
Posts

Showing posts with the label Network Engineer

Multicast - Key concepts

Multicast Overview
Multicast is a network communication method that delivers a single stream from a source to multiple destinations. It conserves bandwidth in applications such as video conferencing, IPTV, and stock tickers. The Internet Group Management Protocol (IGMP) runs between hosts and their first-hop router on the local subnet to signal group membership (switches use IGMP snooping to constrain Layer 2 flooding), while Protocol Independent Multicast (PIM) runs between routers to build the multicast distribution tree.
Technical Tip: Multicast is UDP-based, so it lacks TCP's reliability mechanisms (windowing, acknowledgements, retransmission); applications must tolerate lost, duplicated, and out-of-order packets. Receivers join a group rather than authenticate to a source, so any host on a segment can typically join or send to a group unless IGMP snooping, PIM boundaries, or ACLs restrict it.
Multicast Addressing
Multicast addresses are in the Class D range (224.0.0.0 to 239.255.255.255). These addresses are not assigned to individual devices but represent groups.
Well-known Multicast Address Types:
Local network control block (224.0.0.0/24): Protocol control traffic within a broadcast domain; routers never forward it.
Internetwork control block (224.0.1.0
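As an added example (not code from the original post), the following Python classifies an IPv4 address against the well-known multicast blocks named above and extends the list with the other IANA blocks (SSM, GLOP, administratively scoped). It also shows the RFC 1112 group-to-MAC mapping, because the 23-bit mapping means 32 groups share one Ethernet MAC, which matters when reasoning about what a switch actually delivers to a port. The block names and the sample addresses are this example's own choices.

```python
import ipaddress

# Well-known IPv4 multicast blocks from the IANA registry. The two the text
# names come first; the rest are added here for completeness.
MULTICAST_BLOCKS = [
    (ipaddress.ip_network("224.0.0.0/24"), "Local Network Control Block (link-local, never routed)"),
    (ipaddress.ip_network("224.0.1.0/24"), "Internetwork Control Block"),
    (ipaddress.ip_network("232.0.0.0/8"), "Source-Specific Multicast (SSM)"),
    (ipaddress.ip_network("233.0.0.0/8"), "GLOP Block (derived from a 16-bit ASN)"),
    (ipaddress.ip_network("239.0.0.0/8"), "Administratively Scoped Block (organization-local)"),
]


def classify_multicast(addr: str) -> str:
    """Return the well-known block an IPv4 address belongs to, or 'not multicast'."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 addresses only")
    if not ip.is_multicast:           # outside 224.0.0.0/4
        return "not multicast"
    for net, name in MULTICAST_BLOCKS:
        if ip in net:
            return name
    return "Other multicast (224.0.0.0/4, no well-known block)"


def glop_prefix(asn: int) -> str:
    """RFC 3180 GLOP: 233.<ASN high byte>.<ASN low byte>.0/24 for a 16-bit ASN."""
    if not 0 < asn < 65536:
        raise ValueError("GLOP only covers 16-bit ASNs")
    return f"233.{asn >> 8}.{asn & 0xFF}.0/24"


def multicast_mac(addr: str) -> str:
    """Map an IPv4 group to its Ethernet MAC: 01:00:5e + the low 23 bits (RFC 1112)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4 or not ip.is_multicast:
        raise ValueError("need an IPv4 multicast group")
    mac = 0x01005E000000 | (int(ip) & 0x7FFFFF)
    return ":".join(f"{(mac >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


def mac_aliases(addr: str) -> list:
    """All 32 IPv4 groups that share this group's MAC.

    Bits 23-27 of the address are dropped by the mapping, so a switch that
    forwards on MAC alone can deliver an unrelated group's traffic (32:1 ambiguity).
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4 or not ip.is_multicast:
        raise ValueError("need an IPv4 multicast group")
    low23 = int(ip) & 0x7FFFFF
    return [str(ipaddress.ip_address(0xE0000000 | (k << 23) | low23)) for k in range(32)]


if __name__ == "__main__":
    # Constructed sample addresses: OSPF AllSPFRouters, an SSM group, a scoped group.
    for a in ("224.0.0.5", "232.1.1.1", "239.1.2.3", "10.0.0.1"):
        print(f"{a:<14} {classify_multicast(a)}")
    print("224.1.1.1 ->", multicast_mac("224.1.1.1"), "shared with", mac_aliases("224.1.1.1")[-1])
    print("AS 5662 GLOP prefix:", glop_prefix(5662))
```

The alias list is the practical reason IGMP snooping alone is not an isolation boundary: two groups with the same low 23 bits are indistinguishable at Layer 2.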

IPv6 - Key concepts

IPv6 Addressing
IPv6 addresses are 128 bits long and written as eight 16-bit hexadecimal groups separated by colons. To shorten an address, leading zeros within a group can be omitted, and one run of consecutive all-zero groups can be replaced with "::" (only once per address).
Technical Tip: "::" can appear only once in an IPv6 address; a second occurrence would make the number of omitted groups ambiguous, and parsers must reject it.
Example:
Full: 2001:0db8:0000:0000:0000:ff00:0042:8329
Shortened: 2001:db8::ff00:42:8329
IPv6 Address Types
Unicast: Identifies a single interface (Global, Link-Local, Unique-Local).
Multicast: Packets sent to all interfaces in the group (FF00::/8).
Anycast: Address assigned to multiple interfaces, with the packet routed to the nearest one.
Technical Tip: IPv6 has no broadcast; multicast serves the same purpose (for example, ff02::1 reaches all nodes on the link).
IPv6 Stateless Autoconfiguration (SLAAC)
With Stateless Address Autoconfiguration (SLAAC), hosts can configure their own IP addresses based o

Network Services - Key concepts

First Hop Redundancy Protocols (FHRP)
HSRP, GLBP, VRRP
HSRP (Hot Standby Router Protocol): Provides redundancy by allowing one router to be active while the others stand by.
Technical Tip: Always configure preempt so that a higher-priority router automatically reclaims the active role when it comes back online. Use MD5 authentication so an unauthorized device on the segment cannot win the active election and hijack the virtual gateway. The key is a shared secret that appears in every participating router's configuration, so protect the configs and use a strong key rather than the placeholder shown.
Example:
standby 1 ip 10.1.25.22
standby 1 priority 200
standby 1 preempt
standby 1 authentication md5 key-string Cisco
GLBP (Gateway Load Balancing Protocol): Adds load balancing to FHRP by distributing traffic among multiple routers using several virtual MAC addresses.
Technical Tip: Control which router becomes the Active Virtual Gateway (AVG) with the priority command, and enable authentication for the same reason as with HSRP.
Example:
glbp 1 ip 10.1.1.100
glbp 1 priority 255
glbp 1 authentication md5 key-string Cisco
VRRP (Virtual Router Redundancy Protocol): Similar to HSRP but an open standard. Allows rou

Quality of Service (QoS) - Key concepts

Quality of Service Overview
QoS is crucial for managing bandwidth, latency, jitter, and packet loss, which shape application performance, especially for real-time services like voice and video. The key quality problems are insufficient bandwidth, latency (one-way packet delay), jitter (variation in that delay), and packet loss (data dropped in transit).
Technical Tip: For real-time traffic keep one-way latency under 150 ms, jitter under 30 ms, and packet loss below 1%.
End-to-End Layer 3 QoS using MQC
DiffServ QoS Model
DiffServ scales because it classifies traffic into a small number of classes and marks each packet once; every downstream hop then treats the packet according to its marking rather than per flow.
Technical Tip: Classify and mark at the network edge with DiffServ, and rely on Per-Hop Behavior (PHB) in the core, where devices only need to honor the marking.
CoS and DSCP Mapping
CoS marks traffic in the Layer 2 (802.1Q) header, while DSCP marks it in the Layer 3 IP header for end-to-end prioritization.
Technical Tip: DSCP is the more versatile marking for end-to-end QoS, since CoS survives only within a Layer 2 domain and is lost when the frame is routed. Because markings are trusted by the devices that honor them, untrusted edge ports should remark or reset DSCP rather than accept whatever a host sets.

System Management - Key concepts

Device Management
Console and VTY
Console and VTY provide access to the device CLI for configuration and troubleshooting. The console is used for local access; VTY lines allow remote access via Telnet or SSH.
TCP Keepalives: Use service tcp-keepalives-in so that dead Telnet or SSH sessions do not keep occupying VTY lines.
Router1(config)#service tcp-keepalives-in
Technical Tip: To prevent being locked out of a router by exhausted VTY lines, and to keep untrusted hosts off the management plane entirely, restrict VTY access with an access list applied with access-class.
access-list 9 permit 172.25.1.1
line vty 0 4
 access-class 9 in
Source Interface for Telnet: Set the router to use a specific IP address for outgoing Telnet connections with:
ip telnet source-interface loopback0
SSH and SCP
SSH: Use Secure Shell (SSH) to access the device securely. Configure SSH with RSA keys; a 1024-bit modulus is no longer considered adequate, so generate a 2048-bit or larger key, and pair it with ip ssh version 2 and transport input ssh on the VTY lines so that Telnet is not accepted at all.
ip domain-name example.com
crypto key generate rsa modulus 2048
SCP (Secure Copy Protocol): SC

Network Security Key concepts

Switch Security Features Cisco SAFE Framework Cisco SAFE is a security architectural framework designed to protect against evolving threats like phishing, malware, and ransomware. It ensures comprehensive security across the network in various "places in the network" (PINs). Next-Generation Intrusion Prevention System (NGIPS) NGIPS is an advanced system for detecting and preventing intrusion attacks. It can log, analyze, and block malicious activities. NGIPS is available in physical appliances, virtual machines, or integrated with other Cisco systems like ISR. Firepower appliances provide dedicated hardware for intrusion prevention. NGIPS Virtual (NGIPSv) is available for virtualization environments. Technical Tip : NGIPS should be strategically deployed in areas with high traffic, such as edge devices or data centers, to monitor for anomalies effectively. Next-Generation Firewall (NGFW) N

Infrastructure Security and Services

Device Security on Cisco IOS XE
Control Plane Policing and Protection
Control Plane Policing (CoPP): Protects the router or switch CPU from DoS by treating traffic punted to, or injected from, the control plane as if it crossed a separate control-plane interface and applying an MQC QoS policy to it. Control traffic is rate-limited per class, so forwarding stays stable under a flood.
Example Configuration: A QoS policy for Telnet traffic rate-limits unwanted traffic while allowing trusted hosts unrestricted access.
Terminal Lines and Password Protection
Access Methods: Devices can be accessed through console ports (local), auxiliary ports (remote via modem), or virtual terminals (Telnet/SSH).
Password Types:
Type 0: Plaintext; insecure.
Type 5: Salted MD5 hash, used with enable secret. Better than Type 7, but fast to brute-force on GPUs and no longer recommended.
Type 7: Not a hash at all but a reversible XOR obfuscation (what service password-encryption produces); anyone holding the string can recover the plaintext instantly.
Type 8/9: Modern password hashing (PBKDF2-SHA-256 for Type 8, scrypt for Type 9); prefer these for enable secret and username secret.
Configuring Local Password Authentication Commands
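To make the "easily cracked" claim concrete, here is an added example (not code from the original post) that implements the Type 7 scheme in Python and then uses it to audit an IOS-style configuration: every password or secret line is classified by type, and Type 0 and Type 7 values are recovered on the spot. The XOR key is the fixed one IOS uses and is public knowledge. The sample configuration is constructed for this example; its Type 7 strings were produced with the encoder below, and the Type 5 and Type 9 values are placeholders, not real hashes.

```python
import re

# The fixed XOR key used by Cisco "Type 7" password obfuscation. It is
# hard-coded in IOS and has been public for decades, which is why Type 7
# offers no real protection.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Recover plaintext from a Type 7 string: two decimal digits give the
    starting offset into TYPE7_KEY, then each plaintext byte is stored as
    the hex of (byte XOR key[offset + i])."""
    if len(enc) < 4 or len(enc) % 2 or not re.fullmatch(r"\d{2}[0-9A-Fa-f]+", enc):
        raise ValueError("not a well-formed Type 7 string")
    seed = int(enc[:2])
    out = bytearray()
    for i, pos in enumerate(range(2, len(enc), 2)):
        out.append(int(enc[pos:pos + 2], 16) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
    return out.decode("latin-1")


def type7_encode(plain: str, seed: int = 9) -> str:
    """Inverse of type7_decode; IOS itself picks a seed in 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = "".join(
        f"{b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}"
        for i, b in enumerate(plain.encode("latin-1"))
    )
    return f"{seed:02d}{body}"


# Severity of each password type, following the ranking in the text.
TYPE_VERDICT = {
    "0": "CRITICAL: plaintext",
    "7": "HIGH: reversible obfuscation",
    "5": "MEDIUM: salted MD5, deprecated",
    "8": "OK: PBKDF2-SHA-256",
    "9": "OK: scrypt",
}


def audit_config(cfg: str) -> list:
    """Scan an IOS-style config for 'password'/'secret' lines and report the
    type of each credential, recovering Type 0 and Type 7 plaintext."""
    findings = []
    for line in cfg.splitlines():
        tokens = line.split()
        kw = next((t for t in ("password", "secret") if t in tokens), None)
        if kw is None:
            continue
        rest = tokens[tokens.index(kw) + 1:]
        if not rest:
            continue
        if rest[0] in TYPE_VERDICT and len(rest) > 1:
            ptype, value = rest[0], rest[1]
        else:                                  # no type digit means plaintext (Type 0)
            ptype, value = "0", rest[0]
        finding = {"line": line.strip(), "type": ptype, "verdict": TYPE_VERDICT[ptype], "recovered": None}
        if ptype == "7":
            try:
                finding["recovered"] = type7_decode(value)
            except ValueError:
                finding["verdict"] += " (malformed)"
        elif ptype == "0":
            finding["recovered"] = value
        findings.append(finding)
    return findings


# Constructed sample config (not from any real device). Type 7 strings were
# generated with type7_encode above; the Type 5/9 values are placeholders.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$mERr$placeholderhashvalue
enable password 7 094F471A1A0A
username admin privilege 15 secret 9 $9$placeholderscryptvalue
username backup password 7 15100A0F0F3F3B
username legacy password cisco123
line vty 0 4
 password 7 020700560208
 transport input ssh
"""


def weak_credentials(cfg: str = SAMPLE_CONFIG) -> list:
    """Only the findings a reviewer must act on (Types 0 and 7), as (type, plaintext) pairs."""
    return [(f["type"], f["recovered"]) for f in audit_config(cfg) if f["type"] in ("0", "7")]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        extra = f"  -> {f['recovered']}" if f["recovered"] else ""
        print(f"{f['verdict']:<32} {f['line']}{extra}")
```

Note that service password-encryption, which is present in the sample, is what turns Type 0 into Type 7; it hides passwords from a casual glance over someone's shoulder and nothing more. A config backup, a show running-config in a ticket, or a TFTP capture gives away every Type 7 credential.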

DMVPN - Key concepts

DMVPN (Dynamic Multipoint Virtual Private Network)
DMVPN enables dynamic and scalable VPN connections, built from mGRE (Multipoint Generic Routing Encapsulation), NHRP (Next Hop Resolution Protocol), and, optionally, IPsec for encryption. It supports hub-and-spoke topologies that can evolve into a full mesh. IPsec is optional only in the sense that the tunnels work without it: without tunnel protection, mGRE and NHRP traffic crosses the underlay in cleartext, and NHRP's own authentication is a plaintext string, so any deployment over an untrusted transport should apply an IPsec profile to the tunnel.
DMVPN Phases
Phase 1: Basic hub-and-spoke topology where spokes communicate through the hub. mGRE is configured on the hub and point-to-point GRE on the spokes.
Limitation: No direct spoke-to-spoke communication; all traffic passes through the hub.
Routing: Spokes register their addresses with the hub, and no spoke-to-spoke tunnels are formed.
Phase 2: Introduces spoke-to-spoke communication using mGRE on both the hub and the spokes. Next-hop reachability is preserved in the routing updates, and spokes dynamically build tunnels to communicate directly. No route sum

MPLS - Key concepts

MPLS Overview
MPLS (Multiprotocol Label Switching) is a transport technology that forwards packets using short labels rather than longest-match IP lookups at every hop. MPLS is integral to modern VPNs and service provider networks, enabling efficient forwarding and scalability.
MPLS VPNs
MPLS VPNs use PE (Provider Edge) routers to manage customer routes and VRFs (Virtual Routing and Forwarding) to hold each customer's routing table. Each customer's routes are isolated in a separate VRF, which is what allows overlapping IP prefixes between customers. PE routers exchange routes with CE (Customer Edge) routers using a routing protocol such as BGP, RIP, OSPF, or EIGRP (or static routes), with each instance confined to the customer's VRF.
Label Stack: MPLS VPN packets carry two labels:
Outer (transport) label directs the packet across the core to the egress PE.
Inner (VPN) label tells the egress PE which VRF the packet belongs to.
Technical Tip: Use the mpls ip command to enable MPLS label forwarding on interfaces. Isolation between customers relies entirely on correct VRF and route-target configuration on the PE, so treat those as security-relevant changes and review them accordingly.
VPN Types
MPLS VPN supports several types of VPNs: Remote Acc

BGP - Key concepts

BGP Overview – RFC 4271
BGP (Border Gateway Protocol) is an Exterior Gateway Protocol (EGP) that exchanges routing information between autonomous systems (AS), which distinguishes it from IGPs (RIP, EIGRP, OSPF). It runs over TCP (port 179) and can peer between routers that are several hops apart. BGP is the right choice for managing routes in a multi-homed environment, offering fine control over route selection through its best-path algorithm, which weighs Path Attributes (PAs) such as AS_PATH, LOCAL_PREF, and others. Because a session is just a TCP connection, protect it: authenticate peers (TCP MD5 or TCP-AO), limit TTL with GTSM where supported, and filter the prefixes accepted from and advertised to every neighbor.
Autonomous System (AS)
An AS is a connected group of one or more IP prefixes run by one or more network operators under a single, clearly defined routing policy. Each AS is identified by a unique ASN (Autonomous System Number). BGP carries the AS_PATH attribute, the ordered list of ASNs a route has traversed; a router rejects any route whose AS_PATH already contains its own ASN (BGP's loop prevention), and shorter AS_PATHs are preferred during best-path selection.
When to Use BGP
BGP is most useful when there are at least two Internet connections and you want to co