Layer 4: Transport - Dealing with Segments!

TCP/UDP

TCP & UDP:
	- ID application layer protocol: Ex TCP 80 = HTTP
	- provide session multiplexing: doing two things at once
	- Port ranges defined by IANA (Internet Assigned Numbers Authority):
		- well known port numbers: 0 - 1023
			- servers use this so that hosts know which ports to query
		- registered port numbers: 1024 - 49151
			- must be registered to use this range
		- ephemeral port numbers: 1025 - 65535
			- hosts use this range when selecting random source port

	- TCP (Transmission Control Protocol): 
		- Services that TCP provides (UDP does NOT):
			- reliable data transfer
				- before sending data, two hosts communicate to establish connection
			- data sequencing
				- sequence numbers in TCP header allow destination host to put segments in order
			- flow control
				- dest host can tell source host to incr/decr rate that data is sent
			- error recovery
		- TCP header:
			- source & destination port 
			- sequence & acknowledgement number
			- flag bits: ACK, SYN, FIN
			- window size: flow control
		- TCP 3-way handshake (initiates connections):
			1) SYN: PC1 sends TCP segment to SRV1 with SYN flag set
			2) SYN-ACK: SRV1 replies with TCP segment with SYN & ACK flags set
			3) ACK: PC1 sends TCP segment with ACK bit set
		- TCP 4-way handshake (terminates connections):
			1) FIN: PC1 sends TCP segment to SRV1 with FIN flag set
			2) ACK: SRV1 replies with TCP segment with ACK flag set
			3) FIN: SRV1 sends TCP segment with FIN flag set
			4) ACK: PC1 sends TCP segment with ACK bit set
		- TCP sequencing / reliability / flow control:
			- sequencing: 
				- 3-way handshake, PC sends SYN with random sequence number
				- SRV replies with SYN-ACK with its own random sequence number & PC's sequence number + 1
					- +1 for forward acknowledgement: next segment will increment by 1 (or more)
				- PC sends ACK with its sequence number incremented by 1 & SRV's sequence number + 1
				- After this 3 way handshake, they continue sending ACK segments back and forth, increasing their seq. numbers
			- reliability:
				- if PC doesn't hear an ACK from SRV, it will send it again (re-transmit failed segments)
			- Flow control:
				- window size field allows multiple segments to be sent before an ACK is required
				- dynamic adjust: window size increases until segment is dropped, then decreases until all segments go through
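The handshake arithmetic and the window behaviour described above, as an added Python example (this is not code from the original notes). The random ISNs are seeded so a run is reproducible, the network is modelled as a set of sequence numbers that are dropped exactly once, and the window rule (halve on loss, grow by one segment otherwise) is a simplification standing in for real congestion control; sequence numbers advance by payload bytes, so the ACK after a 3-byte segment is seq + 3.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: Tuple[str, ...]


def three_way_handshake(client: str = "PC1", server: str = "SRV1", seed: int = 1) -> List[Segment]:
    """SYN, SYN-ACK, ACK with random initial sequence numbers (ISNs). A SYN consumes
    one sequence number, so each side acknowledges the other's ISN + 1."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    client_isn, server_isn = rng.randrange(MOD), rng.randrange(MOD)
    syn = Segment(client, server, client_isn, 0, ("SYN",))
    syn_ack = Segment(server, client, server_isn, (client_isn + 1) % MOD, ("SYN", "ACK"))
    ack = Segment(client, server, (client_isn + 1) % MOD, (server_isn + 1) % MOD, ("ACK",))
    return [syn, syn_ack, ack]


def transfer(data: bytes, mss: int, start_seq: int, window: int, drop_once: Set[int]):
    """Send `data` in MSS-sized segments under a sender window measured in segments.
    `drop_once` holds sequence numbers the (simulated) network drops the first time
    they are sent. Returns (bytes reassembled by the receiver, per-round history of
    (round, window after the ACK, receiver's cumulative ACK number))."""
    segments = [data[i:i + mss] for i in range(0, len(data), mss)]
    end_seq = start_seq + len(data)  # wrap-around ignored in this simulation
    to_drop = set(drop_once)
    received: Dict[int, bytes] = {}  # receiver buffer: seq -> payload
    expected = start_seq             # receiver: next in-order byte (the ACK it sends)
    base = start_seq                 # sender: oldest unacknowledged byte
    history: List[Tuple[int, int, int]] = []
    rnd = 0
    while expected < end_seq:
        first = (base - start_seq) // mss
        lost = False
        for i in range(first, min(first + window, len(segments))):
            seq = start_seq + i * mss
            if seq in to_drop:
                to_drop.discard(seq)  # dropped once; the retransmission gets through
                lost = True
                continue
            received[seq] = segments[i]
        while expected in received:   # cumulative ACK: advance over contiguous data
            expected += len(received[expected])
        base = expected               # sender sees the ACK and slides its window
        window = max(1, window // 2) if lost else window + 1  # shrink on loss, else grow
        history.append((rnd, window, base))
        rnd += 1
    return b"".join(received[s] for s in sorted(received)), history


if __name__ == "__main__":
    for seg in three_way_handshake():
        print(f"{seg.src} -> {seg.dst} {'/'.join(seg.flags):8} seq={seg.seq} ack={seg.ack}")
    payload, log = transfer(b"A" * 10, mss=3, start_seq=1000, window=2, drop_once={1003})
    print(payload, log)
```

The history shows the window collapsing to 1 in the round where 1003 is lost, the retransmission going through, and the window growing again once segments arrive in order, which is the "increase until a segment is dropped, then decrease" behaviour the notes describe.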
	
	- UDP (User Datagram Protocol):
		- connectionless
		- just sends, no guarantee of delivery, no sequencing, no flow control
		- UDP header:
			- source port, destination port, length, checksum

	- Common Ports:
		- TCP: 
			- 20 FTP data
			- 21 FTP control
			- 22 SSH
			- 23 Telnet
			- 25 SMTP
			- 80 HTTP
			- 110 POP3
			- 443 HTTPS
		- UDP:
			- 67 DHCP server
			- 68 DHCP client
			- 69 TFTP
			- 161 SNMP agent
			- 162 SNMP manager
			- 514 Syslog
		- TCP & UDP:
			- 53 DNS
			

ACL

Standard & Extended ACLs (Access Control List):
	- controls which hosts can access which parts of network
	- packet filter
	- ACL tells router what to do based on source/dest IP, source/dest layer 4 ports, etc...
	- ACL configured globally on router
	- ACL processed from top to bottom
	- ACE (Access Control Entries) make up ACLs
		- ordered sequence for ACEs
	- after being created in global config mode, ACL must then be applied to an interface to take effect
		- ACLs are applied inbound or outbound (filter traffic entering vs exiting)
		- one outbound ACL && one inbound ACL allowed per interface
	- implicit deny: if none match in ACL, router will deny 
		- on ALL ACLs
	- standard ACLs should be applied as close to destination as possible
	- extended ACLs should be applied as close to the source as possible
	- ACL Types:
		- Standard ACLs: 
			- Standard Numbered ACLs: match Source IP ONLY
				- identified with a number (ACL1, ACL2, etc...)
					- ACL number range: 1-99 & 1300-1999 (IP ACL)
				- "access-list  {deny | permit}  " --> ACL to deny/permit network
				- "access-list  {deny | permit} host " --> ACL to deny/permit single host
				- "access-list  {deny | permit} any" --> usually used at end of ACL to allow all unspecified traffic
					- allowing 'any' is same as allowing 0.0.0.0/0
				- "access-list  remark <##comment/description##>"
				- "show access-lists" --> see ACLs on router
				- "show ip access-lists" --> see ip ACLs on router 
				- "ip access-group  {in | out}" --> apply ACL to an interface
				- CANNOT delete single entries in global config mode, can ONLY delete entire ACL
				- CANNOT specify entry-number (only in ACL config mode)
				- Another way to config numbered ACLs:
					- uses ACL config mode
					- can configure exact same way as Named ACLs, just replace  with 
					- can more easily delete entries with "no " from ACL config mode
					- can use this just to edit ACL but still use above method for creating ACL
			- Standard Named ACLs: match Source IP ONLY
				- identified with a name ('block_bob')
				- "ip access-list standard " --> enter standard named ACL config mode
				- "[entry-number] {deny | permit}  " --> create ACL
				- "no " --> delete entries in ACL from ACL config mode
				- "show access-lists" --> see all ACLs, incl default entry numbers				
				- "ip access-group  {in | out}" --> apply ACL to an interface
		- Extended ACLs:
			- Extended Numbered ACLs: match Source/Dest IP, Source/Dest Port, etc... 
				- ACL number range: 100-199 & 2000-2699
				- "access-list  [permit | deny]   " --> setup ACL
			- Extended Named ACLs: match Source/Dest IP, Source/Dest Port, etc...
				- "ip access-list extended {name | number}" --> enter ACL config mode
				- "[entry-num] [permit | deny]   " --> set ACL
						- add "[{eq | gt | lt | range | neq}  to specify port numbers for src
						- add "[{eq | gt | lt | range | neq}  to specify port numbers for dest
						- eq = equal to # | gt = greater than # | lt = less than # | range # # | neq #| (specify port numbers)
					- ex: "deny tcp any 10.0.0.0  0.0.0.255" --> must incl wildcard-mask
					- ex: "permit ip any any" --> allow all traffic
					- ex: "deny udp 10.0.0.0  0.0.255.255 host 192.168.1.1" --> with 'host', wildcard not required
					- ex: "deny tcp any eq 80 10.0.0.0  0.0.0.255" --> deny all traffic to port 80 on 10.0.0.0
				- "show ip interface " --> see ACL status and stuff
		- Editing ACLs: 
			- "ip access-list resequence   " --> resequencing entry numbers in ACLs
				- ex: "ip access-list resequence 1 10 10" --> changes entry '1' to 10 and then increments all others by 10
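An added Python model of the ACL rules above (top-to-bottom evaluation, first match wins, implicit deny, entry numbers, resequencing); this is example code, not part of the original notes and not Cisco's implementation. It parses ACE text in the IOS shape used on this page ("deny udp 10.0.0.0 0.0.255.255 host 192.168.1.1", "permit ip any any") and applies the wildcard-mask rule that a 1 bit means "don't care". The ACL built in `build_example_acl` and the packets in the usage are constructed for illustration; note that the position of `eq 80` decides whether it is a source-port or a destination-port match, exactly as the src/dst lines above say.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


AddrTest = Callable[[str], bool]
PortTest = Callable[[int], bool]
ANY_PORT: PortTest = lambda p: True


def _addr_test(t: List[str], i: int) -> Tuple[AddrTest, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at t[i]; wildcard bit 1 = don't care."""
    if t[i] == "any":
        net, wild, i = 0, 0xFFFFFFFF, i + 1
    elif t[i] == "host":
        net, wild, i = int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    else:
        net, wild, i = int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2
    care = ~wild & 0xFFFFFFFF
    return (lambda a: (int(ipaddress.IPv4Address(a)) & care) == (net & care)), i


def _port_test(t: List[str], i: int) -> Tuple[PortTest, int]:
    """Parse optional 'eq|neq|gt|lt N' or 'range LO HI'; nothing present means any port."""
    if i >= len(t) or t[i] not in ("eq", "neq", "gt", "lt", "range"):
        return ANY_PORT, i
    op = t[i]
    if op == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = int(t[i + 1])
    ops = {"eq": lambda p: p == n, "neq": lambda p: p != n,
           "gt": lambda p: p > n, "lt": lambda p: p < n}
    return ops[op], i + 2


@dataclass
class ACE:
    seq: int
    action: str
    text: str
    match: Callable[[Packet], bool]


class ACL:
    """Ordered ACEs evaluated top to bottom; first match wins; implicit deny at the end."""

    def __init__(self, name: str, extended: bool):
        self.name, self.extended = name, extended
        self.entries: List[ACE] = []

    def add(self, line: str) -> None:
        """IOS-style ACE text with an optional leading entry number (default: last + 10)."""
        t = line.split()
        seq = int(t.pop(0)) if t[0].isdigit() else (self.entries[-1].seq + 10 if self.entries else 10)
        action = t.pop(0)
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        if self.extended:
            proto = t[0]
            src, i = _addr_test(t, 1)
            sp, i = _port_test(t, i) if proto in ("tcp", "udp") else (ANY_PORT, i)
            dst, i = _addr_test(t, i)
            dp, i = _port_test(t, i) if proto in ("tcp", "udp") else (ANY_PORT, i)

            def match(p: Packet) -> bool:
                return ((proto == "ip" or p.proto == proto) and src(p.src) and dst(p.dst)
                        and sp(p.sport) and dp(p.dport))
        else:
            src, _ = _addr_test(t, 0)  # standard ACL: source address only

            def match(p: Packet) -> bool:
                return src(p.src)
        self.entries.append(ACE(seq, action, line, match))
        self.entries.sort(key=lambda e: e.seq)

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        for e in self.entries:
            if e.match(p):
                return e.action, e.seq
        return "deny", None  # implicit deny: no entry matched

    def resequence(self, start: int, step: int) -> None:
        """Same effect as 'ip access-list resequence <name> <start> <step>'."""
        for n, e in enumerate(self.entries):
            e.seq = start + n * step


def build_example_acl() -> ACL:
    """Constructed example: block UDP from 10.0.0.0/16 to one host, HTTP into 10.0.0.0/24, allow the rest."""
    acl = ACL("FILTER_IN", extended=True)
    acl.add("deny udp 10.0.0.0 0.0.255.255 host 192.168.1.1")
    acl.add("deny tcp any 10.0.0.0 0.0.0.255 eq 80")  # operator after the destination = dest port
    acl.add("permit ip any any")
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    for pkt in (Packet("udp", "10.0.5.5", "192.168.1.1", 50000, 514),
                Packet("tcp", "172.16.1.1", "10.0.0.7", 40000, 80),
                Packet("tcp", "172.16.1.1", "10.0.0.7", 40000, 443)):
        print(pkt, "->", acl.evaluate(pkt))
```

Leaving out the final `permit ip any any` is the classic mistake the implicit-deny line warns about: `evaluate` then returns `("deny", None)` for every packet that no explicit entry matched.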
			

NTP

NTP (Network Time Protocol):
	- Why time is important for network devices:
		- "show clock" --> see time in IOS
		- "show clock detail"
		- "show clock source" --> see where device gets time from (hardware calendar)
		- default time = UTC (Coordinated Universal Time)
		- Accurate logs require accurate time --> required for accurate troubleshooting
			- Syslog --> protocol used to keep device logs
			- "show logging" --> see logs
		- hardware clock & software clock are separate, can be configured separately

	- Manual time config (Without NTP):
		- Software clock:
			- "clock set " --> date/month can swap positions
				- set in privileged exec mode
				- ex: "clock set 14:40:00 27 Apr 2023"
		- Hardware clock:
			- "calendar set " --> date/month can swap positions
			- "show calendar" --> view time
			- "clock update calendar" --> sync calendar to clock's time
			- "clock read calendar" --> sync clock to calendar's time
		- Timezone:
			- configured from global config mode
			- "clock timezone  "
				- ex: "clock timezone JST 9"
			- Daylight Savings Time:
				- "clock summer-time  {recurring | date}        "
					- ex: "clock summer-time EDT recurring 2 Sunday March 02:00 1 Sunday November 02:00"
	
	- NTP basics:
		- manually config clocks not scalable & time drift will happen
		- NTP allows auto sync of time over network
		- NTP accuracy ~1ms over LAN or 50ms over WAN
		- Stratum: distance of NTP server from original reference clock (higher stratum = less accurate)
			- Reference clock: have stratum = 0, atomic clocks / GPS clocks
				- NTP servers connected directly to reference clock = stratum 1
				- stratum goes up to 15 (anything more isn't reliable)
				- NTP servers can peer with other servers in their stratum for more accuracy
		- NTP uses UDP port 123 to communicate
		- 3 modes for NTP:
			- Server mode
				- "ntp master"
			- Client mode
				- "ntp server " --> become client of server
			- Symmetric Active mode
				- "ntp peer "
				- peer with other devices on same stratum
			* NTP devices can be in all 3 modes at once
		- Primary Servers = Stratum 1
		- Secondary Servers = Stratum > 1

	- NTP config:
		- "ntp server  [prefer]" --> if multiple, will store all and choose best automatically
		- "show ntp associations" --> show all NTP servers configured (* = current NTP server in use, + = backup)
		- "show ntp status"  
		- "ntp update-calendar" --> router update hardware clock with NTP
		- "ntp source loopback0"
		- "ntp master <#>" --> makes router its own NTP server (uses itself) --> #-1 = stratum
			- default stratum for ntp master command = 8
		- "ntp peer "
		- NTP Authentication:
			- allows NTP clients to ensure they only sync to intended servers
			- "ntp authenticate" --> enable NTP authentication
			- "ntp authentication-key  md5 " --> key-num = 1, key = password
			- "ntp trusted-key " --> specify which keys are trusted
			- "ntp server  key " --> specify which key is used on which server
			* Must do all of these commands
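An added Python example (not from the original notes, and not Cisco's code) showing what the four NTP authentication commands amount to on the client side. It builds a minimal RFC 5905 packet, appends the MD5 MAC the way that RFC specifies for MD5 keys (32-bit key id followed by MD5 over key || packet), and models the client's configuration as the four commands above: `ntp authenticate`, `ntp authentication-key <n> md5 <key>`, `ntp trusted-key <n>` and `ntp server <ip> key <n>`. The key id, key string and server address are constructed; the check order in `client_accepts` is an assumption that mirrors the "must do all of these commands" note.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

NTP_HEADER_LEN = 48  # RFC 5905 header; a MAC, if present, follows it
MAC_LEN = 4 + 16     # 32-bit key id + 128-bit MD5 digest


def build_ntp_packet(mode: int, stratum: int, transmit_ts: int) -> bytes:
    """Minimal RFC 5905 header: LI=0, VN=4, mode (3 = client, 4 = server)."""
    first_byte = (0 << 6) | (4 << 3) | mode
    return struct.pack("!BBbbIIIQQQQ", first_byte, stratum, 6, -20, 0, 0, 0, 0, 0, 0, transmit_ts)


def sign(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC: key id, then MD5 over (key || packet), as RFC 5905 specifies for MD5 keys."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


@dataclass
class NtpClientConfig:
    authenticate: bool = False                                   # ntp authenticate
    keys: Dict[int, bytes] = field(default_factory=dict)         # ntp authentication-key <n> md5 <key>
    trusted: Set[int] = field(default_factory=set)               # ntp trusted-key <n>
    server_key: Dict[str, int] = field(default_factory=dict)     # ntp server <ip> key <n>


def client_accepts(cfg: NtpClientConfig, server_ip: str, message: bytes) -> Tuple[bool, str]:
    """Decide whether a reply from server_ip may be used to set the clock."""
    if not cfg.authenticate:
        return True, "authentication disabled: any reply is accepted"
    if server_ip not in cfg.server_key:
        return False, "no key configured for this server"
    key_id = cfg.server_key[server_ip]
    if key_id not in cfg.trusted:
        return False, f"key {key_id} is not trusted"
    if key_id not in cfg.keys:
        return False, f"key {key_id} is not defined"
    if len(message) < NTP_HEADER_LEN + MAC_LEN:
        return False, "reply carries no MAC"
    packet, mac = message[:-MAC_LEN], message[-MAC_LEN:]
    if struct.unpack("!I", mac[:4])[0] != key_id:
        return False, "MAC key id does not match the configured key"
    expected = hashlib.md5(cfg.keys[key_id] + packet).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "MAC mismatch: reply rejected"
    return True, "MAC verified"


if __name__ == "__main__":
    cfg = NtpClientConfig(authenticate=True, keys={1: b"ntpsecret"}, trusted={1},
                          server_key={"10.0.0.1": 1})
    reply = sign(build_ntp_packet(mode=4, stratum=2, transmit_ts=0xE8D6_0000_0000_0000), 1, b"ntpsecret")
    print(client_accepts(cfg, "10.0.0.1", reply))
    forged = bytearray(reply)
    forged[1] = 1  # someone rewrites the stratum in transit
    print(client_accepts(cfg, "10.0.0.1", bytes(forged)))
```

Each missing command shows up as a distinct rejection reason, and a reply whose header was altered after signing fails the digest comparison even though it still carries a MAC with the right key id.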
			

DNS

DNS (Domain Name System):
	- Basic Functions of DNS:
		- can be configured manually or by DHCP
		- A records = map names to IPv4 addresses
		- AAAA records = map names to IPv6 addresses
		- CNAME records = map name to another name
		- standard DNS queries/responses typically use UDP 53
			- only uses TCP 53 above 512 bytes
		- devices save DNS server's response to local DNS cache
			- "ipconfig /displaydns" --> Windows view DNS cache
			- "ipconfig /flushdns" --> Windows clear DNS cache
			- "show hosts" --> shows cached name/IP mappings (Cisco IOS)
		- Host file = alternative to DNS (manually configured)
		- router will forward traffic to DNS
			- sometimes router is DNS server (not common but the commands are for this)

	- Config DNS:
		- "ipconfig /all" --> verify IP parameters Windows (also see DNS server)
		- "nslookup youtube.com" --> name server lookup (find IP and info on a site) Windows (see DNS server)
		- Config Router to be DNS server:
			- "ip dns server" --> config router to act as DNS server
			- "ip host  " --> config list of devices/IP mappings
			- "ip name-server 8.8.8.8" --> config external server for router to use if a site is not in its table
			- "ip domain lookup" --> enable router to perform DNS queries (enabled by default)
				- "ip domain-lookup" --> old command, still works
			- if router doesn't have ip for the site you want, it acts as DNS client and asks another server
			- "show hosts" --> shows cached name/IP mappings (Cisco IOS)
		- Config Router to be DNS client:
			- "ip name-server 8.8.8.8" --> config R1 to use google's DNS server
			- "ip domain lookup" --> enable R1 to perform DNS queries (default on)
			- "ip domain name wizardnotes.com" --> optional, config default domain name
			- router needs no config to forward DNS queries to servers externally
			

DHCP

DHCP (Dynamic Host Configuration Protocol):
	- Purpose of DHCP:
		- allow hosts to automatically and dynamically learn network config (IP, netmask, DNS server, default G)
		- used for host devices
		- routers, servers, etc... (usually) need to be manually configured, NO DHCP
			- router in home = DHCP server
		- "ipconfig /all" 
			- shows if DHCP is enabled
			- preferred address (if had an address before)
			- shows Lease Obtained & Lease Expires
			- default gateway, DHCP server, DNS server = home router
		- "ipconfig /release" --> release IP address
		- DHCP servers = UDP 67
		- DHCP clients = UDP 68
	
	- Basic Functions of DHCP:
		- "ipconfig /renew" --> get new IP
			- 4 message exchange:
				1) DHCP discover message: client asks if there are DHCP servers, need IP
					- client --> server
					- broadcasts MAC FFFF
					- src: UDP 68, dst: UDP 67
					- Bootp flags: predecessor of DHCP = 0x0000 (Unicast)
				2) DHCP offer message: DHCP server offers IP, default gateway, DNS server to client
					- server --> client 
					- unicast (knows client's MAC)
					- src: UDP 67, dst: UDP 68
					- Bootp flags: predecessor of DHCP = 0x0000 (Unicast)
						- can send Unicast or Broadcast (would make message FFFF MAC)
						- client requested Unicast in discover message, that's why
					- lease time, DNS server, router (default gateway)
				3) DHCP request message: confirm wanting to use IP offered
					- client --> server
					- broadcasts MAC FFFF
					- src: UDP 68, dst: UDP 67
					- Bootp flags: predecessor of DHCP = 0x0000 (Unicast)
				4) DHCP Ack: confirms client can use IP
					- server --> client 
					- unicast (knows client's MAC)
					- src: UDP 67, dst: UDP 68
					- Bootp flags: predecessor of DHCP = 0x0000 (Unicast)
						- can send Unicast or Broadcast (would make message FFFF MAC)
						- client requested Unicast in discover message, that's why
			- release message: client to server unicast
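The four-message exchange above, as an added Python example (not code from the original notes): it packs and parses the fixed BOOTP header from RFC 2131 plus the DHCP options the notes mention (message type, subnet mask, router, DNS server, lease time, server identifier), and works out for each step which UDP ports are used and whether the server replies unicast to the client's MAC or to ff:ff:ff:ff:ff:ff, which depends on the broadcast bit (0x8000) in the flags field the notes show as 0x0000. The client MAC, transaction id, addresses and lease length are constructed values.

```python
import ipaddress
import struct
from typing import Dict, List, Sequence, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
BROADCAST_FLAG = 0x8000  # bit 15 of the BOOTP flags field; 0x0000 asks for unicast replies
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 2131 fixed header, 236 bytes


def _ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def build_dhcp(op: int, xid: int, client_mac: bytes, flags: int, yiaddr: str,
               options: Sequence[Tuple[int, bytes]]) -> bytes:
    """op 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server); option list ends with 255."""
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, flags,
                         _ip("0.0.0.0"), _ip(yiaddr), _ip("0.0.0.0"), _ip("0.0.0.0"),
                         client_mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(raw: bytes) -> Dict:
    fields = struct.unpack(HEADER_FMT, raw[:236])
    if raw[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(raw) and raw[i] != 255:  # 255 = end option
        if raw[i] == 0:                    # 0 = pad
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        options[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": fields[0], "xid": fields[4], "flags": fields[6],
        "yiaddr": str(ipaddress.IPv4Address(fields[8])),
        "chaddr": ":".join(f"{b:02x}" for b in fields[11][:fields[2]]),
        "type": MSG_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN"),
        "options": options,
    }


def simulate_exchange(client_mac: str = "02:00:5e:00:00:01", broadcast_flag: bool = False) -> List[Dict]:
    """Discover / Offer / Request / Ack; returns one dict per message with the ports and
    destination MAC each step uses. All addresses and the lease are constructed."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    xid, flags = 0x3903F326, (BROADCAST_FLAG if broadcast_flag else 0)
    server, offered = "192.168.1.1", "192.168.1.50"
    server_opts = [(1, _ip("255.255.255.0")), (3, _ip(server)), (6, _ip("8.8.8.8")),
                   (51, struct.pack("!I", 5 * 3600 + 30 * 60)), (54, _ip(server))]  # "lease 0 5 30"
    wire = [
        ("client", build_dhcp(1, xid, mac, flags, "0.0.0.0", [(53, b"\x01")])),
        ("server", build_dhcp(2, xid, mac, flags, offered, [(53, b"\x02")] + server_opts)),
        ("client", build_dhcp(1, xid, mac, flags, "0.0.0.0", [(53, b"\x03"), (50, _ip(offered)), (54, _ip(server))])),
        ("server", build_dhcp(2, xid, mac, flags, offered, [(53, b"\x05")] + server_opts)),
    ]
    steps = []
    for sender, raw in wire:
        msg = parse_dhcp(raw)
        if sender == "client":  # client has no address yet: broadcast, UDP 68 -> 67
            sport, dport, dst_mac = 68, 67, BROADCAST_MAC
        else:                   # server: UDP 67 -> 68, unicast to chaddr unless the broadcast flag was set
            sport, dport = 67, 68
            dst_mac = BROADCAST_MAC if msg["flags"] & BROADCAST_FLAG else msg["chaddr"]
        steps.append({"type": msg["type"], "from": sender, "sport": sport, "dport": dport,
                      "dst_mac": dst_mac, "yiaddr": msg["yiaddr"], "options": msg["options"]})
    return steps


if __name__ == "__main__":
    for s in simulate_exchange():
        print(f"{s['type']:8} {s['from']:6} UDP {s['sport']}->{s['dport']} to {s['dst_mac']} yiaddr={s['yiaddr']}")
```

Running it with `broadcast_flag=True` shows the alternative the notes mention: the Offer and Ack then go to the broadcast MAC instead of the client's.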

	- Config DHCP in Cisco IOS:
		- Router as DHCP server:
			- "ip dhcp excluded-address  " --> optional, specify range of excluded IPs
			- "ip dhcp pool " --> create pool of addresses
				- separate pool for each network the router is a DHCP server for
			- "network  " --> enable router as DHCP server for this net.
			- "dns-server 8.8.8.8" --> config DNS server that clients will use (google's in this case)
			- "domain-name " --> config domain name for network
			- "default-router " --> config 
			- "lease 0 5 30" --> 0 days, 5 hours, 30 min ("lease infinite" is possible)
			- "show ip dhcp binding" --> shows all DHCP clients currently assigned IP addresses
		- Router as DHCP relay agent:
			- forward clients' broadcast DHCP messages to remote DHCP server as unicast messages
			- "interface g0/1" --> specify interface connected to subnet of client devices
			- "ip helper-address " --> config relay (note: devices must have route to DHCP serv.)
			- "show ip int g0/1" --> see config
		- Router as DHCP client:
			- rare, usually routers need to be servers or relay agents
			- "int g0/1" --> int connected to device
			- "ip address dhcp" --> enable client mode
			

SNMP

SNMP (Simple Network Management Protocol):
	- ** Explain SNMP (Exam topics)

	- SNMP Overview:
		- SNMP Agent listen for messages on: UDP 161
		- SNMP Manager listen for messages on: UDP 162
		- industry standard protocol
		- 2 devices in SNMP:
			1) Managed Devices: devices being managed (routers, switches, ...)
				- made up of 2 things:
					1) SNMP Agent: SNMP software that runs on device
					2) MIB (Management Information Base): structure containing variables managed by SNMP
						- each variable has OID (object id)
							- organized in hierarchical structure
			2) NMS (Network Management Station): device(s) managing devices above
				- NMS = SNMP server
				- made up of 2 things:
					1) SNMP Manager: software on NMS interacting with managed devices
					2) SNMP application: interface the network admin uses to interact w NMS
		- 3 operations used in SNMP:
			1) managed devices notify NMS of events
			2) NMS can ask devices for info about their status
			3) NMS can tell devices to change their configs

	- SNMP Versions:
		- v1, v2c (allows NMS to retrieve more info per request), v3 (encryption & authentication)

	- SNMP Messages:
		- Read: request sent by NMS to read config/status of devices
			- Get, GetNext, GetBulk
		- Write: request sent by NMS to change config/status of devices
			- Set
		- Notification: sent from managed devices to NMS as alerts
			- Trap (unreliable), Inform (reliable) 
		- Response: sent in response to previous message/request
			- Response

	- SNMP Config:
		- "snmp-server contact " --> setup SNMP Agent
		- "snmp-server community " --> setup SNMP Agent
		- ..........
			

Syslog

Syslog:
	- Overview:
		- industry standard protocol for message logging
		- log network events
		- messages you get after configuring anything = Syslog messages
		- Syslog & SNMP are used to monitor & troubleshoot devices

	- Syslog Message Format:
		- sequence-num: time stamp: %facility-severity-MNEMONIC:description
			- facility = value that indicates which process generated this message (OSPF, LINK, SYS, etc)
			- severity = how serious something is
			- MNEMONIC = code for message, indicates what happened (UPDOWN, CLOCKUPDATE, etc)
			- description = details of everything that happened

	- Syslog Facilities & Severity Levels:
		- severity levels:
			0) Emergency
				- system is unusable
			1) Alert
				- action must be taken immediately
			2) Critical
			3) Error
			4) Warning
			5) Notice/Notification
				- notification (significant condition)
			6) Informational
			7) Debugging
			- Every Awesome Cisco Engineer Will Need Icecream Daily
	
	- Syslog Logging Locations:
		- Console line: in CLI connected to console port
		- VTY lines: in CLI when connected to SSH/Telnet
			- disabled by default
		- Buffer: RAM
			- "show logging"
		- External server: 
			- listens for Syslog messages on UDP 514

	- Syslog Config (Not in Exam Topics):
		- "logging console 6" --> enables logging for levels 0-6 in severity
		- "logging monitor informational" --> enables logging for levels 'informational' and more severe
		- "logging buffered  "
		- logging to external server:
			- "logging "
			- "logging host "
			- "logging trap "
		- "terminal monitor" --> must be used every time connecting to device via Telnet/SSH on router
		- "line console 0"
		- "logging synchronous" --> new line printed if typing is interrupted by message
		- "show ip int"
		- service timestamps:
			- "service timestamps log "
		- service sequence numbers:
			- "service sequence-numbers"
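An added Python example (not from the original notes) that ties the message format and severity table to the `logging console <level>` / `logging monitor <level>` / `logging trap <level>` commands: it parses lines of the `seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: description` shape and routes each message to every destination whose configured level is at least as high as the message's severity number (level 6 receives 0-6, "warnings" receives 0-4). The log lines in `SAMPLE_LOG` are constructed for the example and the routing function is a model, not IOS code.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Union

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
LEVEL_BY_NAME = {name: level for level, name in SEVERITY_NAMES.items()}

# optional sequence number, optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: description
IOS_LOG = re.compile(
    r"^(?:(?P<seq>\d+): )?(?:(?P<ts>.*?): )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+): (?P<desc>.*)$")

# constructed sample lines in IOS format (service timestamps + sequence numbers enabled)
SAMPLE_LOG = [
    "000125: *Apr 27 14:41:02.003: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "000126: *Apr 27 14:41:10.117: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "000127: *Apr 27 14:41:11.120: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "000128: *Apr 27 14:42:00.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 10.0.0.9] [localport: 22]",
    "000129: *Apr 27 14:42:05.001: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): testing",
    "Router#show logging",  # not a syslog message: a CLI prompt captured in the same buffer
]


@dataclass(frozen=True)
class SyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str


def parse_ios_syslog(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None when the line is not in IOS syslog format."""
    m = IOS_LOG.match(line.strip())
    if not m:
        return None
    return SyslogMessage(int(m["seq"]) if m["seq"] else None, m["ts"], m["fac"],
                         int(m["sev"]), m["mn"], m["desc"])


def level_number(level: Union[int, str]) -> int:
    """'logging trap warnings' and 'logging trap 4' configure the same threshold."""
    return level if isinstance(level, int) else LEVEL_BY_NAME[level]


def passes(msg: SyslogMessage, level: Union[int, str]) -> bool:
    """A destination at level N receives severities 0..N (lower number = more severe)."""
    return msg.severity <= level_number(level)


def route(lines: Iterable[str], destinations: Dict[str, Union[int, str]]) -> Dict[str, List[SyslogMessage]]:
    """Deliver each parseable line to every destination whose level admits it."""
    out: Dict[str, List[SyslogMessage]] = {dest: [] for dest in destinations}
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is None:
            continue
        for dest, level in destinations.items():
            if passes(msg, level):
                out[dest].append(msg)
    return out


if __name__ == "__main__":
    # console 6 ("logging console 6"), buffer at debugging, external server at warnings
    delivered = route(SAMPLE_LOG, {"console": 6, "buffer": "debugging", "trap": "warnings"})
    for dest, msgs in delivered.items():
        print(dest, [(m.severity, m.mnemonic) for m in msgs])
```

The trap destination ends up with only the link-down and failed-login messages, which is the point of setting a higher threshold on the external server: the collector sees the events worth alerting on without the debugging chatter.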
	
	- Syslog vs SNMP:
		- SNMP can actively pull info from devices (NMS SNMP GET message) & actively modify (SET message)
		- Syslog: retrieve & organize info about SNMP managed devices
			

SSH

SSH (Secure SHell): remotely connect to devices
	- Console Port Security:
		- physically connecting to console port, can use password (default none)
			- "line console 0" -->  enter console line mode - because there's only a single console line, always 0
			- "password ccna" --> config password
			- "login" --> tells device to require users to enter password when logging in via console port
		- can also make separate users with unique passwords
			- "username jeremy secret ccnp" --> create username & secret 
			- "line console 0"
			- "login local" --> tells device to require user login with a username & password
		- config timer to logout after no activity:
			- "exec-timeout  "

	- Layer 2 Management IP Address:
		- IP addresses for switches SVI so they can be configured remotely
		- "interface vlan 1"
		- "ip address  "
		- "no shutdown"
		- "ip default-gateway " --> allows switch to communicate outside of LAN

	- Telnet:
		- passwords are displayed in plain text --> can see in packet captures
		- TCP 23 (device connecting listens on this port)
		- "enable secret ccna"
		- "username jeremy secret ccna"
		- "access-list 1 permit host " --> config ACL to limit which devices can connect to VTY lines
			- * VTY = Virtual TeleType
		- "line vty 0 15" --> allowing 15 users to connect at once (0-16)
		- "login local" --> enable local user authentication (require a username & password)
		- "exec-timeout 5 0"
		- "transport input telnet"
			- alternatives: "transport input telnet ssh" --> allows both - "all" | "none" --> also options
		- "access-class 1 in" --> applies ACL to the VTY lines (only allow certain hosts to access Telnet/SSH)
			-* applying an ACL to an interface = "ip access-group"

	- SSH:
		- v1 & v2
		- if device supports both v1 & v2, said to be 'v1.99'
		- supports encryption and authentication
		- TCP 22
		- "show version"
		- IOS versions that support SSH have 'K9' in the version name
		- Cisco exports NPE (Non Payload Encryption) IOS versions to countries with encryption restrictions
			- NPE IOS images don't support cryptographic features such as SSH
		- "show ip ssh" --> show version and info on ssh
		- SSH uses RSA public & private key to encrypt, decrypt & authenticate
		- "ip domain name " --> FQDN (Fully Qualified Domain Name) used to name RSA keys
			- FQDN = host name + domain name --> ex: SW1.youtube.com
		- "crypto key generate rsa " --> enable SSH w RSA keys
			- key-length must be 768 bits or greater for SSHv2
		- config SSH:
			- "enable secret ccna"
			- "username jeremy secret ccna"
			- "access-list 1 permit host " --> config ACL to limit which devices can connect to VTY lines
			- "ip ssh version 2"
			- "line vty 0 15" --> allowing 15 users to connect at once (0-16)
			- "login local" --> enable local user authentication
			- "exec-timeout 5 0"
			- "transport input ssh"
			- "access-class 1 in" --> applies ACL to the VTY lines (only allow certain hosts to access Telnet/SSH)
			
		- overall steps:
			- config host name
			- config DNS domain name (FQDN)
			- generate key pair
			- enable password/username
			- enable sshv2 only
			- config VTY lines
			- apply ACL

********* practice configuring SSH, it's in exam
			

FTP

FTP & TFTP:
	- Purpose of FTP/TFTP:
		- client-server model (copy files to and from server)
		- download new version of OS to upgrade a network device
	
	- FTP/TFTP Functions & Differences:
		- TFTP: 
			- only copy to and from server
			- no authentication, no encryption
			- UDP 69
			- provides reliability (built into TFTP):
				- lock-step communication:
					- every TFTP data message is Acknowledged
					- timers are used (resend if late)
					- (send message, wait for reply, repeat...)
					- not as efficient as FTP but works
			- 3 phases of connection:
				1) Connection: 
					- TFTP client sends request to server
					- server responds & initiates connection
				2) Data Transfer:
					- client & server exchange TFTP messages
					- one sends, other acknowledges
				3) Connection Termination:
					- after last data message, final Ack to terminate
		- FTP:
			- TCP 20 & 21
				- 21: control, send FTP commands & replies
					- client initiates
				- 20: data, send FTP data
					- Active mode: server initiates (default)
					- Passive mode: client initiates (if client firewall)
			- authentication (username & password)
			- FTPS (FTP over SSL/TLS): upgrade to FTP
			- SFTP --> new protocol
			- clients can navigate, add, remove file directories

	- IOS File Systems:
		- transferring files to a Cisco device with FTP
		- "show file systems"
			- Cisco 'disk' = flash memory (usually)
			- Cisco 'opaque' = used for internal functions
			- Cisco 'nvram' = persistent RAM, startup-config here
			- Cisco 'network' = external file systems (ex: FTP/TFTP)
			- * filesystem types NOT on exam topics

	- Using FTP/TFTP in IOS:
		- "show version" --> K9 = support cryptographic features
		- "show flash" --> see flash memory (OS image)
		- "copy tftp: flash:" --> TFTP copy file
			- "" --> enter TFTP server address
				- "" --> enter file name on server (know b4)
					- "" --> enter name to save on router
		- "boot system " --> set OS upgrade as boot with filepath
			- "write" --> save config before rebooting
				- "reload" --> restart device
		- "delete " --> delete old OS file
		- FTP setup:
			- "ip ftp username "
			- "ip ftp password "
				- Uname & Pwd must be same on Server side
			- "copy ftp: flash:" --> FTP copy file
			- all other commands Same as above