
CCDP ARCH 642-874 Study Notes

An access switch failure is a single point of failure that causes an outage for the end devices
connected to it. You can reduce the outage to 1 to 3 seconds in the access layer by using
SSO in a Layer 2 environment or Cisco NSF in a Layer 3 environment.
OSPF stub areas insulate the area from external changes
OSPF totally stubby areas cannot distinguish between ABRs for better routes to an external
network, since only the default route is injected into the area
With OSPF, the "area range" command provides route summarization (inter-area only, between areas; OSPF cannot filter or summarize intra-area routes)
Default CEF hashing algorithm is layer 3 IP addresses not layer 4 ports.
In a topology where VLANs span more than one access layer switch, the recommended
workaround is to tune the ARP timer so that it is equal to or less than the CAM aging timer
STP is required to prevent user-side loops, and when VLANs span access switches
HA (high availability): continuous operation of computer systems
For trunks, use 802.1q encapsulation and DTP in negotiate mode
Three primary activities in building security strategy:
* activity auditing
* technology implementation
* policy establishment
NAC Central Deployment Mode or Edge Deployment Mode
Here the terms central and edge deployment refer to the physical configuration of NAC
Appliance Server. Central Deployment mode means that both the trusted interface and the
untrusted interface of NAC Appliance Server (NAS) are plugged in to the same physical switch.
Edge Deployment mode means that the interfaces are plugged in to two separate switches.
Out-of-band deployments use Central Deployment mode. This is because in an out-of-band
deployment, NAC Appliance Servers are almost always placed at the distribution or core layer
and not at the edge of the network.
Cisco Architecture for Voice, Video and Integrated Data (AVVID):
* security
* multicasting
* QoS
VoIP QoS:
* Bandwidth control for voice control traffic
* Loss < 1%
* One way latency/delay no more than 150ms
* Jitter less than 30ms
For fastest convergence times, use L2 links between access and distribution, and use an L3 peer
link between distribution peers, with the FHRP at the distribution layer (V topology: one
access switch with V-shaped uplinks to the distribution pair); each distribution peer must have all
VLANs defined on it in order to participate in the FHRP
To secure management to IPS sensors:
* Use of secure tunnels
* Separate management vlans
* place IPS Sensors in isolated PVLANs
Routers do not advertise IBGP routes to other IBGP peers, since IBGP peers do not add any
info to the AS path, hence the possibility of loops. Therefore full IBGP peer mesh needed,
unless using confederations or reflectors
Virtual firewalls are normally one of the contexts that a physical firewall is split into
Traditionally firewalls are placed in routed mode, which is considered layer 3 and may own
multiple IP addresses. In transparent mode, the firewall owns only 1 IP, and is at layer2
ASR = asymmetric routing groups... enables asym routing of return traffic, though traffic is
dropped if a matching initial packet is not found
Only 8 interfaces can be placed in an ASR group
ASR can be used in both failover and nonfailover deployments
Cisco security management suite should be placed in a management VLAN since it delivers
policy administration & enforcement for the self-defending network.

GSS = Global Site Selector, similar to Citrix GSLB, uses DNS to provide automatic traffic rerouting in case of a disaster. Due to its reliance on DNS, centralised management of DNS is
recommended
Cisco Unified Wireless Network architecture includes:
* mobility services
* network management (centralize management of LWAPP from a single appliance)
* network unification
802.11b defines 14 DSSS channels
Data only wireless roaming requires 10 - 15 % cell overlap. Voice roaming requires 15-20 %
overlap
In a VoWLAN deployment, 19dBm of separation is recommended, with a -67dBm radius
When protecting multiple assets, in multiple physical cabinets, recommended NAS deployment
is central ( as opposed to edge) which is logically inline, but not physically inline
NAC appliance can check several client metrics such as:
* antivirus software state
* firewall settings
* patch management level
WCCP provides:
* load balancing
* scalability
* fault tolerance
* service assurance
When transiting from LAN to WAN, congestion of the "TX-queue starvation" type will likely
occur, since LAN speeds are much higher than WAN speeds, causing a mismatch in transfer
rates
Group Encrypted Transport VPNs (GET VPNs) is a tunnel-less VPN technology where
members register with a key server (symmetric) to retrieve security associations and updates
VPLS is a layer2 multipoint VPN, using ethernet bridging techniques
VPLS emulates an Ethernet switch, with each Ethernet Multipoint Service (EMS) being
analogous to a VLAN.

In order to avoid ACL sprawl, a well-designed addressing scheme supporting role-based
functions will result in efficient ACL use
One of the key attributes of EMS is that each customer edge device or node communicates
directly with all other customer edge nodes associated with the EMS
ISPs need to be dual homed to provide improved availability , loadbalancing, & disaster
recovery
device clustering: multiple physical devices appear as a single logical device
Layer 3 MPLS Can forward only IP
Layer 2 MPLS can forward any network protocol
e.g. of advanced WAN services: secure routing
Route summarization supported by: RIP 2, EIGRP, OSPF
Size of contiguous block of IPs used constantly in summarization calculations
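Worked example for the two notes above (added here; it is not part of the study notes): computing the summary for a contiguous block of subnets with Python's standard ipaddress module. summarize() returns the exact cover, smallest_supernet() the single enclosing prefix, and overreach() how many addresses that single prefix advertises beyond what the input actually holds, which is the design risk of summarizing past the aligned block: the summary attracts traffic for space the site does not own. The two subnet lists are constructed samples.

```python
import ipaddress

# Constructed sample: four contiguous /24s forming an aligned block of 4 (a /22).
CONTIGUOUS = ["10.1.4.0/24", "10.1.5.0/24", "10.1.6.0/24", "10.1.7.0/24"]
# Constructed sample: four contiguous /24s that straddle a /22 boundary.
MISALIGNED = ["10.1.5.0/24", "10.1.6.0/24", "10.1.7.0/24", "10.1.8.0/24"]


def summarize(prefixes):
    """Smallest set of prefixes that covers exactly the input, nothing more.

    collapse_addresses() merges neighbours only when the pair forms a block
    whose size is a power of two and is aligned on a multiple of that size,
    which is the "size of contiguous block" rule the notes refer to.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def smallest_supernet(prefixes):
    """Single prefix enclosing all of the input (may include unowned space)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    lo = int(min(n.network_address for n in nets))
    hi = int(max(n.broadcast_address for n in nets))
    plen = 32
    # Shorten the prefix until lo and hi agree on every remaining prefix bit.
    while plen > 0 and (lo >> (32 - plen)) != (hi >> (32 - plen)):
        plen -= 1
    return str(ipaddress.ip_network((lo, plen), strict=False))


def overreach(prefixes):
    """Addresses advertised by smallest_supernet() that the input does not contain.

    Assumes the input prefixes do not overlap. A non-zero result means the
    summary attracts traffic for address space this site does not hold.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    sup = ipaddress.ip_network(smallest_supernet(prefixes))
    return sup.num_addresses - sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    for sample in (CONTIGUOUS, MISALIGNED):
        print(sample, "->", summarize(sample), smallest_supernet(sample), overreach(sample))
```

The aligned block collapses to one /22 with zero overreach; the misaligned block needs three prefixes, and forcing it into a single /20 would advertise 3072 addresses the site does not hold.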
In the core, use layer 3 switching, due to faster convergence
IPS can be placed between two layer 2 devices with/without trunking
FHRP: first hop redundancy protocol (usually layer 3 @ distribution layer, layer 2 between
access & distribution)
All uplinks active: loop free U, looped square, loop free inverted U
looped triangle usually has one uplink blocked
Ideally a VPN termination device should be placed in a DMZ behind a firewall, since this offers
moderate to high scalability, and stateful inspection of the encrypted VPN traffic by the firewall
Easy VPN allows cisco routers/ASA/ hardware clients, to act as remote VPN clients in order to
receive predefined security policies and config parameters from the VPN head-end at the
central site
Base e-commerce designs place firewalls in the core layer of the module
During merging of two IGPs, it is best to keep distinct pockets with redistribution between pockets,
and move the pocket boundary

OSPF stub areas provide a simple form of summarization
OSPF does not perform intra-area route summarization
Layer 3 access designs introduce IP address management difficulties, but faster convergence
times and fall back
SLB router mode allows for multiple server subnets, and routes between outside inside subnets
Ethernet relay service uses the VLAN tag as a connection identifier to indicate the destination
IVR: inter vsan routing, also known as fabric routing, allows devices in different VSAN fabrics to
communicate
A dedicated campus core should be deployed for connecting >= 3 buildings
Cisco NSF (non-stop forwarding) & SSO are used to provide intra-chassis SSO (stateful
switchover) at layers 2-4
iSCSI is parallel tech, while FCoE is serial
iSCSI is half duplex, 320 Mb/s shared bandwidth, can handle up to 16 devices
STP enhancements:
* PortFast: port attached to a host, transitions immediately to forwarding state
* BPDU guard: on access ports where BPDUs are never received; if one is received, place the port in errdisable
* BPDU filter: if global, & a BPDU is received on a port, disable PortFast & participate in STP; if
configured at port level, completely removes both incoming & outgoing BPDUs + takes
precedence over BPDU guard
* Root guard: enforces the position of the root bridge; if a superior BPDU is received, go into err-disable
* Loop guard: (point-to-point links) listens for BPDUs on blocked ports; if they stop then the port is
placed in err-disabled mode
* UDLD
Note: UplinkFast & BackboneFast are separate enhancements
Clientless SSL VPNs provide more granular control (at L7) than other VPN solutions
EIGRP stub routing limits the scope of queries and minimises convergence time

Cisco NSF with SSO and redundant supervisors has the most impact in the campus in the
access layer. An access switch failure is a single point of failure that causes outage for the end
devices connected to it.

Using multiple EIGRP ASs improves scalability by dividing the network using summary
routes at AS boundaries. Multiple EIGRP ASs will not have a beneficial effect on query
propagation
A distribute-list is used to control routing updates either coming TO your router or leaving FROM
your router.
Routing maps also allow for modification of routes and PBR
At enterprise edge, allow only the default and summary to remote and site to site vpn routers
Two simple but effective means of using route summarization include:
* advertising the default route dynamically into the network
* Using OSPF stub areas
Internetwork Performance Monitor is a CiscoWorks application used to report on
latency and availability on an end-to-end and hop-by-hop basis
Cisco NAS - an in/out band device for NAC
Cisco NAA - a windows based agent which permits network access based on tasks running
Rule-set Updates - status checker for OS, antivirus, antimalware
Cisco NAM - centralized management point
For VPN scalability, the pps rate matters more than throughput bandwidth (bps) for the
connection speeds being terminated or aggregated. In general, routers and crypto engines have
upper boundaries for processing a given number of pps. The size of the packets used for throughput
greatly affects the bandwidth (hence pre-fragmentation is recommended)
Voice needs to be assigned a hardware priority queue, while call signalling must be given a
guaranteed bandwidth service
PVRST+ recommended for use [per vlan rapid spanning tree +]

Multicast uses only lower order 23 bits of mac address to map IP to MAC, and uses the
0x01005e prefix
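Worked example for the mapping described above (added here; not from the study notes): multicast_mac() builds the 01:00:5e MAC from the low-order 23 bits of an IPv4 group, and aliasing_groups() enumerates the 32 groups that collapse onto the same MAC because the 5 bits between the fixed 1110 prefix and the 23 mapped bits are discarded. The practical consequence for a defender is that any control keyed on the destination MAC (a MAC ACL, or a switch forwarding table built by IGMP snooping) cannot tell these groups apart, so filtering has to be done on the IP group address. The group addresses are constructed samples.

```python
import ipaddress

# Constructed sample groups: the first three differ only in the bits that the
# mapping discards, so they share one MAC address.
SAMPLE_GROUPS = ["224.1.1.1", "225.1.1.1", "224.129.1.1", "239.255.255.250"]

MCAST_OUI_PREFIX = 0x01005E  # upper 24 bits of every IPv4 multicast MAC


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its IEEE 802 MAC address.

    The MAC is 01:00:5e, then a 0 bit, then the low-order 23 bits of the
    group address. The top 4 bits of the group (1110) are implied by the
    prefix and the next 5 bits are simply dropped.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    mac_int = (MCAST_OUI_PREFIX << 24) | low23
    return ":".join(f"{(mac_int >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def aliasing_groups(group: str) -> list:
    """All 32 IPv4 multicast groups that share a MAC address with `group`."""
    base = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | base)) for i in range(32)]


def groups_sharing_mac(groups):
    """Bucket a list of group addresses by the MAC each one maps to."""
    by_mac = {}
    for g in groups:
        by_mac.setdefault(multicast_mac(g), []).append(g)
    return by_mac


if __name__ == "__main__":
    for mac, members in groups_sharing_mac(SAMPLE_GROUPS).items():
        print(mac, "<-", members)
```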
UDLD should be enabled globally for every fibre link
Reduce outages by using cisco SSO for layer 2 and cisco NSF with SSO for layer 3
deployments. However, redundant supervisors with NSF and SSO may cause longer
convergence times than single supervisors with tuned IGP timers
FSPF (fabric shortest path first) supports multipath routing
VPC provides a logical star topology that allows all switch uplinks to be active and used
Firewall in routed mode = multiple IPs and at layer3
Firewall in transparent mode = 1 IP at layer 2
Depending on the requirements of the design, the boundary between Layer 2 and Layer 3
can be in the multilayer switches, firewalls, or content switching devices in the aggregation
layer.
Aggregation switches commonly provide network services eg firewalling, via integrated switch
modules
802.11a AP radios can support 14 active voice calls using the G.711 codec, 15 with
compression codec
Nexus 1000V addresses problem that VMware reduces network admin control of access layer
Multi-VLAN access ports are 802.1Q based but they are not trunks, since they can carry only 2
VLANs: voice & data
MEC: multi chassis ether channel
VPC allows designer to have MEC on both sides of nexus, (sandwich, enabling 16 links
between access & distribution)
OSPF over a multiaccess EMS or VPLS network may not have consistent broadcast or
multicast performance
IGMP snooping is not an option with VPLS or EMS; instead administrative scoping or allowing
sufficient bandwidth for unnecessary multicast traffic at the edge links is required

Server virtualization allows live migration of virtual servers w/o disruptions, and it also allows for
installation of scripts/addons etc for backup & management
It is critical to identify aggregation and rate transition points in the network, where preferred
traffic and congestion QoS policies should be enforced, for example LAN to WAN transition
points
NAC can ensure compliance of machines connecting to the network, while IBNS (identity based
network services - identifies users rather than machines) cannot
E-line services: ethernet private line, ethernet wire service, & ethernet relay service
E-Lan services: ethernet multipoint services & ethernet relay multipoint services (remember:
LAN is to Multipoint)
Metro ethernet has virtual circuit attributes & user-network interface
NAS server (network access control server) scaling depends on:
* rescan timer interval
* user authentications per second
* number of checks per posture assessment
out-of-band NAS deployments: traffic does not pass through server after auth & posture checks
NAS Server can operate in one of the following in-band (IB) or out-of-band (OOB) modes:
* IB Virtual Gateway (L2 transparent bridge mode): operates as a bridge between the
untrusted network and an existing gateway, while providing posture assessment, filtering and
other services.
* IB Real-IP Gateway: operates as the default gateway for the untrusted network.
* IB NAT Gateway (for testing only): operates as an IP router/default gateway and performs
NAT (Network Address Translation) services for the untrusted network.
* OOB Virtual Gateway (L2 transparent bridge mode): operates as a Virtual Gateway during
authentication and certification, before the user is switched out-of-band (i.e., the user is
connected directly to the access network).
* OOB Real-IP Gateway: operates as a Real-IP Gateway during authentication and
certification, before the user is switched out-of-band (i.e., the user is connected directly to the
access network).
* OOB NAT Gateway (for testing only): operates as a NAT Gateway during authentication
and certification, before the user is switched out-of-band (i.e., the user is connected directly to
the access network).
BGP can influence incoming traffic path, avoiding the use of backdoor links
Resilient Packet Ring (RPR) is an L2 transport that provides packet-based data transport over a dual
(counter-rotating) ring topology
ESM (embedded syslog manager) provides a framework for filtering & correlating syslog
messages. Syslog messages to external servers normally use UDP port 514
Multicast sends packets to a subset of hosts
SPT (shortest path tree) threshold is 0 by default, determines when to switch from a shared tree
to a source tree
ASM any source multicast (one-to-many & many-to-many) (*,G )
SSM source specific multicast (one-to-many), uses source trees only (S,G)
With ASM, sources can launch traffic insertion or DoS attacks by sending to any of the groups
supported by an active RP. Such traffic may not reach a receiver, but it will reach at least the
first-hop router in the path, as well as the RP, allowing for limited attacks. If an attacking source,
however, knows a group to which a target receiver is listening, and if there are no appropriate
filters in place, it can send traffic to that group. This traffic will be received as long as it is
listening to the group.
With SSM, attacks by unwanted sources are only possible on the first-hop router where the
traffic will stop if no receiver has joined that (S,G) channel. This should not lead to any state
attack on the first-hop router because it should discard all SSM traffic for which no explicit join
state exists from receivers. In this model it is not sufficient for an attacking source to know which
group a target is listening to because joins are source-specific.
With SSM, source or receiver attacks are not possible
Bidir PIM: bidirectional PIM is very similar to PIM-SM, but it also allows traffic to flow UP the
shared tree, towards the RP. To do this designated forwarders are used. The designated
forwarder is responsible for forwarding multicast packets received on that network. Routers use
unicast routing metrics for this DF election process. The router with the most preferred unicast
routing metric to the RP becomes the designated forwarder. This ensures that only one copy of
every packet is sent to the RP, even if there are parallel equal-cost paths.

Note: Because a DF is selected for every RP of bidirectional groups, multiple routers may be
elected as DF on any network segment.
Recommended practice is for core to always be in L3
OSPF recommendations:
* use NSSA from the Core down
* tune timers for quicker convergence
EIGRP recommendations:
* summarize subnets
* advertise a default route from core to access layer
* use passive interfaces to only advertise the networks needed
* filter routes
Note: With most routing protocols, the passive-interface command restricts outgoing
advertisements only. But, when used with Enhanced Interior Gateway Routing Protocol
(EIGRP), the passive-interface command suppresses the exchange of hello packets
between two routers, which results in the loss of their neighbor relationship. This stops not only
routing updates from being advertised, but it also suppresses incoming routing updates
79xx phones do not DSCP-mark protocol traffic such as DHCP, DNS, etc.
Fibre Channel is a gigabit-speed network tech, typically used for storage, which supports
multiple protocols & provides high-speed transport for SCSI payloads
RSVP (Resource Reservation Protocol) requires a compatible QoS mechanism to implement the
guarantees set by RSVP reservations. For RSVP to be end-to-end, all devices along the route
must support RSVP
EISL (Enhanced Inter-Switch Link) is a method that storage switches, such as the Cisco
MDS family, use to support storage network trunking
Streaming video traffic requires packet loss < 2%
Traffic shaping is used to ensure that packets are kept within the CIR (committed information
rate) of a link

Inter-VSAN routing (IVR) allows central storage services to be shared across different VSANs
In a SAN, a server requests specific blocks of data from storage that is NOT directly attached;
instead a fabric is used to connect servers to centralized storage
An IP/ TV control server allows bandwidth config so that streaming traffic will not interfere with
other traffic
Internet Group Management Protocol (IGMP) dynamically registers individual hosts on a specific
LAN to a multicast group
Dynamic reconfiguration is a VPN management feature to ensure least amount of disruption
when changes are made
Netflow examines data @ Layer 3 & 4
A "firewall sandwich" implies multiple levels of firewalling
The use of GRE with IPSec in tunnel mode allows for secure transport of multicast based
routing protocols
L3 switching allows for:
* scaling to larger sizes
* control of broadcasts
* flexible topologies w/o spanning-tree loops
Proxy mode eliminates the need for L4 switches or WCCP to intercept user requests (recall proxy
vs reverse proxy mode), a.k.a. explicit proxy
IP multicast has no mechanism for congestion avoidance & has no guaranteed-delivery
mechanism
In a VPN context, RADIUS & LDAP can be used to assign IP addresses to a particular user
IPS is an active device in the traffic path: traffic arrives on one interface, exits another
Partial mesh VPN topology is appropriate when "spoke" sites process large amounts of traffic
between them. Dynamic multipoint VPN helps in automatically setting up partial-meshes

Security management involves patch management & vulnerability scanning
Netflow key fields:
* Source & destination IP
* Source & destination port
* Ingress interface
* Protocol Type
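Worked example for the key fields listed above (added here; not from the study notes): aggregate_flows() folds a constructed list of packet records into flow records keyed on exactly those six fields, so two packets that differ in any one of them (a new source port, or the same 5-tuple arriving on a different ingress interface) land in separate flows, while packets that match accumulate packet and byte counts. bytes_per_source() is the kind of second-stage aggregation a SOC runs over the exported records. The packet list is constructed, not a real capture.

```python
from collections import Counter

# Constructed packet records (not a real capture), one tuple per packet:
# (ingress interface, IP protocol, src IP, src port, dst IP, dst port, bytes)
PACKETS = [
    ("Gi0/1", 6, "10.0.0.5", 51000, "203.0.113.10", 443, 120),
    ("Gi0/1", 6, "10.0.0.5", 51000, "203.0.113.10", 443, 1400),
    ("Gi0/1", 6, "10.0.0.5", 51001, "203.0.113.10", 443, 60),    # new src port -> new flow
    ("Gi0/2", 6, "10.0.0.5", 51000, "203.0.113.10", 443, 120),   # same 5-tuple, other ingress -> new flow
    ("Gi0/1", 17, "10.0.0.7", 5353, "224.0.0.251", 5353, 90),
    ("Gi0/1", 6, "10.0.0.5", 51000, "203.0.113.10", 443, 40),
]


def flow_key(pkt):
    """The key fields from the notes, in the order the notes list them.

    Any difference in one of these fields starts a new flow record.
    """
    ingress, proto, src, sport, dst, dport, _size = pkt
    return (src, dst, sport, dport, ingress, proto)


def aggregate_flows(packets):
    """Fold packets into flow records: key -> {"packets": n, "bytes": n}."""
    flows = {}
    for pkt in packets:
        rec = flows.setdefault(flow_key(pkt), {"packets": 0, "bytes": 0})
        rec["packets"] += 1
        rec["bytes"] += pkt[-1]
    return flows


def bytes_per_source(flows):
    """Second-stage aggregation over the flow records: bytes sent per source IP."""
    totals = Counter()
    for key, rec in flows.items():
        totals[key[0]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    records = aggregate_flows(PACKETS)
    for key, rec in records.items():
        print(key, rec)
    print(bytes_per_source(records))
```

Classic NetFlow also keys on the IP ToS byte, which the notes do not list; adding it to flow_key() would split flows that differ only in their marking.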
Pre-fragmentation can be used alongside path MTU & proper interface MTU settings to increase
performance & reduce fragmentation issues. Pre-Fragmentation for IPsec VPNs feature
increases performance between Cisco IOS routers and VPN clients by delivering encryption
throughput at maximum encryption hardware accelerator speeds for packets that are near the
maximum transmission unit (MTU) size. Packets are fragmented into equally sized units to
prevent further downstream fragmentation.
Default gateway redundancy allows for the failure of a redundant distribution switch without
affecting endpoint connectivity
FCIP or FCoE allow for easier integration by using FCP (fibre channel protocol) and fibre
channel framing respectively.
FCIP and iSCSI have a higher overhead than FCoE due to the underlying use of TCP/IP.
WRT CEF, the recommendation is to use the default L3 hash in the core (fewer uplinks / peer links) and
use the layer 3 + layer 4 hash in the distribution layer (larger number of links and more IP diversity)
Functionality ensures that the network supports the required applications and that data flows
within required time frames
Video traffic design considerations:
* which traffic model used
* flow direction
* application traffic trends
QoS allows an admin to use class based policing to restrict traffic eg peer-to-peer
Bandwidth is normally the least important consideration when determining the number of users
a NAS can support

SLA: service level agreement, normally with the ISP for performance & connectivity
requirements
When using Active/ Standby service modules, switches are underutilized and servers require a
L2 adjacency with the switches (FHRP)
VRFs enable the partitioning of network resources
Scaling considerations such as headend configuration, routing protocol choice, and topology
have the broadest impact on IPsec VPN design
IS-IS routers: Level 1 (intra-area); Level 2 (inter area); or Level 1-2 (both). Level 2 routers
are inter area routers that can only form relationships with other Level 2 routers. Routing
information is exchanged between Level 1 routers and other Level 1 routers, and Level 2
routers only exchange information with other Level 2 routers. Level 1-2 routers exchange
information with both levels and are used to connect the inter area routers with the intra area
routers. Hence IS-IS supports a flexible area structure
Clientless VPN end-user devices do not receive a unique IP
The access layer is the first oversubscription point in the design of a DC
With NAS (network attached storage), data is accessed @ the file level, example using CIFS or
NFS. Note that NAS is slower than DAS (directly attached storage)
In fibre channel networks, N-Port to N-Port Connections use logical node connections (which
are analogous to TCP sockets)
VSAN: logical isolation among devices physically connected to the same fabric
2nd generation MDS switches offer a fully redundant switch design & 100% port efficiency
Both FCIP & ISCSI require high throughput & low latency + jitter & both offer block level storage
for remote devices. However, ISCSI is more normally used to connect host to storage device,
while FCIP is more commonly used to connect separate wide area SANs

Zoning increases security, and can be either hardware (switch) or software based. DNS queries
are used for software zoning
NAS client access modes:
* Layer 2 mode: clients are L2 adjacent; the MAC address is used to identify clients
* Layer 3 mode: clients are not L2 adjacent, so IP + MAC is used as the ID
NAS server physical deployment options:
* edge: both physically & logically in line
* central: logically inline but physically OOB
Transparent firewall mode is often referred to as "bump-in-the-wire", & in this mode traffic is
switched, not routed, across interfaces (L2)
SLB one-armed mode is not as common as bridge mode, & requires outbound traffic from
servers to be diverted via SNAT or PBR
OER (Optimized Edge Routing), aka PfR (Performance Routing), uses NetFlow & IP
SLA to measure jitter, delay, loss, throughput, utilisation, etc. to select the best
outbound path, hence providing load balancing across multiple links. In larger
environments, metrics are fed to a master controller, which controls border routers
(MC / BR)
VPN termination address schemes need to allow for summarization
When using transparent or explicit caching, cache engine should be placed as close to end
users as possible
EIGRP can summarize per interface, unlike OSPF which can only summarize at inter-area points
Recommended: summarize routes at the distribution and core layers to limit EIGRP
queries / OSPF LSA propagation
CiscoWorks Inventory Manager scans devices for hardware information
Multilink PPP (MLP) includes support for Link Fragmentation and Interleaving (LFI)

Interleaving on MLP allows large packets to be multilink encapsulated and fragmented into a
small enough size to satisfy the delay requirements of real-time traffic; small real-time packets
are not multilink encapsulated and are transmitted between fragments of the large packets.
Hence, it fragments and encapsulates packets larger than configured size, but does not
encapsulate smaller packets within a fragmentation header. These smaller packets are then
interleaved between the fragments of larger packets
A site can have between 1 and 8 Call Manager servers in a cluster
In an e-commerce module, routing is mostly static
Network vuln scanner is part of security monitoring
Modular block design @ the access layer allows for Scalability in the server farm module
IVR (Inter-VSAN Routing): sharing across multiple VSANs
An IPS normally resembles a L2 bridge, & since inline interfaces will have no IP, they cannot be
detected
First step to be taken when selecting a router is to determine which environment it will be used
in
An enterprise network model should clearly define module boundaries and demarcation points
to identify where traffic is.
RIPv2 advantages:
* multivendor
* minimum resources
* supports both manual & auto route summarization
Multicast routing uses RPF (reverse path forwarding), since only the SOURCE is known, not the
specific destination, which is normally a group of hosts
RSVP is a QoS enhancement to address scalability & bandwidth guarantee issues
Considerations for IPSec design:
* connection speed
* number of sites
* features and applications to be supported

Locations are a type of call admission control which allows for limits on the bandwidth used by
active calls
Cisco IDS passively listens to traffic and normally includes a promiscuous interface on
said network
Cisco Survivable Remote Site Telephony (SRST) allows remote IP phones to have limited
functionality in the event of a WAN failure, when using a multi site, centralized Call Manager
deployment. Limited functionality includes emergency calls, calls within the remote site, and
calls via backup PSTN
When the SLB is in one-armed mode, it is not in-line with traffic, in fact return traffic requires
PBR, client source NAT or gateway changes. This mode is not as common as bridge or routed
mode
Hub and Spoke designs incur a performance penalty since there are two encryption-decryption
cycles between any two remote sites.
An IDS normally analyzes a copy of the monitored traffic (fed via a SPAN port) and not the
actual forwarded traffic
The disadvantages of DAS (directly attached storage) are:
* scalability
* redundancy
* manageability
VoFR (voice over frame relay) provides two benefits:
* bandwidth efficiency
* congestion notification
If a network access control server (NAS) is L2 in-line it can support per-user ACLs.
When using the nexus 1000V, if an upstream access switch does not support VPC, then ESX
host traffic can still be distributed across multiple upstream switches by using virtual port
channel host mode using subgroups that can be auto discovered through CDP
Cisco offers a variety of enhancements to STP:

1. PortFast: Allows an access port to bypass STP's listening and learning phases so there is no need to
wait 50 seconds to forward data.
2. UplinkFast: Reduces STP convergence from 50 seconds to approximately 3 to 5 seconds so there is
no need to wait 50 seconds to forward data through the alternate link
3. BackboneFast: Reduces STP convergence time for an indirect link failure.
4. LoopGuard: Helps prevent loops that could occur because of a unidirectional link failure, a
software failure, or a bridge protocol data unit (BPDU) loss due to congestion
5. RootGuard: Prevents an inappropriate switch from being elected as a root bridge
6. BPDUGuard: Causes a port configured for PortFast to go into the errordisable state if a
BPDU is received on the port
Two design scenarios that are applicable when redundancy is required from branch -> regional
office:
* either dual wan links to regional office
* or single links - one to the regional office, and the other to another branch office, which is in
turn connected to the regional office
Flex Links do not have to be the same interface types, but flex links operate on only single
pairs of links
A WAN service has primary attributes that define the service, including the following:
* Bandwidth
* Bursting capacity
* QoS classes and policies
* Multicast support
Use passive interfaces to avoid unnecessary adjacencies for both OSPF and EIGRP
EIGRP: Set hello and dead timers to 1 and 3 as a secondary mechanism to speed up
convergence. Recommended EIGRP minimum timer settings are two seconds for hellos and six
seconds for the dead timer. Subsecond settings are not an option.
The rule-of-thumb recommendation for data oversubscription is 20:1 for access ports on the
access-to-distribution uplink. The recommendation is 4:1 for the distribution-to-core links.
When using a softphone, which is simply an application running on a PC, the voice traffic is
mixed with data traffic on the access VLAN that the PC is connected to. There is no 802.1Q
tagging and 802.1P class of service (CoS) marking between the PC and the switch. This has
implications for QoS

SLB: one-armed approach, the SLB VIP and the physical servers are in the same VLAN or
subnet. In the two-armed approach, the SLB device routes traffic to the physical server subnet,
which can be a private subnet.
