CCNA Study Notes-Softech Systems

Layer-2 switching uses MAC addresses to filter traffic and make forwarding decisions. Switches learn MAC addresses through the address learning process and build MAC address tables. They forward frames only to the correct destination port based on the MAC table, avoiding flooding of traffic. Spanning Tree Protocol (STP) is used to prevent network loops that could occur when there are multiple connections between switches, by blocking redundant links.

Uploaded by Vishal Dahiwal

CCNA Training Notes for ICND 2

www.softechpune.com



Study Notes for CCNA Training
ICND 2.0

Layer-2 Switching

Layer-2 switching is hardware based, which means it uses the MAC address
from the hosts' NIC cards to filter the network. Switches use Application-Specific
Integrated Circuits (ASICs) to build and maintain filter tables. Switches are fast
because they do not look at the Network layer header information.

Functions of Switch

Address learning: Layer-2 switches and bridges remember the source
hardware address of each frame received on an interface and enter this
information into a MAC database.

Forward/filter decisions: When a frame is received on an interface, the switch
looks at the destination hardware address and finds the exit interface in the MAC
database.

Loop avoidance: If multiple connections between switches are created for
redundancy, network loops can occur. The Spanning-Tree Protocol (STP) is
used to stop network loops and allow redundancy.

Address Learning

When a switch is powered on, the MAC filtering table is empty. When a device
transmits and an interface receives a frame, the switch places the source
address in the MAC filtering table, remembering what interface the device is
located on. The switch has no choice but to flood the network with this frame
because it has no idea where the destination device is located. If a device
answers and sends a frame back, then the switch will take the source address
from that frame and place the MAC address in the database, associating this
address with the interface that received the frame. Since the switch now has two
MAC addresses in the filtering table, the devices can make a point-to-point
connection, and the frames will only be forwarded between the two devices. This
is what makes layer-2 switches better than hubs. In a hub network, all frames are
forwarded out all ports every time.

Forward/Filter Decisions

When a frame arrives at a switch interface, the destination hardware address is
compared to the forward/filter MAC database. If the destination hardware
address is known and listed in the database, the frame is only sent out the
correct exit interface. The switch does not transmit the frame out any interface
except for the destination interface. This preserves bandwidth on the other
network segments and is called frame filtering.

If the destination hardware address is not listed in the MAC database, then the
frame is flooded out all active interfaces except the interface the frame was
received on. If a device answers the flooded frame, the MAC database is updated
with the device location (interface).

Loop Avoidance

Redundant links are a good idea between switches. They are used to help stop
complete network failures if one link fails. Even though redundant links are
extremely helpful, they cause more problems than they solve. Because frames
can be broadcast down all redundant links simultaneously, network loops can
occur, among other problems. Some of the most serious problems are discussed
in the following list.
1. If no loop avoidance schemes are put in place, the switches will flood
broadcasts endlessly throughout the internetwork. This is sometimes referred to
as a broadcast storm.
2. A device can receive multiple copies of the same frame since the frame can
arrive from different segments at the same time.
3. The MAC address filter table will be confused about where a device is located
since the switch can receive the frame from more than one link. It is possible that
the switch can't forward a frame because it is constantly updating the MAC filter
table with source hardware address locations. This is called thrashing the MAC
table.
4. One of the biggest problems is multiple loops generating throughout an
internetwork. This means that loops can occur within other loops. If a broadcast
storm were to then occur, the network would not be able to perform packet
switching.
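
As an added example (not part of these notes), here is a small Python model of the address learning, forward/filter and flooding behaviour described above, with a counter for the MAC moves that table thrashing produces when frames for one host arrive over two links. The port numbers and MAC addresses are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    """Model of a layer-2 switch: address learning plus forward/filter decisions."""
    ports: List[int]
    mac_table: Dict[str, int] = field(default_factory=dict)
    # (mac, old_port, new_port) for every time a known address changes port
    mac_moves: List[Tuple[str, int, int]] = field(default_factory=list)

    def learn(self, mac: str, port: int) -> None:
        # Address learning: remember the port the source address arrived on.
        prev = self.mac_table.get(mac)
        if prev is not None and prev != port:
            # A known address reappearing on another port is a MAC move. A steady
            # stream of moves is the table thrashing the notes describe, and
            # counting them is a cheap loop indicator for monitoring.
            self.mac_moves.append((mac, prev, port))
        self.mac_table[mac] = port

    def receive(self, in_port: int, frame: Frame) -> List[int]:
        """Return the ports the frame is forwarded out of."""
        self.learn(frame.src, in_port)
        if frame.dst != BROADCAST and frame.dst in self.mac_table:
            out = self.mac_table[frame.dst]
            # Frame filtering: a destination on the ingress port is dropped;
            # otherwise the frame leaves only through the known exit port.
            return [] if out == in_port else [out]
        # Unknown destination or broadcast: flood out every port except ingress.
        return [p for p in self.ports if p != in_port]


# Constructed sample addresses (not taken from the notes).
HOST_A = "00:00:0c:aa:aa:aa"
HOST_B = "00:00:0c:bb:bb:bb"
HOST_C = "00:00:0c:cc:cc:cc"


def demo_learning() -> dict:
    """Empty table, first frame flooded, reply learned, then point-to-point."""
    sw = Switch(ports=[1, 2, 3, 4])
    first = sw.receive(1, Frame(src=HOST_A, dst=HOST_B))   # B unknown: flood
    reply = sw.receive(2, Frame(src=HOST_B, dst=HOST_A))   # A known: port 1 only
    second = sw.receive(1, Frame(src=HOST_A, dst=HOST_B))  # both known: port 2
    return {"first": first, "reply": reply, "second": second,
            "table": dict(sw.mac_table)}


def demo_thrashing() -> int:
    """Host C's frames arrive over two redundant links (ports 3 and 4) with no
    STP in place; the table entry flips on every frame. Returns the move count."""
    sw = Switch(ports=[1, 2, 3, 4])
    for i in range(6):
        sw.receive(3 if i % 2 == 0 else 4, Frame(src=HOST_C, dst=BROADCAST))
    return len(sw.mac_moves)


if __name__ == "__main__":
    print(demo_learning())
    print("MAC moves with a loop:", demo_thrashing())
```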


Spanning-Tree Protocol (STP)

This protocol avoids layer 2 loops. Initially, the protocol was introduced by DEC
(Digital Equipment Corporation). Later, IEEE introduced its own version of
STP (IEEE 802.1D). This version is significant because all Cisco switches
use it by default. The two versions are not compatible with each other.

STP's main task is to stop network loops from occurring on your layer-2 network
(bridges or switches). STP is constantly monitoring the network to find all links
and make sure that loops do not occur by shutting down redundant links.

The way it does this is by electing a root bridge that will decide on the network
topology. There can only be one root bridge in any given network. Root-bridge
ports are called designated ports, which operate in forwarding state. Forwarding-
state ports send and receive traffic.
All other switches in the network are called non-root bridges. The port with the
lowest cost (as determined by a link's bandwidth) to the root bridge is called a
root port and sends and receives traffic.
The other port or ports on the bridge are considered non-designated and will not
send or receive traffic, which is called blocking mode.

Selecting the Root Bridge

Switches or bridges running STP exchange information with what are called
Bridge Protocol Data Units (BPDUs). BPDUs send configuration messages using
multicast frames. The bridge ID of each device is sent to other devices using
BPDUs. The bridge ID is used to determine the root bridge in the network and to
determine the root port. The bridge ID is 8 bytes long and includes the priority
and the MAC address of the device. The default priority on all devices running the
IEEE STP version is 32,768.

To determine the root bridge, the priorities of the bridge and the MAC address
are combined. If two switches or bridges have the same priority value, then the
MAC address is used to determine which one has the lowest ID.

Selecting the Designated Port

To determine the port or ports that will be used to communicate with the root
bridge, you must first figure out the path cost. The STP cost is an accumulated
total path cost based on the bandwidth of the links.
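
An added example, not from the notes: Python that elects the root bridge from (priority, MAC) bridge IDs and then picks each non-root bridge's root port by accumulated path cost, covering both this section and the root bridge selection above. The topology is constructed, and the per-speed port costs are the IEEE 802.1D-1998 values, which the notes do not list.

```python
import heapq
from typing import Dict, List, Tuple

# IEEE 802.1D-1998 port costs per link speed in Mbps. These values are not in
# the notes; they are the standard's table behind "cost based on bandwidth".
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

BridgeId = Tuple[int, int]


def bridge_id(priority: int, mac: str) -> BridgeId:
    """8-byte bridge ID as (2-byte priority, 6-byte MAC); the lowest value wins."""
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(bridges: Dict[str, Tuple[int, str]]) -> str:
    """bridges maps a switch name to (priority, mac). Equal priorities fall
    through to the MAC comparison, exactly as the notes describe."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_ports(bridges: Dict[str, Tuple[int, str]],
               links: List[Tuple[str, int, str, int, int]]) -> Dict[str, Tuple[int, int]]:
    """links are (bridge_a, port_a, bridge_b, port_b, speed_mbps).
    Returns {non_root_bridge: (root_port, accumulated_cost_to_root)} using a
    shortest-path search over accumulated port costs (the STP path cost)."""
    root = elect_root(bridges)
    adj: Dict[str, List[Tuple[str, int, int]]] = {name: [] for name in bridges}
    for a, pa, b, pb, speed in links:
        cost = PORT_COST[speed]
        adj[a].append((b, pb, cost))  # leaving a, we enter b on port pb
        adj[b].append((a, pa, cost))
    dist = {root: 0}
    best: Dict[str, Tuple[int, BridgeId]] = {}  # bridge -> (root_port, sender ID)
    heap = [(0, bridge_id(*bridges[root]), root)]
    while heap:
        d, _, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        sender = bridge_id(*bridges[u])
        for v, port_on_v, cost in adj[u]:
            cand = d + cost
            cur = dist.get(v)
            # Lower path cost wins; on a tie the lower sender bridge ID wins,
            # which is 802.1D's next tie-breaker after path cost.
            if cur is None or cand < cur or (cand == cur and sender < best[v][1]):
                dist[v] = cand
                best[v] = (port_on_v, sender)
                heapq.heappush(heap, (cand, sender, v))
    return {b: (best[b][0], dist[b]) for b in bridges if b != root}


# Constructed three-switch topology (not from the notes): SW3 has a lowered
# priority, so it becomes root; SW1 and SW2 keep the default 32,768.
SAMPLE_BRIDGES = {
    "SW1": (32768, "00:00:0c:11:11:11"),
    "SW2": (32768, "00:00:0c:22:22:22"),
    "SW3": (4096, "00:00:0c:33:33:33"),
}
SAMPLE_LINKS = [
    ("SW1", 1, "SW2", 1, 1000),  # gigabit between SW1 and SW2 (cost 4)
    ("SW1", 2, "SW3", 1, 100),   # fast ethernet to the root (cost 19)
    ("SW2", 2, "SW3", 2, 10),    # slow 10 Mbps link to the root (cost 100)
]


def demo() -> dict:
    """SW2's root port is the one toward SW1 (cost 19 + 4 = 23), not its own
    direct but slow link to the root (cost 100)."""
    default_prio = {n: (32768, mac) for n, (_, mac) in SAMPLE_BRIDGES.items()}
    return {
        "root": elect_root(SAMPLE_BRIDGES),               # "SW3" (lowest priority)
        "root_if_all_default": elect_root(default_prio),  # "SW1" (lowest MAC)
        "root_ports": root_ports(SAMPLE_BRIDGES, SAMPLE_LINKS),
    }
```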

Spanning-Tree Port States

The ports on a bridge or switch running the STP can transition through four
different states:

Blocking: This mode does not forward frames but listens to BPDUs. All ports
are in blocking state by default when the switch is powered up.

Listening: Listens to BPDUs to make sure no loops occur on the network before
passing data frames.

Learning: Learns MAC addresses and builds a filter table but does not forward
frames.

Forwarding: Sends and receives all data on the bridged port.

Typically, switch ports are in either blocking or forwarding state. A forwarding port
has been determined to have the lowest cost to the root bridge. However, if the
network has a topology change because of a failed link or even if the
administrator adds a new switch to the network, the ports on a switch will be in
listening and learning state. Blocking ports are used to prevent network loops.
Once a switch determines the best path to the root bridge, then all other ports will
be in blocking state. Blocked ports still receive BPDUs. If a switch determines that a
blocked port should now be the designated port, it will go to listening state. It will
check all BPDUs heard to make sure that it won't create a loop once the port
goes to forwarding state.

Convergence

Convergence occurs when bridges and switches have transitioned to either the
forwarding or blocking states. No data is forwarded during this time.
Convergence is important to make sure all devices have the same database.
Before data can be forwarded, all devices must be updated. The problem with
convergence is the time it takes for these devices to update. It usually takes 50
seconds to go from blocking to forwarding state. It is not recommended that you
change the default STP timers, but the timers can be adjusted if necessary.
Forward delay is the time it takes to transition a port from listening to learning
state or from learning to forwarding state.

LAN Switching Modes:

The latency for packet switching through the switch depends on the chosen
switching mode.

There are three switching modes:

Store and Forward

Store-and-forward switching is one of three primary types of LAN switching. With
the store-and-forward switching method, the LAN switch copies the entire frame
onto its onboard buffers and computes the cyclic redundancy check (CRC).
Because it copies the entire frame, latency through the switch varies with frame
length. The frame is discarded if it contains a CRC error, if it's too short (less
than 64 bytes including the CRC), or if it's too long (more than 1518 bytes
including the CRC). If the frame doesn't contain any errors, the LAN switch looks
up the destination hardware address in its forwarding or switching table and
determines the outgoing interface. It then forwards the frame toward its
destination. This is the mode used by the Catalyst 5000 series switches and cannot
be modified on the switch.

Cut-Through (Real Time)

Cut-through switching is the other main type of LAN switching. With this method,
the LAN switch copies only the destination address (the first six bytes following
the preamble) onto its onboard buffers. It then looks up the hardware destination
address in the MAC switching table, determines the outgoing interface, and
forwards the frame toward its destination. A cut-through switch provides reduced
latency because it begins to forward the frame as soon as it reads the destination
address and determines the outgoing interface.

FragmentFree (Modified Cut-Through)

FragmentFree is a modified form of cut-through switching, in which the switch
waits for the collision window (64 bytes) to pass before forwarding.
If a packet has an error, it almost always occurs within the first 64 bytes.
FragmentFree mode provides better error checking than the cut-through mode
with practically no increase in latency. This is the default switching method for the
1900 switches.
VLAN
A Virtual Local Area Network (VLAN) is a logical grouping of network users and
resources connected to administratively defined ports on a switch. By creating
VLANs, you are able to create smaller broadcast domains within a switch by
assigning different ports in the switch to different subnetworks. A VLAN is treated
like its own subnet or broadcast domain. This means that frames broadcasted
onto a network are only switched between ports in the same VLAN. Using virtual
LANs, you're no longer confined to creating workgroups by physical locations.
VLANs can be organized by location, function, department, or even the
application or protocol used, regardless of where the resources or users are
located.

In a layer-2 switched network, the network is flat. Every broadcast packet
transmitted is seen by every device on the network, regardless of whether the
device needs to receive the data. Because layer-2 switching creates individual
collision domain segments for each device plugged into the switch, the Ethernet
distance constraints are lifted, which means larger networks can be built. The
larger the number of users and devices, the more broadcasts and packets each
device must handle.
Another problem with a flat layer-2 network is security, as all users can see all
devices. You cannot stop devices from broadcasting or users trying to respond
to broadcasts. Your security consists of passwords on the servers and other devices.
By creating VLANs, you can solve many of the problems associated with layer-2
switching.

Broadcast Control

Broadcasts occur in every protocol, but how often they occur depends upon
the protocol, the application(s) running on the internetwork, and how these
services are used. There are multimedia applications that use broadcasts and
multicasts extensively. Faulty equipment, inadequate segmentation, and poorly
designed firewalls can also add to the problems of broadcast-intensive
applications. This has added a new chapter to network design, since broadcasts
can propagate through the switched network. Routers, by default, send
broadcasts only within the originating network, but switches forward broadcasts
to all segments. This is called a flat network because it is one broadcast domain.

As an administrator, you must make sure the network is properly segmented
to keep one segment's problems from propagating through the internetwork.
The most effective way of doing this is through switching and routing. Since
switches have become more cost-effective, many companies are replacing the
flat network with a pure switched network and VLANs. All devices in a VLAN are
members of the same broadcast domain and receive all broadcasts. The
broadcasts, by default, are filtered from all ports on a switch that are not
members of the same VLAN.
Routers, or layer-3 switches, must be used in conjunction with switches to
provide connections between networks (VLANs), which can stop broadcasts from
propagating through the entire internetwork.

Security

One problem with the flat internetwork is that security was implemented by
connecting hubs and switches together with routers. Security was maintained at
the router, but anyone connecting to the physical network could access the
network resources on that physical LAN. Another problem was that users could
join a workgroup by just plugging their workstations into the existing hub.

By using VLANs and creating multiple broadcast groups, administrators
now have control over each port and user. Users can no longer just plug their
workstations into any switch port and have access to network resources. The
administrator controls each port and whatever resources it is allowed to use. If
inter-VLAN communication needs to take place, restrictions on a router can also
be implemented. Restrictions can also be placed on hardware addresses,
protocols, and applications.

Flexibility and Scalability

Layer-2 switches only read frames for filtering; they do not look at the Network
layer protocol. This can cause a switch to forward all broadcasts.
However, by creating VLANs, you are essentially creating broadcast
domains. Broadcasts sent out from a node in one VLAN will not be forwarded
to ports configured in a different VLAN.

VLAN Membership Modes

Ports belonging to a VLAN are configured with a membership mode that
determines to which VLAN they belong. Catalyst switch ports can belong to one
of these VLAN membership modes:

Static VLAN: An administrator statically configures the assignment of VLANs to
ports.

Dynamic VLAN: The Catalyst switches support dynamic VLANs by using a
VLAN Management Policy Server (VMPS). The VMPS can be a Catalyst 5000
series switch or an external server. The Catalyst 2950 series cannot operate as
the VMPS. The VMPS contains a database that maps MAC addresses to VLAN
assignments. When a frame arrives on a dynamic port at the Catalyst access
switch, the Catalyst switch queries the VMPS for the VLAN assignment based on
the source MAC address of the arriving frame.
A dynamic port can belong to only one VLAN at a time. Multiple hosts can be
active on a dynamic port only if they all belong to the same VLAN.
Types of Links: There are two different types of links in a switched environment:

Access links

Links that are only part of one VLAN and are referred to as the native VLAN of
the port. Any device attached to an access link is unaware of a VLAN
membership. This device just assumes it is part of a broadcast domain, with no
understanding of the physical network. Switches remove any VLAN information
from the frame before it is sent to an access link device. Access link devices
cannot communicate with devices outside their VLAN unless the packet is routed
through a router.

Trunk links

Trunks can carry multiple VLANs and are used to connect switches to other
switches, to routers, or even to servers. Trunked links are supported on Fast or
Gigabit Ethernet only. To identify the VLAN that a frame belongs to with Ethernet
technology, Cisco switches support two different identification techniques: ISL
and 802.1q. Trunk links are used to transport VLANs between devices and can
be configured to transport all VLANs or just a few. Trunk links still have a native,
or default, VLAN that is used if the trunk link fails.


Trunking Protocols

Trunking is a way to carry traffic from several VLANs over a point-to-point link
between the two devices. You can implement Ethernet trunking in these two
ways:

Inter-Switch Link (ISL), a Cisco proprietary protocol used for FastEthernet and
Gigabit Ethernet links only. It can be used on switch ports, router interfaces, and
server interface cards to trunk a server. The server that is trunked is part of all
VLANs (broadcast domains) simultaneously. This tagging information allows
VLANs to be multiplexed over a trunk link through an external encapsulation
method. By running ISL, you can interconnect multiple switches and still maintain
VLAN information as traffic travels between switches on trunk links. ISL provides
low-latency, full wire-speed performance over FastEthernet using either half- or
full-duplex mode.
ISL is an external tagging process, which means the original frame is not
altered but instead encapsulated with a new 26-byte ISL header. It also adds
a second 4-byte frame check sequence (FCS) field at the end of the frame.
Because the frame is encapsulated with information, only ISL-aware devices
can read it. Also, the frame can be up to 1522 bytes long. Devices that receive
an ISL frame may record this as a giant frame because it is over the maximum
of 1518 bytes allowed on an Ethernet segment.

802.1Q, an IEEE standard

IEEE 802.1Q extends IP routing capabilities to include support for routing IP frame types
in VLAN configurations using the IEEE 802.1Q encapsulation. Every 802.1Q port is
assigned to a trunk. All ports on a trunk are in a native VLAN. Every 802.1Q port is
assigned an identifier value that is based on the port's native VLAN ID (the default is
VLAN 1). All untagged frames are assigned to the LAN specified in the ID parameter. An
802.1Q trunk and its associated trunk ports have a native VLAN value. 802.1Q does not
tag frames for the native VLAN. Therefore, ordinary stations will be able to read the
native untagged frames, but will not be able to read any other frame because the frames
are tagged.
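
The following Python is an added example, not code from the notes: it runs the store-and-forward checks from the LAN Switching Modes section (runt, giant, CRC) on a buffered frame and then reads the 802.1Q tag, assigning an untagged frame to native VLAN 1 as this section describes. The addresses are constructed, and the 1522-byte allowance for tagged frames comes from IEEE 802.3ac, not from the notes.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

MIN_FRAME = 64           # shortest legal frame including FCS; shorter is a runt
MAX_FRAME = 1518         # longest untagged frame including FCS; longer is a giant
MAX_TAGGED_FRAME = 1522  # 802.3ac allows 4 extra bytes for an 802.1Q tag
TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
NATIVE_VLAN = 1          # untagged frames belong to the native VLAN (default 1)


@dataclass
class ParsedFrame:
    dst: str
    src: str
    vlan: int
    tagged: bool
    ethertype: int
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Construct a frame with a correct FCS, optionally carrying an 802.1Q tag.
    Used here only to produce constructed test input."""
    body = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        body += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)  # TPID + TCI (PCP/DEI 0)
    body += struct.pack("!H", ethertype) + payload
    body = body.ljust(MIN_FRAME - 4, b"\x00")  # pad as a NIC does before the FCS
    return body + struct.pack("<I", zlib.crc32(body))  # FCS is CRC-32, LSB first


def store_and_forward_check(frame: bytes) -> Optional[str]:
    """The checks a store-and-forward switch runs on the buffered frame.
    Returns None when the frame may be forwarded, else the discard reason."""
    if len(frame) < MIN_FRAME:
        return "runt"
    tagged = struct.unpack("!H", frame[12:14])[0] == TPID_8021Q
    if len(frame) > (MAX_TAGGED_FRAME if tagged else MAX_FRAME):
        return "giant"
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        return "crc error"
    return None


def parse_frame(frame: bytes) -> ParsedFrame:
    """Pull the addresses and the VLAN out of a frame that passed the checks.
    An untagged frame is assigned to the native VLAN, as on an 802.1Q trunk."""
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        inner_type = struct.unpack("!H", frame[16:18])[0]
        return ParsedFrame(dst, src, tci & 0x0FFF, True, inner_type, frame[18:-4])
    return ParsedFrame(dst, src, NATIVE_VLAN, False, ethertype, frame[14:-4])


# Constructed sample addresses (not from the notes).
DST = "00:00:0c:aa:aa:aa"
SRC = "00:00:0c:bb:bb:bb"


def demo_checks() -> dict:
    """Exercise each discard rule plus the tagged-frame size allowance."""
    corrupted = bytearray(build_frame(DST, SRC, 0x0800, b"x" * 100))
    corrupted[20] ^= 0xFF  # flip a payload byte so the FCS no longer matches
    check = store_and_forward_check
    return {
        "valid": check(build_frame(DST, SRC, 0x0800, b"x" * 100)),
        "max_untagged": check(build_frame(DST, SRC, 0x0800, b"x" * 1500)),   # 1518
        "untagged_giant": check(build_frame(DST, SRC, 0x0800, b"x" * 1501)), # 1519
        "max_tagged": check(build_frame(DST, SRC, 0x0800, b"x" * 1500, vlan=20)),  # 1522
        "runt": check(b"\x00" * 50),
        "crc": check(bytes(corrupted)),
    }


def demo_parse() -> dict:
    tagged = parse_frame(build_frame(DST, SRC, 0x0800, b"x" * 100, vlan=20))
    untagged = parse_frame(build_frame(DST, SRC, 0x0800, b"x" * 100))
    return {"tagged": (tagged.vlan, tagged.tagged, tagged.ethertype),
            "untagged": (untagged.vlan, untagged.tagged, untagged.ethertype)}
```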


VLAN Trunking Protocol (VTP)

VTP is a Layer 2 messaging protocol that maintains VLAN configuration
consistency by managing the additions, deletions, and name changes of VLANs
across networks. VTP minimizes misconfigurations and configuration
inconsistencies that can cause problems, such as duplicate VLAN names or
incorrect VLAN-type specifications.
A VTP domain is one switch or several interconnected switches sharing the
same VTP environment. You can configure a switch to be in only one VTP
domain. By default, a Catalyst switch is in the no-management-domain state until
it receives an advertisement for a domain over a trunk link or until you configure
a management domain. Configurations made to a single VTP server are
propagated across links to all connected switches in the network.

VTP Modes

VTP operates in one of three modes: server mode, transparent mode, or client
mode. You can complete different tasks depending on the VTP operation mode.
The characteristics of the three modes are as follows:

Server mode: The default VTP mode is server mode, but VLANs are not
propagated over the network until a management domain name is specified or
learned. When you make a change to the VLAN configuration on a VTP server,
the change is propagated to all switches in the VTP domain. VTP messages are
transmitted out all trunk connections.

Transparent mode: When you make a change to the VLAN configuration in VTP
transparent mode, the change affects the local switch only and does not
propagate to other switches in the VTP domain. VTP transparent mode does
forward VTP advertisements within the domain.

Client mode: You cannot make changes to the VLAN configuration when in VTP
client mode. VTP advertisements are forwarded in VTP client mode.

VTP Operations

VTP advertisements are flooded throughout the management domain. VTP
advertisements are sent every 5 minutes or whenever there is a change in VLAN
configurations. Advertisements are transmitted over the default VLAN (VLAN 1)
using a multicast frame. A configuration revision number is included in each VTP
advertisement. A higher configuration revision number indicates that the VLAN
information being advertised is more current than the stored information. One of
the most critical components of VTP is the configuration revision number. Each
time a VTP server modifies its VLAN information, the VTP server increments the
configuration revision number by one. The server then sends out a VTP
advertisement with the new configuration revision number. If the configuration
revision number being advertised is higher than the number stored on the other
switches in the VTP domain, the switches will overwrite their VLAN
configurations with the new information being advertised.

The configuration revision number in VTP transparent mode is always 0. A
device that receives VTP advertisements must check various parameters before
incorporating the received VLAN information. First, the management domain
name and password in the advertisement must match those configured in the
local switch. Next, if the configuration revision number indicates that the
message was created after the configuration currently in use, the switch
incorporates the advertised VLAN information.

To reset the configuration revision number on most Catalyst switches, use the
delete vtp privileged EXEC command. On a Catalyst 2950, change the VTP
domain to another name and then change it back to reset the configuration
revision number.
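
An added example (not from the notes) that models the VTP acceptance checks and revision handling described in this section and the VTP Modes section above: domain and password must match, only a higher revision is applied, transparent mode stays at revision 0, and renaming the domain resets the revision. The domain names, VLANs and password are constructed, and the plain-text password comparison stands in for the digest real VTP carries.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class VtpAdvertisement:
    domain: str
    password: Optional[str]
    revision: int
    vlans: Dict[int, str]


@dataclass
class VtpSwitch:
    mode: str                     # "server", "client" or "transparent"
    domain: Optional[str] = None  # None models the no-management-domain state
    password: Optional[str] = None
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def set_domain(self, domain: str) -> None:
        # Changing the domain name is the revision-reset procedure the notes
        # give for the Catalyst 2950 (delete vtp on other platforms).
        if domain != self.domain:
            self.revision = 0
        self.domain = domain

    def configure_vlan(self, vlan_id: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError("VLAN changes are not allowed in client mode")
        self.vlans[vlan_id] = name
        if self.mode == "server":
            self.revision += 1  # transparent mode keeps its revision at 0

    def advertise(self) -> VtpAdvertisement:
        if self.mode != "server":
            raise RuntimeError("only VTP servers originate VLAN database changes")
        return VtpAdvertisement(self.domain, self.password, self.revision, dict(self.vlans))

    def process_advertisement(self, adv: VtpAdvertisement) -> str:
        """Apply the acceptance checks from the notes; returns what happened."""
        if self.mode == "transparent":
            return "forwarded only"  # relayed out other trunks, never applied locally
        if self.domain is None:
            self.domain = adv.domain  # a domainless switch learns the domain from a trunk
        if adv.domain != self.domain or adv.password != self.password:
            return "ignored: domain or password mismatch"
        if adv.revision <= self.revision:
            return "ignored: revision not newer"
        self.vlans = dict(adv.vlans)  # whole database replaced, deletions included
        self.revision = adv.revision
        return "applied"


def _production() -> tuple:
    """Constructed domain: one server at revision 2 and a client synced to it."""
    server = VtpSwitch("server", domain="CORP", password="constructed-secret")
    server.configure_vlan(10, "users")
    server.configure_vlan(20, "servers")              # revision is now 2
    client = VtpSwitch("client", domain="CORP", password="constructed-secret")
    client.process_advertisement(server.advertise())  # client now at revision 2
    return server, client


def _lab_server() -> VtpSwitch:
    """A server that was configured elsewhere under the same domain name."""
    lab = VtpSwitch("server", domain="CORP", password="constructed-secret")
    for i in range(5):
        lab.configure_vlan(100 + i, f"lab{i}")        # revision climbs to 5
    return lab


def demo_stale_overwrite() -> tuple:
    """Revision 5 beats revision 2: the client replaces its VLAN set wholesale."""
    _, client = _production()
    result = client.process_advertisement(_lab_server().advertise())
    return result, sorted(client.vlans)


def demo_reset_before_connecting() -> tuple:
    """Renaming the domain and renaming it back zeroes the revision, so the
    production database is left alone when the switch is connected."""
    lab = _lab_server()
    lab.set_domain("TEMP")
    lab.set_domain("CORP")
    _, client = _production()
    return lab.revision, client.process_advertisement(lab.advertise()), sorted(client.vlans)


def demo_transparent_revision() -> int:
    sw = VtpSwitch("transparent", domain="CORP")
    sw.configure_vlan(30, "local-only")
    return sw.revision  # stays at 0
```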

VTP Pruning

You can preserve bandwidth by configuring VTP to reduce the amount of broadcast,
multicast, and flooded unicast traffic sent across trunk links. This is called
pruning. VTP pruning only sends broadcasts to trunk
links that must have the information; any trunk link that does not need the
broadcasts will not receive them. For example, if a switch does not have any
ports configured for VLAN 5, and a broadcast is sent throughout VLAN 5, the
broadcast would not traverse the trunk link to this switch. VTP pruning is disabled
by default on all switches.
IP Routing

Routing is used for taking a packet from one device and sending it through the
network to another device on a different network. If your network has no routers,
then you are not routing. Routers route traffic to all the networks in your
internetwork. To be able to route packets, a router must know, at a minimum, the
following:

Destination address
Neighbor routers from which it can learn about remote networks
Possible routes to all remote networks
The best route to each remote network

The routers can only send packets by looking at the routing table and discovering
how to get to the remote networks. What happens when a router receives a
packet with a network that is not listed in the routing table? It doesn't send a
broadcast looking for the remote network; the router just discards it. Period.

There are a few different ways to configure the routing tables to include
all the networks.

Static Routing

Static routing is the process of an administrator manually adding routes in each
router's routing table. There are benefits and disadvantages to all routing
processes.

Static routing has the following benefits:

No overhead on the router CPU
No bandwidth usage between routers
Security (because the administrator only allows routing to certain
networks)

Static routing has the following disadvantages:

The administrator must really understand the internetwork and how each
router is connected to configure the routes correctly.
If one network is added to the internetwork, the administrator must add a
route to it on all routers.
It's not feasible in large networks because it would be a full-time job.

The command used to add a static route to a routing table is

ip route [destination_network] [mask] [next_hop_address | exit_interface]
[administrative_distance] [permanent]

ip route: The command used to create the static route.

destination network: The network you are placing in the routing
table.

mask: Indicates the subnet mask being used on the network.

next hop address: The address of the next hop router that will receive
the packet and forward it to the remote network. This is a router interface
that is on a directly connected network. You must be able to ping the
router interface before you add the route.

exit interface: Used in place of the next hop address if desired. Must
be on a point-to-point link, such as a WAN. This option does not work
on a LAN; for example, Ethernet.

administrative distance: By default, static routes have an administrative
distance of 1. You can change the default value by adding an
administrative weight at the end of the command.

permanent: If the interface is shut down or the router cannot communicate
to the next hop router, the route is automatically discarded from the
routing table. Choosing the permanent option keeps the entry in the routing
table no matter what happens.

Default Routing

Default routing is used to send packets with a remote destination network not in
the routing table to the next hop router. You can only use default routing on stub
networks, which means that they have only one exit port out of the network.

Dynamic Routing

Dynamic routing is the process of using protocols to find and update routing
tables on routers. This is easier than static or default routing, but you use it at the
expense of router CPU processes and bandwidth on the network links. A routing
protocol defines the set of rules used by a router when it communicates between
neighbor routers.

Administrative Distances

When configuring routing protocols, you need to be aware of administrative
distances (ADs). These are used to rate the trustworthiness of routing
information received on a router from a neighbor router. An administrative
distance is an integer from 0 to 255, where 0 is the most trusted and 255 means
no traffic will be passed via this route.

Route Source          Default Distance
Connected Interface   0
Static Route          1
EIGRP                 90
IGRP                  100
OSPF                  110
RIP                   120
External EIGRP        170
Unknown               255

If a network is directly connected, it will always use the interface connected to the
network. If an administrator configures a static route, the router will believe that
route over any other learned routes. You can change the administrative distance
of static routes, but, by default, they have an AD of 1.
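
As an added example (not from the notes), this Python models a routing table built from the static, default and RIP-learned entries discussed above: one entry per prefix chosen by administrative distance, longest-prefix lookup, and a discard when nothing matches. The addresses and interface names are constructed, and ip_route here is a modelling helper that mirrors the command syntax, not IOS itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default administrative distances from the table above.
AD = {"connected": 0, "static": 1, "eigrp": 90, "igrp": 100, "ospf": 110,
      "rip": 120, "external eigrp": 170, "unknown": 255}


@dataclass
class Route:
    network: ipaddress.IPv4Network
    source: str
    next_hop: Optional[str] = None        # address of the next hop router, or
    exit_interface: Optional[str] = None  # the local exit interface instead
    metric: int = 0

    @property
    def ad(self) -> int:
        return AD[self.source]


def ip_route(destination: str, mask: str, via: str, source: str = "static",
             metric: int = 0) -> Route:
    """Mirror of 'ip route destination mask next_hop|exit_interface' as a
    modelling helper; 'via' is an IP address or an interface name."""
    network = ipaddress.IPv4Network(f"{destination}/{mask}")
    if via[0].isdigit():
        return Route(network, source, next_hop=via, metric=metric)
    return Route(network, source, exit_interface=via, metric=metric)


def install(table: List[Route], route: Route) -> List[Route]:
    """Only one entry per prefix: the lower AD (more trusted source) wins, so a
    static route (AD 1) replaces a RIP route (AD 120) for the same network."""
    for i, existing in enumerate(table):
        if existing.network == route.network:
            if route.ad < existing.ad:
                table[i] = route
            return table
    table.append(route)
    return table


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match decides; AD only breaks ties for the same prefix.
    None means no route, and the router simply discards the packet."""
    dst_ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if dst_ip in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.ad, r.metric))


def sample_table(with_default: bool = True) -> List[Route]:
    """Constructed routing table (not from the notes)."""
    table: List[Route] = []
    install(table, ip_route("10.1.1.0", "255.255.255.0", "FastEthernet0/0",
                            source="connected"))
    install(table, ip_route("172.16.0.0", "255.255.0.0", "10.1.1.2",
                            source="rip", metric=3))
    install(table, ip_route("172.16.0.0", "255.255.0.0", "10.1.1.2"))  # static replaces RIP
    install(table, ip_route("172.16.5.0", "255.255.255.0", "10.1.1.3",
                            source="rip", metric=2))
    if with_default:
        # Default route out a point-to-point exit interface, as the notes require
        install(table, ip_route("0.0.0.0", "0.0.0.0", "Serial0/0"))
    return table


def describe(route: Optional[Route]) -> str:
    if route is None:
        return "discarded"
    via = route.next_hop or route.exit_interface
    return f"{route.network} via {via} [{route.source}, AD {route.ad}]"
```

Note that 172.16.5.7 follows the RIP /24 despite its higher AD, because prefix length is compared before trustworthiness; AD only decides which source's route is installed for an identical prefix.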

Routing Protocols

There are three classes of routing protocols:

Distance vector: The distance-vector routing protocols use a distance to
a remote network to find the best path. Each time a packet goes through a
router, it's called a hop. The route with the least number of hops to the
network is determined to be the best route. The vector is the determination
of direction to the remote network. Examples of distance-vector
routing protocols are RIP and IGRP.

Link state: Typically called shortest path first, the routers each create
three separate tables. One of these tables keeps track of directly attached
neighbors, one determines the topology of the entire internetwork, and
one is used for the routing table. Link-state routers know more about the
internetwork than any distance-vector routing protocol. An example of
an IP routing protocol that is completely link state is OSPF.

Hybrid: Uses aspects of distance vector and link state, for example, EIGRP.
Routing Information Protocol (RIP)

Routing Information Protocol (RIP) is a true distance-vector routing protocol.
It sends the complete routing table out to all active interfaces every 30 seconds.
RIP only uses hop count to determine the best way to a remote network, but it
has a maximum allowable hop count of 15, meaning that 16 is deemed
unreachable.
RIP works well in small networks, but it is inefficient on large networks with slow
WAN links or on networks with a large number of routers installed. RIP version 1
uses only classful routing, which means that all devices in the network must use
the same subnet mask. This is because RIP version 1 does not send updates
with subnet mask information in tow.
RIP version 2 provides what is called prefix routing and does send subnet mask
information with the route updates. This is called classless routing.

RIP Timers

RIP uses three different kinds of timers to regulate its performance:

Route update timer: Sets the interval (typically 30 seconds) between periodic
routing updates, in which the router sends a complete copy of its routing table out
to all neighbors.

Route invalid timer: Determines the length of time that must expire (90 seconds)
before a router determines that a route has become invalid. It will come to this
conclusion if it hasn't heard any updates about a particular route for that period.
When that happens, the router will send out updates to all its neighbors letting
them know that the route is invalid.

Route flush timer: Sets the time between a route becoming invalid and its
removal from the routing table (240 seconds). Before it is removed from the
table, the router notifies its neighbors of that route's impending doom. The value
of the route invalid timer must be less than that of the route flush timer. This is to
provide the router with enough time to tell its neighbors about the invalid route
before the routing table is updated.

RIP Configuration

Router(config)#router rip

The router rip command selects RIP as the routing protocol. It starts the RIP
routing process.

Router(config-router)#network network-number

The network command assigns a major network number that the router is
directly connected to. The RIP routing process associates interface addresses
with the advertised network number and will begin RIP packet processing on the
specified interfaces.

The show ip protocols command displays values about routing protocols and
the routing protocol timer information that is associated with the router.

The show ip interface brief command displays summary of the IP information
and status of all interfaces.

The show ip route command displays the contents of the IP routing table.

The debug ip rip command displays information on RIP routing transactions.


Enhanced Interior Gateway Routing Protocol (EIGRP)

Overview

Enhanced Interior Gateway Routing Protocol (EIGRP) is an enhanced version of
Interior Gateway Routing Protocol (IGRP) developed by Cisco. EIGRP is suited
for many different topologies and media. In a well-designed network, EIGRP
scales well and provides extremely quick convergence times with minimal
overhead. EIGRP is a popular choice for a routing protocol on Cisco devices.

Features of EIGRP

EIGRP has rapid convergence times for changes in the network topology. In
some situations, convergence can be almost instantaneous. EIGRP uses the
Diffusing Update Algorithm (DUAL) to achieve rapid convergence. A router that is
running EIGRP stores backup routes for destinations when they are available so
that it can quickly adapt to alternate routes. If no appropriate route or backup
route exists in the local routing table, EIGRP queries its neighbors to discover an
alternate route. These queries are propagated until an alternate route is found.

EIGRP has very low usage of network resources during normal operation; only
hello packets are transmitted on a stable network. Like other link-state routing
protocols, EIGRP uses EIGRP hello packets to establish relationships with
neighboring EIGRP routers. Each router builds a neighbor table from the hello
packets that it receives from adjacent EIGRP routers. EIGRP does not send
periodic routing updates like IGRP does. When a change occurs, only routing
table changes are propagated, not the entire routing table. And when only
changes are propagated, the bandwidth that is required for EIGRP packets is
minimized, which reduces the load that the routing protocol itself places on the
network.

EIGRP supports automatic (classful) route summarization at major network
boundaries as the default. However, unlike other classful routing protocols, such
as IGRP and Routing Information Protocol (RIP), manual route summarization
can be configured on arbitrary network boundaries to reduce the size of the
routing table.


EIGRP Terminology

Neighbor table (AppleTalk, IPX, IPv6, IPv4): Each EIGRP router maintains a
neighbor table that lists adjacent routers. This table is comparable to the
adjacencies database used by OSPF, and it serves the same purpose (to ensure
bi-directional communication between each of the directly connected neighbors).
There is a neighbor table for each protocol that EIGRP supports.

Topology table (AppleTalk, IPX, IPv6, IPv4): Each EIGRP router maintains a
topology table for each configured routing protocol. This table includes route
entries for all destinations that the router has learned. All learned routes to a
destination are maintained in the topology table.

Routing table (AppleTalk, IPX, IPv6, IPv4): EIGRP chooses the best (successor)
routes to a destination from the topology table and places these routes in the
routing table. The router maintains one routing table for each network protocol.

Successor: A successor is a route selected as the primary route to reach a
destination. Successors are the entries kept in the routing table.

Feasible successor: A feasible successor is considered a backup route. Backup
routes are selected at the same time that the successors are identified; however,
these routes are kept in a topology table. Multiple feasible successors for a
destination can be retained.
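The split between the topology table and the routing table is easiest to follow on a concrete set of entries. The following is an added example, not code from the notes or from Cisco: it applies DUAL's selection to constructed topology entries. One detail it uses is not spelled out above: a backup is only a feasible successor if the neighbor's reported distance is lower than the feasible distance through the successor, which is the DUAL rule that guarantees the backup is loop-free. The neighbor names and distances are constructed.

```python
# Added example (not from the notes): selecting the successor and feasible
# successors from EIGRP topology entries. Entries and neighbor names are constructed.


def choose_successors(entries):
    """entries: list of (neighbor, reported_distance, link_cost_to_neighbor).
    Returns (successor, feasible_successors); each item is (neighbor, distance)."""
    if not entries:
        return None, []
    # Total distance to the destination through each neighbor.
    totals = [(nbr, rd, rd + link) for nbr, rd, link in entries]
    successor = min(totals, key=lambda e: e[2])
    feasible_distance = successor[2]
    # Feasibility condition (DUAL): the neighbor's reported distance must be
    # lower than the feasible distance, which proves it is not routing back
    # through this router. Such neighbors are kept as backups.
    feasible = [(nbr, total) for nbr, rd, total in totals
                if nbr != successor[0] and rd < feasible_distance]
    feasible.sort(key=lambda e: e[1])
    return (successor[0], feasible_distance), feasible


def build_tables(topology):
    """topology: {destination: [(neighbor, rd, link_cost), ...]}.
    Returns (routing_table, backups): one successor per destination goes into
    the routing table, feasible successors stay in the topology table."""
    routing, backups = {}, {}
    for dest, entries in topology.items():
        succ, feas = choose_successors(entries)
        if succ is not None:
            routing[dest] = succ
        backups[dest] = feas
    return routing, backups


# Constructed topology entries for one destination.
TOPOLOGY = {
    "10.9.0.0/16": [
        ("R2", 10, 5),   # total 15: lowest, becomes the successor (FD = 15)
        ("R3", 12, 20),  # total 32, RD 12 < 15: kept as a feasible successor
        ("R4", 20, 2),   # total 22, but RD 20 >= 15: fails the feasibility condition
    ],
}
```

Note that R4 has a lower total distance than R3 yet is not a feasible successor; the condition is on the reported distance, not the total, so the router would have to query neighbors if both R2 and R3 were lost.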


EIGRP Configuration

Use the router eigrp and network commands to create an EIGRP routing
process. Note that EIGRP requires an autonomous system number. The
autonomous system number does not have to be registered. However, all routers
within an autonomous system must use the same autonomous system number;
otherwise, they will not exchange routing information.

Router(config)#router eigrp autonomous-system

Router(config-router)#network network-number
The network command assigns a major network number that the router is directly
connected to. The EIGRP routing process associates interface addresses with
the advertised network number and will begin EIGRP packet processing on the
specified interfaces.

EIGRP Configuration Verification

The show ip route eigrp command displays the current EIGRP entries in the
routing table.

The show ip protocols command displays the parameters and current state of
the active routing protocol process. This command shows the EIGRP
autonomous system number. It also displays filtering and redistribution numbers
and neighbors and distance information.

Use the show ip eigrp interfaces command to determine on which interfaces
EIGRP is active, and to learn information about EIGRP relating to those
interfaces. If you specify an interface, only that interface is displayed.
Otherwise, all interfaces on which EIGRP is running are displayed. If you specify
an autonomous system, only the routing process for the specified autonomous
system is displayed. Otherwise, all EIGRP processes are displayed.

EIGRP Configuration Troubleshooting

The debug ip eigrp privileged EXEC command helps you analyze the packets
that are sent and received on an interface. Because the debug ip eigrp command
generates a substantial amount of output, use it only when traffic on the network
is light.
Open Shortest Path First (OSPF)

Overview

Open Shortest Path First (OSPF) is an interior gateway protocol and a classless
link-state routing protocol. Because OSPF is widely deployed, knowledge of its
configuration and maintenance is essential. This lesson describes the function of
OSPF and explains how to configure a single-area OSPF network on a Cisco
router.

OSPF Features

OSPF is a routing protocol developed for IP networks by the Interior Gateway
Protocol (IGP) working group of the Internet Engineering Task Force (IETF).
Similar to Interior Gateway Routing Protocol (IGRP), OSPF was created in the
mid-1980s because Routing Information Protocol (RIP) was increasingly
incapable of serving large, heterogeneous internetworks. OSPF routes packets
within a single autonomous system.

OSPF characteristics:

The protocol is an open standard, which means that its specification is in the
public domain. The OSPF specification is published as an RFC. The most recent
version, known as OSPF version 2, is described in RFC 2328.

OSPF is based on the shortest path first (SPF) algorithm.

The ability of OSPF to separate a large internetwork, or autonomous system, into
smaller internetworks called areas is referred to as hierarchical routing. With this
technique, routing still occurs between the areas (called interarea routing), but
many of the minute internal routing operations, such as recalculating the
database, are kept within an area.

The hierarchical topology possibilities of OSPF have the following
important advantages:

Reduced frequency of SPF calculations
Smaller routing tables
Reduced link-state update overhead


Shortest Path First Algorithm

The SPF algorithm places each router at the root of a tree and calculates the
shortest path to each node, using Dijkstra's algorithm, based on the cumulative
cost that is required to reach that destination. LSAs are flooded throughout the
area using a reliable algorithm, which ensures that all routers in an area have
exactly the same topological database. Each router uses the information in its
topological database to calculate a shortest path tree, with itself as the root.
The router then uses this tree to route network traffic.

Each router has its own view of the topology, even though all the routers build a
shortest-path tree using the same link-state database. The cost, or metric, of an
interface is an indication of the overhead that is required to send packets across
a certain interface. The cost of an interface is inversely proportional to the
bandwidth of that interface, so a higher bandwidth indicates a lower cost. There
is more overhead, higher cost, and more time delays involved in crossing a 56
kbps serial line than in crossing a 10-Mbps Ethernet line.

The default formula used to calculate OSPF cost is:

cost = 100,000,000 / bandwidth in bps

For example, it will cost 10^8 / 10^7 = 10 to cross a 10-Mbps Ethernet line, and it
will cost 10^8 / 1,544,000 = 64 to cross a T1 line.
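The cost formula and the SPF calculation described above can be put together in a few lines. The following is an added example, not code from the notes or from any OSPF implementation: it derives interface costs from link bandwidths with the default formula (truncated to an integer, with a floor of 1 as IOS applies) and runs Dijkstra's algorithm from one router over a constructed five-link topology. It shows why a router may prefer three Ethernet hops over one directly connected T1.

```python
# Added example (not from the notes): OSPF cost from bandwidth plus an SPF run
# over a constructed link-state database. Router names and links are constructed.
import heapq

REFERENCE_BANDWIDTH = 100_000_000   # 10^8 bps, the default in the formula above


def ospf_cost(bandwidth_bps):
    """Default OSPF interface cost: reference bandwidth / interface bandwidth,
    truncated to an integer and never below 1."""
    return max(1, REFERENCE_BANDWIDTH // bandwidth_bps)


# Constructed topology: (router, router, link bandwidth in bps). Cost is symmetric here.
LINKS = [
    ("R1", "R2", 10_000_000),   # 10-Mbps Ethernet: cost 10
    ("R1", "R3", 1_544_000),    # T1: cost 64
    ("R2", "R4", 10_000_000),   # cost 10
    ("R3", "R4", 10_000_000),   # cost 10
    ("R2", "R3", 56_000),       # 56-kbps serial: cost 1785, never on a best path
]


def link_state_database(links):
    """Adjacency map {router: {neighbor: cost}}; every router in the area holds
    the same copy once LSAs have been flooded."""
    lsdb = {}
    for a, b, bandwidth in links:
        cost = ospf_cost(bandwidth)
        lsdb.setdefault(a, {})[b] = cost
        lsdb.setdefault(b, {})[a] = cost
    return lsdb


def shortest_path_tree(lsdb, root):
    """Dijkstra with `root` at the top of the tree. Returns (distance, parent)."""
    distance = {root: 0}
    parent = {}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > distance[node]:
            continue                      # stale heap entry, already improved
        for neighbor, cost in lsdb[node].items():
            candidate = d + cost
            if candidate < distance.get(neighbor, float("inf")):
                distance[neighbor] = candidate
                parent[neighbor] = node
                heapq.heappush(heap, (candidate, neighbor))
    return distance, parent


def path(parent, root, destination):
    """Walk the tree back from destination to root."""
    hops = [destination]
    while hops[-1] != root:
        hops.append(parent[hops[-1]])
    return hops[::-1]
```

From R1 the tree reaches R3 at cost 30 via R2 and R4 (three cost-10 links) rather than at cost 64 over the directly connected T1.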

Single-Area OSPF Configuration

Router(config)#router ospf process-id

Router(config-router)#network address wildcard-mask area area-id

The router ospf command takes a process identifier as an argument. The
process ID is a unique, arbitrary number that you select to identify the routing
process. The process ID does not need to match the OSPF process ID on other
OSPF routers.

The network command identifies which IP networks on the router are part of the
OSPF network. For each network, you must also identify the OSPF area that the
networks belong to.

The network command takes the three arguments listed below.

address: Can be the network, subnet, or interface address.

wildcard-mask: Wildcard mask. This mask identifies the part of the IP address
that is to be matched, where 0 is a match and 1 is do not care. For example, a
wildcard mask of 0.0.0.0 indicates a match of all 32 bits in the address.

area-id: Area that is to be associated with the OSPF address range. It can be
specified either as a decimal value or in dotted-decimal notation.
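The wildcard-mask semantics just described decide which interfaces end up in OSPF and in which area. The following is an added example, not code from the notes or from Cisco IOS: it applies a list of network statements to a constructed set of interface addresses. It checks statements in the order listed and takes the first match; it makes no claim about how IOS orders overlapping statements. Interface names and addresses are constructed.

```python
# Added example (not from the notes): evaluating OSPF network statements
# against interface addresses with wildcard masks. All values are constructed.
import ipaddress


def _bits(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, base, wildcard):
    """Wildcard semantics from the table above: a 0 bit in the mask must match,
    a 1 bit is 'do not care'."""
    care = ~_bits(wildcard) & 0xFFFFFFFF
    return (_bits(address) ^ _bits(base)) & care == 0


def ospf_interfaces(interfaces, statements):
    """interfaces: {name: ip}; statements: [(address, wildcard, area_id), ...]
    in the order configured. Returns {interface: area} for the interfaces OSPF
    would be enabled on; the first matching statement wins in this example."""
    enabled = {}
    for name, ip in interfaces.items():
        for address, wildcard, area in statements:
            if wildcard_match(ip, address, wildcard):
                enabled[name] = area
                break
    return enabled


# Constructed router: four interfaces, two network statements.
INTERFACES = {
    "e0": "10.1.1.1",
    "e1": "10.1.2.1",
    "s0": "192.168.10.5",
    "lo0": "172.16.0.1",      # matched by no statement: OSPF stays off here
}
STATEMENTS = [
    ("192.168.10.5", "0.0.0.0", 1),   # exact 32-bit match on one interface address
    ("10.1.0.0", "0.0.255.255", 0),   # any interface in 10.1.x.x
]
```

Running `ospf_interfaces(INTERFACES, STATEMENTS)` yields e0 and e1 in area 0, s0 in area 1, and leaves lo0 out of OSPF entirely, which is what the verification command show ip ospf interface would confirm.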


OSPF Configuration Verification

Router# show ip protocols

The command displays parameters about timers, filters, metrics, networks, and
other information for the entire router.

Router# show ip route

The command displays the routes that are known to the router and how they
were learned. This command is one of the best ways to determine connectivity
between the local router and the rest of the internetwork.

Router# show ip ospf interface

The command verifies that interfaces have been configured in the intended
areas. If no loopback address is specified, the interface with the highest address
is chosen as the router ID. This command also displays the timer intervals,
including the hello interval, and shows the neighbor adjacencies.

Router# show ip ospf neighbor

The show ip ospf neighbor command displays OSPF neighbor information on a
per-interface basis.

Access control lists (ACLs)
Overview

Access control lists (ACLs) provide an important network security feature. With
ACLs, you can classify and filter packets on inbound and outbound router
interfaces and access ports. Understanding the uses of ACLs enables you to
determine how to implement them on your Cisco network. This lesson describes
some of the applications for ACLs on Cisco Systems networks and explains how
Cisco IOS software processes ACLs.


Access lists are essentially lists of conditions that control access of network
traffic, both to and from network segments. They can filter unwanted packets and
be used to implement security policies of the organisation. With the right
combination of access lists, network managers will be armed with the power to
enforce nearly any access policy they can invent.

Access lists are basically the packet filters that packets are compared with,
categorized by, and acted upon. Once the lists are built, they can be applied to
either inbound or outbound traffic on any interface. Applying an access list will
then cause the router to analyze every packet crossing that interface in the
specified direction and take action accordingly.

There are a few important rules a packet follows when it's being compared
with an access list:

Whenever a packet arrives on an interface of the router, it is always compared
with each line of the access list in sequential order, i.e., it'll always start with
line 1, then go to line 2, then line 3, and so on.

It's compared with lines of the access list only until a match is made. Once
the packet matches a line of the access list, it's acted upon, and no further
comparisons take place.

There is an implicit deny at the end of each access list; this means that if a
packet doesn't match up to any lines in the access list, it'll be discarded.


Types of Access Lists: Two Types

1. Standard access lists

These use only the source IP address in an IP packet to filter the network. This
basically permits or denies an entire suite of protocols.

2. Extended access lists
These check for both source and destination IP address, the protocol field in the
Network layer header, and the port number in the Transport layer header.

Once you create an access list, you apply it to an interface with either an
inbound or outbound list:

Inbound access lists : Packets are processed through the access list before
being routed to the outbound interface.

Outbound access lists : Packets are routed to the outbound interface and then
processed through the access list.

Some access list guidelines that should be followed when creating and
implementing access lists on a router:

You can only assign one access list per interface, per protocol, or per
direction. This means that if you are creating IP access lists, you can only
have one inbound access list and one outbound access list per interface.

Organize your access lists so that the more specific tests are at the top of the
access list.

Anytime a new entry is added to the access list, it will be placed at the bottom of
the list.

You cannot remove one line from an access list. If you try to do this, you will
remove the entire list. It is best to copy the access list to a text editor before
trying to edit the list.

Unless your access list ends with a permit any command, all packets will be
discarded if they do not meet any of the list's tests. Every list should have at
least one permit statement, or you might as well shut the interface down.

Create access lists and then apply them to an interface. Any access list
applied to an interface without an access list present will not filter traffic.

Access lists are designed to filter traffic going through the router. They will not
filter traffic originated from the router.

Place IP standard access lists as close to the destination as possible.

Place IP extended access lists as close to the source as possible.

Standard IP Access Lists

Standard IP access lists filter the network by using the source IP address in an IP
packet. You create a standard IP access list by using the access list numbers
1-99.

Configuring Standard IP ACLs

To configure standard IP ACLs on a Cisco router, you need to create a standard
IP ACL and activate an ACL on an interface.

Router(config)# access-list access-list-number {permit | deny | remark}
source [mask]

This command sets parameters for this list entry:
IP standard ACLs use 1 to 99
Default wildcard mask = 0.0.0.0
no access-list access-list-number removes the entire ACL
remark lets you add a description for the ACL

Router(config-if)# ip access-group access-list-number {in | out}

This command activates the list on an interface:
Sets inbound or outbound testing
Default = outbound
no ip access-group access-list-number removes the ACL from the interface

Steps required to configure standard ACLs on a router:

1. Create an entry in a standard IP traffic filter list using the access-list global
configuration command.

Router(config)#access-list 1 permit 172.16.0.0 0.0.255.255

Notes: Enter the global no access-list access-list-number command to remove the
entire ACL. The example statement matches any address that starts with
172.16.x.x. Use the remark option to add a description to your ACL.

2. Select an interface to enable the ACL using the interface configuration
command.

Router(config)#interface e1

Notes: After you enter the interface command, the CLI prompt will change from
(config)# to (config-if)#.

3. Activate the existing ACL on an interface using the ip access-group interface
configuration command.

Router(config-if)#ip access-group 1 out

Notes: To remove an IP ACL from an interface, enter the no ip access-group
access-list-number command on the interface.



Configuring Extended IP ACLs

Extended IP access lists allow you to choose your IP source and destination
address as well as the protocol and port number, which identify the upper-layer
protocol or application. By using extended IP access lists, you can effectively
allow users access to a physical LAN and stop them from using certain services.

Syntax:

This command sets parameters for this list entry

Router(config)#access-list access-list-number {permit | deny} protocol source
source-wildcard [operator port] destination destination-wildcard [operator port]
[established] [log]

Activates the extended list on an interface

Router(config-if)#ip access-group access-list-number {in | out}

Steps to configure extended ACLs on a router:

1. Define an extended IP ACL. Use the access-list global configuration
command.

Router(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0
0.0.0.255 eq 21

Notes: Use the show access-lists command to display the contents of the ACL.
In the example, access-list 101 denies TCP traffic from source 172.16.4.0, using
the wildcard 0.0.0.255, to destination 172.16.3.0, using the wildcard 0.0.0.255,
on port 21 (FTP control port).

2. Select a desired interface to be configured. Use the interface global config
command.

Router(config)#interface e0

Notes: After the interface command is entered, the CLI prompt changes from
(config)# to (config-if)#.

3. Link the extended IP ACL to an interface. Use the ip access-group interface
config command.

Router(config-if)#ip access-group 101 in

Notes: Use the show ip interfaces command to verify that an IP ACL is applied to
the interface.


Controlling VTY (Telnet) Access

You will have a difficult time trying to stop users from telnetting into a router
because any active port on a router is fair game for VTY access. However, you
can use a standard IP access list to control access by placing the access list on
the VTY lines themselves.

To perform this function:

1. Create a standard IP access list that permits only the host or hosts you
want to be able to telnet into the routers.

2. Apply the access list to the VTY line with the access-class command.
Here is an example of allowing only host 172.16.10.3 to telnet into a router:

RouterA(config)#access-list 50 permit 172.16.10.3
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 50 in

Because of the implied deny any at the end of the list, the access list stops
any host from telnetting into the router except the host 172.16.10.3.
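The three matching rules (top-down, first match wins, implicit deny), the extended-list syntax, and the VTY list above can all be exercised with a small evaluator. The following is an added example, not code from the notes or from Cisco IOS: it models access-list entries and packets as plain Python objects and reports which line a packet hit. The two constructed lists mirror the notes' access-list 101 (with a trailing permit ip any any added so the list permits something) and access-list 50. Host addresses in the test traffic are constructed.

```python
# Added example (not from the notes): a simulator for standard and extended
# IP access-list matching. Lists and packets are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _bits(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, base, wildcard):
    """0 bits in the wildcard must match, 1 bits are don't care."""
    care = ~_bits(wildcard) & 0xFFFFFFFF
    return (_bits(address) ^ _bits(base)) & care == 0


@dataclass
class Entry:
    """One access-list line. A standard entry uses only action, src and src_wc;
    the remaining fields model the extended syntax (protocol, destination,
    destination port operator)."""
    action: str                        # "permit" or "deny"
    src: str
    src_wc: str
    protocol: str = "ip"               # "ip" matches tcp, udp and icmp alike
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"    # default: any destination
    dst_op: Optional[str] = None       # "eq", "gt", "lt", "neq" or None
    dst_port: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


def entry_matches(entry, pkt):
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, entry.src, entry.src_wc):
        return False
    if not wildcard_match(pkt.dst, entry.dst, entry.dst_wc):
        return False
    if entry.dst_op is None:
        return True                    # no port test on this line
    if pkt.dst_port is None:
        return False                   # port test cannot match a portless packet
    ops = {"eq": pkt.dst_port == entry.dst_port,
           "gt": pkt.dst_port > entry.dst_port,
           "lt": pkt.dst_port < entry.dst_port,
           "neq": pkt.dst_port != entry.dst_port}
    return ops[entry.dst_op]


def evaluate(acl, pkt):
    """Top-down, first match wins, implicit deny at the end.
    Returns (action, line_number); line_number is None for the implicit deny."""
    for line, entry in enumerate(acl, start=1):
        if entry_matches(entry, pkt):
            return entry.action, line
    return "deny", None


# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
# access-list 101 permit ip any any   (added here so the list permits something)
ACL_101 = [
    Entry("deny", "172.16.4.0", "0.0.0.255", "tcp", "172.16.3.0", "0.0.0.255", "eq", 21),
    Entry("permit", "0.0.0.0", "255.255.255.255"),
]
# access-list 50 permit 172.16.10.3   (the VTY list; everyone else hits the implicit deny)
ACL_50 = [Entry("permit", "172.16.10.3", "0.0.0.0")]
```

With these lists, FTP control traffic from 172.16.4.x to 172.16.3.x is denied on line 1, the same hosts on port 22 or over UDP fall through to the permit on line 2, and for the VTY list any source other than 172.16.10.3 is denied by the implicit deny rather than by any configured line.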
Network Address Translation (NAT)
Overview
Two scalability challenges facing the Internet are depletion of registered IP
address space and scaling in routing. Cisco IOS Network Address Translation
(NAT) and port address translation (PAT) are mechanisms for conserving
registered IP addresses in large networks and simplifying IP addressing
management tasks. NAT and PAT translate IP addresses within private internal
networks to legal IP addresses for transport over public external networks, such
as the Internet, without requiring a registered subnet address. Incoming traffic is
translated back for delivery within the inside network.

Features Of NAT (Network Address Translation) and PAT (Port Address
Translation)

NAT operates on a Cisco router and is designed for IP address simplification and
conservation. NAT enables private IP internetworks that use nonregistered IP
addresses to connect to the Internet. Usually, NAT connects two networks
together and translates the private (inside local) addresses in the internal
network into public addresses (inside global) before packets are forwarded to
another network. As part of this functionality, you can configure NAT to advertise
only one address for the entire network to the outside world. Advertising only one
address effectively hides the internal network from the world, thus providing
additional security.

Any device that sits between an internal network and the public network (such
as a firewall, a router, or a computer) uses NAT, which is defined in RFC 1631.

In NAT terminology, the inside network is the set of networks that are subject to
translation. The outside network refers to all other addresses. Usually these are
valid addresses located on the Internet.

Cisco defines the following list of NAT terms:

Inside local address: The IP address assigned to a host on the inside network.
The inside local address is likely not an IP address assigned by the Network
Information Center (NIC) or service provider.

Inside global address: A legitimate IP address assigned by the NIC or service
provider that represents one or more inside local IP addresses to the outside
world.

Outside local address: The IP address of an outside host as it appears to the
inside network. Not necessarily legitimate, the outside local address is allocated
from an address space routable on the inside.

Outside global address: The IP address assigned to a host on the outside
network by the host owner. The outside global address is allocated from a
globally routable address or network space.

NAT has many forms and can work in the following ways:

Static NAT: Maps an unregistered IP address to a registered IP address (one-to-
one). Static NAT is particularly useful when a device needs to be accessible from
outside the network.

Dynamic NAT: Maps an unregistered IP address to a registered IP address from
a group of registered IP addresses.

Overloading: Maps multiple unregistered IP addresses to a single registered IP
address (many-to-one) by using different ports. Overloading is also known as
PAT, and is a form of dynamic NAT.

Configuring Static NAT

Router(config-if)# ip nat inside
Marks the interface as connected to the inside

Router(config-if)# ip nat outside
Marks the interface as connected to the outside

Router(config)# ip nat inside source static local-ip global-ip
Establishes static translation between an inside local address
and an inside global address

Steps for configuring static inside source address translation:

1. Establish static translation between an inside local address and an inside
global address.

Router(config)#ip nat inside source static local-ip global-ip

Notes: Enter the no ip nat inside source static global command to remove the
static source translation.

2. Specify the inside interface.

Router(config)# interface type number

Notes: After you enter the interface command, the CLI prompt will change from
(config)# to (config-if)#.

3. Mark the interface as connected to the inside.

Router(config-if)#ip nat inside

4. Specify the outside interface.

Router(config-if)# interface type number

5. Mark the interface as connected to the outside.

Router(config-if)#ip nat outside



Configuration of Dynamic NAT

Router(config)# ip nat pool name start-ip end-ip {netmask netmask |
prefix-length prefix-length}

Defines a pool of global addresses to be allocated as needed

Router(config)# access-list access-list-number permit source [source
wildcard]
Defines a standard IP ACL permitting those inside local addresses that are to be
translated.

Router(config)# ip nat inside source list access-list-number pool name
Establishes dynamic source translation, specifying the ACL that was defined in
the prior step.

Steps for configuring dynamic inside source address translation:

1. Define a pool of global addresses to be allocated as needed.

Router(config)#ip nat pool name start-ip end-ip {netmask netmask |
prefix-length prefix-length}

Notes: Enter the no ip nat pool global command to remove the pool of global
addresses.

2. Define a standard ACL that will permit the addresses that are to be
translated.

Router(config)# access-list access-list-number permit source [source-wildcard]

Notes: Enter the no access-list access-list-number global command to remove
the ACL.

3. Establish dynamic source translation, specifying the ACL that was defined in
the prior step.

Router(config)# ip nat inside source list access-list-number pool name

Notes: Enter the no ip nat inside source global command to remove the dynamic
source translation.

4. Specify the inside interface.

Router(config)# interface type number

Notes: After you enter the interface command, the CLI prompt will change from
(config)# to (config-if)#.

5. Mark the interface as connected to the inside.

Router(config-if)#ip nat inside

6. Specify the outside interface.

Router(config-if)# interface type number

7. Mark the interface as connected to the outside.

Router(config-if)#ip nat outside



Configuring PAT

One of the main features of NAT is static PAT, which is also referred to as
overload in Cisco IOS configuration. Several internal addresses can be
translated using NAT into just one or a few external addresses by using PAT.
PAT uses unique source port numbers on the inside global IP address to
distinguish between translations. Because the port number is encoded in 16 bits,
the total number of internal addresses that NAT can translate into one external
address is, theoretically, as many as 65,536. PAT attempts to preserve the
original source port. If the source port is already allocated, PAT attempts to find
the first available port number. It starts from the beginning of the appropriate port
group, 0-511, 512-1023, or 1024-65535. If PAT does not find a port that is
available from the appropriate port group and if more than one external IP
address is configured, PAT will move to the next IP address and try to allocate
the original source port again. PAT continues trying to allocate the original source
port until it runs out of available ports and external IP addresses.

You can conserve addresses in the inside global address pool by allowing the
router to use one inside global address for many inside local addresses. When
this overloading is configured, the router maintains enough information from
higher-level protocols (for example, TCP or User Datagram Protocol (UDP) port
numbers) to translate the inside global address back into the correct inside local
address. When multiple inside local addresses map to one inside global address,
the TCP or UDP port numbers of each inside host distinguish between the local
addresses.
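The port-selection behaviour described in the two paragraphs above (preserve the original source port, fall back to the first free port in the same group, then move to the next inside global address) is easiest to understand as a translation table. The following is an added example, not code from the notes or from Cisco IOS: it implements that allocation order and the reverse lookup that lets return traffic reach the right inside host. The inside global addresses come from the documentation range 203.0.113.0/24 and the inside hosts are constructed.

```python
# Added example (not from the notes): a PAT (overload) translation table that
# follows the port-selection order described above. Addresses are constructed.

PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]


def port_group(port):
    """The range PAT searches when the original source port is already taken."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"port out of range: {port}")


class PatTable:
    """Overload translation table keyed on (inside local IP, source port)."""

    def __init__(self, inside_global_ips):
        self.global_ips = list(inside_global_ips)
        self.in_use = {ip: set() for ip in self.global_ips}
        self.forward = {}    # (local_ip, local_port) -> (global_ip, global_port)
        self.reverse = {}    # (global_ip, global_port) -> (local_ip, local_port)

    def translate(self, local_ip, local_port):
        """Outbound packet: return the inside global (ip, port) to rewrite it to."""
        key = (local_ip, local_port)
        if key in self.forward:
            return self.forward[key]          # an existing translation is reused
        low, high = port_group(local_port)
        for global_ip in self.global_ips:
            used = self.in_use[global_ip]
            if local_port not in used:
                chosen = local_port           # preserve the original source port
            else:
                # Otherwise take the first free port in the same port group.
                chosen = next((p for p in range(low, high + 1) if p not in used), None)
                if chosen is None:
                    continue                  # group exhausted: try the next global IP
            used.add(chosen)
            self.forward[key] = (global_ip, chosen)
            self.reverse[(global_ip, chosen)] = key
            return global_ip, chosen
        raise RuntimeError("out of ports and inside global addresses")

    def untranslate(self, global_ip, global_port):
        """Return traffic: map the inside global (ip, port) back to the inside host."""
        return self.reverse.get((global_ip, global_port))


def demo():
    """Constructed scenario: three inside hosts all using source port 1025, then
    a host whose port group (0-511) is exhausted on the first global address."""
    pat = PatTable(["203.0.113.1", "203.0.113.2"])
    results = [pat.translate(h, 1025) for h in ("10.0.0.11", "10.0.0.12", "10.0.0.13")]
    pat.in_use["203.0.113.1"].update(range(0, 512))      # simulate exhaustion of 0-511
    results.append(pat.translate("10.0.0.14", 80))
    return pat, results
```

In `demo()` the first host keeps port 1025, the second gets 1024 (the first free port in the 1024-65535 group), the third gets 1026, and the host using port 80 is moved to the second inside global address with its original port because the 0-511 group on the first address is full.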

Configuration

Router(config)# access-list access-list-number permit source [source-wildcard]
Defines a standard IP ACL that will permit the inside local addresses that are to
be translated

Router(config)# ip nat inside source list access-list-number interface
interface overload
Establishes dynamic source translation, specifying the ACL that was defined in
the prior step

To configure overloading of inside global addresses, perform the steps in
this table.

1. Define a standard ACL that will permit the addresses that are to be
translated.

Router(config)# access-list access-list-number permit source [source-wildcard]

Notes: Enter the no access-list access-list-number global command to remove
the ACL.

2. Establish dynamic source translation, specifying the ACL that was defined in
the prior step.

Router(config)# ip nat inside source list access-list-number interface
interface overload

Notes: Enter the no ip nat inside source global command to remove the dynamic
source translation. The keyword overload enables PAT.

3. Specify the inside interface and mark it as connected to the inside.

Router(config)# interface type number
Router(config-if)#ip nat inside

Notes: After you enter the interface command, the CLI prompt will change from
(config)# to (config-if)#.

4. Specify the outside interface and mark it as connected to the outside.

Router(config-if)# interface type number
Router(config-if)#ip nat outside


Verifying the NAT and PAT Configuration

Router# clear ip nat translation *
Clears all dynamic address translation entries from the NAT translation table.

Router# show ip nat translations
Displays active translations

Router# show ip nat statistics
Displays translation statistics

Use the debug ip nat command to verify the operation of the NAT feature by
displaying information about every packet that is translated by the router.

The debug ip nat detailed command generates a description of each packet
considered for translation. This command also outputs information about certain
errors or exception conditions, such as the failure to allocate a global address.
WAN Protocols

A WAN is different from a LAN. Unlike a LAN, which connects workstations,
peripherals, terminals, and other devices that are located within a single building
or other small geographic area, a WAN makes data connections across a broad
geographic area. Companies use the WAN to connect various company sites so
that information can be exchanged between distant offices. Because the cost of
building a global network to connect remote sites can be very high, WAN
services are generally leased from service providers. You must subscribe to an
outside WAN provider to use network resources that your organization does not
own. The service provider will transport your information via the portion of its
network that you lease.

WAN connection types

Leased line: A leased line, also known as a point-to-point or dedicated
connection, provides a single, preestablished WAN communication path from the
customer premises through a service provider network to a remote network. The
service provider reserves this connection for private use by the client. Leased
lines eliminate the issues that arise with a shared connection, but they are costly.
Leased lines are typically employed over synchronous serial connections up to
T3 speeds, operating at 45 Mbps.

Circuit-switched: Circuit switching is a switching system in which a dedicated
circuit path must exist between sender and receiver for the duration of the call.
Service provider networks use circuit switching to provide basic telephone
service or ISDN. Circuit-switched connections are commonly used in
environments that require only sporadic WAN usage. Circuit switching is typically
employed over an asynchronous serial connection.

Packet-switched: Packet switching is a WAN switching method in which
network devices share a common backbone to transport packets from a source
to a destination across a carrier network. Packet-switched networks use virtual
circuits (VCs) that provide end-to-end connectivity. Programmed switching
devices provide the physical connections. Packet headers generally identify the
destination. Packet switching offers services that are similar to those of leased
lines; however, the line is shared and the cost of the service is lower. Like leased
lines, packet-switched networks are often employed over serial connections with
speeds ranging from 56 kbps to T3 speeds (45 Mbps).

Layer 2 Encapsulation Protocols

On each WAN connection, data is encapsulated into frames before crossing the
WAN link. To ensure that the correct protocol is used, you will need to configure
the appropriate Layer 2 encapsulation type. The choice of protocol depends on
the WAN technology and the communicating equipment.

HDLC: The Cisco default encapsulation type on point-to-point connections,
dedicated links, and circuit-switched connections. HDLC is typically used when
two Cisco devices are communicating. HDLC is a bit-oriented synchronous data
link layer protocol.

PPP: Provides router-to-router and host-to-network connections over
synchronous and asynchronous circuits. PPP was designed to work with several
network layer protocols, including IP. PPP also has built-in security mechanisms,
such as Password Authentication Protocol (PAP) and Challenge Handshake
Authentication Protocol (CHAP).

Serial Line Internet Protocol (SLIP): A standard protocol for point-to-point
serial connections using TCP/IP. SLIP has been largely replaced by PPP.

X.25 and Link Access Procedure, Balanced (LAPB): These are International
Telecommunication Union Telecommunication Standardization Sector (ITU-T)
standards that define how connections between DTE and DCE are maintained
for remote terminal access and computer communications in public data
networks. X.25 specifies LAPB, a data-link layer protocol that manages the
communication between DTE and DCE, including packet framing, ordering, and
error checking. X.25 is a predecessor to Frame Relay.

Frame Relay: This is an industry standard, switched data-link layer protocol that
handles multiple VCs. It is a successor to X.25 that is streamlined to eliminate
some of the time consuming processes (such as error correction and flow
control) that were employed in X.25 to compensate for older, less-reliable
communication links.

ATM: This is the international standard for cell relay in which multiple service
types (such as voice, video, and data) are conveyed in fixed-length (53-byte)
cells. ATM, a cell switched technology, uses fixed-length cells, which allow
processing to occur in hardware, thereby reducing transit delays. ATM is
designed to take advantage of high-speed transmission media such as T3, E3,
and SONET.

Configuring Serial Point-to-Point Encapsulation

Overview

You can use serial point-to-point connections to connect your LAN to your
service provider WAN. You will most likely have serial point-to-point connections
within your network, between your network and a service

HDLC Encapsulation Configuration

HDLC is an ISO standard, bit-oriented, data-link layer protocol that encapsulates
data on synchronous serial data links. Standard HDLC does not inherently
support multiple protocols on a single link because it does not have a way to
indicate which protocol it is carrying. HDLC specifies a data encapsulation
method on synchronous serial links using frame characters and checksums.
Cisco offers a proprietary version of HDLC. The Cisco HDLC frame uses a
proprietary-type field that acts as a protocol field, which makes it possible for
multiple network layer protocols to share the same serial link.

Router(config-if)# encapsulation hdlc

This command enables HDLC encapsulation on the interface.

By default, Cisco devices use the Cisco HDLC serial encapsulation method on
synchronous serial lines. However, if the serial interface is configured with
another encapsulation protocol and you want to change the encapsulation back
to HDLC, enter the interface configuration mode of the interface that you want to
change. Use the encapsulation hdlc interface configuration command to specify
HDLC encapsulation on the interface. Cisco HDLC is a point-to-point protocol that
can be used on leased lines between two Cisco devices. When communicating with
a device from another vendor, synchronous PPP is a more viable option.
PPP (Point-to-Point Protocol)

Developers designed PPP to make the connection for point-to-point links. PPP,
described in RFCs 1661 and 1332, encapsulates network layer protocol
information over point-to-point links.

You can configure PPP on the following types of physical interfaces:
Asynchronous serial
Synchronous serial
High-Speed Serial Interface (HSSI)
ISDN

PPP uses its Network Control Program (NCP) component to encapsulate and
negotiate options for multiple network layer protocols. PPP uses another of its
major components, the link control protocol (LCP), to negotiate and set up control
options on the WAN data link.

PPP uses a layered architecture. With its lower-level functions, PPP can
use the following:

Synchronous physical media
Asynchronous physical media, such as basic telephone service for modem dial-up
connections
ISDN

PPP offers a rich set of services that control the setup of a data link. These
services are options in LCP. They are primarily negotiation and checking frame
options to implement the point-to-point controls that an administrator specifies for
the call.

With its higher-level functions, PPP carries packets from several network layer
protocols using its NCPs. The NCPs include functional fields containing
standardized codes to indicate the network layer protocol type that PPP
encapsulates.

PPP Configuration

This topic describes the different configuration options for PPP. Cisco routers
that use PPP encapsulation may include these LCP configuration options:

Authentication: Requires the calling side of the link to enter information to help
ensure that the caller has network administrator permission to make the call.
Peer routers exchange authentication messages.
Two alternatives are Password Authentication Protocol (PAP) and
Challenge Handshake Authentication Protocol (CHAP).
Compression: Increases the effective throughput on PPP connections by
reducing the amount of data in the original frame that must travel across the link.
The protocol decompresses the frame at its destination.
Two compression protocols available in Cisco routers are Stacker and Predictor.

Error detection: Identifies fault conditions on the link. The Quality and Magic
Number options help ensure a reliable, loop-free data link.

Multilink PPP (MLP): Provides load balancing over the router interfaces that
PPP uses. This feature is sometimes referred to as Multilink Protocol. Cisco IOS
Release 11.1 (and later releases) support MLP. MLP, as specified in RFC 1717,
provides packet fragmentation and sequencing that splits the load for PPP and
sends fragments over parallel circuits. In some cases, this bundle of MLP pipes
functions as a single logical link, improving throughput and reducing latency
between peer routers. RFC 1990, The PPP Multilink Protocol (MP), renders RFC
1717 obsolete.

PPP Authentication Protocols

This topic describes the two PPP authentication protocols.

PAP is a two-way handshake that provides a simple method for a remote node to
establish its identity. PAP is done only upon initial link establishment. After the
PPP link establishment phase is complete, a username and password pair are
repeatedly sent by the remote node to the router until authentication is
acknowledged or the connection is terminated. PAP is not a strong authentication
protocol. Passwords are sent across the link in clear text, which may be fine in
environments that use token-type passwords that change with each
authentication, but are not secure in most environments. Also, there is no
protection from playback or repeated trial-and-error attacks; the remote node is
in control of the frequency and timing of the login attempts.

CHAP uses a three-way handshake, which occurs at the startup of a link and
periodically thereafter to verify the identity of the remote node.
After the PPP link establishment phase is complete, the local router
sends a challenge message to the remote node. The remote node responds with
a value that is calculated using a one-way hash function (typically, Message
Digest 5 [MD5]) based on the password and challenge message. The local router
checks the response against its own calculation of the expected hash value. If
the values match, the authentication is acknowledged. Otherwise, the connection
is terminated immediately. CHAP provides protection against playback attack
through the use of a variable challenge value that is unique and unpredictable.
Because the challenge is unique and random, the resulting hash value will also
be unique and random. The use of repeated challenges is intended to limit
exposure to any single attack. The local router or a third-party authentication
server is in control of the frequency and timing of the challenges.


PPP Authentication Configuration

1. To enable PPP encapsulation, enter interface configuration mode. Use the
encapsulation ppp interface configuration command to specify PPP
encapsulation on the interface.

Router(config-if)# encapsulation ppp

2. Verify that each router has a host name assigned to it. To assign a host name,
enter the hostname name command in global configuration mode. This name
must match the username expected by the authenticating router at the other end
of the link.

Router(config)# hostname name

3. On each router, define the username and password to expect from the remote
router with the username name password password global configuration
command.

Router(config)# username name password password

4. Configure PPP authentication.

If you configure ppp authentication chap on an interface, all incoming calls on
that interface that initiate a PPP connection will be authenticated using CHAP.
Likewise, if you configure ppp authentication pap, all incoming calls that start a
PPP connection will be authenticated using PAP.

If you configure ppp authentication chap pap, the router will attempt to
authenticate all incoming calls that start a PPP session by using CHAP. If the
remote device does not support CHAP, the router will try to authenticate the call
by using PAP.

If you configure ppp authentication pap chap, the router will attempt to
authenticate all incoming calls that start a PPP session with PAP. If the remote
device does not support PAP, the access server will try to authenticate the call
using CHAP.

Router(config-if)# ppp authentication {chap | chap pap | pap chap | pap}
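To show how the CHAP handshake described earlier and the matching hostname/username entries of steps 2 and 3 fit together, here is an added Python model; it is not Cisco IOS code or anything from these notes, and the router names R1/R2, the password s3cret and the random challenge values are constructed for the example.

```python
"""Model of the PPP CHAP three-way handshake (RFC 1994) between two routers
whose hostnames must match the peer's `username` entries. Added example, not
Cisco code; names, passwords and challenge values are constructed."""
import hashlib
import os


class Router:
    """Minimal PPP peer: its hostname plus the `username name password pw` table."""

    def __init__(self, hostname, usernames):
        self.hostname = hostname      # sent as the Name field of CHAP packets
        self.usernames = usernames    # {peer hostname: shared password}

    def chap_challenge(self):
        """Step 1: the challenger sends an identifier, a random challenge and its name."""
        ident = os.urandom(1)[0]
        challenge = os.urandom(16)    # unique and unpredictable for every attempt
        return ident, challenge, self.hostname

    @staticmethod
    def _chap_hash(ident, secret, challenge):
        # RFC 1994: Response value = MD5(Identifier || secret || Challenge value)
        return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

    def chap_response(self, ident, challenge, challenger_name):
        """Step 2: the responder looks up the challenger's hostname to find the
        secret; only the hash crosses the link, never the password itself."""
        secret = self.usernames.get(challenger_name)
        if secret is None:
            return None               # no `username <challenger>` entry: cannot answer
        return ident, self._chap_hash(ident, secret, challenge), self.hostname

    def chap_verify(self, ident, challenge, response):
        """Step 3: the challenger recomputes the hash with the secret stored for
        the responder's hostname; any mismatch terminates the connection."""
        if response is None:
            return False
        resp_ident, resp_hash, responder_name = response
        secret = self.usernames.get(responder_name)
        if secret is None or resp_ident != ident:
            return False
        return resp_hash == self._chap_hash(ident, secret, challenge)


def chap_authenticate(local, remote):
    """One handshake: succeeds only if hostnames and passwords match on both ends."""
    ident, challenge, name = local.chap_challenge()
    return local.chap_verify(ident, challenge, remote.chap_response(ident, challenge, name))


def replay_is_rejected(local, remote):
    """A response captured from one handshake fails against the next challenge,
    which is why CHAP resists the playback attack that PAP does not."""
    ident1, chal1, name = local.chap_challenge()
    captured = remote.chap_response(ident1, chal1, name)
    ident2, chal2, _ = local.chap_challenge()
    return not local.chap_verify(ident2, chal2, captured)


def pap_request(remote, local_name):
    """For contrast, PAP: the remote node sends its name and password in clear text."""
    return remote.hostname.encode() + b":" + remote.usernames[local_name].encode()
```

A mismatched `hostname`, a missing `username` entry or a differing password all make `chap_authenticate` return False, which is the usual cause of a PPP link stuck in the authentication phase.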
Frame-Relay

Overview

Frame Relay is a connection-oriented data-link technology that is streamlined to
provide high performance and efficiency. For error protection, it relies on upper
layer protocols and dependable fiber and digital networks. Frame Relay defines
the interconnection process between the router and the service provider local
access switching equipment. It does not define how the data is transmitted within
the Frame Relay service provider cloud.

Devices attached to a Frame Relay WAN fall into the following two categories:

Data terminal equipment (DTE): Generally considered to be terminating
equipment for a specific network. DTE devices are typically located on the
premises of a customer and may be owned by the customer.
Examples of DTE devices are Frame Relay access devices (FRADs), routers,
and bridges.

Data circuit-terminating equipment (DCE): Carrier-owned internetworking
devices. The purpose of DCE devices is to provide clocking and switching
services in a network and transmit data through the WAN. In most cases, the
switches in a WAN are Frame Relay switches.

Frame Relay provides a means for statistically multiplexing many logical data
conversations (referred to as virtual circuits [VCs]) over a single physical
transmission link by assigning connection identifiers to each pair of DTE devices.
The service provider switching equipment constructs a switching table that maps
the connection identifier to outbound ports. When a frame is received, the
switching device analyzes the connection identifier and delivers the frame to the
associated outbound port. The complete path to the destination is established
prior to the transmission of the first frame.

Frame Relay Terminology

The terms described here may be the same or slightly different from the terms
your Frame Relay service provider uses. Some terms that are used frequently
when discussing Frame Relay are as follows:

Local access rate: Clock speed (port speed) of the connection (local loop) to the
Frame Relay cloud. It is the rate at which data travels into or out of the network,
regardless of other settings.

VC: Logical circuit, uniquely identified by a data-link connection identifier (DLCI),
that is created to ensure bidirectional communication from one DTE device to
another. A number of VCs can be multiplexed into a single physical circuit for
transmission across the network. This capability can often reduce the complexity
of equipment and network that is required to connect multiple DTE devices. A VC
can pass through any number of intermediate DCE devices (Frame Relay
switches). A VC can be either a permanent virtual circuit (PVC) or a switched
virtual circuit (SVC).

PVC: Provides permanently established connections that are used for frequent
and consistent data transfers between DTE devices across the Frame Relay
network. Communication across a PVC does not require the call setup and call
teardown that is used with an SVC.

SVC: Provides temporary connections that are used in situations requiring only
sporadic data transfer between DTE devices across the Frame Relay network.
SVCs are dynamically established on demand and are torn down when
transmission is complete.

DLCI: Contains a 10-bit number in the address field of the Frame Relay frame
header that identifies the VC. DLCIs have local significance because the
identifier references the point between the local router and the local Frame Relay
switch that the DLCI is connected to. Therefore, devices at opposite ends of a
connection can use different DLCI values to refer to the same virtual connection.

Committed information rate (CIR): Specifies the maximum average data rate
that the network undertakes to deliver under normal conditions. When subscribing
to Frame Relay service, you will specify the local access rate (for example, 56
kbps or T1). Typically, you will also be asked to specify a CIR for each DLCI. If
you send faster than the CIR on a given DLCI, the network will flag some frames
with a discard eligible (DE) bit. The network will do its best to deliver all packets,
but will discard any DE packets first if there is congestion. Many inexpensive
Frame Relay services are based on a CIR of zero. A CIR of zero means that
every frame is a DE frame, and the network will throw any frame away when it
needs to. The DE bit is within the address field of the Frame Relay frame header.

Inverse Address Resolution Protocol (Inverse ARP): A method of dynamically
associating the remote router network layer address with a local DLCI. Inverse
ARP allows a router to automatically discover the network address of the remote
DTE device associated with a VC.

LMI: A signaling standard between the router (DTE device) and the local Frame
Relay switch (DCE device) that is responsible for managing the connection and
maintaining status between the router and the Frame Relay switch.

Forward explicit congestion notification (FECN): A bit in the address field of
the Frame Relay frame header. The FECN mechanism is initiated when a DTE
device sends Frame Relay frames into the network. If the network is congested,
DCE devices (Frame Relay switches) set the FECN bit value of the frames to
one. When these frames reach the destination DTE device, the address field
(with the FECN bit set) indicates that these frames experienced congestion in the
path from source to destination. The DTE device can relay this information to a
higher-layer protocol for processing. Depending on the implementation, flow
control may be initiated or the indication may be ignored.

Backward explicit congestion notification (BECN): A bit in the address field of
the Frame Relay frame header. DCE devices set the value of the BECN bit to 1
in frames that travel in the opposite direction of frames that have their FECN bit
set. Setting BECN bits to 1 informs the receiving DTE device that a particular
path through the network is congested. The DTE device can then relay this
information to a higher-layer protocol for processing. Depending on the
implementation, flow control may be initiated or the indication may be ignored.
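The DLCI, DE, FECN and BECN fields described above all live in the two-byte Frame Relay address field. The following added Python example (not Cisco code or part of these notes) decodes that field using the Q.922 bit layout and tallies congestion marks per DLCI; the sample frames are constructed.

```python
"""Decode the two-byte Frame Relay address field (Q.922 layout) that carries
the DLCI, FECN, BECN and DE bits, and tally them per VC. Added example, not
Cisco code; the sample frames are constructed."""


def parse_address(hdr):
    """Split a 2-byte Q.922 address into DLCI (10 bits), C/R, FECN, BECN, DE
    and the two EA (extended address) bits."""
    if len(hdr) < 2:
        raise ValueError("address field needs at least 2 bytes")
    b0, b1 = hdr[0], hdr[1]
    return {
        "dlci": ((b0 >> 2) << 4) | (b1 >> 4),  # 6 high bits from byte 0, 4 low from byte 1
        "cr": (b0 >> 1) & 1,                   # command/response, unused by Frame Relay
        "ea0": b0 & 1,                         # 0 means another address byte follows
        "fecn": (b1 >> 3) & 1,
        "becn": (b1 >> 2) & 1,
        "de": (b1 >> 1) & 1,                   # discard eligible
        "ea1": b1 & 1,                         # 1 means this is the last address byte
    }


def build_address(dlci, fecn=0, becn=0, de=0, cr=0):
    """Inverse of parse_address; used here only to construct sample frames."""
    if not 0 <= dlci < 1024:
        raise ValueError("DLCI is a 10-bit value")
    b0 = ((dlci >> 4) << 2) | (cr << 1)                                   # EA = 0
    b1 = ((dlci & 0xF) << 4) | (fecn << 3) | (becn << 2) | (de << 1) | 1  # EA = 1
    return bytes([b0, b1])


def congestion_summary(frames):
    """Per-DLCI counts of frames and of FECN, BECN and DE marks, the same
    figures that show frame-relay pvc reports for a PVC."""
    stats = {}
    for frame in frames:
        a = parse_address(frame)
        if a["ea0"] != 0 or a["ea1"] != 1:
            continue                           # not a plain 2-byte address: skip it
        s = stats.setdefault(a["dlci"], {"frames": 0, "fecn": 0, "becn": 0, "de": 0})
        s["frames"] += 1
        s["fecn"] += a["fecn"]
        s["becn"] += a["becn"]
        s["de"] += a["de"]
    return stats


# Constructed sample: four frames on DLCI 100 and one on DLCI 16; only the
# address bytes are included because only the header is decoded.
SAMPLE_FRAMES = [
    build_address(100),
    build_address(100, fecn=1),          # congestion seen in the forward direction
    build_address(100, becn=1, de=1),    # congestion on the return path; frame exceeded CIR
    build_address(100, de=1),
    build_address(16, de=1),
]
```

Because the DLCI is only locally significant, the counts are per local DLCI; the far-end router may report the same VC under a different number.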

Frame Relay Address Mapping

A Frame Relay connection requires that on a VC, the local DLCI be mapped to a
destination network layer address, such as an IP address. Routers can
automatically discover their local DLCI from the local Frame Relay switch using
the LMI protocol. On Cisco routers, the local DLCI can be automatically mapped
to the remote router network layer addresses dynamically with Inverse ARP.
Inverse ARP associates a given DLCI to the next-hop protocol address for a
specific connection. Inverse ARP is described in RFC 1293.

Frame Relay Signaling

The LMI is a signaling standard between the router and the Frame Relay switch.
The LMI is responsible for managing the connection and maintaining the status
between the devices. Although the LMI is configurable, beginning in Cisco IOS
Release 11.2, the Cisco router tries to autosense which LMI type the Frame
Relay switch is using. The router sends one or more full LMI status requests to
the Frame Relay switch. The Frame Relay switch responds with one or more LMI
types, and the router configures itself with the last LMI type received. Three types
of LMIs are supported as follows:

Cisco: LMI type defined jointly by Cisco, StrataCom, Northern Telecom, and
Digital Equipment Corporation
ANSI: Annex D, defined by the ANSI standard T1.617
Q.933A: ITU-T Q.933 Annex A

An administrator setting up a connection to a Frame Relay network may choose
the appropriate LMI from the three supported types to ensure proper Frame
Relay operation. When the router receives LMI information, it updates its VC
status to one of the following three states:

Active state: Indicates that the VC connection is active and that routers can
exchange data over the Frame Relay network

Inactive state: Indicates that the local connection to the Frame Relay switch is
working, but the remote router connection to the remote Frame Relay switch is
not working

Deleted state: Indicates that either no LMI is being received from the Frame
Relay switch or there is no service between the router and local Frame Relay
switch.

Monitoring Frame Relay

Show Frame-Relay Lmi

The show frame-relay lmi command will give you the LMI traffic statistics
exchanged between the local router and the Frame Relay switch.

Show Frame-Relay Pvc

The show frame pvc command will list all configured PVCs and DLCI numbers. It
provides the status of each PVC connection and traffic statistics. It will also give
you the number of BECN and FECN packets received on the router.

Show Interface

We can also use the show interface command to check for LMI traffic. The show
interface command displays information about the encapsulation as well as layer
2 and layer-3 information.

Show Frame Map

The show frame map command will show you the Network layer-to-DLCI
mappings.
