# CCNP ENCOR 350-401 Cheat Sheet

**VantagePoint Networks** | Exam-focused study reference for Cisco Enterprise Core

---

## 1. Enterprise Architecture

### Campus Design Models
| Model | Layers | Use Case |
|---|---|---|
| 3-Tier | Access, Distribution, Core | Large campus (>5000 endpoints) |
| 2-Tier / Collapsed Core | Access, Distribution/Core | Small-medium campus |
| Spine-Leaf (Clos) | Spine, Leaf | Data centre / modern fabric |

### Cisco Architectures
- **Cisco DNA / Catalyst Center**: Controller-based campus with intent-based networking
- **SD-Access**: Overlay using LISP + VXLAN + Cisco TrustSec (SGT) on campus
- **SD-WAN (Viptela)**: Overlay WAN using OMP + IPsec/GRE, vManage/vSmart/vBond/vEdge
- **ACI**: Data centre fabric using VXLAN + IS-IS underlay, managed by APIC

### Fabric Roles
| Role | Function |
|---|---|
| Control Plane Node | Maps endpoint locations (LISP) |
| Border Node | Connects fabric to external networks |
| Edge Node | Connects endpoints to fabric |
| Intermediate Node | Transit (underlay routing) |
| Fabric WLC | Wireless controller with fabric awareness |

## 2. OSPF Deep Dive

### LSA Types (OSPFv2)
| Type | Name | Origin | Scope |
|---|---|---|---|
| 1 | Router LSA | Every router | Within area |
| 2 | Network LSA | DR on broadcast/NBMA | Within area |
| 3 | Summary LSA | ABR | Between areas |
| 4 | ASBR Summary | ABR | How to reach ASBR |
| 5 | External LSA | ASBR | Redistributed routes |
| 6 | Multicast (not used) | - | - |
| 7 | NSSA External | ASBR in NSSA | NSSA only, converted to Type 5 at ABR |

### Area Types
| Type | Characteristics | LSAs Allowed |
|---|---|---|
| Backbone (0) | Transit for all areas | All |
| Standard | Default | 1, 2, 3, 4, 5 |
| Stub | No Type 5 (no external) | 1, 2, 3 (+ default) |
| Totally Stubby | No Type 3/4/5 | 1, 2 (+ default) |
| NSSA | Stub + allows redistribution | 1, 2, 3, 7 (+ default) |
| Totally NSSA | NSSA + no Type 3/4 | 1, 2, 7 (+ default) |

### OSPF Path Selection
1. Intra-area (O) - within same area
2. Inter-area (O IA) - across areas via ABR
3. External Type 1 (E1 / N1) - metric increases along path
4. External Type 2 (E2 / N2) - metric stays fixed (default)

### Key Commands
```
router ospf 1
  router-id 10.0.0.1
  area 0 authentication message-digest
  network 10.0.0.0 0.0.0.255 area 0
  passive-interface default
  no passive-interface GigabitEthernet0/1
  auto-cost reference-bandwidth 10000
  area 1 stub no-summary      ! totally stubby
  area 2 nssa default-information-originate
  summary-address 10.0.0.0 255.255.0.0
```

### Metrics
- Cost = Reference BW / Interface BW (default ref BW = 100 Mbps)
- Set `auto-cost reference-bandwidth 10000` (10 Gbps) in modern networks
- DR/BDR election: Highest priority > Highest router-ID (priority 0 = never DR)

## 3. EIGRP Deep Dive

### Metric (Composite)
- Default uses Bandwidth (K1) and Delay (K3)
- Classic metric: ((10^7 / min BW in kbps) + cumulative delay in tens of microseconds) x 256
- Wide metric (named mode): 64-bit, supports up to 655 Tbps

### K-Values
- K1: Bandwidth (default 1)
- K2: Load (default 0)
- K3: Delay (default 1)
- K4: Reliability (default 0)
- K5: MTU (default 0)

Must match between neighbours.

### DUAL Algorithm
- **Successor**: Best path (FD)
- **Feasible Successor**: Backup satisfying feasibility condition (Reported Distance < Feasible Distance)
- **Feasibility Condition**: RD of alternate path < FD of successor
- **Passive state**: Converged
- **Active state**: Searching for new successor (query neighbours)
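An added example (not from the cheat sheet) that computes the classic composite metric with default K-values and applies the feasibility condition to constructed neighbour advertisements, yielding the successor, the FD and any feasible successors:

```python
# Added example, not from the cheat sheet: EIGRP classic composite metric and the
# DUAL successor / feasible-successor decision. All neighbours and link values
# below are constructed; bandwidth is in kbps and delay in microseconds.

def classic_metric(min_bw_kbps, total_delay_usec, k1=1, k2=0, k3=1, k4=0, k5=0,
                   load=1, reliability=255):
    """Classic EIGRP metric with default K-values (K1=K3=1).
    Delay is converted to the tens-of-microseconds unit the formula expects."""
    bw_term = k1 * (10**7 // min_bw_kbps)
    load_term = (k2 * bw_term) // (256 - load)
    delay_term = k3 * (total_delay_usec // 10)
    metric = (bw_term + load_term + delay_term) * 256
    if k5 != 0:  # reliability factor only applies when K5 is non-zero
        metric = metric * k5 // (reliability + k4)
    return metric

def dual_select(adverts, links):
    """adverts: {nbr: (min_bw_kbps, delay_usec)} as advertised by each neighbour.
    links:   {nbr: (bw_kbps, delay_usec)} of the local interface towards that neighbour.
    Returns (feasible_distance, successor, [feasible successors]).
    RD is the neighbour's own metric; CD recomputes the composite including the local link."""
    rd, cd = {}, {}
    for nbr, (adv_bw, adv_delay) in adverts.items():
        link_bw, link_delay = links[nbr]
        rd[nbr] = classic_metric(adv_bw, adv_delay)
        cd[nbr] = classic_metric(min(adv_bw, link_bw), adv_delay + link_delay)
    successor = min(cd, key=cd.get)
    fd = cd[successor]
    # Feasibility condition: RD < FD guarantees the backup path is loop-free
    feasible = sorted(n for n in adverts if n != successor and rd[n] < fd)
    return fd, successor, feasible

# Constructed topology: three neighbours advertising 10.99.0.0/24 to this router
SAMPLE_ADVERTS = {
    "R2": (100000, 200),   # FastEthernet path, 200 usec cumulative delay
    "R3": (100000, 200),   # same advertised metric as R2 ...
    "R4": (100000, 1000),  # slower path: more delay end-to-end
}
SAMPLE_LINKS = {
    "R2": (100000, 100),   # FE link to R2
    "R3": (10000, 1000),   # ... but R3 is reached over a slow 10 Mbps link
    "R4": (100000, 100),
}

if __name__ == "__main__":
    print("T1 serial (1544 kbps, 20000 usec):", classic_metric(1544, 20000))
    fd, succ, fs = dual_select(SAMPLE_ADVERTS, SAMPLE_LINKS)
    print(f"FD={fd} successor={succ} feasible_successors={fs}")
```

R3 qualifies as a feasible successor because its reported distance is below the FD even though its computed distance is far worse; R4 does not, despite a better computed distance than R3.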

### Named Mode (Preferred)
```
router eigrp VANTAGEPOINT
  address-family ipv4 unicast autonomous-system 100
    af-interface GigabitEthernet0/0
      authentication mode hmac-sha-256 <KEY>
      hello-interval 5
      hold-time 15
    topology base
      redistribute static
    network 10.0.0.0 0.0.0.255
    eigrp router-id 10.0.0.1
```

### Stub Routing
- `eigrp stub [receive-only | connected | static | summary | redistributed]`
- Stubs are not queried by neighbours, which shrinks the query scope and reduces Stuck-in-Active (SIA) events

## 4. BGP

### eBGP vs iBGP
| Feature | eBGP | iBGP |
|---|---|---|
| Neighbours | Different AS | Same AS |
| TTL | 1 (default) | 255 |
| AD | 20 | 200 |
| Loop prevention | AS_PATH | iBGP split-horizon (routes learned from one iBGP peer are not advertised to other iBGP peers) |
| Next-hop | Changed | Preserved |

### BGP Path Selection (13 Steps)
1. **Weight** (Cisco proprietary, higher wins, local only)
2. **Local Preference** (higher wins, within AS)
3. **Locally originated** (network, aggregate, redistribute)
4. **AS_PATH** (shortest wins)
5. **Origin** (IGP < EGP < Incomplete)
6. **MED** (Multi-Exit Discriminator, lower wins)
7. **eBGP > iBGP**
8. **IGP metric** to next-hop (lowest wins)
9. **Oldest path** (eBGP only, for stability)
10. **Router ID** (lowest wins)
11. **Cluster list length** (shortest wins, route reflector)
12. **Neighbour IP** (lowest wins)

Mnemonic: **W**ise **L**ip **L**overs **A**pply **O**ils **M**ore **E**specially **I**n **O**pen **R**omantic **C**onditions **N**ightly
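The comparison order listed above as code, added here as an example and not taken from the cheat sheet; it assumes MED is compared across all paths (as with IOS `bgp always-compare-med`), ignores multipath, and uses constructed sample paths:

```python
# Added example: BGP best-path comparison in the order listed above (not from the cheat sheet).
# Assumes MED is compared across all paths (IOS `bgp always-compare-med`); multipath ignored.
from dataclasses import dataclass
from functools import cmp_to_key
import ipaddress
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

@dataclass
class Path:
    name: str
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    as_path: tuple = ()
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True            # learned from an eBGP peer
    igp_metric: int = 0          # IGP cost to the next hop
    received_order: int = 0      # lower = learned earlier (older path)
    router_id: str = "0.0.0.0"
    cluster_list: tuple = ()
    neighbor_ip: str = "0.0.0.0"

def compare(a, b):
    """Negative if a beats b; each pair is (value for a, value for b) with the smaller winning."""
    checks = [
        (-a.weight, -b.weight),                                  # 1 higher weight
        (-a.local_pref, -b.local_pref),                          # 2 higher local pref
        (not a.locally_originated, not b.locally_originated),    # 3 locally originated
        (len(a.as_path), len(b.as_path)),                        # 4 shorter AS_PATH
        (ORIGIN_RANK[a.origin], ORIGIN_RANK[b.origin]),          # 5 IGP < EGP < incomplete
        (a.med, b.med),                                          # 6 lower MED
        (not a.ebgp, not b.ebgp),                                # 7 eBGP over iBGP
        (a.igp_metric, b.igp_metric),                            # 8 nearest next hop
    ]
    if a.ebgp and b.ebgp:                                        # 9 oldest path (eBGP only)
        checks.append((a.received_order, b.received_order))
    checks += [
        (ipaddress.ip_address(a.router_id), ipaddress.ip_address(b.router_id)),      # 10
        (len(a.cluster_list), len(b.cluster_list)),                                  # 11
        (ipaddress.ip_address(a.neighbor_ip), ipaddress.ip_address(b.neighbor_ip)),  # 12
    ]
    for x, y in checks:
        if x != y:
            return -1 if x < y else 1
    return 0

def ranked(paths):
    """Path names best-first; ranked(paths)[0] is what would be installed."""
    return [p.name for p in sorted(paths, key=cmp_to_key(compare))]
SAMPLE_PATHS = [  # constructed: an iBGP path via a route reflector and two eBGP paths
    Path("via-RR", local_pref=200, as_path=(65010, 65020), ebgp=False, router_id="10.0.0.2", neighbor_ip="10.0.0.2", received_order=3),
    Path("via-ISP1", local_pref=100, as_path=(65010,), router_id="192.0.2.1", neighbor_ip="192.0.2.1", received_order=1),
    Path("via-ISP2", local_pref=200, as_path=(65010, 65020, 65030), router_id="198.51.100.1", neighbor_ip="198.51.100.1", received_order=2),
]
```

In the sample the iBGP path wins: local preference eliminates via-ISP1 and AS_PATH length decides before the eBGP-over-iBGP step is ever reached.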

### Attributes
| Attribute | Type | Transitive |
|---|---|---|
| AS_PATH | Well-known mandatory | Yes |
| NEXT_HOP | Well-known mandatory | Yes |
| ORIGIN | Well-known mandatory | Yes |
| LOCAL_PREF | Well-known discretionary | iBGP only |
| ATOMIC_AGGREGATE | Well-known discretionary | Yes |
| AGGREGATOR | Optional transitive | Yes |
| COMMUNITY | Optional transitive | Yes |
| MED | Optional non-transitive | No |
| ORIGINATOR_ID | Optional non-transitive | No |

### Scaling iBGP (full mesh replacements)
- **Route Reflectors**: RR reflects routes between clients
- **Confederations**: Sub-ASes within a larger AS

### Common Communities
- `no-export` (0xFFFFFF01): Don't advertise to eBGP peers
- `no-advertise` (0xFFFFFF02): Don't advertise to any peer
- `local-AS` / `no-export-subconfed`: Confederation boundary
- `internet` (0x00000000): All peers

### MP-BGP
- Supports multiple address families (IPv4, IPv6, VPNv4, EVPN, MVPN)
- Used for MPLS L3VPN, EVPN (DC fabrics)

## 5. Spanning Tree

### STP Variants
| Variant | Standard | Convergence | Instances |
|---|---|---|---|
| STP | 802.1D | ~50s | 1 per VLAN (PVST+ Cisco) |
| RSTP | 802.1w | ~6s | 1 per VLAN (Rapid PVST+ Cisco) |
| MST | 802.1s | ~6s | Few instances, map many VLANs |

### Port States
| STP State | RSTP State |
|---|---|
| Disabled | Discarding |
| Blocking | Discarding |
| Listening | Discarding |
| Learning | Learning |
| Forwarding | Forwarding |

### Port Roles (RSTP)
| Role | Description |
|---|---|
| Root Port | Best path to root bridge |
| Designated Port | Best port on segment toward root |
| Alternate Port | Backup path to root (alternate to Root Port) |
| Backup Port | Backup for Designated Port on same segment |

### Root Bridge Election
- Lowest Bridge ID wins = Priority (default 32768) + MAC address
- Set priority: `spanning-tree vlan 1-4094 priority 4096`
- Command `spanning-tree vlan 1 root primary` sets priority to 24576

### Protection Features
| Feature | Purpose |
|---|---|
| PortFast | Skip listening/learning on access ports |
| BPDU Guard | Disable port if any BPDU received |
| BPDU Filter | Stop sending/processing BPDUs (dangerous) |
| Root Guard | Prevent port from becoming root (disables if superior BPDU received) |
| Loop Guard | Detect unidirectional links (puts port in loop-inconsistent) |
| UDLD | Detect unidirectional links at L2 |

```
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree loopguard default
```

## 6. EtherChannel

### Protocols
| Protocol | Vendor | Modes |
|---|---|---|
| LACP (802.3ad) | Open | active, passive |
| PAgP | Cisco | desirable, auto |
| Static | Both | on |

### Mode Compatibility
- LACP: active-active, active-passive (NOT passive-passive)
- PAgP: desirable-desirable, desirable-auto (NOT auto-auto)
- static `on`: only on-on

### Load Balancing
`port-channel load-balance src-dst-ip` (check platform capabilities)

Options: src-mac, dst-mac, src-dst-mac, src-ip, dst-ip, src-dst-ip, src-port, dst-port, src-dst-port, src-dst-mixed-ip-port

### Troubleshooting
- Must match on all members: speed, duplex, VLANs, trunk mode, native VLAN, STP mode

## 7. First Hop Redundancy Protocols (FHRP)

| Protocol | Standard | Active/Standby | Load Balance | Default Timers |
|---|---|---|---|---|
| HSRP v1 | Cisco | 1 Active, 1 Standby | No | hello 3s, hold 10s |
| HSRP v2 | Cisco | 1 Active, 1 Standby | No | hello 3s, hold 10s (sub-sec possible) |
| VRRP | RFC 5798 | 1 Master, 1+ Backup | No | advert 1s, master down 3.6s |
| GLBP | Cisco | 1 AVG, multiple AVFs | Yes (per host) | hello 3s, hold 10s |

### HSRP Sample
```
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.0.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string <KEY>
 standby 10 track 1 decrement 20
!
track 1 interface GigabitEthernet0/1 line-protocol
```

- Preempt: allow higher-priority to take over
- Track: decrement priority if tracked object fails

## 8. Wireless

### AP Modes
| Mode | Description |
|---|---|
| Local | Normal mode, all traffic to WLC (CAPWAP) |
| FlexConnect | Local switching, local authentication (branch) |
| Mesh / Bridge | AP-to-AP wireless backhaul |
| Sniffer | Captures 802.11 traffic for analysis |
| Monitor | Scans for rogues, location services |
| Rogue Detector | Listens for rogue APs on wired network |
| SE-Connect | Spectrum analysis mode |

### RF Concepts
| Feature | Purpose |
|---|---|
| RRM (Radio Resource Management) | Dynamic channel/power optimisation |
| DCA (Dynamic Channel Assignment) | Auto channel selection |
| TPC (Transmit Power Control) | Auto power adjustment |
| CleanAir | Interference detection |
| Band Select | Steer dual-band clients to 5 GHz |
| Load Balancing | Spread clients across APs |

### Roaming
- **Layer 2 roaming**: Same VLAN/subnet, fast association
- **Layer 3 roaming**: Different subnets, requires mobility tunnel (EoIP or CAPWAP)

### 802.11 Extensions
| Standard | Function |
|---|---|
| 802.11k | Neighbour reports (roaming candidates) |
| 802.11r | Fast BSS transition (pre-auth) |
| 802.11v | BSS transition management (AP steering) |
| 802.11w | Management frame protection |

### Wireless Security Options (5 levels)
1. **Open**: No auth
2. **WEP**: Broken
3. **WPA2/PSK**: Personal
4. **WPA2-Enterprise**: 802.1X + RADIUS
5. **WPA3-Enterprise 192-bit**: Suite B

## 9. IP Services

### NTP
- Stratum: 0 (reference) up to 15 (usable), 16 = unreachable
- Authentication: `ntp authentication-key 1 md5 <KEY>` (plus `ntp authenticate` and `ntp trusted-key 1` to enforce it)
- NTP master: `ntp master 4` (becomes stratum 4 source if no upstream)

### SNMP
| Version | Authentication | Encryption |
|---|---|---|
| v1 / v2c | Community string (plaintext) | None |
| v3 noAuthNoPriv | None | None |
| v3 authNoPriv | MD5/SHA | None |
| v3 authPriv | MD5/SHA | DES/AES |

```
snmp-server group SNMP-RO v3 priv
snmp-server user admin SNMP-RO v3 auth sha <PASS> priv aes 256 <PASS>
snmp-server host 10.0.30.50 version 3 priv admin
```

### Syslog Severity
| Level | Keyword |
|---|---|
| 0 | Emergency |
| 1 | Alert |
| 2 | Critical |
| 3 | Error |
| 4 | Warning |
| 5 | Notification |
| 6 | Informational |
| 7 | Debug |

### NetFlow / IPFIX
- **NetFlow v5**: Fixed format, IPv4 only
- **NetFlow v9 / IPFIX (v10)**: Template-based, flexible, IPv4/IPv6

```
flow record VP-RECORD
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
!
flow exporter VP-EXPORTER
 destination 10.0.30.80
 transport udp 2055
!
flow monitor VP-MONITOR
 record VP-RECORD
 exporter VP-EXPORTER
!
interface GigabitEthernet0/1
 ip flow monitor VP-MONITOR input
```

### IP SLA
```
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
! primary default route is withdrawn while the probe fails
ip route 0.0.0.0 0.0.0.0 <ISP1_NH> track 1
! floating static (AD 250) takes over via ISP2
ip route 0.0.0.0 0.0.0.0 <ISP2_NH> 250
! pin the probe target to ISP1 with a /32 static route via <ISP1_NH>; otherwise
! the probe succeeds via ISP2 after failover and the track flaps
```

## 10. Network Assurance

### SPAN / RSPAN / ERSPAN
| Feature | Scope | Transport |
|---|---|---|
| SPAN | Local switch only | Direct port mirror |
| RSPAN | Across switches in same L2 domain | VLAN-based |
| ERSPAN | Across IP network (L3) | GRE-encapsulated |

```
monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/24
```

### Catalyst Center Assurance
- Machine reasoning for root cause analysis
- Client health, application health, device health scores
- Path trace, packet capture, sensor tests

### Debug vs Show
- `show` - state snapshot, safe
- `debug` - live stream of events, high CPU impact (use `conditional debugging` and `logging buffered`)

## 11. Security

### Control Plane Policing (CoPP)
Protects the route processor from floods/DoS.
```
! COPP-CRITICAL-ACL (not shown here) should match routing and management
! traffic to the RP, e.g. OSPF/EIGRP/BGP and SSH from trusted sources
class-map match-any COPP-CRITICAL
 match access-group name COPP-CRITICAL-ACL
policy-map COPP-POLICY
 class COPP-CRITICAL
  ! exceed-action transmit: the rate is measured but never dropped
  police rate 5000 pps conform-action transmit exceed-action transmit
 class class-default
  ! everything else punted to the RP is hard-limited
  police rate 200 pps conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

### uRPF (Unicast Reverse Path Forwarding)
- **Strict mode**: Source must be reachable via incoming interface (symmetric routing required)
- **Loose mode**: Source must be reachable via any interface (tolerates asymmetric routing; only blocks sources with no route at all)
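An added example (not from the cheat sheet) modelling both modes against a constructed FIB so the difference on a spoofed packet is visible; `allow_default` mirrors the IOS `allow-default` keyword:

```python
# Added example, not from the cheat sheet: a model of the strict and loose uRPF
# checks against a constructed FIB. allow_default mirrors the IOS
# `allow-default` keyword; without it a source matched only by the default
# route fails the check. All prefixes and interfaces are constructed.
import ipaddress

FIB = {  # constructed routing table of an edge router: prefix -> egress interface
    "0.0.0.0/0": "Gi0/0",     # default route towards the ISP
    "10.0.0.0/8": "Gi0/1",    # internal campus
    "192.0.2.0/24": "Gi0/2",  # directly connected customer segment
}

def lookup(fib, address):
    """Longest-prefix match. Returns (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, intf in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best

def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """True if a packet with source `src` arriving on `ingress` passes uRPF.
    strict: the route back to src must point out the ingress interface.
    loose:  any route back to src is enough (tolerates asymmetric paths)."""
    match = lookup(fib, src)
    if match is None:
        return False                       # no route back: drop in both modes
    net, intf = match
    if net.prefixlen == 0 and not allow_default:
        return False                       # only the default route matches
    if mode == "loose":
        return True
    if mode == "strict":
        return intf == ingress
    raise ValueError(f"unknown uRPF mode: {mode}")

def demo():
    """Same spoofed packet under both modes: an internal source arriving from the ISP."""
    spoofed = ("10.1.2.3", "Gi0/0")
    return {
        "strict": urpf_check(FIB, *spoofed, mode="strict"),
        "loose": urpf_check(FIB, *spoofed, mode="loose"),
    }

if __name__ == "__main__":
    print(demo())  # strict catches the spoofed internal source, loose does not
```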

### 802.1X / MAB / Web Auth
- 802.1X: EAP-based, requires supplicant
- MAC Authentication Bypass (MAB): Fallback for non-802.1X devices (printers)
- Web Auth: Browser-based captive portal

### MACsec (802.1AE)
- Layer 2 hop-by-hop encryption (wire-level)
- AES-GCM encryption
- MKA (MACsec Key Agreement) for key distribution

### Cisco TrustSec (SGT/SGACL)
- Tag-based segmentation (Security Group Tag in packet)
- SGACLs enforce policy based on source and destination SGT
- Propagation: inline tagging or SXP (SGT Exchange Protocol)

## 12. Automation and Programmability

### REST APIs
- HTTP methods: GET, POST, PUT, PATCH, DELETE
- Auth: Basic, Bearer token, API key
- Payload: JSON (most common), XML

### Data Models
- **YANG** (RFC 7950): Data modelling language for network configs
- **IETF YANG**: Vendor-neutral (ietf-interfaces)
- **OpenConfig YANG**: Multi-vendor industry models
- **Native YANG**: Cisco-IOS-XE-native for platform-specific

### Transport Protocols
| Protocol | Transport | Encoding | Notes |
|---|---|---|---|
| NETCONF | SSH (port 830) | XML | RFC 6241, candidate config |
| RESTCONF | HTTPS | JSON/XML | RFC 8040, REST over YANG |
| gNMI | gRPC (HTTP/2) | Protobuf | Streaming telemetry |
| SNMP | UDP | ASN.1 | Legacy management |

### Telemetry
- **Streaming telemetry**: Push model, efficient, near-real-time
  - Dial-in: Collector initiates
  - Dial-out: Device initiates
- **SNMP polling**: Pull model, legacy

### Ansible for Networking
- Agentless (uses SSH or NETCONF/API)
- Playbooks in YAML
- Modules: `ios_config`, `ios_facts`, `nxos_config`, `junos_config`, `cli_command`

### Python for Networking
- **Paramiko**: SSH library
- **Netmiko**: Multi-vendor CLI abstraction (built on Paramiko)
- **NAPALM**: Unified API across vendors (Cisco, Juniper, Arista)
- **Nornir**: Python automation framework with inventory
- **ncclient**: NETCONF client

## 13. Virtualisation

### VRF (Virtual Routing and Forwarding)
Multiple routing tables on one device.
```
vrf definition CUSTOMER-A
 rd 65001:100
 address-family ipv4
  exit-address-family
!
interface GigabitEthernet0/1
 vrf forwarding CUSTOMER-A
 ip address 10.10.0.1 255.255.255.0
```

### GRE
- IP Protocol 47
- No encryption (pair with IPsec for confidentiality)
- Carries multicast (useful for OSPF/EIGRP across Internet)

### VXLAN
- MAC-in-UDP encapsulation (UDP port 4789)
- 24-bit VNI (16M segments vs VLAN's 4K)
- VTEP: VXLAN Tunnel Endpoint (performs encap/decap)
- Flood-and-learn vs BGP EVPN control plane

### LISP (Locator/ID Separation Protocol)
- Decouples endpoint ID (EID) from routing locator (RLOC)
- Map server / map resolver architecture
- Foundation of Cisco SD-Access

## 14. QoS

### Classification
- **DSCP** (L3, 6 bits): AF11-AF43, EF, CSx
- **CoS** (L2, 3 bits in 802.1Q tag)
- **IP Precedence** (L3, 3 bits, legacy)
- **MPLS EXP** (L2.5, 3 bits)
- **NBAR2**: Deep packet inspection for application recognition

### Marking Recommendations
| Traffic | DSCP | PHB |
|---|---|---|
| Voice RTP | 46 | EF |
| Voice Signaling | 24 | CS3 |
| Interactive Video | 34 | AF41 |
| Multimedia Conf | 34 | AF41 |
| Multimedia Stream | 26 | AF31 |
| Network Control | 48 | CS6 |
| Critical Data | 18 | AF21 |
| Best Effort | 0 | BE/default |
| Scavenger | 8 | CS1 |
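An added example (not from the cheat sheet) that decodes a DSCP value into the PHB names used in the table above, converts the names back, and splits a captured ToS byte into DSCP and ECN bits; the sample bytes are constructed:

```python
# Added example, not from the cheat sheet: decoding the 6-bit DSCP field into
# its PHB name (and back), plus the ToS byte and default CoS mapping that the
# classification bullets above describe. The sample ToS bytes are constructed.

def dscp_to_phb(dscp):
    """Map a DSCP value (0-63) to its PHB name: EF, CSx, AFxy or default."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 46:
        return "EF"
    if dscp == 0:
        return "default"
    cls, rem = divmod(dscp, 8)          # top 3 bits = class selector
    if rem == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"AF{cls}{rem // 2}"      # AFxy = 8x + 2y (y = drop precedence)
    return f"unassigned({dscp})"

def phb_to_dscp(name):
    """Inverse of dscp_to_phb for the standard names (case-insensitive)."""
    n = name.upper()
    if n == "EF":
        return 46
    if n in ("DEFAULT", "BE"):
        return 0
    if n.startswith("CS") and n[2:].isdigit() and 0 <= int(n[2:]) <= 7:
        return 8 * int(n[2:])
    if n.startswith("AF") and len(n) == 4 and n[2] in "1234" and n[3] in "123":
        return 8 * int(n[2]) + 2 * int(n[3])
    raise ValueError(f"unknown PHB: {name}")

def decode_tos(tos_byte):
    """Split the IPv4 ToS / IPv6 Traffic Class byte into DSCP, PHB and ECN bits."""
    dscp, ecn = tos_byte >> 2, tos_byte & 0b11
    return {"dscp": dscp, "phb": dscp_to_phb(dscp), "ecn": ecn}

def default_cos(dscp):
    """Default DSCP-to-CoS mapping on Catalyst switches: the three class bits."""
    return dscp >> 3

# Constructed ToS bytes as seen in a capture: 0xB8 = EF, 0x68 = AF31, 0x20 = CS1, 0x89 = AF41 + ECN
SAMPLE_TOS = [0xB8, 0x68, 0x20, 0x89]
```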

### Queuing
- **FIFO**: No QoS
- **WFQ**: Weighted Fair Queuing (flow-based)
- **CBWFQ**: Class-Based WFQ (user-defined classes with bandwidth guarantees)
- **LLQ**: Low Latency Queuing (CBWFQ + priority queue for voice)

### Policing vs Shaping
| Feature | Policing | Shaping |
|---|---|---|
| Action | Drop/re-mark | Delay (buffer) |
| Effect | Bursty output (excess dropped or re-marked) | Smoothed output (excess buffered) |
| Typical use | Ingress | Egress |

### MQC (Modular QoS CLI)
```
class-map match-any VOICE
 match dscp ef
policy-map QOS-OUT
 class VOICE
  priority percent 10
 class class-default
  fair-queue
!
interface GigabitEthernet0/0
 service-policy output QOS-OUT
```

## 15. Key Enable-Mode Commands Cheat Sheet

```
show running-config
show startup-config
show version
show platform
show ip route vrf <VRF>
show ip ospf neighbor
show ip ospf database
show ip eigrp neighbors detail
show ip bgp summary
show ip bgp neighbors
show spanning-tree
show etherchannel summary
show standby brief
show ip int brief
show interface status
show interface counters errors
show mac address-table
show cdp neighbors detail
show lldp neighbors detail
show ip arp
show logging
show snmp
show ntp status
show ntp associations
show flow monitor
show access-lists
show access-list dynamic
show tech-support
show crypto ikev2 sa
show crypto ipsec sa
show policy-map interface <INTF>
show control-plane host open-ports
show processes cpu sorted
show processes memory sorted
```

---

**VantagePoint Networks** - vantagepointnetworks.com

