Slide 3 15 2020


IPS and IDS

Next Generation Firewall

Cisco APs and Controllers

Twisted Pair Cable Categories

SM vs MM Fiber

Power Over Ethernet
• Negotiating inline power with the attached devices
• No need for a power adapter
• Central backup power (UPS)
• CDP and LLDP negotiate the power level

Power Over Ethernet
• Mode A {pins 1,2,3,6}
• Mode B {pins 4,5,7,8}

Collapsed Core or Two-Tier

Three-tier Architectures

Spine and Leaf
• A topic that comes from CCNA design
• A data center structure
• Same as the hierarchical switching design, but with load-balancing capability and without STP or broadcast issues, because it uses routing between the tiers
• Best way to get fast east-west traffic flow
• Handles north-south flows as well
• For a 100% SLA at any time

WAN Architecture

Small Office Home Office (SOHO)

Cloud Architecture

Identify Interfaces

Introduction to Wireshark

Network Settings with Different Operating Systems

Virtualization Fundamentals

Three Basic Concepts of Network Security:

• Confidentiality
Only the authorized individuals/systems can view sensitive or classified
information.

• Integrity
Changes made to data are done only by authorized individuals/systems.

• Availability
Data should be accessible whenever needed.

Security Terminology
• Asset: anything that is valuable to an organization.
• Vulnerability: an exploitable weakness in a system or its design.
• Threat: any potential danger to an asset.
• Risk: the potential for unauthorized access to, compromise, destruction, or damage to an asset.
• Countermeasure: a safeguard that somehow mitigates a potential risk.
• Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior on computer software, hardware, or something electronic (usually computerized).

Security Terminology
• Password policy
• Management policy
• Mitigation techniques
• User awareness
• User training

Asset Classification

Classifying Vulnerabilities
• Policy flaws
• Design errors
• Protocol weaknesses
• Misconfiguration
• Software vulnerabilities
• Human factors
• Malicious software
• Hardware vulnerabilities
• Physical access to network resources

Introduction to an Attack
• An attack is the process of attempting to steal data, destroy data, gain unauthorized access to a device, or even shut down/disable a system, preventing legitimate users from accessing its resources.
• Types of attack:
  o Reconnaissance
  o Social engineering
  o Privilege escalation
  o Back door
  o Code execution
  o Trust exploitation
  o Brute force
  o Botnet
  o DoS and DDoS

Man in the Middle Attack
• Attackers place themselves in line between two devices that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them.
• Examples: ARP poisoning (the attack that DAI mitigates), fake root bridge, rogue router, rogue DHCP server.

Fundamental Security Principles for Network Design
• Rule of least privilege
• Defense in depth
• Separation of duties
• Auditing

Motivation Behind the Attack
• Financial
• Disruption
• Geopolitical

Distributed Denial of Service Attack
• Directed
• Reflected
• Amplification

Social Engineering
• Phishing
• Malvertising
• Phone scams

Defense Against Social Engineering
• Password management
• Two-factor authentication
• Antivirus/antiphishing defense
• Change management
• Information classification
• Document handling and destruction
• Physical security

DHCP Snooping
• Switching security feature
• Prevents unauthorized (rogue) DHCP servers, the MitM attacks they enable, and DHCP starvation; it can also rate-limit DHCP request messages.
• Untrusted ports and trusted ports
• DORA process (Discover, Offer, Request, Acknowledge)
• Blocks Offer and Acknowledge (server-to-client messages) on untrusted ports
• DHCP snooping is configured per VLAN
• DHCP snooping binding database

Dynamic ARP Inspection (DAI)
• Switching security feature
• Rate-limits dynamic ARP packets
• Prevents ARP spoofing, ARP poisoning, malicious gratuitous ARP and MitM attacks.
• Untrusted ports and trusted ports
• Port security and DHCP snooping are prerequisites
• DAI uses the DHCP snooping binding database information to validate ARP packets
• Static MAC/IP entries are supplied with an ARP ACL.
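
As an added example (not part of the original slides), the following Python model shows how the two features cooperate: DHCP snooping builds the binding table from the DORA exchange and drops server messages on untrusted ports, and DAI checks each ARP packet's sender MAC/IP against that table or a static ARP ACL. Port names and addresses are constructed.

```python
"""DHCP snooping and Dynamic ARP Inspection (DAI) decision logic.

Added example, not code from the original slides. It models the two switch
features described above: DHCP snooping drops server messages (OFFER/ACK/NAK)
arriving on untrusted ports and records client bindings learned from the DORA
exchange; DAI then forwards an ARP packet from an untrusted port only if its
sender MAC/IP pair matches a snooping binding or a static ARP ACL entry.
Port names, MAC and IP addresses are constructed sample values.
"""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}                      # only valid on trusted ports
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False   # trusted = uplink toward the legitimate DHCP server


@dataclass
class Switch:
    # DHCP snooping binding database: (vlan, client_mac) -> (client_ip, port_name)
    bindings: dict = field(default_factory=dict)
    # client MACs seen in DISCOVER/REQUEST, so a later ACK can be tied to the access port
    pending: dict = field(default_factory=dict)
    # ARP ACL for hosts with static IPs (no DHCP lease): {(mac, ip), ...}
    arp_acl: set = field(default_factory=set)

    def dhcp_snoop(self, port, msg, client_mac, src_mac=None, client_ip=None):
        """Return 'forward' or 'drop' for one DHCP message and update the tables."""
        if msg in SERVER_MSGS and not port.trusted:
            return "drop"                       # rogue DHCP server on an access port
        if msg in CLIENT_MSGS and not port.trusted:
            # MAC verification: the DHCP chaddr must match the Ethernet source MAC
            if src_mac is not None and src_mac != client_mac:
                return "drop"
            self.pending[(port.vlan, client_mac)] = port.name
            if msg == "RELEASE":
                self.bindings.pop((port.vlan, client_mac), None)
        if msg == "ACK" and client_ip is not None:
            access_port = self.pending.get((port.vlan, client_mac))
            if access_port is not None:         # bind the lease to the port that asked for it
                self.bindings[(port.vlan, client_mac)] = (client_ip, access_port)
        return "forward"

    def dai_inspect(self, port, sender_mac, sender_ip):
        """Validate the sender fields of an ARP request/reply received on 'port'."""
        if port.trusted:
            return "forward"                    # DAI does not inspect trusted ports
        if (sender_mac, sender_ip) in self.arp_acl:
            return "forward"                    # static host permitted by the ARP ACL
        if self.bindings.get((port.vlan, sender_mac)) == (sender_ip, port.name):
            return "forward"                    # matches the DHCP snooping binding
        return "drop"                           # spoofed sender, or no lease on this port


def demo():
    """Constructed scenario: one client, the real server on the uplink, one rogue host."""
    sw = Switch()
    client = Port("Gi1/0/2", vlan=10)
    rogue = Port("Gi1/0/3", vlan=10)
    uplink = Port("Gi1/0/24", vlan=10, trusted=True)
    mac, ip = "00:11:22:33:44:55", "192.168.10.50"
    results = [
        sw.dhcp_snoop(client, "DISCOVER", mac, src_mac=mac),
        sw.dhcp_snoop(rogue, "OFFER", mac),                # rogue server: dropped
        sw.dhcp_snoop(uplink, "OFFER", mac),
        sw.dhcp_snoop(client, "REQUEST", mac, src_mac=mac),
        sw.dhcp_snoop(uplink, "ACK", mac, client_ip=ip),   # creates the binding
        sw.dai_inspect(client, mac, ip),                   # matches the binding
        sw.dai_inspect(client, mac, "192.168.10.1"),       # claims the gateway IP: dropped
        sw.dai_inspect(rogue, mac, ip),                    # right pair, wrong port: dropped
    ]
    return sw, results
```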

AAA Concept

AAA Server
• Authentication: who is the user?
• Authorization: what is the user allowed to do?
• Accounting: what did the user do?
Cisco devices can use the following two protocols to communicate with an AAA server:
• TACACS+: a Cisco proprietary protocol that separates each of the AAA functions; communication is encrypted and runs over TCP port 49.
• RADIUS: a standards-based protocol that combines authentication and authorization into a single exchange; communication uses UDP ports 1812 and 1813. Accounting traffic is unencrypted.

AAA Server …
• Network Access Server (NAS) or Network Access Device (NAD): the switch or WAP that requests authentication on behalf of the user.
• Cisco's implementation uses ACS and ISE
• Authentication methods:
  Configure the accounts locally on the switch
  Use an external RADIUS server
  Use an external TACACS+ server

Secure Access: 802.1x Port-Based Authentication
• Prevents unauthorized access, ARP flooding and MAC changers
• Open standard (IEEE 802.1x), Layer 2 protocol
• Uses EAPoL and RADIUS
• If 802.1x is not enabled on the switch, traffic flows normally; if it is enabled on the switch but not on the PC, the port stays in the unauthorized state.
• The PC must also have an 802.1X-capable application or client software (a supplicant).
• 802.1x components: 1. supplicant, 2. authenticator, 3. authentication server
• Extensible Authentication Protocol over LAN (EAPoL)
• RADIUS = Remote Authentication Dial-In User Service

Remote-Access VPN

Site-to-Site VPN

Simple Network Management Protocol
• UDP port 162 (used for traps/notifications)
• Monitoring and troubleshooting the internal status of network devices
• SNMP Manager | SNMP Agent | OID | MIB | SNMP trap | SNMP request
• Differences between SNMP versions 1 | 2 | 3
• SNMPv3 (View, Group, User)
• Security levels: noAuthNoPriv | authNoPriv | authPriv
• PRTG software and configuration
• Cisco SNMP Object Navigator

SNMPv2 configuration
! ACL 10 restricts which management stations may use the community string
Switch(config)# access-list 10 permit 192.168.3.99
Switch(config)# access-list 10 permit 192.168.100.4
! read-only community, bound to ACL 10
Switch(config)# snmp-server community MonitorIt ro 10
! send traps to the manager using that community
Switch(config)# snmp-server host 192.168.3.99 MonitorIt

SNMPv3 configuration
Switch(config)# access-list 10 permit 192.168.3.99
Switch(config)# access-list 10 permit 192.168.100.4
! group at the authPriv security level (authentication and encryption required)
Switch(config)# snmp-server group NetOps v3 priv
! user in that group: SHA authentication, AES-128 privacy, polling restricted by ACL 10
Switch(config)# snmp-server user mymonitor NetOps v3 auth sha s3cr3tauth priv aes 128 s3cr3tpr1v access 10
! acknowledged notifications (informs) to the manager, authenticated and encrypted
Switch(config)# snmp-server host 192.168.3.99 informs version 3 priv mymonitor
! alternative: a view exposing the whole iso subtree to a group with read and write access
Switch(config)# snmp-server view ALL iso included
Switch(config)# snmp-server group Group1 v3 priv read ALL write ALL
Switch(config)# snmp-server user AHMAD Group1 v3 auth sha P@SSW0rD priv des56 KEY@123
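
The priv and auth sha keywords above are only as strong as the key handling behind them. As an added example (not from the slides or from Cisco), the Python below reproduces the RFC 3414 USM key derivation an agent performs on those passwords, plus the HMAC-96 authentication tag check, using the RFC's own test-vector password and engine ID as constants.

```python
"""SNMPv3 USM key derivation (RFC 3414, Appendix A.2).

Added example, not code from the original slides. It shows what an agent does
with the 'auth sha' and 'priv aes 128' passwords in the v3 configuration
above: each password is stretched into an intermediate key Ku and then
localized with the agent's own snmpEngineID, so the passwords never cross
the wire and a key taken from one agent is useless against another. This is
what authPriv buys over a v2c community string sent in clear text. The
password and engine ID constants are the RFC 3414 test-vector values.
"""
import hashlib
import hmac


def password_to_ku(password: bytes, hash_name: str = "sha1") -> bytes:
    """Stretch the password: hash 1 MiB of the password repeated end to end."""
    if not password:
        raise ValueError("empty password")
    stretched = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_pw: bytes, priv_pw: bytes, engine_id: bytes, hash_name: str = "sha1"):
    """(auth_key, priv_key) as an agent configured for authPriv holds them."""
    auth_key = localize_key(password_to_ku(auth_pw, hash_name), engine_id, hash_name)
    priv_key = localize_key(password_to_ku(priv_pw, hash_name), engine_id, hash_name)
    return auth_key, priv_key[:16]   # AES-128 uses the first 128 bits of the localized key


def auth_parameters(auth_key: bytes, whole_msg: bytes, hash_name: str = "sha1") -> bytes:
    """msgAuthenticationParameters: HMAC over the message (auth field zeroed), truncated to 96 bits."""
    return hmac.new(auth_key, whole_msg, hash_name).digest()[:12]


def check_auth(auth_key: bytes, whole_msg: bytes, received: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: constant-time comparison of the received 12-byte tag."""
    return hmac.compare_digest(auth_parameters(auth_key, whole_msg, hash_name), received)


# RFC 3414 A.3 test-vector inputs
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
```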

QoS Introduction
• Normal or default operation is FIFO {first in, first out}
• QoS tools act on four traffic characteristics:
  1. Latency (delay)
  2. Jitter
  3. Loss
  4. Bandwidth

Overview of QoS Tools

Comparing Wired & Wireless

WLAN Topology
• Radio frequency (RF)
• Unidirectional communication
• Bidirectional communication
• Interference in transmission

WLAN Terms
• Basic Service Set (BSS)
• Basic Service Area (BSA) or cell
• Basic Service Set Identifier (BSSID)
• Service Set Identifier (SSID)

Distribution System and Multiple SSIDs

Scaling Wireless Coverage

IBSS & Repeater
• Independent Basic Service Set (IBSS) or ad hoc
• Repeater

Workgroup Bridge
• Universal workgroup bridge
• Workgroup bridge: Cisco proprietary

Outdoor Bridge

Mesh Wireless Network

Radio Frequency
• Electromagnetic waves do not travel in a straight line. Instead, they travel by expanding in all directions away from the antenna.
• What is a cycle?
• Frequency unit names.

Wi-Fi Channels
• A Wi-Fi channel is a range of adjacent frequencies that are used together.
• For example, channel 1 in the 2.4 GHz band consists of 2.401 GHz through 2.423 GHz.

Non-Overlapping Channels, 2.4 GHz

Non-Overlapping Channels, 5 GHz

Wireless Bands and Channels
• One of the two main frequency ranges used for wireless LAN communication lies between 2.400 and 2.4835 GHz. This is usually called the 2.4-GHz band.
• The other wireless LAN range is usually called the 5-GHz band because it lies between 5.150 and 5.825 GHz. (24 non-overlapping channels)
• The 5-GHz band consists of non-overlapping channels, but the 2.4-GHz band does not.
• Use channels 1, 6, and 11 to avoid overlap in the 2.4-GHz band.
• Wireless devices and APs should all be capable of operating in the same band.
• Device support means: 802.11b/g/a/n/ac
• Cisco APs support dual radios {2.4 and 5 GHz} and multiple SSIDs.
• In open space, RF reaches further on the 2.4-GHz band than on the 5-GHz band. Signals also tend to penetrate indoor walls and objects more easily at 2.4 GHz than at 5 GHz.
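
As an added example (not from the slides), this Python derives the 1/6/11 recommendation from the numbers above rather than asserting it: 5 MHz channel spacing, 22 MHz channel width, channel 1 occupying 2401 to 2423 MHz. It also lists, for any channel, which neighbours it collides with.

```python
"""2.4 GHz Wi-Fi channel overlap calculator.

Added example, not from the original slides. It applies the channel plan the
slides describe: 2.4 GHz channel N is centered at 2412 + 5 * (N - 1) MHz
(channel 14 at 2484 MHz) and an 802.11b/g channel occupies 22 MHz, so
channel 1 spans 2401-2423 MHz exactly as stated above. From that it derives
the non-overlapping set instead of just asserting "1, 6, 11".
"""
CHANNEL_WIDTH_MHZ = 22          # 802.11b/g channel width assumed by the slides
MAX_CHANNEL = 14                # channel 14 is permitted only in some regulatory domains


def center_freq_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel in MHz."""
    if not 1 <= channel <= MAX_CHANNEL:
        raise ValueError(f"2.4 GHz channels run 1-{MAX_CHANNEL}, got {channel}")
    return 2484 if channel == MAX_CHANNEL else 2412 + 5 * (channel - 1)


def channel_span(channel: int) -> tuple:
    """(lowest, highest) frequency in MHz occupied by the channel."""
    center = center_freq_mhz(channel)
    return center - CHANNEL_WIDTH_MHZ // 2, center + CHANNEL_WIDTH_MHZ // 2


def overlaps(a: int, b: int) -> bool:
    """True when two channels share spectrum (edges merely touching do not count)."""
    lo_a, hi_a = channel_span(a)
    lo_b, hi_b = channel_span(b)
    return lo_a < hi_b and lo_b < hi_a


def interfering_channels(channel: int, available=range(1, 14)) -> list:
    """Other channels whose spectrum collides with 'channel' (co-channel excluded)."""
    return [c for c in available if c != channel and overlaps(c, channel)]


def non_overlapping_set(available=range(1, 14)) -> list:
    """Greedy pick, lowest channel first, of channels that do not overlap each other."""
    chosen = []
    for ch in available:
        if not any(overlaps(ch, picked) for picked in chosen):
            chosen.append(ch)
    return chosen


def plan_report(available=range(1, 14)) -> dict:
    """Channel -> (low, high) MHz for the channels a designer can assign to adjacent APs."""
    return {ch: channel_span(ch) for ch in non_overlapping_set(available)}
```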

IEEE 802.11 Amendments

Autonomous vs Lightweight Mode
• Autonomous mode: each AP must be configured and maintained individually and does not require a controller for management.
• Lightweight mode: each AP requires a WLC, which configures, controls and maintains all of the APs and eases management of the communication settings between APs.
• An AP can operate in a combined mode: while connected to a controller it is controlled by the WLC {lightweight mode}, and when disconnected it can operate in autonomous mode.

Wireless Network with Autonomous APs

Cloud-Based APs
• Cisco Prime Infrastructure in a central location within the enterprise or on the Internet.
• The Cisco Meraki cloud registers the device and adds the intelligence needed to automatically instruct each AP on which channel and transmit power level to use. It can also collect information from all of the APs about things such as RF interference, rogue or unexpected wireless devices that were overheard, and wireless usage statistics.
• Cisco Meraki products are not only APs: switches, routers, security appliances and more are also included.

Cloud-Based AP {Meraki}

Comparing WLC Deployments
• A unified or centralized WLC deployment, which tends to follow the concept that most of the resources users need to reach are located in a central location such as a data center or the Internet.
• A unified WLC supports up to 6000 APs
• If more are needed, add another unified WLC.

Cloud-Based WLC
• A cloud-based WLC deployment, where the WLC exists as a virtual machine rather than a physical device.
• Supports up to 3000 APs.

Embedded WLC
This is known as an embedded WLC deployment because the controller is embedded within the switching hardware. Typical Cisco embedded WLCs can support up to 200 APs.

Mobility Express
Supports up to 100 APs.

Summary of WLC Deployment Modes

WLC-Based APs & Split-MAC Architecture
• Split-MAC architecture: the lightweight AP-WLC division of labor is known as a split-MAC architecture, where the normal MAC operations are pulled apart into two distinct locations.
• Control and Provisioning of Wireless Access Points (CAPWAP) carries control messages and data messages.
• The AP can use one IP address for both management and tunneling. No trunk link is needed because all of the VLANs it supports are encapsulated and tunneled as Layer 3 IP packets, rather than as individual Layer 2 VLANs.

WLC-Based APs

Autonomous vs LWAP

WLC Activities and APs
• Dynamic channel assignment
• Transmit power optimization
• Self-healing wireless coverage
• Flexible client roaming
• Dynamic client load balancing
• RF monitoring
• Security management
• Wireless intrusion protection system

Authentication
• What is authentication?
• A message integrity check (MIC) is a security tool that can protect against data tampering.

WEP
• The original 802.11 standard offered only two choices to authenticate a client: open authentication and WEP.
• Wired Equivalent Privacy: uses the RC4 cipher algorithm
• Symmetric encryption or shared-key security
• Keys are 40 to 104 bits long, i.e. 10 to 26 hex digits.
• Considered weak encryption and not recommended at this time.

802.1x/EAP
• Extensible Authentication Protocol
• EAP defines a set of common functions that actual authentication methods can use to authenticate users
• It can integrate with the IEEE 802.1x port-based access control standard.

LEAP
• Lightweight EAP {LEAP}
• Cisco developed a proprietary wireless authentication method called Lightweight EAP (LEAP). It can integrate with the IEEE 802.1x port-based access control standard.
• Both the client and the authentication server must exchange challenge messages that are then encrypted and returned. {mutual authentication}
• LEAP has been deprecated and should not be used.

EAP-FAST
• EAP - Flexible Authentication via Secure Tunneling.
• A Cisco-developed proprietary wireless authentication method.
• Authentication credentials are protected by passing a protected access credential (PAC) between the AS and the supplicant.
• The PAC is a form of shared secret that is generated by the AS and used for mutual authentication.
• EAP-FAST has three phases: Phase 0 | Phase 1 | Phase 2
• Notice that two separate authentications occur in EAP-FAST: one between the AS and the supplicant and another with the end user. These occur in a nested fashion, as an outer authentication (outside the TLS tunnel) and an inner authentication (inside the TLS tunnel).

PEAP
• Protected EAP {PEAP}
• The authentication server presents a digital certificate to authenticate itself to the supplicant in the outer authentication.
• The authentication server and client build a TLS tunnel to use for the inner authentication and encryption key exchange.
• Certificates are provided by a third-party Certification Authority (CA).
• The certificate is also used to pass a public key, in plain view, which can be used to help decrypt messages from the AS.
• The client does not have or use a certificate of its own, so it must be authenticated within the TLS tunnel using one of the following two methods:
  • MSCHAPv2: Microsoft Challenge Handshake Authentication Protocol version 2
  • GTC: Generic Token Card; a hardware device that generates one-time passwords for the user, or a manually generated password

EAP-TLS
• EAP - Transport Layer Security
• The authentication server and the client both require digital certificates
• The authentication server and the supplicant exchange certificates and can authenticate each other.
• A TLS tunnel is built afterward so that encryption key material can be securely exchanged.
• Requires implementing a Public Key Infrastructure (PKI) that can supply certificates securely and efficiently and revoke them when a client or user should no longer have access to the network.
• The Certification Authority (CA) issues the digital certificates.
• The most secure wireless authentication method.

Wireless Privacy & Integrity
• Temporal Key Integrity Protocol (TKIP)
• TKIP adds the following security features using legacy hardware and the underlying WEP encryption:
  • MIC {Message Integrity Check}: adds a hash to the frame
  • Time stamp: a time stamp is added into the MIC to prevent replay attacks
  • Sender's MAC address
  • TKIP sequence counter: adds a sequence number to the frame
  • Key mixing algorithm: adds a unique 128-bit WEP key
  • Longer initialization vector (IV): protects against brute-force calculation of the key

CCMP
• Counter/CBC-MAC Protocol {CCMP}
• More secure than TKIP, and consists of two algorithms:
  1. Advanced Encryption Standard {AES} counter mode encryption
  2. Cipher Block Chaining Message Authentication Code {CBC-MAC}, used as a MIC
• AES is open, publicly accessible, and represents the most secure encryption method available today.
• Devices should be checked for AES support before applying CCMP

GCMP
• Galois/Counter Mode Protocol {GCMP}
• A robust authenticated encryption suite that is more secure and more efficient than CCMP.
• GCMP consists of two algorithms:
  1. AES counter mode encryption
  2. Galois Message Authentication Code (GMAC), used as a MIC
• GCMP is used in WPA3

Wi-Fi Protected Access (WPA)
• The Wi-Fi Alliance, a nonprofit wireless industry association, has worked out straightforward ways to specify a consistent combination of authentication and encryption methods through its Wi-Fi Protected Access (WPA) industry certifications. To date, there are three different versions: WPA, WPA2, and WPA3.
• The Wi-Fi Alliance's first-generation WPA certification was based on parts of 802.11i and included 802.1x authentication, TKIP, and a method for dynamic encryption key management.
• The Wi-Fi Alliance WPA2 certification is based around the superior AES CCMP algorithms. It should be obvious that WPA2 was meant as a replacement for WPA.
• In 2018, the Wi-Fi Alliance introduced WPA3 as a future replacement for WPA2. WPA3 leverages stronger encryption by AES with GCMP. It also uses Protected Management Frames (PMF) to secure important 802.11 management frames between APs and clients, to prevent malicious activity that might spoof or tamper with a BSS's operation.

WPA, WPA2, WPA3 Summary
• Each successive version is meant to replace prior versions by offering better security features. You should avoid using WPA and use WPA2 instead, at least until WPA3 becomes widely available on wireless client devices, APs, and WLCs.

Personal Mode and Enterprise Mode
• WPA versions support two client authentication modes: a pre-shared key (PSK) or 802.1x, chosen based on the scale of the deployment.
• With personal mode, a key string must be shared or configured on every client and AP before the clients can connect to the wireless network.
• Clients and APs work through a four-way handshake procedure that uses the pre-shared key string to construct and exchange encryption key material that can be openly exchanged. Once that process is successful, the AP can authenticate the client and the two can secure data frames that are sent over the air.
• With WPA-Personal and WPA2-Personal modes, a malicious user can eavesdrop and capture the four-way handshake between a client and an AP. That user can then use a dictionary attack to automate guessing the pre-shared key. If successful, they can then decrypt the wireless data or even join the network posing as a legitimate user.
• WPA3-Personal avoids such an attack by strengthening the key exchange between clients and APs through a method known as Simultaneous Authentication of Equals (SAE). Rather than a client authenticating against a server or AP, the client and AP can initiate the authentication process equally and even simultaneously.
• Even if a password or key is compromised, WPA3-Personal offers forward secrecy, which prevents attackers from being able to use a key to decrypt data that has already been transmitted over the air.

Using WLC Ports
• Service port: used for out-of-band management, system recovery, and initial boot functions; always connects to a switch port in access mode
• Distribution system port: used for all normal AP and management traffic; usually connects to a switch port in 802.1Q trunk mode
• Console port: used for out-of-band management, system recovery, and initial boot functions; asynchronous connection to a terminal emulator
• Redundancy port: used to connect to a peer controller for high availability (HA) operation

Using WLC Interfaces
• Management interface: used for normal management traffic, such as RADIUS user authentication, WLC-to-WLC communication, web-based and SSH sessions, SNMP, NTP, syslog, and so on. The management interface is also used to terminate CAPWAP tunnels between the controller and its APs.
• Redundancy management interface: the management IP address of a redundant WLC that is part of a high availability pair of controllers. The active WLC uses the management interface address, while the standby WLC uses the redundancy management address.
• Virtual interface: the IP address facing wireless clients when the controller is relaying client DHCP requests, performing client web authentication, and supporting client mobility.
• Service port interface: bound to the service port and used for out-of-band management.
• Dynamic interface: used to connect a VLAN to a WLAN.

Configuring the WLC

Control, Data and Management Planes

Software-Defined Networking (SDN)
Software-defined networking (SDN) offers a centralized, programmable network that consists of an SDN controller, southbound APIs, and northbound APIs. SDN controllers are the brains of the network, offering a centralized view of the overall network.
• An Application Programming Interface (API) is a software intermediary that allows two applications to talk to each other. Each time you use an application such as an SDN controller, it talks through an API to the application running on the routers or switches.

Application Programming Interface

SDN SBI and NBI

Network Automation Tools & Protocols
Network automation languages & protocols:
• CLI / Telnet / SSH
• Notepad
• Python / Java / TCL
• NETCONF/YANG
• RESTCONF/YANG
• SNMP
• OpenFlow
• Cisco OpFlex
• REST API

NBI Protocols and APIs

REST API
REST (Representational State Transfer) describes a type of API that allows applications to sit on different hosts, using HTTP messages to transfer data over the API.

Network Programmability and SDN
Three different SDN and network programmability solutions are available from Cisco. Others exist as well. These three were chosen because they give a wide range of comparison points:
■ OpenDaylight Controller
■ Cisco Application Centric Infrastructure (ACI)
■ Cisco APIC Enterprise Module (APIC-EM)

OpenFlow
The ONF defines OpenFlow as the first standard communications interface defined between the control and forwarding layers of an SDN architecture. OpenFlow allows direct access to and manipulation of the forwarding plane of network devices such as switches and routers, both physical and virtual (hypervisor-based).

Cisco Application Centric Infrastructure (ACI)
Cisco took a research path, but Cisco's work happened to arise from different groups, each focused on different parts of the network: data center, campus, and WAN. That research resulted in Cisco's current SDN offerings of ACI in the data center, Software-Defined Access (SDA) in the enterprise campus, and Software-Defined WAN (SD-WAN) in the enterprise WAN.
Cisco made the network infrastructure application centric, hence the name of the Cisco data center SDN solution: Application Centric Infrastructure, or ACI.
The spine-and-leaf network design is used in ACI and in the data center.

Cisco Application Policy Infrastructure Controller (APIC)
The Cisco Application Policy Infrastructure Controller (Cisco APIC) is the unifying point of automation and management for the ACI fabric. The Cisco APIC provides centralized access to all fabric information, optimizes the application lifecycle for scale and performance, and supports flexible application provisioning across physical and virtual resources.
Designed for automation, programmability, and centralized management, the Cisco APIC itself exposes northbound APIs through XML and JSON. It provides both a command-line interface (CLI) and a GUI which utilize the APIs to manage the fabric holistically.

Cisco Application Policy Infrastructure Controller (APIC)
Cisco APIC provides:
• A single pane of glass for application-centric network policies
• Fabric image management and inventory
• Application, tenant, and topology monitoring
• Troubleshooting
Features
• Centralized application-level policy engine for physical, virtual, and cloud infrastructures
• Detailed visibility, telemetry, and health scores by application and by tenant
• Designed around open standards and open APIs
• Robust implementation of multi-tenant security, quality of service (QoS), and HA
• Integration with management systems such as VMware, Microsoft, and OpenStack

ACI and APIC

Cisco APIC Enterprise Module
• Can control traditional Cisco network devices.
• Uses Telnet / SSH / HTTP / SNMP
• Topology map: the application discovers and displays the topology of the network.
• Path Trace: the user supplies a source and destination device, and the application shows the path through the network, along with details about the forwarding decision at each step.
• Plug and Play: this application provides Day 0 installation support so that you can unbox a new device and make it IP reachable through automation in the controller.
• Easy QoS: with a few simple decisions at the controller, you can configure complex QoS features at each device.

APIC-EM
https://developer.cisco.com/site/apic-em/

Controllers Comparison

Cisco DNA and SDA