
Multicasting:- It is one-to-many communication.

eg:- internet radio, video conferencing, music on hold

(224.0.0.0 - 224.0.0.255 = link local, 224.0.1.0 - 238.255.255.255 = public multicast, 239.0.0.0 - 239.255.255.255 = private multicast. Examples of link local multicast IPs: 224.0.0.9 RIPv2, 224.0.0.10 EIGRP, 224.0.0.1 all hosts in a segment, 224.0.0.2 all routers in a segment)

(Multicast IPs in IPv6: ff01:: single interface. Private multicasts like site local ff05::, which is used between routers within a branch, and organizational ff08::, which is used between branches over VPN tunnels. Global multicast ff0e::. Link local ff02::. Examples of link local addresses: FF02::5 and FF02::6 OSPF, FF02::A EIGRP, FF02::9 RIPng, FF02::8 IS-IS, FF02::D PIM, FF02::16 MLDv2, FF02::1 all hosts, FF02::2 all routers)

Igmp:- It is a messaging protocol used in communication between multicast host and multicast router.

(IGMP ver3 is used for source specific multicast. It supports authentication and other security features. The commonly used version is ver 2. IGMP ver 2 messages: membership report msg, ver1 membership report msg, leave group msg, query msg)

Multicast Network designs:- 1. source tree- used in small networks. Everyone contacts the source directly since everyone knows the source IP. 2. shared tree- used in large environments. There is a central point called the RP; only the RP knows the multicast source address.

RP:- Rendezvous point is a router which controls all multicast messages (request messages and
source information messages)

(RP types in IPv4- static RP, auto RP (cisco), BSR (open). In IPv6- static, BSR, embedded RP)

(Auto rp-cisco proprietary method in which all routers automatically get rp information via multicast
address 224.0.1.40(used by mapping agent). Candidate rp use 224.0.1.39)

(auto rp listener- if we want to use sparse mode for auto-rp, we should use this command. Otherwise
we can use only sparse-dense mode)

(BSR- open standard technology based on PIMv2 in which there are 2 router roles: BSR and RP candidate. The BSR does the election of the RP and advertises the RP address)

PIM:- Pim is an open standard multicast routing protocol. It is responsible for exchanging multicast
messages between routers

(dense mode- uses the source tree architecture. It doesn't use RPs. It sends multicast streams without a request. Sparse mode- uses the shared tree architecture. It sends streams only when it receives a request. In IPv6 PIM, only sparse mode exists)

RPF:- RPF verifies that the multicast packets are coming in on the interface which is the best path to reach the multicast source. Otherwise routers reject the packets.

Multicast BGP:- It is used to avoid RPF verification. When you enable multicast BGP, the multicast packets can travel through any route.

Msdp:- It is an open standard protocol used to advertise multicast source address between 2
rendezvous points in 2 AS.

(It uses Source Active(SA) messages between msdp peers to inform about multicast source. They also
exchange multicast request messages )

Anycast Rp:- It is used for redundancy and load-balancing in a network.

Mld:- Multicast Listener Discovery is the replacement of igmp used in ipv6 network for the
communication between multicast host and multicast router.

(mld ver 1 is based on igmp ver2, mld ver 2 is based on igmp ver3)

Embedded RP:- It's a simple method to convey the RP address in a multicast network. In this method, the RP address is embedded in the multicast group id.

Bidirectional pim:- In this method, all communication is passing through Rp since no router learns
about multicast source ip

Source specific multicast:- This technology doesn’t require a rendezvous point since source ip address is
included in the membership report message (doesn’t need an rp to get the source ip information)

(We should use igmp v3. It supports only one multicast range which is 232.0.0.0/8)

Ipv6 and ipv4 integration:- There are methods like Dual stack, Tunnels, NAT-PT

Dual Stack:- Configuring ipv6 and ipv4 on a single router

Tunnels:- GRE, ipv6ip, 6to4 automatic tunnel. With an automatic tunnel we don't need to configure static point-to-point tunnels, so we save on the number of tunnel interfaces in our dual stack router and lower the administrative burden.

(6to4 tunnel:- we don't specify a tunnel destination. The router learns the tunnel destination (the loopback IP of the branch router) from the destination IPv6 address (eg, when pinging a tunnel/LAN IPv6 IP), because the 2nd and 3rd portions of the destination IPv6 address contain the loopback IP. The loopback IP is an IPv4 address; we convert it to hexadecimal and add it to the IPv6 address, and the loopback IP is used as the tunnel source/destination. The IPv6 addresses of the LAN and tunnels must follow this rule so that they contain the loopback IPv4 IP. IANA has reserved 2002::/16 for this purpose.)

NAT-PT:- It is used to translate IPv6 addresses into IPv4 and vice versa. This is the only method which permits communication between an IPv4-only network and an IPv6-only network. There are 2 methods: static and dynamic.

(working:- Both source IP and destination IP are changed by the dual stack router on which the NAT configuration is done. If a packet travels from the IPv4 network to the IPv6 network, the source IP and destination IP (which is the assigned IPv4 address of an IPv6 router) are changed to IPv6 by the NAT router.)

Name Resolution:- It's a simple technique by which we can use names for communicating with
other devices

Policy Based Routing:- It is used to select a best path from multiple paths. It can be used for
redundancy and load balancing. It overrides the dynamic routing protocol.

(pbr's place is between static route and dynamic route)

IP SLA:- IP SLA is an open standard proactive testing system. It generates different types of packets for testing reachability and state.

(It supports ICMP, HTTP, FTP, ... eg:- we can use ICMP echo for verifying reachability)

Tracking:- It is a testing tool which can verify the status of interfaces, reachability of a network and
can even be used with routing protocols and methods to manipulate best path calculation.

(eg:- we can generate icmp echo using ip sla. And we can use track object to track ip sla for verifying
reachability)

URPF:- If the router finds that the received packet's source IP is reachable via another path, the packet will be rejected.

(Used to prevent IP spoofing attacks. 2 modes: loose mode- accept the packet if the source IP is found in the routing table; strict mode- the router accepts the packet only after verifying both the incoming interface and the routing table entry)
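The loose and strict checks above, simulated as an added example (not from the notes): the routing table, interface names and packet trace are constructed, and the default route only satisfies the check when allow_default is set, mirroring the allow-default option on IOS.

```python
import ipaddress

# Constructed routing table: prefix -> outgoing interface (hypothetical names).
ROUTING_TABLE = {
    "10.0.0.0/8": "Gi0/1",        # internal network
    "192.168.1.0/24": "Gi0/2",    # internal LAN
    "0.0.0.0/0": "Gi0/0",         # default route toward the ISP
}


def best_route(addr: str):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTING_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_accept(src: str, in_iface: str, mode: str, allow_default: bool = False) -> bool:
    """Apply the check from the notes to one packet.
    loose : a route back to the source exists in the routing table.
    strict: that route also points out the interface the packet came in on.
    A match on the default route only counts when allow_default is set."""
    route = best_route(src)
    if route is None:
        return False
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return iface == in_iface
    raise ValueError(f"unknown uRPF mode {mode!r}")


def dropped(packets, mode: str, allow_default: bool = False):
    """Return the (src_ip, incoming_interface) packets that fail the check."""
    return [p for p in packets if not urpf_accept(p[0], p[1], mode, allow_default)]


# Constructed trace: the last two claim internal sources but arrive on the ISP link.
SAMPLE = [("10.2.3.4", "Gi0/1"), ("192.168.1.7", "Gi0/2"), ("203.0.113.9", "Gi0/0"),
          ("10.9.9.9", "Gi0/0"), ("192.168.1.250", "Gi0/0")]
```

Loose mode passes the two spoofed packets in SAMPLE because a route to their source exists; strict mode drops them because that route points out a different interface.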

Distribute list,route-map:- Used to filter traffic

(A distribute list (ACL + distribute-list command) is used to filter network information passed to another router. It is implemented in the routing configuration (so filtering works during redistribution also). A prefix list/ACL can be used with a route-map to filter network information when the networks are redistributed (in the case of BGP, we can apply it on the neighbor command also). A prefix list alone can filter in the case of BGP and is applied as a neighbor command)

Qos:- Quality of Service (QoS) refers to the capability of a network to provide better service to
selected network traffic

Marking:- Marking is the process of setting a value in the packet header; based on these values, the packets are prioritized.
(layer 2 marking- CoS (class of service); layer 3 marking- ToS (type of service) or differentiated services field, which is of two types 1. IP precedence marking (old one) 2. DSCP marking)

(DSCP marking:- contains 3 sections. 1. PHB (per hop behaviour)- it is equal to the IP precedence value, eg: AF4. 2. DP (drop probability)- contains values 1, 2, 3, and lower is better. 3. ECN (explicit congestion avoidance)- used for congestion avoidance)
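As an added example (not from the notes) of how these sections sit in the header byte, the Python below splits a ToS byte into DSCP and ECN, splits the DSCP into its class and drop precedence, names the PHB using the standard AF/CS/EF layout, and rebuilds the byte a marking policy would write:

```python
def phb_name(dscp: int) -> str:
    """Map a 6-bit DSCP value to its PHB name: EF, CSx, AFxy, or the raw value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    cls, dp, low = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if dscp == 46:
        return "EF"                       # expedited forwarding, e.g. voice
    if dp == 0 and low == 0:
        return f"CS{cls}"                 # class selector; CS0 is best effort
    if 1 <= cls <= 4 and 1 <= dp <= 3 and low == 0:
        return f"AF{cls}{dp}"             # assured forwarding, e.g. AF41 = 34
    return f"DSCP{dscp}"


def decode_ds_byte(tos: int) -> dict:
    """Split the IPv4 ToS byte (IPv6 Traffic Class) as the notes describe:
    top 6 bits DSCP, bottom 2 bits ECN; inside the DSCP the top 3 bits are
    the class (the same bits as IP precedence) and the next 2 bits are the
    drop precedence, where a lower value is dropped later under WRED."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS byte must be 0..255")
    dscp = tos >> 2
    return {"dscp": dscp, "ip_precedence": dscp >> 3,
            "drop_precedence": (dscp >> 1) & 0b11, "ecn": tos & 0b11,
            "phb": phb_name(dscp)}


def af_dscp(cls: int, dp: int) -> int:
    """DSCP value for AF class cls (1..4) with drop precedence dp (1..3)."""
    if not (1 <= cls <= 4 and 1 <= dp <= 3):
        raise ValueError("AF classes are 1..4, drop precedence 1..3")
    return (cls << 3) | (dp << 1)


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """Reassemble the byte a marking policy writes into the header."""
    return (dscp << 2) | (ecn & 0b11)
```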

NBAR:- It is the process of categorizing the traffic based on protocols

NBAR (Network Based Application Recognition) protocol discovery:- It is a monitoring feature which can collect statistics of the traffic passing through the router. It shows protocols, number of packets and bandwidth usage for five minutes.

(Similar command to find no.of packets of different types of protocols ‘sh interface <i/f no> accounting’)

MQC:- qos configuration steps are collectively known as mqc

(contains 3 steps: class map, policy map, service policy )

Queuing:- Queuing is the process of holding excess traffic in the router memories.

(2 types. h/w queue:- it's a small buffer memory attached to the interface. It uses FIFO. s/w queue:- if the h/w queue is full, the router stores the additional packets in its RAM)

(s/w queues:- 1. FIFO- default queuing method of ethernet interfaces. 2. Priority Queue- high, medium, normal and low priority categories; high priority is served first. 3. Custom Queue- uses a round robin algorithm, assures a bandwidth guarantee. 4. Weighted fair queue- default queuing method of serial interfaces. 5. Class based weighted fair queuing- combination of WFQ and custom queue. It offers a bandwidth guarantee, but no delay guarantee. Once bandwidth is selected for certain traffic, all other traffic is under weighted fair queue. 6. Low Latency Queuing- combination of PQ, WFQ and custom queue. We can reserve bandwidth and priority for selected traffic. Thus it provides bandwidth and delay guarantees. All other traffic is forwarded using WFQ.)

Tail drop:- Once the hardware and software queue is full, subsequent packets will be dropped. This
is called tail drop

Random Early Detection:- It is an open standard technology which randomly deletes the packets
from the queue for congestion avoidance. It deletes priority packets also

(Weighted RED: Cisco proprietary protocol which identifies priority traffic based on marking values so that packets from the priority queue will not be deleted)

Policing:- Policing is used for restricting the bandwidth of unwanted traffic. It will drop the excess traffic when we create a police limit. It can be used to restrict management and control traffic.
(actions: conform- transmit, exceed- transmit/drop/remark, violate- drop)

Shaping:- Shaping is an output policy used to maintain speed of outgoing traffic. It is used to
maintain a steady output traffic within the cir limit (set by isp)

(1.shape avg: If traffic is controlled within cir. 2.shape peak: If traffic is controlled above cir)

Nesting:- Nesting is the process of applying a policy map inside another policy map. The queuing policy map is applied inside the policy map created for shaping.

Auto QoS:- The router automatically creates all the class maps and policy maps and prioritizes some traffic.

(2 types 1. auto qos for voip 2. auto discovery qos- the router inspects all the traffic and decides the priority traffic. By default, we can reserve only 75% of total bandwidth. We can manually increase this reservation limit using an interface level command)

VPN:- VPN is a network technology used to connect to a private network securely over the Internet.
2 types: Remote access VPN, Site-to-site VPN

Ipsec:- Ipsec is an industry standard framework containing different protocols and algorithms for
securing network. It offers data integrity(hashing), confidentiality(encryption), authentication

(Security protocols used in IPsec are AH and ESP. AH and ESP support authentication, hashing and anti-replay (using sequence numbers). ESP is the newer one which supports encryption also.)

(Authentication- process of verifying the credentials of a person/device. Credentials can be username&password, digital signature, fingerprint ..

Encryption- It is the process of transforming data from one form to another. 1. symmetric- eg: DES, 3DES, AES 2. asymmetric- one key used for encryption and another key for decryption. eg: RSA

Hashing- It is used to check for errors in data while traveling from one location to another. It is used to ensure data integrity. eg:- SHA/MD5)

Negotiation protocols:- Protocols responsible for establishing, maintaining and terminating a vpn
session. eg:- ISAKMP, IKE (Internet key exchange), GDOI

(Phase 1 configuration is used to secure the pre-shared key; for that we create an ISAKMP policy. Phase 2 configuration is used to secure data (transform set creation). Phase 3 configuration is used to combine the access-list and transform set using a crypto map and apply the crypto map on an interface, OR it is used to create a profile (to which we apply the transform set) and apply the profile on a tunnel interface)

GRE:- It is an open standard tunneling protocol used to connect 2 locations over the Internet.

Static vti vpn:- It is a point-point vpn which uses ipsec tunnels

Ipsec site-site vpn:- It is a point-point vpn which uses ipsec tunnel

(Communication b/w private networks happens through the ipsec tunnel. We don’t create tunnel interfaces)

Dmvpn:- It is a new vpn technology which is usually used in hub&spoke networks

(DMVPN depends on 3 features: multipoint GRE, NHRP and IPsec.

Multipoint GRE- A single multipoint GRE tunnel can build connections to multiple sites.

NHRP- NHRP is used to resolve the public IP from the tunnel IP. There are 2 types of routers based on NHRP: NHC and NHS, next hop client and next hop server. The NHS will have the NBMA address.

DMVPN modes. 1. hub and spoke- even the communication to the other spoke passes through the hub. 2. spoke-to-spoke- spokes can directly communicate with each other)

GETVPN:- It is a new VPN technology which is more flexible and scalable. It doesn't use any tunnel, so it is used to secure MPLS networks.

(MPLS networks already provide data separation and connectivity.

Key server- the key server is responsible for providing encryption keys and policies. It periodically sends refreshed keys to the group members. Group member- It is usually found in the branch office)

IKE GDOI- Modified version of isakmp. It is responsible for secure communication between KS and group
member.

(It uses RSA. It offers 2 different keys. KEK- It is used to secure the rekey between the key server and group members (using RSA keys, the KS encrypts the key exchange with the group members). TEK- It is used to encrypt the data traffic between group members.

Rekey- The KS periodically refreshes the encryption keys and new keys are sent at a specific time period. This process is rekey.)

(GDOI uses udp port number 848. IKE uses udp 500 )

BGP:- Border Gateway Protocol (BGP) is an exterior gateway protocol used to exchange routing
information among autonomous systems (AS) on the Internet

BGP next-hop processing:- iBGP routers don't change the next hop IP in routing updates. To solve this, we should use the next-hop command.

BGP synchronization:- The synchronization rule is used to prevent routing updates between iBGP routers. If the rule is enabled, iBGP can't exchange routing updates.

eBGP multihop:- iBGP routers can build a neighborship with another router even if it is not directly connected, but eBGP routers can't. To support this feature, we can use this command.

Ibgp split-horizon rule:- An ibgp router doesn’t forward update to another ibgp router if it is originally
learned from an ibgp neighbor.

(We can’t disable this feature, but we have solutions for it like 1. full mesh topology 2. route-reflector- the route-reflector feature allows forwarding routing updates between iBGP routers. This is done on an iBGP router itself.

3. confederation- We can configure private ASs inside the primary AS to make the routers act as eBGP routers even though they are iBGP routers. Thus we can avoid the split-horizon problem)

BGP Attributes:- 1.Well known (mandatory&discretionary) 2.optional (transitive&nontransitive)

(Well known (open standard): 1. mandatory attributes (next hop, AS path, origin), which are present with every route 2. discretionary attributes, which may or may not be included with routing updates.

There are optional attributes (may be cisco proprietary) which fall into 2 groups. 1. transitive- the BGP router accepts the routing update even if the router doesn’t understand the attribute. 2. non transitive- the BGP router doesn’t accept a routing update with non transitive attributes if the router doesn’t understand them.

Path selection criteria- 1.prefer reachable next hop 2.highest weight 3.highest local preference......

Community attributes- 1.no-advertise (route will not be published) 2.local AS (within a single private AS)
3.No-export (route can travel between confederations, still can’t cross the Primary AS. Ie, route can
travel between private ASs) 4.Internet(route can travel to another AS) )

Peer Group:- It is a group of BGP routers. If there are multiple neighbors with identical BGP configuration, you can add these neighbors to a group.

Supernetting:- It is a way to aggregate IP addresses of the same class. It is also called CIDR (classless inter-domain routing). It is called so since we can use any prefix length for any class; we don’t consider the class of IPs. Eg:- we can use even a /23 mask for a class C network.

BGP Aggregation:- Aggregation is the summarization of routes

(Atomic aggregate- Used to tell the next router that the route is a summarized route

Aggregator- Used to add router-id and AS number of the router that performs aggregation)

VRF:- Vrf is a technique that virtually divides a router into multiple logical sessions. Each logical
session is known as vrf

Route-distinguisher:- When we create a vrf, we should add a unique number in it. It is called route
distinguisher. It is used to recognize routes in a bgp table

(It is a number in ASN:nn or IP-address:nn format. It is configured in vrf)

Route-target:- It is used for exporting routes from vrf to bgp, import routes from bgp to vrf.

(It is a number in ASN:nn or IP-address:nn format. It is configured in vrf)


Packet switching:- process switching (ARP is sent each time), fast switching (uses cache memory; ARP is used only the first time), CEF (cisco proprietary. FIB- summary copy of the routing table. Adjacency table, AT- contains the MAC addresses of next hop devices. Routers pre-build the AT)

MPLS:- MPLS is an open standard WAN technology created by IETF which increases the speed and
performance of network while reducing resource utilization

(The packet is forwarded based on a 32 bit label. This label is inserted between the layer 3 and layer 2 headers, so some people call this a layer 2.5 technology.

MPLS tables- FIB, LIB (labels are stored in the LIB. It contains the local label and labels created by neighbors), LFIB (when a packet arrives, the MPLS router verifies this table and forwards the packet according to it. This table contains n/w address, incoming label, outgoing label, outgoing i/f).

MPLS routers:- CE, Edge LSR (provider edge router)- router located at the edge of the service provider, responsible for label imposition and disposition, LSR (label switch router)- MPLS core router responsible for label swapping)

LDP:- Protocol responsible for exchanging labels between MPLS neighbors. TDP (tag distribution protocol), which is cisco proprietary, and LDP (label distribution protocol).

MPLS VPN:- It is the combination of mpls, multiprotocol bgp, vrf. It provides data separation, provides
any to any connectivity between multiple locations.

IS-IS:- It is an open standard link-state dynamic routing protocol. The old IS-IS was redesigned by IETF and is known as Integrated IS-IS (based on TCP/IP like all other protocols in use now; it uses IP addresses, while the old one was based on OSI and used CLNP (connectionless n/w protocol) addresses).

L1 router- can't communicate with routers in another area. L2 router- can communicate with routers in other areas by communicating with L2 routers. L1/L2- used as a border router.

NSAP (Network service access point) address- also known as NET (n/w entity title) address, used with integrated IS-IS. It is of length 20 bytes. It contains 3 fields. a. NSAP selector (NSEL)- it is always set to 0 and is 1 byte long. b. system id- 6 byte portion which represents a device. c. area id (usually we use 3/4 bytes even though we can expand this field up to 13 bytes)
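The three NET fields described above, parsed as an added example that is not part of the notes. Fields are taken from the right (NSEL, then the 6-byte system id, the rest is the area id); the NET values are constructed, and the system-id-from-IPv4 convention is a common practice assumed here rather than something the notes state.

```python
import re


def _dotted(hexstr: str, afi_first: bool = False) -> str:
    """Group a hex string into 4-digit blocks; an area ID keeps its leading
    1-byte AFI as its own block (49.0001 style)."""
    parts = []
    if afi_first:
        parts.append(hexstr[:2])
        hexstr = hexstr[2:]
    parts += [hexstr[i:i + 4] for i in range(0, len(hexstr), 4)]
    return ".".join(p for p in parts if p)


def parse_net(net: str) -> dict:
    """Split an IS-IS NET into its 3 fields, reading from the right:
    1 byte NSEL (must be 00 for a NET), 6 bytes system ID, and the rest is
    the area ID (1..13 bytes, so the whole address is at most 20 bytes)."""
    digits = net.replace(".", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", digits) or len(digits) % 2:
        raise ValueError(f"{net!r} is not a dotted hex byte string")
    nbytes = len(digits) // 2
    if not 8 <= nbytes <= 20:
        raise ValueError(f"NET must be 8..20 bytes long, got {nbytes}")
    nsel = int(digits[-2:], 16)
    if nsel != 0:
        raise ValueError(f"NET must end in NSEL 00, got {nsel:02x}")
    return {"area": _dotted(digits[:-14], afi_first=True),
            "system_id": _dotted(digits[-14:-2]),
            "nsel": nsel, "length_bytes": nbytes}


def system_id_from_ipv4(addr: str) -> str:
    """Assumed convention (not from the notes): zero-pad each octet to 3
    digits and regroup the 12 digits into 3 blocks of 4."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return _dotted("".join(f"{o:03d}" for o in octets))


def same_area(net_a: str, net_b: str) -> bool:
    """True when two routers share an area, i.e. an L1 adjacency is possible."""
    return parse_net(net_a)["area"] == parse_net(net_b)["area"]
```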

IS-IS network types:- point-to-point, BMA, NBMA. In BMA and NBMA, a DIS (designated IS) router is selected and the DIS exchanges routes. Routing updates are called LSPs (link state packets).

Securing management traffic

Securing management traffic- 1. permit only safe source IPs using an access-list (access-class command in line vty) 2. change the port number of telnet using the rotary command (only telnet’s port number can be changed) 3. assign a management interface (and specify the allowed protocols through that interface)

AAA:- AAA is an access control mechanism used to prevent unauthorized access to our network. It
includes authentication(verifying credentials like username&password) ,authorization(control the
actions of a user based on different levels of permissions), accounting(accounting is the process of
keeping track of a user’s activity while accessing a network’s resources, including the amount of time
spent in the network, the services accessed and the amount of data transferred during the session.
Accounting data is used for capacity planning, billing)

Firewall:- A firewall is the thing responsible for traffic filtering. It may be software or hardware
firewall.

Zone based firewall:- It’s an advanced firewall. It divides the network into multiple areas called zones. Different zones will not communicate with each other unless we create zone pairs and apply policies to them.

Intrusion Detection System (IDS):- It is a device used to detect malicious traffic as well as abnormal situations in a network. It verifies every incoming packet and if it finds any problem, it will inform us using syslog messages or SDEE messages (Security Device Event Exchange).
(It can't prevent any traffic since it is not connected inline. A firewall/switch takes a copy of all traffic and sends it to the IDS. eg:- cisco 4215, cisco ios ids)

Intrusion Prevention System (IPS):- It is a device which detects and prevents malicious
traffic/abnormal traffic in a network.

(It is connected as an inline device so that all traffic passes through the IPS. If it detects malicious traffic, it prevents the traffic first, then informs using syslog messages or SDEE.

IPS actions- True positive- IPS detects and prevents attacks. True negative- IPS reports that there is no attack since no attack is happening. False positive- IPS misidentifies some traffic as malicious. False negative- IPS didn't find any attack, but an attack is going on.

eg:- cisco 4240, 4260, 4270, cisco ios ips (router))

Traffic Detection Methods:- 1. Signature based- a signature is a globally unique code of an application. We can store a signature database in the IDS/IPS. 2. policy based 3. anomaly based- anomaly means an abnormal situation 4. reputation based- we can add a list of dangerous IP addresses and domain names, and if any traffic comes from these, the IPS/IDS can prevent it.

Honey pot:- It is a less secure server in our network. It is used to attract attackers so that their attacking style can be observed.

BGP local-AS:- It is used to migrate to different AS number.

(usually used on ISP sides, without any configuration changes on client sides)

Multilink PPP:- It is a load-balancing technique, used between routers.

(For load-balancing, there should be multiple physical links between routers )


BGP backdoor:- This command is used to increase the administrative distance of a particular eBGP route (AD from 20 to 200) so that the particular route is taken from an IGP protocol instead.

Syslog messages:- These are the messages created by a router/switch/firewall which describe important information about the device and its current condition.

(severity levels- 0 emergency, 1 alert, 2 critical, 3 errors, 4 warnings, 5 notifications, 6 informational, 7 debugging. Lower numbers are more important.

For telnet/ssh connections, we need to use the command 'terminal monitor' in privileged mode in order to see syslog messages over the telnet/ssh connection.

We can store the syslog messages in a buffer or on a syslog server)
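As an added example (not from the notes) of working with these severity levels, the Python below parses IOS-style %FACILITY-SEVERITY-MNEMONIC messages, keeps those at or above a chosen level the way a logging level setting would, and counts failed logins per source; the sample lines are constructed, not captured from a device.

```python
import re
from collections import Counter

# Severity names as listed in the notes.
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# IOS-style message body: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
                    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")


def parse_syslog(line: str):
    """Return facility, numeric severity, its name, mnemonic and text for one
    message, or None if the line carries no %FAC-SEV-MNEMONIC tag."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev = int(m["severity"])
    return {"facility": m["facility"], "severity": sev, "level": SEVERITY[sev],
            "mnemonic": m["mnemonic"], "text": m["text"]}


def at_or_above(lines, level: int):
    """Keep messages whose severity number is <= level: a logging level
    setting forwards that level plus everything more severe (lower numbers)."""
    kept = []
    for line in lines:
        msg = parse_syslog(line)
        if msg and msg["severity"] <= level:
            kept.append(msg)
    return kept


def failed_login_sources(lines) -> Counter:
    """Count LOGIN_FAILED messages per source address, a first-pass check
    for password guessing against the management plane."""
    counts = Counter()
    for msg in at_or_above(lines, 7):
        if msg["mnemonic"] == "LOGIN_FAILED":
            src = re.search(r"\[Source: ([0-9a-fA-F.:]+)\]", msg["text"])
            counts[src.group(1) if src else "unknown"] += 1
    return counts


# Constructed sample lines in IOS format (not real device output).
SAMPLE_LOG = [
    "*Mar  1 00:02:15.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "*Mar  1 00:03:01.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:03:09.789: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:03:12.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] "
    "[Source: 198.51.100.9] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:04:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:05:00.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.50 port 514 started",
]
```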

NetFlow:- NetFlow is a service used to collect statistics of network flows. A flow is a continuous stream of packets which share the same 7 criteria: 1. source IP 2. destination IP 3. source MAC 4. destination MAC 5. source interface 6. protocol 7. marking value

(Cisco supported NetFlow versions are 1, 5, 9. IETF has standardized NetFlow as version 10, officially called IPFIX (internet protocol flow information export).

Flexible NetFlow- Modified version of NetFlow which includes 3 components: flow record- responsible for collecting the necessary fields of a traffic flow like i/f, IP address; flow exporter- responsible for sending statistics to the NetFlow collector; flow monitor- the flow record and flow exporter are applied on the flow monitor. It allows us to change cache memory entries and timeouts.)
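The flow definition (the 7 key criteria) and the record/exporter/monitor split above, as an added example that is not part of the notes: a flow cache keyed on those seven fields, an inactive timeout and cache limit standing in for the monitor's cache settings, and an exporter that keeps records instead of sending them to a collector. The packet trace, MAC addresses and interface names are constructed.

```python
from collections import namedtuple

# Key fields = the seven criteria the notes list (in flexible NetFlow the flow record picks them).
FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_mac dst_mac in_iface proto marking")
# Constructed per-packet summary: the key fields plus byte length and timestamp in seconds.
Packet = namedtuple("Packet", FlowKey._fields + ("length", "ts"))


class FlowExporter:
    """Stand-in for the flow exporter: keeps records instead of sending them to a collector."""
    def __init__(self):
        self.records = []

    def export(self, key, stats):
        self.records.append((key, dict(stats)))


class FlowMonitor:
    """Flow cache keyed by FlowKey. inactive_timeout and max_entries stand in
    for the monitor's cache settings (constructed values, not device defaults)."""
    def __init__(self, exporter, inactive_timeout=15.0, max_entries=1024):
        self.exporter, self.cache = exporter, {}
        self.inactive_timeout, self.max_entries = inactive_timeout, max_entries

    def observe(self, pkt):
        self.expire(pkt.ts)
        key = FlowKey(*pkt[:len(FlowKey._fields)])
        entry = self.cache.get(key)
        if entry is None:
            if len(self.cache) >= self.max_entries:
                # Cache full: export the least recently seen flow to make room.
                oldest = min(self.cache, key=lambda k: self.cache[k]["last"])
                self.exporter.export(oldest, self.cache.pop(oldest))
            entry = self.cache[key] = {"packets": 0, "bytes": 0, "first": pkt.ts, "last": pkt.ts}
        entry["packets"] += 1
        entry["bytes"] += pkt.length
        entry["last"] = pkt.ts

    def expire(self, now):
        """Age out flows idle longer than the inactive timeout."""
        stale = [k for k, e in self.cache.items() if now - e["last"] > self.inactive_timeout]
        for key in stale:
            self.exporter.export(key, self.cache.pop(key))

    def flush(self):
        """Export everything still cached (e.g. at shutdown)."""
        for key in list(self.cache):
            self.exporter.export(key, self.cache.pop(key))


def run_sample():
    """Feed a constructed trace through a monitor; returns records in export order."""
    a = ("10.0.0.5", "203.0.113.7", "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:01", "Gi0/1", 6, 0)
    b = ("10.0.0.6", "203.0.113.7", "aa:bb:cc:00:00:06", "aa:bb:cc:00:00:01", "Gi0/1", 6, 0)
    trace = [Packet(*a, 1500, 0.0), Packet(*a, 1500, 1.0), Packet(*b, 64, 2.0),
             Packet(*a, 500, 3.0), Packet(*a, 100, 40.0)]  # last packet arrives after the timeout
    exporter = FlowExporter()
    monitor = FlowMonitor(exporter)
    for pkt in trace:
        monitor.observe(pkt)
    monitor.flush()
    return exporter.records


def bytes_by_source(records):
    """Top talkers: exported bytes per source IP, largest first."""
    totals = {}
    for key, stats in records:
        totals[key.src_ip] = totals.get(key.src_ip, 0) + stats["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```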

SNMP (simple network management protocol):- SNMP is an application layer protocol which is used for managing and monitoring network devices. SNMP uses UDP port numbers 161 (normal SNMP messages) and 162 (SNMP trap messages)

(SNMP components- SNMP server, managed devices, SNMP agent (s/w on the managed device), management information base (MIB)- the database belonging to the SNMP server and client. It contains thousands of object IDs like bandwidth usage, port number, protocol...

SNMP polling- The server sends messages every 60 seconds to the clients asking for information. This process is called polling.

Trapping:- The SNMP client sends information to the SNMP server even without receiving a request.

Versions:- ver1- old; ver2c- popular, uses a community string for authentication; ver3- most secure version since it uses encryption also.)
