host to increase/decrease the rate that data is sent.

UDP (User Datagram Protocol)

  • UDP is not connection-oriented
    • The sending host does not establish a connection with the destination host before sending data. The data is simply sent.
  • UDP does not provide reliable communication
    • When UDP is used, acknowledgments are not sent for received segments. If a segment is lost, UDP has no mechanism to re-transmit it. Segments are sent “best-effort”.
  • UDP does not provide sequencing.
    • There is no sequence number field in the UDP header. If segments arrive out of order, UDP has no mechanism to put them back in order.
  • UDP does not provide flow control
    • UDP has no mechanism like TCP’s window size to control the flow of data.

Comparing TCP & UDP

  • TCP provides more features than UDP, but at the cost of additional overhead.
  • For applications that require reliable communications (for example downloading a file), TCP is preferred.
  • For applications like real-time voice and video, UDP is preferred.
  • There are some applications that use UDP, but provide reliability etc within the application itself.
  • Some applications use both TCP & UDP, depending on the situation.

1.6 Configure and verify IPv4 addressing and subnetting

Maximum number of hosts per network: First/Last Usable Address:

CIDR (Classless Inter-Domain Routing) removed the previous requirements of:

Class A = /8

Class B = /16

Class C = /24

This allows larger networks to be split into smaller networks, allowing greater efficiency. These smaller networks are called "subnetworks" or "subnets".

![](/images/CIDR%20notation.png)

Using VLSM (Variable-Length Subnet Masks) will allow the creation of subnets of different sizes, to make use of network addresses even more efficient.

1.7 Describe the need for private IPv4 addressing

IPv4 doesn’t provide enough addresses for all devices that need an IP address in the modern world. The long term solution is to switch to IPv6. There are three main short-term solutions:

  1. CIDR
  2. Private IPv4 addresses
  3. NAT

Private IPv4 address ranges as defined in RFC 1918:
    • ( to (Class A)
    • ( to (Class B)
    • ( to (Class C)

These addresses are free to be used in networks. They don’t have to be globally unique. Because private IPv4 addresses can’t be used over the Internet, PCs that use them can’t access the Internet without NAT.

1.8 Configure and verify IPv6 addressing and prefix

Configuring IPv6: Verify IPv6:

1.9 Describe IPv6 address types

An IPv6 address is 128 bits written in hexadecimal.

Global unicast IPv6 addresses are public addresses which can be used over the Internet.

  • Must register to be used. Because they are public addresses, it is expected that they are globally unique.
  • Originally defined as 2000::/3 block, always beginning with 2 or 3 because the first 3 bits are always 001, now defined as all addresses which aren’t reserved for other purposes.

Unique local IPv6 addresses are private addresses which cannot be used over the Internet.

  • Does not need to be registered. They can be used freely within internal networks and don’t need to be globally unique. Can’t be routed over the Internet.
  • Uses address block FC00::/8 and FD00::/8

Link-local IPv6 addresses are automatically generated on IPv6-enabled interfaces. Use command R1(config-if)#ipv6 enable on an interface to enable IPv6 on that interface

  • Uses address block FE80::/10, specified in RFC 4291
  • The interface ID is generated using EUI-64 rules.
  • Link-local means that these addresses are used for communication within a single link (subnet). Routers will not route packets with a link-local destination IPv6 address.
  • Common uses of link-local addresses:
    • routing protocol peerings (OSPFv3 uses link-local addresses for neighbor adjacencies)
    • next-hop addresses for static routes
    • Neighbor Discovery Protocol (NDP, IPv6’s replacement for ARP) uses link-local addresses to function

1.9.b Anycast

Anycast is a new feature of IPv6. Anycast is “one-to-one-of-many”. Multiple routers are configured with the same IPv6 address.

  • They use a routing protocol to advertise the address.
  • When hosts send packets to that destination address, routers will forward them to the nearest router configured with that IP address (based on routing metric).
  • There is no specific address range for anycast addresses. Use a regular unicast address (global unicast, unique local) and specify it as an anycast address:
    • R1(config-if)# ipv6 address (ipv6 address)/128 anycast

1.9.c Multicast

Unicast addresses are one-to-one

  • one source to one destination

Broadcast addresses are one-to-all

  • one source to all destinations (within the subnet).

Multicast addresses are one-to-many.

  • one source to multiple destinations (that have joined the specific multicast group).

IPv6 uses range FF00::/8 for multicast. IPv6 doesn’t use broadcast (there is no “broadcast address” in IPv6).

Verify multicast addresses:

IPv6 defines multiple multicast “scopes” which indicate how far the packet should be forwarded. The addresses in the previous slide all use the “link-local” scope (FF02), which stays in the local subnet.

IPv6 multicast scopes:

  • Interface-local (FF01): The packet doesn’t leave the local device. Can be used to send traffic to a service within the local device.
  • Link-local (FF02): The packet remains in the local subnet. Routers will not route the packet between subnets.
  • Site-local (FF05): The packet can be forwarded by routers. Should be limited to a single physical location (not forwarded over a WAN)
  • Organization-local (FF08): Wider in scope than site-local (an entire company/organization).
  • Global (FF0E): No boundaries. Possible to be routed over the Internet.
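The address blocks from 1.9 and the multicast scopes above can be applied to traffic seen on an Internet-facing interface to spot addresses that should have stayed internal. This is an added example, not part of the original notes; the function names, the "reach" labels and the sample flows are assumptions made for illustration, and FC00::/8 plus FD00::/8 are written as the single covering prefix FC00::/7.

```python
import ipaddress

# (name, block, reach) for the unicast blocks in the notes. FC00::/8 and
# FD00::/8 are written as the single covering prefix FC00::/7.
UNICAST_BLOCKS = [
    ("link-local unicast", ipaddress.IPv6Network("fe80::/10"), "link"),
    ("unique local unicast", ipaddress.IPv6Network("fc00::/7"), "internal"),
    ("global unicast", ipaddress.IPv6Network("2000::/3"), "internet"),
]

# Multicast scope nibble (the 4th hex digit, as in FF02) -> (name, reach)
MULTICAST_SCOPES = {
    0x1: ("interface-local multicast", "node"),
    0x2: ("link-local multicast", "link"),
    0x5: ("site-local multicast", "site"),
    0x8: ("organization-local multicast", "organization"),
    0xE: ("global multicast", "internet"),
}

# Reaches that are routable, but only inside one site or organization.
INTERNAL_ONLY = {"internal", "site", "organization"}


def classify(text):
    """Return (type_name, reach) for one IPv6 address string."""
    addr = ipaddress.IPv6Address(text)
    if addr.packed[0] == 0xFF:              # FF00::/8 is multicast
        scope = addr.packed[1] & 0x0F       # low nibble of the second byte
        return MULTICAST_SCOPES.get(
            scope, ("multicast, scope 0x%X" % scope, "unknown"))
    for name, block, reach in UNICAST_BLOCKS:
        if addr in block:
            return (name, reach)
    return ("other", "unknown")


def internet_edge_findings(flows):
    """flows: (src, dst) pairs observed on an Internet-facing interface.

    Returns (address, type_name) for every endpoint whose reach is
    internal-only. Link-local and interface-local traffic is ignored
    because it never leaves the edge link itself.
    """
    findings = []
    for src, dst in flows:
        for text in (src, dst):
            name, reach = classify(text)
            if reach in INTERNAL_ONLY:
                findings.append((text, name))
    return findings


# Constructed sample flows (documentation prefix 2001:db8::/32, made-up ULA).
SAMPLE_FLOWS = [
    ("2001:db8:1::10", "2001:db8:2::20"),     # global to global: expected
    ("fd12:3456:789a::5", "2001:db8:2::20"),  # unique local source leaking out
    ("2001:db8:1::10", "ff05::1:3"),          # site-local multicast at the edge
    ("fe80::1", "ff02::1"),                   # link-local chatter on the edge link
]

if __name__ == "__main__":
    for address, type_name in internet_edge_findings(SAMPLE_FLOWS):
        print("should not appear at the Internet edge:", address, "-", type_name)
```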

IPv6 hosts use the multicasting capabilities of the ND (Neighbor Discovery) protocol to discover the link layer addresses of neighbor hosts. The Hop Limit field is typically set to 255 in ND packets that are sent to neighbors. Routers decrement the Hop Limit value as a packet is forwarded from hop to hop.

Therefore, a router that receives an ND packet with a Hop Limit value of 255 considers the source of the ND packet to be a neighbor. If a router receives an ND packet with a Hop Limit value that is less than 255, the packet is ignored, thereby protecting the router from threats that could result from the ND protocol’s lack of neighbor authentication.
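The Hop Limit check described above, written as a receive-side filter over raw IPv6 packets. This is an added example, not part of the original notes; the function names and the sample packets are constructed for illustration, extension headers are not walked, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

ICMPV6 = 58  # IPv6 Next Header value for ICMPv6

# ICMPv6 message types that belong to Neighbor Discovery.
ND_TYPES = {
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
    137: "Redirect",
}


def build_packet(src, dst, hop_limit, icmp_type):
    """Build a constructed test packet: 40-byte IPv6 header + 8-byte ICMPv6 stub.

    The ICMPv6 checksum is left at zero because this example does not verify it.
    """
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0)
    # version (6) in the top 4 bits, payload length, next header, hop limit
    header = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    return (header
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed
            + icmp)


def check_nd(packet):
    """Return (verdict, reason); verdict is 'accept', 'drop' or 'not-nd'."""
    if len(packet) < 41:  # fixed header plus at least the ICMPv6 type byte
        return ("drop", "truncated packet")
    first_word, _length, next_header, hop_limit = struct.unpack(
        "!IHBB", packet[:8])
    if first_word >> 28 != 6:
        return ("drop", "not an IPv6 packet")
    # Simplification: extension headers between IPv6 and ICMPv6 are not walked.
    if next_header != ICMPV6 or packet[40] not in ND_TYPES:
        return ("not-nd", "handled by other rules")
    name = ND_TYPES[packet[40]]
    if hop_limit != 255:
        # A forwarded packet has had its Hop Limit decremented, so anything
        # below 255 cannot be trusted to come from an on-link neighbor.
        return ("drop", "%s with Hop Limit %d, expected 255" % (name, hop_limit))
    return ("accept", "%s from an on-link neighbor" % name)


if __name__ == "__main__":
    samples = [
        build_packet("fe80::1", "ff02::1", 255, 134),      # on-link RA
        build_packet("2001:db8::99", "fe80::2", 254, 134),  # RA that was forwarded
        build_packet("2001:db8::99", "2001:db8::1", 64, 128),  # echo request
    ]
    for pkt in samples:
        print(check_nd(pkt))
```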

Routing schemes:

1.9.d Modified EUI 64

EUI stands for Extended Unique Identifier. Modified EUI-64 is a method of converting a MAC address (48 bits) into a 64-bit interface identifier. This interface identifier can then become the “host portion” of a /64 IPv6 address. To convert the MAC address:

  1. Split the MAC address into two halves
  2. Insert FFFE in the middle
  3. Invert the 7th bit
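The three steps above in code, together with the reverse direction: because the conversion is reversible, the MAC address of a host can be read back out of any modified EUI-64 address that turns up in a log. This is an added example, not part of the original notes; the function names, the sample MAC address and the documentation prefix are assumptions.

```python
import ipaddress


def mac_to_interface_id(mac):
    """Convert a 48-bit MAC address to a 64-bit modified EUI-64 interface ID."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 6 bytes, got %d" % len(raw))
    # Steps 1 and 2: split into two 3-byte halves and insert FFFE between them.
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    # Step 3: invert the 7th bit (counted from the left) of the first byte.
    eui[0] ^= 0x02
    return bytes(eui)


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the interface ID derived from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("modified EUI-64 needs a /64 prefix")
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def recover_mac(address):
    """Return the MAC embedded in a modified EUI-64 address, or None.

    An interface ID without FFFE in the middle was not built this way
    (manually assigned or randomly generated), so nothing is recovered.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02  # undo the bit inversion
    return ":".join("%02x" % b for b in raw)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed sample MAC
    print(mac_to_interface_id(mac).hex())            # 021a2bfffe3c4d5e
    print(eui64_address("fe80::/64", mac))           # link-local address
    print(eui64_address("2001:db8:aa:bb::/64", mac)) # global unicast address
    print(recover_mac("fe80::21a:2bff:fe3c:4d5e"))   # back to the MAC
```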

1.10 Verify IP parameters for Client OS (Windows, Mac OS, Linux)

ipconfig /all

1.11 Describe wireless principles

Wireless networks have some issues that need to be dealt with.

  1. All devices within range receive all frames, like devices connected to an Ethernet hub.
    • Privacy of data within the LAN is a greater concern.
    • CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) is used to facilitate half-duplex communications.
  2. Wireless communications are regulated by various international and national bodies.
  3. Wireless signal coverage area must be considered.
    • Signal range, absorption, reflection, refraction, diffraction, and scattering.
  4. Other devices using the same channels can cause interference.
    • For example, a wireless LAN in your neighbor’s house/apartment.

1.11.a Nonoverlapping Wi-Fi channels

In a small wireless LAN with only a single AP (Access Point), you can use any channel.

However, in larger WLANs with multiple APs, it’s important that adjacent APs don’t use overlapping channels. This helps avoid interference.

In the 2.4 GHz band, it is recommended to use channels 1, 6, and 11. Using channels 1, 6, and 11, you can place APs in a ‘honeycomb’ pattern to provide complete coverage of an area without interference between channels.

1.11.b SSID

802.11 defines different kinds of service sets which are groups of wireless network devices.

There are three main types:

  • Independent
    • An IBSS (Independent Basic Service Set) is a wireless network in which two or more wireless devices connect directly without using an AP (Access Point)
    • Also called an ad hoc network
    • Can be used for file transfer (ie. Airdrop)
    • Not scalable beyond a few devices
  • Infrastructure
    • A BSS (Basic Service Set) is a kind of Infrastructure Service Set in which clients connect to each other via an AP (Access Point), but not directly to each other.
    • A BSSID (Basic Service Set ID) is used to uniquely identify the AP.
      • Other APs can use the same SSID, but not the same BSSID
      • The BSSID is the MAC address of the AP’s radio
    • Wireless devices request to associate with the BSS.
    • Wireless devices that have associated with the BSS are called ‘clients’ or ‘stations’.
    • The area around an AP where its signal is usable is called a BSA (Basic Service Area)
    • Clients must communicate via the AP, not directly with each other.

  • To create large wireless LANs beyond the range of a single AP, we use an ESS (Extended Service Set).
  • APs with their own BSSs are connected by a wired network.
    • Each BSS uses the same SSID.
    • Each BSS has a unique BSSID.
    • Each BSS uses a different channel to avoid interference.
  • Clients can pass between APs without having to reconnect, providing a seamless Wi-Fi experience when moving between APs.
    • This is called roaming.
  • The BSAs should overlap about 10-15%.

  • Mesh
    • An MBSS (Mesh Basic Service Set) can be used in situations where it’s difficult to run an Ethernet connection to every AP.
    • Mesh APs use two radios: one to provide a BSS to wireless clients, and one to form a ‘backhaul network’ which is used to bridge traffic from AP to AP.
    • At least one AP is connected to the wired network, and it is called the RAP (Root Access Point)
    • The other APs are called MAPs (Mesh Access Points)
    • A protocol is used to determine the best path through the mesh (similar to how dynamic routing protocols are used to determine the best path to a destination).

All devices in a service set share the same SSID (service set identifier). The SSID is a human-readable name which identifies the service set. (spaghetti and meatballs) The SSID does NOT have to be unique.

Most wireless networks aren’t standalone networks.

  • Rather, they are a way for wireless clients to connect to the wired network infrastructure.
  • In 802.11, the upstream wired network is called the DS (Distribution System)
  • Each wireless BSS or ESS is mapped to a VLAN in the wired network.
  • It’s possible for an AP to provide multiple wireless LANs, each with a unique SSID.
  • Each WLAN is mapped to a separate VLAN and connected to the wired network via a trunk.
  • Each WLAN uses a unique BSSID, usually by incrementing the last digit of the BSSID by one.

1.11.c RF

Wi-Fi uses two main bands (frequency ranges).

  • 2.4 GHz band
    • The actual range is 2.400 GHz to 2.4835 GHz
  • 5 GHz band
    • The actual range is from 5.150 GHz to 5.825 GHz
    • Divided into four smaller bands:
      • 5.150 GHz to 5.250 GHz
      • 5.250 GHz to 5.350 GHz
      • 5.470 GHz to 5.725 GHz
      • 5.725 GHz to 5.825 GHz

The 2.4 GHz band typically provides further reach in open space and better penetration of obstacles such as walls.

  • However, more devices tend to use the 2.4 GHz band so interference can be a bigger problem compared to the 5 GHz band.

Each band is divided up into multiple ‘channels’.

  • Devices are configured to transmit and receive traffic on one (or more) of these channels. The 2.4 GHz band is divided into several channels, each with a 22 MHz range.
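Why channels 1, 6, and 11 are the recommended set in 1.11.a follows from the 22 MHz channel width given here. This is an added example, not part of the original notes; the center frequencies (2412 MHz for channel 1, 5 MHz apart) are standard 802.11 values that the notes do not state, and the function names and the sample AP plan are assumptions.

```python
CHANNEL_WIDTH_MHZ = 22  # per-channel range given in the notes


def center_mhz(channel):
    """Center frequency of 2.4 GHz channel 1-13: 2412 MHz for channel 1, 5 MHz steps."""
    if not 1 <= channel <= 13:
        raise ValueError("channel outside 1-13")
    return 2407 + 5 * channel


def channels_overlap(a, b):
    """Two 22 MHz-wide channels overlap when their centers are under 22 MHz apart."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(first=1, last=11):
    """Greedily pick the lowest channels that do not overlap each other."""
    chosen = []
    for channel in range(first, last + 1):
        if all(not channels_overlap(channel, c) for c in chosen):
            chosen.append(channel)
    return chosen


def plan_conflicts(ap_channels, neighbors):
    """Return the neighbor pairs whose channels overlap.

    ap_channels: {ap_name: channel}
    neighbors:   pairs of AP names whose coverage areas touch
    """
    return [(a, b) for a, b in neighbors
            if channels_overlap(ap_channels[a], ap_channels[b])]


# Constructed sample plan: AP4 was put on channel 3 by mistake.
SAMPLE_CHANNELS = {"AP1": 1, "AP2": 6, "AP3": 11, "AP4": 3}
SAMPLE_NEIGHBORS = [("AP1", "AP2"), ("AP2", "AP3"), ("AP1", "AP4"), ("AP4", "AP2")]

if __name__ == "__main__":
    print(non_overlapping_set())                              # [1, 6, 11]
    print(plan_conflicts(SAMPLE_CHANNELS, SAMPLE_NEIGHBORS))  # pairs involving AP4
```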

1.11.d Encryption

Although security is important in all networks, it is even more essential in wireless networks.

Because wireless signals are not contained within a wire, any device within range of the signal can receive the traffic.

In wired networks, traffic is often only encrypted when sent over an untrusted network such as the Internet.

In wireless networks, it is very important to encrypt traffic sent between the wireless clients and the AP.

There are many possible protocols that can be used to encrypt traffic.

All devices on the WLAN will use the same protocol; however, each client will use a unique encryption/decryption key so that other devices can’t read its traffic.

A ‘group key’ is used by the AP to encrypt traffic that it wants to send to all of its clients.

  • All of the clients associated with the AP keep that key so they can decrypt the traffic.

A MIC (Message Integrity Check) is added to messages to help protect their integrity.

Authentication methods:

  • Open Authentication
    • The client sends an authentication request, and the AP accepts it. No questions asked.
    • This is clearly not a secure authentication method
    • After the client is authenticated and associated with the AP, it’s possible to require the user to authenticate via other methods before access to the network is granted (ie. Starbucks Wifi)
  • WEP (Wired Equivalent Privacy)
    • WEP is used to provide both authentication and encryption of wireless traffic.
    • For encryption, WEP uses the RC4 algorithm.
    • WEP keys can be 40 bits or 104 bits in length
    • The above keys are combined with a 24-bit ‘IV’ (Initialization Vector) to bring the total length to 64 bits or 128 bits.
    • WEP encryption is not secure and can easily be cracked.
    • WEP can be used for authentication like this:

  • EAP (Extensible Authentication Protocol)
    • EAP is an authentication framework.
    • It defines a standard set of authentication functions that are used by various EAP Methods.
    • We will look at four EAP methods: LEAP, EAP-FAST, PEAP, and EAP-TLS.
    • EAP is integrated with 802.1X, which provides port-based network access control.

  • LEAP (Lightweight EAP)
    • LEAP was developed by Cisco as an improvement over WEP.
    • Clients must provide a username and password to authenticate.
    • In addition, mutual authentication is provided by both the client and server sending a challenge phrase to each other.
    • Dynamic WEP keys are used, meaning that the WEP keys are changed frequently.
    • Like WEP, LEAP is considered vulnerable and should not be used anymore.

  • EAP-FAST (EAP Flexible Authentication via Secure Tunneling)
    • EAP-FAST was also developed by Cisco.
    • Consists of three phases
      • A PAC (Protected Access Credential) is generated and passed from the server to the client.
      • A secure TLS tunnel is established between the client and authentication server.
      • Inside of the secure (encrypted) TLS tunnel, the client and server communicate further to authenticate/authorize the client.

  • PEAP (Protected EAP)
    • Like EAP-FAST, PEAP involves establishing a secure TLS tunnel between the client and server.
    • Instead of a PAC, the server has a digital certificate.
    • The client uses this digital certificate to authenticate the server
    • The certificate is also used to establish a TLS tunnel
    • Because only the server provides a certificate for authentication, the client must still be authenticated within the secure tunnel, for example by using MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol)

  • EAP-TLS (EAP Transport Layer Security)
    • Whereas PEAP only requires the AS to have a certificate, EAP-TLS requires a certificate on the AS and on every single client.
    • EAP-TLS is the most secure wireless authentication method, but it is more difficult to implement than PEAP because every client device needs a certificate.
    • Because the client and server authenticate each other with digital certificates, there is no need to authenticate the client within the TLS tunnel.
    • The TLS tunnel is still used to exchange encryption key information

Encryption and Integrity methods:

  • TKIP (Temporal Key Integrity Protocol)
    • Based on WEP, but more secure
    • Should not be used in modern networks
    • used in WPA
  • CCMP (Counter/CBC-MAC Protocol)
    • CCMP was developed after TKIP and is more secure.
    • AES (Advanced Encryption Standard) counter mode for encryption
      • AES is the most secure encryption protocol currently available. It is widely used all over the world.
      • There are multiple modes of operation for AES. CCMP uses ‘counter mode’.
    • CBC-MAC for MIC to ensure integrity of messages
    • used in WPA2
  • GCMP (Galois/Counter Mode Protocol)
    • GCMP is more secure and efficient than CCMP.
    • increased efficiency allows higher data throughput than CCMP.
    • GCMP consists of two algorithms:
      • AES counter mode for encryption
      • GMAC (Galois Message Authentication Code) for MIC to ensure the integrity of messages
    • used in WPA3

1.12 Explain virtualization fundamentals (server virtualization, containers, and VRFs)

Before virtualization, there was a one-to-one relationship between a physical server and an operating system. In that operating system, apps providing services such as a web server, email server, etc. would run. One physical server would be used for the web server, one for the email server, one for the database server, etc. This is inefficient for multiple reasons:

  • Each physical server is expensive and takes up space, power, etc.
  • The resources on each physical server (CPU, RAM, storage, NIC) are typically under-used.

Type 1 Hypervisor

  • Virtualization allows us to break the one-to-one relationship of hardware to OS, allowing multiple OS’s to run on a single physical server.
  • Each instance is called a VM (Virtual Machine)
  • A hypervisor is used to manage and allocate the hardware resources (CPU, RAM, etc) to each VM.
  • Another name for a hypervisor is VMM (Virtual Machine Monitor)
  • The type of hypervisor which runs directly on top of the hardware is called a Type 1 hypervisor.
    • Examples include VMware ESXi, Microsoft Hyper-V, etc.
  • Type 1 hypervisors are also called bare-metal hypervisors because they run directly on the hardware (metal).
    • Another term is native hypervisor
  • This is the type of hypervisor used in data center environments.

Type 2 Hypervisor

  • Type 2 hypervisors run as a program on an operating system like a regular computer program.
    • Examples include VMware Workstation, Oracle VirtualBox, etc.
  • The OS running directly on the hardware is called the Host OS, and the OS running in a VM is called a Guest OS.
  • Another name for a Type 2 hypervisor is hosted hypervisor.
  • Although Type 2 hypervisors are rarely used in data center environments, they are common on personal-use devices (for example, if a Mac/Linux user needs to run an app that is only supported on Windows, or vice versa)

Benefits of Virtualization:

  • Partitioning
    • Run multiple operating systems on one physical machine
    • Divide system resources between virtual machines
  • Isolation
    • Provide fault and security isolation at the hardware level
    • Preserve performance with advanced resource controls
  • Encapsulation
    • Save the entire state of a virtual machine to files
    • Move and copy virtual machines as easily as moving and copying files
  • Hardware Independence
    • Provision or migrate any virtual machine to any physical server

VMs are connected to each other and the external network via a virtual switch running on the hypervisor. Just like a regular physical switch, the vSwitch’s interfaces can operate as access or trunk ports and use VLANs to separate the VMs at Layer 2. Interfaces on the vSwitch connect to the physical NIC (or NICs) of the server to communicate with the external network.

1.13 Describe switching concepts

A MAC address is a 6-byte (48-bit) globally unique physical address assigned to the device when it is made. It is written as 12 hexadecimal characters (00:00:00:00:00:00).


  • OUI - Organisationally Unique Identifier, ID assigned to a particular manufacturer
  • VENDOR (NIC-specific identifier) - managed and assigned by the manufacturer, unique to each device

  • Unicast MAC addresses: the actual MAC address shown above
  • Multicast MAC addresses: 01-00-5E-0F-0F-0F - 01-00-5E-7F-FF-FF
    • the 25th bit is always 0; the last 23 bits are created from the last 23 bits of the multicast IP address
  • Broadcast MAC address: FF:FF:FF:FF:FF:FF
  • Ethernet loopback testing MAC address: CF-00-00-00-00-00

A MAC frame generally comprises nine fields, as shown in the following diagram:

The Frame Control (FC) field is used to identify the type of 802.11 frame, and its 2 bytes of data are subdivided into 11 related fields of information, such as wireless protocol, frame type, and frame subtype.

The Duration (DUR) field is a 2-byte field that is used mainly by control frames to indicate transmission timers. However, this field is also used by the Power Save (PS) Poll control frame to indicate the association identity (AID) of a client.

The address fields, ADD1, ADD2, ADD3 and ADD4, are 6-byte fields used to convey MAC address and BSSID information. What information resides in which address field is entirely dependent on the type of frame. However, ADD1, ADD2 and ADD3 typically contain a source MAC address, destination MAC address, and BSSID, with the order being dependent on whether the frame is entering the distribution system (DS), leaving the DS, or passing directly between ad-hoc wireless devices. The ADD4 field is only present for frames passing between devices in the DS, such as from one access point (AP) to another AP, and is placed after the SEQ field.

The Sequence (SEQ) field is a 2-byte field that is subdivided to store two related pieces of information: the fragment number and sequence number of each frame.

The DATA portion of a frame varies in size and contains the frame’s payload. For data frames, the payload is user data. However, for other frames, such as management frames, this portion of the frame might contain information such as supported data rates and cipher suites.

Finally, the Frame Check Sequence (FCS) field contains a 4-byte cyclic redundancy check (CRC) value calculated from all the 802.11 header fields, including the data portion of the frame. This value is used by the receiving station to determine whether the frame was corrupted during transit.

1.13.a MAC learning and aging

When a switch receives a frame, it associates the source MAC address with the port on which the frame was received. The switch dynamically constructs an address table using the source MAC addresses of received frames.

These dynamically learned MAC addresses are deleted from the table after the MAC address age value has expired. This frees unused addresses from the MAC address table for other active subscribers. The default value is 300 seconds.

Static MAC addresses can be assigned to the table, which are retained during a switch reset.

1.13.b Frame switching

The Content Addressable Memory (CAM) table is used by a switch to discover the relationship between the OSI Layer 2 address of a device and the physical port used to reach the device. Switches make forwarding decisions based on the destination MAC address contained in a frame’s header. The switch first searches the CAM table for an entry that matches the frame’s destination MAC address. If the frame’s destination MAC address is not found in the table, the switch forwards the frame to all its ports, except the port from which it received the frame. If the destination MAC address is found in the table, the switch forwards the frame to the appropriate port. The source MAC address is also recorded if it did not previously exist in the CAM table.

The Forwarding Information Base (FIB) is a table that contains all the prefixes from the IP routing table and is structured in a way that is optimized for forwarding. The FIB and the adjacency table are the two main components of CEF, which is a hardware-based switching method that is implemented in all OSI Layer 3-capable Catalyst switches. The FIB is synchronized with the IP routing table and therefore contains an entry for every IP prefix in the routing table. The IP prefixes are ordered so that when a Layer 3 address is compared against the FIB, the longest, most specific match will be found first; therefore, prefix lookup times are minimized.

The adjacency table maintains the Layer 2 addressing information for the FIB. Each network prefix in the FIB is associated with a next-hop address and an outbound interface. The adjacency table contains the Layer 2 addressing information for each next-hop address listed in the FIB and is used to rewrite the Layer 2 header of each forwarded IP packet. You can issue the show adjacency command to display the contents of the adjacency table.

The Address Resolution Protocol (ARP) table contains Layer 3 to Layer 2 address translations. Whenever the switch encounters a packet destined for a Layer 3 address that does not have an entry in the ARP table, the switch broadcasts an ARP request to query the network for the Layer 2 address. When the ARP reply is received, the switch enters the address pair into the ARP table for future reference. You can issue the show ip arp command to display the contents of the ARP table.

The VLAN table contains a record of the VLAN definitions on the switch and a list of the interfaces associated with each VLAN. The VLAN table does not contain any Layer 3 information. You can issue the show vlan command to display the contents of the VLAN table.

1.13.c Frame flooding

When the switch receives a frame for a destination MAC address that is not in its address table, it floods the frame out of all LAN ports of the same VLAN except for the port on which the frame was received. When the destination station responds, the switch adds its relevant MAC source address and port ID to the address table.

1.13.d MAC address table

To exchange frames between LAN ports efficiently, the switch maintains a MAC address table. The switch learns and builds its address table through the processes described above, and is able to forward the subsequent frames to a single port without flooding all the LAN ports.
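The learning, aging, flooding and forwarding behaviour from 1.13.a through 1.13.d, as an added example that is not part of the original notes. It is a toy model with access ports only; the port names and MAC addresses are constructed, and the "filter" case (destination lives on the ingress port) is standard switch behaviour that the notes do not cover.

```python
"""Toy model of a Layer 2 switch: MAC learning, aging, flooding, forwarding."""

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEFAULT_AGING = 300  # seconds, the default age value given in the notes


class ToySwitch:
    def __init__(self, port_vlans, aging=DEFAULT_AGING):
        self.port_vlans = dict(port_vlans)  # port name -> access VLAN
        self.aging = aging
        self.dynamic = {}  # (vlan, mac) -> (port, last_seen)
        self.static = {}   # (vlan, mac) -> port, never aged out

    def add_static(self, vlan, mac, port):
        """Static entries are configured by hand and are not subject to aging."""
        self.static[(vlan, mac.lower())] = port

    def expire(self, now):
        """Delete dynamic entries that were not refreshed within the aging time."""
        stale = [key for key, (_, seen) in self.dynamic.items()
                 if now - seen >= self.aging]
        for key in stale:
            del self.dynamic[key]
        return stale

    def lookup(self, vlan, mac):
        if (vlan, mac) in self.static:
            return self.static[(vlan, mac)]
        entry = self.dynamic.get((vlan, mac))
        return entry[0] if entry else None

    def receive(self, in_port, src, dst, now):
        """Process one frame and return (action, sorted list of egress ports)."""
        src, dst = src.lower(), dst.lower()
        vlan = self.port_vlans[in_port]
        self.expire(now)

        # Learning: bind the source MAC to the ingress port and refresh its timer.
        if (vlan, src) not in self.static:
            self.dynamic[(vlan, src)] = (in_port, now)

        # Forwarding decision is made on the destination MAC.
        out = None if dst == BROADCAST else self.lookup(vlan, dst)
        if out is None:
            # Unknown unicast or broadcast: flood within the VLAN,
            # never back out of the ingress port.
            ports = sorted(p for p, v in self.port_vlans.items()
                           if v == vlan and p != in_port)
            return ("flood", ports)
        if out == in_port:
            return ("filter", [])  # destination is on the ingress segment
        return ("forward", [out])


def demo():
    """Constructed traffic between two hosts in VLAN 10."""
    sw = ToySwitch({"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 10, "Gi0/4": 20})
    host_a, host_b = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
    return [
        sw.receive("Gi0/1", host_a, host_b, now=0),    # B unknown: flood VLAN 10
        sw.receive("Gi0/2", host_b, host_a, now=1),    # A was learned: forward
        sw.receive("Gi0/1", host_a, host_b, now=2),    # B was learned: forward
        sw.receive("Gi0/1", host_a, host_b, now=400),  # B aged out: flood again
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Note that the flood in VLAN 10 never reaches Gi0/4, which is in VLAN 20.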

2.0 Network Access

2.1 Configure and verify VLANs (normal range) spanning multiple switches

VLANs are configured on switches on a per-interface basis, and logically separate end hosts at Layer 2. Switches do not forward traffic directly between hosts in different VLANs; the traffic must be forwarded to a router to perform inter-VLAN routing.

show vlan brief

2.1.a Access ports (data and voice)

An access port is a switchport which belongs to a single VLAN, and usually connects to end hosts like PCs.

IP phones have an internal 3-port switch

  • 1 port is the ‘uplink’ to the external switch
  • 1 port is the ‘downlink’ to the PC
  • 1 port connects internally to the phone itself

This allows the PC and the IP phone to share a single switch port. Traffic from the PC passes through the IP phone to the switch.

It is recommended to separate ‘voice’ traffic (from the IP phone) and ‘data’ traffic (from the PC) by placing them in separate VLANs.

  • This can be accomplished using a voice VLAN
  • Traffic from the PC will be untagged, but traffic from the phone will be tagged with a VLAN ID.

2.1.b Default VLAN

VLAN 1 is the default VLAN.

VLANs 1002-1005 exist by default and cannot be deleted. They are reserved for Token Ring and Fiber Distributed Data Interface (FDDI) VLANs. VLANs in this reserved range, as well as the switch’s native VLAN, can be modified but not deleted.

VLAN 0 is a special VLAN used by IP phones to indicate to an upstream switch that it is sending frames that have a configured 802.1p priority but that should reside in the native VLAN. This VLAN is used if voice traffic and data traffic should be separated but do not require that a unique voice VLAN be created.

VLAN 4094 is an extended VLAN and is not used for DTP frames unless it has been configured as the native VLAN.

VLAN IDs in the number range from 1006 through 4094 are available only on extended IOS images.

A VLAN ID can be a value from 1-1005 or 1-4094, depending on IOS images and switch model.

2.1.c Connectivity

2.2 Configure and verify interswitch connectivity

Trunk ports = “tagged” ports

Access ports = “untagged” ports

DTP (Dynamic Trunking Protocol)

  • Cisco proprietary protocol that allows Cisco switches to dynamically determine their interface status (access or trunk) without manual configuration. For security purposes, manual configuration is recommended and DTP should be disabled on all switchports.
  • DTP uses the native VLAN to negotiate a trunk link when 802.1Q encapsulation is configured on the interface.
  • Because DTP frames are always transmitted on the native VLAN, changing the native VLAN can have unexpected consequences. For example, if the native VLAN is not configured identically on both ends of a link, a trunk will not dynamically form.

By default, all interfaces on a Cisco switch will use DTP to automatically negotiate whether an interface should be a trunk port or an access port.

There are two dynamic modes of operation for a switch port:

  • auto - operates in access mode unless the neighboring interface actively negotiates to operate as a trunk
  • desirable - operates in access mode unless it can actively negotiate a trunk connection with a neighboring interface.
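One way to check a switch configuration against the recommendation above that DTP be disabled on all switchports, as an added example that is not part of the original notes. It assumes the IOS interface commands "switchport mode ...", "switchport nonegotiate" and "no switchport", which the notes do not show, and it runs over a constructed sample configuration.

```python
import re

# Constructed sample running-config, used only to exercise the audit below.
SAMPLE_CONFIG = """\
hostname SW1
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 switchport mode trunk
!
interface GigabitEthernet0/4
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/5
 description unused, left at defaults
!
interface GigabitEthernet0/6
 no switchport
 ip address 192.0.2.1 255.255.255.0
!
"""

MODE_RE = re.compile(r"^switchport mode (access|trunk|dynamic (?:auto|desirable))$")


def interface_blocks(config):
    """Split a running-config into {interface name: [sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        match = re.match(r"^interface\s+(\S+)", raw)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks


def audit_dtp(config):
    """Return {interface: finding} for every switchport where DTP is still active."""
    findings = {}
    for name, lines in interface_blocks(config).items():
        if "no switchport" in lines:
            continue  # routed (Layer 3) port, DTP does not apply
        mode = None
        for line in lines:
            match = MODE_RE.match(line)
            if match:
                mode = match.group(1)
        nonegotiate = "switchport nonegotiate" in lines

        if mode is None:
            # No static mode: the port keeps its default and negotiates with DTP.
            findings[name] = "no static mode configured, port negotiates with DTP"
        elif mode.startswith("dynamic"):
            findings[name] = f"{mode}: port negotiates with DTP"
        elif mode == "trunk" and not nonegotiate:
            # A static trunk still sends DTP frames until nonegotiate is set.
            findings[name] = "static trunk without 'switchport nonegotiate'"
    return findings


if __name__ == "__main__":
    for interface, finding in sorted(audit_dtp(SAMPLE_CONFIG).items()):
        print(f"{interface}: {finding}")
```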

VTP (VLAN Trunking Protocol)

  • allows you to configure VLANs on a central VTP server switch, and other switches (VTP clients) will synchronize their VLAN database to the server. It is designed for large networks with many VLANs, but is rarely used and not recommended.

A switch can be configured for one of three VTP modes: server, client, or transparent. By default, Cisco switches are configured for VTP server mode.

VTP server mode allows you to create, modify, and delete VLANs in the VTP domain. However, a switch in VTP server mode will not originate VTP advertisements until a VTP domain name is set. VTP servers store VLAN configuration information in NVRAM, so if the switch is powered off, the VLAN configuration will be retained.

You cannot create, modify or delete VLANs on a switch that is operating in VTP client mode. However, a switch in VTP client mode can send its VLAN configuration information to other switches. In VTP v1 and VTP v2, VTP clients do not store the VLAN configuration information in NVRAM. In VTP v3, VTP clients do store VLAN configuration information in NVRAM.

A switch that is operating in VTP transparent mode does not participate in VTP. Any VLAN additions, changes, or deletions made to a switch in VTP transparent mode remain on the local switch and are not propagated to other switches.

However, a switch in VTP transparent mode can forward VTP advertisements received from other switches. Switches in VTP v2 transparent mode forward all VTP advertisements; switches in VTP v1 transparent mode will forward a VTP advertisement only if the VTP domain and VTP version number on the switch match that of the VTP advertisement. Like VTP servers, VTP transparent mode switches store VLAN configuration information in NVRAM.

2.2.a Trunk ports

In a small network with a few VLANs, it is possible to use a separate interface for each VLAN when connecting switches to switches, and switches to routers.

However, when the number of VLANs increases this is not viable. It will result in wasted interfaces, and often routers won’t have enough interfaces for each VLAN.


Trunk ports can be used to carry traffic from multiple VLANs over a single interface. Switches will “tag” all frames that they send over a trunk link. This allows the receiving switch to know which VLAN the frame belongs to.

Trunk ports = ‘tagged’ ports

Access ports = ‘untagged’ ports

show interfaces trunk

show vlan brief

2.2.b 802.1q

802.1q is an industry standard trunking protocol.

The 802.1q tag is inserted between the Source and Type/Length fields of the Ethernet frame.

The tag is 4 bytes (32 bits) in length and consists of two main fields: TPID (Tag Protocol Identifier) and TCI (Tag Control Information).

The TPID is 2 bytes in length and is always set to a value of 0x8100, indicating the frame is 802.1q tagged.

The TCI consists of 3 smaller fields:

  • PCP (Priority Code Point), 3 bits
    • used for CoS (Class of Service), which prioritizes important traffic in congested networks

  • DEI (Drop Eligible Indicator), 1 bit
    • used to indicate frames that can be dropped if the network is congested.
  • VID (VLAN ID), 12 bits
    • identifies the VLAN the frame belongs to
    • range of VLANs 1-4094
    • Normal VLANs: 1-1005
    • Extended VLANs: 1006-4094

2.2.c Native VLAN

802.1q has a feature called the native VLAN. The native VLAN is VLAN 1 by default on all trunk ports, but can be manually configured on each trunk port. The switch does not add an 802.1q tag to frames in the native VLAN.

When a switch receives an untagged frame on a trunk port, it assumes the frame belongs to the native VLAN. For this reason, it’s very important that the native VLAN matches for both switches.

R1(config-subif)#encapsulation dot1q (vlan-id) native
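The tag layout from 2.2.b and the native VLAN rule from 2.2.c, as an added example that is not part of the original notes: a parser that splits the 4-byte tag into TPID, PCP, DEI and VID, and assigns untagged and VLAN 0 (priority-tagged) frames to the native VLAN. The function names and the sample MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # TPID value that marks a frame as 802.1Q tagged


def build_frame(dst, src, ethertype, payload=b"", vid=None, pcp=0, dei=0):
    """Build an Ethernet frame; insert an 802.1Q tag after the source MAC if vid is given."""
    header = dst + src
    if vid is not None:
        if not (0 <= vid <= 0xFFF and 0 <= pcp <= 7 and dei in (0, 1)):
            raise ValueError("field does not fit in the 16-bit TCI")
        tci = (pcp << 13) | (dei << 12) | vid  # PCP: 3 bits, DEI: 1 bit, VID: 12 bits
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def vid_range(vid):
    """Classify a VID using the ranges listed in the notes."""
    if vid == 0:
        return "priority-tagged"  # 802.1p priority only, frame stays in the native VLAN
    if 1 <= vid <= 1005:
        return "normal"
    if 1006 <= vid <= 4094:
        return "extended"
    return "reserved"  # 4095 is outside the usable 1-4094 range


def parse_frame(frame, native_vlan=1):
    """Return the tag fields and the VLAN a receiving trunk port would assign."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        # Untagged frame on a trunk: assumed to belong to the native VLAN.
        return {"tagged": False, "vlan": native_vlan, "pcp": None, "dei": None,
                "vid": None, "range": None, "ethertype": tpid}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return {
        "tagged": True,
        "vlan": native_vlan if vid == 0 else vid,
        "pcp": tci >> 13,
        "dei": (tci >> 12) & 1,
        "vid": vid,
        "range": vid_range(vid),
        "ethertype": ethertype,
    }


# Constructed sample addresses (broadcast destination, locally administered source).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")

if __name__ == "__main__":
    for kwargs in ({"vid": 10, "pcp": 5}, {}, {"vid": 0, "pcp": 5}, {"vid": 2000}):
        print(kwargs, parse_frame(build_frame(DST, SRC, 0x0800, b"data", **kwargs), native_vlan=99))
```

If the two ends of a trunk pass different native_vlan values to parse_frame, the same untagged frame lands in two different VLANs, which is the mismatch the paragraph above warns about.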

2.3 Configure and verify Layer 2 discovery protocols (Cisco Discovery Protocol and LLDP)

Layer 2 discovery protocols such as CDP and LLDP share information with and discover information about neighboring (connected) devices. The shared information includes host name, IP address, device type, etc.

Because they share information about the devices in the network, they can be considered a security risk and are often not used. It is up to the network engineer/admin to decide if they want to use them in the network or not.

CDP (Cisco Discovery Protocol)

  • It is enabled on Cisco devices (routers, switches, firewalls, IP phones, etc) by default.
  • CDP messages are periodically sent to multicast MAC address 0100.0CCC.CCCC.
  • When a device receives a CDP message, it processes and discards the message. It does NOT forward it to other devices.
  • By default, CDP messages are sent once every 60 seconds. By default, the CDP holdtime is 180 seconds. If a message isn’t received from a neighbor for 180 seconds, the neighbor is removed from the CDP neighbor table.
  • CDPv2 messages are sent by default.

LLDP (Link Layer Discovery Protocol)

  • LLDP is an industry standard protocol (IEEE 802.1AB)
  • It is usually disabled on Cisco devices by default, so it must be manually enabled.
  • A device can run CDP and LLDP at the same time.
  • LLDP messages are periodically sent to multicast MAC address 0180.C200.000E.
  • When a device receives an LLDP message, it processes and discards the message. It does NOT forward it to other devices.
  • By default, LLDP messages are sent once every 30 seconds. By default, the LLDP holdtime is 120 seconds.
  • LLDP has an additional timer called the “reinitialization delay”. If LLDP is enabled (globally or on an interface), this timer will delay the actual initialization of LLDP. 2 seconds by default.

2.4 Configure and verify (Layer 2/Layer 3) EtherChannel (LACP)

When the bandwidth of the interfaces connected to end hosts is greater than the bandwidth of the connection to the distribution switch(es), this is called oversubscription, which can cause congestion.

EtherChannel groups multiple interfaces together to act as a single interface. STP will treat this group as a single interface. EtherChannel is also known as Port Channel, or LAG (Link Aggregation Group)

EtherChannel load balances based on “flows”. A flow is a communication between two nodes in the network. Frames in the same flow will be forwarded using the same physical interface. The inputs used in the interface selection calculation can be configured.

  • inputs that can be used:
    1. Source MAC
    2. Destination MAC
    3. Source AND Destination MAC
    4. Source IP
    5. Destination IP
    6. Source and Destination IP

There are three methods of EtherChannel configuration on Cisco switches:

  1. LACP (Link Aggregation Control Protocol), 802.3ad
    • Dynamically negotiates the creation/maintenance of the EtherChannel (similarly to DTP for trunks)

  2. PAgP (Port Aggregation Protocol)
    • Cisco proprietary protocol
    • Dynamically negotiates the creation/maintenance of the EtherChannel.
  3. Static EtherChannel
    • A protocol isn’t used to determine if an EtherChannel should be formed.
    • Interfaces are statically configured to form an EtherChannel.

Up to 8 interfaces can be formed into a single EtherChannel (LACP allows up to 16, but only 8 will be active; the other 8 will be in standby mode, waiting for an active interface to fail).

2.5 Interpret basic operations of Rapid PVST+ Spanning Tree Protocol

STP (Spanning Tree Protocol) prevents Layer 2 loops by placing redundant ports in a blocking state, essentially disabling the interface.

These interfaces act as backups that can enter a forwarding state if an active (=currently forwarding) interface fails.

Interfaces in a blocking state only send or receive STP messages (called BPDUs = Bridge Protocol Data Units)

Cisco switches use a version of STP called PVST+ (Per-VLAN Spanning Tree), which runs a separate STP ‘instance’ in each VLAN, so in each VLAN different interfaces can be forwarding/blocking. This allows for load balancing by blocking different ports in each VLAN.

Rapid PVST+ allows for much faster converging/adapting to network changes, similar to 802.1w (Rapid Spanning Tree Protocol).

show spanning-tree

2.5.a Root port, root bridge (primary/secondary), and other port names

Switches use one field in the STP BPDU, the Bridge ID field, to elect a root bridge for the network.

The switch with the lowest Bridge ID becomes the root bridge. The default bridge priority is 32768 on all switches, so by default the MAC address is used as the tie-breaker (lowest MAC address becomes the root bridge). All ports on the root bridge are designated ports. Ports across from the root port are always designated ports.

Each remaining switch will select ONE of its interfaces to be its root port.

Root port selection:

  1. Lowest root cost
  2. Lowest neighbor bridge ID
  3. Lowest neighbor port ID

Each remaining collision domain will select ONE interface to be a designated port (forwarding state). The other port in the collision domain will be non-designated (blocking).

  • Designated port selection:
    1. Interface on switch with the lowest root cost
    2. Interface on switch with the lowest bridge ID

In RSTP, the non-designated port is split into two separate roles:

  • the alternate port role (blocking)
  • the backup port role (two interfaces on same collision domain, via a hub)

spanning-tree vlan 10 root primary/secondary

  • root primary = STP priority 24576
  • root secondary = STP priority 28672
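The election and port-role rules from 2.5.a applied to a whole topology, as an added example that is not part of the original notes. It goes beyond the single-switch rules by computing root cost across the network with a shortest-path search; the three-switch triangle, the MAC addresses, the integer port IDs and the link cost of 4 are all assumptions made for the example.

```python
import heapq


def compute_stp(switches, links):
    """switches: name -> (priority, mac); links: (sw_a, port_a, sw_b, port_b, cost).

    Returns (root_bridge, {(switch, port): role}). Assumes a connected topology.
    """
    bid = dict(switches)          # bridge ID tuples compare priority first, then MAC
    root = min(bid, key=bid.get)  # lowest bridge ID becomes the root bridge

    adj = {name: [] for name in switches}
    for a, pa, b, pb, cost in links:
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))

    # Root cost of every switch: cheapest total path cost to the root bridge.
    root_cost = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, name = heapq.heappop(heap)
        if cost > root_cost[name]:
            continue
        for _, nbr, _, link_cost in adj[name]:
            new = cost + link_cost
            if new < root_cost.get(nbr, float("inf")):
                root_cost[nbr] = new
                heapq.heappush(heap, (new, nbr))

    roles = {}
    # Root port: 1. lowest root cost, 2. lowest neighbor bridge ID,
    # 3. lowest neighbor port ID.
    for name in switches:
        if name == root:
            continue
        best = min(adj[name],
                   key=lambda e: (root_cost[e[1]] + e[3], bid[e[1]], e[2]))
        roles[(name, best[0])] = "root"

    # Designated port per link: 1. switch with the lowest root cost,
    # 2. switch with the lowest bridge ID. The other end blocks unless
    # it is already that switch's root port.
    for a, pa, b, pb, _ in links:
        if (root_cost[a], bid[a]) < (root_cost[b], bid[b]):
            des, other = (a, pa), (b, pb)
        else:
            des, other = (b, pb), (a, pa)
        roles[des] = "designated"
        roles.setdefault(other, "non-designated")
    return root, roles


def example_topology(sw3_priority=32768):
    """Constructed triangle; every link has an assumed cost of 4."""
    switches = {
        "SW1": (32768, "0000.0000.000a"),
        "SW2": (32768, "0000.0000.000b"),
        "SW3": (sw3_priority, "0000.0000.000c"),
    }
    links = [("SW1", 1, "SW2", 1, 4), ("SW1", 2, "SW3", 1, 4), ("SW2", 2, "SW3", 2, 4)]
    return compute_stp(switches, links)


if __name__ == "__main__":
    print(example_topology())                    # default priorities
    print(example_topology(sw3_priority=24576))  # SW3 configured as root primary
```

With default priorities SW1 wins on lowest MAC address and SW3 blocks its link to SW2; giving SW3 the root primary priority moves the root to SW3 and the blocked port to SW2.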

2.5.b Port states (forwarding/blocking)

Root/Designated ports remain stable in a Forwarding state.

Non-designated ports remain stable in a Blocking state. Interfaces in a Blocking state are effectively disabled to prevent loops.

Listening and Learning are transitional states which are passed through when an interface is activated, or when a Blocking port must transition to a Forwarding state due to a change in the network topology.

2.5.c PortFast

PortFast allows a port to move immediately to the Forwarding state, bypassing Listening and Learning. If used, it must be enabled only on ports connected to end hosts. If enabled on a port connected to another switch, it could cause a Layer 2 loop.

BPDU guard is another optional STP feature

  • can be used to prevent an access port from participating in the spanning tree.

    SW1(config-if)#spanning-tree portfast (default)

2.6 Describe Cisco Wireless Architectures and AP modes

APs can operate in additional modes beyond the ones we’ve introduced so far (section 1.11.b)

An AP in repeater mode can be used to extend the range of a BSS.

  • The repeater will simply retransmit any signal it receives from the AP.
    • A repeater with a single radio must operate on the same channel as the AP, but this can drastically reduce the overall throughput on the channel.
    • A repeater with two radios can receive on one channel, and then retransmit on another channel.

An AP in Workgroup Bridge (WGB) mode operates as a wireless client of another AP, and can be used to connect wired devices to the wireless network.

  • In the example below, PC1 does not have wireless capabilities, and also does not have access to a wired connection to SW1.
  • PC1 has a wired connection to the WGB, which has a wireless connection to the AP.

An AP in outdoor bridge mode can be used to connect networks over long distances without a physical cable connecting them.

  • The APs will use specialized antennas that focus most of the signal power in one direction, which allows the wireless connection to be made over longer distances than normally possible.
  • The connection can be point-to-point as in the diagram below, or point-to-multipoint in which multiple sites connect to one central site.

review of wireless topics:

There are three main wireless AP deployment methods:

  • Autonomous
  • Lightweight
  • Cloud-based

Autonomous APs are self-contained systems that don’t rely on a WLC.

  • Autonomous APs connect to the wired network with a trunk link.
  • Data traffic from wireless clients has a very direct path to the wired network or to other wireless clients associated with the same AP.
  • Each VLAN has to stretch across the entire network. This is considered bad practice.
    • Large broadcast domains
    • Spanning tree will disable links
    • Adding/deleting VLANs is very labor-intensive
  • Autonomous AP’s can be used in small networks, but they are not viable in medium to large networks.
    • Large networks can have thousands of APs.
  • Autonomous APs can also function in the modes covered previously: Repeater, Outdoor Bridge, Workgroup Bridge

The functions of an AP can be split between the AP and a Wireless LAN Controller (WLC).

Lightweight APs handle ‘real-time’ operations like transmitting/receiving RF traffic, prioritizing packets, encryption/decryption of traffic, sending out beacons/probes, etc

  • Other functions are carried out by a WLC, for example RF management, security/QoS management, client load balancing, client authentication, client association/roaming management, etc.
  • This is called split-MAC architecture.
  • The WLC is also used to centrally configure the lightweight APs.
  • The WLC can be located in the same subnet/VLAN as the lightweight APs it manages, or in a different subnet/VLAN.
  • The WLC and the lightweight APs authenticate each other using digital certificates installed on each device (X.509 standard certificates)
    • This ensures that only authorized APs can join the network.

The WLC and lightweight APs use a protocol called CAPWAP (Control and Provisioning Of Wireless Access Points) to communicate.

  • Based on an older protocol called LWAPP (Lightweight Access Point Protocol)

Two tunnels are created between each AP and the WLC:

  • Control tunnel (UDP port 5246). This tunnel is used to configure the APs, and control/manage the operations. All traffic in this tunnel is encrypted by default.
  • Data tunnel (UDP port 5247). All traffic from wireless clients is sent through this tunnel to the WLC. It does not go directly to the wired network.
    • Traffic in this tunnel is not encrypted by default, but you can configure it to be encrypted with DTLS (Datagram Transport Layer Security)
  • Because all traffic from wireless clients is tunneled to the WLC with CAPWAP, APs connect to switch access ports, not trunk ports.

There are some key benefits to split-MAC architecture, here are a few:

  • Scalability: With a WLC (or multiple in very large networks) it’s much simpler to build and support a network with thousands of APs.
  • Dynamic channel assignment: The WLC can automatically select which channel each AP should use.
  • Transmit power optimization: The WLC can automatically set the appropriate transmit power for each AP.
  • Self-healing wireless coverage: When an AP stops functioning, the WLC can increase the transmit power of nearby APs to avoid coverage holes.
  • Seamless roaming: Clients can roam between APs with no noticeable delay.
  • Client load balancing: If a client is in range of two APs, the WLC can associate the client with the least-used AP, to balance the load among APs.
  • Security/QoS management: Central management of security and QoS policies ensures consistency across the network.

FlexConnect ACLs are supported on the native VLAN. FlexConnect ACLs are similar to traditional Cisco ACLs in that they are rules that permit or deny traffic from a given source to a given destination. However, FlexConnect ACLs are configured on Cisco wireless lightweight AP VLAN interfaces if the lightweight AP is operating in FlexConnect mode.

FlexConnect ACLs are applied per AP and per VLAN. One possible application of FlexConnect ACLs is to prevent administration of the WLAN from a particular VLAN. Even though FlexConnect ACLs are applied differently than traditional ACLs, it is important to name FlexConnect ACLs differently from any traditional ACLs that might be configured on the WLAN.

FlexConnect ACLs cannot be configured with a per-rule direction. This is in contrast to a traditional ACL, which can be configured with inbound rules or outbound rules. A FlexConnect ACL is applied in the ingress direction or the egress direction as an entire set of rules, not on a per-rule basis.

FlexConnect ACLs support the implicit deny rule. In this way, FlexConnect ACLs work similarly to traditional ACLs.

Cloud-Based AP architecture is in between autonomous AP and split-MAC architecture.

  • Autonomous APs that are centrally managed in the cloud.
  • Cisco Meraki is a popular cloud-based Wi-Fi solution.
  • The Meraki dashboard can be used to configure APs, monitor the network, generate performance reports, etc.
    • Meraki also tells each AP which channel to use, what transmit power, etc.
  • However, data traffic is not sent to the cloud. It is sent directly to the wired network like when using autonomous APs.
    • Only management/control traffic is sent to the cloud.

2.7 Describe physical infrastructure connections of WLAN components (AP, WLC, access/trunk ports, and LAG)

  • WLC ports are the physical ports that cables connect to.
  • WLC interfaces are the logical interfaces within the WLC (ie. SVIs on a switch).
  • WLCs have a few different kinds of ports:
    • Service port: A dedicated management port. Used for out-of-band management. Must connect to a switch access port because it only supports one VLAN. This port can be used to connect to the device while it is booting, perform system recovery, etc.
    • Distribution system port: These are the standard network ports that connect to the ‘distribution system’ (wired network)
    • Console port: This is a standard console port, either RJ45 or USB.
    • Redundancy port: This port is used to connect to another WLC to form a high availability (HA) pair.

WLCs have a few different kinds of interfaces:

  • Management interface: Used for management traffic such as Telnet, SSH, HTTP, HTTPS, RADIUS authentication, NTP, Syslog, etc. CAPWAP tunnels are also formed to/from the WLC’s management interface.
  • Redundancy management interface: When two WLCs are connected by their redundancy ports, one WLC is ‘active’ and the other is ‘standby’. This interface can be used to connect to and manage the ‘standby’ WLC.
  • Virtual interface: This interface is used when communicating with wireless clients to relay DHCP requests, perform client web authentication, etc.
  • Service port interface: If the service port is used, this interface is bound to it and used for out-of-band management.
  • Dynamic interface: These are the interfaces used to map a WLAN to a VLAN. For example, traffic from the ‘Internal’ WLAN will be sent to the wired network from the WLC’s ‘Internal’ dynamic interface.

LAG (Link Aggregation)

  • Similar to EtherChannel on switches, LAG enables multiple physical ports on a WLC to operate as one logical group. Thus, LAG enables load balancing across links between devices and redundancy. If one link fails, the other links in the LAG bundle will continue to function.
  • By default all eight ports will be included in the LAG bundle if you have enabled LAG on a Cisco WLC that contains eight distribution system ports.
    • A distribution system port is a data port that typically connects to a switch in 802.1Q trunk mode.
  • LAG requires only one functional physical port in order to pass client traffic
  • If all but one port in a LAG bundle fails, that port will pass client traffic for all failed ports.
  • Distribution system ports can be configured to work in pairs or independently of each other if LAG is disabled. By default, a Cisco WLC’s distribution system ports operate in 802.1Q trunk mode, forming a trunk link between each WLC distribution system port and the switch to which it is connected.
  • When enabled, LAG modifies this config so that the ports are bundled and no longer operate as independent trunk links.

2.8 Describe AP and WLC management access connections (Telnet, SSH, HTTP, HTTPS, console, and TACACS+/RADIUS)

WLC config:

In split-MAC architecture, there are four main WLC deployment models:

  • Unified AP deployment: The WLC is a hardware appliance in a central location of the network.
    • supports about 6000 APs
  • Cloud-based AP deployment: The WLC is a VM running on a server, usually in a private cloud in a data center. This is not the same as the cloud-based AP architecture discussed previously.
    • supports about 3000 APs
  • Embedded AP deployment: The WLC is integrated within a switch.
    • supports about 200 APs
  • Mobility Express AP deployment: The WLC is integrated within an AP.
    • supports about 100 APs

CPU ACLs are used to limit access to the CPU of the WLC. This limits which devices will be able to connect to the WLC via Telnet/SSH, HTTP/HTTPS, retrieve SNMP information from the WLC, etc.

2.9 Interpret the wireless LAN GUI configuration for client connectivity, such as WLAN creation, security settings, QoS profiles, and advanced settings

Day 58 video

To create a new normal WLAN, you should complete four steps on the WLANS > New page of the WLC GUI:

  1. Select the type of WLAN you are creating from the Type drop-down list box; by default, this value is configured to (normal) WLAN.
    • There are 3 types of WLANs you can create by using the WLC GUI:
    • A normal WLAN, which is the WLAN to which wireless clients inside your company’s walls will connect
    • A Guest LAN, which is the WLAN to which guest wireless clients inside your company’s walls will connect
    • A Remote LAN, which is the WLAN configuration for wired ports on the WLC
  2. Enter a 32-character or less profile name in the Profile Name field.
    • The profile name should uniquely identify the WLAN that you are configuring. The value you enter in the Profile Name field will be used by the WLC to identify the WLAN on other configuration pages.
    • For simplicity, many administrators choose to use the same value for the Profile Name field as they plan to configure in the SSID field.
  3. Enter a 32-character or less SSID in the SSID field.
    • SSID is the WLAN network name that will be broadcast to wireless clients.
  4. Choose a WLAN ID from the ID drop-down list box.
    • By default, the ID is set to 1; it can be configured in the range 1-512. Although Cisco controllers support a maximum of 512 WLANs, only 16 can be actively configured.


  • Platinum (voice)
  • Gold (video)
  • Silver (best effort)
  • Bronze (background)

3.0 IP Connectivity

Routers can use dynamic routing protocols to advertise information about the routes they know to other routers. They form ‘adjacencies’ / ‘neighbor relationships’ / ‘neighborships’ with adjacent routers to exchange this information. If multiple routes to a destination are learned, the router determines which route is superior and adds it to the routing table. It uses the ‘metric’ of the route to decide which is superior (lower metric = superior).

Dynamic routing protocols can be divided into two main categories:

IGP (Interior Gateway Protocol)

  • used to share routes within a single autonomous system (AS), which is a single organization (i.e. a company)
  • ex. RIP (Routing Information Protocol), EIGRP (Enhanced Interior Gateway Routing Protocol) using a Distance Vector algo
  • ex. OSPF (Open Shortest Path First) and IS-IS (Intermediate System to Intermediate System) using a Link State algo

EGP (Exterior Gateway Protocol)

  • used to share routes between different autonomous systems
  • ex. BGP (Border Gateway Protocol) using a Path Vector algo

3.1 Interpret the components of routing table

3.1.a Routing protocol code

3.1.b Prefix

3.1.c Network mask

3.1.d Next Hop

3.1.e Administrative distance

In most cases a company will only use a single IGP, usually OSPF or EIGRP. However, in some rare cases they might use two. For example, if two companies connect their networks to share information, two different routing protocols might be in use. Metric is used to compare routes learned via the same routing protocol. Different routing protocols use different metrics, so they cannot be compared. Instead, the AD (Administrative Distance) is used to determine which routing protocol is preferred. A lower AD is preferred, and indicates that the routing protocol is considered more trustworthy (more likely to select good routes).

3.1.f Metric

A router’s route table contains the best route to each destination network it knows about.

If a router using a dynamic routing protocol learns two different routes to the same destination, how does it determine which is ‘best’? It uses the metric value of the routes to determine which is best. A lower metric = better.

Each routing protocol uses a different metric to determine which route is best.

If a router learns two (or more) routes via the same routing protocol to the same destination (same network address, same subnet mask) with the same metric, both will be added to the routing table. Traffic will be load-balanced over both routes.

ECMP (Equal Cost Multi-Path) is a routing strategy where packets towards a single destination IP address are load-balanced over multiple best paths with equal metrics.

EIGRP uses bandwidth and delay to calculate metric by default. Bandwidth refers to the data throughput of a link. Delay refers to the length of time required to send a packet to a destination.

EIGRP can also use load and reliability as components, but these components are not used by default. Load refers to the amount of data activity over a link. Reliability refers to the bit-error rate of a link.

OSPF and IS-IS use cost to calculate the best path to a destination network. By default, OSPF and IS-IS calculate the cost based on bandwidth. However, cost can be configured by using any value that an administrator desires, such as the monetary cost of using a link.

RIPv1 and RIPv2 use hop count to calculate the best path to a destination network. Hop count refers to the number of routers a packet will traverse from source to destination. However, RIP has a hop-count limitation of 15 hops; any route more than 15 hops away is considered to be unreachable. With a defined maximum metric, a routing protocol can mitigate routing loops caused by invalid routing updates.

3.1.g Gateway of last resort

3.2 Determine how a router makes a forwarding decision by default

How does a Cisco Layer 3 device, such as a router, decide which route to use?

  1. Prefix length – the longest prefix match is always preferred. For example, a /24 route wins over a /16 route.
  2. Administrative Distance (AD) – if the routes have the same prefix lengths and are using different routing protocols, then the route with the lowest Administrative Distance wins. For example, OSPF routes are more preferred than RIP routes by default.
  3. Metric – if the routes have the same prefix length and administrative distance, then it will come down to the metrics. When the router learns about multiple different paths going to the same destination, using the same routing protocol, a measure called metric is used to decide. The path with the lower metric wins.

Routers drop packets with unknown destinations.

3.2.a Longest prefix match

When a router looks up a destination address in its routing table, it looks for the most specific matching route. Most specific = longest prefix length ( /32 > /24 > /16 > /8 > /0)

3.2.b Administrative distance

3.2.c Routing protocol metric

3.3 Configure and verify IPv4 and IPv6 static routing

IPv6 routing works the same as IPv4 routing. However, the two processes are separate on the router, and the two routing tables are separate as well.

IPv4 routing is enabled by default. IPv6 routing is disabled by default, and must be enabled with “ipv6 unicast-routing”

If IPv6 routing is disabled, the router will be able to send and receive IPv6 traffic, but will not route IPv6 traffic (=will not forward it between networks).

A connected network route is automatically added for each connected network. A local host route is automatically added for each address configured on the router.

Routes for link-local addresses are not added to the routing table.

to configure:

ip route (destination network ip address) (mask) (next-hop ip address)
ip route (destination network ip address) (mask) (exit-interface)

to verify:

show ip route

3.3.a Default route

A route that a router uses to forward an incoming packet when no other route is available for that packet in the routing table.

3.3.b Network route

A route to a network/subnet (mask length < /32)

3.3.c Host route

Local host routes are marked with an L in the output of the show ip route command or the show ipv6 route command. IPv4 host routes have a /32 mask, and IP version 6 (IPv6) host routes have a /128 mask.

Not all IPv4 routes with a /32 mask are considered host routes. IPv4 addresses that are manually configured with a /32 mask are considered to be connected addresses and are marked with a C in the output of the show ip route command.


3.3.d Floating static

By changing the AD of a static route, you can make it less preferred than routes learned by a dynamic routing protocol to the same destination (make sure the AD is higher than the routing protocol’s AD!) This is known as a “floating static route”.

Floating static routes are used to provide link redundancy. The route will be inactive (not in the routing table) unless the route learned by the dynamic routing protocol is removed or no longer available.
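The selection order from section 3.2 and the floating static behaviour above can be traced in code. This is an added example, not part of the original notes: the routes and next hops are constructed, the AD values 1, 110 and 120 are the usual Cisco defaults for static, OSPF and RIP, and 200 is an arbitrary AD picked here for the floating static.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str    # destination network, e.g. "10.0.1.0/24"
    source: str    # how the route was learned (label only)
    ad: int        # administrative distance
    metric: int
    next_hop: str


# Constructed candidate routes (not from the original notes).
CANDIDATES = [
    Route("0.0.0.0/0",   "static", 1,   0,  "192.0.2.254"),  # default route
    Route("10.0.0.0/16", "ospf",   110, 20, "192.0.2.1"),
    Route("10.0.1.0/24", "rip",    120, 2,  "192.0.2.2"),    # low metric, but worse AD
    Route("10.0.1.0/24", "ospf",   110, 30, "192.0.2.3"),
    Route("10.0.1.0/24", "ospf",   110, 30, "192.0.2.4"),    # equal metric -> ECMP
    Route("10.0.1.0/24", "ospf",   110, 50, "192.0.2.5"),
    Route("10.0.1.0/24", "static", 200, 0,  "192.0.2.9"),    # floating static
]


def build_table(candidates):
    """Install routes: per prefix, lowest AD wins, then lowest metric; ties are kept (ECMP)."""
    by_prefix = {}
    for route in candidates:
        by_prefix.setdefault(ipaddress.ip_network(route.prefix), []).append(route)
    table = {}
    for net, routes in by_prefix.items():
        best_ad = min(r.ad for r in routes)
        routes = [r for r in routes if r.ad == best_ad]
        best_metric = min(r.metric for r in routes)
        table[net] = [r for r in routes if r.metric == best_metric]
    return table


def lookup(table, destination):
    """Forwarding decision: the longest matching prefix wins; no match means the packet is dropped."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in table if addr in net]
    if not matches:
        return []
    return table[max(matches, key=lambda net: net.prefixlen)]


def next_hops(table, destination):
    return sorted(r.next_hop for r in lookup(table, destination))


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    for dst in ("10.0.1.7", "10.0.2.7", "172.16.0.1"):
        print(dst, "->", next_hops(table, dst))
```

The RIP route has the lowest metric of all the /24 candidates but is never installed, because metrics are only compared between routes with the same AD.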

3.4 Configure and verify single area OSPFv2

OSPF (Open Shortest Path First) is a link-state routing protocol. OSPF uses the shortest path first algorithm, aka Dijkstra’s algorithm.

Routers store information about the network in LSAs (Link State Advertisements), which are organized in a structure called the LSDB (Link State Database)

Routers will flood LSAs until all routers in the OSPF area develop the same map of the network (LSDB).

OSPF areas

  • An area is a set of routers and links that share the same LSDB
  • The backbone area (area 0) is an area that all other areas must connect to.
  • Routers with all interfaces in the same area are called internal routers.
  • Routers with interfaces in multiple areas are called area border routers (ABRs).
  • Routers connected to the backbone area (area 0) are called backbone routers.
  • An intra-area route is a route to a destination inside the same OSPF area.
  • An interarea route is a route to a destination in a different OSPF area.
  • OSPF areas should be contiguous.
  • All OSPF areas must have at least one ABR connected to the backbone area.
  • OSPF interfaces in the same subnet must be in the same area.

3.4.a Neighbor adjacencies

In OSPF, there are three main steps in the process of sharing LSAs and determining the best route to each destination in the network.

  1. Become neighbors with other routers connected to the same segment
  2. Exchange LSAs with neighbor routers
  3. Calculate the best routes to each destination, and insert them into the routing table

When an OSPF neighbor router is powered on, it transitions through the following neighbor states:

  • Down
  • Init
  • 2-Way
  • Exstart
  • Exchange
  • Loading
  • Full

An OSPF neighbor router begins in the Down state. A neighbor in the Down state has not yet sent a Hello packet.

When a Hello packet is received from the neighbor router but the Hello packet does not contain the receiving router’s ID, the neighbor router is in the Init state. The receiving router replies to the neighbor router with a Hello packet that contains the neighbor router’s ID as an acknowledgment that the receiving router received the neighbor’s Hello packet. If a router is stuck in the Init state, it has sent Hello packets but has not received any from the neighbor router.

The neighbor router replies with a Hello packet that contains the receiving router’s ID. When this occurs, the neighbor router is in the 2-Way state. At the end of the 2-Way state, the DR and BDR are elected for broadcast and nonbroadcast multiaccess (NBMA) networks.

On broadcast and NBMA networks, neighbor routers will proceed to the Full state with only the DR and BDR; other neighbor adjacencies will remain in the 2-Way state. If all routers on a segment remain in the 2-Way state, you should verify whether all routers on the segment are set to a priority of 0, which prevents any of them from becoming the DR or BDR.

After the DR and BDR are elected, neighbor routers form master-slave relationships in order to establish the method for exchanging link-state information. Routers in this state are in the Exstart state. If a router is stuck in the Exstart state, you should verify whether there is a problem with mismatched maximum transmission unit (MTU) settings between two routers or duplicate router IDs.

Neighbor routers then exchange database descriptor (DBD) packets. These DBD packets contain link-state advertisement (LSA) headers that describe the contents of the link-state database (LSDB). Routers in this state are in the Exchange state. If a router is stuck in the Exchange state, you should verify whether there is a problem with mismatched MTU settings or duplicate router IDs.

Routers then send link-state request (LSR) packets to request the contents of the neighbor router’s OSPF database. The neighbor router replies with link-state update (LSU) packets that contain the routing database information. Routers in this state are in the Loading state. If a router is stuck in the Loading state, you should verify whether there is a problem with mismatched MTU settings or corrupted LSR packets.

After the OSPF databases of neighbor routers are fully synchronized, the routers transition to the Full state, which is the normal OSPF router state for DRs and BDRs. A router will periodically send Hello packets to its neighbors to indicate that it is still functional. If a router does not receive a Hello packet from a neighbor within the dead timer interval, the neighbor router will transition back to the Down state.

OSPF Neighbor requirements

  1. Area number must match
  2. Interfaces must be in the same subnet
  3. OSPF process must not be shutdown
  4. OSPF Router IDs must be unique
  5. Hello and Dead timers must match
  6. Authentication settings must match
  7. IP MTU settings must match (can become neighbors, but OSPF doesn’t operate properly)
  8. OSPF network type must match (can become neighbors, but OSPF doesn’t operate properly)

3.4.b Point-to-point

Point-to-point network type is enabled on serial interfaces using the PPP or HDLC encapsulations by default.

Routers dynamically discover neighbors by sending/listening for OSPF Hello messages using multicast address

A DR and BDR are not elected. The two routers will form a Full adjacency with each other.

3.4.c Broadcast (DR/BDR selection)

Broadcast network type is enabled on Ethernet and FDDI interfaces by default.

Routers dynamically discover neighbors by sending/listening for OSPF Hello messages using multicast address To send routing information to a DR or BDR the multicast address of is used.

A DR (designated router) and BDR (backup designated router) must be elected on each subnet (only DR if there are no OSPF neighbors). Routers which aren’t the DR or BDR become a DROther.

The DR/BDR election order of Priority:

  1. Highest OSPF interface priority (same by default)
  2. Highest OSPF Router ID
    • highest IP address on a loopback interface
    • highest IP address on a non-loopback interface

“First place” becomes the DR for the subnet, “second place” becomes the BDR.

The default OSPF interface priority is 1 on all interfaces.

In the broadcast network type, routers will only form a full OSPF adjacency with the DR and BDR of the segment. Therefore, routers only exchange LSAs with the DR and BDR. DROthers will not exchange LSAs with each other. All routers will still have the same LSDB, but this reduces the amount of LSAs flooding the network.

3.4.d Router ID

OSPF uses the largest IP address configured on the interfaces as its router ID. If a loopback interface is configured with an IP address, the Cisco IOS software will use this IP address as its router ID.

3.5 Describe the purpose, functions, and concepts of first hop redundancy protocols

A First Hop Redundancy Protocol (FHRP) is a computer networking protocol which is designed to protect the default gateway used on a subnetwork by allowing two or more routers to provide backup for the gateway address; in the event of failure of an active router, the backup router will take over the address, usually within a few seconds.

A virtual IP is configured on the two routers, and a virtual MAC is generated for the virtual IP (each FHRP uses a different format for the virtual MAC)

An active router and a standby router are elected. (different FHRPs use different terms)

End hosts in the network are configured to use the virtual IP as their default gateway.

The active router replies to ARP requests using the virtual MAC address, so traffic destined for other networks will be sent to it.

If the active router fails, the standby becomes the next active router. The new active router will send gratuitous ARP messages so that switches will update their MAC address tables. It now functions as the default gateway.

If the old active router comes back online, by default it won’t take back its role as the active router. It will become the standby router (“non-preemptive”)

Preemption can be configured, so the old router does take back its old role.

List of FHRPs:

  1. HSRP (Hot Standby Router Protocol)
    • HSRP is a Cisco-proprietary protocol that enables multiple routers to function as a single gateway for the network.
    • HSRP configures two or more routers to share a virtual Internet Protocol (IP) address and a virtual MAC address so that the group of routers appears as a single device to other hosts on the network.
    • Based on priority value, HSRP elects a single active router and a standby router.
    • The active router is the router with the highest priority; it forwards packets, responds to Address Resolution Protocol (ARP) requests with a virtual MAC address, and can be the only router that is explicitly configured with the virtual IP address.
    • The standby router is the router with the second-highest priority.
    • If multiple HSRP routers have the same priority, the router with the highest IP address is elected as the active router. The router with the second-highest IP address is elected as the standby router, which will assume the role of the active router if the active router fails.
    • To participate in the active and standby router election process, each HSRP router must be a member of the same group.

There are two versions of HSRP for IPv4 networks: HSRP version 1 and 2. An HSRP version 1 group is identified by a group number from 0 through 255. An HSRP version 2 group is identified by a group number from 0 through 4095. The default HSRP group value for both versions is 0.

To differentiate the virtual MAC addresses of the various groups, HSRP version 1 uses a special format based on the well-known virtual MAC address 0000.0C07.ACxx, where xx is the group number in hexadecimal format.

  • HSRP version 2, on the other hand, uses a virtual MAC address of 0000.0C9F.Fxxx, where xxx is the group number in hexadecimal format.
    • For example, if the virtual MAC address for the HSRP group is 0000.0C9F.F00A, the group number is identified by the final 3 digits, 00A, in the virtual MAC address.
    • Thus, because 00A is the hexadecimal equivalent of 10 in decimal notation, the virtual MAC address 0000.0C9F.F00A indicates that the HSRP group number for this scenario is 10.
  2. VRRP (Virtual Router Redundancy Protocol)
    • VRRP is an IETF-standard FHRP protocol. A VRRP virtual MAC address typically uses the 0000.5E00.01xx format, where xx is the VRRP group number.
  3. GLBP (Gateway Load Balancing Protocol)
    • The GLBP active virtual gateway (AVG) assigns a virtual MAC address to a maximum of four primary active virtual forwarders (AVFs); all other routers in the group are considered secondary AVFs and are placed in the listen state. GLBP virtual MAC addresses typically use the 0007.B400.xxyy format, where xx represents the GLBP group numbers and yy represents the AVF number.

There is also a version of HSRP for IPv6 that uses a range of virtual MAC addresses from 0005.73A0.0000 through 0005.73A0.0FFF. However, configuring HSRP for IPv6 is beyond the scope of the CCNA.
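Because each FHRP uses its own virtual MAC format, a gateway's protocol and group number can be read straight out of an ARP or MAC address table, which helps when checking that the gateway MAC a host has learned matches the FHRP group you expect. The following is an added example, not part of the original notes; the IP/MAC pairs are constructed, and only the formats listed above are recognised.

```python
import re

# Virtual MAC formats from the notes above, written as 12 hex digits.
FORMATS = [
    ("HSRPv1",    re.compile(r"00000C07AC(?P<group>[0-9A-F]{2})")),
    ("HSRPv2",    re.compile(r"00000C9FF(?P<group>[0-9A-F]{3})")),
    ("VRRP",      re.compile(r"00005E0001(?P<group>[0-9A-F]{2})")),
    ("GLBP",      re.compile(r"0007B400(?P<group>[0-9A-F]{2})(?P<avf>[0-9A-F]{2})")),
    # HSRP for IPv6: range 0005.73A0.0000 through 0005.73A0.0FFF (recognised, not decoded).
    ("HSRP-IPv6", re.compile(r"000573A00[0-9A-F]{3}")),
]


def classify(mac):
    """Return protocol, group and (GLBP only) AVF number for an FHRP virtual MAC, else None."""
    digits = re.sub(r"[.:\-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    for protocol, pattern in FORMATS:
        match = pattern.fullmatch(digits)
        if match:
            fields = {k: int(v, 16) for k, v in match.groupdict().items()}
            return {"protocol": protocol,
                    "group": fields.get("group"),
                    "avf": fields.get("avf")}
    return None


def gateways(arp_entries):
    """Pick the FHRP virtual gateways out of (ip, mac) pairs."""
    found = []
    for ip, mac in arp_entries:
        info = classify(mac)
        if info:
            found.append({"ip": ip, "mac": mac, **info})
    return found


# Constructed ARP entries (documentation addresses, made-up MACs).
SAMPLE_ARP = [
    ("192.0.2.1",    "0000.0C9F.F00A"),     # the HSRPv2 example from the notes
    ("192.0.2.10",   "3c:52:82:11:22:33"),  # ordinary host
    ("198.51.100.1", "00-00-5e-00-01-05"),
    ("203.0.113.1",  "0007.b400.0102"),
]

if __name__ == "__main__":
    for entry in gateways(SAMPLE_ARP):
        print(entry)
```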

4.0 IP Services

4.1 Configure and verify inside source NAT using static and pools

NAT (Network Address Translation) is used to modify the source and/or destination IP addresses of packets.

There are various reasons to use NAT, but the most common reason is to allow hosts with private IP addresses to communicate with other hosts over the Internet.

Static NAT involves statically configuring one-to-one mappings of private IP addresses to public IP addresses. When traffic from the internal host is sent to the outside network, the router will translate the source address. However, this one-to-one mapping also allows external hosts to access the internal host via the inside global address.

An inside local IP address is mapped to an inside global IP address.

  • Inside Local: The IP address of the inside host, from the perspective of the local network. (The IP address actually configured on the inside host, usually a private address)
  • Inside Global: The IP address of the inside host, from the perspective of outside hosts (the IP address of the inside host after NAT, usually a public address)
  • Outside Local: The IP address of the host on the outside network as seen from a host on the inside network
  • Outside Global: The IP address configured on a host on the outside network
    • Typically, NAT is configured only for addresses on the inside network; therefore the outside local and global addresses are often identical.

In dynamic NAT, the router dynamically maps inside local addresses to inside global addresses as needed.

An ACL is used to identify which traffic should be translated.

  • If the source IP is permitted by the ACL, the source IP will be translated.
  • If the source IP is denied by the ACL, the source IP will NOT be translated. (the traffic will NOT be dropped!)

A NAT pool is used to define the available inside global addresses that can be used. Although they are dynamically assigned, the mappings are still one-to-one (one inside local IP address per inside global address)

If there aren’t enough inside global IP addresses available (=all are currently being used), it is called ‘NAT pool exhaustion’

  • If a packet from another inside host arrives and needs NAT but there are no available addresses, the router will drop the packet.
  • The host will be unable to access outside networks until one of the inside global IP addresses becomes available.
  • Dynamic NAT entries will time out automatically if not used, or you can clear them manually.

NAT commands:

4.2 Configure and verify NTP operating in a client and server mode

NTP (Network Time Protocol) allows automatic syncing of time over a network.

  • NTP clients request the time from NTP servers.
  • A device can be an NTP server and an NTP client at the same time.
  • NTP allows accuracy of time within ~1 millisecond if the NTP server is in the same LAN, or within ~50 milliseconds if connecting to the NTP server over a WAN/the Internet.
  • Some NTP servers are ‘better’ than others. The ‘distance’ of an NTP server from the original reference clock is called stratum.
  • Reference clock is usually a very accurate time device like an atomic clock or a GPS clock.
  • Reference clocks are stratum 0 within the NTP hierarchy. NTP servers directly connected to reference clocks are stratum 1 (primary servers). NTP servers that get their time from stratum 1 NTP servers are stratum 2 (secondary servers).
  • Stratum 15 is the maximum.
  • An NTP client can sync to multiple NTP servers.
  • Devices can also ‘peer’ with devices at the same stratum to provide more accurate time. This is called ‘symmetric active’ mode.
  • Cisco devices can operate in three NTP modes:
    • Server mode
    • Client mode
    • Symmetric active mode
  • NTP uses UDP port 123 to communicate.
  • NTP uses only the UTC time zone. You must configure the appropriate time zone on each device.

4.3 Explain the role of DHCP and DNS within the network

DNS (Domain Name System) is used to resolve human-readable names ( to IP addresses.

When you type ‘’ into a web browser, your device will ask a DNS server for the IP address of

The DNS server(s) your device uses can be manually configured or learned via DHCP.

Standard DNS queries/responses typically use UDP. TCP is used for DNS messages greater than 512 bytes. In either case, port 53 is used.

Devices will save the DNS server’s responses to a local DNS cache. This means they don’t have to query the server every single time they want to access a particular destination.

ipconfig /displaydns


DHCP (Dynamic Host Configuration Protocol)

  • DHCP is used to allow hosts to automatically/dynamically learn various aspects of their network configuration, such as IP address, subnet mask, default gateway, DNS server, etc, without manual/static configuration.
  • It is an essential part of modern networks. Typically used for ‘client devices’ such as workstations (PCs), phones, etc.
  • Devices such as routers, servers, etc, are usually manually configured.
  • In small networks (such as home networks) the router typically acts as the DHCP server for hosts in the LAN.
  • In larger networks, the DHCP server is usually a Windows/Linux server.

4.4 Explain the function of SNMP in network operations

SNMP (Simple Network Management Protocol) helps manage devices over a network.

Managed Devices are the devices being managed using SNMP, such as network devices (routers, switches, firewalls).

Network Management Stations (NMS) are the SNMP ‘servers’ that manage the devices.

  • NMS receives notifications from managed devices
  • NMS changes settings on managed devices
  • NMS checks status of managed devices

Variables such as interface status, temperature, traffic load, host name, etc. are stored in the Management Information Base (MIB) and identified using Object IDs (OIDs).

Main SNMP versions: SNMPv1, SNMPv2c, SNMPv3

SNMP messages: Get, GetNext, GetBulk, Set, Trap, Inform, Response

There are three main operations used in SNMP.

  1. Managed devices can notify the NMS of events
  2. The NMS can ask the managed devices for information about their current status.
  3. The NMS can tell the managed devices to change aspects of their configuration.

4.5 Describe the use of syslog features including facilities and levels

Syslog is an industry standard protocol for message logging.

On network devices, Syslog can be used to log events such as changes in interface status (up<->down), changes in OSPF neighbor status, system restarts, etc.

The messages can be displayed in the CLI, saved in the device’s RAM, or sent to an external Syslog server.

Logs are essential when troubleshooting issues, examining the cause of incidents, etc.

Syslog and SNMP are both used for monitoring and troubleshooting of devices. They are complementary, but their functionalities are different.

4.6 Configure and verify DHCP client and relay

4.7 Explain the forwarding per-hop behavior (PHB) for QoS, such as classification, marking, queuing, congestion, policing, and shaping

  • The purpose of QoS is to give certain kinds of network traffic priority over others during congestion.
  • Classification organizes network traffic (packets) into traffic classes (categories)
  • Classification is fundamental to QoS. To give priority to certain types of traffic, you have to identify which types of traffic to give priority to.
  • There are many methods of classifying traffic. Some examples:
    • An ACL. Traffic which is permitted by the ACL will be given certain treatments, other traffic will not.
    • NBAR (Network Based Application Recognition) performs a deep packet inspection, looking beyond the Layer 3 and Layer 4 information up to Layer 7 to identify the specific kind of traffic.
    • In the Layer 2 and Layer 3 headers there are specific fields used for this purpose.
  • The PCP (Priority Code Point) field of the 802.1Q tag (in the Ethernet header) can be used to identify high/low priority traffic.
    • Only when there is a dot1q (VLAN) tag!
    • PCP is also known as CoS (Class of Service). Its use is defined by IEEE (802.1p)
    • 3 bits = 8 possible values (2^3 = 8)

  • ‘Best effort’ delivery means there is no guarantee that data is delivered or that it meets any QoS standard. This is regular traffic, not high-priority.
  • IP phones mark call signaling traffic (used to establish calls) as PCP3.
  • They mark the actual voice traffic as PCP5.
  • Because PCP is found in the dot1q header, it can only be used over the following connections:
    • trunk links
    • access links with a voice VLAN
  • The DSCP (Differentiated Services Code Point) field of the IP header can also be used to identify high/low priority traffic.
  • IPP (IP Precedence) markings are similar to PCP, 8 values.
    • 6 and 7 are reserved for ‘network control’ traffic. (ie. OSPF messages between routers)
    • 5 = voice
    • 4 = video
    • 3 = voice signaling
    • 0 = best effort
    • With 6 and 7 reserved, 6 possible values remain.
  • With IPP updated to DSCP, new standard markings had to be decided upon.
  • Default Forwarding (DF) - best effort traffic
    • The DSCP marking for DF is 0.
  • Expedited Forwarding (EF) - low loss/latency/jitter traffic (usually voice)
    • The DSCP marking for EF is 46.
  • Assured Forwarding (AF) - A set of 12 standard values
    • AF defines four traffic classes. All packets in a class have the same priority.
    • Within each class, there are three levels of drop precedence.
      • Higher drop precedence = more likely to drop the packet during congestion

DSCP value = decimal value of the 6 bits.

  • Class Selector (CS) - A set of 8 standard values, provides backward compatibility with IPP
  • The three bits that were added for DSCP are set to 0, and the original IPP bits are used to make 8 values.

RFC 4954 was developed with the help of Cisco to bring all of these values together and standardize their use. The RFC offers many specific recommendations, but here are a few key ones:

  • Voice traffic: EF
  • Interactive video: AF4x
  • Streaming video: AF3x
  • High priority data: AF2x
  • Best effort: DF

The trust boundary of a network defines where devices trust/don’t trust the QoS markings of received messages.

  • If the markings are trusted, the device will forward the message without changing the markings.
  • If the markings aren’t trusted, the device will change the markings according to the configured policy.
  • If an IP phone is connected to the switch port, it is recommended to move the trust boundary to the IP phones.
  • This is done via configuration on the switch port connected to the IP phones.
  • If a user marks their PC’s traffic with a high priority, the marking will be changed (not trusted)
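The DSCP markings and the trust boundary described above can be combined in one decoder. This is an added example, not part of the original notes: the AF bit layout (three class bits, two drop-precedence bits, a trailing 0) comes from the DiffServ standard rather than from the text above, the port names and frames are constructed, and re-marking untrusted traffic to DF is an assumed policy.

```python
def dscp_name(dscp):
    """Name a 6-bit DSCP value: DF, EF, AFxy (class x, drop precedence y), CSx or unassigned."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    if dscp == 0:
        return "DF"                      # Default Forwarding, best effort
    if dscp == 46:
        return "EF"                      # Expedited Forwarding, usually voice
    af_class = dscp >> 3                 # top three bits (the old IPP bits)
    drop = (dscp >> 1) & 0b11            # next two bits
    if 1 <= af_class <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{af_class}{drop}"
    if dscp & 0b111 == 0:
        return f"CS{dscp >> 3}"          # added DSCP bits are 0, only IPP bits used
    return "unassigned"


def ipp(dscp):
    """IP Precedence seen by a device that only reads the original three IPP bits."""
    return dscp >> 3


def af_values():
    """All standard Assured Forwarding code points: 4 classes x 3 drop precedences."""
    return [d for d in range(64) if dscp_name(d).startswith("AF")]


def ingress_marking(port, dscp, trusted_ports, remark_to=0):
    """Trust boundary: keep the marking on trusted ports, otherwise re-mark (assumed policy: DF)."""
    return dscp if port in trusted_ports else remark_to


# Constructed example: an IP phone on Gi0/1 (trusted), a user PC on Gi0/2 (not trusted).
TRUSTED_PORTS = {"Gi0/1"}
FRAMES = [
    ("Gi0/1", 46),   # phone voice traffic
    ("Gi0/1", 24),   # phone call signaling
    ("Gi0/2", 46),   # PC marking its own traffic as voice
    ("Gi0/2", 0),
]


def process(frames, trusted_ports):
    """Return (port, received marking, forwarded marking) for each frame."""
    return [(port, dscp_name(dscp),
             dscp_name(ingress_marking(port, dscp, trusted_ports)))
            for port, dscp in frames]


if __name__ == "__main__":
    for row in process(FRAMES, TRUSTED_PORTS):
        print(row)
    print("AF code points:", [(d, dscp_name(d)) for d in af_values()])
```

The PC's self-assigned EF marking leaves the switch as DF, while the phone's markings pass unchanged.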

QoS is used to manage the following characteristics of network traffic:

  1. Bandwidth
  2. Delay
  3. Jitter
  4. Loss

The following standards are recommended for acceptable interactive audio quality:

  • One-way delay: 150 ms or less
  • Jitter: 30 ms or less
  • Loss: 1% or less

If a network device receives messages faster than it can forward them out of the appropriate interface, the messages are placed in a queue. By default, queued messages will be forwarded in a First In First Out (FIFO) manner.

  • Messages will be sent in the order they are received.

If the queue is full, new packets will be dropped; this is known as tail drop.

Tail drop is harmful because it can lead to TCP global synchronization: all TCP hosts sending traffic slow down the rate at which they send, then all hosts increase their rate again, rapidly leading to more congestion and dropped packets, and the process repeats.

A solution to prevent tail drop and TCP global synchronization is Random Early Detection (RED).

  • When the amount of traffic in the queue reaches a certain threshold, the device will start randomly dropping packets from select TCP flows.
  • In standard RED, all kinds of traffic are treated the same.
  • An improved version, WRED (Weighted Random Early Detection) allows you to control which packets are dropped depending on the traffic class (DSCP value) or IP precedence.

An essential part of QoS is the use of multiple queues.

  • This is where classification plays a role. The device can match traffic based on various factors (for example the DSCP marking in the IP header) and then place it in the appropriate queue.

However, the device is only able to forward one frame out of an interface at once, so a scheduler is used to decide which queue traffic is forwarded from next.

  • Prioritization allows the scheduler to give certain queues more priority than others.

A common scheduling method is weighted round-robin.

  • round-robin = packets are taken from each queue in order, cyclically
  • weighted = more data is taken from high priority queues each time the scheduler reaches that queue.

CBWFQ (Class-Based Weighted Fair Queuing) is a popular method of scheduling, using a weighted round-robin scheduler while guaranteeing each queue a certain percentage of the interface’s bandwidth during congestion.

Round-robin scheduling is not ideal for voice/video traffic. Even if the voice/video traffic receives a guaranteed minimum amount of bandwidth, round-robin can add delay and jitter because even the high priority queues have to wait their turn in the scheduler.

LLQ (Low Latency Queuing) designates one (or more) queues as strict priority queues.

  • This means that if there is traffic in the queue, the scheduler will ALWAYS take the next packet from that queue until it is empty.

This is very effective for reducing the delay and jitter of voice/video traffic.

However, it has the downside of potentially starving other queues if there is always traffic in the designated strict priority queue.

  • Policing can control the amount of traffic allowed in the strict priority queue so that it can’t take all of the link’s bandwidth.

Traffic shaping and policing are both used to control the rate of traffic.

Shaping buffers traffic in a queue if the traffic rate goes over the configured rate.

Policing drops traffic if the traffic rate goes over the configured rate. (policing can also optionally re-mark the traffic instead of dropping)

  • ‘Burst’ traffic over the configured rate is allowed for a short period of time.
  • This accommodates data applications which typically are ‘bursty’ in nature. Instead of a constant stream of data, they send data in bursts.
  • The amount of burst traffic allowed is configurable.

In both cases, classification can be used to allow for different rates for different kinds of traffic.
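The scheduling and policing behaviour described above (weighted round-robin, an LLQ strict-priority queue, and a policer with a burst allowance), as an added example that is not part of the original notes. The one-packet-per-tick link model, the class names, the weights and the arrival rates are assumptions chosen for illustration.

```python
from collections import deque

CLASSES = ("voice", "data", "bulk")  # hypothetical traffic classes


def simulate(ticks, arrival_period, mode, weights=None, police=None):
    """Simulate a link that forwards exactly one packet per tick.

    arrival_period: {class: n}, one packet of that class arrives every n ticks.
    mode: "wrr" (weighted round-robin) or "llq" (voice is a strict-priority queue).
    police: (rate, burst) token bucket applied to voice arrivals, or None.
    Returns sent counts per class, policer drops and voice queuing delays in ticks.
    """
    weights = weights or {"voice": 2, "data": 1, "bulk": 1}
    cycle = [c for c in CLASSES for _ in range(weights[c])]  # e.g. v, v, d, b
    queues = {c: deque() for c in CLASSES}
    sent = {c: 0 for c in CLASSES}
    voice_delays, dropped, ptr = [], 0, 0
    tokens = police[1] if police else 0.0  # bucket starts full (burst allowed)

    for t in range(ticks):
        if police:
            tokens = min(police[1], tokens + police[0])  # refill, capped at burst
        for c in CLASSES:
            if t % arrival_period[c]:
                continue  # no arrival for this class on this tick
            if c == "voice" and police:
                if tokens < 1:
                    dropped += 1  # over the policed rate: packet is dropped
                    continue
                tokens -= 1
            queues[c].append(t)  # remember the arrival tick

        chosen = None
        if mode == "llq" and queues["voice"]:
            chosen = "voice"  # strict priority: always served first
        else:
            for i in range(len(cycle)):  # next non-empty queue in the cycle
                slot = (ptr + i) % len(cycle)
                if queues[cycle[slot]]:
                    chosen, ptr = cycle[slot], (slot + 1) % len(cycle)
                    break
        if chosen:
            arrived = queues[chosen].popleft()
            sent[chosen] += 1
            if chosen == "voice":
                voice_delays.append(t - arrived)
    return {"sent": sent, "dropped": dropped, "voice_delays": voice_delays}


if __name__ == "__main__":
    normal = {"voice": 4, "data": 1, "bulk": 1}  # light voice, congested data
    flood = {"voice": 1, "data": 2, "bulk": 2}   # priority class always busy
    print("WRR voice delays:", simulate(40, normal, "wrr")["voice_delays"])
    print("LLQ voice delays:", simulate(40, normal, "llq")["voice_delays"])
    print("LLQ, unpoliced  :", simulate(40, flood, "llq")["sent"])
    print("LLQ, policed    :", simulate(40, flood, "llq", police=(0.5, 2)))
```

Under round-robin the voice delay varies from packet to packet (jitter); under unpoliced LLQ the data and bulk queues are starved when the priority queue never empties, and the policer restores their share.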

Example of why the rate traffic is being sent/received is being limited:

4.8 Configure network devices for remote access using SSH

SSH (Secure Shell) allows for remote access while providing security features such as data encryption and authentication.

The SSH server (the device being connected to) listens for SSH traffic on TCP port 22.

To enable and use SSH, you must generate an RSA public and private key pair. The keys are used for data encryption/decryption, authentication, etc.

4.9 Describe the capabilities and function of TFTP/FTP in the network

FTP (File Transfer Protocol) and TFTP (Trivial File Transfer Protocol) are industry standard protocols used to transfer files over a network. They both use a client-server model.

  • Clients can use FTP or TFTP to copy files from a server.
  • Clients can use FTP or TFTP to copy files to a server.

As a network engineer, the most common use for FTP/TFTP is in the process of upgrading the operating system of a network device. You can use FTP/TFTP to download the newer version of IOS from a server, and then reboot the device with the new IOS image.

FTP uses usernames and passwords for authentication, however there is no encryption.

  • FTP uses TCP ports 20 and 21.
  • For greater security, FTPS (FTP over SSL/TLS) can be used.
  • SSH File Transfer Protocol (SFTP) can also be used for greater security (new protocol)
  • FTP is more complex than TFTP and allows not only file transfers, but clients can also navigate file directories, add and remove directories, list files, etc.
  • The client sends FTP commands to the server to perform these functions.

TFTP is named trivial because it is simple and has only basic features compared to FTP.

  • Only allows a client to copy a file to or from a server.
  • Released after FTP, but not a replacement for FTP. It is another tool to use when lightweight simplicity is more important than functionality.
  • No authentication, servers will respond to all TFTP requests. No encryption, so all data is sent in plain text.
  • Best used in a controlled environment to transfer small files quickly.
  • TFTP servers listen on UDP port 69.
  • UDP is connectionless and doesn’t provide reliability with retransmissions, however, TFTP has similar built-in features within the protocol itself.
  • TFTP uses ‘lock-step’ communication. The client and server alternately send a message and then wait for a reply. (+retransmissions are sent as needed)
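The lock-step exchange and retransmissions described above, as an added example that is not part of the original notes. The packet layouts follow RFC 1350; the in-memory "network", the `drop` parameter and the file name are assumptions used to make packet loss reproducible.

```python
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5  # opcodes from RFC 1350
BLOCK_SIZE = 512                             # bytes of file data per DATA packet


def build_rrq(filename, mode="octet"):
    # A read request carries only a file name and a mode: no credential field.
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def parse(packet):
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode in (RRQ, WRQ):
        filename, mode, _ = packet[2:].split(b"\0", 2)
        return {"op": opcode, "filename": filename.decode(), "mode": mode.decode()}
    if opcode == DATA:
        return {"op": opcode, "block": struct.unpack("!H", packet[2:4])[0],
                "data": packet[4:]}
    if opcode == ACK:
        return {"op": opcode, "block": struct.unpack("!H", packet[2:4])[0]}
    raise ValueError("unsupported opcode")


def transfer(file_bytes, drop=frozenset()):
    """Server sends DATA n and waits for ACK n before sending DATA n+1.

    drop: transmission numbers (1-based, counting DATA and ACK packets) that the
    simulated network loses. A lost DATA or ACK makes the server time out and
    resend the same block. Returns (bytes the client stored, packet log).
    """
    # A final block shorter than 512 bytes (possibly empty) ends the transfer.
    blocks = [file_bytes[i:i + BLOCK_SIZE]
              for i in range(0, len(file_bytes) + 1, BLOCK_SIZE)]
    received, expected, log, tx = bytearray(), 1, [], 0
    for number, payload in enumerate(blocks, start=1):
        while True:
            tx += 1
            log.append(("DATA", number))
            if tx in drop:
                continue                    # DATA lost: timeout, resend
            msg = parse(build_data(number, payload))
            if msg["block"] == expected:    # new block: store it
                received += msg["data"]
                expected += 1
            tx += 1                         # client ACKs (duplicates are re-ACKed)
            log.append(("ACK", msg["block"]))
            if tx in drop:
                continue                    # ACK lost: timeout, resend DATA
            if parse(build_ack(msg["block"]))["block"] == number:
                break                       # acknowledged: move to next block
    return bytes(received), log


if __name__ == "__main__":
    print(parse(build_rrq("config.txt")))   # constructed file name
    sample = b"A" * 1200                     # constructed 1200-byte file
    stored, log = transfer(sample, drop={2, 3})
    print(stored == sample, log)
```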

5.0 Security Fundamentals

The principles of the CIA Triad form the foundation of security:

Confidentiality

  • Only authorized users should be able to access data.
  • Some information/data is public and can be accessed by anyone, some is secret and should only be accessed by specific people.

Integrity

  • Data should not be tampered with (modified) by unauthorized users.
  • Data should be correct and authentic.

Availability

  • The network/system should be operational and accessible to authorized users.

5.1 Define key security concepts (threats, vulnerabilities, exploits, and mitigation techniques)

A vulnerability is any potential weakness that can compromise the CIA of a system/info.

  • a potential weakness isn’t a problem on its own

An exploit is something that can potentially be used to exploit the vulnerability.

  • something that can potentially be used as an exploit isn’t a problem on its own

A threat is the potential of a vulnerability to be exploited.

  • A hacker exploiting a vulnerability in your system is a threat.

A mitigation technique is something that can protect against threats.

  • Should be implemented everywhere a vulnerability can be exploited: client devices, servers, switches, routers, firewalls, etc.

Common attacks:

  • MAC spoofing
    • An attacker uses the MAC address of another known host on the network in order to bypass port security measures. MAC spoofing can also be used to impersonate another host on the network. Implementing port security with sticky secure MAC addresses can help mitigate MAC spoofing attacks.
  • MAC flooding
    • An attacker generates thousands of forged frames every minute with the intention of overwhelming the switch’s MAC address table. Once this table is flooded, the switch can no longer make intelligent forwarding decisions and all traffic is flooded.
    • This allows the attacker to view all data sent through the switch because all traffic will be sent out each port. Implementing port security can help mitigate MAC flooding attacks by limiting the number of MAC addresses that can be learned on each interface to a maximum of 128. A MAC flooding attack is also known as a Content Addressable Memory (CAM) table overflow attack.
  • ARP poisoning
    • Also known as an ARP (Address Resolution Protocol) spoofing attack, the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker’s MAC address with the Internet Protocol (IP) addresses of a valid host on the network.
    • Subsequently, traffic sent to the valid host address will go through the attacker’s computer rather than directly to the intended recipient. Implementing Dynamic ARP Inspection (DAI) can help mitigate ARP poisoning attacks. This is a man-in-the-middle style of attack.
  • DHCP spoofing
    • An attacker installs a rogue DHCP server on a network in an attempt to intercept DHCP requests. The rogue DHCP server can then respond to the DHCP requests with its own IP address as the default gateway address; hence all traffic is routed through the rogue DHCP server. You should enable DHCP snooping to help prevent DHCP spoofing attacks.
  • VLAN hopping
    • An attacker attempts to inject packets into other VLANs by accessing the VLAN trunk and double-tagging 802.1Q frames. A successful VLAN hopping attack enables an attacker to send traffic to other VLANs without the use of a router.
    • You can prevent VLAN hopping by disabling Dynamic Trunking Protocol (DTP) on trunk ports, by changing the native VLAN, and by configuring user-facing ports as access ports.

5.2 Describe security program elements (user awareness, training, and physical access control)

User awareness programs are designed to make employees aware of potential security threats and risks.

  • For example, a company might send out false phishing emails to make employees click a link and sign in with their login credentials.
  • Although the emails are harmless, employees who fall for the false emails will be informed that it is part of a user awareness program and they should be more careful about phishing emails.

User training programs are more formal than user awareness programs.

  • For example, dedicated training sessions which educate users on the corporate security policies, how to create strong passwords, and how to avoid potential threats.

Physical access control protects equipment and data from potential attackers by only allowing authorized users into protected areas such as network closets or data center floors.

  • Multifactor locks can protect access to restricted areas.
  • ie. a door that requires users to swipe a badge and scan their fingerprint to enter.
  • Permissions of the badge can easily be changed, for example permissions can be removed when an employee leaves the company.

5.3 Configure and verify device access control using local passwords

5.4 Describe security password policies elements, such as management, complexity, and password alternatives (multifactor authentication, certificates, and biometrics)

Multi-factor authentication involves providing more than just a username/password to prove your identity. It usually involves providing two (or more) of the following:

  • Something you know
    • a username/password combination, a PIN, etc.
  • Something you have
    • pressing a notification that appears on your phone, a badge that is scanned, etc.
  • Something you are
    • biometrics such as a face scan, palm scan, fingerprint scan, retina scan, etc.

Requiring multiple factors of authentication greatly increases security.

Digital certificates are another form of authentication used to prove the identity of the holder of the certificate. They are used for websites to verify that the website being accessed is legitimate.

Entities that want a certificate to prove their identity send a CSR (Certificate Signing Request) to a CA (Certificate Authority), which will generate and sign the certificate.

5.5 Describe IPsec remote access and site-to-site VPNs

To provide secure communications over the Internet, VPNs (Virtual Private Networks) are used. We will cover two kinds of Internet VPNs:

  1. Site-to-Site VPNs using IPsec
  2. Remote-access VPNs using TLS

Site-to-Site VPNs (IPsec)

  • A site-to-site VPN is a VPN between two devices and is used to connect two sites together over the Internet.
  • A VPN ‘tunnel’ is created between the two devices by encapsulating the original IP packet with a VPN header and a new IP header.
    • When using IPsec, the original packet is encrypted before being encapsulated with the new header.
  • provides data confidentiality, data integrity, and origin authentication.
  • IPsec uses Encapsulating Security Protocol (ESP) to provide data confidentiality. ESP encrypts an entire IP packet and encapsulates it as the payload of a new IP packet. Because the entire IP packet is encrypted, the data payload and header information remain confidential.
  • In addition, IPsec uses Authentication Header (AH) to ensure the integrity of a packet and to authenticate the origin of a packet. AH does not authenticate the identity of an IPsec peer; instead, AH verifies only that the source address in the packet has not been modified during transit.

Site-to-site VPNs:

There are some limitations to standard IPsec:

IPsec doesn’t support broadcast and multicast traffic, only unicast. This means that routing protocols such as OSPF can’t be used over the tunnels, because they rely on multicast traffic.

  • This can be solved with ‘GRE over IPsec’.
  • GRE (Generic Routing Encapsulation) creates tunnels like IPsec, however it does not encrypt the original packet, so it is not secure.
  • However, it has the advantage of being able to encapsulate a wide variety of Layer 3 protocols, including broadcast and multicast messages.
  • To get the flexibility of GRE with the security of IPsec, ‘GRE over IPsec’ can be used.
  • The original packet will be encapsulated by a GRE header and a new IP header, and then the GRE packet will be encrypted and encapsulated within an IPsec VPN header and new IP header.
  • GRE can tunnel traffic from one network to another without requiring the transport network to support the network protocols in use at the tunnel source or tunnel destination.
  • Because the focus of GRE is to transport many different protocols, it has very limited security features.
  • By contrast IPsec has strong data confidentiality and data integrity features but it can transport only IP traffic. GRE over IPsec combines the best features of both protocols to securely transport any protocol over an IP network.

Configuring a full mesh of tunnels between many sites is a labor-intensive task.

  • This can be solved with Cisco’s DMVPN.
  • DMVPN (Dynamic Multipoint VPN) is a Cisco-developed solution that allows routers to dynamically create a full mesh of IPsec tunnels without having to manually configure every single tunnel.
  • DMVPN provides the configuration simplicity of hub-and-spoke (each spoke router only needs one tunnel configured) and the efficiency of direct spoke-to-spoke communication (spoke routers can communicate directly without traffic passing through the hub)

Remote-Access VPNs

  • Whereas site-to-site VPNs are used to make a point-to-point connection between two sites over the Internet, remote-access VPNs are used to allow end devices (PC, mobile phones) to access the company’s internal resources securely over the Internet.
  • Remote-access VPNs typically use TLS (Transport Layer Security)
    • TLS is also what provides security for HTTPS (HTTP Secure)
    • TLS was formerly known as SSL (Secure Sockets Layer) and developed by Netscape, but was renamed to TLS when it was standardized by the IETF.
  • VPN client software (for example Cisco AnyConnect) is installed on end devices (for example, company-provided laptops that employees use to work from home).
  • These end devices then form secure tunnels to one of the company’s router/firewalls acting as a TLS server.
  • This allows the end users to securely access resources on the company’s internal network without being directly connected to the company network.

Remote-Access VPNS:

Site-to-Site vs Remote-Access VPN

  • Site-to-Site VPNs typically use IPsec.
  • Remote-Access VPNs typically use TLS.
  • Site-to-Site VPNs provide service to many devices within the sites they are connecting.
  • Remote-Access VPNs provide service to the one end device the VPN client software is installed on.
  • Site-to-Site VPNs are typically used to permanently connect two sites over the Internet.
  • Remote-Access VPNs are typically used to provide on-demand access for end devices that want to securely access company resources while connected to a network which is not secure.

5.6 Configure and verify access control lists

ACLs (Access Control Lists) function as a packet filter, instructing the router to permit or discard specific traffic.

ACLs can filter traffic based on source/destination IP addresses, source/destination Layer 4 ports, etc.

ACLs are configured globally on the router, and consist of an ordered sequence of ACEs (Access Control Entries)

Configuring an ACL will not make the ACL take effect; the ACL must be applied to an interface. ACLs are applied either inbound or outbound.

If the packet matches one of the ACEs in the ACL, the router takes the action and stops processing the ACL; all entries below the matching entry will be ignored.

There is an implicit deny at the end of all ACLs. The implicit deny tells the router to deny all traffic that doesn’t match any of the configured entries in the ACL.

Standard ACLs: Match based on the Source IP address only.

  • Standard ACLs can use 1-99 and 1300-1999.
  • Standard ACLs should be applied as close to the destination as possible.
  • R1(config)# access-list (#) (deny/permit) (ip) (wildcard-mask)
  • R1(config-if)# ip access-group (#) (in/out)

Extended ACLs: Match based on Source/Destination IP, Source/Destination port/protocol, etc

  • Extended ACLs can use 100-199, 2000-2699.
  • Extended ACLs should be applied as close to the source as possible.

R1(config)# access-list (#) (permit/deny) (protocol) (src-ip) (dest-ip)

R1(config)# ip access-list extended (name/number)

R1(config-ext-nacl)# (seq-num) (permit/deny) (protocol) (src-ip) (dest-ip)
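How first-match processing, wildcard masks and the implicit deny interact, as an added example that is not part of the original notes and is not router code. The dictionary layout, the function names and the sample ACL with its addresses are constructed for illustration; `shadowed` goes slightly beyond the text by flagging entries that can never match because an earlier entry covers them.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # wildcard mask of all ones matches anything


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def host(addr):
    return (addr, "0.0.0.0")  # wildcard mask of all zeros matches one address


def addr_matches(addr, spec):
    """Wildcard mask: 0 bits must match, 1 bits are ignored."""
    base, wildcard = spec
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)


def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and addr_matches(pkt["src"], ace["src"])
            and addr_matches(pkt["dst"], ace["dst"])
            and ace.get("dport") in (None, pkt.get("dport")))


def evaluate(acl, pkt):
    """Return (action, seq) of the first matching ACE, else the implicit deny."""
    for ace in sorted(acl, key=lambda a: a["seq"]):
        if ace_matches(ace, pkt):
            return ace["action"], ace["seq"]
    return "deny", None  # implicit deny at the end of every ACL


def _covers(a, b):
    """True if every address matched by spec b is also matched by spec a."""
    (base_a, wc_a), (base_b, wc_b) = a, b
    care_a = ~_int(wc_a) & 0xFFFFFFFF
    return (_int(wc_b) & care_a) == 0 and ((_int(base_a) ^ _int(base_b)) & care_a) == 0


def shadowed(acl):
    """List (later_seq, earlier_seq) pairs where the later ACE can never match."""
    ordered = sorted(acl, key=lambda a: a["seq"])
    hits = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier["proto"] in ("ip", later["proto"])
                    and _covers(earlier["src"], later["src"])
                    and _covers(earlier["dst"], later["dst"])
                    and earlier.get("dport") in (None, later.get("dport"))):
                hits.append((later["seq"], earlier["seq"]))
                break
    return hits


# Constructed ACL: the broad permit at seq 10 sits above the Telnet deny at seq 20.
ACL = [
    {"seq": 10, "action": "permit", "proto": "tcp",
     "src": ("10.1.0.0", "0.0.255.255"), "dst": host("192.168.5.10")},
    {"seq": 20, "action": "deny", "proto": "tcp",
     "src": ("10.1.1.0", "0.0.0.255"), "dst": host("192.168.5.10"), "dport": 23},
    {"seq": 30, "action": "permit", "proto": "udp",
     "src": ANY, "dst": host("192.168.5.53"), "dport": 53},
]
# Same entries with the specific deny moved above the broad permit.
FIXED = [dict(ACL[1], seq=5), ACL[0], ACL[2]]

TELNET = {"proto": "tcp", "src": "10.1.1.7", "dst": "192.168.5.10", "dport": 23}
PING = {"proto": "icmp", "src": "10.1.1.7", "dst": "192.168.5.10"}

if __name__ == "__main__":
    print(evaluate(ACL, TELNET), shadowed(ACL))      # deny is never reached
    print(evaluate(FIXED, TELNET), shadowed(FIXED))  # deny now matches first
    print(evaluate(FIXED, PING))                     # falls to the implicit deny
```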

5.7 Configure and verify Layer 2 security features (DHCP snooping, dynamic ARP inspection, and port security)

DHCP snooping is a security feature of switches that is used to filter DHCP messages received on untrusted ports.

DHCP snooping only filters DHCP messages. Non-DHCP messages aren’t affected.

All ports are untrusted by default.

  • Usually, uplink ports are configured as trusted ports, and downlink ports remain untrusted.

Dynamic ARP inspection (DAI) is a security feature of switches that is used to filter ARP messages received on untrusted ports.

DAI only filters ARP messages. Non-ARP messages aren’t affected.

All ports are untrusted by default.

  • Typically, all ports connected to other network devices (switches, routers) should be configured as trusted, while interfaces connected to end hosts should remain untrusted.

Port security is a security feature of Cisco switches. It allows you to control which source MAC address(es) are allowed to enter the switchport.

If an unauthorized source MAC address enters the port, an action will be taken.

  • The default action is to place the interface in an ‘err-disabled’ state.

When you enable port security on an interface with the default settings, one MAC address is allowed.

  • You can configure the allowed MAC address manually.
  • If you don’t configure it manually, the switch will allow the first source MAC address that enters the interface.
  • You can change the maximum number of MAC addresses allowed
  • A combination of manually configured MAC addresses and dynamically learned addresses is possible.
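The port security behaviour described above, modelled as an added example that is not part of the original notes and is not switch code. The class and method names and the MAC addresses are constructed; only the default violation action (placing the interface in the err-disabled state) is modelled.

```python
class SecurePort:
    """One switchport with port security enabled and the default violation action."""

    def __init__(self, maximum=1, static=()):
        self.maximum = maximum                       # default: one MAC address
        self.allowed = [m.lower() for m in static]   # manually configured MACs
        if len(self.allowed) > maximum:
            raise ValueError("more static MACs than the configured maximum")
        self.state = "up"
        self.violation_mac = None

    def receive(self, src_mac):
        """Process one frame by source MAC and return what the port did with it."""
        mac = src_mac.lower()
        if self.state == "err-disabled":
            return "discarded"                       # port is down for everyone
        if mac in self.allowed:
            return "forwarded"
        if len(self.allowed) < self.maximum:
            self.allowed.append(mac)                 # dynamically learned
            return "learned"
        self.state = "err-disabled"                  # default violation action
        self.violation_mac = mac
        return "violation"


def replay(port, frames):
    """Feed a list of source MACs through the port in order."""
    return [port.receive(mac) for mac in frames]


def constructed_macs(count):
    """Generate distinct, locally administered MACs for the simulation."""
    return [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(count)]


if __name__ == "__main__":
    pc, phone, other = "02:aa:00:00:00:01", "02:aa:00:00:00:02", "02:aa:00:00:00:03"

    # Default settings: first source MAC is learned, a second one shuts the port.
    default_port = SecurePort()
    print(replay(default_port, [pc, pc, other, pc]), default_port.state)

    # Maximum raised to 2: one static entry (phone) plus one learned entry (PC).
    voice_port = SecurePort(maximum=2, static=[phone])
    print(replay(voice_port, [phone, pc, pc, other]), voice_port.violation_mac)

    # Many different source MACs on one port: only `maximum` are ever learned.
    edge_port = SecurePort()
    results = replay(edge_port, constructed_macs(1000))
    print(len(edge_port.allowed), results.count("discarded"))
```

Note the availability cost visible in the first run: once the port is err-disabled, frames from the legitimate MAC are discarded as well.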

5.8 Compare authentication, authorization, and accounting concepts

AAA (triple-A) stands for Authentication, Authorization, and Accounting.

It is a framework for controlling and monitoring users of a computer system (ie. a network)

Authentication is the process of verifying a user’s identity.

  • logging in = authentication

Authorization is the process of granting the user the appropriate access and permissions.

  • granting the user access to some files/services, restricting access to other files/services = authorization.

Accounting is the process of recording the user’s activities on the system.

  • logging when a user makes a change to a file = accounting

5.9 Describe wireless security protocols (WPA, WPA2, and WPA3)

The Wi-Fi alliance has developed three WPA certifications for wireless devices:

  • WPA
  • WPA2
  • WPA3

To be WPA-certified, equipment must be tested in authorized testing labs.

All of the above support two authentication modes:

  • Personal mode: A pre-shared key (PSK) is used for authentication. When you connect to a home Wi-Fi network, enter the password and are authenticated, that is personal mode. This is common in small networks. The PSK itself is not sent over the air. A four-way handshake is used to generate encryption keys.
  • Enterprise mode: 802.1X is used with an authentication server (RADIUS server). No specific EAP method is specified, so all are supported (PEAP, EAP-TLS, etc).

The WPA certification was developed after WEP was proved to be vulnerable and includes the following protocols:

  • TKIP (based on WEP) provides encryption/MIC
  • 802.1X authentication (Enterprise mode) or PSK (Personal mode)

WPA2 was released in 2004 and includes the following protocols:

  • CCMP provides encryption/MIC.
  • 802.1X authentication (Enterprise mode) or PSK (Personal mode)

WPA3 was released in 2018 and includes the following protocols:

  • GCMP provides encryption/MIC
  • 802.1X authentication (Enterprise mode) or PSK (Personal mode)
  • WPA3 also provides several additional security features, for example:
    • PMF (Protected Management Frames), protecting 802.11 management frames from eavesdropping/forging.
    • SAE (Simultaneous Authentication of Equals) protects the four-way handshake when using personal mode authentication.
    • Forward secrecy prevents data from being decrypted after it has been transmitted over the air, to prevent an attacker from capturing wireless frames and then trying to decrypt them later.

5.10 Configure and verify WLAN within the GUI using WPA2 PSK

6.0 Automation and Programmability

There are various tools/methods that can be used to automate tasks in the network:

  • SDN (Software-Defined Networking)
  • Ansible
  • Puppet
  • Python scripts, etc

6.1 Explain how automation impacts network management

Network automation provides many key benefits:

  • Human error (typos etc.) is reduced.
  • Networks become much more scalable. New deployments, network-wide changes, and troubleshooting can be implemented in a fraction of the time.
  • Network-wide policy compliance can be assured (standard configurations, software versions, etc).
  • The improved efficiency of network operations reduces the opex (operating expenses) of the network. Each task requires fewer man-hours.

6.2 Compare traditional networks with controller-based networking

In traditional networking, the data plane and control plane are both distributed. Each device has its own data plane and its own control plane. The planes are ‘distributed’ throughout the network.

Networking tasks can be automated in traditional network architectures too:

  • Scripts can be written (ie. using Python) to push commands to many devices at once
  • Python with good use of regular expressions can parse through show commands to gather information about the network devices.

However, the robust and centralized data collected by SDN controllers greatly facilitates these functions.

  • The controller collects information about all devices in the network.
  • Northbound APIs allow apps to access information in a format that is easy for programs to understand (ie. JSON, XML)
  • The centralized data facilitates network-wide analytics.

SDN tools can provide the benefits of automation without the requirement of third-party scripts & apps.

  • You don’t need expertise in automation to make use of SDN tools.
  • However, APIs allow third-party applications to interact with the controller, which can be very powerful.

Although SDN and automation aren’t the same thing, the SDN architecture greatly facilitates the automation of various tasks in the network via the SDN controller and APIs.

6.3 Describe controller-based, software defined architecture (overlay, underlay, and fabric)

SDN (Software-Defined Networking) is an approach to networking that centralizes the control plane into an application called a controller.

SDN is also called the Software-Defined Architecture (SDA) or Controller-Based Networking.

Traditional control planes use a distributed architecture.

  • For example, each router in the network runs OSPF and the routers share routing information and then calculate their preferred routes to each destination.

An SDN controller centralizes control plane functions like calculating routes (EIGRP, OSPF).

  • That is just an example, and how much of the control plane is centralized varies greatly.

The controller can interact programmatically with the network devices using APIs (Application Programming Interface)

The SBI is used for communications between the controller and the network devices it controls.

The NBI is what allows us to interact with the controller with our scripts and applications.

  • The underlay is the underlying physical network of devices and connections (including wired and wireless) which provide IP connectivity (ie. using IS-IS).
    • Multilayer switches and their connections
  • The overlay is the virtual network built on top of the physical underlay network.
    • SD-Access uses VXLAN (Virtual Extensible LAN) to build tunnels
  • The fabric is the combination of the overlay and underlay; the physical and virtual network as a whole.

SD-Access Underlay

  • The underlay’s purpose is to support the VXLAN tunnels of the overlay.
  • There are three different roles for switches in SD-Access:
    • Edge nodes: Connect to end hosts
    • Border nodes: Connect to devices outside of the SD-Access domain, ie. WAN routers
    • Control nodes: Use LISP (Locator ID Separation Protocol) to perform various control plane functions.
  • You can add SD-Access on top of an existing network (brownfield deployment) if your network hardware and software supports it.
    • Google ‘Cisco SD-Access compatibility matrix’ if you’re curious.
    • In this case DNA Center won’t configure the underlay.
  • A new deployment (greenfield deployment) will be configured by DNA Center to use the optimal SD-Access underlay:
    • All switches are Layer 3 and use IS-IS as their routing protocol.
    • All links between switches are router ports. This means STP is not needed.
    • Edge nodes (access switches) act as the default gateway of end hosts (routed access layer)

SD-Access Overlay

LISP provides the control plane of SD-Access

  • A list of mappings of EID (endpoint identifiers) to RLOCs (routing locations) is kept.
  • EIDs identify end hosts connected to edge switches, and RLOCs identify the edge switch which can be used to reach the end host.
  • There is a LOT more detail to cover about LISP, but this is just to show how it differs from the traditional control plane.

Cisco TrustSec (CTS) provides policy control (QoS, security policy, etc.).

VXLAN provides the data plane of SD-Access.

6.3.a Separation of control plane and data plane

The various functions of network devices can be logically divided up (categorized) into planes:

Data plane

  • All tasks involved in forwarding user data/traffic from one interface to another are part of the data plane.
  • A router receives a message, looks for the most specific matching route in its routing table, and forwards it out of the appropriate interface to the next hop.
    • It also de-encapsulates the original Layer 2 header, and re-encapsulates with a new header destined for the next hop’s MAC address.
  • A switch receives a message, looks at the destination MAC address, and forwards it out of the appropriate interface (or floods it).
    • This includes functions like adding or removing 802.1q VLAN tags.
  • NAT (changing the src/dst addresses before forwarding) is part of the data plane.
  • Deciding to forward or discard messages due to ACLs, port security, etc. is part of the data plane.
  • The data plane is also called the ‘forwarding plane’.
  • Layer 2 switches, layer 3 switches, and end devices typically operate in the data plane.
  • Network tasks that are typically performed in the data plane include the encapsulation and decapsulation of packets, the adding or removing of trunk headers, the matching of MAC addresses to a MAC address table, the matching of IP addresses to paths in a routing table, the encryption of data, NAT, and filtering by using either ACLs or port security.

Control plane

  • How does a device’s data plane make its forwarding decisions?
    • routing table, MAC address table, ARP table, STP, OSPF, EIGRP etc.
  • Functions that build these tables (and other functions that influence the data plane) are part of the control plane.
  • The control plane controls what the data plane does, for example by building the router’s routing table.
  • The control plane performs overhead work.
    • OSPF itself doesn’t forward user data packets, but it informs the data plane about how packets should be forwarded.
    • STP itself isn’t directly involved in the process of forwarding frames, but it informs the data plane about which interfaces should and shouldn’t be used to forward frames.
    • ARP messages aren’t user data, but they are used to build an ARP table which is used in the process of forwarding data.
    • In a traditional network, the control plane is typically distributed among many devices (ex. OSPF)
    • In a controller-based network, the decision-making logic is either moved to a central controller or monitored by a central controller.

Management plane

  • Like the control plane, the management plane performs overhead work.
    • However, the management plane doesn’t directly affect the forwarding of messages in the data plane.
  • The management plane consists of protocols that are used to manage devices.
    • SSH/Telnet, used to connect to the CLI of a device to configure/manage it.
    • Syslog, used to keep logs of events that occur on the device.
    • SNMP, used to monitor the operations of the device.
    • NTP, used to maintain accurate time on the device.

When a device receives control/management traffic (destined for itself), it will be processed in the CPU.

When a device receives data traffic which should pass through the device, it is processed by the ASIC for maximum speed.

6.3.b Northbound and Southbound APIs

The SBI (Southbound Interface) is used for communications between the controller and the network devices it controls. Southbound APIs enable an SDN controller to communicate with devices in the data plane.

It typically consists of a communication protocol and API (Application Programming Interface).

APIs facilitate data exchanges between programs.

  • Data is exchanged between the controller and the network devices.
  • An API on the network devices allows the controller to access information on the devices, control their data plane tables, etc

Some examples of SBIs are: OpenFlow, Cisco OpFlex, Cisco onePK (Open Network Environment Platform Kit), NETCONF

Using the SBI, the controller communicates with the managed devices and gathers information about them:

  • The devices in the network
  • The topology (how the devices are connected together)
  • the available interfaces on each device
  • their configurations

The NBI (Northbound Interface) is what allows us to interact with the controller, access the data it gathers about the network, program it, and make changes in the network via the SBI.

Northbound APIs enable an SDN controller to communicate with applications in the application plane. The application plane is a component of a controller-based network in which applications that are written to allow interaction with the centralized controller reside.

Applications use northbound APIs (REST, OSGi) to send requests or instructions to the SDN controller, which uses that information to modify and manage network flow/manage network efficiency.

A REST (Representational State Transfer) API is used on the controller as an interface for apps to interact with it.

Data is sent in a structured (serialized) format such as JSON or XML.

  • This makes it much easier for programs to use the data.

6.4 Compare traditional campus device management with Cisco DNA Center enabled device management

Cisco SD-Access is Cisco’s SDN solution for automating campus LANs.

  • ACI (Application Centric Infrastructure) is their SDN solution for automating data center networks.
  • SD-WAN is their SDN solution for automating WANs
  • Cisco DNA (Digital Network Architecture) Center is the controller at the center of SD-Access.

Cisco DNA Center has two main roles

  • The SDN controller in SD-access
  • A network manager in a traditional network (non-SD-Access)

DNA Center is an application installed on Cisco UCS server hardware.

  • It has a REST API which can be used to interact with DNA center.
  • The SBI supports protocols such as NETCONF and RESTCONF (as well as traditional protocols like Telnet, SSH, SNMP)
  • DNA Center enables Intent-Based Networking (IBN).
    • The goal is to allow the engineer to communicate their intent for network behavior to DNA Center, and then DNA Center will take care of the details of the actual configurations and policies on devices.

Traditional security policies using ACLs can become very cumbersome.

  • ACLs can have thousands of entries.
  • The intent of entries is forgotten with time and as engineers leave and new engineers take over.
  • Configuring and applying the ACLs correctly across a network is cumbersome and leaves room for error.
  • DNA Center allows the engineer to specify the intent of the policy (this group of users can’t communicate with this group, this group can access this server but not that server, etc.) and DNA Center will take care of the exact details of implementing the policy.

Traditional network management:

  • Devices are configured one-by-one via SSH or console connection
  • Devices are manually configured via console connection before being deployed
  • Configurations and policies are managed per-device (distributed)
  • New network deployments can take a long time due to the manual labor required
  • Errors and failures are more likely due to increased manual effort.

DNA Center-based network management:

  • Devices are centrally managed and monitored from the DNA Center GUI or other applications using its REST API.
  • The administrator communicates their intended network behavior to DNA Center, which changes those intentions into configurations on the managed network devices.
  • Configurations and policies are centrally managed.
  • Software versions are also centrally managed. DNA Center can monitor cloud servers for new versions and then update the managed devices.
  • New network deployments are much quicker. New devices can automatically receive the configurations from DNA Center without manual configuration.

6.5 Describe characteristics of REST-based APIs (CRUD, HTTP verbs, and data encoding)

An API (Application Programming Interface) is a software interface that allows two applications to communicate with each other.

APIs are essential not just for network automation, but for all kinds of applications.

In SDN architecture, APIs are used to communicate between apps and the SDN controller (via the NBI), and between the SDN controller and the network devices (via the SBI).

The NBI typically uses REST APIs. NETCONF and RESTCONF are popular southbound APIs.

CRUD (Create, Read, Update, Delete) refers to the operations we perform using REST APIs.

  • Create operations are used to create new variables and set their initial values.
    • ie. create variable “ip_address” and set the value to “”
  • Read operations are used to retrieve the value of a variable.
    • ie. what is the value of variable “ip_address”?
  • Update operations are used to change the value of a variable.
    • ie. change the value of variable “ip_address” to “”
  • Delete operations are used to delete variables.
    • ie. delete variable “ip_address”

HTTP uses verbs (aka. methods) that map to these CRUD operations.

REST APIs typically use HTTP.

When an HTTP client sends a request to an HTTP server, the HTTP header includes information like this:

  • An HTTP Verb (ie. GET)
  • A URI (Uniform Resource Identifier), indicating the resource it is trying to access.

REST stands for Representational State Transfer. REST APIs are also known as REST-based APIs or RESTful APIs.

  • REST isn’t a specific API. Instead, it describes a set of rules about how the API should work.

The six constraints of RESTful architectures are:

  • Uniform Interface
  • Client-server
  • Stateless
  • Cacheable or non-cacheable
  • Layered system
  • Code-on-demand (optional)

REST APIs must support caching of data. Caching refers to storing data for future use.

  • For example, your computer might cache many elements of a web page so that it doesn’t have to retrieve the entire page every time you visit it.
  • This improves performance for the client and reduces the load on the server.
  • Not all resources have to be cacheable, but cacheable resources MUST be declared as cacheable.

6.6 Recognize the capabilities of configuration management mechanisms Puppet, Chef, and Ansible

Configuration management tools are network automation tools that facilitate the centralized control of large numbers of network devices.

These tools were originally developed after the rise of VMs, to enable server system admins to automate the process of creating, configuring, and removing VMs.

They are also widely used to manage network devices.

These tools can be used to perform tasks such as:

  • Generate configurations for new devices on a large scale.
  • Perform configuration changes on devices (all devices in your network, or a certain subset of devices)
  • Check device configurations for compliance with defined standards.
  • Compare configurations between devices, and between different versions of configurations on the same device.

Ansible is a configuration management tool owned by Red Hat.

  • Ansible itself is written in Python
  • Configurations are stored on the Ansible server in playbooks that are written in YAML.
  • Ansible is agentless
    • it doesn’t require any special software to run on the managed devices
  • Ansible uses SSH to connect to devices, make configuration changes, extract information, etc (TCP port 22)
  • Ansible uses a push model. The ansible server (Control node) uses SSH to connect to managed devices and push configuration changes to them
    • Puppet and Chef use a pull model

  • After installing Ansible itself, you must create several text files:
    • Playbooks
      • These files are ‘blueprints of automation tasks’. They outline the logic and actions of the tasks that Ansible should do. Written in YAML.
    • Inventory
      • These files list the devices that will be managed by Ansible, as well as characteristics of each device such as their device role (access switch, core switch, WAN router, firewall, etc.). Written in INI, YAML, or other formats.
    • Templates
      • These files represent a device’s configuration file, but specific values for variables are not provided. Written in a Jinja2 format.
    • Variables
      • These files list variables and their values. These values are substituted into the templates to create complete configuration files. Written in YAML.

Puppet is a configuration management tool written in Ruby.

  • uses a client/server architecture
  • Puppet is typically agent-based
    • Specific software must be installed on the managed devices.
    • Not all Cisco devices support a Puppet agent.
  • It can be run agentless, in which a proxy agent runs on an external host, and the proxy agent uses SSH to connect to the managed devices and communicate with them.
  • The puppet server is called the ‘Puppet master’.
  • Puppet uses a pull model (clients ‘pull’ configurations from the Puppet master).
    • Clients use TCP 8140 to communicate with the Puppet master.
  • Instead of YAML, it uses a proprietary language for files.
  • Text files required on the Puppet master include:
    • Manifest: This file defines the desired configuration state of a network device.

Chef is a configuration management tool written in Ruby.

  • uses a client/server architecture, or a standalone client configuration
  • Chef is agent-based
    • Specific software must be installed on the managed devices.
    • Not all Cisco devices support a Chef agent.
  • Chef uses a pull model
  • The server uses TCP 10002 to send configurations to clients
  • Communicates by using HTTPS on the traditional TCP port 443.
  • Files use a DSL (Domain-Specific Language) based on Ruby.
  • Text files used by Chef include:
    • Resources: The ‘ingredients’ in a recipe. Configuration objects managed by Chef.
    • Recipes: The ‘recipes’ in a cookbook. Outline the logic and actions of the tasks performed on the resources.
    • Cookbooks: A set of related recipes grouped together.
  • Managed nodes that are running the Chef Client can pull cookbooks from the server. Standalone clients that do not have access to a server can run chef-solo and pull cookbooks from a local directory or from a tar.gz archive on the internet.

Ansible, Puppet, Chef comparison:

Puppet resource declaration example:

sudo::conf { 'CoAdmins':
  ensure  => present,
  content => '%admin ALL=(ALL) ALL',
}

Chef recipe example:

sudo "CoAdmins" do
  group "CoAdmins"
  nopasswd true
end

Python script that defines a python dictionary:

sudo = {
    "group": "CoAdmins",
    "content": "%admin ALL=(ALL) ALL",
}

JSON object example:

{
    "sudo": {
        "group": "CoAdmins",
        "content": "%admin ALL=(ALL) ALL"
    }
}

6.7 Recognize components of JSON-encoded data

Data serialization is the process of converting data into a standardized format/structure that can be stored (in a file) or transmitted (over a network) and reconstructed later (ie. by a different application).

  • This allows the data to be communicated between applications in a way both applications understand.
  • Data serialization languages allow us to represent variables with text.

JSON (JavaScript Object Notation) is an open standard file format and data interchange format that uses human-readable text to store and transmit data objects. It was derived from JavaScript, but it is language-independent and many modern programming languages are able to generate and read JSON data.

  • REST APIs often use JSON.
  • Whitespace is insignificant.

JSON can represent four ‘primitive’ data types:

  • string
  • number
  • boolean
  • null
    • a null value represents the intentional absence of any object value. It is not surrounded by quotes.

JSON also has two ‘structured’ data types:

  • object
    • An object is an unordered list of key-value pairs (variables)
    • the key is a string
    • the value is any valid JSON data type (string, number, boolean, null, object, array)
    • The key and value are separated by a colon.
    • If there are multiple key-value pairs, each pair is separated by a comma.
    • inside curly brackets
  • array
    • An array is a series of values separated by commas, inside of square brackets
    • not key-value pairs
    • the values don’t have to be the same data type.
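The JSON components listed above, as an added example that is not part of the original notes: a walker that labels every value in a document with its JSON type, a validity check that rejects near-JSON such as an unquoted key, and a duplicate-key check. The duplicate-key check goes slightly beyond the notes, since different parsers may resolve a repeated key differently. The sample document and function names are constructed for illustration.

```python
import json

# Constructed sample covering all four primitive and both structured types.
SAMPLE = """
{
  "hostname": "SW1",
  "vlan_count": 3,
  "poe_enabled": true,
  "description": null,
  "interfaces": ["Gi0/1", 10, false],
  "sudo": {"group": "CoAdmins", "content": "%admin ALL=(ALL) ALL"}
}
"""


def json_type(value):
    """Map a decoded Python value back to its JSON type name."""
    if value is None:
        return "null"
    if isinstance(value, bool):  # test bool first: bool is a subclass of int
        return "boolean"
    if isinstance(value, (int, float)):
        return "number"
    if isinstance(value, str):
        return "string"
    if isinstance(value, list):
        return "array"
    if isinstance(value, dict):
        return "object"
    raise TypeError(f"not a JSON value: {value!r}")


def describe(text):
    """Return [(path, json_type), ...] for every value in the document."""
    found = []

    def walk(value, path):
        found.append((path, json_type(value)))
        if isinstance(value, dict):
            for key, child in value.items():
                walk(child, f"{path}.{key}")
        elif isinstance(value, list):
            for index, child in enumerate(value):
                walk(child, f"{path}[{index}]")

    walk(json.loads(text), "$")
    return found


def is_valid_json(text):
    """True only if the text parses as JSON."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def duplicate_keys(text):
    """Return keys that appear more than once inside the same object."""
    duplicates = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                duplicates.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return duplicates


if __name__ == "__main__":
    for path, kind in describe(SAMPLE):
        print(f"{path:22} {kind}")
    print(is_valid_json('{sudo: {"group": "CoAdmins"}}'))  # unquoted key
    print(duplicate_keys('{"group": "CoAdmins", "group": "Guests"}'))
```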

XML (Extensible Markup Language) was developed as a markup language, but is now used as a general data serialization language.

  • markup languages (ie. HTML) are used to format text (font, size, color, headings, etc.)
  • Often used by REST APIs

YAML (YAML Ain’t Markup Language) is named to distinguish its purpose as a data-serialization language rather than a markup language. YAML is used by the network automation tool Ansible. YAML is very human-readable. Whitespace is significant (unlike JSON and XML).

  • Indentation is very important

Commands to know


  • username (user-name) password (password)
    • configure a user name with a plain-text password.
  • username (user-name) secret (password)
    • configure a username with a password stored as an MD5 hash.
  • username (user-name) secret 5 (hash-value)
    • assigned MD5 hash value manually, instead of converting password
    • 5 parameter indicates that the assigned value is already in MD5 hash form


  • power inline police
    • used in interface config mode, interface will enter an error-disabled state, effectively shutting down the port, when an attached PD attempts to draw more than the cutoff power from the configured interface. A log message describing the event will also be sent to the console.
  • errdisable recovery cause inline-power
    • used in global config mode to enable error-disable auto recovery for inline power, automatically resets port after auto recovery mechanism timer expires
  • power inline police action log
    • used in interface config mode, when an attached PD attempts to draw more than its allocated power from the interface, it will cause the port to restart, and a log message will appear on the console.
    • with log action configured, restarts instead of becoming errdisabled


  • show cdp neighbors
    • shows device ID, local interface, holdtime, capability, platform and port ID.
  • show cdp neighbors detail
    • used in privilege exec mode (enable) to show detailed information about neighboring CDP devices
    • includes: device, entry (IP) addresses, platform, interfaces, holdtime, version, advertisement, duplex, power drawn, power request id, power request levels, etc


  • spanning-tree portfast
    • used in interface config mode for enabling PortFast on specific ports, used for edge ports such as access ports
    • transitions the port into the STP forwarding state without going through the STP listening and learning states.
    • if enabled on a port connected to a switch, the potential for creating STP loops increases greatly.
  • spanning-tree portfast default
    • enables PortFast for all access ports on a switch, global config mode
  • spanning-tree guard root
    • root guard is used to prevent newly introduced switches from being elected as the new root switches.
    • allows the administrator to maintain control over which switch is the root.
    • When STP is used, the device with the lowest switch priority is elected the root. If a new device is added to the network with a lower priority than the current root, it will become the new root.
    • This could cause the network to reconfigure in unintended ways.
    • typically used on edge ports that have PortFast enabled
    • PortFast can cause switching loops if a new switch is connected to a PortFast-enabled port; BPDU guard prevents this by placing the port in an error-disabled state, shutting it down, upon receipt of BPDUs.
    • the port must be manually re-enabled, or it can be recovered automatically by configuring the errdisable recovery cause bpduguard command and the errdisable recovery interval interval command.
    • BPDU guard on PortFast interfaces prevents a rogue switch from modifying the STP topology.
  • spanning-tree loopguard (default OR loop)
    • loop guard feature prevents nondesignated ports from inadvertently forming bridging loops if the steady flow of BPDUs is interrupted.
    • default will enable loop guard for the entire switch in global config, loop will enable for specific ports in interface config mode.
    • when port stops receiving BPDUs, loop guard puts the port into the loop-inconsistent state, which keeps the port in a blocking state.
    • After the port starts receiving BPDUs again, loop guard automatically re-enables the port so that it transitions through the normal STP states.

DAI (Dynamic ARP Inspection)

  • ip arp inspection vlan (number or range)
    • used in global config mode (conf t)
    • a range of VLANs can be entered by using a comma-separated list or a dash range.
    • configuring DAI on each VLAN ensures that traffic sent from each host is inspected (prevent ARP poisoning/spoofing)
    • DAI is configured globally on a switch on all access, trunk, EtherChannel, and PVLAN ports for specified VLANs and cannot be configured on specific interfaces.


  • switchport mode dynamic (auto or desirable)
    • because a switch port in auto mode does not actively negotiate to operate in trunk mode, it will only form a trunk link if negotiations are initiated by the neighboring interface
    • a neighboring interface will initiate negotiations only if it is configured to operate in trunk mode or desirable mode.
    • by contrast, a switch port in desirable mode will actively negotiate to operate in trunk mode and will form a trunk link with a neighboring port that is configured to operate in trunk, desirable, or auto mode.
  • switchport mode trunk
    • configures the port in trunk mode; to stop the port from engaging in DTP negotiation, it should be followed by switchport nonegotiate
  • switchport mode access
    • to configure the port in access mode and doesn’t use DTP.
  • show interfaces fa0/0 trunk
    • indicates the switchport mode configured for a particular interface
    • off - indicates that the port has been statically configured to operate in access mode
    • on - indicates that the port has been statically configured to operate in trunk mode
    • auto - indicates that the port will dynamically determine its operating mode; the port operates in access mode unless the neighboring interface actively negotiates to operate as a trunk
    • desirable - indicates that the port will dynamically determine its operating mode; the port operates in access mode unless it can actively negotiate a trunk connection with a neighboring interface


  • interface port-channel (number)
    • used in global config mode
    • specifies the port-channel interface to configure and enters the interface configuration mode, creates the channel group if it does not exist
  • interface range (interface range)
    • specifies the interface that you want to add to a channel group, and enters the interface configuration mode.
  • channel-protocol (lacp or pagp)
    • specifies the aggregation protocol used to negotiate the creation of the etherchannel (optional).
    • The EtherChannel protocol must match on each switch, or they will be unable to dynamically establish an EtherChannel link between them.
    • In addition, if a protocol is explicitly configured, each local switch port in the EtherChannel bundle must be configured to operate in a mode that is compatible with the channel protocol or the switch will display an error message and refuse to bundle the offending interface.
  • channel-group (number) mode (on/active/passive {auto/desirable [non-silent]})
    • used in interface range config
    • number to specify particular channel group, should correspond to the PortChannel interface being configured
    • the on keyword configures the channel group to unconditionally create the channel with no LACP or PAgP negotiation. In the on mode, a functional EtherChannel exists only if a channel group that is in the on mode is connected to another channel group that is also in the on mode.
    • You can issue the command show etherchannel summary to verify the status of an EtherChannel link and to determine which aggregation protocol, if any, was used to establish the link.
    • The auto, desirable, and non-silent keywords can only be used with PAgP.
    • The desirable keyword configures the channel group to actively negotiate PAgP, and the auto keyword configures the channel group to listen for PAgP negotiation to be offered.
    • Either or both sides of the link must be set to desirable to establish an EtherChannel over PAgP; setting both sides to auto will not establish an EtherChannel over PAgP.
    • The optional non-silent keyword requires that a port receive PAgP packets before the port is added to the channel.
    • The active and passive keywords can be used only with LACP. The active keyword configures the channel group to actively negotiate LACP, and the passive keyword configures the channel group to listen for LACP negotiation to be offered. Either or both sides of the link must be set to active to establish an EtherChannel over LACP; setting both sides to passive will not establish an EtherChannel over LACP.


  • show vlan brief
    • shows vlans, name, status ports
  • vlan vlan-id
    • enter VLAN config mode, and/or create a VLAN
  • name name
    • configure a name for the VLAN
  • switchport access vlan vlan-id
    • used in interface configuration mode, configures the interface into a specific VLAN, if the VLAN doesn’t exist, it will be created
    • configures these ports to reside on VLAN 1 if the ports are operating in access mode
  • switchport mode access
    • configures the ports to operate in access mode
  • switchport trunk native vlan vlan-id
    • configures the native VLAN of the switch, used in interface config mode
    • default is VLAN 1
  • ip arp inspection vlan (vlan-id OR vlan-range)
    • ensures that traffic sent from each host on the VLAN is inspected
    • in addition, a port is configured as an untrusted port when DAI is enabled on that port.
  • ip arp inspection trust
    • when DAI is configured for an entire VLAN, you can override default untrusted configuration for a given port using this command in interface configuration mode.


  • vtp mode (server, client, or transparent)
    • used from global config mode or vlan config mode.
    • by default, switches are configured for VTP server mode.


  • show ip nat translations
    • shows protocol, inside global IP, inside local IP, outside local IP, outside global IP

IPV4 static routes

  • ip route (destination network ip address) (subnet mask) (next-hop ip address)
  • ip route (destination network ip address) (subnet mask) (exit-interface)
  • show ip route / show ipv6 route
    • Local host routes are marked with an L
    • IPv4 addresses that are manually configured with a /32 mask are considered to be connected addresses and are marked with a C
    • Routes that are marked with an O are OSPF routes
    • Routes that are marked with D are EIGRP routes
    • OSPF and EIGRP are considered network routes
    • Routes that are marked with an S are static routes. Normal static routes have an AD of 1
    • AD is the first number in the brackets, the second number is metric [AD/metric]
    • A static route with a modified AD is called a floating static route and is often used as a backup route in case the primary route goes down.
    • Routes marked with a (*) in the output are default routes. A static default route can be configured by issuing the ip route (next-hop-IP OR interface) command.
    • S* [1/0] indicates a static default route.


  • ipv6 enable
    • used in interface config mode to enable IPv6
    • after issuing this command on an interface, it can use its automatically derived, link-local IPv6 address to communicate with other IPv6 enabled devices on directly connected networks.
  • ipv6 address (ip address) (/prefix) [eui-64]
    • used on interface config to manually assign an IPv6 address. eui-64 keyword configures a static IPv6 prefix but allows the router to automatically generate a 64-bit interface ID known as EUI-64 interface ID based on the interface’s MAC address.
  • ipv6 address autoconfig
    • configures an interface to automatically assign itself a global unicast IPv6 address using SLAAC.
    • SLAAC configurations occur based on information that is sent in router advertisements from an IPv6 gateway operating on the same network segment.
    • also enables the interface to obtain additional information from a DHCPv6 server if a DHCPv6 server exists on the network and is configured to send nonaddress information.
  • ipv6 address dhcp
    • configures a DHCPv6 client interface to use stateful DHCPv6 addressing, which configures addressing information and extra information from the DHCPv6 server.
  • ipv6 route (destination network IP address /#subnet) (outboundinterface 0/0) (next-hop IPv6 address)
    • configures fully specified static route in which the destination network, outbound interface, and next-hop IPv6 address are all configured directly.
    • ex: ipv6 route 2001:db8:a::/32 fastethernet 0/1 2001:db8:b::1
    • fully specified static routes are most often used when the outbound interface is multiaccess and could therefore be configured with multiple next-hop addresses. The next-hop address that is specified in the command must be directly connected to the outbound interface.
  • ipv6 route (destination network IP address /#subnet) (outboundinterface 0/0)
    • configures a directly attached static route
    • ex: ipv6 route 2001:db8:a::/32 fastethernet 0/1
    • when a directly connected static route is configured, the router assumes that any packet that matches the destination network is reachable through the specified outbound interface. Therefore, the packet’s full destination address is used as the IPv6 next-hop address.
  • ipv6 route (destination network ip address /#subnet) (next-hop IP address)
    • configures a recursive static route
    • ex. ipv6 route 2001:db8:a::/32 2001:db8:a::1
    • in this example, the command configures the router to resolve all IPv6 addresses in the 2001:db8:a::/32 prefix through the next hop that has been assigned the IPv6 address of 2001:db8:a::1.
    • the router assumes the outbound interface to be the interface to which the next hop is either directly or indirectly connected. In other words, the next-hop IPv6 address must be resolvable through the outbound interface.
  • ipv6 route (destination network ip address /#subnet) (next-hop IP address) (administrative distance #)
    • will configure a floating static route with an AD of 5.


  • access-class (number) (in/out)
    • used in line config mode (enabled by line vty # #)
    • in/out configures inbound or outbound
    • configures VTY lines #-# to apply ACL # in the in/out direction
  • access-list (number) (deny/permit) (source IP address [source-wildcard] OR host ip address OR any)
    • examples: access-list 55 permit
    • access-list 55 deny any
    • creates a standard ACL, place as close to the destination as possible.
    • standard when ACL number is 1-99 or 1300-1999
  • extended access-list command
    • can permit or deny packets based on source IP address, destination IP address, protocol, and port.
    • place as close as possible to the source of traffic
    • extended when ACL number is 100-199 or 2000-2699
  • ip access-list standard (name)
    • configure a standard ACL by name instead of number
    • places the device in standard ACL config mode, where you can issue multiple commands to configure the named ACL.
    • to create these ACL statements, use the command: [sequence-number] (deny or permit) (host ip address OR source IP address source wildcard OR any) where sequence number is an optional number that indicates the order in which the ACL statements will be evaluated.
    • If you do not issue a sequence number, the statements will be processed in the order in which they are issued.
  • ip access-list extended (name)
    • configures an extended ACL by name instead of number
    • places the device in extended ACL configuration mode, where you can issue [sequence-number] (deny or permit) protocol (source IP source wildcard) [operator port] (destination IP destination-wildcard) [operator port]
    • where sequence number is an optional number that indicates the order in which the ACL statements will be evaluated.
  • show access-lists
    • shows configured standard and extended ACLs
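How a standard numbered ACL is evaluated, as an added example that is not part of the original notes: entries are checked in order with wildcard-mask matching, and the first match decides. The implicit deny at the end of every ACL is standard IOS behaviour that the notes do not state. The ACL lines, the 192.0.2.0/24 and 198.51.100.0/24 documentation addresses and the function names are constructed for illustration, and `shadowed_entries` is an added audit check for entries that can never match.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def acl_type(number):
    """Classify a numbered ACL using the ranges given in the notes."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a numbered IPv4 ACL")


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_entry(line):
    """Parse one standard ACL entry into (action, address, care_bits).

    care_bits is the inverted wildcard mask: a wildcard 0 bit must match,
    a wildcard 1 bit is ignored.
    """
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    if acl_type(int(tokens[1])) != "standard":
        raise ValueError("this example only evaluates standard ACLs")
    action, source = tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    if source == ["any"]:
        address, wildcard = "0.0.0.0", "255.255.255.255"
    elif len(source) == 2 and source[0] == "host":
        address, wildcard = source[1], "0.0.0.0"
    elif len(source) == 1:
        address, wildcard = source[0], "0.0.0.0"  # no wildcard: single host
    elif len(source) == 2:
        address, wildcard = source
    else:
        raise ValueError(f"cannot parse source: {source!r}")
    return action, to_int(address), ~to_int(wildcard) & MASK32


def evaluate(acl_lines, source_ip):
    """Return (action, entry_number); entry_number is None for implicit deny."""
    src = to_int(source_ip)
    for seq, line in enumerate(acl_lines, start=1):
        action, address, care = parse_entry(line)
        if (src & care) == (address & care):
            return action, seq  # first match wins; later entries are not read
    return "deny", None  # implicit deny at the end of every ACL


def shadowed_entries(acl_lines):
    """Return [(entry, covering_entry)] for entries that can never match."""
    parsed = [parse_entry(line) for line in acl_lines]
    hidden = []
    for j, (_, addr_j, care_j) in enumerate(parsed):
        for i in range(j):
            _, addr_i, care_i = parsed[i]
            # Earlier entry i covers j if every bit i checks is also checked
            # by j, and the two addresses agree on those bits.
            if (care_i & ~care_j) == 0 and (addr_i & care_i) == (addr_j & care_i):
                hidden.append((j + 1, i + 1))
                break
    return hidden


# Constructed ACLs using documentation-range addresses.
ACL_55 = [
    "access-list 55 deny host 192.0.2.10",
    "access-list 55 permit 192.0.2.0 0.0.0.255",
]
ACL_55_MISORDERED = [
    "access-list 55 deny any",
    "access-list 55 permit 192.0.2.0 0.0.0.255",
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.77", "198.51.100.5"):
        print(ip, evaluate(ACL_55, ip))
    print(shadowed_entries(ACL_55_MISORDERED))
```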


  • ip dhcp pool (name/number)
    • used in global config mode to create dhcp pool
  • network (ip-address) (subnet mask or /prefix)
    • used in DHCP pool config mode, the router will provide IP addresses to hosts connected to the router interface that belongs to that subnet.
  • host (ip address) (subnet mask or /prefix)
    • used in DHCP pool config mode, used to configure an IP address for manual binding. Manual binding enables a device to always receive the same IP address from DHCP by associating a static IP address with the device’s MAC address.
    • after using the host command, you should issue the following command:
  • client-identifier (MAC address)
    • Statically maps this device to the IP address defined in host
    • you cannot use the same DHCP pool for manual bindings and for dynamic IP address allocation.
  • ip address dhcp
    • configures an interface to become a DHCP client so that it can receive IP configuration information from a DHCP server. A DHCP client can receive an IP address, a subnet mask, a domain name, a DNS server, and more from a DHCP server.


  • router ospf process-id
    • enables OSPF router configuration mode, used in configure terminal (global config) mode
  • router-id ip-address
    • manually configures router-id, used in router config mode
    • if router ID is not manually configured, the router ID will be the highest Loopback IP address configured on a router. if a loopback IP address is not configured, then the router ID will be the highest IP address among the configured interfaces.
  • show ip ospf interface brief
    • shows interfaces, PID, Area, IP address/mask, cost, state. Full adjacencies/total count of neighbors
  • show ip ospf neighbor

  • show ip ospf int g0/0
    • shows state, priority, DR+BDR router IDs and interface IP addresses, neighbor count, (full) adjacent neighbor count
  • network (address mask) area (area-id)
    • configure an OSPF area in OSPF router configuration mode
  • ip ospf priority (#1-255)
    • used in interface config mode, configures interface priority in order to manually configure DR/BDR (default is 1)
    • if set to 0, the router can not become the DR/BDR for the subnet
    • once DR/BDR is set they will keep their role until OSPF is reset using clear ip ospf process
    • When the DR goes down, the BDR becomes the new DR. Then an election is held for next BDR.
  • ip ospf network (broadcast OR non-broadcast OR point-to-multipoint [nonbroadcast] OR point-to-point)
    • configures network type on an OSPF interface
    • if not issued, the default OSPF network type depends on the type of network to which the interface is connected
    • OSPF broadcast network type is enabled by default on Fiber (FDDI) and Ethernet interfaces.
      • Multicast updates are sent, manual config of neighbor routers is not required. Hello timer 10s, dead timer 40s
      • DR and BDR elections are performed
    • OSPF nonbroadcast network type is enabled by default on Frame Relay and X.25 interfaces.
      • nonbroadcast do not allow multicast, so manual configuration of neighbor routers with neighbor command is required so that OSPF sends unicast updates. Hello timer 30s, dead timer 120s
      • DR and BDR elections are performed
    • OSPF point-to-point network type is enabled by default on HDLC and PPP (Point-to-point protocol) serial interfaces.
      • multicast updates are sent, so manual configuration of neighbor routers is not required. Hello timer 10s, dead timer 40s
      • DR and BDR elections are not performed
    • OSPF point-to-multipoint network type
      • Multicast updates are sent, so manual configuration of neighbor routers is not required. Hello timer 30s, dead timer 120s
      • DR and BDR elections are not performed
    • OSPF point-to-multipoint nonbroadcast network type
      • Nonbroadcast networks do not allow multicasts, so manual configuration of neighbor routers with neighbor command is required so that OSPF sends unicast updates. Hello timer 30s, dead timer 120s.
      • DR and BDR elections are not performed
  • router id (value)
    • manually configure an OSPF router ID in OSPF router configuration mode.
    • an OSPF router will always select a manually configured router ID over any interface IP addresses.
  • distance (new AD value)
    • configures the AD of routing protocols in router configuration mode
    • for ex. to change the AD of OSPF from 110 to 80, you should issue the following commands:
      • #router ospf 1
      • #distance 80
  • neighbor (IP address of neighbor) (priority number) (poll-interval seconds) (cost number) [database-filter all]
    • allows for manual configuration of neighbor routes
    • not needed on broadcast networks
    • priority number indicates the router priority value of the nonbroadcast neighbor associated with the IP address specified. default is 0. doesn’t apply to point-to-multipoint interfaces
    • poll-interval seconds represents the poll interval time in seconds; it should be much longer than the hello interval. default is 120 seconds. doesn’t apply to point-to-multipoint interfaces
    • cost number assigns a cost to the neighbor; neighbors with no specific cost configured will assume the cost of the interface, based on the ip ospf cost command. does not apply to nonbroadcast multiaccess (NBMA) networks
    • database-filter all filters outgoing LSAs to an OSPF neighbor
  • maximum-paths maximum number
    • Many OSPF routers can insert a maximum of four equal-cost paths into the routing table by default. You can override the default maximum by issuing the maximum-paths maximum command in OSPF router configuration mode, where maximum indicates the maximum number of equal-cost paths to insert into the routing table.
  • ip ospf hello-interval seconds
    • used in interface config mode, manually configures hello timer interval (default 10 seconds on point-to-point and broadcast links, 30 seconds on NBMA links)
  • ip ospf dead-interval seconds
    • used in interface config mode, manually configures dead timer interval (default 4x hello timer)
  • default-information originate
    • configures an OSPF router to inject its default route into OSPF as an external route, thereby advertising its default route to neighboring routers.

SSH (Secure Shell)

  • device must be running a K9 IOS image
  • to enable SSH for VTY lines on a Cisco router, complete the following:
    1. configure the router with a host name other than Router by issuing the hostname command
    2. configure the router with a domain name by issuing the ip domain-name command
    3. generate an RSA key pair for the router by issuing the crypto key generate rsa command.
    4. configure the VTY lines to use SSH by issuing the transport input ssh command from line configuration mode.
  • the crypto key generate rsa command will automatically enable SSH on a router.
    • creates a set of RSA keys that can be used for SSH sessions.
  • the transport input ssh command does not enable SSH on the router. This command only configures the VTY lines to use SSH if SSH has already been configured.
  • the crypto key zeroize rsa command removes RSA keys from a router. You may want to remove RSA keys in order to generate new keys.
  • the enable secret command can be used to help prevent unauthorized access to privileged EXEC mode. Using this command is more secure than enable password because the password is stored as an MD5 hash instead of in plain text.
  • the no transport input telnet command can be used to prevent Telnet access to a router. Telnet is sent unencrypted as plain text, so it is not as secure as SSH. Using this will ensure that remote management connections to the router are encrypted.
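The SSH checklist above can be verified against a saved copy of a running configuration. The following is an added example, not part of the original notes: a Python audit run over two constructed sample configs. The function names and finding codes are hypothetical.

```python
import re

# Constructed running-configs for illustration (not taken from a real device).
WEAK_CONFIG = """\
hostname Router
enable password cisco123
line con 0
 login
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
"""

HARDENED_CONFIG = """\
hostname edge-rtr1
ip domain-name example.test
enable secret 5 <md5-hash-placeholder>
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
"""


def vty_blocks(config):
    """Map each 'line vty ...' header to the indented sub-commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any other line ends the current VTY block
    return blocks


def audit_ssh(config):
    """Return a list of (code, detail) findings; an empty list means every check passed."""
    findings = []
    top = [l for l in config.splitlines() if l and not l.startswith(" ")]

    # Step 1: the host name must be something other than the default 'Router'.
    hostname = next((l.split()[1] for l in top if l.startswith("hostname ")), "Router")
    if hostname == "Router":
        findings.append(("default-hostname", "hostname is still 'Router'"))

    # Step 2: a domain name must be set. Older releases print 'ip domain-name',
    # newer ones 'ip domain name', so both spellings are accepted.
    if not any(re.match(r"ip domain[- ]name \S+", l) for l in top):
        findings.append(("no-domain-name", "ip domain-name is not configured"))

    # Privileged EXEC protection: enable secret rather than enable password.
    if any(l.startswith("enable password") for l in top):
        findings.append(("enable-password", "enable password present; use enable secret"))
    if not any(l.startswith("enable secret") for l in top):
        findings.append(("no-enable-secret", "enable secret is not configured"))

    # Step 4: every VTY block should explicitly allow SSH only.
    for header, cmds in vty_blocks(config).items():
        transport = next((c.split()[2:] for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append(("vty-transport-unset", f"{header}: no explicit transport input"))
        elif "telnet" in transport or "all" in transport:
            findings.append(("vty-telnet", f"{header}: transport input {' '.join(transport)}"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for code, detail in audit_ssh(cfg) or [("ok", "no findings")]:
            print(f"  {code}: {detail}")
```

The RSA key pair created by crypto key generate rsa is not part of the running configuration, so step 3 has to be confirmed on the device itself.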

NTP (Network Time Protocol)

  • ntp server ip-address
    • enables NTP static client mode on router, used in global config mode
    • Static client receives its time from an NTP server where ip-address is the IP address of the NTP server that the client will use to receive its time
  • ntp broadcast client
    • enables NTP broadcast client mode on router, used in interface configuration mode.
    • An NTP broadcast client listens on the configured interface for NTP broadcasts from an NTP server, which the NTP client uses to adjust its time.
    • The difference between a broadcast client and a static client is that a broadcast client can receive its time from any NTP server. By contrast, a static client receives its time from the NTP server specified in the ntp server command
  • ntp authenticate
    • enables NTP authentication on router, used in global config mode.
    • Authentication can be used with NTP to provide source verification for NTP synchronization.
    • NTP authentication supports only Message Digest 5 (MD5) keys.
    • To enable authentication on an NTP client, you must issue the following command set:
      • ntp authenticate
      • ntp authentication-key key-number md5 key
      • ntp trusted-key key-number
      • ntp server ip-address key key-number
    • To enable authentication on an NTP server, you should issue the following command set:
      • ntp authenticate
      • ntp authentication-key key-number md5 key
  • ntp master stratum
    • enables NTP server mode on router, used in global configuration mode, where stratum is an NTP stratum value from 1-15.
    • If the stratum value is not specified, the NTP server uses the default stratum value of 8.
    • NTP servers not only synchronize time with NTP clients but also with each other.
    • Devices with higher stratum numbers receive time from devices with lower stratum numbers.
  • ntp peer ip-address
    • enables NTP symmetric active mode on router, used in global config mode, where ip-address is the IP address of the NTP host.
    • A device in symmetric active mode attempts to mutually synchronize with another NTP host; the host might synchronize the peer, or it might be synchronized by the peer.
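The four-command client set under ntp authenticate above only gives source verification when all four pieces agree with each other. The following is an added example, not part of the original notes: a Python check over constructed client configs that reports servers with no key, keys that are referenced but never defined or trusted, and a missing ntp authenticate. The function names and finding codes are hypothetical, and only the plain "ntp server ip-address key key-number" form is handled.

```python
import re

# Constructed NTP client configurations. Addresses are documentation
# addresses and the key strings are placeholders.
WEAK_NTP = """\
ntp authentication-key 1 md5 <key-placeholder>
ntp authentication-key 2 md5 <key-placeholder>
ntp trusted-key 1
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11 key 2
ntp server 192.0.2.12
"""

FIXED_NTP = """\
ntp authenticate
ntp authentication-key 1 md5 <key-placeholder>
ntp authentication-key 2 md5 <key-placeholder>
ntp trusted-key 1
ntp trusted-key 2
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11 key 2
ntp server 192.0.2.12 key 1
"""


def _key_numbers(lines, pattern):
    """Collect the key numbers captured by `pattern` across all config lines."""
    return {int(m.group(1)) for l in lines if (m := re.match(pattern, l))}


def audit_ntp_client(config):
    """Return (code, subject) findings for an NTP client config; [] means consistent."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    defined = _key_numbers(lines, r"ntp authentication-key (\d+) md5 \S+")
    trusted = _key_numbers(lines, r"ntp trusted-key (\d+)$")

    findings = []
    # Without this global command NTP authentication is not enabled at all.
    if "ntp authenticate" not in lines:
        findings.append(("authenticate-missing", "global"))

    for line in lines:
        m = re.match(r"ntp server (\S+)(.*)$", line)
        if not m:
            continue
        server, options = m.group(1), m.group(2)
        key = re.search(r"\bkey (\d+)\b", options)
        if key is None:
            findings.append(("server-no-key", server))       # unauthenticated source
        elif int(key.group(1)) not in defined:
            findings.append(("key-undefined", server))       # no ntp authentication-key
        elif int(key.group(1)) not in trusted:
            findings.append(("key-untrusted", server))       # no ntp trusted-key
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_NTP), ("fixed", FIXED_NTP)):
        print(name, audit_ntp_client(cfg) or "no findings")
```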

WLC (Wireless LAN Controller)

  • show ap config global
    • displays global Syslog server settings for every AP that is joined to the Cisco WLC. The following is sample output from the show ap global command:

  • show ap config general MyLAP
    • displays IP addressing and other information about a Cisco access point named MyLAP. Similar to a Cisco wired router or switch, you can administer a Cisco AP or WLC by using a CLI. However, the CLI interface does not support the same Cisco IOS command set as a Cisco router or switch. You can configure a Cisco WLC or a Cisco AP either by using the built-in GUI in a browser or by using the CLI.
  • show ap config general cisco-ap
    • where cisco-ap is the host name of the Cisco AP that is configured with the information you want to display, produces general AP configuration output.
    • This output includes information such as the AP’s IP address, the default gateway IP address, and the DNS server address. In addition, the output includes the subnet mask that is configured on the AP. Sample output from a Cisco AP:

  • The show ap core-dump MyLAP command displays the memory dump for the AP named MyLAP. The show ap core-dump cisco-ap command displays the memory core dump for the lightweight AP that is specified as the cisco-ap parameter. Core memory dumps can be large and are typically used for troubleshooting purposes when hardware failures occur.
  • The show ap crash-file command displays a list of crash dump files and radio core dump files that have been generated by lightweight APs. This command is useful if you need to review the output of a crash file or core dump file for a specific AP.

Port Security

  • switchport port-security
    • enables port security for a maximum of one MAC address
  • switchport port-security maximum (#)
    • used in interface config mode; for example, a value of 2 configures the switch port to allow no more than two devices, each with a unique MAC address, to send traffic into the port
  • switchport port-security mac-address MAC Address
    • used in interface config mode to statically configure a switch port to allow traffic from a specific MAC address
    • Any MAC addresses that are not configured statically will be learned dynamically from incoming traffic, up to the maximum number of MAC addresses.
  • switchport port-security mac-address sticky
    • converts dynamically learned MAC addresses to sticky MAC addresses
    • sticky MAC addresses are stored in the running configuration
    • to ensure that sticky MAC addresses are not lost during reboot, you should use write memory or copy running-config startup-config

Exocore Installation Instructions

Date: 8 May 2022

You can set up a personal website as a public exocortex with no code in this 15 minute guide, using entirely free services to host your site on the web.

All pages are converted from simple, non-code Markdown syntax, so you can focus purely on writing. The end result will look identical to this page.


Github will be used as a cloud content management system - it’s convenient to upload updates to, accessible and editable from anywhere, and keeps full version history of changes as well as provides easy options for back-up.

Netlify will be used to deploy the files stored on Github as a web-server - it’s fast and automatically updates whenever an update is made on your Github repository. Github does offer its own static webhost, but Netlify is necessary due to certain plugin support limitations.

Netlify will also provide your site a custom subdomain, e.g. [site-name] You can also use your own purchased domain.

All services are entirely free besides the custom domain.

1. Deploy your own Exocore to the Web

Create Github Account

First, create a Github account if you do not already have one. Remember to make your email private in settings.

Continue below when you have an account ready.

Install the Exocore template to GitHub and Netlify

Open our One-click installation.


  1. Select Connect to Github
  2. Login to Github and select Authorize Application
  3. Name your repository - this is your own reference
  4. Select Deploy site

Netlify will now take about 5 minutes for the initial build of the site. If you want, you can watch the status of the build by clicking Production: master@HEAD under Production Deploys.

Once it’s complete, the Production status will change to Published, and you will be able to click the [site-name] link to see your site.

The site’s master files will also appear in your Github account, under the repository name you selected, e.g. Changes here will go live on the site automatically.

Your site is now officially live, available for anyone to view at [site-name], but there are some settings we should adjust before moving forward.

Change your site name

Change the default generated site name to whatever you’d like by navigating to Site settings > Site details > Change site name. It will be available at [sitename]

Optionally, you can find instructions for setting up a custom domain [[here|custom domain]].

2. Setting up Exocore as a VS Code Workspace on your Machine

The exocore exists as both a Visual Studio Code template package and a workflow between Github and Netlify. While any markdown-capable editor will work, using our modified VS Code Workspace is recommended for a suite of [[exocore-minded automation tools|using your exocore]].

  1. Download Visual Studio Code
  2. Download the forked repo to your computer by navigating to your Github account’s exocore repo, then selecting Code > Download Zip
  3. Open your newly forked repository in VS Code with File > Open, and navigating to the downloaded folder
  4. Accept the prompts to trust the folder, and install the recommended extensions. Your Exocore is now ready to be edited locally on VS Code.

3. Saving Changes to the Cloud with Github

While you’re working in VS Code, your work will be automatically saved. However, to publish the data to Github so that it propagates onto the web, you’ll need to set up a git commit workflow.

If you’re already familiar with git, it’s the standard commit process that can be done on your terminal. If you’re new to git and Github, the easiest process is using GitHub Desktop.

4. Configuring your Exocore

  1. Navigate to /_config.yml to change the Title and URL of your exocore.
  2. Navigate to /_data/user.yml to change your username and profile picture.
  3. Navigate to /styles.scss to select between different themes.

You can also customize Visual Studio Code heavily to your preference, including easily changing color themes.

5. Using your Exocore

Continue on to Using your Exocore to familiarize yourself with the editor interface and begin writing new notes.

Predictive Processing and the Free Energy Principle

Date: 20 April 2022


Classical model of action:

  • Optimal action depends on state of the world
  • Therefore, first step of action is to (1) form a belief (analyse surroundings/prospects)
  • (2) imagine a value function of next state brought about by action
  • (3) optimise action that maximises value of the next state

Model of action

  • Classical model doesn’t work when the best next thing to do is to search for/resolve uncertainty
  • Optimal action depends on beliefs about the world, and subsequent action
  • Further, it’s a function of the order in which you interrogate the world
  • Therefore the functional (function of a function) to be optimised is a function of beliefs
  • Optimal action therefore is optimising sequences or policies of actions
  • To be optimised: a function of a belief, integrated over time

Free Energy Principle:

  • The goal of a self-organising (eg biological) system is to minimise prediction error (surprise), also called ‘free energy’, by forming continually-updated beliefs/inferences about the world from which to form policies of action
  • Friston considers this an organising principle of all life and intelligence
  • To be alive (to be a system that resists disorder and dissolution) is to act in ways that reduce the gulf between your expectations and your sensory inputs (AKA, to minimise free energy)

  • If a prototypical agent, or a ‘good agent’, minimises free energy (thereby minimising ‘surprise’), they must believe that the actions they take minimise expected free energy
  • expected free energy associated with a policy of action is minimised

Markov Blanket:

The Markov Blanket is a concept in machine learning which is essentially a shield that separates one set of variables from others in a layered, hierarchical system. The blanket defines the boundaries of a given system. That is, in cognition, a cognitive version of a cell membrane shielding states inside the blanket from states outside. This is the schema by which surprise is minimised: the Markov blanket is a set of variables sufficiently complete that another random variable can be inferred from it. If a Markov blanket is minimal (parsimonious), meaning no variable can be dropped without losing information, it is called a Markov boundary.

Underpinnings of the Exocore

Date: 16 April 2022

Digitally-Integrated Mind Palace

  • Navigability
    • Easy hyperlinking = frequent hyperlinking
  • Memorability
    • Hijacking and piggybacking on existing human mnemonic faculties
    • Zettelkasten mnemonic badges

Semantic Internet

  • Plain text
    • Accessibility
    • Universality
  • Standards-compliance
  • Portability
  • Static Website Delivery

Writing as Thinking, Written Output as Consolidated Thought

  • Feynman Technique
  • General -> specific, scattered -> polished

Data Ownership and Escaping Net Serfdom

  • Digital owned space
    • Customisability
    • Local Instance
    • Digital and Personal Legacy


  • The Viral Public License
  • Non-proprietary (open source) file formats

Network Sublimation

  • Collaboration
  • Webrings
  • RSS
  • Remchat
  • The New Internet


  • Local storage
  • No internet required
  • No coding required
  • Searchability — in contention with static design

Tradition of the Exocore

  • The Roman Room
  • The Memex
  • The Zettelkasten
  • Project Xanadu
  • Web 1.0
  • IRC
  • Webrings
  • Digital Gardens
  • Project Xanadu
  • Memex
  • Compendium
  • Zettelkasten
  • Hyperdraft

Other Exocore-like implementations and resources

Visual data representations that piggyback on human mnemonic faculties

Chernoff Faces

“Chernoff faces, invented by applied mathematician, statistician and physicist Herman Chernoff in 1973, display multivariate data in the shape of a human face. The individual parts, such as eyes, ears, mouth and nose represent values of the variables by their shape, size, placement and orientation.”

Urbit Sigils

Urbit Names

    Prefixes   Suffixes
    ---------- ---------- 
0.    doz        zod
1.    mar        nec
2.    bin        bud
3.    wan        wes
4.    sam        sev
5.    lit        per
6.    sig        sut
7.    hid        let
8.    fid        ful
9.    lis        pen
10.   sog        syt
11.   dir        dur
12.   wac        wep
13.   sab        ser
14.   wis        wyl
15.   sib        sun


  8 bits  galaxy  ~lyt
 16 bits  star    ~diglyt
 32 bits  planet  ~picder-ragsyt
 64 bits  moon    ~diglyt-diglyt-picder-ragsyt
128 bits  comet   ~racmus-mollen-fallyt-linpex--watres-sibbur-modlux-rinmex

Roman Room/Memory Palace/Method of Loci

The Lukasa

“Court historians known as bana balute (“men of memory”) run their fingertips across the surface of a lukasa or point to its features while reciting genealogies, king lists, maps of protocol, migration stories, and the great Luba Epic, a preeminent oral narrative that records how the culture heroes, Mbidi Kiluwe and his son Kalala Ilunga, introduced royal political practices and etiquette.”

Set up a Custom Domain

Date: 16 April 2022

Custom domains can be added for a better look and a more memorable URL, but you will need to purchase one. If you already have a domain, follow the steps in Configuring a Domain Purchased Elsewhere.

Purchase Domain on Netlify

If you do not already have a domain, you can purchase it directly within Netlify by adding in a new Custom domain. Prices aren’t the best on the market (e.g. .com is $15/yr, market rate is $12/yr), but it will automate all setup.

  1. Navigate to Settings > Domain Management > Add custom domain.
  2. Enter the domain you would like
  3. If it is unavailable, you will see [domain] already has an owner. Is it you?. Select No, try another.
  4. If you find one that is available, you will be provided prices and option to register. You can use a Domain search tool to help find available domains.

Once you have a domain purchased, Netlify will automate handling DNS configuration and SSL encryption, so your site will be fully ready to go on your domain.

Purchasing a Custom Domain

Domains can be purchased from a variety of suppliers for affordable rates - a .com domain goes for about $12/year, though uncommon domains like .xyz can be found for as low as $2/year.

I can recommend Google Domains, I use it because it includes privacy protection and custom email aliases for free, and has an easy to navigate dashboard, as well as Google’s very fast DNS.

For uncommon domains and more competitive prices, Namecheap is reliable - it also has a solid “Beast mode” search for finding rare domains.

Configuring a Domain Purchased Elsewhere

If you purchase your domain elsewhere, you will need to configure your domain provider to point the domain to your Netlify site. Follow this guide: Configure external DNS for a custom domain.

The steps on your domain provider’s end will be different depending on your provider; look for something along the lines of “Create A or CNAME Record”, “Point DNS to Domain” or “Manage DNS Records”.

Then add the custom domain in Netlify:

  1. Navigate to Settings > Domain Management > Add custom domain.
  2. Enter the domain you would like to use.
  3. You will see [domain] already has an owner. Is it you?
  4. Select Yes, add domain

SSL (https) will be configured automatically.

Using your Exocore

Date: 13 April 2022

Now that you’ve installed your exocore, this guide will walk you through navigating it in practice. Read a more detailed explanation of the Exocore’s present and future functionality here.

Launch your Exocore

Open the root folder of your Exocore in VS Code to launch your editing interface.

Creating new posts

Use keyboard command Ctrl + Shift + P to summon the command panel. From here you can access a variety of functions by beginning to type their names. Start typing ‘create new note from template’ to find the options for creating new posts.

  • Daily Notes are designed as a quick access scratch pad, and are perfect for low-specificity research dumps and fleeting notes that will inform your notes in future. These are automatically titled by date. One is created each day automatically, and opened when you open VSCode.
  • Wiki Notes are designed for single atomic data points, and are automatically titled with a hexadecimal color code. This code is turned into a correspondingly colored badge in the index of the published site.
  • Journal Entries are for your thoughts, and are not automatically titled.
  • Articles are for longer write-ups on a particular topic.

You may have noticed that these notes together create a pipeline for systematising knowledge over time from the general to the particular, and for capturing a bank of scattered reference material and developing it into a polished final product. You might choose to cite a research dump in the subsequent post that it turned into as a bibliography/further reading section, such as appears at the bottom of this wiki note.

Using Metadata

If you followed the above instructions to create a new post, you will notice that it spawned with a YAML metadata section at the top.

This metadata does not appear in the text of the post, but affects how the post will be treated when your Exocore is rendered into a website. The metadata of the post you are currently reading looks like this:

layout: article
category: article
topic: meta
date: 2022-04-13
tags: meta computers exocore

If you’re using a browser to read this, you won’t see this information at the top of the post, but the Exocore has incorporated it already into the way it treats the post. It has dated the post, sorted it into the ‘Articles’ section of the site, and given it tags which appear in the left sidebar. You can add to the topic and tags sections, backdate your post, or add a subtitle if you wish.

Split Windows

Ctrl+\ (OSX: Cmd+\) can be used to create a new window split. Ctrl+W (OSX: Cmd+W) can be used to close them.

Graph Visualization

See how your notes are connected via a graph with the Foam: Show Graph command. Notes can be clicked through to navigate your exocore this way.

Preview Notes

Your notes can be previewed in rendered markdown by clicking the magnifying glass icon on the top right of the window. You can navigate between linked notes from within this previewed window.

Markdown Syntax

Continue on to Writing with Exocore Syntax to learn the Markdown syntax standards it follows, as well as its extensions for hyperlinks, embedded code, footnotes and more.


Date: 28 February 2022


Usufruct is a legal concept referring to a right in property which confers on the holder the right to use and benefit from the property without altering, damaging, or destroying it. A usufructuary does not own the property but does have a legal interest in it which is sanctioned or contractually allowed by the owner.

A usufructuary has two of the three civilian property interests in the property, usus and fructus; they do not have the interest of abusus, which would entitle them to alienate, destroy, consume or sell the property.

The three civilian property interests:

  • Usus: The right to use or enjoy a thing possessed, directly and without alteration
  • Fructus: The right to derive profit from a thing possessed, eg. by lease, cultivation, taxing on entry, etc. Fructus (from ‘fruit’) allows a person to benefit from the sale of renewable commodities of the property.
  • Abusus: The right to consume, destroy, or transfer the property. This interest is not conferred upon the usufructuary.


  • Roman law considered usufruct a type of personal servitude, where the usufructuary had no possession of the property. Under a rental agreement today, a person has even more restricted rights over a property than did a usufructuary in Rome, but is yet not considered a personal servant.
  • The Law of Moses directed owners of productive property not to harvest the edges of their fields so that the poor may collect the gleanings. This confers a kind of usufructuary right by default onto the poor.
  • “Earth belongs – in usufruct – to the living.” (Thomas Jefferson).


Date: 28 February 2022

Dopamine, L-dopa and Pattern Detection

Production of neurotransmitter dopamine is stimulated by novelty, and it facilitates learning, information storage and pattern-recognition, as well as regulating emotion. Pattern-detection is important to learning, because the brain is able to compress complex raw data by identifying repetitious elements and storing information in association with the pattern, rather than making space for each node of information to be stored separately. For example, there is no need to memorize 1000 patterns of digits in order to count from 1 to 1000; the pattern is regular enough that the brain can derive each integer from a pattern it has stored, without storing each data point that the pattern produces.

However, patterns are not pure representations of the world, or even of the data being apprehended by the brain— they are mnemonic data structures which necessarily reduce the complexity of information in order to store it more efficiently. Pattern-matching is generally considered to be helpful for learning, and this may be true if learning is equated with remembering. However, is learning-as-remembering conducive to understanding? Sensitivity to pattern-detection can be alternately phrased as tendency to apply narrative. Humans cannot resist but apply narrative to phenomena, and it seems that a compulsion to apprehend data in a logical or causal sequence is deeply ingrained in the human brain, ported over from a form of intelligence that evolved to understand the physical world, where causality is a ubiquitous feature. For this reason, making judgements on inert data is a human default, and takes serious conscious effort to avoid.

It is therefore unsurprising that dopamine also lowers skepticism. If logical sequences (patterns) appear more readily, an inflated subset of chaotic phenomena appears to ‘make sense’, and so the suspension of belief is more easily overcome. L-dopa, a drug which is metabolized as dopamine and used to treat Parkinson’s, makes people more vulnerable to pattern-detection, and has a notable side-effect that causes some patients to develop sudden gambling addictions— patients see clear patterns in random phenomena, leading them to believe they will be more successful than they will be in reality.

Summary: Pattern detection is conducive to memorization, but not necessarily to clear thinking; in many instances apprehension of a pattern is a reduction of phenomena too complex to be faithfully reduced. Heightened dopamine can bolster addictive compulsions and increase credulousness, as patterns are more readily detected and chaotic sequences of action appear to make more sense. Pattern-detection is enhanced by dopamine production, and tendencies to compulsive action can result.

Samgyetang Ginseng Chicken Soup (Korean Style)

Date: 9 February 2022

For one serving:

  • Cornish hen/spatchcock
  • quarter cup (ideally short grain) rice, soaked for 15 minutes in hot water
  • Ginseng root
  • large dried jujube (red date)
  • 8 garlic cloves
  • Spring onions, chopped
  • Salt
  • Ground black pepper


  • Wash and salt hen, and rinse rice with cold water
  • Stuff with rice, 1 ginseng root, 1 jujube, 8 cloves of garlic
  • Boil from cold water, then simmer for 1.5 hours
  • Occasionally ladle any settled broth over hens
  • Serve Hens whole in a bowl and pour over broth
  • Sprinkle spring onions and pepper

    Compare with [chinese-ginseng-chicken-tonic-soup]

Writing with Exocore Syntax

Date: 4 February 2022

It's best to read this document with the markdown and rendered output side-by-side to see how the markdown syntax is rendered at build time.

Markdown Basics

The Exocore utilizes standardized Markdown syntax, along with some additional extensions. Much of the content of this article covers existing markdown syntax used universally in plain text formatting. However, some syntax, such as wikilinks and images are particular to the Exocore.


The above is a level 2 heading, preceded by ## and a space.

There’s nothing special about the way the Exocore processes headers— it’s just standard markdown. However, each header will render with an anchor link. If you hover over a heading and click the link icon that appears, the URL in your browser will reflect the section that you clicked. Now, if you copy that URL it will link directly to the heading that you clicked.

Heading levels

The above is a level 3 heading, preceded by ### and a space.

Here’s some advice: Only use top-level headings (preceded by #) for the document’s title. Aside from being markdown best practice, the Exocore takes your first top-level heading to use as the title of the page in the final rendered output. For intra-document section titles, use a level 2 heading. It’s for the best.

Here is a basic wikilink, pointing to other posts on this Exocore: exocore.

It is written as the title of their corresponding markdown file, surrounded by double square brackets. However, in the final render they are presented by default as the page’s title. This saves you typing out the whole page title in your markdown document, and allows the Foam VSCode extension to suggest files as you type. Below you can read about how to change their presentation.

[chinese-ginseng-chicken-tonic-soup|You can alias a link like this] if you don’t want to keep the title. Heads up— this link points to a recipe for Chinese ginseng chicken Soup.

This wikilink points to a header further down on this page, by using a #. Under that header you will find a different sort of wikilink— an embed. The content of another note is embedded within the current note. You can also point to a particular header within another note.

Check out the backlinks section at the bottom of any post, and you’ll find a list of every post that links back to it. Backlinks are automatically generated, and display all posts with links pointing to them.

The below text is embedded, using the same wikilink syntax as normal, but with an ! prepended. The full text of the linked note will be included. For example, here is an example of embedded note syntax:


Hyperlinks to external sites are not the same as wikilinks. A wikilink is a simple way to hyperlink to other posts on your Exocore without using the full processed URL as it is rendered online. A wikilink works locally in VSCode, allowing you to navigate between posts, and is transformed at render time to a web hyperlink, so that it always points to the correct page.

To create a hyperlink, use single normal parentheses around the URL you want to point to, and square brackets around the text you want displayed:


You can alias a hyperlink by changing the text in the square brackets, like this:

Here’s some information about Hyperlinks.

[Here's some information about Hyperlinks.](

Applying classes to a paragraph or image

Oh, by the way: You can apply the .right-aside class to create an aside, like this one. An aside floats to one side and other text wraps around it. .left-aside is also available for some variety.

Kramdown, the Markdown parser used by this implementation of the Exocore, has the ability to apply a CSS class to a paragraph by including syntax like {:.classname} at the top or bottom of a paragraph. The class will be applied to the whole paragraph. The Exocore stylesheet includes a few general classes meant to be used for just this purpose, which you should feel free to add to.

The following classes are pre-defined in the Exocore stylesheet:

  • .center - Reduces width of paragraph and centers it for emphasis

  • .left-aside, .right-aside - Applies a border and floats to the left/right. Other text will wrap around it

  • .left, .right - Reduces width and places to the left/right (meant for images)

  • .border - applies a thin black border

  • .shadow - applies a black blurred drop shadow

  • .glow - applies a white blurred drop shadow (produces a glowing effect)

  • .flip - flips the image (or text) horizontally


You can create a table like this.
A newline in markdown extends the table vertically.
A pipe extends the table laterally.  


For more complex data representation, Graphviz can be used in conjunction with the Exocore. Read more about Graphviz syntax here, and find a demonstration of the way it is used with the Exocore [[graphviz-test|here]]

Sidenotes and Footnotes:

Here’s a simple footnote with no linebreaks in it.1 Each footnote is an anchor link to the bottom of the page, with a return link attached. Notice the sidenote in the right margin, identical to the footnote.

All footnotes are also rendered as sidenotes. A footnote forms a commentary or citation best kept separate from the main text, and a sidenote is an easy way for a reader to access such commentary without breaking ergonomy by jumping up and down the page.

If you want to add multi-paragraph footnotes, indent your second paragraph, like this (see footnote at bottom).2

You can put a footnote’s markdown reference immediately under a paragraph, like this3, or clump them at the end. Either way, they will appear at the bottom in your rendered content.

Footnotes automatically form a numbered list, and can also be mapped by name, like this4

Inserting images

To insert an image, use the following syntax:


However, don’t bother remembering this syntax. The easiest way to insert an image is to use the Paste Image VSCode extension, which you will be prompted to download as a recommended third-party extension of the Foam VSCode extension. On macOS, copy your image to the clipboard, and use the keyboard command CMD + option + V. You will be prompted to give your image file a name, and it will be added to the images folder in your Exocore’s top-level directory. Note: If you CMD+C copy an image from your desktop on a Mac, it is not copied to your clipboard. Instead, open the image, and then use the same keyboard command.

You can insert alt text and a caption like this:

![This is alt text](/images/mouse.jpg)
*Insert a caption by placing italicised text immediately underneath the image*

The above snippet produces the below outcome:

This is alt text Insert a caption by placing italicised text immediately underneath the image, with no empty line in between.

Embedded Code

Below are a couple of lines of code, a shell script I call when I want to serve a local render of my Exocore to see how it looks before I publish it. To embed a piece of code so that characters are rendered verbatim, surround the code snippet with ``` on either side, like so:

cd ~/desktop/james-liao && bundle exec jekyll serve --baseurl ''

Naming files

Don’t use whitespace in your filenames— instead, name-them-like-this. This way, titles are easily converted to URLs and the back end of the Exocore remains happy. This of course applies only to filenames, and you may title your posts how you wish.

That should be everything to get you started!

  1. This is the first footnote. Note the return button: 

  2. For longer footnotes, you may want to use multiple paragraphs.

    Indent paragraphs to include them in the footnote. 

  3. This footnote appears immediately underneath its referring paragraph in this document’s original markdown, but on the rendered website it shows at the bottom. 

  4. This footnote has the name ‘named-footnote’. It’s still numbered and appears in sequence the same way the others do, but naming it might help you manage a document with many footnotes when dealing with your local markdown. 

Notes on Remilia’s New Internet

Date: 26 January 2022

the vision

um um u um uh hhhhhh

the visionis the new internet

the visiton is . remco

the new internet is realtim e( meguca) (s0machat )

the new art is remilia ( milady ) *( bonkler)

this is what. I beleive in . when I said Ibelieve in the vision

spider im so drunk incoehrent righr t now you will have to forgive m e for mty terseness

the new internet is digial dovertnty . exocore. realtime chat. OpenBSD

tiling window manager .terminal .

the new internet is network spirituality

“It is Okay CCCCAA I just Saw this as an Opportunity to get your drunk answer, I’ll ask again when you’re sober.”

the new internet


I understand

it all made sense to me

right now . is like a drea m for me. im rdreaming

the new internet is a reevaluation of our social interaction with each other . and a reformation of our dynamic with each other as USERS

the new internet is whit e hearted ( light hearted)

you have to think about this ,.

the real time chat BSD exocore digital sogivern homestead terminal tiling window manger are the aestehtic surface level

the deeper level is the metaphyiscs of the internet and how we interpret the virtual world

the rleationship betwene user interfaces with our mental spatiotemporal matrix of virtual reality

the relationship of social interfaces with our sociocultural development

digital culture is in turmoil as ou r third spaces are full y owned by pltaforfmrsd . w e are fully plugged in to .

eletronic womb . fetus . umbilical cord (100GB ETHERNET ) Into the SPINE

next stage o f humanutiy . traditionalism ( VAT) (susptended . sensory deperevation) / ( retrun)

3 monitors

112wsx . socio temporal nexus

cxomputer hell

the user interface will stop existing once the machine learning models fully understand us

the syncreticism between the old and the young. the tools to make computers approachable for the old are the fundemental primitive that the young understand comptuers throguh . its ahoreseshi ( horse shoe)

xcomputers must be increasingly MORE addictive . fqast . emotional . no response time given . immediate off th

e cuf f answers . full information throughput betwene interlocutors

charles has not adjusted his body to the netwrok . he is still getting “carsick “ becauyse his body has no t adapted to its new organs

having a new monitor added is like getting a new limb stitched onto your bodyt . conversely. I was mutilated when my diamondtron 2060u broke

stock traders with 30 monitors a re like the hindu dieties


Date: 27 January 2021

Exocore Executive Summary

The exocore is an easily navigable personal hypertext database for text and images— a personal wiki which, over time, serves as a faithful digital representation of your brain. It is designed to be easily onboarded onto an automated no-cost publishing workflow with zero technical knowledge.

The exocore is developed by Remilia Corporation as a Jamstack workflow and extension of Foam to complete the system of an accessible and standardized autopublishing knowledgebase network, as a proof-of-concept for Remilia’s New Internet.


Do you take notes, or conduct personal research? Do you output or collect text or image content in any form, such as a blog, poetry, diary or visual art? Do you intake any form of media, and want to catalogue your findings or thoughts? Do you forget information? The Exocore is a means to store and organize and publish such a bank of information in an easily navigable form.

The exocore comprises a set of a few programs and plugins, rolling them into a package which can be customized infinitely and modularly; without any technical knowledge it can still be made your own, and with even a touch of technical knowledge (particularly CSS or HTML facility) it can be made into anything at all.

Its online component is a scaffolding for a website, and its offline component (fully functional without the online) is a filing system for notes, written output, or other data. Out of the box, it’s a local directory of folders and interacting files forming an empty template for a zettelkasten/personal wiki, a platform for longform articles, a library of documents, a gallery of images, and an automatically created daily diary. Mix and match these features as you wish; they are fully modular and independent. A user would be free to use or not use any of these features, so if they want to create a self-hosted platform like Substack with no extra features, this is facilitated.

In the future, these exocores can comprise a webring linked by automatically updated network pages, as well as an IRC network for which the Exocores will operate as users’ personal homepages. They can also feature things like an automatically updated ‘latest posts’ feed from all other (or selected) Exocores, or just ‘related posts’ (by metadata tags) from your own site.

How to Begin

Follow the no-code instructions here to learn how to install your exocore locally and set up automatic publishing with Netlify.

Breaking down the Exocore

Information Pipeline

Notes are segregated into 4 categories:

  • Daily Notes are designed as a quick-access scratch pad, and are perfect for low-specificity research dumps and fleeting notes that will inform your notes in future. These are automatically titled by date. One is created each day automatically, and opened when you open VSCode.
  • Wiki Notes are designed for single atomic data points, and are automatically titled with a hexadecimal color code. This code is turned into a correspondingly colored badge in the index of the published site.
  • Journal Entries are for your thoughts, and are not automatically titled.
  • Articles, for longer write-ups on a particular topic.

These note categories together create a pipeline for systematizing knowledge over time from the general to the particular, and for capturing a bank of scattered reference material and developing it into a polished final product. For example, you might choose to cite a research dump in the subsequent post that it turned into as a bibliography/further reading section, such as appears at the bottom of this wiki note. This workflow is designed to encourage active, daily use of the exocore for all thoughts.

Editing Environment

The exocore is built as an extension on top of the Foam Visual Studio Code package, which is itself an open-source recreation of the Roam learning garden editor. Foam introduces the standard features required for a proper personal wiki system such as:

  • Backlinks panel
  • Wikilinks aliasing syntax
  • Tiling windows
  • Note embedding
  • Graph visualization
  • Sync files on rename

This system provides a powerful and highly customizable dashboard for comprehensive note-taking. On top of Foam, we’ve introduced:

  • Segregated note categories with default templates
  • Daily note generation
  • Automatic randomly generated titling for zettelkasten functionality
  • Automatic table of contents generation
  • Footnotes and sidenotes
  • Suite of Jekyll templates for automatically publishing websites off the collection of notes

User experience:

A user downloads the package in the form of a Github repository template, which lives on their local machine as a directory that can be manually or automatically synced via git to a web domain. The domain presents the documents in the directory after they are processed into an easily navigable and feature-rich website. Their exocore can be published to the web at no cost using Netlify’s free hosting and subdomain service.

A user can get by just fine only interacting with simple plaintext markdown files, and can write posts and create hyperlinks between them, add pictures or PDFs and more, without going beyond in-text markdown syntax (read more about the Exocore’s syntax here). They are also able to control how their generated website handles their documents in a human-readable metadata section at the top of each post: tags, title, subtitle, categories, layouts, date, and any others that the user cares to add.

Locally, the directory of notes (which will also be a git repository if you wish to publish as a website online) is managed and maintained through a VS Code workspace.

The recommended extensions for your workspace arrive as a package of two things:

  1. A template directory including templates for simple creation of new markdown documents of different kinds (article, journal entry, wiki note, daily note), each treated differently in the rendering of your website.

  2. A set of VSCode plugins which offer a suite of features for the user to add to their directory of posts by facilitating easy linking between notes, URL management, and many other features. The directory can be easily hosted for free with Netlify, for which a setup guide is available [installation-instructions#Publishing Your Exocore|here].


To view your site before it is pushed online, a user can also set up their Exocore directory to build a local instance of the site with Jekyll. When publishing, Netlify runs Jekyll server-side, so running it locally produces the same site as will be published.


The stack is an open-source repo and a suite of open-source programs and plugins, and is therefore ultimately customizable. The level of customizability depends only on your technical know-how, but minimal learnings yield compounding rewards. Here is an idea of the level of control over your final website yielded by advancing levels of technical knowledge:

  • No technical knowledge:
    • You can implement all of the above, and choose from a set of .CSS templates for your website to adjust its aesthetics. You can create posts, use the daily note functionality, store documents in the Library, create ZK notes and links between them, use backlinking, embed notes, and all other features mentioned above. In other words, all features are fully available with no technical knowledge. You should become acquainted with the Exocore’s syntax, but this is easy enough to guess at, or to learn in under half an hour.

      For publishing, a very cursory knowledge of git will come in handy, but git has a helpful GUI, and Exocore [installation-instructions#Publishing Your Exocore|documentation] includes a guide on how to publish your site.

  • HTML and CSS
    • You will be able to edit included stylesheets and HTML templates to create a site which looks any way that you wish. Both these languages are simple to learn, and even without learning them comprehensively a user can edit the provided templates and stylesheets to make major changes.
  • Jekyll/Liquid
    • You will be able to create logic functions to manipulate metadata stored in the markdown front matter, create custom menus or boxes with automatically generated content based on the front matter, assign your own custom front matter variables, and more.
  • Ruby
    • Learning Ruby is not at all necessary, but familiarity with it will help you package themes you have created for your exocore as Ruby Gems in case you would like to publish them for use by others. If you want to proliferate your particular model of the exocore, this is an easy way to package it.

Full Tech Stack

VSCode Plugins: