CCIE R&S Advanced

1. CCIE R&S Advanced

2. Agenda

3. Housekeeping • Restrooms • Kitchen - Softdrinks and snacks available • Cellphones - PLEASE put them on vibrate or turn them off. If you need to take/make a call, please exit the classroom. • Smoking - out side in front of building

4. SESSION 1 CCIE R&S Program Overview 4 4 4

5. CCIE R&S Program Overview • CCNA/CCNP Certification (Optional) • CCIE Written Exam • CCBOOTCAMP’s R&S Foundation Course • Develop a Study Plan and Timeline to Prepare for LAB • Review CCIE Blueprint • Purchase and Download recommended reading from Cisco Press and CCO web site • Purchase LAB workbooks • Purchase and Setup Home Lab • Reserve Online Rack rentals • Save money or work out a deal with your employer to budget for multiple lab attempts • Schedule a Lab Date commensurate with the Timeline • Study, Practice, Practice some more, and then study • CCIE Advanced Bootcamp • CCIE Mock LAB Bootcamp

6. CCIE LAB Overview A 8-hour, hands-on, 100-point lab exam. Candidates must score 80 or above to pass. Students builds a network to supplied specifications on a provided Cisco equipment rack. Lab questions can be completed in any order, although some questions depends on the completion of previous part of the exam. Physical cabling is done. Some of the basic functionality is preconfigured. Some of the equipment you can not configure such as the Backbone routers.

7. Cisco R&S Equipment List • 3725 series routers - IOS 12.4 mainline – Advanced Enterprise Services • 3825 series routers - IOS 12.4 mainline – Advanced Enterprise Services • Catalyst 3550 series switches running IOS version 12.2 – IP Services • Catalyst 3560 Series switches running IOS version 12.2 - Advanced IP Services

8. Pre-lab Checklist • Remove the Variables, increase your chances, and get your body physically and mentally ready! • Get to the testing city/location at least one day prior to your exam. If your time zone is plus/minus more than six hours different than the time zone of the Cisco office you are taking your exam, plan on getting there at least two days prior to the exam. • Drive over to the facility where your lab exam will be held. Make sure you know how long it will take you to get to the testing location. • Look for a good place to eat breakfast near the facility. • Eat a healthy dinner consisting of protein and complex carbohydrates. Stay away from greasy, fatty, and sugary foods. Also, if you want to eat meat, try and eat chicken or fish (avoid red meat as it takes your body longer to digest). • Get a good night’s rest. Do not stay up the entire night trying to cram or study last minute materials. Do NOT take any type of sleep aid that could still be in your system the following day. • Wake up at least ninety minutes before your exam start time. Get showered, dressed, and go out for breakfast. • At breakfast, eat only healthy foods. No greasy, fatty, or sugary items should be consumed. Eat fruits, vegetables, oatmeal, etc. • Arrive at the facility at least fifteen minutes prior to your exam.

9. CCIE R&S Blueprint • Bridging and Switching • Frame relay • Catalyst configuration: VLANs, VTP, STP, MSTP, RSTP, Trunk, Etherchannel, management, features, advanced configuration, Layer 3 • IP IGP Routing • OSPF • EIGRP • RIPv2 • IPv6: Addressing, RIPng, OSPFv3 • GRE • ODR • Filtering, redistribution, summarization and other advanced features • BGP • iBGP • eBGP • Filtering, redistribution, summarization, synchronization, attributes and other advanced features

10. CCIE (R&S) Blueprint Cont. These topics would be covered in the Advanced Boot camp • IP and IOS Features • IP addressing • DHCP • HSRP • IP services • IOS user interfaces • System management • NAT • NTP • SNMP • RMON • Accounting • IP Multicast • PIM, bi-directional PIM • MSDP • Multicast tools, source specific multicast • DVMRP • Anycast • QoS • Quality of service solutions • Classification • Congestion management, congestion avoidance • Policing and shaping • Signaling • Link efficiency mechanisms • Modular QoS command line • Security • AAA • Security server protocols • Traffic filtering and firewalls • Access lists • Routing protocols security, catalyst security • CBAC • Other security features

11. SESSION 2 CCIE Advanced Bootcamp Overview 11 11 11

12. Advanced Class Hours - Instructor • Monday 9:00 AM till your head hurts • Tuesday 9:00 AM till your head hurts • Wednesday 9:00 AM till your head hurts • Thursday 9:00 AM till your head is spinning • Friday 9:00 AM till 3-ish [Mock Lab] Lunch Break at 1:00 PM to 2:00 PM (60 minutes)

13. CCBOOTCAMP R&S Rack Layout

14. SESSION 3Switching 14 14

15. First Things First (Ping Script) tclsh foreach address { 150.10.1.1 150.10.2.2 150.10.3.3 150.20.5.5 150.20.35.35 } {ping $address}

16. On a switch

17. Things You should already know (not covered) Interface Commands VTP Spanning Tree SPAN Strom Control Protected Ports 802.1X authentication Trunking MAC Address expiration Templates

18. Topics Covered • Ether-channel and Load Balancing • MST spanning tree • Rapid Spanning Tree • Advanced Switch Security • Switch QoS

19. Ether channel • PAgP can automatically groups interfaces with the same speed, duplex, mode, native VLAN, VLAN range, and trunking status and type. • The Ether Channel group looks like a single switch port to Spanning tree. • PAgP modes: auto, desirable, on • The first port in the channel that comes up provides its MAC address to the EtherChannel

20. Link Aggregation Control Protocol • LACP is defined in IEEE 802.3ad and enables Cisco switches to manage Ethernet channels between switches • Similarly configured ports are grouped based on hardware, administrative, and port parameter constraints such as same speed, duplex mode, native VLAN, VLAN range, and trunking status and type • A port in the active mode can form an EtherChannel with another port that is in the active or passive mode. • A port in the passive mode cannot form an EtherChannel with another port that is also in the passive mode because neither port starts LACP negotiation. • Can have 8 active and 8 standby ports per ether channel. (16) *Note on mode configured manually on both ends of the EtherChannel must have the same configuration. If the group is misconfigured, packet loss or spanning-tree loops can occur.

21. Load Balancing and Forwarding • Reduces part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel. • EtherChannel load balancing can use MAC addresses or IP addresses, source or destination addresses, or both source and destination addresses.

22. Source/destination MAC load balancing • The PCs uses different ports on sw1 • The router will use different ports to reply to the PCs

23. Switch Security • MAC Flood Attacks • Port Security • ARP Inspection • MAC ACLs • VACLs • Private VLANs

24. Rapid Spanning Tree Protocol (RSTP)

25. RSTP Port Roles

26. RSTP Port States • RSTP provides rapid convergence of the spanning tree. • Reconfiguration of the spanning tree can occur in less than 1 second (in contrast to 50 seconds with the 802.1D • Only non-edge ports moving to the forwarding state cause a topology change.

27. Rapid PVST

28. 802.1s (Multiple Spanning Tree) • MSTs (IEEE 802.1s) combine the best aspects from both the PVST+ and the 802.1q. • When you enable MST you enable 802.w (RSTP) • The idea is that several VLANs can be mapped to a reduced number of spanning tree instances because most networks do not need more than a few logical topologies. • There is no need to run 1000 instances. If you map half of the 1000 VLANs to a different spanning tree instance, as shown in this diagram, these statements are true: • The desired load balancing scheme can still be achieved, because half of the VLANs follow one separate instance. • The CPU is spared because only two instances are computed.

29. MST Configuration

30. MAC Flood Attacks • Affects Transparent Switches • Switches Learn and populate the CAM table based on Source MAC addresses • If to many MAC addresses are sent – open fail mode • The switch forwards out every frame on every port • This allows hackers to sniff other clients uni-cast information.

31. Preventing MAC Flooding with Port Security

32. Port Security - Aging • Static- enables timer to static entries • Time - <1-1440> Aging time in minutes • Type – • absolute Absolute aging (default) • inactivity Aging based on inactivity time period

33. Mac-address • Can manually input the actual Mac address • Also can store dynamically learned Mac addresses with Sticky

34. Maximum • The total amount of Mac addresses allowed on a port

35. Violations • The action to take if port security is violated • protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred. (no syslogs/snmp) • restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. • shutdown—The interface is error disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments

36. Apply Port Security and Verify • If more than 3 mac-addresses are learned any additional sources will cause the port to be shutdown (error disabled).

37. HSRP and Port Security • HSRP has a virtual mac-address that counts towards the maximum allowed on a port configured for port security. • Options: • Switchport port-security maximum 2 (still can cause violation for a short period of time • Static Mac-address entry for HSRP virtual mac-address • (Best choice) Use-bia command on the router’s interface • standby use-bia scope interface http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a00804462c4.html#wp1165870

38. ARP Spoofing • Gratuitous ARP • Detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict. • They assist in the updating of other machines' ARP tables. • They inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port. • Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts.

39. ARP DoS • Overloads a switch port with ARP traffic • Switch can handle untrusted host connecting to as many as 15 new hosts per second. checks every 1 second • Exceed limit than port changes to error disabled

40. IP ARP Inspection • This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN • How does it work? • DHCP Snooping (Recommended in production) • Static ARP Access-list (Use for Lab situation)

41. ARP inspection Cont. • Option to change defaults per port

42. IP Source Guard • By watching which IP addresses are assigned by DHCP, a switch can create dynamic ACL's to block all traffic except traffic from DHCP-assigned IP addresses. • Benefits: • Prevents a hacker from spoofing their IP address to launch an anonymous attack. • Prevents users from ignoring DHCP and manually configuring a static IP address.

43. IP Source Guard Configuration

44. DHCP Snooping • Create a DHCP database on flash or TFTP • Enable DHCP Snooping • "The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (circuit ID suboption). The switch forwards the DHCP request that includes the option-82 field to the DHCP server. " • ip dhcp snooping database flash:file01.txt" • ip dhcp snooping • ip dhcp snooping information option

45. Show IP DHCP Snooping Bindings Switch> show ip dhcp snooping binding MacAddress IpAddress Lease(sec) Type VLAN Interface ------------------ --------------- ---------- ------------- ---- -------------------- 01:02:03:04:05:06 10.1.2.150 9837 dhcp-snooping 20 GigabitEthernet0/1 00:D0:B7:1B:35:DE 10.1.2.151 237 dhcp-snooping 20 GigabitEthernet0/2 Total number of bindings: 2

46. Mac-address Access-list • You can configure a MAC address ACL using either of the following: • Access-list 700-799 48-bit MAC address access-list • or the extended version of the 48-bit MAC address access-list is 1100-1199 • To filter using the MAC address access-list, first you would define your access-list. Say that you wanted to allow only a host with the MAC address of 0800001234567 to access-list Ethernet0/0 interface. You would define the access-list like this: Router(config)# access-list 700 permit 0800.0123.4567 You can use these same methods to filter by “vendor code”. All companies who create Ethernet devices are designated a block of MAC addresses and all of these blocks begin with a specific string. This prefix for each vendor is known as the “vendor code”.

47. Protocol Type-Code Access-Lists (ACL) • Used for non IP traffic • Inbound only

48. MAC ACLs Cont.

49. Vlan ACLs (VACLs)

50. Private VLANs • The private-VLAN feature addresses two problems that service providers face when using VLANs: • Scalability: The switch supports up to 1005 active VLANs. If a service provider assigns one VLAN per customer, this limits the numbers of customers the service provider can support. • To enable IP routing, each VLAN is assigned a subnet address space or a block of addresses, which can result in wasting the unused IP addresses, and cause IP address management problems.