350-401 Infrastructure

Infrastructure Detailed Explanation

1. Layer 2 Infrastructure (Switching)

Layer 2 refers to the Data Link Layer in the OSI model. It handles MAC addresses, switching, and frame forwarding within a local network segment.

1.1 VLANs (Virtual Local Area Networks)

What is a VLAN?

• A VLAN is a logical separation within a physical switch.

• Devices in different VLANs cannot communicate with each other without a router or Layer 3 switch.

Why Use VLANs?

• To segregate departments (e.g., HR, Finance, IT).

• Improve network performance by reducing broadcast domains.

• Enhance security (one department can’t see another’s traffic).

Basic Configuration (Cisco IOS):

vlan 10
 name Finance
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10

• This creates VLAN 10 named "Finance" and assigns it to an access port.

1.2 Trunking (802.1Q)

What is Trunking?

• Trunking allows a switch port to carry traffic from multiple VLANs.

• Required for:

  • Switch-to-switch connections

  • Router-on-a-stick (router doing inter-VLAN routing)

  • Links to virtualization hosts

802.1Q Tagging:

• Adds a VLAN ID to the Ethernet frame so the receiving device knows which VLAN the frame belongs to.

• Native VLAN: untagged VLAN on the trunk (default is VLAN 1).

Basic Trunk Port Configuration:

interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

This trunk carries VLANs 10, 20, and 30.

1.3 Spanning Tree Protocol (STP)

What is STP?

STP prevents Layer 2 loops, which can crash a network by endlessly forwarding broadcast frames.

STP Variants:

Version	IEEE Standard	Notes
STP	802.1D	Original, slow convergence
RSTP	802.1w	Fast convergence
MSTP	802.1s	Supports multiple VLANs in one instance

Key Concepts:

• Root Bridge: The “boss” switch — elected based on lowest bridge ID (priority + MAC)

• Root Port (RP): Best path to the Root Bridge (one per switch)

• Designated Port (DP): Forwarding port for each segment

• Blocking Port: Prevents loops

Bridge Priority (default 32768):

Lower priority = more likely to be Root.

Example:

If two switches are connected with multiple cables, STP blocks one link to avoid a loop. If the active link fails, the blocked one becomes active — keeping the network alive.

1.4 EtherChannel (Link Aggregation)

What is EtherChannel?

EtherChannel groups multiple physical links between two devices into one logical link.

Benefits:

• Redundancy: If one link fails, others keep running.

• Load Balancing: Traffic can be distributed across links.

Protocols:

Protocol	Standard?	Notes
PAgP	Cisco proprietary	Both sides must be Cisco
LACP	IEEE 802.3ad	Open standard, widely used

Configuration Modes:

• PAgP: desirable / auto

• LACP: active / passive

Basic Configuration (LACP Example):

interface range g0/1 - 2
 channel-group 1 mode active
!
interface port-channel 1
 switchport mode trunk

1.5 Port Security

What is Port Security?

Used to limit access to switch ports based on MAC addresses. Prevents:

• Unauthorized devices

• MAC flooding attacks

Modes:

Mode	Action on Violation
Protect	Drops traffic silently
Restrict	Drops + logs
Shutdown	Disables port (default mode)

Configuration Example:

interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky

• Sticky MAC: learns the first MAC and saves it.

Summary of Layer 2 Infrastructure

Feature	Purpose	Common Use
VLAN	Logical segmentation	Separate departments
Trunking	Carry multiple VLANs	Switch-switch, router connections
STP	Prevent loops	Redundant links
EtherChannel	Link aggregation	Redundancy + speed
Port Security	MAC filtering	Prevent rogue devices

2. Layer 3 Infrastructure (Routing)

Layer 3 (Network Layer) is responsible for IP addressing and routing — deciding how data travels between networks. Here, we learn both manual and dynamic routing techniques.

2.1 Static Routing

What is Static Routing?

A manual routing method where the administrator manually defines routes on routers.

Use Cases:

• Small networks

• Backup links

• Route summarization

Basic Command:

ip route 192.168.1.0 255.255.255.0 10.1.1.1

This tells the router:

“To reach 192.168.1.0/24, send packets to 10.1.1.1”

Pros:

• Simple

• No CPU/memory overhead

• Predictable

Cons:

• Doesn’t adapt to network changes

• Manual effort increases as network grows

2.2 Dynamic Routing Protocols

What is Dynamic Routing?

Routers learn and exchange routes automatically using a routing protocol.

A. OSPF (Open Shortest Path First)

• Link-state protocol

• Uses Dijkstra's SPF algorithm

• Fast convergence

• Organizes the network into areas

Key Concepts:

• Router ID: Highest IP address or manually set

• LSAs (Link-State Advertisements): Share info about links

• Area 0 (Backbone Area): All areas must connect to it

Basic Configuration Example:

router ospf 1
 router-id 1.1.1.1
 network 192.168.1.0 0.0.0.255 area 0

B. EIGRP (Enhanced Interior Gateway Routing Protocol)

• Cisco proprietary (now open standard)

• Uses the DUAL algorithm

• Fast convergence

• Supports IPv4 and IPv6

Key Concepts:

• Feasible Distance (FD): Best known distance to a destination

• Reported Distance (RD): Distance reported by a neighbor

• Successor: Best path

• Feasible Successor: Backup path

Basic Configuration Example:

router eigrp 100
 network 10.0.0.0

C. BGP (Border Gateway Protocol)

• Path-vector protocol

• Used between different organizations (ISP to ISP, company to ISP)

• Very scalable, but complex

Key Concepts:

• AS (Autonomous System): Group of routers under a single admin

• AS-Path: List of ASes the route has passed through

• Route Reflectors: Reduce iBGP full-mesh requirement

• eBGP vs iBGP:

  • eBGP = between different ASes

  • iBGP = inside one AS

Basic Configuration Example:

router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 network 10.0.0.0 mask 255.255.255.0

2.3 First Hop Redundancy Protocols (FHRPs)

To prevent a single point of failure at the default gateway, FHRPs provide gateway redundancy.

Main Protocols:

Protocol	Standard	Notes
HSRP	Cisco	Active/Standby
VRRP	Open	Master/Backup
GLBP	Cisco	All routers active, load balancing

Use Case:

If your default gateway router fails, another router takes over without interrupting service.

2.4 Routing Redistribution

What is Redistribution?

Redistribution allows routes learned by one protocol to be shared with another protocol.

When is it needed?

• You run OSPF in one area and EIGRP in another

• Merging networks during an acquisition

• Connecting to legacy networks

Basic Example:

router ospf 1
 redistribute eigrp 100 metric 1000

This command tells OSPF to accept routes from EIGRP with a given metric.

Summary Table

Concept	Description	Use Case
Static Routing	Manual path configuration	Small or stable networks
OSPF	Link-state protocol	Medium to large enterprises
EIGRP	Advanced distance-vector	Cisco-heavy environments
BGP	Internet-scale routing	ISP, multi-organization
FHRP	Redundant default gateway	Prevent single point of failure
Redistribution	Share routes across protocols	Network merging or transitions

3. Wireless Infrastructure

Wireless networking (Wi-Fi) extends the network to devices like laptops, phones, tablets, and IoT devices without needing physical cabling. Understanding wireless architecture is key to managing performance, security, and mobility.

3.1 Wireless Architecture Models

Wireless networks can be deployed in several architectures, depending on size, scalability, and management needs.

A. Autonomous Access Point (AP)

• Each AP operates independently.

• All configurations, updates, and monitoring must be done manually on each AP.

• Best for small environments (e.g., a single office or classroom).

Pros:

• Simple to deploy

• No controller needed

Cons:

• Difficult to scale

• No centralized management

Like giving each teacher their own whiteboard, with no shared lesson plan.

B. Controller-Based Architecture

• Access Points are “lightweight” — they offload their intelligence to a central Wireless LAN Controller (WLC).

• The controller handles:

  • Authentication

  • Roaming

  • Channel assignment

  • Configuration updates

Pros:

• Centralized control

• Easier scaling

• Better monitoring and security

Cons:

• Requires investment in a WLC

Like a school principal coordinating all classrooms to follow the same rules and curriculum.

C. Cloud-Managed (e.g., Cisco Meraki)

• APs are managed via the cloud using a dashboard interface.

• No on-site controller — policies are pushed from the cloud.

• Ideal for distributed networks (e.g., retail stores, campuses).

Pros:

• Easy to deploy and manage remotely

• Built-in analytics and security

• Scales globally

Cons:

• Dependent on internet connectivity

• Subscription model may increase cost over time

Like a virtual principal managing dozens of remote schools through a web portal.

3.2 CAPWAP (Control and Provisioning of Wireless Access Points)

What is CAPWAP?

CAPWAP is the protocol used between lightweight APs and WLCs.

How it works:

• Control messages (e.g., configuration, firmware) and data messages (client traffic) are sent via separate tunnels.

• Supports encryption and authentication.

Split MAC Architecture:

• The AP handles only the real-time, low-level radio functions (like beaconing).

• The WLC handles:

  • Authentication

  • Security policies

  • QoS

  • Client roaming decisions

Think of CAPWAP like an invisible link that allows the WLC to “remote control” all APs.

3.3 WLAN Configuration

Key Elements of a Wireless LAN:

1. SSID (Service Set Identifier):

• The name of the wireless network (e.g., “Office-WiFi”).

• Can be broadcast or hidden.

2. Authentication Methods:

Method	Description
Open	No authentication
PSK (Pre-Shared Key)	Password shared among users (e.g., WPA2-PSK)
802.1X	Enterprise-level security using RADIUS for dynamic credentials

3. Encryption Standards:

Standard	Security Level	Notes
WPA2	Strong	Still widely used
WPA3	Stronger	Supports 192-bit encryption and improved handshake

Best Practices:

• Use WPA2/WPA3 with 802.1X for secure enterprise environments.

• Avoid open or WEP networks.

• Segment guest Wi-Fi with separate SSIDs or VLANs.

3.4 Wireless Roaming

Roaming lets a wireless client move between APs without losing its network connection.

Layer 2 Roaming:

• The IP address stays the same.

• Client moves between APs on the same VLAN/subnet.

• Seamless and fast.

Layer 3 Roaming:

• The client moves between APs on different VLANs/subnets.

• Requires additional handling (e.g., tunneling to anchor controller).

• Used in large or multi-site deployments.

Fast Roaming (802.11r):

• Speeds up authentication when clients roam.

• Essential for VoIP over Wi-Fi, real-time video, or mobile scanners in warehouses.

Summary Table

Feature	Function	Benefit
Autonomous AP	Standalone APs	Simple, but not scalable
Controller-Based	Centralized management via WLC	Scalable, policy-driven
Cloud-Managed	Web-based control (e.g., Meraki)	Remote, global control
CAPWAP	AP ⇄ WLC communication protocol	Secure, scalable control
SSID + Auth	Define Wi-Fi access	Secure, policy-enforced access
Roaming	Move between APs	Mobility without disruption

4. Network Services

Network services are the supporting mechanisms that help devices get IP addresses, sync time, report health, and log events. These services ensure smooth operation, diagnostics, and automation in a network.

4.1 DHCP (Dynamic Host Configuration Protocol)

What is DHCP?

DHCP automatically assigns:

• IP address

• Subnet mask

• Default gateway

• DNS servers

• Lease time

to clients that join the network — reducing manual configuration errors.

How DHCP Works:

1. DISCOVER – Client broadcasts to find a DHCP server.

2. OFFER – Server replies with an IP offer.

3. REQUEST – Client requests the offered IP.

4. ACK – Server confirms assignment.

Basic DHCP Server Configuration (Cisco IOS):

ip dhcp pool OFFICE
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8
 lease 7

DHCP Relay (Helper Address):

Used when DHCP clients and servers are in different VLANs or subnets.

interface VLAN 10
 ip helper-address 192.168.100.10

Common DHCP Options:

• Option 3: Default gateway

• Option 6: DNS server

• Option 66: TFTP server for VoIP phones

4.2 NTP (Network Time Protocol)

Why is time synchronization important?

• Accurate log timestamps

• Proper certificate validation

• Coordinated automation and monitoring

NTP Hierarchy:

• Uses stratum levels (lower = closer to the authoritative time source).

• Stratum 0 = Atomic clock

• Stratum 1 = Directly connected to Stratum 0

• Stratum 2+ = Clients syncing from higher levels

Basic Configuration:

ntp server 192.168.1.1

NTP Best Practices:

• Use multiple sources for redundancy

• Monitor time drift regularly

• Secure with authentication if needed

4.3 SNMP (Simple Network Management Protocol)

What is SNMP?

SNMP is a protocol for monitoring and managing network devices. It lets a central NMS (Network Management System) query devices for:

• Uptime

• Interface status

• CPU/Memory usage

SNMP Versions:

Version	Security	Notes
v1	None	Obsolete
v2c	Community string (plaintext)	Still used
v3	Auth + encryption	Preferred in secure environments

Community Strings (v1/v2c):

• Read-only: allows polling

• Read-write: allows configuration changes

SNMP Traps:

• Devices can send alerts to the NMS (e.g., interface down).

• Unlike polling, traps are event-driven.

Basic SNMPv2 Configuration:

snmp-server community public RO
snmp-server host 192.168.1.100 version 2c public

4.4 Syslog

What is Syslog?

Syslog is a logging protocol that allows network devices to send event messages to a centralized Syslog server.

Logging Levels (0–7):

Level	Meaning
0	Emergencies
1	Alerts
2	Critical
3	Errors
4	Warnings
5	Notifications
6	Informational
7	Debugging

Basic Syslog Configuration:

logging host 192.168.1.50
logging trap warnings

Summary Table

Service	Purpose	Key Configuration
DHCP	IP address assignment	ip dhcp pool, ip helper-address
NTP	Time synchronization	ntp server <IP>
SNMP	Monitoring/management	snmp-server community
Syslog	Event logging	logging host, logging trap

5. IP Services

IP services enhance the basic functionality of IP networking. These include address translation, IPv6 support, traffic prioritization (QoS), and more — all vital for a scalable, performant, and secure network.

5.1 NAT (Network Address Translation)

What is NAT?

NAT allows private IP addresses (e.g., 192.168.x.x) to communicate with the public internet by translating them to a public IP address.

Types of NAT:

1. Static NAT (One-to-One)

• Maps one internal IP to one external IP.

ip nat inside source static 192.168.1.10 203.0.113.10

2. Dynamic NAT (Many-to-Many)

• Translates internal addresses using a pool of public addresses.

ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list 1 pool PUBLIC_POOL

3. PAT (Port Address Translation) – Many-to-One

• All internal IPs use a single public IP with different ports (most common).

ip nat inside source list 1 interface GigabitEthernet0/0 overload

Inside vs Outside Interfaces:

interface GigabitEthernet0/1
 ip nat inside
!
interface GigabitEthernet0/0
 ip nat outside

5.2 IPv6 Routing

IPv6 solves the IPv4 exhaustion problem by using 128-bit addresses (vs. 32-bit in IPv4).

IPv6 Address Types:

Type	Purpose
Link-local	Always starts with FE80::; used on the same link only
Global unicast	Routable on the internet (like IPv4 public IPs)
Multicast	One-to-many communication
Anycast	Sent to nearest member of a group

Basic IPv6 Routing Configuration:

interface GigabitEthernet0/0
 ipv6 address 2001:DB8:1::1/64
 ipv6 enable
!
ipv6 unicast-routing

Routing Protocols:

• OSPFv3: OSPF for IPv6

• EIGRP for IPv6: EIGRP adapted for IPv6 networks

Dual Stack:

Running IPv4 and IPv6 simultaneously on the same network — useful during transition phases.

5.3 QoS (Quality of Service)

QoS ensures that important traffic (like voice or video) is prioritized over less critical data (like file downloads).

QoS Process:

1. Classification and Marking

• Identify traffic and mark it for special treatment.

• Layer 2: Class of Service (CoS)

• Layer 3: DSCP (Differentiated Services Code Point)

2. Congestion Management (Queuing)

• Determines how packets are scheduled for transmission.

• Types of queues:

  • FIFO (First-In-First-Out)

  • WFQ (Weighted Fair Queuing)

  • LLQ (Low-Latency Queuing) — prioritizes voice

3. Congestion Avoidance

• Prevents queues from getting full.

• WRED (Weighted Random Early Detection) drops less important packets when queues begin to fill.

4. Policing and Shaping

• Policing: Drops or re-marks packets exceeding a rate limit.

• Shaping: Buffers excess traffic to smooth out bursts.

Example of QoS Configuration:

class-map match-any VOICE
 match dscp ef
!
policy-map QOS_POLICY
 class VOICE
  priority 1000
!
interface GigabitEthernet0/0
 service-policy output QOS_POLICY

Summary Table

Feature	Purpose	Common Usage
Static NAT	One-to-one IP translation	Server publishing
PAT	Many-to-one IP translation	Internet access for LAN users
IPv6	128-bit addressing	Modern networks, IoT, scalability
QoS	Prioritize traffic	Voice, video, critical apps

6. High Availability and Resiliency

High availability (HA) and resiliency ensure that a network can continue operating smoothly even when hardware or links fail. These features are critical in enterprise environments where downtime is unacceptable.

6.1 Redundant Links and Devices

Redundancy is the foundation of high availability. It ensures there is always a backup path or backup device ready to take over in case of failure.

Redundant Links

Use dual-homed connections so that if one link fails, the second can take over.

Example:
Two switches connected by two trunk links or an EtherChannel — prevents downtime from a single cable cut.

Link Aggregation (EtherChannel):

We already covered EtherChannel earlier in Layer 2. It helps combine links for:

• Load balancing

• Redundancy (if one link fails, traffic continues on the others)

Redundant Devices

Device	Redundancy Type	Purpose
Switches	StackWise / VSS	Logical single switch with hardware backup
Routers	HSRP / VRRP / GLBP	Redundant gateways
Firewalls	Active/Standby pairs	Seamless failover
Power Supplies	Dual PSU	Avoid single-point power failure
Supervisor Modules	Dual Sup cards	Continues operation if one fails (e.g., in chassis switches)

VSS (Virtual Switching System) and StackWise

Technology	Platform	Benefit
VSS	Catalyst 6500/6800	Two chassis act as one switch
StackWise	Catalyst 3850/9300	Up to 9 switches managed as one unit

Both allow for:

• Single control plane

• Simplified management

• Failover within milliseconds

6.2 Load Balancing

Load balancing is the process of distributing traffic across multiple links or paths to optimize performance and avoid congestion.

Layer 2 Load Balancing:

Done via EtherChannel — balances traffic across member interfaces using hash algorithms (source/destination MAC/IP/port).

Layer 3 Load Balancing:

When a router has multiple equal-cost paths to a destination, it can distribute traffic between them.

Equal-Cost Multi-Path (ECMP):

• Supported by OSPF, EIGRP, BGP

• Uses hashing to balance traffic

• Per-packet or per-flow

Example:

router ospf 1
 maximum-paths 4

Allows OSPF to use 4 equal-cost routes for load sharing.

Per-Flow vs Per-Packet:

Mode	Behavior	Pros	Cons
Per-Flow	All packets of a session follow one path	Avoids out-of-order packets	Less balanced traffic
Per-Packet	Each packet can take a different path	Best load usage	May cause jitter (bad for voice/video)

Summary Table

Feature	Purpose	Example
Redundant Links	Prevent link failure from disrupting service	Dual uplinks
Redundant Devices	Hardware-level HA	Dual PSUs, routers, switches
VSS / StackWise	Logical chassis for switches	2–9 switches act as one
ECMP	Use multiple routes	OSPF, EIGRP, BGP
Load Balancing	Improve performance and redundancy	EtherChannel, ECMP

Infrastructure (Additional Content)

1. Spanning Tree Protocol (STP) Protection Features

To enhance STP security and stability, Cisco implements several protection mechanisms that prevent misbehaving or unauthorized devices from affecting the Layer 2 topology.

Key Features:

Feature	Purpose	Typical Use
BPDU Guard	Shuts down access ports that receive unexpected BPDUs	Protects against rogue switches on access ports
Root Guard	Prevents a port from becoming the Root Port	Ensures consistent root bridge election
Loop Guard	Prevents a blocking port from mistakenly becoming forwarding when BPDUs stop	Protects against unidirectional link failures

Example Use Case:

Enable BPDU Guard on all portfast interfaces to prevent users from accidentally plugging in a switch.

2. Routing Filter Mechanisms

Routing filters are essential for controlling the propagation of routing updates. Cisco devices use various tools depending on the protocol and use case.

Tools and Use Cases:

Tool	Description	Protocols
Prefix-list	Filter routes based on prefix/mask; supports greater-than/less-than logic	BGP, OSPF
Distribute-list	Restricts incoming or outgoing route advertisements	RIP, EIGRP, OSPF
Route-map	Advanced filtering using match/set clauses, can include ACLs, tags	BGP, OSPF, redistribution

Example:

Use a prefix-list + route-map to control which BGP routes are allowed to be advertised to a peer.

3. Wireless LAN Controller (WLC) High Availability Modes

To ensure uptime and uninterrupted wireless connectivity, Cisco WLCs support multiple High Availability (HA) architectures.

Mode	Description	Behavior on Failover
SSO (Stateful Switchover)	Active and standby share state	Seamless AP and client session continuity
N+1	One WLC backs up multiple others	APs must rejoin the backup WLC
N+N	One-to-one active/standby pairs	Fast failover, high hardware cost

Summary:

• SSO is the most seamless and preferred in enterprise.

• N+1 is cost-effective but with recovery delay.

4. IPv6 Neighbor Discovery Protocol (NDP)

IPv6 replaces many IPv4 legacy protocols with NDP, which operates using ICMPv6 messages.

Message	Function
Router Solicitation (RS)	Host asks routers to send RA
Router Advertisement (RA)	Router advertises prefix, gateway, and lifetime
Neighbor Solicitation (NS)	Used for address resolution (like ARP)
Neighbor Advertisement (NA)	Response to NS
Redirect	Router informs host of better first-hop

Summary:

NDP provides both Layer 2 address resolution and routing discovery in IPv6 networks.

5. QoS Detailed Additions

DSCP (Differentiated Services Code Point):

DSCP Class	Name	Use Case
EF (46)	Expedited Forwarding	VoIP
AFxx	Assured Forwarding	Mission-critical apps
BE (0)	Best Effort	Default traffic

Trust Boundary:

• The trust boundary defines where QoS markings are accepted.

• Access ports are usually untrusted, so markings are rewritten at the switch.

Example:

Mark trusted traffic at the access switch only if you trust the endpoint device.

6. HSRP State Machine

Understanding HSRP state transitions is a common exam topic.

HSRP States:

1. Initial – Interface is down or HSRP not configured

2. Learn – No HSRP messages received, no virtual IP known

3. Listen – Knows virtual IP, no active/standby router known

4. Speak – Sending Hello messages, participating in election

5. Standby – Candidate to become active

6. Active – The router currently forwarding traffic for the group

Exam Tip:

Be prepared to order states or identify missing state transitions in scenario-based questions.

7. Multicast Infrastructure Basics

Multicast is a scalable solution for one-to-many communications, such as video streaming and IPTV.

Key Components:

Component	Description
PIM (Protocol Independent Multicast)	Builds multicast distribution trees
PIM Dense Mode	Assumes receivers are everywhere; flood and prune
PIM Sparse Mode	Assumes receivers are few; uses Rendezvous Point
IGMP	Hosts join multicast groups via Layer 2
RPF (Reverse Path Forwarding)	Ensures multicast packets arrive on the correct interface toward the source

Summary:

• Use PIM Sparse Mode for scalable multicast networks.

• RPF check prevents loops and ensures correct forwarding paths.