Introduction

Part I Wireless LANs

  Chapter 1 Fundamentals of Wireless Networks
    "Do I Know This Already?" Quiz
    Foundation Topics
    Comparing Wired and Wireless Networks
    Wireless LAN Topologies
    Basic Service Set
    Distribution System
    Extended Service Set
    Independent Basic Service Set
    Other Wireless Topologies
    Repeater
    Workgroup Bridge
    Outdoor Bridge
    Mesh Network
    Wireless Bands and Channels
    Chapter Review

  Chapter 2 Analyzing Cisco Wireless Architectures
    "Do I Know This Already?" Quiz
    Foundation Topics
    Autonomous AP Architecture
    Cloud-based AP Architecture
    Split-MAC Architectures
    Comparing Cisco Wireless LAN Controller Deployments
    Cisco AP Modes
    FlexConnect Mode
    Chapter Review

  Chapter 3 Securing Wireless Networks
    "Do I Know This Already?" Quiz
    Foundation Topics
    Anatomy of a Secure Connection
    Authentication
    Message Privacy
    Message Integrity
    Wireless Client Authentication Methods
    Open Authentication
    WEP
    802.1x/EAP
    LEAP
    EAP-FAST
    PEAP
    EAP-TLS
    Wireless Privacy and Integrity Methods
    TKIP
    CCMP
    GCMP
    WPA, WPA2, and WPA3
    Chapter Review

  Chapter 4 Building a Wireless LAN
    "Do I Know This Already?" Quiz
    Foundation Topics
    Connecting a Cisco AP
    Accessing a Cisco WLC
    Connecting a Cisco WLC
    WLC Physical Ports
    Configuring a WLAN
    Configuring a WLAN on an IOS-XE WLC
    Step 1: Configure a WLAN Profile
    Step 2: Configure a Policy Profile
    Step 3: Map the WLAN and Policy Profiles to a Policy Tag
    Step 4: Apply the Policy Tag to Some APs
    Configuring a WLAN on an AireOS WLC
    Step 1: Create a Dynamic Interface
    Step 2: Create a New WLAN
    Step 3: Configure the WLAN
    Configuring WLAN Security
    Configuring WLAN QoS
    Configuring Advanced WLAN Settings
    Finalizing WLAN Configuration
    Chapter Review

  Part I Review

Part II IP Access Control Lists

  Chapter 5 Introduction to TCP/IP Transport and Applications
    "Do I Know This Already?" Quiz
    Foundation Topics
    TCP/IP Layer 4 Protocols: TCP and UDP
    Transmission Control Protocol
    Multiplexing Using TCP Port Numbers
    Popular TCP/IP Applications
    Connection Establishment and Termination
    Error Recovery and Reliability
    Flow Control Using Windowing
    User Datagram Protocol
    TCP/IP Applications
    Uniform Resource Identifiers
    Finding the Web Server Using DNS
    Transferring Files with HTTP
    How the Receiving Host Identifies the Correct Receiving Application
    HTTP Versions
    HTTP 1.0 and 1.1
    HTTP/2 and TLS
    HTTP 3.0
    Chapter Review

  Chapter 6 Basic IPv4 Access Control Lists
    "Do I Know This Already?" Quiz
    Foundation Topics
    IPv4 Access Control List Basics
    ACL Location and Direction
    Matching Packets
    Taking Action When a Match Occurs
    Types of IP ACLs
    Standard Numbered IPv4 ACLs
    List Logic with IP ACLs
    Matching Logic and Command Syntax
    Matching the Exact IP Address
    Matching a Subset of the Address with Wildcard Masks
    Binary Wildcard Masks
    Finding the Right Wildcard Mask to Match a Subnet
    Matching Any/All Addresses
    Implementing Standard IP ACLs
    Standard Numbered ACL Scenario 1
    Standard Numbered ACL Scenario 2
    Troubleshooting and Verification Tips
    Practice Applying Standard IP ACLs
    Practice Building access-list Commands
    Reverse Engineering from ACL to Address Range
    Chapter Review

  Chapter 7 Named and Extended IP ACLs
    "Do I Know This Already?" Quiz
    Foundation Topics
    Named ACLs and ACL Editing
    Named IP Access Lists
    Editing ACLs
    Editing Named ACLs
    Editing Numbered ACLs
    Extended IP Access Control Lists
    Matching the Protocol, Source IP, and Destination IP
    Matching TCP and UDP Port Numbers
    Extended IP ACL Configuration
    Extended IP ACL Example 1: Packets to Web Servers
    Extended IP ACL Example 2: Packets from Web Servers
    Adjusting ACLs for HTTP/3
    Practice Building access-list Commands
    ACL Implementation Considerations
    Chapter Review

  Chapter 8 Applied IP ACLs
    "Do I Know This Already?" Quiz
    Foundation Topics
    ACLs and Network Infrastructure Protocols
    Filtering DNS
    Filtering ICMP
    Filtering OSPF
    Filtering DHCP
    Filtering SSH and Telnet
    Filtering for End User SSH/Telnet
    Filtering for Router VTY Access
    Comparing ACLs in IOS and IOS XE
    Configuration Syntax and Show Commands
    Resequencing ACL Sequence Numbers
    Using a Second (Common) Interface ACL
    Matching Multiple Nonconsecutive Ports with eq
    Chapter Review

  Part II Review

Part III Security Services

  Chapter 9 Security Architectures
    "Do I Know This Already?" Quiz
    Foundation Topics
    Security Terminology
    Common Security Threats
    Attacks That Spoof Addresses
    Denial-of-Service Attacks
    Reflection and Amplification Attacks
    Man-in-the-Middle Attacks
    Address Spoofing Attack Summary
    Reconnaissance Attacks
    Buffer Overflow Attacks
    Malware
    Human Vulnerabilities
    Password Vulnerabilities
    Password Alternatives
    Controlling and Monitoring User Access
    Developing a Security Program to Educate Users
    Chapter Review

  Chapter 10 Securing Network Devices
    "Do I Know This Already?" Quiz
    Foundation Topics
    Securing IOS Passwords
    Encrypting Older IOS Passwords with service password-encryption
    Encoding the Enable Passwords with Hashes
    Interactions Between Enable Password and Enable Secret
    Making the Enable Secret Truly Secret with a Hash
    Improved Hashes for Cisco's Enable Secret
    Encoding the Passwords for Local Usernames
    Firewalls and Intrusion Prevention Systems
    Traditional Firewalls
    Security Zones
    Intrusion Prevention Systems (IPS)
    Cisco Next-Generation Firewalls
    Cisco Next-Generation IPS
    Chapter Review

  Chapter 11 Implementing Switch Port Security
    "Do I Know This Already?" Quiz
    Foundation Topics
    Port Security Concepts and Configuration
    Configuring Port Security
    Verifying Port Security
    Port Security MAC Addresses
    Port Security Violation Modes
    Port Security Shutdown Mode
    Port Security Protect and Restrict Modes
    Chapter Review

  Chapter 12 DHCP Snooping and ARP Inspection
    "Do I Know This Already?" Quiz
    Foundation Topics
    DHCP Snooping
    DHCP Snooping Concepts
    A Sample Attack: A Spurious DHCP Server
    DHCP Snooping Logic
    Filtering DISCOVER Messages Based on MAC Address
    Filtering Messages That Release IP Addresses
    DHCP Snooping Configuration
    Configuring DHCP Snooping on a Layer 2 Switch
    Limiting DHCP Message Rates
    DHCP Snooping Configuration Summary
    Dynamic ARP Inspection
    DAI Concepts
    Review of Normal IP ARP
    Gratuitous ARP as an Attack Vector
    Dynamic ARP Inspection Logic
    Dynamic ARP Inspection Configuration
    Configuring ARP Inspection on a Layer 2 Switch
    Limiting DAI Message Rates
    Configuring Optional DAI Message Checks
    IP ARP Inspection Configuration Summary
    Chapter Review

  Part III Review

Part IV IP Services

  Chapter 13 Device Management Protocols
    "Do I Know This Already?" Quiz
    Foundation Topics
    System Message Logging (Syslog)
    Sending Messages in Real Time to Current Users
    Storing Log Messages for Later Review
    Log Message Format
    Log Message Severity Levels
    Configuring and Verifying System Logging
    The debug Command and Log Messages
    Network Time Protocol (NTP)
    Setting the Time and Time Zone
    Basic NTP Configuration
    NTP Reference Clock and Stratum
    Analyzing Topology Using CDP and LLDP
    Examining Information Learned by CDP
    Configuring and Verifying CDP
    Examining Information Learned by LLDP
    Configuring and Verifying LLDP
    LLDP-MED and TLVs
    Chapter Review

  Chapter 14 Network Address Translation
    "Do I Know This Already?" Quiz
    Foundation Topics
    Network Address Translation Concepts
    IPv4 Address Conservation with NAT
    Inside Source NAT
    Static NAT
    Inside Local and Inside Global Addresses
    Dynamic NAT
    Overloading NAT with Port Address Translation
    NAT Configuration and Troubleshooting
    Static NAT Configuration
    Dynamic NAT Configuration
    Dynamic NAT Verification
    NAT Overload (PAT) Configurati.

CCNA 200-301 Official Cert Guide, Volume 2