Wendell Odom, CCIE No. 1624 Emeritus, has been in the networking industry since 1981. He has worked as a network engineer, consultant, systems engineer, instructor, and course developer; he currently works writing and creating certification study tools. This book is his 29th edition of some product for Pearson, and he is the author of all editions of the CCNA Cert Guides about Routing and Switching from Cisco Press. He has written books about topics from networking basics, certification guides throughout the years for CCENT, CCNA R&S, CCNA DC, CCNP ROUTE, CCNP QoS, and CCIE R&S. He maintains study tools, links to his blogs, and other resources at [...]

Introduction xxvii

Part I IP Access Control Lists 3

Chapter 1 Introduction to TCP/IP Transport and Applications 4

Do I Know This Already? Quiz 4

Foundation Topics 6

TCP/IP Layer 4 Protocols: TCP and UDP 6

Transmission Control Protocol 7

Multiplexing Using TCP Port Numbers 7

Popular TCP/IP Applications 10

Connection Establishment and Termination 12

Error Recovery and Reliability 13

Flow Control Using Windowing 15

User Datagram Protocol 16

TCP/IP Applications 16

Uniform Resource Identifiers 17

Finding the Web Server Using DNS 18

Transferring Files with HTTP 20

How the Receiving Host Identifies the Correct Receiving Application 21

Chapter Review 22

Chapter 2 Basic IPv4 Access Control Lists 24

Do I Know This Already? Quiz 24

Foundation Topics 26

IPv4 Access Control List Basics 26

ACL Location and Direction 26

Matching Packets 27

Taking Action When a Match Occurs 28

Types of IP ACLs 28

Standard Numbered IPv4 ACLs 29

List Logic with IP ACLs 29

Matching Logic and Command Syntax 31

Matching the Exact IP Address 31

Matching a Subset of the Address with Wildcards 31

Binary Wildcard Masks 33

Finding the Right Wildcard Mask to Match a Subnet 33

Matching Any/All Addresses 34

Implementing Standard IP ACLs 34

Standard Numbered ACL Example 1 35

Standard Numbered ACL Example 2 36

Troubleshooting and Verification Tips 38

Practice Applying Standard IP ACLs 39

Practice Building access-list Commands 39

Reverse Engineering from ACL to Address Range 40

Chapter Review 41

Chapter 3 Advanced IPv4 Access Control Lists 44

Do I Know This Already? Quiz 44

Foundation Topics 46

Extended Numbered IP Access Control Lists 46

Matching the Protocol, Source IP, and Destination IP 46

Matching TCP and UDP Port Numbers 48

Extended IP ACL Configuration 51

Extended IP Access Lists: Example 1 51

Extended IP Access Lists: Example 2 53

Practice Building access-list Commands 54

Named ACLs and ACL Editing 54

Named IP Access Lists 54

Editing ACLs Using Sequence Numbers 56

Numbered ACL Configuration Versus Named ACL Configuration 58

ACL Implementation Considerations 59

Additional Reading on ACLs 60

Chapter Review 61

Part I Review 64

Part II Security Services 67

Chapter 4 Security Architectures 68

Do I Know This Already? Quiz 68

Foundation Topics 70

Security Terminology 70

Common Security Threats 72

Attacks That Spoof Addresses 72

Denial-of-Service Attacks 73

Reflection and Amplification Attacks 75

Man-in-the-Middle Attacks 76

Address Spoofing Attack Summary 77

Reconnaissance Attacks 77

Buffer Overflow Attacks 78

Malware 78

Human Vulnerabilities 79

Password Vulnerabilities 80

Password Alternatives 80

Controlling and Monitoring User Access 82

Developing a Security Program to Educate Users 83

Chapter Review 84

Chapter 5 Securing Network Devices 86

Do I Know This Already? Quiz 86

Foundation Topics 88

Securing IOS Passwords 88

Encrypting Older IOS Passwords with service password-encryption 89

Encoding the Enable Passwords with Hashes 90

Interactions Between Enable Password and Enable Secret 90

Making the Enable Secret Truly Secret with a Hash 91

Improved Hashes for Cisco's Enable Secret 92

Encoding the Passwords for Local Usernames 94

Controlling Password Attacks with ACLs 95

Firewalls and Intrusion Prevention Systems 95

Traditional Firewalls 96

Security Zones 97

Intrusion Prevention Systems (IPS) 99

Cisco Next-Generation Firewalls 100

Cisco Next-Generation IPS 102

Chapter Review 103

Chapter 6 Implementing Switch Port Security 106

Do I Know This Already? Quiz 106

Foundation Topics 108

Port Security Concepts and Configuration 108

Configuring Port Security 109

Verifying Port Security 112

Port Security MAC Addresses 113

Port Security Violation Modes 114

Port Security Shutdown Mode 115

Port Security Protect and Restrict Modes 117

Chapter Review 119

Chapter 7 Implementing DHCP 122

Do I Know This Already? Quiz 122

Foundation Topics 124

Dynamic Host Configuration Protocol 124

DHCP Concepts 125

Supporting DHCP for Remote Subnets with DHCP Relay 126

Information Stored at the DHCP Server 128

Configuring DHCP Features on Routers and Switches 129

Configuring DHCP Relay 130

Configuring a Switch as DHCP Client 130

Configuring a Router as DHCP Client 132

Identifying Host IPv4 Settings 133

Host Settings for IPv4 133

Host IP Settings on Windows 134

Host IP Settings on macOS 136

Host IP Settings on Linux 138

Chapter Review 140

Chapter 8 DHCP Snooping and ARP Inspection 144

Do I Know This Already? Quiz 144

Foundation Topics 146

DHCP Snooping 146

DHCP Snooping Concepts 146

A Sample Attack: A Spurious DHCP Server 147

DHCP Snooping Logic 148

Filtering DISCOVER Messages Based on MAC Address 150

Filtering Messages that Release IP Addresses 150

DHCP Snooping Configuration 152

Configuring DHCP Snooping on a Layer 2 Switch 152

Limiting DHCP Message Rates 154

DHCP Snooping Configuration Summary 155

Dynamic ARP Inspection 156

DAI Concepts 156

Review of Normal IP ARP 156

Gratuitous ARP as an Attack Vector 157

Dynamic ARP Inspection Logic 158

Dynamic ARP Inspection Configuration 160

Configuring ARP Inspection on a Layer 2 Switch 160

Limiting DAI Message Rates 163

Configuring Optional DAI Message Checks 164

IP ARP Inspection Configuration Summary 165

Chapter Review 166

Part II Review 168

Part III IP Services 171

Chapter 9 Device Management Protocols 172

Do I Know This Already? Quiz 172

Foundation Topics 174

System Message Logging (Syslog) 174

Sending Messages in Real Time to Current Users 174

Storing Log Messages for Later Review 175

Log Message Format 176

Log Message Severity Levels 177

Configuring and Verifying System Logging 178

The debug Command and Log Messages 180

Network Time Protocol (NTP) 181

Setting the Time and Timezone 182

Basic NTP Configuration 183

NTP Reference Clock and Stratum 185

Redundant NTP Configuration 186

NTP Using a Loopback Interface for Better Availability 188

Analyzing Topology Using CDP and LLDP 190

Examining Information Learned by CDP 190

Configuring and Verifying CDP 193

Examining Information Learned by LLDP 194

Configuring and Verifying LLDP 197

Chapter Review 199

Chapter 10 Network Address Translation 202

Do I Know This Already? Quiz 202

Foundation Topics 204

Perspectives on IPv4 Address Scalability 204

CIDR 205

Private Addressing 206

Network Address Translation Concepts 207

Static NAT 208

Dynamic NAT 210

Overloading NAT with Port Address Translation 211

NAT Configuration and Troubleshooting 213

Static NAT Configuration 213

Dynamic NAT Configuration 215

Dynamic NAT Verification 217

NAT Overload (PAT) Configuration 219

NAT Troubleshooting 222

Chapter Review 223

Chapter 11 Quality of Service (QoS) 226

Do I Know This Already? Quiz 226

Foundation Topics 228

Introduction to QoS 228

QoS: Managing Bandwidth, Delay, Jitter, and Loss 228

Types of Traffic 229

Data Applications 229

Voice and Video Applications 230

QoS as Mentioned in This Book 232

QoS on Switches and Routers 233

Classification and Marking 233

Classification Basics 233

Matching (Classification) Basics 234

Classification on Routers with ACLs and NBAR 235

Marking IP DSCP and Ethernet CoS 236

Marking the IP Header 237

Marking the Ethernet 802.1Q Header 237

Other Marking Fields 238

Defining Trust Boundaries 238

DiffServ Suggested Marking Values 239

Expedited Forwarding (EF) 240

Assured Forwarding (AF) 240

Class Selector (CS) 241

Guidelines for DSCP Marking Values 241

Queuing 242

Round-Robin Scheduling (Prioritization) 243

Low Latency Queuing 243

A Prioritization Strategy for Data, Voice, and Video 245

Shaping and Policing 245

Policing 246

Where to Use Policing 246

Shaping 248

Setting a Good Shaping Time Interval for Voice and Video 249

Congestion Avoidance 250

TCP Windowing Basics 250

Congestion Avoidance Tools 251

Chapter Review 252

Chapter 12 Miscellaneous IP Services 254

Do I Know This Already? Quiz 254

Foundation Topics 256

First Hop Redundancy Protocol 256

The Need for Redundancy in Networks 257

The Need for a First Hop Redundancy Protocol 259

The Three Solutions for First-Hop Redundancy 260

HSRP Concepts 261

HSRP Failover 261

HSRP Load Balancing 262

Simple Network Management Protocol 263

SNMP Variable Reading and Writing: SNMP Get and Set 264

SNMP Notifications: Traps and Informs 265

The Management Information Base 266

Securing SNMP 267

FTP and TFTP 268

Managing Cisco IOS...