Spanning-Tree Algorithm

Posted: 13th December 2020 by ccna7guru in ITN

STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop. A switch port is considered blocked when network traffic is prevented from entering or leaving that port.


STP uses the spanning-tree algorithm (STA) to determine which switch ports on a network need to be blocking in order to prevent loops from occurring. The STA designates a single switch as the root bridge and uses it as the reference point for all subsequent calculations. Switches participating in STP determine which switch has the lowest bridge ID (BID) on the network; this switch automatically becomes the root bridge. Because the BID is the bridge priority followed by the switch MAC address, leaving every switch at the default priority hands the election to whichever switch happens to have the lowest MAC address, often an old access switch. Set a low priority on the switch you intend to be the root rather than leaving the choice to the MAC address.


A bridge protocol data unit (BPDU) is a frame containing STP information exchanged by switches running STP. Each BPDU contains a BID that identifies the switch that sent the BPDU. The lowest BID value determines which switch is root.
After the root bridge has been determined, the STA calculates the shortest path to the root bridge. If there is more than one path to choose from, STA chooses the path with the lowest path cost.
When the STA has determined the “best” paths emanating from the root bridge, it configures the switch ports into distinct port roles. The port roles describe their relation in the network to the root bridge and whether they are allowed to forward traffic:

Root ports: Switch ports closest to the root bridge
Designated ports: Non-root ports that are still permitted to forward traffic on the network
Nondesignated ports: Ports in a blocking state to prevent loops
Disabled port: Ports that are administratively shut down

After a switch boots, it sends BPDU frames containing the switch BID and the root ID every 2 seconds. Initially, each switch identifies itself as the root bridge after bootup.
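The three STA steps described above (root election by lowest BID, root path cost, port roles) as a small model in Python. This is an added example, not code from the original post or from Cisco: the three-switch topology, the BIDs and the link cost of 19 (the classic 802.1D value for a 100 Mb/s link) are assumed for illustration, and tie-breaking is reduced to "lower BID wins".

```python
# Added example (not from the original post): a minimal model of the
# spanning-tree algorithm (STA). Topology, BIDs and link costs are constructed.
import heapq

# Bridge ID = (priority, MAC); lower wins. Assumed values.
BIDS = {
    "S1": (32768, "0000.0000.0001"),
    "S2": (32768, "0000.0000.0002"),
    "S3": (32768, "0000.0000.0003"),
}

# Undirected segments with their port cost (19 = 802.1D cost of 100 Mb/s, assumed).
LINKS = [("S1", "S2", 19), ("S1", "S3", 19), ("S2", "S3", 19)]


def _adjacency(links):
    adj = {}
    for a, b, c in links:
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    return adj


def elect_root(bids):
    """Step 1: the switch with the lowest BID becomes the root bridge."""
    return min(bids, key=lambda s: bids[s])


def root_path_costs(links, root):
    """Step 2: cheapest path cost from every switch to the root (Dijkstra)."""
    adj = _adjacency(links)
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > cost[node]:
            continue
        for nbr, c in adj[node]:
            if d + c < cost.get(nbr, float("inf")):
                cost[nbr] = d + c
                heapq.heappush(heap, (d + c, nbr))
    return cost


def assign_port_roles(bids, links):
    """Step 3: label every port (switch, neighbour) as root/designated/nondesignated."""
    root = elect_root(bids)
    rpc = root_path_costs(links, root)
    adj = _adjacency(links)

    # Root port: lowest cost to the root via that neighbour; tie -> lowest neighbour BID
    # (the sender BID carried in the received BPDU).
    root_port = {}
    for sw in bids:
        if sw != root:
            best = min(adj[sw], key=lambda nc: (rpc[nc[0]] + nc[1], bids[nc[0]]))
            root_port[sw] = best[0]

    # Designated port: on each segment the end with the lowest root path cost
    # (tie -> lowest BID) forwards. The other end forwards only if the segment
    # is its root port; otherwise the port is nondesignated (blocking).
    roles = {}
    for a, b, _ in links:
        designated = min((a, b), key=lambda s: (rpc[s], bids[s]))
        for me, other in ((a, b), (b, a)):
            if me == root or me == designated:
                roles[(me, other)] = "designated"
            elif root_port[me] == other:
                roles[(me, other)] = "root"
            else:
                roles[(me, other)] = "nondesignated"
    return root, rpc, roles


if __name__ == "__main__":
    root, rpc, roles = assign_port_roles(BIDS, LINKS)
    print("root bridge:", root)
    for (sw, nbr), role in sorted(roles.items()):
        print(f"{sw} port towards {nbr}: {role:13s} (root path cost {rpc[sw]})")
```

With equal priorities S1 wins on MAC address and S3's port towards S2 ends up blocking. Lowering S3's priority (for example to 4096) moves the root to S3 and changes which port blocks, which is the point of configuring the priority deliberately.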

Port Cost in STP

NEW CCNA 200-301 PATTERN IN EXAMINATION

  1. Network Fundamentals: Includes basic fundamentals of networking 20%
  2. Network Access: How to connect to a network 20%
  3. IP Connectivity: Basics of Routing and Switching 25%
  4. IP Services: Includes services DNS, DHCP, FTP… 10%
  5. Security Fundamentals: Foundational knowledge 15%
  6. Automation and Programmability: Importance, basics and application 10%

Port Address Translation

Posted: 17th November 2020 by ccna7guru in ITN

Port Address Translation (PAT), also known as NAT overload, maps multiple private IPv4 addresses to a single public IPv4 address or a few addresses. This is what most home routers do. The ISP assigns one address to the router, yet several members of the household can simultaneously access the internet. This is the most common form of NAT for both the home and the enterprise.

With PAT, multiple addresses can be mapped to one or to a few addresses, because each private address is also tracked by a port number. When a device initiates a TCP/IP session, it generates a TCP or UDP source port value, or a specially assigned query ID for ICMP, to uniquely identify the session. When the NAT router receives a packet from the client, it uses its source port number to uniquely identify the specific NAT translation.

PAT ensures that each session with a server on the internet is identified by a different source port number on the inside global address. When a response comes back from the server, the source port number, which becomes the destination port number on the return trip, determines to which device the router forwards the packet. Because an inbound packet is forwarded only if it matches an existing translation entry, unsolicited inbound packets are dropped, which adds a degree of protection for inside hosts. This is a side effect of the translation table, not a substitute for a firewall or an ACL.

The figure animates the PAT process. PAT adds unique source port numbers to the inside global address to distinguish between translations.

As R2 processes each packet, it uses a port number (1331 and 1555, in this example) to identify the device from which the packet originated. The source address (SA) is the inside local address with the TCP/UDP assigned port number added. The destination address (DA) is the outside global address with the service port number added. In this example, the service port is 80, which is HTTP.

For the source address, R2 translates the inside local address to an inside global address with the port number added. The destination address is not changed but is now referred to as the outside global IPv4 address. When the web server replies, the path is reversed.
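The PAT process described above as a small translation-table model in Python. This is an added example, not code from the original post or from Cisco IOS: the inside global address 209.165.200.225, the inside local hosts, the outside server 209.165.201.1 and the port values are constructed for illustration, and the table keeps Cisco's habit of preserving the original source port unless another inside host already holds it.

```python
# Added example (not from the original post): a model of a PAT / NAT-overload
# translation table. All addresses and ports below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatRouter:
    """Maps many inside-local (ip, port) pairs onto one inside-global address."""

    def __init__(self, inside_global, port_range=(1024, 65535)):
        self.inside_global = inside_global
        self.low, self.high = port_range
        self.port_of = {}    # (proto, local_ip, local_port) -> global_port
        self.used = set()    # (proto, global_port) currently allocated
        # (proto, global_port, outside_ip, outside_port) -> (local_ip, local_port)
        self.sessions = {}

    def _allocate_port(self, proto, wanted):
        # Keep the host's own source port if free; otherwise take the next free one.
        port = wanted if self.low <= wanted <= self.high else self.low
        for _ in range(self.high - self.low + 1):
            if (proto, port) not in self.used:
                return port
            port = port + 1 if port < self.high else self.low
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, pkt):
        """Inside -> outside: rewrite only the source address:port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.port_of:
            gport = self._allocate_port(pkt.proto, pkt.src_port)
            self.port_of[key] = gport
            self.used.add((pkt.proto, gport))
        gport = self.port_of[key]
        # Record the full 4-tuple so only the peer we talked to can answer.
        self.sessions[(pkt.proto, gport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.inside_global, gport, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt):
        """Outside -> inside: return the untranslated packet, or None if it is dropped."""
        entry = self.sessions.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # nothing inside requested this, so it never reaches the LAN
        local_ip, local_port = entry
        return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port, pkt.proto)


if __name__ == "__main__":
    r2 = PatRouter("209.165.200.225")
    for pkt in (Packet("192.168.10.10", 1331, "209.165.201.1", 80),
                Packet("192.168.10.11", 1555, "209.165.201.1", 80),
                Packet("192.168.10.12", 1331, "209.165.201.1", 80)):  # same port as PC1
        out = r2.translate_outbound(pkt)
        print(f"{pkt.src_ip}:{pkt.src_port} -> {out.src_ip}:{out.src_port}")
    print(r2.translate_inbound(Packet("209.165.201.1", 80, "209.165.200.225", 1331)))
    print(r2.translate_inbound(Packet("203.0.113.9", 4444, "209.165.200.225", 1331)))
```

The third host reuses source port 1331, so R2 gives it 1332 on the global address; the server's reply to port 1331 goes back to the first host, and a packet from an unrelated source to the same port has no matching entry and is dropped.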

Dynamic NAT

Posted: 17th November 2020 by ccna7guru in ITN

Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When an inside device requests access to an outside network, dynamic NAT assigns an available public IPv4 address from the pool.

In the figure, PC3 has accessed the internet using the first available address in the dynamic NAT pool. The other addresses are still available for use. Similar to static NAT, dynamic NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions.

Static NAT

Posted: 17th November 2020 by ccna7guru in ENSA

Now that you have learned about NAT and how it works, this topic will discuss the many versions of NAT that are available to you.

Static NAT uses a one-to-one mapping of local and global addresses. These mappings are configured by the network administrator and remain constant.

In the figure, R2 is configured with static mappings for the inside local addresses of Svr1, PC2, and PC3. When these devices send traffic to the internet, their inside local addresses are translated to the configured inside global addresses. To outside networks, these devices appear to have public IPv4 addresses.


Static NAT is particularly useful for web servers or devices that must have a consistent address that is accessible from the internet, such as a company web server. It is also useful for devices that must be accessible by authorized personnel when offsite. For example, a network administrator on PC4 can use SSH to connect to the inside global address of Svr1 (209.165.200.226). R2 translates this inside global address to the inside local address 192.168.10.10 and connects the session to Svr1. Note that the static mapping itself does not restrict who can reach Svr1: every port on 209.165.200.226 is reachable from the internet unless an ACL on R2 limits the permitted source addresses and ports.

Static NAT requires one public address for every inside host that is mapped, regardless of how many sessions that host opens.

Selecting Optical Drives

Posted: 10th November 2020 by ccna7guru in ITN

The factors to consider when purchasing an optical drive are listed in Figure 1.

The table in Figure 2 summarises the capabilities of optical drives.

DVDs can store more data than CDs, and Blu-ray Discs (BD) can store more data than DVDs. DVDs and BDs can also be dual-layer for recording data, which roughly doubles the amount that can be written on the medium.

How to Access the Cisco Netacad Course Material

Posted: 2nd November 2020 by ccna7guru in ITN

After purchase you get a Netacad account and live contact with an instructor, including live chat about the course. You have full access to the course with an official Cisco Netacad student account, and the access is for life. Assignments, labs, course feedback and final exams are available.

CCNA1 course: Introduction to Networks (ITN)
CCNA2 course: Switching, Routing and Wireless Essentials (SRWE)
CCNA3 course: Enterprise Networking, Security and Automation (ENSA)

3 Cisco certificates.
3 Cisco digital badges.
Live instructor support.
Help desk available.
This course is more than a PDF.

Buy the CCNA v7 course.

Interface Verification Commands

Posted: 31st October 2020 by ccna7guru in ITN

There is no point in configuring your router unless you verify the configuration and connectivity. This topic covers the commands used to verify directly connected networks.

There are several show commands that can be used to verify the operation and configuration of an interface. The topology in the figure is used to demonstrate the verification of router interface settings.

The following commands are especially useful to quickly identify the status of an interface:

  • show ip interface brief and show ipv6 interface brief – These display a summary for all interfaces including the IPv4 or IPv6 address of the interface and current operational status.
  • show running-config interface interface-id – This displays the commands applied to the specified interface.
  • show ip route and show ipv6 route – These display the contents of the IPv4 or IPv6 routing table stored in RAM. In Cisco IOS 15, active interfaces should appear in the routing table with two related entries identified by the code ‘C’ (Connected) or ‘L’ (Local). In previous IOS versions, only a single entry with the code ‘C’ will appear.

Verify Interface Status

The output of the show ip interface brief and show ipv6 interface brief commands can be used to quickly reveal the status of all interfaces on the router. You can verify that the interfaces are active and operational as indicated by the Status of “up” and Protocol of “up”, as shown in the example. A different output would indicate a problem with either the configuration or the cabling.

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   192.168.11.1    YES manual up                    up
Serial0/1/0            209.165.200.225 YES manual up                    up
Serial0/1/1            unassigned      YES unset  administratively down down
R1# show ipv6 interface brief
GigabitEthernet0/0/0   [up/up]
    FE80::7279:B3FF:FE92:3130
    2001:DB8:ACAD:1::1
GigabitEthernet0/0/1   [up/up]
    FE80::7279:B3FF:FE92:3131
    2001:DB8:ACAD:2::1
Serial0/1/0            [up/up]
    FE80::7279:B3FF:FE92:3130
    2001:DB8:ACAD:3::1
Serial0/1/1            [down/down]     Unassigned
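When this check is automated rather than read by eye, the summary has to be parsed and each interface classified. The following is an added example, not code from the original post or from Cisco: it parses the text of show ip interface brief (the sample is the output shown above, embedded as a string) and maps each Status/Protocol pair to the usual cause, using the standard CCNA interpretations of "administratively down", "down/down" and "up/down".

```python
# Added example (not from the original post): parse "show ip interface brief"
# and flag interfaces that are not up/up. SAMPLE is the output shown on the page.
import re

SAMPLE = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   192.168.11.1    YES manual up                    up
Serial0/1/0            209.165.200.225 YES manual up                    up
Serial0/1/1            unassigned      YES unset  administratively down down
"""

# Status may contain a space ("administratively down"), so the protocol column is
# anchored from the right and the fixed-width columns from the left.
LINE_RE = re.compile(
    r"^(?P<interface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<protocol>\S+)\s*$"
)


def parse_ip_int_brief(text):
    """Return one dict per interface row; raise on a line the regex cannot read."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue  # blank line or column header
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        rows.append(m.groupdict())
    return rows


def classify(row):
    """Map the Status/Protocol pair to the likely cause."""
    status, proto = row["status"], row["protocol"]
    if status == "up" and proto == "up":
        return "ok"
    if status == "administratively down":
        return "shutdown"              # configuration: the interface has 'shutdown' applied
    if status == "down" and proto == "down":
        return "no carrier"            # cabling, or the far end is down
    if status == "up" and proto == "down":
        return "line protocol down"    # physical link up but Layer 2 failed (encapsulation/keepalive/clock)
    return "unknown"


def interface_report(text):
    """{interface name: classification} for every row in the output."""
    return {row["interface"]: classify(row) for row in parse_ip_int_brief(text)}


if __name__ == "__main__":
    for name, state in interface_report(SAMPLE).items():
        print(f"{name:22s} {state}")
```

The same parser feeds a compliance check well: any interface that is up/up but still shows "unassigned" is worth a second look, since it is carrying traffic without an address you configured.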

Verify IPv6 Link Local and Multicast Addresses

The output of the show ipv6 interface brief command displays two configured IPv6 addresses per interface. One address is the IPv6 global unicast address that was manually entered. The other address, which begins with FE80, is the link-local unicast address for the interface. A link-local address is automatically added to an interface whenever a global unicast address is assigned. An IPv6 network interface is required to have a link-local address, but not necessarily a global unicast address.

The show ipv6 interface gigabitethernet 0/0/0 command displays the interface status and all of the IPv6 addresses belonging to the interface. Along with the link local address and global unicast address, the output includes the multicast addresses assigned to the interface, beginning with prefix FF02, as shown in the example.

R1# show ipv6 interface gigabitethernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::7279:B3FF:FE92:3130
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:DB8:ACAD:1::1, subnet is 2001:DB8:ACAD:1::/64
  Joined group address(es):
    FF02::1
    FF02::1:FF00:1
    FF02::1:FF92:3130
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium

Verify Interface Configuration

The output of the show running-config interface command displays the current commands applied to the specified interface as shown.

R1# show running-config interface gigabitethernet 0/0/0
Building configuration...
Current configuration : 158 bytes
!
interface GigabitEthernet0/0/0
 description Link to LAN 1
 ip address 192.168.10.1 255.255.255.0
 negotiation auto
 ipv6 address 2001:DB8:ACAD:1::1/64
end
R1#

The following two commands are used to gather more detailed interface information:

  • show interfaces – Displays interface information and packet flow counts for all interfaces on the device.
  • show ip interface and show ipv6 interface – Display the IPv4 and IPv6 related information for all interfaces on a router.

Verify Routes

The output of the show ip route and show ipv6 route commands reveals the three directly connected network entries and the three local host route entries, as shown in the example. The local host route has an administrative distance of 0 and a /32 mask for IPv4 or a /128 mask for IPv6. A local host route is installed for each IP address the router itself owns; it lets the router recognise packets destined to that address and process them locally instead of forwarding them.

R1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       
Gateway of last resort is not set
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet0/0/0
L        192.168.10.1/32 is directly connected, GigabitEthernet0/0/0
      192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.11.0/24 is directly connected, GigabitEthernet0/0/1
L        192.168.11.1/32 is directly connected, GigabitEthernet0/0/1
      209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.200.224/30 is directly connected, Serial0/1/0
L        209.165.200.225/32 is directly connected, Serial0/1/0
R1# show ipv6 route
IPv6 Routing Table - default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       
C   2001:DB8:ACAD:1::/64 [0/0]
     via GigabitEthernet0/0/0, directly connected
L   2001:DB8:ACAD:1::1/128 [0/0]
     via GigabitEthernet0/0/0, receive
C   2001:DB8:ACAD:2::/64 [0/0]
     via GigabitEthernet0/0/1, directly connected
L   2001:DB8:ACAD:2::1/128 [0/0]
     via GigabitEthernet0/0/1, receive
C   2001:DB8:ACAD:3::/64 [0/0]
     via Serial0/1/0, directly connected
L   2001:DB8:ACAD:3::1/128 [0/0]
     via Serial0/1/0, receive
L   FF00::/8 [0/0]
     via Null0, receive
R1#

A ‘C’ next to a route within the routing table indicates that this is a directly connected network. When the router interface is configured with a global unicast address and is in the “up/up” state, the IPv6 prefix and prefix length are added to the IPv6 routing table as a connected route.

The IPv6 global unicast address applied to the interface is also installed in the routing table as a local route. The local route has a /128 prefix. Local routes are used by the routing table to efficiently process packets with the interface address of the router as the destination.

The ping command for IPv6 is identical to the command used with IPv4 except that an IPv6 address is used. As shown in the example, the ping command is used to verify Layer 3 connectivity between R1 and PC1.

R1# ping 2001:db8:acad:1::10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:1::10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Filter Show Command Output

Commands that generate multiple screens of output are, by default, paused after 24 lines. At the end of the paused output, the –More– text displays. Pressing Enter displays the next line and pressing the spacebar displays the next set of lines. Use the terminal length command to specify the number of lines to be displayed. A value of 0 (zero) prevents the router from pausing between screens of output.

Another very useful feature that improves the user experience in the CLI is the filtering of show output. Filtering commands can be used to display specific sections of output. To enable the filtering command, enter a pipe (|) character after the show command and then enter a filtering parameter and a filtering expression.

There are four filtering parameters that can be configured after the pipe.

section

Shows the entire section that starts with the filtering expression, as shown in the example.

R1# show running-config | section line vty
line vty 0 4
 password 7 110A1016141D
 login
 transport input all
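The password 7 110A1016141D line in that output deserves a closer look: type 7 is Cisco's reversible obfuscation (an XOR against a fixed key), not a hash, so anyone who can read the configuration, a backup or a show output can recover the plaintext. The decoder below is an added example, not code from the original post or from Cisco; the sample configuration is constructed, with the vty lines taken from the output above and a second username line added for illustration.

```python
# Added example (not from the original post): decode/encode Cisco type 7 passwords
# and scan a configuration for them. SAMPLE_CONFIG is constructed.
import re

# Fixed key used by IOS for type 7 encoding.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

SAMPLE_CONFIG = """\
line vty 0 4
 password 7 110A1016141D
 login
 transport input all
username admin password 7 03374C5A120C290D
"""

# Lines that carry a type 7 value: "<something> password|key-string|key 7 <hex>".
_TYPE7_LINE = re.compile(
    r"^\s*(?P<cmd>.*?\b(?:password|key-string|key)\b.*?) 7 (?P<enc>[0-9A-Fa-f]{4,})\s*$"
)


def decode_type7(encoded):
    """Recover the plaintext of a type 7 string; raise ValueError on malformed input."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("type 7 strings are an even-length hex string of at least 4 digits")
    if not encoded[:2].isdigit():
        raise ValueError("the first two characters are a decimal seed (00-15)")
    seed = int(encoded[:2], 10)          # starting offset into the key
    body = bytes.fromhex(encoded[2:])    # one XORed byte per plaintext character
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plaintext, seed=11):
    """The inverse, to show the scheme is symmetric. IOS uses seeds 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plaintext.encode("ascii")
    enc = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


def find_type7(config_text):
    """Return [(config line, recovered plaintext)] for every type 7 value found."""
    hits = []
    for line in config_text.splitlines():
        m = _TYPE7_LINE.match(line)
        if m:
            hits.append((line.strip(), decode_type7(m.group("enc"))))
    return hits


if __name__ == "__main__":
    for line, plain in find_type7(SAMPLE_CONFIG):
        print(f"{line!r} -> {plain!r}")
```

The practical consequence: service password-encryption only hides passwords from someone glancing at the screen. Use enable secret and username ... secret, which store a real hash, and replace transport input all on the vty lines with transport input ssh so the password never travels in clear text over telnet.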

include

Includes all output lines that match the filtering expression, as shown in the example.

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   192.168.11.1    YES manual up                    up
Serial0/1/0            209.165.200.225 YES manual up                    up
Serial0/1/1            unassigned      NO  unset  down                  down
R1#
R1# show ip interface brief | include up
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   192.168.11.1    YES manual up                    up
Serial0/1/0            209.165.200.225 YES manual up                    up

exclude

Excludes all output lines that match the filtering expression, as shown in the example.

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   192.168.11.1    YES manual up                    up
Serial0/1/0            209.165.200.225 YES manual up                    up
Serial0/1/1            unassigned      NO  unset  down                  down
R1#
R1# show ip interface brief | exclude unassigned
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.10.1    YES manual up                    up
GigabitEthernet0/0/1   192.168.11.1    YES manual up                    up
Serial0/1/0            209.165.200.225 YES manual up                    up

begin

Shows all the output lines from a certain point, starting with the line that matches the filtering expression, as shown in the example.

R1# show ip route | begin Gateway
Gateway of last resort is not set
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet0/0/0
L        192.168.10.1/32 is directly connected, GigabitEthernet0/0/0
      192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.11.0/24 is directly connected, GigabitEthernet0/0/1
L        192.168.11.1/32 is directly connected, GigabitEthernet0/0/1
      209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.200.224/30 is directly connected, Serial0/1/0
L        209.165.200.225/32 is directly connected, Serial0/1/0

Command History Feature

The command history feature is useful because it temporarily stores the list of executed commands to be recalled.

To recall commands in the history buffer, press Ctrl+P or the Up Arrow key. The command output begins with the most recent command. Repeat the key sequence to recall successively older commands. To return to more recent commands in the history buffer, press Ctrl+N or the Down Arrow key. Repeat the key sequence to recall successively more recent commands.

By default, command history is enabled and the system captures the last 10 command lines in its history buffer. Use the show history privileged EXEC command to display the contents of the buffer.

It is also practical to increase the number of command lines that the history buffer records during the current terminal session only. Use the terminal history size user EXEC command to increase or decrease the size of the buffer.

An example of the terminal history size and show history commands is shown in the figure.

R1# terminal history size 200
R1# show history
  show ip int brief
  show interface g0/0/0
  show ip route
  show running-config
  show history
  terminal history size 200

Limiting and Learning MAC Addresses

Posted: 30th October 2020 by ccna7guru in ITN

To set the maximum number of MAC addresses allowed on a port, use the following command:

Switch(config-if)# switchport port-security maximum value 

The default port security maximum is 1. The maximum number of secure MAC addresses that can be configured depends on the switch and the IOS version. In this example, the maximum is 8192.

S1(config)# interface f0/1 
S1(config-if)# switchport port-security maximum ? 
  <1-8192> Maximum addresses
S1(config-if)# switchport port-security maximum 

The switch can be configured to learn MAC addresses on a secure port in three ways:

1. Manually Configured

The administrator manually configures one or more static MAC addresses, using the following command once for each MAC address on the port:

Switch(config-if)# switchport port-security mac-address mac-address

2. Dynamically Learned

When the switchport port-security command is entered, the current source MAC address of the device connected to the port is automatically secured, but it is not added to the startup configuration. If the switch is restarted, the port has to re-learn the device's MAC address.

3. Dynamically Learned – Sticky

The administrator can configure the switch to learn the MAC address automatically and "stick" it to the running configuration, using the following command:

Switch(config-if)# switchport port-security mac-address sticky 

Saving the running configuration then writes the automatically learned MAC address to NVRAM, so it survives a reload.

The following example shows a complete port security configuration on interface FastEthernet 0/1. The administrator specifies a maximum of 4 MAC addresses, configures one secure MAC address, and then configures the port to learn additional MAC addresses automatically, up to the maximum of 4. Use the show port-security interface and show port-security address commands to verify the configuration.

S1(config)# interface fa0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 4
S1(config-if)# switchport port-security mac-address aaaa.bbbb.1234
S1(config-if)# switchport port-security mac-address sticky 
S1(config-if)# end
S1# show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 4
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
S1# show port-security address
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type               Ports    Remaining Age
                                                         (mins)
----    -----------       ----               -----    -------------
   1    aaaa.bbbb.1234    SecureConfigured   Fa0/1    -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
S1#

The output of the show port-security interface command verifies that port security is enabled, that a host is connected to the port (Secure-up), that a maximum of 4 MAC addresses will be allowed, and that so far S1 holds one statically configured secure address and has not yet learned any sticky addresses (Sticky MAC Addresses : 0). The violation mode is the default, Shutdown: once four addresses are secured, a frame from a fifth source MAC puts the port into the err-disabled state.

The output of the show port-security address command lists the one configured secure MAC address; sticky addresses appear in the same table, with type SecureSticky, as they are learned.

The simplest and most effective method of preventing MAC address table overflow attacks is to enable port security.

Port security limits the number of valid MAC addresses allowed on a port. It lets an administrator configure the MAC addresses for a port manually, or lets the switch dynamically learn a limited number of MAC addresses. When a port configured with port security receives a frame, the source MAC address of the frame is compared with the list of secure source MAC addresses that were manually configured or dynamically learned on the port.

By limiting the number of MAC addresses permitted on a port to one, port security can be used to control unauthorized expansion of the network, as shown in the figure.
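The rules above (maximum count, static and sticky learning, violation handling) as a small model driven by a constructed MAC-flooding attempt. This is an added example, not code from the original post or from Cisco IOS; the attacker's source MACs (dead.beef.xxxx) and the second host aaaa.bbbb.5678 are made up, and the model reproduces the documented behaviour of the shutdown, restrict and protect violation modes only as far as the text above describes them.

```python
# Added example (not from the original post): a model of port security on one
# switch port, exercised with a constructed MAC-table-flooding attempt.


class SecurePort:
    VIOLATION_MODES = ("shutdown", "restrict", "protect")

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        if violation not in self.VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.name = name
        self.maximum = maximum          # switchport port-security maximum
        self.violation = violation      # switchport port-security violation
        self.sticky = sticky            # switchport port-security mac-address sticky
        self.secure = {}                # mac -> SecureConfigured | SecureSticky | SecureDynamic
        self.status = "Secure-up"
        self.violation_count = 0
        self.last_source = None

    def configure_mac(self, mac):
        """switchport port-security mac-address <mac>"""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("maximum secure addresses already reached")
        self.secure[mac] = "SecureConfigured"

    def receive(self, src_mac):
        """Apply the port-security rules to one frame; return what happened to it."""
        if self.status == "Secure-shutdown":
            return "dropped (err-disabled)"
        self.last_source = src_mac
        if src_mac in self.secure:
            return "forwarded"
        if len(self.secure) < self.maximum:
            # Room left: learn the address. Sticky addresses go into the running
            # config; plain dynamic ones are lost on reload.
            self.secure[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forwarded (learned)"
        # Unknown source and the port's table is full: a violation.
        if self.violation == "protect":
            return "violation: dropped silently"        # no counter, no log
        self.violation_count += 1
        if self.violation == "restrict":
            return "violation: dropped, counted and logged"
        self.status = "Secure-shutdown"                  # err-disabled until an admin clears it
        return "violation: port shut down"

    def running_config(self):
        """The interface stanza as it would be saved: configured and sticky addresses only."""
        lines = [f"interface {self.name}", " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "SecureConfigured":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "SecureSticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return "\n".join(lines)


def flood(port, count):
    """Send frames with fresh (constructed) source MACs, as a flooding tool would."""
    return [port.receive(f"dead.beef.{i:04x}") for i in range(count)]


if __name__ == "__main__":
    fa01 = SecurePort("FastEthernet0/1", maximum=4, sticky=True)
    fa01.configure_mac("aaaa.bbbb.1234")
    print(fa01.receive("aaaa.bbbb.1234"))
    print(fa01.receive("aaaa.bbbb.5678"))
    for result in flood(fa01, 5):
        print(result)
    print(fa01.status, "violations:", fa01.violation_count)
    print(fa01.running_config())
```

With the configuration from the page (maximum 4, sticky, default shutdown mode) the port accepts two flooded addresses, shuts down on the third, and every later frame is dropped; a port left at the default maximum of 1 shuts down on the first foreign address, which is the behaviour the last paragraph describes.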

Mitigating MAC Address Table Overflow Attacks