CCNP Tutorial

CCNP stands for Cisco Certified Network Professional. It is a certification developed by Cisco. This certification allows a user to plan, implement, verify, and troubleshoot the different area networks and to work collectively with advanced users on security, implementation, and voice to find solutions. By next year, i.e., 2020, Cisco will release new certification exams, which include the CCNP Routing and Switching and CCNP Enterprise certifications as well.

What is a CCNP certification?

CCNP (Cisco Certified Network Professional) certification is an intermediate-level certification. It is suitable for those who have more than one year of experience and are keen to advance their skills and work on complex network solutions.

CCNP requires a candidate to hold either a CCNA certification or any CCIE certification at any level.

Is CCNP certification important/necessary?

Certification is the key to success in any industry. CCNP certification improves your credibility to troubleshoot and implement WANs and local area networks. But before attempting the CCNP certification, you have to be CCNA certified. The chances of getting hired increase by 70% after the certification.

What is the difference between CCNA and CCNP?

CCNA | CCNP
---- | ----
It is an associate-level certification. | It is a professional-level certification.
It includes routing and switching fundamentals. | It includes in-depth knowledge of LAN, WAN, and how they work together.
It prepares a candidate for the role of network administrator, network support engineer, or associate security analyst. | It prepares a candidate for the role of network consultant, senior network engineer, or data center engineer.
CCNA requires passing one exam, sometimes two. | CCNP requires passing up to four exams.
It stands for Cisco Certified Network Associate. | It stands for Cisco Certified Network Professional.

Eligibility criteria for CCNP certification

  • Candidates who have a bachelor's degree in Information Science, Computer Science, other engineering fields, or a related field can pursue CCNP certification.
  • Any CCNA or CCIE certificate holder with a minimum of one year of experience can become CCNP certified by passing three exams, namely ROUTE, SWITCH, and TSHOOT.

The three exams are explained as:

1. ROUTE: This exam tests the routing knowledge and skills of a candidate in IP addressing, secure connections to area networks, and IPv6.

2. SWITCH: This exam tests the switching knowledge and skills of a candidate in the planning, verification, and execution of complex switching solutions.

3. TSHOOT: This exam tests the knowledge and skills of a candidate in troubleshooting and maintaining Cisco IP networks.

CCNP Syllabus

  1. Introduction
  2. Routing fundamentals
  3. EIGRP
  4. OSPF
  5. Redistribution
  6. Route selection
  7. BGP (border gateway protocol)
  8. IPv6
  9. Redistribution variation of IPv4 and IPv6
  10. Remote site connectivity

It is also further subdivided into its three exams.

Syllabus covered under the three exams is:

a) ROUTE (300-101)                       % contribution

  • Network principles                   10%
  • Layer 2 technologies                 10%
  • Layer 3 technologies                 40%
  • VPN technologies                     10%
  • Infrastructure security              10%
  • Infrastructure services              20%

b) SWITCH (300-115)

  • Layer 2 technologies                 65%
  • Infrastructure security              20%
  • Infrastructure services              15%

c) TSHOOT (300-135)

  • Network principles                    5%
  • Layer 2 technologies                 40%
  • Layer 3 technologies                 40%
  • VPN technologies                      5%
  • Infrastructure security               5%
  • Infrastructure services               5%

After clearing these exams, there are four more security certification exams to be CCNP certified.

  1. Implementing Cisco Secure Access Solutions (300-208 SISAS)

Syllabus covered under this exam is:

  TOPIC                                                      % CONTRIBUTION

  • Identity Management/Secure Access                        33%
  • Threat Defense                                           10%
  • Troubleshooting, monitoring and reporting tools           7%
  • Threat Defense Architectures                             17%
  • Identity Management Architectures                        33%

  2. Implementing Cisco Edge Network Security Solutions (300-206 SENSS)

Syllabus covered under this exam is:

  • Threat Defense                                           25%
  • Cisco security devices GUIs and secured CLI management   25%
  • Management services on Cisco devices                     12%
  • Troubleshooting, monitoring and reporting tools          10%
  • Threat Defense Architectures                             16%
  • Security components and considerations                   12%

  3. Implementing Cisco Secure Mobility Solutions (300-209 SIMOS)

Syllabus covered under this exam is:

  • Secure communications                                    32%
  • Troubleshooting, monitoring and reporting tools          38%
  • Secure communications architecture                       30%

  4. Implementing Cisco Threat Control Solutions (300-210 SITCS)

Syllabus covered under this exam is:

  • Content Security                                         27%
  • Network Threat Defense                                   22%
  • Cisco FirePOWER Next-Generation IPS (NGIPS)              20%
  • Security Architectures                                   17%
  • Troubleshooting, monitoring, and reporting tools         14%

Introduction

CCNP means Cisco Certified Network Professional, the certification developed by Cisco for planning, implementing, verifying, and troubleshooting area networks, as described above. A candidate's foundation from CCNA and CCNP should be strong, with a deep understanding of all the basics and of the subjects and topics related to them. Questions about subnetting are also important, so it is essential to understand its concepts.

Routing Fundamentals

  • IPv4

It operates at the network layer of the OSI model and is a connectionless protocol. A computer uses its default gateway to send something to another network. There are different address classes to work with, such as class A, class B, and class C.

  • ARP

Address Resolution Protocol is used to map a network-layer IP address to a hardware address. It is used by IP (Internet Protocol) and operates below the network layer. It resolves an IP address (logical address) into a physical address, i.e., a MAC address such as an Ethernet address.

  • DHCP Server

Layer 3 switches and IOS devices can be configured as the DHCP (Dynamic Host Configuration Protocol) server. DHCP is a network management protocol used on UDP/IP networks. It dynamically assigns an IP address and other configuration parameters to each host so that every device in the network can communicate with other IP networks.

  • TCP and UDP

TCP stands for Transmission Control Protocol, while UDP stands for User Datagram Protocol. TCP is reliable and connection-oriented, while UDP is a connectionless protocol. TCP connection setup is called the three-way handshake, i.e., it establishes a connection first and then starts transferring data.

  • ICMP

It stands for Internet Control Message Protocol. It is a network protocol used for network management and diagnostics. Consider the example of the 'ping' utility, which uses the ICMP echo request and ICMP echo reply messages. It is an essential part of the IP protocol suite and is considered a layer 3 protocol.

  • Asymmetric routing may also result in unicast flooding. Traffic that passes through a NAT (network address translation) router should use the same router for the return traffic as well, so that packets reach the correct destination, i.e., the original IP address. Likewise, traffic should leave the network through the firewall so that the returning traffic can get back through it, preventing packets from being dropped.

EIGRP

  • It stands for Enhanced Interior Gateway Routing Protocol and is used for automatic routing decisions and configuration on a computer network. It was designed by Cisco and is available mainly on Cisco routers and devices.
  • It has four components:

  1. Neighbor discovery/recovery

This method is used to discover whether a neighbor router is inactive or unreachable. It works by sending hello packets at regular intervals, so the router can determine whether the neighbor is still up and functioning. If the neighbor is working, the router starts exchanging routing information with it.

  2. Reliable Transport Protocol

It is the protocol used to ensure guaranteed, ordered delivery of EIGRP packets to all neighbors. It supports the intermixed transmission of multicast and unicast packets, and reliability is provided only where necessary. For example, on Ethernet it is not required to send hello packets reliably to each neighbor individually; EIGRP sends a single multicast hello packet indicating that no acknowledgment is needed.

  3. DUAL Finite State Machine

It embodies the decision process and tracks all routes advertised by all neighbors. DUAL selects routes based on feasible successors (a backup path whose reported distance is less than the feasible distance). The feasible distance is the EIGRP metric to the destination from this router, while the advertised (reported) distance is the EIGRP metric to the destination from the neighboring router.

  4. Protocol Dependent Modules

They are responsible for the network-layer protocol-specific requirements. For example, the IP-EIGRP module is responsible for sending and receiving EIGRP packets encapsulated in IP.

EIGRP is an enhanced version of IGRP. DUAL (Diffusing Update Algorithm) is the algorithm used to obtain loop freedom at every instant throughout the route computation. EIGRP uses IP protocol number 88. EIGRP is used for both IPv4 and IPv6; the difference is that each uses its own dedicated multicast address. Unlike IGRP and RIP, EIGRP does not depend on the routing table to hold all of its information. It builds a secondary table called the topology table, from which routes are installed in the routing table.
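
The feasibility condition described above, worked through in code. This is an added example, not code from the page or from Cisco; the neighbor names, link costs and reported distances are constructed, and it also shows what DUAL does when the successor is lost with and without a feasible successor.

```python
"""EIGRP DUAL: successor and feasible-successor selection.

Added illustration, not code from the page or from Cisco: a minimal model of
the feasibility condition that DUAL applies to topology-table entries. The
neighbor names, link costs and reported distances are constructed values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TopologyEntry:
    """One topology-table entry for a destination, learned via one neighbor."""
    neighbor: str
    reported_distance: int  # the neighbor's own metric to the destination (RD)
    link_cost: int          # metric of the link from this router to the neighbor

    @property
    def total(self) -> int:
        """Metric from this router if the path via this neighbor is used."""
        return self.link_cost + self.reported_distance


def select_paths(entries):
    """Return (feasible_distance, successors, feasible_successors).

    FD (feasible distance) is the lowest total metric among all entries.
    A successor is any neighbor whose total metric equals FD.
    A feasible successor is any other neighbor whose reported distance is
    strictly less than FD (the feasibility condition): such a neighbor cannot
    be routing through us, so it is a loop-free backup usable without a query.
    """
    if not entries:
        return None, [], []
    fd = min(e.total for e in entries)
    successors = [e.neighbor for e in entries if e.total == fd]
    feasible = [e.neighbor for e in entries
                if e.total != fd and e.reported_distance < fd]
    return fd, successors, feasible


def after_successor_loss(entries, lost_neighbor):
    """Model DUAL's reaction when a successor is lost.

    With a feasible successor available the route stays passive and the best
    feasible successor is promoted at once. Without one the route goes active
    and the router must query its neighbors (the query itself is not modeled).
    """
    _, _, feasible = select_paths(entries)
    remaining = [e for e in entries if e.neighbor != lost_neighbor]
    candidates = [e for e in remaining if e.neighbor in feasible]
    if not candidates:
        return "active", None, []
    new_fd = min(e.total for e in candidates)
    return "passive", new_fd, [e.neighbor for e in candidates if e.total == new_fd]


# Constructed topology table for a single destination prefix.
SAMPLE_TABLE = [
    TopologyEntry("R2", reported_distance=20, link_cost=10),  # total 30 -> successor
    TopologyEntry("R3", reported_distance=25, link_cost=10),  # total 35, RD 25 < 30 -> FS
    TopologyEntry("R4", reported_distance=30, link_cost=5),   # total 35, RD 30 not < 30 -> no FS
]


if __name__ == "__main__":
    print(select_paths(SAMPLE_TABLE))                # (30, ['R2'], ['R3'])
    print(after_successor_loss(SAMPLE_TABLE, "R2"))  # ('passive', 35, ['R3'])
```

Note that R4 offers the same total metric as R3 but fails the feasibility condition, so a failure of R2 with only R4 present would force the route into the active state.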

OSPF

It stands for Open Shortest Path First (OSPF). It comes under the category of Interior Gateway Protocols, which operate within a single autonomous system. OSPF chooses the best path for the transmission of packets through a set of connected networks. In corporate networks, it has replaced RIP (Routing Information Protocol). Its sub-domains are called areas. EIGRP and OSPF are classless IPv4 routing protocols, which include the subnet mask with each network address in their routing updates. OSPF does not use TCP or UDP; instead, it is carried directly in IP datagrams. The features of OSPF are given below:

  • In the IP packet, it uses protocol number 89.
  • All OSPF routers participate in the multicast group 224.0.0.5, while OSPF designated routers participate in 224.0.0.5 and 224.0.0.6, and they communicate through multicast packets.
  • Minimum traffic exchange.
  • OSPF was developed to overcome the limitations of RIP.
  • OSPF areas are manually configured and identified by a 32-bit field.
  • Area 0 is connected to all other areas and is considered the backbone if more than one area is defined.
  • Each router participating in OSPF must be uniquely identified. It uses a router ID (RID) for identification, so the same loopback address must never be used on different routers.
  • To change the default behavior of OSPF, the metric (used to make routing decisions) needs to be specified.
  • OSPF LSAs are one of the vital topics. There are mainly five types of LSAs, namely LSA types 1, 2, 3, 4, and 5.
    • LSA type 1: it describes the state of each interface of a router connected to the area.
    • LSA type 2: it describes the set of routers attached to a network and is sent by the DR (Designated Router).
    • LSA types 3 and 4: both are summary LSAs sent by the ABR (Area Border Router).
    • LSA type 5: it is used by the ASBR (Autonomous System Boundary Router) to advertise routes that are external to the OSPF network.
  • OSPF stub areas are of three types. The first is the stub area (able to receive all types of LSAs except type 5). The second is the totally stubby area (unable to receive LSA type 5 and also summary LSAs such as type 3). The last is the not-so-stubby area (almost the same as a standard stub area, but it allows an ASBR to exist within the area).

Difference between EIGRP and OSPF

S.No | EIGRP (Enhanced Interior Gateway Routing Protocol) | OSPF (Open Shortest Path First)
---- | ---- | ----
1. | It is a proprietary gateway protocol. | It is a dynamic routing protocol.
2. | For reliability and backup paths, it uses DUAL. | It uses SPF (shortest path first), i.e., Dijkstra's algorithm.
3. | Administrative distance is 70 for internal routes and 170 for external redistributed routes. | Administrative distance is 110.
4. | It is a hybrid protocol. | It is a link-state protocol.

Redistribution

Redistribution advertises into a routing protocol routes that were learned by other means, such as static routes, directly connected routes, or another routing protocol. Double redistribution inside the same router is not allowed; only the routes used by the router itself are redistributed.

Redistribution can be one-point (one-way or two-way) or multipoint (one-way or two-way). One-point redistribution takes place at a single point between two routing protocols. It requires the use of default or static routes.

Multipoint redistribution is performed at two or more points between routing protocols. It has to be performed carefully because it can introduce routing loops. This problem arises from the difference in AD (administrative distance) between the two routing protocols. Most problematic are incompatible metrics, which cause routing loops.

To avoid such problems, the following methods should be used:

  • A default metric should be set for redistributed routes.
  • The safest way to perform route redistribution is to redistribute on only one router within a network and in one direction.
  • For redistribution in both directions or on multiple boundary routers, the redistribution should be tuned to avoid problems.
  • The solution to the problem of routing loops is the use of route maps, distribute lists, or the manipulation of AD (administrative distance).

Route Selection

This topic is one of the more difficult concepts of the CCNP examination.

It is essential to know how Cisco routers choose the best path among the routes offered by all the routing protocols. The concept behind how a router selects the best route is easy to understand, but it requires proper knowledge of how routers work.

The first step is the establishment of the routing table. The following steps are used to build and maintain the routing table:

  • Various routing processes or protocols run on the network, such as EIGRP (Enhanced Interior Gateway Routing Protocol), OSPF (Open Shortest Path First), BGP (Border Gateway Protocol), and IS-IS (Intermediate System-to-Intermediate System).
  • The routing table not only accepts route information from these processes but also replies to lookup requests from the forwarding process, i.e., when a packet must be forwarded.
  • The main aspects considered while building the routing table are AD (administrative distance, a measure of the reliability of the route source), the metric (used to calculate the best path within a protocol), and the prefix length.
  • If the most preferred route fails, the next best route is selected by comparing AD again.
  • If a route installed in the routing table fails, the router asks the routing processes to install a backup route in the routing table.
  • If a packet arrives at the router that is not addressed to the router itself, the router forwards it.
  • If the ip classless command is not configured, the router will not forward any packet to supernets.
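
The selection order these steps describe (longest prefix, then lowest AD, then lowest metric) and the effect of the ip classless setting, as an added example that is not code from the page or from Cisco IOS. The routes, next hops and metrics are constructed; the AD values are Cisco's documented defaults for connected, static, OSPF and external EIGRP routes.

```python
"""Cisco-style route selection: prefix length, then AD, then metric.

Added illustration, not code from the page or from IOS. Prefixes, next hops
and metrics are constructed; AD values are Cisco defaults (connected 0,
static 1, OSPF 110, EIGRP external 170).
"""
import ipaddress
from dataclasses import dataclass

AD = {"connected": 0, "static": 1, "ospf": 110, "eigrp-external": 170}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str   # key into AD
    metric: int


def install(candidates):
    """Per prefix, keep only the lowest-AD candidates and, among those, the
    lowest metric (equal-cost paths stay). Prefix lengths are compared at lookup."""
    by_prefix = {}
    for r in candidates:
        by_prefix.setdefault(r.prefix, []).append(r)
    table = []
    for routes in by_prefix.values():
        best_ad = min(AD[r.source] for r in routes)
        same_ad = [r for r in routes if AD[r.source] == best_ad]
        best_metric = min(r.metric for r in same_ad)
        table.extend(r for r in same_ad if r.metric == best_metric)
    return table


def classful_network(addr):
    # Classful (class A/B/C) major network that contains addr.
    first_octet = int(addr) >> 24
    bits = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def lookup(table, destination, ip_classless=True):
    """Forwarding lookup: the longest matching prefix wins, regardless of AD.
    With 'no ip classless', if the router knows subnets of the destination's
    major network but none matches, it does not fall back to a supernet or
    the default route: the packet is dropped."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return []
    longest = max(r.prefix.prefixlen for r in matches)
    best = [r for r in matches if r.prefix.prefixlen == longest]
    if not ip_classless:
        major = classful_network(dst)
        knows_major = any(r.prefix.subnet_of(major) for r in table)
        if knows_major and not any(r.prefix.subnet_of(major) for r in best):
            return []
    return best


def next_hops(table, destination, ip_classless=True):
    return sorted(r.next_hop for r in lookup(table, destination, ip_classless))


# Constructed candidate routes offered to the routing table.
N = ipaddress.ip_network
CANDIDATES = [
    Route(N("10.1.1.0/24"), "192.168.1.2", "ospf", 20),
    Route(N("10.1.1.0/24"), "192.168.1.4", "ospf", 30),           # loses on metric
    Route(N("10.1.1.0/24"), "192.168.1.3", "eigrp-external", 5),  # loses on AD
    Route(N("10.1.0.0/16"), "192.168.2.1", "static", 0),
    Route(N("0.0.0.0/0"), "192.168.9.1", "static", 0),
]
TABLE = install(CANDIDATES)   # three routes survive: /24, /16 and the default
```

A packet to 10.2.3.4 follows the default route with ip classless enabled, but with it disabled it is dropped because the router knows other subnets of 10.0.0.0/8; a packet to 172.16.5.5 still takes the default route either way, since no subnet of 172.16.0.0/16 is known.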

BGP

It stands for Border Gateway Protocol. This protocol is used between ISPs (Internet Service Providers). It uses the concept of an Autonomous System (AS), a group of networks under a common administration. Routing between autonomous systems is called inter-domain routing.

  • Routers can run only one instance of BGP at a time.
  • It is a path-vector protocol: each route carries the list of autonomous systems traversed on the path to the network.
  • BGP is different from the protocols discussed so far because it was built for control, reliability, and scalability.
  • BGP uses three databases, namely the neighbor database, the BGP database, and the routing table. The BGP database, or RIB (Routing Information Base), is the list of networks along with their paths and attributes.
  • There are two types of BGP: internal and external. Internal BGP (IBGP) is the peer relationship between routers in the same autonomous system, while external BGP (EBGP) is the relationship between routers in different autonomous systems.
  • When a BGP router receives information from an EBGP neighbor, it should pass it to its IBGP neighbors without changing the next-hop attribute. But on a multi-access network, it can adjust the next-hop attribute to avoid an extra hop.
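
The path-vector behaviour and the EBGP/IBGP next-hop rule from the list above, as an added example (not code from the page or from any BGP implementation). The AS numbers, router addresses and prefix are constructed.

```python
"""BGP as a path-vector protocol: AS_PATH loop prevention and next-hop handling.

Added illustration, not code from the page or from any BGP implementation: a
toy model of how a router processes an UPDATE from an EBGP or IBGP neighbor.
The AS numbers, prefix and router addresses are constructed values.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    as_path: tuple   # leftmost AS is the one traversed most recently
    next_hop: str


def accept(local_as, route):
    """Path-vector loop prevention on receipt: if our own AS number already
    appears in AS_PATH the route has looped back to us and is discarded."""
    return local_as not in route.as_path


def advertise(local_as, my_address, route, to_ebgp_peer):
    """Build the copy of a route that is sent to a peer.

    To an EBGP peer: prepend our AS and set the next hop to our own address.
    To an IBGP peer: AS_PATH and next hop are passed on unchanged, which is
    why a route learned from EBGP keeps its external next hop inside the AS.
    """
    if to_ebgp_peer:
        return replace(route, as_path=(local_as,) + route.as_path, next_hop=my_address)
    return route


def walk(prefix, chain):
    """Propagate a route along a chain of EBGP peerings.

    chain: [(as_number, router_address), ...]; the first entry originates the
    prefix. Returns the last route put on the wire, the list of ASes that
    accepted the route, and the AS that rejected it (None if nobody did).
    """
    route = BgpRoute(prefix, as_path=(), next_hop="")
    accepted_by = [chain[0][0]]
    for (send_as, send_addr), (recv_as, _) in zip(chain, chain[1:]):
        sent = advertise(send_as, send_addr, route, to_ebgp_peer=True)
        if not accept(recv_as, sent):
            return sent, accepted_by, recv_as
        route = sent
        accepted_by.append(recv_as)
    return route, accepted_by, None


# Constructed topology: AS 100 -> AS 200 -> AS 300 -> back to AS 100.
CHAIN = [(100, "10.0.0.1"), (200, "10.0.0.2"), (300, "10.0.0.3"), (100, "10.0.0.1")]


if __name__ == "__main__":
    final, accepted, rejected_by = walk("203.0.113.0/24", CHAIN)
    print(final.as_path, final.next_hop, accepted, rejected_by)
    # (300, 200, 100) 10.0.0.3 [100, 200, 300] 100
```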

IPv6

IPv6 stands for Internet Protocol version 6. It is the most recent version of the IP address, developed by the IETF (Internet Engineering Task Force). With the rapid growth in the number of devices, each device requires a unique identification address called the IP address. IPv6 was built to overcome the shortcomings of IPv4. It uses a 128-bit address, which gives more than 7.9 * 10^28 times as many possible addresses as IPv4, which uses a 32-bit address.

It provides end-to-end datagram transmission across multiple networks. IPv6 subnetting is standardized by fixing the size of the host identifier at 64 bits. An IPv6 address is written as eight groups of four hexadecimal digits separated by colons.

Redistribution variation of IPv6 and IPv4

S.No | IPv6 | IPv4
---- | ---- | ----
1. | It has eight groups of hexadecimal digits separated by colons, e.g., 2001:0db8:85d6:1243:8a2e:0765:1235. | It has four octets separated by dots, e.g., 192.70.20.4.
2. | IPsec support is not optional. | IPsec support is optional.
3. | Optional data is supported as an extension header. | The header includes options and a checksum.
4. | It does not require manual or DHCP configuration. | It is configured either manually or through a DHCP option.
5. | It supports only the classless addressing scheme. | It supports both classful and classless addressing schemes.
6. | Packet fragmentation is performed by the sending host, not by the routers. | Both the sending host and the routers support fragmentation of packets.

Remote Site Connectivity

VPN is the service that secures site-to-site and remote site connectivity.

The various services responsible for remote site connectivity are mentioned below:

  1. DMVPN (Dynamic Multipoint Virtual Private Network)

DMVPN creates end-to-end private network connections over third-party networks such as the Internet, built via tunneling. It enables tunnels to be set up or torn down between two sites as required.

  • GRE (Generic Routing Encapsulation)

It is a tunneling protocol used to encapsulate many different protocol types, including IPsec, IPv6, IPv4, etc., to transport them across the network.

  • NHRP (Next Hop Resolution Protocol)

It is used to improve the efficiency of routing network traffic over non-broadcast multi-access (NBMA) networks.

  • Multipoint GRE

A tunneling technology that permits multiple GRE tunnels to terminate on a single tunnel interface.

  • IPsec

It is an architecture for providing encryption and authentication services when creating a VPN over an IP network.

Below is a further breakdown of the exam topics covered in the three subdivided exams, namely ROUTE, SWITCH, and TSHOOT:

Network Principles

It includes the FIB (forwarding information base, also known as the MAC table), the adjacency table, general network challenges, TCP operations, UDP operations, and proposed changes to the network. TCP operations include windowing and synchronization, for both IPv4 and IPv6.

Layer 2 Technologies

It includes configuring and verifying PPP (Point-to-Point Protocol) and Frame Relay. Frame Relay is a packet-switching telecommunication service designed for cost-effective communications.

Layer 3 Technologies

It includes IPv4, DHCP, IPv6, subnetting (a division of networks), AD, static routing, default routing, protocols, route map. It also includes OSPF, EIGRP, BGP, and ASBR.

VPN Technologies

It includes GRE, DMVPN, EVN (Easy Virtual Network). GRE is defined as Generic Routing Encapsulation.

Infrastructure security

It includes a description of IOS AAA database, IPv6 standards, and device access control. AAA offers three services, namely Authentication, Authorization, and Accounting.

Infrastructure services

It includes device management protocols such as Telnet, HTTP, SSH, SCP, and FTP, plus DHCP, NAT, NPT, PAT, object tracking, and Cisco NetFlow. SSH stands for Secure Shell and FTP stands for File Transfer Protocol. NAT stands for Network Address Translation, NPT stands for Native Packet Transport, and PAT stands for Port Address Translation.

The syllabus for the other four exams is:

  • Identity Management/Secure Access  

It includes AAA, TACACS+, RADIUS, implementation of MAB (MAC Authentication Bypass), posture services and network authorization enforcement, CWA (Central Web Authentication), and BYOD. TACACS+ stands for Terminal Access Controller Access-Control System Plus, a security protocol for AAA.

RADIUS stands for Remote Authentication Dial-In User Service, which provides centralized AAA.

BYOD stands for Bring Your Own Device, a concept that covers the personal devices of employees.

  • Threat Defense  

It includes a description of the TrustSec architecture, such as SGTs and SGT enforcement. Cisco Security Group Tags are a technology that improves on traditional access control approaches.

  • Troubleshooting, monitoring and reporting tools 

It includes the methods used to troubleshoot the devices and components described above.

  • Identity Management Architectures   

It includes device administration, profiling, guest services, posture services, and BYOD access. Posturing is the act of applying a set of rules to assess an endpoint's posture.

  • Cisco security devices GUIs and Secured CLI Management

It includes the implementation of RBAC, SSH, HTTP, and SNMP across the network devices. RBAC stands for Role-Based Access Control, a method of restricting access based on the roles of individuals. It also covers the implementation of device managers and Cisco Security Manager.

  • Management services on Cisco devices   

It includes the NetFlow exporter on Cisco routers and switches, the implementation of SNMPv3, and NTP with authentication on Cisco routers and switches. It also describes DNS, DHCP, etc. NetFlow is a protocol developed by Cisco for managing and monitoring network traffic.

  • Secure communications

It includes site-to-site VPNs on routers and firewalls, and the implementation of remote access and FlexVPN. A firewall is designed to prevent unauthorized access to a private network. FlexVPN is a collection of CLI/API commands aimed at simplifying remote access configuration.

  • Content Security      

It includes CWS, WSA, and the Cisco Email Security Appliance. CWS stands for Cisco Cloud Web Security, which reduces the number of malware infections, management overhead, etc. WSA stands for Web Security Appliance.

  • Cisco FirePOWER Next-Generation IPS (NGIPS) 

It includes deployments and a description of traffic redirection and capture methods. Deployment is the setting up of a new system to the point where it is ready for productive work.