book

Network Warrior

Name: Network Warrior
Author: Gary A. Donahue
ISBN: 9780596554859

by Gary A. Donahue

June 2007

Intermediate to advanced

600 pages

18h 19m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Network Warrior
SPECIAL OFFER: Upgrade this ebook with O’Reilly
Preface
Who Should Read This Book
Conventions Used in This Book
Using Code Examples
We'd Like to Hear from You
Safari® Enabled
Acknowledgments
I. Hubs, Switches, and Switching
1. What Is a Network?

2. Hubs and Switches
2.1. Hubs
2.2. Switches
2.2.1. Switch Types2.2.2. Planning a Chassis-Based Switch Installation2.2.2.1. Rack space2.2.2.2. Power2.2.2.3. Cooling2.2.2.4. Installing and removing modules2.2.2.5. Routing cables
3. Auto-Negotiation
3.1. What Is Auto-Negotiation?
3.2. How Auto-Negotiation Works
3.3. When Auto-Negotiation Fails
3.4. Auto-Negotiation Best Practices
3.5. Configuring Auto-Negotiation
4. VLANs
4.1. Connecting VLANs
4.2. Configuring VLANs
4.2.1. CatOS4.2.2. IOS Using VLAN Database4.2.3. IOS Using Global Commands
5. Trunking
5.1. How Trunks Work5.1.1. ISL5.1.2. 802.1Q5.1.3. Which Protocol to Use5.1.4. Trunk Negotiation
5.2. Configuring Trunks
5.2.1. IOS5.2.2. CatOS
6. VLAN Trunking Protocol
6.1. VTP Pruning
6.2. Dangers of VTP
6.3. Configuring VTP
6.3.1. VTP Domains6.3.1.1. IOS6.3.1.2. CatOS6.3.2. VTP Mode6.3.2.1. IOS6.3.2.2. CatOS6.3.3. VTP Password6.3.3.1. IOS6.3.3.2. CatOS6.3.4. VTP Pruning6.3.4.1. IOS6.3.4.2. CatOS
7. EtherChannel
7.1. Load Balancing
7.2. Configuring and Managing EtherChannel
7.2.1. EtherChannel Protocols7.2.2. CatOS Example7.2.3. IOS Example
8. Spanning Tree
8.1. Broadcast Storms
8.2. MAC Address Table Instability
8.3. Preventing Loops with Spanning Tree
8.3.1. How Spanning Tree Works
8.4. Managing Spanning Tree
8.5. Additional Spanning Tree Features
8.5.1. PortFast8.5.2. BPDU Guard8.5.3. UplinkFast8.5.4. BackboneFast
8.6. Common Spanning Tree Problems
8.6.1. Duplex Mismatch8.6.2. Unidirectional Links
8.7. Designing to Prevent Spanning Tree Problems
8.7.1. Use Routing Instead of Switching for Redundancy8.7.2. Always Configure the Root Bridge
II. Routers and Routing
9. Routing and Routers
9.1. Routing Tables
9.2. Route Types
9.3. The IP Routing Table
9.3.1. Host Route9.3.2. Subnet9.3.3. Summary (Group of Subnets)9.3.4. Major Network9.3.5. Supernet (Group of Major Networks)9.3.6. Default Route
10. Routing Protocols
10.1. Communication Between Routers
10.2. Metrics and Protocol Types
10.3. Administrative Distance
10.4. Specific Routing Protocols
10.4.1. RIP10.4.2. RIPv210.4.3. EIGRP10.4.4. OSPF10.4.5. BGP
11. Redistribution
11.1. Redistributing into RIP
11.2. Redistributing into EIGRP
11.3. Redistributing into OSPF
11.4. Mutual Redistribution
11.5. Redistribution Loops
11.6. Limiting Redistribution
11.6.1. Route Tags11.6.2. A Real-World Example11.6.2.1. Another method
12. Tunnels
12.1. GRE Tunnels
12.2. GRE Tunnels and Routing Protocols
12.3. GRE and Access Lists
13. Resilient Ethernet
13.1. HSRP
13.2. HSRP Interface Tracking
13.3. When HSRP Isn't Enough
14. Route Maps
14.1. Building a Route Map
14.2. Policy-Routing Example
14.2.1. Monitoring Policy Routing
15. Switching Algorithms in Cisco Routers
15.1. Process Switching
15.2. Interrupt Context Switching
15.2.1. Fast Switching15.2.2. Optimum Switching15.2.3. Cisco Express Forwarding
15.3. Configuring and Managing Switching Paths
15.3.1. Process Switching15.3.2. Fast Switching15.3.3. Cisco Express Forwarding
III. Multilayer Switches
16. Multilayer Switches
16.1. Configuring SVIs16.1.1. Native Mode (4500, 6500, 3550, 3750)16.1.2. Hybrid Mode (4500, 6500)
16.2. Multilayer Switch Models
17. Cisco 6500 Multilayer Switches
17.1. Architecture17.1.1. Buses17.1.2. Enhanced Chassis17.1.3. Supervisors17.1.3.1. MSFC17.1.3.2. PFC17.1.3.3. Models17.1.4. Modules17.1.4.1. Module interaction17.1.4.2. Module types17.1.4.2.1. Ethernet modules17.1.4.2.2. Firewall Services Modules17.1.4.2.3. Content Switch Modules17.1.4.2.4. Network Analysis Modules17.1.4.2.5. Intrusion Detection System Modules17.1.4.2.6. FlexWAN modules17.1.4.2.7. Communication Media Modules
17.2. CatOS Versus IOS
18. Catalyst 3750 Features
18.1. Stacking
18.2. Interface Ranges
18.3. Macros
18.4. Flex Links
18.5. Storm Control
18.6. Port Security
18.7. SPAN
18.8. Voice VLAN
18.9. QoS
IV. Telecom
19. Telecom Nomenclature
19.1. Introduction and History
19.2. Telecom Glossary
20. T1
20.1. Understanding T1 Duplex
20.2. Types of T1
20.3. Encoding
20.3.1. AMI20.3.2. B8ZS
20.4. Framing
20.4.1. D4/Superframe20.4.2. Extended Superframe (ESF)
20.5. Performance Monitoring
20.5.1. Loss of Signal (LOS)20.5.2. Out of Frame (OOF)20.5.3. Bipolar Violation (BPV)20.5.4. CRC620.5.5. Errored Seconds (ES)20.5.6. Extreme Errored Seconds (EES)
20.6. Alarms
20.6.1. Red Alarm20.6.2. Yellow Alarm (RAI)20.6.3. Blue Alarm (AIS)
20.7. Troubleshooting T1s
20.7.1. Loopback Tests20.7.2. Integrated CSU/DSUs
20.8. Configuring T1s
20.8.1. CSU/DSU Configuration20.8.2. CSU/DSU Troubleshooting
21. DS3
21.1. Framing21.1.1. M1321.1.2. C-Bits21.1.3. Clear-Channel DS3 Framing
21.2. Line Coding
21.3. Configuring DS3s
21.3.1. Clear-Channel DS321.3.2. Channelized DS3
22. Frame Relay
22.1. Ordering Frame-Relay Service
22.2. Frame-Relay Network Design
22.3. Oversubscription
22.4. Local Management Interface (LMI)
22.4.1. Congestion Avoidance in Frame Relay
22.5. Configuring Frame Relay
22.5.1. Basic Frame Relay with Two Nodes22.5.2. Basic Frame Relay with More Than Two Nodes22.5.3. Frame-Relay Subinterfaces
22.6. Troubleshooting Frame Relay
V. Security and Firewalls
23. Access Lists
23.1. Designing Access Lists23.1.1. Wildcard Masks23.1.2. Where to Apply Access Lists23.1.3. Naming Access Lists23.1.4. Top-Down Processing23.1.5. Most-Used on Top23.1.6. Using Groups in PIX ACLs23.1.7. Turbo ACLs23.1.8. Allowing Outbound Traceroute and Ping23.1.9. Allowing MTU Path Discovery Packets
23.2. ACLs in Multilayer Switches
23.2.1. Configuring Port ACLs23.2.2. Configuring Router ACLs23.2.3. Configuring VLAN Maps
23.3. Reflexive Access Lists
23.3.1. Configuring Reflexive Access Lists
24. Authentication in Cisco Devices
24.1. Basic (Non-AAA) Authentication24.1.1. Line Passwords24.1.2. Configuring Local Users24.1.3. PPP Authentication24.1.3.1. PAP24.1.3.1.1. One-way authentication24.1.3.1.2. Two-way authentication24.1.3.1.3. Debugging PPP authentication24.1.3.2. CHAP24.1.3.2.1. One-way authentication24.1.3.2.2. Two-way authentication24.1.3.2.3. Changing the sent hostname
24.2. AAA Authentication
24.2.1. Enabling AAA24.2.2. Configuring Security Server Information24.2.2.1. Default RADIUS and TACACS+ server groups24.2.2.2. Custom groups24.2.3. Creating Method Lists24.2.3.1. Login authentication24.2.3.2. PPP authentication24.2.4. Applying Method Lists
25. Firewall Theory
25.1. Best Practices
25.2. The DMZ
25.2.1. Another DMZ Example25.2.2. Multiple DMZ Example
25.3. Alternate Designs
26. PIX Firewall Configuration
26.1. Interfaces and Priorities
26.2. Names
26.3. Object Groups
26.4. Fixups
26.5. Failover
26.5.1. Failover Terminology26.5.2. Understanding Failover26.5.3. Configuring Failover26.5.4. Monitoring Failover
26.6. NAT
26.6.1. NAT Commands26.6.2. NAT Examples26.6.2.1. Simple PAT using the outside interface26.6.2.2. Simple PAT using a dedicated IP address26.6.2.3. Simple PAT with public servers on the inside26.6.2.4. Port redirection26.6.2.5. DMZ
26.7. Miscellaneous
26.7.1. Remote Access26.7.2. Saving Configuration Changes26.7.3. Logging
26.8. Troubleshooting
VI. Server Load Balancing
27. Server Load-Balancing Technology
27.1. Types of Load Balancing
27.2. How Server Load Balancing Works
27.2.1. Balancing Algorithms
27.3. Configuring Server Load Balancing
27.3.1. IOS SLB27.3.1.1. Real servers27.3.1.2. Server farms27.3.1.3. Virtual servers27.3.1.4. Port translation using SLB27.3.2. Content Switch Modules27.3.2.1. Real servers27.3.2.2. Server farms27.3.2.3. Virtual servers27.3.2.4. Port redirection
28. Content Switch Modules in Action
28.1. Common Tasks
28.2. Upgrading the CSM
VII. Quality of Service
29. Introduction to QoS
29.1. Types of QoS
29.2. QoS Mechanics
29.2.1. Priorities29.2.2. Flavors of QoS
29.3. Common QoS Misconceptions
30. Designing a QoS Scheme
30.1. Determining Requirements30.1.1. Protocols30.1.2. Priorities30.1.3. Determine Bandwidth Requirements
30.2. Configuring the Routers
30.2.1. Class Maps30.2.2. Policy Maps30.2.3. Service Policies
31. The Congested Network
31.1. Determining Whether the Network Is Congested
31.2. Resolving the Problem
32. The Converged Network
32.1. Configuration
32.2. Monitoring QoS
32.3. Troubleshooting a Converged Network
32.3.1. Incorrect Queue Configuration32.3.2. Priority Queue Too Small32.3.3. Priority Queue Too Large32.3.4. Nonpriority Queue Too Small32.3.5. Nonpriority Queue Too Large32.3.6. Default Queue Too Small32.3.7. Default Queue Too Large
VIII. Designing Networks
33. Designing Networks
33.1. Documentation33.1.1. Requirements Documents33.1.2. Port Layout Spreadsheets33.1.3. IP and VLAN Spreadsheets33.1.4. Bay Face Layouts33.1.5. Power and Cooling Requirements33.1.6. Tips for Network Diagrams
33.2. Naming Conventions for Devices
33.3. Network Designs
33.3.1. Corporate Networks33.3.1.1. Three-tiered architecture33.3.1.2. Collapsed core—no distribution33.3.1.3. Collapsed core—no distribution or access33.3.1.4. Configuration concerns33.3.1.4.1. Trunks33.3.1.4.2. EtherChannels33.3.1.4.3. Spanning Tree33.3.1.4.4. VTP33.3.1.4.5. VLANs33.3.2. E-Commerce Web Sites33.3.3. Small Networks
34. IP Design
34.1. Public Versus Private IP Space
34.2. VLSM
34.3. CIDR
34.4. Allocating IP Network Space
34.5. Allocating IP Subnets
34.5.1. Sequential34.5.2. Divide by Half34.5.3. Reverse Binary
34.6. IP Subnetting Made Easy
35. Network Time Protocol
35.1. What Is Accurate Time?
35.2. NTP Design
35.3. Configuring NTP
35.3.1. NTP Client35.3.2. NTP Server
36. Failures
36.1. Human Error
36.2. Multiple Component Failure
36.3. Disaster Chains
36.4. No Failover Testing
36.5. Troubleshooting
36.5.1. Remain Calm36.5.2. Log Your Actions36.5.3. Find Out What Changed36.5.4. Check the Physical Layer First!36.5.5. Assume Nothing; Prove Everything36.5.6. Isolate the Problem36.5.7. Don't Look for Zebras36.5.8. Do a Physical Audit36.5.9. Escalate36.5.10. Troubleshooting in a Team Environment36.5.11. The Janitor Principle
37. GAD's Maxims
37.1. Maxim #1
37.2. Maxim #2
37.3. Maxim #3
38. Avoiding Frustration
38.1. Why Everything Is Messed Up
38.2. How to Sell Your Ideas to Management
38.3. When to Upgrade and Why
38.3.1. The Dangers of Upgrading38.3.2. Valid Reasons to Upgrade
38.4. Why Change Control Is Your Friend
38.5. How Not to Be a Computer Jerk
Index
About the Author
Colophon
SPECIAL OFFER: Upgrade this ebook with O’Reilly

Content preview from Network Warrior

Reflexive Access Lists

Reflexive access lists are dynamic filters that allow traffic based on the detection of traffic in the opposite direction. A simple example might be, "only allow telnet inbound if I initiate telnet outbound." When I first explain this to junior engineers, I often get a response similar to, "Doesn't it work that way anyway?" What confuses many people is the similarity of this feature to Port Address Translation (PAT). PAT only allows traffic inbound in response to outbound traffic originating on the network. This is due to the nature of PAT, in which a translation must be created for the traffic to pass. Reflexive access lists are much more powerful, and can be applied for different reasons.

Without PAT, a filter denies traffic without regard to other traffic. Consider the network in Figure 23-3. There are two hosts, A and B, connected through a router. The router has no access lists installed. Requests from host A to host B are answered, as are requests from host B to host A.

Figure 23-3. Simple network without ACLs

Say we want host A to be able to telnet to host B, but we don't want host B to be able to telnet to host A. If we apply a normal inbound access list to interface E1 on the router, we allow A to contact B, and prevent B from contacting A. Unfortunately, we also prevent B from replying to A. This limitation is shown in Figure 23-4.

Figure 23-4. Simple ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780596101510Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Network Warrior

by Gary A. Donahue

Reflexive Access Lists

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

More than 5,000 organizations count on O’Reilly

Julian F.

Addison B.

Amir M.

Mark W.

You might also like

Network Warrior, 2nd Edition

Network Routing, 2nd Edition

Cyber Security and Network Security

CCNA 200-301 Exam Prep

Publisher Resources