Computer Networking Final Report

Uploaded by

bibeupwork

COMPUTER NETWORKING BASED ON CISCO CERTIFIED NETWORK ASSOCIATE (CCNA) ROUTING & SWITCHING

A PROJECT REPORT

Submitted by

BIBECHAN KHANAL

In partial fulfillment for the award of the degree of

BACHELOR IN TECHNOLOGY

IN

COMPUTER SCIENCE AND TECHNOLOGY

Department of Computer Science & Engineering

Rawal Institute of Engineering and Technology
Sohna Road, Near Zakopur, Faridabad
www.rawalinstitutions.com
ACKNOWLEDGEMENT

I am glad to take this opportunity to express my sincere gratitude to my project guide Ms. Varsha Rathi for her guidance, support, valuable suggestions and coordination for this project. I express my sincere gratitude to her for helping with the project and for all the suggestions to complete this internship. It was indeed a great learning experience.

I owe my deep sense of gratitude to Mr. Hari Krishnan K Sharma, Senior Engineer of Nepal Telecom, for providing me an opportunity to carry out the internship work under his guidance at the organization and for his encouragement.

I am also grateful to all the faculty members of the Department of Computer Science for their help and guidance in this project.

Finally, I would also like to take this opportunity to acknowledge the contribution of all those who have published their reports and articles in related fields in various media for the benefit of students like me. I would also like to appreciate and thank my family and friends for their time and suggestions.

Bibechan Khanal

15-CSE-3023
ABSTRACT

In this era of computers and technology, networking is one of the prominent prerequisites. Computer networking generally means communication between two end devices and the processes involved during that communication. It covers designing a network, its usage and maintenance, the hardware and software infrastructure required for operation, and the governing policies.

One of the important tasks in networking is configuring the routers, switches and other networking devices, together with installing, monitoring, maintaining and supporting the network for smooth communication and performance, and enforcing security for secure communication.

The CCNA course introduces the architecture, structure, functions, components, and models of the Internet and other computer networks. The principles and structure of IP addressing and the fundamentals of Ethernet concepts, media, and operations are introduced to provide a foundation for the curriculum. By the end of the course, participants will be able to build simple LANs, perform basic configurations for routers and switches, and implement IP addressing schemes.

In this project the basics of the CCNA course are covered. The widely used routing protocols that we worked with during the internship are explained.

During the internship period of more than 2 months at Nepal Telecom, we learned some of the tasks mentioned above. We learned to design a network in network simulators such as Cisco Packet Tracer and GNS3.
TABLE OF CONTENTS

List of Tables ………………………………………………………… 1


List of Figures …………………………………………………………… 2
1. Chapter 1: Introduction ………………………………………………….3
2. Chapter 2: DHCP Server……………………………………………….. 4
2.1 Introduction …………………………………………………...... 4
2.2 Configuring DHCP Database……………………………..……….4
2.3 Configuring DHCP Database Agent…………………..……….....4
2.4 Configuring DHCP Pool…………………………………………..7
3. Chapter 3: DNS Server…………………………………..………………12
3.1 Introduction……………………………………..………………...12
3.2 How to configure DNS server?.................................................... 13
3.3 How to configure DNS spoofing?................................................. 14
4. Chapter 4: HTTP Server…………………….……………………....….. 16
4.1 How to Configure router to use HTTP Service ………….….. 16
5. Chapter 5: VLAN ………………………………………………………...22
5.1 Introduction …………………………………………………....22
5.2 How it works?............................................................................22
5.3 Types of VLAN………………………………………………...23
5.4 Configuring Cisco switch to use VLAN………………………..25
6. Chapter 6: VPN……………………………………………………………27
6.1 Introduction …………………………………………………….27
6.2 How it works?............................................................................27
6.3 Data encapsulation process……………………………………..29
7. Chapter 7: Firewall………………………………………………………...30
7.1 Introduction to firewall…………………………………………30
7.2 Configuring windows firewall………………………………….30
8. Chapter 8: IP address………………………………………………………35
8.1 Introduction to IPV4……………………………………………35
8.2 Types of IPV4 address………………………………………….36
8.3 Public and Private IP address…………………………………...40
8.4 NAT and PAT…………………………………………………..44

9. Chapter 9: Basic CISCO router and switch configuration………………...45
10. Chapter 10: Different Types of Dynamic Routing Protocols……………….. 48
10.1 Routing Information Protocol (RIP)………………………………… 48
10.2 Enhanced Interior Gateway Routing Protocol (EIGRP)…………….. 50
10.3 Border Gateway Protocol (BGP)……………………………………. 51
LIST OF TABLES

Table 1:- Steps For Configuring DHCP Database Agent………………………………....5

Table 2:- Steps For Excluding IP Address From DHCP Server……………………….…6

Table 3:- Steps For Configuring DHCP Address Pool……………………………………7

Table 4:- Steps For Configuring DNS Spoofing………………………………………...15

Table 5:- Steps for configuring HTTP Server……………………………………………16

Table 6:- Steps For Configuring HTTP Client…………………………………………..20

Table 7:- Showing VLAN Configuration…………………………………………….….25

Table 8:- Showing VLAN Configuration………………………………………………..26

Table 9:- Steps To Configure Access List………….………………………………….. .31

Table 10:- Steps to Configure Inspection Rule…………………………………………..32

Table 11:- Apply Access List & Inspection Rule………………………………………..33

LIST OF FIGURES

Figure 1:- DNS Client & DNS Server………………………………………………….12

Figure 2:- Network Topology Having Cisco Router To Provide DNS Service………..13

Figure 3:- Network Having 2 VLAN……………………………………………………22

Figure 4:- Trunk link between two VLAN-aware bridges…………………....……….. 23

Figure 5:- Access link between a VLAN-aware bridge and a VLAN-unaware device. .24

Figure 6:- Hybrid link containing both VLAN-aware and VLAN-unaware devices…...24

Figure 7:- Firewall In a Network………………………………………………………...30

Figure 8:- IPV4 Header…………………………………………………………………...35

Figure 9:- Network Classes………………………………………………………………41

Figure 10:- Placement and operation of NAT box……………………………………….44

Figure 11:- Network With RIP V2 Protocol…………………………………………......49

Figure 12:- RIP Configuration for Router R1…………………………………………….49

Figure 13:- RIP Configuration for Router R2 ………………………………………...….49

Figure 14:- EIGRP Topology ………………………………………………………........51

Figure 15:- Configuring EIGRP on Router R1…………………………………………...51

Figure 16:- Configuring EIGRP on Router R2………………………………………......51

Figure 17:- BGP Configuration Topology Configuring BGP on Router R2………….....52

Figure 18:- Configuring BGP on Router R2 ……...........................................................52

Figure 19:- Configuring BGP on Router R1……………………………………………..52

Chapter 1: Introduction

Nepal Doorsanchar Company Ltd. (Nepali: नेपाल दूरसञ्चार कम्पनी लिमिटेड), popularly known as Nepal Telecom (Nepali: नेपाल टेलिकम), is a state-owned telecommunication service provider in Nepal with a 91.49% government share. The company was a monopoly until 2003, when the first private sector operator, United Telecom Limited (UTL), started providing basic telephony services. The central office of Nepal Telecom is located at Bhadrakali Plaza, Kathmandu. It has branches, exchanges and other offices in 184 locations within the country.

It is the sole provider of fixed line, ISDN and leased-line services in Nepal. Following the entry of Ncell (previously called Mero Mobile) into Nepal's telecommunications industry in 2005, it is no longer the only provider of GSM mobile service. With more than 5,400 employees, it is one of the largest corporations of Nepal. It has a total of 262 telephone exchanges in various parts of the country serving 603,291 PSTN lines, more than 5 million GSM cellular phones and more than a million CDMA phone lines as of July 2011. According to recent data, there are about 10 million users of Nepal Telecom including all those of fixed landline, GSM mobile, CDMA and internet service. Nepal Telecom launched 4G LTE service on 1 January 2017.

Chapter 2: DHCP Server

2.1. Introduction

DHCP stands for Dynamic Host Configuration Protocol. A DHCP server is a server used for the automatic assignment of an IP address, default gateway and other configuration information to a host. [1] RFCs 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF) standard based on the Bootstrap Protocol (BOOTP), a protocol with which DHCP shares many implementation details.

2.2. Benefits of using a DHCP Server

• Reliable IP address configuration. DHCP minimizes configuration errors caused by manual IP address configuration, such as typographical errors, or address conflicts caused by the assignment of an IP address to more than one computer at the same time.

• Reduced network administration. DHCP includes the following features to reduce network administration:
   o Centralized and automated TCP/IP configuration.
   o The ability to define TCP/IP configurations from a central location.
   o The efficient handling of IP address changes for clients that must be updated frequently, such as those for portable computers that move to different locations on a wireless network.
   o The forwarding of initial DHCP messages by using a DHCP relay agent, thus eliminating the need to have a DHCP server on every subnet.

2.3. Configuring DHCP Database Agent

Perform this task to configure a DHCP database agent.

A DHCP database agent is any host (for example, an FTP, TFTP, or rcp server) or storage media on the DHCP server (for example, disk0) that stores the DHCP bindings database. We can configure multiple DHCP database agents, and can configure the interval between database updates and transfers for each agent. Automatic bindings are IP addresses that have been automatically mapped to the MAC addresses of hosts that are found in the DHCP database. Automatic binding information (such as lease expiration date and time, interface index, and VPN routing and forwarding [VRF] name) is stored on a database agent. The bindings are saved as text records for easy maintenance. An address conflict occurs when two hosts use the same IP address. During address assignment, DHCP checks for conflicts using ping and gratuitous Address Resolution Protocol (ARP). If a conflict is detected, the address is removed from the pool. The address will not be assigned until the administrator resolves the conflict.

Detailed Steps

Step 1. enable
   Purpose: Enables privileged EXEC mode.
   Example: Router> enable

Step 2. configure terminal
   Purpose: Enters global configuration mode.
   Example: Router# configure terminal

Step 3. Do one of the following:
   • ip dhcp database url [timeout seconds | write-delay seconds]
   • no ip dhcp conflict logging
   Purpose: Configures a DHCP server to save automatic bindings on a remote host called a database agent, or disables DHCP address conflict logging.
   Example: Router(config)# ip dhcp database ftp://user:[email protected]/router-dhcp timeout 80
   Example: Router(config)# no ip dhcp conflict logging

Table 1:- Steps For Configuring DHCP Database Agent
Excluding IP Addresses

Perform this task to specify IP addresses (excluded addresses) that the DHCP server should not assign to clients.

The IP address configured on the router interface is automatically excluded from the DHCP address pool. The DHCP server assumes that all other IP addresses in a DHCP address pool subnet are available for assigning to DHCP clients.

We need to exclude addresses from the pool if the DHCP server should not allocate those IP addresses. An example usage scenario is when two DHCP servers are set up to service the same network segment (subnet) for redundancy. If the two DHCP servers do not coordinate their services with each other using a protocol such as DHCP failover, then each DHCP server must be configured to allocate from a non-overlapping set of addresses in the shared subnet. See the "Configuring Manual Bindings Example" section for a configuration example.

Detailed Steps

Step 1. enable
   Purpose: Enables privileged EXEC mode.
   Example: Router> enable

Step 2. configure terminal
   Purpose: Enters global configuration mode.
   Example: Router# configure terminal

Step 3. ip dhcp excluded-address low-address [high-address]
   Purpose: Specifies the IP addresses that the DHCP server should not assign to DHCP clients.
   Example: Router(config)# ip dhcp excluded-address 172.16.1.100 172.16.1.103

Table 2:- Steps For Excluding IP Address From DHCP Server
2.4. Configuring the DHCP address pool

Perform this task to configure a DHCP address pool. On a per-address-pool basis, specify DHCP options for the client as necessary.

We can configure a DHCP address pool with a name that is a symbolic string (such as "engineering") or an integer (such as 0). Configuring a DHCP address pool also puts the router into DHCP pool configuration mode, identified by the (dhcp-config)# prompt, from which we can configure pool parameters (for example, the IP subnet number and default router list).

DHCP defines a process by which the DHCP server knows the IP subnet in which the DHCP client resides, so that it can assign an IP address from a pool of valid IP addresses in that subnet. The process by which the DHCP server identifies which DHCP address pool to use to service a client request is described in the "Configuring Manual Bindings" task.

The DHCP server identifies which DHCP address pool to use to service a client request as follows:

• If the client is not directly connected (the giaddr field of the DHCPDISCOVER broadcast message is nonzero), the DHCP server matches the DHCPDISCOVER with a DHCP pool that has the subnet that contains the IP address in the giaddr field.

• If the client is directly connected (the giaddr field is zero), the DHCP server matches the DHCPDISCOVER with DHCP pools that contain the subnets configured on the receiving interface. If the interface has secondary IP addresses, the subnets associated with the secondary IP addresses are examined for possible allocation only after the subnet associated with the primary IP address (on the interface) is exhausted.

Cisco IOS DHCP server software supports advanced capabilities for IP address allocation. See the "Configuring DHCP Address Allocation Using Option" section for more information.
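As an added example (not code from the report or from Cisco IOS), the following Python model walks through the pool-selection rules just listed together with the excluded-address rule from section 2.3: a relayed DISCOVER (nonzero giaddr) is matched to the pool whose subnet contains giaddr, a directly connected one is served from the receiving interface's primary subnet and only then from its secondaries, and interface addresses, excluded ranges and existing leases are skipped. The pool names, subnets, relay address and pre-existing leases are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example (not the report's or Cisco's code): a model of how a DHCP
# server picks a pool and a free address for a DHCPDISCOVER. All pools,
# interfaces and addresses below are constructed for the demo.


@dataclass
class Pool:
    name: str
    network: ipaddress.IPv4Network
    leased: set = field(default_factory=set)   # automatic bindings already handed out


@dataclass
class Interface:
    name: str
    primary: ipaddress.IPv4Interface
    secondaries: list                          # IPv4Interface objects


class DhcpServer:
    def __init__(self):
        self.pools = []
        self.excluded = []   # inclusive (low, high) ranges, as with ip dhcp excluded-address

    def add_pool(self, name, network):
        self.pools.append(Pool(name, ipaddress.ip_network(network)))

    def exclude(self, low, high=None):
        lo = ipaddress.ip_address(low)
        hi = ipaddress.ip_address(high) if high else lo
        self.excluded.append((lo, hi))

    def is_excluded(self, addr):
        return any(lo <= addr <= hi for lo, hi in self.excluded)

    def candidate_pools(self, giaddr, interface):
        """Pools to search, in order, for a DISCOVER received on `interface`."""
        giaddr = ipaddress.ip_address(giaddr)
        if int(giaddr) != 0:
            # Relayed client: the relay agent's address identifies the client subnet.
            return [p for p in self.pools if giaddr in p.network]
        # Directly connected client: primary subnet first, then the secondaries.
        subnets = [interface.primary.network] + [s.network for s in interface.secondaries]
        return [p for net in subnets for p in self.pools if p.network == net]

    def allocate(self, giaddr, interface):
        """Return (pool name, address) to OFFER, or None if nothing is free."""
        own = {interface.primary.ip} | {s.ip for s in interface.secondaries}
        for pool in self.candidate_pools(giaddr, interface):
            for host in pool.network.hosts():
                # Interface addresses are excluded automatically; excluded ranges
                # and existing bindings are skipped as well.
                if host in own or self.is_excluded(host) or host in pool.leased:
                    continue
                pool.leased.add(host)
                return pool.name, str(host)
        return None


def build_demo_server():
    srv = DhcpServer()
    srv.add_pool("1", "172.16.1.0/24")        # primary subnet of Gi0/0
    srv.add_pool("eng", "172.16.2.0/24")      # secondary subnet of Gi0/0
    srv.add_pool("remote", "10.9.0.0/24")     # subnet behind a relay agent (constructed)
    srv.exclude("172.16.1.100", "172.16.1.103")   # the range from Table 2
    srv.exclude("10.9.0.1")   # a relay router's own address is NOT excluded automatically
    # Pretend 172.16.1.2 - 172.16.1.99 are already bound to clients.
    srv.pools[0].leased.update(ipaddress.ip_address("172.16.1.%d" % i) for i in range(2, 100))
    gi0 = Interface("Gi0/0", ipaddress.ip_interface("172.16.1.1/24"),
                    [ipaddress.ip_interface("172.16.2.1/24")])
    return srv, gi0


def demo():
    srv, gi0 = build_demo_server()
    results = {}
    # Directly connected (giaddr = 0): skips .1 (interface), .2-.99 (leased), .100-.103 (excluded)
    results["direct"] = srv.allocate("0.0.0.0", gi0)
    # Relayed: giaddr 10.9.0.1 selects pool "remote"; .1 was excluded by hand
    results["relayed"] = srv.allocate("10.9.0.1", gi0)
    # giaddr in a subnet with no pool: no OFFER is sent
    results["unknown"] = srv.allocate("192.0.2.1", gi0)
    # Primary subnet exhausted: only now is the secondary subnet's pool used
    srv.pools[0].leased.update(srv.pools[0].network.hosts())
    results["direct_exhausted"] = srv.allocate("0.0.0.0", gi0)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```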
Detailed Steps

Step 1. enable
   Purpose: Enables privileged EXEC mode.
   Example: Router> enable

Step 2. configure terminal
   Purpose: Enters global configuration mode.
   Example: Router# configure terminal

Step 3. ip dhcp pool name
   Purpose: Creates a name for the DHCP server address pool and enters DHCP pool configuration mode.
   Example: Router(config)# ip dhcp pool 1

Step 4. utilization mark high percentage-number [log]
   Purpose: (Optional) Configures the high utilization mark of the current address pool size.
   • The log keyword enables the logging of a system message. A system message will be generated for a DHCP pool when the pool utilization exceeds the configured high utilization threshold.

Step 5. utilization mark low percentage-number [log]
   Purpose: (Optional) Configures the low utilization mark of the current address pool size.
   • The log keyword enables the logging of a system message. A system message will be generated for a DHCP pool when the pool utilization falls below the configured low utilization threshold.
   Example: Router(dhcp-config)# utilization mark low 70 log

Step 6. network network-number [{mask | /prefix-length} [secondary]]
   Purpose: Specifies the subnet network number and mask of the DHCP address pool.
   Example: Router(dhcp-config)# network 172.16.0.0 /16

Step 7. domain-name domain
   Purpose: Specifies the domain name for the client.
   Example: Router(dhcp-config)# domain-name cisco.com

Step 8. dns-server address [address2 ... address8]
   Purpose: Specifies the IP address of a DNS server that is available to a DHCP client.
   • One IP address is required; however, we can specify up to eight IP addresses in one command line.
   • Servers should be listed in order of preference.
   Example: Router(dhcp-config)# dns-server 172.16.1.103 172.16.2.103

Step 9. bootfile filename
   Purpose: (Optional) Specifies the name of the default boot image for a DHCP client.
   • The boot file is used to store the boot image for the client. The boot image is generally the operating system the client uses to load.
   Example: Router(dhcp-config)# bootfile xllboot

Step 10. next-server address [address2 ... address8]
   Purpose: (Optional) Configures the next server in the boot process of a DHCP client.
   • If multiple servers are specified, DHCP assigns them to clients in round-robin order. The first client gets address 1, the next client gets address 2, and so on.
   • If this command is not configured, DHCP uses the server specified by the ip helper-address command as the boot server.
   Example: Router(dhcp-config)# next-server 172.17.1.103 172.17.2.103

Step 11. netbios-name-server address [address2 ... address8]
   Purpose: (Optional) Specifies the NetBIOS WINS server that is available to a Microsoft DHCP client.
   • One address is required; however, we can specify up to eight addresses in one command line.
   • Servers should be listed in order of preference.
   Example: Router(dhcp-config)# netbios-name-server 172.16.1.103 172.16.2.103

Step 12. netbios-node-type type
   Purpose: (Optional) Specifies the NetBIOS node type for a Microsoft DHCP client.
   Example: Router(dhcp-config)# netbios-node-type h-node

Step 13. default-router address [address2 ... address8]
   Purpose: (Optional) Specifies the IP address of the default router for a DHCP client.
   • The IP address should be on the same subnet as the client.
   • One IP address is required; however, we can specify up to eight IP addresses in one command line. These default routers are listed in order of preference; that is, address is the most preferred router, address2 is the next most preferred router, and so on.
   • When a DHCP client requests an IP address, the router, acting as a DHCP server, accesses the default router list to select another router that the DHCP client is to use as the first hop for forwarding messages. After a DHCP client has booted, the client begins sending packets to its default router.
   Example: Router(dhcp-config)# default-router 172.16.1.100 172.16.1.101

Step 14. option code [instance number] {ascii string | hex string | ip-address}
   Purpose: (Optional) Configures DHCP server options.
   Example: Router(dhcp-config)# option 19 hex 01

Step 15. end
   Purpose: Returns to global configuration mode.
   Example: Router(dhcp-config)# end

Table 3:- Steps For Configuring DHCP Address Pool

Chapter 3: DNS Server
3.1. Introduction

The DNS is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participants. Most importantly, it translates domain names meaningful to humans into the numerical (binary) identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide. An often used analogy to explain the Domain Name System is that it serves as the "phone book" for the Internet by translating human-friendly computer hostnames into IP addresses. For example, 209.191.122.70 for yahoo.com.

The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains. This mechanism has made the DNS distributed and fault tolerant, and has helped avoid the need for a single central register to be continually consulted and updated.

In general, the Domain Name System also stores other types of information, such as the list of mail servers that accept email for a given Internet domain. By providing a worldwide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet.

Figure 1:- DNS Client & DNS Server

3.2. How to configure DNS server?

The DNS protocol is used to resolve FQDNs (Fully Qualified Domain Names) to IP addresses around the world. This allows us to successfully find and connect to Internet websites and services no matter where they are. Beyond its usefulness on the Internet, local company and private networks also rely on DNS to operate efficiently and correctly.

In many cases, where a local DNS server is not available, we are forced to either use our ISP's DNS servers or some public DNS server; however, this can sometimes prove troublesome. Today, small low-end routers have the ability to integrate DNS functionality, making life easier, but so do Cisco routers: they simply have to be set up and we're done.

An example to illustrate the configuration of a Cisco router to provide DNS services to the network and make clients use the DNS server is shown below.

Consider a network topology as follows.

Figure 2:- Network Topology Having Cisco Router To Provide DNS Service

The first step is to enable the DNS service and domain lookup on the router:

R0# configure terminal
R0(config)# ip dns server
R0(config)# ip domain-lookup

Next, we need to configure the router with a public name-server. This will force the router to perform recursive DNS lookups; in other words, for every request it receives from our workstations the router will try to find the answer by asking as many DNS servers as it needs and finally return with an answer:

R0(config)# ip name-server 4.2.2.5
R0(config)# ip name-server 4.2.2.6

Cisco IOS allows us to enter up to 6 different name servers (essentially DNS servers). Usually, we would use our ISP's DNS server first to ensure quick responses, then place a few free public DNS servers such as the ones above. This will ensure that we'll get a DNS response from either the ISP or public DNS servers.

The next step is to configure the DNS server with the host names of our local network. This way, when Alan's PC tries to ping or connect to Wayne, the router will successfully resolve its NetBIOS name to the appropriate IP address:

R0(config)# ip host alan 192.168.1.10
R0(config)# ip host john 192.168.1.11
R0(config)# ip host wayne 192.168.1.12

3.3. How to configure DNS Spoofing

Perform this task to configure DNS spoofing.

DNS spoofing is designed to allow a device to act as a proxy DNS server and "spoof" replies to any DNS queries using either the configured IP address in the ip dns spoofing ip-address command or the IP address of the incoming interface for the query. This feature is useful for devices where the interface toward the Internet service provider (ISP) is not up. Once the interface to the ISP is up, the device forwards DNS queries to the real DNS servers.

This feature turns on DNS spoofing and is functional if any of the following conditions are true:

• The no ip domain lookup command is configured.

• IP name server addresses are not configured.

• There are no valid interfaces or routes for sending to the configured name server addresses.

If these conditions are removed, DNS spoofing will not occur.

Detailed Steps

Step 1. enable
   Purpose: Enables privileged EXEC mode.
   • Enter password if prompted.
   Example: Device> enable

Step 2. configure terminal
   Purpose: Enters global configuration mode.
   Example: Device# configure terminal

Step 3. ip dns server
   Purpose: Activates the DNS server on the device.
   Example: Device(config)# ip dns server

Step 4. ip dns spoofing [ip-address]
   Purpose: Configures DNS spoofing.
   • The IP address used for DNS spoofing can be an IPv4 or IPv6 address.
   • The device will respond to the DNS query with the configured ip-address when queried for any hostname other than its own.
   • The device will respond to the DNS query with the IP address of the incoming interface when queried for its own hostname.
   Example: Device(config)# ip dns spoofing 192.168.15.1

Table 4:- Steps For Configuring DNS Spoofing
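The following Python model is an added example (not code from the report or from Cisco IOS) of the fallback behaviour described in this section: it decides from the three listed conditions whether the IOS "DNS spoofing" proxy is active, and if so answers an A query on the wire-format level with the configured spoofing address for any name, or the incoming interface address for the device's own hostname; once a name server is reachable again it returns None, meaning the query is forwarded to the real servers. The hostname, interface address and query bytes are constructed; the name servers 4.2.2.5/4.2.2.6 and the spoofing address 192.168.15.1 are the values used above.

```python
import struct
from dataclasses import dataclass, field

# Added example (not the report's or Cisco's code): a model of the IOS
# "DNS spoofing" fallback described above. Hostnames, interface address
# and the query bytes are constructed for the demo.

QTYPE_A, QCLASS_IN = 1, 1


@dataclass
class DeviceState:
    hostname: str
    domain_lookup: bool = True                          # False once "no ip domain lookup" is set
    name_servers: list = field(default_factory=list)    # from "ip name-server"
    reachable: set = field(default_factory=set)         # name servers with a valid route/interface
    spoof_address: str = None                           # from "ip dns spoofing [ip-address]"


def spoofing_active(state):
    """Spoofing is functional if any of the three conditions from the text holds."""
    return (not state.domain_lookup
            or not state.name_servers
            or not any(ns in state.reachable for ns in state.name_servers))


def build_query(txid, name, qtype=QTYPE_A):
    """Constructed client query: standard header with RD set plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(packet):
    """Return (txid, qname, qtype, qclass, raw question section)."""
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while packet[pos] != 0:                  # walk the length-prefixed labels
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1                                 # root label terminator
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def handle_query(state, packet, incoming_interface_ip):
    """Spoofed A response (bytes), or None when the query must be forwarded to real servers."""
    if not spoofing_active(state):
        return None                          # ISP path is up: proxy to the real name servers
    txid, qname, qtype, qclass, question = parse_query(packet)
    if qtype != QTYPE_A or qclass != QCLASS_IN:
        return None                          # this model only answers A/IN
    if qname.lower().split(".")[0] == state.hostname.lower():
        answer_ip = incoming_interface_ip    # own hostname: the incoming interface address
    else:
        answer_ip = state.spoof_address or incoming_interface_ip
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)       # QR, RD, RA; 1 question, 1 answer
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, 4)   # pointer to qname, TTL 60 s
    return header + question + rr + bytes(int(o) for o in answer_ip.split("."))


def answer_address(response):
    """Dotted-quad A record at the end of a response built by handle_query."""
    return ".".join(str(b) for b in response[-4:])


def demo_state():
    return DeviceState(hostname="edge-router",                 # constructed
                       name_servers=["4.2.2.5", "4.2.2.6"],    # as in section 3.2
                       reachable=set(),                         # ISP interface is down
                       spoof_address="192.168.15.1")            # as in Table 4


if __name__ == "__main__":
    st = demo_state()
    for name in ("www.example.com", "edge-router"):
        resp = handle_query(st, build_query(0x1234, name), "192.168.1.1")
        print(name, "->", answer_address(resp))
    st.reachable.add("4.2.2.5")                                  # ISP link comes back
    print("forwarded:", handle_query(st, build_query(2, "www.example.com"), "192.168.1.1") is None)
```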

Chapter 4: HTTP Server

4.1. Introduction

Hypertext Transfer Protocol (HTTP) works with the World Wide Web, which is the fastest growing and most used part of the Internet. One of the main reasons for the extraordinary growth of the Web is the ease with which it allows access to information. A Web browser is a client-server application, which means that it requires both a client and a server component in order to function. A Web browser presents data in multimedia formats on Web pages that use text, graphics, sound, and video. The Web pages are created with a format language called Hypertext Markup Language (HTML). HTML directs a Web browser on a particular Web page to produce the appearance of the page in a specific manner. In addition, HTML specifies locations for the placement of text, files, and objects that are to be transferred from the Web server to the Web browser.

4.2. How to configure a Cisco router to provide HTTP service

4.2.1. Configuring the HTTP 1.1 Web Server

Step 1. enable
   Purpose: Enables privileged EXEC mode. Enter your password if prompted.
   Example: Router> enable

Step 2. configure terminal
   Purpose: Enters global configuration mode.
   Example: Router# configure terminal

Step 3. ip http server
   Purpose: Enables the HTTP 1.1 server, including the Cisco web browser user interface.
   Example: Router(config)# ip http server

Step 4. ip http authentication {aaa | enable | local | tacacs}
   Purpose: (Optional) Specifies the authentication method to be used for login when a client connects to the HTTP server. The methods for authentication are:
   • aaa: Indicates that the authentication method used for the authentication, authorization, and accounting (AAA) login service (specified by the aaa authentication login default command) should be used for authentication.
   • enable: Indicates that the "enable" password should be used for authentication. (This is the default method.)
   • local: Indicates that the login username, password, and privilege-level access combination specified in the local system configuration (by the username global configuration command) should be used for authentication and authorization.
   • tacacs: Indicates that the TACACS (or XTACACS) server should be used for authentication.
   Example: Router(config)# ip http authentication local

Step 5. ip http accounting commands level {default | named-accounting-method-list}
   Purpose: (Optional) Specifies a particular command accounting method for HTTP server users. Command accounting for HTTP and HTTPS is automatically enabled when AAA is configured on the device. It is not possible to disable accounting for HTTP and HTTPS. HTTP and HTTPS will default to using the global AAA default method list for accounting. The CLI can be used to configure HTTP and HTTPS to use any predefined AAA method list.
   • level: Valid privilege level entries are integers from 0 to 15.
   • default: Indicates the default accounting method list configured by the aaa accounting commands.
   • named-accounting-method-list: Indicates the name of the predefined command accounting method list.
   Example: Router(config)# ip http accounting commands 15 default

Step 6. ip http port port-number
   Purpose: (Optional) Specifies the server port that should be used for HTTP communication (for example, for the Cisco web browser user interface).
   Example: Router(config)# ip http port 8080

Step 7. ip http path url
   Purpose: (Optional) Sets the base HTTP path for HTML files. The base path is used to specify the location of the HTTP server files (HTML files) on the local system. Generally, HTML files are located in the system flash memory.
   Example: Router(config)# ip http path slot1:

Step 8. ip http access-class access-list-number
   Purpose: (Optional) Specifies the access list that should be used to allow access to the HTTP server.
   Example: Router(config)# ip http access-class 20

Step 9. ip http max-connections value
   Purpose: (Optional) Sets the maximum number of allowed concurrent connections to the HTTP server. The default value is 5.
   Example: Router(config)# ip http max-connections 10

Step 10. ip http timeout-policy idle seconds life seconds requests value
   Purpose: (Optional) Sets the characteristics that determine how long a connection to the HTTP server should remain open. The characteristics include the following:
   • idle: The maximum number of seconds the connection will be kept open if no data is received or if response data cannot be sent out on the connection. Note that a new value may not take effect on any already existing connections. If the server is too busy or the limit on the life time or the number of requests is reached, the connection may be closed sooner. The default value is 180 seconds (3 minutes).
   • life: The maximum number of seconds the connection will be kept open, from the time the connection is established. Note that the new value may not take effect on any already existing connections. If the server is too busy or the limit on the idle time or the number of requests is reached, it may close the connection sooner. Also, since the server will not close the connection while actively processing a request, the connection may remain open longer than the specified life time if processing is occurring when the life maximum is reached. In this case, the connection will be closed when processing finishes. The default value is 180 seconds (3 minutes). The maximum value is 86400 seconds (24 hours).
   • requests: The maximum limit on the number of requests processed on a persistent connection before it is closed. Note that the new value may not take effect on already existing connections. If the server is too busy or the limit on the idle time or the life time is reached, the connection
   Example: Router(config)# ip http timeout-policy idle 30 life 120 requests 100

Table 5:- Steps for configuring HTTP Server
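To make the three limits of Step 10 concrete, here is an added Python model (not code from the report or from Cisco IOS) of a persistent-connection policy with the idle, life and requests limits as described above, including the rule that the server never closes a connection while a request is being processed, so a connection can outlive its life limit until the response is finished. The timelines are constructed; the policy values idle 30, life 120, requests 100 are the ones in the example above, and the order in which the limits are checked is a modelling choice.

```python
from dataclasses import dataclass

# Added example (not the report's or Cisco's code): a model of the limits set
# by "ip http timeout-policy idle <s> life <s> requests <n>". Times are in
# seconds on a constructed timeline.


@dataclass
class TimeoutPolicy:
    idle: int       # max seconds with no data before the connection is dropped
    life: int       # max seconds since the connection was established
    requests: int   # max requests served on one persistent connection


class HttpConnection:
    def __init__(self, policy, now):
        self.policy = policy
        self.established = now
        self.last_data = now
        self.served = 0
        self.processing = False
        self.closed_reason = None

    def begin_request(self, now):
        """Request bytes arrive: the policy is applied first, then processing starts."""
        if self.check(now):
            raise RuntimeError("connection already closed: " + self.closed_reason)
        self.last_data = now
        self.processing = True

    def finish_request(self, now):
        """Response fully sent: one more request served; the policy is applied again."""
        self.last_data = now
        self.processing = False
        self.served += 1
        return self.check(now)

    def check(self, now):
        """Apply the policy at time `now`; return the close reason or None.

        Nothing is closed while a request is being processed, so a connection
        may outlive `life` until processing ends. The order life > requests >
        idle below is a modelling choice; the text does not fix one.
        """
        if self.closed_reason:
            return self.closed_reason
        if self.processing:
            return None
        if now - self.established >= self.policy.life:
            self.closed_reason = "life"
        elif self.served >= self.policy.requests:
            self.closed_reason = "requests"
        elif now - self.last_data >= self.policy.idle:
            self.closed_reason = "idle"
        return self.closed_reason


# The example values from Step 10 above.
POLICY = TimeoutPolicy(idle=30, life=120, requests=100)


def idle_scenario(policy=POLICY):
    """One request at t=10..11, then silence: the idle limit fires at t=41."""
    c = HttpConnection(policy, now=0)
    c.begin_request(10)
    c.finish_request(11)
    return c.check(40), c.check(41)          # (None, "idle")


def life_during_processing_scenario(policy=POLICY):
    """A request still in progress when life (120 s) expires keeps the connection open."""
    c = HttpConnection(policy, now=0)
    for t in range(0, 101, 20):              # keep-alive requests every 20 s, under the idle limit
        c.begin_request(t)
        c.finish_request(t + 1)
    c.begin_request(115)                     # long request, still processing past t=120
    at_125 = c.check(125)                    # past life, but processing -> stays open
    at_130 = c.finish_request(130)           # processing done -> closed for "life"
    return at_125, at_130                    # (None, "life")


def requests_scenario():
    """With requests 2, the connection closes as soon as the second response is sent."""
    c = HttpConnection(TimeoutPolicy(idle=30, life=120, requests=2), now=0)
    c.begin_request(1)
    first = c.finish_request(2)
    c.begin_request(3)
    second = c.finish_request(4)
    return first, second                     # (None, "requests")


if __name__ == "__main__":
    print("idle:", idle_scenario())
    print("life while processing:", life_during_processing_scenario())
    print("requests:", requests_scenario())
```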

Configuring the HTTP client

Step 1. enable
   Purpose: Enables privileged EXEC mode. Enter your password if prompted.
   Example: Router> enable

Step 2. configure terminal
   Purpose: Enters global configuration mode.
   Example: Router# configure terminal

Step 3. ip http client cache {ager interval minutes | memory {file file-size-limit | pool pool-size-limit}}
   Purpose: Configures the HTTP client cache.
   Example: Router(config)# ip http client cache memory file

Step 4. ip http client connection {forceclose | idle timeout seconds | retry count | timeout seconds}
   Purpose: Configures an HTTP client connection.
   Example: Router(config)# ip http client connection timeout 10

Step 5. ip http client password password
   Purpose: Configures the default password used for connections to remote HTTP servers.
   Example: Router(config)# ip http client password pswd1

Step 6. ip http client proxy-server proxy-name proxy-port port-number
   Purpose: Configures an HTTP proxy server.
   Example: Router(config)# ip http client proxy-server server1 proxy-port 52

Step 7. ip http client response timeout seconds
   Purpose: Specifies the timeout value, in seconds, that the HTTP client waits for a response from the server.
   Example: Router(config)# ip http client response timeout 60

Step 8. ip http client username username
   Purpose: Configures the default username used for connections to remote HTTP servers.
   Example: Router(config)# ip http client username user

Step 9. ip http client source-interface type number
   Purpose: Configures a source interface for the HTTP client.
   Example: Router(config)# ip http client source-interface ethernet1/0

Table 6:- Steps For Configuring HTTP Client

Chapter 5: VLAN

5.1. Introduction

A virtual local area network (VLAN) is a logical group of workstations, servers and network devices that appear to be on the same LAN despite their geographical distribution. A VLAN allows a network of computers and users to communicate in a simulated environment as if they exist in a single LAN and are sharing a single broadcast and multicast domain. VLANs are implemented to achieve scalability, security and ease of network management, and can quickly adapt to changes in network requirements and relocation of workstations and server nodes. High-end switches allow the functionality and implementation of VLANs. The purpose of implementing a VLAN is to improve the performance of a network or to apply appropriate security features.

Figure 3:- Network Having 2 VLAN

5.2. How it works?

When a LAN bridge receives data from a workstation, it tags the data with a VLAN identifier indicating the VLAN from which the data came. This is called explicit tagging. It is also possible to determine to which VLAN the received data belongs using implicit tagging. In implicit tagging the data is not tagged, but the VLAN from which the data came is determined from other information, such as the port on which the data arrived. Tagging can be based on the port from which it came, the source Media Access Control (MAC) field, the source network address, or some other field or combination of fields. VLANs are classified based on the method used. To be able to tag data using any of these methods, the bridge has to keep an updated database containing a mapping between VLANs and whichever field is used for tagging. For example, if tagging is by port, the database should indicate which ports belong to which VLAN. This database is called a filtering database. Bridges have to be able to maintain this database and also make sure that all the bridges on the LAN have the same information in each of their databases. The bridge determines where the data is to go next based on normal LAN operations. Once the bridge determines where the data is to go, it then needs to determine whether the VLAN identifier should be added to the data before it is sent. If the data is to go to a device that knows about VLAN implementation (VLAN-aware), the VLAN identifier is added to the data. If it is to go to a device that has no knowledge of VLAN implementation (VLAN-unaware), the bridge sends the data without the VLAN identifier. In order to understand how VLANs work, we need to look at the types of connections between devices on VLANs.

5.3. Types of VLAN Connections

Devices on a VLAN can be connected in three ways, based on whether the connected devices are VLAN-aware or VLAN-unaware.

1. Trunk Link
All the devices connected to a trunk link, including workstations, must be VLAN-aware. All frames on a trunk link must have a special header attached. These special frames are called tagged frames.

Figure 4 : - Trunk link between two VLAN-aware bridges

2. Access Link
An access link connects a VLAN-unaware device to the port of a VLAN-aware bridge. All frames on access links must be implicitly tagged (untagged). The VLAN-unaware device can be a LAN segment with VLAN-unaware workstations, or it can be a number of LAN segments containing VLAN-unaware devices (legacy LAN).

Figure 5:- Access link between a VLAN-aware bridge and a VLAN-unaware device

3. Hybrid Link
This is a combination of the previous two links. It is a link to which both VLAN-aware and VLAN-unaware devices are attached. A hybrid link can carry both tagged and untagged frames, but all the frames for a specific VLAN must be either tagged or untagged.

Figure 6:- Hybrid link containing both VLAN-aware and VLAN-unaware devices
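The filtering database and the three link types above, modelled in Python as an added example (not part of the report and not Cisco code): the port names, the VLAN numbers 10 and 50, and the MAC addresses are constructed, and a hybrid link is represented as a port that has both an untagged VLAN and a set of tagged VLANs.

```python
"""Model of a VLAN-aware bridge, written for this report as an added example
(it is not Cisco code and not part of the original text).

The filtering database is the per-port membership: an access (untagged) VLAN,
a set of trunk (tagged) VLANs, or both for a hybrid link. Untagged frames are
implicitly tagged from the ingress port; frames leaving on a trunk carry an
explicit tag; frames leaving towards a VLAN-unaware device are sent untagged.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst: str
    src: str
    payload: bytes
    vlan: Optional[int] = None   # None means the frame carries no VLAN tag


@dataclass
class Port:
    name: str
    access_vlan: Optional[int] = None                    # VLAN for untagged frames
    trunk_vlans: Set[int] = field(default_factory=set)   # VLANs carried tagged


class VlanBridge:
    def __init__(self, ports: List[Port]):
        for p in ports:
            # A hybrid link may carry tagged and untagged frames, but a given
            # VLAN must be one or the other on that link.
            if p.access_vlan in p.trunk_vlans:
                raise ValueError(f"{p.name}: VLAN {p.access_vlan} both tagged and untagged")
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        # MAC learning table kept per VLAN: the same MAC seen in two VLANs
        # never causes a frame to cross from one VLAN into the other.
        self.mac_table: Dict[int, Dict[str, str]] = {}

    @staticmethod
    def classify(port: Port, frame: Frame) -> Optional[int]:
        """VLAN the frame belongs to, or None when the bridge must drop it."""
        if frame.vlan is None:
            return port.access_vlan            # implicit tagging by port
        if frame.vlan in port.trunk_vlans:
            return frame.vlan                  # explicit tag, allowed here
        return None                            # tag not permitted on this port

    def receive(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Forward one frame; returns {egress port: frame as transmitted}."""
        vlan = self.classify(self.ports[in_port], frame)
        if vlan is None:
            return {}
        table = self.mac_table.setdefault(vlan, {})
        table[frame.src] = in_port
        if frame.dst != BROADCAST and frame.dst in table:
            candidates = [table[frame.dst]]    # known unicast: one port
        else:
            candidates = list(self.ports)      # flood, but within the VLAN only
        out: Dict[str, Frame] = {}
        for name in candidates:
            port = self.ports[name]
            if name == in_port:
                continue
            if vlan in port.trunk_vlans:       # VLAN-aware neighbour: tag it
                out[name] = Frame(frame.dst, frame.src, frame.payload, vlan)
            elif port.access_vlan == vlan:     # VLAN-unaware neighbour: strip tag
                out[name] = Frame(frame.dst, frame.src, frame.payload, None)
        return out


def build_demo_bridge() -> VlanBridge:
    """Constructed topology: one trunk, three access ports, one hybrid port."""
    return VlanBridge([
        Port("fa0/1", trunk_vlans={10, 50}),              # trunk link
        Port("fa0/2", access_vlan=50),                    # access links (DATA)
        Port("fa0/3", access_vlan=50),
        Port("fa0/4", access_vlan=10),                    # access link (VOICE)
        Port("fa0/5", access_vlan=10, trunk_vlans={50}),  # hybrid link
    ])


if __name__ == "__main__":
    bridge = build_demo_bridge()
    out = bridge.receive("fa0/2", Frame(BROADCAST, "00:00:00:00:00:02", b"ARP?"))
    for name, f in sorted(out.items()):
        print(name, "tagged" if f.vlan else "untagged", f.vlan)
```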

5.4. Configuring Cisco switch to use VLAN

5.4.1. Adding and Verifying Data and Voice VLANs

Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name VOICE
Switch(config-vlan)# vlan 50
Switch(config-vlan)# name DATA
Switch(config-vlan)# end
Switch# show vlan brief

VLAN Name                 Status    Port
---- -------------------- --------- --------------------------------------------------
1    default              active    Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15,
                                    Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22,
                                    Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VOICE                active
50   DATA                 active
1002 fddi-default         act/unsup
1003 token-ring-default   act/unsup
1004 fddinet-default      act/unsup
1005 trnet-default        act/unsup

Table 7:- Showing VLAN Configuration

5.4.2 Assigning Data and Voice VLAN

Switch# configure terminal
Switch(config)# interface range fa0/2 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# spanning-tree portfast
Switch(config-if-range)# switchport access vlan 50
Switch(config-if-range)# switchport voice vlan 10
Switch(config-if-range)# end
Switch# show vlan brief

VLAN Name                 Status    Port
---- -------------------- --------- --------------------------------------------------
1    default              active    Gi0/1, Gi0/2
10   VOICE                active    Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15,
                                    Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22,
                                    Fa0/23, Fa0/24
50   DATA                 active    Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                    Fa0/9, Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15,
                                    Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22,
                                    Fa0/23, Fa0/24
1002 fddi-default         act/unsup
1003 token-ring-default   act/unsup
1004 fddinet-default      act/unsup
1005 trnet-default        act/unsup

Table 8:- Showing VLAN Configuration

Chapter 6: VPN

6.1. Introduction

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost.

6.2. How it works?

A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). In effect, the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a "tunnel" that cannot be "entered" by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.

Many security protocols have been developed as VPNs, each offering differing levels of security and features. Among the more common are:
• IP security (IPSec): IPSec is often used to secure Internet communications and can operate in two modes. Transport mode only encrypts the data packet message itself, while tunnel mode encrypts the entire data packet. This protocol can also be used in tandem with other protocols to increase their combined level of security.
• Layer 2 Tunneling Protocol (L2TP)/IPsec: The L2TP and IPsec protocols combine their best individual features to create a highly secure VPN client. Since L2TP isn't capable of encryption, it instead generates the tunnel while the IPSec protocol handles encryption, channel security, and data integrity checks to ensure that all of the packets have arrived and that the channel has not been compromised.
• Secure Sockets Layer (SSL) and Transport Layer Security (TLS): SSL and TLS are used extensively in the security of online retailers and service providers. These protocols operate using a handshake method. As IBM explains, "A HTTP-based SSL connection is always initiated by the client using a URL starting with https:// instead of with http://. At the beginning of an SSL session, an SSL handshake is performed. This handshake produces the cryptographic parameters of the session." These parameters, typically digital certificates, are the means by which the two systems exchange encryption keys, authenticate the session, and create the secure connection.
• Point-to-Point Tunneling Protocol (PPTP): PPTP is a ubiquitous VPN protocol that has been used since the mid 1990s and can be installed on a huge variety of operating systems; it has been around since the days of Windows 95. But, like L2TP, PPTP doesn't do encryption; it simply tunnels and encapsulates the data packet. Instead, a secondary protocol such as GRE or TCP has to be used as well to handle the encryption. And while the level of security PPTP provides has been eclipsed by newer methods, the protocol remains a strong one, albeit not the most secure.
• Secure Shell (SSH): SSH creates both the VPN tunnel and the encryption that protects it. This allows users to transfer otherwise unsecured data by routing the traffic from remote file servers through an encrypted channel. The data itself isn't encrypted, but the channel it is moving through is. SSH connections are created by the SSH client, which forwards traffic from a local port to one on the remote server. All data between the two ends of the tunnel flows through these specified ports.
These SSH tunnels are the primary means of subverting the government content filters described earlier. For example, if the filter prohibits access to TCP port 80, which handles HTTP, all user access to the Internet is cut off. However, by using SSH, the user can forward traffic from port 80 to another port on the local machine, which will still connect to the remote server's port 80. So as long as the remote server allows outgoing connections, the bypass will work. SSH also allows protocols that would otherwise be blocked by the firewall, say those for torrenting, to get past the wall by "wrapping" themselves in the skin of a protocol that the firewall does allow.

6.3. VPN Encapsulation

Tunneling is the process of placing an entire packet within another packet before it is transported over the Internet. That outer packet protects the contents from public view and ensures that the packet moves within a virtual tunnel.

This layering of packets is called encapsulation. Computers or other network devices at both ends of the tunnel, called tunnel interfaces, can encapsulate outgoing packets and reopen incoming packets. Users (at one end of the tunnel) and IT personnel (at one or both ends of the tunnel) configure the tunnel interfaces they are responsible for to use a tunneling protocol.

The purpose of the tunneling protocol is to add a layer of security that protects each packet on its journey over the Internet. The packet travels with the same transport protocol it would have used without the tunnel; this protocol defines how each computer sends and receives data over its ISP. Each inner packet still maintains the passenger protocol, such as Internet Protocol (IP) or AppleTalk, which defines how it travels on the LANs at each end of the tunnel. The tunneling protocol used for encapsulation adds a layer of security to protect the packet on its journey over the Internet.
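The encapsulation described above, carried out on real IPv4 headers as an added example (not the report's or any vendor's code): an IPv4-in-IPv4 tunnel (IP protocol 4) between two tunnel endpoints, where the receiving side verifies the outer peer, both header checksums and the inner source network before handing over the passenger packet. The endpoint addresses, the inside networks and the function names are assumptions made for the example.

```python
"""IPv4-in-IPv4 tunnel encapsulation, added here as an example (not code from
the report or from any vendor). The inner "passenger" packet keeps private
addresses; the outer header carries only the two tunnel endpoints, so a device
on the Internet path sees the endpoints, not the inside hosts. Endpoint
addresses are constructed from documentation ranges.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4        # IP-in-IP payload type (RFC 2003)
IPPROTO_UDP = 17
HDR = "!BBHHHBBH4s4s"   # IPv4 header without options, 20 bytes


def checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet with a correct header checksum."""
    hdr = struct.pack(HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate an IPv4 header; raise ValueError on anything odd."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed header")
    if checksum(packet[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel interface, sending side: wrap the whole inner packet."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, peer: str, inside_net: str) -> dict:
    """Tunnel interface, receiving side. Accepts packets only from the
    configured peer, and only inner packets sourced from the remote inside
    network (the kind of policy the access-list 105 in Chapter 7 expresses)."""
    o = parse_ipv4(outer)
    if o["src"] != peer:
        raise ValueError("outer packet not from tunnel peer")
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    inner = parse_ipv4(o["payload"])
    if ipaddress.IPv4Address(inner["src"]) not in ipaddress.IPv4Network(inside_net):
        raise ValueError("inner source outside the permitted network")
    return inner


def check_tunnel_packet(outer: bytes, peer: str, inside_net: str) -> str:
    """Return 'ok' or the reason the packet was rejected."""
    try:
        decapsulate(outer, peer, inside_net)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    # Constructed example: 10.1.1.5 behind endpoint 203.0.113.1 talks to
    # 192.168.2.9 behind endpoint 198.51.100.2.
    inner = build_ipv4("10.1.1.5", "192.168.2.9", IPPROTO_UDP, b"hello")
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.2")
    seen = parse_ipv4(outer)
    print("on the wire:", seen["src"], "->", seen["dst"], "proto", seen["proto"])
    print("inside:", decapsulate(outer, "203.0.113.1", "10.1.1.0/24"))
```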

Chapter 7: Firewall

7.1. Introduction

A firewall is a line of defense between an organization's network and the Internet. It comprises hardware, software, policies and network infrastructure that protect an organization's network from intrusion, malware, attacks, etc. A firewall is a network security system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented as hardware, as software, or as a combination of both. Network firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.


7.2. Configuring Basic Cisco Firewall

The Cisco 1800 integrated services routers support network traffic filtering by means of access lists. The router also supports packet inspection and dynamic temporary access lists by means of Context-Based Access Control (CBAC).

Basic traffic filtering is limited to configured access list implementations that examine packets at the network layer or, at most, the transport layer, permitting or denying the passage of each packet through the firewall. However, the use of inspection rules in CBAC allows the creation and use of dynamic temporary access lists. These dynamic lists allow temporary openings in the configured access lists at firewall interfaces. These openings are created when traffic for a specified user session exits the internal network through the firewall. The openings allow returning traffic for the specified session (which would normally be blocked) back through the firewall.

The configuration tasks are:

• Configure Access Lists
• Configure Inspection Rules
• Apply Access Lists and Inspection Rules to Interfaces

Configure Access List

Command Purpose

Step 1 access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination
Example:
Router(config)# access-list 103 permit host 200.1.1.1 eq isakmp any
Router(config)#
Creates an access list which prevents Internet-initiated traffic from reaching the local (inside) network of the router, and which compares source and destination ports.

Step 2 access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
Example:
Router(config)# access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
Router(config)#
Creates an access list that allows network traffic to pass freely between the corporate network and the local networks through the configured VPN tunnel.

Table 9:- Steps To Configure Access List

Configure Inspection Rule

Command Purpose

Step 1 ip inspect name inspection-name protocol
Example:
Router(config)# ip inspect name firewall tcp
Router(config)#
Defines an inspection rule for a particular protocol.

Step 2 ip inspect name inspection-name protocol
Example:
Router(config)# ip inspect name firewall rtsp
Router(config)# ip inspect name firewall h323
Router(config)# ip inspect name firewall netshow
Router(config)# ip inspect name firewall ftp
Router(config)# ip inspect name firewall sqlnet
Router(config)#
Repeat this command for each inspection rule that you wish to use.

Table 10:- Steps to Configure Inspection Rule

Apply Access Lists and Inspection Rules

Command Purpose

Step 1 interface type number
Example:
Router(config)# interface vlan 1
Router(config-if)#
Enters interface configuration mode for the inside network interface on your router.

Step 2 ip inspect inspection-name {in | out}
Example:
Router(config-if)# ip inspect firewall in
Router(config-if)#
Assigns the set of firewall inspection rules to the inside interface on the router.

Step 3 exit
Example:
Router(config-if)# exit
Router(config)#
Returns to global configuration mode.

Step 4 interface type number
Example:
Router(config)# interface fastethernet 0
Router(config-if)#
Enters interface configuration mode for the outside network interface on your router.

Step 5 ip access-group {access-list-number | access-list-name} {in | out}
Example:
Router(config-if)# ip access-group 103 in
Router(config-if)#
Assigns the defined ACLs to the outside interface on the router.

Step 6 exit
Example:
Router(config-if)# exit
Router(config)#
Returns to global configuration mode.

Table 11:- Apply Access List & Inspection Rule

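The CBAC behaviour configured in the three tables above (a static inbound access list on the outside interface plus inspection openings for return traffic), modelled as an added example that is not Cisco code: the Packet, Acl and Cbac classes, the inside and outside hosts and the idle timeout are constructed, and the inbound access list only loosely mirrors the report's access-list 103 (IKE, UDP port 500, from the peer 200.1.1.1).

```python
"""Stateful filter model of the CBAC behaviour configured above, added for this
report as an example (not Cisco code). The outside interface carries a static
inbound access list with IOS's implicit deny at the end; the inspection rule
watches sessions leaving through the inside interface and opens a temporary,
idle-timed hole for the matching return traffic and nothing else.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int] = None   # "eq port" after the source, if given
    dport: Optional[int] = None   # "eq port" after the destination, if given

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and IPv4Address(p.src) in self.src
                and IPv4Address(p.dst) in self.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


class Acl:
    """Ordered entries, first match wins, implicit deny when nothing matches."""
    def __init__(self, entries: List[AclEntry]):
        self.entries = entries

    def permits(self, p: Packet) -> bool:
        for entry in self.entries:
            if entry.matches(p):
                return entry.action == "permit"
        return False


SessionKey = Tuple[str, str, int, str, int]   # proto, in ip, in port, out ip, out port


class Cbac:
    def __init__(self, outside_in_acl: Acl, inspect: List[str], idle_timeout: float):
        self.acl = outside_in_acl
        self.inspect = set(inspect)       # protocols named in "ip inspect name"
        self.idle_timeout = idle_timeout
        self.sessions: Dict[SessionKey, float] = {}   # key -> last activity

    def outbound(self, p: Packet, now: float) -> None:
        """Packet leaving the inside interface: record the session."""
        if p.proto in self.inspect:
            self.sessions[(p.proto, p.src, p.sport, p.dst, p.dport)] = now

    def inbound(self, p: Packet, now: float) -> str:
        """Packet arriving on the outside interface: return the decision."""
        key = (p.proto, p.dst, p.dport, p.src, p.sport)   # reverse of the session
        seen = self.sessions.get(key)
        if seen is not None:
            if now - seen <= self.idle_timeout:
                self.sessions[key] = now                  # refresh the idle timer
                return "permit (inspection opening)"
            del self.sessions[key]                        # opening has expired
        return "permit (access-list)" if self.acl.permits(p) else "deny"


def build_demo_firewall() -> Cbac:
    """Constructed policy: only IKE (UDP source port 500) from the VPN peer
    200.1.1.1 may come in unsolicited, loosely mirroring access-list 103."""
    acl103 = Acl([AclEntry("permit", "udp", IPv4Network("200.1.1.1/32"),
                           IPv4Network("0.0.0.0/0"), sport=500)])
    return Cbac(acl103, inspect=["tcp", "udp"], idle_timeout=3600)


if __name__ == "__main__":
    fw = build_demo_firewall()
    fw.outbound(Packet("tcp", "10.1.1.5", 40000, "198.51.100.7", 443), now=0)
    print(fw.inbound(Packet("tcp", "198.51.100.7", 443, "10.1.1.5", 40000), now=10))
    print(fw.inbound(Packet("tcp", "198.51.100.7", 443, "10.1.1.5", 40001), now=10))
```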
Chapter 8: Internet Protocol

8.1. Introduction

An Internet Protocol (IP) address is a numerical label that is assigned to devices participating in a computer network that uses the Internet Protocol for communication between its nodes. Each device on a network must be uniquely defined. At the Network layer, the packets of the communication need to be identified with the source and destination addresses of the two end systems.
These addresses are used in the data network as binary patterns. Inside the devices, digital logic is applied for their interpretation. For us in the human network, a string of 32 bits is difficult to interpret and even more difficult to remember. Therefore, we represent IPv4 addresses using dotted decimal format.

Introduction to IPv4

IPv4 is a core protocol of the standards-based internetworking method used in the Internet. IPv4 is a connectionless protocol for use on packet-switched networks. It operates on a best-effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery. These aspects, including data integrity, are addressed by an upper-layer transport protocol, such as the Transmission Control Protocol (TCP).

IPv4 uses 32-bit addresses, which limits the address space to 4294967296 addresses. IPv4 reserves special address blocks for private networks.

Figure 8:- IPV4 Header

8.2. Types of Addresses in an IPv4 Network

Network address - The address by which we refer to the network
Broadcast address - A special address used to send data to all hosts in the network
Host addresses - The addresses assigned to the end devices in the network

Network Address

The network address is a standard way to refer to a network. For example, we could refer to the network shown in the figure as "the 10.0.0.0 network." This is a much more convenient and descriptive way to refer to the network than using a term like "the first network." All hosts in the 10.0.0.0 network will have the same network bits.
Within the IPv4 address range of a network, the lowest address is reserved for the network address. This address has a 0 for each host bit in the host portion of the address.

Broadcast Address
The IPv4 broadcast address is a special address for each network that allows communication to all the hosts in that network. To send data to all hosts in a network, a host can send a single packet that is addressed to the broadcast address of the network.
The broadcast address uses the highest address in the network range. This is the address in which the bits in the host portion are all 1s. For the network 10.0.0.0 with 24 network bits, the broadcast address would be 10.0.0.255. This address is also referred to as the directed broadcast.

Host Addresses
As described previously, every end device requires a unique address to deliver a packet to that host. In IPv4 addresses, we assign the values between the network address and the broadcast address to the devices in that network.
In an IPv4 network, the hosts can communicate in one of three different ways:

Unicast - the process of sending a packet from one host to an individual host
Broadcast - the process of sending a packet from one host to all hosts in the network
Multicast - the process of sending a packet from one host to a selected group of hosts
These three types of communication are used for different purposes in the data networks. In all three cases, the IPv4 address of the originating host is placed in the packet header as the source address.

Unicast Traffic
Unicast communication is used for the normal host-to-host communication in both a
client/server and a peer-to-peer network. Unicast packets use the host address of the
destination device as the destination address and can be routed through an internetwork.
Broadcast and multicast, however, use special addresses as the destination address. Using
these special addresses, broadcasts are generally restricted to the local network. The scope of
multicast traffic also may be limited to the local network or routed through an internetwork.
In an IPv4 network, the unicast address applied to an end device is referred to as the host
address. For unicast communication, the host addresses assigned to the two end devices are
used as the source and destination IPv4 addresses. During the encapsulation process, the
source host places its IPv4 address in the unicast packet header as the source host address and
the IPv4 address of the destination host in the packet header as the destination address. The
communication using a unicast packet can be forwarded through an internetwork using the
same addresses.

Broadcast Transmission
Because broadcast traffic is used to send packets to all hosts in the network, a packet uses a special broadcast address. When a host receives a packet with the broadcast address as the destination, it processes the packet as it would a packet to its unicast address.
Broadcast transmission is used for the location of special services/devices for which the address is not known or when a host needs to provide information to all the hosts on the network.
Some examples for using broadcast transmission are:
• Mapping upper layer addresses to lower layer addresses
• Requesting an address
• Exchanging routing information by routing protocols

When a host needs information, the host sends a request, called a query, to the broadcast address. All hosts in the network receive and process this query. One or more of the hosts with the requested information will respond, typically using unicast.
Similarly, when a host needs to send information to the hosts on a network, it creates and sends a broadcast packet with the information.
Unlike unicast, where the packets can be routed throughout the internetwork, broadcast packets are usually restricted to the local network. This restriction is dependent on the configuration of the router that borders the network and the type of broadcast. There are two types of broadcasts: directed broadcast and limited broadcast.
Directed Broadcast
A directed broadcast is sent to all hosts on a specific network. This type of broadcast is useful for sending a broadcast to all hosts on a non-local network. For example, for a host outside of the network to communicate with the hosts within the 172.16.4.0/24 network, the destination address of the packet would be 172.16.4.255. This is shown in the figure. Although routers do not forward directed broadcasts by default, they may be configured to do so.
Limited Broadcast
The limited broadcast is used for communication that is limited to the hosts on the local network. These packets use the destination IPv4 address 255.255.255.255. Routers do not forward this broadcast. Packets addressed to the limited broadcast address will only appear on the local network. For this reason, an IPv4 network is also referred to as a broadcast domain. Routers form the boundary for a broadcast domain.
As an example, a host within the 172.16.4.0/24 network would broadcast to all the hosts in its network using a packet with a destination address of 255.255.255.255.
As you learned earlier, when a packet is broadcast, it uses resources on the network and also forces every host on the network that receives it to process the packet. Therefore, broadcast traffic should be limited so that it does not adversely affect performance of the network or devices. Because routers separate broadcast domains, subdividing networks with excessive broadcast traffic can improve network performance.

Multicast Transmission
Multicast transmission is designed to conserve the bandwidth of the IPv4 network. It reduces traffic by allowing a host to send a single packet to a selected set of hosts. To reach multiple destination hosts using unicast communication, a source host would need to send an individual packet addressed to each host. With multicast, the source host can send a single packet that can reach thousands of destination hosts.
Some examples of multicast transmission are:
• Video and audio broadcasts
• Routing information exchange by routing protocols
• Distribution of software
• News feeds

Multicast Clients
Hosts that wish to receive particular multicast data are called multicast clients. The multicast clients use services initiated by a client program to subscribe to the multicast group.

Each multicast group is represented by a single IPv4 multicast destination address. When an IPv4 host subscribes to a multicast group, the host processes packets addressed to this multicast address as well as packets addressed to its uniquely allocated unicast address. As we will see, IPv4 has set aside a special block of addresses from 224.0.0.0 to 239.255.255.255 for multicast group addressing.

Experimental Addresses
One major block of addresses reserved for special purposes is the IPv4 experimental address range 240.0.0.0 to 255.255.255.254. Currently, these addresses are listed as reserved for future use (RFC 3330). This suggests that they could be converted to usable addresses. Currently, they cannot be used in IPv4 networks. However, these addresses could be used for research or experimentation.
Multicast Addresses
As previously shown, another major block of addresses reserved for special purposes is the IPv4 multicast address range 224.0.0.0 to 239.255.255.255. Additionally, the multicast address range is subdivided into different types of addresses: reserved link local addresses and globally scoped addresses, as shown in the graphic. One additional type of multicast address is the administratively scoped addresses, also called limited scope addresses.
The IPv4 multicast addresses 224.0.0.0 to 224.0.0.255 are reserved link local addresses. These addresses are to be used for multicast groups on a local network. Packets to these destinations are always transmitted with a time-to-live (TTL) value of 1. Therefore, a router connected to the local network should never forward them. A typical use of reserved link-local addresses is in routing protocols using multicast transmission to exchange routing information.
The globally scoped addresses are 224.0.1.0 to 238.255.255.255. They may be used to multicast data across the Internet. For example, 224.0.1.1 has been reserved for Network Time Protocol (NTP) to synchronize the time-of-day clocks of network devices.

Host Addresses
After accounting for the ranges reserved for experimental addresses and multicast addresses, this leaves an address range of 0.0.0.0 to 223.255.255.255 that could be used for IPv4 hosts. However, within this range are many addresses that are already reserved for special purposes.
8.3 Public & Private IP Addresses
Although most IPv4 host addresses are public addresses designated for use in networks that
are accessible on the Internet, there are blocks of addresses that are used in networks that
require limited or no Internet access. These addresses are called private addresses.
Private Addresses
The private address blocks are:
10.0.0.0 to 10.255.255.255 (10.0.0.0/8)

172.16.0.0 to 172.31.255.255 (172.16.0.0/12)

192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

Private space address blocks, as shown in the figure, are set aside for use in private networks. The use of these addresses need not be unique among outside networks. Hosts that do not require access to the Internet at large may make unrestricted use of private addresses. However, the internal networks still must design network address schemes to ensure that the hosts in the private networks use IP addresses that are unique within their networking environment.
Many hosts in different networks may use the same private space addresses. Packets using
these addresses as the source or destination should not appear on the public Internet. The
router or firewall device at the perimeter of these private networks must block or translate
these addresses.
Even if these packets were to make their way to the Internet, the routers would not have
routes to forward them to the appropriate private network.
Public Addresses
The vast majority of the addresses in the IPv4 unicast host range are public addresses. These
addresses are designed to be used in the hosts that are publicly accessible from the Internet.
Even within these address blocks, there are many addresses that are designated for other
special purposes.

Historic Network Classes


Historically, RFC1700 grouped the unicast ranges into specific sizes called class A, class B,
and class C addresses. It also defined class D (multicast) and class E (experimental)
addresses, as previously presented.
The unicast address classes A, B, and C defined specifically-sized networks as well as
specific address blocks for these networks, as shown in the figure. A company or
organization was assigned an entire class A, class B, or class C address block. This use of
address space is referred to as classful addressing.

Figure 9:- Network Classes

Class A Blocks
A Class A address block was designed to support extremely large networks with more than 16 million host addresses. Class A IPv4 addresses used a fixed /8 prefix with the first octet to indicate the network address. The remaining three octets were used for host addresses.
To reserve address space for the remaining address classes, all class A addresses required that the most significant bit of the high-order octet be a zero. This meant that there were only 128 possible Class A networks, 0.0.0.0/8 to 127.0.0.0/8, before taking out the reserved address blocks. Even though the class A addresses reserved one-half of the address space, because of their limit of 128 networks, they could only be allocated to approximately 120 companies or organizations.
Class B Blocks
Class B address space was designed to support the needs of moderate to large size networks with more than 65,000 hosts. A class B IP address used the two high-order octets to indicate the network address. The other two octets specified host addresses. As with class A, address space for the remaining address classes needed to be reserved.
For class B addresses, the most significant two bits of the high-order octet were 10. This restricted the address block for class B to 128.0.0.0/16 to 191.255.0.0/16. Class B had slightly more efficient allocation of addresses than class A because it equally divided 25% of the total IPv4 address space among approximately 16,000 networks.
Class C Blocks
The class C address space was the most commonly available of the historic address classes. This address space was intended to provide addresses for small networks with a maximum of 254 hosts.
Class C address blocks used a /24 prefix. This meant that a class C network used only the last octet for host addresses, with the three high-order octets used to indicate the network address.
Class C address blocks set aside address space for class D (multicast) and class E (experimental) by using a fixed value of 110 for the three most significant bits of the high-order octet. This restricted the address block for class C to 192.0.0.0/16 to 223.255.255.0/16. Although it occupied only 12.5% of the total IPv4 address space, it could provide addresses to 2 million networks.

Limits to the Class-based System

Not all organizations' requirements fit well into one of these three classes. Classful allocation of address space often wasted many addresses, which exhausted the availability of IPv4 addresses. For example, a company that had a network with 260 hosts would need to be given a class B address with more than 65,000 addresses.
Even though this classful system was all but abandoned in the late 1990s, you will see remnants of it in networks today. For example, when you assign an IPv4 address to a computer, the operating system examines the address being assigned to determine if this address is a class A, class B, or class C. The operating system then assumes the prefix used by that class and makes the appropriate subnet mask assignment.
Another example is the assumption of the mask by some routing protocols. When such a routing protocol receives an advertised route, it may assume the prefix length based on the class of the address.

Classless Addressing
The system that we currently use is referred to as classless addressing. With the classless
system, address blocks appropriate to the number of hosts are assigned to companies or
organizations without regard to the unicast class.

CIDR (Classless Inter Domain Routing):

CIDR was introduced in 1993, replacing the previous generation of IP address syntax, classful
networks. CIDR allowed for more efficient use of IPv4 address space and prefix aggregation,
known as route summarization or supernetting.
CIDR allows routers to group routes together to reduce the bulk of routing information
carried by core routers. With CIDR, IP addresses and their subnet mask are written as four
octets, separated by periods, followed by a forward slash and a number (the prefix length)
that represents the network mask.
Example:
 10.1.1.0/30
 172.16.1.16/28
 192.168.1.32/27
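As an added example (not part of the report), the following Python script shows what the classful rules and the CIDR notation above imply: it derives the historic class and the prefix length a classful host would assume from the leading bits of the first octet, decodes the three CIDR blocks listed above, and finds the smallest classless block for the 260-host company mentioned earlier. Only the standard library is used; the addresses are the ones already on this page.

```python
"""Added example (not from the report): historic address classes versus CIDR."""
import ipaddress

# Leading-bit pattern of the first octet that defined each historic class,
# the number of bits in that pattern, and the prefix length the class implied.
_CLASSES = (
    ("A", 0b0, 1, 8),
    ("B", 0b10, 2, 16),
    ("C", 0b110, 3, 24),
    ("D", 0b1110, 4, None),  # multicast: no network/host split
    ("E", 0b1111, 4, None),  # experimental
)


def classful_info(addr):
    """Return (class letter, implied prefix length) as a classful host would."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for name, pattern, nbits, prefix in _CLASSES:
        if first_octet >> (8 - nbits) == pattern:
            return name, prefix
    raise ValueError(addr)  # not reached: the patterns cover every octet value


def cidr_info(cidr):
    """Decode 'a.b.c.d/n' into network, mask, broadcast and usable host count."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),  # /31 and /32: none
    }


def smallest_prefix_for(hosts):
    """Longest CIDR prefix (least waste) that still leaves room for `hosts`."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("more hosts than a single IPv4 block can hold")


if __name__ == "__main__":
    for a in ("10.1.1.0", "172.16.1.16", "192.168.1.32", "224.0.0.10"):
        print(a, classful_info(a))
    for c in ("10.1.1.0/30", "172.16.1.16/28", "192.168.1.32/27"):
        print(c, cidr_info(c))
    # The 260-host company: classful needs a class B, classless needs only a /23.
    print("260 hosts fit in a /%d" % smallest_prefix_for(260))
```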

4.4 NAT and PAT

NAT (Network Address Translation):

NAT is the process where a network device, usually a firewall, assigns a public address to a
computer (or group of computers) inside a private network. The main use of NAT is to limit
the number of public IP addresses an organization or company must use, for both economy
and security purposes.

Figure 10: Placement and operation of NAT box

Example:
The packet carrying the private address is passed through a NAT box that converts the
internal IP source address 10.10.0.1 into the company’s true IP address 202.213.76.5.

PAT (Port Address Translation)

PAT is also called NAT overloading. With PAT, all inside hosts get translated to one single
IP address.

Port numbers are used at the Transport layer to identify the local host in this example. If we
had to use real global IP addresses to identify the source hosts (that is called static NAT),
we would run out of addresses. PAT allows us to use the Transport layer to identify the hosts,
which in turn allows us to theoretically use up to about 65,000 hosts with only one real IP
address.
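Added example, not from the report: a minimal PAT translation table in Python showing how one inside global address (202.213.76.5 from the NAT example above) is shared by several inside hosts through allocated source ports, and why a returning packet with no matching entry cannot be delivered. The inside host addresses and the port range are constructed for illustration.

```python
"""Added example (not from the report): a minimal PAT / NAT overload table."""


class PatTable:
    """Maps many (inside local IP, port) pairs onto one inside global address."""

    def __init__(self, inside_global, first_port=1024, last_port=65535):
        self.inside_global = inside_global   # the single public address
        self._next_port = first_port         # next free translated source port
        self._last_port = last_port
        self.outbound = {}   # (inside_ip, inside_port) -> translated port
        self.inbound = {}    # translated port -> (inside_ip, inside_port)

    def translate_out(self, src_ip, src_port):
        """Rewrite an outgoing packet's source to (inside_global, translated port).

        Two inside hosts may pick the same source port; each still gets its own
        entry, because the table key includes the inside IP address.
        """
        key = (src_ip, src_port)
        if key not in self.outbound:
            if self._next_port > self._last_port:
                raise RuntimeError("PAT port pool exhausted")
            port = self._next_port
            self._next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return self.inside_global, self.outbound[key]

    def translate_in(self, dst_port):
        """Return the inside (ip, port) for a returning packet, or None.

        None means no inside host opened this flow: without a table entry the
        NAT box cannot deliver the packet, so unsolicited inbound traffic is dropped.
        """
        return self.inbound.get(dst_port)

    def active_translations(self):
        """Number of inside flows currently sharing the public address."""
        return len(self.outbound)


if __name__ == "__main__":
    # Constructed inside addresses; 202.213.76.5 is the report's NAT example address.
    pat = PatTable("202.213.76.5")
    for host in ("10.10.0.1", "10.10.0.2", "10.10.0.3"):
        print(host, ":51000 ->", pat.translate_out(host, 51000))
    print("reply to port 1025 goes to", pat.translate_in(1025))
    print("reply to port 40000 goes to", pat.translate_in(40000))
```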

Chapter 9: Basic Cisco router and switch configuration

9.1. Basic Router Configuration


Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 172.16.0.1 255.255.254.0
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#interface gigabitEthernet 0/1
Router(config-if)#ip address 172.16.4.33 255.255.255.224
Router(config-if)#no shutdown
Router(config-if)#
%LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed
state to up
Router(config-if)#exit
Router(config)#hostname abc
abc(config)#line console 0
abc(config-line)#password class
abc(config-line)#login
abc(config-line)#exit
abc(config)#banner motd #Unauthorized Access Prohibited#
abc(config)#enable secret pass
abc(config)#exit
abc#
%SYS-5-CONFIG_I: Configured from console by console

abc#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
abc(config)#service password-encryption
abc(config)#line vty 0 4
abc(config-line)#password ccna
abc(config-line)#login
abc(config-line)#exit
abc(config)#ip domain name cisco.com
abc(config)#crypto key generate rsa
Choose the size of the key modulus in the range of 360 to 2048 for your General
Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

abc(config)#line vty 0 4
abc(config-line)#no password
abc(config-line)#login local
abc(config-line)#transport input ssh
abc(config-line)#exit
abc(config)#username name secret pass
abc(config)#login block-for 300 attempts 4 within 30
abc(config)#security passwords min-length 7
abc(config)#exit
abc#
%SYS-5-CONFIG_I: Configured from console by console

9.2. Basic Switch Configuration

Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface vlan 1
Switch(config-if)#ip address 172.16.0.2 255.255.254.0
Switch(config-if)#no shutdown
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Switch(config-if)#exit
Switch(config)#line vty 0 15
Switch(config-line)#password cisco
Switch(config-line)#login
Switch(config-line)#exit
Switch(config)#

Chapter 10: Different Types of Dynamic Routing Protocols

10.1 Routing Information Protocol(RIP)

Routing Information Protocol (RIP) is a standardized distance vector routing protocol that
uses hop count as its metric. By limiting the number of hops allowed in paths between
sources and destinations, RIP prevents routing loops. Typically, the maximum number of
hops allowed for RIP is 15. However, this routing loop prevention sacrifices the size of the
networks that can be supported: since the maximum hop count allowed for RIP is 15, any
route whose hop count goes beyond 15 is considered unreachable.

RIP has four basic timers:

Update Timer (default 30 seconds): defines how often the router will send out a routing table
update.

Invalid Timer (default 180 seconds): indicates how long a route will remain in a routing table
before being marked as invalid, if no new updates are heard about this route. The invalid
timer will be reset if an update is received for that particular route before the timer expires. A
route marked as invalid is not immediately removed from the routing table. Instead, the route
is marked with a metric of 16, which means the route is unreachable, and will be placed in a
hold-down state.

Hold-down Timer (default 180 seconds): specifies how long RIP will keep a route from
receiving updates when it is in a hold-down state. In a hold-down state, RIP will not accept
any new updates for the route until the hold-down timer expires. A route will go into a hold-
down state for the following reasons:
 The invalid timer has expired.
 An update has been received from another router and the route goes to a metric of 16
(unreachable).
 An update has been received from another router and the route goes to a higher metric
than the one it is currently using.

Flush Timer (default 240 seconds): when no new updates are received about a route, the flush
timer indicates how long the route can remain in the routing table before being flushed out. The
flush timer operates simultaneously with the invalid timer, so 60 seconds after a route has
been marked invalid it is flushed out. When RIP timer is not in sync with all routers on the RIP
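Added example, not part of the report: a Python simulation of a single RIP route moving through the invalid, hold-down and flush timers at the default values given above. The route and timeline are constructed, and the simplified rules follow the text above rather than any particular IOS implementation.

```python
"""Added example (not from the report): one RIP route under its default timers."""

UPDATE, INVALID, HOLDDOWN, FLUSH = 30, 180, 180, 240   # RIP defaults, in seconds
UNREACHABLE = 16                                        # RIP metric meaning "unreachable"


class RipRoute:
    """A routing-table entry driven by the invalid, hold-down and flush timers."""

    def __init__(self, prefix, metric, now=0):
        self.prefix = prefix
        self.metric = metric
        self.last_update = now      # last time an update for this route was heard
        self.holddown_until = None  # end of hold-down, or None when not in hold-down
        self.flushed = False

    def tick(self, now):
        """Advance the timers to `now` and return the route's state."""
        age = now - self.last_update
        if age >= FLUSH:
            self.flushed = True                      # flush timer: removed from the table
        elif age >= INVALID and self.metric != UNREACHABLE:
            self.metric = UNREACHABLE                # invalid timer: keep, mark unreachable
            self.holddown_until = self.last_update + INVALID + HOLDDOWN
        return self.state(now)

    def state(self, now):
        if self.flushed:
            return "flushed"
        if self.holddown_until is not None and now < self.holddown_until:
            return "holddown"
        return "unreachable" if self.metric == UNREACHABLE else "valid"

    def receive_update(self, now, metric):
        """Apply an advertised metric; return True if the update was accepted."""
        if self.tick(now) in ("flushed", "holddown"):
            return False                             # hold-down: updates are ignored
        self.holddown_until = None
        if metric >= UNREACHABLE or metric > self.metric:
            self.metric = UNREACHABLE                # worse news: unreachable + hold-down
            self.holddown_until = now + HOLDDOWN
        else:
            self.metric = metric
        self.last_update = now                       # any accepted update resets invalid
        return True


if __name__ == "__main__":
    route = RipRoute("192.168.1.0/24", metric=2)     # constructed route
    route.receive_update(UPDATE, 2)                  # last update heard at t=30 s
    for t in range(UPDATE, 300, UPDATE):             # then the neighbour goes silent
        print("t=%3ds metric=%2d state=%s" % (t, route.metric, route.tick(t)))
```

With no further updates the route is marked invalid at t=210 s and flushed at t=270 s, the 60-second gap the text describes.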

Configuring RIP Protocol To Router


Step 1: Enable dynamic routing
To enable a dynamic routing protocol, enter global configuration mode and use the router
command.
Router(config)#router rip
Step 2: Enter classful network addresses
Router(config-router)#network <network_nr>
The network command:
• Enables RIP on all interfaces that belong to this network. These interfaces will now both
send and receive RIP updates.
• Advertises this network in RIP routing updates sent to other routers every 30 seconds.

Figure 11:- Network With RIP V2 Protocol

Figure 12:- RIP Configuration For Router R1

Figure 13:- RIP Configuration For Router R2

10.2 Enhanced Interior Gateway Routing Protocol (EIGRP)


EIGRP (Enhanced Interior Gateway Routing Protocol) is an advanced distance vector routing
protocol. This protocol is an evolution of an earlier Cisco protocol called IGRP, which is now
considered obsolete. EIGRP supports classless routing and VLSM, route summarization,
incremental updates, load balancing and many other useful features. It is a Cisco proprietary
protocol, so all routers in a network that is running EIGRP must be Cisco routers.

Routers running EIGRP must become neighbors before exchanging routing information. To
dynamically discover neighbors, EIGRP routers use the multicast address of 224.0.0.10. Each
EIGRP router stores routing and topology information in three tables:

 Neighbor table – stores information about EIGRP neighbors
 Topology table – stores routing information learned from neighboring routers
 Routing table – stores the best routes

Administrative distance of EIGRP is 90, which is less than both the administrative distance of
RIP and the administrative distance of OSPF, so EIGRP routes will be preferred over these
routes. EIGRP uses Reliable Transport Protocol (RTP) for sending messages.

EIGRP calculates its metric by using bandwidth, delay, reliability and load. By default, only
bandwidth and delay are used when calculating the metric, while reliability and load are set to
zero.

EIGRP uses the concept of autonomous systems. An autonomous system is a set of EIGRP
enabled routers that should become EIGRP neighbors. Each router inside an autonomous
system must have the same autonomous system number configured; otherwise routers will
not become neighbors.

EIGRP Neighbors

EIGRP must establish neighbor relationships with other EIGRP neighboring routers before
exchanging routing information. To establish neighbor relationships, routers send hello
packets every couple of seconds. Hello packets are sent to the multicast address of
224.0.0.10.

The following fields in a hello packet must be identical in order for routers to become
neighbors:

 ASN (autonomous system number)
 subnet number
 K values (components of the metric)

Routers send hello packets every couple of seconds to ensure that the neighbor relationship is
still active. By default, routers consider the neighbor to be down after a hold-down timer has
expired. The hold-down timer is, by default, three times the hello interval. On a LAN network
the hold-down timer is 15 seconds.

EIGRP CONFIGURATION:-

Figure 14:- EIGRP Topology

Figure 15:- Configuring EIGRP on Router R1

Figure 16:- Configuring EIGRP on Router R2

10.3 Border Gateway Protocol (BGP)


Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to
exchange routing and reachability information among autonomous systems (AS) on the
Internet. The protocol is classified as a path vector protocol. The Border Gateway Protocol
makes routing decisions based on paths, network policies, or rule-sets configured by a
network administrator and is involved in making core routing decisions.

Border Gateway Protocol (BGP) is a routing protocol used to transfer data and information
between different host gateways, the Internet or autonomous systems. BGP is a Path Vector
Protocol (PVP), which maintains paths to different hosts, networks and gateway routers and
determines the routing decision based on that. It does not use Interior Gateway Protocol
(IGP) metrics for routing decisions, but only decides the route based on path, network
policies and rule sets.

BGP Configuration Commands:-

Figure 17:- BGP Configuration Topology

Figure 18: Configuring BGP on Router R2

Figure 19: Configuring BGP on Router R1
