CST3607: Interconnectivity (Spring 2018)
Contents:
Announcements
Final Exam: Tuesday: May 22, 2018
Notify your family and friends not to make any travel plans for you, as you will not be able to take the final exam before class on May 22, 2018.
Important note about sending E-Mail to Me |
- Only use the e-mail address I gave you in class to communicate with me.
- Do not use my cuny.edu address and do not e-mail me via Blackboard.
Required for all Assignments
- Make sure that your full name is neatly written on your assignment.
- Submit a typed hardcopy at the beginning of class.
- If you use the RTF or DocX template I supply, type your answers in the table below each question.
- If you do not use the template I supply, make sure your answers stand out from the text of the question, i.e. bold or underlined, not both.
- Do not double space.
- Do not type your answers in all uppercase.
- Print out your assignments before you come to class. Do not rely on the printer or network in our classroom to be available or functional.
- Make sure that the correct assignment number and chapter are on your paper. Be mindful that the assignment number is not always the same as the chapter number.
- E-mail your assignment only if you are going to be absent, and at least 2 hours before class starts, on the day that the assignment is due. This should ensure that I receive your assignment before the start of class.
- No late assignments will be accepted.
Required Text
Reference Texts
Class Notes & Assignments
News & Tools
- The Final Exam will be on Tuesday: May 22, 2018, at 8PM
- The Privacy Paradox Challenge: A week of challenges with thousands of other "Note to Self" podcast listeners Feb 6-10.
- Surveillance Self-Defense is Electronic Frontier Foundation (EFF)'s guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices.
- security.txt: "When security risks in web services are discovered by independent security researchers who understand the severity of the risk, they often lack the channels to properly disclose them. As a result, security issues may be left unreported. Security.txt defines a standard to help organizations define the process for security researchers to securely disclose security vulnerabilities."
- Microsoft Windows and Office ISO Download Tool: This tool allows an easy way to download genuine Windows 7, Windows 8.1 and Windows 10 disk images (ISO) directly from Microsoft's servers, as well as Office 2007, Office 2010, Office 2013, Office 2016, and Office for Mac.
- InSpectre: Easily examine and understand any Windows system's hardware and software capability to prevent Meltdown and Spectre attacks.
Notes
- The Class Web page is located at ConsciousVibes.com (No www. prefix!)
- All assignments, reading and written, will be posted only on the class Web page
- Assignments will not be posted on Blackboard.
- Make sure that you can log into Blackboard and access our class section as soon as possible.
- Exams and quizzes will be administered via Blackboard
- Free ESL, GED, Job prep classes are available from the Office of Adult & Continuing Education
Principle of Least Privilege
- Why You Should Not Run as an Administrator or Root User
- How to Change Your Account to a Standard User
- Create a new local account that’s an administrator, with a strong password.
- Log in under the new local administrator account to verify that it’s working properly
- Change the account type of your original account to a Standard user
- Log in under your original account, which is now a Standard user.
- When you need elevated rights, UAC will prompt you for your administrator account's credentials.
- How and Why AutoPlay / AutoRun in Windows Should be Disabled
- The simple way to mitigate over 90% of Critical Microsoft Vulnerabilities
- Avecto's analysis of Patch Tuesday vulnerabilities shows that, of the 147 vulnerabilities reported by Microsoft in 2013 with a Critical severity rating:
- 92% were concluded to be mitigated by removing administrator rights
- 96% of Critical vulnerabilities affecting Windows Operating Systems could be mitigated by removing admin rights
- 100% of all vulnerabilities affecting Internet Explorer could be mitigated by removing admin rights
- 91% of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights.
- 100% of Critical Remote Code Execution vulnerabilities and 80% of Critical Information Disclosure vulnerabilities could be mitigated by removing admin rights.
Malware (short for malicious software, e.g. Virus, Trojan Horse, Worm, Adware, etc.)
- The key to solving the malware problem is avoidance, not detection and removal.
- Rootkit : You can never be sure you've removed all traces of a rootkit. The only way to be certain that your system is clean of malware is to:
- Back up only your data. (Do not back up any .exe or .com files, as they may have been compromised.)
- Erase/format the hard drive
- Do a clean install of the operating system from known safe media. (Do not use the recovery partition, as it may have been compromised too.)
- Live AntiVirus and Recovery Discs
- KNOPPIX Live Disc
- Download via the "Get Knoppix" menu
BadUSB
- Blocks data transfer - your device will not go into 'data transfer' mode if connected to a computer, so you can use a computer just like a mains charger. This also prevents data hacking and any risk of viruses being loaded onto your device when charging from an unknown/public USB socket.
- Puts your device into fast charge mode - allows you to charge at high speed (up to 2.4A) from a computer USB socket or other USB charger even if it was not originally designed for your device. Most Android and Apple products will charge at double the speed of normal computer USB charging.
- Available from Amazon.com
Stay Informed! News Sources
Studying & Learning Tips
Bit(s)   Binary      Decimal
1        10000000  = 128
2        11000000  = 192
3        11100000  = 224
4        11110000  = 240
5        11111000  = 248
6        11111100  = 252
7        11111110  = 254
8        11111111  = 255
Password Managers
- LastPass is a password manager. It helps you be more secure by making it easy to use a different password for every Web site.
- LastPass uses: AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes to ensure complete security in the cloud.
- User data is encrypted and decrypted locally at the device level.
- Data stored in the vault is kept secret, even from LastPass.
- The user’s master password, and the keys used to locally encrypt and decrypt user data, are never sent to LastPass’ servers, and are never accessible by LastPass.
Backing Up: 3-2-1 Rule
- 3: Have three copies of your files: the original, plus 2 copies.
- 2: On different storage media, e.g. separate hard drives, optical (CD/DVD), tape.
- 1: Have a current backup that is offsite and/or online.
Optical Media for Long Term Archives
- Regular writable optical media, CDs & DVDs, etc., are not reliable for long term storage. The dye used in writable optical media degrades with exposure to light, temperature extremes, etc. Because of this, the data on the media will start to degrade within 1 to 5 years.
- M-DISC (Millennial Disc) is a write once optical disc technology available in DVD and Blu-ray forms.
- Millenniata claims that properly stored M-DISC DVD recordings will last 1,000 years, and are readable in conventional optical drives
- Drives with M-DISC support and M-DISC Media
Live AntiVirus and Recovery Discs
Troubleshooting Client Network Connectivity
- Reasons why a client workstation did not get an IP address from the DHCP server within the correct IP address scope of your network, while other client workstations do.
- Keep it simple. Check the obvious things first.
- Are both ends of the network cable plugged in?
- Do you have a link status light?
- IPConfig /all
- ping 127.0.0.1 (the loopback address, to verify that the IP protocol stack is okay).
- Can the problem be reproduced? (Re-boot the computer)
- Are other workstations getting an IP address in the correct range?
- Can you ping the DHCP server, from a working system?
- Have you checked that the IP addresses in the DHCP scope have not been used up?
Read / Watch
- CST3607 Class Outline / Syllabus
- CCNA Routing and Switching Study Guide 2nd Edition: Chapter 1: Internetworking
- OSI Reference Model
Do
- CCNA Routing and Switching Study Guide:
- Assessment Test p. lvii
- Chapter 1: Review Questions
- Note: The answers for the Review Questions are in Appendix B.
- Send me an e-mail, from the e-mail address you check regularly, that I will use to communicate with you for the rest of this semester.
- Subject: CST3607 Contact Info
- In the Body of the e-mail: Include your first and last names and your mobile phone number.
- Note: I will not share your phone number and e-mail address with anyone.
- Study the OSI Reference Model
February
News
More than 150,000 Internet-facing printers were scanned, located, and used
- If your router has UPnP enabled, your printers (or anything else on your network) may have punched a hole through your border router's stateful NAT firewall to make themselves "available" to anyone on the public Internet.
Tools and News
- Malware is one of the many ways that identity thieves can get your personal information. Educate yourself and your people.
Protocol Review:
- DNS (Domain Name System) (or Service or Server)
- DHCP (Dynamic Host Configuration Protocol)
- NAT (Network Address Translation)
- Network Address Translation is an Internet Engineering Task Force (IETF) standard used to allow multiple PCs or devices on a local area network to share a single, globally routable IP address.
- NAT is also used to avoid address renumbering in a LAN when topology outside the private network changes.
- ARP (Address Resolution Protocol)
Unicast, Broadcast, Multicast
- The Internet Protocol and other network addressing systems recognize three main addressing methodologies:
- Unicast addressing uses a one-to-one association between the destination address and the network endpoint: each destination address uniquely identifies a single receiver endpoint.
- Broadcast addressing uses a one-to-many association: datagrams are routed from a single sender to all endpoints in the broadcast domain simultaneously, in a single transmission. The network automatically replicates datagrams as needed for all network segments (links) that contain an eligible receiver.
- Multicast addressing sends the same message to multiple endpoints, but not to all, simultaneously in a single transmission. The network automatically replicates datagrams as needed for all network segments (links) that contain an eligible receiver.
Collision and Broadcast Domains
Telemetry is an automated communications process by which measurements and other data are collected at remote or inaccessible points and transmitted to receiving equipment for monitoring.
How would you know that a network has been compromised?
Network Analyzer/Packet Sniffer
Segment Your Network / Isolate Guests & IoT devices from your main segment
Ubiquiti Networks EdgeRouter X:
Universal Plug-and-Play (UPnP)
- OneNote gives users an easily organized, tabbed workspace on which they can type notes, draw, grab links, and insert a variety of media. When connected to a Microsoft account, OneNote data will be synchronized between all your devices. You may already have OneNote if you have Windows 8 or Microsoft Office.
Read
- CCNA R&S Study Guide 2nd Edition: Chapter 2: Ethernet Networking and Data Encapsulation
- OSI Reference Model {r...}
- Subnetting and Supernetting
- How a Broadcast Address Works
Do
- CCNA R&S Study Guide 2nd Edition: Chapter 2: Written Labs & Review Questions
- Until further notice, bring in a stand-alone calculator (not one on your phone or computer) to every class. The calculator must have an exponent function (the ^ key, x^y).
- If you don't already have a stand-alone calculator, you can pick-up any of the following, or similar, from Staples or Office Depot for $10.
- Sign up for a free Cisco Learning Network account. [A paid membership is not necessary to access a lot of the material]
- Check if your router has UPnP, or any other ports/protocols, exposed to the Internet:
- Go to GRC.com > Services Menu > ShieldsUP!
- Run GRC's Instant UPnP Exposure Test
- Run GRC's "All Service Ports Test"
- Report your results at our next class
News & Tools
Attackers Exploiting Unpatched Flaw in Flash (02 Feb 18)
- Adobe warned on Thursday that attackers are exploiting a previously unknown security hole in its Flash Player software to break into Microsoft Windows computers. Adobe said it plans to issue a fix for the flaw in the next few days, but now might be a good time to check your exposure to this still-ubiquitous program and harden your defenses. Adobe said a critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could allow an attacker to take control of the affected system.
Enable Microsoft Office Protected View
- Applies to: Excel 2016, Word 2016, PowerPoint 2016, Excel 2013, Word 2013, and more. Files from the Internet and from other potentially unsafe locations can contain viruses, worms, or other kinds of malware that can harm your computer. To help protect your computer, files from these potentially unsafe locations are opened as read only or in Protected View. By using Protected View, you can read a file and see its contents and enable editing while reducing the risks.
QuickTime should be uninstalled from all Microsoft Windows systems
2 Factor Authentication
The Electronic Frontier Foundation (EFF) has online tracker-testing in its Panopticlick, helping you analyze the privacy protections in your Web browser.
Web Browser Plugins
- uBlock Origin
- NoScript
- Since so many sites depend on JavaScript, you may want to let NoScript allow scripts, but when prompted, leave the other NoScript protections enabled.
Wireless Network Security
- WEP (Wired Equivalent Privacy)
- Due to known security issues with WEP encryption, it is recommended that you do not use WEP. WEP can easily be cracked in a few minutes.
- Wi-Fi Protected Access (WPA and WPA2)
- When using WPA2, use AES encryption only, instead of TKIP+AES
- Wi-Fi Protected Setup
- A flaw in a feature added to Wi-Fi, called Wi-Fi Protected Setup, allows WPA and WPA2 security to be bypassed and effectively broken in many situations. WPA and WPA2 security implemented without using the Wi-Fi Protected Setup feature are unaffected by the security vulnerability.
- Widget Jacking (session hijacking (sidejacking/widgetjacking) attacks)
WPA3
Virtual Private Network (VPN)
A virtual private network (VPN) enables users to send and receive data while remaining anonymous and secure online.
In the simplest terms, a VPN is used to create a secure, encrypted connection between your computer and a server operated by the VPN service.
Types of Ethernet cabling
- Straight-through cables are used to connect unlike devices.
- e.g. Host to Switch, Router to Switch
- On a host: Pins 1 & 2 are transmit, and 3 & 6 are receive.
- Crossover cables are used to connect like devices.
- e.g. Switch to switch, Router to host, Router to Router
- It is possible to connect switches using a straight-through cable because many switches have auto-configuring ports, usually referred to as Auto-MDIX, a.k.a. Auto Uplink.
- Roll-over cables are used to connect a host's RS-232 / EIA-TIA-232 serial interface to a router's console port.
- The default COM port settings for Cisco routers & switches are:
- Bits per Second: 9600, Data bits: 8, Parity: None, Stop Bits: 1, Flow Control: None
- A group of networks and routers under a common administrative control.
- Routing inside an autonomous system is referred to as intradomain routing.
- Routing between autonomous systems is referred to as interdomain routing.
RFC (Request for Comments)
IEEE (Institute of Electrical and Electronics Engineers)
Deprecated / Deprecation
- Core layer or Backbone
- Distribution layer
- Access layer
Read
- CCNA R&S Study Guide 2nd Edition: Chapter 3: Introduction to TCP/IP
Do
- CCNA R&S Study Guide 2nd Edition: Chapter 3: Written Labs & Review Questions
News
Tools
Rufus: Create a bootable USB from an ISO
XBoot: Create a bootable USB flash drive with multiple Live OS's
- The process a host uses to get an IP address lease from the DHCP server
- RFC2131
- In addition to an IP address, what additional parameters, if any, does a host need to get from the DHCP server?
- Subnet Mask
- Default Gateway
- DNS Server's IP address
Phase (Transmission Method): Description
- Discover (broadcast -->): Client requests an IP address. The client broadcasts a DHCPDISCOVER message on the physical subnet to find available servers. The client creates a UDP packet with the broadcast destination of 255.255.255.255 or the subnet broadcast address.
- Offer (<-- unicast): DHCP server offers an IP address from its pool. When a DHCP server receives an IP lease request from a client, it extends an IP lease offer. This is done by reserving an IP address for the client and sending a DHCPOFFER message across the network to the client. This message contains the client's MAC address, followed by the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer.
- Request (broadcast -->): When the client PC receives an IP lease offer, it must tell all the other DHCP servers that it has accepted an offer. To do this, the client broadcasts a DHCPREQUEST message containing the IP address of the server that made the offer. When the other DHCP servers receive this message, they withdraw any offers that they might have made to the client. They then return the address that they had reserved for the client back to the pool of valid addresses that they can offer to another computer. Any number of DHCP servers can respond to an IP lease request, but the client can only accept one offer per network interface card.
- Acknowledge (<-- unicast): When the DHCP server receives the DHCPREQUEST message from the client, the final phase of the configuration process is initiated. The acknowledgement phase involves sending a DHCPACK packet to the client. This packet includes the lease duration and any other configuration information that the client might have requested. At this point, the IP configuration process is complete.

- DHCP: How a client handles errors.
- DHCP Scopes: A Dynamic Host Configuration Protocol (DHCP) scope is the consecutive range of possible IP addresses that the DHCP server can lease to clients on a subnet. Scopes typically define a single physical subnet on your network to which DHCP services are offered. Scopes are the primary way for the DHCP server to manage distribution and assignment of IP addresses and any related configuration parameters to DHCP clients on the network.
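The four phases in the table and the scope notes, as an added example that is not part of the course page: two constructed DHCP servers share one subnet, so the Request broadcast makes the losing server withdraw its offer and return the address to its scope, and an exhausted scope shows up as a client that gets no lease (the case the troubleshooting checklist asks about). Server addresses, scopes, client MACs and the class/function names are my own; real DHCP carries these fields in UDP datagrams on ports 67/68, which this model leaves out.

```python
# Added example (not from the course page): a simplified model of the four
# DHCP phases in the table above, with two DHCP servers on one subnet so the
# Request phase's "withdraw the other offers" rule is visible.  The server
# addresses, scopes and client MACs are constructed; real DHCP carries these
# fields in UDP datagrams on ports 67/68, which this model leaves out.

BROADCAST = "255.255.255.255"


def make_pool(prefix, first, last):
    """The scope: a consecutive range of addresses the server may lease."""
    return ["%s.%d" % (prefix, n) for n in range(first, last + 1)]


class DhcpServer:
    def __init__(self, server_ip, pool, mask, gateway, dns, lease_seconds):
        self.ip = server_ip
        self.pool = list(pool)      # addresses still free in the scope
        self.reserved = {}          # client MAC -> address offered, not yet acked
        self.leases = {}            # client MAC -> address acknowledged
        self.options = {"subnet_mask": mask, "router": gateway,
                        "dns": dns, "lease_seconds": lease_seconds}

    def on_discover(self, msg):
        """Offer phase: reserve an address and unicast a DHCPOFFER.  Returns
        None when the scope is used up, so the client gets no offer from this
        server (one of the cases in the troubleshooting checklist)."""
        if not self.pool:
            return None
        addr = self.pool.pop(0)
        self.reserved[msg["client_mac"]] = addr
        return {"type": "DHCPOFFER", "to": msg["client_mac"], "your_ip": addr,
                "server_id": self.ip, **self.options}

    def on_request(self, msg):
        """Acknowledge phase if the client chose this server; otherwise the
        offer is withdrawn and the reserved address goes back to the pool."""
        addr = self.reserved.pop(msg["client_mac"], None)
        if addr is None:
            return None
        if msg["server_id"] != self.ip:
            self.pool.append(addr)
            return None
        self.leases[msg["client_mac"]] = addr
        return {"type": "DHCPACK", "to": msg["client_mac"], "your_ip": addr,
                "server_id": self.ip, **self.options}


def dora(client_mac, servers):
    """Discover / Offer / Request / Acknowledge for one client.  Returns the
    DHCPACK (the client's configuration) or None when no server offered."""
    discover = {"type": "DHCPDISCOVER", "to": BROADCAST, "client_mac": client_mac}
    # Broadcast: every DHCP server on the subnet sees it and may offer.
    offers = [o for o in (s.on_discover(discover) for s in servers) if o]
    if not offers:
        return None
    chosen = offers[0]                  # only one offer accepted per interface
    request = {"type": "DHCPREQUEST", "to": BROADCAST, "client_mac": client_mac,
               "server_id": chosen["server_id"], "requested_ip": chosen["your_ip"]}
    # Broadcast again so every server learns which offer was accepted.
    acks = [a for a in (s.on_request(request) for s in servers) if a]
    return acks[0] if acks else None


if __name__ == "__main__":
    srv_a = DhcpServer("192.168.1.2", make_pool("192.168.1", 100, 101),
                       "255.255.255.0", "192.168.1.1", "192.168.1.2", 86400)
    srv_b = DhcpServer("192.168.1.3", make_pool("192.168.1", 200, 201),
                       "255.255.255.0", "192.168.1.1", "192.168.1.3", 86400)
    for n in range(1, 6):
        ack = dora("00:11:22:33:44:%02x" % n, [srv_a, srv_b])
        print("client %d ->" % n, ack["your_ip"] if ack else "no lease")
```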
- Wireshark decode of an ARP Request packet:
- Why is ARP on Layer 2 and not on Layer 3 of the OSI Reference Model?
- ARP provides a service to Layer 3
- ARP does not provide Layer 3 services.
- ARP does not use Layer 3 services.
- ARP is not exclusive to IP. ARP is used by other protocols
- ARP is definitely a layer 2 protocol, with Ethernet type = 0x806
- If anyone claims that ARP is on Layer 3, ask them: Does ARP have an IP protocol number?
- ARP/RARP
- ARP Spoofing
- Neighbor Discovery Protocol (NDP) performs functions for IPv6 similar to the way Address Resolution Protocol (ARP) and ICMP Router Discovery and Router Redirect protocols do for IPv4.
- Connection-Oriented Service
- In a connection-oriented service:
- A connection is first established between the sender and the receiver.
- Data is transferred.
- At the end, the connection is released.
- TCP and SCTP are connection-oriented protocols.
- Connectionless Service
- In a connectionless service, the packets are sent from one party to another with no need for connection establishment or connection release.
- The packets are not numbered; they may be delayed or lost or may arrive out of sequence.
- There is no acknowledgment that the packet arrived at its destination.
- UDP is connectionless.
- Reliable vs Unreliable
- The transport layer service can be reliable or unreliable
- If the application layer program needs reliability, we use a reliable transport layer protocol by implementing flow and error control at the transport layer.
- On the Internet, there are three common transport layer protocols.
Subnet zero and the all-ones subnet
- The first subnet obtained from subnetting has all bits in the subnet bit group set to zero (0). It is therefore called subnet zero.
- The last subnet obtained from subnetting has all bits in the subnet bit group set to one (1). It is therefore called the all-ones subnet.
- The IETF (Internet Engineering Task Force) discouraged the production use of these two subnets at one point due to possible confusion of having a network and subnet with the same address. The practice of avoiding subnet zero and the all-ones subnet was declared obsolete in 1995 by RFC 1878.
- In this class, we will always include subnet zero when we subnet.
ICMP (Internet Control Message Protocol)
The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite.
- ICMP works at the Network layer and is used by IP for many different services. ICMP is basically a management protocol and messaging service provider for IP.
- ICMP messages are encapsulated within IP datagrams.
- ICMP is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.
- Destination unreachable:
If a router can’t send an IP datagram any further, it uses ICMP to send a message back to the sender, advising it of the situation.
- For example, take a look at Figure 3.17, which shows that interface E0 of the Lab_B router is down.
- ICMP can also be used to relay query messages.
- ICMP is assigned protocol number 1.
- ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute).
ICMP messages are divided into two broad categories: error-reporting messages and query messages.
- The error-reporting messages report problems that a router or a host (destination) may encounter when it processes an IP packet.
- The query messages, which occur in pairs, help a host or a network manager get specific information from a router or another host.
- For example, nodes can discover their neighbors. Also, hosts can discover and learn about routers on their network, and routers can help a node redirect its messages.
When a packet is received by a router, what does the router have to do?
- Decrement TTL by 1, then evaluate TTL
- The router will decrement TTL by 1, then evaluate the value of TTL to determine if the packet should be dropped or forwarded.
- If TTL = 0, then drop the packet and send an ICMP destination unreachable to the sender
- If TTL > 0, then proceed
- What is the network that the packet is destined for?
- Do I have that network in my routing table?
- If no, then drop the packet and send an ICMP destination unreachable to the sender
- If yes, then…
- Which interface of mine do I have to send the packet out of to get it to the destination network?
- What is the IP address of the next closest router that I have to send the packet to? (Next Hop IP)
- Forward the packet to the destination network via the next hop router.
Traceroute
- Traceroute is a diagnostic command that uses ICMP and TTL to map the path to a destination IP address.
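The router's decision list and traceroute, as an added example that is not from the course page: a constructed three-router lab where each probe's TTL expires one hop further along, and a destination with no route is reported by the router that lacks it. Topology, addresses, routing tables and the class/function names are my own; one detail the notes do not spell out is that the reply a router sends when TTL reaches 0 is ICMP Time Exceeded (type 11), with Destination Unreachable (type 3) used for the missing-route case.

```python
# Added example (not from the course page): the per-packet decisions the
# notes list for a router (decrement TTL, look up the destination network,
# pick the next hop) and a traceroute built on top of them.  The topology,
# addresses and routing tables are constructed for the example.  When TTL
# reaches 0 a router answers with ICMP Time Exceeded (type 11); Destination
# Unreachable (type 3) is sent when the network is not in its table.

def parse_ip(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def in_network(ip, network_cidr):
    """True if `ip` lies inside network_cidr, written 'a.b.c.d/n'."""
    net, prefix = network_cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return parse_ip(ip) & mask == parse_ip(net) & mask


class Router:
    def __init__(self, name, ip, routes):
        self.name = name
        self.ip = ip        # source address of the ICMP messages it sends
        # routes: (network/prefix, next-hop IP or None when directly connected)
        self.routes = routes

    def lookup(self, dst):
        """Longest-prefix match, the general form of 'do I have that network
        in my routing table?'.  Returns (prefix length, network, next hop)."""
        best = None
        for network, next_hop in self.routes:
            plen = int(network.split("/")[1])
            if in_network(dst, network) and (best is None or plen > best[0]):
                best = (plen, network, next_hop)
        return best

    def forward(self, packet):
        """('forward', next hop IP) or ('icmp', reply to the packet's source)."""
        packet["ttl"] -= 1                        # 1. decrement, then evaluate
        if packet["ttl"] == 0:
            return "icmp", {"type": 11, "name": "time-exceeded",
                            "from": self.ip, "to": packet["src"]}
        route = self.lookup(packet["dst"])        # 2. is the network in my table?
        if route is None:
            return "icmp", {"type": 3, "name": "destination-unreachable",
                            "from": self.ip, "to": packet["src"]}
        next_hop = route[2]                       # 3. which next hop / interface?
        return "forward", (next_hop if next_hop else packet["dst"])


def send(packet, gateway, routers_by_ip):
    """Carry one packet hop by hop, starting at the sender's default gateway.
    Returns ('delivered', [router names]) or ('icmp', reply)."""
    router, hops = gateway, []
    while True:
        hops.append(router.name)
        action, detail = router.forward(packet)
        if action == "icmp":
            return "icmp", detail
        if detail == packet["dst"]:               # directly connected: deliver
            return "delivered", hops
        router = routers_by_ip[detail]


def traceroute(src, dst, gateway, routers_by_ip, max_hops=30):
    """Probe with TTL 1, 2, 3, ...; each Time Exceeded reveals one router."""
    path = []
    for ttl in range(1, max_hops + 1):
        action, detail = send({"src": src, "dst": dst, "ttl": ttl},
                              gateway, routers_by_ip)
        if action == "icmp" and detail["name"] == "time-exceeded":
            path.append(detail["from"])
            continue
        path.append(dst if action == "delivered"
                    else "unreachable from %s" % detail["from"])
        break
    return path


def build_lab():
    """Constructed topology: host 10.0.0.5 -> R1 -> R2 -> R3 -> 10.3.0.0/24.
    R2 has no default route, so packets for unknown networks die there."""
    r1 = Router("R1", "10.0.0.1", [("10.0.0.0/24", None), ("10.12.0.0/30", None),
                                   ("0.0.0.0/0", "10.12.0.2")])
    r2 = Router("R2", "10.12.0.2", [("10.12.0.0/30", None), ("10.23.0.0/30", None),
                                    ("10.3.0.0/24", "10.23.0.2")])
    r3 = Router("R3", "10.23.0.2", [("10.23.0.0/30", None), ("10.3.0.0/24", None)])
    return r1, {"10.12.0.2": r2, "10.23.0.2": r3}


if __name__ == "__main__":
    gateway, others = build_lab()
    print("to 10.3.0.9:", traceroute("10.0.0.5", "10.3.0.9", gateway, others))
    print("to 10.99.0.1:", traceroute("10.0.0.5", "10.99.0.1", gateway, others))
```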

Read / Watch
- CCNA Routing and Switching Study Guide 2nd Edition: Chapter 4: Easy Subnetting
- Subnetting and Supernetting {re-post}
- OSI Reference Model {re-post}
Do
- CCNA R&S Study Guide 2nd Edition: Chapter 4: Written Labs & Review Questions
- Until further notice, bring in a stand-alone calculator with an exponent function (the ^ key, x^y), not the one on your phone or computer, to every class.
News & Tools
BlueBorne
- The IoT Attack Vector "BlueBorne" Exposes Almost Every Connected Device
- BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices.
- BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices.
- The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode.
Anti-Virus, or Not?
- In my opinion, anyone who promotes not using anti-virus and other protective software on all computers and devices that connect to the Internet is being very irresponsible. It is too trivial for systems to be compromised by malware and zero-day exploits.
Better Focus and Efficient Studying When Not Multitasking / Multi-Focusing

Using the AND function to determine the network address
- Use the bitwise AND to determine the network address by comparing the binary of the subnet mask to the binary of an IP address within the subnet.
- If both bits in the compared position are 1, the bit in the resulting binary representation is 1, (1 × 1 = 1);
- Otherwise, the result is 0 (1 × 0 = 0 or 0 × 0 = 0)
- For example:
10010010.00101111.10000001.00001011 (146.47.129.11 ~ IP Address)
11111111.11111111.00000000.00000000 (255.255.0.0 ~ Subnet Mask)
10010010.00101111.00000000.00000000 (146.47.0.0 ~ Network Address / 1st address in the network/subnet)
Broadcast Address, Wildcard Mask, Block Size practice:
- Add the Wildcard Mask to the network address to determine the broadcast address
- The block size is determined by subtracting the value of the "interesting" octet from 256.
- The block size is not the number of addresses per subnet. It is the subnet increment.
Default Mask vs Mask
- Default Mask is when there is no subnetting or supernetting.
Using the Wildcard mask to determine the last address (a.k.a. broadcast address) within a subnet.
- The Wildcard mask is the inverse of the Subnet mask
- Each octet of the subnet mask, and its corresponding wildcard mask, must add up to 255.
- Example:
- If you have a /26 prefix, the mask would be: 255.255.255.192, and then the Wildcard mask would be: 0.0.0.63. (As 192 + 63 = 255 in the 4th octet)
MicroNugget: Wildcard Masks by Keith Barker
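The AND step, the wildcard mask, the broadcast-by-addition rule and the block size from the notes above, worked octet by octet in an added example that is not the course page's own code. It runs the page's 146.47.129.11 with a /16 and a constructed 192.168.10.130 with a /26; the function names and the `describe` result keys are my own.

```python
# Added example (not from the course page): mask, wildcard, network address
# (bitwise AND), broadcast address (network + wildcard) and block size,
# worked octet by octet the way the notes describe.  Sample addresses are
# the page's 146.47.129.11/16 and a constructed 192.168.10.130/26.

def mask_from_prefix(prefix):
    """Dotted-decimal octets of a /prefix mask.  Each octet takes up to 8
    of the prefix's 1-bits from the left, giving the 128/192/224/.../255
    values of the bit table (e.g. 2 bits -> 11000000 -> 192)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    octets, remaining = [], prefix
    for _ in range(4):
        ones = min(8, remaining)
        remaining -= ones
        octets.append((0xFF << (8 - ones)) & 0xFF)
    return octets


def wildcard_from_mask(mask):
    """Inverse of the mask: each octet and its wildcard octet add up to 255."""
    return [255 - m for m in mask]


def parse_ip(dotted):
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    return octets


def to_dotted(octets):
    return ".".join(str(o) for o in octets)


def network_address(ip, mask):
    """Bitwise AND: a result bit is 1 only when both compared bits are 1."""
    return [i & m for i, m in zip(ip, mask)]


def broadcast_address(network, wildcard):
    """Adding the wildcard mask to the network address turns on every host
    bit, which gives the last address in the subnet."""
    return [n + w for n, w in zip(network, wildcard)]


def block_size(mask):
    """The interesting octet is the last octet (from the left) that still
    has 1-bits; block size is 256 minus that octet.  Returns (index, size)
    with index 0..3.  A /16 gives octet 1 (255) and a block size of 1."""
    idx = max((i for i, m in enumerate(mask) if m > 0), default=0)
    return idx, 256 - mask[idx]


def describe(ip_str, prefix):
    """Mask, wildcard, network, broadcast and block size for one address."""
    ip = parse_ip(ip_str)
    mask = mask_from_prefix(prefix)
    wild = wildcard_from_mask(mask)
    net = network_address(ip, mask)
    idx, size = block_size(mask)
    return {
        "mask": to_dotted(mask),
        "wildcard": to_dotted(wild),
        "network": to_dotted(net),
        "broadcast": to_dotted(broadcast_address(net, wild)),
        "interesting_octet": idx + 1,          # 1-based, as in the notes
        "block_size": size,                    # subnet increment, not a count
        "addresses_per_subnet": 2 ** (32 - prefix),
    }


if __name__ == "__main__":
    for ip, prefix in (("146.47.129.11", 16), ("192.168.10.130", 26)):
        print("%s/%d" % (ip, prefix), describe(ip, prefix))
```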
Read / Do
Practice makes improvement!
- See the things you've searched for, visited, and watched on Google services.
- Combines contiguous networks to create a larger block of addresses
- Decreases the number of 1's in the mask
- (i.e. Decreases the number of "network" bits, and increases the number of "host" bits)
- Divides an address block into smaller networks
- Increases the number of 1's in the mask
- (i.e. Increases the number of "network" bits, and decreases the number of "host" bits)
Answer these questions when subnetting:
- How many subnets?
- How many addresses/hosts per subnet?
- What are the valid subnets?
- What's the broadcast address for each subnet?
Subnetting into a Large Number of Subnets
- The Block Size works for a small number of subnets, but is not efficient when you need hundreds or thousands or millions of subnets.
Determine the network address of a high subnet number.
- Multiply the target subnet number by the number of addresses per subnet, to get the number of addresses to add to the network address (subnet zero) to jump to the target subnet.
- Convert the resulting number of addresses to its Base-256 (dotted-decimal) equivalent.
- Add the Base-256 (dotted-decimal) equivalent to the network address/subnet zero, to determine the target subnet address.
Note about the "target subnet"
- If you're given subnet number x, then you use x as is to multiply by the number of addresses per subnet.
- If you're given the nth subnet, e.g. the 59th or 343rd, then subtract one, then multiply by the number of addresses per subnet.
Converting a Decimal Number to Base 256 (Dotted-decimal)
- Calculations for Base-256 Conversion (worksheet columns): Evaluate # | 4th Octet | 3rd Octet | 2nd Octet | 1st Octet
Subnetting Tips/Notes
- How to: Convert a Decimal Number to a Base-256 Dotted-decimal
- If the prefix/mask is given, and either the required number of subnets, or the required number of host addresses, then the prefix/mask is our starting point, and we ignore the "class" of the network address.
- If a prefix/mask and the requested # of subnets or hosts are given, then 1) that given mask is where you start from, and 2) ignore the implied class of the network address.
- If only the prefix/mask is given (no requested number of subnets or requested number of hosts), then that given mask is of the already subnetted network, and the class of the network address is where we started from. (e.g. Q. 7, Pg. 40)
- The total number of subnets and total number of hosts must be a power of 2.
- Be conscious of whether you're asked for "subnets" or "hosts."
- If you're asked for the # of hosts, then you must determine how many bits are needed to get that # hosts, then subtract those bits from the 32 IPv4 bits, to determine the network bits / mask / prefix.
- Determine the number of subnets: 2^(number of bits borrowed).
- Determine the total number of addresses: 2^(number of host bits).
- Add the Wildcard mask to the network/subnet address to determine the broadcast/last address in the network/subnet.
- Block Size:
- The block size (256 - [The interesting octet]) is best used to determine the increment of the subnets.
- The interesting octet is the last octet, from the left, that you borrowed bits from.
- The "block size" is not the number of addresses per subnet. It is the increment from one subnet to the next, within the "interesting" octet.
- Determine how many addresses to add to the network address/subnet zero to get to the target subnet.
- 1. Multiplying (Subnet "Number") by the (number of addresses per subnet).
(For the Nth subnet, subtract 1 before multiplying by the number of addresses per subnet.)
- 2. Convert the result to its Base-256 equivalent
- 3. Add the Base-256 equivalent to the original network address of the block to get the network/subnet address of the target subnet.
- The "subnet address" is an alternate term for the "network address" of a subnet.
- Subnet using the methods that work for all subnets, large or small. Switching methods depending on the size of the subnet
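The three-step method for a high-numbered subnet (multiply, convert to base 256, add), including the "subnet number x" versus "nth subnet" distinction, as an added example that is not part of the course page. The address blocks and subnet numbers are constructed; `target_subnet` and the helper names are my own.

```python
# Added example (not from the course page): the notes' three-step method for
# reaching a high-numbered subnet: multiply, convert to base 256, add.  The
# address blocks and subnet numbers below are constructed for the example.

def parse_ip(dotted):
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    return octets


def to_dotted(octets):
    return ".".join(str(o) for o in octets)


def to_base256(number):
    """Dotted-decimal (base-256) form of a count of addresses, filling the
    4th octet first, then the 3rd, 2nd and 1st, like the worksheet columns."""
    if not 0 <= number < 2 ** 32:
        raise ValueError("value does not fit in four octets")
    octets = [0, 0, 0, 0]
    for position in (3, 2, 1, 0):
        number, octets[position] = divmod(number, 256)
    return octets


def add_dotted(a, b):
    """Add two dotted quads octet by octet, carrying leftwards past 255."""
    result, carry = [0, 0, 0, 0], 0
    for position in (3, 2, 1, 0):
        carry, result[position] = divmod(a[position] + b[position] + carry, 256)
    if carry:
        raise ValueError("address arithmetic overflowed 32 bits")
    return result


def target_subnet(block, new_prefix, subnet_number=None, nth=None):
    """Network address of one subnet after cutting `block` ('a.b.c.d/n') into
    /new_prefix pieces.  Give either subnet_number (0-based, used as is) or
    nth (1-based, e.g. the 343rd subnet, which needs 1 subtracted first)."""
    if (subnet_number is None) == (nth is None):
        raise ValueError("give exactly one of subnet_number or nth")
    index = subnet_number if subnet_number is not None else nth - 1
    net_str, prefix = block.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= new_prefix <= 32:
        raise ValueError("new prefix must be at least as long as the block's")
    subnets = 2 ** (new_prefix - prefix)          # 2^(bits borrowed)
    if not 0 <= index < subnets:
        raise ValueError("only %d subnets exist" % subnets)
    per_subnet = 2 ** (32 - new_prefix)           # 2^(host bits)
    jump = index * per_subnet                     # step 1: multiply
    offset = to_base256(jump)                     # step 2: base 256
    return to_dotted(add_dotted(parse_ip(net_str), offset))   # step 3: add


if __name__ == "__main__":
    # 10.0.0.0/8 cut into /20s: 4096 subnets of 4096 addresses each
    print("343rd /20 of 10.0.0.0/8:", target_subnet("10.0.0.0/8", 20, nth=343))
    print("subnet 59 of 172.16.0.0/16 as /22s:",
          target_subnet("172.16.0.0/16", 22, subnet_number=59))
```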
Do
- Assignment #1, Due Tues. 2/22/2017
- Subnetting problems 6 through 15 on the handout received in class on Tues. 2/15/2017.
- Note:
- If only the Network Address and a Prefix are given, then the given prefix is the result of subnetting. Since we're not given any other information, we'll have to use the "class" of the Network Address as the starting point, before subnetting, and then borrow the number of bits needed to match the given prefix.
- The nth subnet range is all addresses for a subnet, including the network address and the broadcast address.
- The subnet number for the nth subnet, is the 1st address in the nth subnet. e.g. Network ID / Subnet address / Network address for the nth subnet.
- The answers you hand in for your assignment must be neat and readable, by me. Use a pencil.
- Do your calculations/work/notes on a copy or separate paper, then neatly copy your answers to the assignment handout.
- Use a pencil.
- If you have any issues completing all parts of every question on the assignment, e-mail me with the question # and specific questions.
- This assignment takes a lot of time to complete, so start on it right away. Give yourself enough time to complete all parts of every question, without rushing.
- No late assignments will be accepted.
- Note: We will go over this assignment in our next class, after you've handed in the hardcopy.
Make sure you make a copy of your completed assignment, so that you can follow along while we go over the assignment in class.
- Review Subnetting Examples 1 & 2
- Until further notice, bring in a stand-alone calculator (not the one on your phone, or computer) to class. One that has an exponent key (^ or x^y).
Tues. Feb 20, 2018: No Class (Classes follow a Monday Schedule)
News and Tools
Anki is a program which makes remembering things easy. Because it's a lot more efficient than traditional study methods, you can either greatly decrease your time spent studying, or greatly increase the amount you learn.
NYU Tandon School of Engineering’s NY Cyber Fellows program is an elite, affordable part-time online MS in Cybersecurity in partnership with New York City Cyber Command, with a curriculum designed in cooperation with elite corporate partners.
Assignment #1 Debriefing
- Make sure to make a hardcopy of your completed assignment to review in class.
- Hand in your completed assignment at the start of class.
Subnetting practice
Read/Do
- Assignment #2, Due Tues. 2/27/2017
- Subnetting problems (12 questions) on the handout received in class on this day.
- The answers you hand in for your assignment must be neat and readable, by me. Use a pencil.
- Do your calculations/work/notes on a copy or separate paper, then neatly copy your answers to the assignment handout. Use a pencil.
- You may need to use the "AND" function on the binary of the IP address with the binary of the subnet mask to get the network address.
- If you have any issues completing all the parts of every question on the assignment, e-mail me with the question # and specific questions.
- This assignment takes time to complete, so do not wait to start on it, so that you'll have enough time to complete all parts of every question.
- Only hand in the assignment hardcopy. Hold on to your worksheets/scrap.
- No late assignments will be accepted
- Until further notice, bring in your stand-alone calculator that has an exponent key (^ or x^y) to class every day. (Not the one on your phone, or computer)
Read/Do
- CCNA Routing and Switching Study Guide 2nd Edition: Chapter 5 (VLSM)
- Do the Chapter: Written Lab and Review Questions
Assignment #2 Debriefing
Subnetting Practice
March
Classful vs. Classless Subnetting
When you’re subnetting an IP address for a network you have two options: classful and classless.
Classful subnetting is the simplest method.
- It tends to be the most wasteful because it uses more addresses than are necessary.
- In classful subnetting you use the same subnet mask for each subnet, and all the subnets have the same number of addresses in them.
Classless addressing allows you to use different subnet masks and create subnets tailored to the number of users/addresses in each group.
- VLSM (Variable Length Subnet Mask) is a way of further subnetting a subnet.
- In previous lessons, we divided a network only into subnets with an equal number of IPv4 addresses.
- Using Variable Length Subnet Masking (VLSM) we can allocate IPv4 addresses to the subnets by the exact need.
- Variable Length Subnet Masking (VLSM) allows us to use more than one subnet mask within the same network address space.
- Variable Length Subnet Masking (VLSM) allows us to create subnets from a single network with an unequal number of IPv4 addresses.
- VLSM supports hierarchical addressing design; therefore, it can effectively support route aggregation, also called route summarization.
- Route summarization can successfully reduce the number of routes in a routing table by representing a range of network subnets in a single summary address. For example subnets 192.168.10.0/24, 192.168.11.0/24 and 192.168.12.0/24 could all be summarized into 192.168.8.0/21.
VLSM: Configuring Subnets Using the Numeric Method (PDF)
# of Hosts    | 256 | 128 | 64  | 32  | 16  | 8   | 4   | 2
# of Subnets  | 2   | 4   | 8   | 16  | 32  | 64  | 128 | 256
Binary Values | 128 | 64  | 32  | 16  | 8   | 4   | 2   | 1
Mask          | 128 | 192 | 224 | 240 | 248 | 252 | 254 | 255
Subnet | Mask | Subnets | Hosts | Block
/25    | 128  | 2       | 126   | 128
/26    | 192  | 4       | 62    | 64
/27    | 224  | 8       | 30    | 32
/28    | 240  | 16      | 14    | 16
/29    | 248  | 32      | 6     | 8
/30    | 252  | 64      | 2     | 4
- Routing Protocols that do not support VLSM
- Routing Protocols that do support VLSM
- Supernetwork
VLSM Numeric Method Outline
- Draw a chart with the
- "Number of Hosts" (line 1),
- "Number of Subnets" (line 2),
- "Binary Values" (line 3),
- "Bit Values" (line 4)
- Determine the number of addresses needed for all subnets, and write them in descending order.
- Draw a line allowing for the number of hosts/addresses needed, and label it.
- Use the value of the last bit borrowed (line 2, # of subnets) or the Block size as increment to the next subnet.
- The broadcast address is one less than the "next subnet."
Watch:
Quiz #1: Subnetting
- (10 questions, 1/2 hour only)
- Make sure to bring in your stand-alone calculator, pencils, and an eraser.
- Make sure that you're proficient and comfortable with the decimal to Base-256 dotted-decimal conversion method. Practice makes improvement!
- The subnet "number" x starts from 0, so do not subtract one before you multiply by the number of addresses per subnet. The result is the number of addresses to add to the first address in the block to get to the first address in subnet number x.
- For example: What's the subnet range for subnet "number" 1023?
- i.e. The 1024th subnet is subnet number 1023.
- The "Nth subnet" starts from 1, so you'll have to subtract one before you multiply by the number of addresses per subnet. The result will be the number of addresses to add to the first address in the block to get to the first address in the Nth subnet.
- For example: What's the subnet range for the 5028th subnet?
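The subnetting steps from the February notes (borrowed bits, mask, wildcard, block size, the Base-256 offset method) and the subnet-number versus Nth-subnet distinction above, worked through as an added Python example. This is not code from the course notes or the handout; it uses only the standard `ipaddress` module, the function names `subnet_plan` and `subnet_range` are chosen here, and the blocks and subnet numbers fed to them are constructed for illustration.

```python
import ipaddress


def to_base256(offset: int) -> str:
    """Write a plain count of addresses in dotted Base-256 form, e.g. 4190208 -> '0.63.240.0'."""
    return ".".join(str((offset >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_plan(block: str, prefix: int) -> dict:
    """Work out what subnetting `block` (usually the classful network) to /prefix produces."""
    net = ipaddress.ip_network(block, strict=True)
    if not net.prefixlen <= prefix <= 30:          # the class charts stop at /30 (2 usable hosts)
        raise ValueError(f"prefix must be between /{net.prefixlen} and /30")
    borrowed = prefix - net.prefixlen              # bits borrowed from the host portion
    host_bits = 32 - prefix
    mask = ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask
    wildcard = ipaddress.ip_network(f"0.0.0.0/{prefix}").hostmask
    # The "interesting" octet is the last octet, from the left, that borrowed bits;
    # the block size is 256 minus that octet of the mask (the increment between subnets).
    interesting = (prefix - 1) // 8                # 0-based octet index
    block_size = 256 - int(str(mask).split(".")[interesting])
    return {
        "borrowed_bits": borrowed,
        "host_bits": host_bits,
        "subnets": 2 ** borrowed,
        "addresses_per_subnet": 2 ** host_bits,
        "usable_hosts": 2 ** host_bits - 2,
        "mask": str(mask),
        "wildcard": str(wildcard),
        "interesting_octet": interesting + 1,      # 1-based, as people count octets
        "block_size": block_size,
    }


def subnet_range(block: str, prefix: int, subnet_number: int = None, nth: int = None) -> tuple:
    """Return (network address, broadcast address, Base-256 offset) of one subnet of `block`.

    `subnet_number` counts from 0 (subnet number 0 starts at the block's own address);
    `nth` counts from 1, so the Nth subnet is subnet number N-1: subtract one first.
    """
    if (subnet_number is None) == (nth is None):
        raise ValueError("give exactly one of subnet_number or nth")
    if nth is not None:
        subnet_number = nth - 1
    plan = subnet_plan(block, prefix)
    if not 0 <= subnet_number < plan["subnets"]:
        raise ValueError(f"only {plan['subnets']} subnets exist (numbers 0..{plan['subnets'] - 1})")
    net = ipaddress.ip_network(block, strict=True)
    offset = subnet_number * plan["addresses_per_subnet"]   # step 1: multiply
    first = net.network_address + offset                      # step 3: add to the block's address
    last = first + (plan["addresses_per_subnet"] - 1)         # network address + wildcard = broadcast
    return str(first), str(last), to_base256(offset)          # step 2: the offset in Base-256


if __name__ == "__main__":
    print(subnet_plan("192.168.1.0/24", 27))
    print(subnet_range("10.0.0.0/8", 20, subnet_number=1023))   # subnet number 1023 of 4096
    print(subnet_range("10.0.0.0/8", 21, nth=5028))             # 5028th subnet = subnet number 5027
```

The bounds check in `subnet_range` is the part worth copying onto paper: a subnet number at or above 2^(borrowed bits) does not exist in the block, and a calculator will happily add the offset anyway and hand back an address inside the next block.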
Do
- Assignment #3: VLSM Problems from the handout received in class on this day.
- Due Tues. 3/6/2018
- Make sure to write as neat as possible so that I can read your answers.
- Do your calculations/work/notes on a copy or separate paper, then neatly copy your answers to the assignment handout.
- Enter your answers in pencil, in case you have to make changes.
- If you insist on using a pen, and you have to make changes, use whiteout instead of crossing out and making a mess.
- VLSM: Configuring Subnets Using the Numeric Method (PDF)
- VLSM Addressing Samples (PDF)
- IPv4 VLSM Addressing Worksheet (DocX)
- You must start from the largest subnet to the smallest subnet.
- You must base your calculations on the total addresses per subnet.
- The problems ask for the number of needed hosts, i.e. usable addresses, so don't forget to include the subnet and broadcast addresses when you specify the subnet range.
- The total addresses per subnet must be a power of two.
- Each subnet must be a power of two.
- Determine the broadcast address for a subnet
- Add the Wildcard mask to the subnet address to get the broadcast of the subnet.
- Or, you can add the block size to increment to the next subnet, then subtract one to get the broadcast address of the previous subnet.
- Problem 31:
- Requires 1 router for each location, and each router connects to 1 switch for the location.
- The routers use a point-to-point connection: A to B, B to C, C to D. i.e. A--B--C--D
- Draw your diagram on a separate sheet of paper, that you should attach to the assignment you hand in.
- Make a copy of your completed assignment, so that you can follow along during class.
- No late assignments will be accepted
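The VLSM numeric method outline and the rules given with Assignment #3 (largest subnet first, total addresses a power of two, subnet and broadcast addresses counted on top of the usable hosts, broadcast one less than the next subnet) carried out as an added Python example. This is not code from the course materials or the handout; `vlsm_allocate` is a name chosen here and the requirement list is constructed for illustration.

```python
import ipaddress


def vlsm_allocate(block: str, requirements: dict) -> list:
    """Carve `block` into subnets sized for each requirement (name -> usable hosts needed).

    Rules followed: largest subnet first, each subnet a power of two in total addresses,
    the subnet and broadcast addresses counted on top of the usable hosts.
    """
    net = ipaddress.ip_network(block, strict=True)
    ordered = sorted(requirements.items(), key=lambda kv: kv[1], reverse=True)  # descending
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    plan = []
    for name, hosts in ordered:
        host_bits = 2                                  # /30 is the smallest subnet used here
        while (1 << host_bits) - 2 < hosts:            # smallest power of two that holds hosts + 2
            host_bits += 1
        size = 1 << host_bits
        if cursor + size > end:
            raise ValueError(f"{block} is exhausted before '{name}' ({hosts} hosts) can be placed")
        # Allocating in descending size keeps `cursor` aligned for every later (smaller) size.
        subnet = ipaddress.ip_network((cursor, 32 - host_bits), strict=True)
        nxt = cursor + size
        plan.append({
            "name": name,
            "needed": hosts,
            "subnet": str(subnet),
            "mask": str(subnet.netmask),
            "usable": size - 2,
            "first_host": str(subnet.network_address + 1),
            "last_host": str(subnet.broadcast_address - 1),
            "broadcast": str(subnet.broadcast_address),            # one less than the next subnet
            "next_subnet": str(ipaddress.ip_address(nxt)) if nxt < 2 ** 32 else None,
        })
        cursor = nxt
    return plan


# Constructed requirements for one /24: three LANs and two point-to-point router links.
REQUIREMENTS = {"Sales": 60, "Engineering": 28, "Management": 12, "A-B link": 2, "B-C link": 2}

if __name__ == "__main__":
    for row in vlsm_allocate("192.168.10.0/24", REQUIREMENTS):
        print(row)
```

Sorting before allocating is what keeps every subnet on a boundary that is a multiple of its own size; place a /30 first and the /26 that follows it would no longer start on a multiple of 64. The `ValueError` is the case to watch for on the worksheet: the block runs out before the smallest subnets are placed.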
News & Tools
A flight of new research papers show 4G LTE networks can be exploited for all sorts of badness.
Privacy win for encrypted messaging app.
- As the documents show, the government’s effort did not amount to much—not because OWS refused to comply with the government’s subpoena (it complied), but because the company simply does not keep the kinds of information about their customers that the government sought (and that too many technology companies continue to amass).
- All OWS was able to provide were the dates and times for when the account was created and when it last connected to Signal’s servers.
- Memcached is a general-purpose distributed memory caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source must be read.
- Memcached DDoS: This 'kill switch' can stop attacks dead in their tracks Researchers find a technique to contain the memcached amplification attacks seen over the past week.
Microsoft fights massive cryptocoin miner malware outbreak
- Microsoft has blocked a malware outbreak that could have earned big bucks for one criminal group.
Assignment #3 debriefing
Quiz #1 Debriefing
Route Summarization / Route Aggregation / Network Address Aggregation
Step 1 | Convert the addresses to binary format and align them in a list.
Step 2 | Locate the bit where the common pattern of digits ends. (It might be helpful to draw a vertical line marking the last matching bit in the common pattern.)
Step 3 | Count the number of common bits. The summary route number is represented by the first IP address in the block, followed by a slash, followed by the number of common bits.
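The three steps above, and the 192.168.10.0/24, 192.168.11.0/24, 192.168.12.0/24 example from the VLSM notes, carried out as an added Python example (not code from the course notes). The function names are chosen here; the comparison of the lowest and highest address in `common_bits` is a shortcut for aligning every address in binary, which `to_binary` still shows for checking by hand.

```python
import ipaddress


def to_binary(address: str) -> str:
    """Step 1: write an address as four 8-bit groups, e.g. '192.168.10.0' -> '11000000.10101000.00001010.00000000'."""
    return ".".join(f"{int(octet):08b}" for octet in address.split("."))


def common_bits(networks: list) -> int:
    """Step 2: count the leading bits shared by every address in the listed networks."""
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    if not nets:
        raise ValueError("need at least one network")
    lowest = min(int(n.network_address) for n in nets)
    highest = max(int(n.broadcast_address) for n in nets)
    # Every address in the block lies between these two extremes, so the leading bits
    # the extremes share are shared by all the other addresses as well.
    count = 0
    for shift in range(31, -1, -1):
        if (lowest >> shift) & 1 != (highest >> shift) & 1:
            break
        count += 1
    return count


def summarize(networks: list) -> str:
    """Step 3: first address of the block, zeroed below the common bits, slash the common-bit count."""
    bits = common_bits(networks)
    lowest = min(int(ipaddress.ip_network(n, strict=True).network_address) for n in networks)
    base = lowest & ((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF)
    return str(ipaddress.ip_network((base, bits), strict=True))


if __name__ == "__main__":
    sample = ["192.168.10.0/24", "192.168.11.0/24", "192.168.12.0/24"]   # from the VLSM notes
    for n in sample:
        print(to_binary(n.split("/")[0]))
    print(common_bits(sample), summarize(sample))
```

The summary can cover more than the networks that went into it: 192.168.8.0/21 also covers 192.168.8.0, .9.0 and .13.0 through .15.0, so a router advertising it claims reachability for those too. That is the trade-off in the notes' phrase "representing a range of network subnets in a single summary address".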
Do
- Assignment #4, Due Tues. 3/13/2018
- VLSM Problem 38, Parts 1 through 4 on the handout received in class today.
- Make sure to write as neat as possible so that I can read your answers.
- Do your calculations/work/notes on a copy or separate paper, then neatly copy your answers to the assignment handout.
- Enter your answers in pencil, in case you have to make changes.
- If you insist on using a pen, and you have to make changes, use whiteout instead of crossing out and making a mess.
- Classless A and Classless B IPv4 - Charts
- No late assignments will be accepted
Exam #1
The exam includes, but is not limited, to the following:
Chapters 1 - 5 from the CCNA Routing and Switching Study Guide 2nd Edition
- You must be able to correctly answer all of the review questions at the end of each chapter.
- Know the Exam Essentials & terminology from each chapter.
- Chapter 1: Internetworking Basics & Models, OSI Reference Model
- Chapter 2: Ethernet Networking and Data Encapsulation
- Chapter 3: Introduction to TCP/IP
- Chapter 4: Subnetting
- Chapter 5: VLSM, Route Summarization
- Collision Domains vs Broadcast Domains
- Which device is used to separate broadcast domains?
- How many collision domains does a switch have?
- How many collision domains does a hub have?
- How do VLANs change the topology of the LAN and the Broadcast Domain created by the router?
- Unicast vs Broadcast vs Multicast
- Ethernet cables: Straight-through vs Cross-over vs console
- What is CSMA/CD? How does CSMA/CD work?
- The number of bits and number of bytes in different types of addresses: IPv4, IPv6, MAC
OSI Reference Model:
- The names and layer numbers of all 7 layers
- The layer name that devices operate on: e.g. Hub, Switch, Router, NIC
- The type of addressing used on Layer 2, and Layer 3
- The layer name that certain protocols operate on: e.g. ARP, IP, TCP, Telnet, FTP
- Which layer of the OSI model is responsible for creating packets?
- Which layer of the OSI model is responsible for creating frames?
- Segmentation and reassembly of data from the upper-layer applications occurs at what layer?
Classful vs Classless (CIDR) IP addressing
- Define the "default mask"
- Determine the # of bits for: Network, Host, Bits Borrowed.
- Determine the Number of: Subnets, addresses per subnet, Wildcard mask.
- Determine the dotted-decimal mask from the number of host bits or the prefix.
- Count the borrowed bits on your fingers to determine the mask.
Mask | 128   | 192    | 224    | 240    | 248    | 252    | 254    | 255
Bits | 1 bit | 2 bits | 3 bits | 4 bits | 5 bits | 6 bits | 7 bits | 8 bits
- Determine the block size / increment of each subnet, and the correct octet that increments.
- When subnetting, are we increasing or decreasing the number of 1's for the network portion of the IP address?
- When supernetting, are we increasing or decreasing the number of 1's for the network portion of the IP address?
Converting a decimal number to its Base-256 dotted-decimal form.
- VLSM / Classless Subnetting
- Route Summarization / Route Aggregation / Network Address Aggregation
Protocols
- Roles/function, and full name.
- IPv4, DHCP, DNS, ARP, TCP, UDP, ICMP, etc.
Troubleshooting Commands
- Ping <Target IP Address>
- Tracert <Target IP Address>
- ipconfig /all
- arp -a
- netstat
DHCP
- All four phases of the DHCP handshake, in the correct order, and mode of transmission (unicast, broadcast) for each phase.
- What is the purpose of the DHCP Scope on the DHCP Server?
- Know the powers of 2 up to 8192.
News and Tools
@Citizenlab catches ISPs invisibly redirecting download requests for popular programs, injecting them with government spyware. Unencrypted web traffic is now provably a critical, in-the-wild vulnerability. 20-30% of top internet sites affected.
The Hapless User: Secure from the inside out
Cisco CSS/CSM Day 828 problem
Exam 1 Debriefing
Cisco IOS
Read / Do
- CCNA Routing and Switching Study Guide 2nd Edition: Chapter 6 (Cisco IOS)
- Do the Chapter 6: Written Lab and Review Questions
- Bring in your book (Chapter 6) for the Hands-on lab.
Note: Until further notice, bring your text book to every class, so that you'll have access to the instructions for the Hands-on Labs.
Better Focus and Efficient Studying When Not Multitasking
Assignment #4 Debriefing
- The login command enables password checking at login.
- If the login command isn't applied, the console port won’t prompt for authentication.
- For Cisco IOS v12.2 and newer, you cannot set the login command before a password is set on a line.
- If you were able to "enable password checking at login," but did not set a password, that line won’t be usable. You’ll get prompted for a password that doesn’t exist.
- Cisco IOS prior to v12.2 did not have this "password" then "login" restriction.
Set password for console access:
(config)# line console 0
(config-line)# password <password_here>
(config-line)# login
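A check for the password/login mistake described above, as an added Python example that is not course material or Cisco code: it reads the text of a running-config and flags `line` sections that have `login` without a `password` (the unusable line that prompts for a password that does not exist), sections with no `login` at all (no password checking), and an `enable password` with no `enable secret`. The sample config is constructed for illustration, and `parse_line_sections` and `audit_config` are names chosen here.

```python
# Constructed running-config excerpt: one line done right, two done wrong, and an unhashed enable password.
SAMPLE_CONFIG = """\
hostname R1
enable password cisco
!
line con 0
 password letmein
 login
line aux 0
 login
line vty 0 4
 password letmein
!
end
"""


def parse_line_sections(config: str) -> dict:
    """Map each 'line ...' section of a running-config to the statements indented under it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif current is not None and raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = None          # '!' or any other unindented line closes the section
    return sections


def audit_config(config: str) -> list:
    """Return (where, finding) pairs for the password/login mistakes described in the notes."""
    findings = []
    for section, stmts in parse_line_sections(config).items():
        has_password = any(s.startswith("password ") for s in stmts)
        checks_line_password = "login" in stmts                           # plain 'login': check the line password
        uses_other_auth = any(s.startswith("login ") for s in stmts)      # e.g. 'login local' uses usernames
        if checks_line_password and not has_password:
            findings.append((section, "login set but no password: line prompts for a password that does not exist"))
        elif not checks_line_password and not uses_other_auth:
            findings.append((section, "no login: the line never prompts for authentication"))
    top_level = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    if any(l.startswith("enable password ") for l in top_level) and not any(l.startswith("enable secret ") for l in top_level):
        findings.append(("global", "enable password without enable secret: privileged password is not hashed"))
    return findings


if __name__ == "__main__":
    for where, finding in audit_config(SAMPLE_CONFIG):
        print(f"{where}: {finding}")
```

Run it over the output of `show running-config` saved to a file after a lab; on IOS 12.2 and newer the first finding cannot normally be produced through the CLI, but a config restored from a file or an older image can still carry it.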
Routers
- What Happens As Your Router Boots Up
- Cisco CCNA Certification: RAM, ROM, NVRAM, Flash, Boot Process
- Components of a Cisco Router (Ch. 7)
- Startup process of a Cisco Router (Ch. 7)
- Managing the Configuration Register on a Cisco router
- Configuration Register Bits
- 16 bits read 15-0, from left to right
- default setting: 0x2102
Register   | 2           | 1          | 0       | 2
Bit Number | 15 14 13 12 | 11 10 9 8  | 7 6 5 4 | 3 2 1 0
Binary     | 0 0 1 0     | 0 0 0 1    | 0 0 0 0 | 0 0 1 0
NOTE: 0x means the digits that follow are in hexadecimal
To bypass startup-config, we'll need to turn on bit 6 in the register.
Register   | 2           | 1          | 4       | 2
Bit Number | 15 14 13 12 | 11 10 9 8  | 7 6 5 4 | 3 2 1 0
Binary     | 0 0 1 0     | 0 0 0 1    | 0 1 0 0 | 0 0 1 0
- Working with Configuration Files
- Cisco IOS: Configuration Register & Password Reset
- Using Cisco 2600 & 2800 series routers
- Connecting to a router using the console/rollover cable and HyperTerminal
- Getting into ROM monitor mode
- Changing the configuration register to turn on bit 6
- Setting an encrypted password
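The two configuration-register tables above reproduced in an added Python example (not course material or Cisco code): it decodes a 16-bit register into its hex digits and bit nibbles, and sets or clears bit 6 to get from 0x2102 to 0x2142 and back again. The function names are chosen here.

```python
IGNORE_STARTUP_CONFIG_BIT = 6      # bit 6 set: the router boots without loading startup-config
DEFAULT_REGISTER = 0x2102          # 0x prefix: the digits are hexadecimal


def register_bits(value: int) -> str:
    """Show a 16-bit register as its four hex digits with their binary nibbles, bits 15..0 left to right."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("the configuration register is 16 bits wide")
    nibbles = [(value >> shift) & 0xF for shift in (12, 8, 4, 0)]
    return " ".join(f"{n:X}={n:04b}" for n in nibbles)


def bit_is_set(value: int, bit: int) -> bool:
    return (value >> bit) & 1 == 1


def set_bit(value: int, bit: int) -> int:
    return value | (1 << bit)


def clear_bit(value: int, bit: int) -> int:
    return value & ~(1 << bit) & 0xFFFF


def describe(value: int) -> dict:
    """The facts about a register value that matter during the reset procedure."""
    return {
        "hex": f"0x{value:04X}",
        "bits": register_bits(value),
        "ignores_startup_config": bit_is_set(value, IGNORE_STARTUP_CONFIG_BIT),
    }


if __name__ == "__main__":
    print(describe(DEFAULT_REGISTER))
    bypass = set_bit(DEFAULT_REGISTER, IGNORE_STARTUP_CONFIG_BIT)        # 0x2142
    print(describe(bypass))
    print(describe(clear_bit(bypass, IGNORE_STARTUP_CONFIG_BIT)))        # back to 0x2102
```

`describe` is the check to run on the value from `show version` at the end of the lab: a register that still reports `ignores_startup_config` will throw the saved configuration away on the next reload.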
Lab-01
You must be in this class to get credit for this lab.
- Lab-01 (part 1 of 2): Download and Install: LammleSim – IOS CCNA RS Simulator
- Boot into the Windows Server partition for our class
- Download and install LammleSim into the Windows Server.
- Lab-01 (part 2 of 2): Connecting to a switch or router via the console port
- Default serial port settings are 9600,n,8,1,none
- Explore/query the device using the diagnostic Cisco IOS commands.
Read / Do
- CCNA Routing and Switching Study Guide, 2nd Edition: Chapter 7 (Cisco IOS)
- Do the Chapter 6 and Chapter 7: Written Lab, Review Questions, and Hands-on Labs
- Bring in your book (Chapter 6 and Chapter 7) for the Hands-on labs.
- Cisco IOS and Router Command Reference
Note: Until further notice, bring your text book to every class, so that you'll have access to the instructions for the Hands-on Labs.
Office Lens
Office Lens trims, enhances, and makes pictures of whiteboards and docs readable. You can use Office Lens to convert images to PDF, Word and PowerPoint files, and you can even save images to OneNote or OneDrive.
Cisco Discovery Protocol (CDP)
How Routers Talk to Each Other
Techniques to make the size of the routing table manageable.
- Next-Hop Method vs. Route Method
- The routing table holds only the address of the next hop instead of information about the complete route (route method).
- Network-Specific Method vs. Host-Specific Method
- Instead of having an entry for every destination host connected to the same physical network (host-specific method), we have only one entry that defines the address of the destination network (Network-Specific Method).
- Default Method
- Default routing is used to send packets with a remote destination network not in the routing table to the next hop router.
Delivery of a Packet
- Direct Delivery
- Direct delivery occurs when the source and destination of the packet are located on the same physical network or when the delivery is between the last router and the destination host.
- Indirect Delivery
- If the destination host is not on the same network as the deliverer, the packet is delivered indirectly.
- In an indirect delivery, the packet goes from router to router until it reaches the one connected to the same physical network as its final destination.
- A delivery always involves one direct delivery but zero or more indirect deliveries.
- The last delivery is always a direct delivery.
Routing protocols:
- Metric: A unit of measure used by routing protocol algorithms to determine the best pathway for traffic to use to reach a particular destination.
- Routers use various metrics and calculations to determine the best route for a packet to reach its final network destination.
- Each routing protocol uses its own algorithm with varying weights to determine the best possible path.
An interior gateway protocol (IGP) is a routing protocol that is used within an autonomous system (AS).
- Interior gateway protocols can be divided into two categories
- Distance-vector routing protocols
- e.g. RIP, IGRP, EIGRP
- A distance-vector routing protocol requires that a router inform its neighbors of topology changes periodically and, in some cases, when a change is detected in the topology of a network.
- Link-state routing protocols
- e.g. OSPF, Intermediate System to Intermediate System (IS-IS)
- Link-state protocols require a router to inform all the nodes in a network of topology changes.
An Exterior Gateway Protocol (EGP) is used between autonomous systems.
Prevent "Translating. domain server (255.255.255.255)" Messages after an Invalid Command is Entered on a Router
Lab-02
- R&S Study Guide: Chapters 6 & 7 Hands-on Labs Combined
- You must be in this class to get credit for this lab.
Read / Do
- CCNA Routing and Switching Study Guide, 2nd Ed.: Chapter 9: IP Routing
- Do the Chapter: Written Lab, Review Questions, AND Hands-on Labs
- Note: Until further notice, bring your text book to every class, so that you'll have access to the instructions for the Hands-on Labs.
News and Tools
Protocol | Category / Vector | Description
RIP (Routing Information Protocol) | distance-vector routing |
IGRP (Interior Gateway Routing Protocol) | distance-vector routing |
- considered a classful routing protocol
- IGRP supports multiple metrics for each route, including bandwidth, delay, load, MTU, and reliability
- maximum hop count of IGRP-routed packets is 255 (default is 100)
EIGRP (Enhanced Interior Gateway Routing Protocol) | distance-vector routing |
- Adds support for VLSM (variable length subnet mask)
- Adds the Diffusing Update Algorithm (DUAL) in order to improve routing and provide a loopless environment.
- EIGRP has completely replaced IGRP
OSPF (Open Shortest Path First) | link-state routing protocol |
- Routes packets based solely on the destination IP address found in IP packets.
- Designed to support variable-length subnet masking (VLSM, CIDR).
- OSPF detects changes in the topology, such as link failures, very quickly and converges on a new loop-free routing structure within seconds.
- falls into the group of interior gateway protocols, operating within an autonomous system (AS)
- the most widely used interior gateway protocol (IGP) in large enterprise networks
- OSPF does not use TCP or UDP but uses IP directly, via IP protocol 89. OSPF handles its own error detection and correction, therefore negating the need for TCP or UDP functions.
BGP (Border Gateway Protocol) | path vector protocol |
- makes routing decisions based on path, network policies and/or rulesets
- BGP v4 supports Classless Inter-Domain Routing and the use of route aggregation to decrease the size of routing tables.
- RFC 4271
- The most widely used exterior gateway protocol (EGP) is BGP.
Router Configuration Checklist
- Identify the interfaces on the router that are going to be used.
- Identify the directly connected networks.
- Configure the IP address and subnet mask on only those interfaces on the router that are going to be used.
- Enable the interface(s) : no shutdown
- Add the routing protocol
- Add only the network address for each "directly connected" network
Loop Prevention (Routers)
- Split horizon in distance-vector Routing Protocols
- When using split horizon, a routing protocol tries to prevent a routing loop. It does this by not advertising a route from an interface from which it received an advertisement for that route. Simply: The split horizon rule prohibits a router from advertising a route through an interface that the router itself uses to reach that destination network.
- Poison Reverse
- Distance-vector routing protocols in computer networks use route poisoning to indicate to other routers that a route is no longer reachable and should be removed from their routing tables.
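Split horizon and poison reverse simulated in an added Python example (not part of the course notes): a simplified distance-vector exchange between two routers, A and B, whose tables are constructed for illustration. Metric handling follows the RIP convention that the receiver adds one hop and that 16 means unreachable; the function names are chosen here.

```python
INFINITY = 16   # the "unreachable" hop count in RIP-style distance-vector routing


def advertisements(routes: list, out_interface: str, split_horizon: bool = True,
                   poison_reverse: bool = False) -> list:
    """Build the (network, metric) pairs a distance-vector router sends out of `out_interface`.

    Each route records the interface the router itself uses to reach that network.
    Split horizon: a route is not advertised back out of the interface it is reached through.
    Poison reverse: it is advertised there anyway, but with metric INFINITY (unreachable).
    """
    adverts = []
    for r in routes:
        reached_through_this_interface = r["interface"] == out_interface
        if reached_through_this_interface and split_horizon:
            if poison_reverse:
                adverts.append((r["network"], INFINITY))
            continue
        adverts.append((r["network"], r["metric"]))
    return adverts


def apply_update(table: list, adverts: list, in_interface: str, neighbor: str) -> list:
    """Merge a neighbour's advertisement into a copy of `table` (the receiver adds one hop)."""
    new = {r["network"]: dict(r) for r in table}
    for network, metric in adverts:
        metric = min(metric + 1, INFINITY)
        current = new.get(network)
        learned = {"network": network, "metric": metric, "interface": in_interface, "next_hop": neighbor}
        if current is None:
            if metric < INFINITY:                 # never install an unreachable route
                new[network] = learned
        elif current.get("next_hop") == neighbor or metric < current["metric"]:
            new[network] = learned                # the route's own source updates it; a better path replaces it
    return [r for r in new.values() if r["metric"] < INFINITY]


def routes_to(table: list, network: str) -> list:
    return [r for r in table if r["network"] == network]


# Constructed scenario: A --Serial0/0-- B. B learned A's LAN 10.1.1.0/24 from A.
TABLE_B = [
    {"network": "10.1.1.0/24", "metric": 1, "interface": "Serial0/0", "next_hop": "A"},
    {"network": "10.1.2.0/24", "metric": 0, "interface": "Serial0/0", "next_hop": None},   # the A-B link
    {"network": "10.1.3.0/24", "metric": 0, "interface": "FastEthernet0/0", "next_hop": None},
]
# A's table after its LAN interface failed: 10.1.1.0/24 is gone.
TABLE_A_AFTER_FAILURE = [
    {"network": "10.1.2.0/24", "metric": 0, "interface": "Serial0/0", "next_hop": None},
]

if __name__ == "__main__":
    for mode, kw in (("no split horizon", {"split_horizon": False}), ("split horizon", {}),
                     ("poison reverse", {"poison_reverse": True})):
        adverts = advertisements(TABLE_B, "Serial0/0", **kw)
        print(mode, "-> A learns:", routes_to(apply_update(TABLE_A_AFTER_FAILURE, adverts, "Serial0/0", "B"), "10.1.1.0/24"))
```

Without split horizon, B hands A's own failed network back to A at metric 2 and the two routers forward the packet to each other until the hop count reaches 16. With split horizon, B says nothing about it; with poison reverse, B says it explicitly at metric 16, which A refuses to install.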
Routing Tables
- The minimum fields needed in a routing table:
Field | Description
Mask | The network prefix (in CIDR notation) of the destination network
Network address | The network address of the destination network
Next Hop IP address | The IP address of the next neighbor router to the destination network. Think... From the router I am on, what is the IP address of the closest router I can forward the packet to, to get that packet to the destination network?
Interface | The network interface used to get to the next hop router, a.k.a. "Exit Interface". Think... From the router you're on, which interface do I have to send the packet out of, to get it to the Next Hop router?
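The four minimum routing-table fields, the next-hop, network-specific and default methods from the notes above, and direct versus indirect delivery, as an added Python example that is not from the course notes or Lab-03. It runs a longest-prefix lookup against a constructed two-router topology and traces a packet router by router, ending with one direct delivery; the addresses, router names and function names are all constructed for illustration.

```python
import ipaddress

# Constructed two-router topology: R1 --Serial0/0-- R2, each with one LAN.
# Each row carries the four minimum fields; prefix and network are written together in CIDR form,
# and next_hop None means "directly connected" (the packet gets a direct delivery).
TABLE_R1 = [
    {"network": "10.1.1.0/24", "next_hop": None,       "interface": "FastEthernet0/0"},
    {"network": "10.1.2.0/30", "next_hop": None,       "interface": "Serial0/0"},
    {"network": "10.1.3.0/24", "next_hop": "10.1.2.2", "interface": "Serial0/0"},   # network-specific entry
    {"network": "0.0.0.0/0",   "next_hop": "10.1.2.2", "interface": "Serial0/0"},   # default route
]
TABLE_R2 = [
    {"network": "10.1.2.0/30", "next_hop": None,       "interface": "Serial0/0"},
    {"network": "10.1.3.0/24", "next_hop": None,       "interface": "FastEthernet0/0"},
    {"network": "10.1.1.0/24", "next_hop": "10.1.2.1", "interface": "Serial0/0"},
]
NETWORK = {   # router name -> (addresses of its own interfaces, its routing table)
    "R1": ({"10.1.1.1", "10.1.2.1"}, TABLE_R1),
    "R2": ({"10.1.2.2", "10.1.3.1"}, TABLE_R2),
}


def lookup(table: list, destination: str) -> dict:
    """Longest-prefix match: the most specific network that contains the destination wins."""
    dst = ipaddress.ip_address(destination)
    best, best_net = None, None
    for entry in table:
        net = ipaddress.ip_network(entry["network"], strict=True)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best, best_net = entry, net
    if best is None:
        return {"matched": None, "delivery": "unroutable", "next_hop": None, "interface": None}
    return {
        "matched": str(best_net),
        "delivery": "direct" if best["next_hop"] is None else "indirect",
        "next_hop": best["next_hop"],
        "interface": best["interface"],
    }


def owner_of(network: dict, address: str) -> str:
    """Which router holds the interface with this address, i.e. who the next hop is."""
    for name, (addresses, _table) in network.items():
        if address in addresses:
            return name
    raise LookupError(f"no router in the topology owns {address}")


def trace(network: dict, first_router: str, destination: str, max_hops: int = 8) -> list:
    """Follow the packet router by router: zero or more indirect deliveries, then one direct one."""
    hops, router = [], first_router
    for _ in range(max_hops):
        decision = lookup(network[router][1], destination)
        hops.append((router, decision["delivery"], decision["interface"]))
        if decision["delivery"] != "indirect":
            return hops
        router = owner_of(network, decision["next_hop"])
    hops.append(("*", "routing loop", None))     # max_hops exceeded: the tables point at each other
    return hops


if __name__ == "__main__":
    print(trace(NETWORK, "R1", "10.1.3.9"))    # R1 indirect -> R2 direct
    print(trace(NETWORK, "R1", "8.8.8.8"))     # R1 default route -> R2 has none: dropped
```

The second trace is the case that shows up in labs: a default route on one router only moves the problem to the next router, which drops the packet because nothing in its table matches. The `max_hops` cap plays the role TTL plays on a real network when two tables point at each other.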
Lab-03: Building Routing Tables
Read / Do
- CCNA Routing and Switching Study Guide, 2nd Ed.: Chapter 18: OSPF
- Do the Chapter: Written Lab, Review Questions, AND Hands-on Labs
- Note: Until further notice, bring your text book to every class, so that you'll have access to the instructions for the Hands-on Labs.
Do
News and Tools
- Podnutz Pro: Talks about working with and the needs of small businesses, and the technology, and processes used.
- StartPage.com: Is a proxy to searching Google.com, with privacy protection. Anonymizes your search. Other search engines deliver results based on what they know about you rather than giving you equal access to the Internet.
- See the things you've searched for, visited, and watched on Google services.
Lab-03 Debriefing
- Compare Routing Table Worksheet with the output of "show ip route" from each router.
Decoding the output from "show ip route"
This is one entry from: show ip route
O 90.125.0.0 [110/74] via 18.1.25.2, 05:29:08, Serial0/0
O | Routing protocol "OSPF"
90.125.0.0 | Remote network
[110 | OSPF Administrative Distance (AD)
/74] | OSPF cost
via 18.1.25.2 | Next-hop router address (on the 18.0.0.0/8 network)
05:29:08 | Aging time: how long since the route was last updated
Serial0/0 | Exit interface
Cisco IOS
- Adding an IP address to an interface
- Adding the RIP routing protocol
- Troubleshooting/Status commands
- Routing protocols
- How to configure:
- Serial Ports
- DCE vs DTE
- Clock Rate on DCE end only
- show controller serial0/0
- OSPF Routing Protocol
- Uses the Wildcard mask, instead of the subnet mask
- DHCP via Cisco IOS
- Set the range
- exclude addresses for static IPs from the DHCP pool
- Cisco IOS and Router Command Reference
Router Simulator (RouterSim)
Lab-04: (Configuring Router interfaces, and the RIP Routing Protocol)
- You'll need a USB Flash drive with at least 200MB of free space to save your labs.
- When saving, always increment the version number at the end of the filename every time you save. And, save often.
- Instructions (PDF)
- Network Diagram (PDF)
- The lab must be done in RouterSim
- RouterSim is available in any of the CST computers in the Namm building. (4th & 9th floors)
- Note: Substitute the # within an IP address with the number assigned to you in class. Use all other octets/digits, as written.
- After you've verified that all of your configurations are complete and accurate, and you're able to ping from host A to B and from B to A, and the routing tables on both routers are correct, only then e-mail your completed RSM file and configuration text file to me for grading.
- E-mail Subject: CST3607 Lab-04 YourLastName
- Note: Do not use "version 2" when configuring RIP
- Important: Lab-04 is required, as it is the starting point/baseline for future labs.
Troubleshooting: Having a problem with your lab?
- Did you enable all the required interfaces on all the routers? no shutdown
- Have you checked all the router interfaces to make sure that both Status and Protocol are both up? show ip interface brief
- Did you check that the clockrate on the DCE interface is set and greater than zero?
- Did you add only the directly connected networks to the routing protocol?
- Did you use the interface's IP address instead of its network address when configuring the routing protocol?
- Did you use the wildcard mask, not the subnet mask, when configuring OSPF?
- When you ping a host or router, where is the ICMP request failing to get to its destination?
- Still having problems? And you're confident that your configuration is correct? Save the lab, exit RouterSim, and then reload the lab.
Read / Do
- CCNA Routing and Switching Study Guide 2nd Edition: Chapter 10: Layer 2 Switching
- Listen to RunAs Radio: Show #442: Thinking Through Security Policy with Dana Epp
- What does your security plan look like?
- Richard chats with Dana Epp about the ever increasing attack surface of our organizations and the ongoing battle to provide better tools and techniques to keep the lights on.
Exam 2
You must be able to correctly answer all of the Review Questions from each chapter.
The exam includes, but is not limited, to the following:
Chapter 5 (VLSM)
Chapter 6: Cisco's Internetworking Operating System (IOS)
- Modes of Operation in Cisco IOS, how to get into each mode, and identify the CLI prompt for each mode:
- User EXEC (aka unprivileged mode)
- Privileged EXEC
- Global Configuration
- Interface Configuration
- Purpose and options of the Configuration Register
- ROM Monitor (rommon)
- What are the four types of memory used on a Cisco Router?
- What information or files are stored in each type of memory?
- What is the command to set an encrypted password using Cisco IOS?
Chapter 7: Components of a Cisco Router and Switch, CDP (Cisco Discovery Protocol)
Chapter 8: Managing Cisco Devices
- Define the Cisco router components.
- Describe the functions of the bootstrap, POST, ROM monitor, mini-IOS, RAM, ROM, flash memory, NVRAM, and the configuration register.
- What are the steps in the router boot sequence?
- Managing the Configuration Register
- Understanding the Configuration Register Bits
- Checking the Current Configuration Register Value
- Recovering Passwords
- Interrupting the Router Boot Sequence
- Changing the Configuration Register
- Save the configuration from RAM to NVRAM
Chapter 9: IP Routing
- Static routing
- Dynamic routing
- Distance Vector routing protocols
- Link State routing protocols
- Default Route
- Default Gateway
- Next Hop IP address (Neighbor router)
- IP Routing Table
- Prefix, Network Address, Next Hop IP address, Interface
- Administrative distance
- Metric
- RIP (Routing Information Protocol)
- What is the maximum hop count for RIP?
- By default, what is the maximum hop count of IGRP-routed packets?
- What are some Interior Gateway Protocols (IGP)?
- What are some Exterior Gateway Protocols (EGP)?
- Convergence on routers
- Chapter 18: OSPF (Open Shortest Path First)
- OSI Reference Model
- All seven layers, their functions, protocols, etc.
- Subnetting
- block size to determine the subnet increments. (256 - "interesting octet")
Chapter 18: OSPF
- In OSPF, why is "Area Zero" a.k.a. backbone, important?
Describe How A Network Works
- Describe the purpose and functions of various network devices.
- Select the components required to meet a network specification.
- Use the OSI reference model and its associated protocols to explain how data flows in a network.
- Describe the purpose and basic operation of the protocols in the OSI reference model.
- Determine the path between two hosts across a network.
- Describe the components required for network and Internet communications.
- Identify and correct common network problems at layers 1, 2, 3 and 7 using a layered model approach.
- Differentiate between LAN/WAN operation and features.
- Differentiate between IP addresses, MAC addresses, and at which phase and layer of the OSI Reference Model each type of address is used.
Diagnostics & Troubleshooting Commands
- ICMP (Internet Control Message Protocol)
- Traceroute and how TTL is used with Traceroute.
- e.g. Does the router evaluate TTL before or after decrementing TTL, to determine if the packet should be forwarded?
- ping
- ipconfig /all
- tracert (on Windows) or traceroute (on Linux)
- show ip interface brief
- show ip route
- show ip protocol
- show controllers s0/0 (To determine if a serial interface is DCE or DTE)
- version
- Techniques used to make the size of the routing table manageable.
- Next-Hop Method
- Network-Specific Method
- Default Method
Delivery of a Packet
- Direct Delivery
- Indirect Delivery
Logical and Physical addressing during the forwarding process:
- When a packet is destined for a different network, what address needs to be resolved by the source host?
- Which protocol is used to resolve the address?
- Autonomous System (AS)
- Convergence (routing protocol)
- Convergence (Switch) (Loop prevention)
- Routing Tables
- The minimum fields needed in a routing table:
- ("Type" is not one of the minimum fields.)
- Routing [within] an autonomous system
- Which types/vectors of routing protocols are used for routing [within] an autonomous system?
- Which routing protocols are used for routing [within] an autonomous system?
- Routing [between] autonomous systems
- Which types/vectors of routing protocols are used for routing [between] autonomous systems?
- Which routing protocols are used for routing [between] autonomous systems?
- Loop prevention in Routing Protocols
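The traceroute/TTL question in the outline above (does a router test the TTL before or after decrementing it?) is easiest to answer by modelling the router. The following is an added example, not part of the course notes: a tiny path of three constructed routers (the 10.0.x.1 and 192.168.x.10 addresses are made up for the example) where each router decrements the TTL first and only then checks for zero, which is the behaviour RFC 1812 specifies and what traceroute relies on.

```python
"""Traceroute and TTL: a router decrements TTL first, then tests for zero."""
from dataclasses import dataclass

# Constructed path (not from the lab): source host -> R1 -> R2 -> R3 -> destination host.
SOURCE = "192.168.10.10"
ROUTERS = ["10.0.1.1", "10.0.2.1", "10.0.3.1"]
DESTINATION = "192.168.20.10"


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int


def router_forward(router_ip, pkt):
    """One router's handling of the TTL field (RFC 1812 behaviour).

    The TTL is decremented first and the result is tested afterwards: if the
    decremented TTL is 0 the packet is discarded and an ICMP Time Exceeded
    (type 11, code 0) goes back to the source. A probe that arrives with
    TTL=1 therefore dies at this hop, which is what traceroute relies on.
    """
    pkt.ttl -= 1
    if pkt.ttl == 0:
        return "time_exceeded", router_ip
    return "forward", pkt


def send_probe(ttl):
    """Push one probe with the given TTL along the path; report who answered."""
    pkt = Packet(SOURCE, DESTINATION, ttl)
    for hop in ROUTERS:
        action, result = router_forward(hop, pkt)
        if action == "time_exceeded":
            return "time_exceeded", result
    # The destination host answers the probe itself (Echo Reply for ping-style
    # probes, Port Unreachable for the UDP probes Linux traceroute sends).
    return "destination", DESTINATION


def traceroute(max_hops=30):
    """Raise the TTL one at a time; each expiry reveals one more router."""
    path = []
    for ttl in range(1, max_hops + 1):
        kind, who = send_probe(ttl)
        path.append(who)
        if kind == "destination":
            break
    return path


if __name__ == "__main__":
    for n, hop in enumerate(traceroute(), start=1):
        print(f"{n:2d}  {hop}")
```

Run it and the printed list is exactly what tracert/traceroute shows: hop 1 is the router that received the TTL=1 probe, because that router decremented it to 0 and answered with Time Exceeded. If the check happened before the decrement, a TTL=1 probe would be forwarded one hop further and every traceroute listing would be off by one.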
April
Tues. April 3, 2018 (Spring Recess - No Class) |
Top /
Home
|
Read / Do
- CCNA Routing and Switching Study Guide 2nd Edition: Chapter 10: Layer 2 Switching
- Listen to RunAs Radio: Show #442: Thinking Through Security Policy with Dana Epp
- What does your security plan look like?
- Richard chats with Dana Epp about the ever increasing attack surface of our organizations and the ongoing battle to provide better tools and techniques to keep the lights on.
Thurs. April 5, 2018 (Spring Recess - No Class) |
Top /
Home
|
Read / Do
- CCNA Routing and Switching Study Guide 2nd Edition: Chapter 10: Layer 2 Switching
- Listen to RunAs Radio: Show #442: Thinking Through Security Policy with Dana Epp
- What does your security plan look like?
- Richard chats with Dana Epp about the ever increasing attack surface of our organizations and the ongoing battle to provide better tools and techniques to keep the lights on.
Exam 2 Debriefing
Lab-04 Debriefing
- Make sure to bring your completed Lab-04 rsm file to class.
- Zero-configuration networking (zeroconf) is a set of technologies that automatically creates a usable computer network based on the Internet Protocol Suite (TCP/IP) when computers or network peripherals are interconnected. It does not require manual operator intervention or special configuration servers.
Document the configuration of each router in your lab
- How to save the output from commands from a router
- Create a new TXT file with the same filename as the RSM file you're documenting. syntax: CST3607 Lab-04 LastName, FirstName v<version #>.txt
- At the top of the TXT file, type your CST3607 Lab-04 <YourLastName>, <YourFirstname>
- Paste the output from all routers into the one TXT file:
- Make sure all routers have unique names: e.g. hostname 2621-A, 2621-B, etc.
- Close and reopen the CLI, to clear its history.
- enable
- terminal length 0
- show run {Make sure to press the space bar to complete the listing if the CLI says "More"}
- show ip interface brief
- show ip route
- show ip protocol
- show ip ospf neighbor {If you're using OSPF}
- show controllers s0/0 or s0/1 {If the router has a DCE interface}
- show ip dhcp binding {If the router is acting as a DHCP server}
- Right-click in the CLI and choose copy. (In RouterSim, it's not necessary to highlight first.)
- Switch to your TXT file, and paste
- Save the TXT file.
- Repeat for each router in the lab.
- Send the TXT file with your router configurations to me: Subject: CST3607 Lab-04 YourLastName, Firstname
Chapter 10: Layer 2 Switching
The three functions of a switch.
- Address learning
- forward/filter decisions
- loop avoidance.
Configuring an IP address on a switch
- The management VLAN interface is a routed interface on every Cisco switch and is called interface VLAN 1.
Port Security on a Switch
(Chapter 10, pgs. 417, 428)
- Protect: When the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses.
You are not notified that a security violation has occurred.
- Restrict: When the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses.
In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
- Shutdown: A port security violation causes the interface to become error-disabled and to shut down immediately, and the port LED turns off. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
Restrict and shutdown violation modes alert you via SNMP that a violation has occurred on a port. (pg. 443, 3rd sentence in the 5th paragraph)
- As listed in the Errata, there's an error in Appendix B, pg. 1005: Answer to Chapter 10 Review Question 11: The correct answer should be A, C and the explanation should read: "Shutdown and restrict mode will alert you..."
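The three switch functions listed above (address learning, forward/filter decisions, loop avoidance aside) and the three port-security violation modes are easier to keep apart when you can watch them run. The following is an added example, not code from the course or from Cisco: a small Python model of a switch that learns source MACs, floods unknown unicasts and broadcasts, filters frames whose destination is on the receiving port, and applies port security with the protect/restrict/shutdown semantics quoted above. Port names and MAC addresses are constructed for the example; the notification list stands in for the syslog message and SNMP trap.

```python
"""Layer 2 switch model: address learning, forward/filter/flood, port security."""
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


@dataclass
class PortSecurity:
    maximum: int = 1                      # switchport port-security maximum N
    violation: str = "shutdown"           # protect | restrict | shutdown (IOS default)
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0              # only restrict and shutdown count violations
    err_disabled: bool = False
    notifications: list = field(default_factory=list)   # stands in for syslog + SNMP trap


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}        # MAC address -> port, learned from source addresses
        self.port_security = {}    # port -> PortSecurity, only for secured ports

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        self.port_security[port] = PortSecurity(maximum=maximum, violation=violation)

    def _port_security_allows(self, port, src):
        ps = self.port_security.get(port)
        if ps is None:
            return True                     # port security not configured here
        if ps.err_disabled:
            return False                    # err-disabled: nothing passes until recovery
        if src in ps.secure_macs:
            return True
        if len(ps.secure_macs) < ps.maximum:
            ps.secure_macs.add(src)         # learn it as a secure MAC (sticky-style)
            return True
        # Unknown source address above the maximum: this is a violation.
        if ps.violation == "protect":
            return False                    # dropped silently, nobody is told
        ps.violation_count += 1
        ps.notifications.append(f"PSECURE_VIOLATION: {src} on {port}")
        if ps.violation == "shutdown":
            ps.err_disabled = True          # interface goes err-disabled, LED off
        return False

    def receive(self, in_port, src, dst):
        """Process a frame; return the list of ports it is sent out of."""
        if not self._port_security_allows(in_port, src):
            return []
        self.mac_table[src] = in_port       # 1. address learning
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]   # 2. flood unknown/broadcast
        out_port = self.mac_table[dst]
        return [] if out_port == in_port else [out_port]     # 2. filter or forward

    def errdisable_recovery(self, port):
        """errdisable recovery cause psecure-violation (or shutdown / no shutdown)."""
        self.port_security[port].err_disabled = False
```

Note what the model makes visible: in protect mode the violation counter never moves and nothing is logged, so a mis-plugged or spoofing device on that port is invisible to monitoring; in restrict mode the frame is still dropped but you get the counter and the notification; in shutdown mode even the legitimate secure MAC is cut off until the port is recovered.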
Spanning Tree Protocol (STP)
- The function of Spanning Tree Protocol (STP) is to prevent Layer 2 switching loops and broadcast storms in a Local Area Network (LAN).
- The Spanning Tree Protocol (STP) allows redundant links in a network to prevent complete network failure if an active link fails, without the danger of Layer 2 Switching loops.
Bridge Protocol Data Unit (BPDU)
- Bridge Protocol Data Units (BPDUs) are messages exchanged between the switches inside an interconnected, redundant Local Area Network (LAN).
- BPDU frames carry the Bridge ID (priority plus MAC address) of the sending switch and of the root bridge it currently believes in, the originating switch port, the port priority, the port cost, etc.
- BPDUs are sent out regularly as multicast frames to the destination MAC address 01:80:c2:00:00:00. When BPDUs are received, the switch runs the Spanning Tree Algorithm (STA) to detect Layer 2 switching loops in the network and to decide which of the redundant ports must be placed in the blocking state.
- The basic purpose of BPDUs and the STA is to avoid Layer 2 switching loops and broadcast storms.
Spanning Tree Protocol (STP): Port States
The ports on a switch with STP enabled are in one of the following four port states.
Blocking
- A port in the blocking state does not participate in frame forwarding and also discards frames received from the attached network segment.
- In the blocking state, the port only listens to and processes BPDUs.
Listening
- During the listening state the port discards frames received from the attached network segment and it also discards frames switched from another port for forwarding.
- At this state, the port receives BPDUs from the network segment and directs them to the switch system module for processing.
Learning
- During the learning state, the port is listening for and processing BPDUs.
- In the learning state, the port also begins to process user frames and starts to populate the MAC address table from their source addresses.
- But the user frames are not yet forwarded to the destination.
Forwarding
- A port in the forwarding state forwards frames across the attached network segment.
- In a forwarding state, the port will process BPDUs, update its MAC Address table with frames that it receives, and forward user traffic through the port.
- Forwarding State is the normal state.
Note: "Disabled" is not one of the four STP port states (technically, it is not a transition state). A port in the administratively disabled state does not participate in frame forwarding or STP and is virtually nonoperational.
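The STP material above describes what BPDUs carry and that the STA decides which redundant port stays blocking; the final exam outline later asks how the root bridge is determined and what the designated, root and blocked port roles are. As an added example (not from the course notes or any vendor code), here is the core of the Spanning Tree Algorithm for a constructed three-switch triangle: elect the root by lowest Bridge ID, compute each switch's root path cost, and assign one role per port. Switch names, MAC addresses, port names and costs are made up for the example.

```python
"""Spanning Tree Algorithm: root bridge election, root path cost, and port roles."""
import heapq

# Constructed topology (not from the lab). Bridge ID = (priority, MAC); lowest wins.
BRIDGES = {
    "SW1": (32768, "0000.0c11.1111"),
    "SW2": (32768, "0000.0c22.2222"),
    "SW3": (4096, "0000.0c33.3333"),     # lowered priority: this one should become root
}
# Segments: (bridge A, port on A, bridge B, port on B, port cost on that link)
LINKS = [
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 4),
    ("SW2", "Gi0/2", "SW3", "Gi0/1", 4),
    ("SW1", "Gi0/2", "SW3", "Gi0/2", 19),   # slower link, becomes the redundant path
]


def elect_root(bridges):
    """The bridge with the lowest Bridge ID (priority first, then MAC) is the root."""
    return min(bridges, key=lambda b: bridges[b])


def root_path_costs(bridges, links, root):
    """Lowest cumulative port cost from every bridge to the root (Dijkstra)."""
    cost = {b: float("inf") for b in bridges}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, b = heapq.heappop(heap)
        if c > cost[b]:
            continue
        for a, _, z, _, link_cost in links:
            for me, nb in ((a, z), (z, a)):
                if me == b and c + link_cost < cost[nb]:
                    cost[nb] = c + link_cost
                    heapq.heappush(heap, (cost[nb], nb))
    return cost


def port_roles(bridges, links):
    """Return (root bridge, {(bridge, port): 'root' | 'designated' | 'blocked'})."""
    root = elect_root(bridges)
    cost = root_path_costs(bridges, links, root)
    roles = {}
    # Designated port: on every segment, the end with the lowest (root path cost,
    # Bridge ID). All of the root bridge's ports are designated because its cost is 0.
    for a, pa, z, pz, _ in links:
        a_key, z_key = (cost[a], bridges[a]), (cost[z], bridges[z])
        roles[(a, pa) if a_key < z_key else (z, pz)] = "designated"
    # Root port: every non-root bridge picks the one port through which the root is
    # reached at the lowest cost (tie-break: lowest neighbour Bridge ID).
    best = {}
    for a, pa, z, pz, link_cost in links:
        for me, my_port, nb in ((a, pa, z), (z, pz, a)):
            if me == root:
                continue
            key = (cost[nb] + link_cost, bridges[nb])
            if me not in best or key < best[me][0]:
                best[me] = (key, my_port)
    for me, (_, my_port) in best.items():
        roles[(me, my_port)] = "root"
    # Everything left over is a redundant (alternate) port and stays blocking:
    # that is what removes the loop while keeping the link available for failover.
    for a, pa, z, pz, _ in links:
        roles.setdefault((a, pa), "blocked")
        roles.setdefault((z, pz), "blocked")
    return root, roles


if __name__ == "__main__":
    root, roles = port_roles(BRIDGES, LINKS)
    print("root bridge:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role}")
```

With the constructed costs SW3 wins the election on priority alone, SW1's path through SW2 (4 + 4) beats its direct but slower link to SW3 (19), so SW1 Gi0/2 is the single blocked port. Lower SW1's priority below 4096 and rerun: the root moves, and with it every role. That is also why a rogue switch announcing a low priority is a real attack, and why BPDU Guard on access ports matters.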
Read / Do / Watch
Exam #3 will be on Thursday: April 26, 2018
News & Tools
- Chrome Is Scanning Files on Your Computer, and People Are Freaking Out
- Whoer.net is a service aimed at verifying the information your computer sends to the web. It is perfect for checking proxy or socks servers, providing information about your VPN server and scanning black lists for your IP address. The service shows whether your computer enables Flash and Java, as well as its language and system settings, OS and web-browser, define the DNS etc.
Self-Evaluation
- At this point in the semester, you should be confident enough in your understanding of Cisco IOS, routing protocols, etc. to complete this lab with 100% accuracy, in a reasonable amount of time (about 15 to 20 minutes), using only the network diagram as your guide.
- If that’s not the case, then you must practice, practice, practice, to gain that skill and confidence.
- Practice makes improvement.
- The labs use dynamips or GNS3 as a simulator/emulator.
- Has the .net file with the router layouts and the configurations for each lab.
Cisco IOS
- How to configure:
- Serial Ports
- DCE vs DTE
- Clock Rate on DCE end only
- show controller serial0/0
- OSPF Routing Protocol
- DHCP via Cisco IOS
- Set the range
- exclude static IP addresses from the DHCP pool
- Cisco IOS and Router Command Reference
OSPF Router ID
The OSPF Router-ID is used to identify a specific device within an OSPF database. Router IDs must be unique to prevent unintended OSPF database problems.
OSPF Loopback Interface
- A router with one loopback interface generates a router-LSA with Type-1 link (stub network).
Configuring a Gateway of Last Resort Using IP Commands
Lab-05: (Serial, OSPF, DHCP)
- Requires your 100% accurate and working Lab-04 as the starting point.
- Increment the version number at the end of the filename every time you "Save As." And, "Save As" often.
- Network Parameters (DocX)
- Complete this chart before proceeding with the lab.
- Use the block size (256 - interesting octet) to see which subnet an IP address fits into.
- Instructions (PDF)
- Network Topology Diagram (PDF)
- Substitute the # within an IP address with the number assigned to you in class.
- Make sure that:
- You've verified that all of the configurations / parameters / network addresses / IP's are complete and 100% accurate. (show run)
- the IP address and mask of each interface is correct
- “Status” and “Protocol” are both “up” for each enabled interface. (show ip interface brief)
- You're able to ping all hosts, in both directions.
- The routing tables on all routers show the correct number of connected and indirect networks. (show ip route)
- For RIP: The network addresses and subnet masks under "Routing for Networks" are correct. (show ip protocol)
- For OSPF: The network addresses, wildcard masks, and area #'s under "Routing for Networks" are correct. (show ip protocol)
- The DCE has a clock rate set and greater than zero: show controllers s0/0 or s0/1
- At least one neighbor shows up with OSPF on every router. (show ip ospf neighbor)
- Only then is your lab considered complete.
- Note: show ip ospf neighbor may not work on 2621-C, but will on the other 3 routers.
- You should then e-mail only your final completed simulation file, and documentation TXT file to me.
- The TXT file should have the same filename, including the version number, as the simulation file.
- E-mail Subject: CST3607 Lab-05 YourLastName, YourFirstName
- Cisco IOS and Router Command Reference
Do
- Complete Lab-05, along with the documentation file, and send them to me ASAP.
- E-mail Subject: CST3607 Lab-05 YourLastName
Read / Do
News & Tools
- PoisonTap: exploiting locked computers over USB
- PoisonTap - siphons cookies, exposes internal router & installs web backdoor (reverse tunnel) on locked/password protected computers with a $5 Raspberry Pi Zero and Node.js.
- Raspberry Pi Zero (YouTube.com)
Chapter 11: VLANs and InterVLAN Routing
Lab-06: VLANs
Read / Do
News and Tools
- Standard IP Access List
- Filters network traffic by examining the source IP address in a packet
- access-list numbers: 1-99 or 1300-1999
- Extended IP Access List
- Can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet.
- Can evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number at the Transport layer header.
- access-list numbers: 100-199 or 2000-2699
- Inbound access list: applied to inbound packets on an interface, before being routed.
- Outbound access list: applied to outbound packets on an interface.
- An access list must be applied to an interface to be executed
Standard ACL (1-99) | Extended ACL (100-199)
Applied closest to the destination | Applied closest to the source
Denies or permits by: source IP address | Denies or permits by: source IP address, destination IP address, port or service
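Exam 3 asks you to decode an ACL: which addresses, protocols and ports a line matches and what happens when nothing matches. The following is an added example, not part of the course notes or of Cisco IOS: a Python decoder for the numbered access-list syntax shown above (standard and extended ranges, any / host / address-plus-wildcard, and the eq port operator only) that evaluates a packet top-down with first-match-wins and the implicit deny at the end. Wildcard matching is done with bit arithmetic, exactly as the router does it, so non-contiguous wildcards work too. The sample ACL lines and packets are constructed for the example, using addresses from the Lab-07 IP address summary further down this page.

```python
"""Decode numbered IOS access lists and evaluate packets against them."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

STANDARD_RANGES = ((1, 99), (1300, 1999))
EXTENDED_RANGES = ((100, 199), (2000, 2699))
ANY = (0, 0xFFFFFFFF)     # address 0.0.0.0 with wildcard 255.255.255.255


def acl_type(number):
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    raise ValueError(f"{number} is not a numbered IP access list")


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_address(tokens, i):
    """any | host A.B.C.D | A.B.C.D wildcard  ->  ((base, wildcard), next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (ip_to_int(tokens[i + 1]), 0), i + 2
    return (ip_to_int(tokens[i]), ip_to_int(tokens[i + 1])), i + 2


def parse_port(tokens, i):
    """Only the 'eq <port>' operator is modelled (lt/gt/range are left out)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


@dataclass
class Rule:
    number: int
    action: str
    proto: str                 # 'ip' on a standard list: the protocol is not checked
    src: tuple
    sport: Optional[int]
    dst: tuple                 # ANY on a standard list: the destination is not checked
    dport: Optional[int]


def parse_rule(line):
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    number, action = int(t[1]), t[2]
    if acl_type(number) == "standard":
        src, _ = parse_address(t, 3)
        return Rule(number, action, "ip", src, None, ANY, None)
    proto = t[3]
    src, i = parse_address(t, 4)
    sport, i = parse_port(t, i)
    dst, i = parse_address(t, i)
    dport, i = parse_port(t, i)
    return Rule(number, action, proto, src, sport, dst, dport)


def address_matches(spec, ip):
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (ip_to_int(ip) & care) == (base & care)


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not address_matches(rule.src, pkt["src"]) or not address_matches(rule.dst, pkt["dst"]):
        return False
    if rule.sport is not None and pkt.get("sport") != rule.sport:
        return False
    if rule.dport is not None and pkt.get("dport") != rule.dport:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Top-down, first match wins; no match at all means the implicit deny at the end."""
    for n, line in enumerate(acl_lines, start=1):
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule.action, n
    return "deny", None


if __name__ == "__main__":
    acl = ["access-list 110 deny tcp any host 10.10.10.1 eq 23",
           "access-list 110 permit ip any any"]
    telnet = {"proto": "tcp", "src": "192.168.10.5", "dst": "10.10.10.1", "dport": 23}
    print(evaluate(acl, telnet))                       # ('deny', 1)
    print(evaluate(acl[:1], {**telnet, "dport": 80}))  # ('deny', None): implicit deny
```

The last line of the demo is the classic mistake: an ACL that contains only deny statements blocks everything, because the unmatched packet falls through to the implicit deny. The decoder also does not know which interface or direction a list is applied to; that is the access-group half of the configuration, and a list that is never applied filters nothing.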
Lab-07: Chapter 12: Cisco IOS: Security: Access Control Lists (ACLs)
- Lab-07 Instructions/Errata (pdf)
- Lab-07 Worksheet (docx)
- Syntax for filename: (Increment the version each time you save.)
- CST3607 Lab-08 (12.0) Lastname, Firstname v01 (For the initial topology build, and configuration of the IP addresses and OSPF)
- CST3607 Lab-08 (12.1) Lastname, Firstname v01
- CST3607 Lab-08 (12.2) Lastname, Firstname v01
- Send me only your completed 12.2 lab and the configuration documentation text file.
- E-mail Subject: CST3607 Lab-08 YourLastName, YourFirstName
- Note: Bring your text book to class for the rest of the semester
- IP Address Summary
Router | Interface | IP Address | Network Address | Wildcard Mask | Description
Corp | Serial 0/0 | 172.16.10.1 /30 | | | Connection to SF
Corp | Serial 0/1 | 172.16.10.5 /30 | | | Connection to LA
Corp | Fa0/0 | 10.10.10.1 /24 | | |
SF | Fa0/0 | 192.168.10.1 /24 | | |
SF | S0/0/0 | 172.16.10.2 /30 | | | Connection to Corp
LA | Fa0/0 | 192.168.20.1 /24 | | |
LA | S0/0/0 | 172.16.10.6 /30 | | | Connection to Corp
Read / Do
Lab-08: Chapter 10 Hands-on Lab
Chapter 11 Hands-on Lab: VLANs
Read / Do
Read / Do
- CCNA Routing and Switching Study Guide 2nd Edition: Chapter 13: Network Address Translation (NAT)
- Do the: Written Lab, Review Questions at the end of the chapter.
- Study for the Final Exam
Exam #3: In Class, via Blackboard
To be prepared for this, and any of the exams, you must be able to answer all of the Review Questions at the end of each chapter.
This exam includes, but is not limited, to the following:
Chapter 10: Layer 2 Switching
- What are the steps that a switch uses to build its MAC address table?
- What will a switch do with a frame received on a port that has a destination MAC address that "is not" in the mac address-table?
- What will a switch do with a frame received on a port that has a destination MAC address that "is" in the mac address-table?
- Layer 2 switch functions
- Configuring a Management IP address on a switch
- Switch Port Security
- Switch Port Violation Modes
- Protect
- Restrict
- Shutdown
- Which switch port violation modes will alert you via SNMP that a violation has occurred on a port?
- Spanning Tree Protocol (STP)
- Loop avoidance
- Preventing broadcast storms
- Convergence (on switches)
- Name the four Spanning-Tree port states
- Disabled is not one of the four states (technically, it is not a transition state). A port in the administratively disabled state does not participate in frame forwarding or STP and is virtually nonoperational.
Chapter 11: VLANs and InterVLAN Routing
- Virtual LAN (VLAN)
- VLAN 1 is the default Ethernet VLAN
- VLANs 1002 through 1005 are automatically created and cannot be deleted
- Trunking
- What is the purpose of a Trunk port?
- What are the Cisco IOS commands to configure an interface as a trunk port?
- IEEE 802.1Q
Chapter 12: Security: Access Control Lists (ACL)
- You will need to decode an ACL to determine:
- which IP addresses or networks are being denied or allowed,
- which protocols are being denied or allowed,
- whether the rule applies to inbound or outbound traffic,
- etc.
- Standard Access Lists
- Standard Access Lists can check for what in the IP packet?
- Is a Standard ACL applied closest to the destination or closest to the source?
- What are the access-list numbers for a Standard ACL?
- Extended Access Lists
- Extended Access Lists can check for what in the IP packet?
- Is an Extended ACL applied closest to the destination or closest to the source?
- What are the access-list numbers for an Extended ACL?
- What is an Implicit Deny?
- An Inbound access list is applied to inbound packets on an interface, before being routed.
- Why is an inbound access list applied before the packet is routed?
- An Outbound access list is applied to outbound packets on an interface.
- Why must an access list be applied to an interface to be effective?
- Configuring ACLs
- access-list
- access-group
- access-class
- Security Appliances
- Determine the Subnet Block Sizes
- Use the block size to determine the subnet ranges
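The block-size method (256 minus the interesting mask octet) is used throughout this page for subnetting and for filling in the wildcard masks in the Lab-07 table. As an added example, not from the course notes, here it is written out as code so you can check your hand calculations: find the interesting octet, derive the block size, compute the network, host range and broadcast for any address, derive the OSPF/ACL wildcard mask, and cross-check against Python's ipaddress module. The sample addresses in the demo are taken from the Lab-07 IP address summary on this page.

```python
"""Subnetting with the block size: 256 minus the 'interesting' mask octet."""
import ipaddress


def interesting_octet(mask):
    """Return (index, value) of the first mask octet that is not 255; None for /32."""
    for i, octet in enumerate(int(o) for o in mask.split(".")):
        if octet != 255:
            return i, octet
    return None


def block_size(mask):
    """Subnets step by this amount in the interesting octet."""
    found = interesting_octet(mask)
    return 1 if found is None else 256 - found[1]


def subnet_of(ip, mask):
    """(network, first host, last host, broadcast) for the subnet containing ip.

    Method: the network's interesting octet is the largest multiple of the block
    size not above the host's interesting octet; every octet to the right is 0
    for the network address and 255 for the broadcast address.
    """
    octets = [int(o) for o in ip.split(".")]
    found = interesting_octet(mask)
    if found is None:
        return ip, ip, ip, ip
    i, _ = found
    size = block_size(mask)
    net = octets[:i] + [(octets[i] // size) * size] + [0] * (3 - i)
    bcast = octets[:i] + [net[i] + size - 1] + [255] * (3 - i)
    first = net[:3] + [net[3] + 1]
    last = bcast[:3] + [bcast[3] - 1]
    dotted = lambda o: ".".join(map(str, o))
    return dotted(net), dotted(first), dotted(last), dotted(bcast)


def wildcard_mask(mask):
    """OSPF/ACL wildcard: the inverse of the subnet mask, octet by octet."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))


def cross_check(ip, mask):
    """True when the block-size answer agrees with the ipaddress module."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    network, _, _, bcast = subnet_of(ip, mask)
    return network == str(net.network_address) and bcast == str(net.broadcast_address)


if __name__ == "__main__":
    # Addresses from the Lab-07 IP address summary on this page.
    for ip, mask in [("172.16.10.6", "255.255.255.252"), ("10.10.10.1", "255.255.255.0")]:
        print(ip, mask, "block", block_size(mask), subnet_of(ip, mask),
              "wildcard", wildcard_mask(mask), "ok" if cross_check(ip, mask) else "MISMATCH")
```

One caveat: the first/last host values only make sense for /30 and larger blocks. For a /31 point-to-point link (block size 2) there is no broadcast address and both addresses are hosts, so treat those two fields as meaningless there.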
OSI Reference Model
- All seven layers of the OSI Reference Model
Troubleshooting Commands and syntax
Read / Do
- CCNA Routing and Switching Study Guide 2nd Edition: Chapter 13: Network Address Translation (NAT)
- Do the: Written Lab, Review Questions at the end of the chapter.
- Study for the Final Exam
May
Guest speaker presentation on IT Project Management w/Q&A
- E-mail questions you'd like to ask re: IT industry, and project management, before 6pm Monday.
News & Tools
Windows Subsystem for Linux (WSL)
- Windows Subsystem for Linux (WSL) is a compatibility layer for running Linux binary executables (in ELF format) natively on Windows 10.
- WSL provides a Linux-compatible kernel interface developed by Microsoft (containing no Linux kernel code), which can then run a GNU userland on top of it, such as that of Ubuntu, openSUSE, SUSE Linux Enterprise Server, Debian and Kali Linux.
- Such a userland might contain a Bash shell and command language, with native Linux command-line tools (sed, awk, etc.) and programming language interpreters (Ruby, Python, etc.).
- Install the Windows Subsystem for Linux
NAT Router Security Solutions: Tips & Tricks You Haven't Seen Before
GRC’s Link Farm
Trello’s boards, lists, and cards enable you to organize and prioritize your projects in a fun, flexible and rewarding way.
Exam 3 Debriefing
What does a NAT router do? A NAT router creates a local area network (LAN) of private IP addresses and interconnects that LAN to the wide area network (WAN) known as the Internet. The "Network Address Translation" (NAT) performed by the router allows multiple computers (machines) connected to the LAN behind the router to communicate with the external Internet.
Lab-09: Chapter 13: Network Address Translation (NAT)
- Chapter 13 : (Bring your text book to class for the rest of the semester)
- Instructions / Errata (pdf)
- Baseline Simulation (Make sure to rename, by replacing "YourLastName" and adding your First Name)
- Hands-on Lab 13.1
- Hands-on Lab 13.2
- Hands-on Lab 13.3
- You must be in class to get credit for completing this lab.
Read / Do
News & Tools
Lucidchart provides an intuitive and collaborative diagramming solution for your entire organization.
- Free accounts for students and teachers. Visit the education page for educational inquiries.
Three strategies for the transition from IPv4 to IPv6:
- Dual Stack
- Tunneling
- A strategy used when two computers using IPv6 want to communicate with each other and the packet must pass through a region that uses IPv4.
- The IPv6 packet is encapsulated in an IPv4 packet
- The IPv4 packet carries an IPv6 packet as data, the protocol value is set to 41
- Header Translation
- The header of the IPv6 packet is converted to an IPv4 header
- Used when a host wants to use IPv6, but the receiver does not understand IPv6
Advantages that IPv6 has over IPv4.
- Larger address space. (This is the primary reason that IPv6 was developed.)
- Better header format
- New options
- Allowance for extension
- Support for resource allocation
- Support for more security
IPv6 Addressing
- IPv6 Tutorial [9tut.com]
- Mastering IPv6 SLAAC Concepts and Configuration [ciscopress.com]
- What is the problem with Stateless Address Autoconfiguration (SLAAC)?
- With SLAAC, by default no DNS configuration is returned to the host.
- IPv4/IPv6 subnet calculator
- IPv6 addresses fall into one of three categories / transmission methods
- Unicast
- Multicast
- Anycast addressing routes datagrams to a single member of a group of potential receivers that are all identified by the same destination address. This is a one-to-one-of-many association.
- There are no broadcast addresses in IPv6.
- Types of IPv6 addresses.
- Link-local addresses are similar to APIPA addresses and start with FE80 (FE80::/10). They are never routed, not even inside your own network.
- Unique local addresses are similar to private IP addresses and come from FC00::/7 (in practice they start with FD, since the FC00::/8 half is not yet defined for use).
- Global unicast addresses are like public IP addresses and currently come from 2000::/3 (first hextet 2000 through 3FFF).
- The IPv6 loopback address is ::1.
Global Unicast IPv6 Address
Global Routing Prefix -
- This is assigned by the ISP to a customer or site.
- The Global Routing Prefix is determined by the prefix-length notation. (example /48 or /64).
- This is similar to the network portion of an IPv4 address.
Subnet ID -
- This is similar to the subnet portion of an IPv4 address.
- The difference is in IPv4 the subnet is borrowed from the host portion of the address.
- In IPv6 the Subnet ID is a separate field (/48 to /64) and not necessarily part of the Interface ID.
Interface ID -
- The Interface ID uniquely identifies an interface on the local subnet.
IPv6 Address Format
IPv6 Address Format: x:x:x:x:x:x:x:x, where each x is a 16-bit field written as four hexadecimal digits.
An example IPv6 Address: 2001:0000:5723:0000:0000:D14E:DBCA:0764
There are:
- 8 groups of 4 hexadecimal digits, with each group separated by ":"
- Each group represents 16 bits (4 hexadecimal digits * 4 bits)
- Each hexadecimal digit is equal to 4 bits
- Each pair of hexadecimal digits are equal to 8 bits = 1 byte.
- Hex digits are not case sensitive, so “DBCA” is the same as “dbca” or “DBca”.
- Each group is referred to as a "hextet"
IPv6 (128-bit) address contains two parts:
- The first 64 bits are known as the prefix. The prefix includes the network and subnet address. Because addresses are allocated based on physical location, the prefix also includes global routing information. The 64-bit prefix is often referred to as the global routing prefix.
- The last 64 bits are the interface ID, the unique address assigned to an interface.
Note: Addresses are assigned to interfaces (network connections), not to the host. Each interface can have more than one IPv6 address.
IPv6: Zero Omission Rules
- Rule 1: Omission of the Leading 0s:
- Rule 1 allows you to remove all the leading 0s in each individual hextet.
- Rule 2: Omission of the All-0 Hextets:
- Rule 2 uses a double colon :: to represent a single "contiguous" set of all-zero hextets.
- It can only be used once within an IPv6 address.
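Rules 1 and 2 are mechanical enough to write down as code, which is also the quickest way to check your Assignment #5 answers. The following is an added example, not part of the course notes: both rules implemented by hand, plus a cross-check against Python's ipaddress module, which produces the same RFC 5952 canonical form. The only details the rules above leave implicit are written out in the code: :: may only replace a run of at least two zero hextets, and when two runs are equally long the leftmost one is compressed. The sample address is the one used on this page; the others are constructed.

```python
"""IPv6 zero-omission rules 1 and 2, written out by hand and checked against ipaddress."""
import ipaddress


def expand(address):
    """The eight 4-digit hextets of an address, whatever form it arrived in."""
    return ipaddress.IPv6Address(address).exploded.split(":")


def rule1_omit_leading_zeros(hextets):
    """Drop the leading 0s inside each hextet; an all-zero hextet becomes a single 0."""
    return [h.lstrip("0") or "0" for h in hextets]


def rule2_omit_zero_hextets(hextets):
    """Replace ONE contiguous run of zero hextets with '::'.

    The run must be at least two hextets long (RFC 5952 forbids '::' for a single
    zero hextet) and, when two runs tie for longest, the first (leftmost) is chosen.
    """
    best_start, best_len = -1, 0
    i = 0
    while i < len(hextets):
        if hextets[i] != "0":
            i += 1
            continue
        j = i
        while j < len(hextets) and hextets[j] == "0":
            j += 1
        if j - i > best_len:            # strictly greater keeps the first run on ties
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(hextets)
    left = ":".join(hextets[:best_start])
    right = ":".join(hextets[best_start + best_len:])
    return f"{left}::{right}"


def compress(address):
    return rule2_omit_zero_hextets(rule1_omit_leading_zeros(expand(address)))


def agrees_with_ipaddress(address):
    """Cross-check against the standard library's canonical form."""
    return compress(address) == ipaddress.IPv6Address(address).compressed


if __name__ == "__main__":
    for a in ["2001:0000:5723:0000:0000:D14E:DBCA:0764",
              "fe80:0000:0000:0000:0290:27ff:fe16:fd0f",
              "0000:0000:0000:0000:0000:0000:0000:0001"]:
        print(a, "->", compress(a), "ok" if agrees_with_ipaddress(a) else "MISMATCH")
```

The practical reason to care about the canonical form: log searches, ACLs and allow-lists that compare IPv6 addresses as strings will silently miss 2001:db8:0:0:0:0:0:1 when the log wrote 2001:db8::1. Normalise first, then compare.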
OSPFv3
- In OSPFv3, the interfaces (and therefore the networks attached to them) are configured directly in interface configuration mode, rather than with network statements under the routing process.
- Enabling OSPFv3 on an interface creates the OSPFv3 router process automatically, so you do not have to create it first in global configuration mode.
- Router1(config-if)#ipv6 ospf 10 area 0
What is the command to configure OSPFv3 on a router?
- In global configuration mode?
- In interface configuration mode?
Stateless Autoconfiguration (EUI-64)
[Reference: Ch. 14 Pg. 556]
SLAAC (Stateless Address Autoconfiguration):
Stateless Autoconfiguration is a useful solution because it allows devices on a network to address themselves with a link-local unicast address as well as with a global unicast address. This process happens through first learning the prefix information from the router and then appending the device’s own interface address as the interface ID.
To perform autoconfiguration, a host goes through a basic two-step process:
- First, the host needs the prefix information, similar to the network portion of an IPv4 address, to configure its interface, so it sends a router solicitation (RS) request for it. This RS is then sent out as a multicast to all routers (FF02::2). The RS message is ICMP type 133.
- The router answers back with the required prefix information via a router advertisement (RA). An RA message also happens to be a multicast packet that’s sent to the all-nodes multicast address (FF02::1) and is ICMP type 134. RA messages are sent on a periodic basis, but the host sends the RS for an immediate response so it doesn’t have to wait until the next scheduled RA to get what it needs.
What is the problem with Stateless Address Autoconfiguration (SLAAC)?
- With SLAAC, by default, no DNS configuration is returned to the host.
Mastering IPv6 SLAAC Concepts and Configuration
DHCPv6 (Stateful) (IP and Options)
[Reference: Ch. 14 Pg. 559]
- Static
- Stateful DHCP (IP and Options)
- Stateless DHCP (no IP, just Options) [DNS, Domain you belong to.] (Used with SLAAC)
Lab-10: Chapter 14: IPv6
- Using LammleSim
- RouterSim and Packet Tracer do not recognize all of the necessary IPv6 commands.
- You must be in class to get credit for completing this lab.
- You will need your text book for the Hands-on lab instructions.
Read / Do
Assignment #5: IPv6 Zero Omission Rules
- Use the Microsoft Word document to enter your answers: Assignment #5: IPv6 Zero Omission Rules (DocX)
- If you are using the hardcopy, instead of the Microsoft Word template, enter your answers in pencil, in case you have to make changes.
- Make sure to write as neat as possible so that I can read your answers.
- If you use a pen, and you have to make changes, use whiteout instead of crossing out and making a mess.
Read / Do
An EUI-64 (64-bit Extended Unique Identifier) interface identifier is most commonly derived from the interface's 48-bit MAC address.
Example 1:
We usually see the MAC in the following format: 00:90:27:16:fd:0f
- Remember that each pair of hexadecimal characters is 1 byte (8 bits), so 1 hex character is 4 bits.
- Instead of separating each byte with colons, group the bytes into 16-bit (2-byte) fields: 3 fields in total.
- MAC address now looks like: 0090:2716:fd0f
Step 1: Transform the MAC Address
- The MAC address is transformed by inserting fffe in the middle: 0090:27ff:fe16:fd0f
Step 2: Flip the 7th bit (the universal/local bit):
- Flipping the 7th bit gives: 0290:27ff:fe16:fd0f
- The 7th bit of the 1st byte is part of the 2nd hex character: 00 (hexadecimal) = 0000 0000 (binary)
- Flipping the 7th bit of the 1st byte turns 0000 0000 (binary) into 0000 0010 (binary), so 00 becomes 02 (hexadecimal).
Take the first two hex digits (from the left) and write them in binary:
Bit position | 1st | 2nd | 3rd | 4th | 5th | 6th | 7th | 8th
Hex digit | 1st hex digit (bits 1-4) | | | | 2nd hex digit (bits 5-8) | | |
Bit value | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
Original value (00) | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Resulting value (02) | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0
- The interface ID (host portion) of the IPv6 EUI-64 address is: 0290:27ff:fe16:fd0f
- The complete IPv6 EUI-64 address is: 2001:0db8:0:1:0290:27ff:fe16:fd0f
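The two EUI-64 steps above, and the way SLAAC glues the result onto a prefix learned from a Router Advertisement, are shown here as an added example that is not part of the course notes. The code accepts a MAC in colon, dash or Cisco dotted form, inserts ff:fe, flips the universal/local bit, forms the link-local address (fe80::/64) and a global address from a /64 prefix, and also reverses the process, which is what you do when an IPv6 address in a log has to be traced back to a NIC. The MAC and the 2001:db8:0:1::/64 prefix are the ones used in the worked example above; everything else is constructed.

```python
"""EUI-64: build the interface ID from a MAC address, then link-local and global addresses."""
import ipaddress


def mac_bytes(mac):
    """Accept 00:90:27:16:fd:0f, 00-90-27-16-fd-0f or 0090.2716.fd0f."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    b = bytes.fromhex(digits)
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return b


def eui64_interface_id(mac):
    """Step 1: split the MAC in half and insert ff:fe.
    Step 2: flip the 7th bit of the first byte (the universal/local bit, value 0x02)."""
    b = mac_bytes(mac)
    eui = bytearray(b[:3] + b"\xff\xfe" + b[3:])
    eui[0] ^= 0x02
    return ":".join(f"{eui[i]:02x}{eui[i + 1]:02x}" for i in range(0, 8, 2))


def first_byte_bits(mac):
    """The first byte of the MAC before and after the flip, as 8-bit strings."""
    before = mac_bytes(mac)[0]
    return f"{before:08b}", f"{before ^ 0x02:08b}"


def address_from_prefix(prefix, mac):
    """What SLAAC does with a /64 prefix learned from a Router Advertisement:
    prefix (first 64 bits) + EUI-64 interface ID (last 64 bits)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    high = net.network_address.exploded.split(":")[:4]
    return ipaddress.IPv6Address(":".join(high) + ":" + eui64_interface_id(mac))


def link_local(mac):
    """Link-local addresses live in fe80::/64, so the same rule applies."""
    return address_from_prefix("fe80::/64", mac)


def mac_from_eui64(address):
    """Reverse the process: recover the NIC's MAC from an EUI-64 derived address."""
    low = ipaddress.IPv6Address(address).packed[8:]
    if low[3:5] != b"\xff\xfe":
        raise ValueError("interface ID was not derived with EUI-64")
    mac = bytearray(low[:3] + low[5:])
    mac[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    mac = "00:90:27:16:fd:0f"
    print("first byte before/after flip:", first_byte_bits(mac))
    print("interface ID:", eui64_interface_id(mac))
    print("link-local:  ", link_local(mac))
    print("global:      ", address_from_prefix("2001:db8:0:1::/64", mac))
```

The reversibility is the privacy problem with EUI-64: the address carries the hardware address of the NIC, so a host can be tracked across networks. That is why operating systems now default to RFC 4941 privacy (temporary) addresses for outgoing connections; expect those in logs alongside the EUI-64 form.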
Read / Do
Quiz 5 - Fix Me Challenge!
- Hands-on Troubleshooting.
- You'll be given a simulation file, with problems.
- Your task will be to find and fix the errors in the configuration.
Preparation
- Boot into our server partition
- Load Packet Tracer.
- Make sure it is v7.1
- If it's not v7.1 or newer, then download and install v7.1
- Open a Web browser to the top of our Class Web page.
Tips
- Do not remove OSPF from any of the routers!
- You may need to remove/change/add network(s) from/to OSPF.
- You must manually remove incorrect networks from the routing protocol
- Do not change the Router ID in OSPF on any of the routers!
- Verify that all IP addresses and all network addresses are correct.
- Verify that all the subnet masks, and OSPF wildcard masks are correct.
- If a DHCP client/host is not pulling updated settings from the DHCP server, use the ipconfig /renew command on that host.
- You must set the clock rate to 9600 on the DCE interfaces.
- But fix any routing protocol issues first.
- If you don't know why you're changing a parameter, then you should not change it. Don't guess.
- Use the network diagram to compare to the simulation.
- Use the help built-in to Cisco IOS. e.g. show ?
- If you modify anything outside of what is expected in the simulation, you'll never get to 100%.
Read / Do
News and Tools
Quiz 5 Troubleshooting Challenge Hands-on Lab Debriefing
- A walkthrough of the thinking process to diagnose, isolate, and correct the issues in the lab.
Hands-On Lab
- You must be in class to get credit for completing this lab.
Read / Do
Thurs. May 17, 2018: No Class (Classes Follow Wednesday Schedule) |
Top /
Home
|
Read / Do
Books
Mark Russinovich (SysInternals.com)
Final Exam
(Note: This outline of the final exam may change, so check often for updates.)
The final exam includes, but is not limited, to the following:
Chapter 13: Network Address Translation (NAT)
Network Address Translation (NAT) allows many inside IP addresses to be represented by some smaller number of outside/public IP addresses.
Types of NAT, and how they work:
- Static
- Dynamic
- Port Address Translation (PAT) a.k.a. NAT Overload
- What type of address translation can use only one address to allow thousands of hosts to be translated globally?
- In the following output, what type of NAT is being used?
ip nat pool todd-nat 170.168.10.10 170.168.10.20 netmask 255.255.255.0
- Instead of the netmask command, you can use the _____________ statement.
NAT terms
- An inside local address is before or after translation?
- An inside global address is before or after translation?
- Outside Local
- Outside Global
CCNA CCNP Training - No confusion with IP NAT Inside Outside Local Global
- Using ACLs with NAT
- What are the Cisco IOS commands to define the NAT ACL, and then to apply the ACL to an interface?
- Configure and verify NAT for given network requirements
- NAT Diagnostic Commands and output
- What command will show you the translation table?
- What command can you use to show the NAT translations as they occur on your router?
- What command will clear all your NAT entries from the translation table?
- Which command can be used for troubleshooting and displays a summary of the NAT configuration, as well as counts of active translation types, and hits to an existing mapping?
- What commands must be used on your router interfaces before NAT will translate addresses?
- Once you create a pool for the inside locals to use to get out to the global Internet, what is the command to allow them access to the pool?
- Operation of IP Data Networks
- Predict the data flow between two hosts across a network
- Identify the basic operation of NAT
- Purpose
- Pool
- Static
- one-to-one
- Overloading
- Source addressing
- One-way NAT
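Overloading, the translation table, and why NAT is one-way (outside hosts cannot initiate a connection to an inside local address) are the points the final exam outline above keeps circling back to. As an added example, not from the course notes or from Cisco IOS, here is a model of PAT: many inside local addresses (the Corp and SF LANs from the Lab-07 table) share one inside global address, the NAT ACL decides what gets translated, return traffic is matched against the table, and anything unsolicited from the outside is dropped. The public addresses 203.0.113.1 and 198.51.100.10 are documentation addresses chosen for the example.

```python
"""Port Address Translation (NAT overload): many inside locals behind one inside global."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    def __init__(self, inside_global, nat_acl_networks, first_port=1024):
        self.inside_global = inside_global                # the single public address
        # What the ACL named in 'ip nat inside source list ... overload' permits.
        self.nat_acl = [ipaddress.ip_network(n) for n in nat_acl_networks]
        self.table = {}                                   # (inside global ip, port) -> inside-local Flow
        self.next_port = first_port

    def permitted(self, ip):
        """Only traffic matching the NAT ACL is translated; the rest is routed as-is."""
        return any(ipaddress.ip_address(ip) in net for net in self.nat_acl)

    def outbound(self, flow):
        """inside -> outside: inside local becomes inside global; the source port is made unique."""
        if not self.permitted(flow.src_ip):
            return flow
        for (g_ip, g_port), inside in self.table.items():   # reuse an existing entry
            if inside == flow:
                return Flow(g_ip, g_port, flow.dst_ip, flow.dst_port)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(self.inside_global, port)] = flow
        return Flow(self.inside_global, port, flow.dst_ip, flow.dst_port)

    def inbound(self, flow):
        """outside -> inside: only a reply to an existing translation is let through.
        Unsolicited inbound traffic has no table entry and is dropped (one-way NAT)."""
        inside = self.table.get((flow.dst_ip, flow.dst_port))
        if inside is None or (inside.dst_ip, inside.dst_port) != (flow.src_ip, flow.src_port):
            return None
        return Flow(flow.src_ip, flow.src_port, inside.src_ip, inside.src_port)

    def translations(self):
        """Rows in the spirit of 'show ip nat translations': inside global, inside local, outside."""
        return [(f"{g}:{p}", f"{f.src_ip}:{f.src_port}", f"{f.dst_ip}:{f.dst_port}")
                for (g, p), f in self.table.items()]

    def clear(self):
        """What 'clear ip nat translation *' does to the table."""
        self.table.clear()


if __name__ == "__main__":
    r = PatRouter("203.0.113.1", ["10.10.10.0/24", "192.168.10.0/24"])
    r.outbound(Flow("10.10.10.5", 40000, "198.51.100.10", 80))
    r.outbound(Flow("192.168.10.7", 40000, "198.51.100.10", 80))
    for row in r.translations():
        print(row)
```

Two hosts that happen to pick the same source port still get distinct inside global ports, which is the whole trick behind overloading. The security caveat is that the "one-way" property is a side effect of the table, not a firewall policy: any translation a compromised inside host creates is a hole that its peer on the outside can use for as long as the entry lives.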
Chapter 14: Internet Protocol Version 6 (IPv6)
- What are the three categories / transmission types of IPv6 addresses and how do they work?
- What are the types of IPv6 addresses?
- Which types of IPv6 addresses can't be routed at all, not even within your organization/LAN?
- Define and use IPv6 Zero Omission Rule 1 and Rule 2
- Stateless Address Autoconfiguration (SLAAC)
- What is the Cisco IOS command to enable IPv6 on a Cisco router?
- OSPFv3
- What is the command to configure OSPFv3 on a router?
- In global configuration mode?
- In interface configuration mode?
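As an added study example for the zero omission rules above (not part of the original course notes), the Python below applies Rule 1 (drop leading zeros in each 16-bit group) and Rule 2 (replace one run of consecutive all-zero groups with "::"), and expands a compressed address back to its full form. It follows the RFC 5952 convention that "::" is used only for a run of two or more zero groups and that the longest run, or the first on a tie, is the one compressed; the sample addresses are constructed.

```python
"""IPv6 zero omission rules, implemented by hand and checked against the
standard library. Added example with constructed sample addresses."""
import ipaddress


def rule1_drop_leading_zeros(groups):
    """Rule 1: drop leading zeros in every group, keeping at least one digit."""
    return [g.lstrip("0") or "0" for g in groups]


def longest_zero_run(groups):
    """Return (start, length) of the longest run of '0' groups, or (None, 0).
    The first run wins a tie, as RFC 5952 requires."""
    best_start, best_len = None, 0
    i = 0
    while i < len(groups):
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    return best_start, best_len


def compress(full: str) -> str:
    """Apply Rule 1 then Rule 2 to an address written as eight groups."""
    groups = full.lower().split(":")
    if len(groups) != 8:
        raise ValueError("expected the full 8-group form")
    groups = rule1_drop_leading_zeros(groups)
    start, length = longest_zero_run(groups)
    if length < 2:                       # Rule 2 needs at least two zero groups
        return ":".join(groups)
    left = ":".join(groups[:start])
    right = ":".join(groups[start + length:])
    return f"{left}::{right}"


def expand(compressed: str) -> str:
    """Reverse both rules: restore the omitted zero groups and zero-pad each group."""
    if "::" in compressed:
        left, right = compressed.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        groups = lg + ["0"] * (8 - len(lg) - len(rg)) + rg
    else:
        groups = compressed.split(":")
    if len(groups) != 8:
        raise ValueError("malformed address")
    return ":".join(g.zfill(4) for g in groups)


def check_against_stdlib(full: str) -> bool:
    """Confirm the hand-written rules agree with ipaddress.IPv6Address."""
    return compress(full) == ipaddress.IPv6Address(full).compressed


if __name__ == "__main__":
    sample = "2001:0db8:3c4d:0012:0000:0000:1234:56ab"   # constructed
    print(compress(sample))
    print(expand(compress(sample)))
```

Note that a single zero group is left alone and that "::" may appear only once, since otherwise the reader could not tell how many groups each run stands for.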
Chapter 15: Enhanced Switched Technologies
- Spanning Tree Protocol (STP)
- What is the main purpose of the Spanning Tree Protocol in a switched LAN?
- Loop avoidance
- Preventing broadcast storms
- Convergence (on switches)
- Name the four Spanning-Tree port states
- Disabled is not one of the four states; technically it is not a transition state. A port that is administratively disabled does not participate in frame forwarding or in STP, so it is effectively nonoperational.
- Bridge Protocol Data Units (BPDU)
- Root bridge
- Non-root bridges
- Bridge ID
- Port cost
- Path cost
- Switch Port Roles
- How do you determine the "root bridge" of each VLAN?
- What command shows the status of your STP network and root bridges?
- (RSTP) Rapid Spanning Tree Protocol
- IEEE 802.1w
- Understand what PortFast and BPDU Guard provide
- Understand what EtherChannel is and how to configure it
- Know the port-specific roles that STP assigns to each port on a switch/bridge, and how each functions.
- Designated
- Root
- Alternate
- Blocked port
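To work through how the root bridge of each VLAN is determined, here is an added Python example (not from the course notes). With per-VLAN spanning tree a switch advertises one bridge ID per VLAN: the configured priority plus the VLAN number (the extended system ID), followed by the switch MAC address. The lowest bridge ID wins, and when priorities tie the lowest MAC address wins, which is why an unplanned network usually ends up with the oldest switch as root. Switch names, MAC addresses and priorities are constructed.

```python
"""Per-VLAN root bridge election. Added example with constructed switches."""
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768   # default bridge priority


@dataclass
class Switch:
    name: str
    mac: str                                          # e.g. "0011.2233.4455"
    priorities: dict = field(default_factory=dict)    # vlan -> configured priority

    def bridge_id(self, vlan: int):
        """(priority + extended system ID, MAC as an integer); lower wins.
        With the default priority the VLAN 1 value is 32769."""
        prio = self.priorities.get(vlan, DEFAULT_PRIORITY) + vlan
        mac_int = int(self.mac.replace(".", ""), 16)
        return (prio, mac_int)


def elect_root(vlan: int, switches):
    """Return the switch with the lowest bridge ID for this VLAN."""
    return min(switches, key=lambda s: s.bridge_id(vlan))


def demo():
    # Constructed topology: SW2 has been deliberately preferred for VLAN 10 only.
    sw1 = Switch("SW1", "0011.2233.aaaa")
    sw2 = Switch("SW2", "0011.2233.bbbb", {10: 4096})
    sw3 = Switch("SW3", "0011.2233.0001")   # lowest MAC, wins every untuned VLAN
    switches = [sw1, sw2, sw3]
    return {vlan: elect_root(vlan, switches).name for vlan in (1, 10, 20)}


if __name__ == "__main__":
    for vlan, root in demo().items():
        print(f"VLAN {vlan}: root bridge is {root}")
```

The point of the per-VLAN priority is visible in the result: lowering the priority on one switch changes the root for that VLAN only, while every VLAN left at the default falls back to the MAC tie-break.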
- Switch Port Security
- Switch Port Violation Modes
- Protect
- Restrict
- Shutdown
- Which switch port violation modes will alert you via SNMP that a violation has occurred on a port?
- show ip interface brief
- What would the "port" and "protocol" columns display if an interface was not enabled?
- What would the "port" and "protocol" columns display when an interface is "shutdown?"
- What would the "port" and "protocol" columns display if an interface is enabled, and configured, but the other end of the connection was shutdown?
- What would the "port" and "protocol" columns display if an interface is enabled, and configured, but the interface was not connected to another device?
- What would the "port" and "protocol" columns display for a Serial DCE interface, where the clock rate was not set or was zero?
Recommended Web Sites and Books
Copyright ©1996 - 2018 Chin. All Rights reserved. Reproduction without explicit permission is prohibited. See: Terms of use