CCNA Chapter 3
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Chapter 11 - Sections & Objectives (Cont.)
11.3 Basic Network Performance
• Use common show commands and utilities to establish relative performance baseline for the network.
• Use the output of the ping command to establish relative network performance.
• Use the output of the tracert command to establish relative network performance.
• Use show commands to verify the configuration and status of network devices.
• Use host and IOS commands to acquire information about the devices in a network.
11.4 Network Troubleshooting
• Troubleshoot a network.
• Describe common network troubleshooting methodologies.
• Troubleshoot cable issues and interface issues.
• Troubleshoot issues with devices in the network.
11.1 Network Design
Devices in a Small Network
Small Network Topologies
The majority of businesses are small and typically require small networks consisting of a single router with one or more switches and possibly one or more wireless access points. The business might also have IP phones.
• For the Internet connection, the router will normally have a single WAN connection using DSL, cable, or an Ethernet connection.
Managing a small network is similar to managing a large network:
• Maintenance and troubleshooting of existing equipment
• Securing devices and information on the network
Devices in a Small Network
Device Selection for a Small Network
Regardless of the size, all networks require planning and design to ensure that all requirements, cost factors, and deployment options are considered:
• Cost – The cost of a switch or router is determined by its capacity and features.
• Speed and Types of Ports/Interfaces – Choosing the number and types of ports on a router or switch is an important decision.
• Expandability – Networking devices come in both fixed and modular physical configurations for expandability and flexibility.
• Operating System Features and Services – Features and services should be considered including: security, QoS, VoIP, Layer 3 switching, NAT and DHCP.
Devices in a Small Network
IP Addressing for a Small Network
IP addressing space must be planned when implementing a small network.
Devices in a Small Network
Traffic Management
The types of traffic and how they should be handled should be considered and prioritized in the network design.
Small Network Applications and Protocols
Common Protocols
Most network professionals work with network protocols which support the applications and services used by employees in a network.
Small Network Applications and Protocols
Voice and Video Applications
Businesses today are increasingly using IP telephony and streaming media to communicate with customers and business partners.
Small Network Applications and Protocols
Voice and Video Applications (Cont.)
In IP Telephony, the IP phone itself performs the voice-to-IP conversion. Voice-enabled routers are not required within a network with an integrated IP telephony solution. IP Phones use a dedicated server for call control and signaling.
Scale to Larger Networks
Small Network Growth
The network administrator must allow for growth for small businesses and their networks.
Ideally, the network administrator has enough lead time to allow the network to grow in-line with the growth of the company.
Security Threats and Vulnerabilities
Types of Threats
Computer networks are essential to everyday activities. Individuals and organizations depend on their computers and networks.
Security Threats and Vulnerabilities
Types of Threats (Cont.)
Four types of threats might occur:
• Information Theft – Occurs when someone breaks into a computer for the purpose of stealing confidential information.
• Data Loss and Manipulation – This is breaking into a computer to destroy or alter data records. An example of data loss: a virus that reformats a person’s hard drive. An example of data manipulation: breaking into a system to change the price of an item.
• Identity Theft – This is a form of information theft where personal information is stolen for the purpose of stealing someone’s identity.
• Disruption of Service – This is preventing legitimate users from accessing services to which they should be entitled.
Security Threats and Vulnerabilities
Physical Security
The physical security of network devices is an equally important security vulnerability to manage.
Network Attacks
Reconnaissance Attacks
In addition to malicious code attacks, networks can also fall prey to various network attacks. There are three major categories of network attacks:
• Reconnaissance attacks – the discovery and mapping of systems, services, or vulnerabilities
• Access attacks – the unauthorized manipulation of data, system access, or user privileges
• Denial of Service – the disabling or corruption of networks, systems, or services
In a Reconnaissance attack, a hacker could use either nslookup or whois to determine the IP addresses assigned to an entity. Once they have the IP address, they can use fping to ping a range of IP addresses to see who is responding. Once they know what IP addresses are responding, they could use nmap to see which ports are listening.
Network Attacks
Access Attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, or other resources. There are four classes of access attacks:
• Password attacks – Hackers can use several methods including: brute-force attacks, Trojan horse programs, and packet sniffers.
• Trust Exploitation – An attacker can access a target system by taking advantage of a trust relationship between the target system and one that is compromised.
• Port Redirection – A hacker installs software on a compromised host and uses that host to access a target host on a different port.
• Man-in-the-middle – An attacker inserts himself in the middle of a conversation. A common type begins with a phishing email containing a link that the victim clicks.
Network Attacks
Denial of Service Attacks
Denial of Service (DoS) attacks prevent authorized people from using a service by using up system resources such as disk space, bandwidth, and buffers. The attack can be caused by resource overload or malformed data.
Network Attacks
Denial of Service Attacks (Cont.)
• DDoS – an attacker uses many intermediate hosts, called zombies, to launch an attack on the victim host or server. The intermediate hosts used to launch the attack are usually infected with malware giving control to the attacker.
• Smurf attack – an ICMP-based attack where an attacker broadcasts a large number of ICMP packets using the victim’s source IP address. The zombie hosts reply to the target victim in an attempt to overwhelm the WAN link to the destination.
Network Attack Mitigation
Backup, Upgrade, Update, and Patch
• Keeping up-to-date with the latest developments is a critical part of network security and defending against network attacks.
• As new malware is released, enterprises need to keep current with the latest versions of antivirus software.
• The most effective way to mitigate worm or other attacks is to download security updates from the operating system vendor and install patches on all vulnerable systems.
• The use of a central patch server to install critical patches automatically is a very useful solution to this issue.
Network Attack Mitigation
Authentication, Authorization, and Accounting
• Authentication, authorization, and accounting (AAA) network security services provide the framework to set up access control on a network device.
• AAA is used to control who is permitted to access a network (authentication), what they can do while they are there (authorization), and what they did while they were accessing the network (accounting).
Network Attack Mitigation
Firewalls
• Firewalls are one of the most effective security tools available for protecting users from external threats.
• Network firewalls reside between two or more networks, control the traffic between them and help prevent unauthorized access. Host-based firewalls or personal firewalls are installed on end systems.
• Firewalls use various techniques for determining what is permitted or denied:
  • Packet filtering – Prevents or allows access based on IP or MAC addresses
  • Application filtering – Prevents or allows access by specific application types based on port numbers
  • URL filtering – Prevents or allows access to websites based on specific URLs or keywords
  • Stateful packet inspection (SPI) – Incoming packets must be legitimate responses to requests from external hosts. Traffic coming in through the firewall from the outside must originate from the inside network unless specifically permitted.
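The static filtering techniques and stateful packet inspection listed above give different answers for the same traffic. The Python script below is an added example, not part of the Cisco course material: it models a static permitted-port list beside a toy SPI connection table and runs constructed traffic (documentation-range addresses, invented ports) through both. The Packet class, the StatefulFirewall class and the run_demo function are assumptions made for this demonstration.

```python
"""Toy packet filter vs. stateful packet inspection (SPI).

Added example; it is not code from the Cisco course. The packet
representation, the permit table and the sample traffic are constructed
for the demonstration. Addresses come from documentation ranges.
"""
from dataclasses import dataclass

# "Application filtering" as on the slide: a static list of permitted
# destination ports for traffic arriving from outside.
STATIC_PERMIT_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    direction: str = "in"  # "in" = arriving from outside, "out" = leaving the inside network


def stateless_filter(pkt):
    """Packet/application filtering: decide on header fields alone."""
    if pkt.direction == "out":
        return True
    return pkt.dport in STATIC_PERMIT_PORTS


class StatefulFirewall:
    """SPI: an inbound packet is permitted only if it is the reply to a
    connection an inside host opened, or hits an explicitly published port."""

    def __init__(self, published_ports=()):
        # Connection table keyed as (inside ip, inside port, outside ip, outside port, proto)
        self.connections = set()
        self.published_ports = set(published_ports)

    def decide(self, pkt):
        if pkt.direction == "out":
            # Remember the connection so its reply is allowed back in.
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        # Inbound: is this the reverse of a connection we saw leave?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.connections:
            return True
        return pkt.dport in self.published_ports


def run_demo():
    """Run constructed traffic through both filters; returns the decisions per packet."""
    fw = StatefulFirewall(published_ports={443})  # e.g. an inside HTTPS server
    traffic = {
        # inside client opens HTTPS to an outside server
        "client_out": Packet("10.0.0.5", "203.0.113.9", 51000, 443, "tcp", "out"),
        # the server's reply comes back to the client's ephemeral port
        "server_reply": Packet("203.0.113.9", "10.0.0.5", 443, 51000, "tcp", "in"),
        # unsolicited outside packet to port 80 on the client
        "unsolicited_80": Packet("198.51.100.7", "10.0.0.5", 40000, 80, "tcp", "in"),
        # looks like a reply, but from an address the client never contacted
        "unrelated_reply": Packet("198.51.100.7", "10.0.0.5", 443, 51000, "tcp", "in"),
    }
    results = {}
    for name, pkt in traffic.items():  # insertion order: the outbound packet is seen first
        results[name] = {"stateless": stateless_filter(pkt), "stateful": fw.decide(pkt)}
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16} stateless={verdict['stateless']!s:5} stateful={verdict['stateful']}")
```

The reply to the connection the inside client opened is dropped by the static port list (the client's ephemeral port 51000 is not on it) but passed by SPI, while the unsolicited packet to port 80 passes the static list and is dropped by SPI because no inside host opened that connection.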
Network Attack Mitigation
Endpoint Security
• An endpoint, or host, is an individual computer system or device that acts as a network client.
• Common endpoints include: laptops, desktops, servers, smartphones, and tablets.
• A company must have a well-documented policy in place that employees must follow, since securing endpoint devices is one of the most challenging jobs of a network administrator.
• The policy should include the use of antivirus software and host intrusion prevention.
Device Security
Device Security Overview
• When a new operating system is installed on a device, the security settings are set to the default values.
• This usually leads to security threats.
• Locking down your router: the default settings, including passwords, should be changed.
• System updates and security patches should be installed.
• For Cisco routers, the Cisco AutoSecure feature can be used to assist in securing the system.
• Here are some simple steps that should be taken with most operating systems:
  • Default usernames and passwords should be changed immediately.
  • Access to system resources should be restricted to only those who need those resources.
  • Unnecessary services and applications should be turned off, disabled, and uninstalled if possible.
Device Security
Passwords
• Strong passwords are critical in protecting network devices.
• Here are some password guidelines to follow:
  • Use a password of at least 8 to 10 characters – preferably 10 or more. The longer the better.
  • Passwords should be complex. Include a mix of uppercase, lowercase, numbers, symbols, and spaces if allowed.
  • Do not use passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information or any easily identifiable information.
  • Deliberately misspell words in your passwords.
  • Change your passwords often.
  • Never write down your passwords and leave them where anyone can find them.
  • Use passphrases when possible.
Device Security
Basic Security Practices
• Use the global configuration command service password-encryption to encrypt passwords in the configuration file and prevent unauthorized individuals from viewing plain text passwords.
• In order to ensure that all configured passwords are a minimum length, use the security passwords min-length command in global configuration mode.
• Hackers frequently use a brute-force attack to decrypt encrypted passwords. Block excessive login attempts to a device if a set number of failures occur within a specific amount of time using the command login block-for 120 attempts 3 within 60.
  • This command will block login attempts for 120 seconds if there are three failed login attempts within 60 seconds.
• Setting the exec timeout on a router will automatically disconnect users if they have been idle for the duration of the timeout value.
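One way to check that the practices above are actually present in a device's configuration, as an added example that is not Cisco code: the Python script below parses two constructed running-config excerpts, a weak one and one hardened with the commands named on this slide, and reports what is missing. The config text, the hash placeholders, the function names and the 10-character minimum are assumptions made for this demonstration.

```python
"""Audit an IOS running-config for the basic security practices on the slide.

Added example, not Cisco's code. The two configuration excerpts are
constructed for the demo (hash values are placeholders), and the
minimum-length threshold is an assumption taken from the chapter's
"preferably 10 or more" password guideline.
"""
import re

MIN_LENGTH_GUIDELINE = 10  # assumption: enforce the chapter's "preferably 10 or more"

# Constructed "before" config: plain-text credentials, no lockout, no idle timeout
WEAK_CONFIG = """\
hostname R1
enable password cisco123
username admin password letmein
line con 0
line vty 0 4
 password vtypass
 login
"""

# Constructed "after" config applying the slide's commands (hashes are placeholders)
HARDENED_CONFIG = """\
hostname R1
service password-encryption
security passwords min-length 10
login block-for 120 attempts 3 within 60
enable secret 5 $1$PLACEHOLDER$hashvalueplaceholder
username admin secret 5 $1$PLACEHOLDER$hashvalueplaceholder
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""


def parse_line_blocks(config):
    """Return {'line con 0': [subcommands], ...}; indented lines belong to the open block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [line.rstrip() for line in config.splitlines()]

    if "service password-encryption" not in lines:
        findings.append("service password-encryption missing: line/enable passwords stored in plain text")

    min_len = None
    for line in lines:
        m = re.fullmatch(r"security passwords min-length (\d+)", line)
        if m:
            min_len = int(m.group(1))
    if min_len is None:
        findings.append("security passwords min-length not configured")
    elif min_len < MIN_LENGTH_GUIDELINE:
        findings.append(f"security passwords min-length {min_len} is below {MIN_LENGTH_GUIDELINE}")

    if not any(line.startswith("login block-for ") for line in lines):
        findings.append("login block-for not configured: no lockout after repeated failed logins")

    for line in lines:
        # 'enable password' / 'username ... password' are reversible even when type-7
        # encoded by service password-encryption; 'secret' stores a hash instead
        if re.match(r"(enable password|username \S+ password) ", line):
            findings.append(f"reversible credential, use 'secret' instead: {line}")

    for name, subs in parse_line_blocks(config).items():
        if not any(s.startswith("exec-timeout") and s != "exec-timeout 0 0" for s in subs):
            findings.append(f"{name}: no exec-timeout, idle sessions never disconnect")
        for s in subs:
            if re.match(r"password (?!7 )", s):  # 'password 7 ...' is the encrypted form
                findings.append(f"{name}: line password stored in plain text")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" -", finding)
```

The weak excerpt produces eight findings (missing encryption, minimum length and lockout, two reversible credentials, no exec-timeout on either line, and a plain-text vty password); the hardened excerpt produces none.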
Device Security
Enable SSH
• When a
11.3 Basic Network Performance
The ping Command
Interpreting Ping Results
The use of the ping command is a very effective method to test for network connectivity to a particular host, server, or device – it is an important first step in troubleshooting a network failure.
The ping command uses the Internet Control Message Protocol and verifies layer 3 connectivity.
The ping Command
Network Baseline
Establishing a network baseline is one of the most effective tools for monitoring and troubleshooting network performance.
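To turn ping output into a baseline and compare a later run against it, here is an added Python example that is not from the course. The two ping outputs are constructed in the Windows "Reply from" format, and the alert thresholds (twice the baseline average round-trip time, any packet loss) are assumptions.

```python
"""Build a relative performance baseline from ping output and flag later
deviations from it.

Added example, not from the course. The two ping outputs are constructed
in the Windows 'Reply from ...' format; the alert thresholds are assumptions.
"""
import re
import statistics

# Constructed baseline run, taken when the network was known to be healthy
BASELINE_OUTPUT = """\
Reply from 10.1.1.1: bytes=32 time=2ms TTL=254
Reply from 10.1.1.1: bytes=32 time=3ms TTL=254
Reply from 10.1.1.1: bytes=32 time=2ms TTL=254
Reply from 10.1.1.1: bytes=32 time=4ms TTL=254
"""

# Constructed later run showing higher latency and one lost probe
LATER_OUTPUT = """\
Reply from 10.1.1.1: bytes=32 time=40ms TTL=254
Request timed out.
Reply from 10.1.1.1: bytes=32 time=55ms TTL=254
Reply from 10.1.1.1: bytes=32 time=48ms TTL=254
"""

RTT_RE = re.compile(r"time[=<](\d+)ms")  # 'time<1ms' is how Windows prints sub-millisecond replies


def parse_ping(output):
    """Count probes and collect round-trip times (ms) from ping output lines."""
    sent, rtts = 0, []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Reply from"):
            sent += 1
            m = RTT_RE.search(line)
            if m:
                rtts.append(int(m.group(1)))
        elif line.startswith("Request timed out"):
            sent += 1
    received = len(rtts)
    loss_pct = 0.0 if sent == 0 else 100.0 * (sent - received) / sent
    return {"sent": sent, "received": received, "loss_pct": loss_pct, "rtts": rtts}


def summarize(rtts):
    """Min/avg/max/jitter (population stdev) in ms; all None when nothing was received."""
    if not rtts:
        return {"min": None, "avg": None, "max": None, "jitter": None}
    return {
        "min": min(rtts),
        "avg": statistics.mean(rtts),
        "max": max(rtts),
        "jitter": statistics.pstdev(rtts),
    }


def compare_to_baseline(baseline_output, current_output, rtt_factor=2.0, max_loss_pct=0.0):
    """Return findings where the current run degrades from the baseline."""
    base = summarize(parse_ping(baseline_output)["rtts"])
    cur_parsed = parse_ping(current_output)
    cur = summarize(cur_parsed["rtts"])
    findings = []
    if cur["avg"] is None:
        findings.append("no replies at all: connectivity lost")
    elif base["avg"] is not None and cur["avg"] > rtt_factor * base["avg"]:
        findings.append(
            f"average RTT {cur['avg']:.1f} ms exceeds {rtt_factor}x baseline {base['avg']:.1f} ms"
        )
    if cur_parsed["loss_pct"] > max_loss_pct:
        findings.append(f"packet loss {cur_parsed['loss_pct']:.1f}% exceeds {max_loss_pct}%")
    return findings


if __name__ == "__main__":
    print("baseline:", summarize(parse_ping(BASELINE_OUTPUT)["rtts"]))
    print("now:     ", summarize(parse_ping(LATER_OUTPUT)["rtts"]))
    for finding in compare_to_baseline(BASELINE_OUTPUT, LATER_OUTPUT):
        print(" -", finding)
```

The comparison is deliberately relative: a 48 ms average is not wrong in itself, it is only a problem because the baseline for this path was under 3 ms.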
The traceroute and tracert Command
Interpreting Trace Messages
A trace returns a list of hops as a packet is routed through a network. Each router is a hop.
When using Windows, use the tracert command.
When performing a trace from a router CLI, use the traceroute command.
A “Request timed out” response indicates that the router did not respond. It is possible that there is a network failure, or the routers were configured to not respond to the echo requests used in the trace.
The traceroute and tracert Command
Extended Traceroute
The extended traceroute command is a variation that will allow the network administrator to adjust parameters related to the command.
Show Commands
Video Demonstration – The show version Command
This video demonstration walks through the output of the show version command when issued on a Cisco 1941 router.
The IOS software version is highlighted in the figure to the left.
Host and IOS Commands
The arp Command
On a Windows computer, the arp -a command lists all devices currently stored in the ARP cache of a particular host.
Host and IOS Commands
The show cdp neighbors Command
The Cisco Discovery Protocol (CDP) is a Cisco-proprietary protocol that runs at the data link layer and allows adjacent Cisco devices to learn about each other – even without Layer 3 connectivity.
When a Cisco device boots up, CDP starts by default. CDP automatically discovers neighboring devices running CDP.
Host and IOS Commands
Lab – Using the CLI to Gather Network Device Information
Debugging
The debug Command
IOS processes, protocols, mechanisms and events generate messages to communicate their status.
These messages can provide valuable information when troubleshooting or verifying system operations.
Debugging
The terminal monitor Command
Connections to grant access to the IOS command line interface can be established locally or remotely.
• Local connections require physical access to the router or switch using a cable.
• Remote connections using SSH or Telnet are made using the network and require a network protocol such as IP to be configured.
Debug log messages are sent to the console by default and not to virtual lines.
Troubleshooting Methodologies
Basic Troubleshooting Approaches
Technicians must be able to analyze the cause of the network problem before they can resolve the issue. This process is called troubleshooting.
Troubleshooting Methodologies
Resolve or Escalate?
In some cases, it may not be possible to resolve the network problem immediately, and it may need to be escalated if it requires a manager’s decision.
Troubleshooting Methodologies
Verify and Monitor Solution
The Cisco IOS includes powerful tools to help with troubleshooting and verification such as:
Troubleshoot Cables and Interfaces
Duplex Operation
In data communications, duplex refers to the direction of the data transmission between two devices such as a router and a switch.
• Half-duplex – the data is restricted to one direction at a time
• Full duplex – the data can go both directions at the same time
For the best communication performance, two connected Ethernet network interfaces must have matching duplex configurations.
• They must both be set to full or half.
• Ethernet autonegotiation was designed to help with this configuration, but could lead to problems if one side is set to auto and the other is not.
Troubleshoot Cables and Interfaces
Duplex Mismatch
Duplex mismatch issues are difficult to troubleshoot since the communication between devices still occurs, but is usually much slower.
• ping might not detect the problem.
• A ping could be successful even though there is a mismatch.
The Cisco Discovery Protocol (CDP) can detect a duplex mismatch between two Cisco devices as shown in the figure to the left.
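Because a successful ping does not rule out a mismatch, the settings on both ends of the link have to be compared directly, or the CDP log message has to be caught. The Python below is an added example, not Cisco code: it parses constructed show interfaces excerpts from the two ends of one link, compares duplex and speed, and scans constructed syslog lines for the %CDP-4-DUPLEX_MISMATCH message IOS logs when CDP notices the condition. The excerpts, the syslog lines and the function names are assumptions for this demonstration.

```python
"""Detect a duplex mismatch from 'show interfaces' output on both ends of a
link and from the CDP syslog message IOS logs when it notices one.

Added example, not Cisco's code. The command output excerpts and the syslog
lines are constructed samples in the form IOS prints them.
"""
import re

# Constructed excerpt from the switch end of the link
SWITCH_SIDE = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0011.2233.4455 (bia 0011.2233.4455)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
"""

# Constructed excerpt from the router end of the same link
ROUTER_SIDE = """\
GigabitEthernet0/0 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is 0011.2233.6677 (bia 0011.2233.6677)
  Half-duplex, 100Mb/s, media type is RJ45
"""

# Constructed syslog lines; the second has the form of the CDP duplex-mismatch message
SYSLOG = [
    "*Mar  1 00:12:01.003: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
    "*Mar  1 00:13:17.411: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on "
    "FastEthernet0/1 (not half duplex), with R1 GigabitEthernet0/0 (half duplex).",
]

IFACE_RE = re.compile(r"^(\S+) is (up|down|administratively down)", re.M)
DUPLEX_RE = re.compile(r"^\s*(Full|Half)-duplex, (\d+)Mb/s", re.M)
CDP_MISMATCH_RE = re.compile(
    r"%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on (\S+) \(([^)]*)\), "
    r"with (\S+) (\S+) \(([^)]*)\)"
)


def parse_interface(show_output):
    """Return {'name', 'duplex', 'speed_mbps'} from a 'show interfaces' excerpt, or None."""
    iface = IFACE_RE.search(show_output)
    dup = DUPLEX_RE.search(show_output)
    if not iface or not dup:
        return None
    return {"name": iface.group(1), "duplex": dup.group(1).lower(), "speed_mbps": int(dup.group(2))}


def check_link(side_a, side_b):
    """Compare both ends of a link; a ping would succeed either way, so the
    configured settings themselves are what has to be compared."""
    a, b = parse_interface(side_a), parse_interface(side_b)
    if a is None or b is None:
        return ["could not parse duplex/speed from one side of the link"]
    problems = []
    if a["duplex"] != b["duplex"]:
        problems.append(f"duplex mismatch: {a['name']} {a['duplex']} vs {b['name']} {b['duplex']}")
    if a["speed_mbps"] != b["speed_mbps"]:
        problems.append(f"speed mismatch: {a['name']} {a['speed_mbps']} vs {b['name']} {b['speed_mbps']}")
    return problems


def scan_syslog(lines):
    """Pull the interfaces and states out of every CDP duplex-mismatch log line."""
    events = []
    for line in lines:
        m = CDP_MISMATCH_RE.search(line)
        if m:
            events.append({
                "local_if": m.group(1), "local_state": m.group(2),
                "neighbor": m.group(3), "neighbor_if": m.group(4), "neighbor_state": m.group(5),
            })
    return events


if __name__ == "__main__":
    for problem in check_link(SWITCH_SIDE, ROUTER_SIDE):
        print("link check:", problem)
    for event in scan_syslog(SYSLOG):
        print("syslog:", event)
```

The configuration comparison works even when one side is not a Cisco device, which is the case the CDP message cannot cover.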
Troubleshooting Scenarios
IP Addressing Issues on IOS Devices
IP address-related problems will likely cause connectivity issues.
Since IP addresses are hierarchical, any IP addresses assigned to a network device must conform to that network’s range of addresses.
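To check that host addresses conform to a segment's range, the added Python example below (not from the course) uses the standard ipaddress module on a constructed inventory: an address outside the segment, a wrong mask, a gateway in another subnet, a broadcast address used as a host address and a duplicate address are each reported. The device list, the segment and the function names are assumptions for this demonstration.

```python
"""Check that hosts on a segment have addresses consistent with the
segment's range, mask and default gateway.

Added example, not from the course. The segment and the device list are
constructed; check_devices flags the IP-address-related problems the slide
warns about.
"""
import ipaddress

# Constructed inventory: (device name, "ip/prefix", default gateway)
DEVICES = [
    ("PC1", "192.168.1.10/24", "192.168.1.1"),
    ("PC2", "192.168.1.20/25", "192.168.1.1"),   # wrong mask
    ("PC3", "192.168.2.30/24", "192.168.1.1"),   # wrong network, gateway unreachable
    ("PC4", "192.168.1.255/24", "192.168.1.1"),  # broadcast address used as host address
    ("PC5", "192.168.1.10/24", "192.168.1.1"),   # duplicate of PC1
]
SEGMENT = "192.168.1.0/24"


def check_host(ip_with_prefix, gateway, segment):
    """Return the list of problems with one host's address configuration."""
    problems = []
    iface = ipaddress.ip_interface(ip_with_prefix)
    seg = ipaddress.ip_network(segment)
    gw = ipaddress.ip_address(gateway)

    if iface.ip not in seg:
        problems.append(f"{iface.ip} is outside segment {seg}")
    elif iface.network != seg:
        # address is in range, but the host's own mask describes a different subnet
        problems.append(f"mask gives {iface.network}, segment is {seg}")
    if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address, not a host address")
    if gw not in iface.network:
        # the host will never ARP for a gateway it believes is off-subnet
        problems.append(f"gateway {gw} is not in the host's subnet {iface.network}")
    return problems


def check_devices(devices, segment):
    """Run check_host over an inventory and add duplicate-address detection."""
    report, seen = {}, {}
    for name, ip_with_prefix, gateway in devices:
        problems = check_host(ip_with_prefix, gateway, segment)
        ip = ipaddress.ip_interface(ip_with_prefix).ip
        if ip in seen:
            problems.append(f"duplicate address {ip}, also used by {seen[ip]}")
        else:
            seen[ip] = name
        report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in check_devices(DEVICES, SEGMENT).items():
        print(name, "OK" if not problems else "; ".join(problems))
```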
Troubleshooting Scenarios
Lab - Troubleshooting Connectivity Issues
This lab will allow you to troubleshoot and resolve network issues using the skills and tools that you’ve learned in this chapter.
Troubleshooting Scenarios
Packet Tracer – Troubleshooting Connectivity Issues
This Packet Tracer activity will allow you to troubleshoot and resolve network connectivity issues if possible, or escalate them if necessary.
11.5 Summary
Conclusion
Chapter 11: Build a Small Network
Explain the features and functions of Cisco IOS Software.
Configure initial settings on a network device using the Cisco IOS software.
Given an IP addressing scheme, configure IP address parameters on end devices to provide end-to-end connectivity in a small to medium-sized business network.