CCNA 200-301 Official Cert Guide, Volume 2

Contents

Introduction xxvii

Part I IP Access Control Lists 3

  Chapter 1 Introduction to TCP/IP Transport and Applications 4
    "Do I Know This Already?" Quiz 4
    Foundation Topics 6
    TCP/IP Layer 4 Protocols: TCP and UDP 6
    Transmission Control Protocol 7
    Multiplexing Using TCP Port Numbers 7
    Popular TCP/IP Applications 10
    Connection Establishment and Termination 12
    Error Recovery and Reliability 13
    Flow Control Using Windowing 15
    User Datagram Protocol 16
    TCP/IP Applications 16
    Uniform Resource Identifiers 17
    Finding the Web Server Using DNS 18
    Transferring Files with HTTP 20
    How the Receiving Host Identifies the Correct Receiving Application 21
    Chapter Review 22

  Chapter 2 Basic IPv4 Access Control Lists 24
    "Do I Know This Already?" Quiz 24
    Foundation Topics 26
    IPv4 Access Control List Basics 26
    ACL Location and Direction 26
    Matching Packets 27
    Taking Action When a Match Occurs 28
    Types of IP ACLs 28
    Standard Numbered IPv4 ACLs 29
    List Logic with IP ACLs 29
    Matching Logic and Command Syntax 31
    Matching the Exact IP Address 31
    Matching a Subset of the Address with Wildcards 31
    Binary Wildcard Masks 33
    Finding the Right Wildcard Mask to Match a Subnet 33
    Matching Any/All Addresses 34
    Implementing Standard IP ACLs 34
    Standard Numbered ACL Example 1 35
    Standard Numbered ACL Example 2 36
    Troubleshooting and Verification Tips 38
    Practice Applying Standard IP ACLs 39
    Practice Building access-list Commands 39
    Reverse Engineering from ACL to Address Range 40
    Chapter Review 41

  Chapter 3 Advanced IPv4 Access Control Lists 44
    "Do I Know This Already?" Quiz 44
    Foundation Topics 46
    Extended Numbered IP Access Control Lists 46
    Matching the Protocol, Source IP, and Destination IP 46
    Matching TCP and UDP Port Numbers 48
    Extended IP ACL Configuration 51
    Extended IP Access Lists: Example 1 51
    Extended IP Access Lists: Example 2 53
    Practice Building access-list Commands 54
    Named ACLs and ACL Editing 54
    Named IP Access Lists 54
    Editing ACLs Using Sequence Numbers 56
    Numbered ACL Configuration Versus Named ACL Configuration 58
    ACL Implementation Considerations 59
    Additional Reading on ACLs 60
    Chapter Review 61

  Part I Review 64

Part II Security Services 67

  Chapter 4 Security Architectures 68
    "Do I Know This Already?" Quiz 68
    Foundation Topics 70
    Security Terminology 70
    Common Security Threats 72
    Attacks That Spoof Addresses 72
    Denial-of-Service Attacks 73
    Reflection and Amplification Attacks 75
    Man-in-the-Middle Attacks 76
    Address Spoofing Attack Summary 77
    Reconnaissance Attacks 77
    Buffer Overflow Attacks 78
    Malware 78
    Human Vulnerabilities 79
    Password Vulnerabilities 80
    Password Alternatives 80
    Controlling and Monitoring User Access 82
    Developing a Security Program to Educate Users 83
    Chapter Review 84

  Chapter 5 Securing Network Devices 86
    "Do I Know This Already?" Quiz 86
    Foundation Topics 88
    Securing IOS Passwords 88
    Encrypting Older IOS Passwords with service password-encryption 89
    Encoding the Enable Passwords with Hashes 90
    Interactions Between Enable Password and Enable Secret 90
    Making the Enable Secret Truly Secret with a Hash 91
    Improved Hashes for Cisco's Enable Secret 92
    Encoding the Passwords for Local Usernames 94
    Controlling Password Attacks with ACLs 95
    Firewalls and Intrusion Prevention Systems 95
    Traditional Firewalls 96
    Security Zones 97
    Intrusion Prevention Systems (IPS) 99
    Cisco Next-Generation Firewalls 100
    Cisco Next-Generation IPS 102
    Chapter Review 103

  Chapter 6 Implementing Switch Port Security 106
    "Do I Know This Already?" Quiz 106
    Foundation Topics 108
    Port Security Concepts and Configuration 108
    Configuring Port Security 109
    Verifying Port Security 112
    Port Security MAC Addresses 113
    Port Security Violation Modes 114
    Port Security Shutdown Mode 115
    Port Security Protect and Restrict Modes 117
    Chapter Review 119

  Chapter 7 Implementing DHCP 122
    "Do I Know This Already?" Quiz 122
    Foundation Topics 124
    Dynamic Host Configuration Protocol 124
    DHCP Concepts 125
    Supporting DHCP for Remote Subnets with DHCP Relay 126
    Information Stored at the DHCP Server 128
    Configuring DHCP Features on Routers and Switches 129
    Configuring DHCP Relay 130
    Configuring a Switch as DHCP Client 130
    Configuring a Router as DHCP Client 132
    Identifying Host IPv4 Settings 133
    Host Settings for IPv4 133
    Host IP Settings on Windows 134
    Host IP Settings on macOS 136
    Host IP Settings on Linux 138
    Chapter Review 140

  Chapter 8 DHCP Snooping and ARP Inspection 144
    "Do I Know This Already?" Quiz 144
    Foundation Topics 146
    DHCP Snooping 146
    DHCP Snooping Concepts 146
    A Sample Attack: A Spurious DHCP Server 147
    DHCP Snooping Logic 148
    Filtering DISCOVER Messages Based on MAC Address 150
    Filtering Messages that Release IP Addresses 150
    DHCP Snooping Configuration 152
    Configuring DHCP Snooping on a Layer 2 Switch 152
    Limiting DHCP Message Rates 154
    DHCP Snooping Configuration Summary 155
    Dynamic ARP Inspection 156
    DAI Concepts 156
    Review of Normal IP ARP 156
    Gratuitous ARP as an Attack Vector 157
    Dynamic ARP Inspection Logic 158
    Dynamic ARP Inspection Configuration 160
    Configuring ARP Inspection on a Layer 2 Switch 160
    Limiting DAI Message Rates 163
    Configuring Optional DAI Message Checks 164
    IP ARP Inspection Configuration Summary 165
    Chapter Review 166

  Part II Review 168

Part III IP Services 171

  Chapter 9 Device Management Protocols 172
    "Do I Know This Already?" Quiz 172
    Foundation Topics 174
    System Message Logging (Syslog) 174
    Sending Messages in Real Time to Current Users 174
    Storing Log Messages for Later Review 175
    Log Message Format 176
    Log Message Severity Levels 177
    Configuring and Verifying System Logging 178
    The debug Command and Log Messages 180
    Network Time Protocol (NTP) 181
    Setting the Time and Timezone 182
    Basic NTP Configuration 183
    NTP Reference Clock and Stratum 185
    Redundant NTP Configuration 186
    NTP Using a Loopback Interface for Better Availability 188
    Analyzing Topology Using CDP and LLDP 190
    Examining Information Learned by CDP 190
    Configuring and Verifying CDP 193
    Examining Information Learned by LLDP 194
    Configuring and Verifying LLDP 197
    Chapter Review 199

  Chapter 10 Network Address Translation 202
    "Do I Know This Already?" Quiz 202
    Foundation Topics 204
    Perspectives on IPv4 Address Scalability 204
    CIDR 205
    Private Addressing 206
    Network Address Translation Concepts 207
    Static NAT 208
    Dynamic NAT 210
    Overloading NAT with Port Address Translation 211
    NAT Configuration and Troubleshooting 213
    Static NAT Configuration 213
    Dynamic NAT Configuration 215
    Dynamic NAT Verification 217
    NAT Overload (PAT) Configuration 219
    NAT Troubleshooting 222
    Chapter Review 223

  Chapter 11 Quality of Service (QoS) 226
    "Do I Know This Already?" Quiz 226
    Foundation Topics 228
    Introduction to QoS 228
    QoS: Managing Bandwidth, Delay, Jitter, and Loss 228
    Types of Traffic 229
    Data Applications 229
    Voice and Video Applications 230
    QoS as Mentioned in This Book 232
    QoS on Switches and Routers 233
    Classification and Marking 233
    Classification Basics 233
    Matching (Classification) Basics 234
    Classification on Routers with ACLs and NBAR 235
    Marking IP DSCP and Ethernet CoS 236
    Marking the IP Header 237
    Marking the Ethernet 802.1Q Header 237
    Other Marking Fields 238
    Defining Trust Boundaries 238
    DiffServ Suggested Marking Values 239
    Expedited Forwarding (EF) 240
    Assured Forwarding (AF) 240
    Class Selector (CS) 241
    Guidelines for DSCP Marking Values 241
    Queuing 242
    Round-Robin Scheduling (Prioritization) 243
    Low Latency Queuing 243
    A Prioritization Strategy for Data, Voice, and Video 245
    Shaping and Policing 245
    Policing 246
    Where to Use Policing 246
    Shaping 248
    Setting a Good Shaping Time Interval for Voice and Video 249
    Congestion Avoidance 250
    TCP Windowing Basics 250
    Congestion Avoidance Tools 251
    Chapter Review 252

  Chapter 12 Miscellaneous IP Services 254
    "Do I Know This Already?" Quiz 254
    Foundation Topics 256
    First Hop Redundancy Protocol 256
    The Need for Redundancy in Networks 257
    The Need for a First Hop Redundancy Protocol 259
    The Three Solutions for First-Hop Redundancy 260
    HSRP Concepts 261
    HSRP Failover 261
    HSRP Load Balancing 262
    Simple Network Management Protocol 263
    SNMP Variable Reading and Writing: SNMP Get and Set 264
    SNMP Notifications: Traps and Informs 265
    The Management Information Base 266
    Securing SNMP 267
    FTP and TFTP 268
    Managing Cisco IOS Images with FTP/TFTP 26.