Network Handout PDF
(CCNA) Handout
Networking Level – 1
Basics of Networking
Network
A network can be described as devices connected together to share information, resources and services.
Some types of data or services that can be shared on a network are documents, music, email,
websites, databases, printers, faxes, telephony, videoconferencing, etc.
As a network grows, traffic also increases and the flow becomes inefficient and overloaded. Devices
like routers, switches and bridges perform segmentation to manage the traffic flow.
Protocols are sets of rules which define the method by which devices share data and services.
LAN (Local Area Network) - a high-speed network that covers a relatively small geographic area.
WAN (Wide Area Network) – a WAN is a collection of networks that spans large geographical
locations, usually to interconnect multiple LANs.
MAN (Metropolitan Area Network) - a MAN is defined as a network that spans several LANs
across a city-wide geographic area.
CAN (Campus Area Network) - a CAN is defined as a network that is confined within a campus
area.
PAN (Personal Area Network) - a personal area network (PAN) is the interconnection of
information technology devices within the range of an individual person. Example: connecting a
mobile phone or PDA to a laptop.
Network Types:
• Peer-to-Peer networks
• Client/Server networks
• Mainframe/Terminal networks
When using client/server architecture, hosts are assigned specific roles. Clients request data
and services stored on servers. Example: connecting Windows XP workstations to a Windows
2003 domain.
The advantage is that the data is now centrally located on a server or servers, so there is only one
entity or a few entities to manage, back up, and secure the data; this is also more scalable.
The disadvantage is that the server is a single point of failure, but this can be overcome by using
clustering.
The Open Systems Interconnection (OSI) model was developed in the early 1970s and
formulated in 1983 by the International Organization for Standardization (ISO). It was the first
networking model, and provided the framework governing how information is sent across a
network. It is a set of guidelines for communication between two end users.
The OSI Model consists of seven layers, each corresponding to a particular network function:
Layer 7 Application
Layer 6 Presentation
Layer 5 Session
Layer 4 Transport
Layer 3 Network
Layer 2 Data Link
Layer 1 Physical
A more practical model was developed by the Department of Defense, and became the basis for
the TCP/IP protocol suite.
The Application layer (Layer 7) provides the actual interface between the user application
and the network. This is the layer with which the user directly interacts. This layer ensures that the
remote communication peer is available and agrees upon data integrity, privacy, etc. Examples
of application layer protocols include:
• FTP (via an FTP client)
• HTTP (via a web-browser)
• SMTP (via an email client)
• Telnet
The Presentation layer (Layer 6) controls the formatting of user data, whether it is text,
video, sound, or an image. The presentation layer ensures that data from the sender to the receiver
is in an understandable format. This layer also performs encryption and compression of data.
Examples of presentation layer formats include:
• Text (RTF, ASCII, EBCDIC)
• Music (MIDI, MP3, WAV)
• Images (GIF, JPG, TIF, PICT)
• Movies (MPEG, AVI, MOV)
The four layers below the upper layers are referred to as the lower layers.
The Transport layer (Layer 4) is concerned with the reliable transfer of data, end-to-end.
This layer transports data in one of two ways: connection-oriented (reliable) or
connectionless (unreliable).
Flow Control (Windowing) – dictates how much data can be sent between
acknowledgements.
TCP uses a series of acknowledgements to enforce flow control. When a router receives a packet,
it sends an acknowledgement back to the sender. If the sender does not receive an acknowledgement,
the segment will be resent and reassembled in the correct order at the receiver.
Congestion Control:
This prevents the receiver's buffer from being overloaded, since packets that are not received
due to a full buffer are not acknowledged.
Error-Checking:
The transport layer does not actually send data. Instead, it segments data into smaller pieces for
transport. Each segment is assigned a sequence number, so that the receiving device can
reassemble the data on arrival.
Examples of transport layer protocols include Transmission Control Protocol (TCP) and User
Datagram Protocol (UDP).
Windowing:
The term refers to data sent during the time after the sender has sent a packet, but before it completes
processing the acknowledgement it receives.
The window size is the number of packets the sender can transmit before it must wait for an
acknowledgement. Sliding windows simply means changing the window size dynamically based on
the traffic.
Examples: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). Sequenced
Packet Exchange (SPX) is the transport layer protocol in the IPX protocol suite.
[Figures: TCP header and UDP header layouts (not reproduced)]
TCP and UDP use ports to identify the different types of service:

Port   Protocol   Service
       TCP        FTP
       TCP        SSH
23     TCP        TELNET
25     TCP        SMTP
53     UDP        DNS
80     TCP        HTTP
110    TCP        POP3
443    TCP        SSL
666    TCP        DOOM
The Network layer (Layer 3) has two key responsibilities. First, this layer controls the logical
addressing of devices. Logical addresses are organized as a hierarchy, and are not embedded on
devices. Second, the network layer determines the best path to a particular destination network,
and routes the data appropriately.
Examples: Internet Protocol (IP) and Internetwork Packet Exchange (IPX).
A routed protocol is one that is routed, such as IP; a routing protocol is one that determines
the path by exchanging routes.
A frame contains a source and destination hardware or physical address. Hardware addresses
usually contain no hierarchy, and are often hard-coded on a device. Each device must have a
unique hardware address on the network.
As data is passed from the Application layer down the virtual layers of the OSI model, each of
the lower layers adds a header or trailer containing protocol information specific to that layer.
These headers are called Protocol Data Units (PDUs), and the process of adding them
is called encapsulation.
Order of Encapsulation:
The following illustrates the OSI model in more practical terms, using an FTP request as an example:
• The format of the data being accessed is a Presentation layer function. Common data formats
on the Internet include HTML, XML, PHP, GIF, JPG, ASCII etc. Additionally, any encryption or
compression mechanisms used on an FTP page are a function of this layer.
• The Session layer establishes the connection between the requestor and the FTP server. It
determines whether the communication is half-duplex or full-duplex.
Since FTP is the protocol used, it relies on TCP for connection-oriented data transfer.
• The TCP protocol ensures the reliable delivery of data from the FTP server to the client. These
are functions of the Transport layer.
Here, before sending the data, a three-way handshake is performed, for which TCP relies on
IP to send the SYN packet to the destination, receive the SYN,ACK packet from the destination
and send back an ACK packet before sending the FTP request data.
• The logical addresses, in this case the IP addresses configured on the client and the FTP server,
are a Network layer function. Additionally, the routers that determine the best path from the client
to the FTP server operate at this layer.
The network layer relies on the Data Link layer to identify the Layer 3 to Layer 2 mapping,
using ARP.
Note: ARP is used when a device wants to map a known IP address to an unknown MAC address.
When a device learns a MAC address it builds and maintains an ARP cache table. The device looks
up the ARP cache for the proper MAC address; if it is not found, it sends an ARP broadcast with the
known IP address and receives an ARP reply from the destination with the required MAC address.
• The actual cabling, network cards, hubs, and other devices that provide the physical connection
between the client and the web server operate at the Physical layer.
Ethernet has become the standard technology used in LAN networking. It is a transmission
method where each host on the network shares bandwidth on the link. There are different IEEE
categories of Ethernet:
802.3 - Ethernet (10 Mbps)
802.3u - Fast Ethernet (100 Mbps)
802.3z or 802.3ab - Gigabit Ethernet (1000 Mbps)
Half-Duplex
In half duplex, devices can either transmit or receive data, but not simultaneously. Devices connected
to a hub operate at half-duplex.
Full-Duplex
Full-duplex allows devices to both transmit and receive at the same time. Devices connected to a
switch can operate at full-duplex.
Twisted-Pair Cabling
Twisted-pair cable contains 2 or 4 pairs of wire, which are twisted around each other to reduce
crosstalk. Crosstalk is a form of electromagnetic interference (EMI) that reduces the strength and
quality of the signal. Twisted-pair cabling can be either shielded or unshielded.
There are various categories of twisted-pair cable, identified by the number of twists per inch.
[Figures: straight-through cable and crossover cable pin-outs (not reproduced)]
Before knowing the difference between different networking devices, let us define two terms
Broadcast Domain and Collision Domain.
Broadcast Domain:
A set of networking devices that will receive all broadcasts sent on that segment. A broadcast
message does not have a specific destination, and will be received by every single device. If there
are too many devices in the broadcast domain, congestion can occur.
Collision Domain:
Any part of the network where there is a possibility that packets from two or more nodes will
interfere with each other is considered to be part of the same collision domain.
A network with a large number of nodes on the same segment will often have a lot of collisions
and therefore a large collision domain.
Hubs are Layer 1 devices that physically connect network devices together for communication.
Hubs do not look at the Data-Link header, and thus cannot make intelligent forwarding decisions
based on MAC address. Thus, hubs will always forward every frame, including unicasts, out every
port, excluding the port that the frame originated from. Hubs are basically multiport repeaters. A hub
cannot be used to break up a broadcast domain or a collision domain.
Repeaters are used to regenerate an electrical signal to allow the signal to travel long distances.
Bridges are used to break up collision domains but not broadcast domains.
Switches are basically highly intelligent bridges. Switches also offer many more ports than a
bridge. Switches break up collision domains by logically placing hosts into their own, smaller
collision domains. Consider an Ethernet network with 50 hosts. Using CSMA/CD, if one host is
transmitting then the other 49 hosts cannot transmit. Switches can be used to create virtual
networks, each containing a smaller number of hosts. In a network of 10 hosts, if switches are
used, one host transmitting data would not affect the other nine users in that virtual
network. The chance of collisions decreases as well. Both bridges and switches operate at
Layer 2 of the OSI model.
A router breaks up a broadcast domain due to one simple rule: routers do not forward broadcasts.
Routers also break up collision domains, but not by default. Routers operate at Layer 3 of the OSI
model.
SWITCHING
Switches build CAM (Content Addressable Memory) tables to make intelligent forwarding
decisions on frames. The MAC address table maintains a list of MAC addresses and the switch
port each MAC is associated with.
When a Layer-2 switch is first powered on, it behaves much like a hub. The switch will flood
every frame, including unicasts, out every port except for the port the frame was received on.
The switch will then build a MAC address table by looking at the source MAC address of each
frame.
Layer-2 switches will forward a broadcast or multicast out every port, except for the port the
broadcast or multicast was received on.
Only Layer-3 devices can break apart broadcast domains. Because of this, Layer-2 switches are
not well suited for large, scalable networks. Layer-2 switches make forwarding decisions solely
based on Data-Link layer MAC addresses, and cannot differentiate between networks, for which
routers are a must.
In the above diagram, Comp-A is attached to interface E0 and Comp-B is attached to interface
E1. When Comp-A sends a frame to Comp-B, the switch will add Comp-A's MAC address to
its table and associate it with port E0. Since the switch does not have the MAC address of Comp-B in its
CAM table, it will flood the frame out all ports except the one on which it was received, and
it will get a reply only from Comp-B. Once it receives a frame from Comp-B, the switch will add
Comp-B's MAC address to its table and associate it with port E1. From then on, any frame from Comp-A
to Comp-B received on port E0 will be sent out only through port E1.
A switch is always in a perpetual state of learning. However, as the MAC address table becomes
populated, the flooding of frames will decrease, allowing the switch to perform more intelligent
forwarding decisions.
These forwarding decisions are made at wire speed, due to specialized hardware circuits called
ASICs (Application-Specific Integrated Circuits).
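As an added illustration (not part of the handout), the following Python simulation replays the learning, flooding and filtering behaviour described above; the port names E0 to E2 and the MAC addresses are constructed for the example.

```python
"""Simulation of Layer-2 switch MAC learning and forwarding (added example).

Constructed scenario: Comp-A on port E0, Comp-B on port E1, a third host on E2.
"""
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed MAC addresses for the hosts in the handout's example.
COMP_A = "00:11:22:33:44:aa"
COMP_B = "00:11:22:33:44:bb"
COMP_C = "00:11:22:33:44:cc"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    """A Layer-2 switch with a MAC (CAM) table keyed by source address."""

    def __init__(self, ports: List[str]) -> None:
        self.ports = list(ports)
        self.cam: Dict[str, str] = {}      # MAC address -> port it was learned on
        self.flooded = 0                   # how many frames had to be flooded

    def receive(self, in_port: str, src: str, dst: str) -> List[str]:
        """Process one frame and return the list of ports it is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # Learning: the source MAC is associated with the ingress port. A host
        # that moves to another port simply overwrites its old entry.
        self.cam[src] = in_port
        # Broadcast/multicast and unknown unicast are flooded out every port
        # except the one the frame arrived on (the "behaves like a hub" case).
        if is_group_address(dst) or dst not in self.cam:
            self.flooded += 1
            return [p for p in self.ports if p != in_port]
        out_port = self.cam[dst]
        # Known destination on the same segment as the sender: filter (drop).
        return [] if out_port == in_port else [out_port]


def walk_through() -> Dict[str, List[str]]:
    """Replays the handout's Comp-A / Comp-B exchange and records each decision."""
    sw = Switch(["E0", "E1", "E2"])
    steps: Dict[str, List[str]] = {}
    steps["A->B (B unknown)"] = sw.receive("E0", COMP_A, COMP_B)   # flooded to E1, E2
    steps["B->A (A known)"] = sw.receive("E1", COMP_B, COMP_A)     # only to E0
    steps["A->B (B known)"] = sw.receive("E0", COMP_A, COMP_B)     # only to E1
    steps["C broadcast"] = sw.receive("E2", COMP_C, BROADCAST)     # always flooded
    steps["cam"] = [f"{mac}={port}" for mac, port in sorted(sw.cam.items())]
    return steps


if __name__ == "__main__":
    for step, ports in walk_through().items():
        print(f"{step:20s} -> {ports}")
```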
Switching Methods:
Switches support three methods of forwarding frames.
The Cut-Through method reads only the header of a frame to determine its destination address.
This method transfers frames at wire speed, and has the least latency. No error checking is
attempted when using the cut-through method.
FragmentFree – a modified cut-through method that reads only the first 64 bytes of a frame,
which is the minimum size of an Ethernet frame. Most collisions or corruption occur in the first 64
bytes of a frame.
The Store-and-Forward method reads the entire frame, and performs a Cyclic Redundancy Check (CRC) to
ensure complete reliability. However, this additional error-checking causes store-and-forward to have the
highest latency of any of the switching methods.
By default, a switch will forward a broadcast or multicast out all ports, except for the port the
broadcast or multicast was received on.
When a loop is introduced into the network, a highly destructive broadcast storm can
develop within seconds. Broadcast storms occur when broadcasts are endlessly switched
through the loop, choking off all other traffic.
If the computer connected to Switch 3 sends out a broadcast, the switch will forward the
broadcast out all ports, including the ports connecting to Switch 1 and Switch 4. Those
switches, likewise, will forward that broadcast out all ports, including to their neighboring
switches.
The broadcast will loop around the switches infinitely. In fact, there will be two separate
broadcast storms cycling in opposite directions through the switching loop. Only
powering off the switch or physically removing the loop will stop the storm. Along with
this, a loop creates problems such as inconsistency in the CAM table and multiple copies of frames
reaching the gateway. To avoid all these, the Spanning Tree Protocol is used.
STP Process
Elect a Root Bridge, which serves as the centralized point of the STP topology. Good design
practice dictates that the Root Bridge be placed closest to the center of the STP topology.
The Root Bridge is determined by a switch's priority. The default priority is 32,768, and
the lowest priority wins. In case of a tie in priority, the switch with the lowest MAC
address will be elected root bridge. The combination of a switch's priority and MAC
address make up that switch's Bridge ID.
In the above example:
Switches 1 to 4 have the default priority set. However, Switch 1 will become the root bridge,
as it has the lowest MAC address.
Switches exchange BPDUs to perform the election process. By default, all switches believe
they are the Root Bridge, until a switch with a lower Bridge ID is discovered.
Root Bridge elections are a continuous process. If a new switch with a lower Bridge ID is
added to the topology, it will be elected as the new Root Bridge.
Root Ports are the ports on each switch that have the lowest path cost to get to the Root Bridge.
Each switch has only one Root Port, and the Root Bridge cannot have a Root Port.
Path Cost is a cumulative cost based on the bandwidth of the links. The higher the bandwidth,
the lower the Path Cost:

Bandwidth   Cost
4 Mbps      250
10 Mbps     100
16 Mbps     62
100 Mbps    19
Assume the links between all switches are 100Mbps Ethernet, with a Path Cost of 19.
Each switch will identify the port with the least cumulative Path Cost to get to the Root
Bridge. For Switch 2, the port leading up to Switch 1 has a Path Cost of 19, and becomes
the Root Port. For Switch 3, the port leading up to Switch 1 has a Path Cost of 19, and
becomes the Root Port.
For Switch 4, the port leading up to Switch 1 via Switch 2 and the port via Switch 3 both have a
Path Cost of 38, so the lowest sender Bridge ID (of Switch 2 or Switch 3) becomes the tie
breaker; hence for Switch 4, the port leading up to Switch 1 via Switch 2 becomes
the Root Port.
Ports on the Root Bridge are never placed in a blocking state, and hence all ports originating
from the Root Bridge become Designated Ports for their directly attached segments.
For the network segments between Switches 1 and 3, and between Switches 1 and 2,
Switch 1's port will become the Designated Port. The network segments between
Switches 2 and 4, and between Switches 3 and 4, also each require a Designated Port. The
ports on Switch 2 and Switch 3 have the lowest Path Cost to the Root Bridge for the two
respective segments, and thus both become Designated Ports.
The segment between Switch 3 and Switch 4 does not contain a Root Port, but one of the
ports must be elected the Designated Port for that segment. Switch 3 has the lowest
Path Cost to the Root Bridge and hence its port becomes the Designated Port; the other port,
on Switch 4, must be placed in a blocking state.
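As an added example (not from the handout), this Python model runs the election, path-cost and port-role rules above over the four-switch topology the text describes; the switch MAC addresses are constructed so that Switch 1 has the lowest Bridge ID.

```python
"""STP root bridge election and port roles (added example, not from the handout).

Constructed topology matching the handout's description: SW1-SW2, SW1-SW3,
SW2-SW4 and SW3-SW4, all 100 Mbps links, all switches at default priority,
SW1 having the lowest MAC address.
"""
from typing import Dict, List, Optional, Tuple

# Path cost per link bandwidth (Mbps), as listed in the handout.
PATH_COST = {4: 250, 10: 100, 16: 62, 100: 19}

Link = Tuple[str, str, int]            # (bridge, bridge, bandwidth in Mbps)
BridgeId = Tuple[int, str]             # (priority, MAC); the lower tuple wins


class Bridge:
    def __init__(self, name: str, mac: str, priority: int = 32768) -> None:
        self.name, self.mac, self.priority = name, mac, priority

    @property
    def bridge_id(self) -> BridgeId:
        return (self.priority, self.mac)


def elect_root(bridges: List[Bridge]) -> Bridge:
    """Lowest priority wins; a tie on priority is broken by the lowest MAC."""
    return min(bridges, key=lambda b: b.bridge_id)


def root_path_costs(bridges: List[Bridge], links: List[Link]) -> Dict[str, Tuple[int, Optional[str]]]:
    """Return {bridge: (cumulative cost to root, neighbour the root port faces)}.

    Equal-cost paths are broken by the lower sender (neighbour) Bridge ID, as
    the handout does for Switch 4. Relaxation repeats until nothing changes.
    """
    by_name = {b.name: b for b in bridges}
    root = elect_root(bridges)
    best: Dict[str, Tuple[int, Optional[str]]] = {root.name: (0, None)}
    changed = True
    while changed:
        changed = False
        for a, b, mbps in links:
            for me, nb in ((a, b), (b, a)):
                if me == root.name or nb not in best:
                    continue
                cand = (best[nb][0] + PATH_COST[mbps], by_name[nb].bridge_id)
                cur = best.get(me)
                if cur is None or cand < (cur[0], by_name[cur[1]].bridge_id):
                    best[me] = (cand[0], nb)
                    changed = True
    return best


def port_roles(bridges: List[Bridge], links: List[Link]) -> Tuple[str, Dict[Tuple[str, str], str]]:
    """Assign each port (bridge, neighbour) one of: designated, root, blocking."""
    by_name = {b.name: b for b in bridges}
    best = root_path_costs(bridges, links)
    roles: Dict[Tuple[str, str], str] = {}
    for a, b, _ in links:
        # The designated port on a segment belongs to the bridge with the lowest
        # cost to the root; the root bridge (cost 0) therefore wins every segment.
        designated = min((a, b), key=lambda n: (best[n][0], by_name[n].bridge_id))
        other = b if designated == a else a
        roles[(designated, other)] = "designated"
        # The non-designated end is either that bridge's root port or is blocked.
        roles[(other, designated)] = "root" if best[other][1] == designated else "blocking"
    return elect_root(bridges).name, roles


def handout_topology() -> Tuple[List[Bridge], List[Link]]:
    bridges = [Bridge(f"SW{i}", f"00:00:00:00:00:0{i}") for i in range(1, 5)]
    links: List[Link] = [("SW1", "SW2", 100), ("SW1", "SW3", 100),
                         ("SW2", "SW4", 100), ("SW3", "SW4", 100)]
    return bridges, links


if __name__ == "__main__":
    bridges, links = handout_topology()
    root, roles = port_roles(bridges, links)
    print("root bridge:", root)
    for (sw, nb), role in sorted(roles.items()):
        print(f"{sw} port towards {nb}: {role}")
```

The test below also adds a fifth switch with a lower priority to show the continuous-election property the handout mentions: it immediately takes over as root.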
Electing Root Port if the Bridge ID and the Port Cost is same
Blocking – The default state of an STP port when a switch is powered on. Ports in a
blocking state do not forward frames or learn MAC addresses, but they still listen for BPDUs
from other switches.
Listening – A port will progress from a Blocking to a Listening state only if the switch
believes that the port will not be shut down to eliminate a loop. The port will listen for
BPDUs to participate in the election of a Root Bridge, Root Ports, and Designated
Ports. Ports in a listening state will not forward frames or learn MAC addresses.
Learning – After a brief period of time, called the Forward Delay, a port in a listening
state will be elected either a Root Port or a Designated Port, and placed in a learning state.
Ports in a learning state listen for BPDUs, and also begin to learn MAC addresses.
However, ports in a learning state will still not forward frames.
Forwarding – After another Forward Delay, a port in learning mode will be placed in
forwarding mode. Ports in a forwarding state can send and receive all data frames, and
continue to build the MAC address table. All designated, root, and non-uplink ports will
eventually be placed in a forwarding state.
Disabled – A port in the disabled state has been administratively shut down, and does not participate
in STP or forward frames at all.
On average, a port in a blocking state will take approx. 50 seconds to reach a forwarding state.
STP Timers
• Hello Timer – Default is 2 seconds. Indicates how often BPDUs are sent by switches.
• Forward Delay – Default is 15 seconds. This timer indicates a delay period in both the
listening and learning states of a port, for a total of 30 seconds.
• Max Age – Default is 20 seconds. Indicates how long a switch will keep BPDU information
from a neighboring switch before discarding it.
Section 7
There are two types of addressing: Hardware Addressing and Logical Addressing.
Hardware Addressing
The hardware address is used by devices to communicate on the local network. Hardware
addressing is a function of the data-link layer of the OSI model (Layer-2). The hardware
address for Ethernet networks is the MAC address, a 48-bit hexadecimal address that is
usually hardcoded on the network card. The first six hexadecimal digits of a MAC identify
the manufacturer of the network card (referred to as the OUI, Organizationally Unique
Identifier), and the last six digits identify the host device (referred to as the host ID).
Logical Addressing
Logical addressing is a function of the Network layer (Layer 3) of the OSI Model. Logical addresses
provide a hierarchical structure to separate networks. A logical address identifies not only
a unique Host ID, but also the network that host belongs to. Additionally, logical addresses
are rarely hard-coded onto hosts, and can be changed freely.
IPv4 Addressing
An IP address is separated into four octets and represented in decimal as 192.168.10.
Each octet is 8 bits long, resulting in a 32-bit IP address. A computer understands an IP
address in its binary form; the above address in binary would look as follows:
11000000.10101000.00001010.00000001
In the above IP address one part identifies the network and the other part identifies
the host. A subnet mask helps make this distinction.
Hosts on the same logical network will have identical network addresses, and can communicate
freely. For example, the following two hosts are on the same network:
Host A: 192.168.10.1 255.255.255.0
Host B: 192.168.10.2 255.255.255.0
Both share the same network address of 192.168.10., which is determined by the 255.255.255.0
subnet mask.
Hosts that are on different networks cannot communicate without an intermediating device.
For example:
Host A: 192.168.10.1 255.255.255.0
Host B: 192.168.11.1 255.255.255.0
IP Address Classes
The IPv4 address has three classes of Addresses. The value of the first octet of an address
determines the class of the network:
Class A networks range from 1 to 127. The default subnet mask is 255.0.0.0; thus, by
default, the first octet defines the network, and last three octets define the host. This
results in a maximum of 127 Class A networks, with 16,777,214 hosts per network.
Class A address: Address: 10.0.0.1, Subnet Mask: 255.0.0.0
Class B networks range from 128 to 191. The default subnet mask is 255.255.0.0; thus,
by default, the first two octets define the network, and the last two octets define the host.
Class C networks range from 192 to 223. The default subnet mask is 255.255.255.0;
thus, by default, the first three octets define the network, and the last octet defines the
host. This results in a maximum of 2,097,152 Class C networks, with 254 hosts per
network. Class C address: Address: 192.168.10.1, Subnet Mask: 255.255.255.0
The first 28 bits of the above subnet mask are set to 1. To represent this in CIDR notation: /27
Two addresses have been reserved on each network for special use. Each network must
have a subnet / network address, and a broadcast address. Neither of these addresses can
be assigned to a host device. The subnet address is used to identify the network itself.
Routing tables contain lists of networks, and each network is identified by its subnet
address.
Subnet addresses contain all 0 bits in the host portion of the address.
Example: the following is a subnet address: 192.168.1.0/24
The broadcast address identifies all hosts on a particular network. A packet sent to the
broadcast address will be received and processed by every device on that network.
Broadcast addresses contain all 1 bits in the host portion of the address. Example: the
following is a broadcast address: 192.168.1.255/24
Subnetting is the process of dividing a major network into smaller networks or subnets by taking
bits from the host portion of a subnet mask.
The default subnet mask for this network is 255.255.255.0. This single network can be
subnetted into multiple networks. For example, assume a minimum of 14 new networks
are required. Resolving this is possible using the following formula:
2^n – 2, where n identifies the number of bits to be taken from the host portion of the subnet
mask.
There are a total of 24 bits set to 1, which are used to identify the network.
There are a total of 8 bits set to 0, which are used to identify the host, and these host bits
can be borrowed for subnets.
Taking bits from the host portion essentially means changing host bits from 0 (off) to 1 (on).
Network bits in a subnet mask must always be sequential; skipping bits is not allowed.
Consider the result if four bits are taken. Using the formula: 2^4 – 2 = 14 networks.
To determine the number of hosts in each network, the same formula can be used, 2^n – 2, where
n is now the number of remaining host bits: 2^4 – 2 = 14 hosts.
Thus, subnetting a Class C network with a /28 mask creates fourteen new networks, with
fourteen usable hosts per network.
The ranges of the subnetted networks can be quickly calculated using a shortcut: take the
subnetted octet of the subnet mask 255.255.255.240, that is 240, and subtract it from 256.
256 – 240 = 16
Knowing the first address of each new network makes it simple to determine the last address
of each network:

Subnet   First Address   Valid Host Range   Last Address
1        0               1 – 14             15
2        16              17 – 30            31
3        32              33 – 46            47
4        48              49 – 62            63
5        64              65 – 78            79
6        80              81 – 94            95
7        96              97 – 110           111
8        112             113 – 126          127
9        128             129 – 142          143
10       144             145 – 158          159
11       160             161 – 174          175
12       176             177 – 190          191
13       192             193 – 206          207
14       208             209 – 222          223
15       224             225 – 238          239
16       240             241 – 254          255
The last address of each network becomes the broadcast address for that network.
Note: There is a specific purpose for the '– 2' portion of the 2^n – 2 formula. Earlier it
was not acceptable to use an address that contained all 0 or all 1 bits in the network
portion of the address.
However, this is no longer true on modern systems. Specifically, on Cisco IOS devices, the
following command is now enabled by default:
Router(config)# ip subnet-zero
The ip subnet-zero command allows the use of networks with all 0 or all 1
bits in the network portion of the address. Thus, the formula for calculating the number
of new networks is slightly altered, to simply 2^n.
Hence if four bits are considered for networks, there would be 2^n = 2^4 = 16 networks.
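As an added worked example (not part of the handout), the following Python subnet calculator carries the /28 case above through in code: it borrows host bits, derives the mask, the block size (256 – 240 = 16), the 2^n versus 2^n – 2 subnet count, the 2^h – 2 usable hosts, and each subnet's network, host range and broadcast address. It also generalises to any prefix and borrowed-bit count, and classifies an address as network, broadcast or host as the reserved-address rule above describes.

```python
"""Subnet calculator (added example, not from the handout).

Works through the handout's case: a Class C network 192.168.1.0/24 with four
bits borrowed from the host portion, i.e. a /28 (255.255.255.240) mask.
"""
import ipaddress
from typing import Dict, List

ALL_ONES = 0xFFFFFFFF


def to_int(address: str) -> int:
    return int(ipaddress.IPv4Address(address))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def subnet_plan(network: str, prefix: int, borrowed: int, subnet_zero: bool = True) -> Dict:
    """Borrow `borrowed` host bits from a `prefix`-length network.

    subnet_zero=True gives the modern (ip subnet-zero) 2^n subnet count; False
    applies the older 2^n - 2 rule that discards the all-0 and all-1 subnets.
    """
    new_prefix = prefix + borrowed
    host_bits = 32 - new_prefix
    if borrowed < 1 or host_bits < 2:
        raise ValueError("need at least one borrowed bit and two host bits")
    # Network bits are contiguous: the mask is `new_prefix` ones followed by zeros.
    mask = (ALL_ONES << host_bits) & ALL_ONES
    base = to_int(network) & ((ALL_ONES << (32 - prefix)) & ALL_ONES)
    # Block size = 2^(host bits); for /28 this is the handout's 256 - 240 = 16.
    block = 1 << host_bits
    subnets: List[Dict[str, str]] = []
    for k in range(1 << borrowed):
        net = base + k * block
        subnets.append({
            "network": to_str(net),                 # host bits all 0
            "first_host": to_str(net + 1),
            "last_host": to_str(net + block - 2),
            "broadcast": to_str(net + block - 1),   # host bits all 1
        })
    if not subnet_zero:
        subnets = subnets[1:-1]
    return {
        "mask": to_str(mask),
        "cidr": f"/{new_prefix}",
        "block_size": block,
        "usable_hosts": (1 << host_bits) - 2,   # 2^h - 2: network and broadcast reserved
        "subnets": subnets,
    }


def address_role(address: str, prefix: int) -> str:
    """Classify an address within its /prefix as network, broadcast or host."""
    host_bits = 32 - prefix
    host_part = to_int(address) & ((1 << host_bits) - 1)
    if host_part == 0:
        return "network"
    if host_part == (1 << host_bits) - 1:
        return "broadcast"
    return "host"


def same_network(a: str, b: str, mask: str) -> bool:
    """Two hosts can talk without a router only if the masked addresses match."""
    m = to_int(mask)
    return (to_int(a) & m) == (to_int(b) & m)


if __name__ == "__main__":
    plan = subnet_plan("192.168.1.0", 24, 4)
    print(f"mask {plan['mask']} ({plan['cidr']}), block size {plan['block_size']}, "
          f"{len(plan['subnets'])} subnets, {plan['usable_hosts']} usable hosts each")
    for s in plan["subnets"]:
        print(f"{s['network']:16} {s['first_host']} - {s['last_host']:16} bcast {s['broadcast']}")
```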
A public address is a unique address on the internet and can be routed on the Internet. Hence
devices that should be Internet accessible must be configured with public addresses.
A private address is only used within an organization, and can never be routed on the internet.
Three private addressing ranges were allocated, one for each IPv4 class:
Class                                      Range
Class A                                    10.0.0.0 – 10.255.255.255
Class B                                    172.16.0.0 – 172.31.255.255
Class C                                    192.168.0.0 – 192.168.255.255
Diagnostic purposes (loopback testing)     127.0.0.0 – 127.255.255.255
Automatic Private IP Addressing (APIPA)    169.254.0.0 – 169.254.255.255
• Flash
Boot Sequence:
ROM contains a bootstrap program called the ROM Monitor, also referred to as ROMmon.
When a router is powered on, the bootstrap runs a hardware diagnostic called POST
(Power-On Self Test). If POST completes successfully, the bootstrap then attempts to
locate an IOS image based on the configuration file present in NVRAM, where a
boot system command may be configured to point at a particular IOS (Internetwork Operating
System) file; if not, it loads the Cisco IOS stored in Flash memory. Flash memory
can be erased or overwritten, thus making the Cisco IOS upgradeable. If the bootstrap
cannot find the IOS in Flash, a basic version of the IOS will be loaded from ROM. The
contents of ROM cannot be altered or erased; the entire ROM chip must be replaced if
an upgrade or repair is necessary.
If the bootstrap does find the IOS in Flash, it is loaded into RAM and attempts to find a
startup configuration file in NVRAM. NVRAM is non-volatile, thus its contents survive a
power cycle. If the IOS cannot find a startup-config file in NVRAM, it will attempt to load a
configuration file from a TFTP server, the request being broadcast to 255.255.255.255. If no
TFTP server responds, the IOS will enter Initial Configuration Mode, a series of interactive
questions intended for quick configuration of the router. If the IOS does find a startup-config
file in NVRAM, this file is loaded into RAM and becomes the running configuration
(running-config). RAM is volatile memory, and thus its contents will be lost if the router is
power cycled.
Interfaces vs Lines
Cisco devices contain two different types of ports that are, interfaces and lines.
Interfaces connect routers and switches to each other. In other words, traffic is actually routed
or switched across interfaces. Some of the interfaces include:
• Serial interfaces
• Ethernet interfaces
• Fast Ethernet interfaces
• Token Ring interfaces
• ATM interfaces
• BRI/PRI interfaces
Interfaces are identified by both the type of interface and the interface number, which
usually begins with 0. Example: Ethernet 0, Serial 0, etc. Other router families,
such as the 3600 series, are modular and have multiple slots for interfaces. In that
case, the interfaces on these routers are identified by both the module number and the
interface number. Example: the second serial interface on the first modular slot would
be identified as Serial0/1.
Lines identify ports that allow us to connect into, and then configure, Cisco devices. The most
common examples of lines include:
• Console ports
• Auxiliary ports
• VTY or telnet ports
Just like interfaces, lines are identified by both the type of line and the line number. Example:
the first console port on a router would be identified as Console0.
Every Cisco router or switch includes a console port, sometimes labeled on the device
simply as con. The console port is generally an RJ-45 connector, and requires a rollover
cable to connect to. The opposite side of the rollover cable connects to a PC's serial
port using a serial terminal adapter.
From the PC, software such as HyperTerminal is required to make a connection from
the local serial port to the router console port. The following settings are necessary for
a successful connection:
Cisco devices also include an auxiliary port, which is similar to a console port, and can
be accessed using a rollover cable. Additionally, auxiliary ports support modem
commands, thus providing dial-in access to Cisco devices.
Telnet, and the secured alternative SSH, are the most common methods of remote access to routers
and switches. The standard edition of the IOS supports up to 5 simultaneous VTY
connections. Enterprise editions of the IOS support up to 255 VTY connections.
There are two requirements before a router/switch will accept a VTY connection:
Cisco IOS
The Cisco IOS is stored in Flash on Cisco routers and Catalyst switches, in a .BIN file
format. It can be upgraded using one of several methods:
The IOS .bin file stored in flash follows a specific naming convention. Observe the following IOS
image: c3640-advipservicesk9-mz.121-3.S.bin

Component          Meaning
c3640              Cisco hardware platform
advipservicesk9    Feature set
m                  Memory location
z                  Compression format
121                Maintenance release
3                  Minor release
T                  Identifier
By default, the first mode you enter when logged into a Cisco device is User EXEC mode.
User EXEC mode can be identified by the prompt ">" after the device hostname:
Router>
In this mode no configuration can be changed or viewed. Only basic status information can be
viewed from this mode.
Router#
Router> enable
Router#
Router# disable
Router>
Only a small amount of configuration can be done directly from Privileged mode.
Router(config)#
To enter Global Configuration mode, type configure terminal from Privileged Mode:
Router(config)#
Router(config)# exit
Router#
To configure an interface:
Router(config-if)#
To configure a line:
Router(config-line)#
Passwords can be configured on router lines, such as telnet (vty), console, and auxiliary ports.
To set or change the password for a console port and all telnet ports:
Router(config-line)# login
Router(config-line)# exec-timeout 0 0
Router(config-line)# login
Router(config-line)# exec-timeout 0 0
The exec-timeout 0 0 command is optional, and disables the automatic timeout of your
connection. The two zeroes represent the timeout value in minutes and seconds,
respectively. Thus, to set a timeout for 5 minutes and 20 seconds:
Router(config-line)# exec-timeout 5 20
The logging synchronous command is also optional, and prevents system messages from
interrupting your command prompt.
By default line passwords are stored in clear-text in configuration files. To ensure that these
passwords are encrypted in all configuration files:
Router(config-if)# no shutdown
On the DCE (Data Communication Equipment) side of a serial connection we must set
the speed, or clock rate, for the DTE (Data Terminal Equipment) side. Clock rate is in
bps (bits per second).
To set the clock rate, if you are the DCE side of a serial connection:
Serial 0 is up, line protocol is up – The interface is up and running, both ends are sending
and receiving keepalives, and traffic can be routed across the interface. The first part of this
status, Serial0 is up, refers to the physical layer status of the interface. The second part, line
protocol is up, refers to the data-link layer status of the interface.
Serial 0 is down, line protocol is down – The interface is physically down; this may be
because of a defective or unplugged cable or interface.
Serial 0 is up, line protocol is down – The line protocol, which refers to data-link layer
functions, is down. This may be because of:
• Absence of keepalives being sent or received
• Clock rate not set on the DCE side of a serial connection
For internal purpose | Confidential 34
• Different encapsulation types set on either side of the link
Serial 0 is administratively down, line protocol is down – This means the interface
has been administratively shutdown.
Router# exit
To return to the router you telnetted from, without exiting the session:
Section 10
Cisco Advanced IOS Configuration
This configuration change does not take effect until the next reboot.
The Cisco IOS is stored in flash. Multiple IOS files can be loaded into flash, assuming there
is enough free space. You can view available free space, and the name of any file(s) in flash,
by typing:
CDP is a Cisco proprietary protocol used to collect information about locally attached
Cisco switches and routers. CDP is enabled by default on all routers and switches, and
sends out updates every 60 seconds, with a hold time of 180 seconds. CDP is also used
to identify the voice VLAN information.
Routing is done by a router or Layer 3 switch, which sends information from one
network to another network. Devices choose paths based on the destination network,
not the destination host.
To determine the best route to a destination, a router considers three important aspects:
prefix length of the network, metric and Administrative Distance, in the order listed.
Prefix-length is the number of bits used to identify the network, and is used to determine the
most specific route. A longer prefix-length indicates a more specific route.
For example, suppose the routing table holds three routes that cover a host address in
172.16.0.0/16:
172.16.0.0/16
172.16.1.0/24
172.16.1.0/26
The router will do a bit-by-bit comparison to find the most specific route, i.e., the longest
matching prefix. Since the 172.16.1.0/26 network is the most specific, that route will be used,
irrespective of the metric or Administrative Distance.
Metric allows a router to choose the best path within a routing protocol. That is, it
will choose the best among two or more paths offered by the same routing protocol.
Distance-vector routing protocols use distance and direction as their metric. Link-state
protocols use cost as their metric. Example: RIP uses hop count as the metric, so if
there are two paths to reach a particular destination with hop counts of 2 and 3
respectively, the best path is the one with fewer hops (2 hops), as it has the lower
metric. Only routes with the best metric are added to the routing table. If multiple
equal-metric routes exist to a particular network, most routing protocols will load-balance.
Administrative Distance is used to determine which routing protocol to trust the
most. This parameter comes into play when two or more routing protocols are used.
The lowest administrative distance always wins. If a router receives a route to the same
network from both RIP and OSPF, it will use Administrative Distance to determine which
routing path to choose.
Route source – Administrative Distance
Connected – 0
Static – 1
EIGRP Summary – 5
External BGP – 20
Internal EIGRP – 90
IGRP – 100
OSPF – 110
IS-IS – 115
RIP – 120
Unknown – 255
So always remember that the best path to a destination is firstly based on highest Prefix-length,
then the Metric and finally AD between routing protocols.
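The three selection criteria above, worked in Python as an added example that is not from the handout: longest prefix first, then, for the same prefix, Administrative Distance between protocols and metric within a protocol. The AD values are the ones in the table above; the candidate routes and next-hop addresses are constructed sample data.

```python
import ipaddress

# Administrative distances as listed in the handout's table (lower is more trusted).
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20, "eigrp": 90,
    "igrp": 100, "ospf": 110, "is-is": 115, "rip": 120, "unknown": 255,
}


def install_routes(candidates):
    """Decide, per prefix, which candidate routes are installed in the routing table.

    Between different protocols the lowest AD wins; within the winning protocol
    only the best-metric routes are kept, and several equal-metric routes stay
    together so the router can load-balance across them.
    """
    by_prefix = {}
    for route in candidates:
        by_prefix.setdefault(ipaddress.ip_network(route["prefix"]), []).append(route)

    table = {}
    for prefix, routes in by_prefix.items():
        best_ad = min(ADMIN_DISTANCE[r["protocol"]] for r in routes)
        same_source = [r for r in routes if ADMIN_DISTANCE[r["protocol"]] == best_ad]
        best_metric = min(r["metric"] for r in same_source)
        table[prefix] = [r for r in same_source if r["metric"] == best_metric]
    return table


def lookup(table, destination):
    """Longest-prefix match: the most specific route wins regardless of AD or metric.

    Returns (prefix, installed routes), or None when no route (not even a default
    route) covers the destination; such traffic is dropped.
    """
    address = ipaddress.ip_address(destination)
    matching = [prefix for prefix in table if address in prefix]
    if not matching:
        return None
    best = max(matching, key=lambda prefix: prefix.prefixlen)
    return best, table[best]


# Constructed candidate routes (sample data, not the handout's lab topology).
CANDIDATES = [
    {"prefix": "172.16.0.0/16", "protocol": "ospf", "metric": 20, "next_hop": "10.0.0.1"},
    {"prefix": "172.16.1.0/24", "protocol": "rip", "metric": 2, "next_hop": "10.0.0.2"},
    {"prefix": "172.16.1.0/26", "protocol": "rip", "metric": 9, "next_hop": "10.0.0.3"},
    # Same prefix from two protocols: OSPF (AD 110) beats RIP (AD 120) despite the worse metric.
    {"prefix": "10.1.0.0/16", "protocol": "rip", "metric": 1, "next_hop": "10.0.0.2"},
    {"prefix": "10.1.0.0/16", "protocol": "ospf", "metric": 50, "next_hop": "10.0.0.1"},
    # Two equal-metric RIP routes: both are installed and load-balanced.
    {"prefix": "10.2.0.0/16", "protocol": "rip", "metric": 2, "next_hop": "10.0.0.2"},
    {"prefix": "10.2.0.0/16", "protocol": "rip", "metric": 2, "next_hop": "10.0.0.4"},
]

ROUTING_TABLE = install_routes(CANDIDATES)


def next_hops(destination):
    """The list of next hops the router would use for a destination ([] = dropped)."""
    match = lookup(ROUTING_TABLE, destination)
    if match is None:
        return []
    return [r["next_hop"] for r in match[1]]


if __name__ == "__main__":
    for dst in ("172.16.1.10", "172.16.1.200", "172.16.9.1", "10.1.5.5", "10.2.5.5", "192.0.2.1"):
        print(dst, "->", next_hops(dst))
```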
STATIC ROUTING:
There are two basic methods of building a routing table: Statically or Dynamically.
A static routing table is created, maintained, and updated by a network administrator, manually.
Static routes have an AD of 1 and will always be preferred over dynamic routes, unless the default
AD is changed. A static route with an adjusted AD is called a floating static route.
DYNAMIC ROUTING
Link-state protocols do not send periodic updates; instead they exchange updates only when
there is a topology change.
Link-state protocols can converge very quickly and are immune to routing loops.
Additionally, because updates are sent only during a link-state change, and contain only
the change and not the full table, link-state protocols are less bandwidth intensive than
distance-vector protocols.
Link-state protocols utilize more RAM and CPU on the router itself. Link-state protocols
use the metric of cost, usually based on bandwidth, to calculate a route's metric.
Dijkstra's shortest-path algorithm is used to determine the shortest path.
Classful routing protocols do not send subnet mask information along with their routing updates.
When such a router receives a route:
• If the router has a directly connected interface belonging to the same major
network, it will apply the same subnet mask as that of the interface on which the
update was received.
• If the router does not have any interfaces belonging to the same major network,
it will apply the classful subnet mask to the route once it is received.
• Classful routing protocol does not support VLSM (Variable Length Subnet Masks).
Examples of Classful routing protocol are RIP v1, IGRP.
• Always ensure that if networks are subnetted then all are in the same major
network and using the same subnet mask.
Router(config)# ip classless
Section 12
STATIC ROUTING
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1- 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1- 192.168.40.1 /24
To add a static route on RouterA to reach the 192.168.40.0/24 network via RouterB:
RouterA(config)# ip route 192.168.40.0 255.255.255.0 192.168.30.2
RouterB(config)# ip route 192.168.20.0 255.255.255.0 192.168.30.1
The Administrative Distance of a static route can be changed to create a floating static
route. A floating static route is often used as a backup route to a dynamic routing protocol.
Static routes will only remain in the routing table as long as the interface connecting to
the next-hop router is up. To ensure a static route remains permanently in the routing
table, even if the next-hop interface is down:
Static routes can be used to discard traffic to specific networks by sending that traffic to
a logical null interface:
If a specific route to a particular network does not exist in the routing table, the router will
drop all traffic destined to that network.
The default route is identified by all zeros in both the network and subnet mask, that is,
0.0.0.0 0.0.0.0.
The term "gateway of last resort" is used because it is the route consulted last: it will be used
only if a more specific route does not exist.
RIP is an open-standard distance-vector protocol, meaning it can be used in multi-vendor
environments. RIP is used for smaller networks.
RIP v1 | RIP v2
Classful | Classless
Does not support VLSM | Supports VLSM
Sends updates as broadcast | Sends updates as multicast to IP 224.0.0.9
Max hop count 15 | Max hop count 15
Does not support authentication of routing updates | Supports authentication of routing updates
RIP v1 routers will send only version 1 packets | RIP v2 routers will send only version 2 packets
RIP v1 routers will receive both version 1 and version 2 updates | RIP v2 routers will receive only version 2 updates
RIP, as a Distance Vector routing protocol, is susceptible to loops due to its slow convergence.
Let's assume no loop avoidance mechanisms are configured on either router.
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1- 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1- 192.168.40.1 /24
As in the above example, if the 192.168.40.0 network fails, Router B will send an update to
Router A within 30 seconds, when its update timer expires, informing Router A that the route is
unreachable with a metric of 16. But if an update from Router A reaches Router B before that
update is sent, Router A still believes it can reach the 192.168.40.0 network in one hop through
Router B. This update will cause Router B to believe it can reach the failed 192.168.40.0 network
in two hops, through Router A. Both routers will continue to increment the metric for the
network until they reach a hop count of 16, which is unreachable.
This behavior is known as counting to infinity.
Split-Horizon – Prevents a routing update from being sent out the interface on which it was
received. In our above example, this would prevent Router A from sending an update for the
192.168.40.0 network back to Router B, as it originally learned the route from Router B.
Split-horizon is enabled by default on Cisco routers.
Hold-Down Timers – Prevent RIP from accepting any new updates for routes in a hold-down
state, until the hold-down timer expires. If Router A sends an update to Router B with a higher
The timers basic command allows us to change the update, invalid, hold-down, and flush timers.
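A small simulation of the counting-to-infinity scenario above, with and without split horizon, added here as an illustration and not taken from the handout. It models the two-router topology and the update exchange only; the update, invalid, hold-down and flush timers are not modelled, and the "worst case" ordering (A's update reaching B before B's poisoned update goes out) is forced explicitly.

```python
INFINITY = 16  # RIP metric meaning "unreachable"


class RipRouter:
    def __init__(self, name, connected):
        self.name = name
        # prefix -> {"metric": hop count, "via": neighbour the route was learned from (None = connected)}
        self.routes = {prefix: {"metric": 1, "via": None} for prefix in connected}

    def build_update(self, neighbour, split_horizon):
        """Routes advertised to `neighbour`. With split horizon, routes learned
        from that neighbour are left out of the update sent back to it."""
        return {
            prefix: r["metric"]
            for prefix, r in self.routes.items()
            if not (split_horizon and r["via"] == neighbour)
        }

    def receive_update(self, neighbour, update):
        for prefix, advertised in update.items():
            metric = min(advertised + 1, INFINITY)
            current = self.routes.get(prefix)
            # Install if the route is new, better, or comes from the current next hop
            # (a router always believes the neighbour it already routes through).
            if current is None or metric < current["metric"] or current["via"] == neighbour:
                self.routes[prefix] = {"metric": metric, "via": neighbour}

    def link_failed(self, prefix):
        self.routes[prefix]["metric"] = INFINITY


def simulate(split_horizon, max_rounds=50):
    """Handout topology: A (192.168.20.0/24, 192.168.30.0/24) -- B (192.168.30.0/24, 192.168.40.0/24).

    Returns (rounds of update exchange until both routers hold metric 16 for the
    failed 192.168.40.0/24, A's final metric, B's final metric, per-round history).
    """
    a = RipRouter("A", ["192.168.20.0/24", "192.168.30.0/24"])
    b = RipRouter("B", ["192.168.30.0/24", "192.168.40.0/24"])
    # Initial convergence: each router learns the other's networks.
    a.receive_update("B", b.build_update("A", split_horizon))
    b.receive_update("A", a.build_update("B", split_horizon))

    failed = "192.168.40.0/24"
    b.link_failed(failed)
    history = []
    rounds = 0
    while rounds < max_rounds:
        rounds += 1
        # Worst case from the handout: A's periodic update reaches B before B's
        # "metric 16" update goes out, so B may hear about 192.168.40.0 via A.
        b.receive_update("A", a.build_update("B", split_horizon))
        a.receive_update("B", b.build_update("A", split_horizon))
        history.append((a.routes[failed]["metric"], b.routes[failed]["metric"]))
        if a.routes[failed]["metric"] >= INFINITY and b.routes[failed]["metric"] >= INFINITY:
            break
    return rounds, a.routes[failed]["metric"], b.routes[failed]["metric"], history


if __name__ == "__main__":
    print("without split horizon:", simulate(False)[:3])  # counts up to 16
    print("with split horizon:   ", simulate(True)[:3])   # converges in one round
```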
RIP Configuration:
Router(config)#router rip
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1- 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1- 192.168.40.1 /24
The first command, router rip, enables the RIP process. The network statements tell RIP which
networks you wish to advertise to other RIP routers.
Even when a router sends a RIPv2 update, by default it will still summarize the network to its
classful boundary. Thus, RIPv2 acts like RIPv1 unless we disable auto summarization:
As shown in the diagram, RouterA has three paths to reach the Destination Network (RouterH),
either through RouterB, RouterC or RouterD. If we sum up the metrics to form a distance, we can
determine the following:
• RouterB's Feasible Distance to the Destination Network is 10.
• RouterC's Feasible Distance to the Destination Network is 25.
• RouterD's Feasible Distance to the Destination Network is 11.
When RouterB sends an update to RouterA, it will provide an Advertised Distance of 10 to the
Destination Network. RouterC will provide an AD of 25, and RouterD will provide an AD of 11.
RouterA calculates the total distance to the Destination Network by adding the AD of the
advertising router to its own distance to reach that advertising router. For example,
RouterA's metric to RouterB is 9; thus the total distance to reach the Destination Network
through RouterB will be 19.
Hence the route through RouterD (total metric of 14) becomes RouterA's Feasible Distance,
and is added to the routing table as the best route.
To allow convergence to occur quickly if a link fails, EIGRP keeps backup routes in the topology
table called Feasible Successors (FS). A route will only become a Feasible Successor if its
Advertised Distance is less than the current Feasible Distance. This is known as the Feasible
Condition (FC).
For example, we determined that RouterA's Feasible Distance to the destination is 14, through
RouterD. RouterC's Advertised Distance is 25, and thus it would not become a Feasible
Successor, as it has a higher metric than RouterA's current Feasible Distance. Routes that are
not Feasible Successors become route Possibilities. RouterB's Advertised Distance is 8, which
is less than RouterA's current Feasible Distance. Thus, the route through RouterB to the
Destination Network would become a Feasible Successor. Feasible Successors provide EIGRP
with redundancy, without forcing routers to re-converge (and thus stopping the flow of traffic)
when a topology change occurs. If no Feasible Successor exists and a link fails, the route will
enter an Active (converging) state until an alternate route is found.
Packet Type – Delivery
Hello – Multicast
Update – Unicast or Multicast
Query – Multicast
Reply – Unicast
Acknowledgement – Unicast
EIGRP Metrics
EIGRP can utilize 5 separate metrics to determine the best route to a destination:
EIGRP Configuration:
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1- 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1- 192.168.40.1 /24
The first command, router eigrp 100, enables the EIGRP process. The 100 indicates the
Autonomous System number. The Autonomous System number can range from 1 to 65535. Only
other EIGRP routers in Autonomous System 100 will form neighbor adjacencies and share
updates with this router.
An EIGRP route can exist in one of two states, in the topology table:
• Active state
• Passive State
A Passive state indicates that a route is reachable, and that EIGRP is fully converged. A stable
working EIGRP network will have all routes in a Passive state.
Routes will become Stuck-in-Active (SIA) when a router sends out an EIGRP Query packet, but
does not receive an EIGRP Reply packet within three minutes. In other words, a route will
become SIA if EIGRP fails to re-converge.
EIGRP Load-Balancing
By default, EIGRP will automatically load-balance across equal-metric routes: four by default, six
maximum depending on the IOS. EIGRP also supports load-balancing across routes with an
unequal metric using the variance command. The variance command assigns a multiplier, X.
Multiply this variance value by the Successor's Feasible Distance; every path whose metric is
equal to or below the value calculated is used for load balancing.
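The Feasible Distance, Feasible Successor and variance calculations from the two passages above, as an added Python example that is not part of the handout. It uses the handout's figures (RouterB advertises 10 and is reached at cost 9, total 19; RouterD advertises 11 for a total of 14, so the A-D link costs 3); the A-C link cost of 5 is an assumed value, the handout gives RouterB's Advertised Distance as both 10 and 8 and 10 is used here (the outcome is the same either way), and the variance rule is applied only to paths that meet the Feasible Condition, which real EIGRP also requires.

```python
def eigrp_paths(neighbours):
    """neighbours: {router: (advertised_distance, cost_of_link_to_that_router)}.

    Returns (feasible_distance, successor, feasible_successors, possibilities).
    A neighbour is a Feasible Successor only if its Advertised Distance is
    lower than the Feasible Distance (the Feasible Condition).
    """
    total = {n: ad + link for n, (ad, link) in neighbours.items()}
    successor = min(total, key=total.get)
    fd = total[successor]
    feasible = sorted(n for n, (ad, _) in neighbours.items() if n != successor and ad < fd)
    possibilities = sorted(n for n in neighbours if n != successor and n not in feasible)
    return fd, successor, feasible, possibilities


def variance_paths(neighbours, variance):
    """Paths used for unequal-cost load balancing with `variance` configured:
    the Successor plus every Feasible Successor whose total metric is at most
    variance * FD. Returns (sorted path list, the computed limit)."""
    fd, successor, feasible, _ = eigrp_paths(neighbours)
    limit = fd * variance
    chosen = [successor] + [n for n in feasible if sum(neighbours[n]) <= limit]
    return sorted(chosen), limit


def after_failure(neighbours, failed):
    """Recompute after a neighbour's link fails. If a Feasible Successor existed
    it takes over immediately; otherwise the route would go Active (query the
    remaining neighbours) before converging. Returns None when nothing is left."""
    remaining = {n: v for n, v in neighbours.items() if n != failed}
    if not remaining:
        return None
    return eigrp_paths(remaining)


# RouterA's view of the handout's topology: (Advertised Distance, link cost to that neighbour).
# The A-C link cost of 5 is assumed; C's AD of 25 fails the Feasible Condition regardless.
ROUTER_A_NEIGHBOURS = {"B": (10, 9), "C": (25, 5), "D": (11, 3)}


if __name__ == "__main__":
    print("FD, successor, feasible successors, possibilities:", eigrp_paths(ROUTER_A_NEIGHBOURS))
    print("variance 2 paths:", variance_paths(ROUTER_A_NEIGHBOURS, 2))
    print("after RouterD fails:", after_failure(ROUTER_A_NEIGHBOURS, "D"))
```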
Command – Description
Router(config-if)# ip hello-interval eigrp 100 8 – Changes the hello interval to 8 seconds for AS 100
Router(config-if)# ip hold-time eigrp 100 24 – Changes the hold (dead) interval to 24 seconds for AS 100
Router(config-router)# no auto-summary – Disables auto summarization
RouterC(config-router)# passive-interface s0 – Stops EIGRP updates from being sent out of the interface; no neighbor relationship will form on it
Router(config-if)# bandwidth 64000 – Changes the bandwidth on an interface
Router(config-if)# ip bandwidth-percent eigrp 10 30 – Limits EIGRP usage of bandwidth on an interface
Router(config-if)# delay 10000 – Changes the delay on an interface
RouterA(config-router)# variance 2 – Used for unequal-cost load balancing
Router# show ip eigrp neighbor – View the EIGRP neighbor table
Router# show ip eigrp topology – View the EIGRP topology table
Router# show ip eigrp traffic – View EIGRP traffic sent and received
Router# debug eigrp neighbors – Debug EIGRP
Router# debug eigrp packet – Debug EIGRP
Router# debug eigrp route – Debug EIGRP
Router# debug eigrp summary – Debug EIGRP
• OSPF forms neighbor relationships, called adjacencies, with other routers in the same
Area by exchanging Hello packets to multicast address 224.0.0.5. Only after an
adjacency is formed can routers share routing information. Each OSPF router is
identified by a unique Router ID. The Router ID can be configured in three ways:
• The Router ID can be manually specified.
For two routers to become neighbors, the following values in their Hello packets must match:
• Area ID
• Authentication
• Subnet Mask
• Hello Interval
• Dead Interval
In multi-access networks such as Ethernet, we will have many neighbor relationships on the same
physical segment. As in the above example, there are five routers connected to the same multi-
access segment. The total number of neighbor relationships would be n(n-1)/2, where n is the
number of routers, so we require 10 separate adjacencies for a fully meshed network. As the
number of devices increases, this leads to unnecessary Link State Advertisement (LSA) traffic.
Moreover, if a link on one of the routers fails, it would flood this information to all neighbors, and
each neighbor in turn would flood that same information to all other neighbors. This is a
waste of bandwidth and processor load. To prevent this, OSPF will elect a Designated Router
(DR) for each multi-access network, reached via multicast address 224.0.0.6. As always, for
redundancy purposes a Backup Designated Router (BDR) is also elected.
OSPF routers will form adjacencies with the DR and BDR. If a change occurs to a link, the update
is forwarded only to the DR, which then forwards it to all other routers. This greatly reduces
the flooding of LSAs. DR and BDR elections are determined by a router's OSPF priority, which
is configured on a per-interface basis. The router with the highest priority becomes the DR;
the second highest becomes the BDR. If priorities are the same then the tie breaker
As neighbor adjacencies are formed, they will progress through several "states," including:
State – Description
Down – No Hellos have been heard from the neighboring router.
Init – A Hello packet has been heard from the neighbor, but two-way communication has not yet been initialized.
2-Way – Indicates neighbor adjacency, and is reached when a router sees its own Router ID in its neighbor's Hello packet. The DR and BDR are also elected in this state.
ExStart – Master/slave relationships are formed between the routers to determine who will begin the exchange.
Exchange – Routers exchange Database Descriptors (DBDs). DBDs contain a description of the router's topology database. A router will examine a neighbor's DBD to determine if it has information to share.
Loading – Exchange of Link State Advertisements, containing information about all links connected to each router. Essentially, routers are sharing their topology tables with each other by sending and receiving LSUs.
Full – Routers are fully synchronized and have exchanged LSAcks.
Link type – Bandwidth – OSPF cost
T1 – 1.544 Mbps – 64
Ethernet – 10 Mbps – 10
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1- 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1- 192.168.40.1 /24
The 100 in the router ospf statement indicates the OSPF process ID, and can be unique on each
router. The process ID allows multiple OSPF processes to run on the same router. After the
network keyword we use a wildcard mask instead of a subnet mask in the network statement. With
OSPF, we don't advertise networks; instead we enable the interfaces to be in specific areas,
so that those routers can form neighbor relationships. The wildcard mask 0.0.0.255 tells us that
the last octet can match any number.
The first network statement places interface Fa0/0 on RouterA into Area 1, and the second
network statement places interface Fa0/1 on RouterA into Area 0. We could also have written
the network statement more specifically, like:
In order for RouterB to form a neighbor relationship with RouterA, its connecting interface must
be put in the same Area and subnet as RouterA:
Command – Description
RouterC(config-router)# passive-interface s0 – Prevents a neighbor relationship on the interface; it will not send or receive updates
RouterC(config-router)# router-id 1.1.1.1 – Manually specifies the Router ID
RouterC(config-router)# area 1 virtual-link 3.3.3.3 – Creates a virtual link; virtual links can be used as a workaround to logically connect separated areas to Area 0
Router(config-if)# bandwidth 64000 – Changes the bandwidth on an interface
Router(config-if)# ip ospf cost 5 – Changes the cost of an interface
Router(config-router)# auto-cost reference-bandwidth 100 – Changes the reference bandwidth used in calculating the metric
Router(config-if)# ip ospf priority 2 – Changes the OSPF priority of an interface
Router# show ip ospf neighbor – Displays the neighbor table
Router# show ip ospf database – Displays the database table
Router# show ip ospf 100 – View a specific OSPF process
Router# show ip ospf interface fa0/0 – View a specific OSPF process on an interface
Router# debug ip ospf adj – Debug OSPF in real time
Router# debug ip ospf events – Debug OSPF in real time
Router# debug ip ospf hello – Debug OSPF in real time
As in the above diagram, six computers are connected to a Layer 2 switch. PC1, PC3 and PC5 belong
to VLAN 1, and PC2, PC4 and PC6 belong to VLAN 2. Since PC1, PC3 and PC5 belong to the
same VLAN, IP subnet and broadcast domain, they can communicate with each other without the
need of a router. Similarly, PC2, PC4 and PC6 belong to the same VLAN, IP subnet and broadcast
domain, so they can communicate with each other without a router. But PC1, PC3 and PC5 will not
be able to communicate with PC2, PC4 or PC6, as they belong to separate VLANs and separate
IP subnets. Broadcasts from VLAN 1 will never go out ports configured for VLAN 2. A router
will be necessary for the two VLANs to communicate.
Most Catalyst multi-layer switches have integrated or modular routing processors. Otherwise,
an external router is required for inter-VLAN communication.
By default with Cisco Catalysts, all ports on every switch belong to VLAN 1. VLAN 1 is also
considered the management VLAN.
VLAN Membership
Statically – One or more switch-ports must be manually assigned to a VLAN. Any device
connecting to these switch-ports becomes a member of that VLAN.
Dynamically – Devices are automatically assigned to a VLAN based on their MAC address. Cisco
developed a dynamic VLAN product called the VLAN Membership Policy Server (VMPS).
In more sophisticated systems, a user's network account can be used to determine VLAN
membership.
There are two types of ports supported on a VLAN-enabled switch, access ports and trunk
ports.
An access port belongs to only one VLAN. Host devices, such as computers and printers, plug
into access ports. A host automatically becomes a member of the VLAN to which the switch-port
is assigned. This is done transparently, and the host is usually unaware of the VLAN
infrastructure. By default, all switch ports are access ports.
Trunk ports do not belong to a single VLAN. Any or all VLANs can traverse trunk links to
reach other switches. Only Fast or Gigabit Ethernet ports can be used as trunk links.
VLAN Frame-Tagging
Cisco switches support two frame-tagging protocols, Inter-Switch Link (ISL) and IEEE 802.1Q.
IEEE 802.1Q is an open-standard frame-tagging protocol supported by most switch
manufacturers, including Cisco. Instead of adding an additional header and trailer, 802.1Q
inserts a 4-byte tag carrying the VLAN ID into the Layer 2 frame header. This still increases the
size of a frame from its usual 1518 bytes to 1522 bytes, which is supported by most devices.
ISL or 802.1Q tagging can either be manually configured on Catalyst trunk ports, or dynamically
decided using Cisco's proprietary Dynamic Trunking Protocol (DTP).
A port can be placed into a dynamic trunk mode, or into static trunk mode. The two ends of a
link can be in different modes and still form a trunk link.
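An added example, not from the handout, that builds and parses the 802.1Q tag described above in Python: the 4-byte tag (TPID 0x8100 plus the tag control field) is inserted after the source MAC, the VLAN ID occupies the low 12 bits of the tag control field, and the frame grows by exactly 4 bytes. The MAC addresses and payload are constructed sample data, and the 4-byte FCS is not modelled, so the sizes below are 1514 and 1518 rather than the 1518 and 1522 quoted with the FCS.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload. No FCS."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def add_dot1q_tag(frame, vlan_id, priority=0, dei=0):
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType.

    TCI layout: 3-bit priority, 1-bit DEI, 12-bit VLAN ID.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if not 0 <= priority <= 7 or dei not in (0, 1):
        raise ValueError("priority is a 3-bit field and DEI a 1-bit field")
    tci = (priority << 13) | (dei << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_dot1q_tag(frame):
    """What a switch does before sending a frame out an access port: remove the tag."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame):
    """Decode an Ethernet frame with or without an 802.1Q tag; vlan is None when untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "vlan": None, "priority": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = tci & 0x0FFF
        info["priority"] = tci >> 13
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


# Constructed sample: a maximum-size (1500-byte payload) IPv4 frame placed on VLAN 100.
UNTAGGED = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4,
                       b"\x45" + b"\x00" * 1499)
TAGGED = add_dot1q_tag(UNTAGGED, vlan_id=100, priority=5)


if __name__ == "__main__":
    print("untagged length:", len(UNTAGGED), "tagged length:", len(TAGGED))
    decoded = parse_frame(TAGGED)
    print("vlan:", decoded["vlan"], "priority:", decoded["priority"],
          "ethertype: 0x%04x" % decoded["ethertype"])
```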
The above command configures the interface fa0/1 as an access port, and assigns this access port
to VLAN 100.
To view the list of VLANs, including which ports are assigned to each VLAN:
Switch# show vlan
The command sets the interface as a trunk port and also manually sets the tagging protocol the
trunk link will use. Both sides of the trunk line must be configured with the same tagging protocol.
The Catalyst switch can negotiate the tagging protocol:
In large switched networks, it will be difficult to maintain a consistent VLAN database across all
switches on the network. VLAN Trunking Protocol (VTP) allows the VLAN database to be easily
managed and consistent throughout the network.
Switches configured with VTP are joined to a VTP domain. Only switches belonging to the same
domain will share VLAN information, and a switch can only belong to a single domain. When an
update is made to the VLAN database, this information is propagated to all switches via VTP
advertisements.
By default, VTP updates are sent out every 300 seconds, or anytime a change to the database
occurs. VTP updates are sent across VLAN 1 and are only sent out trunk ports.
VTP Modes
Server – Switches can create, modify or delete entries in the VLAN database. Servers advertise
their VLAN database to all other switches on the network. Servers synchronize their database
with other Server switches and Client switches. This is the default mode for Cisco Catalyst
switches. Servers can only advertise VLANs 1 - 1005.
Client – Switches cannot make modifications to the VLAN database, and will receive all of their
VLAN information from VTP servers. A client will also forward an update from a server to other
clients.
Transparent – Switches will not advertise or accept any VLAN database information from other
switches. Changes made are only local to the transparent switch. However, transparent VTP
switches will forward VTP information from servers to clients.
Catalyst switches that participate in a VTP domain support up to 1005 VLANs. Catalyst switches
configured in VTP transparent mode support up to 4094 VLANs.
Configuring VTP
All switches participating in the VTP domain must be configured with the same password.
VTP version 2 supports additional functionality, including error checking and support for Token
Ring. VTP version 2 also allows transparent switches to always forward update information from
servers to clients, even if the transparent switch is in a separate domain. By default, a Catalyst
switch uses VTP version 1.
To view status information about VTP, including version, domain and mode:
Switch# show vtp status
VTP Pruning
VTP pruning is a process of preventing unnecessary VLAN broadcast or multicast traffic. With
VTP pruning, traffic is only sent out the necessary VLAN trunk ports where those VLANs exist.
VTP pruning is disabled by default on Catalyst IOS switches. To enable VTP pruning:
Access control lists are used not only to filter traffic, but also to identify traffic.
Access lists are a set of rules, or written statements, organized in a rule table. Each rule or line in
an access list provides a condition, to either permit or deny.
When an access list is used to filter traffic, a permit statement allows the traffic and a deny
statement blocks the traffic.
With the second use of an access list, identifying traffic, a permit statement includes the traffic
and a deny statement excludes it.
After configuring an ACL (a set of rules), it is applied to an interface. When a packet enters
or exits an interface with an ACL applied, the packet is compared against the criteria of the ACL.
If the packet matches the first line of the ACL, the appropriate action (permit or deny) is taken.
If there is no match, the second line's criteria are examined. Again, if there is a match, the
appropriate action is taken; if there is no match, the third line of the ACL is compared to the
packet, and the process continues until a match is found, at which point the ACL stops
processing. If no match is found, the implicit 'deny all' at the end of every access list
denies the traffic. You don't create it, and you can't delete it. Thus, access lists that
contain only deny statements will prevent all traffic.
Access lists are applied either inbound or outbound.
Inbound ACL: Packets received on an interface are checked against the ACL first and then the
routing table before the packets are sent out.
Outbound ACL: Packets are checked against the routing table first and then the ACL before
leaving the router.
Only one access list per interface, per protocol, per direction is allowed. More specific and
frequently used rules should be at the top of your access list, to optimize CPU usage. New entries
to an access list are added to the bottom. You cannot remove individual lines from a numbered
access list; you must delete and recreate the access list to truly make changes.
Types of Access Lists
Numbered access lists are defined using ranges of numbers, each dedicated to a specific
protocol. Example:
1–99 – IP standard access list
100–199 – IP extended access list
1300–1999 – IP standard access list (expanded range)
2000–2699 – IP extended access list (expanded range)
Named access lists provide a bit more flexibility. Descriptive names can be used to identify your
access lists. Additionally, individual lines can be added to and removed from a named access list.
However, like numbered lists, all new entries are still added to the bottom of the access list.
Standard IP access-lists are based upon the source host or network IP address, and should be
placed closest to the destination network.
Example:
This list allows traffic from all addresses in the range 192.168.10.0 to 192.168.10.255
Extended IP access-lists block based upon the source IP address, destination IP address, and TCP
or UDP port number. Extended access-lists should be placed closest to the source network.
Example:
Syntax: access-list [1-99] [permit | deny] [source address] [wildcard mask] [log]
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1- 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1- 192.168.40.1 /24
Example: To block Hosts in network 192.168.20.0 from accessing the hosts in the 192.168.40.0
network
Syntax: access-list [100-199] [permit | deny] [protocol] [source address] [wildcard mask]
[destination address] [wildcard mask] [operator [port]] [log]
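An added Python example, not the handout's own code, that parses the standard and extended syntaxes given above (including any, host and eq) and evaluates packets top-down with first match and the implicit deny at the end of every list. The ACL lines and packets are constructed on the RouterA/RouterB addressing used in this section, and the standard list is the 192.168.10.0 to 192.168.10.255 permit described earlier.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(address, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.ip_address(address))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class AclEntry:
    action: str                         # "permit" or "deny"
    protocol: str = "ip"                # "ip" matches every IP protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"     # any source
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"     # any destination
    dst_port: Optional[int] = None      # from an "eq <port>" operator

    def matches(self, pkt):
        return ((self.protocol == "ip" or self.protocol == pkt["protocol"])
                and (self.dst_port is None or pkt.get("dst_port") == self.dst_port)
                and wildcard_match(pkt["src"], self.src, self.src_wc)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wc))


def _parse_address(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i].
    A bare address with no wildcard means 0.0.0.0 (a single host)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 >= len(tokens) or tokens[i + 1] in ("log", "eq"):
        return tokens[i], "0.0.0.0", i + 1
    return tokens[i], tokens[i + 1], i + 2


def parse_acl_line(line):
    """Parse the two syntaxes shown above; returns (list number, AclEntry).
    access-list [1-99] [permit|deny] [source] [wildcard] [log]
    access-list [100-199] [permit|deny] [protocol] [src] [wc] [dst] [wc] [eq port] [log]"""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line}")
    number, action = int(t[1]), t[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source only
        src, src_wc, _ = _parse_address(t, 3)
        return number, AclEntry(action, "ip", src, src_wc)
    if 100 <= number <= 199 or 2000 <= number <= 2699:     # extended
        protocol = t[3]
        src, src_wc, i = _parse_address(t, 4)
        dst, dst_wc, i = _parse_address(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return number, AclEntry(action, protocol, src, src_wc, dst, dst_wc, port)
    raise ValueError(f"unsupported access-list number {number}")


def build_acls(lines):
    """New entries are appended to the bottom of their list, as on a Cisco router."""
    acls = {}
    for line in lines:
        number, entry = parse_acl_line(line)
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(acl, pkt):
    """First match wins: returns (action, 1-based line number). No match falls
    through to the implicit 'deny all' at the end of the list (line None)."""
    for lineno, entry in enumerate(acl, start=1):
        if entry.matches(pkt):
            return entry.action, lineno
    return "deny", None


# Constructed ACL lines on the RouterA/RouterB addressing used in this section.
CONFIG = [
    "access-list 10 permit 192.168.10.0 0.0.0.255",
    "access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255",
    "access-list 101 permit ip any any",
    "access-list 102 permit tcp any host 192.168.40.1 eq 23 log",
]
ACLS = build_acls(CONFIG)
```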
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1- 192.168.40.1 /24
Even though telnet access can be restricted using an extended ACL, that adds overhead on the
router, since every packet entering or leaving the interface has to be checked. Instead we use
telnet access lists, which give us the flexibility of applying the list to the telnet lines rather
than to an interface.
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1- 192.168.40.1 /24
Example: Create an access list that prevents anyone from the 192.168.40.x network from telnetting
into RouterA, but allows all other networks telnet access to RouterA.
WAN spans a large geographic area, such as a state, province or country. WANs often connect
multiple smaller networks, such as local area networks or metro area networks.
The world's most popular WAN is the Internet. WANs generally utilize different and much more
expensive networking equipment than do LANs. Key technologies often found in WANs include
SONET, Frame Relay, and ATM.
A Point-to-Point connection, also known as a leased line, is used to provide full connectivity between
two sites in a point-to-point manner. This type of connection is purchased from the telephone
company and uses a permanent path through the Telco's infrastructure, from one site to
another. There is no call setup and teardown, which means the circuit is always available.
Since the company owns the line, it has full use of the bandwidth, whether it is used or not. The
speed of the link can range up to a T3, which is approximately 45 Mbps. This connection type
becomes very costly as the distance increases. This type of connection is usually made with a
synchronous serial connection. Cisco supports this type with virtually all of their routers,
using one or more different types of synchronous serial connections, including:
• EIA/TIA-232
• V.35
• HSSI
In Circuit-Switched Connections the circuit, or dedicated path, is created when the call is
initiated to the remote site and the circuit is destroyed when the call ends. The best example of
a circuit-switched network is the Public Switched Telephone Network (PSTN). There are two
types of circuit-switched connections available: Asynchronous and ISDN (Integrated
Services Digital Network).
Asynchronous circuits carry data through a modem over the telephone network. The cost is lower than that of other types of WAN connections, but only low bandwidth is available: depending on the setup of the connection, the best that can be achieved is 56 Kbps.
ISDN has two flavors used for WAN connections. The first is the Basic Rate Interface (BRI), with a maximum bandwidth of 128 Kbps; the other is the Primary Rate Interface (PRI), which can reach speeds up to 2 Mbps.
A Packet-Switched Connection is a method where two or more sites are connected through a shared network, typically called a cloud. By shared network we mean that more than one company has access to the cloud. Remote sites are connected via a virtual circuit (VC) that allows data to traverse the cloud and arrive at the correct location. Within the cloud, each packet can take a different path to reach the final destination. Because the data travels through a shared cloud, the cost tends to be lower than that of the same bandwidth on a dedicated line. Although usually more expensive and not as freely available as circuit-switched networks, packet-switched connections offer bandwidth up to T1 speeds, and they are cheaper over longer distances than dedicated lines.
WAN Terminologies
The Demarc refers to the point of last responsibility for the service provider. All equipment on the Customer Premises side of the Demarc is the customer's responsibility to maintain.
The Smart Jack physically terminates the T1 line. If there is a connectivity issue, the provider will perform a ping test to the smart jack.
The Local Loop or Last Mile refers to the physical line connecting the Customer Premises to the provider's nearest Central Office (CO).
There are many different types of protocols used on WANs. These protocols all operate at layer 2 (at least) of the OSI model (the data-link layer).
High-Level Data-link Control (HDLC) is a WAN encapsulation protocol used on dedicated point-to-point serial lines. Though HDLC is technically an ISO standard protocol, Cisco's implementation of HDLC is proprietary and will not work with other vendors' routers. HDLC is also Cisco's default encapsulation type for serial point-to-point links. HDLC provides no authentication mechanism.
PPP uses:
PPP Features:
• Authentication
• Compression
• Multi-link
• Error Control
Configuring HDLC
Configuring PPP
After setting the hostname, the username and password used for PPP authentication are set. The username must be the hostname of the remote router, and the password must be the same on both routers.
The above configuration sets the authentication to CHAP. To instead configure PAP authentication:
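The PPP procedure just described, written out for both ends of the link as an added example (not the handout's own configuration); the router names RouterA and RouterB, interface Serial0/0, the 192.168.50.0/30 addresses and the shared password are assumptions:

```ios
! Added example, not the handout's own configuration.
! Each router's username entry is the REMOTE router's hostname, and the
! password must match on both sides; CHAP never sends it on the wire.
! ---- RouterA ----
RouterA(config)# hostname RouterA
RouterA(config)# service password-encryption      ! hide stored passwords in the config
RouterA(config)# username RouterB password ppp-placeholder
RouterA(config)# interface serial0/0
RouterA(config-if)# ip address 192.168.50.1 255.255.255.252
RouterA(config-if)# encapsulation ppp              ! replaces the default HDLC
RouterA(config-if)# ppp authentication chap
RouterA(config-if)# no shutdown
! ---- RouterB ----
RouterB(config)# hostname RouterB
RouterB(config)# service password-encryption
RouterB(config)# username RouterA password ppp-placeholder
RouterB(config)# interface serial0/0
RouterB(config-if)# ip address 192.168.50.2 255.255.255.252
RouterB(config-if)# encapsulation ppp
RouterB(config-if)# ppp authentication chap
RouterB(config-if)# no shutdown
!
! PAP variant: replace "ppp authentication chap" on both routers with the
! two lines below (shown for RouterA). PAP sends the password in clear text,
! so CHAP is preferred wherever the peer supports it.
! RouterA(config-if)# ppp authentication pap
! RouterA(config-if)# ppp pap sent-username RouterA password ppp-placeholder
!
! Verify: LCP should report Open and the CHAP challenge/response succeed.
RouterA# show interfaces serial0/0
RouterA# debug ppp authentication
```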
All customer devices connect into the Frame-Relay cloud, which contains many Frame-Relay switches and routers. Virtual circuits (VCs) must be created for each end-to-end communication. A VC is a one-way path through the Frame-Relay cloud.
In the above example, to establish full communication between all four sites, a virtual circuit is needed between each pair of them; the number of circuits is given by the formula n(n-1)/2, which in this case is 6 virtual circuits. Frame-Relay circuits can be either permanent (PVC) or switched (SVC). A permanent virtual circuit is always kept active and is the most commonly used type of virtual circuit. A switched virtual circuit is created and terminated as and when required, like a circuit-switched network. Just as Ethernet maps Layer 3 IP addresses to Layer 2 MAC addresses, Frame Relay maps IP addresses to Data Link Connection Identifiers (DLCIs), which identify the virtual circuits. Frame-Relay switches make forwarding decisions based on DLCIs.
[Figure: Frame-Relay topology showing the INDIA and SINGAPORE routers]
! INDIA using Inverse ARP to learn the far-end IP address for DLCI 102
INDIA(config)# int s0
INDIA(config-if)# ip address 192.168.30.1 255.255.0.0
INDIA(config-if)# encapsulation frame-relay
INDIA(config-if)# frame-relay lmi-type cisco
INDIA(config-if)# frame-relay interface-dlci 102
INDIA(config-if)# no shut
! INDIA with Inverse ARP disabled and static maps to SINGAPORE (DLCI 102) and MALAYSIA (DLCI 103)
INDIA(config)# int s0
INDIA(config-if)# ip address 192.168.30.1 255.255.0.0
INDIA(config-if)# encapsulation frame-relay ietf
INDIA(config-if)# frame-relay lmi-type cisco
INDIA(config-if)# no frame-relay inverse-arp
INDIA(config-if)# frame-relay map ip 192.168.30.2 102 broadcast
INDIA(config-if)# frame-relay map ip 192.168.30.3 103 broadcast
INDIA(config-if)# no shut
! MALAYSIA with static maps to INDIA (DLCI 301) and SINGAPORE (DLCI 302)
MALAYSIA(config)# int s0
MALAYSIA(config-if)# ip address 192.168.30.3 255.255.0.0
! .3 is MALAYSIA's own address; .1 would duplicate INDIA's address on the same subnet
MALAYSIA(config-if)# encapsulation frame-relay ietf
MALAYSIA(config-if)# frame-relay lmi-type cisco
MALAYSIA(config-if)# no frame-relay inverse-arp
MALAYSIA(config-if)# frame-relay map ip 192.168.30.1 301 broadcast
MALAYSIA(config-if)# frame-relay map ip 192.168.30.2 302 broadcast
MALAYSIA(config-if)# no shut
Full-mesh Frame-Relay environments can get quite expensive, so partial-mesh environments are often more cost-effective. An example of a partial-mesh topology is hub-and-spoke, with one central (hub) location that connects all the other locations, called spokes. In a partial-mesh environment, if both spokes terminate on the hub router's physical serial interface, split horizon will prevent one spoke's network from reaching the other spoke's network. To overcome this, on the hub we can use sub-interfaces with different subnets, creating point-to-point links with each spoke.
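The sub-interface fix described above, as an added example that is not part of the handout: INDIA is the hub and SINGAPORE (DLCI 102) and MALAYSIA (DLCI 103) are spokes; the /30 subnets and SINGAPORE's DLCI 201 towards the hub are assumptions.

```ios
! Added example, not the handout's own configuration.
! ---- INDIA (hub): one point-to-point sub-interface per spoke ----
INDIA(config)# interface serial0
INDIA(config-if)# no ip address                 ! no address on the physical interface
INDIA(config-if)# encapsulation frame-relay
INDIA(config-if)# frame-relay lmi-type cisco
INDIA(config-if)# no shutdown
INDIA(config-if)# interface serial0.102 point-to-point
INDIA(config-subif)# ip address 192.168.12.1 255.255.255.252   ! assumed subnet to SINGAPORE
INDIA(config-subif)# frame-relay interface-dlci 102
INDIA(config-subif)# interface serial0.103 point-to-point
INDIA(config-subif)# ip address 192.168.13.1 255.255.255.252   ! assumed subnet to MALAYSIA
INDIA(config-subif)# frame-relay interface-dlci 103
! ---- SINGAPORE (spoke) ----
SINGAPORE(config)# interface serial0
SINGAPORE(config-if)# no ip address
SINGAPORE(config-if)# encapsulation frame-relay
SINGAPORE(config-if)# no shutdown
SINGAPORE(config-if)# interface serial0.201 point-to-point
SINGAPORE(config-subif)# ip address 192.168.12.2 255.255.255.252
SINGAPORE(config-subif)# frame-relay interface-dlci 201        ! assumed DLCI towards INDIA
! ---- MALAYSIA (spoke), DLCI 301 towards INDIA as in the handout ----
MALAYSIA(config)# interface serial0
MALAYSIA(config-if)# no ip address
MALAYSIA(config-if)# encapsulation frame-relay
MALAYSIA(config-if)# no shutdown
MALAYSIA(config-if)# interface serial0.301 point-to-point
MALAYSIA(config-subif)# ip address 192.168.13.2 255.255.255.252
MALAYSIA(config-subif)# frame-relay interface-dlci 301
!
! Each sub-interface is a separate link, so a route learned on serial0.102
! is no longer suppressed by split horizon when advertised out serial0.103.
INDIA# show frame-relay pvc
INDIA# show frame-relay map
```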
Frame-Relay Commands:
A public address is a unique address on the internet and can be routed on the Internet. Hence
devices that should be Internet accessible must be configured with public addresses.
A private address is only used within an organization, and can never be routed on the internet.
Three private addressing ranges were allocated, one for each IPv4 class:
Class Range
Class A 10.0.0.0 – 10.255.255.255
Class B 172.16.0.0 – 172.31.255.255
Class C 192.168.0.0 – 192.168.255.255
NAT is used to translate between private addresses and public addresses. NAT changes the private address of a device to a public address, and back again on the return path, allowing those devices to communicate across the Internet.
NAT provides an additional benefit – hiding the specific addresses and addressing structure of
the internal network.
NAT Types
Static NAT – Static NAT does a one-to-one translation between two addresses, or between a port on one address and a port on another address. Static NAT is most often used to assign a public address to a device behind a NAT-enabled firewall/router.
Dynamic NAT – Uses a pool of global addresses to dynamically translate the outbound traffic
of clients.
NAT Overload or Port Address Translation (PAT) – Translates to a single global address
with unique port numbers. PAT is necessary when the number of internal clients exceeds the
available global addresses.
Inside Local – the specific IP address assigned to an inside host – usually a Private address.
Inside Global – the address that identifies an inside host to the outside world - usually a public
address.
Outside Global – the address assigned to an outside host - usually a public address at the
remote site.
Outside Local – the address that identifies an outside host to the inside network.
Configuration of NAT
The above command translates Inside Local address of 192.168.20.1 to inside global of
128.168.1.1. Also the inside and outside interfaces are identified:
The above command creates a pool of Inside Global IPs named Outpool, so that the clients identified by the ACL can pick an address dynamically from the pool before exiting the network. Also the inside and outside interfaces are identified:
Any inside host with a source that matches access-list 10 will be translated with overload to the
IP address configured on the Serial0/0 interface. Also the inside and outside interfaces are
identified.
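The three NAT configurations the paragraphs above describe, written out as an added example that is not the handout's own command listing; it uses the handout's values (192.168.20.1 to 128.168.1.1, pool Outpool, access-list 10, Serial0/0) and assumes FastEthernet0/0 as the inside interface and 128.168.1.2 to 128.168.1.10 as the pool range.

```ios
! Added example, not the handout's own commands.
! ---- Common to all three: mark which interface is inside and which outside ----
Router(config)# interface fastethernet0/0        ! assumed inside (private) interface
Router(config-if)# ip nat inside
Router(config-if)# interface serial0/0           ! outside (public) interface
Router(config-if)# ip nat outside
Router(config-if)# exit
!
! ---- Static NAT: 192.168.20.1 is always seen as 128.168.1.1 ----
! Note that this also makes 192.168.20.1 reachable from the outside on
! every port, so it is used only for hosts meant to be Internet accessible.
Router(config)# ip nat inside source static 192.168.20.1 128.168.1.1
!
! ---- Dynamic NAT: hosts matching ACL 10 borrow an address from Outpool ----
Router(config)# access-list 10 permit 192.168.20.0 0.0.0.255
Router(config)# ip nat pool Outpool 128.168.1.2 128.168.1.10 netmask 255.255.255.0
Router(config)# ip nat inside source list 10 pool Outpool
!
! ---- PAT / overload: all ACL 10 hosts share the Serial0/0 address ----
! Use either the pool form above or this overload form for list 10, not both.
Router(config)# ip nat inside source list 10 interface serial0/0 overload
!
! Verify: dynamic entries appear only once an inside host sends traffic.
Router# show ip nat translations
Router# show ip nat statistics
```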
NAT Commands
Router# show ip nat translations – Displays all current static and dynamic translations
Router# show ip nat statistics – Displays which interfaces are inside or outside and NAT translation statistics
Router# debug ip nat – Displays NAT translations in real time
Router# clear ip nat translation * – Clears all dynamic NAT entries from the translation table