Search Results
- 1.1 Network Components | networking basics
1.1 Network Components

Routers

A router's main job is to forward traffic between networks. Routers sit at Layer 3 of the OSI model. A typical home router only sends traffic out of your home network and into the wider internet: it acts as the edge point between your local network and the wide area network. Across the internet, tens of thousands of routers each point traffic at the next network so that, ultimately, your traffic reaches its endpoint. Routers maintain routing tables which allow decisions to be made on how best to reach the destination. Let's see an example. On your device open your terminal utility (Command Prompt/PowerShell on Windows) and type the following command:

Looking at the number on the left-hand side, this denotes the hop. Each hop is a router making a routing decision, based on its routing table, about which hop to send the packet to next. On the right-hand side you can see either the IP address or the hostname of the router that the packet landed on. We can see from this output that to reach 8.8.8.8 (dns.google), 11 routers processed the packets. Hops 1 and 2 are our internal routers, hops 3 to 7 were routers within BT's infrastructure, and hops 8 to 11 were routers within Google's infrastructure.

Layer 2 and Layer 3 switches

A switch is a device that connects a large number of devices to the network within one broadcast domain. Forwarding decisions are based on the Layer 2 physical address (MAC address) seen on each port. As a frame arrives at the switch, the switch looks up the destination MAC address in the MAC address table it has populated and forwards the frame out of the correct port. If a frame with the broadcast MAC address arrives at the switch, it floods the frame out of all ports except the one it arrived on (ARP requests are an example of this). Multiple switches can be combined into one logical unit, which is commonly referred to as switch stacking.
Let's look at the typical process for frame switching. Phil's PC is plugged into port 1 on the switch, and Sally's PC is plugged into the same switch. The switch has learnt the MAC address of each device and stored it in its MAC address table, shown below:

Port Number // MAC Address
1 // 53-55-8D-D2-2B-B1
2 // 06-79-54-F9-84-AA
3 // A7-FE-F7-CE-33-06
4 // A1-15-A6-54-CC-CB
5 // 20-EC-1A-0B-68-22

Phil's PC wants to send some data to Sally's PC, and sends a frame into the network via the switch. The frame carries a destination MAC address because Phil's PC has already learnt Sally's PC's MAC address via ARP. The destination MAC address is A1-15-A6-54-CC-CB; which port do you think the switch will forward the frame out of? (Port 4, the port against which that address was learnt, and only that port.)

While Layer 2 switches make forwarding decisions based on the destination MAC address in the frame header, Layer 3 switches can also make routing decisions based on the destination IP address in the packet header (just like a router). You may also come across the term "unmanaged switch". This is a device that operates only at Layer 2 and doesn't allow any configuration such as VLANs.

Next-generation firewalls and IPS

A firewall is a device that allows or denies traffic depending on a set of rules. These rules are written by the network administrator, and the firewall is usually placed at the edge of a network to reduce the attack surface. If traffic does not match any rule, it is dropped by the implicit deny rule. Below we compare the key differences between a stateful and a next-generation firewall. A next-generation firewall (NGFW) is a network security appliance that goes beyond the traditional capability of a stateful firewall.
While a stateful firewall passes or denies traffic based on port numbers, source and destination IPs and the transport protocol (TCP, UDP, ICMP), tracking the state of each connection so that return traffic is allowed automatically, an NGFW lets the administrator detect and apply rules against the modern threat landscape. NGFWs inspect the upper layers of the OSI model to detect malware and application-level attacks. NGFWs are typically capable of:

Stateful traffic inspection (protocols, ports and source/destination IPs)
URL filtering and denying blacklisted URLs
Deep packet inspection for malicious content (intrusion prevention)
Application-layer identification and inspection
SSL and SSH inspection by decrypting traffic
Blocking IP addresses by geographical region
And much more...

An IPS (Intrusion Prevention System) can either be standalone or part of an NGFW/UTM (Unified Threat Management) appliance. An IPS performs deep packet inspection on every packet that traverses the appliance. It sits in-line with the network traffic, and is referred to as an inline sensor. As traffic passes the sensor, it is analysed based on:

Signature - identifying a pattern within one or more packets; the most common method
Anomaly - malicious network activity often looks different from legitimate streams of traffic
Reputation - using global data and blacklists to filter and prevent malicious IPs, DNS responses etc
Policy - an administrator-created ruleset to filter and process traffic flows

If one of the above checks matches (a true positive), one of the following actions is performed:

Deny the connection or packet
Reset the TCP connection (a reset packet is sent to the source)
Alert
Log victim or attacker traffic based on the IP addresses in the packet header
Log the traffic

It's important to note that while an IPS actively analyses traffic and attempts to prevent attacks, an IDS (Intrusion Detection System) sits off-path (typically fed by a mirrored port) and only logs and alerts for later review.
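The two stages described above, first-match rule evaluation with an implicit deny, followed by inline signature inspection of whatever the firewall permits, as an added example (not code from the original page or from any firewall product). The rule set, the packets and the two signatures are constructed for the example; real stateful firewalls also keep a connection table, which is left out here so that the implicit-deny behaviour is the focus.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a 5-tuple rule looks at, plus the payload for the IPS stage."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port; None for icmp
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def firewall_decision(rules, pkt):
    """First matching rule wins. If nothing matches, the implicit deny applies,
    so a rule set never needs (but may still state) a final 'deny any'."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Constructed IPS signatures: (name, byte pattern, action on match).
SIGNATURES = [
    ("http-path-traversal", b"../../", "deny"),
    ("http-shell-command", b";cat /etc/passwd", "reset"),
]


def ips_inspect(pkt):
    """Signature-based deep packet inspection of the payload."""
    for name, pattern, action in SIGNATURES:
        if pattern in pkt.payload:
            return action, name
    return "pass", None


def process(rules, pkt):
    """Edge pipeline: the firewall decides first; only permitted traffic
    reaches the inline IPS, which can still deny or reset it."""
    action, index = firewall_decision(rules, pkt)
    if action != "permit":
        return {"stage": "firewall", "action": "deny", "rule": index}
    verdict, signature = ips_inspect(pkt)
    if verdict != "pass":
        return {"stage": "ips", "action": verdict, "signature": signature}
    return {"stage": "ips", "action": "permit", "rule": index}


# Constructed edge rule set protecting a web server at 203.0.113.10.
EDGE_RULES = [
    Rule("permit", "tcp", dst="203.0.113.10/32", dport=443),
    Rule("permit", "tcp", dst="203.0.113.10/32", dport=80),
    Rule("permit", "icmp", src="192.0.2.0/24", dst="203.0.113.0/24"),
    # No explicit catch-all: everything else hits the implicit deny.
]
```

Note that SSH to the web server is dropped without any rule mentioning port 22, and that a request which the firewall cannot fault (port 80 to the permitted host) is still stopped by the IPS because of its payload; that division of labour is the whole point of putting an NGFW or IPS behind, or inside, the stateful filter.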
Access points

An access point (AP) is, in the simplest terms, a device that allows wireless end-user devices to connect to the network. It is sometimes referred to as a WAP (Wireless Access Point). The diagram below shows a very basic topology of how wireless devices connect to the internet. It's important to secure the access point by using the latest security mode (currently WPA3, which uses AES) together with a strong passphrase, to minimise the chance of a bad actor gaining access to your network wirelessly. WPA3-Personal's SAE handshake also resists offline password guessing, which WPA2-PSK does not.

Controllers (Cisco DNA Centre and WLC)

Cisco DNA Centre is a single-pane-of-glass solution that lets network administrators manage the network from one platform. It allows administrators to automate tasks relating to network management and security, and provides the capability to analyse the network from a simple dashboard, allowing for quicker remediation of issues. A WLC (Wireless LAN Controller) allows management of APs from a single point. When APs are used in a unified environment with a WLC, they are referred to as LAPs (Lightweight Access Points), as the heavy lifting is done by the WLC. In a large office there may be hundreds of LAPs, and managing each individually would be a massive manual task. The WLC allows a LAP to connect to the network and pull down its configuration automatically. Authentication of client devices is handled by the WLC in a unified deployment.

Endpoints

Endpoints are commonly referred to as end-user (EU) devices. These are the devices we use every day to do our jobs or enjoy media such as video/music streaming. Typical EU examples are:

Phones
Laptops
Tablets
Workstations
IoT

Servers

Servers are also technically endpoints, however their primary purpose is to serve information to EU devices on request. For example, on a file server, the user may request a document that is stored on a storage array within a data centre.
The file server allows the EU device to pull the document and its content down across the network. Common servers are:

Print server
File server
Web server
Application server
Database server
Domain controller
And many more...

PoE

PoE stands for Power over Ethernet. It allows low-power devices such as IP phones, CCTV cameras or APs to draw power directly over the Ethernet cable. On 10/100 Mbps links only two of the four copper pairs carry data, so power can be delivered over the two spare pairs; it can equally be delivered as a common-mode voltage on the data pairs themselves, which is the method used on Gigabit links where all four pairs carry data. A PoE switch (or a PoE injector) is required to power the device at the other end of the cable.
- 1.2 Describe characteristics of network | networking basics
1.2 Describe characteristics of network topology architectures

What is a network topology?

A network topology is simply how a network is designed. Different use cases and different organisations require a topology that provides the best resilience and availability, performance and security. The topology consists of nodes (such as routers, switches and firewalls) that facilitate the transmission of traffic across the chosen media. There are two classes of topology, physical and logical. The physical topology is how the nodes are linked together using cabling, radio or optical transmission media, whereas the logical topology is how data is forwarded across the network. We will explore some of the most common network topologies found in the real world below.

Network Topologies (Basic Overview)

The diagrams below show some of the most common high-level logical topologies you may come across. Please note, however, that some designs are now very rarely found except in old infrastructure. Quick explanations of each follow.

3-tier

The three-tier topology consists of three layers: the core layer, the distribution layer and the access layer. See below:

Now that we have an idea of what each layer is responsible for, let's look at an example 3-tier network design for two office buildings within the same business. Different departments are on different subnets, so how can we design a network that allows EU devices to reach not only users on different subnets, but also users at the other site? Note that the core layer provides connectivity to the wider internet and to any servers that the business may use in a datacentre.
Some of the benefits of a 3-tier topology:

Scalable, allowing sites to be added and removed as required
Top-down management of the network, with access- and distribution-layer nodes managed from the core
Resilient connectivity

Some of the downsides of a 3-tier topology:

Larger node footprint, meaning more devices to manage if not using a centralised management platform
Not as cost-efficient, due to the number of links required for a fully resilient network

2-tier

A 2-tier network takes a similar approach to the multi-layer design of a 3-tier network, but combines the core and distribution layers into a single layer, called the collapsed core. The key reason for using a 2-tier design is that the network or organisation is less complex, and it increases cost efficiency. If the organisation does not have a large number of sites, or has just one location, a separate core layer becomes an unnecessary expense. Below is a typical 2-tier design.

Some of the benefits of a 2-tier topology:

Much cheaper, as fewer nodes are required
Simpler, less complex design
Resilient connectivity

Some of the downsides of a 2-tier topology:

Not as scalable as a 3-tier design; if another location is added there is a larger administrative overhead

WAN

A WAN (Wide Area Network) can describe the internet, or the network between an organisation's sites. A WAN allows geographically separated LANs to be connected together. A number of protocols allow transmission across the wide area network, and service providers typically use protocols like PPP (Point-to-Point Protocol) to connect customers to the provider network.
The simplified diagram below shows how the edge between a LAN and a WAN is defined. On the WAN side of the routers, the interfaces typically have a publicly routed IP address, allowing connectivity to the wider internet. On the LAN side you will usually see a private addressing scheme for devices connecting to the network.

Leased Line

For customers who require dedicated, unshared physical circuits to one or more sites, the service provider rents out these circuits (usually fibre optic) and can offer a guaranteed speed with symmetric download/upload bandwidth. When serial/copper media are used, leased lines encapsulate traffic in HDLC (High-Level Data Link Control) or PPP (Point-to-Point Protocol) to keep each customer's traffic separate on the provider network. Serial leased lines are being replaced by fibre optics using Ethernet WAN technologies such as Metro Ethernet.

Hub and Spoke

A hub and spoke topology is similar to a star topology, where sites use leased lines to connect back to a central point. In most hub and spoke networks, an ISP is used to connect the hub and the spokes. Typically hub and spoke networks allow internet-bound traffic straight out to the internet from the spoke routers, while any internal traffic transits an IPsec VPN between the hub and the other spokes. Example below:

Redundancy

There are a number of ways to ensure high uptime for an organisation, and we can increase the reliability of the network by using more than one ISP or circuit. Of course, the more redundancy in place, the higher the cost and administration required.

Spine-leaf

This topology is found most commonly in datacentres. Because highly scalable and resilient connectivity is required, ensuring that each server has multiple paths (and easy access) to the network is key. For the purpose of this explanation we will focus on a datacentre implementation of the spine-leaf design. Let's start with a diagram.
Working from top to bottom, the red bar is the spine layer. This comprises a number of multi-layer switches which route traffic between the ToR (Top of Rack) switches and the wider network. The ToR switches themselves are typically Layer 2 only, however in more complex environments routed point-to-point links are used between the spine and leaf layers. The racks contain a number of physical servers; in this case there are no virtual machines. The servers normally have redundant connections to the ToR switch. Let's say that SERVER 5 in RACK 4 wants to send traffic to SERVER 3 in RACK 1:

Traffic egresses out of one of the two network ports on the physical host SERVER 5 (RACK 4)
Traffic reaches ToR S4 and is forwarded to a spine-layer switch
The spine-layer switch forwards the frame to ToR S1
SERVER 3 (RACK 1) receives and de-encapsulates the traffic

There are protocols that allow servers to sit on the same subnet across different racks. An example is VXLAN (Virtual eXtensible Local Area Network), which stretches Layer 2 across the routed links of the spine layer. VXLAN tunnels are established between ToR switches, with each end of the tunnel called a VTEP (VXLAN Tunnel EndPoint). The VLAN ID of the port is mapped to a VNI (VXLAN Network Identifier). Broadcast frames such as ARP requests are forwarded across the tunnel to the other VTEPs, which allows the source device to learn the MAC address of the destination. The VXLAN header carries the VNI so that the receiving VTEP knows which segment the frame belongs to.

Small office/home office (SOHO)

Small offices or home environments typically need a much simpler network design than an enterprise network. Usually, multiple networking roles are bundled into one appliance, which provides DHCP, routing, LAN switching and wireless access for all devices to reach the internet and local resources.
Below is a diagram depicting a very simple network, with 5 devices connected to the router using both wired Ethernet and wireless. These routers are plug and play and require little setup from the user. Of course, depending on the business requirements, additional devices may be needed such as wireless access points, switches, dual-router solutions etc.

On-premise and cloud

Firstly, let's explain what we mean by on-premise and cloud. On-premise is infrastructure hosted privately by the organisation, such as file stores or DNS servers. Cloud, on the other hand, denotes "as-a-service" hosting. For example, using DNS in the cloud as a service means less management and operational overhead for the organisation. Datacentres typically follow the spine and leaf design, using ToR switches within each rack to provide resilient and scalable connectivity. Please see the spine-leaf architecture diagram for a view of how datacentres are connected. EoR (End of Row) switches may be used in place of ToR switches, so that servers connect to switchports at the end of a row of racks.

There are different levels of as-a-service cloud products, for example:

IaaS: Infrastructure as a Service
PaaS: Platform as a Service
SaaS: Software as a Service

There are some further cloud models you need to be aware of:

Hybrid - a mix of on-premise infrastructure and cloud
Private cloud - an organisation rents space from a hosting provider that no other customer can access (typically at the physical level)
Public cloud - offerings from Microsoft Azure, AWS and Google Cloud provide access to shared infrastructure.
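The VXLAN encapsulation described in the spine-leaf section above, as an added example that is not part of the original page or of any vendor's implementation. It builds and parses the 8-byte VXLAN header defined in RFC 7348 and models two ToR switches acting as VTEPs (the VLAN-to-VNI mapping, VTEP addresses and the inner ARP frame are constructed for the example). The security check a practitioner would want is included: the VNI in the header is not authenticated, so a VTEP should only accept tunnel traffic from VTEPs it knows.

```python
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08  # "VNI present" flag; the other flag bits are reserved (zero)


def vxlan_encap(inner_frame: bytes, vni: int) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI is a 24-bit value")
    header = struct.pack("!B3x", VXLAN_FLAG_I) + vni.to_bytes(3, "big") + b"\x00"
    return header + inner_frame


def vxlan_decap(payload: bytes) -> tuple:
    """Return (vni, inner frame) or raise on a malformed header."""
    if len(payload) < 8 + 14:
        raise ValueError("too short to hold a VXLAN header and an Ethernet header")
    if not payload[0] & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no VNI present")
    vni = int.from_bytes(payload[4:7], "big")
    return vni, payload[8:]


class VTEP:
    """One ToR switch acting as a VXLAN tunnel endpoint."""

    def __init__(self, vlan_to_vni: dict, trusted_peers: set):
        self.vlan_to_vni = dict(vlan_to_vni)
        self.vni_to_vlan = {vni: vlan for vlan, vni in vlan_to_vni.items()}
        self.trusted_peers = set(trusted_peers)  # remote VTEP IPs we accept tunnels from

    def send(self, vlan: int, inner_frame: bytes, remote_vtep_ip: str) -> dict:
        """Map the access VLAN to its VNI and build the outer UDP datagram."""
        vni = self.vlan_to_vni[vlan]
        return {"dst_ip": remote_vtep_ip, "udp_dport": VXLAN_UDP_PORT,
                "payload": vxlan_encap(inner_frame, vni)}

    def receive(self, src_ip: str, udp_dport: int, payload: bytes):
        """Return (vlan, inner frame), or None if the datagram is rejected.
        Nothing in the header proves who sent it, so anyone able to reach
        UDP 4789 on the VTEP could otherwise inject frames into any VNI."""
        if udp_dport != VXLAN_UDP_PORT or src_ip not in self.trusted_peers:
            return None
        vni, inner = vxlan_decap(payload)
        if vni not in self.vni_to_vlan:
            return None
        return self.vni_to_vlan[vni], inner
```

In a real fabric the peer list comes from the control plane (static flood lists or EVPN) and the underlay should additionally filter UDP 4789 so that only VTEP loopbacks can reach each other; the example keeps that as a simple set so the check is visible.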
- 1.3 Compare physical cable types | networking basics
1.3 Compare physical interface and cabling types

In this section we will explore the physical media (interfaces and cabling) used in networking, the purpose behind them and the key specifics. There are two key methods of transmitting data across a link: light or electricity (wireless transmission will be discussed in further articles). You will commonly see the term Ethernet when looking at Layer 1 equipment (cabling or interfaces). Ethernet, in its simplest definition, is a family of technologies and protocols that standardise how frames are forwarded through a network, defined in the IEEE 802.3 standards.

Physical Interfaces

The interface is the physical socket used to connect network appliances to one another. The following table outlines the interface types found on most Cisco appliances:

Fibre Optics

Fibre optic cables use an extremely thin glass or plastic core (as thin as, or thinner than, a human hair) to transmit a beam of light between two nodes. These nodes must have optical transmission capability, or a transceiver such as an SFP (Small Form-factor Pluggable) to convert the light signals to electrical signals. There are multiple ways of transmitting data using light, which we explore in the next section.

Single-mode Fibre

A single-mode fibre optic cable allows a single path (mode) of light to propagate along the core. These cables have very small cores, which reduces the degradation of the signal over longer distances, with 1 Gbps transmission seen up to 40 miles between nodes.

Multi-mode Fibre

Multi-mode fibre cables are similar in design to single-mode with one key difference: the core is much larger. With this larger core it is possible to send light at different angles, where it reflects off the cladding surrounding the core. Because the different paths arrive at slightly different times (modal dispersion), multi-mode cables cannot carry signals over the distances seen with single-mode.
Multi-mode fibre has more attenuation and dispersion than single-mode, so the distances covered are greatly reduced; some energy is lost each time the light reflects off the core/cladding boundary, and the many paths spread each pulse out.

Key Differences

Below are some of the key differences between single-mode and multi-mode cable types.

SFPs

An SFP (Small Form-factor Pluggable) slot is found on the vast majority of enterprise/business-grade networking appliances. It provides a hot-pluggable slot into which a number of different fibre-optic (or copper) transceivers can be fitted. SFPs provide flexibility in the hardware layer of the network topology, removing the constraint of being bound to one type of physical media. To the right is an example of a typical duplex LC SFP.

Copper

Typically, most Ethernet networks use twisted-pair wiring with RJ45 connectors at each end. Within a twisted-pair cable there are 8 wires, making 4 twisted pairs. The wires are twisted together to minimise the effects of electromagnetic interference and noise, so that bits are transmitted reliably across the wire. The cables are grouped into categories as improvements have been made and features added.

STP (Shielded Twisted Pair)

These cables are best used over longer distances or where there may be increased electromagnetic interference from lighting or electrical wiring. Each pair of wires is wrapped in aluminium foil, providing additional protection over UTP. STP cabling carries a higher cost due to the additional materials and manufacturing processes.

UTP (Unshielded Twisted Pair)

This is the most common twisted pair found in most networks due to its low cost. Like STP, there are 4 twisted pairs made up of 8 individual wires.

RJ45

At each end of the copper cable, an RJ45 (Registered Jack 45) connector is used to terminate it to the network or end-user appliance.
The RJ45 plug has 8 pins and a locking tab to minimise network issues due to accidental removal. There are two standards for the order in which the wires are terminated to the pins (T568A and T568B, explored below). You may hear the term patch lead/cable, which is the popular term for a copper Ethernet cable with an RJ45 plug at each end.

T568A / T568B Pin Layouts

Looking at the image below, you can see that pins 1, 2, 3 and 6 differ between the T568A and T568B layouts (the green and orange pairs swap places). On 10BASE-T and 100BASE-TX these four pins carry the data: pins 1 and 2 transmit, pins 3 and 6 receive. Pins 4, 5, 7 and 8 carry no data at those speeds, so PoE can use them to deliver power to low-power devices such as desk phones over the same cable (PoE can also be carried on the data pairs). Note that 1000BASE-T (Gigabit) uses all four pairs for data.

Crossover Cable

The transmit and receive pins on a network interface can differ between network appliances and EU devices. Because of this, depending on the requirement, either a straight-through or a crossover cable is needed. A straight-through cable has the same T568 termination at each end, whereas a crossover cable has T568A at one end and T568B at the other. A crossover cable is only required where the two interfaces being connected use the same pins for transmit (and receive), for example switch to switch or PC to PC. Most modern interfaces support auto MDI-X and will swap their pins automatically, so a crossover cable is rarely needed in practice. Below are some examples of where a crossover cable is required:

Straight-Through Cable

A straight-through cable, on the other hand, does not need the pins to differ at each end of the cable. This is because the network devices themselves use different pins for transmit and receive. For example, a switchport has the opposite internal pin layout to an end-user device such as a laptop or wireless access point.

1.3.b Connections (Ethernet shared media and point-to-point)

Ethernet Shared Media

Prior to point-to-point networks with Layer 2 switches, most networks used a shared-media topology such as a bus network or a hub to transmit data.
Because of the nature of shared media, collisions were highly likely on either a hub or bus network. For this reason, half-duplex is used alongside CSMA/CD (Carrier Sense Multiple Access with Collision Detection).

Hubs - hubs operate at half-duplex and traffic is repeated out of ALL ports, meaning that all devices connected to a hub are in the same collision domain (and every host can capture every other host's traffic). The more devices connected to the same hub, the greater the degradation of network performance. Should two devices attempt to transmit at the same time, a collision occurs and the data is discarded. CSMA/CD detects this and provides the workflow to back off and re-transmit the data.

Bus Topology - EU devices connected to a single bus cable share the transmission medium with the other devices. As with a hub, this introduces the collision problem, as there is only a single collision domain.

Point-to-Point Network

Modern networks have done away with Ethernet shared media, and with most of the issues present in older networks. With the introduction of switches (L2 and L3), each port is its own collision domain. This allows devices to transmit and receive at full-duplex, which has improved network stability and performance massively. Collisions in a modern switched Ethernet network are virtually impossible if everything is configured correctly; when they do occur, a duplex mismatch between a port and its neighbour is the usual cause.
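The re-transmission workflow that CSMA/CD provides after a collision is truncated binary exponential backoff. The following is an added illustration, not code from the page: after the n-th consecutive collision a station waits a random number of slot times drawn from 0 to 2^min(n,10) - 1, and gives up after 16 attempts. The 10 Mbps slot time, the seeded random source and the collision oracle are constructed so that the run is repeatable.

```python
import random

SLOT_TIME_US = 51.2   # 10 Mbps Ethernet slot time: 512 bit times
MAX_ATTEMPTS = 16     # the frame is discarded after the 16th consecutive collision
MAX_EXPONENT = 10     # the backoff window stops doubling after the 10th collision


def make_rng(seed: int) -> random.Random:
    """Seeded generator so a simulation run is reproducible."""
    return random.Random(seed)


def backoff_slots(collisions: int, rng: random.Random) -> int:
    """After the n-th collision wait r slot times, r uniform in 0 .. 2**min(n, 10) - 1."""
    if collisions < 1:
        raise ValueError("backoff only applies after a collision")
    k = min(collisions, MAX_EXPONENT)
    return rng.randrange(2 ** k)


def transmit(collides_on, rng: random.Random) -> dict:
    """Simulate one station sending one frame on shared media.
    collides_on(n) is a constructed oracle: True if attempt n hits a collision."""
    waited_slots = 0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        if not collides_on(attempt):
            return {"sent": True, "attempts": attempt,
                    "waited_slots": waited_slots,
                    "waited_us": waited_slots * SLOT_TIME_US}
        if attempt == MAX_ATTEMPTS:
            break  # 16 collisions in a row: report an excessive-collision error
        waited_slots += backoff_slots(attempt, rng)
    return {"sent": False, "attempts": MAX_ATTEMPTS,
            "waited_slots": waited_slots,
            "waited_us": waited_slots * SLOT_TIME_US}
```

The growing window is what lets many stations on one collision domain eventually find free slots; it is also why a busy hub degrades so badly, since every extra station raises the chance that each attempt collides again.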
- 1.13 Describe switching concepts | networking basics
1.13 Describe switching concepts

MAC Addresses and Ethernet Frames

MAC Address

So far we have covered IP addressing, which is a Layer 3 protocol that allows transmission of data between networks. Devices linked together using, say, a Cat5e cable use Ethernet protocols to transmit data between them. In most modern Ethernet LANs, Layer 2 traffic is handled by a switch, and frames are forwarded to the relevant device using the MAC addresses learnt during frame switching. Remember that at Layer 2 (where switching occurs) the PDU (Protocol Data Unit) is referred to as a frame. For traffic to be forwarded to the correct device, the sender needs to know the destination MAC (Media Access Control) address of the recipient device. The MAC address is a 48-bit address, intended to be globally unique, written as 12 hexadecimal digits. Note the hexadecimal conversion below:

Every device that accesses the network has a MAC address assigned by the manufacturer, sometimes referred to as the physical address or BIA (burnt-in address). The MAC address is split into two parts: the OUI (Organisationally Unique Identifier), the first 24 bits, identifies the manufacturer (e.g. Cisco or Dell), and the final 24 bits are the unique device identifier. MAC addresses are assigned to the network interface at the point of manufacture, however it is possible (on most devices) to change, or spoof, the MAC address so that it differs from the original. A switch cannot tell a spoofed address from a genuine one, which is why MAC-based access controls are weak on their own. The 7th bit of the first octet (the bit with value 0x02) is the U/L (Universal/Local) bit. When it is 0, the address is a UAA (Universally Administered Address), meaning it was assigned by the manufacturer. When it is 1, the address is an LAA (Locally Administered Address), meaning it was set locally, for example by an engineer or by a device randomising its MAC for privacy.
MAC addresses are written differently on different platforms:

Windows: 8E-8D-28-35-FE-67 (note that 8E has the U/L bit set, so this is a locally administered address)
Cisco: 0032.6612.fefe
Linux: 08:00:27:d9:0d:5b

To complement broadcasting in IPv4, Layer 2 has a broadcast MAC address of ff:ff:ff:ff:ff:ff. Any frame with a destination MAC of ff:ff:ff:ff:ff:ff is processed by every receiving device. For example, in ARP (Address Resolution Protocol) the sender knows the IP address but not the Layer 2 MAC address needed for link-layer communication. In this case the broadcast MAC is used as the destination, and the device with the corresponding IP address sends an ARP reply back.

Ethernet (Layer 2) Frames

For data to be forwarded across a network it needs to be encapsulated. As we've already covered, at Layer 4 the data is encapsulated into a segment with a TCP/UDP header. The segment is then encapsulated into a packet with an IP header at Layer 3. Then, at Layer 2, the packet is encapsulated into a frame with a frame header and trailer. See below:

Preamble - 7 octets of "10101010" to allow bit-level synchronisation
SFD - Start Frame Delimiter, marks the start of the frame; 1 octet of "10101011"
Destination MAC - Layer 2 address of the recipient
Source MAC - the sender's own physical address
EtherType/Length - identifies the upper-layer protocol (values of 0x0600 and above), or gives the size of the payload (values of 1500 or less)
Payload - all of the data encapsulated within the frame (including the L3 and L4 headers), padded to a minimum of 46 bytes
FCS - Frame Check Sequence, a CRC (Cyclic Redundancy Check) used to detect corruption in the frame
Interpacket Gap - after the frame has been transmitted, a minimum of 12 octets of idle line time pass before the next frame is sent

MAC Address Table

Layer 2 devices such as switches keep track of MAC addresses in a table. The table includes the MAC address itself, how it was learnt, and the switch port through which it is reachable.
See the example below:

nbswitch1#sh mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0090.0cd4.e1d4    DYNAMIC     Fa0/24
   1    00d0.973b.ae01    DYNAMIC     Fa0/1
   1    00d0.ff00.003a    DYNAMIC     Fa0/23

All Layer 2 switches maintain a MAC address table to ensure efficient transmission of frames across the local network.

MAC learning and aging

MAC Address Learning

For a switch to maintain its MAC address table it needs not only to build it but also to clear it down, to reduce the number of stale records. So how does a switch learn the MAC addresses of devices on the network? It uses the source MAC address of each incoming frame, as below:

PC1 has just joined the network and been plugged into interface Fa0/24 on SW1. The user on PC1 is attempting to ping PC3. PC1 already has PC3 in its ARP cache, so it can populate the destination MAC address of PC3; however, SW1 does not yet have PC1's MAC address in its MAC address table. PC1 generates a packet, which is encapsulated into a frame and forwarded to SW1. When the frame arrives, SW1 notes that the MAC address in the source field of the frame header is not in its table and adds it, mapped to Fa0/24, as below. The frame is then forwarded out of interface Fa0/1, as the destination MAC address is listed in the table. Notice that SW2 also records the source MAC address from the frame in its own MAC address table. The frame then arrives at PC3 for de-encapsulation and processing. When PC3 responds to PC1, both switches already have PC1's MAC address in their tables.

The diagrams above show how a switch dynamically learns MAC addresses by passively inspecting and storing the source MAC address of each frame. It is also possible to statically map MAC addresses to an interface.
MAC Address Aging

As devices on a network change regularly, switches need to keep their Layer 2 addressing information up to date. By default, Cisco switches remove a MAC address entry from the table if that MAC address has shown no activity for 5 minutes (300 seconds).

Frame switching (Known Unicast)

When the destination MAC address is known to the switch and listed in the MAC address table, the frame is forwarded directly out of the mapped port. For example, say a frame with a destination MAC address of 00:d0:97:3b:ae:01 arrives at nbswitch1. Looking at the MAC address table for nbswitch1 below, the frame will be forwarded out of Fa0/1.

nbswitch1#sh mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0090.0cd4.e1d4    DYNAMIC     Fa0/24
   1    00d0.973b.ae01    DYNAMIC     Fa0/1
   1    00d0.ff00.003a    DYNAMIC     Fa0/23

This type of forwarding is only done for known unicast frames (the switch knows where the destination device is).

Frame flooding (Broadcast/Unknown Unicast)

Frame flooding occurs when an unknown unicast frame (the destination MAC address is not in the switch's MAC address table) or a broadcast frame arrives at the switch. Flooding means sending the frame out of all switchports except the port on which the frame arrived.

Broadcast MAC

If the switch receives a frame with destination MAC address ff:ff:ff:ff:ff:ff, it floods the frame out of all ports except the port the frame arrived on. See the diagram below. In this example, PC1 sends an ARP request into the network. The ARP frame uses the Layer 2 destination MAC address ff:ff:ff:ff:ff:ff, as PC1 is attempting to learn the MAC address of another device on the network. Highlighted in green, PC1 forwards the frame into SW1. SW1 then floods the frame out of all of its ports, and SW2 does the same when it receives the frame. Note that the frame isn't flooded back to PC1.
Once the PC with the matching IP address processes the packet, it responds with a unicast frame back to PC1.

Unknown Unicast
Like with broadcast frames, the switch floods unknown unicast frames out of all ports (except the port where the frame was input). A frame is an unknown unicast frame if the switch does not have the destination MAC address listed within its MAC address table. See below diagram.

This example shows PC1 attempting to ping PC2. SW1 does not have the MAC address for PC2 listed in its MAC address table, so it will forward the frame out of all ports except the port the frame was input on.
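The learning, known-unicast, flooding and ageing rules above can be replayed in a toy switch model. This is an added example, not code from the original article; switch names, port names and MAC addresses are constructed, and the 300 second ageing timer is the 5 minute Cisco default quoted in the text.

```python
"""Toy layer 2 switch model (added example, not from the original page).

Replays the behaviour described above: learn the source MAC of each
incoming frame, forward known unicast out of one port, flood broadcast
and unknown unicast out of every port except the ingress port, and age
idle entries out after 300 seconds. Names and MACs are constructed."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEFAULT_AGING_SECS = 300  # 5 minutes, the Cisco default quoted in the text


@dataclass
class Frame:
    src: str
    dst: str


class Switch:
    def __init__(self, name, ports, aging_secs=DEFAULT_AGING_SECS):
        self.name = name
        self.ports = list(ports)
        self.aging_secs = aging_secs
        self.mac_table = {}  # mac -> (port, last_seen_time)

    def age_out(self, now):
        """Drop entries idle for aging_secs or longer; return what was dropped."""
        stale = [m for m, (_, seen) in self.mac_table.items()
                 if now - seen >= self.aging_secs]
        for m in stale:
            del self.mac_table[m]
        return stale

    def receive(self, frame, in_port, now):
        """Process one frame arriving on in_port; return the egress port list."""
        if in_port not in self.ports:
            raise ValueError(f"{self.name}: unknown port {in_port}")
        self.age_out(now)
        # MAC learning: record (or refresh) the source address against the
        # port it arrived on, exactly as SW1 learns PC1 in the walk-through.
        self.mac_table[frame.src.lower()] = (in_port, now)
        dst = frame.dst.lower()
        if dst == BROADCAST or dst not in self.mac_table:
            # Broadcast or unknown unicast: flood, never back out the ingress port.
            return [p for p in self.ports if p != in_port]
        port, _ = self.mac_table[dst]
        # Known unicast: a single port. If the destination is on the ingress
        # port there is nothing to forward (the switch filters the frame).
        return [] if port == in_port else [port]

    def show_mac_table(self):
        """Rough equivalent of 'show mac-address-table' for the toy switch."""
        lines = ["Vlan    Mac Address          Type      Ports"]
        for mac, (port, _) in sorted(self.mac_table.items(), key=lambda kv: kv[1][0]):
            lines.append(f"   1    {mac}    DYNAMIC   {port}")
        return "\n".join(lines)


def demo():
    """Replays the PC1 -> PC3 ping, an ARP broadcast, and ageing."""
    sw1 = Switch("SW1", ["Fa0/1", "Fa0/23", "Fa0/24"])   # Fa0/1 links to SW2
    sw2 = Switch("SW2", ["Fa0/1", "Fa0/2"])              # Fa0/1 links to SW1
    pc1, pc3 = "00:90:0c:d4:e1:d4", "00:d0:97:3b:ae:01"  # constructed MACs
    # t=0: PC3 has sent traffic before, so both switches already list it.
    sw2.receive(Frame(src=pc3, dst=BROADCAST), "Fa0/2", now=0)
    sw1.receive(Frame(src=pc3, dst=BROADCAST), "Fa0/1", now=0)
    # t=10: PC1 (new on Fa0/24) pings PC3. Both switches learn PC1 and
    # forward the frame as a known unicast out of a single port.
    sw1_out = sw1.receive(Frame(src=pc1, dst=pc3), "Fa0/24", now=10)
    sw2_out = sw2.receive(Frame(src=pc1, dst=pc3), "Fa0/1", now=10)
    # t=20: PC1 sends an ARP request; flooded everywhere except Fa0/24.
    flooded = sw1.receive(Frame(src=pc1, dst=BROADCAST), "Fa0/24", now=20)
    # t=320: PC3 has been silent for over 5 minutes on SW1, so its entry
    # has aged out and the same ping is now an unknown unicast (flooded).
    after_aging = sw1.receive(Frame(src=pc1, dst=pc3), "Fa0/24", now=320)
    return {
        "sw1_known_unicast": sw1_out,                    # ['Fa0/1']
        "sw2_known_unicast": sw2_out,                    # ['Fa0/2']
        "sw2_learned_pc1_on": sw2.mac_table[pc1][0],     # 'Fa0/1'
        "sw1_broadcast": flooded,                        # ['Fa0/1', 'Fa0/23']
        "sw1_after_aging": after_aging,                  # ['Fa0/1', 'Fa0/23']
        "sw1_table_after_aging": sorted(sw1.mac_table),  # only PC1 remains
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```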
- 1.12 Explain virtualization fundamentals | networking basics
1.12 Explain virtualization fundamentals

Virtual Machines
To increase capacity and reduce expensive hardware costs we can run multiple virtual servers/PCs on top of a single device. Virtual machines share the network, CPU, storage and RAM of the underlying hardware, known as the host. Note that VMs are typically called guests, and the physical hardware they run on is called the host. In order for virtual machines to work, the host needs to be running hypervisor software (otherwise known as a VMM, Virtual Machine Monitor). There are two types of hypervisors, see below:

Type-1 (Bare-metal)
This type of hypervisor sits directly on the host's hardware, allowing virtual machines (VMs) to be run directly on top. Looking at the below image there are 3 virtual machines running on 1 physical host. The host itself does not have an operating system but uses the hypervisor for the VMs to run and for management. A popular hypervisor is ESXi from VMware. This type of hypervisor is commonly found in datacentres.

Type-2 (Hosted Hypervisor)
A type-2 hypervisor runs on the operating system of the physical host, for example Oracle VirtualBox or VMware Player. A type-2 hypervisor is commonly found in personal-use situations only.

Containers
Containers are essentially software packages that contain all of the application software code, required libraries and other dependencies for the code to run. Containers are lightweight and are run on a container engine such as Docker. Because there can be hundreds or thousands of containers, automation is required to manage the containerised estate. This can be done using a container orchestrator.
Containers have a number of advantages over VMs:
- Containers boot up in milliseconds as opposed to minutes for VMs
- VMs use more storage due to having a full OS; containers are typically in the megabytes
- Containers use less hardware resource compared to VMs as they aren't each running their own OS
- VMs are portable between the same hypervisor; however, containers are even more portable and can run on nearly any container service

One disadvantage of containers compared to VMs is that should the underlying OS which is hosting the containerised instances crash, then all of the apps running within the containers are affected.

VRFs
VRF stands for Virtual Routing and Forwarding, and it is essentially a way of applying virtualisation to a router. With VRFs, routers can have a number of different routing tables, one for each individual instance. VRFs are most commonly found within Internet Service Providers, where a number of customers will connect to a router within the ISP's infrastructure. Using VRFs allows customer network traffic to be segregated. VRFs also allow the same router to use the same IP address within different VRFs; as they are segregated, duplicate IP addressing is not a concern between VRFs. The CCNA doesn't require a full understanding of how VRFs work, just that you need to be aware of them. Just remember that VRFs allow for multiple virtual routing tables.
- 1.6a Configure and verify IPv4 | networking basics
1.6 Configure and verify IPv4 addressing and subnetting (Part 1)

What is an IPv4 address?
Found within layer 3 of the OSI model, an IPv4 (Internet Protocol Version 4) address is a logical 32 bit address, represented in a dotted decimal format, assigned to network devices to allow for host identification and to locate the host within a network. This allows for a route to be established between two network nodes to send/receive traffic. To compare against a MAC address, an IP address allows traffic to pass over many network devices, whereas a MAC address is only used on the individual links between devices. To re-iterate, an IP address is a logical addressing scheme which allows devices to talk to hosts on their own network (LAN), or to devices within other remote networks (WAN). The IP address always comes with a subnet mask, which we will explore later in the article. To use an analogy, the IP address is not dissimilar to your own postal address, with the street name being the network portion and the house number being the host portion.

IP addresses are split into octets, with each octet containing 8 binary bits to make up the 32 bit address. These octets are separated by a full stop and there are 4 octets in total, each having a maximum numerical value of 255. This is referred to as dotted decimal. Let's take a look at an example IP address, 192.168.0.1.

A 1 or a 0 is used to denote whether the decimal value of each bit position is on or off. So 1 = ON, and 0 = OFF. These 1's and 0's essentially energise or take no action on the transistors within computer processors. To make up the total dotted decimal value of the 2nd octet (168) of the IP address, we add together the decimal values of the bits that are on, like this:

128 + 32 + 8 = 168

To break it down even further we can check whether each bit's decimal value fits within the total dotted decimal value, per the below:
- Does 128 fit within 168? Yes, binary value on. 1
- Does 64+128 fit within 168? No, binary value off. 0
- Does 32+128 fit within 168? Yes, binary value on. 1
- Does 16+32+128 fit within 168? No, binary value off. 0
- Does 8+32+128 fit within 168? Yes, binary value on. 1
- Does 4+8+32+128 fit within 168? No, binary value off. 0
- Does 2+4+8+32+128 fit within 168? No, binary value off. 0
- Does 1+2+4+8+32+128 fit within 168? No, binary value off. 0

So, to summarise, an IP address is presented to us in dotted decimal format split into 4 octets. Each octet contains 8 binary values or "bits", which translate on the device to either power on or power off, and together give the octet's total value. The total value if all bits were set to 1 is 255, so the maximum possible IP address is 255.255.255.255. However, there is more to IPv4 addressing, as two IP addresses in every range are reserved for the network ID and broadcast address, see below.

Network ID and Broadcast Address
The network ID is always the first IP address in the address range, and is used to identify the network, usually for routing purposes. The broadcast address is always the last IP address in the range and is used when traffic needs to be sent to all devices on the local subnet. This is also referred to as the broadcast domain. The CCNA requires the following to be calculated from a network address and subnet, depending on the question:
- Number of available networks
- Number of IP addresses
- Number of host usable IP addresses
- Network ID IP address
- First usable IP address
- Last usable IP address
- Broadcast IP address

What is a subnet mask?
Now we have an understanding of what an IP address is, and how it is used for network routing and host identification, a key element of the IPv4 protocol is how we identify what portion of the address is used for the network subnet and what portion is available for host addressing. For this we use something called the Subnet Mask.
The subnet mask is always present with the IP address and typically you will see it like below:

Subnet Mask - Broken Down
With the subnet mask, if the binary value is set to 1, then this denotes the network portion of the IP address, always starting from the left until the first binary value of 0 is seen. The 0 bits then denote the host portion of the IP address. 255 is the maximum value of an octet (all 8 bits set to 1). So looking at the below we know the first three octets are designated for the network, and the final fourth octet is for host allocation. This example mask will allow for a total of 253 usable IP addresses for the hosts (192.168.0.1 - 192.168.0.254). It's not 255 usable IP addresses as the first IP (192.168.0.0) is used for the network ID, and the final IP (192.168.0.255) is used for the broadcast IP.

Changing the Subnet Mask
A key element of the subnet mask is that it allows us to change the size of the network, where we can reduce or increase the number of available hosts. If we change bits of the network portion to 0, we add more hosts. Conversely, if we change bits of the host portion to 1, we reduce the number of hosts. Note that the changes are always made from left to right. This is known as subnetting, which we will learn how to calculate later in this article.

Looking at the above example, we have changed a number of bits within the third octet to 0. This has increased the number of available usable host IP addresses to 8190 (8190 is including the network ID and broadcast IP).

Classful IP Addressing
While the classful IP addressing method is no longer in use within the public IP address scheme, it is still referred to today and therefore is something we need to understand. Classful IP addressing was replaced in 1993 due to the unexpected (at the time) popularity of the internet. Classful addressing was replaced by Classless Inter-Domain Routing to allow for better scalability of the internet with the limited number of IP addresses available.
There are 5 different classes of IP addresses, per the below:

Prior to the move away from classful addressing, network classes were identified using the first 4 bits of the IP address, seen in the above table. These were referred to as the leading bits. For example, for IP address 130.58.41.89, we know this is a Class B network because the binary string for the first octet is 1 0 0 0 0 0 1 0. As we now know this is a Class B network, the subnet mask will be 255.255.0.0. Another example such as 200.54.88.57 would be a Class C network, because the binary string of the first octet is 1 1 0 0 1 0 0 0, and the subnet mask will be 255.255.255.0.

Due to the growing number of interconnected devices, restricting subnet masks to just 3 options would prove to be a massive limiting factor in the success of the internet. Today we still sometimes use the classful naming convention, but this is typically only used to quickly describe what subnet mask is used in a specific network. For example, if we see an IP address with a subnet mask of 255.255.255.0, this is known as a Class C network. See the table below for reference:

Classless Inter-Domain Routing (CIDR) Addressing
When it was realised that using the classful addressing scheme would limit the scale of the internet, the Internet Engineering Task Force (IETF) introduced the Classless Inter-Domain Routing (CIDR) scheme back in 1993. Following this change we now append the IP address of a network with something called a CIDR notation. The CIDR notation is a number which starts at 0 and ends at 32. This is because there are 32 bits in the subnet mask (the same number as in an IP address). The notation is the total count of network bits within the subnet mask. For example, with an IP address of 192.168.0.1 255.255.255.0, the CIDR notation will be 24 because all the bits in the first 3 octets of the subnet mask are binary value 1, so 8 x 3 is 24. The IP address is then presented as 192.168.0.1/24.
See below for another example of 172.78.23.5/30:

If we look at the IP address in the image above and its subnet mask, we can see the first 3 octets of the subnet mask are 255, therefore all the binary values or bits will be set to 1. So 8+8+8=24. Then looking at the final 4th octet, the decimal value is 252, therefore when converted to binary there are 6 bits set to 1. 24+6=30, so in total with 30 network bits, the CIDR notation with the IP address will be 172.78.23.5/30. The flexibility of CIDR allows IANA and organisations to better control public IP address assignment.

If we look at an example in reverse, for IP address 192.168.54.5/28 we know there are 28 total network bits. Always work left to right when calculating subnet masks, and because the value is more than 24, the first 3 octets will be 255. To calculate the final 4th octet we need to convert to binary: as 28-24=4, we set the first 4 bits to on, then add up the decimal values to obtain the final octet in the subnet mask, see below. So, 128+64+32+16=240, therefore the full subnet mask for network 192.168.54.5/28 will be 255.255.255.240.

IPv4 Header
IP operates at Layer 3, so in order to send data across or between networks we need to encapsulate the payload within an IPv4 header. The IPv4 header is always at least 20 bytes in size and can be used to change the way a packet is handled by a router.

https://www.iana.org/assignments/ip-parameters/ip-parameters.xhtml#ip-parameters-1
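The octet-to-binary walk, the classful leading-bit rule and the CIDR mask conversions above can be carried out in code, which also produces the network ID, broadcast and usable range the CCNA list asks for. This is an added example, not code from the original article; it uses the article's own worked addresses as inputs and goes one step further by rejecting non-contiguous masks.

```python
"""IPv4 subnet arithmetic (added example, not from the original page).

Works through the steps the text describes: the greedy "does 128 fit?
does 64 fit?" walk that turns an octet into 8 bits, a /N prefix into a
dotted mask (N leading 1 bits) and back, the classful leading-bit rule,
and the network ID, broadcast and usable host range for a CIDR block."""
BIT_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]


def octet_to_bits(value):
    """Greedy walk: a bit is on when its weight still fits in the remainder."""
    if not 0 <= value <= 255:
        raise ValueError("an octet must be 0..255")
    bits, remaining = [], value
    for weight in BIT_VALUES:
        if weight <= remaining:
            bits.append(1)
            remaining -= weight
        else:
            bits.append(0)
    return bits


def dotted_to_int(dotted):
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/N -> dotted mask: N leading 1 bits, the remaining 32-N bits 0."""
    if not 0 <= prefix <= 32:
        raise ValueError("a prefix length must be 0..32")
    host_bits = 32 - prefix
    return int_to_dotted(0xFFFFFFFF ^ ((1 << host_bits) - 1))


def mask_to_prefix(mask):
    """Dotted mask -> /N, rejecting masks whose 1 bits are not contiguous."""
    m = dotted_to_int(mask)
    prefix = bin(m).count("1")
    if m != dotted_to_int(prefix_to_mask(prefix)):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def address_class(dotted):
    """Classful rule from the leading bits of the first octet."""
    first = octet_to_bits(int(dotted.split(".")[0]))
    if first[0] == 0:
        return "A"
    if first[:2] == [1, 0]:
        return "B"
    if first[:3] == [1, 1, 0]:
        return "C"
    if first[:4] == [1, 1, 1, 0]:
        return "D"
    return "E"


def subnet_info(cidr):
    """Everything the CCNA list above asks for, from 'a.b.c.d/N'."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = prefix_to_mask(prefix)
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    network = a & m                          # host bits cleared -> network ID
    broadcast = network | (~m & 0xFFFFFFFF)  # host bits set -> broadcast
    total = 1 << (32 - prefix)
    # "Total minus two" for the network ID and broadcast; /31 and /32 have
    # no room for that rule, so they report 0 usable hosts here.
    usable = total - 2 if total >= 4 else 0
    return {
        "mask": mask,
        "network_id": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        "first_usable": int_to_dotted(network + 1) if usable else None,
        "last_usable": int_to_dotted(broadcast - 1) if usable else None,
        "total_addresses": total,
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    print(octet_to_bits(168))                  # [1, 0, 1, 0, 1, 0, 0, 0]
    print(prefix_to_mask(28))                  # 255.255.255.240
    print(mask_to_prefix("255.255.255.252"))   # 30
    print(address_class("130.58.41.89"), address_class("200.54.88.57"))  # B C
    print(subnet_info("192.168.54.5/28"))
```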
- 1.11 Describe wireless principles | networking basics
1.11 Describe wireless principles

What is a Wireless Network?
A wireless network is a network in which communication between devices is performed over the air (OTA). For the CCNA you are expected to understand some of the fundamentals of IEEE 802.11, which is the underlying standard on which wireless networks are built. The 802.11 standard was introduced in 1997 and over time has been revised to increase the throughput and reliability of the signal. You will see the term Wi-Fi used for a lot of wireless networks. The Wi-Fi Alliance was introduced shortly after the introduction of the 802.11 standard to provide a means for testing and approving products that are compatible with 802.11. Going forwards we will refer to a wireless network as an 802.11 WLAN (Wireless Local Area Network).

There are some issues with wireless transmission which the 802.11 standard overcomes:
- If more than one station transmits at the same time, interference is caused and transmission fails
- All devices within range of the wireless AP (Access Point) receive the frame (similar to an Ethernet hub), causing a privacy issue
- Wireless communications are governed/regulated by numerous international and national bodies, which means that wireless frequencies can vary between countries

Below is a list of the current 802.11 standards including their revisions:

RF (Radio Frequency)
802.11 WLAN technologies use radio frequencies to transmit over the air. To do this, the sender applies an alternating current to the antenna of the device, creating electromagnetic fields that propagate as waves. These waves are measured in frequency and amplitude.

Amplitude
Amplitude is the measure of the maximum strength of the electromagnetic field. Looking at the below animation, the green wave has a lesser amplitude whereas the red wave has a larger amplitude.

Frequency
This is the measure of up/down cycles of the wave over a unit of time. The most common measure of cycles is hertz (Hz).
Looking at the below animation, we can see that the green wave has a higher frequency compared to the red wave. The following list shows how frequencies of a wave are written:
- Hz - cycles per second
- kHz - 1,000 cycles per second (kilohertz)
- MHz - 1,000,000 cycles per second (megahertz)
- GHz - 1,000,000,000 cycles per second (gigahertz)
- THz - 1,000,000,000,000 cycles per second (terahertz)

Looking at the below image, we can see that there are 4 cycles within a 1 second capture of the wave. Therefore, the below wave is 4Hz and the period (amount of time per cycle) is 0.25 seconds.

Signal Coverage Issues

Absorption
This is where a signal is absorbed by a material (say the bricks in a wall) and turned into heat. The effect of absorption is a weakened signal.

Scattering
This is where the wave hits an uneven surface, or dust/smog. The signal hits the surface and bounces off it in multiple, scattered waves.

Reflection
This is typically only seen with metal surfaces, where the signal is bounced back. When you go into a warehouse, typically your mobile phone will lose all signal as the metal roof/walls reflect the waves from the mast away.

Refraction
When the wave passes through a material it can sometimes be 'bent' by the medium due to the changing speed. For example, when you put a straw in a glass of water it appears bent due to the light being refracted. The same thing happens with a wave passing through materials such as glass or water.

Diffraction
This happens when the wave hits an object and travels around it, causing blind spots for any devices that are behind that object.
Wi-Fi channels and RF Bands

RF Bands for 2.4GHz/5GHz
For 802.11 WLAN radio frequencies, the following bands are in use:
- 2.4GHz - 2.400GHz to 2.4835GHz
- 5GHz - 5.150GHz to 5.825GHz; however, this is split into 4 separate bands:
  - 5.150GHz to 5.250GHz
  - 5.250GHz to 5.350GHz
  - 5.470GHz to 5.725GHz
  - 5.725GHz to 5.825GHz

The 2.4GHz band can penetrate walls and other materials better than 5GHz; however, because 2.4GHz is used by more devices than 5GHz it is more prone to interference from neighbouring WLANs. The RF bands are divided up into channels, and devices can communicate on one or more of these channels at a time.

2.4GHz Channels
The 2.4GHz band is split into a number of channels, each with a 22MHz range. Note that 2.4GHz channels overlap. In a small WLAN configuration with a single access point, any channel can be used. However, in larger designs with multiple access points, any adjacent access points must use non-overlapping channels to avoid interference. It is recommended to use channels 1, 6 and 11, see below:

5GHz Channels
Unlike 2.4GHz channels, the channels within the 5GHz band do not overlap, which reduces the possibility of interference from neighbouring access points. Each channel is 20MHz in size, and there are gaps in the band between U-NII-2 and U-NII-2 Extended as these frequencies are reserved for other, non-802.11 WLAN purposes.

Best Practices (2.4GHz)
Because of the overlapping nature of the 2.4GHz band, it is important to ensure that APs that are in range of one another are not using the same channel (with the exception of a repeater), to avoid causing interference which will result in collisions. You can also amend the antenna power to reduce the range of the RF being emitted from the AP. The below depicts a warehouse with a number of access points to provide wireless connectivity to mobile devices. Looking at the top-down view of the warehouse's AP placements, if we were to use the same channel on all access points there would be a huge amount of interference.
By using the different channels 1, 6 and 11 we have removed any concern of interference by not using overlapping channels.

Service Sets
Any device with wireless capabilities can send and receive frames. Therefore it is crucial to control the way that devices can connect to a certain 802.11 WLAN, and also to ensure that the data sent over the air is secure. We use service sets to group devices together into a logical network segment where devices can share frequencies, security settings and so on. 802.11 defines a number of different service set types which can be used to group devices together. The SSID (Service Set Identifier) is a human-readable string used to identify service sets and is broadcast in beacon packets to be seen by users on their devices. Each service set can either be a BSS (Basic Service Set) or an ESS (Extended Service Set), which we will look into below:

BSS - Independent
This is a wireless network in which two or more devices connect directly to one another without using an AP. Examples of an independent BSS include services such as Apple's AirDrop feature to share files between devices. Note that an IBSS is limited to a small number of devices, ideal for features such as nearby file sharing. The below diagram shows an IBSS (Independent Basic Service Set) connected directly to share content:

BSS - Infrastructure
This BSS allows clients to connect to each other via an access point and is the most common type of service set seen. A BSSID (Basic Service Set Identifier) is used to uniquely identify the AP using the MAC address of the AP's radio module. Other APs can share the SSID; however, the BSSID will always be unique. Devices associated with the BSS are referred to as "clients" or, more commonly, "stations". Be careful not to confuse BSS with BSA (Basic Service Area), as the latter is only used to define the area around the AP where the signal is usable. Note that devices within a BSS can only communicate via the AP and not directly with each other.
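The channel-planning rule above (22MHz-wide 2.4GHz channels, so APs in range of each other need non-overlapping ones) can be checked mechanically. This is an added example, not code from the original article; it assumes the 802.11b/g channel plan of channel 1 centred at 2412MHz with 5MHz spacing up to channel 13 and channel 14 at 2484MHz, which the article does not state, and the AP names and adjacency are constructed.

```python
"""2.4GHz channel overlap check (added example, not from the original page).

Uses the page's 22MHz channel width to show why 1, 6 and 11 are the
non-overlapping set and to validate a warehouse channel plan. Assumed
centre frequencies: 2412MHz + 5MHz per channel for 1..13, 2484MHz for 14."""
CHANNEL_WIDTH_MHZ = 22


def centre_mhz(channel):
    """Centre frequency of a 2.4GHz channel (assumed 802.11b/g plan)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)
    raise ValueError(f"not a 2.4GHz channel: {channel}")


def channel_span(channel):
    """(low, high) edges in MHz of the 22MHz-wide channel."""
    centre = centre_mhz(channel)
    return centre - CHANNEL_WIDTH_MHZ / 2, centre + CHANNEL_WIDTH_MHZ / 2


def overlaps(a, b):
    """True when the two channels share any frequency (so a == b overlaps)."""
    lo_a, hi_a = channel_span(a)
    lo_b, hi_b = channel_span(b)
    return lo_a < hi_b and lo_b < hi_a


def non_overlapping_sets(max_channel=11):
    """Largest sets of mutually non-overlapping channels in 1..max_channel.

    The search space is tiny (2^11 subsets), so a brute-force walk is fine."""
    chans = list(range(1, max_channel + 1))
    valid = []
    for bitmask in range(1, 1 << len(chans)):
        subset = [c for i, c in enumerate(chans) if bitmask >> i & 1]
        pairs_ok = all(not overlaps(x, y)
                       for i, x in enumerate(subset) for y in subset[i + 1:])
        if pairs_ok:
            valid.append(subset)
    biggest = max(len(s) for s in valid)
    return [s for s in valid if len(s) == biggest]


def channel_conflicts(ap_channels, in_range_pairs):
    """APs that can hear each other must not use overlapping channels.

    ap_channels: {ap_name: channel}; in_range_pairs: [(ap_a, ap_b), ...].
    Returns the pairs whose channels overlap (an empty list means the plan
    is clean)."""
    return [(a, b) for a, b in in_range_pairs
            if overlaps(ap_channels[a], ap_channels[b])]


if __name__ == "__main__":
    print(non_overlapping_sets(11))          # [[1, 6, 11]]
    # Constructed warehouse: four APs, each able to hear its neighbours.
    plan = {"AP1": 1, "AP2": 6, "AP3": 11, "AP4": 1}
    neighbours = [("AP1", "AP2"), ("AP2", "AP3"), ("AP3", "AP4"), ("AP1", "AP4")]
    print(channel_conflicts(plan, neighbours))  # [('AP1', 'AP4')]
```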
ESS
An ESS (Extended Service Set) allows us to create larger WLANs by connecting APs together using a wired network. Each AP has the same SSID but a unique BSSID, which allows clients/stations to pass between APs without having to reconnect (roaming). Each BSA should overlap with its neighbours by around 10-15%. Each AP must use a different channel to avoid interference.

BSS - Mesh
A mesh basic service set can be used when it is difficult to run Ethernet wiring to each AP as with an ESS. MAPs (Mesh Access Points) use two radios: one for the BSS to provide wireless access to clients, and the other for creating a backhaul wireless network between each MAP. At least one AP is connected to the wired network and is referred to as the RAP (Root Access Point). Going back to what we know about mesh topologies, a meshed WLAN allows for a highly redundant and stable WLAN. The tablet in the bottom right of the above diagram has multiple paths to use to reach the RAP, and a protocol is used to determine the best path (similar to dynamic routing protocols in a wired network).

Distribution System
Wireless APs are an extension of a wired network to allow wireless clients to access the network. The wired network that is upstream of the WLAN is called a DS (Distribution System). APs translate the frames from the wireless medium into frames suitable for transmission across a wired Ethernet network. Another key component of the DS is the mapping of VLANs within the APs. APs can provide multiple VLANs, each with their own SSID. The wired connection will then be configured as a trunk to allow VLAN-tagged frames to be correctly forwarded. We haven't covered VLANs yet but this will be in later articles, so don't worry about VLAN concepts right now. The below diagram defines the demarcation point between the DS, the BSS and the internet. Note there is only one VLAN in this topology, so the port on the L3 switch will be an access port for VLAN 10.
If multiple VLANs are required for different networks, say a Guest network and a Management network, we can use an 802.1Q trunk port on the wired link between the switch and the AP. The AP can then be configured with a number of SSIDs mapped to the specific VLAN IDs. Note that the BSSID increments for each additional SSID.

Encryption
As we have covered, 802.11 WLAN connected devices transmit over the air using RF bands. These RF transmissions are picked up by every device with wireless capability within range. This makes a WLAN particularly susceptible to a sniffing attack, where a malicious user listens in on wireless transmissions. If the data being transmitted was not encrypted, it could easily be re-assembled by the malicious user. 802.11 has a number of technologies within the standard to combat possible attacks by implementing encryption within the AP-client relationship. See below:

WEP (Deprecated)
Released in 1997, WEP (Wired Equivalent Privacy) was quickly found to be easily broken. This was ultimately replaced by WPA/TKIP. WEP should not be used on a wireless network.

WPA/TKIP (Deprecated)
WPA (Wi-Fi Protected Access) was released in 1999 to replace WEP; however, it was not standardised for wireless hardware until 2003. WPA introduced a new encryption method, TKIP (Temporal Key Integrity Protocol), and was intended to be an interim fix for the easily broken WEP encryption. WPA/TKIP has been deprecated since 2012.
The new standard introduced a number of additional features to help secure the WLAN, per the below:
- Temporal Keys - used to defeat social engineering attacks
- Sequencing - to defeat replay and injection attacks
- Key Mixing - to defeat known IV collisions and weak-key attacks
- Enhanced Data Integrity (MIC) - to defeat bit-flipping and forgery attacks
- TKIP Countermeasures - to address constraints of the TKIP MIC
- Longer initialisation vector (IV) - the IV size is doubled from 24 bits to 48 bits, making brute force attacks on all WEP keys virtually impossible

WPA2/AES
Introduced in 2004, WPA2 implemented AES (Advanced Encryption Standard) based encryption, which uses a block cipher to encrypt data between two wireless devices. The key length is 128 bits, which provides further security over TKIP. WPA2 uses AES-CCMP (Counter Mode CBC-MAC Protocol).

WPA3/AES
Introduced in 2018, WPA3 includes the AES-CCMP protocol but introduces a new one, AES-GCMP (Galois/Counter Mode Protocol). This consists of two encryption algorithms, which provides even further security over AES-CCMP. The key length for AES-GCMP is 256 bits.

Stream Cipher vs Block Cipher
A stream cipher encrypts a data stream one bit (or byte) at a time. A block cipher, on the other hand, encrypts a block of plaintext to produce a "ciphertext" block of equal length.
- Stream Cipher: WEP & WPA
- Block Cipher: WPA2 & WPA3
- 1.8 IPv6 Part 2 | networking basics
1.8 Configure and verify IPv6 addressing and prefix Part 2

NDP (Neighbour Discovery Protocol)
We touched on broadcast traffic in section 1.6 Part 1 and how it is used for ARP (Address Resolution Protocol). ARP uses the broadcast IPv4 address to send a packet to all devices in the subnet, requesting that whichever device has a certain IPv4 address responds with the corresponding MAC address. In IPv6 the concept of broadcast is removed; however, we still need to learn the layer 2 MAC address to forward frames to. So how do IPv6 enabled hosts learn the MAC addresses of neighbouring devices? Using multicast and NDP. Multicast traffic is a one-to-many transmission (to those devices that have joined the multicast group), and we'll go into multicast groups and scopes further in section 1.9. For now you just need to know the multicast group address ff02::1, which is the all-hosts multicast address. All IPv6 devices join this group by default and will process any packets sent to it that they receive.

Solicited-Node Multicast Addresses
In ARP, the ARP request packet (which is sent to all devices on the broadcast domain) states "Who has 192.168.1.1?", and the corresponding device sends an ARP response back to the sender with its MAC address. The device receiving the ARP request packet knows who it is for because the packet states the IP address itself. With IPv6 and the NDP packet, it is sent to all devices, but how does an IPv6 device know if the packet is destined for it? It uses something called a solicited-node multicast address. We use this address rather than the all-hosts multicast address of ff02::1 to make NDP more efficient and remove the requirement for all devices to process traffic not destined to them. The solicited-node multicast address is automatically generated on every IPv6 device from its link-local/unicast addresses. It uses the ff02::1:ff00:0/104 network prefix and the last 6 hexadecimal digits (24 bits) of the IPv6 address.
A solicited-node multicast address is created for every IPv6 address on the device. See the process for solicited-node multicast address generation below:

Take a look at the below output from a Windows PC with IPv6 enabled:

PS C:\Users\nbpc> netsh interface ipv6 show joins

Interface 1: Loopback Pseudo-Interface 1

Scope       References  Last  Address
----------  ----------  ----  ---------------------------------
0           2           Yes   ff02::c

Interface 5: Ethernet

Scope       References  Last  Address
----------  ----------  ----  ---------------------------------
0           0           Yes   ff01::1
0           0           Yes   ff02::1
0           2           Yes   ff02::c
0           4           Yes   ff02::fb
0           1           Yes   ff02::1:3
0           1           Yes   ff02::1:ff10:adce
0           1           Yes   ff02::1:ff12:d7ea
0           1           Yes   ff02::1:ff5f:5887

PS C:\Users\nbpc> netsh interface ipv6 show addresses

Interface 5: Ethernet

Addr Type  DAD State  Valid Life  Pref. Life  Address
---------  ---------  ----------  ----------  ------------------------
Public     Preferred  29m27s      29m27s      fd57:205d:eb73:4f8a:2745:8fd1:565f:5887
Temporary  Preferred  29m27s      29m27s      fd57:205d:eb73:4f8a:3441:9bcb:f812:d7ea
Other      Preferred  infinite    infinite    fe80::2ef2:ba89:3a10:adce%5

Looking at the two outputs above, you can see the 3 IPv6 addresses highlighted in orange, and the 3 solicited-node multicast addresses in blue.

ICMPv6 Types for NDP
NDP uses the ICMPv6 (Internet Control Message Protocol version 6) framework to discover devices on the local subnet. The following extensions of ICMPv6 are used for NDP:

Discovering Neighbour Link Addresses
In order to forward traffic across a local network, the sending device still needs to know the MAC address of the destination. Once this is learnt it is stored in the NDP neighbour table (similar to an ARP cache), which is simply a list of IPv6 addresses and their mapped MAC addresses. If a device isn't listed in the NDP neighbour table, its MAC address will need to be learnt using NDP. The process is as follows:
- Send an NS packet to the solicited-node multicast address of the destination
- The device with the matching solicited-node multicast address processes the packet; all other devices drop the packet
- The device with the matching solicited-node multicast address responds with an NA packet containing its MAC address and IPv6 address
- The device which originally sent the NS packet receives the NA packet and adds the details to its NDP neighbour table

See below for a simplified example of NDP operation when PC1 attempts to ping PC2:

SLAAC (Stateless Address Auto-Configuration)
RS - Router Solicitation
RA - Router Advertisement

IPv6 adds the ability to configure IPv6 addresses on hosts without using a server to keep track of IPv6 addressing on a network. This is called SLAAC, and it is an efficient and mostly configuration-less method of address generation on hosts. How does it work?
- The administrator enables auto-configuration on the host device
- The host device sends an RS packet into the network with destination all-routers multicast (ff02::2)
- The router receives the RS message and responds with an RA containing the network prefix and its link-local address (fe80)
- The host device calculates an IPv6 address using the network prefix from the RA and configures the default gateway as the link-local address of the router
- The host performs a DAD check (more on this in the next section) twice to confirm that the IPv6 address is not in use elsewhere
- If the "other-config" flag is set on, the host will use DHCPv6 to learn other details such as DNS servers etc.

Simplified process below:

DAD (Duplicate Address Detection)
DAD is performed during the SLAAC process to ensure that the IPv6 address the device is generating isn't in use elsewhere. Here's how it works:
- SLAAC is performed (see above)
- The device sends an NS packet with the destination IPv6 address of its own tentative address's solicited-node multicast address, with an unspecified source address of ::
- If there is another device on the network with the same IPv6 address that SLAAC is attempting to assign, an NA from that host will be received and the device performing DAD will use another IPv6 address. Because the source address is ::, should an NA be sent it'll be forwarded to the all-nodes multicast group
- If there are no other devices on the network with the same IPv6 address, no NA will be received and the IPv6 address is considered unique
- The device performing the DAD check will perform the check twice in case there were any transmission issues on the network

Note that DAD is typically only performed during SLAAC or when an interface comes up, to avoid issues caused by duplicate IP addresses on the same subnet. See below a simplified overview of the DAD process:
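The solicited-node derivation, the group membership an NS is matched against, and the "is this NS for me?" decision that both neighbour discovery and DAD depend on can be written out in a few functions. This is an added example, not code from the original article: it uses the three addresses from the netsh output above as input, and the mapping of an IPv6 multicast group to its Ethernet MAC (33:33 followed by the group's low 32 bits, per RFC 2464) is an assumption not covered on the page.

```python
"""Solicited-node multicast derivation (added example, not from the page).

Applies the rule given above: prefix ff02::1:ff00:0/104 plus the last 24
bits (last 6 hex digits) of the unicast or link-local address. Also lists
the groups a host joins and decides what a host does with a Neighbour
Solicitation, which is the check DAD relies on. The 33:33 Ethernet MAC
mapping (RFC 2464) is assumed and is not on the page."""
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node(address):
    """ff02::1:ffXX:XXXX where XX:XXXX are the low 24 bits of the address."""
    unicast = ipaddress.IPv6Address(address.split("%")[0])  # drop any zone id
    low24 = int(unicast) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def multicast_mac(group):
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits."""
    low32 = int(ipaddress.IPv6Address(str(group))) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def joined_groups(unicast_addresses):
    """All-nodes plus one solicited-node group per configured address."""
    groups = {ALL_NODES}
    for addr in unicast_addresses:
        groups.add(solicited_node(addr))
    return groups


def ns_outcome(host_addresses, target):
    """What a host does with a Neighbour Solicitation for `target`.

    'dropped': the host is not in the target's solicited-node group, so the
               frame is never processed (the efficiency gain described above).
    'ignored': the group matched (only the low 24 bits collide) but the
               target is not one of this host's addresses.
    'answer':  the target is ours, so reply with an NA. In DAD this is the
               reply that tells the probing host its tentative address is
               already taken."""
    tgt = ipaddress.IPv6Address(target)
    if solicited_node(target) not in joined_groups(host_addresses):
        return "dropped"
    mine = {ipaddress.IPv6Address(a.split("%")[0]) for a in host_addresses}
    return "answer" if tgt in mine else "ignored"


# The three addresses from the netsh output above.
NBPC_ADDRESSES = [
    "fd57:205d:eb73:4f8a:2745:8fd1:565f:5887",
    "fd57:205d:eb73:4f8a:3441:9bcb:f812:d7ea",
    "fe80::2ef2:ba89:3a10:adce%5",
]

if __name__ == "__main__":
    for a in NBPC_ADDRESSES:
        g = solicited_node(a)
        print(f"{a:42} -> {g}  ({multicast_mac(g)})")
    # A constructed duplicate of the first address: a DAD probe for it gets an NA.
    print(ns_outcome(NBPC_ADDRESSES, "fd57:205d:eb73:4f8a:2745:8fd1:565f:5887"))
```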
- 1.10 Verify IP parameters for Client OS | networking basics
1.10 Verify IP parameters for Client OS (Windows & Linux)

Verifying IP Configuration on Windows
To identify what IP configuration is set on a Windows PC, the simplest method is to use the command "ipconfig /all" within Command Prompt or PowerShell. We specify the "/all" flag to ensure that all network devices attached to the PC are displayed in the output. Let's explore some of the details shown in the above screenshot.

There are lots of commands available to run on a Windows PC to confirm how the NIC is configured, such as:
- ping | used to test reachability to another IP address either inside or outside the local subnet
- tracert | used to check the path that packets take across a network, also useful for identifying latency at certain hops
- netstat -rn | displays the PC's routing table
- netstat | lists the current TCP/UDP sessions created by the PC with source and destination ports and IP addresses
- netsh interface ipv6 show | lists some of the available commands to confirm IPv6 configuration (such as multicast groups etc.)

Verifying IP Configuration on Linux
As with Windows, there are specific commands to run on different operating systems. For Linux we can use the commands "ip address" or "ifconfig". To show the default gateway we need to run the "ip route" command.
See below:

networkingbasicsvm2@networkingbasicsvm2:~$ ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        ether 08:00:27:d9:0d:5b  txqueuelen 1000  (Ethernet)
        RX packets 232  bytes 223788 (223.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 237  bytes 23817 (23.8 KB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 83  bytes 8465 (8.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 83  bytes 8465 (8.4 KB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

networkingbasicsvm2@networkingbasicsvm2:~$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:d9:0d:5b brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
       valid_lft 86334sec preferred_lft 86334sec

networkingbasicsvm2@networkingbasicsvm2:~$ ip route
default via 10.0.2.2 dev enp0s3 proto dhcp metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
169.254.0.0/16 dev enp0s3 scope link metric 1000

A few things worth reading from this output: "dynamic" and "proto dhcp" tell you the address and the default route were learned from DHCP (valid_lft is the remaining lease time), so if either is wrong, the DHCP server, or a rogue one, is where to look; the gateway 10.0.2.2 sits inside the connected 10.0.2.0/24 network, which it must for the default route to be usable; 169.254.0.0/16 is the IPv4 link-local (APIPA) range, routed here so that auto-configured neighbours are reachable; and enp0s3 has no inet6 line at all, not even an fe80:: link-local address, so IPv6 is disabled on that interface in this VM.

Please see below a list of useful commands for network configuration checks on Linux:

ping | tests reachability to another IP address either inside or outside the local subnet
traceroute | shows the path that packets take across a network, and is also useful for identifying latency at certain hops (may need to be installed via apt)
ip route | displays the PC's routing table (ip -6 route for IPv6)
ip neigh | displays the ARP/NDP cache, the equivalent of "arp -a"
netstat | lists the current TCP/UDP sessions created by the PC with source and destination ports and IP addresses; netstat is part of the deprecated net-tools package, and the iproute2 equivalent is "ss -tunap"
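Reading a routing table by eye is easy for three lines; the checks a practitioner actually wants (which default route wins, is the gateway on a connected network, where did the route come from) are shown here as an added Python parser for "ip route" output. It is not code from the page: the SAMPLE_IP_ROUTE text is the output above pasted as a string, BROKEN_IP_ROUTE is a constructed table with an unreachable gateway, and the keyword list covers the common iproute2 fields only.

```python
import ipaddress

# Constructed from the `ip route` output shown above.
SAMPLE_IP_ROUTE = """\
default via 10.0.2.2 dev enp0s3 proto dhcp metric 100
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15 metric 100
169.254.0.0/16 dev enp0s3 scope link metric 1000
"""

# Constructed failure case: a static default route whose gateway is on no connected network.
BROKEN_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto static metric 100
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15 metric 100
"""

# iproute2 keywords that are followed by a value; anything else is treated as a bare flag.
VALUED_KEYS = {"via", "dev", "proto", "scope", "src", "metric", "table", "pref"}


def parse_ip_route(text):
    """Turn `ip route` lines into dicts such as {'dst': 'default', 'via': ..., 'dev': ..., 'metric': 100}."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        route = {"dst": tokens[0], "flags": []}
        i = 1
        while i < len(tokens):
            if tokens[i] in VALUED_KEYS and i + 1 < len(tokens):
                route[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                route["flags"].append(tokens[i])   # e.g. "linkdown", "onlink"
                i += 1
        route["metric"] = int(route.get("metric", 0))   # the kernel treats a missing metric as 0
        routes.append(route)
    return routes


def default_gateways(routes):
    """All default routes, lowest metric first (the first one is the one the host uses)."""
    gws = [r for r in routes if r["dst"] == "default" and "via" in r]
    return sorted(gws, key=lambda r: r["metric"])


def connected_networks(routes):
    """Networks reachable directly (scope link, no next hop), with the source address and interface."""
    return [(ipaddress.ip_network(r["dst"]), r.get("src"), r["dev"])
            for r in routes
            if r.get("scope") == "link" and "via" not in r and r["dst"] != "default"]


def check_gateway(routes):
    """The 'has an IP but no internet' checks: returns the chosen gateway and a list of problems."""
    gws = default_gateways(routes)
    if not gws:
        return {"gateway": None, "dev": None, "learned_from": None,
                "problems": ["no default route: host can only reach connected networks"]}
    gw = gws[0]
    gw_ip = ipaddress.ip_address(gw["via"])
    problems = []
    on_link = any(gw_ip in net and dev == gw["dev"]
                  for net, _src, dev in connected_networks(routes))
    if not on_link and "onlink" not in gw["flags"]:
        problems.append(f"gateway {gw_ip} is not inside any connected network on {gw['dev']}")
    if len(gws) > 1 and gws[1]["metric"] == gw["metric"]:
        problems.append("two default routes with equal metric: path selection is ambiguous")
    return {"gateway": str(gw_ip), "dev": gw["dev"],
            "learned_from": gw.get("proto", "unknown"), "problems": problems}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_IP_ROUTE), ("broken", BROKEN_IP_ROUTE)):
        print(name, check_gateway(parse_ip_route(text)))
```

Run it against the live table with `ip route | python3 -c 'import sys; ...'` or just paste the output into the string. "learned_from" is the security-relevant field: a default route with proto dhcp that you did not expect is how a rogue DHCP server redirects a client's traffic, so compare it with what the legitimate server should hand out.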
- 1.9 Describe IPv6 address types | networking basics
1.9 Describe IPv6 address types

Global unicast 2000::/3

These are IPv6 addresses that are obtained from an RIR and are routable across the internet. They are globally unique and should only be used by the organisation that has registered them. Global unicast addresses were originally allocated only from the 2000::/3 block, which still holds all current assignments and allows for a huge number of networks worldwide; the definition has since been widened so that any address not reserved for another purpose counts as global unicast. See the end of this article for a table of IPv6 reservations. Typically organisations are provided with a /48 address block, known as the Global Routing Prefix, and subnet it into /64 networks, which gives 65,536 (2^16) subnets.

Unique local fc00::/7

A unique local address (ULA, RFC 4193) is private address space, similar to the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 blocks reserved for private use in IPv4. These addresses must not be routed over the internet and are solely for use within an organisation's own networks, so they do not need to be registered with an RIR. The reserved block is fc00::/7, but only the half with the "L" bit set, fd00::/8, is currently defined for use, so in practice wherever you see an IPv6 address beginning with fd you can identify it as a unique local address. The 40-bit global ID that follows should always be randomly generated: if two organisations merge and both chose a global ID of all zeros, every network would have to be renumbered, whereas two random IDs are very unlikely to collide.

Link local fe80::/10

These addresses are used only between directly connected interfaces, and routers will not forward packets with a link-local destination address. Link-local addresses are used by NDP (Neighbor Discovery Protocol) and as the next-hop address in routing tables and Router Advertisements. They use the address block fe80::/10: the first 10 bits are fixed, the following 54 bits are set to 0, and the remaining 64 bits form the interface identifier that makes the address unique on the link (fe80::1 is a valid link-local address, for example). Devices typically either auto-generate their link-local addresses via the modified EUI-64 method, or via randomisation.
We'll go into EUI-64 in more depth later on in this article. The zone identifier is local to the device and requires no manual configuration: it simply identifies the interface that the link-local address is bound to, because every interface has its own fe80:: address and the address alone does not say which link to send on. On a PC with several interfaces you'll see it appended to the end of the address, for example fe80::1%eth0 on Linux or fe80::1%12 on Windows.

Anycast

Anycast is a newer feature of IPv6 and allows one-to-one-of-many communication. There is no dedicated address block for anycast; an anycast address is an ordinary global or unique local unicast address configured on more than one device. On a Cisco router, add the keyword "anycast" when the IPv6 address is added to the interface:

nbRTR1(config)#interface Gi0/1
nbRTR1(config-if)#ipv6 address 2001:db80::5612/64 anycast

Routers forward packets for the address to the nearest instance, as determined by routing metrics.

Multicast

IPv6 uses multicast where IPv4 would use broadcast; there is no broadcast address in IPv6. The address block for multicast is ff00::/8. Multicast forwards traffic to a number of devices (one to many) that have joined the multicast group. Some key multicast groups to know are below:

ff02::1 | all nodes on the link
ff02::2 | all routers on the link
ff02::5 and ff02::6 | all OSPFv3 routers / OSPFv3 designated routers
ff02::9 | all RIPng routers
ff02::a | all EIGRP routers
ff02::1:2 | all DHCPv6 relay agents and servers
ff02::1:ff00:0/104 | solicited-node addresses, used by NDP

IPv6 also defines multicast scopes, encoded in the fourth hexadecimal digit of the address. These scopes determine how far a multicast packet should be forwarded. Some scopes require additional configuration to put multicast boundaries in place. Below are the relevant scopes that you need to be aware of:

ff01:: | interface-local (never leaves the host)
ff02:: | link-local (never forwarded by a router)
ff05:: | site-local
ff08:: | organisation-local
ff0e:: | global

Modified EUI-64

Modified EUI-64 is a method of creating the interface identifier (the low 64 bits of the IPv6 address) from the device's 48-bit MAC address, which is then combined with the network prefix. The process is done automatically on the router, however we need to understand what is happening behind the scenes to generate the IPv6 address. Note that most modern operating systems no longer use modified EUI-64 by default: the MAC address can be read straight back out of the interface identifier, which reveals the NIC vendor and lets the same machine be recognised on every network it joins, so they use stable opaque identifiers (RFC 7217) and temporary addresses (RFC 8981) instead.
The steps to create a modified EUI-64 interface identifier are as below:

1. Split the 48-bit MAC address into two 24-bit halves.
2. Insert fffe between the two halves to make 64 bits.
3. Invert the 7th bit of the first byte and write the result as four hexadecimal fields separated by colons.
4. Prepend the /64 network prefix to the interface identifier and format the whole thing as an IPv6 address.

Why do we invert the 7th bit? The 7th bit of the first byte of a MAC address is the U/L (Universal/Local) bit. When it is 0 the MAC is a UAA (Universally Administered Address), assigned by the manufacturer from its registered OUI. When it is 1 the MAC is an LAA (Locally Administered Address), meaning it was set by an engineer (or randomised by the operating system, as modern phones and laptops do for Wi-Fi privacy). Modified EUI-64 flips the meaning so that a 1 in the identifier means "universal": a manufacturer-assigned MAC therefore produces an identifier with that bit set, and any locally administered MAC produces one with it clear.
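The four steps above carried out in Python, together with the reverse operation that makes EUI-64 a privacy problem (recovering the MAC from an address seen on the wire). This is an added example, not code from the page; the MAC 08:00:27:d9:0d:5b is the VM's address from section 1.10, and the prefix 2001:db8::/64 is the documentation prefix, chosen for illustration.

```python
import ipaddress
import re


def modified_eui64_interface_id(mac):
    """Return the 8-byte interface identifier derived from a 48-bit MAC (RFC 4291 appendix A)."""
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))   # accept 08:00:27..., 08-00-27..., 0800.27...
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])    # steps 1 and 2: split, insert ff:fe
    eui64[0] ^= 0x02                                             # step 3: flip the U/L bit (bit 7 of byte 0)
    return bytes(eui64)


def eui64_address(prefix, mac):
    """Step 4: combine a /64 prefix with the modified EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    iid = int.from_bytes(modified_eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64_address(addr):
    """Recover the MAC from an EUI-64 derived address, or None if the interface ID is not EUI-64.

    This is the privacy concern: anyone who sees the address learns the NIC vendor (OUI)
    and can recognise the same machine on any network it joins, whatever prefix it gets.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":              # no ff:fe in the middle: random or RFC 7217 identifier
        return None
    first = iid[0] ^ 0x02                     # undo the U/L inversion
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "08:00:27:d9:0d:5b"                 # the VM's MAC from section 1.10
    print("interface id:", modified_eui64_interface_id(mac).hex())
    print("link-local:  ", eui64_address("fe80::/64", mac))
    print("global:      ", eui64_address("2001:db8::/64", mac))
    print("recovered:   ", mac_from_eui64_address("2001:db8::a00:27ff:fed9:d5b"))
```

When reviewing an IPv6 deployment, run mac_from_eui64_address over the addresses in your logs: any that return a MAC belong to hosts whose hardware identity is exposed in every packet they send, which is exactly what the privacy extensions are meant to avoid.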
- 1.8 IPv6 Part 1 | networking basics
1.8 Configure and verify IPv6 addressing and prefix Part 1

What is IPv6?

IPv6 was developed within the IETF from the mid 1990s, when the exhaustion of IPv4 was already a recognised concern, and the protocol was standardised in 1998 (RFC 2460). More and more Service Providers and organisations have made the change to IPv6 as the number of available IPv4 addresses has declined and, at the RIRs, run out. IPv5 was a group of protocols never intended for public use: the experimental Internet Stream Protocol (ST, later ST-II) used the value 5 in the IP version field. To avoid confusion with it, the IETF named the new protocol IPv6.

An IPv6 address is 128 bits long, compared to IPv4's 32-bit address scheme. Every added bit doubles the available addresses, so this gives an enormously larger pool: IPv4 has 2^32 = 4,294,967,296 addresses, while IPv6 has 2^128, roughly 3.4 × 10^38. (Writing the address in hexadecimal does not add any addresses; it is just a more compact way of showing the same 128 bits.)

IPv6 is written differently to IPv4 because of the number of bits and the use of hexadecimal. The 128-bit address is broken up into eight 16-bit fields separated by colons, such as 2001:ff56:1fad:0051:42db:2054:db31:0025. This may look like a random string of characters, so let's break it down. The table below shows the hexadecimal to binary values. Each hexadecimal digit is exactly 4 bits, with place values 8, 4, 2, 1.

IPv6 Conversion Chart
0 = 0000  1 = 0001  2 = 0010  3 = 0011
4 = 0100  5 = 0101  6 = 0110  7 = 0111
8 = 1000  9 = 1001  a = 1010  b = 1011
c = 1100  d = 1101  e = 1110  f = 1111

You'll notice that once we reach a value of more than 9 we can't use double digits, so a letter is used instead: 10 = a, 11 = b, 12 = c, 13 = d, 14 = e, 15 = f. Let's take what we now know from the table and apply it to the IPv6 address 2001:ff56:1fad:0051:42db:2054:db31:0025: the first field, 2001, is 0010 0000 0000 0001, and each of the other seven fields expands to 16 bits in the same way. Clearly the IPv6 address is a lot longer and harder to remember than an IPv4 address, however there are ways to shorten the total length and simplify the address to make it easier to read. We'll explore these techniques in the next section below.
Abbreviating IPv6 addresses: :: & leading zeroes

Remembering or even typing a full IPv6 address is difficult, as there are 32 hexadecimal digits compared to IPv4's maximum of 12 decimal digits. There are two key ways to shorten an IPv6 address, and both rely on the zeroes.

Step One - Replacing consecutive all-zero fields with ::

We are given the IPv6 address 2001:db00:f438:0000:0000:0000:63ef:2a04. One run of consecutive all-zero fields can be removed and replaced with "::" to denote the missing fields, so 2001:db00:f438:0000:0000:0000:63ef:2a04 becomes 2001:db00:f438::63ef:2a04. We know that there are always 8 fields, so anyone reading the address can work out how many 0000 fields the :: stands for. Let's see some examples below.

The "::" may appear only once in an address; if it appeared twice there would be no way to tell how many fields each one replaced. So if there are two separate runs of 0000 fields, only one of them can be compressed. RFC 5952, which defines the recommended text form, says to compress the longest run, and if two runs are the same length, the left-most one. Given 2001:db63:0000:0000:ffed:0000:0000:0000, the three fields on the right form the longer run, so the shortened address is 2001:db63:0000:0000:ffed:: (2001:db63::ffed:0000:0000:0000 is still a valid spelling of the same address, just not the canonical one). RFC 5952 also says not to use :: for a single 0000 field: 2001:db8:0:1:1:1:1:1 is written that way rather than 2001:db8::1:1:1:1:1.

Step Two - Removing leading zeroes from hexadecimal fields

The second way to shorten an IPv6 address is to remove any leading 0s from each 16-bit field. For example, the field :002d: is written :2d:, and :0000: becomes :0:. Only leading zeroes can go: a trailing zero is part of the value, so :2200: cannot be shortened (writing :22: would mean :0022:, a different number). Let's look at some examples (we'll also combine step one): combining both steps, 2001:db63:0000:0000:ffed:0000:0000:0000 becomes 2001:db63:0:0:ffed::. As you can see we can shorten IPv6 addresses right down. Going forwards we will be using the abbreviated IPv6 address scheme. See some broken down examples below:

A practical caveat: because one address has many valid spellings, never compare IPv6 addresses as strings in firewall rules, allow-lists or log searches; expand or canonicalise both sides first, otherwise 2001:DB8::1 and 2001:db8:0:0:0:0:0:0001 will be treated as different hosts.

IPv6 Prefixing

As with IPv4, we need to know which portion of the IPv6 address is the network prefix, and which is the host identifier.
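Both abbreviation steps, plus the RFC 5952 tie-break rules, implemented as an added Python example (not code from the page). It deliberately does not lean on the standard library so that every rule in the text is visible in the code; the stdlib's ipaddress module is used only to cross-check the result. Dotted-quad suffixes such as ::ffff:192.0.2.1 are out of scope and rejected.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(text):
    """Return the eight 4-digit hexadecimal fields of an address written in any valid spelling."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in text:
        left, right = text.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one field")
        fields = head + ["0"] * missing + tail           # step one undone
    else:
        fields = text.split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}")
    out = []
    for f in fields:
        if not 1 <= len(f) <= 4 or any(c not in HEX_DIGITS for c in f):
            raise ValueError(f"bad field {f!r}")
        out.append(f"{int(f, 16):04x}")                  # step two undone: leading zeroes back
    return out


def compress_ipv6(text):
    """Canonical RFC 5952 form: leading zeroes dropped, the longest run of two or more
    zero fields replaced by ::, the left-most run on a tie, lowercase hexadecimal."""
    fields = [f"{int(f, 16):x}" for f in expand_ipv6(text)]   # step two: drop leading zeroes
    best_start, best_len = -1, 0
    i = 0
    while i < 8:                                               # find the longest run of "0" fields
        if fields[i] == "0":
            j = i
            while j < 8 and fields[j] == "0":
                j += 1
            if j - i > best_len:                               # strictly longer, so ties keep the left-most
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:                                           # a single zero field is never compressed
        return ":".join(fields)
    head = ":".join(fields[:best_start])
    tail = ":".join(fields[best_start + best_len:])
    return f"{head}::{tail}"                                   # step one


def same_ipv6(a, b):
    """Compare two addresses by value, not by spelling: the check an allow-list must do."""
    return expand_ipv6(a) == expand_ipv6(b)


if __name__ == "__main__":
    for addr in ("2001:db00:f438:0000:0000:0000:63ef:2a04",
                 "2001:db63:0000:0000:ffed:0000:0000:0000",
                 "2001:0db8:0000:0001:0001:0001:0001:0001"):
        mine, stdlib = compress_ipv6(addr), str(ipaddress.IPv6Address(addr))
        print(f"{addr} -> {mine}  (stdlib agrees: {mine == stdlib})")
```

The cross-check against ipaddress matters: if your own canonicaliser and the platform's disagree on some spelling, an attacker can pick that spelling to slip past a string-based rule.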
IPv6 does away with the dotted-decimal subnet mask of IPv4 and simply appends the number of bits used for the network prefix, known as the prefix length. The most common prefix length you'll see on a network is a /64. The IPv6 address contains 128 bits, so for a /64 the first 64 bits are the network prefix and the remaining 64 bits are the interface identifier. Typically, organisations are given a /48 IPv6 block, which lets them create 2^16 = 65,536 /64 subnets. To calculate the network prefix we set all of the interface identifier bits to 0. Because of the size of each IPv6 subnet we do not need to work out the number of hosts per network as we do in IPv4. For the CCNA we only need to be able to identify the network prefix from a given IPv6 address. Let's work through some examples:

Example 1 - Multiple of 16

We have been given the /64 address 2001:ff56:1fad:51:42db:2054:db31:25 and we need to identify the network prefix. This is the most common prefix size and is easily identified, as the prefix and interface portions are exactly half each: the first four fields stay and the last four become zero, giving 2001:ff56:1fad:51::/64. See below:

Example 2 - Not a multiple of 16 but a multiple of 4

In this example we use the same IPv6 address as above, but the prefix length has been changed to /40. This time the prefix ends in the middle of a hexadecimal field, because 40 isn't a multiple of 16. However, because 40 is a multiple of 4, the boundary falls between two hexadecimal digits rather than inside one, so we only need to zero whole digits: the third field 1fad becomes 1f00 and the prefix is 2001:ff56:1f00::/40. See below:

Did you see that the third hexadecimal field has changed from :1fad: to :1f00:? As in example 1, the network prefix is the address with all interface identifier bits set to 0. If we wrote :1f: instead, that would mean :001f:, since only leading zeroes may be dropped, and give the wrong network prefix.

Example 3 - Neither a multiple of 16 nor of 4

Here we have been given a /90 address.
Because 90 is neither a multiple of 16 nor of 4, the network prefix ends inside the 4 bits of a single hexadecimal digit, so to work out the prefix we must set every bit after the 90th to 0. Bits 81 to 96 are the sixth field, 2054, which in binary is 0010 0000 0101 0100; the 90th bit is the second bit of the digit 5 (0101), highlighted in orange above. We keep bits 89 and 90 (01) and clear bits 91 and 92, so that digit's binary string becomes 0100, changing the hexadecimal value from 5 to 4. The field becomes 2040, the last two fields are zeroed, and the network prefix is 2001:ff56:1fad:51:42db:2040::/90.

IPv6 Header

IPv6 uses a different header to IPv4 and simplifies it: the fixed header is 40 bytes (320 bits) long, has no header checksum and no options field, and rarely used functions have moved into optional extension headers, which makes forwarding simpler. As with IPv4, the header lets routers inspect and correctly process each packet according to the field values set. See below:

Unlike IPv4 routers, IPv6 routers do not fragment packets. Hosts are expected to limit the packet size to the path MTU (Maximum Transmission Unit) using Path MTU Discovery. If a packet arriving at a router is too big for the next link, the router drops it and returns an ICMPv6 Packet Too Big message (type 2) to the sender, which then retries with smaller packets. A practical caveat: firewalls that block all ICMPv6 break this, and the symptom is connections that open fine but hang as soon as a large response is sent; Packet Too Big must be allowed through (RFC 4890 lists the ICMPv6 types a firewall must not drop).

Configure and Verify IPv6 addressing on Cisco Equipment

Please see lab 3 here.
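The three prefix examples generalised to any prefix length, as an added Python example (not code from the page): network_prefix masks the address with a bit mask of the requested length, and boundary_field shows the work for the one field the prefix cuts through, exactly as examples 2 and 3 do by hand. The address is the one used in the examples above; the stdlib ipaddress module is used to expand the address and to cross-check the result.

```python
import ipaddress

EXAMPLE_ADDRESS = "2001:ff56:1fad:51:42db:2054:db31:25"   # the address used in the examples above


def expanded_fields(addr):
    """The eight 16-bit fields of an address as 4-digit hexadecimal strings."""
    return ipaddress.IPv6Address(addr).exploded.split(":")


def network_prefix(addr, plen):
    """Zero every bit after the prefix length and return the full 8-field network prefix."""
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    value = int(ipaddress.IPv6Address(addr))
    mask = ((1 << plen) - 1) << (128 - plen)          # plen one-bits followed by (128 - plen) zero-bits
    return ipaddress.IPv6Address(value & mask).exploded


def boundary_field(addr, plen):
    """Show the work for the field in which the prefix ends.

    Returns None when plen is a multiple of 16 (example 1: no field is split); otherwise a dict
    with the 1-based field number, how many of its bits belong to the prefix, and the field
    before and after masking, in hexadecimal and in binary.
    """
    if plen % 16 == 0:
        return None
    index, kept = divmod(plen, 16)                   # which field, how many of its bits are prefix
    before = expanded_fields(addr)[index]
    after = network_prefix(addr, plen).split(":")[index]
    return {
        "field": index + 1,
        "bits_kept": kept,
        "before": before,
        "before_bits": f"{int(before, 16):016b}",
        "after": after,
        "after_bits": f"{int(after, 16):016b}",
    }


if __name__ == "__main__":
    for plen in (64, 40, 90):
        print(f"/{plen}: {network_prefix(EXAMPLE_ADDRESS, plen)}")
        detail = boundary_field(EXAMPLE_ADDRESS, plen)
        if detail:
            print(f"      field {detail['field']}: {detail['before']} ({detail['before_bits']}) "
                  f"-> {detail['after']} ({detail['after_bits']}), {detail['bits_kept']} bits kept")
```

Prefix lengths that are not nibble-aligned are rare in practice but do turn up in route filters and access lists; a filter written with the unmasked field (2054 instead of 2040) silently matches nothing, which is the kind of mistake this check catches.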
- 1.7 Describe the need for private IPv4 | networking basics
1.7 Describe the need for private IPv4 addressing

Why do we need private IPv4 addressing?

In the early days of IP addressing and the wider internet, in the late 80s and early 90s, the original design was to give every networked device a public IP address. IANA (Internet Assigned Numbers Authority) would give organisations huge blocks of the public IP address space. For example, Apple was provided with 17.0.0.0/8, which allowed for over 16 million IP addresses. The internet grew rapidly, and the IETF (Internet Engineering Task Force) directed IANA to reserve 3 address blocks from the global pool for use in private networks (LANs) under RFC (Request for Comments) 1918. You can read the RFC here: https://www.rfc-editor.org/rfc/rfc1918.html. To quote an excerpt:

"The Internet has grown beyond anyone's expectations. Sustained exponential growth continues to introduce new challenges. One challenge is a concern within the community that globally unique address space will be exhausted."

Due to the 32-bit size of an IP address, there are only 4,294,967,296 of them. While this may seem like a large number, imagine if every device in your home was assigned a publicly routed IP address, then multiply those devices by the number of households and businesses across the world, and you can quickly see why the IETF saw IP address exhaustion as a big issue. The following 3 IP address blocks were marked by IANA as private address space; packets with a source or destination address in these ranges are not routed across the internet, and an RIR will never assign them to anyone:

10.0.0.0/8 | 10.0.0.0 to 10.255.255.255
172.16.0.0/12 | 172.16.0.0 to 172.31.255.255
192.168.0.0/16 | 192.168.0.0 to 192.168.255.255

IANA delegates IP address assignment to 5 RIRs (Regional Internet Registries) across the world, which are responsible for giving public IP addresses to Service Providers and organisations alike.
The five RIRs are listed below; I've also included the date on which each RIR's free pool of IPv4 address space became exhausted:

AFRINIC (African Network Information Centre) - https://stats.afrinic.net/ipv4/exhaustion/ipv4_pool
ARIN (American Registry for Internet Numbers) - 24/09/15 exhausted IPv4 address pool
APNIC (Asia-Pacific Network Information Centre) - https://www.apnic.net/manage-ip/ipv4-exhaustion/
LACNIC (Latin America and Caribbean Network Information Centre) - August 2020 exhausted IPv4 address pool
RIPE NCC (Réseaux IP Européens Network Coordination Centre) - 25/11/19 exhausted IPv4 address pool

There are 3 key measures that address IPv4 exhaustion:

NAT
The allocation of private address space by IANA
IPv6 (covered in the next articles)

NAT (Network Address Translation)

Let's look at how a typical home connects to the internet. You buy internet connectivity from a Service Provider, which in turn holds a pool of public IP addresses obtained from its local RIR. That pool is used to assign addresses to the Service Provider's customers' home routers. While the WAN (Wide Area Network) port is configured with a single public IP address, the router uses private IP addresses on the LAN (Local Area Network) side. NAT allows the devices on the private network to access the internet via the router. See the below diagram:

In the diagram the router is acting as a gateway (hence the name Default Gateway), as it sits on the edge of the LAN. The LAN interface of the router is configured with 192.168.1.254, and the WAN interface is configured with 215.15.69.212. Instead of giving each device on the LAN a public IP address, the router performs NAT on every packet that needs to route out to the internet. In its simplest definition, NAT replaces the source IP address of the packet with the IP address of the WAN interface. Because every LAN device shares that one public address, the router also rewrites the source port and records the mapping (private address, private port) to (public address, public port) in a translation table; this many-to-one form is called PAT, port address translation, or NAT overload. When the reply arrives on the WAN interface, the router looks up the destination port in the table and rewrites the destination back to the private address and port of the device that sent the request.
If NAT was not enabled in this scenario, the packet would leave the router with a private source address; the Service Provider would drop it (and even if it got through, the reply could never be routed back to 192.168.1.0/24), so the connection would fail. The same translation table is why an unsolicited packet arriving on the WAN interface goes nowhere: there is no mapping for it, which gives NAT an incidental firewall-like effect, though it is no substitute for a real firewall.