People's Democratic Republic of Algeria

Ministry of Higher Education and Scientific Research


Constantine 2 University – Abdelhamid Mehri

Faculty of New Technologies of Information and Communication


Department of Software Technologies and Information Systems
Master 1 – Data Science and Intelligent Systems

Advanced Network and Security

Prepared by Dr. BERKANE Mohamed Lamine

2025
General Introduction to the Advanced Network & Security course

The Advanced Network & Security course is intended for students enrolled in the Master 1 – Data Science and Intelligent Systems program of the Department of Software Technologies and Information Systems. It aims to provide in-depth knowledge and practical skills in the field of computer networks, with a strong focus on advanced routing protocols, security mechanisms, and modern addressing schemes.

The module is structured into four comprehensive chapters:

• Chapter 1 explores advanced routing techniques by examining a range of dynamic routing protocols, including RIP, RIPv2, IGRP, EIGRP, OSPF, and BGP. Students will understand how each protocol functions, its applications, advantages, and limitations within various network topologies.
• Chapter 2 introduces core concepts in network security, emphasizing the use of Access Control Lists (ACLs) to control and secure data traffic within enterprise networks.
• Chapter 3 focuses on advanced switch configuration. Students will learn about VLANs, the VLAN Trunking Protocol (VTP), and the Spanning Tree Protocol (STP), which are essential for efficient network segmentation, traffic management, and loop prevention in switched networks.
• Chapter 4 covers the fundamentals of IPv6, a modern IP addressing protocol that overcomes the limitations of IPv4 and supports the growing demand for internet-connected devices.

By the end of this course, students are expected to have a solid understanding of the underlying
mechanisms of complex network infrastructures and be capable of configuring and managing
advanced network components. This knowledge will serve as a critical foundation for future
work in data-driven systems, cybersecurity, and intelligent network design.
Prepared by Mr BERKANE MOHAMED LAMINE

Chapter I: Advanced Routing (Routing Protocols)

1. Introduction to Routing
1.1 Definition

Routing is one of the main functionalities of the IP (network) layer. It involves choosing
how to transmit an IP datagram across various networks. Thus, a router will forward datagrams
received on one of its interfaces to another, whereas a computer will be either the initial
sender or the final recipient of a datagram.
In general, we distinguish:
• Direct delivery, which refers to the transfer of a datagram between two computers on the same network.
• Indirect delivery, which is used in all other cases, i.e., when at least one router separates the initial sender and the final recipient.

1.2 Routed Protocol and Routing Protocol

A routed protocol is a network protocol whose network layer address provides enough
information to enable a packet to be routed from one machine to another.
Routed protocols define the format of the fields in a packet. Typically, packets are routed
from one end system to another. The Internet Protocol (IP) is an example of a routed protocol.

Routing protocols support a routed protocol by providing mechanisms for sharing routing
information. Routers exchange routing protocol messages.
A routing protocol enables routers to communicate with each other to update and manage their
routing tables.
Examples of TCP/IP routing protocols:
• Routing Information Protocol (RIP)
• Interior Gateway Routing Protocol (IGRP)
• Enhanced Interior Gateway Routing Protocol (EIGRP)
• Open Shortest Path First (OSPF)

1.3 Operation of Network Layer Protocols

When an application running on a machine needs to send a packet to a destination located on a different network, the machine addresses the data link frame to the router, using the data link (MAC) address of one of the router's interfaces.

Fig 1. How a network protocol works

The router's network layer process examines the header of the incoming packet to determine
the destination network, and then consults the routing table, which maps networks to outgoing
interfaces.

The packet is re-encapsulated into the appropriate data link frame for the selected interface, and
then queued for transmission to the next hop along the path. This process occurs every time a
packet is forwarded through another router (Fig 1).
When the packet reaches the router connected to the destination machine's network, it is encapsulated in the type of data link frame used by the destination LAN and delivered to the destination machine.

1.4 Introduction to Static Routes and Dynamic Routes

1.4.1 Static Routes: Information about static routes is managed manually by a network
administrator who records them in a router's configuration. The administrator must manually
update static route entries whenever a change in the internetwork topology requires it.

1.4.2 Dynamic Routes: Information about dynamic routes is managed differently. Once a network administrator has entered the configuration commands to enable dynamic routing, route information is updated automatically by the routing process whenever the internetwork sends new information. Changes to dynamic route information are exchanged between routers as an integral part of the update process.

2. The Router
A router is just like any other computer. Routers share many hardware and software
components with other computers: Processor, RAM, ROM and Operating System.

2.1 Routers are located at the center of the network


A router connects multiple networks. To do this, it has several interfaces, each belonging to
a different IP network. When a router receives an IP packet on one interface, it determines
which interface to use to forward the packet to its destination.
The interface used by the router to forward the packet may be the destination network of the
packet (the one that holds the destination IP address of the packet), or it may be a network
connected to another router used to reach the destination network (Fig 2).
Fig 2. Routers are located at the center of the network

The main function of a router is to direct packets destined for local and remote networks by:
• Determining the best path for sending the packets,
• Forwarding the packets to their destination.
The router uses its routing table to determine the best path for forwarding the packet. When
the router receives a packet, it examines the destination IP address and looks up the most
appropriate network address in the routing table.
The routing table also contains the interface to be used for forwarding the packet. Once a
match is found, the router encapsulates the IP packet in the data link frame of the outgoing
interface, and the packet is then forwarded to its destination.

2.2 Router components and their functions


Like a PC, a router also includes the following components: Central Processing Unit (CPU),
Random Access Memory (RAM) and Read-Only Memory (ROM).

2.2.2 Random Access Memory (RAM)

The Random Access Memory (RAM) stores the instructions and data required for execution by the CPU. RAM is used to store the following components:
• Operating system: Cisco's Internetwork Operating System (IOS) is copied into RAM during the boot process.
• Current configuration file: This is the configuration file that stores the configuration commands currently being used by the router's IOS. With rare exceptions, all commands configured on the router are saved in the current configuration file, called running-config.
• IP routing table: This file stores information about directly connected networks and remote networks. It is used to determine the best path for forwarding the packet.
• ARP cache: This cache contains the mappings of IPv4 and MAC addresses, similar to the ARP cache of a PC. The ARP cache is used on routers with local network interfaces, such as Ethernet interfaces.
• Packet buffer: Packets are temporarily stored in a buffer when received on an interface or before leaving an interface.

RAM is a volatile memory: it loses its content when the router is powered off or restarted.
However, the router also contains permanent storage areas, such as ROM, flash, and NVRAM.

2.2.3 Read-Only Memory (ROM)


Read-only memory (ROM) is a form of permanent storage. Cisco devices use ROM to store
the following:
• Boot instructions
• Basic diagnostic software
• A reduced version of IOS

2.2.4 Flash Memory

Flash memory is a non-volatile memory that can be electrically programmed and erased. It serves as permanent storage for the operating system, Cisco IOS. In most Cisco router models, the IOS is permanently stored in flash memory and copied into RAM during the boot process, where it is then executed by the processor.

2.2.5 Non-Volatile Random Access Memory (NVRAM)


Non-volatile RAM (NVRAM) does not lose the information it contains when the system is powered off. It contrasts with the most common forms of RAM, such as dynamic RAM (DRAM), which requires a continuous power supply to retain information. Non-volatile RAM (NVRAM) is used by Cisco IOS as permanent storage for the startup configuration file (startup-config). To preserve configuration changes across a restart or power-off, the running configuration must be copied to non-volatile RAM, where it is stored as the startup configuration file. Non-volatile RAM retains its content even if the router is reloaded or powered off.
2.3 Internetwork Operating System
The operating system software used in Cisco routers is called the Cisco Internetwork Operating
System (IOS). Like any computer operating system, Cisco IOS manages the router's hardware
and software resources, including memory allocation, processes, security, and file systems.

2.4 Boot Process


The boot process consists of four main phases:
1. Power-On Self-Test (POST)
2. Loading the bootloader program
3. Locating and loading the Cisco IOS software
4. Locating and loading the startup configuration file or entering Setup mode

2.4.1 Power-On Self-Test (POST)

The Power-On Self-Test (POST) is a common process that occurs on almost every computer
during boot-up. The POST process is used to test the router's hardware. When the router is
powered on, the software stored on the read-only memory (ROM) chip performs the POST.

During this self-test, the router runs diagnostics from read-only memory on various hardware
components, including the processor, RAM, and non-volatile RAM. Once the POST is
completed, the router executes the bootloader program.

2.4.2 Loading the bootloader program


After the POST, the bootloader program is copied from read-only memory to RAM. The
processor then executes the instructions in the bootloader program. The primary role of the
bootloader program is to locate Cisco IOS and load it into RAM.
Note: At this stage, if you have a console connection to the router, you will start seeing output
on the screen (Fig 3).
Fig 3. Loading the bootloader program

2.4.3 Loading the Cisco IOS software

Locating the Cisco IOS software: IOS is typically stored in flash memory. Loading the IOS: some older Cisco routers ran IOS directly from flash memory, but current models copy IOS into RAM so it can be executed by the processor. Once IOS loading begins, a series of pound signs (#) may appear while the image is decompressed (Fig 4).

Fig 4. Loading the Cisco IOS software

2.4.4 Loading the configuration file


a) Locating the startup configuration file: Once the IOS is loaded, the bootloader program
searches for the startup configuration file, called `startup-config`, in non-volatile RAM.
This file contains previously saved configuration commands and settings, including:
► Interface addresses
► Routing information
► Passwords
► Any other configuration saved by the network administrator.
If the startup configuration file, `startup-config`, is found in non-volatile RAM, it is copied into
RAM as the running configuration file (`running-config`).
b) Executing the configuration file:
If a startup configuration file is found in non-volatile RAM, IOS loads it into RAM as the
`running-config` file and executes the commands in the file line by line. The running
configuration file contains interface addresses, starts routing processes, configures router
passwords, and defines other router features.

c) Entering Setup Mode (Optional):


If the startup configuration file cannot be located, the router prompts the user to enter Setup
mode. Setup mode is a series of questions that guide the user to input basic configuration
information. This mode is not intended for performing complex router configurations and is
generally not used by network administrators.
When you boot a router that does not contain a startup configuration file, the following question appears after the IOS loads:

Would you like to enter the initial configuration dialog? [yes/no]: no

Fig 5. Show IOS version

3. Static Routing and Dynamic Routing

3.1 Router Functions

Routing is one of the main features of the IP (network) layer. It involves selecting the method
for transmitting an IP datagram across various networks. Thus, a router will forward
datagrams received on one of its interfaces to another, while a computer will either be the
initial sender or the final recipient of a datagram.

3.2 Router Interfaces

In general, we distinguish direct delivery, the transfer of a datagram between two computers on the same network, from indirect delivery, which applies in all other cases, i.e., when at least one router separates the initial sender and the final recipient. Accordingly, a router has two kinds of interfaces:
• LAN interfaces (Ethernet, Fast Ethernet, Gigabit Ethernet) connect the router to a local network. Each LAN interface has a MAC address and its own IP address, and an ARP cache is associated with each LAN interface.
• WAN interfaces (Serial, ADSL, Gigabit Ethernet) connect the router to external wide area networks. Each WAN interface has its own IP address; its layer 2 addresses depend on the technology (encapsulation) used.

3.3 Routing Table


The routing table contains only the best routes. The numerical value used by routing protocols to determine the best path is called a "metric": the smaller the value of a metric, the better the path it reflects.

Fig 6. Routing Table

Fig 7. Metric example

Examples of metrics used by dynamic routing protocols: hop count (the number of routers to cross to reach the destination network) and bandwidth (the speed of the link).

Fig 8. Administrative distance


3.4 Static Routing

A router can obtain information about remote networks in two ways, depending on its configuration:
• Manually, from static routes configured by the network administrator.
• Automatically, from a dynamic routing protocol configured on the router.

Advantages of static routing: easy to configure and more secure.
Disadvantages of static routing: risk of configuration errors, manual route updates, and maintenance that becomes difficult as small networks expand.

In Router 1:

Fig 9. Static Routing (Router 1)

In Router 2:

Fig 10. Static Routing (Router 2)

In Router 1 with a default static route:

Fig 11. Static Routing - Default Static Route (Router 1)

Static routing with CIDR (Classless Inter-Domain Routing) on Router 1:

Fig 12. Static Routing - (CIDR: Classless Inter-Domain Routing) "Router 1"
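The following Python program is an added example (it is not part of the course material) that shows how a router applies the routing table described in 2.1 and 3.3 to a packet: the most specific matching prefix wins (longest-prefix match), a CIDR summary and a default static route are only used when nothing more specific matches, and direct delivery resolves the destination itself at layer 2 while indirect delivery resolves the next-hop router. The routing table, interface names and addresses are constructed for the example and do not reproduce the course figures.

```python
import ipaddress

# Constructed routing table for the example. Interface names, addresses and the
# next-hop router are assumptions, not values taken from the course figures.
# Each entry: (destination prefix, next hop or None when directly connected, outgoing interface)
ROUTES = [
    ("192.168.1.0/24", None, "Fa0/0"),             # directly connected LAN
    ("192.168.2.0/30", None, "Se0/0/0"),           # directly connected WAN link to Router 2
    ("192.168.3.0/24", "192.168.2.2", "Se0/0/0"),  # static route to a remote network
    ("192.168.0.0/22", "192.168.2.2", "Se0/0/0"),  # CIDR summary: 192.168.0.0 - 192.168.3.255
    ("0.0.0.0/0", "203.0.113.1", "Fa0/1"),         # default static route (route of last resort)
]


def build_table(entries=ROUTES):
    """Parse the prefixes once, as the router keeps them in its routing table."""
    return [(ipaddress.ip_network(prefix), next_hop, iface)
            for prefix, next_hop, iface in entries]


TABLE = build_table()


def lookup(table, destination):
    """Longest-prefix match: the most specific route whose network contains the destination.

    A /24 entry beats the /22 summary that also covers the address, and the /0 default
    route only wins when nothing more specific matches. Returns None if no route matches.
    """
    addr = ipaddress.ip_address(destination)
    best = None
    for net, next_hop, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def forward(table, destination):
    """Decide how the packet leaves the router.

    Returns (outgoing interface, address to resolve at layer 2), or None when the
    packet has no route and is dropped. Direct delivery (route with no next hop)
    resolves the destination itself; indirect delivery resolves the next-hop router.
    """
    route = lookup(table, destination)
    if route is None:
        return None
    _net, next_hop, iface = route
    return iface, destination if next_hop is None else next_hop


if __name__ == "__main__":
    for dst in ("192.168.1.20", "192.168.3.7", "192.168.0.5", "8.8.8.8"):
        route = lookup(TABLE, dst)
        print(f"{dst}: matched {route[0]} -> forward via {forward(TABLE, dst)}")
```

Removing the default route from ROUTES and looking up 8.8.8.8 again makes forward() return None, which is the case where a router without a route of last resort drops the packet.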

3.5 Dynamic Routing

Dynamic routing allows routers to automatically learn and exchange routing information with each other, without manual configuration of each route. Dynamic routing protocols can be classified according to two main criteria, the scope of routing and the routing algorithm used (see 3.5.1).

Advantages: routers dynamically share information about remote networks, discover remote networks, update their routing tables whenever the topology changes, and determine the best path to each destination.

Disadvantages: dynamic routing consumes processor time and link bandwidth, and it raises security issues.

3.5.1 Dynamic Routing Classification

a) Based on the scope of routing:

IGP (Interior Gateway Protocol): used within a single autonomous system (AS), such as within an organization or campus network. Examples: RIP, EIGRP, OSPF, IGRP.

EGP (Exterior Gateway Protocol): used to exchange routing information between different autonomous systems, typically on the Internet. Example: BGP (Border Gateway Protocol).

b) Based on the routing algorithm used:

Distance Vector Protocols: each router shares its routing table with its neighbors, including the distance (hop count) to each destination. Examples: RIP, IGRP.

Link State Protocols: each router builds a complete map of the network by exchanging information about the state of its directly connected links. Example: OSPF.

c) Dynamic routing characteristics

Algorithm: used to determine the best path. Examples: RIP uses Bellman-Ford, OSPF uses Dijkstra, and EIGRP uses DUAL.

Data structures/databases: used to store routing information.

Messages: messages to discover neighboring routers and messages carrying routing information (updates).

Fig 13. Dynamic Routing Classification


3.5.2 Dynamic Routing Autonomous System

Administrative distance is a value that defines the preference of a routing source. It is an integer value between 0 and 255; the lower the value, the more preferred the route source.

Convergence refers to the state in which the routing tables of all routers are perfectly consistent.

Time (Convergence) = Time (Detection) + Time (Transmission) + Time (New Path Calculation) + Time (Routing Table Update).

A network is not fully operational until it has converged. RIP takes longer to converge, while EIGRP and OSPF are faster.

Fig 14. Administrative Distance
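The Python example below is added here (it is not from the course) to show how a router chooses between routes to the same prefix offered by different sources: administrative distance is compared first, and the metric only decides between routes from the same source, because the metrics of different protocols (RIP hop counts, OSPF costs) are not comparable with each other. RIP's administrative distance of 120 is the value given in this chapter; the other values are the well-known Cisco defaults and are an assumption of the example, as are the candidate routes.

```python
# Administrative distances. RIP's value of 120 is stated in the course; the others are
# the standard Cisco defaults, assumed here rather than taken from the course figures.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}

# Constructed candidate routes, as each routing source would offer them to the routing table.
# A metric is only meaningful within one source: hop count for RIP, cost for OSPF, 0 for static.
CANDIDATES = [
    {"prefix": "10.1.0.0/16", "source": "rip",    "metric": 2,  "next_hop": "192.168.12.2"},
    {"prefix": "10.1.0.0/16", "source": "ospf",   "metric": 30, "next_hop": "192.168.13.2"},
    {"prefix": "10.2.0.0/16", "source": "rip",    "metric": 4,  "next_hop": "192.168.12.2"},
    {"prefix": "10.2.0.0/16", "source": "rip",    "metric": 3,  "next_hop": "192.168.14.2"},
    {"prefix": "10.3.0.0/16", "source": "static", "metric": 0,  "next_hop": "192.168.15.2"},
    {"prefix": "10.3.0.0/16", "source": "ospf",   "metric": 5,  "next_hop": "192.168.13.2"},
]


def preference(route):
    """Sort key: administrative distance first, metric second (tuples compare left to right)."""
    return (ADMIN_DISTANCE[route["source"]], route["metric"])


def select_routes(candidates):
    """Build the routing table: for every prefix keep the most preferred candidate only."""
    table = {}
    for route in candidates:
        current = table.get(route["prefix"])
        if current is None or preference(route) < preference(current):
            table[route["prefix"]] = route
    return table


def why_selected(candidates, prefix):
    """Return the installed route for a prefix and which criterion decided it."""
    offers = [r for r in candidates if r["prefix"] == prefix]
    winner = select_routes(offers)[prefix]
    same_source = [r for r in offers if r["source"] == winner["source"]]
    if len(same_source) == len(offers) and len(offers) > 1:
        return winner, "metric"                  # all offers from one source: metric decides
    if len(same_source) == 1:
        return winner, "administrative distance"  # the winner's source simply outranks the others
    return winner, "administrative distance, then metric"


if __name__ == "__main__":
    for prefix in ("10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"):
        route, reason = why_selected(CANDIDATES, prefix)
        print(f"{prefix}: {route['source']} via {route['next_hop']} (decided by {reason})")
```

Note that 10.1.0.0/16 is installed from OSPF even though its cost (30) is numerically larger than the RIP hop count (2): the comparison across sources is made on administrative distance alone, and the metric is never compared between two different protocols.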

3.5.3 IGP vs EGP with Autonomous System

• IGP (Interior Gateway Protocol): Routing protocols that operate within an AS (Autonomous
System). Examples: RIP, OSPF, and EIGRP.
• EGP (Exterior Gateway Protocol): Routing protocol that operates between ASs. Example:
BGP.
• Border Gateway Protocol (BGP) is an external routing exchange protocol (an EGP), used
notably on the Internet.

3.5.4 Distance Vector Protocols (e.g., RIP – Routing Information Protocol)

In general, routing protocols do not have knowledge of the entire network topology or the complete path to the destination. For this reason, regular updates are sent even if there is no change in the topology. These updates are sent to neighboring routers by broadcast to the address 255.255.255.255, and each update contains the entire routing table.

The Bellman-Ford algorithm, also known as the Bellman–Ford–Moore algorithm, computes the shortest paths from a given source node in a weighted directed graph.

RIP (Routing Information Protocol):

RIP characteristics: RIP is a distance vector routing protocol. Its metric is the number of hops (maximum hop count: 15), and its administrative distance is 120.

Updates are broadcast every 30 seconds. RIP version 1 does not support CIDR: it is classful, so subnet mask information is not included in updates.

RIP process (for updates), network discovery:
• Cold start
• Initial exchange
• Next periodic update
a) Network Discovery – Cold Start: The router initially detects its own directly connected networks.

Fig 16. Network Discovery – Cold Start

b) Network Discovery: Initial Exchange:


Routers begin exchanging routing updates.
The initial exchange of routing updates includes only information about their directly connected
networks. Any new route is added to the routing table, and its metric is updated.

Fig 17. Network Discovery: Initial Exchange


c) Network Discovery: Next Update:
Routers continue to exchange updates. If no new information is found, the convergence state
is reached. Routers reach the state of convergence when all routing tables in the network
contain the same information about the networks.

Fig 17. Network Discovery: Initial Exchange
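To make the cold start, initial exchange and next-update steps concrete, here is an added Python simulation (not from the course) of a distance vector exchange in the style of RIP: each router starts with only its directly connected networks, broadcasts its whole table to its neighbors once per round, and adopts a received route when its hop count plus one beats the current entry, which is the distributed form of the Bellman-Ford relaxation. The hop limit of 15 is enforced by treating 16 as unreachable, and a longer chain of routers shows what that limit does. The topologies and addresses are constructed for the example.

```python
INFINITY = 16  # RIP semantics: 16 hops means "unreachable" (the maximum usable hop count is 15)

# Constructed three-router topology R1 - R2 - R3 (addresses are assumptions, not course figures).
CONNECTED = {
    "R1": {"192.168.1.0/24", "10.0.12.0/30"},
    "R2": {"10.0.12.0/30", "10.0.23.0/30"},
    "R3": {"10.0.23.0/30", "192.168.3.0/24"},
}
NEIGHBORS = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2"]}


def cold_start(connected):
    """Cold start: each router knows only its directly connected networks (0 hops, no next hop)."""
    return {r: {net: (0, None) for net in nets} for r, nets in connected.items()}


def exchange(tables, neighbors):
    """One periodic update: every router broadcasts its entire table to each neighbor.

    Updates are taken from a snapshot so the order of routers within the round does
    not matter. Returns True if any routing table changed during the round.
    """
    snapshot = {r: dict(t) for r, t in tables.items()}
    changed = False
    for sender, table in snapshot.items():
        for receiver in neighbors[sender]:
            for net, (hops, _via) in table.items():
                cost = hops + 1
                if cost >= INFINITY:  # would exceed 15 hops: unreachable, not installed
                    continue
                current = tables[receiver].get(net)
                if current is None or cost < current[0]:
                    tables[receiver][net] = (cost, sender)
                    changed = True
    return changed


def converge(connected, neighbors, max_rounds=100):
    """Run update rounds until a round brings no new information (convergence).

    Returns the final tables and the number of rounds that changed something.
    """
    tables = cold_start(connected)
    rounds = 0
    while rounds < max_rounds and exchange(tables, neighbors):
        rounds += 1
    return tables, rounds


def chain(n):
    """Constructed chain of n routers: network 'left' on R1, 'right' on Rn, one link per pair."""
    connected = {f"R{i}": set() for i in range(1, n + 1)}
    neighbors = {f"R{i}": [] for i in range(1, n + 1)}
    connected["R1"].add("left")
    connected[f"R{n}"].add("right")
    for i in range(1, n):
        link = f"link{i}"
        connected[f"R{i}"].add(link)
        connected[f"R{i + 1}"].add(link)
        neighbors[f"R{i}"].append(f"R{i + 1}")
        neighbors[f"R{i + 1}"].append(f"R{i}")
    return connected, neighbors


if __name__ == "__main__":
    tables, rounds = converge(CONNECTED, NEIGHBORS)
    print(f"converged after {rounds} rounds carrying new information")
    for router, table in tables.items():
        for net, (hops, via) in sorted(table.items()):
            print(f"{router}: {net} hops={hops} via={via or 'directly connected'}")
```

In the three-router topology the first exchange only spreads directly connected networks one hop, the second exchange lets R1 and R3 learn each other's LAN at two hops, and the third exchange changes nothing, which is the converged state. With a chain of 16 routers the far network is still reachable at 15 hops; with 17 routers it would need 16 hops and never enters R1's table.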

3.5.5 Link-State Protocols (e.g., Open Shortest Path First (OSPF))


Dijkstra's algorithm is used to solve the shortest path problem. For example, it can be used to
determine the shortest route from one city to another, given the road network of a region.
More precisely, it computes the shortest paths from a source to all other vertices in a directed
graph weighted with positive real numbers. It can also be used to calculate the shortest path
between a starting vertex and a destination vertex.

Open Shortest Path First (OSPF) maintains three data structures:
• Neighbor table: created by exchanging hello packets with neighboring routers.
• Link-state database: contains all paths to all destinations, built by exchanging link-state updates.
• Routing table: contains the best routes.
OSPF Operations:

a) Sending Hello Packets to Neighbors: Each router is responsible for detecting its
neighbors on directly connected networks. Routers using link-state routing protocols utilize
the Hello protocol to detect neighbors.

Fig 18. Sending Hello Packets to Neighbors

b) Creating Link-State Packets (LSP): Each router constructs its own LSP, which describes the state of each directly connected link and includes information such as the router ID, link type, and cost.
Fig 19. Creating Link-State Packets (LSP)

c) Flooding LSPs: Once the LSPs are created, they are transmitted to neighbors, and each neighbor retransmits them to its own neighbors (flooding). LSPs are sent at router startup or routing process startup, and whenever there is a topology change.

Fig 20. Flooding LSPs


d) Creating a Link-State Database: The received LSPs will form the link-state database. This
database contains all the possible destinations in the network.
Fig 21. Creating a Link-State Database
e) SPF Algorithm: The router applies the SPF algorithm on the database to create an SPF tree,
with the router as the root and the leaves being the destinations. Using the tree, SPF determines
the shortest path and installs it in the routing table.

Fig 22. SPF Algorithm
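The five OSPF steps above can be followed in code. The Python example below is added here (it is not from the course, nor from any OSPF implementation): each router builds an LSP listing its directly connected links and their costs, flooding leaves every router with an identical link-state database, and each router then runs Dijkstra's SPF algorithm with itself as the root to obtain the shortest-path tree and, from it, the next hop for every destination. The four-router topology and the link costs are constructed for the example.

```python
import heapq

# Constructed four-router topology: router -> {neighbor: link cost}. The costs are
# arbitrary example values and are not derived from any interface bandwidth.
LINKS = {
    "A": {"B": 10, "C": 1},
    "B": {"A": 10, "C": 1, "D": 5},
    "C": {"A": 1, "B": 1, "D": 20},
    "D": {"B": 5, "C": 20},
}


def build_lsp(router, links, seq=1):
    """Link-state packet: router ID, sequence number, and the state (cost) of each connected link."""
    return {"id": router, "seq": seq, "links": dict(links[router])}


def flood(links):
    """Flooding: every LSP reaches every router, so all link-state databases end up identical.

    Simplified model: each LSP is delivered to every router directly. The sequence-number
    check is what a router applies to each received copy: a newer LSP replaces the stored
    one, an LSP that is not newer is discarded, which is what stops flooding from looping.
    """
    databases = {router: {} for router in links}
    for origin in links:
        lsp = build_lsp(origin, links)
        for router in links:
            held = databases[router].get(lsp["id"])
            if held is None or lsp["seq"] > held["seq"]:
                databases[router][lsp["id"]] = lsp
    return databases


def databases_identical(databases):
    """Check the flooding invariant: every router holds the same set of LSPs."""
    reference = next(iter(databases.values()))
    return all(db == reference for db in databases.values())


def spf(lsdb, root):
    """Dijkstra's algorithm over the link-state database.

    Returns (cost, predecessor) dictionaries, which together describe the SPF tree
    rooted at this router.
    """
    cost = {root: 0}
    pred = {}
    heap = [(0, root)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, link_cost in lsdb[u]["links"].items():
            nd = d + link_cost
            if nd < cost.get(v, float("inf")):
                cost[v] = nd
                pred[v] = u
                heapq.heappush(heap, (nd, v))
    return cost, pred


def routing_table(lsdb, root):
    """Read the routing table off the SPF tree: for each destination, its total cost and
    the first router after the root on the shortest path (the next hop)."""
    cost, pred = spf(lsdb, root)
    table = {}
    for dst in cost:
        if dst == root:
            continue
        hop = dst
        while pred[hop] != root:   # walk back towards the root to find the first hop
            hop = pred[hop]
        table[dst] = (cost[dst], hop)
    return table


if __name__ == "__main__":
    dbs = flood(LINKS)
    print("identical databases:", databases_identical(dbs))
    for router in LINKS:
        print(router, routing_table(dbs[router], router))
```

From A, the direct link to B (cost 10) is never used: the path A-C-B costs 2, and D is reached through C and B at cost 7, so every entry in A's table has C as next hop. Each router runs the same algorithm on the same database but gets a different tree, because the root differs.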


4. Conclusion

In summary, Chapter 1 provides a comprehensive overview of advanced routing techniques by analyzing key static and dynamic routing protocols such as RIP, RIPv2, IGRP, EIGRP, OSPF, and BGP. Through this chapter, students gain a deeper understanding of how each protocol operates, their appropriate use cases, benefits, and limitations. This foundational knowledge equips students with the skills needed to design, configure, and optimize routing in both small and large-scale network environments.
Chapter II: Security in Computer Networks

1. Introduction to Security in Computer Networks

1.1 Definition

Routing is one of the main functions of a router. The implementation of rules for traffic filtering is also a function performed at Layer 3 of the OSI model. Access Control Lists (ACLs) allow network traffic to be permitted or denied. They can be based on several parameters, such as source IP addresses, destination IP addresses, source ports, and destination ports.

ACLs (Access Control Lists) allow packets to be filtered based on user-defined criteria.

1.2 How ACLs Work:

The operation of ACLs can be summarized as follows:
1. The packet is checked against the first defined criterion.
2. If it matches the criterion, the specified action is applied.
3. If not, the packet is compared successively against the following ACL entries.
4. If it does not match any criterion, the deny action is applied.
Fig 23. How ACLs Work

To summarize: rules are tested one after another, and the first matching rule decides. If no rule is applicable, the packet is rejected.

2. Standard Access Control Lists

Defining a rule:
access-list number [deny | permit] source [source-wildcard]

Applying an ACL to an interface:
ip access-group [number | name] [in | out]

To display ACLs:
show access-lists [number | name] : displays all ACLs regardless of interface
show ip access-lists [number | name] : displays ACLs related only to the IP protocol
2.1 Example:

Rule 1: Router 1 must not communicate with the 192.168.3.0 network, and all other traffic must be
allowed.

Fig 24. Example of Rule 1

On Router 2: (Mode: Global Configuration)

no access-list 1
access-list 1 deny host 192.168.1.1
access-list 1 deny host 192.168.2.1
access-list 1 permit any
interface fa0/0
ip access-group 1 out
exit
2.2 Equivalent Forms (Wildcard Masks):

access-list 1 deny 192.168.1.1 0.0.0.0

The mask 0.0.0.0 (called a wildcard mask) means here that all the bits of the IP address are significant: only the host 192.168.1.1 matches, which is equivalent to "deny host 192.168.1.1".

access-list 1 permit 0.0.0.0 255.255.255.255

All IP packets are allowed. The mask 255.255.255.255 means that no bits are significant, which is equivalent to "permit any".

2.3 Other Rules:

• Rule 2: Router 1 must not communicate with the 192.168.5.0 network.
• Rule 3: PC1 must not communicate with Router 1.
• Rule 4: The 192.168.5.0 network must not communicate with Router 1.
• Rule 5*: The rest of the traffic must be allowed.

2.4 Notes:

1. Standard Access Control Lists must be placed as close as possible to the destination.
2. By default, each ACL has an implicit deny applied at the end of the list (deny any any).

2.5 Extended Access Control Lists allow filtering packets based on:

• Destination IP address
• Protocol type (TCP, UDP, ICMP, IGRP, IGMP, ...)
• Source port
• Destination port
...
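The following Python program is an added example (not the course's own material) that puts the evaluation rules of 1.2 and the ACL syntax of sections 2.1, 2.2 and 2.5 into working code: it parses access-list lines in Cisco IOS syntax, matches addresses through wildcard masks (a 0 bit in the mask means the address bit must match, a 1 bit means it is ignored), applies the entries in order with the first match deciding, and falls back to the implicit deny when nothing matches. For extended ACLs (numbers 100-199) it handles the usual IOS form `access-list number permit|deny protocol source [eq port] destination [eq port]`. ACL 1 is the Rule 1 configuration from 2.1; ACL 101 and the packets are constructed for the example.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # 0.0.0.0 with wildcard 255.255.255.255: no bit is significant


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_address(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i].

    Returns ((address, wildcard), index of the next token).
    """
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_port(tokens, i):
    """Consume an optional 'eq <port>' qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acls(config_lines):
    """Collect access-list entries by ACL number, in the order they were entered.

    Other lines (no access-list, interface, ip access-group, exit) are ignored here.
    """
    acls = {}
    for line in config_lines:
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        if 1 <= number <= 99:  # standard ACL: only the source address is examined
            src, _ = parse_address(t, 3)
            entry = {"action": action, "proto": "ip", "src": src, "sport": None,
                     "dst": ANY, "dport": None}
        else:                  # extended ACL: protocol, source [port], destination [port]
            proto = t[3]
            src, i = parse_address(t, 4)
            sport, i = parse_port(t, i)
            dst, i = parse_address(t, i)
            dport, i = parse_port(t, i)
            entry = {"action": action, "proto": proto, "src": src, "sport": sport,
                     "dst": dst, "dport": dport}
        acls.setdefault(number, []).append(entry)
    return acls


def wildcard_match(spec, address):
    """Bits where the wildcard is 0 must be equal; bits where it is 1 are ignored."""
    rule_addr, wildcard = spec
    significant = ~wildcard & 0xFFFFFFFF
    return (address & significant) == (rule_addr & significant)


def evaluate(entries, packet):
    """Test the packet against each entry in order; the first match decides.

    Returns (action, entry number), or ('deny', None) for the implicit deny at the end.
    packet: {'proto': 'tcp'|'udp'|'icmp', 'src': ..., 'dst': ..., 'sport': int, 'dport': int}
    """
    for n, e in enumerate(entries, start=1):
        if e["proto"] != "ip" and e["proto"] != packet["proto"]:
            continue
        if not wildcard_match(e["src"], _ip(packet["src"])):
            continue
        if not wildcard_match(e["dst"], _ip(packet["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != packet.get("sport"):
            continue
        if e["dport"] is not None and e["dport"] != packet.get("dport"):
            continue
        return e["action"], n
    return "deny", None


# ACL 1: the Rule 1 configuration of section 2.1 (applied outbound on fa0/0 of Router 2).
# ACL 101: a constructed extended ACL, used only to show protocol and port matching.
CONFIG = """
no access-list 1
access-list 1 deny host 192.168.1.1
access-list 1 deny host 192.168.2.1
access-list 1 permit any
interface fa0/0
ip access-group 1 out
exit
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.3.10 eq 80
access-list 101 deny icmp any any
""".strip().splitlines()

ACLS = parse_acls(CONFIG)

if __name__ == "__main__":
    print(evaluate(ACLS[1], {"proto": "tcp", "src": "192.168.1.1", "dst": "192.168.3.5"}))
    print(evaluate(ACLS[1], {"proto": "tcp", "src": "192.168.1.20", "dst": "192.168.3.5"}))
    print(evaluate(ACLS[101], {"proto": "tcp", "src": "192.168.1.5", "dst": "192.168.3.10", "dport": 22}))
```

The last call shows the implicit deny: an SSH packet to 192.168.3.10 matches neither the HTTP permit nor the ICMP deny, so it is rejected without any explicit entry. Writing the 2.2 forms "deny 192.168.1.1 0.0.0.0" and "permit 0.0.0.0 255.255.255.255" into an ACL gives exactly the same decisions as the "host" and "any" entries of ACL 1, which is the equivalence stated in that section.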

3. Conclusion
Chapter 2 introduces essential concepts in network security, focusing on the role of Access Control
Lists (ACLs) in regulating and protecting data traffic. By understanding how ACLs are implemented
and managed, students learn to enhance network security through traffic filtering and policy
enforcement. This knowledge forms a critical part of securing enterprise
Chapter III: Advanced Switch Configuration

1. Introduction to Advanced Switch Configuration

In this chapter, we focus on advanced switch configuration. We will present VLANs, the VLAN Trunking Protocol (VTP), and the Spanning Tree Protocol (STP), which are essential for efficient network segmentation, traffic management, and loop prevention in switched networks.

2. VLAN (Virtual Local Area Network)

2.1 Before VLANs

The following figure shows that the students' computers are located in one local area network (LAN),
while the faculty's computers are in another. This setup works very well because each group is
physically in the same location, making it easy to provide them with their network resources.

Fig 25. Before VLANs


A year later, the IT department expanded and now consists of three buildings. In the following figure,
the original network remains the same, but the students’ and faculty’s computers are now spread in
the three buildings. The students are still on the fifth floor, and the faculty administration is on the
third floor.

Fig 26. To prepare VLANs

However, the IT department now wants to ensure that all student computers share the same security
features and bandwidth controls.

How can the network meet the common needs of geographically separated groups?
Should you create one large local area network and physically connect each group?
Would it then be easy to modify this network?

2.2 Introduction to VLANs

The solution for the IT department is to use a network technology called a Virtual Local Area Network
(VLAN).
A VLAN allows a network administrator to create logical groups of networked devices that behave as
if they were on a separate network, even though they share a common infrastructure with other
virtual local area networks. When configuring a VLAN, you can assign it a name that describes the
primary role of its users. For example, all the computers used by students in a school can be
configured within the “Student” VLAN.
Using virtual local area networks, you can logically segment switched networks based on functions,
services, or project teams. In the following figure, one VLAN has been created for students and another
for the faculty. These VLANs allow the network administrator to implement access and security policies
for specific user groups. For instance, the administrator can allow the faculty administration—but not
the students—to access the e-Learning management servers in order to develop online course
materials.

Fig 27. Introduction to VLAN

2.3 Advantages of a Virtual Local Area Network (VLAN)


The main advantages of VLANs are as follows:

2.3.1 Security:
Groups containing sensitive data are separated from the rest of the network, which reduces the risk
of data breaches. Faculty computers are on VLAN 10 and are completely isolated from student and
guest data traffic.
Fig 28. Advantages of a Virtual Local Area Network

2.3.2 Cost Reduction:


Savings are achieved through fewer expensive network upgrades and more efficient use of
bandwidth.

2.3.3 Improved Performance:


Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces
unnecessary network traffic and boosts performance.

2.3.4 Broadcast Storm Mitigation:


Splitting a network into multiple VLANs reduces the number of devices that could participate in a
broadcast storm. You can see that although this network has six computers, there are only three
broadcast domains: Faculty, Student, and Guest.

2.3.5 Increased Efficiency for IT Staff:


VLANs simplify network management since users with similar network requirements share the same
VLAN. When setting up a new switch, all policies and procedures already configured for the
corresponding VLAN are applied as soon as the ports are assigned.
IT staff can also easily identify a VLAN’s purpose by assigning it a meaningful name. In the following
figure, for easy identification, VLAN 20 is named "Student", VLAN 10 "Faculty", and VLAN 30 "Guest".
2.3.6 Simplified Project or Application Management:
VLANs group users and network devices to support business or geographical requirements.
Functional separation makes it easier to manage a project or use a specialized application, such as an
e-Learning development platform for the faculty administration.

2.4 Characteristics of VLANs


VLAN IDs are divided into either the standard (normal) range or the extended range.

2.4.1 Standard Range VLANs:

Used in small, medium, and large enterprise networks. Identified by a VLAN ID between 1 and 1005.
VLAN IDs from 1002 to 1005 are reserved for Token Ring VLANs and Fiber Distributed Data Interface
(FDDI) VLANs. VLAN IDs 1 and 1002 to 1005 are created automatically and cannot be deleted.
Configurations are stored in a VLAN database file called vlan.dat, located in the switch's flash
memory. The VLAN Trunking Protocol (VTP), which propagates VLAN configurations across switches, can
only learn standard range VLANs (VTP versions 1 and 2) and stores them in the VLAN database file.

2.4.2 Extended Range VLANs:

Allow service providers to extend their infrastructure to a larger number of clients. Some
multinational companies may be large enough to require an extended range of VLAN IDs. Identified
by a VLAN ID between 1006 and 4094. Support fewer VLAN features compared to standard range
VLANs. Are saved in the running configuration file. VTP does not support extended range VLANs.

2.5 Types of VLANs

2.5.1 Data VLAN


A data VLAN is a virtual local area network configured to carry only user-generated traffic.
A data VLAN is sometimes referred to as a user VLAN.

2.5.2 Default VLAN


All switch ports become members of the default VLAN after the initial boot of the switch.
Since all switch ports participate in the default VLAN, they all belong to the same broadcast domain.
This allows any device connected to any switch port to communicate with other devices on other
switch ports. The default VLAN on Cisco switches is VLAN 1. This VLAN has the same characteristics
as any other VLAN, except that it cannot be renamed or deleted. Because every port starts in VLAN 1,
the usual practice is to move user, management and native VLAN traffic to dedicated VLANs and to
leave VLAN 1 unused.

2.5.3 Native VLAN

A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port carries traffic from
multiple VLANs (tagged traffic) as well as traffic not associated with any VLAN (untagged traffic).
The 802.1Q trunk port places untagged traffic it receives on the native VLAN, and sends the native
VLAN's own traffic untagged.
In the following figure, the native VLAN is VLAN 99. The untagged traffic is generated by a computer
connected to an access port assigned to the native VLAN. The native VLAN must be the same at both
ends of a trunk: with a mismatch, frames sent untagged for one VLAN are placed in a different VLAN
on the other side.
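The tagging described above, as an added example that is not part of the course notes: the Python below builds an Ethernet frame with and without an 802.1Q tag and shows how a trunk port whose native VLAN is 99 classifies each one. The MAC addresses and payloads are constructed sample values; VLAN 10 and VLAN 99 match the figures.

```python
"""802.1Q tagging on a trunk port, added as a worked example; this is not code
from the course notes. A tagged frame carries a 4-byte tag (TPID 0x8100, then
PCP/DEI/VID) between the source MAC and the EtherType; the native VLAN's
frames travel untagged, and a trunk that receives an untagged frame assigns
it to its native VLAN. MAC addresses and payloads below are constructed."""
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame; insert an 802.1Q tag when vlan_id is given."""
    if vlan_id is None:
        tag = b""
    else:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be between 1 and 4094")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # DEI bit left at 0
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload


def classify_trunk_frame(frame: bytes, native_vlan: int) -> Tuple[int, bool, bytes]:
    """Return (vlan_id, was_tagged, frame as delivered to an access port).

    Tagged frames go to the VLAN named in the tag, which is stripped before the
    frame is sent out of an access port; untagged frames go to the native VLAN.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return native_vlan, False, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF
    if vid == 0:
        vid = native_vlan      # VID 0 is a priority-only tag: no VLAN of its own
    return vid, True, frame[:12] + frame[16:]


# Constructed sample values (locally administered MACs, not real hosts)
FACULTY_PC = bytes.fromhex("0200000000aa")
SERVER = bytes.fromhex("0200000000bb")
NATIVE_VLAN = 99


def demo() -> dict:
    """One tagged frame (Faculty, VLAN 10) and one untagged frame cross the trunk."""
    tagged = build_frame(SERVER, FACULTY_PC, b"faculty data", vlan_id=10)
    untagged = build_frame(SERVER, FACULTY_PC, b"native data")
    return {
        "tagged": classify_trunk_frame(tagged, NATIVE_VLAN),
        "untagged": classify_trunk_frame(untagged, NATIVE_VLAN),
    }


if __name__ == "__main__":
    for name, (vid, was_tagged, delivered) in demo().items():
        print(f"{name:8s} -> VLAN {vid:3d}  tagged={was_tagged}  {len(delivered)} bytes")
```

Running the file prints the VLAN each frame lands in. Two details matter in practice: the tag is removed before a frame is delivered to an access port, so the end host never sees it, and a priority-only tag (VID 0) is treated like an untagged frame. Because untagged frames are placed in whatever native VLAN the receiving trunk has configured, the native VLAN has to match on both ends of a trunk.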

2.5.4 Management VLAN


A management VLAN is a virtual local area network configured to provide access to the management
features of a switch. VLAN 1 serves as the management VLAN if a separate VLAN is not explicitly
designated for that purpose. The switch virtual interface (SVI) of the management VLAN is assigned
an IP address and a subnet mask, and the switch can then be managed through it over HTTP/HTTPS,
Telnet/SSH or SNMP. Since these sessions carry the device credentials, the management VLAN should be
kept separate from the user VLANs and reached only with the encrypted variants (HTTPS, SSH, SNMPv3).

3. VTP (VLAN Trunking Protocol)

3.1 General Information


VTP is Cisco's VLAN administration protocol. It operates at the Data Link Layer (OSI Layer 2) and
propagates VLAN creations, deletions and renamings over trunk links to all the switches of the same
VTP domain, so that the VLAN database only has to be maintained on one switch.

3.2 Versions
VTP Version 1 – Original version.
VTP Version 2 – Adds support for Token Ring VLANs and, in Transparent mode, forwards VTP messages
without checking their domain name and version.

3.3 How VTP Works

VTP configuration:

Fig 29. VTP Configuration


VTP Server, VTP Client and VTP Transparent: a switch in server mode (the default) can create, rename
and delete VLANs and advertises its VLAN database to the domain; a client applies the advertisements
it receives and cannot modify VLANs itself; a transparent switch keeps its own local VLAN
configuration, ignores the advertisements and only forwards them to the other switches.

Fig 30. VTP Server, VTP client and VTP Transparent

VTP Status:

Fig 31. Show VTP Status

VTP Password: advertisements are only accepted from switches that know the domain password. This
matters because a switch that joins the domain with a higher configuration revision number overwrites
the VLAN database of every server and client; the password, together with resetting the revision
number before a reused switch is connected, prevents an unintended or hostile switch from doing so.

Fig 32. VTP Password


4. Spanning Tree Protocol

4.1 General Information

A network protocol used to define a loop-free topology in a LAN made up of switches: redundant links
are kept for resilience, but the ports that would close a loop are blocked. Standardized as IEEE
802.1D.

4.2 Versions

 STP: Basic protocol (IEEE 802.1D).


 PVST: Per VLAN Spanning Tree, one STP instance per VLAN. Cisco proprietary; only works with ISL
trunks.
 PVST+: Per VLAN Spanning Tree compatible with 802.1Q trunks.
 RSTP: Rapid Spanning Tree Protocol (IEEE 802.1w), an enhanced STP that reduces the time required
for a port to transition from "blocking" to "forwarding". Rapid PVST+ is its per-VLAN version.
 MSTP: Multiple Spanning Tree Protocol (IEEE 802.1s), one RSTP instance per group of VLANs.

4.3 How STP Works

 Bridge ID (BID): an 8-byte value made of a 2-byte priority field followed by the 6-byte MAC
address of the switch. In PVST, the priority field is a multiple of 4096 added to the VLAN ID (the
system ID extension). Example: 32769 = 32768 + 1 (default priority for VLAN 1).

Fig 33 STP Structure

 Dangers of Loops in a LAN: Broadcast Storm and MAC Address Table Instability
Fig 34. STP Loop

 Root Bridge Election: The switch with the lowest Bridge ID (BID) wins the election, i.e. the
lowest priority and, for equal priorities, the lowest MAC address. Each switch initially declares
itself as the root. When a switch receives a BPDU advertising a better (lower) BID than the current
known Root Bridge (initially itself), it updates the Root ID. Once the election is complete, only
the Root Bridge originates BPDUs; the other switches relay them, with an updated Root Path Cost, out
of their designated ports.

Fig 35. Root Bridge Election

 BPDU (Bridge Protocol Data Unit) Structure: the Root Path Cost field carries the sender's cost to
the root; the receiving switch adds the cost of the port on which the BPDU arrived to obtain its own
cost via that path.

Fig 36. Bridge Protocol Data Unit


STP Port Roles: RP (Root Port): the port with the best path to the Root Bridge, one per non-root
switch. DP (Designated Port): on each segment, the single port that forwards traffic towards the
root; all ports of the Root Bridge are DPs. A port that is neither RP nor DP is blocked.

Standard Interface Costs (IEEE 802.1D-1998 short values): Ethernet: 100, Fast Ethernet: 19, Gigabit
Ethernet: 4, EtherChannel Gigabit: 3 and Ten-Gigabit Ethernet: 2.

Port Role Determination

 The Root Bridge sends a BPDU out of every one of its ports (every 2 seconds by default).

Fig 37. Port Role Determination

For example, Switch S2 receives two BPDUs: one directly from S1 on its Fast Ethernet port, giving a
Root Path Cost of 19, and another from S3 on its Gigabit port, giving a Root Path Cost of 4 + 4 = 8.
The path via S3 is cheaper, so S2's Gig0/1 interface becomes the RP. The port at the other end of an
RP's segment becomes a DP, so Gig0/2 on S3 is a DP. All ports on a Root Bridge are always DPs, so
Fa0/1 and Gig0/1 on S1 are DPs. To eliminate the loop only one port needs to be blocked, in this case
Fa0/1 on S2.

If the Root Path Cost is equal on both sides of a segment, the Bridge ID decides which side becomes
the DP: the switch with the lower BID wins and the other side blocks. If S2 has a higher BID than S3,
the link between S2 and S3 is blocked on S2's side. If both the Root Path Cost and the BID are equal
(two parallel links between the same two switches), the sender's port ID is used and the lowest one
wins (e.g. Gig0/1 < Gig0/2). In that example S1 is the Root Bridge, so all its ports are DPs, and the
blocked port is on S2: since cost and BID are equal, the port ID decides, Gig0/1 < Gig0/2, so Gig0/2
on S2 is blocked.

STP Port States

A port goes through the states Blocking, Listening, Learning and Forwarding (Disabled is the
administratively shut state).
(*) When the topology changes, a port remains in "Blocking" for 20 seconds (the Max Age timer)
before moving to Listening, which prevents unnecessary STP recalculations (e.g., if a cable is
unplugged and replugged quickly). Listening and Learning then each last 15 seconds (the Forward
Delay timer), so about 50 seconds pass before the port forwards traffic.

STP – Configuration

Configure STP Priority:

 The effect of these two commands is identical: spanning-tree vlan 1 root primary and
spanning-tree vlan 1 priority 24576 both set the priority of VLAN 1 to 24576.


o The root primary option is a shortcut for setting a priority of 24576 (32768 -
2×4096); if another switch already advertises a lower priority, IOS instead uses a value 4096
below that switch's priority so that the local switch still becomes the root.
o The command spanning-tree vlan 1 root secondary sets the priority to
28672 (32768 - 1×4096), so the switch takes over as root if the primary fails.
 If setting the priority explicitly using spanning-tree vlan 1 priority XXXXX, the
value must be a multiple of 4096 between 0 and 61440; the lowest priority wins the election.
Configure STP Interface Cost:

 Used to influence the Root Path Cost by modifying the cost of an interface (spanning-tree cost
under the interface); lowering the cost of a port makes the path through it more attractive.

Display STP Information:

 show spanning-tree lets you verify the current STP topology, port roles, root bridge, and more.
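The election and port-role rules of this section (lowest BID, then root path cost, then BID and port ID as tie-breakers) and the effect of the priority and cost commands, as an added example that is not part of the course notes. The Python below computes the roles for the S1/S2/S3 topology of the figures (the MAC addresses are constructed so that S1 has the lowest BID), then shows how an interface cost override and a root primary priority change the result. Port IDs are compared by interface name, as the notes do, rather than by numeric port index.

```python
"""Root bridge election and port-role computation for classic STP / PVST,
added as a worked example; not code from the course notes. Switch names and
ports follow the S1/S2/S3 figures in the notes, the MAC addresses are
constructed, and port IDs are compared by interface name as the notes do."""
from typing import Dict, List, Optional, Tuple

# Short path costs quoted in the notes (IEEE 802.1D-1998)
COST = {"Ethernet": 100, "FastEthernet": 19, "GigabitEthernet": 4,
        "EtherChannelGig": 3, "TenGigabitEthernet": 2}

Bid = Tuple[int, str]                           # (priority + VLAN ID, MAC)
Link = Tuple[str, str, str, str, str]           # (switch A, port A, switch B, port B, media)


def make_bid(priority: int, vlan: int, mac: str) -> Bid:
    """Bridge ID: priority field (multiple of 4096 + VLAN ID) then MAC; lower wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return (priority + vlan, mac.lower())


def port_key(name: str) -> Tuple[int, str]:
    """Port ID: default port priority 128, then the port name (Gig0/1 < Gig0/2)."""
    return (128, name)


def compute_roles(bids: Dict[str, Bid], links: List[Link],
                  port_cost: Optional[Dict[Tuple[str, str], int]] = None):
    """Return (root switch, root path cost per switch, role per (switch, port))."""
    port_cost = port_cost or {}

    def cost(sw: str, port: str, media: str) -> int:
        # an explicit "spanning-tree cost" on the port overrides the media default
        return port_cost.get((sw, port), COST[media])

    root = min(bids, key=bids.get)              # 1. lowest BID becomes root

    # 2. Root path cost: each hop adds the cost of the port the BPDU arrives on
    dist = {sw: (0 if sw == root else float("inf")) for sw in bids}
    for _ in range(len(bids)):
        for a, pa, b, pb, media in links:
            dist[b] = min(dist[b], dist[a] + cost(b, pb, media))
            dist[a] = min(dist[a], dist[b] + cost(a, pa, media))

    roles: Dict[Tuple[str, str], str] = {}

    # 3. Root port: best received BPDU by (root path cost, sender BID, sender port, own port)
    best: Dict[str, Tuple[tuple, str]] = {}
    for a, pa, b, pb, media in links:
        for me, my_port, nb, nb_port in ((a, pa, b, pb), (b, pb, a, pa)):
            if me == root:
                continue
            key = (dist[nb] + cost(me, my_port, media), bids[nb],
                   port_key(nb_port), port_key(my_port))
            if me not in best or key < best[me][0]:
                best[me] = (key, my_port)
    for sw, (_, port) in best.items():
        roles[(sw, port)] = "RP"

    # 4. Designated port: per segment, the end with the lower (cost, BID, port ID)
    for a, pa, b, pb, media in links:
        ka = (dist[a], bids[a], port_key(pa))
        kb = (dist[b], bids[b], port_key(pb))
        roles.setdefault((a, pa) if ka < kb else (b, pb), "DP")

    # 5. Everything else is blocked (non-designated / alternate)
    for a, pa, b, pb, _ in links:
        roles.setdefault((a, pa), "BLK")
        roles.setdefault((b, pb), "BLK")
    return root, dist, roles


def course_topology():
    """Three switches: FastEthernet S1-S2 link, Gigabit S1-S3 and S2-S3 links."""
    bids = {"S1": make_bid(32768, 1, "0000.0000.0001"),
            "S2": make_bid(32768, 1, "0000.0000.0002"),
            "S3": make_bid(32768, 1, "0000.0000.0003")}
    links = [("S1", "Fa0/1", "S2", "Fa0/1", "FastEthernet"),
             ("S1", "Gig0/1", "S3", "Gig0/1", "GigabitEthernet"),
             ("S2", "Gig0/1", "S3", "Gig0/2", "GigabitEthernet")]
    return bids, links


if __name__ == "__main__":
    bids, links = course_topology()
    for label, override in (("default costs", None), ("S2 Fa0/1 cost 5", {("S2", "Fa0/1"): 5})):
        root, dist, roles = compute_roles(bids, links, override)
        print(f"{label}: root={root} root path cost={dist}")
        for (sw, port), role in sorted(roles.items()):
            print(f"  {sw} {port:7s} {role}")
```

With the default costs the output reproduces the figure: S2 reaches the root for 8 via S3 instead of 19 directly, so S2 Gig0/1 is the RP, S3 Gig0/2 the DP of that segment and S2 Fa0/1 the blocked port. Lowering the cost of S2 Fa0/1 to 5 (what spanning-tree cost 5 on that interface would do) moves the root port to Fa0/1 and blocks Gig0/1 instead; giving S3 a priority of 24576 (root primary) makes S3 the root regardless of MAC addresses.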
5. Conclusion

Chapter 3 covers key aspects of advanced switch configuration, providing students with the
foundational skills to manage complex switched networks. Through the study of VLANs, VTP, and STP,
students gain practical knowledge in network segmentation, efficient traffic handling, and loop
prevention. Mastering these technologies is essential for building scalable, stable, and well-organized
network infrastructures.
Chapter IV

Network Addressing with IPv6

1. Introduction

IPv6, the successor of IPv4, addresses several limitations of its predecessor, including restricted
addressing capacity, limited routing capabilities, and lack of advanced functionalities. With a large
128-bit address space, it enables better route aggregation in Internet routing tables, offers greater
flexibility in address allocation, and resolves the inherent weaknesses of IPv4. Additionally, IPv6
supports improved features such as Quality of Service (QoS), IPsec as part of the protocol suite,
mobility, automatic configuration and a native multicast model (IPv6 has no broadcast).

2. Introduction to IPv6
IPv6 uses 128-bit addresses. By convention the interface identifier (host part) is 64 bits long, so a
subnet is normally a /64 (in IPv4 the subnet size is variable). There are three types of IPv6
addresses:

 Unicast
 Multicast
 Anycast
Note: IPv6 does not use broadcast addresses; what broadcast did in IPv4 is done with multicast groups
(for example FF02::1, all nodes on the link).
Fig 40. IPv6 types

Strengths (compared to IPv4):

 Much larger address space (2^128, about 3.4 x 10³⁸ addresses).


 Address distribution based on needs and geographic location.
 Native implementation of multicast (optional in IPv4) and of IPsec, which is specified as part
of IPv6 but still has to be configured: IPv6 traffic is not authenticated or encrypted by default.
 Enhanced support for mobility (roaming).
 Simplified and better-structured protocol header.

3. IPv6 Structure

3.1 IPv6 Header fields (the base header has a fixed length of 40 bytes):

 Version: Protocol version, always 6 (4 bits).


 Traffic Class: Quality of Service (QoS) management (8 bits).
 Flow Label: Flow marking for differentiated processing within the network (20 bits).
 Payload Length: Size of the content following the base header, in bytes (16 bits).
 Next Header: Identifies the type of the header that follows, either an extension header or the
transport protocol (e.g. 6 for TCP, 17 for UDP, 58 for ICMPv6) (8 bits).
 Hop Limit: Packet lifetime, decremented by one each time it passes through a router. The
packet is discarded if the value reaches 0 (8 bits).
 Source Address and Destination Address (128 bits each).
Fig 41. IPv6 Header

3.2 Address Assignment Methods:


Static configuration: the address and prefix length are entered manually on the interface.

Assignment via Stateful DHCPv6: works like traditional DHCP; the server hands out the address and
the full IPv6 configuration of the interface and keeps a record (state) of each lease.

Stateless autoconfiguration (SLAAC): the interface builds its own address from the prefix announced
by the router in Router Advertisements (prefix + interface identifier). A stateless DHCPv6 server, if
present, only supplies options such as DNS servers, not addresses.

3.3 IPv6 Addresses:


IPv6 addresses are coded on 128 bits, represented as 8 groups of 4 hexadecimal characters separated
by colons.

The network identifier of the address is called the prefix. The prefix length, in the form /x, indicates
the number of bits in the network part of the address.

Example:

Fig 42. IPv6 example

3.4 Simplified IPv6 Address Notation


Rule #1: One run of consecutive all-zero groups can be replaced by "::", but only once in the
address; when there are several zero runs, the longest one is compressed (the first one if they are
of equal length).
Rule #2: Leading zeroes within a group are omitted (a group that is entirely zero is written as a
single 0).
Example:

Fig 43. Simplified IPv6 Address Notation


3.5 Global Unicast Addresses
These addresses are equivalent to IPv4 public addresses and are routable on both private and public
networks. The address range 2000::/3 is reserved by IANA for global unicast (public) addressing; it
includes all addresses whose first hexadecimal digit is 2 or 3.
Standard format:

Fig 44. Standard format of Global Unicast Addresses

A company is assigned the prefix: 2001:0AD8:1234::/48


If it follows the 64-bit host identifier rule, 16 bits remain available for subnetting, i.e. 2^16 =
65,536 possible /64 subnets, from 2001:0AD8:1234:0000::/64 to 2001:0AD8:1234:FFFF::/64.

Note: IPv6 subnetting follows the same logic as in IPv4. All addresses in the same network share the
same network identifier (called the prefix). The prefix length given as /x defines the number of bits in
the network identifier.
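The two notation rules and the /48 subnetting rule, as an added example that is not part of the course notes. expand() and compress() implement rules 1 and 2 by hand (compress() follows RFC 5952, which is also what operating systems and the Python ipaddress module print), and subnets() enumerates /64 subnets of the 2001:0AD8:1234::/48 prefix used above; the other addresses are constructed test values.

```python
"""IPv6 text notation and /48 subnetting, added as a worked example; not code
from the course notes. expand() and compress() implement the two notation
rules by hand (compress() applies RFC 5952: the longest run of at least two
zero groups becomes "::", the first one if there is a tie); subnets() carves
/64 subnets out of a site prefix. 2001:0AD8:1234::/48 is the prefix used in
the notes."""
import ipaddress
import re
from typing import List

_GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")


def expand(addr: str) -> str:
    """Full 8-group, 4-digit form: undo rule 1 ("::") and rule 2 (leading zeros)."""
    if addr.count("::") > 1:
        raise ValueError('"::" may appear only once in an address')
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError('"::" must stand for at least one zero group')
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(_GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr}")
    return ":".join(f"{int(g, 16):04x}" for g in groups)


def compress(addr: str) -> str:
    """Canonical short form: strip leading zeros, then replace the longest zero run."""
    groups = [f"{int(g, 16):x}" for g in expand(addr).split(":")]   # rule 2
    best_start, best_len, i = -1, 0, 0
    while i < 8:                                                    # locate zero runs
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:            # strictly longer: the first run wins a tie
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                    # rule 1 needs at least two zero groups
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"


def subnet_bits(site_prefix: str) -> int:
    """Bits left for subnetting between the site prefix and the 64-bit interface ID."""
    bits = 64 - ipaddress.IPv6Network(site_prefix).prefixlen
    if bits < 0:
        raise ValueError("prefix is longer than /64: no room for subnets")
    return bits


def subnets(site_prefix: str, count: int, start: int = 0) -> List[str]:
    """Return `count` consecutive /64 subnets of the site prefix, starting at index `start`."""
    site = ipaddress.IPv6Network(site_prefix, strict=True)
    if start < 0 or start + count > 2 ** subnet_bits(site_prefix):
        raise ValueError("subnet index out of range for this prefix")
    base = int(site.network_address)
    return [str(ipaddress.IPv6Network((base + (n << 64), 64)))
            for n in range(start, start + count)]


if __name__ == "__main__":
    for a in ("2001:0db8:0000:0000:0000:ff00:0042:8329", "2001:db8:0:0:1:0:0:1", "0:0:0:0:0:0:0:1"):
        print(f"{a:40s} -> {compress(a)}")
    print(f"2001:0AD8:1234::/48 has {2 ** subnet_bits('2001:0AD8:1234::/48')} /64 subnets")
    print(subnets("2001:0AD8:1234::/48", 3), subnets("2001:0AD8:1234::/48", 1, start=0xFFFF))
```

The address 2001:db8:0:0:1:0:0:1 is the instructive case: it has two zero runs of equal length, and only the first becomes "::", so the canonical form is 2001:db8::1:0:0:1. A single zero group is never compressed. For the /48 prefix, the subnet index is simply shifted into bits 48 to 63 of the address, which is why the fourth group of 2001:ad8:1234:ffff::/64 is the subnet number.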

3.6 "Unique Local" Unicast Addresses


These addresses are equivalent to IPv4 private addresses and are only routable within a private
network. The subnetting logic is the same as for global addresses, but the "unique local" prefix is
not globally managed. "Unique local" addresses are defined in the range FC00::/7; in practice the
FD00::/8 half is used (any address that starts with FD), the FC00::/8 half being reserved for a
possible centrally assigned scheme.
Standard format:

Fig 45. Standard format of Unique Local Unicast Addresses

The subnetting principle for "unique local" addresses follows the same logic as global addresses. The
40-bit Global ID that follows the FD byte should be generated randomly for the whole private network
rather than chosen by hand, so that two private networks that are later interconnected are unlikely
to use the same prefix.
3.7 Link-Local Addresses
These addresses work only within the local link (in the strict sense: machines within the same
subnet, same broadcast domain, same VLAN). They are not routable, and every IPv6 interface has one.
They are used by machines for specific protocols (such as routing protocols, Neighbor Discovery,
etc.). They fall within the range FE80::/10 (in practice FE80::/64).
Format:

Fig 46. Link-Local Addresses

When IPv6 is enabled on an interface, a link-local address is automatically generated, either by
randomly generating the 64-bit host part, or by using the EUI-64 method.

3.8 EUI-64 Method


A method for generating the 64-bit interface identifier from the 48-bit MAC address of an interface:
the MAC address is split into two halves, the value FFFE is inserted between them, and the
Universal/Local bit (the seventh bit of the first byte) is inverted. Because the resulting address
embeds the hardware address, a host that uses it can be recognised and tracked from one network to
another; most current operating systems therefore generate random interface identifiers by default.

Fig 47. EUI-64 Method

3.9 Multicast Addresses


Unlike other address types, multicast addresses are not assigned to interfaces, but instead represent
a group of target interfaces, either within a local network or beyond, depending on the address
scope. The address range FF00::/8 is reserved for multicast.

Special multicast addresses:


Fig 48. Special multicast addresses part1

Note: An Ethernet frame carrying an IPv6 multicast packet has a destination MAC address of the form
3333.xxxx.xxxx: the fixed prefix 33:33 followed by the low-order 32 bits of the IPv6 group address
(IPv6 multicast MAC address).

Fig 49. Special multicast addresses part2
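The address ranges of sections 3.5 to 3.7, the EUI-64 construction of 3.8 and the multicast MAC mapping of 3.9, as an added example that is not part of the course notes. The Python below derives a link-local and a SLAAC address from a constructed MAC address, recovers the MAC from the resulting address (which is why random identifiers are now the default), builds the solicited-node multicast group that Neighbor Discovery uses for that address, and maps multicast groups to their 33:33 MAC addresses. The MAC address and the 2001:ad8:1234:1::/64 prefix are assumed values.

```python
"""Link-local and EUI-64 addresses, Neighbor Discovery's solicited-node group
and the IPv6 multicast-to-MAC mapping, added as a worked example; not code from
the course notes. The MAC address and prefix values are constructed."""
import ipaddress

# Address ranges discussed in the notes
RANGES = (
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
    ("unique local", ipaddress.IPv6Network("fc00::/7")),    # FD00::/8 in practice
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
)


def address_kind(addr: str) -> str:
    """Classify an address by the prefix ranges above."""
    a = ipaddress.IPv6Address(addr)
    for name, net in RANGES:
        if a in net:
            return name
    return "other"


def parse_mac(mac: str) -> bytes:
    """Accept 00:1b:44:11:3a:b7, 00-1b-..., or Cisco 001b.4411.3ab7 notation."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return bytes.fromhex(digits)


def eui64(mac: str) -> bytes:
    """Modified EUI-64: split the MAC in two, insert FF:FE, flip the U/L bit (0x02 of byte 0)."""
    m = parse_mac(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local(mac: str) -> str:
    """FE80::/64 followed by the EUI-64 interface identifier."""
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64(mac)))


def slaac_address(prefix: str, mac: str) -> str:
    """Stateless autoconfiguration: the /64 prefix from a Router Advertisement + EUI-64."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64(mac)))


def mac_from_eui64(addr: str) -> str:
    """Reverse the construction: an EUI-64 address reveals the hardware MAC to anyone who sees it."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived")
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def solicited_node(addr: str) -> str:
    """FF02::1:FFxx:xxxx, the low 24 bits of the unicast address (used by Neighbor Discovery)."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))


def multicast_mac(addr: str) -> str:
    """33:33 followed by the low-order 32 bits of the IPv6 multicast group address."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in a.packed[-4:])


if __name__ == "__main__":
    mac = "00:1b:44:11:3a:b7"                               # constructed sample MAC
    ll = link_local(mac)
    ga = slaac_address("2001:ad8:1234:1::/64", mac)         # assumed /64 prefix
    print(f"{mac} -> EUI-64 {eui64(mac).hex()} -> {ll} ({address_kind(ll)})")
    print(f"SLAAC on 2001:ad8:1234:1::/64 -> {ga}; MAC recovered: {mac_from_eui64(ga)}")
    print(f"solicited-node {solicited_node(ga)} -> MAC {multicast_mac(solicited_node(ga))}")
    print(f"all-nodes ff02::1 -> MAC {multicast_mac('ff02::1')}")
```

Two things are worth noticing when running it. The same interface identifier appears in the link-local address and in every SLAAC address the host builds, so an EUI-64 host is recognisable across networks from the MAC that mac_from_eui64() recovers. And because the solicited-node group only depends on the low 24 bits of the address, a Neighbor Solicitation for a host is delivered to the MAC 33:33:ff:xx:xx:xx rather than to every node on the link.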

4. Conclusion

Chapter 4 introduces the fundamentals of IPv6, highlighting its importance as a modern solution to the
limitations of IPv4. By exploring its structure, features, and implementation, students understand how
IPv6 supports the expanding number of internet-connected devices. This knowledge is crucial for
designing future-proof network architectures and ensuring seamless connectivity in next-generation
networks.
General Conclusion

The four chapters of the Advanced Network and Security module collectively provide students
with a solid foundation in modern networking concepts and technologies. Beginning with
advanced routing techniques, students explore key dynamic routing protocols such as RIP,
OSPF, and BGP, gaining insights into how data is efficiently routed across diverse network
topologies. The module then delves into network security, emphasizing the critical role of
Access Control Lists (ACLs) in controlling and protecting data flows within enterprise
environments.

In Chapter 3, students focus on advanced switch configuration, learning how technologies like
VLANs, VTP, and STP contribute to network segmentation, traffic management, and the
prevention of switching loops. Finally, the module concludes with the introduction of IPv6,
equipping students with the knowledge to transition from IPv4 and to design networks capable
of supporting the rapidly growing number of internet-connected devices.

By the end of the module, students are expected to have developed practical skills and
theoretical understanding necessary for managing complex and secure network infrastructures
in modern IT environments.
