Ccna VPDF

The document serves as a study guide for networking concepts, covering essential topics such as network components, types of networks, network security, and configuration methods. It explains the roles of hosts, servers, and intermediary devices, as well as the importance of network architecture, fault tolerance, and scalability. Additionally, it discusses modern trends like cloud computing and smart home technology, while emphasizing the significance of security measures against various threats.


Study Guide 200-301
Networking Today

Communication is almost as important to us as our reliance on air, water, food, and shelter. In today’s world,
through the use of networks, we are connected like never before.

No Boundaries
• World without boundaries
• Global communities
• Human network

Network Components

Host Roles
Every computer on a network is called a host or end device.
Servers are computers that provide information to end devices:
• email servers
• web servers
• file servers
Clients are computers that send requests to the servers to retrieve information:
• web page from a web server
• email from an email server

Server Type | Description
Email | An email server runs email server software. Clients use client software to access email.
Web | A web server runs web server software. Clients use browser software to access web pages.
File | A file server stores corporate and user files. Client devices access these files.

Peer-to-Peer
It is possible to have a device be a client and a server in a Peer-to-Peer Network. This type of network
design is only recommended for very small networks.
Advantages | Disadvantages
Easy to set up | No centralized administration
Less complex | Not as secure
Lower cost | Not scalable
Used for simple tasks: transferring files and sharing printers | Slower performance

End Devices
An end device is where a message originates from or where it is received. Data originates with an end
device, flows through the network, and arrives at an end device.

Intermediary Network Devices

An intermediary device interconnects end devices. Examples include switches, wireless access points,
routers, and firewalls.
Management of data as it flows through a network is also the role of an intermediary device, including:
• Regenerate and retransmit data signals.
• Maintain information about what pathways exist in the network.
• Notify other devices of errors and communication failures.
Network Media

Communication across a network is carried through a medium which allows a message to travel from source
to destination.

Media Types | Description
Metal wires within cables | Uses electrical impulses.
Glass or plastic fibers within cables (fiber-optic cable) | Uses pulses of light.
Wireless transmission | Uses modulation of specific frequencies of electromagnetic waves.

Network Representations and Topologies

Network Representations

Network diagrams, often called topology diagrams, use symbols to represent devices within the network.
Important terms to know include:
• Network Interface Card (NIC)
• Physical Port
• Interface
Note: Often, the terms port and interface are used interchangeably.
Topology Diagrams

Physical topology diagrams illustrate the physical location of intermediary devices and cable installation. Logical topology diagrams illustrate devices, ports, and the addressing scheme of the network.

Common Types of Networks

Networks of Many Sizes


• Small Home Networks – connect a few computers to each other and the Internet
• Small Office/Home Office (SOHO) – enables computers within a home or remote office to connect to a corporate network
• Medium to Large Networks – many locations with hundreds or thousands of interconnected computers
• World Wide Networks – connect hundreds of millions of computers world-wide, such as the internet
[Figure: four network sizes, labelled Small Home, SOHO, Medium/Large and World Wide]


LANs and WANs
Network infrastructures vary greatly in terms of:
• Size of the area covered
• Number of users connected
• Number and types of services
available
• Area of responsibility
Two most common types of networks:
• Local Area Network (LAN)
• Wide Area Network (WAN).

A LAN is a network infrastructure that spans a small geographical area. A WAN is a network infrastructure that spans a wide geographical area.

LAN | WAN
Interconnect end devices in a limited area. | Interconnect LANs over wide geographical areas.
Administered by a single organization or individual. | Typically administered by one or more service providers.
Provide high-speed bandwidth to internal devices. | Typically provide slower speed links between LANs.
The Converging Network

Before converged networks, an organization would have been separately cabled for telephone, video, and data. Each of these networks would use different technologies to carry the signal. Each of these technologies would use a different set of rules and standards.
Converged data networks carry multiple services
on one link including:
• data
• voice
• video

Converged networks can deliver data, voice, and video over the same network infrastructure. The network
infrastructure uses the same set of rules and standards.
Reliable Networks

Network Architecture

Network Architecture refers to the technologies that support the infrastructure that moves data across the network.
There are four basic characteristics that the
underlying architectures need to address to meet user
expectations:
• Fault Tolerance
• Scalability
• Quality of Service (QoS)
• Security

Fault Tolerance

A fault tolerant network limits the impact of a failure by limiting the number of affected devices. Multiple paths are required for fault tolerance.
Reliable networks provide redundancy by implementing a packet switched network:
• Packet switching splits traffic into packets that are routed over a network.
• Each packet could theoretically take a different path to the destination.
This is not possible with circuit-switched networks, which establish dedicated circuits.
Scalability

A scalable network can expand quickly and easily to support new users and applications without impacting the performance of services to existing users.
Network designers follow accepted standards and protocols in order to make the networks scalable.

Quality of Service

Voice and live video transmissions require higher expectations for those services being delivered.
• Quality of Service (QoS) is the primary mechanism used to ensure reliable delivery of content for all users.
• With a QoS policy in place, the router can more easily manage the flow of data and voice traffic.

Network Security

There are two main types of network security that must be addressed:
▪ Network infrastructure security (physical security of network devices and preventing unauthorized access to the devices)
▪ Information security (protection of the information or data transmitted over the network)
Three goals of network security:
• Confidentiality – only intended recipients can read the data
• Integrity – assurance that the data has not been altered during transmission
• Availability – assurance of timely and reliable access to data for authorized users
Online Collaboration
▪ Collaborate and work with others
over the network on joint projects.
▪ Collaboration tools including Cisco
WebEx (shown in the figure) gives
users a way to instantly connect and
interact.
▪ Collaboration is a very high priority
for businesses and in education.
▪ Cisco Webex Teams is a
multifunctional collaboration tool.
• send instant messages
• post images
• post videos and links

Video Communication
• Video calls are made to anyone, regardless of where they are located.
• Video conferencing is a powerful tool for communicating with others.
• Video is becoming a critical requirement for effective collaboration.
• Cisco TelePresence enables a way of working in which everyone, everywhere, can collaborate.

Cloud Computing

Cloud computing allows us to store personal files or backup our data on servers over the internet.
• Applications can also be accessed using the Cloud.
• Allows businesses to deliver to any device anywhere in the world.
Cloud computing is made possible by data centers.
• Smaller companies that can’t afford their own data centers, lease server and storage services
from larger data center organizations in the Cloud.

Four types of Clouds:


• Public Clouds - Available to the general public through a pay-per-use model or for free.
• Private Clouds - Intended for a specific organization or entity such as the government.
• Hybrid Clouds - Made up of two or more Cloud types – for example, part custom and part public. Each part
remains a distinctive object but both are connected using the same architecture.
• Custom Clouds - Built to meet the needs of a specific industry, such as healthcare or media. Can be private or
public.
Technology Trends in the Home
• Smart home technology is a growing trend that allows technology
to be integrated into every-day appliances which allows them to
interconnect with other devices.
• Ovens might know what time to cook a meal for you by
communicating with your calendar on what time you are
scheduled to be home.
• Smart home technology is currently being developed for all
rooms within a house.

Powerline Networking
• Can allow devices to connect to a LAN
where data network cables or wireless
communications are not a viable option.
• Using a standard powerline adapter, devices
can connect to the LAN wherever there is an
electrical outlet by sending data on certain
frequencies.
• Powerline networking is especially useful
when wireless access points cannot reach all
the devices in the home.

Wireless Broadband

In addition to DSL and cable, wireless is another option used to connect homes and small businesses to the internet.
• More commonly found in rural environments,
a Wireless Internet Service Provider (WISP)
is an ISP that connects subscribers to
designated access points or hotspots.
• Wireless broadband is another solution for the
home and small businesses.
o Uses the same cellular technology
used by a smart phone.
o An antenna is installed outside the
house providing wireless or wired
connectivity for devices in the home.
Network Security

Security Threats
• Network security is an integral part of networking regardless of the size of the network.
• The network security that is implemented must take into account the environment while securing the data, but still allow for the quality of service that is expected of the network.
• Securing a network involves many protocols, technologies, devices, tools, and techniques in order to secure data and mitigate threats.
• Threat vectors might be external or internal.

External Threats:
• Viruses, worms, and Trojan horses
• Spyware and adware
• Zero-day attacks
• Threat actor attacks
• Denial of service attacks
• Data interception and theft
• Identity theft

Internal Threats:
• Lost or stolen devices
• Accidental misuse by employees
• Malicious employees

Security Solutions
Security must be implemented in multiple layers using
more than one security solution.
Network security components for home or small office
network:
• Antivirus and antispyware software should be
installed on end devices.
• Firewall filtering used to block unauthorized access to
the network

Larger networks have additional security requirements:
• Dedicated firewall system
• Access control lists (ACL)
• Intrusion prevention systems (IPS)
• Virtual private networks (VPN)
Basic Switch and End Device Configuration

Cisco IOS Access

Operating Systems
• Shell - The user interface that allows users to
request specific tasks from the computer. These
requests can be made either through the CLI or
GUI interfaces.
• Kernel - Communicates between the hardware
and software of a computer and manages how
hardware resources are used to meet software
requirements.
• Hardware - The physical part of a computer
including underlying electronics.

GUI
• A GUI allows the user to interact with the system
using an environment of graphical icons, menus,
and windows.
• A GUI is more user-friendly and requires less
knowledge of the underlying command structure
that controls the system.
• Examples of these are: Windows, macOS, Linux
KDE, Apple iOS and Android.
• GUIs can fail, crash, or simply not operate as
specified. For these reasons, network devices are typically accessed through a CLI.

Purpose of an OS

PC operating system enables a user to do the following:


• Use a mouse to make selections and run programs
• Enter text and text-based commands
CLI-based network operating system enables a network technician to do the following:
• Use a keyboard to run CLI-based network programs
• Use a keyboard to enter text and
text-based commands
• View output on a monitor

Access Methods

• Console – A physical management port used to access a device in order to provide maintenance, such as performing the initial configurations.
• Secure Shell (SSH) – Establishes a secure remote CLI connection to a
device, through a virtual interface, over a network. (Note: This is the
recommended method for remotely connecting to a device.)
• Telnet – Establishes an insecure remote
CLI connection to a device over the
network. (Note: User authentication,
passwords and commands are sent over the
network in plaintext.)

Terminal Emulation Programs
• Terminal emulation programs are used to connect to a network device by either a console port or by an SSH/Telnet connection.
• There are several terminal emulation programs to choose from, such as PuTTY, Tera Term and SecureCRT.
IOS Navigation

Primary Command Modes
User EXEC Mode:
• Allows access to only a limited number of basic monitoring commands
• Identified by the CLI prompt that ends with the > symbol
Privileged EXEC Mode:
• Allows access to all commands and features
• Identified by the CLI prompt that ends with the # symbol

Configuration Mode and Subconfiguration Modes

Global Configuration Mode:
• Used to access configuration options on the device
Line Configuration Mode:
• Used to configure console, SSH, Telnet or AUX access
Interface Configuration Mode:
• Used to configure a switch port or router interface

Navigation Between IOS Modes


▪ Privileged EXEC Mode:
To move from user EXEC mode to privileged EXEC mode, use the enable command.
▪ Global Configuration Mode:
To move in and out of global configuration mode, use the configure terminal command. To return to privileged EXEC mode, use the exit command.
▪ Line Configuration Mode:
To move in and out of line configuration mode, use the line command followed by the management line type. To return to global configuration mode, use the exit command.
▪ Subconfiguration Modes:
To move out of any subconfiguration mode to get back to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command or the key combination Ctrl+Z.

Device Names
• The first configuration command on any device should be to give it a unique hostname.
• By default, all devices are assigned a factory default name. For example, a Cisco IOS switch is
“Switch.”

Configure Passwords

Securing user EXEC mode access:
• First enter line console configuration mode using the line console 0 command in global configuration mode.
• Next, specify the user EXEC mode password using the password password command.
• Finally, enable user EXEC access using the login command.

Securing privileged EXEC mode access:
• First enter global configuration mode.
• Next, use the enable secret password command.

Securing VTY line access:
• First enter line VTY configuration mode using the line vty 0 15 command in global configuration mode.
• Next, specify the VTY password using the password password command.
• Finally, enable VTY access using the login command.
Note: VTY lines enable remote access using Telnet or SSH to the device. Many Cisco switches support up to 16 VTY lines that are numbered 0 to 15.
Encrypt Passwords
▪ The startup-config and running-config files display most passwords in plaintext.
▪ To obscure all plaintext passwords, use the service password-encryption global config command.
▪ Note: this command applies Cisco's reversible type 7 encoding. It stops a password being read off the screen over your shoulder, but anyone who obtains the configuration file can recover the original passwords. Protect privileged EXEC with enable secret (a one-way hash) rather than enable password, and treat a leaked configuration as a leaked password.

Use the show running-config command to verify that the passwords on the device are now encrypted.
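The three password procedures above, together with the caveat on service password-encryption, as an added example that is not part of the study guide: a Python script that decodes Cisco type 7 values and audits a running-config for the hardening steps this chapter describes (non-default hostname, enable secret, no type 7 secrets, SSH-only VTY lines with authentication, a login banner). WEAK_CONFIG and HARDENED_CONFIG are constructed text, not captured from a device; the use of username/secret and login local in the hardened config goes one step beyond the line password method shown above; all function names are this example's own.

```python
"""Audit an IOS running-config for the hardening steps in this chapter.

Added example. WEAK_CONFIG and HARDENED_CONFIG are constructed text, not
captured from any device; all function names are this example's own.
"""
import re

# Cisco's fixed type 7 key stream. Type 7 is a position-keyed XOR against this
# constant, so 'service password-encryption' obscures a value; it does not protect it.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded):
    """Recover the plaintext of a 'password 7 <hex>' value.

    The first two characters are the decimal offset into XLAT; each following
    hex pair is one plaintext byte XORed with the key byte at that position.
    """
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(data))


def encode_type7(plain, seed=9):
    """Inverse of decode_type7; used here only to build the weak sample config."""
    body = "".join(f"{ord(c) ^ XLAT[(seed + i) % len(XLAT)]:02X}" for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


# Constructed config: default hostname, reversible secrets, Telnet still allowed.
WEAK_CONFIG = f"""
hostname Switch
!
enable password 7 {encode_type7('cisco')}
!
line con 0
 password 7 {encode_type7('console')}
 login
line vty 0 15
 password 7 {encode_type7('telnet')}
 login
 transport input telnet ssh
"""

# Constructed config as typed; a real running-config shows the secrets hashed.
HARDENED_CONFIG = """
hostname S1
!
enable secret Cl4ss-Secret
username admin secret Adm1n-Secret
banner motd # Authorized access only. Activity is monitored. #
!
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""


def sections(config):
    """Group indented sub-commands under their enclosing top-level command."""
    out = {"": []}
    current = ""
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            out[current].append(line.strip())
        else:
            current = line.strip()
            out.setdefault(current, [])
    return out


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    secs = sections(config)
    findings = []
    if any(name in ("hostname Switch", "hostname Router") for name in secs):
        findings.append("default hostname still in use")
    if not any(name.startswith("enable secret ") for name in secs):
        findings.append("privileged EXEC not protected by 'enable secret'")
    for name, body in secs.items():
        for line in [name, *body]:
            m = re.fullmatch(r"(?:enable )?password 7 ([0-9A-Fa-f]+)", line)
            if m:
                findings.append(f"{name}: type 7 secret recovers to {decode_type7(m.group(1))!r}")
        if name.startswith("line vty"):
            if "login" not in body and "login local" not in body:
                findings.append(f"{name}: remote access without authentication")
            if "transport input ssh" not in body:
                findings.append(f"{name}: Telnet allowed (credentials cross the network in plaintext)")
    if not any(name.startswith("banner motd") for name in secs):
        findings.append("no login banner configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

The decoder is checked against the widely published vector 094F471A1A0A (the type 7 form of "cisco"). Run the audit over a config pulled with show running-config before the device goes into production; any type 7 line it reports should be replaced by enable secret or a username/secret pair, not merely re-encoded.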

Banner Messages
▪ A banner message is important to warn unauthorized personnel from attempting to access the device.
▪ To create a banner message of the day on a network device, use the banner motd # the message of
the day # global config command.

The banner will be displayed on attempts to access the device.


Configuration Files

▪ There are two system files that store the device configuration:
startup-config – This is the saved configuration file that is stored in NVRAM. It contains all the commands that will be used by the device upon startup or reboot. NVRAM does not lose its contents when the device is powered off.
running-config – This is stored in RAM. It reflects the current configuration. Modifying a running configuration affects the operation of a Cisco device immediately. RAM is volatile memory. It loses all of its content when the device is powered off or restarted.

To save changes made to the running configuration to the startup configuration file, use the copy running-config startup-config privileged EXEC mode command.

Alter the Running Configurations


If changes made to the running config do not have the desired effect and the running-config has not yet been
saved, you can restore the device to its previous configuration. To do this you can:
• Remove the changed commands individually.
• Reload the device using the reload
command in privilege EXEC mode. Note:
This will cause the device to briefly go offline, leading to network downtime.
If the undesired changes were saved to the startup-config, it may be necessary to clear all the configurations
using the erase startup-config command in privilege EXEC mode.
• After erasing the startup-config, reload the device to clear the running-config file from RAM.
Switch Virtual Interface Configuration
To access the switch remotely, an IP address and a subnet mask must be configured on the SVI.
To configure an SVI on a switch:
• Enter the interface vlan 1 command in global configuration mode.
• Next assign an IPv4 address using the ip address ip-address subnet-mask command.
• Finally, enable the virtual interface using the no shutdown command.

Protocols and Models

Communications Fundamentals
Networks can vary in size and complexity. It is not enough to have a connection, devices must agree on
“how” to communicate.
There are three elements to any communication:
• There will be a source (sender).
• There will be a destination (receiver).
• There will be a channel (media) that provides for the path
of communications to occur.

Communications Protocols
• All communications are governed by
protocols.
• Protocols are the rules that communications
will follow.
• These rules will vary depending on the
protocol.
Protocols must account for the following
requirements:
• An identified sender and receiver
• Common language and grammar
• Speed and timing of delivery
• Confirmation or acknowledgment requirements
Network Protocol Requirements
Common computer protocols must be in agreement and include the following requirements:
• Message encoding
• Message formatting and encapsulation
• Message size
• Message timing
• Message delivery options

Message Encoding
• Encoding is the process of converting information into another acceptable form for transmission.
• Decoding reverses this process to interpret the information.

Message Formatting and Encapsulation


• When a message is sent, it must use a specific format or structure.
• Message formats depend on the type of message and the channel that is used to deliver the message.
Message Size
Encoding between hosts must be in an appropriate format for the medium.
• Messages sent across the network are converted to bits
• The bits are encoded into a pattern of light, sound, or electrical impulses.
• The destination host must decode the signals to interpret the message.

Message Timing

Flow Control – Manages the rate of data transmission and defines how much information can be sent and
the speed at which it can be delivered.
Response Timeout – Manages how long a device waits when it does not hear a reply from the destination.
Access method - Determines when someone can send a message.
• There may be various rules governing issues like “collisions”. This is when more than
one device sends traffic at the same time and the messages become corrupt.
• Some protocols are proactive and attempt to prevent collisions; other protocols are
reactive and establish a recovery method after the collision occurs.

Message Delivery Options


• Unicast – one to one communication
• Multicast – one to many, typically not all
• Broadcast – one to all
Note: Broadcasts are used in IPv4 networks, but are not an option for IPv6. Later we will also see “Anycast” as an
additional delivery option for IPv6.
A Note About the Node Icon
• Documents may use the node icon , typically a circle, to represent all devices.
• The figure illustrates the use of the node icon for delivery options.

Protocols

Network protocols define a common set of rules,


• Can be implemented on devices in:
▪ Software
▪ Hardware
▪ Both

• Protocols have their own:


▪ Function
▪ Format
▪ Rules

Protocol Type | Description
Network Communications | Enable two or more devices to communicate over one or more networks.
Network Security | Secure data to provide authentication, data integrity, and data encryption.
Routing | Enable routers to exchange route information, compare path information, and select the best path.
Service Discovery | Used for the automatic detection of devices or services.

Network Protocol Functions
• Devices use agreed-upon protocols to communicate.
• Protocols may have one or more functions.

Function | Description
Addressing | Identifies sender and receiver
Reliability | Provides guaranteed delivery
Flow Control | Ensures data flows at an efficient rate
Sequencing | Uniquely labels each transmitted segment of data
Error Detection | Determines if data became corrupted during transmission
Application Interface | Process-to-process communications between network applications

TCP/IP Protocol
• TCP/IP protocols operate at the application, transport, and internet layers.
• The most common network access layer LAN protocols are Ethernet and WLAN (wireless LAN).
TCP/IP Communication Process

• A web server encapsulating and sending a web page to a client.

Reference Models

The Benefits of Using a Layered Model

Complex concepts such as how a network operates can be difficult to explain and understand. For this reason, a layered model is used.
Two layered models describe network operations:
• Open System Interconnection (OSI) Reference Model
• TCP/IP Reference Model

These are the benefits of using a layered model:


• Assist in protocol design because protocols that operate at a specific layer have defined information
that they act upon and a defined interface to the layers above and below
• Foster competition because products from different vendors can work together
• Prevent technology or capability changes in one layer from affecting other layers above and below
• Provide a common language to describe networking functions and capabilities
The OSI Reference Model

OSI Model Layer | Description
7 - Application | Contains protocols used for process-to-process communications.
6 - Presentation | Provides for common representation of the data transferred between application layer services.
5 - Session | Provides services to the presentation layer and to manage data exchange.
4 - Transport | Defines services to segment, transfer, and reassemble the data for individual communications.
3 - Network | Provides services to exchange the individual pieces of data over the network.
2 - Data Link | Describes methods for exchanging data frames over a common media.
1 - Physical | Describes the means to activate, maintain, and de-activate physical connections.

The TCP/IP Reference Model

TCP/IP Model Layer | Description
Application | Represents data to the user, plus encoding and dialog control.
Transport | Supports communication between various devices across diverse networks.
Internet | Determines the best path through the network.
Network Access | Controls the hardware devices and media that make up the network.

OSI and TCP/IP Model Comparison


• The OSI model divides the network access
layer and the application layer of the TCP/IP
model into multiple layers.
• The TCP/IP protocol suite does not specify
which protocols to use when transmitting over
a physical medium.
• OSI Layers 1 and 2 discuss the necessary
procedures to access the media and the
physical means to send data over a network.
Data Encapsulation

Segmenting Messages

Segmenting is the process of breaking up messages into smaller units.
Multiplexing is the process of taking multiple streams of segmented data and interleaving them together.
Segmenting messages has two primary benefits:
• Increases speed - Large amounts of data can be sent over the network without tying up a communications link.
• Increases efficiency - Only segments which fail to reach the destination need to be retransmitted, not the entire data stream.

Sequencing

Sequencing messages is the process of numbering the segments so that the message may be reassembled at the destination.
TCP is responsible for sequencing the individual segments.

Protocol Data Units


Encapsulation is the process where protocols add their information to the data.
• At each stage of the process, a PDU has a different name to reflect its new functions.
• There is no universal naming convention for PDUs; in this course, the PDUs are named according to the protocols of the TCP/IP suite.
• PDUs passing down the stack are as follows:
1. Data (Data Stream)
2. Segment
3. Packet
4. Frame
5. Bits (Bit Stream)
Encapsulation

• Encapsulation is a top-down process.
• The level above does its process and then passes it down to the next level of the model. This process is repeated by each layer until it is sent out as a bit stream.

De-encapsulation

• Data is de-encapsulated as it moves up the stack.
• When a layer completes its process, that layer strips off its header and passes it up to the next level to be processed. This is repeated at each layer until it is a data stream that the application can process.
1. Received as Bits (Bit Stream)
2. Frame
3. Packet
4. Segment
5. Data (Data Stream)

Data Access

Addresses

Both the data link and network layers use addressing to deliver data from source to destination.
Network layer source and destination addresses - Responsible for delivering the IP packet from original
source to the final destination.
Data link layer source and destination addresses – Responsible for delivering the data link frame from
one network interface card (NIC) to another NIC on the same network.
Layer 3 Logical Address

The IP packet contains two IP addresses:
• Source IP address - The IP address of the sending device, the original source of the packet.
• Destination IP address - The IP address of the receiving device, the final destination of the packet.
These addresses may be on the same link or remote.

An IP address contains two parts:
• Network portion (IPv4) or Prefix (IPv6)
The left-most part of the address indicates the network group of which the IP address is a member. All devices on the same LAN or WAN share the same network portion.
• Host portion (IPv4) or Interface ID (IPv6)
The remaining part of the address identifies a specific device within the group. This portion is unique for each device on the network.

Devices on the Same Network

When devices are on the same network the source and destination will have the same number in the network portion of the address.
• PC1 – 192.168.1.110
• FTP Server – 192.168.1.9
Role of the Data Link Layer Addresses: Same IP Network

When devices are on the same Ethernet network the data link frame will use the actual MAC address of the destination NIC.
MAC addresses are physically embedded into the Ethernet NIC and are local addressing.
• The Source MAC address will be that of the originator on the link.
• The Destination MAC address will always be on the same link as the source, even if the ultimate destination is remote.

Devices on a Remote Network


• What happens when the actual (ultimate) destination is not on the same LAN and is remote?
• What happens when PC1 tries to reach the Web Server?
• Does this impact the network and data link layers?

Role of the Network Layer Addresses


When the source and destination have a different network portion, this means they are on different networks.
• PC1 – 192.168.1
• Web Server – 172.16.1
Role of the Data Link Layer Addresses: Different IP Networks

When the final destination is remote, Layer 3 will provide Layer 2 with the local default gateway IP address, also known as the router address.
• The default gateway (DGW) is the router interface IP address that is part of this LAN and will be the "door" or "gateway" to all other remote locations.
• All devices on the LAN must be told about this address or their traffic will be confined to the LAN only.

• Once Layer 2 on PC1 forwards to the default gateway (Router), the router then can start the routing
process of getting the information to actual destination.
• The data link addressing is local addressing so it will have a source and destination for each link.
• The MAC addressing for the first segment is :
o Source – AA-AA-AA-AA-AA-AA (PC1) Sends the frame.
o Destination – 11-11-11-11-11-11 (R1- Default Gateway MAC) Receives the frame.
Note: While the L2 local addressing will change from link to link or hop to hop, the L3 addressing remains the same.

Data Link Addresses


• Since data link addressing is local addressing, it will have a source and destination for each segment or hop of the journey to the destination.
• The MAC addressing for the first segment is:
▪ Source – PC1 NIC, sends the frame
▪ Destination – First Router, DGW interface, receives the frame
• The MAC addressing for the second hop is:
▪ Source – First Router, exit interface, sends the frame
▪ Destination – Second Router, receives the frame
• The MAC addressing for the last segment is:
▪ Source – Second Router, exit interface, sends the frame
▪ Destination – Web Server NIC, receives the frame
• Notice that the packet is not modified, but the frame is changed; therefore the L3 IP addressing does not change from segment to segment like the L2 MAC addressing.
• The L3 addressing remains the same since it is global and the ultimate destination is still the Web Server.
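The hop-by-hop re-framing described in this section, and the Protocol Data Units / Encapsulation material before it, as an added example that is not part of the study guide: a Python script that builds an Ethernet frame around an IPv4 packet for PC1, has PC1 decide from its own prefix whether to frame to the destination or to the default gateway, then has R1 de-encapsulate, forward and re-encapsulate toward R2. The topology mirrors the figures above (PC1 at 192.168.1.110 with MAC AA-AA-AA-AA-AA-AA, R1's gateway interface with MAC 11-11-11-11-11-11); R1's exit MAC, R2's MAC, the web server address 172.16.1.99 (the guide gives only the 172.16.1 network portion) and all function names are this example's own assumptions. One caveat the guide glosses over, and the code shows: a router does touch the IP header by decrementing TTL and recomputing the header checksum, but the source and destination IP addresses carry through unchanged.

```python
"""Encapsulation and hop-by-hop re-framing. Added example; topology, MAC
addresses, the 172.16.1.99 server address and function names are constructed."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800

# PC1's view of its LAN: a constructed ARP table for the two hosts it will frame to.
PC1_IFACE = "192.168.1.110/24"
PC1_MAC = "AA-AA-AA-AA-AA-AA"
DGW_IP = "192.168.1.1"
ARP_TABLE = {DGW_IP: "11-11-11-11-11-11", "192.168.1.9": "BB-BB-BB-BB-BB-BB"}


def mac(text):
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def fmt_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)


def ip_checksum(header):
    """RFC 791 ones' complement sum over a 20-byte header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src_ip, dst_ip, payload, ttl=64, proto=6):
    """Layer 3 PDU: 20-byte header without options, followed by the segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def ethernet_frame(src_mac, dst_mac, packet):
    """Layer 2 PDU: Ethernet II header (dst, src, type) around the packet; FCS omitted."""
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def parse_frame(frame):
    """De-encapsulate far enough to read the L2 and L3 addressing of one frame."""
    packet = frame[14:]
    return {"dst_mac": fmt_mac(frame[:6]), "src_mac": fmt_mac(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0], "ttl": packet[8],
            "src_ip": str(ipaddress.IPv4Address(packet[12:16])),
            "dst_ip": str(ipaddress.IPv4Address(packet[16:20]))}


def ip_header_valid(packet):
    return ip_checksum(packet[:20]) == 0


def next_hop(host_iface, dst_ip, gateway_ip):
    """Host decision: frame to the destination if it shares our prefix, else to the DGW."""
    local_net = ipaddress.ip_interface(host_iface).network
    return dst_ip if ipaddress.ip_address(dst_ip) in local_net else gateway_ip


def pc1_send(dst_ip, payload=b"GET / HTTP/1.1\r\n"):
    """PC1 encapsulates: payload -> IPv4 packet -> Ethernet frame for the first segment."""
    hop_ip = next_hop(PC1_IFACE, dst_ip, DGW_IP)
    return ethernet_frame(PC1_MAC, ARP_TABLE[hop_ip], ipv4_packet("192.168.1.110", dst_ip, payload))


def router_forward(frame, exit_mac, next_hop_mac):
    """Router: strip the L2 header, decrement TTL and fix the checksum, re-frame for the next link."""
    packet = bytearray(frame[14:])
    if packet[8] <= 1:
        raise ValueError("TTL expired; router would send ICMP Time Exceeded")
    packet[8] -= 1
    packet[10:12] = b"\x00\x00"
    packet[10:12] = struct.pack("!H", ip_checksum(bytes(packet[:20])))
    return ethernet_frame(exit_mac, next_hop_mac, bytes(packet))


def trace_to_web_server():
    """Addressing of the first two segments of PC1 -> R1 -> R2 -> 172.16.1.99."""
    first = pc1_send("172.16.1.99")
    second = router_forward(first, "22-22-22-22-22-22", "33-33-33-33-33-33")
    return [parse_frame(first), parse_frame(second)]


if __name__ == "__main__":
    for hop, info in enumerate(trace_to_web_server(), 1):
        print(f"segment {hop}: {info}")
```

Compare the two dictionaries the trace returns: both MAC addresses change between segment 1 and segment 2 and the TTL drops by one, while the IP pair stays 192.168.1.110 to 172.16.1.99. Sending to 192.168.1.9 instead takes the other branch of next_hop and the frame goes straight to the FTP server's MAC.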

Physical Layer

The Physical Connection

• Before any network communications can occur, a physical connection to a local network must be established.
• This connection could be wired or wireless, depending on the setup of the network.
• This generally applies whether you are considering a corporate office or a home.
• A Network Interface Card (NIC) connects a device to the network.
• Some devices may have just one NIC, while others may have multiple NICs (wired and/or wireless, for example).
• Not all physical connections offer the same level of performance.

The Physical Layer
• Transports bits across the network media.
• Accepts a complete frame from the Data Link Layer and encodes it as a series of signals that are transmitted onto the local media.
• This is the last step in the encapsulation process.
• The next device in the path to the destination receives the bits, rebuilds the frame from them, and then decides what to do with it.

Copper Cabling

Characteristics of Copper Cabling

Copper cabling is the most common type of cabling used in networks today. It is inexpensive, easy to install, and has low resistance to electrical current flow.
Limitations:
• Attenuation – the longer the electrical signals have to travel, the weaker they get.
• The electrical signal is susceptible to interference from two sources, which can distort and corrupt the data signals: electromagnetic interference (EMI) and radio frequency interference (RFI) from outside the cable, and crosstalk from adjacent wires.
Mitigation:
• Strict adherence to cable length limits mitigates attenuation.
• Some kinds of copper cable mitigate EMI and RFI by using metallic shielding and grounding.
• Some kinds of copper cable mitigate crosstalk by twisting opposing circuit pair wires together.
Types of Copper Cabling

Unshielded Twisted Pair (UTP)


• UTP is the most common networking media.
• Terminated with RJ-45 connectors.
• Interconnects hosts with intermediary network devices.

Key Characteristics of UTP


1. The outer jacket protects the copper wires from physical damage.
2. Twisted pairs protect the signal from interference.
3. Color-coded plastic insulation electrically isolates the wires from each other and identifies each pair.

Shielded Twisted Pair (STP)


• Better noise protection than UTP
• More expensive than UTP
• Harder to install than UTP
• Terminated with RJ-45 connectors
• Interconnects hosts with intermediary network devices

Key Characteristics of STP


1. The outer jacket protects the copper wires from physical damage
2. Braided or foil shield provides EMI/RFI protection
3. Foil shield for each pair of wires provides EMI/RFI protection
4. Color-coded plastic insulation electrically isolates the wires from each other and identifies each pair
Coaxial Cable

1. Outer cable jacket to prevent minor physical damage
2. A woven copper braid, or metallic foil, acts as the second wire in the circuit and as a shield for the inner conductor.
3. A layer of flexible plastic insulation
4. A copper conductor is used to transmit the electronic signals.

There are different types of connectors used with coax cable.

Commonly used in the following situations:
• Wireless installations - attach antennas to wireless devices
• Cable internet installations - customer premises wiring

UTP Cabling

Properties of UTP Cabling

UTP has four pairs of color-coded copper wires twisted together and encased in a flexible plastic sheath. No shielding is used. UTP relies on the following properties to limit crosstalk:
• Cancellation - Each wire in a pair of wires uses opposite polarity. One wire is negative, the other wire is positive. They are twisted together and the magnetic fields effectively cancel each other and outside EMI/RFI.
• Variation in twists per foot in each pair - Each pair is twisted a different amount, which helps prevent crosstalk amongst the pairs in the cable.

UTP Cabling Standards and Connectors


Standards for UTP are established by the TIA/EIA. TIA/EIA-568 standardizes elements like:
• Cable Types
• Cable Lengths
• Connectors
• Cable Termination
• Testing Methods
Electrical standards for copper cabling are established by the IEEE, which rates cable according to its
performance. Examples include:
• Category 3
• Category 5 and 5e
• Category 6

[Figures: RJ-45 connector; RJ-45 socket; poorly terminated UTP cable; properly terminated UTP cable]

Straight-through and Crossover UTP Cables

Cable type – standard – application:
• Ethernet straight-through – both ends T568A, or both ends T568B – host to network device
• Ethernet crossover * – one end T568A, other end T568B – host-to-host, switch-to-switch, router-to-router
• Rollover – Cisco proprietary – host serial port to router or switch console port, using an adapter
* Considered legacy because most NICs use Auto-MDIX to sense the cable type and complete the connection.
Fiber-Optic Cabling

Properties of Fiber-Optic Cabling


• Not as common as UTP because of the expense involved
• Ideal for some networking scenarios
• Transmits data over longer distances at higher bandwidth than any other networking media
• Less susceptible to attenuation, and completely immune to EMI/RFI
• Made of flexible, extremely thin strands of very pure glass
• Uses a laser or LED to encode bits as pulses of light
• The fiber-optic cable acts as a waveguide to transmit light between the two ends with minimal signal loss

Types of Fiber Media

Single-Mode Fiber (SMF)
• Very small core
• Uses expensive lasers
• Long-distance applications
Multimode Fiber (MMF)
• Larger core
• Uses less expensive LEDs
• LEDs transmit at different angles
• Up to 10 Gbps over 550 meters

Dispersion refers to the spreading out of a light pulse over time. Increased dispersion means increased loss of signal strength. MMF has greater dispersion than SMF, so the maximum cable distance for MMF is 550 meters.

Fiber-Optic Cabling Usage

Fiber-optic cabling is now being used in four types of industry:


1. Enterprise Networks - Used for backbone cabling applications and interconnecting infrastructure devices
2. Fiber-to-the-Home (FTTH) - Used to provide always-on broadband services to homes and small businesses
3. Long-Haul Networks - Used by service providers to connect countries and cities
4. Submarine Cable Networks - Used to provide reliable high-speed, high-capacity solutions capable of
surviving in harsh undersea environments at up to transoceanic distances.
Fiber-Optic Connectors

[Figures: Lucent Connector (LC) simplex connectors; Straight-Tip (ST) connectors; Subscriber Connector (SC) connectors; duplex multimode LC connectors]

Fiber Patch Cords

[Figures: SC-SC MM patch cord; LC-LC SM patch cord; ST-LC MM patch cord; ST-SC SM patch cord]

A yellow jacket is for single-mode fiber cables and orange (or aqua) for multimode fiber cables.
Fiber versus Copper
Optical fiber is primarily used as backbone cabling for high-traffic, point-to-point connections between data distribution facilities and for the interconnection of buildings in multi-building campuses.

Implementation issue – UTP cabling – fiber-optic cabling:
• Bandwidth supported – 10 Mb/s to 10 Gb/s – 10 Mb/s to 100 Gb/s
• Distance – relatively short (1 to 100 meters) – relatively long (1 to 100,000 meters)
• Immunity to EMI and RFI – low – high (completely immune)
• Immunity to electrical hazards – low – high (completely immune)
• Media and connector costs – lowest – highest
• Installation skills required – lowest – highest
• Safety precautions – lowest – highest

Wireless Media

Properties of Wireless Media


Wireless media carries electromagnetic signals representing binary digits using radio or microwave frequencies. This provides the greatest mobility option, and the number of wireless connections continues to increase.
Some of the limitations of wireless:
• Coverage area - Effective coverage can be significantly impacted by the physical characteristics of the deployment location.
• Interference - Wireless is susceptible to interference and can be disrupted by many common devices.
• Security - Wireless coverage requires no access to a physical strand of media, so anyone within range can receive the transmission; confidentiality and access control therefore depend on link-layer authentication and encryption (e.g., WPA2/WPA3), not on physical access.
• Shared medium - WLANs operate in half-duplex, which means only one device can send or receive at a time. Many users accessing the WLAN simultaneously results in reduced bandwidth for each user.

Types of Wireless Media


The IEEE and telecommunications industry standards for wireless data communications cover both the data link and physical layers. In each of these standards, the physical layer specifications dictate:
• Data-to-radio-signal encoding methods
• Frequency and power of transmission
• Signal reception and decoding requirements
• Antenna design and construction
Wireless Standards:
• Wi-Fi (IEEE 802.11) - Wireless LAN (WLAN) technology
• Bluetooth (IEEE 802.15) - Wireless Personal Area Network (WPAN) standard
• WiMAX (IEEE 802.16) - Uses a point-to-multipoint topology to provide broadband wireless access
• Zigbee (IEEE 802.15.4) - Low data-rate, low power-consumption communications, primarily for Internet of Things (IoT) applications

Wireless LAN

In general, a Wireless LAN (WLAN) requires the following devices:


• Wireless Access Point (AP) - Concentrates wireless signals from users and connects to the existing copper-based network infrastructure
• Wireless NIC adapters - Provide wireless communications capability to network hosts

There are a number of WLAN standards. When purchasing WLAN equipment, ensure compatibility, and
interoperability.
Network Administrators must develop and apply stringent security policies and processes to protect WLANs
from unauthorized access and damage.

Number Systems

Binary Number System

Binary and IPv4 Addresses


• The binary numbering system consists of 1s and 0s, called bits.
• The decimal numbering system consists of digits 0 through 9.
• Hosts, servers, and network equipment use binary addressing to identify each other.
• Each IPv4 address is made up of a string of 32 bits, divided into four sections called octets.
• Each octet contains 8 bits (or 1 byte); octets are separated by a dot.
• For ease of use by people, this dotted binary notation is converted to dotted decimal.
Binary Positional Notation
• Positional notation means that a digit represents different values depending on the “position” the digit occupies in the sequence of numbers.
• In decimal, each position is a power of 10 (1, 10, 100, 1000, ...); the value of a number is the sum of each digit multiplied by the weight of its position.
• In binary, each position is a power of 2. In an 8-bit octet the weights from left to right are 128, 64, 32, 16, 8, 4, 2, 1, and the octet's value is the sum of the weights of the positions that hold a 1.

Convert Binary to Decimal

Convert 11000000.10101000.00001011.00001010 to decimal.

11000000 = 128 + 64 = 192
10101000 = 128 + 32 + 8 = 168
00001011 = 8 + 2 + 1 = 11
00001010 = 8 + 2 = 10
Result: 192.168.11.10
IPv4 Addresses
• Routers and computers only understand binary, while humans work in decimal. It is important for
you to gain a thorough understanding of these two numbering systems and how they are used in
networking.

Hexadecimal Number System

Hexadecimal and IPv6 Addresses


• To understand IPv6 addresses, you must be able to convert hexadecimal to decimal and vice versa.
• Hexadecimal is a base sixteen numbering system, using the digits 0 through 9 and letters A to F.
• It is easier to express a value as a single hexadecimal digit than as four binary bits.
• Hexadecimal is used to represent IPv6 addresses and MAC addresses.
• IPv6 addresses are 128 bits in length. Every 4 bits is represented by a single hexadecimal digit, so an IPv6 address is a total of 32 hexadecimal digits.
• The preferred method of writing out an IPv6 address is x:x:x:x:x:x:x:x, with each x representing four hexadecimal digits.
• Each four-hexadecimal-digit group is referred to as a hextet.
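The conversions above, worked in code. This is an added example for this guide, not part of the original course material. It does the positional-notation arithmetic by hand (octet weights 128 to 1, nibble weights 8 to 1) instead of calling Python's int() or ipaddress shortcuts, and it goes beyond the text's single IPv4 example by also expanding and compressing IPv6 hextets (the RFC 5952 text form). All sample addresses are constructed.

```python
"""Positional-notation conversions behind IPv4, IPv6 and MAC notation.
Added illustration for this study guide (not Cisco's code); sample addresses are constructed."""

OCTET_WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)   # place values of the 8 bits of one octet
NIBBLE_WEIGHTS = (8, 4, 2, 1)                   # place values of the 4 bits behind one hex digit
HEX_DIGITS = "0123456789ABCDEF"


def bits_to_int(bits: str, weights) -> int:
    """Positional notation: add the weight of every position that holds a 1."""
    if len(bits) != len(weights) or set(bits) - {"0", "1"}:
        raise ValueError(f"expected {len(weights)} binary digits, got {bits!r}")
    return sum(w for w, b in zip(weights, bits) if b == "1")


def int_to_bits(value: int, weights) -> str:
    """Reverse: walk the weights from largest to smallest, emit 1 where the weight still fits."""
    if not 0 <= value <= sum(weights):
        raise ValueError(f"{value} does not fit in {len(weights)} bits")
    out = []
    for w in weights:
        out.append("1" if value >= w else "0")
        if value >= w:
            value -= w
    return "".join(out)


def binary_to_dotted_decimal(dotted_binary: str) -> str:
    """'11000000.10101000.00001011.00001010' -> '192.168.11.10'"""
    octets = dotted_binary.split(".")
    if len(octets) != 4:
        raise ValueError("an IPv4 address has exactly four octets")
    return ".".join(str(bits_to_int(o, OCTET_WEIGHTS)) for o in octets)


def dotted_decimal_to_binary(dotted: str) -> str:
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError("an IPv4 address has exactly four octets")
    return ".".join(int_to_bits(int(o), OCTET_WEIGHTS) for o in octets)


def binary_to_hex(bits: str) -> str:
    """Each group of 4 bits becomes one hex digit; pad on the left so every group is whole.
    '0000 1010' -> '0A' (the leading zero is kept, as in a MAC address octet)."""
    bits = bits.replace(" ", "")
    bits = bits.zfill(-(-len(bits) // 4) * 4)
    return "".join(HEX_DIGITS[bits_to_int(bits[i:i + 4], NIBBLE_WEIGHTS)]
                   for i in range(0, len(bits), 4))


def expand_ipv6(addr: str) -> list:
    """Return the eight hextets, each restored to four hex digits. A single '::' stands for
    as many 0000 hextets as are needed to reach eight."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        left, right = addr.split("::")
        left_h = left.split(":") if left else []
        right_h = right.split(":") if right else []
        missing = 8 - len(left_h) - len(right_h)
        if missing < 1:
            raise ValueError("'::' must replace at least one hextet")
        hextets = left_h + ["0"] * missing + right_h
    else:
        hextets = addr.split(":")
    if len(hextets) != 8 or any(not 1 <= len(h) <= 4 or set(h.lower()) - set("0123456789abcdef")
                                for h in hextets):
        raise ValueError(f"malformed IPv6 address: {addr!r}")
    return [h.lower().zfill(4) for h in hextets]


def compress_ipv6(hextets: list) -> str:
    """RFC 5952 text form: drop leading zeros in each hextet and replace the longest run
    (the first one on ties) of two or more all-zero hextets with '::'."""
    short = [h.lstrip("0") or "0" for h in hextets]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if short[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and short[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(short)
    return ":".join(short[:best_start]) + "::" + ":".join(short[best_start + best_len:])


if __name__ == "__main__":
    print(binary_to_dotted_decimal("11000000.10101000.00001011.00001010"))          # 192.168.11.10
    print(binary_to_hex("0000 1010"))                                                # 0A
    print(compress_ipv6(expand_ipv6("2001:0db8:0000:0000:0000:ff00:0042:8329")))    # 2001:db8::ff00:42:8329
```

The validation in expand_ipv6 matters more than it looks: address strings arrive from configuration files and user input, and a parser that silently accepts a second "::" or a five-digit hextet will produce an address that does not match what a router would use.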
Data Link Layer

• The Data Link layer is responsible for communications between end-device network interface cards.
• It allows upper layer protocols to access the physical layer media and encapsulates Layer 3 packets (IPv4 and IPv6) into Layer 2 frames.
• It also performs error detection and rejects corrupt frames.

IEEE 802 LAN/MAN Data Link Sublayers

IEEE 802 LAN/MAN standards are specific to the type of network (Ethernet, WLAN, WPAN, etc).
The Data Link Layer consists of two sublayers. Logical Link Control (LLC) and Media Access Control
(MAC).
• The LLC sublayer communicates between the networking software at the upper layers and
the device hardware at the lower layers.
• The MAC sublayer is responsible for data encapsulation and media access control.
Providing Access to Media

Packets exchanged between nodes may experience numerous data link layers and media transitions.
At each hop along the path, a router performs four basic Layer 2 functions:
• Accepts a frame from the network medium.
• De-encapsulates the frame to expose the encapsulated packet.
• Re-encapsulates the packet into a new frame.
• Forwards the new frame on the medium of the next network segment.
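The Data Link Addresses section earlier and the four Layer 2 functions just listed describe one mechanism. Here it is as an added, runnable example that is not code from the course: a constructed three-link topology (PC1, R1, R2, web server) with hypothetical addresses and MACs, a longest-prefix-match route lookup, a stand-in for ARP, and a trace that shows the frame rebuilt on every link while the packet's source and destination IP stay fixed and only its TTL changes.

```python
"""Hop-by-hop re-encapsulation: one IP packet, a new Ethernet frame on every link.
Added illustration for this study guide (not Cisco's code); topology, addresses and MACs are constructed."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Layer 3 PDU: source and destination IP are end-to-end; only the TTL changes per hop."""
    src_ip: str
    dst_ip: str
    ttl: int
    data: str


@dataclass(frozen=True)
class Frame:
    """Layer 2 PDU: rebuilt on every link with that link's local source and destination MACs."""
    src_mac: str
    dst_mac: str
    packet: Packet


@dataclass(frozen=True)
class Interface:
    name: str
    ip: str
    prefixlen: int
    mac: str
    link: str                       # name of the medium (LAN or point-to-point link) it attaches to

    @property
    def network(self):
        return ipaddress.ip_network(f"{self.ip}/{self.prefixlen}", strict=False)


class Node:
    """Host or router: interfaces plus a routing table of (network, next-hop IP, exit interface)."""

    def __init__(self, name, interfaces, static_routes=()):
        self.name = name
        self.interfaces = {i.name: i for i in interfaces}
        self.routes = [(i.network, None, i.name) for i in interfaces]          # directly connected
        self.routes += [(ipaddress.ip_network(n), nh, ifn) for n, nh, ifn in static_routes]

    def owns(self, ip):
        return any(i.ip == ip for i in self.interfaces.values())

    def lookup(self, dst_ip):
        """Longest-prefix match. On a directly connected network the next hop is the destination itself."""
        dst = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst_ip}")
        _, next_hop, ifname = max(matches, key=lambda r: r[0].prefixlen)
        return self.interfaces[ifname], next_hop or dst_ip


def resolve_mac(nodes, link, ip):
    """Stand-in for ARP (IPv4) / ND (IPv6): find the interface on this link that holds the IP."""
    for node in nodes.values():
        for iface in node.interfaces.values():
            if iface.link == link and iface.ip == ip:
                return node, iface.mac
    raise LookupError(f"no ARP reply for {ip} on {link}")


def trace(nodes, src, dst_ip, data):
    """Return the frame placed on each link. Each router accepts the frame, de-encapsulates
    the packet, decrements TTL, and re-encapsulates it in a new frame for the next segment."""
    node = nodes[src]
    exit_if, next_hop = node.lookup(dst_ip)
    packet = Packet(exit_if.ip, dst_ip, 64, data)
    frames = []
    while True:
        receiver, next_mac = resolve_mac(nodes, exit_if.link, next_hop)
        frames.append(Frame(exit_if.mac, next_mac, packet))
        if receiver.owns(dst_ip):
            return frames
        packet = replace(packet, ttl=packet.ttl - 1)
        if packet.ttl == 0:
            raise RuntimeError("TTL expired")          # a real router sends ICMP Time Exceeded
        node = receiver
        exit_if, next_hop = node.lookup(dst_ip)


# Constructed topology: PC1 -- lan1 -- R1 -- wan -- R2 -- lan2 -- web server
TOPOLOGY = {
    "PC1": Node("PC1", [Interface("eth0", "192.168.1.10", 24, "AA-AA-AA-AA-AA-AA", "lan1")],
                [("0.0.0.0/0", "192.168.1.1", "eth0")]),                       # default gateway
    "R1": Node("R1", [Interface("g0/0", "192.168.1.1", 24, "11-11-11-11-11-11", "lan1"),
                      Interface("g0/1", "10.0.0.1", 30, "22-22-22-22-22-22", "wan")],
               [("172.16.1.0/24", "10.0.0.2", "g0/1")]),
    "R2": Node("R2", [Interface("g0/0", "10.0.0.2", 30, "33-33-33-33-33-33", "wan"),
                      Interface("g0/1", "172.16.1.1", 24, "44-44-44-44-44-44", "lan2")],
               [("192.168.1.0/24", "10.0.0.1", "g0/0")]),
    "WEB": Node("WEB", [Interface("eth0", "172.16.1.50", 24, "BB-BB-BB-BB-BB-BB", "lan2")],
                [("0.0.0.0/0", "172.16.1.1", "eth0")]),
}

if __name__ == "__main__":
    for hop, f in enumerate(trace(TOPOLOGY, "PC1", "172.16.1.50", "GET /"), 1):
        print(f"hop {hop}: L2 {f.src_mac} -> {f.dst_mac} | "
              f"L3 {f.packet.src_ip} -> {f.packet.dst_ip} ttl={f.packet.ttl}")
```

Running it prints three lines, one per link: the MAC pair differs on each, the IP pair never does. The TTL check is the only thing that keeps a routing loop from running forever, which is exactly its purpose on a real router.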

Data Link Layer Standards


Data link layer protocols are defined by engineering organizations:
• Institute of Electrical and Electronics Engineers (IEEE)
• International Telecommunication Union (ITU)
• International Organization for Standardization (ISO)
• American National Standards Institute (ANSI)

Topologies

The topology of a network is the arrangement and relationship of the network devices and the
interconnections between them.
There are two types of topologies used when describing networks:
• Physical topology – shows physical connections and how devices are interconnected.
• Logical topology – identifies the virtual connections between devices using device interfaces
and IP addressing schemes.
WAN Topologies

There are three common physical WAN topologies:


• Point-to-point – the simplest and most common WAN topology. Consists of a permanent
link between two endpoints.
• Hub and spoke – similar to a star topology where a central site interconnects branch sites
through point-to-point links.
• Mesh – provides high availability but requires every end system to be connected to every
other end system.

Point-to-Point WAN Topology


• Physical point-to-point topologies directly connect two nodes.
• The nodes may not share the media with other hosts.
• Because all frames on the media can only travel to or from the two nodes, Point-to-Point WAN
protocols can be very simple.

LAN Topologies

End devices on LANs are typically interconnected using a star or extended star topology. Star and extended star topologies are easy to install, very scalable and easy to troubleshoot.
Early Ethernet and legacy Token Ring technologies provide two additional topologies:
• Bus – All end systems chained together and terminated on each end.
• Ring – Each end system is connected to its respective neighbors to form a ring.
Half and Full Duplex Communication

Half-duplex communication
• Only allows one device to send or receive at a time on a shared medium.
• Used on WLANs and legacy bus topologies with Ethernet hubs.
Full-duplex communication
• Allows both devices on a link to transmit and receive simultaneously; this requires a dedicated point-to-point connection rather than a shared medium.
• Ethernet switches operate in full-duplex mode.

Access Control Methods

Contention-based access
All nodes operating in half-duplex, competing for use of the medium. Examples are:
• Carrier sense multiple access with collision detection (CSMA/CD) as used on legacy bus-
topology Ethernet.
• Carrier sense multiple access with collision avoidance (CSMA/CA) as used on Wireless
LANs.
Controlled access
• Deterministic access where each node has its own time on the medium.
• Used on legacy networks such as Token Ring and ARCNET.

Contention-Based Access – CSMA/CD

CSMA/CD
• Used by legacy Ethernet LANs.
• Operates in half-duplex mode where only one device sends or receives at a time.
• Uses a collision detection process to govern when a device can send and what happens if
multiple devices send at the same time.
CSMA/CD collision detection process:

• Devices transmitting simultaneously will result in a signal collision on the shared media.
• Devices detect the collision.
• Devices wait a random period of time and retransmit data.
Ethernet Frames

Ethernet Encapsulation
• Ethernet operates in the data link layer and the physical layer.
• It is a family of networking technologies defined in the IEEE 802.2 and 802.3 standards.

Data Link Sublayers

The 802 LAN/MAN standards, including Ethernet, use two separate sublayers of the data link layer to
operate:
• LLC Sublayer: (IEEE 802.2) Places information in the frame to identify which network layer
protocol is used for the frame.
• MAC Sublayer: (IEEE 802.3, 802.11, or 802.15) Responsible for data encapsulation and media
access control, and provides data link layer addressing.
MAC Sublayer

The MAC sublayer is responsible for data encapsulation and accessing the media.

Data Encapsulation
IEEE 802.3 data encapsulation includes the following:
1. Ethernet frame - This is the internal structure of the Ethernet frame.
2. Ethernet Addressing - The Ethernet frame includes both a source and destination MAC address to deliver the
Ethernet frame from Ethernet NIC to Ethernet NIC on the same LAN.
3. Ethernet Error detection - The Ethernet frame includes a frame check sequence (FCS) trailer used for error
detection.

Media Access
• The IEEE 802.3 MAC sublayer includes the specifications for different Ethernet communications
standards over various types of media including copper and fiber.
• Legacy Ethernet using a bus topology or hubs is a shared, half-duplex medium. Ethernet over a half-duplex medium uses a contention-based access method, carrier sense multiple access/collision detection (CSMA/CD).
• Ethernet LANs of today use switches that operate in full-duplex. Full-duplex communications with Ethernet switches do not require access control through CSMA/CD.
Ethernet Frame Fields

• The minimum Ethernet frame size is 64 bytes and the maximum is 1518 bytes, measured from the destination MAC address through the FCS. The preamble field is not included when describing the size of the frame.
• Any frame less than 64 bytes in length is considered a “collision fragment” or “runt frame” and is automatically discarded. Frames carrying more than 1500 bytes of data are considered “jumbo” or “baby giant” frames.
• If the size of a transmitted frame is less than the minimum, or greater than the maximum, the receiving device drops the frame. Dropped frames are likely to be the result of collisions or other unwanted signals and are considered invalid. The exception is jumbo frames, which most Fast Ethernet and Gigabit Ethernet switches and NICs support when they are explicitly configured for a larger MTU.

Ethernet MAC Address

MAC Address and Hexadecimal


• An Ethernet MAC address consists of a 48-bit binary value, expressed using 12 hexadecimal digits.
• Given that 8 bits (one byte) is a common binary grouping, binary 00000000 to 11111111 can be represented in hexadecimal as the range 00 to FF.
• When using hexadecimal, leading zeroes are always displayed to complete the 8-bit representation. For example, the binary value 0000 1010 is represented in hexadecimal as 0A.
• Hexadecimal numbers are often represented by the value preceded by 0x (e.g., 0x73) to distinguish between decimal and hexadecimal values in documentation.
• Hexadecimal may also be represented by a subscript 16, or the hex number followed by an H (e.g., 73H).
Ethernet MAC Address
• In an Ethernet LAN, every network device is connected to the same, shared media. MAC addressing provides a method for device identification at the data link layer of the OSI model.
• An Ethernet MAC address is a 48-bit address expressed using 12 hexadecimal digits. Because a byte equals 8 bits, we can also say that a MAC address is 6 bytes in length.
• All MAC addresses must be unique to the Ethernet device or Ethernet interface. To ensure this, all vendors that sell Ethernet devices must register with the IEEE to obtain a unique 6-hexadecimal-digit (i.e., 24-bit or 3-byte) code called the organizationally unique identifier (OUI).
• An Ethernet MAC address consists of the 6-hexadecimal-digit vendor OUI followed by a 6-hexadecimal-digit vendor-assigned value.

Frame Processing
• When a device is forwarding a message to an Ethernet network, the Ethernet header includes a source MAC address and a destination MAC address.
• When a NIC receives an Ethernet frame, it examines the destination MAC address to see if it matches the physical MAC address that is stored in RAM. If there is no match, the device discards the frame. If there is a match, it passes the frame up the OSI layers, where the de-encapsulation process takes place.
Note: Ethernet NICs will also accept frames if the destination MAC address is a broadcast or a multicast group of which the host is a member.

• Any device that is the source or destination of an Ethernet frame will have an Ethernet NIC and therefore a MAC address. This includes workstations, servers, printers, mobile devices, and routers.
Unicast MAC Address

In Ethernet, different MAC addresses are used for Layer 2 unicast, broadcast, and multicast
communications.
• A unicast MAC address is the unique address that is used when a frame is sent from a single transmitting device to a single destination device.
• The process that a source host uses to determine the destination MAC address associated with an IPv4 address is known as Address Resolution Protocol (ARP). The process that a source host uses to determine the destination MAC address associated with an IPv6 address is known as Neighbor Discovery (ND).
Note: The source MAC address must always be a unicast.

Broadcast MAC Address

An Ethernet broadcast frame is received and processed by every device on the Ethernet LAN. The features of an Ethernet broadcast are as follows:
• It has a destination MAC address of FF-FF-FF-FF-FF-FF in hexadecimal (48 ones in binary).
• It is flooded out all Ethernet switch ports except the incoming port. It is not forwarded by a router.
• If the encapsulated data is an IPv4 broadcast packet, this means the packet contains a destination IPv4 address that has all ones (1s) in the host portion. This numbering in the address means that all hosts on that local network (broadcast domain) will receive and process the packet.
Multicast MAC Address

An Ethernet multicast frame is received and processed by a group of devices that belong to the same multicast group.
• The destination MAC address begins with 01-00-5E when the encapsulated data is an IPv4 multicast packet and with 33-33 when the encapsulated data is an IPv6 multicast packet; the remaining bits are derived from the multicast IP address.
• There are other reserved multicast destination MAC addresses for when the encapsulated data is not IP, such as Spanning Tree Protocol (STP).
• It is flooded out all Ethernet switch ports except the incoming port, unless the switch is configured for multicast snooping. It is not forwarded by a router, unless the router is configured to route multicast packets.
• Because multicast addresses represent a group of addresses (sometimes called a host group), they can only be used as the destination of a packet. The source will always be a unicast address.
• As with the unicast and broadcast addresses, the multicast IP address requires a corresponding multicast MAC address.
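An added example, not code from the course, that ties together the frame fields, the MAC address structure and the three address types described above. It builds an Ethernet II frame with padding and FCS, parses one in store-and-forward order (size, then FCS, then addresses), classifies the destination by the I/G bit, extracts the OUI, and derives the IPv4 (01-00-5E) and IPv6 (33-33) multicast MACs from a group address, which the text states but does not show. MACs, EtherTypes and payloads are constructed; the FCS is the CRC-32 Ethernet uses, packed least-significant byte first as it appears on the wire.

```python
"""Ethernet II frame layout, FCS check and destination-address classification.
Added illustration for this study guide (not Cisco's code); MACs and payloads are constructed."""
import ipaddress
import struct
import zlib

MIN_FRAME, MAX_FRAME = 64, 1518          # destination MAC through FCS; preamble/SFD not counted
MIN_PAYLOAD, MAX_PAYLOAD = 46, 1500
BROADCAST = "FF-FF-FF-FF-FF-FF"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(h, 16) for h in mac.replace(":", "-").split("-"))


def bytes_to_mac(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def classify(dst: bytes) -> str:
    """Broadcast is all ones; otherwise the I/G bit (low-order bit of the first octet)
    distinguishes multicast (1) from unicast (0)."""
    if dst == b"\xff" * 6:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast"


def ipv4_multicast_mac(group: str) -> str:
    """01-00-5E followed by the low 23 bits of the group address (top bit of octet 2 dropped)."""
    a, b, c, d = (int(x) for x in group.split("."))
    if not 224 <= a <= 239:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    return f"01-00-5E-{b & 0x7F:02X}-{c:02X}-{d:02X}"


def ipv6_multicast_mac(group: str) -> str:
    """33-33 followed by the low 32 bits of the IPv6 group address."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast group")
    return "33-33-" + bytes_to_mac(addr.packed[-4:])


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """dst(6) src(6) type(2) data(46..1500) FCS(4). Short data is padded up to the 64-byte minimum."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes (jumbo frame)")
    if mac_to_bytes(src)[0] & 0x01:
        raise ValueError("source MAC must be unicast")
    body = (mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype)
            + payload.ljust(MIN_PAYLOAD, b"\x00"))
    # FCS: CRC-32 over dst..data, transmitted least-significant byte first.
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(raw: bytes) -> dict:
    """Store-and-forward order of checks: size, then FCS, then addresses."""
    if len(raw) < MIN_FRAME:
        raise ValueError(f"runt frame: {len(raw)} bytes")
    if len(raw) > MAX_FRAME:
        raise ValueError(f"oversized frame: {len(raw)} bytes (jumbo support not enabled)")
    body, fcs = raw[:-4], struct.unpack("<I", raw[-4:])[0]
    if zlib.crc32(body) != fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    dst, src = body[:6], body[6:12]
    return {
        "dst": bytes_to_mac(dst), "dst_type": classify(dst),
        "src": bytes_to_mac(src), "src_oui": bytes_to_mac(src[:3]),
        "ethertype": struct.unpack("!H", body[12:14])[0],   # 0x0800 IPv4, 0x0806 ARP, 0x86DD IPv6
        "data": body[14:],
    }


if __name__ == "__main__":
    frame = build_frame(BROADCAST, "AA-AA-AA-AA-AA-AA", 0x0806, b"who-has 192.168.1.1?")
    print(len(frame), parse_frame(frame)["dst_type"])      # 64 broadcast
    print(ipv4_multicast_mac("239.255.255.250"))            # 01-00-5E-7F-FF-FA
```

Note the order inside parse_frame: a cut-through switch would read the destination after 6 bytes and forward before the FCS ever arrives, so the corrupted-frame case in the test below is exactly the traffic fast-forward switching passes on to the destination NIC to drop.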

The MAC Address Table

Switch Fundamentals
• A Layer 2 Ethernet switch uses Layer 2 MAC addresses to make forwarding decisions. It is
completely unaware of the data (protocol) being carried in the data portion of the frame, such as an
IPv4 packet, an ARP message, or an IPv6 ND packet. The switch makes its forwarding decisions
based solely on the Layer 2 Ethernet MAC addresses.
• An Ethernet switch examines its MAC address table to make a forwarding decision for each frame,
unlike legacy Ethernet hubs that repeat bits out all ports except the incoming port.
• When a switch is turned on, the MAC address table is empty
Note: The MAC address table is sometimes referred to as a content addressable memory (CAM) table.
Switch Learning and Forwarding

Examine the Source MAC Address (Learn)


Every frame that enters a switch is checked for new information to learn. It does this by examining the
source MAC address of the frame and the port number where the frame entered the switch. If the source
MAC address does not exist, it is added to the table along with the incoming port number. If the source
MAC address does exist, the switch updates the refresh timer for that entry. By default, most Ethernet
switches keep an entry in the table for 5 minutes.
Note: If the source MAC address does exist in the table but on a different port, the switch treats this as a new entry.
The entry is replaced using the same MAC address but with the more current port number.

Find the Destination MAC Address (Forward)


If the destination MAC address is a unicast address, the switch will look for a match between the destination
MAC address of the frame and an entry in its MAC address table. If the destination MAC address is in the
table, it will forward the frame out the specified port. If the destination MAC address is not in the table, the
switch will forward the frame out all ports except the incoming port. This is called an unknown unicast.
Note: If the destination MAC address is a broadcast or a multicast, the frame is also flooded out all ports except the
incoming port.

Filtering Frames

As a switch receives frames from different devices, it is able to populate its MAC address table by
examining the source MAC address of every frame. When the MAC address table of the switch contains the
destination MAC address, it is able to filter the frame and forward out a single port.
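The learn, forward, filter and flood behaviour described in the three sections above, as an added example that is not Cisco's code: a small switch model with a finite table, 5-minute aging, port moves, broadcast/multicast flooding, unknown-unicast flooding and same-port filtering, driven by a constructed sequence of frames with made-up locally administered MACs.

```python
"""Switch MAC address table: learn on source, forward/filter/flood on destination, age out.
Added illustration for this study guide (not Cisco's code); hosts and timings are constructed."""

AGING_SECONDS = 300      # default entry lifetime on most switches (5 minutes)
BROADCAST = "FF-FF-FF-FF-FF-FF"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast both have the I/G bit set (low bit of the first octet)."""
    return int(mac.split("-")[0], 16) & 0x01 == 1


class Switch:
    def __init__(self, ports, max_entries=8):
        self.ports = list(ports)
        self.max_entries = max_entries           # real tables are large but still finite
        self.table = {}                          # MAC -> (port, time last seen as a source)

    def _age_out(self, now):
        for mac, (port, seen) in list(self.table.items()):
            if now - seen >= AGING_SECONDS:
                del self.table[mac]

    def _learn(self, in_port, src_mac, now):
        """New source: add it. Known source: refresh the timer, and move it if it showed up on
        another port. A full table cannot learn, so that host's traffic keeps being flooded."""
        if src_mac in self.table or len(self.table) < self.max_entries:
            self.table[src_mac] = (in_port, now)

    def receive(self, in_port, src_mac, dst_mac, now):
        """Return the list of ports the frame is sent out of ([] means filtered/dropped)."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        if is_group_address(src_mac):
            raise ValueError("source MAC must be unicast")
        self._age_out(now)
        self._learn(in_port, src_mac, now)
        flood = [p for p in self.ports if p != in_port]
        if is_group_address(dst_mac):
            return flood                         # broadcast/multicast (no snooping configured)
        entry = self.table.get(dst_mac)
        if entry is None:
            return flood                         # unknown unicast
        out_port, _ = entry
        return [] if out_port == in_port else [out_port]   # filter if the destination is on the incoming port


def demo():
    """Constructed sequence of frames; returns (forwarding decisions, final table)."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"], max_entries=3)
    A, B, C, D = ("02-00-00-00-00-0A", "02-00-00-00-00-0B", "02-00-00-00-00-0C", "02-00-00-00-00-0D")
    decisions = [
        sw.receive("Fa0/1", A, B, now=0),            # unknown unicast: flooded; A learned on Fa0/1
        sw.receive("Fa0/2", B, A, now=1),            # A known: one port; B learned on Fa0/2
        sw.receive("Fa0/1", A, B, now=2),            # both known: forwarded to Fa0/2 only
        sw.receive("Fa0/1", A, BROADCAST, now=3),    # broadcast: always flooded
        sw.receive("Fa0/3", B, A, now=4),            # B moved to Fa0/3: entry updated, not duplicated
        sw.receive("Fa0/4", C, D, now=5),            # C learned (table now full); D unknown: flooded
        sw.receive("Fa0/2", D, C, now=6),            # table full: D cannot be learned; C known
        sw.receive("Fa0/4", C, D, now=7),            # D still unknown, so still flooded
        sw.receive("Fa0/4", C, A, now=400),          # every entry aged out (>300 s); A unknown again
    ]
    return decisions, dict(sw.table)


if __name__ == "__main__":
    for ports in demo()[0]:
        print(ports)
```

The max_entries cap is the part worth noticing: the table is finite, and once it is full the switch cannot learn new sources, so frames to those hosts are flooded out every port like any unknown unicast. The aging timer is what eventually frees the space.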
Switch Speeds and Forwarding Methods

Frame Forwarding Methods on Cisco Switches

Switches use one of the following forwarding methods for switching data between network ports:
• Store-and-forward switching - This frame forwarding method receives the entire frame and
computes the CRC. If the CRC is valid, the switch looks up the destination address, which
determines the outgoing interface. Then the frame is forwarded out of the correct port.
• Cut-through switching - This frame forwarding method forwards the frame before it is entirely
received. At a minimum, the destination address of the frame must be read before the frame can be
forwarded.
• A big advantage of store-and-forward switching is that it determines if a frame has errors before
propagating the frame. When an error is detected in a frame, the switch discards the frame.
Discarding frames with errors reduces the amount of bandwidth consumed by corrupt data.
• Store-and-forward switching is required for quality of service (QoS) analysis on converged networks
where frame classification for traffic prioritization is necessary. For example, voice over IP (VoIP)
data streams need to have priority over web-browsing traffic.

Cut-Through Switching

In cut-through switching, the switch acts upon the data as soon as it is received, even if the transmission is not complete. The switch buffers just enough of the frame to read the destination MAC address so that it can determine to which port it should forward the data. The switch does not perform any error checking on the frame.
There are two variants of cut-through switching:
• Fast-forward switching - Offers the lowest level of latency by immediately forwarding a frame after reading the destination address. Because fast-forward switching starts forwarding before the entire frame has been received, there may be times when frames are relayed with errors. The destination NIC discards the faulty frame upon receipt. Fast-forward switching is the typical cut-through method of switching.
• Fragment-free switching - A compromise between the high latency and high integrity of store-and-forward switching and the low latency and reduced integrity of fast-forward switching: the switch stores and performs an error check on the first 64 bytes of the frame before forwarding. Because most network errors and collisions occur during the first 64 bytes, this ensures that a collision has not occurred before forwarding the frame.
Memory Buffering on Switches
An Ethernet switch may use a buffering technique to store frames before forwarding them or when the destination port is busy because of congestion.

Port-based memory
• Frames are stored in queues that are linked to specific incoming and outgoing ports.
• A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted.
• It is possible for a single frame to delay the transmission of all the frames in memory because of a busy destination port.
• This delay occurs even if the other frames could be transmitted to open destination ports.

Shared memory
• Deposits all frames into a common memory buffer shared by all switch ports; the amount of buffer memory required by a port is dynamically allocated.
• The frames in the buffer are dynamically linked to the destination port, enabling a frame to be received on one port and then transmitted on another port without moving it to a different queue.

Shared memory buffering also makes it possible to store larger frames with fewer dropped frames. This is important with asymmetric switching, which allows for different data rates on different ports. Therefore, more bandwidth can be dedicated to certain ports (e.g., a server port).

Duplex and Speed Settings

Two of the most basic settings on a switch are the bandwidth (“speed”) and duplex settings for each
individual switch port. It is critical that the duplex and bandwidth settings match between the switch port
and the connected devices.
There are two types of duplex settings used for communications on an Ethernet network:
• Full-duplex - Both ends of the connection can send and receive simultaneously.
• Half-duplex - Only one end of the connection can send at a time.
Autonegotiation is an optional function found on most Ethernet switches and NICs. It enables two devices to
automatically negotiate the best speed and duplex capabilities.
Note: Gigabit Ethernet ports only operate in full-duplex.
• Duplex mismatch is one of the most common causes of performance issues on 10/100 Mbps Ethernet links. It occurs when one port on the link operates at half-duplex while the other port operates at full-duplex.
• This can occur when one or both ports on a link are reset, and the autonegotiation process does not result in both link partners having the same configuration.
• It also can occur when users reconfigure one side of a link and forget to reconfigure the other. Both sides of a link should have autonegotiation on, or both sides should have it off. Best practice is to configure both Ethernet switch ports as full-duplex.
Auto-MDIX

Connections between devices once required the use of either a crossover or straight-through cable. The type of cable required depended on the type of interconnecting devices.
Note: Without auto-MDIX, a direct connection between a router and a host requires a crossover cable.
• Most switch devices now support the automatic medium-dependent interface crossover (auto-MDIX) feature. When enabled, the switch automatically detects the type of cable attached to the port and configures the interfaces accordingly.
• The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. However, the feature could be disabled. For this reason, you should always use the correct cable type and not rely on the auto-MDIX feature.
• Auto-MDIX can be re-enabled using the mdix auto interface configuration command.

Network Layer

• Provides services to allow end devices to exchange data.
• IP version 4 (IPv4) and IP version 6 (IPv6) are the principal network layer communication protocols.
• The network layer performs four basic operations:
Addressing end devices
Encapsulation
Routing
De-encapsulation
IP Encapsulation
• IP encapsulates the transport layer segment.
• IP can use either an IPv4 or IPv6 packet without impacting the layer 4 segment.
• The IP packet is examined by all layer 3 devices as it traverses the network.
• The IP addressing does not change from source to destination.
Note: NAT will change addressing, but will be discussed in a later module.

IPv4 Packet

IPv4 Packet Header


IPv4 is the primary communication protocol for the network layer.
The network header has many purposes:
• It ensures the packet is sent in the correct direction (to the destination).
• It contains information for network layer processing in various fields.
• The information in the header is used by all layer 3 devices that handle the packet

IPv4 Packet Header Fields

The IPv4 network header has these characteristics:
• It is in binary.
• It contains several fields of information.
• The diagram is read from left to right, 4 bytes per line.
• The two most important fields are the source and destination addresses.

Protocols may have one or more functions.


Significant fields in the IPv4 header:

Field – Description
Version – Identifies the IP version; for IPv4 this 4-bit field is 0100 (as opposed to v6).
Differentiated Services – Used for QoS: the DiffServ DS field, or the older IntServ ToS (Type of Service) field.
Header Checksum – Detects corruption in the IPv4 header.
Time to Live (TTL) – Layer 3 hop count. When it becomes zero, the router discards the packet.
Protocol – Identifies the next level protocol: ICMP, TCP, UDP, etc.
Source IPv4 Address – 32-bit source address.
Destination IPv4 Address – 32-bit destination address.

IPv6 Packets

Limitations of IPv4
IPv4 has three major limitations:
• IPv4 address depletion – We have basically run out of IPv4 addressing.
• Lack of end-to-end connectivity – To make IPv4 survive this long, private addressing and NAT were created. This ended direct communications with public addressing.
• Increased network complexity – NAT was meant as a temporary solution and creates issues on the network as a side effect of manipulating the network header addressing. NAT causes latency and troubleshooting issues.

IPv6 Overview
• IPv6 was developed by the Internet Engineering Task Force (IETF).
• IPv6 overcomes the limitations of IPv4.
• Improvements that IPv6 provides:
o Increased address space – based on a 128-bit address, not 32 bits
o Improved packet handling – simplified header with fewer fields
o Eliminates the need for NAT – since there is a huge amount of addressing, there is no need to use private addressing internally and be mapped to a shared public address
IPv4 Packet Header Fields in the IPv6 Packet Header

• The IPv6 header is simplified, but not smaller.
• The header is fixed at 40 bytes (octets) long.
• Several IPv4 fields were removed to improve performance:
o Flag
o Fragment Offset
o Header Checksum

IPv6 Packet Header

Significant fields in the IPv6 header:

Field – Description
Version – Identifies the IP version; for IPv6 this 4-bit field is 0110 (as opposed to v4).
Traffic Class – Used for QoS: equivalent to the DiffServ DS field.
Flow Label – Informs devices to handle packets with identical flow labels the same way; 20-bit field.
Payload Length – This 16-bit field indicates the length of the data portion, or payload, of the IPv6 packet.
Next Header – Identifies the next level protocol: ICMP, TCP, UDP, etc.
Hop Limit – Replaces the TTL field; Layer 3 hop count.
Source IPv6 Address – 128-bit source address.
Destination IPv6 Address – 128-bit destination address.

An IPv6 packet may also contain extension headers (EH).

EH characteristics:
• provide optional network layer information
• are optional
• are placed between the IPv6 header and the payload
• may be used for fragmentation, security, mobility support, etc.
Note: Unlike IPv4, routers do not fragment IPv6 packets.
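As an added example (not from the study guide), the following Python builds and parses the fixed IPv4 and IPv6 headers from the two field tables above, verifying the IPv4 Header Checksum and simulating the TTL decrement a router performs; the addresses, the Identification value and the other field values are constructed.

```python
import ipaddress
import struct
from typing import Optional

# Protocol / Next Header numbers named in the two tables above.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum of 16-bit words. Over a header whose checksum field
    is zero this yields the checksum; over an intact header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int = 64, protocol: int = 6,
                      dscp: int = 0, payload_len: int = 0) -> bytes:
    """20-byte IPv4 header (Version 4, IHL 5, DF set) with the checksum filled in.
    Identification 0x1234 is a constructed value."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len,
                      0x1234, 0x4000, ttl, protocol, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(header: bytes) -> dict:
    """Extract the significant IPv4 fields listed in the table above."""
    (ver_ihl, dscp_ecn, _total, _ident, _flags, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", header[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not an IPv4 header")
    return {
        "version": version,
        "dscp": dscp_ecn >> 2,                # Differentiated Services
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum_ok": ipv4_checksum(header[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def router_hop_ipv4(header: bytes) -> Optional[bytes]:
    """One Layer 3 hop: decrement TTL and recompute the checksum. Returns None
    when the TTL would become zero, i.e. the router discards the packet."""
    if header[8] <= 1:
        return None
    out = bytearray(header)
    out[8] -= 1
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", ipv4_checksum(bytes(out)))
    return bytes(out)


def build_ipv6_header(src: str, dst: str, payload_len: int = 0,
                      next_header: int = 58, hop_limit: int = 64,
                      traffic_class: int = 0, flow_label: int = 0) -> bytes:
    """Fixed 40-byte IPv6 header, no extension headers."""
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB16s16s", first_word, payload_len, next_header,
                       hop_limit, ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def parse_ipv6(header: bytes) -> dict:
    """Extract the significant IPv6 fields listed in the table above."""
    first_word, payload_len, nxt, hop_limit, src, dst = struct.unpack(
        "!IHBB16s16s", header[:40])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 header")
    return {
        "version": 6,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": PROTOCOLS.get(nxt, str(nxt)),
        "hop_limit": hop_limit,               # no checksum field to verify
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
    }
```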
Default Gateway
A router or layer 3 switch can be a default-gateway.
Features of a default gateway (DGW):
• It must have an IP address in the same range as the rest of the LAN.
• It can accept data from the LAN and is capable of forwarding traffic off of the LAN.
• It can route to other networks.
If a device has no default gateway or a bad default gateway, its traffic will not be able to leave the LAN.

A Host Routes to the Default Gateway

• The host learns the default gateway (DGW) either statically or through DHCP in IPv4.
• In IPv6, the DGW is learned through a router solicitation (RS) exchange or can be configured manually.
• A DGW is a static route that serves as the route of last resort in the routing table.
• All devices on the LAN need the DGW of the router if they intend to send traffic to remote networks.

Host Routing Tables

• On Windows, route print or netstat -r displays the PC routing table.
• Three sections are displayed by these two commands:
o Interface List – all potential interfaces and MAC addressing
o IPv4 Routing Table
o IPv6 Routing Table
Introduction to Routing

Router Packet Forwarding Decision

What happens when the router receives the frame from the host device?

IP Router Routing Table

There are three types of routes in a router’s routing table:
• Directly Connected – These routes are automatically added by the router, provided the interface is active and has addressing.
• Remote – These are routes to networks the router is not directly connected to. They may be learned:
o Manually – with a static route
o Dynamically – by using a routing protocol to have the routers share their information with each other
• Default Route – This forwards all traffic in a specific direction when there is no match in the routing table.
Static Routing
Static route characteristics:
• Must be configured manually
• Must be adjusted manually by the administrator when there is a change in the topology
• Good for small non-redundant networks
• Often used in conjunction with a dynamic routing protocol for configuring a default route

Dynamic Routing
Dynamic routes automatically:
• Discover remote networks
• Maintain up-to-date information
• Choose the best path to the destination
• Find new best paths when there is a topology change

Dynamic routing can also share static default routes with the other routers.
Introduction to an IPv4 Routing Table

The show ip route command shows the following route sources:
• L – Directly connected local interface IP address
• C – Directly connected network
• S – Static route, manually configured by an administrator
• O – OSPF
• D – EIGRP

This command shows these types of routes:
• Directly Connected – C and L
• Remote Routes – O, D, etc.
• Default Routes – S*
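An added example (not part of the study guide) of the forwarding decision described above: a longest-prefix-match lookup over a constructed routing table that uses the show ip route codes. The R1 interface addresses follow this page; the OSPF route and the next-hop address 209.165.200.226 are hypothetical.

```python
import ipaddress
from typing import List, Optional, Tuple

# (code, prefix, exit interface, next hop or None for directly connected)
Route = Tuple[str, str, str, Optional[str]]

# Constructed table modelled on R1's interfaces from this page.
ROUTES: List[Route] = [
    ("C",  "192.168.10.0/24",    "GigabitEthernet0/0/0", None),
    ("L",  "192.168.10.1/32",    "GigabitEthernet0/0/0", None),
    ("C",  "209.165.200.224/30", "GigabitEthernet0/0/1", None),
    ("L",  "209.165.200.225/32", "GigabitEthernet0/0/1", None),
    ("O",  "10.1.1.0/24",        "GigabitEthernet0/0/1", "209.165.200.226"),  # hypothetical OSPF route
    ("S*", "0.0.0.0/0",          "GigabitEthernet0/0/1", "209.165.200.226"),  # default route
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Return the most specific matching route, or None if nothing matches.
    The default route (/0) matches every address, so it only wins when no
    connected, static or dynamically learned route is more specific."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    best_len = -1
    for route in routes:
        net = ipaddress.IPv4Network(route[1])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def forwarding_decision(dst: str, routes: List[Route] = ROUTES) -> str:
    """Plain-text form of what the router does with a packet for dst."""
    route = lookup(dst, routes)
    if route is None:
        return "drop: no matching route and no default route"
    code, prefix, iface, next_hop = route
    if code == "L":
        return f"process locally: {dst} is the router's own interface address"
    if next_hop is None:
        return f"directly connected ({code} {prefix}): resolve {dst} with ARP and forward out {iface}"
    return f"remote ({code} {prefix}): forward to next hop {next_hop} via {iface}"
```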

Address Resolution

MAC and IP

Destination on Same Network


There are two primary addresses assigned to a device on an Ethernet LAN:
• Layer 2 physical address (the MAC address) – Used for NIC to NIC communications on
the same Ethernet network.
• Layer 3 logical address (the IP address) – Used to send the packet from the source device
to the destination device.
Layer 2 addresses are used to deliver frames from one NIC to another NIC on the same network. If a
destination IP address is on the same network, the destination MAC address will be that of the destination
device.
Destination on Remote Network

When the destination IP address is on a remote network, the destination MAC address is that of the default
gateway.
• ARP is used by IPv4 to associate the IPv4 address of a device with the MAC address of the device
NIC.
• ICMPv6 is used by IPv6 to associate the IPv6 address of a device with the MAC address of the device
NIC.

ARP

A device uses ARP to determine the destination MAC address of a local device when it knows its IPv4 address.
ARP provides two basic functions:
• Resolving IPv4 addresses to MAC addresses
• Maintaining an ARP table of IPv4 to MAC address mappings

ARP Functions

To send a frame, a device will search its ARP table for a destination IPv4 address and a corresponding MAC address.
• If the packet’s destination IPv4 address is on the same network, the device will search the ARP table for the destination IPv4 address.
• If the destination IPv4 address is on a different network, the device will search the ARP table for the IPv4 address of the default gateway.
• If the device locates the IPv4 address, its corresponding MAC address is used as the destination MAC address in the frame.
• If no ARP table entry is found, the device sends an ARP request.
Removing Entries from an ARP Table

• Entries in the ARP table are not permanent and are removed when an ARP cache timer expires after a specified period of time.
• The duration of the ARP cache timer differs depending on the operating system.
• ARP table entries can also be removed manually by the administrator.

ARP Tables on Networking Devices

• The show ip arp command displays the ARP table on a Cisco router.
• The arp -a command displays the ARP table on a Windows 10 PC.
R1# show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.10.1 - a0e0.af0d.e140 ARPA GigabitEthernet0/0/0

C:\Users\PC> arp -a

Interface: 192.168.1.124 --- 0x10
Internet Address Physical Address Type
192.168.1.1 c8-d7-19-cc-a0-86 dynamic
192.168.1.101 08-3e-0c-f5-f7-77 dynamic

ARP Issues – ARP Broadcasting and ARP Spoofing

• ARP requests are received and processed by every device on the local network.
• Excessive ARP broadcasts can cause some reduction in performance.
• ARP replies can be spoofed by a threat actor to perform an ARP poisoning attack.
• Enterprise level switches include mitigation techniques to protect against ARP attacks.
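As an added example (not from the study guide) covering the ARP lookup order, the cache timer and the spoofing concern above, the following Python models a host ARP cache and, on the defensive side, rejects a reply that contradicts a trusted IP-to-MAC binding; the replies are constructed around the arp -a output shown earlier, and the 120-second timer and the second MAC address are made up.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

GATEWAY_IP = "192.168.1.1"                  # from the arp -a output above
GATEWAY_MAC = "c8-d7-19-cc-a0-86"


class ArpCache:
    """Host-side ARP table: IPv4 -> (MAC, time learned) with a cache timer."""

    def __init__(self, my_ip: str, prefix_len: int, gateway: str,
                 timeout: float = 120.0,
                 trusted: Optional[Dict[str, str]] = None) -> None:
        self.network = ipaddress.IPv4Network(f"{my_ip}/{prefix_len}", strict=False)
        self.gateway = gateway
        self.timeout = timeout                  # ARP cache timer (OS dependent)
        self.trusted = trusted or {}            # known-good IP -> MAC bindings
        self.table: Dict[str, Tuple[str, float]] = {}
        self.alerts: List[str] = []

    def next_hop(self, dst_ip: str) -> str:
        """Same network: resolve the destination itself; otherwise the gateway."""
        if ipaddress.IPv4Address(dst_ip) in self.network:
            return dst_ip
        return self.gateway

    def learn(self, ip: str, mac: str, now: float) -> bool:
        """Process an ARP reply. Returns False (and records an alert) when the
        reply contradicts a trusted binding; a change to an untrusted entry is
        accepted but logged as a warning."""
        expected = self.trusted.get(ip)
        if expected and expected != mac:
            self.alerts.append(f"rejected reply: {ip} claimed by {mac}, trusted {expected}")
            return False
        old = self.table.get(ip)
        if old and old[0] != mac:
            self.alerts.append(f"warning: {ip} changed from {old[0]} to {mac}")
        self.table[ip] = (mac, now)
        return True

    def expire(self, now: float) -> None:
        """Drop entries whose cache timer has run out."""
        self.table = {ip: e for ip, e in self.table.items()
                      if now - e[1] < self.timeout}

    def resolve(self, dst_ip: str, now: float) -> Tuple[Optional[str], bool]:
        """Return (destination MAC for the frame, ARP request needed?)."""
        self.expire(now)
        target = self.next_hop(dst_ip)
        entry = self.table.get(target)
        if entry is None:
            return None, True           # caller broadcasts an ARP request for target
        return entry[0], False


# Constructed ARP replies: (seconds, sender IP, sender MAC). The third one
# re-claims the gateway address with a different MAC.
REPLIES = [
    (0.0, GATEWAY_IP, GATEWAY_MAC),
    (1.0, "192.168.1.101", "08-3e-0c-f5-f7-77"),
    (5.0, GATEWAY_IP, "00-11-22-33-44-55"),
]


def run_demo() -> ArpCache:
    """Feed the constructed replies to a cache that trusts the gateway binding."""
    cache = ArpCache("192.168.1.124", 24, GATEWAY_IP,
                     trusted={GATEWAY_IP: GATEWAY_MAC})
    for when, ip, mac in REPLIES:
        cache.learn(ip, mac, when)
    return cache
```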
Basic Router Configuration

Configure Router Interfaces Example

The commands to configure interface G0/0/0 on R1 are shown here:

R1(config)# interface gigabitEthernet 0/0/0
R1(config-if)# description Link to LAN
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# ipv6 address 2001:db8:acad:10::1/64
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)#
*Aug 1 01:43:53.435: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down
*Aug 1 01:43:56.447: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
*Aug 1 01:43:57.447: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to up

The commands to configure interface G0/0/1 on R1 are shown here:

R1(config)# interface gigabitEthernet 0/0/1
R1(config-if)# description Link to R2
R1(config-if)# ip address 209.165.200.225 255.255.255.252
R1(config-if)# ipv6 address 2001:db8:feed:224::1/64
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)#
*Aug 1 01:46:29.170: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to down
*Aug 1 01:46:32.171: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up
*Aug 1 01:46:33.171: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up

Verify Interface Configuration

To verify interface configuration use the show ip interface brief and show ipv6 interface brief commands shown here:
R1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 192.168.10.1 YES manual up up
GigabitEthernet0/0/1 209.165.200.225 YES manual up up
Vlan1 unassigned YES unset administratively down down

R1# show ipv6 interface brief
GigabitEthernet0/0/0 [up/up]
FE80::201:C9FF:FE89:4501
2001:DB8:ACAD:10::1
GigabitEthernet0/0/1 [up/up]
FE80::201:C9FF:FE89:4502
2001:DB8:FEED:224::1
Vlan1 [administratively down/down]
unassigned
R1#
Default Gateway on a Switch

• A switch must have a default gateway address configured to remotely manage the switch from another network.
• To configure an IPv4 default gateway on a switch, use the ip default-gateway ip-address global configuration command.

IPv4 Addressing

Network and Host Portions


• An IPv4 address is a 32-bit hierarchical address that is made up of a network portion and a host
portion.
• When determining the network portion versus the host portion, you must look at the 32-bit stream.
• A subnet mask is used to determine the network and host portions.

The Subnet Mask

• To identify the network and host portions of an IPv4 address, the subnet mask is compared to the IPv4 address bit for bit, from left to right.
• The actual process used to identify the network and host portions is called ANDing.
The Prefix Length

• A prefix length is a less cumbersome method used to identify a subnet mask address.
• The prefix length is the number of bits set to 1 in the subnet mask.
• It is written in “slash notation”; therefore, count the number of bits in the subnet mask and prepend it with a slash.

Subnet Mask – 32-bit Address – Prefix Length
255.0.0.0 – 11111111.00000000.00000000.00000000 – /8
255.255.0.0 – 11111111.11111111.00000000.00000000 – /16
255.255.255.0 – 11111111.11111111.11111111.00000000 – /24
255.255.255.128 – 11111111.11111111.11111111.10000000 – /25
255.255.255.192 – 11111111.11111111.11111111.11000000 – /26
255.255.255.224 – 11111111.11111111.11111111.11100000 – /27
255.255.255.240 – 11111111.11111111.11111111.11110000 – /28
255.255.255.248 – 11111111.11111111.11111111.11111000 – /29
255.255.255.252 – 11111111.11111111.11111111.11111100 – /30

Network, Host, and Broadcast Addresses

• Within each network are three types of IP addresses:
o Network address
o Host addresses
o Broadcast address

Address (first three octets = network portion, last octet = host portion) – Binary – Host bits
Subnet mask 255.255.255.0 or /24 – 11111111.11111111.11111111.00000000
Network address 192.168.10.0 /24 – 11000000.10101000.00001010.00000000 – all 0s
First address 192.168.10.1 /24 – 11000000.10101000.00001010.00000001 – all 0s and a 1
Last address 192.168.10.254 /24 – 11000000.10101000.00001010.11111110 – all 1s and a 0
Broadcast address 192.168.10.255 /24 – 11000000.10101000.00001010.11111111 – all 1s
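An added example (not from the study guide) of the ANDing process and the prefix-length table above, written in Python without the ipaddress module so the bitwise steps stay visible; it uses the 192.168.10.0/24 addresses from this section and the same-network test a host performs before choosing between a local destination and its default gateway.

```python
from typing import Dict

OCTET_SHIFTS = (24, 16, 8, 0)


def dotted_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return sum(o << s for o, s in zip(octets, OCTET_SHIFTS))


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in OCTET_SHIFTS)


def to_binary(value: int) -> str:
    """Dotted binary, the way the tables above print it."""
    return ".".join(f"{(value >> s) & 0xFF:08b}" for s in OCTET_SHIFTS)


def mask_from_prefix(prefix_len: int) -> int:
    """/n -> 32-bit mask with the n leftmost bits set."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def prefix_from_mask(mask: str) -> int:
    """Count the 1 bits; reject a mask whose 1 bits are not contiguous."""
    value = dotted_to_int(mask)
    ones = bin(value).count("1")
    if mask_from_prefix(ones) != value:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def same_network(a: str, b: str, prefix_len: int) -> bool:
    """True when both addresses AND to the same network address."""
    mask = mask_from_prefix(prefix_len)
    return dotted_to_int(a) & mask == dotted_to_int(b) & mask


def analyze(address: str, prefix_len: int) -> Dict[str, object]:
    """Network, first/last host and broadcast addresses for address/prefix."""
    mask = mask_from_prefix(prefix_len)
    addr = dotted_to_int(address)
    network = addr & mask                        # the ANDing step
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all 1s
    host_bits = 32 - prefix_len
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 0   # /31 and /32 have no host range here
    return {
        "mask": int_to_dotted(mask),
        "prefix": f"/{prefix_len}",
        "network": int_to_dotted(network),
        "network_binary": to_binary(network),
        "first_host": int_to_dotted(network + 1) if usable else None,
        "last_host": int_to_dotted(broadcast - 1) if usable else None,
        "broadcast": int_to_dotted(broadcast),
        "usable_hosts": usable,
    }
```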
IPv4 Unicast, Broadcast, and Multicast

Unicast
• Unicast transmission is sending a packet to one destination IP address.
• For example, the PC at 172.16.4.1 sends a unicast packet to the printer at 172.16.4.253.

Broadcast
• Broadcast transmission is sending a packet to all other destination IP addresses.
• For example, the PC at 172.16.4.1 sends a broadcast packet to all IPv4 hosts.

Multicast
• Multicast transmission is sending a packet to a multicast address group.
• For example, the PC at 172.16.4.1 sends a multicast packet to the multicast group address
224.10.10.5.
Types of IPv4 Addresses

Public and Private IPv4 Addresses

• As defined in RFC 1918, public IPv4 addresses are globally routed between internet service provider (ISP) routers.
• Private addresses are common blocks of addresses used by most organizations to assign IPv4 addresses to internal hosts.
• Private IPv4 addresses are not unique and can be used internally within any network.
• However, private addresses are not globally routable.

RFC 1918 private address ranges (network address and prefix – range):
10.0.0.0/8 – 10.0.0.0 - 10.255.255.255
172.16.0.0/12 – 172.16.0.0 - 172.31.255.255
192.168.0.0/16 – 192.168.0.0 - 192.168.255.255

Routing to the Internet

• Network Address Translation (NAT) translates private IPv4 addresses to public IPv4 addresses.
• NAT is typically enabled on the edge router connecting to the internet.
• It translates the internal private address to a public global IP address.

Special Use IPv4 Addresses

Loopback addresses
• 127.0.0.0 /8 (127.0.0.1 to 127.255.255.254)
• Commonly identified as only 127.0.0.1
• Used on a host to test if TCP/IP is operational.

Link-Local addresses
• 169.254.0.0 /16 (169.254.0.1 to 169.254.255.254)
• Commonly known as the Automatic Private IP Addressing (APIPA) addresses or self-assigned addresses.
• Used by Windows DHCP clients to self-configure when no DHCP servers are available.
Legacy Classful Addressing

RFC 790 (1981) allocated IPv4 addresses in classes:
• Class A (0.0.0.0/8 to 127.0.0.0/8)
• Class B (128.0.0.0 /16 – 191.255.0.0 /16)
• Class C (192.0.0.0 /24 – 223.255.255.0 /24)
• Class D (224.0.0.0 to 239.0.0.0)
• Class E (240.0.0.0 – 255.0.0.0)
• Classful addressing wasted many IPv4 addresses.

Classful address allocation was replaced with classless addressing, which ignores the rules of classes (A, B, C).

Assignment of IP Addresses
• The Internet Assigned Numbers Authority (IANA) manages and allocates blocks of IPv4 and IPv6 addresses to five Regional Internet Registries (RIRs).
• RIRs are responsible for allocating IP addresses to ISPs, who provide IPv4 address blocks to smaller ISPs and organizations.

Subnet on an Octet Boundary

• Networks are most easily subnetted at the octet boundary of /8, /16, and /24.
• Notice that using longer prefix lengths decreases the number of hosts per subnet.

Prefix Length – Subnet Mask – Subnet Mask in Binary (n = network, h = host) – # of hosts
/8 – 255.0.0.0 – nnnnnnnn.hhhhhhhh.hhhhhhhh.hhhhhhhh (11111111.00000000.00000000.00000000) – 16,777,214
/16 – 255.255.0.0 – nnnnnnnn.nnnnnnnn.hhhhhhhh.hhhhhhhh (11111111.11111111.00000000.00000000) – 65,534
/24 – 255.255.255.0 – nnnnnnnn.nnnnnnnn.nnnnnnnn.hhhhhhhh (11111111.11111111.11111111.00000000) – 254
Subnet Private versus Public IPv4 Address Space
Enterprise networks will have an:
• Intranet – A company’s internal network, typically using private IPv4 addresses.
• DMZ – A company’s internet-facing servers. Devices in the DMZ use public IPv4 addresses.
• A company could use the 10.0.0.0/8 and subnet on the /16 or /24 network boundary.
• The DMZ devices would have to be configured with public IP addresses.

Minimize Unused Host IPv4 Addresses and Maximize Subnets

There are two considerations when planning subnets:
• The number of host addresses required for each network
• The number of individual subnets needed

Prefix Length – Subnet Mask – Subnet Mask in Binary (n = network, h = host) – # of subnets – # of hosts
/25 – 255.255.255.128 – nnnnnnnn.nnnnnnnn.nnnnnnnn.nhhhhhhh (11111111.11111111.11111111.10000000) – 2 – 126
/26 – 255.255.255.192 – nnnnnnnn.nnnnnnnn.nnnnnnnn.nnhhhhhh (11111111.11111111.11111111.11000000) – 4 – 62
/27 – 255.255.255.224 – nnnnnnnn.nnnnnnnn.nnnnnnnn.nnnhhhhh (11111111.11111111.11111111.11100000) – 8 – 30
/28 – 255.255.255.240 – nnnnnnnn.nnnnnnnn.nnnnnnnn.nnnnhhhh (11111111.11111111.11111111.11110000) – 16 – 14
/29 – 255.255.255.248 – nnnnnnnn.nnnnnnnn.nnnnnnnn.nnnnnhhh (11111111.11111111.11111111.11111000) – 32 – 6
/30 – 255.255.255.252 – nnnnnnnn.nnnnnnnn.nnnnnnnn.nnnnnnhh (11111111.11111111.11111111.11111100) – 64 – 2
Example: Efficient IPv4 Subnetting

• In this example, corporate headquarters has been allocated a public network address of 172.16.0.0/22 (10 host bits) by its ISP, providing 1,022 host addresses.
• There are five sites and therefore five internet connections, which means the organization requires 10 subnets, with the largest subnet requiring 40 addresses.
• It allocated 10 subnets with a /26 (i.e., 255.255.255.192) subnet mask.

VLSM

IPv4 Address Conservation

Given the topology, 7 subnets are required (i.e., four LANs and three WAN links) and the largest number of hosts is in Building D with 28 hosts.
• A /27 mask would provide 8 subnets of 30 host IP addresses and therefore support this topology.

However, the point-to-point WAN links only require two addresses and therefore waste 28 addresses each, for a total of 84 unused addresses.
• Applying a traditional subnetting scheme to this scenario is not very efficient and is wasteful.
• VLSM was developed to avoid wasting addresses by enabling us to subnet a subnet.
VLSM
• The left side displays the traditional subnetting scheme (i.e., the same subnet mask) while the right side illustrates how VLSM can be used to subnet a subnet and divide the last subnet into eight /30 subnets.
• When using VLSM, always begin by satisfying the host requirements of the largest subnet and continue subnetting until the host requirements of the smallest subnet are satisfied.

The resulting topology with VLSM applied.

VLSM Topology Address Assignment

Using VLSM subnets, the LAN and inter-router networks can be addressed without unnecessary waste, as shown in the logical topology diagram.
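An added example (not from the study guide) of the VLSM procedure above in Python: allocate the largest subnet first, then keep subnetting the remainder for the smaller ones, and compare the waste against a single /27 mask. Only Building D's 28 hosts comes from the text; the other host counts, the site names and the 192.168.20.0/24 block are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed requirements for the topology above: four LANs and three WAN links.
REQUIREMENTS: Dict[str, int] = {
    "Building A": 20, "Building B": 25, "Building C": 12, "Building D": 28,
    "WAN R1-R2": 2, "WAN R1-R3": 2, "WAN R2-R3": 2,
}


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose usable host count (2^h - 2) still covers hosts."""
    host_bits = 2
    while 2 ** host_bits - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def vlsm_allocate(block: str, requirements: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return [(name, subnet)], allocated largest requirement first out of block."""
    free = [ipaddress.IPv4Network(block)]
    result: List[Tuple[str, str]] = []
    for name, hosts in sorted(requirements.items(), key=lambda kv: (-kv[1], kv[0])):
        plen = prefix_for_hosts(hosts)
        # best fit: the smallest free block that is still big enough, lowest address first
        candidates = [n for n in free if n.prefixlen <= plen]
        if not candidates:
            raise ValueError(f"{block} has no room left for {name} ({hosts} hosts)")
        chosen = min(candidates, key=lambda n: (-n.prefixlen, int(n.network_address)))
        free.remove(chosen)
        subnet = ipaddress.IPv4Network((int(chosen.network_address), plen))
        free.extend(chosen.address_exclude(subnet))   # the remainder stays available
        result.append((name, str(subnet)))
    return result


def unused_addresses(allocation: List[Tuple[str, str]],
                     requirements: Dict[str, int]) -> int:
    """Usable addresses handed out minus the addresses actually required."""
    return sum(ipaddress.IPv4Network(subnet).num_addresses - 2 - requirements[name]
               for name, subnet in allocation)


def fixed_mask_unused(prefix_len: int, requirements: Dict[str, int]) -> int:
    """Waste when every subnet gets the same mask (the traditional scheme)."""
    usable = 2 ** (32 - prefix_len) - 2
    return sum(usable - hosts for hosts in requirements.values())
```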
IPv6 Addressing

IPv4 Issues
Need for IPv6
• IPv4 is running out of addresses. IPv6 is the successor to IPv4. IPv6 has a much larger 128-bit
address space.
• The development of IPv6 also included fixes for IPv4 limitations and other enhancements.
• With an increasing internet population, a limited IPv4 address space, issues with NAT and the IoT,
the time has come to begin the transition to IPv6.

IPv4 and IPv6 Coexistence

Both IPv4 and IPv6 will coexist in the near future and the transition will take several years.
The IETF has created various protocols and tools to help network administrators migrate their networks to
IPv6. These migration techniques can be divided into three categories:
• Dual stack – The devices run both IPv4 and IPv6 protocol stacks simultaneously.
• Tunneling – A method of transporting an IPv6 packet over an IPv4 network. The IPv6 packet is
encapsulated inside an IPv4 packet.
• Translation - Network Address Translation 64 (NAT64) allows IPv6-enabled devices to
communicate with IPv4-enabled devices using a translation technique similar to NAT for IPv4.
Note: Tunneling and translation are for transitioning to native IPv6 and should only be used where needed. The goal
should be native IPv6 communications from source to destination.
IPv6 Addressing Formats
• IPv6 addresses are 128 bits in length and written in hexadecimal.
• IPv6 addresses are not case-sensitive and can be written in either lowercase or uppercase.
• The preferred format for writing an IPv6 address is x:x:x:x:x:x:x:x, with each “x” consisting of four
hexadecimal values.
• In IPv6, a hextet is the unofficial term used to refer to a segment of 16 bits, or four hexadecimal values.
• Examples of IPv6 addresses in the preferred format:
2001:0db8:0000:1111:0000:0000:0000:0200
2001:0db8:0000:00a3:abcd:0000:0000:1234

Rule 1 – Omit Leading Zero

The first rule to help reduce the notation of IPv6 addresses is to omit any leading 0s (zeros).
Examples:
• 01ab can be represented as 1ab
• 09f0 can be represented as 9f0
• 0a00 can be represented as a00
• 00ab can be represented as ab

Note: This rule only applies to leading 0s, NOT to trailing 0s, otherwise the address would be ambiguous.

Type – Format
Preferred – 2001:0db8:0000:1111:0000:0000:0000:0200
No leading zeros – 2001:db8:0:1111:0:0:0:200

Rule 2 – Double Colon


A double colon (::) can replace any single, contiguous string of one or more 16-bit hextets consisting of all
zeros.
Example:
• 2001:db8:cafe:1:0:0:0:1 (leading 0s omitted) could be represented as 2001:db8:cafe:1::1

Note: The double colon (::) can only be used once within an address, otherwise there would be more than one possible
resulting address.

Type – Format
Preferred – 2001:0db8:0000:1111:0000:0000:0000:0200
Compressed – 2001:db8:0:1111::200
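Rule 1 and Rule 2 above, implemented as an added Python example (not from the study guide), together with the reverse expansion that enforces the single-double-colon restriction; the addresses are the ones used in this section, and a cross-check against the standard library's exploded form is included.

```python
import ipaddress
import string
from typing import List


def _split8(address: str) -> List[str]:
    """Validate an address written as exactly 8 hextets of 1-4 hex digits."""
    hextets = address.split(":")
    if len(hextets) != 8 or not all(1 <= len(h) <= 4 for h in hextets):
        raise ValueError(f"expected 8 hextets: {address}")
    if not all(c in string.hexdigits for h in hextets for c in h):
        raise ValueError(f"non-hex character in {address}")
    return hextets


def rule1_omit_leading_zeros(address: str) -> str:
    """Leading zeros only; a hextet of all zeros becomes a single 0."""
    return ":".join(h.lstrip("0") or "0" for h in _split8(address))


def rule2_double_colon(address: str) -> str:
    """Replace the longest run of all-zero hextets (leftmost on a tie) with '::'.
    Follows the text's wording, so a single zero hextet is also compressed;
    RFC 5952 (and Python's ipaddress) leave a lone 0 alone."""
    hextets = _split8(address)
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if hextets[i] == "0":
            j = i
            while j < 8 and hextets[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_start < 0:
        return address
    left = ":".join(hextets[:best_start])
    right = ":".join(hextets[best_start + best_len:])
    return f"{left}::{right}"


def compress(address: str) -> str:
    """Preferred format -> Rule 1 -> Rule 2."""
    return rule2_double_colon(rule1_omit_leading_zeros(address))


def expand(compressed: str) -> str:
    """Back to preferred format; '::' may appear only once, otherwise ambiguous."""
    if compressed.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in compressed:
        left, right = compressed.split("::")
        l_part = left.split(":") if left else []
        r_part = right.split(":") if right else []
        missing = 8 - len(l_part) - len(r_part)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero hextet")
        hextets = l_part + ["0"] * missing + r_part
    else:
        hextets = compressed.split(":")
    return ":".join(h.lower().zfill(4) for h in _split8(":".join(hextets)))


def matches_stdlib(preferred: str) -> bool:
    """Cross-check: expanding our compressed form equals ipaddress's exploded form."""
    return expand(compress(preferred)) == ipaddress.IPv6Address(preferred).exploded
```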
IPv6 Address Types

Unicast, Multicast, Anycast


There are three broad categories of IPv6 addresses:
• Unicast – Unicast uniquely identifies an interface on an IPv6-enabled device.
• Multicast – Multicast is used to send a single IPv6 packet to multiple destinations.
• Anycast – This is any IPv6 unicast address that can be assigned to multiple devices. A packet sent to an
anycast address is routed to the nearest device having that address.
Note: Unlike IPv4, IPv6 does not have a broadcast address. However, there is an IPv6 all-nodes multicast address that
essentially

IPv6 Prefix Length

Prefix length is represented in slash notation and is used to indicate the network portion of an IPv6 address.
The IPv6 prefix length can range from 0 to 128. The recommended IPv6 prefix length for LANs and most other types of networks is /64.

Note: It is strongly recommended to use a 64-bit Interface ID for most networks. This is because stateless address autoconfiguration (SLAAC) uses 64 bits for the Interface ID. It also makes subnetting easier to create and manage.

Types of IPv6 Unicast Addresses

Unlike IPv4 devices that have only a single address, IPv6 devices typically have two unicast addresses:
• Global Unicast Address (GUA) – This is similar to a public IPv4 address. These are globally unique, internet-routable addresses.
• Link-local Address (LLA) – Required for every IPv6-enabled device and used to communicate with other devices on the same local link. LLAs are not routable and are confined to a single link.
A Note About the Unique Local Address

The IPv6 unique local addresses (range fc00::/7 to fdff::/7) have some similarity to RFC 1918 private
addresses for IPv4, but there are significant differences:
• Unique local addresses are used for local addressing within a site or between a limited number of sites.
• Unique local addresses can be used for devices that will never need to access another network.
• Unique local addresses are not globally routed or translated to a global IPv6 address.
Note: Many sites use the private nature of RFC 1918 addresses to attempt to secure or hide their network from
potential security risks. This was never the intended use of ULAs.

Subnet an IPv6 Network

Subnet Using the Subnet ID

IPv6 was designed with subnetting in mind.
• A separate subnet ID field in the IPv6 GUA is used to create subnets.
• The subnet ID field is the area between the Global Routing Prefix and the interface ID.

IPv6 Subnetting Example

Given the 2001:db8:acad::/48 global routing prefix with a 16-bit subnet ID:
• Allows 65,536 /64 subnets
• The global routing prefix is the same for all subnets.
• Only the subnet ID hextet is incremented in hexadecimal for each subnet.
IPv6 Subnet Allocation

The example topology requires five subnets, one for each LAN as well as for the serial link between R1 and
R2.
The five IPv6 subnets were allocated, with the subnet ID field 0001 through 0005. Each /64 subnet will
provide more addresses than will ever be needed.

Router Configured with IPv6 Subnets


The example shows that each of the router interfaces on R1 has been configured to be on a different IPv6
subnet.
R1(config)# interface gigabitethernet 0/0/0
R1(config-if)# ipv6 address 2001:db8:acad:1::1/64
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface gigabitethernet 0/0/1
R1(config-if)# ipv6 address 2001:db8:acad:2::1/64
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface serial 0/1/0
R1(config-if)# ipv6 address 2001:db8:acad:3::1/64
R1(config-if)# no shutdown
ICMP

ICMPv4 and ICMPv6 Messages


• Internet Control Message Protocol (ICMP) provides feedback about issues related to the processing
of IP packets under certain conditions.
• ICMPv4 is the messaging protocol for IPv4. ICMPv6 is the messaging protocol for IPv6 and
includes additional functionality.
• The ICMP messages common to both ICMPv4 and ICMPv6 include:
Host reachability
Destination or Service Unreachable
Time exceeded
Note: ICMPv4 messages are not required and are often not allowed within a network for security reasons.

Host Reachability
The ICMP Echo Message can be used to test the reachability of a host on an IP network.
In the example:
• The local host sends an ICMP Echo Request to a host.
• If the host is available, the destination host responds with an Echo Reply.

Destination or Service Unreachable

• An ICMP Destination Unreachable message can be used to notify the source that a destination or service is unreachable.
• The ICMP message will include a code indicating why the packet could not be delivered.

A few Destination Unreachable codes for ICMPv4 are as follows:
• 0 - Net unreachable
• 1 - Host unreachable
• 2 - Protocol unreachable
• 3 - Port unreachable

A few Destination Unreachable codes for ICMPv6 are as follows:
• 0 - No route to destination
• 1 - Communication with the destination is administratively prohibited (e.g., firewall)
• 2 - Beyond scope of the source address
• 3 - Address unreachable
• 4 - Port unreachable

Note: ICMPv6 has similar but slightly different codes for Destination Unreachable messages.
Time Exceeded
• When the Time to Live (TTL) field in a packet is decremented to 0, an ICMPv4 Time Exceeded
message will be sent to the source host.
• ICMPv6 also sends a Time Exceeded message. Instead of the IPv4 TTL field, ICMPv6 uses the IPv6
Hop Limit field to determine if the packet has expired.

Note: Time Exceeded messages are used by the traceroute tool.

ICMPv6 Messages
ICMPv6 has new features and improved functionality not found in ICMPv4, including four new protocols as
part of the Neighbor Discovery Protocol (ND or NDP).

Messaging between an IPv6 router and an IPv6 device, including dynamic address allocation are as follows:
• Router Solicitation (RS) message
• Router Advertisement (RA) message
Messaging between IPv6 devices, including duplicate address detection and address resolution are as
follows:
• Neighbor Solicitation (NS) message
• Neighbor Advertisement (NA) message

Note: ICMPv6 ND also includes the redirect message, which has a similar function to the redirect message used in
ICMPv4.

• RA messages are sent by IPv6-enabled routers every 200 seconds to provide addressing information to IPv6-enabled hosts.
• An RA message can include addressing information for the host such as the prefix, prefix length, DNS address, and domain name.
• A host using Stateless Address Autoconfiguration (SLAAC) will set its default gateway to the link-local address of the router that sent the RA.
• An IPv6-enabled router will also send out an RA message in response to an RS message.
In the figure, PC1 sends an RS message to determine how to receive its IPv6 address information dynamically. R1 replies to the RS with an RA message.
PC1 sends an RS message, “Hi, I just booted up. Is there an IPv6 router on the network? I need to know how to get my IPv6 address information dynamically.”
R1 replies with an RA message. “Hi all IPv6-enabled devices. I’m R1 and you can use SLAAC to create an IPv6 global unicast address. The prefix is 2001:db8:acad:1::/64. By the way, use my link-local address fe80::1 as your default gateway.”

• A device assigned a global IPv6 unicast or link-local unicast address may perform duplicate address detection (DAD) to ensure that the IPv6 address is unique.
• To check the uniqueness of an address, the device will send an NS message with its own IPv6 address as the targeted IPv6 address.
• If another device on the network has this address, it will respond with an NA message notifying the sending device that the address is in use.

Note: DAD is not required, but RFC 4861 recommends that DAD is performed on unicast addresses.

• To determine the MAC address for the destination, the device will send an NS message to the solicited-node address.
• The message will include the known (targeted) IPv6 address. The device that has the targeted IPv6 address will respond with an NA message containing its Ethernet MAC address.
• In the figure, R1 sends an NS message to 2001:db8:acad:1::10 asking for its MAC address.

Ping – Test Connectivity

• The ping command is an IPv4 and IPv6 testing utility that uses ICMP echo request and echo reply messages to test connectivity between hosts and provides a summary that includes the success rate and average round-trip time to the destination.
• If a reply is not received within the timeout, ping provides a message indicating that a response was not received.
• It is common for the first ping to time out if address resolution (ARP or ND) needs to be performed before sending the ICMP Echo Request.
Ping the Loopback

Ping can be used to test the internal configuration of IPv4 or IPv6 on the local host. To do this, ping the local loopback address of 127.0.0.1 for IPv4 (::1 for IPv6).
• A response from 127.0.0.1 for IPv4, or ::1 for IPv6, indicates that IP is properly installed on the host.
• An error message indicates that TCP/IP is not operational on the host.

Ping the Default Gateway

The ping command can be used to test the ability of a host to communicate on the local network.
The default gateway address is most often used because the router is normally always operational.
• A successful ping to the default gateway indicates that the host and the router interface serving as the
default gateway are both operational on the local network.
• If the default gateway address does not respond, a ping can be sent to the IP address of another host
on the local network that is known to be operational.
Ping a Remote Host
Ping can also be used to test the ability of a local host to communicate across an internetwork.
A local host can ping a host on a remote network. A successful ping across the internetwork confirms
communication on the local network.

Note: Many network administrators limit or prohibit the entry of ICMP messages; therefore, the lack of a ping response could be due to security restrictions.

Traceroute – Test the Path

• Traceroute (tracert on Windows) is a utility that is used to test the path between two hosts and provide a list of the hops that were successfully reached along that path.
• Traceroute provides the round-trip time for each hop along the path and indicates if a hop fails to respond. An asterisk (*) marks a probe for which no reply was received.
• This information can be used to locate a problematic router in the path, or it may indicate that a router is configured not to reply (many routers rate-limit or suppress ICMP Time Exceeded messages).
Note: Traceroute makes use of the TTL field in the IPv4 header and the Hop Limit field in the IPv6 header, along with the ICMP Time Exceeded message.

• The first message sent by traceroute has a TTL value of 1. The first router decrements the TTL to 0, discards the packet, and responds with an ICMPv4 Time Exceeded message (ICMPv6 Time Exceeded for IPv6) whose source address identifies that router.
• Traceroute then progressively increments the TTL (2, 3, 4, ...) for each sequence of messages. This provides the trace with the address of each hop as the packets expire further along the path.
• The TTL continues to be increased until the destination is reached (the destination answers the probe itself rather than with Time Exceeded) or a predefined maximum is hit.
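The TTL mechanism described above, worked through as an added example that is not part of the study guide: a Python simulation of traceroute over a constructed path (real traceroute needs raw sockets and root, so the forwarding plane is emulated here). The router addresses, the destination, and the "silent" router that never sends Time Exceeded are all assumptions chosen for the illustration. It also shows the difference between the two common probe styles: Windows tracert sends ICMP echo requests and the destination answers with an echo reply, while Unix traceroute sends UDP to an unused high port and the destination answers with ICMP Port Unreachable, which matters when you write ACLs that must let traceroute through.

```python
# Constructed topology for the simulation (not a real capture): three routers
# between the host and the destination. R2 is configured not to send ICMP
# Time Exceeded, which is how a silent hop shows up as '*'.
ROUTERS = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]
DESTINATION = "203.0.113.10"
SILENT_ROUTERS = {"10.0.1.1"}


def forward(ttl, probe, routers=ROUTERS, dest=DESTINATION, silent=SILENT_ROUTERS):
    """Emulate Layer 3 forwarding of one probe. Each router decrements the TTL
    (Hop Limit for IPv6); the router that takes it to 0 discards the packet and,
    unless configured to stay silent, replies with ICMP Time Exceeded from its
    own address. A probe that survives every router reaches the destination.
    Returns (replying_address or None, reply_kind)."""
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return (None, "timeout") if router in silent else (router, "time-exceeded")
    # The destination's reply depends on the probe type: Windows tracert sends
    # ICMP echo (answered by echo reply); Unix traceroute sends UDP to an unused
    # high port (answered by ICMP Destination Unreachable / Port Unreachable).
    return (dest, "echo-reply" if probe == "icmp" else "port-unreachable")


def traceroute(probe="icmp", max_hops=30, probes_per_hop=3):
    """Send probes_per_hop probes with TTL 1, 2, 3, ... until the destination
    itself answers or max_hops is reached. Returns [(ttl, address_or_'*'), ...]."""
    hops = []
    for ttl in range(1, max_hops + 1):
        replies = [forward(ttl, probe) for _ in range(probes_per_hop)]
        answered = {addr for addr, _ in replies if addr}
        hops.append((ttl, answered.pop() if answered else "*"))
        if any(kind in ("echo-reply", "port-unreachable") for _, kind in replies):
            break  # destination reached: stop incrementing the TTL
    return hops


if __name__ == "__main__":
    for ttl, addr in traceroute():
        print("%2d  %s" % (ttl, addr))
```

Running it prints hop 1 as 10.0.0.1, hop 2 as * (the silent router is still forwarding, it just does not tell you), hop 3 as 10.0.2.1, and hop 4 as the destination; the same path is found with either probe type.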
Transport Layer

Transportation of Data

Role of the Transport Layer

The transport layer is:
• responsible for logical communication between applications running on different hosts.
• the link between the application layer and the lower layers that are responsible for network transmission.

Transport Layer Responsibilities

The transport layer has the following responsibilities:
• Tracking individual conversations
• Segmenting data and reassembling segments
• Adding header information
• Identifying, separating, and managing multiple conversations
• Using segmentation and multiplexing to enable different communication conversations to be interleaved on the same network
Transport Layer Protocols

• IP does not specify how the delivery or transportation of the packets takes place.
• Transport layer protocols specify how to transfer messages between hosts and are responsible for managing the reliability requirements of a conversation.
• The transport layer includes the TCP and UDP protocols.

Transmission Control Protocol

TCP provides reliability and flow control. TCP basic operations:
• Number and track data segments transmitted to a specific host from a specific application
• Acknowledge received data
• Retransmit any unacknowledged data after a certain amount of time
• Sequence data that might arrive in the wrong order
• Send data at an efficient rate that is acceptable to the receiver

User Datagram Protocol (UDP)

UDP provides the basic functions for delivering datagrams between the appropriate applications, with very little overhead and data checking.
• UDP is a connectionless protocol.
• UDP is known as a best-effort delivery protocol because there is no acknowledgment that the data was received at the destination.
The Right Transport Layer Protocol for the Right Application

UDP is also used by request-and-reply applications where the data is minimal, and retransmission can be
done quickly.
If it is important that all the data arrives and that it can be processed in its proper sequence, TCP is used as
the transport protocol.

TCP Overview

TCP Features
▪ Establishes a Session - TCP is a connection-oriented protocol that negotiates and establishes a connection (or session) between the source and destination devices before any application data is forwarded; the connection lasts until one side closes or resets it.
▪ Ensures Reliable Delivery - For many reasons, it is possible for a segment to become corrupted or lost completely as it is transmitted over the network. TCP ensures that each segment sent by the source arrives at the destination, retransmitting any segment that is not acknowledged.
▪ Provides Same-Order Delivery - Because networks may provide multiple routes that can have different transmission rates, data can arrive in the wrong order. TCP numbers the bytes it sends so the receiver can put segments back into the original order.
▪ Supports Flow Control - Network hosts have limited resources (i.e., memory and processing power). When TCP is aware that these resources are overtaxed, it can request that the sending application reduce the rate of data flow.
TCP Header
TCP is a stateful protocol, which means it keeps track of the state of the communication session. TCP records which information it has sent and which information has been acknowledged.

TCP Header Fields

TCP Header Field        Description
Source Port             A 16-bit field used to identify the source application by port number.
Destination Port        A 16-bit field used to identify the destination application by port number.
Sequence Number         A 32-bit field that numbers the first data byte of the segment; used for ordering and reassembly.
Acknowledgment Number   A 32-bit field that indicates data has been received and gives the number of the next byte expected from the peer. Meaningful only when the ACK flag is set.
Header Length           A 4-bit field known as "data offset" that gives the length of the TCP header in 32-bit words (20 bytes minimum, 60 bytes maximum), so the receiver knows where the data begins.
Reserved                A 6-bit field reserved for future use. (RFC 3168 later took two of these bits for the ECN flags CWR and ECE, so current specifications show 4 reserved bits and 8 control bits.)
Control bits            A 6-bit field of bit codes, or flags, that indicate the purpose and function of the TCP segment.
Window size             A 16-bit field used to indicate the number of bytes the receiver can accept at one time.
Checksum                A 16-bit field used for error checking of the segment header and data. It is computed over an IP pseudo-header as well, so it also detects a segment delivered to the wrong address.
Urgent pointer          A 16-bit field that, when the URG flag is set, points to the end of the urgent data in the segment.

Applications that use TCP

TCP handles all tasks associated with dividing the data stream into
segments, providing reliability, controlling data flow, and reordering
segments.
UDP Overview

UDP Features
UDP features include the following:
• Data is reconstructed in the order that it is received.
• Any datagrams that are lost are not resent.
• There is no session establishment.
• The sender is not informed about resource availability at the receiver.

UDP Header
The UDP header is far simpler than the TCP header because it only has four fields and requires 8 bytes (i.e.
64 bits).

UDP Header Fields

UDP Header Field   Description
Source Port        A 16-bit field used to identify the source application by port number.
Destination Port   A 16-bit field used to identify the destination application by port number.
Length             A 16-bit field that gives the length of the whole UDP datagram (the 8-byte header plus the data) in bytes.
Checksum           A 16-bit field used for error checking of the datagram header and data, computed with an IP pseudo-header. It is optional for IPv4 (a value of 0 means no checksum was computed) and mandatory for IPv6.
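The two header tables above, worked through as an added example that is not code from the study guide: a Python builder and parser for the fixed TCP and UDP headers, including the RFC 1071 checksum over the IPv4 pseudo-header. The addresses, ports, and sequence numbers are constructed sample values, not captured traffic. Beyond the tables, it shows the data-offset arithmetic (header length is stored in 32-bit words), the flag-bit layout, and why a segment delivered to the wrong IP address fails its checksum.

```python
import struct

# Constructed sample addresses for the IPv4 pseudo-header (not captured traffic).
SRC_IP = bytes([192, 168, 1, 10])
DST_IP = bytes([203, 0, 113, 5])
PROTO_TCP, PROTO_UDP = 6, 17

# Control bits, least significant bit first. ECE/CWR are the two ECN bits that
# RFC 3168 carved out of the old 6-bit reserved field.
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def internet_checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words, folded, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src, dst, proto, length):
    """IPv4 pseudo-header: the checksum also binds the segment to its addresses."""
    return src + dst + struct.pack("!BBH", 0, proto, length)


def build_tcp(sport, dport, seq, ack, flags, window, src, dst, payload=b""):
    """20-byte TCP header (data offset 5, no options) with a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = internet_checksum(pseudo_header(src, dst, PROTO_TCP, 20 + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_tcp(segment):
    """Decode the fixed TCP header fields from the table above."""
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off_res >> 4) * 4  # data offset is counted in 32-bit words
    names = [n for i, n in enumerate(FLAG_NAMES) if flags & (1 << i)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hlen": hlen,
            "flags": names, "window": window, "checksum": csum, "urgent": urg,
            "options": segment[20:hlen], "payload": segment[hlen:]}


def tcp_checksum_ok(segment, src, dst):
    """With a correct checksum, the sum over pseudo-header plus segment folds to 0."""
    return internet_checksum(pseudo_header(src, dst, PROTO_TCP, len(segment)) + segment) == 0


def build_udp(sport, dport, src, dst, payload=b""):
    """8-byte UDP header; Length covers header plus data. A computed checksum of 0
    would mean 'no checksum' on IPv4, so it is transmitted as 0xFFFF instead."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(pseudo_header(src, dst, PROTO_UDP, length) + hdr + payload) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + payload


def parse_udp(datagram):
    """Decode the four UDP header fields; the payload ends where Length says."""
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    return {"sport": sport, "dport": dport, "length": length, "checksum": csum,
            "payload": datagram[8:length]}


if __name__ == "__main__":
    syn = build_tcp(49152, 443, 1000, 0, 0x02, 65535, SRC_IP, DST_IP)
    print(parse_tcp(syn), tcp_checksum_ok(syn, SRC_IP, DST_IP))
    dns = build_udp(53215, 53, SRC_IP, DST_IP, b"\x12\x34" + b"\x00" * 10)  # constructed DNS-like payload
    print(parse_udp(dns))
```

A SYN to port 443 decodes with flags ["SYN"] and a 20-byte header; the same bytes checked against a different destination address fail the checksum because the pseudo-header changed.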

Applications that use UDP

▪ Live video and multimedia applications - These applications can tolerate some data loss but require little or no delay. Examples include VoIP and live streaming video.
▪ Simple request and reply applications - Applications with simple transactions where a host sends a request and may or may not receive a reply. Examples include DNS and DHCP.
▪ Applications that handle reliability themselves - Unidirectional communications where flow control, error detection, acknowledgments, and error recovery are not required, or can be handled by the application. Examples include SNMP and TFTP.
Port Numbers

Multiple Separate Communications

TCP and UDP transport layer protocols use port numbers to manage multiple, simultaneous conversations.
The source port number is associated with the originating application on the local host whereas the
destination port number is associated with the destination application on the remote host.

Socket Pairs
• The source and destination ports are placed within the segment.
• The segments are then encapsulated within an IP packet.
• The combination of the source IP address and source port number, or the destination IP address and
destination port number is known as a socket.
• Sockets enable multiple processes, running on a client, to distinguish themselves from each other,
and multiple connections to a server process to be distinguished from each other.
Port Number Groups

Well-known Ports (0 to 1,023)
• These port numbers are reserved for common or popular services and applications such as web servers, email servers, and remote access services.
• Defining well-known ports for common server applications enables clients to easily identify the associated service.

Registered Ports (1,024 to 49,151)
• These port numbers are assigned by IANA to a requesting entity to use with specific processes or applications.
• These processes are primarily individual applications that a user has chosen to install, rather than common applications that would receive a well-known port number.
• For example, port 1812 is registered for RADIUS authentication.

Private and/or Dynamic Ports (49,152 to 65,535)
• These ports are also known as ephemeral ports.
• The client's OS usually assigns port numbers dynamically when a connection to a service is initiated.
• The dynamic port is then used to identify the client application during the communication.

Note: These ranges are IANA conventions, not something the network enforces. Operating systems pick their own ephemeral range (Linux defaults to 32768 to 60999), and a process with sufficient privileges can bind any port, so a port number alone never proves which application is listening.

Well-Known Port Numbers

Port Number Protocol Application

20 TCP File Transfer Protocol (FTP) - Data

21 TCP File Transfer Protocol (FTP) - Control

22 TCP Secure Shell (SSH)

23 TCP Telnet

25 TCP Simple Mail Transfer Protocol (SMTP)

53 UDP, TCP Domain Name Service (DNS)

67 UDP Dynamic Host Configuration Protocol (DHCP) - Server

68 UDP Dynamic Host Configuration Protocol - Client

69 UDP Trivial File Transfer Protocol (TFTP)

80 TCP Hypertext Transfer Protocol (HTTP)

110 TCP Post Office Protocol version 3 (POP3)

143 TCP Internet Message Access Protocol (IMAP)

161 UDP Simple Network Management Protocol (SNMP)

443 TCP Hypertext Transfer Protocol Secure (HTTPS)


The netstat Command
Unexplained TCP connections can pose a major security threat. Netstat is an important tool to verify
connections.
C:\> netstat
Active Connections
Proto Local Address Foreign Address State
TCP 192.168.1.124:3126 192.168.0.2:netbios-ssn ESTABLISHED
TCP 192.168.1.124:3158 207.138.126.152:http ESTABLISHED
TCP 192.168.1.124:3159 207.138.126.169:http ESTABLISHED
TCP 192.168.1.124:3160 207.138.126.169:http ESTABLISHED
TCP 192.168.1.124:3161 sc.msn.com:http ESTABLISHED
TCP 192.168.1.124:3166 www.cisco.com:http ESTABLISHED

TCP Server Processes

Each application process running on a server is configured to use a port number.
• An individual server cannot have two services assigned to the same port number within the same transport layer protocol (DNS on TCP 53 and UDP 53 can coexist; two TCP services on port 53 cannot).
• An active server application assigned to a specific port is considered open, which means that the transport layer accepts and processes segments addressed to that port.
• Any incoming client request addressed to the correct socket is accepted, and the data is passed to the server application.
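The socket pairs, ephemeral source ports, and one-service-per-port rule from the sections above, worked as an added example that is not from the study guide: a Python script that runs entirely on the loopback interface, so it needs no network. It lets the OS pick the listener's port (port 0), connects to it, prints what each side sees as its local and foreign socket, and then shows that a second TCP listener on the same number is refused while a UDP socket on that number is allowed. The errno values in the comment are assumptions about common platforms; the code only relies on an OSError being raised.

```python
import socket


def demonstrate_socket_pairs():
    """Open a TCP listener on a loopback port chosen by the OS, connect to it,
    and report what each side sees as its socket pair. Then try to bind a second
    TCP listener and a UDP socket to the same port number."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    server.listen(1)
    server_port = server.getsockname()[1]

    client = socket.create_connection(("127.0.0.1", server_port))  # OS picks the ephemeral source port
    accepted, _ = server.accept()

    pairs = {
        "client_view": {"local": client.getsockname(), "foreign": client.getpeername()},
        "server_view": {"local": accepted.getsockname(), "foreign": accepted.getpeername()},
    }

    # Second TCP listener on the same port: one port, one service per transport protocol.
    dup_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        dup_tcp.bind(("127.0.0.1", server_port))
        tcp_conflict = None
    except OSError as err:
        tcp_conflict = err.errno  # EADDRINUSE: typically 98 on Linux, 48 on macOS, 10048 on Windows
    finally:
        dup_tcp.close()

    # UDP on the same number is fine: the protocol is part of the socket's identity
    # (think DNS on TCP 53 and UDP 53).
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", server_port))
    udp_bound = udp.getsockname()[1] == server_port

    for s in (udp, accepted, client, server):
        s.close()
    return {
        "pairs": pairs,
        "server_port": server_port,
        "ephemeral_port": pairs["client_view"]["local"][1],
        "tcp_bind_conflict_errno": tcp_conflict,
        "udp_same_number_ok": udp_bound,
    }


if __name__ == "__main__":
    result = demonstrate_socket_pairs()
    for side, pair in result["pairs"].items():
        print("%-12s local=%s:%d  foreign=%s:%d" % (side, *pair["local"], *pair["foreign"]))
    print("second TCP bind errno:", result["tcp_bind_conflict_errno"],
          " UDP bind ok:", result["udp_same_number_ok"])
```

The client's foreign socket is the server's local socket and vice versa, which is exactly the pairing netstat prints as Local Address and Foreign Address.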

TCP Connection Establishment

Step 1: The initiating client requests a client-to-server communication session with the server (SYN).
Step 2: The server acknowledges the client-to-server session and requests a server-to-client session (SYN-ACK).
Step 3: The initiating client acknowledges the server-to-client session (ACK).
Session Termination

Step 1: When the client has no more data to send in the stream, it sends a segment with the FIN flag set.
Step 2: The server sends an ACK to acknowledge receipt of the FIN, which terminates the client-to-server half of the session.
Step 3: The server sends a FIN to the client to terminate the server-to-client half of the session.
Step 4: The client responds with an ACK to acknowledge the FIN from the server.

TCP Three-Way Handshake Analysis

Functions of the Three-Way Handshake:

• It establishes that the destination device is present on the network.
• It verifies that the destination device has an active service and is accepting requests on the destination port number that the initiating client intends to use.
• It informs the destination device that the source client intends to establish a communication session on that port number.
• It synchronizes the initial sequence numbers in both directions. Every later segment is checked against them, which is why an off-path attacker who cannot see those numbers has to guess them to inject data or reset a connection.

After the communication is completed the sessions are closed and the connection is terminated. The connection and session mechanisms are what make the TCP reliability functions possible.

The six control bit flags are as follows:

• URG - Urgent pointer field significant
• ACK - Acknowledgment field significant; used in connection establishment, data transfer, and session termination
• PSH - Push function (deliver the data to the application without waiting to fill a buffer)
• RST - Reset the connection when an error or timeout occurs, or when a segment arrives for a port with no listening service
• SYN - Synchronize sequence numbers; used in connection establishment
• FIN - No more data from the sender; used in session termination
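The handshake, the four-step termination, and the flag checks above, worked as an added example that is neither the study guide's nor Cisco's code: a small stateful connection tracker in Python, the bookkeeping a stateful packet inspection firewall (covered later under Types of Firewalls) performs in front of a server. Addresses, ports, and sequence numbers are constructed for the exchange. Two deliberate simplifications are assumptions of this example, not TCP behaviour: data must arrive strictly in order (no receive-window tolerance) and TIME_WAIT is skipped. The exchange includes an unsolicited SYN-ACK before any SYN and a forged RST with a guessed sequence number, both of which the tracker drops.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """Only the header fields the tracker needs: addresses, ports, flags, seq/ack, data length."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int
    ack: int = 0
    length: int = 0


class ConnTracker:
    """Minimal stateful tracker in front of one server socket. A segment is allowed
    only if it matches a known connection in its current state and carries the
    sequence/ack numbers that state expects."""

    def __init__(self, server_ip, server_port):
        self.server = (server_ip, server_port)
        self.conns = {}  # (client_ip, client_port) -> {"state", "cseq", "sseq", "fins"}

    def inspect(self, seg):
        from_client = (seg.dst, seg.dport) == self.server
        key = (seg.src, seg.sport) if from_client else (seg.dst, seg.dport)
        c = self.conns.get(key)
        f = seg.flags
        if c is None:
            # Only a bare SYN from a client may open state; anything else is unsolicited.
            if from_client and f == {"SYN"}:
                self.conns[key] = {"state": "SYN_RCVD", "cseq": seg.seq + 1, "sseq": None, "fins": 0}
                return "ALLOW: new connection"
            return "DROP: unsolicited segment with no connection"
        if c["state"] == "SYN_RCVD":
            if not from_client and f == {"SYN", "ACK"} and seg.ack == c["cseq"]:
                c["sseq"] = seg.seq + 1
                c["state"] = "SYN_ACK_SENT"
                return "ALLOW: SYN-ACK"
            return "DROP: expected SYN-ACK from server"
        if c["state"] == "SYN_ACK_SENT":
            if from_client and f == {"ACK"} and seg.seq == c["cseq"] and seg.ack == c["sseq"]:
                c["state"] = "ESTABLISHED"
                return "ALLOW: handshake complete"
            return "DROP: expected handshake ACK from client"
        # ESTABLISHED or closing: the sender's seq must be exactly what we expect from
        # that direction, and any ACK must acknowledge the peer's next byte.
        mine, theirs = ("cseq", "sseq") if from_client else ("sseq", "cseq")
        if seg.seq != c[mine]:
            return "DROP: out-of-sequence seq %d (expected %d)" % (seg.seq, c[mine])
        if "ACK" in f and seg.ack != c[theirs]:
            return "DROP: bad acknowledgment number"
        if "RST" in f:
            del self.conns[key]
            return "ALLOW: reset, connection removed"
        c[mine] += seg.length  # data consumes sequence space
        if "FIN" in f:
            c[mine] += 1  # so does a FIN
            c["fins"] += 1
            c["state"] = "FIN_WAIT" if c["fins"] == 1 else "LAST_ACK"
        elif c["state"] == "LAST_ACK" and f == {"ACK"}:
            del self.conns[key]
            return "ALLOW: closed"
        return "ALLOW: %s" % c["state"]


def run_demo():
    """Constructed exchange: handshake, one data segment, a blind RST with a guessed
    sequence number, then the four-step close. Returns the verdicts and how many
    connections remain tracked afterwards."""
    t = ConnTracker("10.0.0.5", 443)
    client, server = ("198.51.100.7", 51515), ("10.0.0.5", 443)

    def seg(frm, to, flags, seq, ack=0, length=0):
        return Segment(frm[0], frm[1], to[0], to[1], frozenset(flags.split("+")), seq, ack, length)

    exchange = [
        seg(server, client, "SYN+ACK", 9000, 1001),       # no SYN seen yet -> DROP
        seg(client, server, "SYN", 1000),                 # handshake step 1
        seg(server, client, "SYN+ACK", 9000, 1001),       # handshake step 2
        seg(client, server, "ACK", 1001, 9001),           # handshake step 3 -> ESTABLISHED
        seg(client, server, "PSH+ACK", 1001, 9001, 100),  # 100 bytes of data
        seg(server, client, "ACK", 9001, 1101),           # acknowledges them
        seg(server, client, "RST", 5555),                 # forged reset, wrong seq -> DROP
        seg(client, server, "FIN+ACK", 1101, 9001),       # termination step 1
        seg(server, client, "ACK", 9001, 1102),           # termination step 2
        seg(server, client, "FIN+ACK", 9001, 1102),       # termination step 3
        seg(client, server, "ACK", 1102, 9002),           # termination step 4
    ]
    return [t.inspect(s) for s in exchange], len(t.conns)


if __name__ == "__main__":
    for verdict in run_demo()[0]:
        print(verdict)
```

Only the unsolicited SYN-ACK and the forged RST are dropped; the eleven-segment exchange ends with the connection removed from the table.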
Reliability and Flow Control

TCP Reliability- Guaranteed and Ordered Delivery

• TCP can also help maintain the flow of packets so that devices do not become overloaded.
• There may be times when TCP segments do not arrive at their destination or arrive out of order.
• All the data must be received, and the data in these segments must be reassembled into the original order.
• Sequence numbers are assigned in the header of each segment to achieve this goal.

TCP Reliability – Data Loss and Retransmission


No matter how well designed a network is, data loss occasionally occurs.
TCP provides methods of managing these segment losses. Among these is a mechanism to retransmit
segments for unacknowledged data.

Host operating systems today typically employ an optional TCP feature called selective acknowledgment (SACK),
negotiated during the three-way handshake.
If both hosts support SACK, the receiver can explicitly acknowledge which segments (bytes) were received including
any discontinuous segments.
TCP Flow Control – Window Size and Acknowledgments
TCP also provides mechanisms for flow control:
• Flow control limits the amount of unacknowledged data in flight to what the destination can receive and process reliably; the receiver advertises that amount in the window size field of each acknowledgment.
• Flow control helps maintain the reliability of TCP transmission by adjusting the rate of data flow between source and destination for a given session.

TCP Flow Control – Maximum Segment Size

Maximum Segment Size (MSS) is the maximum amount of data that the destination device can receive in a single TCP segment (it excludes the TCP and IP headers).
• A common MSS is 1,460 bytes when using IPv4.
• A host determines the value of its MSS by subtracting the IP and TCP headers from the Ethernet maximum transmission unit (MTU), which is 1,500 bytes by default.
• 1,500 minus 40 (20 bytes for the IPv4 header and 20 bytes for the TCP header) leaves 1,460 bytes. With IPv6, whose base header is 40 bytes, the corresponding MSS is 1,440 bytes.

TCP Flow Control – Congestion Avoidance

When congestion occurs on a network, it results in packets being discarded by the overloaded router.
To avoid and control congestion, TCP employs several congestion handling mechanisms, timers, and
algorithms.
UDP Communication

UDP Low Overhead versus Reliability

UDP does not establish a connection. UDP provides low-overhead data transport because it has a small datagram header and no connection management traffic.

UDP Datagram Reassembly

• UDP does not track sequence numbers the way TCP does.
• UDP has no way to reorder the datagrams into their transmission order.
• UDP simply reassembles the data in the order that it was received and forwards it to the application.

UDP Server Processes and Requests

UDP-based server applications are assigned well-known or registered port numbers.
When UDP receives a datagram destined for one of these ports, it forwards the application data to the appropriate application based on its port number.
UDP Client Processes
• The UDP client process dynamically selects a port number from the range of port numbers and uses
this as the source port for the conversation.
• The destination port is usually the well-known or registered port number assigned to the server
process.
• After a client has selected the source and destination ports, the same pair of ports are used in the
header of all datagrams in the transaction.

Application, Presentation, and Session

Application Layer

• The upper three layers of the OSI model (application, presentation, and session) define the functions of the TCP/IP application layer.
• The application layer provides the interface between the applications used to communicate and the underlying network over which messages are transmitted.
• Some of the most widely known application layer protocols include HTTP, FTP, TFTP, IMAP, and DNS.
Presentation and Session Layer

The presentation layer has three primary functions:
• Formatting, or presenting, data at the source device into a compatible format for receipt by the destination device
• Compressing data in a way that can be decompressed by the destination device
• Encrypting data for transmission and decrypting data upon receipt

The session layer functions:
• It creates and maintains dialogs between source and destination applications.
• It handles the exchange of information to initiate dialogs, keep them active, and restart sessions that are disrupted or idle for a long period of time.

TCP/IP Application Layer Protocols


• The TCP/IP application protocols specify the format and control information necessary for many
common internet communication functions.
• Application layer protocols are used by both the source and destination devices during a
communication session.
• For the communications to be successful, the application layer protocols that are implemented on the
source and destination host must be compatible.

Name System
DNS - Domain Name System (or Service)
• TCP, UDP client 53
• Translates domain names, such as cisco.com, into IP addresses.
Host Config
DHCP - Dynamic Host Configuration Protocol
• UDP client 68, server 67
• Dynamically assigns IP addresses to be re-used when no longer needed

Web
HTTP - Hypertext Transfer Protocol
• TCP 80, 8080
• A set of rules for exchanging text, graphic images, sound, video, and other multimedia files on the World
Wide Web

Dynamic Host Configuration Protocol


• The Dynamic Host Configuration Protocol (DHCP) for IPv4 service automates the assignment of IPv4
addresses, subnet masks, gateways, and other IPv4 networking parameters.
• DHCP is considered dynamic addressing compared to static addressing. Static addressing is manually entering
IP address information.
• When a host connects to the network, the DHCP server is contacted, and an address is requested. The DHCP
server chooses an address from a configured range of addresses called a pool and assigns (leases) it to the
host.
• Many networks use both DHCP and static addressing. DHCP is used for general purpose hosts, such as end
user devices. Static addressing is used for network devices, such as gateway routers, switches, servers, and
printers.

Note: DHCP for IPv6 (DHCPv6) provides similar services for IPv6 clients. However, DHCPv6 does not provide a
default gateway address. This can only be obtained dynamically from the Router Advertisement message of the router.
DHCP Operation
The DHCP Process:
• When an IPv4, DHCP-configured device boots up or connects to the network, the client broadcasts a DHCP discover (DHCPDISCOVER) message to identify any available DHCP servers on the network.
• A DHCP server replies with a DHCP offer (DHCPOFFER) message, which offers a lease to the client. (If a client receives more than one offer because there are multiple DHCP servers on the network, it must choose one.)
• The client sends a DHCP request (DHCPREQUEST) message that identifies the explicit server (the server identifier, option 54) and the lease offer (the requested address, option 50) that the client is accepting.
• The server then returns a DHCP acknowledgment (DHCPACK) message that acknowledges to the client that the lease has been finalized.
• If the offer is no longer valid, for example because the address was leased to another client in the meantime, the selected server responds with a DHCP negative acknowledgment (DHCPNAK) message and the process must begin again with a new DHCPDISCOVER message.

Because the DHCPDISCOVER is a broadcast and the client has no way to authenticate the server, any host on the segment can answer with an offer and hand out a bogus default gateway or DNS server. Switches counter this with DHCP snooping, which only permits DHCP server messages on trusted ports.

Note: DHCPv6 uses a similar set of messages. A stateful exchange is SOLICIT, ADVERTISE, REQUEST, and REPLY; a client that already has an address (for example from SLAAC) and needs only other parameters such as DNS servers sends INFORMATION-REQUEST and receives REPLY.
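The DHCPv4 exchange above, worked as an added example that is not the study guide's code: a Python builder and parser for DHCP messages (the 236-byte BOOTP header, the magic cookie, and the TLV options) plus a constructed in-memory server with a pool of one address. Two clients discover at the same time and are offered the same address, because an offer does not reserve it; the first REQUEST gets a DHCPACK and the second gets a DHCPNAK, which is the "offer no longer valid" case. The server identifier, pool, subnet mask, lease time, transaction IDs and MAC addresses are all assumptions chosen for the illustration; nothing is sent on the wire.

```python
import struct
from ipaddress import IPv4Address

# Message-type values carried in option 53.
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes.
BOOTP = "!BBBBIHH4s4s4s4s16s64s128s"


def build(op, xid, mac, yiaddr="0.0.0.0", options=()):
    """Serialize a DHCPv4 message: BOOTP header, magic cookie, TLV options, END."""
    header = struct.pack(BOOTP, op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4,
                         IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + b"\xff"


def parse(packet):
    """Parse the header and walk the option TLVs until the END (255) option."""
    fields = struct.unpack(BOOTP, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:  # PAD option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4], "yiaddr": str(IPv4Address(fields[8])),
            "chaddr": fields[11][:fields[2]], "options": options}


class DhcpServer:
    """Constructed server: one pool, one subnet, lease bookkeeping keyed by MAC."""

    def __init__(self, server_ip, pool, lease_seconds=86400):
        self.sid = IPv4Address(server_ip).packed  # option 54, server identifier
        self.free, self.leases = list(pool), {}
        self.common = [(1, IPv4Address("255.255.255.0").packed), (3, self.sid),
                       (51, struct.pack("!I", lease_seconds)), (54, self.sid)]

    def handle(self, packet):
        msg = parse(packet)
        mtype, mac = msg["options"][53][0], msg["chaddr"]
        if mtype == DISCOVER:
            # An OFFER does not reserve the address; the server commits only on REQUEST.
            offered = self.leases.get(mac) or (self.free[0] if self.free else None)
            if offered is None:
                return None  # pool exhausted: no offer
            return build(BOOTREPLY, msg["xid"], mac, offered, [(53, bytes([OFFER]))] + self.common)
        if mtype == REQUEST:
            if msg["options"].get(54) != self.sid:
                return None  # client chose another server; stay quiet
            wanted = str(IPv4Address(msg["options"][50]))
            if wanted in self.free or self.leases.get(mac) == wanted:
                if wanted in self.free:
                    self.free.remove(wanted)
                self.leases[mac] = wanted
                return build(BOOTREPLY, msg["xid"], mac, wanted, [(53, bytes([ACK]))] + self.common)
            return build(BOOTREPLY, msg["xid"], mac, "0.0.0.0", [(53, bytes([NAK])), (54, self.sid)])
        return None


def client_discover(xid, mac):
    """DISCOVER: message type, client identifier (61), parameter request list (55)."""
    return build(BOOTREQUEST, xid, mac, options=[(53, bytes([DISCOVER])), (61, b"\x01" + mac),
                                                 (55, bytes([1, 3, 51]))])


def client_request(xid, mac, offer):
    """REQUEST names the offered address (50) and the chosen server (54)."""
    return build(BOOTREQUEST, xid, mac, options=[(53, bytes([REQUEST])),
                                                 (50, IPv4Address(offer["yiaddr"]).packed),
                                                 (54, offer["options"][54])])


def run_dora():
    """Two clients race for a pool of one address: the second REQUEST gets a NAK."""
    server = DhcpServer("192.168.10.1", ["192.168.10.50"])
    mac_a, mac_b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    offer_a = parse(server.handle(client_discover(0x3903F326, mac_a)))
    offer_b = parse(server.handle(client_discover(0x3903F327, mac_b)))
    ack_a = parse(server.handle(client_request(0x3903F326, mac_a, offer_a)))
    nak_b = parse(server.handle(client_request(0x3903F327, mac_b, offer_b)))
    return offer_a, ack_a, nak_b


if __name__ == "__main__":
    names = {OFFER: "DHCPOFFER", ACK: "DHCPACK", NAK: "DHCPNAK"}
    for m in run_dora():
        print(names[m["options"][53][0]], m["yiaddr"])
```

The server's check of option 54 against its own identifier is the step that lets several servers coexist: a REQUEST that names a different server is silently ignored rather than answered.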

File Sharing Services

File Transfer Protocol

FTP was developed to allow data transfers between a client and a server. An FTP client is an application that runs on a computer and is used to push and pull data from an FTP server.
Step 1 - The client establishes the first connection to the server for control traffic using TCP port 21. The traffic consists of client commands and server replies.
Step 2 - A second connection is established for the actual data transfer. In the active mode described here, the server opens that connection from its TCP port 20 back to a port the client announced; in passive mode (the usual choice behind firewalls and NAT, which block inbound connections to the client) the client opens the data connection to a port the server announces. A new data connection is created every time there is data to be transferred.
Step 3 - The data transfer can happen in either direction. The client can download (pull) data from the server, or the client can upload (push) data to the server.
Note: FTP sends credentials and data in cleartext. Prefer SFTP (file transfer over SSH) or FTPS (FTP over TLS) where possible.
Server Message Block

The Server Message Block (SMB) is a client/server, request-response file sharing protocol. Servers can make their own resources available to clients on the network. SMB runs directly over TCP port 445; older deployments carried it over NetBIOS on TCP port 139 (the netbios-ssn connection in the netstat output above).
Three functions of SMB messages:
• Start, authenticate, and terminate sessions
• Control file and printer access
• Allow an application to send or receive messages to or from another device

Unlike the file sharing supported by FTP, SMB clients establish a long-term connection to servers. After the connection is established, the user of the client can access the resources on the server as though the resource were local to the client host.

Security Threats and Vulnerabilities

Types of Threats

Attacks on a network can be devastating and can result in a loss of time and money due to damage, or theft
of important information or assets. Intruders can gain access to a network through software vulnerabilities,
hardware attacks, or through guessing someone's username and password. Intruders who gain access by
modifying software or exploiting software vulnerabilities are called threat actors.
After the threat actor gains access to the network, four types of threats may arise:
• Information Theft
• Data Loss and manipulation
• Identity Theft
• Disruption of Service

Types of Vulnerabilities

Vulnerability is the degree of weakness in a network or a device. Some degree of vulnerability is inherent in
routers, switches, desktops, servers, and even security devices. Typically, the network devices under attack
are the endpoints, such as servers and desktop computers.

There are three primary vulnerabilities or weaknesses:

• Technological vulnerabilities might include TCP/IP protocol weaknesses, operating system weaknesses, and network equipment weaknesses.
• Configuration vulnerabilities might include unsecured user accounts, system accounts with easily guessed passwords, misconfigured internet services, unsecure default settings, and misconfigured network equipment.
• Security policy vulnerabilities might include the lack of a written security policy, politics, lack of authentication continuity, logical access controls not applied, software and hardware installation and changes not following policy, and a nonexistent disaster recovery plan.
All three of these sources of vulnerabilities can leave a network or device open to various attacks, including
malicious code attacks and network attacks.

Physical Security

If network resources can be physically compromised, a threat actor can deny the use of network resources.
The four classes of physical threats are as follows:
• Hardware threats - This includes physical damage to servers, routers, switches, cabling plant, and
workstations.
• Environmental threats - This includes temperature extremes (too hot or too cold) or humidity
extremes (too wet or too dry).
• Electrical threats - This includes voltage spikes, insufficient supply voltage (brownouts),
unconditioned power (noise), and total power loss.
• Maintenance threats - This includes poor handling of key electrical components (electrostatic
discharge), lack of critical spare parts, poor cabling, and poor labeling.

A good plan for physical security must be created and implemented to address these issues.

Network Attacks

Types of Malware

Malware is short for malicious software. It is code or software specifically designed to damage, disrupt,
steal, or inflict “bad” or illegitimate action on data, hosts, or networks. The following are types of malware:
• Viruses - A computer virus is a type of malware that propagates by inserting a copy of itself into, and
becoming part of, another program. It spreads from one computer to another, leaving infections as it travels.

• Worms - Computer worms are similar to viruses in that they replicate functional copies of themselves and can
cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file,
worms are standalone software and do not require a host program or human help to propagate.

• Trojan Horses - A Trojan horse is a harmful piece of software that looks legitimate. Unlike viruses and worms, Trojan horses do not self-replicate and do not spread by infecting other files. They rely on user interaction to spread, such as opening an email attachment or downloading and running a file from the internet.
Reconnaissance Attacks

In addition to malicious code attacks, it is also possible for networks to fall prey to various network attacks.
Network attacks can be classified into three major categories:
• Reconnaissance attacks - The discovery and mapping of systems, services, or vulnerabilities.
• Access attacks - The unauthorized manipulation of data, system access, or user privileges.
• Denial of service - The disabling or corruption of networks, systems, or services.

For reconnaissance attacks, external threat actors can use internet tools, such as
the nslookup and whois utilities, to easily determine the IP address space assigned to a given corporation or
entity. After the IP address space is determined, a threat actor can then ping the publicly available IP
addresses to identify the addresses that are active.

Access Attacks

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to
gain entry to web accounts, confidential databases, and other sensitive information.
Access attacks can be classified into four types:
• Password attacks - Implemented using brute force, trojan horse, and packet sniffers
• Trust exploitation - A threat actor uses unauthorized privileges to gain access to a system, possibly
compromising the target.
• Port redirection - A threat actor uses a compromised system as a base for attacks against other targets. For example, a threat actor uses SSH (port 22) to connect to compromised host A. Host A is trusted by host B, so the threat actor relays through A to reach B with Telnet (port 23), a connection B would not have accepted directly from the attacker.
• Man-in-the middle - The threat actor is positioned in between two legitimate entities in order to read or
modify the data that passes between the two parties.

Denial of Service Attacks


Denial of service (DoS) attacks are the most publicized form of attack and among the most difficult to
eliminate. However, because of their ease of implementation and potentially significant damage, DoS
attacks deserve special attention from security administrators.
• DoS attacks take many forms. Ultimately, they prevent authorized people from using a service by consuming
system resources. To help prevent DoS attacks it is important to stay up to date with the latest security updates
for operating systems and applications.
• DoS attacks are a major risk because they interrupt communication and cause significant loss of time and
money. These attacks are relatively simple to conduct, even by an unskilled threat actor.
• A DDoS is similar to a DoS attack, but it originates from multiple, coordinated sources. For example, a threat
actor builds a network of infected hosts, known as zombies. A network of zombies is called a botnet. The
threat actor uses a command and control (CnC) program to instruct the botnet of zombies to carry out a DDoS
attack.
Network Attack Mitigations

The Defense-in-Depth Approach

To mitigate network attacks, you must first secure devices including routers, switches, servers, and hosts. Most organizations employ a defense-in-depth approach (also known as a layered approach) to security. This requires a combination of networking devices and services working in tandem, so that a failure of one control does not expose the assets behind it.
Several security devices and services are implemented to protect an organization's users and assets against TCP/IP threats:
• VPN (virtual private network) for encrypted remote-access and site-to-site connections
• ASA Firewall (Cisco Adaptive Security Appliance)
• IPS (intrusion prevention system)
• ESA/WSA (Cisco Email Security Appliance and Web Security Appliance)
• AAA Server (authentication, authorization, and accounting, for example RADIUS or TACACS+)

Keep Backups

Backing up device configurations and data is one of the most effective ways of protecting against data loss.
Backups should be performed on a regular basis as identified in the security policy. Data backups are usually
stored offsite to protect the backup media if anything happens to the main facility.

The table shows backup considerations and their descriptions.

Consideration   Description
Frequency       • Perform backups on a regular basis as identified in the security policy.
                • Full backups can be time-consuming; therefore perform monthly or weekly full backups with frequent partial backups of changed files.
Storage         • Backups should be transported to an approved offsite storage location on a daily, weekly, or monthly rotation, as required by the security policy.
Security        • Backups should be protected using strong passwords, or better, encrypted. The password or key is required to restore the data, so it must be stored and backed up separately from the media it protects.
Validation      • Always validate backups to ensure the integrity of the data, and validate the file restoration procedures. An untested backup is not a backup.
Upgrade, Update, and Patch

As new malware is released, enterprises need to keep current with the latest versions of antivirus software.
• The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and patch all vulnerable systems.
• One solution to the management of critical security patches is to make sure all end systems automatically download updates.

Authentication, Authorization, and Accounting

Authentication, authorization, and accounting (AAA, or "triple A") network security services provide the primary framework to set up access control on network devices.
• AAA is a way to control who is permitted to access a network (authenticate), what actions they can perform while accessing the network (authorize), and to make a record of what was done while they were there (accounting).
• The concept of AAA is similar to the use of a credit card. The credit card identifies who can use it, how much that user can spend, and keeps an account of what items the user spent money on.
Firewalls
Network firewalls reside between two or more networks, control the traffic between them, and help prevent
unauthorized access.
A firewall could allow outside users controlled access to specific services. For example, servers accessible
to outside users are usually located on a special network referred to as the demilitarized zone (DMZ). The
DMZ enables a network administrator to apply specific policies for hosts connected to that network.

Types of Firewalls

Firewall products come packaged in various forms. These products use different techniques for determining
what will be permitted or denied access to a network. They include the following:
• Packet filtering - Prevents or allows access based on IP or MAC addresses
• Application filtering - Prevents or allows access by specific application types based on port numbers
• URL filtering - Prevents or allows access to websites based on specific URLs or keywords
• Stateful packet inspection (SPI) - Incoming packets must be legitimate responses to requests from
internal hosts. Unsolicited packets are blocked unless permitted specifically. SPI can also include the
capability to recognize and filter out specific types of attacks, such as denial of service (DoS).

Endpoint Security
An endpoint, or host, is an individual computer system or device that acts as a network client. Common
endpoints are laptops, desktops, servers, smartphones, and tablets.
Securing endpoint devices is one of the most challenging jobs of a network administrator because it involves
human nature. A company must have well-documented policies in place and employees must be aware of
these rules.
Employees need to be trained on proper use of the network. Policies often include the use of antivirus
software and host intrusion prevention. More comprehensive endpoint security solutions rely on network
access control.
Device Security

Cisco AutoSecure

The security settings are set to the default values when a new operating system is installed on a device. In
most cases, this level of security is inadequate. For Cisco routers, the Cisco AutoSecure feature can be used
to assist in securing the system.
In addition, there are some simple steps that should be taken that apply to most operating systems:
• Default usernames and passwords should be changed immediately.
• Access to system resources should be restricted to only the individuals that are authorized to use those
resources.
• Any unnecessary services and applications should be turned off and uninstalled when possible.
• Often, devices shipped from the manufacturer have been sitting in a warehouse for a period of time
and do not have the most up-to-date patches installed. It is important to update any software and
install any security patches prior to implementation.

Passwords
To protect network devices, it is important to use strong passwords. Here are standard guidelines to follow:
• Use a password length of at least eight characters, preferably 10 or more characters.
• Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and
spaces, if allowed.
• Avoid passwords based on repetition, common dictionary words, letter or number sequences,
usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor
names, or other easily identifiable pieces of information.
• Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
• Change passwords often. If a password is unknowingly compromised, the window of opportunity for
the threat actor to use the password is limited.
• Do not write passwords down and leave them in obvious places such as on the desk or monitor.

On Cisco routers, leading spaces are ignored for passwords, but spaces after the first character are not.
Therefore, one method to create a strong password is to use the space bar and create a phrase made of many
words. This is called a passphrase. A passphrase is often easier to remember than a simple password. It is
also longer and harder to guess.
Additional Password Security

There are several steps that can be taken to help ensure that passwords remain secret on a Cisco router and
switch, including these:
• Encrypt all plaintext passwords with the service password-encryption command.
• Set a minimum acceptable password length with the security passwords min-length command.
• Deter brute-force password guessing attacks with the login block-for # attempts # within # command.
• Disable an inactive privileged EXEC mode access after a specified amount of time with the exec-timeout
command.

Enable SSH

It is possible to configure a Cisco device to support SSH using the following steps:
1. Configure a unique device hostname. A device must have a unique hostname other than the default.
2. Configure the IP domain name. Configure the IP domain name of the network by using the global
configuration mode command ip domain-name.
3. Generate a key to encrypt SSH traffic. SSH encrypts traffic between source and destination. However, to do
so, a unique authentication key must be generated by using the global configuration command crypto key
generate rsa general-keys modulus bits. The modulus bits value determines the size of the key and can be
configured from 360 bits to 2048 bits. The larger the bit value, the more secure the key. However, larger bit
values also take longer to encrypt and decrypt information. The minimum recommended modulus length is
1024 bits.
4. Verify or create a local database entry. Create a local database username entry using the username global
configuration command.
5. Authenticate against the local database. Use the login local line configuration command to authenticate the
vty line against the local database.
6. Enable vty inbound SSH sessions. By default, no input session is allowed on vty lines. You can specify
multiple input protocols including Telnet and SSH using the transport input [ssh | telnet] command.
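The following session is an added configuration example, not from the study guide, that applies the password-protection commands from the previous section together with the six SSH steps on one router. The hostname R1, the domain name example.com, the username admin and the password value are assumed placeholders.

```cisco
! Added example, not from the study guide. R1, example.com, admin and the
! password value are placeholders; substitute your own.
Router> enable
Router# configure terminal
! Step 1: a unique hostname (the default "Router" is not acceptable for SSH)
Router(config)# hostname R1
! Step 2: the domain name is required before an RSA key pair can be generated
R1(config)# ip domain-name example.com
! Step 3: RSA key pair for SSH; 2048 bits, above the guide's 1024-bit minimum
R1(config)# crypto key generate rsa general-keys modulus 2048
! Additional password security: enforce the length rule before creating users
R1(config)# security passwords min-length 10
! Step 4: local database entry; "secret" stores a one-way hash rather than a
! reversible type 7 string, so it is preferred over "password"
R1(config)# username admin secret Str0ng-Pa55phrase-2024
! Obfuscate any remaining plaintext passwords in the configuration
R1(config)# service password-encryption
! Lock out logins for 120 seconds after 3 failed attempts within 60 seconds
R1(config)# login block-for 120 attempts 3 within 60
! Accept only SSH version 2
R1(config)# ip ssh version 2
! Steps 5 and 6: vty lines authenticate against the local database and accept
! SSH only (Telnet is cleartext); idle sessions are closed after 5 minutes
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exec-timeout 5 0
R1(config-line)# end
! Verification: confirm SSH is enabled and that the vty lines allow only SSH
R1# show ip ssh
R1# show running-config | section line vty
R1# copy running-config startup-config
```

Note that service password-encryption only applies reversible type 7 encoding to passwords such as line passwords; the username secret form above is hashed, which is why it is used for the local database entry.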
Disable Unused Services
Cisco routers and switches start with a list of active services that may or may not be required in your
network. Disable any unused services to preserve system resources, such as CPU cycles and RAM, and
prevent threat actors from exploiting these services.
• The type of services that are on by default will vary depending on the IOS version. For example, IOS-XE
typically will have only HTTPS and DHCP ports open. You can verify this with the show ip ports
all command.

• IOS versions prior to IOS-XE use the show control-plane host open-ports command.
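As an added example, not from the study guide, the following session runs the verification command named above on an IOS-XE router and then turns off services a small router typically does not need. Which services are safe to disable depends on the network, so every command here is an assumption to be confirmed against the output of show ip ports all; the interface name GigabitEthernet0/0/0 is a placeholder.

```cisco
! Added example, not from the study guide. Confirm each service is unused in
! your network before disabling it; interface names are placeholders.
R1# show ip ports all
R1# configure terminal
! HTTP/HTTPS management server: not needed when SSH is used for management
R1(config)# no ip http server
R1(config)# no ip http secure-server
! DHCP server and relay: disable if this router does not hand out addresses
R1(config)# no service dhcp
! Legacy services that are rarely needed on a modern network
R1(config)# no ip bootp server
! IP source routing lets a sender dictate the path; it has no normal use here
R1(config)# no ip source-route
! CDP is useful internally (see show cdp neighbors) but reveals platform and
! address details, so turn it off on the interface facing the ISP
R1(config)# interface GigabitEthernet0/0/0
R1(config-if)# no cdp enable
R1(config-if)# exit
R1(config)# end
! Re-check: only the ports still required should remain open
R1# show ip ports all
R1# copy running-config startup-config
```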

Build a Small Network

Small Network Topologies


• The majority of businesses are small, so most business networks are also small.
• A small network design is usually simple.
• Small networks typically have a single WAN connection provided by DSL, cable, or an Ethernet
connection.
• Large networks require an IT department to maintain, secure, and troubleshoot network devices and
to protect organizational data. Small networks are managed by a local IT technician or by a
contracted professional.

Device Selection for a Small Network

Like large networks, small networks require planning and design to meet user requirements. Planning
ensures that all requirements, cost factors, and deployment options are given due consideration. One of the
first design considerations is the type of intermediary devices to use to support the network.
Factors that must be considered when selecting network devices include:
• cost
• speed and types of ports/interfaces
• expandability
• operating system features and services
IP Addressing for a Small Network
When implementing a network, create an IP addressing scheme and use it. All hosts and devices within an
internetwork must have a unique address. Devices that will factor into the IP addressing scheme include the
following:
• End user devices - The number and type of connections (i.e., wired, wireless, remote access)
• Servers and peripheral devices (e.g., printers and security cameras)
• Intermediary devices including switches and access points

It is recommended that you plan, document, and maintain an IP addressing scheme based on device type.
The use of a planned IP addressing scheme makes it easier to identify a type of device and to troubleshoot
problems.

Redundancy in a Small Network

In order to maintain a high degree of reliability, redundancy is required in the network design. Redundancy
helps to eliminate single points of failure.
Redundancy can be accomplished by installing duplicate equipment. It can also be accomplished by supplying
duplicate network links for critical areas.

Traffic Management
• The goal for a good network design is to enhance the productivity of the employees and minimize
network downtime.
• The routers and switches in a small network should be configured to support real-time traffic, such as
voice and video, in an appropriate manner relative to other data traffic. A good network design will
implement quality of service (QoS).
• Priority queuing has four queues. The high-priority queue is always emptied first.
Small Network Applications and Protocols

Common Applications
After you have set it up, your network still needs certain types of applications and protocols in order to
work. The network is only as useful as the applications that are on it.
There are two forms of software programs or processes that provide access to the network:
• Network Applications: Applications that implement application layer protocols and are able to
communicate directly with the lower layers of the protocol stack.
• Application Layer Services: For applications that are not network-aware, the programs that interface
with the network and prepare the data for transfer.

Common Protocols

Network protocols support the applications and services used by employees in a small network.
• Network administrators commonly require access to network devices and servers. The two most common
remote access solutions are Telnet and Secure Shell (SSH).
• Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) are used between web
clients and web servers.
• Simple Mail Transfer Protocol (SMTP) is used to send email; Post Office Protocol (POP3) or Internet Message
Access Protocol (IMAP) are used by clients to retrieve email.
• File Transfer Protocol (FTP) and Secure File Transfer Protocol (SFTP) are used to download and upload
files between a client and an FTP server.
• Dynamic Host Configuration Protocol (DHCP) is used by clients to acquire an IP configuration from a DHCP
Server.
• The Domain Name Service (DNS) resolves domain names to IP addresses.
Note: A server could provide multiple network services. For instance, a server could be an email, FTP and SSH
server.

These network protocols comprise the fundamental toolset of a network professional, defining:
• Processes on either end of a communication session.
• Types of messages.
• Syntax of the messages.
• Meaning of informational fields.
• How messages are sent and the expected response.
• Interaction with the next lower layer.
Many companies have established a policy of using secure versions (e.g., SSH, SFTP, and HTTPS) of these protocols
whenever possible.
Voice and Video Applications
• Businesses today are increasingly using IP telephony and streaming media to communicate with
customers and business partners, as well as enabling their employees to work remotely.
• The network administrator must ensure the proper equipment is installed in the network and that the
network devices are configured to ensure priority delivery.
• The factors that a small network administrator must consider when supporting real-time applications:
o Infrastructure - Does it have the capacity and capability to support real-time applications?
o VoIP - VoIP is typically less expensive than IP Telephony, but at the cost of quality and features.
o IP Telephony - This employs dedicated servers for call control and signaling.
o Real-Time Applications - The network must support Quality of Service (QoS) mechanisms to
minimize latency issues. Real-Time Transport Protocol (RTP) and Real-Time Transport Control
Protocol (RTCP) are two protocols that support real-time applications.

Scale to Larger Networks

Small Network Growth


Growth is a natural process for many small businesses, and their networks must grow accordingly. Ideally,
the network administrator has enough lead-time to make intelligent decisions about growing the network in
alignment with the growth of the company.
To scale a network, several elements are required:
• Network documentation - Physical and logical topology
• Device inventory - List of devices that use or comprise the network
• Budget - Itemized IT budget, including fiscal year equipment purchasing budget
• Traffic analysis - Protocols, applications, and services and their respective traffic requirements
should be documented
These elements are used to inform the decision-making that accompanies the scaling of a small network.

Protocol Analysis
It is important to understand the type of traffic that is crossing the network as well as the current traffic flow.
There are several network management tools that can be used for this purpose.
To determine traffic flow patterns, it is important to do the following:
• Capture traffic during peak utilization times to get a good representation of the different traffic types.
• Perform the capture on different network segments and devices as some traffic will be local to a
particular segment.
• Information gathered by the protocol analyzer is evaluated based on the source and destination of the
traffic, as well as the type of traffic being sent.
• This analysis can be used to make decisions on how to manage the traffic more efficiently.
Employee Network Utilization

Many operating systems provide built-in tools to display such network utilization information. These tools
can be used to capture a “snapshot” of information such as the following:
• OS and OS Version
• CPU utilization
• RAM utilization
• Drive utilization
• Non-Network applications
• Network applications
Documenting snapshots for employees in a small network over a period of time is very useful to identify
evolving protocol requirements and associated traffic flows.

Verify Connectivity with Ping

Whether your network is small and new, or you are scaling an existing network, you will always want to be
able to verify that your components are properly connected to each other and to the internet.
• The ping command, available on most operating systems, is the most effective way to quickly test Layer 3
connectivity between a source and destination IP address.
• The ping command uses the Internet Control Message Protocol (ICMP) echo (ICMP Type 8) and echo reply
(ICMP Type 0) messages.

On a Windows 10 host, the ping command sends four consecutive ICMP echo messages and expects four
consecutive ICMP echo replies from the destination. The IOS ping sends five ICMP echo messages and
displays an indicator for each ICMP echo reply received.
IOS Ping Indicators are as follows:

Element   Description
!         Exclamation mark indicates successful receipt of an echo reply message. It validates a Layer 3
          connection between source and destination.
.         A period means that time expired waiting for an echo reply message. This indicates a connectivity
          problem occurred somewhere along the path.
U         Uppercase U indicates a router along the path responded with an ICMP Type 3 "destination
          unreachable" error message. Possible reasons include the router does not know the direction to the
          destination network or it could not find the host on the destination network.

Note: Other possible ping replies include Q, M, ?, or &. However, the meaning of these is out of scope for this
module.

Extended Ping

The Cisco IOS offers an "extended" mode of the ping command.
Extended ping is entered in privileged EXEC mode by typing ping without a destination IP address. You will
then be given several prompts to customize the extended ping.
Note: Pressing Enter accepts the indicated default values.
The ping ipv6 command is used for IPv6 extended pings.

Verify Connectivity with Traceroute

The ping command is useful to quickly determine if there is a Layer 3 connectivity problem. However,
it does not identify where the problem is located along the path.
• Traceroute can help locate Layer 3 problem areas in a network. A trace returns a list of hops as a packet is
routed through a network.
• The syntax of the trace command varies between operating systems.

• The following is a sample output of the tracert command on a Windows 10 host.


Note: Use Ctrl-C to interrupt a tracert in Windows.
• The only successful response was from the gateway on R1. Trace requests to the next hop timed out as
indicated by the asterisk (*), meaning that the next hop router did not respond or there is a failure in the
network path. In this example there appears to be a problem between R1 and R2.

The following are sample outputs of the traceroute command from R1:

• On the left, the trace validated that it could successfully reach PC B.


• On the right, the 10.1.1.10 host was not available, and the output shows asterisks where replies timed
out. Timeouts indicate a potential network problem.
• Use Ctrl-Shift-6 to interrupt a traceroute in Cisco IOS.
Note: Windows implementation of traceroute (tracert) sends ICMP Echo Requests. Cisco IOS and Linux use UDP
with an invalid port number. The final destination will return an ICMP port unreachable message.

Extended Traceroute
Like the extended ping command, there is also an extended traceroute command. It allows the
administrator to adjust parameters related to the command operation.
The Windows tracert command allows the input of several parameters through options in the command
line. However, it is not guided like the extended traceroute IOS command. The following output displays the
available options for the Windows tracert command:
• The Cisco IOS extended traceroute option enables the user to create a special type of trace by adjusting
parameters related to the command operation.
• Extended traceroute is entered in privileged EXEC mode by typing traceroute without a destination IP
address. IOS will guide you through the command options by presenting a number of prompts related to
the setting of all the different parameters.

Note: Pressing Enter accepts the indicated default values.

Network Baseline

• One of the most effective tools for monitoring and troubleshooting network performance is to
establish a network baseline.
• One method for starting a baseline is to copy and paste the results from an executed ping, trace, or
other relevant commands into a text file. These text files can be time stamped with the date and
saved into an archive for later retrieval and comparison.
• Among items to consider are error messages and the response times from host to host.
• Corporate networks should have extensive baselines; more extensive than we can describe in this
course. Professional-grade software tools are available for storing and maintaining baseline
information.

Host and IOS Commands

IP Configuration on a Windows Host


In Windows 10, you can access the IP address details from the Network and Sharing Center to quickly
view the four important settings: address, mask, router, and DNS. Or you can issue the ipconfig command at
the command line of a Windows computer.
• Use the ipconfig /all command to view the MAC address, as well as a number of details regarding the Layer 3
addressing of the device.
• If a host is configured as a DHCP client, the IP address configuration can be renewed using the
ipconfig /release and ipconfig /renew commands.
• The DNS Client service on Windows PCs also optimizes the performance of DNS name resolution by
storing previously resolved names in memory. The ipconfig /displaydns command displays all of the
cached DNS entries on a Windows computer system.
IP Configuration on a Linux Host
• Verifying IP settings using the GUI on a Linux machine will differ depending on the Linux distribution
and desktop interface.
• On the command line, use the ifconfig command to display the status of the currently active interfaces
and their IP configuration.
• The Linux ip address command is used to display addresses and their properties. It can also be used to
add or delete IP addresses.
Note: The output displayed may vary depending on the Linux distribution.

IP Configuration on a macOS Host


• In the GUI of a Mac host, open Network Preferences > Advanced to get the IP addressing information.
• The ifconfig command can also be used to verify the interface IP configuration at the command line.
• Other useful macOS commands to verify the host IP settings include networksetup -listallnetworkservices
and networksetup -getinfo <network service>.

The arp Command

The arp command is executed from the Windows, Linux, or Mac command prompt. The command lists all
devices currently in the ARP cache of the host.
• The arp -a command displays the known IP address to MAC address bindings. The ARP cache only displays
information from devices that have been recently accessed.
• To ensure that the ARP cache is populated, ping a device so that it will have an entry in the ARP table.
• The cache can be cleared by using the netsh interface ip delete arpcache command in the event the network
administrator wants to repopulate the cache with updated information.
Note: You may need administrator access on the host to be able to use the netsh interface ip delete
arpcache command.
Common show Commands Revisited
Command                 Description
show running-config     Verifies the current configuration and settings
show interfaces         Verifies the interface status and displays any error messages
show ip interface       Verifies the Layer 3 information of an interface
show arp                Verifies the list of known hosts on the local Ethernet LANs
show ip route           Verifies the Layer 3 routing information
show protocols          Verifies which protocols are operational
show version            Verifies the memory, interfaces, and licenses of the device

The show cdp neighbors Command


CDP provides the following information about each CDP neighbor device:
• Device identifiers - The configured host name of a switch, router, or other device
• Address list - Up to one network layer address for each protocol supported
• Port identifier - The name of the local and remote port in the form of an ASCII character string, such
as FastEthernet 0/0
• Capabilities list - Whether a specific device is a Layer 2 switch or a Layer 3 switch
• Platform - The hardware platform of the device.
The show cdp neighbors detail command reveals the IP address of a neighboring device.

The show ip interface brief Command

One of the most frequently used commands is the show ip interface brief command. This command provides
a more abbreviated output than the show ip interface command. It provides a summary of the key
information for all the network interfaces on a router.
Troubleshooting Methodologies

Basic Troubleshooting Approaches

Step Description

Step 1. Identify the Problem
• This is the first step in the troubleshooting process.
• Although tools can be used in this step, a conversation with the user is often very helpful.

Step 2. Establish a Theory of Probable Causes
• After the problem is identified, try to establish a theory of probable causes.
• This step often yields more than a few probable causes to the problem.

Step 3. Test the Theory to Determine Cause
• Based on the probable causes, test your theories to determine which one is the cause of the problem.
• A technician may apply a quick fix to test and see if it solves the problem.
• If a quick fix does not correct the problem, you might need to research the problem further to establish
the exact cause.

Step 4. Establish a Plan of Action and Implement the Solution
• After you have determined the exact cause of the problem, establish a plan of action to resolve the
problem and implement the solution.

Step 5. Verify Solution and Implement Preventive Measures
• After you have corrected the problem, verify full functionality.
• If applicable, implement preventive measures.

Step 6. Document Findings, Actions, and Outcomes
• In the final step of the troubleshooting process, document your findings, actions, and outcomes.
• This is very important for future reference.

Resolve or Escalate?
• In some situations, it may not be possible to resolve the problem immediately. A problem should be
escalated when it requires a manager decision, some specific expertise, or network access level
unavailable to the troubleshooting technician.
• A company policy should clearly state when and how a technician should escalate a problem.

The debug Command


• The IOS debug command allows the administrator to display OS process, protocol, mechanism and event
messages in real-time for analysis.
• All debug commands are entered in privileged EXEC mode. The Cisco IOS allows for narrowing the output
of debug to include only the relevant feature or subfeature. Use debug commands only to troubleshoot
specific problems.

To list a brief description of all the debugging command options, use the debug ? command in privileged
EXEC mode at the command line.
To turn off a specific debugging feature, add the no keyword in front of the debug command.
Alternatively, you can enter the undebug form of the command in privileged EXEC mode.
To turn off all active debug commands at once, use the undebug all command.
• Be cautious using some debug commands, as they may generate a substantial amount of output and
use a large portion of system resources. The router could get so busy displaying debug messages that
it would not have enough processing power to perform its network functions, or even listen to
commands to turn off debugging.

The terminal monitor Command

• debug and certain other IOS message output is not automatically displayed on remote connections. This is
because log messages are prevented from being displayed on vty lines.
• To display log messages on a terminal (virtual console), use the terminal monitor privileged EXEC
command. To stop logging messages on a terminal, use the terminal no monitor privileged EXEC command.

Troubleshooting Scenarios

Duplex Operation and Mismatch Issues


• Interconnecting Ethernet interfaces must operate in the same duplex mode for best communication
performance and to avoid inefficiency and latency on the link.
• The Ethernet autonegotiation feature facilitates configuration, minimizes problems and maximizes
link performance between two interconnecting Ethernet links. The connected devices first announce
their supported capabilities and then choose the highest performance mode supported by both ends.
• If one of the two connected devices is operating in full-duplex and the other is operating in half-
duplex, a duplex mismatch occurs. While data communication will occur through a link with a
duplex mismatch, link performance will be very poor.
• Duplex mismatches are typically caused by a misconfigured interface or in rare instances by a failed
autonegotiation. Duplex mismatches may be difficult to troubleshoot as the communication between
devices still occurs.
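The following is an added example, not from the study guide, showing how a duplex mismatch between a switch port and a router interface is found and corrected with the duplex and speed interface commands covered under Configure Switch Ports. The hostnames S1 and R1 and the interface names are assumed placeholders.

```cisco
! Added example, not from the study guide. S1, R1 and the interface names are
! placeholders. Both ends of the link must end up with matching settings.
!
! Symptoms to look for in "show interfaces" before changing anything:
!   half-duplex side : collisions and late collisions rising on the counters
!   full-duplex side : CRC errors, runts and input errors rising
S1# show interfaces FastEthernet0/1
S1# show interfaces FastEthernet0/1 status
!
! Preferred fix: return both ends to autonegotiation so speed and duplex are
! chosen consistently (the guide notes mismatches are usually misconfiguration)
S1# configure terminal
S1(config)# interface FastEthernet0/1
S1(config-if)# speed auto
S1(config-if)# duplex auto
S1(config-if)# end
!
! Alternative when one end cannot negotiate: hard-code BOTH ends identically.
! Hard-coding only one side to full-duplex makes the autonegotiating side fall
! back to half-duplex, which recreates the mismatch.
S1# configure terminal
S1(config)# interface FastEthernet0/1
S1(config-if)# speed 100
S1(config-if)# duplex full
S1(config-if)# end
R1# configure terminal
R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# speed 100
R1(config-if)# duplex full
R1(config-if)# end
!
! Verify: reset the counters, generate some traffic, and confirm that both ends
! report the same speed/duplex and that the error counters stop rising
S1# clear counters FastEthernet0/1
S1# show interfaces FastEthernet0/1
R1# show interfaces GigabitEthernet0/0/1
```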
IP Addressing Issues on IOS Devices
• Two common causes of incorrect IPv4 assignment are manual assignment mistakes or DHCP-related issues.
• Network administrators often have to manually assign IP addresses to devices such as servers and routers. If a
mistake is made during the assignment, then communications issues with the device are very likely to occur.

IP Addressing Issues on End Devices


• On Windows-based machines, when the device cannot contact a DHCP server, Windows will automatically
assign an address belonging to the 169.254.0.0/16 range. This feature is called Automatic Private IP
Addressing (APIPA).
• A computer with an APIPA address will not be able to communicate with other devices in the network
because those devices will most likely not belong to the 169.254.0.0/16 network.
Note: Other operating systems, such as Linux and OS X, do not use APIPA.
• If the device is unable to communicate with the DHCP server, then the server cannot assign an IPv4 address
for the specific network and the device will not be able to communicate.
• To verify the IP addresses assigned to a Windows-based computer, use the ipconfig command.

Default Gateway Issues


• The default gateway for an end device is the closest networking device, belonging to the same network as the
end device, that can forward traffic to other networks. If a device has an incorrect or nonexistent default
gateway address, it will not be able to communicate with devices in remote networks.
• Similar to IPv4 addressing issues, default gateway problems can be related to misconfiguration (in the case of
manual assignment) or DHCP problems (if automatic assignment is in use).
• To verify the default gateway on Windows-based computers, use the ipconfig command.
• On a router, verify that a default route has been set. This route is used when the destination address of the
packet does not match any other routes in its routing table.

Troubleshooting DNS Issues


• It is common for users to mistakenly relate the operation of an internet link to the availability of the DNS.
• DNS server addresses can be manually or automatically assigned via DHCP.
• Although it is common for companies and organizations to manage their own DNS servers, any reachable
DNS server can be used to resolve names.
• Cisco offers OpenDNS which provides secure DNS service by filtering phishing and some malware sites.
OpenDNS addresses are 208.67.222.222 and 208.67.220.220. Advanced features such as web content filtering
and security are available to families and businesses.
• Use the ipconfig /all as shown to verify which DNS server is in use by the Windows computer.
• The nslookup command is another useful DNS troubleshooting tool for PCs. With nslookup a user can
manually place DNS queries and analyze the DNS response.
Basic Device Configuration

Switch Boot Sequence

After a Cisco switch is powered on, it goes through the following five-step boot sequence:

Step 1: First, the switch loads a power-on self-test (POST) program stored in ROM. POST checks the CPU subsystem.
It tests the CPU, DRAM, and the portion of the flash device that makes up the flash file system.
Step 2: Next, the switch loads the boot loader software. The boot loader is a small program stored in ROM that is run
immediately after POST successfully completes.
Step 3: The boot loader performs low-level CPU initialization. It initializes the CPU registers, which control where
physical memory is mapped, the quantity of memory, and its speed.
Step 4: The boot loader initializes the flash file system on the system board.
Step 5: Finally, the boot loader locates and loads a default IOS operating system software image into memory and gives
control of the switch over to the IOS.

The boot system Command


• The switch attempts to automatically boot by using information in the BOOT environment variable. If this
variable is not set, the switch attempts to load and execute the first executable file it can find.
• The IOS operating system then initializes the interfaces using the Cisco IOS commands found in the startup-
config file. The startup-config file is called config.text and is located in flash.
• In the example, the BOOT environment variable is set using the boot system global configuration mode
command. Notice that the IOS is located in a distinct folder and the folder path is specified. Use the
command show boot to see what the current IOS boot file is set to.

Command                           Definition
boot system                       The main command
flash:                            The storage device
c2960-lanbasek9-mz.150-2.SE/      The path to the file system
c2960-lanbasek9-mz.150-2.SE.bin   The IOS file name


Switch SVI Configuration Example

By default, the switch is configured to have its management controlled through VLAN 1. All ports are
assigned to VLAN 1 by default. For security purposes, it is considered a best practice to use a VLAN other
than VLAN 1 for the management VLAN.
Step 1: Configure the Management Interface: From VLAN interface configuration mode, an IPv4 address
and subnet mask is applied to the management SVI of the switch.
Note: The SVI for VLAN 99 will not appear as “up/up” until VLAN 99 is created and there is a device connected to a
switch port associated with VLAN 99.
Note: The switch may need to be configured for IPv6. For example, before you can configure IPv6 addressing on a
Cisco Catalyst 2960 running IOS version 15.0, you will need to enter the global configuration command sdm prefer
dual-ipv4-and-ipv6 default and then reload the switch.

Switch SVI Configuration Example

Task IOS Commands

Enter global configuration mode. S1# configure terminal

Enter interface configuration mode for the SVI. S1(config)# interface vlan 99

Configure the management interface IPv4 address. S1(config-if)# ip address 172.17.99.11 255.255.255.0

Configure the management interface IPv6 address S1(config-if)# ipv6 address 2001:db8:acad:99::1/64

Enable the management interface. S1(config-if)# no shutdown

Return to the privileged EXEC mode. S1(config-if)# end

Save the running config to the startup config. S1# copy running-config startup-config

Step 2: Configure the Default Gateway


• The switch should be configured with a default gateway if it will be managed remotely from networks
that are not directly connected.
• Note: Because it will receive its default gateway information from a router advertisement (RA) message, the
switch does not require an IPv6 default gateway.

Task IOS Commands

Enter global configuration mode. S1# configure terminal

Configure the default gateway for the switch. S1(config)# ip default-gateway 172.17.99.1

Return to the privileged EXEC mode. S1(config)# end

Save the running config to the startup config. S1# copy running-config startup-config
Step 3: Verify Configuration
• The show ip interface brief and show ipv6 interface brief commands are useful for determining the status
of both physical and virtual interfaces. The output shown confirms that interface VLAN 99 has been configured
with an IPv4 and IPv6 address.
Note: An IP address applied to the SVI is only for remote management access to the switch; this does not allow
the switch to route Layer 3 packets.

Configure Switch Ports

Duplex Communication
• Full-duplex communication increases bandwidth efficiency by allowing both ends of a connection to transmit
and receive data simultaneously. This is also known as bidirectional communication and it requires
microsegmentation.
• A microsegmented LAN is created when a switch port has only one device connected and is operating in
full-duplex mode. There is no collision domain associated with a switch port operating in full-duplex mode.
• Unlike full-duplex communication, half-duplex communication is unidirectional. Half-duplex communication
creates performance issues because data can flow in only one direction at a time, often resulting in collisions.
• Gigabit Ethernet and 10 Gb NICs require full-duplex connections to operate. In full-duplex mode, the collision
detection circuit on the NIC is disabled. Full-duplex offers 100 percent efficiency in both directions
(transmitting and receiving). This results in a doubling of the potential use of the stated bandwidth.

Configure Switch Ports at the Physical Layer


• Switch ports can be manually configured with specific duplex and speed settings. The respective interface
configuration commands are duplex and speed.
• The default setting for both duplex and speed for switch ports on Cisco Catalyst 2960 and 3560 switches is auto.
The 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mbps and
operate only in full-duplex mode when they are set to 1000 Mbps (1 Gbps).
• Autonegotiation is useful when the speed and duplex settings of the device connecting to the port are unknown
or may change. When connecting to known devices such as servers, dedicated workstations, or network devices,
a best practice is to manually set the speed and duplex settings.
• When troubleshooting switch port issues, it is important that the duplex and speed settings are checked.
Note: Mismatched settings for the duplex mode and speed of switch ports can cause connectivity issues.
Autonegotiation failure creates mismatched settings. All fiber-optic ports, such as 1000BASE-SX ports,
operate only at one preset speed and are always full-duplex.

Task | IOS Commands
Enter global configuration mode. | S1# configure terminal
Enter interface configuration mode. | S1(config)# interface FastEthernet 0/1
Configure the interface duplex. | S1(config-if)# duplex full
Configure the interface speed. | S1(config-if)# speed 100
Return to the privileged EXEC mode. | S1(config-if)# end
Save the running config to the startup config. | S1# copy running-config startup-config

Verify Switch Port Configuration


• Fast Ethernet 0/18 interface configured with the
management VLAN 99
• VLAN 99 configured with an IPv4 address of
172.17.99.11 255.255.255.0
• Default gateway set to 172.17.99.1

Verify Switch Port Configuration

The show interfaces command is another commonly used command, which displays status and statistics
information on the network interfaces of the switch. The show interfaces command is frequently used when
configuring and monitoring network devices.
The first line of the output for the show interfaces fastEthernet 0/18 command indicates that the
FastEthernet 0/18 interface is up/up, meaning that it is operational. Further down, the output shows that the
duplex is full and the speed is 100 Mbps.
Secure Remote Access

Telnet Operation

Telnet uses TCP port 23. It is an older protocol that uses unsecure plaintext transmission of both the login
authentication (username and password) and the data transmitted between the communicating devices.
A threat actor can monitor packets using Wireshark. For example, in the figure the threat actor captured the
username admin and password ccna from a Telnet session.

SSH Operation

Secure Shell (SSH) is a secure protocol that uses TCP port 22. It provides a secure (encrypted) management
connection to a remote device. SSH should replace Telnet for management connections. SSH provides
security for remote connections by providing strong encryption when a device is authenticated (username
and password) and also for the transmitted data between the communicating devices.

Verify the Switch Supports SSH


To enable SSH on a Catalyst 2960 switch, the switch must be using a version of the IOS software including
cryptographic (encrypted) features and capabilities. Use the show version command on the switch to see which IOS
the switch is currently running. An IOS filename that includes the combination “k9” supports cryptographic
(encrypted) features and capabilities.
The example shows the output of the show version command.
Configure SSH
Before configuring SSH, the switch must be minimally configured with a unique hostname and the correct
network connectivity settings.
Step 1: Verify SSH support - Use the show ip ssh command to verify that the switch supports SSH. If the switch is not
running an IOS that supports cryptographic features, this command is unrecognized.
Step 2: Configure the IP domain - Configure the IP domain name of the network using the ip domain-name domain-
name global configuration mode command.
Step 3: Generate RSA key pairs - Generating an RSA key pair automatically enables SSH. Use the crypto key
generate rsa global configuration mode command to enable the SSH server on the switch and generate an RSA key
pair.

Note: To delete the RSA key pair, use the crypto key zeroize rsa global configuration mode command. After the RSA
key pair is deleted, the SSH server is automatically disabled.

Step 4: Configure user authentication - The SSH server can authenticate users locally or using an authentication
server. To use the local authentication method, create a username and password pair using
the username username secret password global configuration mode command.
Step 5: Configure the vty lines - Enable the SSH protocol on the vty lines by using the transport input ssh line
configuration mode command. Use the line vty global configuration mode command and then the login local line
configuration mode command to require local authentication for SSH connections from the local username database.
Step 6: Enable SSH version 2 - By default, SSH supports both versions 1 and 2. When supporting both versions, this
is shown in the show ip ssh output as supporting version 2. Enable SSH version 2 using the ip ssh version 2 global
configuration command.

Verify SSH is Operational


On a PC, an SSH client such as PuTTY, is used to connect to an SSH server. For example, assume the
following is configured:
• SSH is enabled on switch S1
• Interface VLAN 99 (SVI) with IPv4 address 172.17.99.11 on switch S1
• PC1 with IPv4 address 172.17.99.21
Using a terminal emulator, initiate an SSH connection to the SVI VLAN IPv4 address of S1 from PC1.
When connected, the user is prompted for a username and password as shown in the example. Using the
configuration from the previous example, the username admin and password ccna are entered. After entering
the correct combination, the user is connected via SSH to the command line interface (CLI) on the Catalyst
2960 switch.
Verify SSH is Operational

To display the version and configuration data for SSH on the device that you configured as an SSH server,
use the show ip ssh command. In the example, SSH version 2 is enabled.

Basic Router Configuration

Configure Basic Router Settings

Cisco routers and Cisco switches have many similarities. They support a similar modal operating system,
similar command structures, and many of the same commands. In addition, both devices have similar initial
configuration steps. For example, the following configuration tasks should always be performed. Name the
device to distinguish it from other routers and configure passwords, as shown in the example.

Configure a banner to provide legal notification of unauthorized access, as shown in the example.

Save the changes on a router, as shown in the example.


Dual Stack Topology

One distinguishing feature between switches and routers is the type of interfaces supported by each. For
example, Layer 2 switches support LANs; therefore, they have multiple FastEthernet or Gigabit Ethernet
ports. The dual stack topology in the figure is used to demonstrate the configuration of router IPv4 and IPv6
interfaces.

Configure Router Interfaces

Routers support LANs and WANs and can interconnect different types of networks; therefore, they support
many types of interfaces. For example, G2 ISRs have one or two integrated Gigabit Ethernet interfaces and
High-Speed WAN Interface Card (HWIC) slots to accommodate other types of network interfaces, including
serial, DSL, and cable interfaces.
To be available, an interface must be:
• Configured with at least one IP address - Use the ip address ip-address subnet-mask and the ipv6 address
ipv6-address/prefix interface configuration commands.
• Activated - By default, LAN and WAN interfaces are not activated (shutdown). To enable an interface, it must
be activated using the no shutdown command. (This is similar to powering on the interface.) The interface
must also be connected to another device (a hub, a switch, or another router) for the physical layer to be active.
• Description - Optionally, the interface could also be configured with a short description of up to 240
characters. It is good practice to configure a description on each interface. On production networks, the
benefits of interface descriptions are quickly realized as they are helpful in troubleshooting and in identifying
a third-party connection and contact information.
IPv4 Loopback Interfaces
• The loopback interface is a logical interface that is internal to the router. It is not assigned to a
physical port and can never be connected to any other device. It is considered a software interface
that is automatically placed in an “up” state, as long as the router is functioning.
• The loopback interface is useful in testing and managing a Cisco IOS device because it ensures that
at least one interface will always be available. For example, it can be used for testing purposes, such
as testing internal routing processes, by emulating networks behind the router.
• Loopback interfaces are also commonly used in lab environments to create additional interfaces. For
example, you can create multiple loopback interfaces on a router to simulate more networks for
configuration practice and testing purposes. The IPv4 address for each loopback interface must be
unique and unused by any other interface. In this curriculum, we often use a loopback interface to
simulate a link to the internet.

Enabling and assigning a loopback address is simple:


Router(config)# interface loopback number
Router(config-if)# ip address ip-address subnet-mask

Interface Verification Commands

There are several show commands that can be used to verify the operation and configuration of an interface.
The following commands are especially useful to quickly identify the status of an interface:
• show ip interface brief and show ipv6 interface brief - These display a summary for all
interfaces including the IPv4 or IPv6 address of the interface and current operational status.
• show running-config interface interface-id - This displays the commands applied to the
specified interface.
• show ip route and show ipv6 route - These display the contents of the IPv4 or IPv6 routing
table stored in RAM. In Cisco IOS 15, active interfaces should appear in the routing table
with two related entries identified by the code ‘C’ (Connected) or ‘L’ (Local). In previous
IOS versions, only a single entry with the code ‘C’ will appear.
Verify Interface Status

The output of the show ip interface brief and show ipv6 interface brief commands can be used to quickly
reveal the status of all interfaces on the router. You can verify that the interfaces are active and operational
as indicated by the Status of “up” and Protocol of “up”, as shown in the example. A different output would
indicate a problem with either the configuration

Verify IPv6 Link Local and Multicast Addresses

The output of the show ipv6 interface brief command displays two configured IPv6 addresses per interface.
One address is the IPv6 global unicast address that was manually entered. The other address, which begins
with FE80, is the link-local unicast address for the interface. A link-local address is automatically added to
an interface whenever a global unicast address is assigned. An IPv6 network interface is required to have a
link-local address, but not necessarily a global unicast address.
The show ipv6 interface gigabitethernet 0/0/0 command displays the interface status and all of the IPv6
addresses belonging to the interface. Along with the link local address and global unicast address, the output
includes the multicast addresses assigned to the interface, beginning with prefix FF02, as shown in the
example.
Verify Interface Configuration

The output of the show running-config interface command displays the current commands applied to the
specified interface, as shown.
The following two commands are used to gather more detailed interface information:
• show interfaces - Displays interface information and packet flow count for all interfaces on
the device.
• show ip interface and show ipv6 interface - Displays the IPv4 and IPv6 related information
for all interfaces on a router.

Verify Routes

The output of the show ip route and show ipv6 route commands reveals the three directly connected
network entries and the three local host route interface entries, as shown in the example.
The local host route has an administrative distance of 0. It also has a /32 mask for IPv4, and a /128 mask
for IPv6. The local host route is for routes on the router that owns the IP address. It is used to allow the
router to process packets destined to that IP.
A ‘C’ next to a route within the routing table indicates that this is a directly connected network. When the
router interface is configured with a global unicast address and is in the “up/up” state, the IPv6 prefix and
prefix length are added to the IPv6 routing table as a connected route.
The IPv6 global unicast address applied to the interface is also installed in the routing table as a local route.
The local route has a /128 prefix. Local routes are used by the routing table to efficiently process packets
with the interface address of the router as the destination.
Switching

Frame Forwarding

Switching in Networking
Two terms are associated with frames entering or leaving an interface:
• Ingress – entering the interface
• Egress – exiting the interface

A switch forwards based on the ingress interface and the destination MAC address.
A switch uses its MAC address table to make forwarding decisions.
Note: A switch will never forward traffic out the interface on which it received the traffic.

The Switch MAC Address Table

A switch will use the destination MAC address to determine the egress interface.
Before a switch can make this decision, it must learn on which interface the destination is located.
A switch builds a MAC address table, also known as a Content Addressable Memory (CAM) table, by
recording the source MAC address of each frame into the table along with the port on which it was received.

The Switch Learn and Forward Method

The switch uses a two-step process:

Step 1. Learn – Examines Source Address
• Adds the source MAC if not in table
• Resets the timeout back to 5 minutes if source is in the table

Step 2. Forward – Examines Destination Address
• If the destination MAC is in the MAC address table it is forwarded out the specified port.
• If a destination MAC is not in the table, it is flooded out all interfaces except the one on which it was
received.
Switches use software on application-specific integrated circuits (ASICs) to make very quick decisions.
A switch will use one of two methods to make forwarding decisions after it receives a frame:
• Store-and-forward switching - Receives the entire frame and ensures the frame is valid. Store-and-forward
switching is Cisco’s preferred switching method.
• Cut-through switching – Forwards the frame immediately after determining the destination MAC address of
an incoming frame and the egress port.

Store-and-Forward Switching
Store-and-forward has two primary characteristics:
• Error Checking – The switch will check the Frame Check Sequence (FCS) for CRC errors. Bad
frames will be discarded.
• Buffering – The ingress interface will buffer the frame while it checks the FCS. This also allows the
switch to adjust to a potential difference in speeds between the ingress and egress ports.

Cut-Through Switching
• Cut-through forwards the frame immediately after determining the destination MAC.
• Fragment (Frag) Free method will check the destination and ensure that the frame is at least 64 Bytes. This
will eliminate runts.
Concepts of Cut-Through switching:
• Is appropriate for switches needing latency to be under 10 microseconds
• Does not check the FCS, so it can propagate errors
• May lead to bandwidth issues if the switch propagates too many errors
• Cannot support ports with differing speeds going from ingress to egress
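The learn-and-forward process and the three frame-acceptance modes described above, as an added Python model that is not from the study guide or from Cisco: the switch records each source MAC against its ingress port, forwards known unicast out a single port, floods unknown unicast, broadcast and multicast out every port except the ingress port, ages entries after the 5-minute default, and in store-and-forward mode checks the CRC-32 FCS before forwarding, while a cut-through switch passes the same corrupted frame along. The port numbers, MAC addresses and frames are constructed for the demo; the `Switch` class and its method names are this example's own.

```python
# Added example: toy model of switch learning/forwarding and FCS checking.
# Not the study guide's or Cisco's code; MACs, ports and frames are constructed.
import zlib

AGING_SECONDS = 300   # default MAC address table aging time (5 minutes)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def is_group_address(mac):
    # Broadcast and multicast MACs have the I/G bit (LSB of the first byte) set.
    return int(mac.split(":")[0], 16) & 1 == 1


def build_frame(dst, src, payload, corrupt=False):
    """Ethernet II frame with CRC-32 FCS; corrupt=True flips a byte after the FCS is computed."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    body = (hdr + (0x0800).to_bytes(2, "big") + payload).ljust(60, b"\x00")  # 60 bytes + 4-byte FCS = 64
    fcs = zlib.crc32(body).to_bytes(4, "little")   # Ethernet FCS is CRC-32, least-significant byte first
    if corrupt:
        body = body[:-1] + bytes([body[-1] ^ 0xFF])
    return body + fcs


def fcs_is_valid(frame):
    return zlib.crc32(frame[:-4]).to_bytes(4, "little") == frame[-4:]


class Switch:
    def __init__(self, ports, mode="store-and-forward"):
        self.ports = list(ports)
        self.mode = mode          # "store-and-forward", "fragment-free" or "cut-through"
        self.table = {}           # MAC -> (port, last seen)

    def accept(self, frame):
        if self.mode == "store-and-forward":
            return fcs_is_valid(frame)       # whole frame buffered, FCS checked, bad frames dropped
        if self.mode == "fragment-free":
            return len(frame) >= 64          # only rejects runts; the FCS is not checked
        return len(frame) >= 6               # cut-through: only the destination MAC is needed

    def forward(self, frame, ingress, now):
        """Return the list of egress ports for a frame that arrived on `ingress` at time `now`."""
        if not self.accept(frame):
            return []
        dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
        self.table[src] = (ingress, now)                       # Step 1: learn / refresh the source MAC
        entry = None if is_group_address(dst) else self.table.get(dst)
        if entry is not None and now - entry[1] > AGING_SECONDS:
            del self.table[dst]                                # stale entry aged out
            entry = None
        if entry is None:                                      # unknown unicast, broadcast, multicast: flood
            return [p for p in self.ports if p != ingress]
        return [] if entry[0] == ingress else [entry[0]]       # Step 2: never send back out the ingress port


def demo():
    a, b = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed host MACs
    sw = Switch(ports=[1, 2, 3, 4])
    t = 1000.0
    flooded = sw.forward(build_frame(b, a, b"hello"), ingress=1, now=t)          # B unknown
    reply = sw.forward(build_frame(a, b, b"hi"), ingress=2, now=t + 1)           # A learned on port 1
    known = sw.forward(build_frame(b, a, b"again"), ingress=1, now=t + 2)        # B learned on port 2
    dropped = sw.forward(build_frame(b, a, b"bad", corrupt=True), ingress=1, now=t + 3)
    aged = sw.forward(build_frame(b, a, b"late"), ingress=1, now=t + 400)       # B entry older than 300 s
    cut = Switch(ports=[1, 2], mode="cut-through")
    propagated = cut.forward(build_frame(b, a, b"bad", corrupt=True), ingress=1, now=t)
    return flooded, reply, known, dropped, aged, propagated


if __name__ == "__main__":
    print(demo())
```

The `demo()` run returns `([2, 3, 4], [1], [2], [], [2, 3, 4], [2])`: the first frame to B is flooded, B's reply lets the switch learn A on port 1, the next frame to B goes out port 2 only, the corrupted frame is discarded by the store-and-forward switch, the frame sent after the aging time is flooded again, and the cut-through switch forwards the corrupted frame unchanged.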
Switching Domains

Collision Domains

Switches eliminate collision domains and reduce congestion.
• When there is full duplex on the link, the collision domains are eliminated.
• When one or more devices on the link are in half-duplex, there will now be a collision domain. There will
now be contention for the bandwidth. Collisions are now possible.
• Most devices, including Cisco and Microsoft, use autonegotiation as the default setting for duplex and speed.

Broadcast Domains

A broadcast domain extends across all Layer 1 or Layer 2 devices on a LAN.
Only a Layer 3 device (router) will break the broadcast domain, also called a MAC broadcast domain.
The broadcast domain consists of all devices on the LAN that receive the broadcast traffic.
• When the Layer 2 switch receives the broadcast it will flood it out all interfaces except for the ingress interface.
• Too many broadcasts may cause congestion and poor network performance.
• Increasing devices at Layer 1 or Layer 2 will cause the broadcast domain to expand.
Alleviated Network Congestion

Switches use the MAC address table and full-duplex to eliminate collisions and avoid congestion.
Features of the switch that alleviate congestion are as follows:

Feature | Function
Fast Port Speeds | Depending on the model, switches may have up to 100 Gbps port speeds.
Fast Internal Switching | This uses a fast internal bus or shared memory to improve performance.
Large Frame Buffers | This allows for temporary storage while processing large quantities of frames.
High Port Density | This provides many ports for devices to be connected to the LAN at less cost. This also provides for more local traffic with less congestion.

STP

Redundancy in Layer 2 Switched Networks


• Redundancy is an important part of the hierarchical design for eliminating single points of failure
and preventing disruption of network services to users. Redundant networks require the addition of
physical paths, but logical redundancy must also be part of the design. Having alternate physical
paths for data to traverse the network makes it possible for users to access network resources, despite
path disruption. However, redundant paths in a switched Ethernet network may cause both physical
and logical Layer 2 loops.
• Ethernet LANs require a loop-free topology with a single path between any two devices. A loop in
an Ethernet LAN can cause continued propagation of Ethernet frames until a link is disrupted and
breaks the loop.

Spanning Tree Protocol

• Spanning Tree Protocol (STP) is a loop-prevention network protocol that allows for redundancy while
creating a loop-free Layer 2 topology.
• STP logically blocks physical loops in a Layer 2 network, preventing frames from circling the network forever.
STP Recalculation
STP compensates for a failure in the network by recalculating and opening up previously blocked ports.

Issues with Redundant Switch Links


• Path redundancy provides multiple network services by eliminating the possibility of a single point
of failure. When multiple paths exist between two devices on an Ethernet network, and there is no
spanning tree implementation on the switches, a Layer 2 loop occurs. A Layer 2 loop can result in
MAC address table instability, link saturation, and high CPU utilization on switches and end-devices,
resulting in the network becoming unusable.
• Layer 2 Ethernet does not include a mechanism to recognize and eliminate endlessly looping frames.
Both IPv4 and IPv6 include a mechanism that limits the number of times a Layer 3 networking
device can retransmit a packet. A router will decrement the TTL (Time to Live) in every IPv4
packet, and the Hop Limit field in every IPv6 packet. When these fields are decremented to 0, a
router will drop the packet. Ethernet and Ethernet switches have no comparable mechanism for
limiting the number of times a switch retransmits a Layer 2 frame. STP was developed specifically
as a loop prevention mechanism for Layer 2 Ethernet.

Layer 2 Loops
• Without STP enabled, Layer 2 loops can form, causing broadcast, multicast and unknown unicast
frames to loop endlessly. This can bring down a network quickly.
• When a loop occurs, the MAC address table on a switch will constantly change with the updates
from the broadcast frames, which results in MAC database instability. This can cause high CPU
utilization, which makes the switch unable to forward frames.
• An unknown unicast frame is when the switch does not have the destination MAC address in its
MAC address table and must forward the frame out all ports, except the ingress port.
Broadcast Storm
• A broadcast storm is an abnormally high number of broadcasts overwhelming the network during a
specific amount of time. Broadcast storms can disable a network within seconds by overwhelming
switches and end devices. Broadcast storms can be caused by a hardware problem such as a faulty
NIC or from a Layer 2 loop in the network.
• Layer 2 broadcasts in a network, such as ARP Requests, are very common. Layer 2 multicasts are
typically forwarded the same way as a broadcast by the switch. IPv6 packets are never forwarded as
a Layer 2 broadcast; ICMPv6 Neighbor Discovery uses Layer 2 multicasts.
• A host caught in a Layer 2 loop is not accessible to other hosts on the network. Additionally, due to
the constant changes in its MAC address table, the switch does not know out of which port to
forward unicast frames.
• To prevent these issues from occurring in a redundant network, some type of spanning tree must be
enabled on the switches. Spanning tree is enabled, by default, on Cisco switches to prevent Layer 2
loops from occurring.

The Spanning Tree Algorithm


• STP is based on an algorithm invented by Radia Perlman while working for Digital Equipment
Corporation, and published in the 1985 paper "An Algorithm for Distributed Computation of a
Spanning Tree in an Extended LAN.” Her spanning tree algorithm (STA) creates a loop-free
topology by selecting a single root bridge where all other switches determine a single least-cost path.
STP prevents loops from occurring by configuring a loop-free path through the network using strategically
placed "blocking-state" ports. The switches running STP are able to compensate for failures by dynamically
unblocking the previously blocked ports and permitting traffic to traverse the alternate paths.

How does the STA create a loop-free topology?


• Selecting a Root Bridge: This bridge (switch) is the reference point for the entire network to build a spanning
tree around.
• Block Redundant Paths: STP ensures that there is only one logical path between all destinations on the
network by intentionally blocking redundant paths that could cause a loop. When a port is blocked, user data
is prevented from entering or leaving that port.
• Create a Loop-Free Topology: A blocked port has the effect of making that link a non-forwarding link
between the two switches. This creates a topology where each switch has only a single path to the root bridge,
similar to branches on a tree that connect to the root of the tree.
• Recalculate in case of Link Failure: The physical paths still exist to provide redundancy, but these paths are
disabled to prevent the loops from occurring. If the path is ever needed to compensate for a network cable or
switch failure, STP recalculates the paths and unblocks the necessary ports to allow the redundant path to
become active. STP recalculations can also occur any time a new switch or new inter-switch link is added to
the network.
Steps to a Loop-Free Topology

Using the STA, STP builds a loop-free topology in a four-step process:


1. Elect the root bridge.
2. Elect the root ports.
3. Elect designated ports.
4. Elect alternate (blocked) ports.

• During STA and STP functions, switches use Bridge Protocol Data Units (BPDUs) to share
information about themselves and their connections. BPDUs are used to elect the root bridge, root
ports, designated ports, and alternate ports.
• Each BPDU contains a bridge ID (BID) that identifies which switch sent the BPDU. The BID is
involved in making many of the STA decisions including root bridge and port roles.
• The BID contains a priority value, the MAC address of the switch, and an extended system ID. The
lowest BID value is determined by the combination of these three fields.

Bridge Priority: The default priority value for all Cisco switches is the decimal value 32768. The range is 0 to 61440
in increments of 4096. A lower bridge priority is preferable. A bridge priority of 0 takes precedence over all other
bridge priorities.
Extended System ID: The extended system ID value is a decimal value added to the bridge priority value in the BID
to identify the VLAN for this BPDU.
MAC address: When two switches are configured with the same priority and have the same extended system ID, the
switch whose MAC address has the lowest value, expressed in hexadecimal, will have the lower BID.

1. Elect the Root Bridge


• The STA designates a single switch as the root bridge and uses it as the reference point for all path
calculations. Switches exchange BPDUs to build the loop-free topology beginning with selecting the root
bridge.
• All switches in the broadcast domain participate in the election process. After a switch boots, it begins to send
out BPDU frames every two seconds. These BPDU frames contain the BID of the sending switch and the BID
of the root bridge, known as the Root ID.
• The switch with the lowest BID will become the root bridge. At first, all switches declare themselves as the
root bridge with their own BID set as the Root ID. Eventually, the switches learn through the exchange of
BPDUs which switch has the lowest BID and will agree on one root bridge.
Impact of Default BIDs

• Because the default BID is 32768, it is possible for two or more switches to have the same priority. In this
scenario, where the priorities are the same, the switch with the lowest MAC address will become the root
bridge. The administrator should configure the desired root bridge switch with a lower priority.
• In the figure, all switches are configured with the same priority of 32769. Here the MAC address becomes
the deciding factor as to which switch becomes the root bridge. The switch with the lowest hexadecimal MAC
address value is the preferred root bridge. In this example, S2 has the lowest value for its MAC address and is
elected as the root bridge for that spanning tree instance.

Note: The priority of all the switches is 32769. The value is based on the 32768 default bridge priority and the
extended system ID (VLAN 1 assignment) associated with each switch (32768+1).
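How the BID is assembled from priority, extended system ID and MAC address, and how the root bridge election falls back to the MAC address when priorities are equal, as an added Python example that is not from the study guide or from Cisco. The switch names and MAC addresses are constructed; the `spanning-tree vlan 1 priority 24576` command mentioned in a comment is a real IOS global configuration command, but the functions below are this example's own and simply compare BIDs the way the text describes.

```python
# Added example: bridge ID (BID) construction and root bridge election.
# Not the study guide's or Cisco's code; switch names and MACs are constructed.

def bridge_id(priority, vlan, mac):
    """BID as a comparable tuple: (priority + extended system ID, MAC as an integer).

    The extended system ID carries the VLAN number, so a switch left at the
    default priority advertises 32768 + 1 = 32769 for VLAN 1."""
    if not 0 <= priority <= 61440 or priority % 4096:
        raise ValueError("bridge priority must be 0..61440 in increments of 4096")
    return (priority + vlan, int(mac.replace(".", "").replace(":", ""), 16))


def format_bid(bid):
    """Render in the priority.MAC notation used in the text, e.g. 32769.000a.0011.1111."""
    prio, mac = bid
    h = f"{mac:012x}"
    return f"{prio}.{h[0:4]}.{h[4:8]}.{h[8:12]}"


def elect_root(switches, vlan):
    """switches: {name: (configured priority, MAC)}. The lowest BID wins the election;
    with equal priorities the lowest MAC address decides."""
    bids = {name: bridge_id(prio, vlan, mac) for name, (prio, mac) in switches.items()}
    root = min(bids, key=bids.get)
    return root, format_bid(bids[root])


# Constructed lab: three switches left at the default priority of 32768.
LAB = {
    "S1": (32768, "000a.0033.3333"),
    "S2": (32768, "000a.0011.1111"),
    "S3": (32768, "000a.0022.2222"),
}


def demo_default_priorities():
    # All BIDs start with 32769, so S2 wins with the lowest MAC address.
    return elect_root(LAB, vlan=1)


def demo_configured_root():
    # The administrator runs `spanning-tree vlan 1 priority 24576` on S1 (real IOS
    # command) so that S1 becomes root regardless of the MAC addresses.
    configured = dict(LAB)
    configured["S1"] = (24576, LAB["S1"][1])
    return elect_root(configured, vlan=1)


def demo_per_vlan():
    # PVST runs one instance per VLAN; the extended system ID changes the BID per VLAN.
    return elect_root(LAB, vlan=10)


if __name__ == "__main__":
    print(demo_default_priorities(), demo_configured_root(), demo_per_vlan())
```

With default priorities the election returns `("S2", "32769.000a.0011.1111")`; after lowering S1's priority it returns `("S1", "24577.000a.0033.3333")`, which is why an administrator sets the priority on the intended root rather than relying on whichever switch happens to have the lowest MAC address.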

• When the root bridge has been elected for a given spanning tree instance, the STA starts determining the best
paths to the root bridge from all destinations in the broadcast domain. The path information, known as the
internal root path cost, is determined by the sum of all the individual port costs along the path from the switch
to the root bridge.
• When a switch receives the BPDU, it adds the ingress port cost of the segment to determine its internal root
path cost.
• The default port costs are defined by the speed at which the port operates. The table shows the default port
costs suggested by IEEE. Cisco switches by default use the values as defined by the IEEE 802.1D standard,
also known as the short path cost, for both STP and RSTP.

Link Speed | STP Cost: IEEE 802.1D-1998 | RSTP Cost: IEEE 802.1w-2004
10 Gbps | 2 | 2,000
1 Gbps | 4 | 20,000
100 Mbps | 19 | 200,000
10 Mbps | 100 | 2,000,000

• Although switch ports have a default port cost associated with them, the port cost is configurable. The ability
to configure individual port costs gives the administrator the flexibility to manually control the spanning tree
paths to the root bridge.
2. Elect the Root Ports
• Every non-root switch will select one root port. The root port is the port closest to the root bridge in terms of
overall cost to the root bridge. This overall cost is known as the internal root path cost.
• The internal root path cost is equal to the sum of all the port costs along the path to the root bridge, as shown
in the figure. Paths with the lowest cost become preferred, and all other redundant paths are blocked. In the
example, the internal root path cost from S2 to the root bridge S1 over path 1 is 19 while the internal root path
cost over path 2 is 38. Because path 1 has a lower overall path cost to the root bridge, it is the preferred path
and F0/1 becomes the root port on S2.

3. Elect Designated Ports


• Every segment between two switches will have one designated port. The designated port is the port on the
segment that has the lowest internal root path cost to the root bridge. In other words, the designated port has
the best path to receive traffic leading to the root bridge.
• What is not a root port or a designated port becomes an alternate or blocked port.
• All ports on the root bridge are designated ports.
• If one end of a segment is a root port, the other end is a designated port.
• All ports attached to end devices are designated ports.
• On segments between two switches where neither of the switches is the root bridge, the port on the switch
with the least-cost path to the root bridge is a designated port.

4. Elect Alternate (Blocked) Ports

If a port is not a root port or a designated port, then it becomes an alternate (or backup) port. Alternate ports
are in discarding or blocking state to prevent loops. In the figure, the STA has configured port F0/2 on S3 in
the alternate role. Port F0/2 on S3 is in the blocking state and will not forward Ethernet frames. All other
inter-switch ports are in forwarding state. This is the loop-prevention part of STP.
Elect a Root Port from Multiple Equal-Cost Paths
When a switch has multiple equal-cost paths to the root bridge, the switch will determine a port using the
following criteria:
• Lowest sender BID
• Lowest sender port priority
• Lowest sender port ID

Lowest Sender BID: This topology has four switches with switch S1 as the root bridge. Port F0/1 on switch S3 and
port F0/3 on switch S4 have been selected as root ports because they have the lowest root path cost to the root bridge
for their respective switches. S2 has two ports, F0/1 and F0/2, with equal-cost paths to the root bridge. The bridge IDs
of S3 and S4 will be used to break the tie. This is known as the sender’s BID. S3 has a BID of 32769.5555.5555.5555
and S4 has a BID of 32769.1111.1111.1111. Because S4 has a lower BID, the F0/1 port of S2, which is the port
connected to S4, will be the root port.

Lowest Sender Port Priority: This topology has two switches which are connected with two equal-cost
paths between them. S1 is the root bridge, so both of its ports are designated ports.
• S4 has two ports with equal-cost paths to the root bridge. Because both ports are connected to the same
switch, the sender’s BID (S1) is equal. So the first step is a tie.
• Next, is the sender’s (S1) port priority. The default port priority is 128, so both ports on S1 have the same port
priority. This is also a tie. However, if either port on S1 was configured with a lower port priority, S4 would
put its adjacent port in forwarding state. The other port on S4 would be a blocking state.
Lowest Sender Port ID: The last tie-breaker is the lowest sender’s port ID. Switch S4 has received BPDUs from
port F0/1 and port F0/2 on S1. The decision is based on the sender’s port ID, not the receiver’s port ID. Because the
port ID of F0/1 on S1 is lower than port F0/2, the port F0/6 on switch S4 will be the root port. This is the port on S4
that is connected to the F0/1 port on S1.
• Port F0/5 on S4 will become an alternate port and placed in the blocking state.
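The tie-break sequence above can be written as a single sort key. The following is an added example (not part of the original study guide): the BIDs are the ones quoted on the page, while the path costs and S1's BID are constructed values, since the page does not give them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ReceivedBpdu:
    """The BPDU fields a switch compares when choosing its root port.
    Constructed for this example; a real BPDU carries more fields."""
    local_port: str            # port the BPDU arrived on, e.g. "F0/1"
    root_path_cost: int        # sender's root path cost plus the local port cost
    sender_bid: str            # "priority.mac" as printed by show spanning-tree
    sender_port_priority: int  # 0-240 in steps of 16, default 128
    sender_port_id: int        # sender's port number, e.g. 1 for F0/1


def bid_sort_key(bid: str):
    """Lower bridge priority wins; the MAC address breaks a priority tie."""
    priority, mac = bid.split(".", 1)
    return int(priority), int(mac.replace(".", ""), 16)


def elect_root_port(bpdus):
    """Return the local port that becomes the root port.

    The ordering is the tie-break sequence from the page: lowest root path
    cost, then lowest sender BID, then lowest sender port priority, then
    lowest sender port ID (the sender's values, never the receiver's).
    """
    best = min(
        bpdus,
        key=lambda b: (
            b.root_path_cost,
            bid_sort_key(b.sender_bid),
            b.sender_port_priority,
            b.sender_port_id,
        ),
    )
    return best.local_port


def s2_equal_cost_scenario():
    """S2 hears equal-cost BPDUs from S3 (on F0/2) and from S4 (on F0/1).
    The cost 38 is a constructed value; the BIDs are the ones on the page."""
    bpdus = [
        ReceivedBpdu("F0/2", 38, "32769.5555.5555.5555", 128, 1),
        ReceivedBpdu("F0/1", 38, "32769.1111.1111.1111", 128, 1),
    ]
    return elect_root_port(bpdus)  # "F0/1": S4 has the lower BID


def s4_parallel_links_scenario(s1_f0_2_priority=128):
    """S4 has two links to the root bridge S1: S4 F0/6 <-> S1 F0/1 and
    S4 F0/5 <-> S1 F0/2. Same cost and same sender BID (S1's BID is a
    constructed value), so with default priorities the sender port ID decides.
    Lowering the priority of S1 F0/2 flips the result to F0/5."""
    bpdus = [
        ReceivedBpdu("F0/6", 19, "32769.0000.0000.0001", 128, 1),
        ReceivedBpdu("F0/5", 19, "32769.0000.0000.0001", s1_f0_2_priority, 2),
    ]
    return elect_root_port(bpdus)


if __name__ == "__main__":
    print("S2 root port:", s2_equal_cost_scenario())
    print("S4 root port (defaults):", s4_parallel_links_scenario())
    print("S4 root port (S1 F0/2 priority 64):", s4_parallel_links_scenario(64))
```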

STP Timers and Port States

STP convergence requires three timers, as follows:

• Hello Timer - The hello time is the interval between BPDUs. The default is 2 seconds but can be modified to
between 1 and 10 seconds.
• Forward Delay Timer - The forward delay is the time that is spent in the listening and learning state. The
default is 15 seconds but can be modified to between 4 and 30 seconds.
• Max Age Timer - The max age is the maximum length of time that a switch waits before attempting to
change the STP topology. The default is 20 seconds but can be modified to between 6 and 40 seconds.

Note: The default times can be changed on the root bridge, which dictates the value of these timers for the STP
domain.

STP facilitates the logical loop-free path throughout the broadcast domain. The spanning tree is determined through
the information learned by the exchange of the BPDU frames between the interconnected switches. If a switch port
transitions directly from the blocking state to the forwarding state without information about the full topology during
the transition, the port can temporarily create a data loop. For this reason, STP has five port states, four of which are
operational port states as shown in the figure. The disabled state is considered non-operational.
Operational Details of Each Port State

Port State   BPDU                    MAC Address Table   Forwarding Data Frames
Blocking     Receive only            No update           No
Listening    Receive and send        No update           No
Learning     Receive and send        Updating table      No
Forwarding   Receive and send        Updating table      Yes
Disabled     None sent or received   No update           No

Per-VLAN Spanning Tree

STP can be configured to operate in an environment with multiple VLANs. In Per-VLAN Spanning Tree
(PVST) versions of STP, there is a root bridge elected for each spanning tree instance. This makes it
possible to have different root bridges for different sets of VLANs. STP operates a separate instance of STP
for each individual VLAN. If all ports on all switches are members of VLAN 1, then there is only one
spanning tree instance.

Evolution of STP

Different Versions of STP

• Many professionals generically use spanning tree and STP to refer to the various implementations of
spanning tree, such as Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol
(MSTP). In order to communicate spanning tree concepts correctly, it is important to refer to the
implementation or standard of spanning tree in context.
• The latest IEEE documentation on spanning tree (IEEE 802.1D-2004) says, "STP has now been
superseded by the Rapid Spanning Tree Protocol (RSTP)." The IEEE uses "STP" to refer to the
original implementation of spanning tree and "RSTP" to describe the version of spanning tree
specified in IEEE 802.1D-2004.
• Because the two protocols share much of the same terminology and methods for the loop-free path,
the primary focus will be on the current standard and the Cisco proprietary implementations of STP
and RSTP.
• Cisco switches running IOS 15.0 or later run PVST+ by default. This version incorporates many of
the specifications of IEEE 802.1D-2004, such as alternate ports in place of the former non-
designated ports. Switches must be explicitly configured for rapid spanning tree mode in order to run
the rapid spanning tree protocol.
STP Variety   Description

STP           This is the original IEEE 802.1D version (802.1D-1998 and earlier) that provides a loop-free topology in a
              network with redundant links. Also called Common Spanning Tree (CST), it assumes one spanning tree instance
              for the entire bridged network, regardless of the number of VLANs.

PVST+         Per-VLAN Spanning Tree (PVST+) is a Cisco enhancement of STP that provides a separate 802.1D spanning tree
              instance for each VLAN configured in the network. PVST+ supports PortFast, UplinkFast, BackboneFast, BPDU
              guard, BPDU filter, root guard, and loop guard.

802.1D-2004   This is an updated version of the STP standard, incorporating IEEE 802.1w.

RSTP          Rapid Spanning Tree Protocol (RSTP) or IEEE 802.1w is an evolution of STP that provides faster convergence
              than STP.

Rapid PVST+   This is a Cisco enhancement of RSTP that uses PVST+ and provides a separate instance of 802.1w per VLAN.
              Each separate instance supports PortFast, BPDU guard, BPDU filter, root guard, and loop guard.

MSTP          Multiple Spanning Tree Protocol (MSTP) is an IEEE standard inspired by the earlier Cisco proprietary Multiple
              Instance STP (MISTP) implementation. MSTP maps multiple VLANs into the same spanning tree instance.

MST           Multiple Spanning Tree (MST) is the Cisco implementation of MSTP, which provides up to 16 instances of RSTP
              and combines many VLANs with the same physical and logical topology into a common RSTP instance. Each
              instance supports PortFast, BPDU guard, BPDU filter, root guard, and loop guard.

RSTP

• RSTP (IEEE 802.1w) supersedes the original 802.1D while retaining backward compatibility. The
802.1w STP terminology remains primarily the same as the original IEEE 802.1D STP terminology.
Most parameters have been left unchanged. Users that are familiar with the original STP standard
can easily configure RSTP. The same spanning tree algorithm is used for both STP and RSTP to
determine port roles and topology.
• RSTP increases the speed of the recalculation of the spanning tree when the Layer 2 network
topology changes. RSTP can achieve much faster convergence in a properly configured network,
sometimes in as little as a few hundred milliseconds. If a port is configured to be an alternate port it
can immediately change to a forwarding state without waiting for the network to converge.
Note: Rapid PVST+ is the Cisco implementation of RSTP on a per-VLAN basis. With Rapid PVST+ an independent
instance of RSTP runs for each VLAN.
RSTP Port States and Port Roles

There are only three port states in RSTP that correspond to the three possible operational states in STP. The
802.1D disabled, blocking, and listening states are merged into a unique 802.1w discarding state.

Root ports and designated ports are the same for both STP and RSTP. However, there are two RSTP port roles that
correspond to the blocking state of STP. In STP, a blocked port is defined as not being the designated or root port.
RSTP has two port roles for this purpose.

The alternate port has an alternate path to the root bridge. The backup port is a backup to a shared medium, such as
a hub. A backup port is less common because hubs are now considered legacy devices.

PortFast and BPDU Guard

• When a device is connected to a switch port or when a switch powers up, the switch port goes through both
the listening and learning states, each time waiting for the Forward Delay timer to expire. This delay is 15
seconds for each state for a total of 30 seconds. This can present a problem for DHCP clients trying to
discover a DHCP server because the DHCP process may timeout. The result is that an IPv4 client will not
receive a valid IPv4 address.
• When a switch port is configured with PortFast, that port transitions from blocking to forwarding state
immediately, avoiding the 30 second delay. You can use PortFast on access ports to allow devices connected
to these ports to access the network immediately. PortFast should only be used on access ports. If you enable
PortFast on a port connecting to another switch, you risk creating a spanning tree loop.
• A PortFast-enabled switch port should never receive BPDUs because that would indicate that a switch is
connected to the port, potentially causing a spanning tree loop. Cisco switches support a feature called BPDU
guard. When enabled, it immediately puts the switch port in an errdisabled (error-disabled) state upon receipt
of any BPDU. This protects against potential loops by effectively shutting down the port. The administrator
must manually put the interface back into service.
Alternatives to STP

• Over the years, organizations required greater resiliency and availability in the LAN. Ethernet LANs
went from a few interconnected switches connected to a single router, to a sophisticated hierarchical
network design including access, distribution and core layer switches.
• Depending on the implementation, Layer 2 may include not only the access layer, but also the
distribution or even the core layers. These designs may include hundreds of switches, with hundreds
or even thousands of VLANs. STP has adapted to the added redundancy and complexity with
enhancements, as part of RSTP and MSTP.
• An important aspect to network design is fast and predictable convergence when there is a failure or
change in the topology. Spanning tree does not offer the same efficiencies and predictabilities
provided by routing protocols at Layer 3.
• Layer 3 routing allows for redundant paths and loops in the topology, without blocking ports. For
this reason, some environments are transitioning to Layer 3 everywhere except where devices
connect to the access layer switch. In other words, the connections between access layer switches
and distribution switches would be Layer 3 instead of Layer 2.

VLANs

VLANs are logical connections with other similar devices.

Placing devices into various VLANs has the following characteristics:
o Provides segmentation of the various groups of devices on the same switches
o Provides organization that is more manageable

Broadcasts, multicasts and unicasts are isolated in the individual VLAN.
Each VLAN will have its own unique range of IP addressing.
Smaller broadcast domains.
Benefits of a VLAN Design

Benefit                     Description
Smaller Broadcast Domains   Dividing the LAN reduces the number of broadcast domains
Improved Security           Only users in the same VLAN can communicate together
Improved IT Efficiency      VLANs can group devices with similar requirements, e.g. faculty vs. students
Reduced Cost                One switch can support multiple groups or VLANs
Better Performance          Small broadcast domains reduce traffic, improving bandwidth
Simpler Management          Similar groups will need similar applications and other network resources

Types of VLANs

Default VLAN

VLAN 1 is the following:

• The default VLAN
• The default Native VLAN
• The default Management VLAN
• Cannot be deleted or renamed

Note: While we cannot delete VLAN 1, Cisco recommends that we assign these default roles to other VLANs.
Data VLAN
• Dedicated to user-generated traffic (email and web traffic).
• VLAN 1 is the default data VLAN because all interfaces are assigned to this VLAN.

Native VLAN
• This is used for trunk links only.
• All frames are tagged on an 802.1Q trunk link except for those on the native VLAN.

Management VLAN
• This is used for SSH/Telnet VTY traffic and should not be carried with end user traffic.
• Typically, the VLAN that is the SVI for the Layer 2 switch.

Voice VLAN

A separate VLAN is required because voice traffic requires:
• Assured bandwidth
• High QoS priority
• Ability to avoid congestion
• Delay less than 150 ms from source to destination

The entire network must be designed to support voice.

VLANs in a Multi-Switched Environment

Defining VLAN Trunks

A trunk is a point-to-point link between two network devices.

Cisco trunk functions:
• Allow more than one VLAN
• Extend the VLAN across the entire network
• By default, supports all VLANs
• Supports 802.1Q trunking
Networks without VLANs
Without VLANs, all devices connected to the switches will receive all unicast, multicast, and broadcast
traffic.

With VLANs, unicast, multicast, and broadcast traffic is confined to a VLAN. Without a Layer 3 device to
connect the VLANs, devices in different VLANs cannot communicate.

VLAN Identification with a Tag

• The IEEE 802.1Q header is 4 Bytes
• When the tag is created the FCS must be recalculated.
• When sent to end devices, this tag must be removed and the FCS recalculated back to its original number.

802.1Q VLAN Tag Field               Function
Type                                • 2-Byte field with hexadecimal 0x8100
                                    • This is referred to as Tag Protocol ID (TPID)
User Priority                       • 3-bit value that supports
Canonical Format Identifier (CFI)   • 1-bit value that can support token ring frames on Ethernet
VLAN ID (VID)                       • 12-bit VLAN identifier that can support up to 4096 VLANs

Native VLANs and 802.1Q Tagging

802.1Q trunk basics:

• Tagging is typically done on all VLANs.
• The use of a native VLAN was designed for legacy use, like the hub in the example.
• Unless changed, VLAN 1 is the native VLAN.
• Both ends of a trunk link must be configured with the same native VLAN.
• Each trunk is configured separately, so it is possible to have different native VLANs on separate trunks.
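The tag layout and the native-VLAN rule from the two sections above, worked in code. This is an added example, not part of the study guide: it inserts and strips the 4-byte 802.1Q tag, recomputes the FCS each time (as the tag table requires), and shows how a trunk port classifies an untagged frame into the native VLAN. The sample frame and MAC addresses are constructed.

```python
import struct
import zlib

TPID_8021Q = 0x8100  # Tag Protocol ID in the 2-byte Type field


def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over everything from the destination MAC to the
    end of the payload, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame as an end device would send it: dst, src, type, data, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def fcs_ok(frame: bytes) -> bool:
    return len(frame) >= 18 and fcs(frame[:-4]) == frame[-4:]


def parse_tag(frame: bytes):
    """Return (pcp, cfi, vid) for an 802.1Q-tagged frame, or None if untagged."""
    if len(frame) < 18:
        return None
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF  # 3-bit PCP, 1-bit CFI, 12-bit VID


def tag_frame(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Insert the 4-byte tag after the source MAC and recompute the FCS,
    since the old FCS no longer covers the bytes on the wire."""
    if not fcs_ok(frame):
        raise ValueError("refusing to tag a frame with a bad FCS")
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
        raise ValueError("VID must be 0-4095 and PCP 0-7")
    tci = (pcp << 13) | ((cfi & 1) << 12) | vid
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-4]
    return body + fcs(body)


def untag_frame(frame: bytes) -> bytes:
    """Remove the tag (as a switch does before forwarding to an access-port
    end device) and recompute the FCS so it again matches the untagged bytes."""
    if parse_tag(frame) is None:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)


def vlan_on_trunk(frame: bytes, native_vlan: int = 1) -> int:
    """VLAN a receiving 802.1Q trunk port assigns the frame: the tag's VID,
    or the native VLAN when the frame is untagged (or carries VID 0, which
    is a priority-only tag). This is why both ends must agree on the native VLAN."""
    tag = parse_tag(frame)
    if tag is None or tag[2] == 0:
        return native_vlan
    return tag[2]


if __name__ == "__main__":
    # Constructed sample: broadcast destination, made-up source MAC, IPv4 ethertype.
    pc_frame = build_frame(b"\xff" * 6, bytes.fromhex("0a1b2c3d4e5f"), 0x0800, b"\x00" * 46)
    trunk_frame = tag_frame(pc_frame, vid=20, pcp=5)  # VLAN 20 with CoS 5
    print("tag:", parse_tag(trunk_frame), "fcs ok:", fcs_ok(trunk_frame))
    print("original FCS still valid on tagged bytes:", pc_frame[-4:] == trunk_frame[-4:])
    print("untag restores original:", untag_frame(trunk_frame) == pc_frame)
    print("untagged frame on a native-VLAN-99 trunk lands in VLAN", vlan_on_trunk(pc_frame, 99))
```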

Voice VLAN Tagging

The VoIP phone is a three-port switch:

• The switch will use CDP to inform the phone of the Voice VLAN.
• The phone will tag its own traffic (voice) and can set Class of Service (CoS). CoS is QoS for Layer 2.
• The phone may or may not tag frames from the PC.

Traffic       Tagging Function
Voice VLAN    Tagged with an appropriate Layer 2 class of service (CoS) priority value
Access VLAN   Can also be tagged with a Layer 2 CoS priority value
Access VLAN   Is not tagged (no Layer 2 CoS priority value)

The show interfaces fa0/18 switchport command can show us both data and voice VLANs assigned to the
interface.

VLAN Ranges on Catalyst Switches

Catalyst switches 2960 and 3650 support over 4000 VLANs.

Normal Range VLAN 1 – 1005                               Extended Range VLAN 1006 - 4095
Used in small to medium sized businesses                 Used by service providers
1002 – 1005 are reserved for legacy VLANs                Are in running-config
1, 1002 – 1005 are auto created and cannot be deleted    Supports fewer VLAN features
Stored in the vlan.dat file in flash                     Requires VTP configurations
VTP can synchronize between switches

VLAN Creation Commands

VLAN details are stored in the vlan.dat file. You create VLANs in the global configuration mode.

Task                                          IOS Command
Enter global configuration mode.              Switch# configure terminal
Create a VLAN with a valid ID number.         Switch(config)# vlan vlan-id
Specify a unique name to identify the VLAN.   Switch(config-vlan)# name vlan-name
Return to the privileged EXEC mode.           Switch(config-vlan)# end
VLAN Creation Example
• If the Student PC is going to be in VLAN 20, we will create the VLAN first and then name it.
• If you do not name it, the Cisco IOS will give it a default name of vlan and the four digit number of the
VLAN. E.g. vlan0020 for VLAN 20.

Prompt            Command
S1#               configure terminal
S1(config)#       vlan 20
S1(config-vlan)#  name student
S1(config-vlan)#  end

VLAN Port Assignment Commands

Task                                  Command
Enter global configuration mode.      Switch# configure terminal
Enter interface configuration mode.   Switch(config)# interface interface-id
Set the port to access mode.          Switch(config-if)# switchport mode access
Assign the port to a VLAN.            Switch(config-if)# switchport access vlan vlan-id
Return to the privileged EXEC mode.   Switch(config-if)# end

Data and Voice VLANs

An access port may only be assigned to one data VLAN. However, it may also be assigned to one voice VLAN for
when a phone and an end device are off of the same switchport.

Data and Voice VLAN Example
• We will want to create and name both voice and data VLANs.
• In addition to assigning the data VLAN, we will also assign the voice VLAN and turn on QoS for the voice
traffic to the interface.
• The newer Catalyst switch will automatically create the VLAN, if it does not already exist, when it is
assigned to an interface.

Note: QoS is beyond the scope of this course. Here we do show the use of the mls qos trust [cos | device cisco-phone
| dscp | ip-precedence] command.

Verify VLAN Information

Use the show vlan command. The complete syntax is:
show vlan [brief | id vlan-id | name vlan-name | summary]

Task                                                                   Command Option
Display VLAN name, status, and its ports one VLAN per line.            brief
Display information about the identified VLAN ID number.               id vlan-id
Display information about the identified VLAN name. The vlan-name      name vlan-name
is an ASCII string from 1 to 32 characters.
Display VLAN summary information.                                      summary

Change VLAN Port Membership

There are a number of ways to change VLAN membership:
• re-enter the switchport access vlan vlan-id command
• use the no switchport access vlan command to place the interface back in VLAN 1

Use the show vlan brief or the show interface fa0/18 switchport commands to verify the correct VLAN
association.

Delete VLANs

Delete VLANs with the no vlan vlan-id command.


Caution: Before deleting a VLAN, reassign all member ports to a different VLAN.
• Delete all VLANs with the delete flash:vlan.dat or delete vlan.dat commands.
• Reload the switch when deleting all VLANs.

Note: To restore to factory default – unplug all data cables, erase the startup-configuration and delete the vlan.dat file,
then reload the device.

VLAN Trunks

Trunk Configuration Commands

Configure and verify VLAN trunks. Trunks are Layer 2 and carry traffic for all VLANs.

Task                                                       IOS Command
Enter global configuration mode.                           Switch# configure terminal
Enter interface configuration mode.                        Switch(config)# interface interface-id
Set the port to permanent trunking mode.                   Switch(config-if)# switchport mode trunk
Set the native VLAN to something other than VLAN 1.        Switch(config-if)# switchport trunk native vlan vlan-id
Specify the list of VLANs to be allowed on the trunk link. Switch(config-if)# switchport trunk allowed vlan vlan-list
Return to the privileged EXEC mode.                        Switch(config-if)# end
Trunk Configuration Example

The subnets associated with each VLAN are:

• VLAN 10 - Faculty/Staff - 172.17.10.0/24
• VLAN 20 - Students - 172.17.20.0/24
• VLAN 30 - Guests - 172.17.30.0/24
• VLAN 99 - Native - 172.17.99.0/24

F0/1 port on S1 is configured as a trunk port.

Prompt          Command
S1(config)#     interface fa0/1
S1(config-if)#  switchport mode trunk
S1(config-if)#  switchport trunk native vlan 99
S1(config-if)#  switchport trunk allowed vlan 10,20,30,99
S1(config-if)#  end

Note: This assumes a 2960 switch using 802.1q tagging. Layer 3 switches require the encapsulation to be configured
before the trunk mode.

Verify Trunk Configuration

Set the trunk mode and native VLAN.

Notice in the sh int fa0/1 switchport command output that the port:
• Is set to trunk administratively
• Is set as trunk operationally (functioning)
• Encapsulation is dot1q
• Native VLAN set to VLAN 99
• All VLANs created on the switch will pass traffic on this trunk

Reset the Trunk to the Default State

Reset the default trunk settings with the no form of the command.
• All VLANs allowed to pass traffic
• Native VLAN = VLAN 1

Verify the default settings with a show interfaces fa0/1 switchport command.

Reset the trunk to an access mode with the switchport mode access command. The port then:
• Is set to an access interface administratively
• Is set as an access interface operationally (functioning)

Dynamic Trunking Protocol

Introduction to DTP

Dynamic Trunking Protocol (DTP) is a proprietary Cisco protocol. DTP characteristics are as follows:
• On by default on Catalyst 2960 and 2950 switches
• Dynamic-auto is default on the 2960 and 2950 switches
• May be turned off with the nonegotiate command
• May be turned back on by setting the interface to dynamic-auto
• Setting a switch to a static trunk or static access will avoid negotiation issues with the switchport
mode trunk or the switchport mode access commands.
Negotiated Interface Modes

The switchport mode command has additional options. Use the switchport nonegotiate interface configuration
command to stop DTP negotiation.

Option              Description
access              Permanent access mode and negotiates to convert the neighboring link into an access link
dynamic auto        Becomes a trunk interface if the neighboring interface is set to trunk or desirable mode
dynamic desirable   Actively seeks to become a trunk by negotiating with other auto or desirable interfaces
trunk               Permanent trunking mode and negotiates to convert the neighboring link into a trunk link

Results of a DTP Configuration

DTP configuration options are as follows:

                    Dynamic Auto   Dynamic Desirable   Trunk                  Access
Dynamic Auto        Access         Trunk               Trunk                  Access
Dynamic Desirable   Trunk          Trunk               Trunk                  Access
Trunk               Trunk          Trunk               Trunk                  Limited connectivity
Access              Access         Access              Limited connectivity   Access

Verify DTP Mode

The default DTP configuration is dependent on the Cisco IOS version and platform.
▪ Use the show dtp interface command to determine the current DTP mode.
▪ Best practice recommends that the interfaces be set to access or trunk and that DTP be turned off.
Inter-VLAN Routing

What is Inter-VLAN Routing?


VLANs are used to segment switched Layer 2 networks for a variety of reasons. Regardless of the reason,
hosts in one VLAN cannot communicate with hosts in another VLAN unless there is a router or a Layer 3
switch to provide routing services.
Inter-VLAN routing is the process of forwarding network traffic from one VLAN to another VLAN.
There are three inter-VLAN routing options:
• Legacy Inter-VLAN routing - This is a legacy solution. It does not scale well.
• Router-on-a-Stick - This is an acceptable solution for a small to medium-sized network.
• Layer 3 switch using switched virtual interfaces (SVIs) - This is the most scalable solution for
medium to large organizations.

Legacy Inter-VLAN Routing

• The first inter-VLAN routing solution relied on using a router with multiple Ethernet interfaces.
Each router interface was connected to a switch port in different VLANs. The router interfaces
served as the default gateways to the local hosts on the VLAN subnet.
• Legacy inter-VLAN routing using physical interfaces works, but it has a significant limitation. It
is not reasonably scalable because routers have a limited number of physical interfaces. Requiring one
physical router interface per VLAN quickly exhausts the physical interface capacity of a router.

Note: This method of inter-VLAN routing is no longer implemented in switched networks and is included for
explanation purposes only.
Router-on-a-Stick Inter-VLAN Routing

The ‘router-on-a-stick’ inter-VLAN routing method overcomes the limitation of the legacy inter-VLAN
routing method. It only requires one physical Ethernet interface to route traffic between multiple VLANs on
a network.
• A Cisco IOS router Ethernet interface is configured as an 802.1Q trunk and connected to a trunk port on a
Layer 2 switch. Specifically, the router interface is configured using subinterfaces to identify routable
VLANs.
• The configured subinterfaces are software-based virtual interfaces. Each is associated with a single physical
Ethernet interface. Subinterfaces are configured in software on a router. Each subinterface is independently
configured with an IP address and VLAN assignment. Subinterfaces are configured for different subnets that
correspond to their VLAN assignment. This facilitates logical routing.
• When VLAN-tagged traffic enters the router interface, it is forwarded to the VLAN subinterface. After a
routing decision is made based on the destination IP network address, the router determines the exit interface
for the traffic. If the exit interface is configured as an 802.1q subinterface, the data frames are VLAN-tagged
with the new VLAN and sent back out the physical interface.
Note: The router-on-a-stick method of inter-VLAN routing does not scale beyond 50 VLANs.

Router-on-a-Stick Scenario

• In the figure, the R1 GigabitEthernet 0/0/1 interface is connected to the S1 FastEthernet 0/5 port. The S1
FastEthernet 0/1 port is connected to the S2 FastEthernet 0/1 port. These are trunk links that are required to
forward traffic within and between VLANs.
• To route between VLANs, the R1 GigabitEthernet 0/0/1 interface is logically divided into three subinterfaces, as
shown in the table. The table also shows the three VLANs that will be configured on the switches.
• Assume that R1, S1, and S2 have initial basic configurations. Currently, PC1 and PC2 cannot ping each other
because they are on separate networks. Only S1 and S2 can ping each other, but they are unreachable by PC1 or PC2
because they are also on different networks.
• To enable devices to ping each other, the switches must be configured with VLANs and trunking, and the router
must be configured for inter-VLAN routing.

Subinterface   VLAN   IP Address
G0/0/1.10      10     192.168.10.1/24
G0/0/1.20      20     192.168.20.1/24
G0/0/1.30      99     192.168.99.1/24
S2 VLAN and Trunking Configuration

R1 Subinterface Configuration

The router-on-a-stick method requires you to create a subinterface for each VLAN to be routed. A subinterface is
created using the interface interface_id subinterface_id global configuration mode command. The subinterface syntax
is the physical interface followed by a period and a subinterface number. Although not required, it is customary to
match the subinterface number with the VLAN number.

Each subinterface is then configured with the following two commands:

• encapsulation dot1q vlan_id [native] - This command configures the subinterface to respond to
802.1Q encapsulated traffic from the specified vlan-id. The native keyword option is only appended
to set the native VLAN to something other than VLAN 1.
• ip address ip-address subnet-mask - This command configures the IPv4 address of the subinterface.
This address typically serves as the default gateway for the identified VLAN.

Repeat the process for each VLAN to be routed. Each router subinterface must be assigned an IP address on a
unique subnet for routing to occur. When all subinterfaces have been created, enable the physical interface
using the no shutdown interface configuration command. If the physical interface is disabled, all subinterfaces
are disabled.

R1 Subinterface Configuration
In the configuration, the R1 G0/0/1 subinterfaces are configured for VLANs 10, 20, and 99.
Verify Connectivity Between PC1 and PC2

From a host, verify connectivity to a host in another VLAN using the ping command. It is a good idea to first
verify the current host IP configuration using the ipconfig Windows host command.
The ping output successfully confirms inter-VLAN routing is operating.

In addition to using ping between devices, the following show commands can be used to verify and troubleshoot
the router-on-a-stick configuration.
• show ip route
• show ip interface brief
• show interfaces
• show interfaces trunk

Inter-VLAN Routing on a Layer 3 Switch

The modern method of performing inter-VLAN routing is to use Layer 3 switches and switched virtual interfaces
(SVI). An SVI is a virtual interface that is configured on a Layer 3 switch, as shown in the figure.

Note: A Layer 3 switch is also called a multilayer switch as it operates at Layer 2 and Layer 3. However, in this
course we use the term Layer 3 switch.

Inter-VLAN SVIs are created the same way that the management VLAN interface is configured. The SVI is
created for a VLAN that exists on the switch. Although virtual, the SVI performs the same functions for the
VLAN as a router interface would. Specifically, it provides Layer 3 processing for packets that are sent to or
from all switch ports associated with that VLAN.
The following are advantages of using Layer 3 switches for inter-VLAN routing:
• They are much faster than router-on-a-stick because everything is hardware switched and routed.
• There is no need for external links from the switch to the router for routing.
• They are not limited to one link because Layer 2 EtherChannels can be used as trunk links between
the switches to increase bandwidth.
• Latency is much lower because data does not need to leave the switch in order to be routed to a
different network.
• They are more commonly deployed in a campus LAN than routers.
• The only disadvantage is that Layer 3 switches are more expensive.
Inter-VLAN routing using the router-on-a-stick method is simple to implement for a small to medium-sized
organization. However, a large enterprise requires a faster, much more scalable method to provide inter-
VLAN routing.
Enterprise campus LANs use Layer 3 switches to provide inter-VLAN routing. Layer 3 switches use
hardware-based switching to achieve higher-packet processing rates than routers. Layer 3 switches are also
commonly implemented in enterprise distribution layer wiring closets.
Capabilities of a Layer 3 switch include the ability to do the following:
• Route from one VLAN to another using multiple switched virtual interfaces (SVIs).
• Convert a Layer 2 switchport to a Layer 3 interface (i.e., a routed port). A routed port is similar to a
physical interface on a Cisco IOS router.
• To provide inter-VLAN routing, Layer 3 switches use SVIs. SVIs are configured using the
same interface vlan vlan-id command used to create the management SVI on a Layer 2 switch. A
Layer 3 SVI must be created for each of the routable VLANs.

Layer 3 Switch Scenario

In the figure, the Layer 3 switch, D1, is connected to two hosts on different VLANs. PC1 is in VLAN 10 and PC2
is in VLAN 20, as shown. The Layer 3 switch will provide inter-VLAN routing services to the two hosts.

Complete the following steps to configure S1 with VLANs and trunking:
• Step 1. Create the VLANs. In the example, VLANs 10 and 20 are used.
• Step 2. Create the SVI VLAN interfaces. The IP address configured will serve as the default gateway for
hosts in the respective VLAN.
• Step 3. Configure access ports. Assign the appropriate port to the required VLAN.
• Step 4. Enable IP routing. Issue the ip routing global configuration command to allow traffic to be exchanged
between VLANs 10 and 20. This command must be configured to enable inter-VLAN routing on a Layer 3
switch for IPv4.

After the configuration is complete, the configuration can be verified by testing connectivity between the
hosts.
• From a host, verify connectivity to a host in another VLAN using the ping command. It is a good idea to first
verify the current host IP configuration using the ipconfig Windows host command.
• Next, verify connectivity with PC2 using the ping Windows host command. The successful ping output
confirms inter-VLAN routing is operating.
If VLANs are to be reachable by other Layer 3 devices, then they must be advertised using static or dynamic
routing. To enable routing on a Layer 3 switch, a routed port must be configured.
A routed port is created on a Layer 3 switch by disabling the switchport feature on a Layer 2 port that is
connected to another Layer 3 device. Specifically, configuring the no switchport interface configuration
command on a Layer 2 port converts it into a Layer 3 interface. Then the interface can be configured with an
IPv4 configuration to connect to a router or another Layer 3 switch.

EtherChannel

Link Aggregation

• There are scenarios in which more bandwidth or redundancy between devices is needed than what
can be provided by a single link. Multiple links could be connected between devices to increase
bandwidth.
• A link aggregation technology is needed that allows redundant links between devices that will not be
blocked by STP. That technology is known as EtherChannel.
• EtherChannel is a link aggregation technology that groups multiple physical Ethernet links together
into one single logical link. It is used to provide fault-tolerance, load sharing, increased bandwidth,
and redundancy between switches, routers, and servers.
• EtherChannel technology makes it possible to combine the number of physical links between the
switches to increase the overall speed of switch-to-switch communication.

EtherChannel
EtherChannel technology was originally developed by Cisco as a LAN switch-to-switch technique of grouping several Fast Ethernet or Gigabit Ethernet ports into one logical channel.
When an EtherChannel is configured, the resulting virtual interface is called a port channel. The physical interfaces are bundled together into a port channel interface, as shown in the figure.
Advantages of EtherChannel
• Most configuration tasks can be done on the EtherChannel interface instead of on each individual
port, ensuring configuration consistency throughout the links.
• EtherChannel relies on existing switch ports. There is no need to upgrade the link to a faster and
more expensive connection to have more bandwidth.
• Load balancing takes place between links that are part of the same EtherChannel.
• EtherChannel creates an aggregation that is seen as one logical link. When several EtherChannel
bundles exist between two switches, STP may block one of the bundles to prevent switching loops.
When STP blocks one of the redundant links, it blocks the entire EtherChannel. This blocks all the
ports belonging to that EtherChannel link. Where there is only one EtherChannel link, all physical
links in the EtherChannel are active because STP sees only one (logical) link.
• EtherChannel provides redundancy because the overall link is seen as one logical connection.
Additionally, the loss of one physical link within the channel does not create a change in the
topology.

Implementation Restrictions

EtherChannel has certain implementation restrictions, including the following:


• Interface types cannot be mixed. For example, Fast Ethernet and Gigabit Ethernet cannot be mixed within a
single EtherChannel.
• Currently each EtherChannel can consist of up to eight compatibly-configured Ethernet ports. EtherChannel
provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit EtherChannel)
between one switch and another switch or host.
• The Cisco Catalyst 2960 Layer 2 switch currently supports up to six EtherChannels.
• The individual EtherChannel group member port configuration must be consistent on both devices. If the
physical ports of one side are configured as trunks, the physical ports of the other side must also be configured
as trunks within the same native VLAN. Additionally, all ports in each EtherChannel link must be configured
as Layer 2 ports.
• Each EtherChannel has a logical port channel interface. A configuration applied to the port channel interface
affects all physical interfaces that are assigned to that interface.

Auto Negotiation Protocols


EtherChannels can be formed through negotiation using one of two protocols, Port Aggregation Protocol
(PAgP) or Link Aggregation Control Protocol (LACP). These protocols allow ports with similar
characteristics to form a channel through dynamic negotiation with adjoining switches.
Note: It is also possible to configure a static or unconditional EtherChannel without PAgP or LACP.
PAgP

PAgP (pronounced “Pag - P”) is a Cisco-proprietary protocol that aids in the automatic creation of
EtherChannel links. When an EtherChannel link is configured using PAgP, packets are sent between
EtherChannel-capable ports to negotiate the forming of a channel. When PAgP identifies matched Ethernet
links, it groups the links into an EtherChannel. The EtherChannel is then added to the spanning tree as a
single port.
When enabled, PAgP also manages the EtherChannel. PAgP packets are sent every 30 seconds. PAgP
checks for configuration consistency and manages link additions and failures between two switches. It
ensures that when an EtherChannel is created, all ports have the same type of configuration.
Note: In EtherChannel, it is mandatory that all ports have the same speed, duplex setting, and VLAN information.
Any port modification after the creation of the channel also changes all other channel ports.

PAgP helps create the EtherChannel link by detecting the configuration of each side and ensuring that links
are compatible so that the EtherChannel link can be enabled when needed.
The modes for PAgP are as follows:

• On - This mode forces the interface to channel without PAgP. Interfaces configured in the on mode
do not exchange PAgP packets.
• PAgP desirable - This PAgP mode places an interface in an active negotiating state in which the
interface initiates negotiations with other interfaces by sending PAgP packets.
• PAgP auto - This PAgP mode places an interface in a passive negotiating state in which the interface
responds to the PAgP packets that it receives but does not initiate PAgP negotiation.

If all modes are disabled by using the no command, or if no mode is configured, then the EtherChannel is
disabled. The on mode manually places the interface in an EtherChannel, without any negotiation. It works
only if the other side is also set to on. If the other side is set to negotiate parameters through PAgP, no
EtherChannel forms, because the side that is set to on mode does not negotiate. No negotiation between the
two switches means there is no checking to make sure that all the links in the EtherChannel are terminating
on the other side, or that there is PAgP compatibility on the other switch.

PAgP Mode Settings


The table shows the various combinations of PAgP modes on S1 and S2 and the resulting channel establishment outcome.

S1          S2               Channel Establishment
On          On               Yes
On          Desirable/Auto   No
Desirable   Desirable        Yes
Desirable   Auto             Yes
Auto        Desirable        Yes
Auto        Auto             No
LACP

LACP is part of an IEEE specification (802.3ad) that allows several physical ports to be bundled to form a
single logical channel. LACP allows a switch to negotiate an automatic bundle by sending LACP packets to
the other switch. It performs a function similar to PAgP with Cisco EtherChannel. Because LACP is an
IEEE standard, it can be used to facilitate EtherChannels in multivendor environments. On Cisco devices,
both protocols are supported.
LACP provides the same negotiation benefits as PAgP. LACP helps create the EtherChannel link by
detecting the configuration of each side and making sure that they are compatible so that the EtherChannel
link can be enabled when needed. The modes for LACP are as follows:
• On - This mode forces the interface to channel without LACP. Interfaces configured in the on mode
do not exchange LACP packets.
• LACP active - This LACP mode places a port in an active negotiating state. In this state, the port
initiates negotiations with other ports by sending LACP packets.
• LACP passive - This LACP mode places a port in a passive negotiating state. In this state, the port
responds to the LACP packets that it receives but does not initiate LACP packet negotiation.

LACP Mode Settings


The table shows the various combinations of LACP modes on S1 and S2 and the resulting channel establishment outcome.

S1        S2               Channel Establishment
On        On               Yes
On        Active/Passive   No
Active    Active           Yes
Active    Passive          Yes
Passive   Active           Yes
Passive   Passive          No

Configure EtherChannel
The following guidelines and restrictions are useful for configuring EtherChannel:
• EtherChannel support - All Ethernet interfaces must support EtherChannel with no requirement that interfaces
be physically contiguous.
• Speed and duplex - Configure all interfaces in an EtherChannel to operate at the same speed and in the same
duplex mode.
• VLAN match - All interfaces in the EtherChannel bundle must be assigned to the same VLAN or be configured
as a trunk (shown in the figure).
• Range of VLANs - An EtherChannel supports the same allowed range of VLANs on all the interfaces in a
trunking EtherChannel. If the allowed range of VLANs is not the same, the interfaces do not form an
EtherChannel, even when they are set to auto or desirable mode.
• The figure shows a configuration that would allow an EtherChannel to form between S1 and S2.
• If these settings must be changed, configure them in port channel interface configuration mode. Any configuration that is applied to the port channel interface also affects individual interfaces. However, configurations that are applied to the individual interfaces do not affect the port channel interface. Therefore, making configuration changes to an interface that is part of an EtherChannel link may cause interface compatibility issues.
• The port channel can be configured in access mode, trunk mode (most common), or on a routed port.

LACP Configuration

Configuring EtherChannel with LACP requires the following three steps:


Step 1. Specify the interfaces that compose the EtherChannel group using the interface range interface global
configuration mode command. The range keyword allows you to select several interfaces and configure them all
together.
Step 2. Create the port channel interface with the channel-group identifier mode active command in interface range
configuration mode. The identifier specifies a channel group number. The mode active keywords identify this as an
LACP EtherChannel configuration.
Step 3. To change Layer 2 settings on the port channel interface, enter port channel interface configuration mode using the interface port-channel command, followed by the interface identifier. In the example, S1 is configured with an LACP EtherChannel. The port channel is configured as a trunk interface with the allowed VLANs specified.

Verify and Troubleshoot EtherChannel

Verify EtherChannel
• The show interfaces port-channel command displays the general status of the port channel interface.
• The show etherchannel summary command displays one line of information per port channel.
• The show etherchannel port-channel command displays information about a specific port channel interface.
• The show interfaces etherchannel command can provide information about the role of a physical member
interface of the EtherChannel.
DHCPv4

DHCPv4 Server and Client

• Dynamic Host Configuration Protocol v4 (DHCPv4) assigns IPv4 addresses and other network
configuration information dynamically. Because desktop clients typically make up the bulk of
network nodes, DHCPv4 is an extremely useful and timesaving tool for network administrators.
• A dedicated DHCPv4 server is scalable and relatively easy to manage. However, in a small branch or
SOHO location, a Cisco router can be configured to provide DHCPv4 services without the need for a
dedicated server. Cisco IOS software supports an optional, full-featured DHCPv4 server.
• The DHCPv4 server dynamically assigns, or leases, an IPv4 address from a pool of addresses for a
limited period of time chosen by the server, or until the client no longer needs the address.
• Clients lease the information from the server for an administratively defined period. Administrators
configure DHCPv4 servers to set the leases to time out at different intervals. The lease is typically
anywhere from 24 hours to a week or more. When the lease expires, the client must ask for another
address, although the client is typically reassigned the same address.

DHCPv4 Operation
DHCPv4 works in a client/server mode. When a client communicates with a DHCPv4 server, the server
assigns or leases an IPv4 address to that client.
• The client connects to the network with that leased IPv4 address until the lease expires. The client must
contact the DHCP server periodically to extend the lease.
• This lease mechanism ensures that clients that move or power off do not keep addresses that they no longer
need.
• When a lease expires, the DHCP server returns the address to the pool where it can be reallocated as
necessary.

Steps to Obtain a Lease


When the client boots (or otherwise wants to join a network), it begins a four-step process to obtain a lease:
1. DHCP Discover (DHCPDISCOVER)
2. DHCP Offer (DHCPOFFER)
3. DHCP Request (DHCPREQUEST)
4. DHCP Acknowledgment (DHCPACK)
Steps to Renew a Lease

Prior to lease expiration, the client begins a two-step process to renew the lease with the DHCPv4 server, as shown in the figure:
1. DHCP Request (DHCPREQUEST)
Before the lease expires, the client sends a DHCPREQUEST message directly to the DHCPv4 server that originally offered the IPv4 address. If a DHCPACK is not received within a specified amount of time, the client broadcasts another DHCPREQUEST so that one of the other DHCPv4 servers can extend the lease.
2. DHCP Acknowledgment (DHCPACK)
On receiving the DHCPREQUEST message, the server verifies the lease information by returning a DHCPACK.
Note: These messages (primarily the DHCPOFFER and DHCPACK) can be sent as unicast or broadcast according to
IETF RFC 2131.

Cisco IOS DHCPv4 Server


A Cisco router running Cisco IOS software can be configured to act as a DHCPv4 server. The Cisco IOS
DHCPv4 server assigns and manages IPv4 addresses from specified address pools within the router to
DHCPv4 clients.

Use the following steps to configure a Cisco IOS DHCPv4 server:


• Step 1. Exclude IPv4 addresses. A single address or a range of addresses can be excluded by specifying the low-address and high-address of the range. Excluded addresses should be those addresses that are assigned to routers, servers, printers, and other devices that have been, or will be, manually configured. You can also enter the command multiple times. The command is ip dhcp excluded-address low-address [high-address].
• Step 2. Define a DHCPv4 pool name. The ip dhcp pool pool-name command creates a pool with the specified name and puts the router in DHCPv4 configuration mode, which is identified by the prompt Router(dhcp-config)#.
• Step 3. Configure the DHCPv4 pool. The address pool and default gateway router must be configured. Use the network statement to define the range of available addresses. Use the default-router command to define the default gateway router. These commands and other optional commands are shown in the table.

Task                                     IOS Command
Define the address pool.                 network network-number [mask | /prefix-length]
Define the default router or gateway.    default-router address [address2...address8]
Define a DNS server.                     dns-server address [address2...address8]
Define the domain name.                  domain-name domain
Define the duration of the DHCP lease.   lease {days [hours [minutes]] | infinite}
Define the NetBIOS WINS server.          netbios-name-server address [address2...address8]
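To make the pool, exclusion and lease semantics of these three steps concrete, here is an added Python model (it is not Cisco code and not part of this guide) that mirrors ip dhcp excluded-address, network, default-router, dns-server and lease, and keeps the binding table that show ip dhcp binding would display. The pool, DNS server and MAC addresses are constructed sample values; the 192.168.10.0/24 segment is the one used in this section.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Binding:
    """One row of the server's binding table (compare: show ip dhcp binding)."""
    ip: ipaddress.IPv4Address
    mac: str
    expires: Optional[int]      # seconds since epoch; None models "lease infinite"


class Dhcpv4Pool:
    """Model of one Cisco IOS DHCPv4 pool: network, excluded ranges, default
    router, DNS servers, lease duration and the binding table it maintains."""

    def __init__(self, network: str, default_router: str,
                 dns_servers: List[str], lease_seconds: Optional[int]):
        self.network = ipaddress.IPv4Network(network)          # network ...
        self.default_router = default_router                   # default-router ...
        self.dns_servers = list(dns_servers)                   # dns-server ...
        self.lease_seconds = lease_seconds                     # lease ... | infinite
        self.excluded: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = []
        self.bindings: Dict[str, Binding] = {}                 # keyed by client MAC

    def exclude(self, low: str, high: Optional[str] = None) -> None:
        """ip dhcp excluded-address low-address [high-address]; may be repeated."""
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high) if high else lo
        self.excluded.append((lo, hi))

    def _is_excluded(self, ip: ipaddress.IPv4Address) -> bool:
        return any(lo <= ip <= hi for lo, hi in self.excluded)

    def _expire(self, now: int) -> None:
        """An expired lease returns its address to the pool for reallocation."""
        for mac in [m for m, b in self.bindings.items()
                    if b.expires is not None and b.expires <= now]:
            del self.bindings[mac]

    def _new_expiry(self, now: int) -> Optional[int]:
        return None if self.lease_seconds is None else now + self.lease_seconds

    def lease(self, mac: str, now: int) -> Optional[Binding]:
        """Serve a DISCOVER/REQUEST: a client that still holds a lease is
        reassigned the same address; otherwise the lowest free, non-excluded
        host address is leased. Returns None when the pool is exhausted."""
        self._expire(now)
        if mac in self.bindings:
            return self.renew(mac, now)
        in_use = {b.ip for b in self.bindings.values()}
        for ip in self.network.hosts():
            if self._is_excluded(ip) or ip in in_use:
                continue
            self.bindings[mac] = Binding(ip, mac, self._new_expiry(now))
            return self.bindings[mac]
        return None

    def renew(self, mac: str, now: int) -> Optional[Binding]:
        """Serve a renewal REQUEST (before expiry): same address, fresh timer."""
        self._expire(now)
        binding = self.bindings.get(mac)
        if binding is not None:
            binding.expires = self._new_expiry(now)
        return binding

    def offer_parameters(self, mac: str, now: int) -> Optional[dict]:
        """What the OFFER/ACK carries to the client, i.e. what ipconfig /all shows."""
        binding = self.lease(mac, now)
        if binding is None:
            return None
        return {
            "address": str(binding.ip),
            "mask": str(self.network.netmask),
            "default_gateway": self.default_router,
            "dns_servers": list(self.dns_servers),
            "lease_seconds": self.lease_seconds,
        }

    def show_bindings(self, now: int) -> List[Tuple[str, str]]:
        """Equivalent of show ip dhcp binding: (ip, mac) for every live lease."""
        self._expire(now)
        return sorted((str(b.ip), b.mac) for b in self.bindings.values())


if __name__ == "__main__":
    # Constructed values mirroring a pool for the 192.168.10.0/24 segment used in
    # this section; .1-.9 and .254 are reserved for manually configured devices.
    pool = Dhcpv4Pool("192.168.10.0/24", "192.168.10.1",
                      ["192.168.11.5"], lease_seconds=2 * 24 * 3600)   # lease 2
    pool.exclude("192.168.10.1", "192.168.10.9")
    pool.exclude("192.168.10.254")
    print(pool.offer_parameters("00:11:22:33:44:55", now=0))
    print(pool.show_bindings(now=0))
```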

Configuration Example

DHCPv4 Verification
Use the commands in the table to verify that the Cisco IOS DHCPv4 server is operational.

Command                              Description
show running-config | section dhcp   Displays the DHCPv4 commands configured on the router.
show ip dhcp binding                 Displays a list of all IPv4 address to MAC address bindings provided by the DHCPv4 service.
show ip dhcp server statistics       Displays count information regarding the number of DHCPv4 messages that have been sent and received.

Verify DHCPv4 is Operational


Verify the DHCPv4 Configuration: As shown in the example, the show running-config | section dhcp command output displays the DHCPv4 commands configured on R1. The | section parameter displays only the commands associated with DHCPv4 configuration.
Verify DHCPv4 Bindings: As shown in the example, the operation of DHCPv4 can be verified using
the show ip dhcp binding command. This command displays a list of all IPv4 address to MAC address
bindings that have been provided by the DHCPv4 service.

Verify DHCPv4 Statistics: The output of the show ip dhcp server statistics is used to verify that messages
are being received or sent by the router. This command displays count information regarding the number of
DHCPv4 messages that have been sent and received.

Verify DHCPv4 Client Received IPv4 Addressing: The ipconfig /all command, when issued on PC1, displays the TCP/IP parameters, as shown in the example. Because PC1 was connected to the network segment 192.168.10.0/24, it automatically received a DNS suffix, IPv4 address, subnet mask, default gateway, and DNS server address from that pool. No DHCP-specific router interface configuration is required. If a PC is connected to a network segment that has a DHCPv4 pool available, the PC can obtain an IPv4 address from the appropriate pool automatically.
Disable the Cisco IOS DHCPv4 Server
The DHCPv4 service is enabled by default. To disable the service, use the no service dhcp global
configuration mode command. Use the service dhcp global configuration mode command to re-enable the
DHCPv4 server process, as shown in the example. Enabling the service has no effect if the parameters are
not configured.
Note: Clearing the DHCP bindings or stopping and restarting the DHCP service may result in duplicate IP addresses being temporarily assigned on the network.

DHCPv4 Relay
• In a complex hierarchical network, enterprise servers are usually located centrally. These servers
may provide DHCP, DNS, TFTP, and FTP services for the network. Network clients are not
typically on the same subnet as those servers. In order to locate the servers and receive services,
clients often use broadcast messages.
• In the figure, PC1 is attempting to acquire an IPv4 address from a DHCPv4 server using a broadcast
message. In this scenario, R1 is not configured as a DHCPv4 server and does not forward the
broadcast. Because the DHCPv4 server is located on a different network, PC1 cannot receive an IP
address using DHCP. R1 must be configured to relay DHCPv4 messages to the DHCPv4 server.

• Configure R1 with the ip helper-address address interface configuration command. This will cause R1 to relay DHCPv4 broadcasts to the DHCPv4 server. As shown in the example, the interface on R1 receiving the broadcast from PC1 is configured to relay DHCPv4 address requests to the DHCPv4 server at 192.168.11.6.
• When R1 has been configured as a DHCPv4 relay agent, it accepts broadcast requests for the DHCPv4 service and then forwards those requests as a unicast to the IPv4 address 192.168.11.6. The network administrator can use the show ip interface command to verify the configuration.
Configuration Example
• To configure an Ethernet interface as a DHCP client, use the ip address dhcp interface configuration mode
command, as shown in the example. This configuration assumes that the ISP has been configured to provide
select customers with IPv4 addressing information.
• The show ip interface g0/1 command confirms that the interface is up and that the address was allocated by a
DHCPv4 server.

SLAAC and DHCPv6

IPv6 GUA Assignment


IPv6 Host Configuration
On a router, an IPv6 global unicast address (GUA) is manually configured using the ipv6 address ipv6-address/prefix-length interface configuration command.
• A Windows host can also be manually configured with an IPv6 GUA address configuration, as shown in the figure.
• However, manually entering an IPv6 GUA can be time consuming and somewhat error prone.
• Therefore, most Windows hosts are enabled to dynamically acquire an IPv6 GUA configuration.
IPv6 Host Link-Local Address

If automatic IPv6 addressing is selected, the host will use an Internet Control Message Protocol version 6
(ICMPv6) Router Advertisement (RA) message to help it autoconfigure an IPv6 configuration.
• The IPv6 link-local address is automatically created by the host when it boots and the Ethernet interface is active.
• The interface did not create an IPv6 GUA in the output because the network segment did not have a router to provide network configuration instructions for the host.
Note: The "%" and number at the end of the link-local address is known as a Zone ID or Scope ID and is used by the
OS to associate the LLA with a specific interface.
Note: DHCPv6 is defined in RFC 3315.

By default, an IPv6-enabled router periodically sends ICMPv6 RAs, which simplifies how a host can dynamically create or acquire its IPv6 configuration.
• A host can dynamically be assigned a GUA using stateless and stateful services.
• All stateless and stateful methods in this module use ICMPv6 RA messages to suggest to the host how to create or acquire its IPv6 configuration.
• Although host operating systems follow the suggestion of the RA, the actual decision is ultimately up to the host.
Three RA Message Flags
How a client obtains an IPv6 GUA depends on settings in the RA message.
An ICMPv6 RA message includes the following three flags:
• A flag - The Address Autoconfiguration flag signifies to use Stateless Address Autoconfiguration (SLAAC) to create an IPv6 GUA.
• O flag - The Other Configuration flag signifies that additional information is available from a stateless DHCPv6 server.
• M flag - The Managed Address Configuration flag signifies to use a stateful DHCPv6 server to obtain an IPv6 GUA.

Using different combinations of the A, O and M flags, RA messages inform the host about the dynamic
options available.

SLAAC

SLAAC Overview
Not every network has access to a DHCPv6 server but every device in an IPv6 network needs a GUA. The
SLAAC method enables hosts to create their own unique IPv6 global unicast address without the services of
a DHCPv6 server.
• SLAAC is a stateless service which means there is no server that maintains network address
information to know which IPv6 addresses are being used and which ones are available.
• SLAAC sends periodic ICMPv6 RA messages (i.e., every 200 seconds) providing addressing and
other configuration information for hosts to autoconfigure their IPv6 address based on the information
in the RA.
• A host can also send a Router Solicitation (RS) message requesting an RA.
• SLAAC can be deployed as SLAAC only, or SLAAC with DHCPv6.
Enabling SLAAC
R1 G0/0/1 has been configured with the indicated IPv6 GUA and link-local addresses.
The R1 G0/0/1 IPv6 addresses include:
• Link-local IPv6 address - fe80::1
• GUA / subnet - 2001:db8:acad:1::1, 2001:db8:acad:1::/64
• IPv6 all-nodes group - ff02::1

R1 is configured to join the IPv6 all-routers multicast group and start sending RA messages containing address configuration information to hosts using SLAAC.

The IPv6 all-routers group responds to the IPv6 multicast address ff02::2.
• The show ipv6 interface command verifies that R1 has joined the IPv6 all-routers group (i.e., ff02::2).
• R1 will now begin to send RA messages every 200 seconds to the IPv6 all-nodes multicast address ff02::1.

SLAAC Only Method


RA messages from R1 have the following flags set:
• A = 1 – Informs the client to use the IPv6 GUA prefix in the RA and dynamically create its own Interface ID.
• O = 0 and M = 0 – Informs the client to also use the additional information in the RA message (i.e., DNS server, MTU, and default gateway information).
• The ipconfig Windows command confirms that PC1 has generated an IPv6 GUA using the R1 RA.
• The default gateway address is the LLA of the R1 G0/0/1 interface.
ICMPv6 RA Messages
A router sends RA messages every 200 seconds or when it receives an RS message from a host.
• IPv6 enabled hosts wishing to obtain IPv6 addressing information send an RS message to the IPv6 all-routers
multicast address of ff02::2.

The figure illustrates how a host initiates the SLAAC method:
1. PC1 has just booted and sends an RS message to the IPv6 all-routers multicast address of ff02::2 requesting an RA.
2. R1 generates an RA and then sends the RA message to the IPv6 all-nodes multicast address of ff02::1. PC1 uses this information to create a unique IPv6 GUA.

Host Process to Generate Interface ID

Using SLAAC, a host acquires its 64-bit IPv6 subnet information from the router RA and must generate the remaining 64-bit interface identifier (ID) using either:
• Randomly generated - The 64-bit interface ID is randomly generated by the client operating system.
This is the method now used by Windows 10 hosts.
• EUI-64 - The host creates an interface ID using its 48-bit MAC address and inserts the hex value of
fffe in the middle of the address. Some operating systems default to the randomly generated interface
ID instead of the EUI-64 method, due to privacy concerns. This is because the Ethernet MAC address
of the host is used by EUI-64 to create the interface ID.
Note: Windows, Linux, and Mac OS allow for the user to modify the generation of the interface ID to be either
randomly generated or to use EUI-64.

Duplicate Address Detection


A SLAAC host may use the following Duplicate Address Detection (DAD) process to ensure that the IPv6
GUA is unique.
• The host sends an ICMPv6 Neighbor Solicitation (NS) message to a specially constructed solicited-node multicast address containing the last 24 bits of the IPv6 address of the host.
• If no other devices respond with a Neighbor Advertisement (NA) message, then the address is
virtually guaranteed to be unique and can be used by the host.
• If an NA is received by the host, then the address is not unique, and the host must generate a new
interface ID to use.
Note: DAD is really not required because a 64-bit interface ID provides 18 quintillion possibilities. Therefore, the
chance of a duplicate address is remote. However, the Internet Engineering Task Force (IETF) recommends that DAD
is used. Therefore, most operating systems perform DAD on all IPv6 unicast addresses, regardless of how the address
is configured.
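An added Python model (not from this guide, not Cisco code) that ties together the three RA flags, the EUI-64 interface ID, the SLAAC address and the solicited-node multicast group DAD uses. The MAC address is a constructed sample, the prefix is R1's 2001:db8:acad:1::/64 from this section, and the NS/NA exchange is simulated with a set of addresses assumed to already exist on the link; the code also performs the universal/local bit flip that modified EUI-64 requires (RFC 4291), a step the text above does not spell out.

```python
import ipaddress
import secrets
from typing import Optional, Set


def ra_addressing_method(a_flag: int, o_flag: int, m_flag: int) -> str:
    """Map the A, O and M flags of an ICMPv6 RA to the method this section
    describes: M=1 stateful DHCPv6; A=1,O=1 SLAAC plus stateless DHCPv6;
    A=1,O=0 SLAAC only."""
    if m_flag == 1:
        return "stateful DHCPv6"
    if a_flag == 1 and o_flag == 1:
        return "SLAAC with stateless DHCPv6"
    if a_flag == 1:
        return "SLAAC only"
    return "no dynamic GUA method advertised"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: insert fffe in the middle of the 48-bit MAC and flip the
    universal/local bit (0x02) of the first octet, as RFC 4291 requires."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def random_interface_id() -> int:
    """Randomly generated 64-bit interface ID (the default on recent Windows)."""
    return secrets.randbits(64)


def slaac_gua(prefix: str, interface_id: int) -> ipaddress.IPv6Address:
    """Combine the /64 prefix advertised in the RA with a 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    low64 = interface_id & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(net.network_address) | low64)


def solicited_node_multicast(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the last 24 bits of the unicast
    address; the DAD Neighbor Solicitation is sent to this group."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(addr) & 0xFFFFFF))


def dad_select_address(prefix: str, mac: str,
                       link_addresses: Set[ipaddress.IPv6Address],
                       use_eui64: bool = True, max_tries: int = 3
                       ) -> Optional[ipaddress.IPv6Address]:
    """Generate a candidate GUA and run DAD on it. link_addresses is a
    constructed stand-in for the other nodes on the link: a node answers the
    NS with an NA only if it listens on the candidate's solicited-node group
    and owns exactly that address. On a duplicate, a new random interface ID
    is tried, as the text above describes."""
    iid = eui64_interface_id(mac) if use_eui64 else random_interface_id()
    for _ in range(max_tries):
        candidate = slaac_gua(prefix, iid)
        group = solicited_node_multicast(candidate)
        listeners = [a for a in link_addresses
                     if solicited_node_multicast(a) == group]
        if not any(a == candidate for a in listeners):
            return candidate            # no NA received: address is unique
        iid = random_interface_id()     # NA received: regenerate the interface ID
    return None


if __name__ == "__main__":
    # Constructed sample MAC; the prefix is the one R1 advertises in this section.
    mac = "00:1a:2b:3c:4d:5e"
    gua = slaac_gua("2001:db8:acad:1::/64", eui64_interface_id(mac))
    print(ra_addressing_method(1, 0, 0), gua, solicited_node_multicast(gua))
```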
DHCPv6

DHCPv6 Operation Steps

Stateful DHCPv6 does not require SLAAC while stateless DHCPv6 does.
Regardless, when an RA indicates to use stateless DHCPv6 or stateful DHCPv6:
1. The host sends an RS message.
2. The router responds with an RA message.
3. The host sends a DHCPv6 SOLICIT message.
4. The DHCPv6 server responds with an ADVERTISE message.
5. The host responds to the DHCPv6 server.
6. The DHCPv6 server sends a REPLY message.
Note: Server to client DHCPv6 messages use UDP destination port 546 while client to server DHCPv6 messages use UDP destination port 547.

Stateless DHCPv6 Operation

If an RA indicates the stateless DHCPv6 method, the host uses the information in the RA message for
addressing and contacts a DHCPv6 server for additional information.
Note: The DHCPv6 server only provides configuration parameters for clients and does not maintain a list of IPv6
address bindings (i.e. stateless).

For example, PC1 receives a stateless RA message containing:
• The IPv6 GUA network prefix and prefix length.
• A flag set to 1 informing the host to use SLAAC.
• O flag set to 1 informing the host to seek additional configuration information from a DHCPv6 server.
• M flag set to the default value 0.
• PC1 sends a DHCPv6 SOLICIT message seeking additional information from a stateless DHCPv6 server.
Enable Stateless DHCPv6 on an Interface

Stateless DHCPv6 is enabled using the ipv6 nd other-config-flag interface configuration command, which sets the O flag to 1. The highlighted output confirms the RA will tell receiving hosts to use stateless autoconfiguration (A flag = 1) and contact a DHCPv6 server to obtain other configuration information (O flag = 1).
Note: You can use the no ipv6 nd other-config-flag command to reset the interface to the default SLAAC only option (O flag = 0).

Stateful DHCPv6 Operation


If an RA indicates the stateful DHCPv6 method, the host contacts a DHCPv6 server for all configuration
information.
Note: The DHCPv6 server is stateful and maintains a list of IPv6 address bindings.

For example, PC1 receives a stateful RA message containing:
• The IPv6 GUA network prefix and prefix length.
• A flag set to 0 informing the host to contact a DHCPv6 server.
• O flag set to 0 informing the host to contact a DHCPv6 server.
• M flag set to the value 1.
• PC1 sends a DHCPv6 SOLICIT message seeking additional information from a stateful DHCPv6 server.

Enable Stateful DHCPv6 on an Interface

Stateful DHCPv6 is enabled using the ipv6 nd managed-config-flag interface configuration command, which sets the M flag to 1.
The highlighted output in the example confirms that the RA will tell the host to obtain all IPv6 configuration information from a DHCPv6 server (M flag = 1).
DHCPv6 Router Roles
Cisco IOS routers are powerful devices. In smaller networks, you do not have to have separate devices to
have a DHCPv6 server, client, or relay agent. A Cisco IOS router can be configured to provide DHCPv6
server services.
Specifically, it can be configured to be one of the following:
• DHCPv6 Server - Router provides stateless or stateful DHCPv6 services.
• DHCPv6 Client - Router interface acquires an IPv6 IP configuration from a DHCPv6 server.
• DHCPv6 Relay Agent - Router provides DHCPv6 forwarding services when the client and the server
are located on different networks.

Configure a Stateless DHCPv6 Server


The stateless DHCPv6 server option requires that the router advertise the IPv6 network addressing
information in RA messages.
There are five steps to configure and verify a router as a stateless DHCPv6 server:
1. Enable IPv6 routing using the ipv6 unicast-routing command.
2. Define a DHCPv6 pool name using the ipv6 dhcp pool POOL-NAME global config command.
3. Configure the DHCPv6 pool with options. Common options include dns-server X:X:X:X:X:X:X:X and
domain-name name.
4. Bind the interface to the pool using the ipv6 dhcp server POOL-NAME interface config command.
Manually change the O flag from 0 to 1 using the ipv6 nd other-config-flag interface command. RA messages sent on this interface indicate that additional information is available from a stateless DHCPv6 server. The A flag is 1 by default, telling clients to use SLAAC to create their own GUA.
5. Verify that the hosts have received IPv6 addressing information using the ipconfig /all command.

Configure a Stateless DHCPv6 Client

A router can also be a DHCPv6 client and get an IPv6 configuration from a DHCPv6 server, such as a router
functioning as a DHCPv6 server.
1. Enable IPv6 routing using the ipv6 unicast-routing command.
2. Configure the client router to create an LLA. An IPv6 link-local address is created on a router interface when
a global unicast address is configured, or without a GUA using the ipv6 enable interface configuration
command. Cisco IOS uses EUI-64 to create the Interface ID.
3. Configure the client router to use SLAAC using the ipv6 address autoconfig command.
4. Verify that the client router is assigned a GUA using the show ipv6 interface brief command.
5. Verify that the client router received other necessary DHCPv6 information. The show ipv6 dhcp interface
g0/0/1 command confirms DHCP option information, such as DNS server and domain name, have been
received by the client.
Configure a Stateful DHCPv6 Server

The stateful DHCP server option requires that the IPv6 enabled router tells the host to contact a DHCPv6
server to obtain all necessary IPv6 network addressing information.
There are five steps to configure and verify a router as a stateful DHCPv6 server:
1. Enable IPv6 routing using the ipv6 unicast-routing command.
2. Define a DHCPv6 pool name using the ipv6 dhcp pool POOL-NAME global config command.
3. Configure the DHCPv6 pool with options. Common options include the address prefix command, domain name, DNS server IP address, and more.
4. Bind the interface to the pool using the ipv6 dhcp server POOL-NAME interface config command.
Manually change the M flag from 0 to 1 using the interface command ipv6 nd managed-config-flag. Manually
change the A flag from 1 to 0 using the ipv6 nd prefix default no-autoconfig interface command to inform the client
to not to use SLAAC to create a GUA. The router will now respond to stateful DHCPv6 requests with the information
contained in the pool.
5. Verify that the hosts have received IPv6 addressing information using the ipconfig /all command.

Configure a Stateful DHCPv6 Client


A router can also be a DHCPv6 client. The client router needs to have ipv6 unicast-routing enabled and an
IPv6 link-local address to send and receive IPv6 messages.
There are five steps to configure and verify a router as a stateful DHCPv6 client:
1. Enable IPv6 routing using the ipv6 unicast-routing command.
2. Configure the client router to create an LLA. An IPv6 link-local address is created on a router interface when
a global unicast address is configured, or without a GUA using the ipv6 enable interface configuration
command. Cisco IOS uses EUI-64 to create an Interface ID.
3. Configure the client router to use DHCPv6 using the ipv6 address dhcp interface config command.
4. Verify that the client router is assigned a GUA using the show ipv6 interface brief command.
5. Verify that the client router received other necessary DHCPv6 information using the show ipv6 dhcp
interface g0/0/1 command.
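The two client-side procedures above depend on two things a host or router works out for itself: which addressing method the router advertisement (RA) flags M, O and A tell it to use, and the EUI-64 link-local address IOS builds in step 2. The following Python model is an added example, not code from the guide or from Cisco IOS; the MAC address and prefixes are constructed. It maps the flag combinations set by the stateless and stateful server configurations to the resulting client behaviour and derives the modified EUI-64 interface ID as described in RFC 4291.

```python
# Added example, not from the guide: how a host reads the RA flags that the
# server-side steps above set (M, O, A), and how Cisco IOS derives a
# link-local address with EUI-64 when "ipv6 enable" is used without a GUA.
# The MAC addresses and prefixes used are constructed.
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64 interface ID (RFC 4291 appendix A) from a 48-bit MAC:
    insert ff:fe between the OUI and the device half, then flip the
    universal/local bit (bit 7 of the first byte)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return eui.hex()


def ipv6_from_prefix(prefix64, interface_id_hex):
    """Combine a /64 prefix such as 'fe80::' or '2001:db8:acad:1::' with an
    interface ID and return the compressed textual address."""
    prefix = int(ipaddress.IPv6Address(prefix64)) & ~((1 << 64) - 1)
    return str(ipaddress.IPv6Address(prefix | int(interface_id_hex, 16)))


def link_local(mac):
    """The LLA IOS creates for an interface after 'ipv6 enable'."""
    return ipv6_from_prefix("fe80::", eui64_interface_id(mac))


def addressing_method(m_flag, o_flag, a_flag):
    """What an RA with these flags tells a host to do.

    A (autonomous flag of the prefix option, default 1): build a GUA with SLAAC.
    O (other-config, default 0): fetch DNS/domain from DHCPv6 (stateless).
    M (managed, default 0): get address and options from DHCPv6 (stateful);
    with M=1 the O flag is redundant and ignored.
    Leaving A=1 while setting M=1 lets the host keep a SLAAC GUA alongside
    the DHCPv6 one, which is why step 4 of the stateful server clears A."""
    methods = []
    if a_flag:
        methods.append("SLAAC")
    if m_flag:
        methods.append("stateful DHCPv6")
    elif o_flag:
        methods.append("stateless DHCPv6")
    return " + ".join(methods) if methods else "no automatic addressing"
```

Checking a device's output against link_local() is a quick way to confirm that an interface's LLA really was derived from its burned-in MAC and not set by hand.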

DHCPv6 Server Verification Commands


The show ipv6 dhcp pool command verifies the name of the DHCPv6 pool and its parameters. The command
also identifies the number of active clients.
Use the show ipv6 dhcp binding command output to display the IPv6 link-local address of the client and the
global unicast address assigned by the server.
• This information is maintained by a stateful DHCPv6 server.
• A stateless DHCPv6 server would not maintain this information.

Configure a DHCPv6 Relay Agent

If the DHCPv6 server is located on a different network than the client, then the IPv6 router can be
configured as a DHCPv6 relay agent.
• The configuration of a DHCPv6 relay agent is similar to the configuration of an IPv4 router as a DHCPv4
relay.
• The ipv6 dhcp relay destination command is configured on the interface facing the DHCPv6 clients and
specifies the DHCPv6 server address and the egress interface used to reach the server, as shown in the output.
The egress interface is only required when the next-hop address is an LLA.

Verify the DHCPv6 Relay Agent

Verify that the DHCPv6 relay agent is operational with the show ipv6 dhcp interface and show ipv6 dhcp
binding commands.
Verify that Windows hosts received IPv6 addressing information with the ipconfig /all command.
FHRP (First Hop Redundancy Protocols)

Default Gateway Limitations

End devices are typically configured with a single default gateway IPv4 address.
• If the default gateway router interface fails, LAN hosts lose outside LAN connectivity.
• This occurs even if a redundant router or Layer 3 switch that could serve as a default gateway exists.

First hop redundancy protocols (FHRPs) are mechanisms that provide alternate default gateways in switched
networks where two or more routers are connected to the same VLANs.

Router Redundancy

One way to prevent a single point of failure at the default gateway is to implement a virtual router. To
implement this type of router redundancy, multiple routers are configured to work together to present the
illusion of a single router to the hosts on the LAN. By sharing an IP address and a MAC address, two or
more routers can act as a single virtual router.
• The IPv4 address of the virtual router is configured as the default gateway for the workstations on a
specific IPv4 segment.
• When frames are sent from host devices to the default gateway, the hosts use ARP to resolve the
MAC address that is associated with the IPv4 address of the default gateway. The ARP resolution
returns the MAC address of the virtual router. Frames that are sent to the MAC address of the virtual
router can then be physically processed by the currently active router within the virtual router group.
• A protocol is used to identify two or more routers as the devices that are responsible for processing
frames that are sent to the MAC or IP address of a single virtual router. Host devices send traffic to
the address of the virtual router. The physical router that forwards this traffic is transparent to the
host devices.
• A redundancy protocol provides the mechanism for determining which router should take the active
role in forwarding traffic. It also determines when the forwarding role must be taken over by a
standby router. The transition from one forwarding router to another is transparent to the end
devices.
• The ability of a network to dynamically recover from the failure of a device acting as a default
gateway is known as first-hop redundancy.
Steps for Router Failover

When the active router fails, the redundancy protocol transitions the standby router to the new active router
role, as shown in the figure. These are the steps that take place when the active router fails:
1. The standby router stops seeing Hello messages from the forwarding router.
2. The standby router assumes the role of the forwarding router.
3. Because the new forwarding router assumes both the IPv4 and MAC addresses of the virtual router, the
host devices see no disruption in service.

FHRP Options

FHRP Option - Description
• Hot Standby Router Protocol (HSRP) - HSRP is a Cisco-proprietary FHRP that is designed to allow for
transparent failover of a first-hop IPv4 device. HSRP is used in a group of routers for selecting an active
device and a standby device. The active device is the device that is used for routing packets; the standby
device is the device that takes over when the active device fails, or when pre-set conditions are met.
• HSRP for IPv6 - This is a Cisco-proprietary FHRP that provides the same functionality as HSRP, but in an
IPv6 environment. An HSRP IPv6 group has a virtual MAC address derived from the HSRP group number and a
virtual IPv6 link-local address derived from the HSRP virtual MAC address. Periodic router advertisements
(RAs) are sent for the HSRP virtual IPv6 link-local address when the HSRP group is active. When the group
becomes inactive, these RAs stop after a final RA is sent.
• Virtual Router Redundancy Protocol version 2 (VRRPv2) - This is a non-proprietary election protocol that
dynamically assigns responsibility for one or more virtual routers to the VRRP routers on an IPv4 LAN. This
allows several routers on a multiaccess link to use the same virtual IPv4 address. In a VRRP configuration,
one router is elected as the virtual router master, with the other routers acting as backups in case the
virtual router master fails.
• VRRPv3 - This provides the capability to support IPv4 and IPv6 addresses. VRRPv3 works in multi-vendor
environments and is more scalable than VRRPv2.
• Gateway Load Balancing Protocol (GLBP) - This is a Cisco-proprietary FHRP that protects data traffic from
a failed router or circuit, like HSRP and VRRP, while also allowing load balancing (also called load sharing)
between a group of redundant routers.
• GLBP for IPv6 - This is a Cisco-proprietary FHRP that provides the same functionality as GLBP, but in an
IPv6 environment. GLBP for IPv6 provides automatic router backup for IPv6 hosts configured with a single
default gateway on a LAN. Multiple first-hop routers on the LAN combine to offer a single virtual first-hop
IPv6 router while sharing the IPv6 packet forwarding load.
• ICMP Router Discovery Protocol (IRDP) - Specified in RFC 1256, IRDP is a legacy FHRP solution. IRDP
allows IPv4 hosts to locate routers that provide IPv4 connectivity to other (nonlocal) IP networks.
HSRP

Cisco provides HSRP and HSRP for IPv6 as a way to avoid losing outside network access if your default
router fails. HSRP is a Cisco-proprietary FHRP that is designed to allow for transparent failover of a first-
hop IP device.
HSRP ensures high network availability by providing first-hop routing redundancy for IP hosts on networks
configured with an IP default gateway address. HSRP is used in a group of routers for selecting an active
device and a standby device. In a group of device interfaces, the active device is the device that is used for
routing packets; the standby device is the device that takes over when the active device fails, or when pre-set
conditions are met. The function of the HSRP standby router is to monitor the operational status of the
HSRP group and to quickly assume packet-forwarding responsibility if the active router fails.

HSRP Priority and Preemption

The role of the active and standby routers is determined during the HSRP election process. By default, the
router with the numerically highest IPv4 address is elected as the active router. However, it is always better
to control how your network will operate under normal conditions rather than leaving it to chance.
• HSRP priority can be used to determine the active router.
• The router with the highest HSRP priority will become the active router.
• By default, the HSRP priority is 100.
• If the priorities are equal, the router with the numerically highest IPv4 address is elected as the active
router.
• To configure a router to be the active router, use the standby [group] priority interface command. The range
of the HSRP priority is 0 to 255.

By default, after a router becomes the active router, it will remain the active router even if another router
comes online with a higher HSRP priority.
• To force a new HSRP election process to take place when a higher priority router comes online, preemption
must be enabled using the standby preempt interface command. Preemption is the ability of an HSRP router
to trigger the re-election process. With preemption enabled, a router that comes online with a higher HSRP
priority will assume the role of the active router.
• Preemption only allows a router to become the active router if it has a higher priority. A router enabled for
preemption, with equal priority but a higher IPv4 address will not preempt an active router. Refer to the
topology in the figure.
Note: With preemption disabled, the router that boots up first will become the active router if there are no other
routers online during the election process.
HSRP States and Times

HSRP State - Description
• Initial - This state is entered through a configuration change or when an interface first becomes available.
• Learn - The router has not determined the virtual IP address and has not yet seen a hello message from
the active router. In this state, the router waits to hear from the active router.
• Listen - The router knows the virtual IP address, but the router is neither the active router nor the standby
router. It listens for hello messages from those routers.
• Speak - The router sends periodic hello messages and actively participates in the election of the active
and/or standby router.
• Standby - The router is a candidate to become the next active router and sends periodic hello messages.

The active and standby HSRP routers send hello packets to the HSRP group multicast address every 3 seconds by
default. The standby router will become active if it does not receive a hello message from the active router after 10
seconds. You can lower these timer settings to speed up the failover or preemption. However, to avoid increased CPU
usage and unnecessary standby state changes, do not set the hello timer below 1 second or the hold timer below 4
seconds.
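The election rules, the preemption caveats and the timer behaviour described in the HSRP section fit in a small model. The Python below is an added example, not code from the guide or from Cisco IOS; router names, addresses and the group number are constructed. It encodes the election key (priority, then highest IPv4 address), the rule that preemption needs a strictly higher priority, the hold-timer failover with the IOS defaults of 3 and 10 seconds, and the HSRP version 1 virtual MAC format 0000.0c07.acXX that hosts resolve for the virtual IP.

```python
# Added example, not from the guide: a model of HSRP active/standby selection,
# preemption and hold-timer failover as described in the HSRP section.
# Router names and addresses are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class HsrpRouter:
    name: str
    ip: str                      # interface IPv4 address
    priority: int = 100          # IOS default priority
    preempt: bool = False        # "standby <group> preempt" is off by default
    online: bool = True

    def election_key(self):
        # Highest priority wins; tie broken by numerically highest IPv4 address.
        return (self.priority, int(ipaddress.IPv4Address(self.ip)))


def elect_active(routers):
    """Initial election among the routers that are online (all in Speak state)."""
    live = [r for r in routers if r.online]
    if not live:
        return None
    return max(live, key=HsrpRouter.election_key)


def on_router_online(active, newcomer):
    """A router joins a group that already has an active router.

    Without preempt it becomes standby even if its priority is higher.
    With preempt it takes over only when its priority is strictly higher;
    an equal priority with a higher IP address never preempts."""
    if active is None or not active.online:
        return newcomer
    if newcomer.preempt and newcomer.priority > active.priority:
        return newcomer
    return active


def after_hello_loss(active, standby, seconds_without_hello, hello=3, hold=10):
    """Return the active router once `seconds_without_hello` have passed.

    The standby takes over when the hold timer (default 10 s) expires.
    Cisco advises hello >= 1 s and hold >= 4 s to avoid needless flapping."""
    if hello < 1 or hold < 4:
        raise ValueError("hello timer must be >= 1 s and hold timer >= 4 s")
    if seconds_without_hello >= hold:
        return standby
    return active


def virtual_mac(group, version=1):
    """HSRP version 1 virtual MAC: 0000.0c07.acXX, XX = group number (0-255).
    This is the MAC hosts learn when they ARP for the virtual IP."""
    if version != 1 or not 0 <= group <= 255:
        raise ValueError("only HSRPv1 groups 0-255 are modelled here")
    return f"0000.0c07.ac{group:02x}"
```

The on_router_online() case is the one that surprises people in the field: a router with priority 150 and no preempt that boots after a default-priority router stays standby until the active router fails.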

LAN Security

Endpoint Security

Network Attacks Today


The news media commonly covers attacks on enterprise networks. Most likely, these attacks will involve
one or more of the following:
• Distributed Denial of Service (DDoS) – This is a coordinated attack from many devices, called
zombies, with the intention of degrading or halting public access to an organization’s website and
resources.
• Data Breach – This is an attack in which an organization’s data servers or hosts are compromised to
steal confidential information.
• Malware – This is an attack in which an organization’s hosts are infected with malicious software
that causes a variety of problems. For example, ransomware such as WannaCry encrypts the data on a
host and locks access to it until a ransom is paid.
Network Security Devices

Various network security devices are required to protect the network perimeter from outside access. These
devices could include the following:
• Virtual Private Network (VPN) enabled router - provides a secure connection to remote users across a
public network and into the enterprise network. VPN services can be integrated into the firewall.
• Next-Generation Firewall (NGFW) - provides stateful packet inspection, application visibility and control, a
next-generation intrusion prevention system (NGIPS), advanced malware protection (AMP), and URL
filtering.
• Network Access Control (NAC) - includes authentication, authorization, and accounting (AAA) services. In
larger enterprises, these services might be incorporated into an appliance that can manage access policies
across a wide variety of users and device types. The Cisco Identity Services Engine (ISE) is an example of a
NAC device.

Endpoint Protection
• Endpoints are hosts which commonly consist of laptops, desktops, servers, and IP phones, as well as
employee-owned devices. Endpoints are particularly susceptible to malware-related attacks that originate
through email or web browsing.
• Endpoints have typically used traditional host-based security features, such as antivirus/antimalware,
host-based firewalls, and host-based intrusion prevention systems (HIPSs).
• Endpoints today are best protected by a combination of NAC, AMP software, an email security appliance
(ESA), and a web security appliance (WSA).

Cisco Email Security Appliance

The Cisco ESA device is designed to monitor Simple Mail Transfer Protocol (SMTP). The Cisco ESA is
constantly updated by real-time feeds from Cisco Talos, which detects and correlates threats and
solutions by using a worldwide database monitoring system. This threat intelligence data is pulled by the
Cisco ESA every three to five minutes.
These are some of the functions of the Cisco ESA:
• Block known threats
• Remediate against stealth malware that evaded initial detection
• Discard emails with bad links
• Block access to newly infected sites.
• Encrypt content in outgoing email to prevent data loss.
Cisco Web Security Appliance
• The Cisco Web Security Appliance (WSA) is a mitigation technology for web-based threats. It helps
organizations address the challenges of securing and controlling web traffic.
• The Cisco WSA combines advanced malware protection, application visibility and control, acceptable use
policy controls, and reporting.
• Cisco WSA provides complete control over how users access the internet. Certain features and applications,
such as chat, messaging, video and audio, can be allowed, restricted with time and bandwidth limits, or
blocked, according to the organization’s requirements.
• The WSA can perform blacklisting of URLs, URL-filtering, malware scanning, URL categorization, Web
application filtering, and encryption and decryption of web traffic.

Access Control

Authentication with a Local Password

Many types of authentication can be performed on networking devices, and each method offers varying
levels of security.
The simplest method of remote access authentication is to configure a login and password combination on
console, vty lines, and aux ports.
SSH is a more secure form of remote access:
• It requires a username and a password.
• The username and password can be authenticated locally.
The local database method has some limitations:
• User accounts must be configured locally on each device, which is not scalable.
• The method provides no fallback authentication method.

AAA Components

AAA stands for Authentication, Authorization, and Accounting, and provides the primary framework to set
up access control on a network device.
AAA is a way to control who is permitted to access a network (authenticate), what they can do while they
are there (authorize), and to audit what actions they performed while accessing the network (accounting).
Authentication

Local and server-based are two common methods of implementing AAA authentication.
Local AAA Authentication:
• Method stores usernames and passwords locally in a network device (e.g., Cisco router).
• Users authenticate against the local database.
• Local AAA is ideal for small networks.

Server-Based AAA Authentication:


• With the server-based method, the router accesses a central AAA server.
• The AAA server contains the usernames and passwords for all users.
• The router uses either the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access
Controller Access Control System (TACACS+) protocols to communicate with the AAA server.
• When there are multiple routers and switches, server-based AAA is more appropriate.

Authorization

• AAA authorization is automatic and does not require users to perform additional steps after authentication.
• Authorization governs what users can and cannot do on the network after they are authenticated.
• Authorization uses a set of attributes that describes the user’s access to the network. These attributes are used
by the AAA server to determine privileges and restrictions for that user.

Accounting

AAA accounting collects and reports usage data. This data can be used for such purposes as auditing or
billing. The collected data might include the start and stop connection times, executed commands, number of
packets, and number of bytes.
A primary use of accounting is to combine it with AAA authentication.
• The AAA server keeps a detailed log of exactly what the authenticated user does on the device, as
shown in the figure. This includes all EXEC and configuration commands issued by the user.
• The log contains numerous data fields, including the username, the date and time, and the actual
command that was entered by the user. This information is useful when troubleshooting devices. It
also provides evidence for when individuals perform malicious acts.
802.1X
The IEEE 802.1X standard is a port-based access control and authentication protocol. This protocol restricts
unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The
authentication server authenticates each workstation that is connected to a switch port before making
available any services offered by the switch or the LAN.
With 802.1X port-based authentication, the devices in the network have specific roles:
• Client (Supplicant) - This is a device running 802.1X-compliant client software, which is available for
wired or wireless devices.
• Switch (Authenticator) –The switch acts as an intermediary between the client and the authentication
server. It requests identifying information from the client, verifies that information with the
authentication server, and relays a response to the client. Another device that could act as
authenticator is a wireless access point.
• Authentication server –The server validates the identity of the client and notifies the switch or
wireless access point that the client is or is not authorized to access the LAN and switch services.

Layer 2 Security Threats

Layer 2 Vulnerabilities

Recall that the OSI reference model is divided into seven layers which work independently of each other.
The figure shows the function of each layer and the core elements that can be exploited.
Network administrators routinely implement security solutions to protect the elements in Layer 3 up through
Layer 7. They use VPNs, firewalls, and IPS devices to protect these elements. However, if Layer 2 is
compromised, then all the layers above it are also affected. For example, if a threat actor with access to
the internal network captured Layer 2 frames, then all the security implemented on the layers above would
be useless. The threat actor could cause a lot of damage on the Layer 2 LAN networking infrastructure.
Switch Attack Categories

Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weak link.
This is because LANs were traditionally under the administrative control of a single organization. We
inherently trusted all persons and devices connected to our LAN. Today, with BYOD and more
sophisticated attacks, our LANs have become more vulnerable to penetration.

Category - Examples
• MAC Table Attacks - Includes MAC address flooding attacks.
• VLAN Attacks - Includes VLAN hopping and VLAN double-tagging attacks. It also includes attacks between
devices on a common VLAN.
• DHCP Attacks - Includes DHCP starvation and DHCP spoofing attacks.
• ARP Attacks - Includes ARP spoofing and ARP poisoning attacks.
• Address Spoofing Attacks - Includes MAC address and IP address spoofing attacks.
• STP Attacks - Includes Spanning Tree Protocol manipulation attacks.

Switch Attack Mitigation Techniques

Solution - Description
• Port Security - Prevents many types of attacks including MAC address flooding attacks and DHCP starvation
attacks.
• DHCP Snooping - Prevents DHCP starvation and DHCP spoofing attacks.
• Dynamic ARP Inspection (DAI) - Prevents ARP spoofing and ARP poisoning attacks.
• IP Source Guard (IPSG) - Prevents MAC and IP address spoofing attacks.

These Layer 2 solutions will not be effective if the management protocols are not secured. The following
strategies are recommended:
• Always use secure variants of management protocols such as SSH, Secure Copy Protocol (SCP), Secure FTP
(SFTP), and Secure Socket Layer/Transport Layer Security (SSL/TLS).
• Consider using out-of-band management network to manage devices.
• Use a dedicated management VLAN where nothing but management traffic resides.
• Use ACLs to filter unwanted access.
MAC Address Table Attack

Switch Operation Review

Recall that to make forwarding decisions, a Layer 2 LAN switch builds a table based on the source MAC
addresses in received frames. This is called a MAC address table. MAC address tables are stored in
memory and are used to more efficiently switch frames.

MAC Address Table Flooding

All MAC tables have a fixed size and consequently, a switch can run out of resources in which to store
MAC addresses. MAC address flooding attacks take advantage of this limitation by bombarding the switch
with fake source MAC addresses until the switch MAC address table is full.
When this occurs, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic
out all ports on the same VLAN without referencing the MAC table. This condition now allows a threat
actor to capture all of the frames sent from one host to another on the local LAN or local VLAN.
Note: Traffic is flooded only within the local LAN or VLAN. The threat actor can only capture traffic within the local
LAN or VLAN to which the threat actor is connected.

MAC Address Table Attack Mitigation

What makes tools such as macof so dangerous is that an attacker can create a MAC table overflow attack
very quickly. For instance, a Catalyst 6500 switch can store 132,000 MAC addresses in its MAC address
table. A tool such as macof can flood a switch with up to 8,000 bogus frames per second; creating a MAC
address table overflow attack in a matter of a few seconds.
Another reason why these attack tools are dangerous is because they not only affect the local switch, they
can also affect other connected Layer 2 switches. When the MAC address table of a switch is full, it starts
flooding out all ports including those connected to other Layer 2 switches.
To mitigate MAC address table overflow attacks, network administrators must implement port security. Port
security will only allow a specified number of source MAC addresses to be learned on the port. Port security
is further discussed in another module.
LAN Attacks

VLAN Hopping Attacks

A VLAN hopping attack enables traffic from one VLAN to be seen by another VLAN without the aid of a
router. In a basic VLAN hopping attack, the threat actor configures a host to act like a switch to take
advantage of the automatic trunking port feature enabled by default on most switch ports.
The threat actor configures the host to spoof 802.1Q
signaling and Cisco-proprietary Dynamic Trunking
Protocol (DTP) signaling to trunk with the connecting
switch. If successful, the switch establishes a trunk link
with the host, as shown in the figure. Now the threat
actor can access all the VLANs on the switch. The
threat actor can send and receive traffic on any VLAN,
effectively hopping between VLANs.

VLAN Double-Tagging Attacks

A threat actor in specific situations could embed a hidden 802.1Q tag inside a frame that already has an
802.1Q tag. This tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify.
• Step 1: The threat actor sends a double-tagged 802.1Q frame to the switch. The outer header has the VLAN
tag of the threat actor, which is the same as the native VLAN of the trunk port.
• Step 2: The frame arrives on the first switch, which looks at the first 4-byte 802.1Q tag. The switch sees that
the frame is destined for the native VLAN. The switch forwards the packet out all native VLAN ports after
stripping the VLAN tag. The frame is not retagged because it is part of the native VLAN. At this point, the
inner VLAN tag is still intact and has not been inspected by the first switch.
• Step 3: The frame arrives at the second switch which has no knowledge that it was supposed to be for the
native VLAN. Native VLAN traffic is not tagged by the sending switch as specified in the 802.1Q
specification. The second switch looks only at the inner 802.1Q tag that the threat actor inserted and sees that
the frame is destined the target VLAN. The second switch sends the frame on to the target or floods it,
depending on whether there is an existing MAC address table entry for the target.

A VLAN double-tagging attack is unidirectional and works only when the attacker is connected to a port
residing in the same VLAN as the native VLAN of the trunk port. The idea is that double tagging allows the
attacker to send data to hosts or servers on a VLAN that otherwise would be blocked by some type of access
control configuration. Presumably the return traffic will also be permitted, thus giving the attacker the ability
to communicate with devices on the normally blocked VLAN.

VLAN Attack Mitigation - VLAN hopping and VLAN double-tagging attacks can be prevented by
implementing the following trunk security guidelines:
• Disable trunking on all access ports.
• Disable auto trunking on trunk links so that trunks must be manually enabled.
• Be sure that the native VLAN is only used for trunk links.
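Steps 1 to 3 of the double-tagging attack and the third mitigation guideline can be checked byte by byte. The Python below is an added example, not code from the guide; the MAC addresses, VLAN IDs and payload are constructed. It builds a frame carrying two 802.1Q tags, models the first switch stripping the outer tag because it matches the native VLAN of the trunk, models the second switch classifying the now singly-tagged frame into the inner VLAN, and then shows that the same frame stays in the attacker's VLAN when the native VLAN is one that no access port uses.

```python
# Added example, not from the guide: build a double-tagged 802.1Q frame and
# model the two switch hops in Steps 1-3 above, then show that the attack
# fails when the trunk's native VLAN is one no access port uses.
# MACs, VLAN IDs and payload are constructed.
import struct

TPID_8021Q = 0x8100


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst_mac, src_mac, vlan_ids, ethertype=0x0800, payload=b""):
    """Ethernet frame with one 802.1Q tag per VLAN ID, outermost first.
    Each tag is TPID 0x8100 followed by a 16-bit TCI (PCP/DEI = 0, 12-bit VID)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return _mac(dst_mac) + _mac(src_mac) + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return the list of VLAN IDs carried by the frame, outermost first."""
    vids, off = [], 12
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def first_switch(frame, access_vlan, native_vlan):
    """Attacker's access port is in `access_vlan`; frame leaves on the trunk.
    Frames of the native VLAN go out untagged (Step 2), so the outer tag is
    removed and the attacker's inner tag becomes the only tag."""
    vids = parse_tags(frame)
    if vids and vids[0] != access_vlan:
        return None                     # tag for a foreign VLAN: dropped
    if access_vlan == native_vlan:
        return strip_outer_tag(frame) if vids else frame
    return frame                        # stays tagged; inner tag never exposed


def second_switch(frame_on_trunk, native_vlan):
    """Untagged trunk frames belong to the native VLAN; otherwise the VLAN is
    the one in the outermost tag (Step 3)."""
    if frame_on_trunk is None:
        return None
    vids = parse_tags(frame_on_trunk)
    return vids[0] if vids else native_vlan


def double_tag_attack(attacker_vlan, target_vlan, native_vlan):
    """VLAN in which the second switch delivers the attacker's frame."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                        [attacker_vlan, target_vlan], payload=b"constructed payload")
    return second_switch(first_switch(frame, attacker_vlan, native_vlan), native_vlan)
```

Because the second switch never sees the attacker's outer tag, only the untagged-equals-native rule on the trunk makes the hop possible; moving the native VLAN to an unused ID removes that rule from the attacker's reach.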
DHCP Messages
DHCP servers dynamically provide IP configuration information including IP address, subnet mask, default
gateway, DNS servers, and more to clients. A review of the sequence of the DHCP message exchange
between client and server is shown in the figure.

DHCP Attacks

Two types of DHCP attacks are DHCP starvation and DHCP spoofing. Both attacks are mitigated by
implementing DHCP snooping.
• DHCP Starvation Attack – The goal of this attack is to create a DoS for connecting clients. DHCP
starvation attacks require an attack tool such as Gobbler. Gobbler has the ability to look at the entire scope of
leasable IP addresses and tries to lease them all. Specifically, it creates DHCP discovery messages with bogus
MAC addresses.
• DHCP Spoofing Attack – This occurs when a rogue DHCP server is connected to the network and provides
false IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading
information, including the following:
• Wrong default gateway - The rogue server provides an invalid gateway or the IP
address of its host to create a man-in-the-middle attack. This may go entirely
undetected as the intruder intercepts the data flow through the network.
• Wrong DNS server - The rogue server provides an incorrect DNS server address
pointing the user to a nefarious website.
• Wrong IP address - The rogue server provides an invalid IP address effectively
creating a DoS attack on the DHCP client.
ARP Attacks

• Hosts broadcast ARP Requests to determine the MAC address of a host with a destination IP
address. All hosts on the subnet receive and process the ARP Request. The host with the matching IP
address in the ARP Request sends an ARP Reply.
• A client can send an unsolicited ARP Reply called a “gratuitous ARP”. Other hosts on the subnet
store the MAC address and IP address contained in the gratuitous ARP in their ARP tables.
• An attacker can send a gratuitous ARP message containing a spoofed MAC address to a switch, and
the switch would update its MAC table accordingly. In a typical attack, a threat actor sends
unsolicited ARP Replies to other hosts on the subnet with the MAC Address of the threat actor and
the IP address of the default gateway, effectively setting up a man-in-the-middle attack.
• There are many tools available on the internet to create ARP man-in-the-middle attacks.
• IPv6 uses ICMPv6 Neighbor Discovery Protocol for Layer 2 address resolution instead of ARP. IPv6
includes mechanisms to mitigate Neighbor Advertisement spoofing, the IPv6 counterpart of a spoofed
ARP Reply.
• ARP spoofing and ARP poisoning are mitigated by implementing Dynamic ARP Inspection (DAI).

Address Spoofing Attacks

• IP address spoofing is when a threat actor hijacks a valid IP address of another device on the subnet
or uses a random IP address. IP address spoofing is difficult to mitigate, especially when it is used
inside a subnet in which the IP belongs.
• MAC address spoofing attacks occur when the threat actors alter the MAC address of their host to
match another known MAC address of a target host. The switch overwrites the current MAC table
entry and assigns the MAC address to the new port. It then inadvertently forwards frames destined
for the target host to the attacking host.
• When the target host sends traffic, the switch will correct the error, realigning the MAC address to
the original port. To stop the switch from returning the port assignment to its correct state, the threat
actor can create a program or script that will constantly send frames to the switch so that the switch
maintains the incorrect or spoofed information.
• There is no security mechanism at Layer 2 that allows a switch to verify the source of MAC
addresses, which is what makes it so vulnerable to spoofing.
• IP and MAC address spoofing can be mitigated by implementing IP Source Guard (IPSG).
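DHCP snooping, Dynamic ARP Inspection and IP Source Guard, the mitigations named in the DHCP, ARP and address spoofing passages above, all rest on the same DHCP snooping binding table. The Python model below is an added example, not code from the guide or from any switch vendor; ports, MAC addresses and lease addresses are constructed. It drops DHCP server messages arriving on untrusted ports (rogue DHCP server), checks that the DHCP chaddr matches the frame's source MAC and rate-limits DHCP on untrusted ports (Gobbler-style starvation), records leases as (IP, MAC, port) bindings, and then has DAI and IPSG reject ARP replies and IP packets whose source does not match a binding on the receiving port.

```python
# Added example, not from the guide: one model of the mitigations in the
# table above that share the DHCP snooping binding table. DHCP snooping
# drops server messages arriving on untrusted ports, checks that the DHCP
# chaddr matches the frame's source MAC, rate-limits DHCP on untrusted
# ports, and records leases (IP, MAC, port); DAI and IPSG then check ARP
# replies and IP packets against those bindings. Everything is constructed.


class SnoopingSwitch:
    SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports, rate_limit=5):
        self.trusted = set(trusted_ports)     # uplinks towards the real server
        self.rate_limit = rate_limit          # DHCP messages/s per untrusted port
        self.dhcp_count = {}                  # port -> messages this second
        self.pending = {}                     # client MAC -> untrusted port
        self.bindings = {}                    # (ip, mac) -> port

    def new_second(self):
        self.dhcp_count.clear()

    # ---- DHCP snooping ---------------------------------------------------
    def dhcp(self, port, msg_type, chaddr, src_mac, yiaddr=None):
        if port in self.trusted:
            # Server replies are accepted; an ACK creates the binding on the
            # port where the client's request was seen.
            if msg_type == "ACK" and yiaddr and chaddr in self.pending:
                self.bindings[(yiaddr, chaddr)] = self.pending.pop(chaddr)
            return "forward"
        if msg_type in self.SERVER_MESSAGES:
            return "drop: server message on untrusted port (rogue DHCP server)"
        if chaddr != src_mac:
            return "drop: chaddr does not match frame source MAC"
        self.dhcp_count[port] = self.dhcp_count.get(port, 0) + 1
        if self.dhcp_count[port] > self.rate_limit:
            return "drop: DHCP rate limit exceeded (starvation)"
        self.pending[chaddr] = port
        return "forward"

    # ---- Dynamic ARP Inspection ------------------------------------------
    def arp_reply(self, port, sender_ip, sender_mac):
        """Applies to solicited and gratuitous ARP replies alike."""
        if port in self.trusted or self.bindings.get((sender_ip, sender_mac)) == port:
            return "forward"
        return "drop: ARP sender IP/MAC not bound to this port"

    # ---- IP Source Guard -------------------------------------------------
    def ip_packet(self, port, src_ip, src_mac):
        if port in self.trusted or self.bindings.get((src_ip, src_mac)) == port:
            return "forward"
        return "drop: source IP/MAC not bound to this port"
```

The order of checks mirrors why each feature exists: the chaddr check stops the naive starvation tool, the rate limit stops one that also randomises the frame source MAC, and the binding lookups mean an attacker cannot claim the gateway's IP in a gratuitous ARP or borrow a neighbour's IP/MAC pair from a different port.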
STP Attack

• Network attackers can manipulate the Spanning Tree Protocol (STP) to conduct an attack by
spoofing the root bridge and changing the topology of a network. Attackers can then capture all
traffic for the immediate switched domain.
• To conduct an STP manipulation attack, the attacking host broadcasts STP bridge protocol data units
(BPDUs) containing configuration and topology changes that will force spanning-tree recalculations.
The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as
the root bridge.
• This STP attack is mitigated by implementing BPDU Guard on all access ports. BPDU Guard is
discussed in more detail later in the course.

CDP Reconnaissance

The Cisco Discovery Protocol (CDP) is a proprietary Layer 2 link discovery protocol. It is enabled on all
Cisco devices by default. Network administrators also use CDP to help configure and troubleshoot network
devices. CDP information is sent out CDP-enabled ports in periodic, unencrypted, unauthenticated
multicast frames that any device on the segment can read. CDP information includes the IP address of the
device, IOS software version, platform, capabilities, and the native VLAN. The device receiving the CDP
message updates its CDP database.
To mitigate the exploitation of CDP, limit the use of CDP on devices or ports. For example, disable CDP on
edge ports that connect to untrusted devices.
• To disable CDP globally on a device, use the no cdp run global configuration mode command. To
enable CDP globally, use the cdp run global configuration command.
• To disable CDP on a port, use the no cdp enable interface configuration command. To enable CDP
on a port, use the cdp enable interface configuration command.
Note: Link Layer Discovery Protocol (LLDP) is also vulnerable to reconnaissance attacks. Configure no lldp run to
disable LLDP globally. To disable LLDP on the interface, configure no lldp transmit and no lldp receive.
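The following configuration is added here as an example of the hardening described above; it is not taken from the course material, and the interface numbers are assumed. Discovery protocols are turned off on the user-facing ports and left enabled on the uplink, so the administrator keeps CDP/LLDP for troubleshooting between infrastructure devices while untrusted hosts receive no device details.

```cisco
! Added example (not from the course). Interface numbers are assumed.
! Access ports: untrusted hosts, so stop CDP and LLDP on them.
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# no cdp enable
Switch(config-if-range)# no lldp transmit
Switch(config-if-range)# no lldp receive
Switch(config-if-range)# exit
! Uplink to another switch: discovery stays on (this is the default, shown for clarity).
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# cdp enable
Switch(config-if)# lldp transmit
Switch(config-if)# lldp receive
Switch(config-if)# end
! Verify: only the uplink should be listed as CDP-enabled and only the
! neighbouring infrastructure devices should appear in the neighbor tables.
Switch# show cdp interface
Switch# show cdp neighbors
Switch# show lldp neighbors
```

If discovery is not needed at all on the switch, the global no cdp run and no lldp run commands from the text replace the per-port work; the per-port form is used here because uplinks often still depend on CDP (for example, for native VLAN mismatch warnings).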
Switch Security Configuration

Implement Port Security

Secure Unused Ports


Layer 2 attacks are some of the easiest for hackers to deploy but these threats can also be mitigated with
some common Layer 2 solutions.
• All switch ports (interfaces) should be secured before the switch is deployed for production use. How a port is
secured depends on its function.
• A simple method that many administrators use to help secure the network from unauthorized access is to
disable all unused ports on a switch. Navigate to each unused port and issue the Cisco
IOS shutdown command. If a port must be reactivated at a later time, it can be enabled with the no
shutdown command.
• To configure a range of ports, use the interface range command.

Switch(config)# interface range type module/first-number – last-number

Mitigate MAC Address Table Attacks


The simplest and most effective method to prevent MAC address table overflow attacks is to enable port
security.
• Port security limits the number of valid MAC addresses allowed on a port. It allows an administrator to
manually configure MAC addresses for a port or to permit the switch to dynamically learn a limited number
of MAC addresses. When a port configured with port security receives a frame, the source MAC address of
the frame is compared to the list of secure source MAC addresses that were manually configured or
dynamically learned on the port.
• By limiting the number of permitted MAC addresses on a port to one, port security can be used to control
unauthorized access to the network.

Enable Port Security

Port security is enabled with the switchport port-security interface configuration command.
Notice in the example, the switchport port-security command was rejected. This is because port security
can only be configured on manually configured access ports or manually configured trunk ports. By default,
Layer 2 switch ports are set to dynamic auto (trunking on). Therefore, in the example, the port is configured
with the switchport mode access interface configuration command.
Note: Trunk port security is beyond the scope of this course.
Use the show port-security interface command to display the current port security settings for FastEthernet
0/1.
• Notice how port security is enabled, the violation mode is shutdown, and how the maximum number of
MAC addresses is 1.
• If a device is connected to the port, the switch will automatically add the device’s MAC address as a
secure MAC. In this example, no device is connected to the port.
Note: If an active port is configured with the switchport port-security command and more than one device is
connected to that port, the port will transition to the error-disabled state.

After port security is enabled, other port security specifics can be configured, as shown in the example.

Limit and Learn MAC Addresses

To set the maximum number of MAC addresses allowed on a port, use the following command:

Switch(config-if)# switchport port-security maximum value

• The default port security value is 1.
• The maximum number of secure MAC addresses that can be configured depends on the switch and the IOS.
• In this example, the maximum is 8192.

The switch can be configured to learn about MAC addresses on a secure port in one of three ways:
1. Manually Configured: The administrator manually configures a static MAC address(es) by using the following
command for each secure MAC address on the port:

Switch(config-if)# switchport port-security mac-address mac-address

2. Dynamically Learned: When the switchport port-security command is entered, the current source MAC for the
device connected to the port is automatically secured but is not added to the running configuration. If the switch is
rebooted, the port will have to re-learn the device’s MAC address.
3. Dynamically Learned – Sticky: The administrator can enable the switch to dynamically learn the MAC address
and “stick” them to the running configuration by using the following command:
Switch(config-if)# switchport port-security mac-address sticky

Saving the running configuration will commit the dynamically learned MAC address to NVRAM.
The example demonstrates a complete port security configuration for FastEthernet 0/1.
• The administrator specifies a maximum of 4 MAC addresses, manually configures one secure MAC address,
and then configures the port to dynamically learn additional secure MAC addresses up to the 4 secure MAC
address maximum.
• Use the show port-security interface and the show port-security address commands to verify the
configuration.

Port Security Aging

Port security aging can be used to set the aging time for static and dynamic secure addresses on a port and
two types of aging are supported per port:
• Absolute - The secure addresses on the port are deleted after the specified aging time.
• Inactivity - The secure addresses on the port are deleted if they are inactive for a specified time.

Use aging to remove secure MAC addresses on a secure port without manually deleting the existing secure
MAC addresses.
• Aging of statically configured secure addresses can be enabled or disabled on a per-port basis.

Use the switchport port-security aging command to enable or disable static aging for the secure port, or to
set the aging time or type.
Switch(config-if)# switchport port-security aging {static | time time | type {absolute
| inactivity}}

The example shows an administrator configuring the aging type to 10 minutes of inactivity.
Use the show port-security interface command to verify the configuration and confirm the changes.
Port Security Violation Modes

If the MAC address of a device attached to a port differs from the list of secure addresses, then a port
violation occurs and the port enters the error-disabled state.
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

Mode – Description

shutdown (default) – The port transitions to the error-disabled state immediately, turns off the port LED, and
sends a syslog message. It increments the violation counter. When a secure port is in the error-disabled state,
an administrator must re-enable it by entering the shutdown and no shutdown commands.

restrict – The port drops packets with unknown source addresses until you remove a sufficient number of
secure MAC addresses to drop below the maximum value or increase the maximum value. This mode causes the
Security Violation counter to increment and generates a syslog message.

protect – This is the least secure of the security violation modes. The port drops packets with unknown MAC
source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum
value or increase the maximum value. No syslog message is sent.

The example shows an administrator changing the security violation mode to “Restrict”.
The output of the show port-security interface command confirms that the change has been made.

Ports in error-disabled State

When a port is shutdown and placed in the error-disabled state, no traffic is sent or received on that port.
A series of port security related messages display on the console, as shown in the following example.
Note: The port protocol and link status are changed to down and the port LED is turned off.
• In the example, the show interface command identifies the port status as err-disabled. The output of the
show port-security interface command now shows the port status as secure-shutdown. The Security Violation
counter increments by 1.
• The administrator should determine what caused the security violation. If an unauthorized device is
connected to a secure port, the security threat is eliminated before re-enabling the port.
• To re-enable the port, first use the shutdown command, then use the no shutdown command.
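The following configuration pulls the port security topics above (enabling port security, limiting and learning MAC addresses, aging, violation modes, and recovery from the error-disabled state) into one working example for FastEthernet 0/1. It is added here and is not the course's own configuration; the interface numbers and the MAC address 0050.56aa.bb01 are assumed for illustration.

```cisco
! Added example (not from the course). Interface numbers and the MAC address are assumed.
! The port must be a static access port first; a dynamic auto port rejects port-security.
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Allow up to 4 secure MACs: one configured statically, the rest learned as sticky.
Switch(config-if)# switchport port-security maximum 4
Switch(config-if)# switchport port-security mac-address 0050.56aa.bb01
Switch(config-if)# switchport port-security mac-address sticky
! Age out dynamically learned addresses after 10 minutes without traffic.
Switch(config-if)# switchport port-security aging time 10
Switch(config-if)# switchport port-security aging type inactivity
! restrict keeps the port up, drops the offending frames and still logs the violation.
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# end
! Sticky addresses live in running-config only until the configuration is saved.
Switch# copy running-config startup-config
! Verify the settings and the secure address table.
Switch# show port-security interface FastEthernet0/1
Switch# show port-security address
! Recovery if a port had been left in shutdown mode and was err-disabled by a violation:
Switch# show interfaces FastEthernet0/1 status
Switch(config)# interface FastEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
```

The restrict mode is chosen in this example so that a violation produces a syslog message and a counter increment without taking the port down; if the policy requires the port to be isolated until an administrator has looked at it, keep the default shutdown mode and use the shutdown / no shutdown sequence at the end to bring it back.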

Mitigate VLAN Attacks

VLAN Attacks Review

A VLAN hopping attack can be launched in one of three ways:


• Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode. From here, the
attacker can send traffic tagged with the target VLAN, and the switch then delivers the packets to the
destination.
• Introducing a rogue switch and enabling trunking. The attacker can then access all the VLANs on the victim
switch from the rogue switch.
• Another type of VLAN hopping attack is a double-tagging (or double-encapsulated) attack. This attack takes
advantage of the way hardware on most switches operates.

Steps to Mitigate VLAN Hopping Attacks

Use the following steps to mitigate VLAN hopping attacks:


Step 1: Disable DTP (auto trunking) negotiations on non-trunking ports by using the switchport mode access
interface configuration command.
Step 2: Disable unused ports and put them in an unused VLAN.
Step 3: Manually enable the trunk link on a trunking port by using the switchport mode trunk command.
Step 4: Disable DTP (auto trunking) negotiations on trunking ports by using the switchport nonegotiate
command.
Step 5: Set the native VLAN to a VLAN other than VLAN 1 by using the switchport trunk native vlan
vlan_number command.
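The five steps above, together with the Secure Unused Ports guidance earlier in the chapter, are shown here as one complete switch configuration. This is an added example rather than the course's own configuration; the interface numbers and the VLAN numbers (10 for users, 99 as the native VLAN, 999 as the parking VLAN for unused ports) are assumed.

```cisco
! Added example (not from the course). Interface and VLAN numbers are assumed.
Switch(config)# vlan 99
Switch(config-vlan)# name NATIVE
Switch(config-vlan)# vlan 999
Switch(config-vlan)# name UNUSED
Switch(config-vlan)# exit
! Step 1: user ports are static access ports, so DTP never negotiates a trunk on them.
Switch(config)# interface range FastEthernet0/1 - 8
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# exit
! Step 2: unused ports are shut down and parked in an unused VLAN.
Switch(config)# interface range FastEthernet0/9 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 999
Switch(config-if-range)# shutdown
Switch(config-if-range)# exit
! Steps 3 to 5: the uplink is a static trunk, DTP is off, and the native VLAN is not VLAN 1.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# end
! Verify: "Negotiation of Trunking: Off" and "Trunking Native Mode VLAN: 99" on the uplink,
! and the access ports should show "Administrative Mode: static access".
Switch# show interfaces GigabitEthernet0/1 switchport
Switch# show interfaces FastEthernet0/1 switchport
Switch# show interfaces trunk
```

The native VLAN must be set to the same value on both ends of the trunk; a mismatch is reported by CDP on the console and leaves untagged frames leaking between VLANs, which is the condition the double-tagging attack relies on.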
Mitigate DHCP Attacks

DHCP Attack Review

The goal of a DHCP starvation attack is to use an attack tool such as Gobbler to create a Denial of Service
(DoS) for connecting clients.
Recall that DHCP starvation attacks can be effectively mitigated by using port security because Gobbler
uses a unique source MAC address for each DHCP request sent. However, mitigating DHCP spoofing
attacks requires more protection.
Gobbler could be configured to use the actual interface MAC address as the source Ethernet address, but
specify a different Ethernet address in the DHCP payload. This would render port security ineffective
because the source MAC address would be legitimate.
DHCP spoofing attacks can be mitigated by using DHCP snooping on trusted ports.

DHCP Snooping

DHCP snooping filters DHCP messages and rate-limits DHCP traffic on untrusted ports.
• Devices under administrative control (e.g., switches, routers, and servers) are trusted sources.
• Trusted interfaces (e.g., trunk links, server ports) must be explicitly configured as trusted.
• Devices outside the network and all access ports are generally treated as untrusted sources.

A DHCP table is built that includes the source MAC address of a device on an untrusted port and the IP
address assigned by the DHCP server to that device.
• The MAC address and IP address are bound together.
• Therefore, this table is called the DHCP snooping binding table.

Steps to Implement DHCP Snooping

Use the following steps to enable DHCP snooping:


Step 1: Enable DHCP snooping by using the ip dhcp snooping global configuration command.
Step 2: On trusted ports, use the ip dhcp snooping trust interface configuration command.
Step 3: On untrusted interfaces, limit the number of DHCP discovery messages that can be received using the
ip dhcp snooping limit rate packets-per-second interface configuration command.
Step 4: Enable DHCP snooping by VLAN, or by a range of VLANs, by using the ip dhcp snooping vlan global
configuration command.
DHCP Snooping Configuration Example

Refer to the DHCP snooping sample topology with trusted and untrusted ports.
• DHCP snooping is first enabled on S1.
• The upstream interface to the DHCP server is explicitly trusted.
• F0/5 to F0/24 are untrusted and are, therefore, rate limited to six packets per second.
• Finally, DHCP snooping is enabled on VLANs 5, 10, 50, 51, and 52.

Use the show ip dhcp snooping privileged EXEC command to verify DHCP snooping settings.
Use the show ip dhcp snooping binding command to view the clients that have received DHCP
information.
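The configuration below is an added example that follows the scenario described above on S1; it is not the course's own configuration, and the uplink interface name (GigabitEthernet0/1) is assumed since the text does not give it.

```cisco
! Added example (not from the course). The uplink interface name is assumed.
S1(config)# ip dhcp snooping
! Only the port towards the DHCP server may carry server replies (OFFER/ACK).
S1(config)# interface GigabitEthernet0/1
S1(config-if)# description Uplink to DHCP server
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Access ports stay untrusted; cap client DHCP messages at 6 per second (starvation protection).
S1(config)# interface range FastEthernet0/5 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# exit
! Snooping is active only on the listed VLANs.
S1(config)# ip dhcp snooping vlan 5,10,50-52
! Many DHCP servers discard requests carrying option 82 from a non-relay; this keeps the
! switch from inserting it. Leave option 82 on only if the server expects it.
S1(config)# no ip dhcp snooping information option
S1(config)# end
! Verify the trusted/untrusted state and rate limits, then the MAC-to-IP bindings learned
! from completed DHCP exchanges.
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
```

A client that never completes a DHCP exchange (a statically addressed host, for example) has no entry in the binding table; with DAI enabled on the same VLAN, its ARP packets are dropped unless an ARP ACL is configured for it, so the binding table should be checked before DAI is turned on.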
Note: DHCP snooping is also required by Dynamic ARP Inspection (DAI).
Mitigate ARP Attacks

Dynamic ARP Inspection

In a typical ARP attack, a threat actor can send unsolicited ARP replies to other hosts on the subnet with the
MAC Address of the threat actor and the IP address of the default gateway. To prevent ARP spoofing and
the resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed.
Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by:
• Not relaying invalid or gratuitous ARP Replies out to other ports in the same VLAN.
• Intercepting all ARP Requests and Replies on untrusted ports.
• Verifying each intercepted packet for a valid IP-to-MAC binding.
• Dropping and logging ARP Replies coming from invalid bindings to prevent ARP poisoning.
• Error-disabling the interface if the configured DAI number of ARP packets is exceeded.

DAI Implementation Guidelines


To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:
• Enable DHCP snooping globally.
• Enable DHCP snooping on selected VLANs.
• Enable DAI on selected VLANs.
• Configure trusted interfaces for DHCP snooping and ARP inspection.
It is generally advisable to configure all access switch ports as untrusted and to configure all uplink ports that
are connected to other switches as trusted.

DAI Configuration Example


In the previous topology, S1 is connecting two users on VLAN 10.
• DAI will be configured to mitigate against ARP spoofing and ARP poisoning attacks.
• DHCP snooping is enabled because DAI requires the DHCP snooping binding table to operate.
• Next, DHCP snooping and ARP inspection are enabled for the PCs on VLAN 10.
• The uplink port to the router is trusted, and therefore, is configured as trusted for DHCP snooping and ARP
inspection.
DAI can also be configured to check for both destination or source MAC and IP addresses:
• Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC
address in the ARP body.
• Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in
the ARP body.
• IP address - Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0,
255.255.255.255, and all IP multicast addresses.

The ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command is used to
configure DAI to drop ARP packets when the IP addresses are invalid.
• It can be used when the MAC addresses in the body of the ARP packets do not match the addresses that are
specified in the Ethernet header.
• Notice in the following example how only one command can be configured. Therefore, entering multiple
ip arp inspection validate commands overwrites the previous command.
• To include more than one validation method, enter them on the same command line as shown in the output.
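The DAI configuration for S1 described in this section, with all three validation checks on one line, is shown below as an added example; it is not the course's own configuration. The uplink interface name (GigabitEthernet0/1) is assumed, and the DHCP snooping prerequisite is repeated so that the block stands on its own.

```cisco
! Added example (not from the course). The uplink interface name is assumed.
! Prerequisite: DAI reads the DHCP snooping binding table for VLAN 10.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
! Enable ARP inspection on the same VLAN.
S1(config)# ip arp inspection vlan 10
! The uplink to the router is trusted for both features; all access ports stay untrusted.
S1(config)# interface GigabitEthernet0/1
S1(config-if)# description Uplink to router
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust
S1(config-if)# exit
! One validate command only: a second "ip arp inspection validate" line would replace this one,
! so all wanted checks go on the same line.
S1(config)# ip arp inspection validate src-mac dst-mac ip
! Untrusted ports that exceed the ARP rate limit are err-disabled; let them recover on their own.
S1(config)# errdisable recovery cause arp-inspection
S1(config)# end
! Verify the per-VLAN state and validation settings, the trust state per interface,
! and the drop counters that indicate spoofed ARP traffic on the VLAN.
S1# show ip arp inspection vlan 10
S1# show ip arp inspection interfaces
S1# show ip arp inspection statistics vlan 10
S1# show errdisable recovery
```

The statistics output is the place to watch after enabling DAI: forwarded packets should dominate, and a rising count of dropped packets on a single access port points either at a spoofing host or at a legitimate statically addressed device that is missing from the binding table.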

Mitigate STP Attacks

PortFast and BPDU Guard


Recall that network attackers can manipulate the Spanning Tree Protocol (STP) to conduct an attack by
spoofing the root bridge and changing the topology of a network.
To mitigate STP attacks, use PortFast and Bridge Protocol Data Unit (BPDU) Guard:
PortFast
• PortFast immediately brings a port to the forwarding state from a blocking state, bypassing the
listening and learning states.
• Apply to all end-user access ports.

BPDU Guard
• BPDU guard immediately error-disables a port that receives a BPDU.
• Like PortFast, BPDU guard should only be configured on interfaces attached to end devices.
Configure PortFast

PortFast bypasses the STP listening and learning states to minimize the time that access ports must wait for
STP to converge.
• Only enable PortFast on access ports.
• PortFast on inter-switch links can create a spanning-tree loop.

PortFast can be enabled:
• On an interface – Use the spanning-tree portfast interface configuration command.
• Globally – Use the spanning-tree portfast default global configuration command to enable PortFast on all
access ports.

To verify whether PortFast is enabled globally you can use either the:
• show running-config | begin span command
• show spanning-tree summary command

To verify if PortFast is enabled on an interface, use the show running-config interface type/number command.
The show spanning-tree interface type/number detail command can also be used for verification.

Configure BPDU Guard

An access port could receive an unexpected BPDU accidentally or because a user connected an
unauthorized switch to the access port.
• If a BPDU is received on a BPDU Guard enabled access port, the port is put into error-disabled state.
• This means the port is shut down and must be manually re-enabled or automatically recovered through the
errdisable recovery cause psecure_violation global command.

BPDU Guard can be enabled:
• On an interface – Use the spanning-tree bpduguard enable interface configuration command.
• Globally – Use the spanning-tree portfast bpduguard default global configuration command to enable
BPDU Guard on all access ports.
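The PortFast and BPDU Guard configuration from this section is collected below, both in the per-interface form and in the global form, as an added example that is not the course's own configuration. The interface numbers are assumed. For automatic recovery the block uses the errdisable recovery cause bpduguard keyword, which is the cause IOS records for a BPDU Guard violation (psecure_violation is the cause recorded for a port security violation).

```cisco
! Added example (not from the course). Interface numbers are assumed.
! Per-interface form on the user-facing access ports.
Switch(config)# interface range FastEthernet0/1 - 8
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# spanning-tree portfast
Switch(config-if-range)# spanning-tree bpduguard enable
Switch(config-if-range)# exit
! Global form: applies to every port that is in access mode, never to trunks/uplinks.
Switch(config)# spanning-tree portfast default
Switch(config)# spanning-tree portfast bpduguard default
! A port err-disabled by BPDU Guard comes back after the recovery interval (300 s by default)
! instead of waiting for a manual shutdown / no shutdown.
Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verify: global PortFast/BPDU Guard state, the per-port state, and which ports are
! currently err-disabled and why.
Switch# show spanning-tree summary
Switch# show spanning-tree interface FastEthernet0/1 detail
Switch# show errdisable recovery
Switch# show interfaces status err-disabled
```

Automatic recovery is a convenience, not a fix: if an unauthorized switch is still attached, the port will simply be err-disabled again at the next BPDU, and the repeated syslog messages are the signal to go and find the device.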
WLAN

Benefits of Wireless

• A Wireless LAN (WLAN) is a type of wireless network that is commonly used in homes, offices, and
campus environments.
• WLANs make mobility possible within the home and business environments.
• Wireless infrastructures adapt to rapidly changing needs and technologies.

Types of Wireless Networks


• Wireless Personal-Area Network (WPAN) – Low power and short-range (20-30ft or 6-9 meters). Based on
IEEE 802.15 standard and 2.4 GHz frequency. Bluetooth and Zigbee are WPAN examples.
• Wireless LAN (WLAN) – Medium sized networks up to about 300 feet. Based on IEEE 802.11 standard and
2.4 or 5.0 GHz frequency.
• Wireless MAN (WMAN) – Large geographic area such as city or district. Uses specific licensed frequencies.
• Wireless WAN (WWAN) – Extensive geographic area for national or global communication. Uses specific
licensed frequencies.

Wireless Technologies

Bluetooth – IEEE WPAN standard used for device pairing at up to 300ft (100m) distance.
• Bluetooth Low Energy (BLE) – Supports mesh topology for large-scale network devices.
• Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) – Supports point-to-point topologies and is optimized
for audio streaming.

WiMAX (Worldwide Interoperability for Microwave Access) – Alternative to wired broadband internet
connections. IEEE 802.16 standard for up to 30 miles (50 km).

Cellular Broadband – Carries both voice and data. Used by phones, automobiles, tablets, and laptops.
• Global System for Mobile Communications (GSM) – Internationally recognized
• Code Division Multiple Access (CDMA) – Primarily used in the US.

Satellite Broadband – Uses a directional satellite dish aligned with a satellite in geostationary orbit. Needs a
clear line of sight. Typically used in rural locations where cable and DSL are unavailable.

802.11 Standards
802.11 WLAN standards define how radio frequencies are used for wireless links.

IEEE Standard – Radio Frequency – Description
802.11 – 2.4 GHz – Data rates up to 2 Mb/s
802.11a – 5 GHz – Data rates up to 54 Mb/s. Not interoperable with 802.11b or 802.11g.
802.11b – 2.4 GHz – Data rates up to 11 Mb/s. Longer range than 802.11a and better able to penetrate
building structures.
802.11g – 2.4 GHz – Data rates up to 54 Mb/s. Backward compatible with 802.11b.
802.11n – 2.4 and 5 GHz – Data rates 150 – 600 Mb/s. Requires multiple antennas with MIMO technology.
802.11ac – 5 GHz – Data rates 450 Mb/s – 1.3 Gb/s. Supports up to eight antennas.
802.11ax – 2.4 and 5 GHz – High-Efficiency Wireless (HEW). Capable of using 1 GHz and 7 GHz frequencies.

Radio Frequencies
All wireless devices operate in the range of the electromagnetic spectrum. WLAN networks operate in the
2.4 and 5 GHz frequency bands.
• 2.4 GHz (UHF) – 802.11b/g/n/ax
• 5 GHz (SHF) – 802.11a/n/ac/ax
Wireless Standards Organizations

Standards ensure interoperability between devices that are made by different manufacturers. Internationally,
the three organizations influencing WLAN standards are:
• International Telecommunication Union (ITU) – Regulates the allocation of radio spectrum and
satellite orbits.
• Institute of Electrical and Electronics Engineers (IEEE) – Specifies how a radio frequency is
modulated to carry information. Maintains the standards for local and metropolitan area networks
(MAN) with the IEEE 802 LAN/MAN family of standards.
• Wi-Fi Alliance – Promotes the growth and acceptance of WLANs. It is an association of vendors
whose objective is to improve the interoperability of products that are based on the 802.11 standard.

WLAN Components

Wireless NICs
To communicate wirelessly, laptops, tablets, smart phones, and even the
latest automobiles include integrated wireless NICs that incorporate a radio
transmitter/receiver.
If a device does not have an integrated wireless NIC, then a USB wireless
adapter can be used.

Wireless Home Router


A home user typically interconnects wireless devices using a small, wireless router.
Wireless routers serve as the following:
• Access point – To provide wireless access
• Switch – To interconnect wired devices
• Router - To provide a default gateway to other networks and the Internet

Wireless Access Point


Wireless clients use their wireless NIC to discover nearby access points (APs).
Clients then attempt to associate and authenticate with an AP.
After being authenticated, wireless users have access to network resources.

Cisco Meraki Go access points


AP Categories
APs can be categorized as either autonomous APs or controller-based APs.
• Autonomous APs – Standalone devices configured through a command line interface or GUI. Each
autonomous AP acts independently of the others and is configured and managed manually by an administrator.
• Controller-based APs – Also known as lightweight APs (LAPs). Use Lightweight Access Point Protocol
(LWAPP) to communicate with a WLAN controller (WLC). Each LAP is automatically configured and
managed by the WLC.

Wireless Antennas

Types of external antennas:
• Omnidirectional – Provide 360-degree coverage. Ideal in houses and office areas.
• Directional – Focus the radio signal in a specific direction. Examples are the Yagi and parabolic dish.
• Multiple Input Multiple Output (MIMO) – Uses multiple antennas (up to eight) to increase bandwidth.

802.11 Wireless Topology Modes


Ad hoc mode - Used to connect clients in a peer-to-peer manner without an AP.

Infrastructure mode - Used to connect clients to the network using an AP.

Tethering - A variation of the ad hoc topology in which a smart phone or tablet with cellular data access is
enabled to create a personal hotspot.
BSS and ESS
Infrastructure mode defines two topology blocks:
Basic Service Set (BSS)
• Uses a single AP to interconnect all associated wireless clients.
• Clients in different BSSs cannot communicate.

Extended Service Set (ESS)
• A union of two or more BSSs interconnected by a wired distribution system.
• Clients in each BSS can communicate through the ESS.

802.11 Frame Structure

The 802.11 frame format is similar to the Ethernet frame format, except that it contains more fields.

CSMA/CA

WLANs are half-duplex and a client cannot “hear” while it is sending, making it impossible to detect a
collision.
WLANs use carrier sense multiple access with collision avoidance (CSMA/CA) to determine how and when
to send data. A wireless client does the following:
1. Listens to the channel to see if it is idle, i.e. no other traffic is currently on the channel.
2. Sends a ready to send (RTS) message to the AP to request dedicated access to the network.
3. Receives a clear to send (CTS) message from the AP granting access to send.
4. Waits a random amount of time before restarting the process if no CTS message is received.
5. Transmits the data.
6. Acknowledges all transmissions. If a wireless client does not receive an acknowledgment, it assumes
a collision occurred and restarts the process.
Wireless Client and AP Association

For wireless devices to communicate over a network, they must first associate with an AP or wireless router.
Wireless devices complete the following three-stage process:
• Discover a wireless AP
• Authenticate with the AP
• Associate with the AP

To achieve successful association, a wireless client and an AP must agree on specific parameters:
• SSID – The client needs to know the name of the network to connect.
• Password – This is required for the client to authenticate to the AP.
• Network mode – The 802.11 standard in use.
• Security mode – The security parameter settings, i.e. WEP, WPA, or WPA2.
• Channel settings – The frequency bands in use.

Passive and Active Discovery Mode

Wireless clients connect to the AP using a passive or active scanning (probing) process.
• Passive mode – AP openly advertises its service by periodically sending broadcast beacon frames
containing the SSID, supported standards, and security settings.
• Active mode – Wireless clients must know the name of the SSID. The wireless client initiates the
process by broadcasting a probe request frame on multiple channels.

CAPWAP Operation

Introduction to CAPWAP
• CAPWAP is an IEEE standard protocol that enables a WLC to manage multiple APs and WLANs.
• Based on LWAPP but adds additional security with Datagram Transport Layer Security (DTLS).
• Encapsulates and forwards WLAN client traffic between an AP and a WLC over tunnels using UDP
ports 5246 and 5247.
• Operates over both IPv4 and IPv6. IPv4 uses IP protocol 17 and IPv6 uses IP protocol 136.

Split MAC Architecture

The CAPWAP split MAC concept does all the functions normally performed by individual APs and distributes
them between two functional components:
AP MAC Functions
• Beacons and probe responses
• Packet acknowledgements and retransmissions
• Frame queueing and packet prioritization
• MAC layer data encryption and decryption
WLC MAC Functions
• Authentication
• Association and re-association of roaming clients
• Frame translation to other protocols
• Termination of 802.11 traffic on a wired interface

DTLS Encryption

• DTLS provides security between the AP and the WLC.
• It is enabled by default to secure the CAPWAP control channel and encrypt all management and control
traffic between AP and WLC.
• Data encryption is disabled by default and requires a DTLS license to be installed on the WLC before it
can be enabled on the AP.
FlexConnect APs

FlexConnect enables the configuration and control of APs over a WAN link.
There are two modes of operation for the FlexConnect AP:
• Connected mode – The WLC is reachable. The FlexConnect AP has CAPWAP connectivity with the WLC
through the CAPWAP tunnel. The WLC performs all CAPWAP functions.
• Standalone mode – The WLC is unreachable. The FlexConnect AP has lost CAPWAP connectivity with the
WLC. The FlexConnect AP can assume some of the WLC functions such as switching client data traffic
locally and performing client authentication locally.

Channel Management

Frequency Channel Saturation

If the demand for a specific wireless channel is too high, the channel may become oversaturated, degrading
the quality of the communication.
Channel saturation can be mitigated using techniques that use the channels more efficiently.
• Direct-Sequence Spread Spectrum (DSSS) - A modulation technique designed to spread a signal over a
larger frequency band. Used by 802.11b devices to avoid interference from other devices using the same 2.4
GHz frequency.
• Frequency-Hopping Spread Spectrum (FHSS) - Transmits radio signals by rapidly switching a carrier
signal among many frequency channels. Sender and receiver must be synchronized to “know” which channel
to jump to. Used by the original 802.11 standard.
• Orthogonal Frequency-Division Multiplexing (OFDM) - A subset of frequency division multiplexing in
which a single channel uses multiple sub-channels on adjacent frequencies. OFDM is used by a number of
communication systems including 802.11a/g/n/ac.

Channel Selection
• The 2.4 GHz band is subdivided into multiple channels each allotted 22 MHz bandwidth and separated
from the next channel by 5 MHz.
• A best practice for 802.11b/g/n WLANs requiring multiple APs is to use non-overlapping channels such
as 1, 6, and 11.
• For the 5GHz standards 802.11a/n/ac, there are 24 channels. Each channel is separated from the next
channel by 20 MHz.
• Non-overlapping channels are 36, 48, and 60.

Plan a WLAN Deployment


The number of users supported by a WLAN depends on the following:
• The geographical layout of the facility
• The number of bodies and devices that can fit in a space
• The data rates users expect
• The use of non-overlapping channels by multiple APs and transmit power settings

When planning the location of APs, the approximate circular coverage area is important.

WLAN Threats

Wireless Security Overview

A WLAN is open to anyone within range of an AP with the appropriate credentials to associate to it.
Attacks can be generated by outsiders, disgruntled employees, and even unintentionally by employees.
Wireless networks are specifically susceptible to several threats, including the following:
• Interception of data
• Wireless intruders
• Denial of Service (DoS) Attacks
• Rogue APs

DoS Attacks

Wireless DoS attacks can be the result of the following:
• Improperly configured devices
• A malicious user intentionally interfering with the wireless communication
• Accidental interference
To minimize the risk of a DoS attack due to improperly configured devices and malicious attacks, harden all
devices, keep passwords secure, create backups, and ensure that all configuration changes are incorporated
off-hours.
Rogue Access Points

• A rogue AP is an AP or wireless router that has been connected to a corporate network without
explicit authorization and against corporate policy.
• Once connected, the rogue AP can be used by an attacker to capture MAC addresses, capture data
packets, gain access to network resources, or launch a man-in-the-middle attack.
• A personal network hotspot could also be used as a rogue AP. For example, a user with secure
network access enables their authorized Windows host to become a Wi-Fi AP.
• To prevent the installation of rogue APs, organizations must configure WLCs with rogue AP policies
and use monitoring software to actively monitor the radio spectrum for unauthorized APs.

Man-in-the-Middle Attack

In a man-in-the-middle (MITM) attack, the hacker is positioned in between two legitimate entities in order
to read or modify the data that passes between the two parties. A popular wireless MITM attack is called the
“evil twin AP” attack, where an attacker introduces a rogue AP and configures it with the same SSID as a
legitimate AP.
Defeating a MITM attack begins with identifying legitimate devices on the WLAN. To do this, users must
be authenticated. After all of the legitimate devices are known, the network can be monitored for abnormal
devices or traffic.

Secure WLANs

SSID Cloaking and MAC Address Filtering

To address the threats of keeping wireless intruders out and protecting data, two early security features were
used and are still available on most routers and APs:
SSID Cloaking
• APs and some wireless routers allow the SSID beacon frame to be disabled. Wireless clients must be
manually configured with the SSID to connect to the network.

MAC Address Filtering
• An administrator can manually permit or deny clients wireless access based on their physical MAC hardware
address. In the figure, the router is configured to permit two MAC addresses. Devices with different MAC
addresses will not be able to join the 2.4GHz WLAN.
802.11 Original Authentication Methods
The best way to secure a wireless network is to use authentication and encryption systems. Two types of
authentication were introduced with the original 802.11 standard:
Open system authentication
• No password required. Typically used to provide free internet access in public areas like cafes, airports, and
hotels.
• The client is responsible for providing its own security, for example through a VPN.
Shared key authentication
• Requires a key known to both the client and the AP before the client can connect. This is the model used by
WEP and by the Personal (pre-shared key) modes of WPA, WPA2, and WPA3, which authenticate the client and
encrypt the data between the wireless client and the AP.

Shared Key Authentication Methods

Authentication Method            Description

Wired Equivalent Privacy (WEP)   The original 802.11 specification. Encrypts data with the Rivest Cipher 4 (RC4)
                                 stream cipher and a static key. WEP is broken, is no longer recommended, and
                                 should never be used.

Wi-Fi Protected Access (WPA)     A Wi-Fi Alliance standard that keeps WEP's RC4 cipher but wraps it in the much
                                 stronger Temporal Key Integrity Protocol (TKIP). TKIP derives a fresh key for
                                 each packet and adds a message integrity check, making the data much more
                                 difficult to recover or tamper with.

WPA2                             Replaces RC4/TKIP with the Advanced Encryption Standard (AES) in CCMP mode,
                                 which provides both confidentiality and integrity. AES-CCMP is the baseline for
                                 a secure WLAN today.

WPA3                             The next generation of Wi-Fi security. All WPA3-enabled devices use the latest
                                 security methods, disallow outdated legacy protocols, and require the use of
                                 Protected Management Frames (PMF).

Authenticating a Home User

Home routers typically have two choices for authentication: WPA and WPA2, with WPA2 having two
authentication methods.
• Personal – Intended for home or small office networks. Wireless clients authenticate with the wireless
router using a pre-shared key (PSK) derived from a shared passphrase. No special authentication server is
required, which also means every user shares the same key.
• Enterprise – Intended for enterprise networks. Requires a Remote Authentication Dial-In User Service
(RADIUS) authentication server. Each user authenticates individually using the 802.1X standard, which
carries the Extensible Authentication Protocol (EAP); the AP or WLC relays the EAP exchange to the RADIUS
server, which makes the authentication decision.
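As an added example (not part of the study guide and not vendor code), the following Python derives the
pre-shared key that a WPA/WPA2-Personal client and AP both compute from the passphrase and SSID, and models
the offline dictionary attack that becomes possible once an attacker has captured a handshake. The SSIDs,
passphrases and wordlist are constructed values; the derivation itself is the one IEEE 802.11 specifies for
WPA-PSK (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output). This is the weakness that SAE in WPA3-Personal
removes, because SAE requires a live exchange with the AP for every guess.

```python
"""WPA/WPA2-Personal PMK derivation and why passphrase quality matters.

Added example, not from the study guide. Passphrases, SSIDs and the wordlist
are constructed. IEEE 802.11 derives the pairwise master key (PMK) as
PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
"""
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK used by WPA-PSK/WPA2-PSK; the SSID acts as the salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def offline_guess(ssid: str, target_pmk: bytes, wordlist):
    """Model of an offline dictionary attack.

    An attacker who captured a 4-way handshake can test each candidate
    passphrase locally, with no further contact with the AP. (A real attack
    checks the handshake MIC derived from the PMK; comparing PMKs directly
    keeps the example short.) Returns (passphrase or None, guesses tried).
    """
    tried = 0
    for candidate in wordlist:
        tried += 1
        try:
            if hmac.compare_digest(wpa_psk(candidate, ssid), target_pmk):
                return candidate, tried
        except ValueError:          # candidate outside the 8..63 length rule
            continue
    return None, tried
```

Each guess costs 4096 HMAC-SHA1 operations, which only slows an attacker down; a passphrase that is not in
any wordlist is what actually stops the attack, and a different SSID forces the attacker to start over
because the salt changes.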
Encryption Methods

WPA and WPA2 include two encryption protocols:
• Temporal Key Integrity Protocol (TKIP) – Used by WPA and provides support for legacy WLAN equipment.
It retains WEP's RC4 cipher but derives a fresh key for every packet and adds a message integrity check,
encrypting the Layer 2 payload with the per-packet key.
• Advanced Encryption Standard (AES) – Used by WPA2 with the Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol (CCMP). CCMP encrypts the payload and authenticates both the
encrypted payload and selected unencrypted header fields, so the receiver can detect whether either has
been altered.

Authentication in the Enterprise

Enterprise security mode requires an Authentication, Authorization, and Accounting (AAA) RADIUS server.
Three pieces of information are required:
• RADIUS server IP address – IP address of the server.
• UDP port numbers – UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting; older
deployments may also operate on UDP ports 1645 and 1646.
• Shared key – Used to authenticate the AP (or WLC) with the RADIUS server.
Note: User authentication and authorization is handled by the 802.1X standard, which provides a centralized,
server-based authentication of end users.

WPA3
Because weaknesses have been found in WPA2, WPA3 is recommended when available. WPA3 includes four
features:
• WPA3 – Personal: Replaces the PSK handshake with Simultaneous Authentication of Equals (SAE), which resists
offline dictionary (brute-force) attacks on the passphrase.
• WPA3 – Enterprise: Uses 802.1X/EAP authentication, adds an optional 192-bit cryptographic suite for
high-security deployments, and eliminates the mixing of security protocols from previous 802.11 standards.
• Open Networks: Does not use any authentication. However, it uses Opportunistic Wireless Encryption (OWE)
to encrypt all wireless traffic, so an open network no longer means cleartext traffic.
• IoT Onboarding: Uses Device Provisioning Protocol (DPP) to quickly onboard IoT devices.
Remote Site WLAN Configuration

The Wireless Router

Remote workers, small branch offices, and home networks often use a small office and home router.
• These “integrated” routers typically include a switch for wired clients, a port for an internet connection
(sometimes labeled “WAN”), and wireless components for wireless client access.
• These wireless routers typically provide WLAN security, DHCP services, integrated Network Address
Translation (NAT), quality of service (QoS), as well as a variety of other features.
• The feature set will vary based on the router model.
Note: Cable or DSL modem configuration is usually done by the service provider’s representative either
on-site or remotely.

Log in to the Wireless Router


Most wireless routers are preconfigured to be connected to the network and provide services.
• Wireless router default IP addresses, usernames, and passwords can easily be found on the internet.
• Therefore, your first priority should be to change these defaults for security reasons.

To gain access to the wireless router’s configuration GUI


• Open a web browser and enter the default IP address for your wireless router.
• The default IP address can be found in the documentation that came with the wireless router or you can search
the internet.
• The word admin is commonly used as the default username and password.

Basic Network Setup


Basic network setup includes the following steps:
• Log in to the router from a web browser.
• Change the default administrative password.
• Log in with the new administrative password.
• Change the default DHCP IPv4 addresses.
• Renew the IP address.
• Log in to the router with the new IP address.
Basic Wireless Setup
Basic wireless setup includes the following steps:
• View the WLAN defaults.
• Change the network mode, identifying which 802.11 standard is to be implemented.
• Configure the SSID.
• Configure the channel, ensuring there are no overlapping channels in use.
• Configure the security mode, selecting from Open, WPA, WPA2 Personal, WPA2 Enterprise, etc..
• Configure the passphrase, as required for the selected security mode.

Configure a Wireless Mesh Network

In a small office or home network, one wireless router may suffice to provide wireless access to all the
clients.
• If you want to extend the range beyond approximately 45 meters indoors and 90 meters outdoors, you
create a wireless mesh.
• Create the mesh by adding access points with the same settings (SSID and security), except using
different channels to prevent interference.
• Extending a WLAN in a small office or home has become increasingly easier.
• Manufacturers have made creating a wireless mesh network (WMN) simple through smartphone apps.

NAT for IPv4

Typically, the wireless router is assigned a publicly routable address by the ISP and uses a private network
address for addressing on the LAN.
• To allow hosts on the LAN to communicate with the outside world, the router will use a process called
Network Address Translation (NAT).
• NAT translates a private (local) source IPv4 address to a public (global) address (the process is reversed
for incoming packets).
• NAT makes sharing one public IPv4 address possible by tracking the source port numbers for every session
established by a device.
• If your ISP has IPv6 enabled, you will see a unique IPv6 address for each device.
Quality of Service
Many wireless routers have an option for configuring Quality of Service (QoS).
• By configuring QoS, you can guarantee that certain traffic types, such as voice and video, are prioritized
over traffic that is not as time-sensitive, such as email and web browsing.
• On some wireless routers, traffic can also be prioritized on specific ports.

Port Forwarding
Wireless routers typically block unsolicited inbound TCP and UDP connections to prevent unauthorized access to
the LAN; only replies to sessions that an inside host started are translated back in.
• However, there are situations when specific ports must be opened so that certain programs and applications
can communicate with devices on different networks.
• Port forwarding is a rule-based method of directing traffic arriving on a given public port to a chosen
device on the LAN. Every forwarded port is a permanent exposure of that device to the internet, so forward
only what is needed and keep the exposed service patched.
• Port triggering allows the router to temporarily forward data through inbound ports to a specific device.
• You can use port triggering to forward data to a computer only when a designated port range is used to make
an outbound request.
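The NAT and port-forwarding behaviour described above, as an added example (not part of the study guide and not
any router vendor's code). The simulation tracks source ports for every outbound session, answers only replies to
sessions a LAN host opened, and exposes one inside service through a static port-forward rule. The public
address 203.0.113.10, the LAN 192.168.1.0/24 and the hosts and ports used are constructed values.

```python
"""Port address translation (PAT) plus port forwarding, as a small simulation.

Added example, not code from the study guide or from any router vendor. The
public address (203.0.113.10, a documentation range), the LAN 192.168.1.0/24
and the hosts and ports below are constructed values.
"""
import ipaddress
from dataclasses import dataclass, field

LAN = ipaddress.ip_network("192.168.1.0/24")   # inside (private) network
PUBLIC_IP = "203.0.113.10"                      # single ISP-assigned outside address


@dataclass
class NatTable:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000                         # first public port handed out by PAT
    outbound: dict = field(default_factory=dict)   # (proto, in_ip, in_port) -> public port
    inbound: dict = field(default_factory=dict)    # (proto, public port) -> (in_ip, in_port)
    forwards: dict = field(default_factory=dict)   # static rules: (proto, public port) -> (in_ip, in_port)

    def add_port_forward(self, proto, public_port, inside_ip, inside_port):
        """Permanently expose one inside service (e.g. SSH on a LAN host) on the public address."""
        if ipaddress.ip_address(inside_ip) not in LAN:
            raise ValueError("port-forward target must be on the LAN")
        self.forwards[(proto, public_port)] = (inside_ip, inside_port)

    def translate_outbound(self, proto, src_ip, src_port):
        """LAN -> internet: rewrite the private source to (public_ip, unique public port)."""
        if ipaddress.ip_address(src_ip) not in LAN:
            raise ValueError("source is not an inside-local address")
        key = (proto, src_ip, src_port)
        if key not in self.outbound:               # new session: allocate a translation
            public_port = self._free_port(proto)
            self.outbound[key] = public_port
            self.inbound[(proto, public_port)] = (src_ip, src_port)
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, proto, dst_port):
        """Internet -> LAN: return the inside destination, or None if the packet is dropped."""
        session = self.inbound.get((proto, dst_port))   # reply to a session a host opened
        if session is not None:
            return session
        return self.forwards.get((proto, dst_port))     # explicitly forwarded port, else None

    def _free_port(self, proto):
        """Pick the next public port not already used by a session or a forward rule."""
        while (proto, self.next_port) in self.inbound or (proto, self.next_port) in self.forwards:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("PAT port pool exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port
```

Two hosts that both use source port 51000 get different public ports, which is what lets a single public
address carry both sessions; an unsolicited inbound packet to a port with no session and no forward rule
returns None and is dropped.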

WLC Topology
The topology and addressing scheme used for this topic are shown in the figure and the table.
• The access point (AP) is a controller-based AP as opposed to an autonomous AP, so it requires no initial
configuration and is often called a lightweight AP (LAP).
• LAPs use the Lightweight Access Point Protocol (LWAPP) to communicate with a WLAN controller (WLC);
current Cisco controllers use its successor, CAPWAP, for the same purpose.
• Controller-based APs are useful in situations where many APs are required in the network.
• As more APs are added, each AP is automatically configured and managed by the WLC.

Device            Interface    IP Address        Subnet Mask
R1                F0/0         172.16.1.1        255.255.255.0
R1                F0/1.1       192.168.200.1     255.255.255.0
S1                VLAN 1       DHCP
WLC               Management   192.168.200.254   255.255.255.0
AP1               Wired 0      192.168.200.3     255.255.255.0
PC-A              NIC          172.16.1.254      255.255.255.0
PC-B              NIC          DHCP
Wireless Laptop   NIC          DHCP
Log in to the WLC

Configuring a wireless LAN controller (WLC) is not that much different from configuring a wireless router.
The WLC controls APs and provides more services and management capabilities.
• The user logs into the WLC using credentials that were configured during initial setup.
• The Network Summary page is a dashboard that provides a quick overview of configured wireless networks,
associated access points (APs), and active clients.
• You can also see the number of rogue access points and clients.

View AP Information

Click Access Points from the left menu to view an overall picture of the AP’s system information and
performance.
• The AP is using IP address 192.168.200.3.
• Because Cisco Discovery Protocol (CDP) is active on this network, the WLC knows that the AP is connected
to the FastEthernet 0/1 port on the switch.
• This AP in the topology is a Cisco Aironet 1815i which means you can use the command-line and a limited
set of familiar IOS commands.
Advanced Settings

Most WLC will come with some basic settings and menus that users can quickly access to implement a
variety of common configurations.
• However, as a network administrator, you will typically access the advanced settings.
• For the Cisco 3504 Wireless Controller, click Advanced in the upper right-hand corner to access the advanced
Summary page.
• From here, you can access all the features of the WLC.

Configure a WLAN
Wireless LAN Controllers have Layer 2 switch ports and virtual interfaces that are created in software and
are very similar to VLAN interfaces.
• Each physical port can support many APs and WLANs.
• The ports on the WLC are essentially trunk ports that can carry traffic from multiple VLANs to a switch for
distribution to multiple APs.
• Each AP can support multiple WLANs.

Basic WLAN configuration on the WLC includes the following steps:


1. Create the WLAN
2. Apply and Enable the WLAN
3. Select the Interface
4. Secure the WLAN
5. Verify the WLAN is Operational
6. Monitor the WLAN
7. View Wireless Client Information
1. Create the WLAN: In the figure, a new WLAN with the SSID name Wireless_LAN is created.

2. Apply and Enable the WLAN: Next, the WLAN is enabled and the WLAN settings are configured.

3. Select the Interface: The interface that will carry the WLAN traffic must be selected.

4. Secure the WLAN: The Security tab is used to access all the available options for securing the WLAN.

5. Verify the WLAN is Operational: The WLANs menu on the left is used to view the newly configured WLAN
and its settings.

6. Monitor the WLAN: The Monitor tab is used to access the advanced Summary page and confirm that the
Wireless_LAN now has one client using its services.

7. View Wireless Client Information: Click Clients in the left menu to view more information about the
clients connected to the WLAN.
Configure a WPA2 Enterprise WLAN on the WLC

SNMP and RADIUS

PC-A is running Simple Network Management Protocol (SNMP) and Remote Authentication Dial-In User
Service (RADIUS) server software.
• The network administrator wants the WLC to forward all SNMP log messages (i.e., traps) to the SNMP server.
• The network administrator wants to use a RADIUS server for authentication, authorization, and accounting
(AAA) services.
• Users will enter their username and password credentials, which will be verified by the RADIUS server.
• The RADIUS server is required for WLANs that are using WPA2 Enterprise authentication.
Note: SNMP server and RADIUS server configuration is beyond the scope of this module.

Configure SNMP Server Information

To enable SNMP and configure settings:
1. Click the MANAGEMENT tab to access a variety of management features.
2. Click SNMP to expand the sub-menus.
3. Click Trap Receivers.
4. Click New... to configure a new SNMP trap receiver.
• Enter the SNMP Community name and the IP address (IPv4 or IPv6) for the SNMP server and then click Apply.
• The WLC will now forward SNMP log messages to the SNMP server.
Note: An SNMPv1/v2c community name is sent in cleartext and acts as a password, so do not keep the default
names (public/private); where the WLC and the management station support it, prefer SNMPv3 with
authentication and privacy.
Configure RADIUS Server Information
To configure the WLC with the RADIUS server information:
1. Click SECURITY.
2. Click RADIUS.
3. Click Authentication.
4. Click New... to add PC-A as the RADIUS server.

Enter the IPv4 address for PC-A and the shared secret that will be used between the WLC and the RADIUS
server and then click Apply. The same secret must be configured on the RADIUS server for this client (the
WLC's address); choose a long random value, since it is the only key protecting the RADIUS exchange.

After clicking Apply, the list of configured RADIUS Authentication Servers refreshes with the new server
listed.
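What the shared secret from the "Authentication in the Enterprise" list and the RADIUS server configuration
above actually protects, as an added example (not part of the study guide and not Cisco or any RADIUS server's
code): a minimal RFC 2865 Access-Request/Access-Accept exchange in Python, with the User-Password hiding and the
Response Authenticator both keyed by the secret. The secret, user names, passwords and the fixed request
authenticator used in the assertions are constructed values; a real client draws the authenticator at random.

```python
"""RADIUS Access-Request / Access-Accept exchange between a WLC and a RADIUS server.

Added example, not code from the study guide or from Cisco. It implements the
RFC 2865 User-Password hiding and Response Authenticator so the role of the
shared secret configured on the WLC is visible. Secret, usernames, passwords
and any fixed request authenticator are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
RADIUS_AUTH_PORT = 1812   # accounting uses 1813 (legacy 1645/1646)


def hide_user_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if len(request_auth) != 16 or not 0 < len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_user_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_user_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(secret, identifier, username, password, request_auth=None) -> bytes:
    """Client (WLC) side: Code, Identifier, Length, 16-byte Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode()) + \
        attribute(ATTR_USER_PASSWORD, hide_user_password(secret, request_auth, password.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(secret, code, identifier, request_auth, attrs) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def handle_access_request(secret: bytes, packet: bytes, users: dict) -> bytes:
    """Server side: recover the password, check it, and sign the reply with the shared secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Request")
    request_auth, attrs = packet[4:20], parse_attributes(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", errors="replace")
    password = reveal_user_password(secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    expected = users.get(username)
    ok = expected is not None and hmac.compare_digest(expected.encode(), password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""
    auth = response_authenticator(secret, reply_code, identifier, request_auth, reply_attrs)
    return struct.pack("!BBH", reply_code, identifier, 20 + len(reply_attrs)) + auth + reply_attrs


def verify_reply(secret: bytes, request: bytes, reply: bytes) -> bool:
    """Client side: trust a reply only if its authenticator was computed with our secret."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        return False
    expected = response_authenticator(secret, code, identifier, request[4:20], reply[20:length])
    return hmac.compare_digest(expected, reply[4:20])
```

Run `build_access_request` on the WLC side and `handle_access_request` on the server side with the same secret
and the reply is an Access-Accept that `verify_reply` accepts; with mismatched secrets the password decrypts to
garbage (reject) and the reply fails verification. Note that this MD5-based hiding is only as strong as the
secret and the network between WLC and server, which is why RADIUS is normally kept on a management VLAN or
carried over TLS (RadSec) or IPsec.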

Topology with VLAN 5 Addressing

Each WLAN configured on the WLC needs its own virtual interface.
• The WLC has five physical data ports that can be configured to support multiple WLANs and virtual
interfaces.
• The new WLAN will use interface VLAN 5 and network 192.168.5.0/24, and therefore R1 has been configured
for VLAN 5 as shown in the topology and the show ip interface brief output.
Configure a New Interface
VLAN interface configuration on the WLC includes the following steps:
1. Create a new interface.
2. Configure the VLAN name and ID.
3. Configure the port and interface address.
4. Configure the DHCP server address.
5. Apply and Confirm.
6. Verify Interfaces.

1. Create a new interface: Click CONTROLLER > Interfaces > New...

2. Configure the VLAN name and ID: In the example, the new interface is named vlan5, the VLAN ID is 5, and
the settings are applied.

3. Configure the port and interface address: On the interface Edit page, configure the physical port number
(i.e., the WLC G1 interface is Port Number 1 on the WLC), the VLAN 5 interface addressing (i.e.,
192.168.5.254/24), and the default gateway (i.e., 192.168.5.1).

4. Configure the DHCP server address: The example configures a primary DHCP server at IPv4 address
192.168.5.1, which is the default gateway router address; R1 is enabled as a DHCP server.

5. Apply and Confirm: Scroll to the top and click Apply and then click OK for the warning message.

6. Verify Interfaces: Click Interfaces to verify that the new vlan5 interface is shown in the list of
interfaces with its IPv4 address.

Configure a DHCP Scope

DHCP scope configuration includes the following steps:
1. Create a new DHCP scope.
2. Name the DHCP scope.
3. Verify the new DHCP scope.
4. Configure and enable the new DHCP scope.
5. Verify the enabled DHCP scope.

1. Create a new DHCP scope: To configure a new DHCP scope, click Internal DHCP Server > DHCP Scope > New....

2. Name the DHCP scope: The scope is named Wireless_Management and then applied.

3. Verify the new DHCP scope: In the DHCP Scopes page click the new Scope Name to configure the DHCP scope.

4. Configure and enable the new DHCP scope: On the Edit screen for the Wireless_Management scope, configure
a pool of addresses (i.e., 192.168.200.240/24 to .249), the default router IPv4 address (i.e., 192.168.200.1),
then set the status to Enabled and click Apply.

5. Verify the enabled DHCP scope: The network administrator is returned to the DHCP Scopes page and can
verify the scope is ready to be allocated to a new WLAN.

Configure a WPA2 Enterprise WLAN

By default, all newly created WLANs on the WLC will use WPA2 with Advanced Encryption Standard (AES).
• 802.1X is the default authentication key management method; the WLC relays the client's EAP exchange to
the RADIUS server, which decides whether the user is admitted.
• Next, create a new WLAN to use interface vlan5.
Configuring a new WLAN on the WLC includes the following steps:
1. Create a new WLAN.
2. Configure the WLAN name and SSID.
3. Enable the WLAN for VLAN 5.
4. Verify AES and 802.1X defaults.
5. Configure WLAN security to use the RADIUS server.
6. Verify the new WLAN is available.

1. Create a new WLAN: Click the WLANs tab and then Go to create a new WLAN.

2. Configure the WLAN name and SSID: Enter the profile name and SSID, choose an ID of 5, and then click
Apply to create the new WLAN.

3. Enable the WLAN for VLAN 5: Once the WLAN is created, change the status to Enabled, choose vlan5 from
the Interface/Interface Group(G) dropdown list, and then click Apply and click OK to accept the popup message.

4. Verify AES and 802.1X defaults: Click the Security tab to view the default security configuration for the
new WLAN.

5. Configure WLAN security to use the RADIUS server: To select the RADIUS server that will be used to
authenticate WLAN users, click the AAA Servers tab and in the dropdown box, select the RADIUS server that was
configured on the WLC previously, and then Apply your changes.

6. Verify that the new WLAN is available: To verify that the new WLAN is listed and enabled click on the
WLANs submenu.

Troubleshoot WLAN Issues

Troubleshooting Approaches
Network problems can be simple or complex, and can result from a combination of hardware, software, and
connectivity issues.
• Technicians must be able to analyze the problem and determine the cause of the error before they can resolve
the network issue.
• This process is called troubleshooting.
Troubleshooting any sort of network problem should follow a systematic approach.
A common and efficient troubleshooting methodology is based on the scientific method and can be broken
into the six main steps shown in the table.

Step  Title                                     Description

1     Identify the Problem                      The first step in the troubleshooting process is to identify the
                                                problem. While tools can be used in this step, a conversation with
                                                the user is often very helpful.

2     Establish a Theory of Probable Causes     After you have talked to the user and identified the problem, you can
                                                try to establish a theory of probable causes. This step often yields
                                                more than a few probable causes to the problem.

3     Test the Theory to Determine Cause        Based on the probable causes, test your theories to determine which
                                                one is the cause of the problem. A technician will often apply a quick
                                                procedure to test and see if it solves the problem. If a quick
                                                procedure does not correct the problem, you might need to research
                                                the problem further to establish the exact cause.

4     Establish a Plan of Action to Resolve     After you have determined the exact cause of the problem, establish a
      the Problem and Implement the Solution    plan of action to resolve the problem and implement the solution.

5     Verify Full System Functionality and      After you have corrected the problem, verify full functionality and,
      Implement Preventive Measures             if applicable, implement preventive measures.

6     Document Findings, Actions, and           In the final step of the troubleshooting process, document your
      Outcomes                                  findings, actions, and outcomes. This is very important for future
                                                reference.
Wireless Client Not Connecting
If there is no connectivity, check the following:
• Confirm the network configuration on the PC using the ipconfig command.
• Confirm that the device can connect to the wired network. Ping a known IP address.
• If needed, reload drivers as appropriate for the client or try a different wireless NIC.
• If the wireless NIC of the client is working, check the security mode and encryption settings on the
client; they must match the AP exactly.
If the PC is operational but the wireless connection is performing poorly, check the following:
• Is the PC out of the planned coverage area (BSA)?
• Check the channel settings on the wireless client.
• Check for interference in the 2.4 GHz band.
Next, ensure that all the devices are actually in place.
• Consider a possible physical security issue, such as a missing or tampered-with AP.
• Is there power to all devices and are they powered on?
Finally, inspect links between cabled devices looking for bad connectors or damaged or missing cables.
• If the physical plant is in place, verify the wired LAN by pinging devices, including the AP.
• If connectivity still fails at this point, perhaps something is wrong with the AP or its configuration.
• When the user PC is eliminated as the source of the problem, and the physical status of devices is
confirmed, begin investigating the performance of the AP.
• Check the power status of the AP.

Troubleshooting When the Network Is Slow

To optimize and increase the bandwidth of 802.11 dual-band routers and APs, either:
• Upgrade your wireless clients - Older 802.11b, 802.11g, and even 802.11n devices can slow the entire
WLAN. For the best performance, all wireless devices should support the same highest acceptable standard.
• Split the traffic - The easiest way to improve wireless performance is to split the wireless traffic between the
802.11n 2.4 GHz band and the 5 GHz band. Therefore, 802.11n (or better) can use the two bands as two
separate wireless networks to help manage the traffic.

There are several reasons for using a split-the-traffic approach:


• The 2.4 GHz band may be suitable for basic Internet traffic that is not time-sensitive.
• The bandwidth may still be shared with other nearby WLANs.
• The 5 GHz band is much less crowded than the 2.4 GHz band; ideal for streaming multimedia.
• The 5 GHz band has more channels; therefore, the channel chosen is likely interference-free.
By default, dual-band routers and APs use the same network name on both the 2.4 GHz band and the 5 GHz
band.
• It may be useful to segment the traffic.
• The simplest way to segment traffic is to rename one of the wireless networks.
To improve the range of a wireless network, ensure the wireless router or AP location is free of obstructions,
such as furniture, fixtures, and tall appliances.
• These block the signal, which shortens the range of the WLAN.
• If this still does not solve the problem, then a Wi-Fi range extender or Powerline networking adapters may
be used.

Updating Firmware

Most wireless routers and APs offer upgradable firmware that should be periodically verified.
On a WLC, there will most likely be the ability to upgrade the firmware on all APs that the WLC controls.
• In the figure, the firmware image that will be used to upgrade all the APs is downloaded.
• On a Cisco 3504 Wireless Controller, click WIRELESS > Access Points > Global Configuration and then scroll
to the bottom of the page for the AP Image Pre-download section.

Routing

Path Determination
Two Functions of a Router
When a router receives an IP packet on one interface, it determines which interface to use to forward the
packet to the destination. This is known as routing. The interface that the router uses to forward the packet
may be the final destination, or it may be a network connected to another router that is used to reach the
destination network. Each network that a router connects to typically requires a separate interface, but this
may not always be the case.
The primary functions of a router are to determine the best path to forward packets based on the information
in its routing table, and to forward packets toward their destination.
Router Functions Example
The router uses its IP routing table to determine
which path (route) to use to forward a packet. R1
and R2 will use their respective IP routing tables
to first determine the best path, and then forward
the packet.

Best Path Equals Longest Match


• The best path in the routing table is also known as the longest match.
• The routing table contains route entries consisting of a prefix (network address) and prefix length.
For there to be a match between the destination IP address of a packet and a route in the routing
table, a minimum number of far-left bits must match between the IP address of the packet and the
route in the routing table. The prefix length of the route in the routing table is used to determine the
minimum number of far-left bits that must match.
• The longest match is the route in the routing table that has the greatest number of far-left matching
bits with the destination IP address of the packet. The longest match is always the preferred route.
Note: The term prefix length will be used to refer to the network portion of both IPv4 and IPv6 addresses.

Build the Routing Table

Directly Connected Networks: Added to the routing table when a local interface is configured with an IP
address and subnet mask (prefix length) and is active (up and up).
Remote Networks: Networks that are not directly connected to the router. Routers learn about remote
networks in two ways:
• Static routes - Added to the routing table when a route is manually configured.
• Dynamic routing protocols - Added to the routing table when routing protocols dynamically learn
about the remote network.

Default Route: Specifies a next-hop router to use when the routing table does not contain a specific route
that matches the destination IP address. The default route can be entered manually as a static route, or
learned automatically from a dynamic routing protocol.
• A default route has a /0 prefix length. This means that no bits need to match the destination IP address
for this route entry to be used. If there are no routes with a match longer than 0 bits, the default route
is used to forward the packet. The default route is sometimes referred to as a gateway of last resort.
Packet Forwarding

Packet Forwarding Decision Process


1. The data link frame with an encapsulated IP packet arrives on the ingress interface.
2. The router examines the destination IP address in the packet header and consults its IP routing table.
3. The router finds the longest matching prefix in the routing table.
4. The router encapsulates the packet in a data link frame and forwards it out the egress interface. The
destination could be a device connected to the network or a next-hop router.
5. However, if there is no matching route entry the packet is dropped.

After a router has determined the best path, it could do the following:
Forward the Packet to a Device on a Directly Connected Network
• If the route entry indicates that the egress interface is a directly connected network, the packet can be
forwarded directly to the destination device. Typically this is an Ethernet LAN.
• To encapsulate the packet in the Ethernet frame, the router needs to determine the destination MAC address
associated with the destination IP address of the packet. The process varies based on whether the packet is an
IPv4 or IPv6 packet.
Forward the Packet to a Next-Hop Router
• If the route entry indicates that the destination IP address is on a remote network, meaning a device on
network that is not directly connected. The packet must be forwarded to the next-hop router. The next-hop
address is indicated in the route entry.
• If the forwarding router and the next-hop router are on an Ethernet network, a similar process (ARP and
ICMPv6 Neighbor Discovery) will occur for determining the destination MAC address of the packet as
described previously. The difference is that the router will search for the IP address of the next-hop router in
its ARP table or neighbor cache, instead of the destination IP address of the packet.
Note: This process will vary for other types of Layer 2 networks.

Drop the Packet - No Match in Routing Table
• If there is no match between the destination IP address and a prefix in the routing table, and if there is no
default route, the packet will be dropped.

End-to-End Packet Forwarding


The primary responsibility of the packet forwarding function is to encapsulate packets in the appropriate
data link frame type for the outgoing interface. For example, the data link frame format for a serial link
could be Point-to-Point (PPP) protocol, High-Level Data Link Control (HDLC) protocol, or some other
Layer 2 protocol.

Packet Forwarding Mechanisms


Packet forwarding means looking up the egress interface and encapsulating the packet in the appropriate data
link frame for it. The more efficiently a router performs this lookup and encapsulation, the faster packets
can be forwarded by the router.
Routers support the following three packet forwarding mechanisms:
• Process switching
• Fast switching
• Cisco Express Forwarding (CEF)
Process Switching: An older packet forwarding mechanism still available for Cisco routers. When a packet
arrives on an interface, it is forwarded to the control plane where the CPU matches the destination address
with an entry in its routing table, and then determines the exit interface and forwards the packet. It is
important to understand that the router does this for every packet, even if the destination is the same for a
stream of packets.

Fast Switching: Another, older packet forwarding mechanism which was the successor to process switching.
Fast switching uses a fast-switching cache to store next-hop information. When a packet arrives on an
interface, it is forwarded to the control plane where the CPU searches for a match in the fast-switching cache.
If it is not there, it is process-switched and forwarded to the exit interface. The flow information for the
packet is then stored in the fast-switching cache. If another packet going to the same destination arrives on
an interface, the next-hop information in the cache is re-used without CPU intervention.

Cisco Express Forwarding (CEF): The most recent and default Cisco IOS packet-forwarding mechanism. CEF
builds a Forwarding Information Base (FIB) and an adjacency table. The table entries are not packet-triggered
like fast switching but change-triggered, such as when something changes in the network topology. When a
network has converged, the FIB and adjacency tables contain all the information that a router would have to
consider when forwarding a packet.

Topology

The topology in the figure will be used for configuration and verification examples. It will also be used in
the next topic to discuss the IP routing table.
IP Routing Table

Route Sources
A routing table contains a list of routes to known networks (prefixes and prefix lengths). The source of this
information is derived from the following:
• Directly connected networks
• Static routes
• Dynamic routing protocols

The source for each route in the routing table is identified by a code. Common codes include the following:
• L - Identifies the address assigned to a router interface.
• C - Identifies a directly connected network.
• S - Identifies a static route created to reach a specific network.
• O - Identifies a dynamically learned network from another router using the OSPF routing protocol.
• * - This route is a candidate for a default route.

Routing Table Principles


There are three routing table principles as described in the table. These are issues that are addressed by the
proper configuration of dynamic routing protocols or static routes on all the routers between the source and
destination devices.

Routing Table Principle                               Example

Every router makes its decision alone, based on       • R1 can only forward packets using its own routing table.
the information it has in its own routing table.      • R1 does not know what routes are in the routing tables of
                                                      other routers (e.g., R2).

The information in a routing table of one router      Just because R1 has a route in its routing table to a network
does not necessarily match the routing table of       in the internet via R2, that does not mean that R2 knows about
another router.                                       that same network.

Routing information about a path does not provide     R1 receives a packet with the destination IP address of PC1 and
return routing information.                           the source IP address of PC3. Just because R1 knows to forward
                                                      the packet out its G0/0/0 interface, doesn't necessarily mean
                                                      that it knows how to forward packets originating from PC1 back
                                                      to the remote network of PC3.
Routing Table Entries

In the figure, the numbers identify the following information:


• Route source - This identifies how the route was learned.
• Destination network (prefix and prefix length) - This identifies the address of the remote network.
• Administrative distance - This identifies the trustworthiness of the route source. Lower values indicate preferred route source.
• Metric - This identifies the value assigned to reach the remote network. Lower values indicate preferred routes.
• Next-hop - This identifies the IP address of the next router to which the packet would be forwarded.
• Route timestamp - This identifies how much time has passed since the route was learned.
• Exit interface - This identifies the egress interface to use for outgoing packets to reach their final destination.

Note: The prefix length of the destination network specifies the minimum number of far-left bits that must match between the IP address of the packet and the destination network (prefix) for this route to be used.

Directly Connected Networks


To learn about any remote networks, the router must have at least one active interface configured with an IP
address and subnet mask (prefix length). This is known as a directly connected network or a directly
connected route. Routers add a directly connected route to their routing table when an interface is configured
with an IP address and is activated.
• A directly connected network is denoted by a status code of C in the routing table. The route contains a
network prefix and prefix length.
• The routing table also contains a local route for each of its directly connected networks, indicated by the status
code of L.
• For IPv4 local routes the prefix length is /32 and for IPv6 local routes the prefix length is /128. This means the
destination IP address of the packet must match all the bits in the local route for this route to be a match. The
purpose of the local route is to efficiently determine when it receives a packet for the interface instead of a
packet that needs to be forwarded.
Static Routes
After directly connected interfaces are configured and added to the routing table, static or dynamic routing
can be implemented for accessing remote networks. Static routes are manually configured. They define an
explicit path between two networking devices. They are not automatically updated and must be manually
reconfigured if the network topology changes.
Static routing has three primary uses:
• It provides ease of routing table maintenance in smaller networks that are not expected to grow
significantly.
• It uses a single default route to represent a path to any network that does not have a more specific
match with another route in the routing table. Default routes are used to send traffic to any destination
beyond the next upstream router.
• It routes to and from stub networks. A stub network is a network accessed by a single route, and the
router has only one neighbor.

Static Routes in the IP Routing Table

The topology in the figure is simplified to show only one LAN attached to each router. The figure shows IPv4
and IPv6 static routes configured on R1 to reach the 10.0.4.0/24 and 2001:db8:acad:4::/64 networks on R2.

Dynamic Routing Protocols

Dynamic routing protocols are used by routers to automatically share information about the reachability and
status of remote networks. Dynamic routing protocols perform several activities, including network discovery
and maintaining routing tables.
Dynamic Routes in the Routing Table
OSPF is now being used in our sample topology to dynamically learn all the networks connected to R1 and
R2. The routing table entries use the status code of O to indicate the route was learned by the OSPF routing
protocol. Both entries also include the IP address of the next-hop router, via ip-address.
Note: IPv6 routing protocols use the link-local address of the next-hop router.

R1# show ip route


Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX
- EIGRP external, O - OSPF, IA - OSPF inter area
(output omitted for brevity)
O 10.0.4.0/24 [110/50] via 10.0.3.2, 00:24:22, Serial0/1/1
O 10.0.5.0/24 [110/50] via 10.0.3.2, 00:24:15, Serial0/1/1
R1# show ipv6 route
IPv6 Routing Table - default - 10 entries
(Output omitted)
NDr - Redirect, RL - RPL, O - OSPF Intra, OI - OSPF Inter
O 2001:DB8:ACAD:4::/64 [110/50]
via FE80::2:C, Serial0/1/1
O 2001:DB8:ACAD:5::/64 [110/50]
via FE80::2:C, Serial0/1/1

Default Route
The default route specifies a next-hop router to use when the routing table does not contain a specific route
that matches the destination IP address. A default route can be either a static route or learned automatically
from a dynamic routing protocol. A default route has an IPv4 route entry of 0.0.0.0/0 or an IPv6 route entry
of ::/0. This means that zero or no bits need to match between the destination IP address and the default route.

Structure of an IPv4 Routing Table


• An indented entry is known as a child route. A route entry is indented if it is the subnet of a classful address
(class A, B or C network).
• Directly connected networks will always be indented (child routes) because the local address of the interface is
always entered in the routing table as a /32.
• The child route will include the route source and all the forwarding information such as the next-hop address.
• The classful network address of this subnet will be shown above the route entry, less indented, and without a
source code. That route is known as a parent route.

Router# show ip route
(Output omitted)
      192.168.1.0/24 is variably..
C        192.168.1.0/24 is direct..
L        192.168.1.1/32 is direct..
O     192.168.2.0/24 [110/65]..
O     192.168.3.0/24 [110/65]..
      192.168.12.0/24 is variab..
C        192.168.12.0/30 is direct..
L        192.168.12.1/32 is direct..
      192.168.13.0/24 is variably..
C        192.168.13.0/30 is direct..
L        192.168.13.1/32 is direct..
      192.168.23.0/30 is subnette..
O        192.168.23.0/30 [110/128]..
Router#
Structure of an IPv6 Routing Table

The concept of classful addressing was never part of IPv6, so the structure of an IPv6 routing table is very
straightforward. Every IPv6 route entry is formatted and aligned the same way.

R1# show ipv6 route
(output omitted for brevity)
OE2 ::/0 [110/1], tag 2
via FE80::2:C, Serial0/0/1
C 2001:DB8:ACAD:1::/64 [0/0]
via GigabitEthernet0/0/0, directly connected
L 2001:DB8:ACAD:1::1/128 [0/0]
via GigabitEthernet0/0/0, receive
C 2001:DB8:ACAD:2::/64 [0/0]
via GigabitEthernet0/0/1, directly connected
L 2001:DB8:ACAD:2::1/128 [0/0]
via GigabitEthernet0/0/1, receive
C 2001:DB8:ACAD:3::/64 [0/0]
via Serial0/1/1, directly connected
L 2001:DB8:ACAD:3::1/128 [0/0]
via Serial0/1/1, receive
O 2001:DB8:ACAD:4::/64 [110/50]
via FE80::2:C, Serial0/1/1
O 2001:DB8:ACAD:5::/64 [110/50]
via FE80::2:C, Serial0/1/1
L FF00::/8 [0/0]
via Null0, receive
R1#

Administrative Distance

A route entry for a specific network address (prefix and prefix length) can only appear once in the routing
table. However, it is possible that the routing table learns about the same network address from more than
one routing source. Except for very specific circumstances, only one dynamic routing protocol should be
implemented on a router. Each routing protocol may decide on a different path to reach the destination based
on the metric of that routing protocol.
This raises a few questions, such as the following:
• How does the router know which source to use?
• Which route should it install in the routing table?
Cisco IOS uses what is known as the administrative distance (AD) to determine the route to install into the IP
routing table. The AD represents the "trustworthiness" of the route. The lower the AD, the more trustworthy
the route source.

The table lists various routing protocols and their associated ADs.

Route Source            Administrative Distance
Directly connected      0
Static route            1
EIGRP summary route     5
External BGP            20
Internal EIGRP          90
OSPF                    110
IS-IS                   115
RIP                     120
External EIGRP          170
Internal BGP            200


Static and Dynamic Routing

Static or Dynamic?

Static and dynamic routing are not mutually exclusive. Rather, most networks use a combination of dynamic
routing protocols and static routes.
Static routes are commonly used in the following scenarios:
• As a default route forwarding packets to a service provider
• For routes outside the routing domain and not learned by the dynamic routing protocol
• When the network administrator wants to explicitly define the path for a specific network
• For routing between stub networks
Static routes are useful for smaller networks with only one path to an outside network. They also provide
security in a larger network for certain types of traffic, or links to other networks that need more control.
Dynamic routing protocols are implemented in any type of network consisting of more than just a few
routers. Dynamic routing protocols are scalable and automatically determine better routes if there is a
change in the topology.

Dynamic routing protocols are commonly used in the following scenarios:


• In networks consisting of more than just a few routers
• When a change in the network topology requires the network to automatically determine another path
• For scalability. As the network grows, the dynamic routing protocol automatically learns about any
new networks.

The table shows a comparison of some of the differences between dynamic and static routing.

Feature                   Dynamic Routing                                      Static Routing
Configuration complexity  Independent of network size                          Increases with network size
Topology changes          Automatically adapts to topology changes             Administrator intervention required
Scalability               Suitable for simple to complex network topologies    Suitable for simple topologies
Security                  Security must be configured                          Security is inherent
Resource Usage            Uses CPU, memory, and link bandwidth                 No additional resources needed
Path Predictability       Route depends on topology and routing protocol used  Explicitly defined by the administrator
Dynamic Routing Evolution

Dynamic routing protocols have been used in networks since the late 1980s. One of the first routing protocols
was RIP. RIPv1 was released in 1988, but some of the basic algorithms within the protocol were used on the
Advanced Research Projects Agency Network (ARPANET) as early as 1969. As networks evolved and became
more complex, new routing protocols emerged.

The table classifies the current routing protocols. Interior Gateway Protocols (IGPs) are routing protocols
used to exchange routing information within a routing domain administered by a single organization. There
is only one EGP and it is BGP. BGP is used to exchange routing information between different
organizations, known as autonomous systems (AS). BGP is used by ISPs to route packets over the internet.
Distance vector, link-state, and path vector routing protocols refer to the type of routing algorithm used to
determine best path.

        Interior Gateway Protocols                              Exterior Gateway Protocols
        Distance Vector           Link-State                    Path Vector
IPv4    RIPv2    EIGRP            OSPFv2    IS-IS               BGP-4
IPv6    RIPng    EIGRP for IPv6   OSPFv3    IS-IS for IPv6      BGP-MP

Dynamic Routing Protocol


A routing protocol is a set of processes, algorithms, and messages that are used to exchange routing
information and populate the routing table with the choice of best paths. The purpose of dynamic routing
protocols includes the following:
• Discovery of remote networks
• Maintaining up-to-date routing information
• Choosing the best path to destination networks
• Ability to find a new best path if the current path is no longer available

The main components of dynamic routing protocols include the following:


• Data structures - Routing protocols typically use tables or databases for their operations. This
information is kept in RAM.
• Routing protocol messages - Routing protocols use various types of messages to discover
neighboring routers, exchange routing information, and other tasks to learn and maintain accurate
information about the network.
• Algorithm - An algorithm is a finite list of steps used to accomplish a task. Routing protocols use
algorithms for facilitating routing information and for the best path determination.
Routing protocols determine the best path, or route, to each network. That route is then offered to the routing
table. The route will be installed in the routing table if there is not another routing source with a lower AD.
Best Path
The best path is selected by a routing protocol based on the value or metric it uses to determine the distance
to reach a network. A metric is the quantitative value used to measure the distance to a given network. The
best path to a network is the path with the lowest metric.
Dynamic routing protocols typically use their own rules and metrics to build and update routing tables. The
following table lists common dynamic protocols and their metrics.

Routing Protocol: Routing Information Protocol (RIP)
Metric:
• The metric is "hop count".
• Each router along a path adds a hop to the hop count.
• A maximum of 15 hops allowed.

Routing Protocol: Open Shortest Path First (OSPF)
Metric:
• The metric is "cost" which is based on the cumulative bandwidth from source to destination.
• Faster links are assigned lower costs compared to slower (higher cost) links.

Routing Protocol: Enhanced Interior Gateway Routing Protocol (EIGRP)
Metric:
• It calculates a metric based on the slowest bandwidth and delay values.
• It could also include load and reliability into the metric calculation.

Load Balancing
When a router has two or more paths to a destination with equal cost metrics, then the router forwards the
packets using both paths equally. This is called equal cost load balancing.
• The routing table contains the single destination network, but has multiple exit interfaces, one for each equal
cost path. The router forwards packets using the multiple exit interfaces listed in the routing table.
• If configured correctly, load balancing can increase the effectiveness and performance of the network.
• Equal cost load balancing is implemented automatically by dynamic routing protocols. It is enabled with static
routes when there are multiple static routes to the same destination network using different next-hop routers.
Note: Only EIGRP supports unequal cost load balancing.
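As an added example (not from the study guide), the following Python models the lookup rules from this section and the earlier Routing Table Entries, Directly Connected Networks and Default Route sections: longest prefix match, /32 and /128 local routes, the 0.0.0.0/0 and ::/0 default, a drop with an ICMP unreachable when nothing matches, and per-flow selection between equal cost paths. The table is constructed by hand from the sample topology's addresses; the second path to 10.0.5.0/24 via Serial0/1/0 is an assumption made to show equal cost load balancing.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional
import zlib


@dataclass(frozen=True)
class Route:
    """One routing table entry with the fields the text lists for a route entry."""
    code: str                 # route source code: L, C, S, O (S* for a candidate default)
    prefix: object            # IPv4Network or IPv6Network (destination network and prefix length)
    ad: int                   # administrative distance
    metric: int
    next_hop: Optional[str]   # None for connected and local routes
    interface: str            # exit interface


def rt(code, prefix, ad, metric, next_hop, interface):
    return Route(code, ip_network(prefix), ad, metric, next_hop, interface)


# Constructed routing table for R1. The prefixes, the next hop 10.0.3.2 / fe80::2:c and
# Serial0/1/1 follow the sample topology in the text; the second OSPF path to 10.0.5.0/24
# via Serial0/1/0 is an assumption added to show equal cost load balancing.
R1_TABLE: List[Route] = [
    rt("C", "10.0.1.0/24", 0, 0, None, "GigabitEthernet0/0/0"),
    rt("L", "10.0.1.1/32", 0, 0, None, "GigabitEthernet0/0/0"),
    rt("C", "10.0.3.0/24", 0, 0, None, "Serial0/1/1"),
    rt("L", "10.0.3.1/32", 0, 0, None, "Serial0/1/1"),
    rt("O", "10.0.4.0/24", 110, 50, "10.0.3.2", "Serial0/1/1"),
    rt("O", "10.0.5.0/24", 110, 50, "10.0.3.2", "Serial0/1/1"),
    rt("O", "10.0.5.0/24", 110, 50, "10.0.2.2", "Serial0/1/0"),   # assumed equal-cost path
    rt("S*", "0.0.0.0/0", 1, 0, "10.0.3.2", "Serial0/1/1"),
    rt("C", "2001:db8:acad:1::/64", 0, 0, None, "GigabitEthernet0/0/0"),
    rt("L", "2001:db8:acad:1::1/128", 0, 0, None, "GigabitEthernet0/0/0"),
    rt("O", "2001:db8:acad:4::/64", 110, 50, "fe80::2:c", "Serial0/1/1"),
]


def lookup(table: List[Route], dst: str) -> List[Route]:
    """Longest prefix match: return every entry whose prefix contains dst at the greatest
    prefix length. A /32 or /128 local route therefore beats its /24 or /64 connected
    route, and 0.0.0.0/0 or ::/0 matches only when nothing longer does."""
    addr = ip_address(dst)
    hits = [r for r in table if r.prefix.version == addr.version and addr in r.prefix]
    if not hits:
        return []
    longest = max(r.prefix.prefixlen for r in hits)
    return [r for r in hits if r.prefix.prefixlen == longest]


def forward(table: List[Route], src: str, dst: str) -> str:
    """Model the forwarding decision for one packet and describe the outcome."""
    matches = lookup(table, dst)
    if not matches:
        # No entry at all, not even a default route: drop and notify the source.
        return "drop (no route; ICMP destination unreachable to source)"
    # Equal cost load balancing: one destination network with several exit interfaces.
    # Choose per flow with a stable hash so that one flow stays on one path
    # (Python's hash() is salted per process, so CRC32 is used instead).
    flow = zlib.crc32(f"{src}->{dst}".encode())
    route = matches[flow % len(matches)]
    if route.code == "L":
        return f"receive on {route.interface} (packet is for the router itself)"
    if route.next_hop is None:
        return f"forward via {route.interface} directly connected (resolve {dst} with ARP/ND)"
    return f"forward via {route.interface} next-hop {route.next_hop}"
```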

Static Routes

Types of Static Routes


Static routes are commonly implemented on a network. This is true even when there is a dynamic routing
protocol configured. Static routes can be configured for IPv4 and IPv6. Both protocols support the following
types of static routes:
• Standard static route
• Default static route
• Floating static route
• Summary static route

Static routes are configured using the ip route and ipv6 route global configuration commands.
Next-Hop Options
When configuring a static route, the next hop can be identified by an IP address, exit interface, or both. How
the destination is specified creates one of the three following types of static route:
• Next-hop route - Only the next-hop IP address is specified
• Directly connected static route - Only the router exit interface is specified
• Fully specified static route - The next-hop IP address and exit interface are specified

IPv4 Static Route Command


Router(config)# ip route network-address subnet-mask { ip-address | exit-intf [ip-address]} [distance]
Note: Either the ip-address, exit-intf, or the ip-address and exit-intf parameters must be configured.

IPv6 Static Route Command


Router(config)# ipv6 route ipv6-prefix/prefix-length {ipv6-address | exit-intf [ipv6-address]} [distance]
Most of the parameters are identical to the IPv4 version of the command.

Dual-Stack Topology
The figure shows a dual-stack network topology. Currently, no static routes are configured for either IPv4 or
IPv6.
IPv4 Starting Routing Tables
• Each router has entries only for directly connected networks and associated local addresses.
• R1 can ping R2, but cannot ping the R3 LAN
R1# show ip route | begin Gateway
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.2.0/24 is directly connected, Serial0/1/0
L 172.16.2.1/32 is directly connected, Serial0/1/0
C 172.16.3.0/24 is directly connected, GigabitEthernet0/0/0
L 172.16.3.1/32 is directly connected, GigabitEthernet0/0/0
R1#
R1# ping 172.16.2.2
Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)
R1# ping 192.168.2.1
Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

IPv6 Starting Routing Tables


• Each router has entries only for directly connected networks and associated local addresses.
• R1 can ping R2, but cannot ping the R3 LAN.
R1# show ipv6 route | begin C
C 2001:DB8:ACAD:2::/64 [0/0]
via Serial0/1/0, directly connected
L 2001:DB8:ACAD:2::1/128 [0/0]
via Serial0/1/0, receive
C 2001:DB8:ACAD:3::/64 [0/0]
via GigabitEthernet0/0/0, directly connected
L 2001:DB8:ACAD:3::1/128 [0/0]
via GigabitEthernet0/0/0, receive
L FF00::/8 [0/0]
via Null0, receive
R1#
R1# ping 2001:db8:acad:2::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:ACAD:2::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms)
R1# ping 2001:DB8:cafe:2::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:CAFE:2::1, timeout is 2 seconds:
% No valid route for destination
Success rate is 0 percent (0/1)
Configure IP Static Routes

IPv4 Next-Hop Static Route


In a next-hop static route, only the next-hop IP address is specified. The exit interface is derived from the
next hop. For example, three next-hop IPv4 static routes are configured on R1 using the IP address of the
next hop, R2.
R1(config)# ip route 172.16.1.0 255.255.255.0 172.16.2.2
R1(config)# ip route 192.168.1.0 255.255.255.0 172.16.2.2
R1(config)# ip route 192.168.2.0 255.255.255.0 172.16.2.2

The resulting routing table entries on R1:

IPv6 Next-Hop Static Route


The commands to configure R1 with the IPv6 static routes to the three remote networks are as follows:
R1(config)# ipv6 unicast-routing
R1(config)# ipv6 route 2001:db8:acad:1::/64 2001:db8:acad:2::2
R1(config)# ipv6 route 2001:db8:cafe:1::/64 2001:db8:acad:2::2
R1(config)# ipv6 route 2001:db8:cafe:2::/64 2001:db8:acad:2::2

The routing table for R1 now has routes to the three remote IPv6 networks.
IPv4 Directly Connected Static Route

When configuring a static route, another option is to use the exit interface to specify the next-hop
address. Three directly connected IPv4 static routes are configured on R1 using the exit interface.
Note: Using a next-hop address is generally recommended. Directly connected static routes should only be used with
point-to-point serial interfaces.

R1(config)# ip route 172.16.1.0 255.255.255.0 s0/1/0


R1(config)# ip route 192.168.1.0 255.255.255.0 s0/1/0
R1(config)# ip route 192.168.2.0 255.255.255.0 s0/1/0

IPv6 Directly Connected Static Route

In the example, three directly connected IPv6 static routes are configured on R1 using the exit interface.
Note: Using a next-hop address is generally recommended. Directly connected static routes should only be used with
point-to-point serial interfaces.

R1(config)# ipv6 route 2001:db8:acad:1::/64 s0/1/0


R1(config)# ipv6 route 2001:db8:cafe:1::/64 s0/1/0
R1(config)# ipv6 route 2001:db8:cafe:2::/64 s0/1/0

IPv4 Fully Specified Static Route


• In a fully specified static route, both the exit interface and the next-hop IP address are specified. This form of
static route is used when the exit interface is a multi-access interface and it is necessary to explicitly identify
the next hop. The next hop must be directly connected to the specified exit interface. Using an exit interface is
optional, however it is necessary to use a next-hop address.
• It is recommended that when the exit interface is an Ethernet network, that the static route includes a next-hop
address. You can also use a fully specified static route that includes both the exit interface and the next-hop
address.
IPv6 Fully Specified Static Route

In a fully specified static route, both the exit interface and the next-hop IPv6 address are specified.
There is a situation in IPv6 when a fully specified static route must be used. If the IPv6 static route uses an
IPv6 link-local address as the next-hop address, use a fully specified static route. The figure shows an
example of a fully specified IPv6 static route using an IPv6 link-local address as the next-hop address.

The reason a fully specified static route must be used is because IPv6 link-local addresses are not contained
in the IPv6 routing table. Link-local addresses are only unique on a given link or network. The next-hop
link-local address may be a valid address on multiple networks connected to the router. Therefore, it is
necessary that the exit interface be included.
The following example shows the IPv6 routing table entry for this route. Notice that both the next-hop link-local
address and the exit interface are included.
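As an added example (not from the study guide), a small validator for the ip route / ipv6 route syntax given above that classifies a command as next-hop, directly connected or fully specified and enforces the link-local rule from the preceding paragraphs. The interface-name pattern is an assumption; the sample commands are the ones on this page plus one constructed fully specified IPv6 route.

```python
import re
from ipaddress import ip_address, ip_network, IPv6Address
from typing import NamedTuple, Optional


class StaticRoute(NamedTuple):
    afi: str                   # "ip" or "ipv6"
    prefix: object             # IPv4Network or IPv6Network
    next_hop: Optional[object]
    exit_intf: Optional[str]
    distance: int              # administrative distance, 1 unless given

    @property
    def kind(self) -> str:
        """The three forms of static route named in the text."""
        if self.next_hop is not None and self.exit_intf is not None:
            return "fully specified"
        if self.exit_intf is not None:
            return "directly connected"
        return "next-hop"


# Interface names such as s0/1/0, GigabitEthernet0/0/1, Null0 (assumed pattern).
_INTF = re.compile(r"^[A-Za-z][A-Za-z-]*\d+(?:/\d+)*$")


def parse_static_route(line: str) -> StaticRoute:
    """Parse one 'ip route' / 'ipv6 route' command with the syntax given in the text
    and validate it; raises ValueError with the reason for anything malformed."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("ip", "ipv6") or tokens[1] != "route":
        raise ValueError(f"not a static route command: {line!r}")
    afi = tokens[0]
    if afi == "ip":
        if len(tokens) < 5:
            raise ValueError("ip route needs network-address subnet-mask")
        # strict=True (the default) rejects host bits set under the mask, as IOS does
        prefix = ip_network(f"{tokens[2]}/{tokens[3]}")
        rest = tokens[4:]
    else:
        prefix = ip_network(tokens[2])          # ipv6-prefix/prefix-length
        rest = tokens[3:]
    distance = 1
    if rest and rest[-1].isdigit():             # optional trailing [distance]
        distance = int(rest.pop())
        if not 1 <= distance <= 255:
            raise ValueError(f"distance {distance} out of range 1-255")
    exit_intf = next_hop = None
    if rest and _INTF.match(rest[0]):           # exit-intf [address]
        exit_intf = rest.pop(0)
    if rest:
        next_hop = ip_address(rest.pop(0))
    if rest:
        raise ValueError(f"unexpected tokens: {rest}")
    if next_hop is None and exit_intf is None:
        raise ValueError("next-hop address and/or exit interface required")
    if next_hop is not None and next_hop.version != prefix.version:
        raise ValueError("next hop and prefix address families differ")
    # Link-local next hops are not in the routing table and are only unique per link,
    # so the fully specified form is required for them.
    if isinstance(next_hop, IPv6Address) and next_hop.is_link_local and exit_intf is None:
        raise ValueError("link-local next hop requires an exit interface (fully specified route)")
    return StaticRoute(afi, prefix, next_hop, exit_intf, distance)


def classify(line: str) -> str:
    """The route kind for a command line, or 'invalid: <reason>'."""
    try:
        return parse_static_route(line).kind
    except ValueError as err:
        return f"invalid: {err}"
```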

Verify a Static Route


Along with show ip route, show ipv6 route, ping and traceroute, other useful commands to verify static
routes include the following:
• show ip route static
• show ip route network
• show running-config | section ip route
Replace ip with ipv6 for the IPv6 versions of the command.
Configure IP Default Static Routes

Default Static Route


• A default route is a static route that matches all packets. A single default route represents any network that is
not in the routing table.
• Routers commonly use default routes that are either configured locally or learned from another router. The
default route is used as the Gateway of Last Resort.
• Default static routes are commonly used when connecting an edge router to a service provider network, or a
stub router (a router with only one upstream neighbor router).
• The figure shows a typical default static route scenario.
IPv4 Default Static Route: The command syntax for an IPv4 default static route is similar to any other
IPv4 static route.
Router(config)# ip route 0.0.0.0 0.0.0.0 {ip-address | exit-intf}
Note: An IPv4 default static route is commonly referred to as a quad-zero route.

IPv6 Default Static Route: The command syntax for an IPv6 default static route is similar to any other
IPv6 static route, except that the ipv6-prefix/prefix-length is ::/0, which matches all routes.
Router(config)# ipv6 route ::/0 {ipv6-address | exit-intf}

Configure a Default Static Route


The example shows an IPv4 default static route configured on R1. With the configuration shown in the
example, any packets not matching more specific route entries are forwarded to R2 at 172.16.2.2.
R1(config)# ip route 0.0.0.0 0.0.0.0 172.16.2.2

An IPv6 default static route is configured in similar fashion. With this configuration any packets not
matching more specific IPv6 route entries are forwarded to R2 at 2001:db8:acad:2::2
R1(config)# ipv6 route ::/0 2001:db8:acad:2::2
Verify a Default Static Route

The show ip route static command output from R1 displays the contents of the static routes in the routing
table. Note the asterisk (*) next to the route with code 'S'. The asterisk indicates that this static route is a
candidate default route, which is why it is selected as the Gateway of Last Resort.
Notice that the static default route configuration uses the /0 mask for IPv4 default routes. Remember that the
IPv4 subnet mask in a routing table determines how many bits must match between the destination IP address
of the packet and the route in the routing table. A /0 mask indicates that none of the bits are required to
match. As long as a more specific match does not exist, the default static route matches all packets.

This example shows the show ipv6 route static command output to display the contents of the routing table.
Notice that the static default route configuration uses the ::/0 prefix for IPv6 default routes. Remember that
the IPv6 prefix-length in a routing table determines how many bits must match between the destination IP
address of the packet and the route in the routing table. A ::/0 prefix indicates that none of the bits are
required to match. As long as a more specific match does not exist, the default static route matches all packets.

Configure Floating Static Routes

Floating Static Routes


• Floating static routes are static routes that are used to provide a backup path to a primary static or
dynamic route. The floating static route is only used when the primary route is not available.
• To accomplish this, the floating static route is configured with a higher administrative distance than
the primary route. The administrative distance represents the trustworthiness of a route. If multiple
paths to the destination exist, the router will choose the path with the lowest administrative distance.
• By default, static routes have an administrative distance of 1, making them preferable to routes
learned from dynamic routing protocols.
• The administrative distance of a static route can be increased to make the route less desirable than
that of another static route or a route learned through a dynamic routing protocol. In this way, the
static route “floats” and is not used when the route with the better administrative distance is active.
Configure IPv4 and IPv6 Floating Static Routes
The commands to configure default and floating IP default routes are as follows:
R1(config)# ip route 0.0.0.0 0.0.0.0 172.16.2.2
R1(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.2 5
R1(config)# ipv6 route ::/0 2001:db8:acad:2::2
R1(config)# ipv6 route ::/0 2001:db8:feed:10::2 5

The show ip route and show ipv6 route output verifies that the default routes to R2 are installed in the
routing table. Note that the IPv4 floating static route to R3 is not present in the routing table.

Test the Floating Static Routes

• What would happen if R2 failed? To simulate this, R2 shuts down both of its serial interfaces.
• R1 automatically generates syslog messages for the link going down.
• A look at R1's routing table would show the secondary route being used.
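An added example, not from the study guide, that models how the administrative distance table earlier in this chapter and the floating static configuration above decide which default route is installed, and how the floating route takes over when the primary link goes down. The candidate set is constructed from the addresses in the floating static example; the interface to R3 (GigabitEthernet0/0/1) and the OSPF candidate for 172.16.1.0/24 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List, Optional, Set

# Default administrative distances, as listed in the study guide's AD table.
DEFAULT_AD = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20, "eigrp": 90,
    "ospf": 110, "isis": 115, "rip": 120, "eigrp-external": 170, "ibgp": 200,
}
CODE = {"connected": "C", "static": "S", "ospf": "O", "eigrp": "D", "rip": "R"}


@dataclass(frozen=True)
class Candidate:
    """A route offered to the routing table by one route source."""
    source: str
    prefix: str
    next_hop: Optional[str]
    interface: str
    metric: int = 0
    distance: Optional[int] = None   # explicit [distance] argument, e.g. the 5 of a floating static

    @property
    def ad(self) -> int:
        return DEFAULT_AD[self.source] if self.distance is None else self.distance


def install(candidates: Iterable[Candidate], up_interfaces: Set[str]) -> Dict:
    """Build the routing table: one entry per prefix, the candidate with the lowest AD
    (then the lowest metric). Candidates whose exit interface is down are withdrawn
    first, which is what lets a floating static route take over when the primary fails."""
    table: Dict = {}
    for c in candidates:
        if c.interface not in up_interfaces:
            continue
        key = ip_network(c.prefix)
        best = table.get(key)
        if best is None or (c.ad, c.metric) < (best.ad, best.metric):
            table[key] = c
    return table


def show_route(table: Dict) -> List[str]:
    """Render the installed entries in the [AD/metric] style of show ip route."""
    lines = []
    for prefix, c in sorted(table.items(), key=lambda kv: str(kv[0])):
        code = CODE.get(c.source, "?") + ("*" if prefix.prefixlen == 0 else " ")
        via = f"via {c.next_hop}" if c.next_hop else "is directly connected"
        lines.append(f"{code} {prefix} [{c.ad}/{c.metric}] {via}, {c.interface}")
    return lines


# Constructed candidates for R1. Addresses are those of the floating static route example
# (R2 at 172.16.2.2 / 2001:db8:acad:2::2, R3 at 10.10.10.2 / 2001:db8:feed:10::2);
# the interface to R3 (GigabitEthernet0/0/1) and the OSPF candidate are assumptions.
R1_CANDIDATES = [
    Candidate("connected", "172.16.3.0/24", None, "GigabitEthernet0/0/0"),
    Candidate("connected", "172.16.2.0/24", None, "Serial0/1/0"),
    Candidate("connected", "10.10.10.0/24", None, "GigabitEthernet0/0/1"),
    # Primary default routes (AD 1) and floating default routes (AD 5)
    Candidate("static", "0.0.0.0/0", "172.16.2.2", "Serial0/1/0"),
    Candidate("static", "0.0.0.0/0", "10.10.10.2", "GigabitEthernet0/0/1", distance=5),
    Candidate("static", "::/0", "2001:db8:acad:2::2", "Serial0/1/0"),
    Candidate("static", "::/0", "2001:db8:feed:10::2", "GigabitEthernet0/0/1", distance=5),
    # The same prefix learned by OSPF (AD 110) and configured statically (AD 1)
    Candidate("ospf", "172.16.1.0/24", "172.16.2.2", "Serial0/1/0", metric=65),
    Candidate("static", "172.16.1.0/24", "172.16.2.2", "Serial0/1/0"),
]

ALL_UP = {"GigabitEthernet0/0/0", "GigabitEthernet0/0/1", "Serial0/1/0"}


def installed(up_interfaces: Set[str], prefix: str) -> Optional[Candidate]:
    """The entry currently installed on R1 for prefix, or None if there is none."""
    return install(R1_CANDIDATES, up_interfaces).get(ip_network(prefix))


if __name__ == "__main__":
    print("\n".join(show_route(install(R1_CANDIDATES, ALL_UP))))
    print("--- after Serial0/1/0 goes down ---")
    print("\n".join(show_route(install(R1_CANDIDATES, ALL_UP - {"Serial0/1/0"}))))
```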
Configure Static Host Routes

Host Routes
A host route is an IPv4 address with a 32-bit mask, or an IPv6 address with a 128-bit mask. The following
shows the three ways a host route can be added to the routing table:
• Automatically installed when an IP address is configured on the router
• Configured as a static host route
• Host route automatically obtained through other methods

Automatically Installed Host Routes


• Cisco IOS automatically installs a host route, also known as a local host route, when an interface address is
configured on the router. A host route allows for a more efficient process for packets that are directed to the
router itself, rather than for packet forwarding.
• This is in addition to the connected route, designated with a C in the routing table for the network address of
the interface.
• The local routes are marked with L in the output of the routing table.

Static Host Routes

A host route can be a manually configured static route to direct traffic to a specific destination device, such as
the server shown in the figure. The static route uses a destination IP address and a 255.255.255.255 (/32) mask
for IPv4 host routes, and a /128 prefix length for IPv6 host routes.

Configure Static Host Routes


The example shows the IPv4 and IPv6 static host route configuration on the Branch router to access the
server.
Branch(config)# ip route 209.165.200.238 255.255.255.255 198.51.100.2
Branch(config)# ipv6 route 2001:db8:acad:2::238/128 2001:db8:acad:1::2
Branch(config)# exit
Branch#
Verify Static Host Routes
A review of both the IPv4 and IPv6 route tables verifies that the routes are active.

Configure IPv6 Static Host Route with Link-Local Next-Hop

For IPv6 static routes, the next-hop address can be the link-local address of the adjacent router. However,
you must specify an interface type and an interface number when using a link-local address as the next hop, as
shown in the example. First, the original IPv6 static host route is removed, then a fully specified route is
configured with the IPv6 address of the server and the IPv6 link-local address of the ISP router.

Troubleshoot Static and Default Routes

Packet Processing with Static Routes

Static Routes and Packet Forwarding


• PC1 addresses a packet to PC3 and sends it to the default gateway address.
• When the packet arrives on the R1 G0/0/0 interface, R1 decapsulates the packet and searches the routing
table for a matching destination network entry.
If the destination IP address:
• Matches a static route entry, R1 will use the static route to identify the next-hop IP address or exit interface.
• Does not match a specific route to the destination network, then R1 will use the default static route (if
configured).
• Does not match a route table entry, then R1 will drop the packet and send an ICMP message back to the
source (i.e., PC1).

Assuming R1 matched a routing table entry, it encapsulates the packet in a new frame and forwards it out of
interface S0/1/0 to R2.
• R2 receives the packet on its S0/1/0 interface.
• It decapsulates and processes the packet the same way R1 did.
• When R2 finds a match in the routing table, it uses the identified next-hop IP address or exit interface and
sends the packet out of its interface S0/1/1 towards R3.
• R3 receives the packet, decapsulates it, and searches the routing table for a match.
• The destination IP address of PC3 matches the directly connected G0/0/0 interface. Therefore, R3 searches
the ARP table for the Layer 2 MAC address of PC3.
• If no ARP entry exists, then R3 sends an ARP request out of the G0/0/0 interface.
• PC3 responds with an ARP reply containing its MAC address.
• R3 encapsulates the packet in a new frame and uses the PC3 MAC address as the destination MAC address
and the G0/0/0 MAC address as the source MAC address.
• The frame is forwarded out of interface G0/0/0 and PC3 receives and processes it accordingly.

Network Changes
Networks fail for a number of reasons:
• An interface can fail
• A service provider drops a connection
• Links can become oversaturated
• An administrator may enter a wrong configuration.
Network administrators are responsible for pinpointing and solving the problem.
To efficiently find and solve these issues, it is advantageous to be intimately familiar with tools to help
isolate routing problems quickly.
Common Troubleshooting Commands
Command: ping
• Verify Layer 3 connectivity to destination.
• Extended pings provide additional options.

Command: traceroute
• Verify path to destination network.
• It uses ICMP echo reply messages to determine the hops to the destination.

Command: show ip route
• Displays the routing table.
• Used to verify route entries for destination IP addresses.

Command: show ip interface brief
• Displays the status of device interfaces.
• Used to verify the operational status and IP address of an interface.

Command: show cdp neighbors
• Displays a list of directly connected Cisco devices.
• Also used to validate Layer 1 and 2 connectivity.

Solve a Connectivity Problem

Connectivity from PC1 to PC3 fails.
• Extended pings from the R1 G0/0/0 interface to PC3 fail.
• Pings from R1 (i.e., S0/1/0 interface) to R2 are successful.
• Pings from R1 (i.e., S0/1/0 interface) to R3 are successful.
• R2 routing table reveals the problem and the incorrect static route is removed.
• A new static route solves the problem.

ip route 172.16.3.0 255.255.255.0 172.16.2.1


R2# show ip route | begin Gateway
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
C 172.16.1.0/24 is directly connected,
GigabitEthernet0/0/0
L 172.16.1.1/32 is directly connected, GigabitEthernet0/0/0
C 172.16.2.0/24 is directly connected, Serial0/l/0
L 172.16.2.2/32 is directly connected, Serial0/l/0
S 172.16.3.0/24 [1/0] via 192.168.1.1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Serial0/1/1
L 192.168.1.2/32 is directly connected, Serial0/1/1
S 192.168.2.0/24 [1/0] via 192.168.1.1
R2#
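The routing-table check in the scenario above, as an added Python example (not from the study guide and not Cisco IOS code): it parses the show ip route lines reproduced above, performs the longest-prefix-match lookup a router does for a PC3 address, resolves the exit interface through the next hop, and then installs the corrected static route to show how the lookup changes. The PC3 address 172.16.3.10 is an assumption; the sample routing table is constructed from the output above, and the route-line pattern only covers the IOS formats shown there.

```python
import ipaddress
import re

# Constructed sample: R2's routing table before the fix, copied from the output above
# (the "variably subnetted" summary lines are kept to show the parser skipping them).
SHOW_IP_ROUTE_BEFORE = """\
Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
C 172.16.1.0/24 is directly connected, GigabitEthernet0/0/0
L 172.16.1.1/32 is directly connected, GigabitEthernet0/0/0
C 172.16.2.0/24 is directly connected, Serial0/1/0
L 172.16.2.2/32 is directly connected, Serial0/1/0
S 172.16.3.0/24 [1/0] via 192.168.1.1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Serial0/1/1
L 192.168.1.2/32 is directly connected, Serial0/1/1
S 192.168.2.0/24 [1/0] via 192.168.1.1
"""

# One route line: code, prefix, then either "[AD/metric] via next-hop" or "is directly connected, iface".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)"
    r"|is directly connected,\s+(?P<iface>\S+))"
)


def parse_routes(text):
    """Turn 'show ip route' lines into route records; non-route lines are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({"code": m["code"], "prefix": ipaddress.ip_network(m["prefix"]),
                           "next_hop": m["nh"], "interface": m["iface"]})
    return routes


def lookup(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    best = None
    for r in routes:
        if addr in r["prefix"] and (best is None or r["prefix"].prefixlen > best["prefix"].prefixlen):
            best = r
    return best


def exit_interface(routes, dest):
    """Resolve the exit interface, recursing once through the next hop for static routes."""
    r = lookup(routes, dest)
    if r is None:
        return None
    if r["interface"]:
        return r["interface"]
    via = lookup(routes, r["next_hop"])
    return via["interface"] if via else None


def replace_static(routes, network, mask, next_hop):
    """Model 'no ip route ...' for the old static route followed by 'ip route network mask next-hop'."""
    prefix = ipaddress.ip_network(f"{network}/{mask}")
    kept = [r for r in routes if not (r["code"] == "S" and r["prefix"] == prefix)]
    return kept + [{"code": "S", "prefix": prefix, "next_hop": next_hop, "interface": None}]


if __name__ == "__main__":
    pc3 = "172.16.3.10"  # assumed address of PC3 on the 172.16.3.0/24 LAN
    before = parse_routes(SHOW_IP_ROUTE_BEFORE)
    print("before:", lookup(before, pc3)["next_hop"], exit_interface(before, pc3))
    after = replace_static(before, "172.16.3.0", "255.255.255.0", "172.16.2.1")
    print("after: ", lookup(after, pc3)["next_hop"], exit_interface(after, pc3))
```

Before the fix the lookup for PC3 resolves to next hop 192.168.1.1 and exits Serial0/1/1 toward R3; after the replacement static route it resolves to 172.16.2.1 and exits Serial0/1/0 toward R1, which is what the successful pings from R1 to R2 predicted.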
OSPFv2

Introduction to OSPF

• OSPF is a link-state routing protocol that was developed as an alternative for the distance vector
Routing Information Protocol (RIP). OSPF has significant advantages over RIP in that it offers faster
convergence and scales to much larger network implementations.
• OSPF is a link-state routing protocol that uses the concept of areas. A network administrator can
divide the routing domain into distinct areas that help control routing update traffic.

A link is an interface on a router, a network segment that connects two routers, or a stub network such as an
Ethernet LAN that is connected to a single router.
Information about the state of a link is known as a link-state. All link-state information includes the network
prefix, prefix length, and cost.
• This module covers basic, single-area OSPF implementations and configurations.

Components of OSPF
• All routing protocols share similar components. They all use routing protocol messages to exchange
route information. The messages help build data structures, which are then processed using a routing
algorithm.
• Routers running OSPF exchange messages to convey routing information using five types of
packets:
▪ Hello packet
▪ Database description packet
▪ Link-state request packet
▪ Link-state update packet
▪ Link-state acknowledgment packet

• These packets are used to discover neighboring routers and also to exchange routing information to
maintain accurate information about the network.
OSPF messages are used to create and maintain three OSPF databases, as follows:
Adjacency Database (Neighbor Table)
• List of all neighbor routers to which a router has established bi-directional communication.
• This table is unique for each router.
• Can be viewed using the show ip ospf neighbor command.
Link-state Database (LSDB) (Topology Table)
• Lists information about all other routers in the network.
• The database represents the network LSDB.
• All routers within an area have identical LSDB.
• Can be viewed using the show ip ospf database command.
Forwarding Database (Routing Table)
• List of routes generated when an algorithm is run on the link-state database.
• Each router's routing table is unique and contains information on how and where to send packets to other routers.
• Can be viewed using the show ip route command.

• The router builds the topology table using results of calculations based on the Dijkstra shortest-path
first (SPF) algorithm. The SPF algorithm is based on the cumulative cost to reach a destination.
• The SPF algorithm creates an SPF tree by placing each router at the root of the tree and calculating
the shortest path to each node. The SPF tree is then used to calculate the best routes. OSPF places the
best routes into the forwarding database, which is used to make the routing table.

Link-State Operation
To maintain routing information, OSPF routers complete a generic link-state routing process to reach a state
of convergence. The following are the link-state routing steps that are completed by a router:
1. Establish Neighbor Adjacencies
2. Exchange Link-State Advertisements
3. Build the Link State Database
4. Execute the SPF Algorithm
5. Choose the Best Route
Single-Area and Multiarea OSPF

To make OSPF more efficient and scalable, OSPF supports hierarchical routing using areas. An OSPF area
is a group of routers that share the same link-state information in their LSDBs. OSPF can be implemented in
one of two ways, as follows:
• Single-Area OSPF - All routers are in one area. Best practice is to use area 0.
• Multiarea OSPF - OSPF is implemented using multiple areas, in a hierarchical fashion. All areas must
connect to the backbone area (area 0). Routers interconnecting the areas are referred to as Area Border
Routers (ABRs).

The focus of this module is on single-area OSPFv2.

Multiarea OSPF

The hierarchical-topology design options with multiarea OSPF can offer the following advantages.
• Smaller routing tables - Tables are smaller because there are fewer routing table entries. This is
because network addresses can be summarized between areas. Route summarization is not enabled by
default.
• Reduced link-state update overhead - Designing multiarea OSPF with smaller areas minimizes
processing and memory requirements.
• Reduced frequency of SPF calculations - Multiarea OSPF localizes the impact of a topology change
within an area. For instance, it minimizes routing update impact because LSA flooding stops at the area
boundary.
OSPFv3
• OSPFv3 is the OSPFv2 equivalent for exchanging IPv6 prefixes. OSPFv3 exchanges routing
information to populate the IPv6 routing table with remote prefixes.
Note: With the OSPFv3 Address Families feature, OSPFv3 includes support for both IPv4 and IPv6.
OSPF Address Families is beyond the scope of this curriculum.

• OSPFv3 has the same functionality as OSPFv2, but uses IPv6 as the network layer transport,
communicating with OSPFv3 peers and advertising IPv6 routes. OSPFv3 also uses the SPF
algorithm as the computation engine to determine the best paths throughout the routing domain.
• OSPFv3 has separate processes from its IPv4 counterpart. The processes and operations are basically
the same as in the IPv4 routing protocol, but run independently.

OSPF Packets

Types of OSPF Packets


The table summarizes the five different types of Link State Packets (LSPs) used by OSPFv2. OSPFv3 has
similar packet types.
Type 1 - Hello: Discovers neighbors and builds adjacencies between them.
Type 2 - Database Description (DBD): Checks for database synchronization between routers.
Type 3 - Link-State Request (LSR): Requests specific link-state records from router to router.
Type 4 - Link-State Update (LSU): Sends specifically requested link-state records.
Type 5 - Link-State Acknowledgment (LSAck): Acknowledges the other packet types.

Link-State Updates
• LSUs are also used to forward OSPF routing updates. An LSU packet can contain 11 different types of OSPFv2
LSAs. OSPFv3 renamed several of these LSAs and also contains two additional LSAs.
• LSU and LSA are often used interchangeably, but the correct hierarchy is LSU packets contain LSA messages.
Hello Packet
The OSPF Type 1 packet is the Hello packet.
Hello packets are used to do the following:
• Discover OSPF neighbors and establish neighbor adjacencies.
• Advertise parameters on which two routers must agree to become neighbors.
• Elect the Designated Router (DR) and Backup Designated Router (BDR) on multiaccess networks like Ethernet.
Point-to-point links do not require DR or BDR.

OSPF Operational States
Down State
• No Hello packets received = Down.
• Router sends Hello packets.
• Transition to Init state.
Init State
• Hello packets are received from the neighbor.
• They contain the Router ID of the sending router.
• Transition to Two-Way state.
Two-Way State
• In this state, communication between the two routers is bidirectional.
• On multiaccess links, the routers elect a DR and a BDR.
• Transition to ExStart state.
ExStart State
• On point-to-point networks, the two routers decide which router will initiate the DBD packet exchange and
decide upon the initial DBD packet sequence number.
Exchange State
• Routers exchange DBD packets.
• If additional router information is required then transition to Loading; otherwise, transition to the Full state.
Loading State
• LSRs and LSUs are used to gain additional route information.
• Routes are processed using the SPF algorithm.
• Transition to the Full state.
Full State
• The link-state database of the router is fully synchronized.


Establish Neighbor Adjacencies
• To determine if there is an OSPF neighbor on the link, the router sends a Hello packet that contains its router
ID out all OSPF-enabled interfaces. The Hello packet is sent to the reserved All OSPF Routers IPv4 multicast
address 224.0.0.5. Only OSPFv2 routers will process these packets.
• The OSPF router ID is used by the OSPF process to uniquely identify each router in the OSPF area. A router
ID is a 32-bit number formatted like an IPv4 address and assigned to uniquely identify a router among OSPF
peers.
• When a neighboring OSPF-enabled router receives a Hello packet with a router ID that is not within its
neighbor list, the receiving router attempts to establish an adjacency with the initiating router.

The process routers use to establish adjacency on a multiaccess network:
1. Down to Init State - When OSPFv2 is enabled on the interface, R1 transitions from Down to Init and starts
sending OSPFv2 Hellos out of the interface in an attempt to discover neighbors.
2. Init State - When R2 receives a Hello from the previously unknown router R1, it adds R1's router ID to the
neighbor list and responds with a Hello packet containing its own router ID.
3. Two-Way State - R1 receives R2's Hello and notices that the message contains the R1 router ID in the list of
R2's neighbors. R1 adds R2's router ID to the neighbor list and transitions to the Two-Way State.
If R1 and R2 are connected with a point-to-point link, they transition to ExStart.
If R1 and R2 are connected over a common Ethernet network, the DR/BDR election occurs.
4. Elect the DR & BDR - The DR and BDR election occurs, where the router with the highest router ID or highest
priority is elected as the DR, and the second highest is the BDR.
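The Down, Init and Two-Way transitions described above, as an added Python model (not from the study guide and not IOS code): each OspfInterface keeps a neighbor table, builds a simplified Hello that lists the neighbors it has already heard from, and moves a neighbor to INIT on the first Hello it sees from it, or to TWO-WAY when the incoming Hello lists its own router ID. The Hello fields, the parameter check (area, hello and dead intervals) and the DOWN/INIT/TWO-WAY labels are assumptions chosen to mirror the table; the DR/BDR election and the later database exchange are not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Hello:
    """Constructed, simplified Hello: only the fields needed for neighbor discovery."""
    router_id: str
    area: int
    hello_interval: int
    dead_interval: int
    neighbors: list  # router IDs the sender has already heard from


@dataclass
class OspfInterface:
    """One OSPF-enabled interface with its per-neighbor state (absent neighbor = DOWN)."""
    router_id: str
    area: int = 0
    hello_interval: int = 10   # IOS defaults shown in the show ip ospf interface output
    dead_interval: int = 40
    neighbor_state: dict = field(default_factory=dict)

    def build_hello(self):
        # The Hello advertises every neighbor this router has already seen a Hello from
        return Hello(self.router_id, self.area, self.hello_interval,
                     self.dead_interval, list(self.neighbor_state))

    def state_of(self, rid):
        return self.neighbor_state.get(rid, "DOWN")

    def receive_hello(self, hello):
        # Parameters both routers must agree on; a mismatched Hello is discarded
        mine = (self.area, self.hello_interval, self.dead_interval)
        theirs = (hello.area, hello.hello_interval, hello.dead_interval)
        if mine != theirs:
            return self.state_of(hello.router_id)
        if self.router_id in hello.neighbors:
            state = "TWO-WAY"   # the neighbor has seen our Hello: communication is bidirectional
        else:
            state = "INIT"      # first Hello from this neighbor; it has not listed us yet
        self.neighbor_state[hello.router_id] = state
        return state


def form_neighbors(a, b):
    """Run the three-Hello exchange from the table above; returns (a's view of b, b's view of a)."""
    b.receive_hello(a.build_hello())   # step 1: b learns of a -> INIT
    a.receive_hello(b.build_hello())   # step 2: b's Hello lists a -> a goes TWO-WAY
    b.receive_hello(a.build_hello())   # step 3: a's Hello now lists b -> b goes TWO-WAY
    return a.state_of(b.router_id), b.state_of(a.router_id)


if __name__ == "__main__":
    r1, r2 = OspfInterface("1.1.1.1"), OspfInterface("2.2.2.2")
    print(form_neighbors(r1, r2))
    r3 = OspfInterface("3.3.3.3", hello_interval=30, dead_interval=120)  # mismatched timers
    print(r1.receive_hello(r3.build_hello()))
```

The third router with different timers never leaves DOWN on R1, which is the symptom a practitioner sees as a neighbor that simply never appears in show ip ospf neighbor.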

Synchronizing OSPF Databases

After the Two-Way state, routers transition to database synchronization states. This is a three step process,
as follows:
• Decide first router: The router with the highest router ID sends its DBD first.
• Exchange DBDs: As many as needed to convey the database. The other router must acknowledge
each DBD with an LSAck packet.
• Send an LSR: Each router compares the DBD information with the local LSDB. If the DBD has
more current link information, the router transitions to the loading state.
After all LSRs have been exchanged and satisfied, the routers are considered synchronized and in a full
state. Updates (LSUs) are sent:
• When a change is perceived (incremental updates)
• Every 30 minutes
The Need for a DR
Multiaccess networks can create two challenges for OSPF regarding the flooding of LSAs, as follows:
• Creation of multiple adjacencies - Ethernet networks could potentially interconnect many OSPF routers over
a common link. Creating adjacencies with every router would lead to an excessive number of LSAs exchanged
between routers on the same network.
• Extensive flooding of LSAs - Link-state routers flood their LSAs any time OSPF is initialized, or when there
is a change in the topology. This flooding can become excessive.

LSA Flooding with a DR


• An increase in the number of routers on a multiaccess network also increases the number of LSAs
exchanged between the routers. This flooding of LSAs significantly impacts the operation of OSPF.
• If every router in a multiaccess network had to flood and acknowledge all received LSAs to all other
routers on that same multiaccess network, the network traffic would become quite chaotic.
• On multiaccess networks, OSPF elects a DR to be the collection and distribution point for LSAs sent
and received. A BDR is also elected in case the DR fails. All other routers become DROTHERs. A
DROTHER is a router that is neither the DR nor the BDR.
Note: The DR is only used for the dissemination of LSAs. The router will still use the best next-hop router indicated
in the routing table for the forwarding of all other packets.

OSPF Router ID

OSPF Reference Topology
The figure shows the topology used for configuring OSPFv2 in this module. The routers in the topology have a
starting configuration, including interface addresses. There is currently no static routing or dynamic routing
configured on any of the routers. All interfaces on R1, R2, and R3 (except the loopback 1 on R2) are within the
OSPF backbone area. The ISP router is used as the gateway to the internet of the routing domain.
Router Configuration Mode for OSPF

OSPFv2 is enabled using the router ospf process-id global configuration mode command. The process-id value
represents a number between 1 and 65,535 and is selected by the network administrator. The process-id value is
locally significant. It is considered best practice to use the same process-id on all OSPF routers.

R1(config)# router ospf 10


R1(config-router)# ?
area OSPF area parameters
auto-cost Calculate OSPF interface cost according to bandwidth
default-information Control distribution of default information
distance Define an administrative distance
exit Exit from routing protocol configuration mode
log-adjacency-changes Log changes in adjacency state
neighbor Specify a neighbor router
network Enable routing on an IP network
no Negate a command or set its defaults
passive-interface Suppress routing updates on an interface
redistribute Redistribute information from another routing protocol
router-id router-id for this OSPF process
R1(config-router)#

Router IDs
• An OSPF router ID is a 32-bit value, represented as an IPv4 address. It is used to uniquely identify
an OSPF router, and all OSPF packets include the router ID of the originating router.
• Every router requires a router ID to participate in an OSPF domain. It can be defined by an
administrator or automatically assigned by the router. The router ID is used by an OSPF-enabled
router to do the following:
▪ Participate in the synchronization of OSPF databases – During the Exchange State, the
router with the highest router ID will send their database descriptor (DBD) packets first.
▪ Participate in the election of the designated router (DR) - In a multiaccess LAN
environment, the router with the highest router ID is elected the DR. The routing device with
the second highest router ID is elected the backup designated router (BDR).

Router ID Order of Precedence


Cisco routers derive the router ID based on one of three
criteria, in the following preferential order:
1. The router ID is explicitly configured using the
OSPF router-id rid router configuration mode command.
This is the recommended method to assign a router ID.
2. The router chooses the highest IPv4 address of any of
configured loopback interfaces.
3. The router chooses the highest active IPv4 address of any
of its physical interfaces.
Configure a Loopback Interface as the Router ID

Instead of relying on a physical interface, the router ID can be assigned to a loopback interface. Typically, the
IPv4 address for this type of loopback interface should be configured using a 32-bit subnet mask
(255.255.255.255). This effectively creates a host route. A 32-bit host route would not get advertised as a
route to other OSPF routers.
OSPF does not need to be enabled on an interface for that interface to be chosen as the router ID.

Explicitly Configure a Router ID


In our reference topology the router ID for each router is assigned as follows:
• R1 uses router ID 1.1.1.1
• R2 uses router ID 2.2.2.2
• R3 uses router ID 3.3.3.3
Use the router-id rid router configuration mode command to manually assign a router ID. In the example,
the router ID 1.1.1.1 is assigned to R1. Use the show ip protocols command to verify the router ID.
R1(config)# router ospf 10
R1(config-router)# router-id 1.1.1.1
R1(config-router)# end
*May 23 19:33:42.689: %SYS-5-CONFIG_I: Configured from console by console
R1# show ip protocols | include Router ID
Router ID 1.1.1.1
R1#

Modify a Router ID
• After a router selects a router ID, an active OSPF router does not allow the router ID to be changed until the
router is reloaded or the OSPF process is reset.
• Clearing the OSPF process is the preferred method to reset the router ID.
R1# show ip protocols | include Router ID
Router ID 10.10.1.1
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# router ospf 10
R1(config-router)# router-id 1.1.1.1
% OSPF: Reload or use "clear ip ospf process" command, for this to take effect
R1(config-router)# end
R1# clear ip ospf process
Reset ALL OSPF processes? [no]: y
*Jun 6 01:09:46.975: %OSPF-5-ADJCHG: Process 10, Nbr 3.3.3.3 on GigabitEthernet0/0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
*Jun 6 01:09:46.981: %OSPF-5-ADJCHG: Process 10, Nbr 3.3.3.3 on GigabitEthernet0/0/1 from LOADING to FULL, Loading Done
R1# show ip protocols | include Router ID
Router ID 1.1.1.1
R1#
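The router ID order of precedence and the "clear ip ospf process" behaviour from the two sections above, as an added Python model (not from the study guide and not IOS code). select_router_id applies the three rules in order, comparing addresses numerically rather than as strings (a string comparison would rank 9.9.9.9 above 10.10.1.1). OspfProcess is a toy model of an active process that keeps its selected router ID until the process is cleared; the class, its method names and the interface lists are assumptions, and the addresses reuse those of R1 in the reference topology.

```python
import ipaddress


def _highest(addrs):
    """Highest IPv4 address by numeric value; None for an empty list."""
    return max(addrs, key=lambda a: int(ipaddress.IPv4Address(a))) if addrs else None


def select_router_id(configured=None, loopbacks=(), physical=()):
    """Precedence: 1) router-id command, 2) highest loopback IPv4,
    3) highest active physical IPv4. physical is a list of (address, is_up)."""
    if configured:
        return configured
    loopback_id = _highest(list(loopbacks))
    if loopback_id:
        return loopback_id
    return _highest([ip for ip, up in physical if up])


class OspfProcess:
    """Toy model (an assumption, not IOS): once active, the router ID only changes
    after clear_process(), which stands in for 'clear ip ospf process' or a reload."""

    def __init__(self, process_id, loopbacks=(), physical=()):
        self.process_id = process_id
        self.loopbacks = list(loopbacks)
        self.physical = list(physical)
        self.configured_rid = None
        self.active_rid = None

    def start(self):
        self.active_rid = select_router_id(self.configured_rid, self.loopbacks, self.physical)
        return self.active_rid

    def set_router_id(self, rid):
        """The 'router-id' command: stored now, applied only if the process is not yet active."""
        self.configured_rid = rid
        if self.active_rid is None or self.active_rid == rid:
            self.active_rid = rid
            return "applied"
        return '% OSPF: Reload or use "clear ip ospf process" command, for this to take effect'

    def clear_process(self):
        """Adjacencies drop and the router ID is re-selected, now honouring the configured value."""
        self.active_rid = None
        return self.start()


if __name__ == "__main__":
    # R1 as in the reference topology: Loopback0 10.10.1.1, two active Gigabit interfaces
    r1 = OspfProcess(10, loopbacks=["10.10.1.1"], physical=[("10.1.1.5", True), ("10.1.1.14", True)])
    print(r1.start())                      # 10.10.1.1 (loopback wins over physical interfaces)
    print(r1.set_router_id("1.1.1.1"))     # the IOS-style warning; active ID is unchanged
    print(r1.active_rid, "->", r1.clear_process())
```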
Point-to-Point OSPF Networks

The network Command Syntax


• You can specify the interfaces that belong to a point-to-point network by configuring
the network command. You can also configure OSPF directly on the interface with the ip
ospf command.

Router(config-router)# network network-address wildcard-mask area area-id

• The network-address wildcard-mask syntax is used to enable OSPF on interfaces. Any interfaces on
a router that match this part of the command are enabled to send and receive OSPF packets.
• The area area-id syntax refers to the OSPF area. When configuring single-area OSPFv2,
the network command must be configured with the same area-id value on all routers. Although any
area ID can be used, it is good practice to use an area ID of 0 with single-area OSPFv2. This
convention makes it easier if the network is later altered to support multiarea OSPFv2.

The Wildcard Mask
• The wildcard mask is typically the inverse of the subnet mask configured on that interface.
• The easiest method for calculating a wildcard mask is to subtract the network subnet mask from
255.255.255.255, as shown for /24 and /26 subnet masks in the figure.

Configure OSPF Using the network Command
Within routing configuration mode, there are two ways to identify the interfaces that will participate in the
OSPFv2 routing process.
• In the first example, the wildcard mask identifies the interface based on the network addresses. Any active
interface that is configured with an IPv4 address belonging to that network will participate in the OSPFv2
routing process.
R1(config)# router ospf 10
R1(config-router)# network 10.10.1.0 0.0.0.255 area 0
R1(config-router)# network 10.1.1.4 0.0.0.3 area 0
R1(config-router)# network 10.1.1.12 0.0.0.3 area 0
R1(config-router)#
Note: Some IOS versions allow the subnet mask to be entered instead of the wildcard mask. The IOS then converts the
subnet mask to the wildcard mask format.
• As an alternative, OSPFv2 can be enabled by specifying the exact interface IPv4 address using a quad zero
wildcard mask. Entering network 10.1.1.5 0.0.0.0 area 0 on R1 tells the router to enable interface Gigabit
Ethernet 0/0/0 for the routing process.
R1(config)# router ospf 10
R1(config-router)# network 10.10.1.1 0.0.0.0 area 0
R1(config-router)# network 10.1.1.5 0.0.0.0 area 0
R1(config-router)# network 10.1.1.14 0.0.0.0 area 0
R1(config-router)#
• The advantage of specifying the interface is that the wildcard mask calculation is not necessary. Notice that in
all cases, the area argument specifies area 0.
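The wildcard-mask calculation and the interface matching performed by the network command, as an added Python example (not from the study guide and not IOS code). wildcard_mask does the 255.255.255.255 subtraction from the previous section, and network_matches applies the rule that a 0 wildcard bit must match and a 1 bit is ignored; the block then replays R1's two configurations above against a constructed interface list. The interface list (including a fourth interface, 172.16.5.1/24, that no statement covers), the first-match ordering and the function names are assumptions.

```python
import ipaddress


def wildcard_mask(subnet_mask):
    """Wildcard = 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def network_matches(network_address, wildcard, interface_ip):
    """True if interface_ip matches the 'network network-address wildcard' statement:
    wildcard bit 0 = must match, wildcard bit 1 = don't care."""
    net = int(ipaddress.IPv4Address(network_address))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    ip = int(ipaddress.IPv4Address(interface_ip))
    return (net & care) == (ip & care)


# Constructed: R1's interfaces. Addresses follow the network statements shown above;
# the masks and the extra GigabitEthernet0/0/2 interface are assumptions.
R1_INTERFACES = {
    "GigabitEthernet0/0/0": "10.1.1.5/30",
    "GigabitEthernet0/0/1": "10.1.1.14/30",
    "Loopback0": "10.10.1.1/24",
    "GigabitEthernet0/0/2": "172.16.5.1/24",  # not covered by any statement below
}


def ospf_enabled_interfaces(interfaces, network_statements):
    """Return {interface: area} for every interface enabled by the given
    (network-address, wildcard, area) statements; first matching statement wins (assumption)."""
    enabled = {}
    for name, cidr in interfaces.items():
        ip = cidr.split("/")[0]
        for net, wc, area in network_statements:
            if network_matches(net, wc, ip):
                enabled[name] = area
                break
    return enabled


if __name__ == "__main__":
    print(wildcard_mask("255.255.255.0"), wildcard_mask("255.255.255.192"))
    by_network = [("10.10.1.0", "0.0.0.255", 0), ("10.1.1.4", "0.0.0.3", 0), ("10.1.1.12", "0.0.0.3", 0)]
    by_address = [("10.10.1.1", "0.0.0.0", 0), ("10.1.1.5", "0.0.0.0", 0), ("10.1.1.14", "0.0.0.0", 0)]
    print(ospf_enabled_interfaces(R1_INTERFACES, by_network))
    print(ospf_enabled_interfaces(R1_INTERFACES, by_address))
```

Both statement styles enable the same three interfaces and leave GigabitEthernet0/0/2 out, which is the check to run mentally before committing a network statement: an overly broad wildcard (for example 10.0.0.0 0.255.255.255) would silently pull additional interfaces into the OSPF process.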

Configure OSPF Using the ip ospf Command


To configure OSPF directly on the interface, use the ip ospf interface configuration mode command. The
syntax is as follows:
Router(config-if)# ip ospf process-id area area-id

Remove the network commands using the no form of the command. Then go to each interface and configure
the ip ospf command.
R1(config)# router ospf 10
R1(config-router)# no network 10.10.1.1 0.0.0.0 area 0
R1(config-router)# no network 10.1.1.5 0.0.0.0 area 0
R1(config-router)# no network 10.1.1.14 0.0.0.0 area 0
R1(config-router)# interface GigabitEthernet 0/0/0
R1(config-if)# ip ospf 10 area 0
R1(config-if)# interface GigabitEthernet 0/0/1
R1(config-if)# ip ospf 10 area 0
R1(config-if)# interface Loopback 0
R1(config-if)# ip ospf 10 area 0
R1(config-if)#

Passive Interface
By default, OSPF messages are forwarded out all OSPF-enabled interfaces. However, these messages only
need to be sent out interfaces that are connecting to other OSPF-enabled routers.
Sending out unneeded messages on a LAN affects the network in three ways:
• Inefficient Use of Bandwidth - Available bandwidth is consumed transporting unnecessary messages.
• Inefficient Use of Resources - All devices on the LAN must process and eventually discard the message.
• Increased Security Risk - Without additional OSPF security configurations, OSPF messages can be
intercepted with packet sniffing software. Routing updates can be modified and sent back to the router,
corrupting the routing table with false metrics that misdirect traffic.
Configure Passive Interfaces
• Use the passive-interface router configuration mode command to prevent the transmission of routing
messages through a router interface, but still allow that network to be advertised to other routers.
• The show ip protocols command is then used to verify that the interface is listed as passive.

OSPF Point-to-Point Networks

By default, Cisco routers elect a DR and BDR on Ethernet interfaces, even if there is only one other device
on the link. You can verify this with the show ip ospf interface command. The DR/BDR election process is
unnecessary as there can only be two routers on the point-to-point network between R1 and R2. Notice in
the output that the router has designated the network type as BROADCAST.
R1# show ip ospf interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 10.1.1.5/30, Area 0, Attached via Interface Enable
Process ID 10, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 2.2.2.2, Interface address 10.1.1.6
Backup Designated router (ID) 1.1.1.1, Interface address 10.1.1.5
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40

To change this to a point-to-point network, use the interface configuration command ip ospf network
point-to-point on all interfaces where you want to disable the DR/BDR election process.

R1(config)# interface GigabitEthernet 0/0/0


R1(config-if)# ip ospf network point-to-point
*Jun 6 00:44:05.208: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on GigabitEthernet0/0/0 from FULL to DOWN,
Neighbor Down: Interface down or detached
*Jun 6 00:44:05.211: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on GigabitEthernet0/0/0 from LOADING to
FULL, Loading Done
R1(config-if)# end
R1# show ip ospf interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 10.1.1.5/30, Area 0, Attached via Interface Enable
Process ID 10, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
Loopbacks and Point-to-Point Networks
• Use loopbacks to provide additional interfaces for a variety of purposes. By default, loopback interfaces are
advertised as /32 host routes.
• To simulate a real LAN, the loopback interface can be configured as a point-to-point network to advertise the
full network.

What R2 sees when R1 advertises the loopback interface as-is:


R2# show ip route | include 10.10.1
O 10.10.1.1/32 [110/2] via 10.1.1.5, 00:03:05, GigabitEthernet0/0/0

• Configuration change at R1:


R1(config-if)# interface Loopback 0
R1(config-if)# ip ospf network point-to-point

• Result at R2:
R2# show ip route | include 10.10.1
O 10.10.1.0/24 [110/2] via 10.1.1.5, 00:03:05, GigabitEthernet0/0/0

Multiaccess OSPF Networks

OSPF Network Types


Multiaccess OSPF networks are unique in that one router
controls the distribution of LSAs.
The router that is elected for this role should be determined
by the network administrator through proper configuration.

OSPF Designated Router
• In multiaccess networks, OSPF elects a DR and BDR. The DR is responsible for collecting and
distributing LSAs sent and received. The DR uses the multicast IPv4 address 224.0.0.5 which is
meant for all OSPF routers.
• A BDR is also elected in case the DR fails. The BDR listens passively and maintains a relationship
with all the routers. If the DR stops producing Hello packets, the BDR promotes itself and assumes
the role of DR.
• All other routers become a DROTHER (a router that is neither the DR nor the BDR). DROTHERs use the
multicast address 224.0.0.6 (all designated routers) to send OSPF packets to the DR and BDR. Only the
DR and BDR listen for 224.0.0.6.
OSPF Multiaccess Reference Topology
• In the multiaccess topology shown in the figure, there are three routers interconnected over a common
Ethernet multiaccess network, 192.168.1.0/24.
• Because the routers are connected over a common multiaccess network, OSPF has automatically elected a
DR and BDR. R3 has been elected as the DR because its router ID is 3.3.3.3, which is the highest in this
network. R2 is the BDR because it has the second highest router ID in the network.

Verify OSPF Router Roles


The output generated by R1 confirms that the following:
• R1 is not the DR or BDR, but is a DROTHER with a default priority of 1. (Line 7)
• The DR is R3 with router ID 3.3.3.3 at IPv4 address 192.168.1.3, while the BDR is R2 with router ID 2.2.2.2
at IPv4 address 192.168.1.2. (Lines 8 and 9)
• R1 has two adjacencies: one with the BDR and one with the DR. (Lines 20-22)
R1# show ip ospf interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 192.168.1.1/24, Area 0, Attached via Interface Enable
Process ID 10, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
(output omitted)
Transmit Delay is 1 sec, State DROTHER, Priority 1
Designated Router (ID) 3.3.3.3, Interface address 192.168.1.3
Backup Designated router (ID) 2.2.2.2, Interface address 192.168.1.2
(output omitted)
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 2.2.2.2 (Backup Designated Router)
Adjacent with neighbor 3.3.3.3 (Designated Router)
Suppress hello for 0 neighbor(s)
R1#

The output generated by R2 confirms that:
• R2 is the BDR with a default priority of 1. (Line 7)
• The DR is R3 with router ID 3.3.3.3 at IPv4 address 192.168.1.3, while the BDR is R2 with router ID 2.2.2.2
at IPv4 address 192.168.1.2. (Lines 8 and 9)
• R2 has two adjacencies; one with a neighbor with router ID 1.1.1.1 (R1) and the other with the DR. (Lines 20-22)
R2# show ip ospf interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 192.168.1.2/24, Area 0, Attached via Interface Enable
Process ID 10, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 1
(output omitted)
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 3.3.3.3, Interface address 192.168.1.3
Backup Designated Router (ID) 2.2.2.2, Interface address 192.168.1.2
(output omitted)
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 1.1.1.1
Adjacent with neighbor 3.3.3.3 (Designated Router)
Suppress hello for 0 neighbor(s)
R2#
The output generated by R3 confirms that:
• R3 is the DR with a default priority of 1. (Line 7)
• The DR is R3 with router ID 3.3.3.3 at IPv4 address 192.168.1.3, while the BDR is R2 with router ID 2.2.2.2
at IPv4 address 192.168.1.2. (Lines 8 and 9)
• R3 has two adjacencies: one with a neighbor with router ID 1.1.1.1 (R1) and the other with the BDR. (Lines 20-22)
R3# show ip ospf interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 192.168.1.3/24, Area 0, Attached via Interface Enable
Process ID 10, Router ID 3.3.3.3, Network Type BROADCAST, Cost: 1
(output omitted)
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 3.3.3.3, Interface address 192.168.1.3
Backup Designated Router (ID) 2.2.2.2, Interface address 192.168.1.2
(output omitted)
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 1.1.1.1
Adjacent with neighbor 2.2.2.2 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
R3#

Verify DR/BDR Adjacencies

To verify the OSPFv2 adjacencies, use the show ip ospf neighbor command. The state of neighbors in
multiaccess networks can be as follows:
• FULL/DROTHER - This is a DR or BDR router that is fully adjacent with a non-DR or BDR router. These
two neighbors can exchange Hello packets, updates, queries, replies, and acknowledgments.
• FULL/DR - The router is fully adjacent with the indicated DR neighbor. These two neighbors can exchange
Hello packets, updates, queries, replies, and acknowledgments.
• FULL/BDR - The router is fully adjacent with the indicated BDR neighbor. These two neighbors can
exchange Hello packets, updates, queries, replies, and acknowledgments.
• 2-WAY/DROTHER - The non-DR or BDR router has a neighbor relationship with another non-DR or BDR
router. These two neighbors exchange Hello packets.

The normal state for an OSPF router is usually FULL. If a router is stuck in another state, it is an indication
that there are problems in forming adjacencies. The only exception to this is the 2-WAY state, which is
normal in a multiaccess broadcast network.
The output generated by R2 confirms that R2 has adjacencies with the following routers:
• R1 with router ID 1.1.1.1 is in a Full state and R1 is neither the DR nor BDR.
• R3 with router ID 3.3.3.3 is in a Full state and the role of R3 is DR.
R2# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DROTHER    00:00:31    192.168.1.1     GigabitEthernet0/0/0
3.3.3.3           1   FULL/DR         00:00:34    192.168.1.3     GigabitEthernet0/0/0
R2#
Default DR/BDR Election Process
The OSPF DR and BDR election is based on the following criteria, in sequential order:
1. The routers in the network elect the router with the highest interface priority as the DR. The router
with the second highest interface priority becomes the BDR.
• The priority can be configured to be any number between 0 and 255.
• If the interface priority value is set to 0, that interface cannot be elected as DR nor BDR.
• The default priority of multiaccess broadcast interfaces is 1.
2. If the interface priorities are equal, then the router with the highest router ID is elected the DR. The
router with the second highest router ID is the BDR.
• The election process takes place when the first router with an OSPF-enabled interface is active on
the network. If all of the routers on the network have not finished booting, it is possible that a
router with a lower router ID becomes the DR.
• The addition of a new router does not initiate a new election process.

DR Failure and Recovery


After the DR is elected, it remains the DR until one of the following events occurs:
• The DR fails.
• The OSPF process on the DR fails or is stopped.
• The multiaccess interface on the DR fails or is shutdown.
If the DR fails, the BDR is automatically promoted to DR. This is the case even if another DROTHER with
a higher priority or router ID is added to the network after the initial DR/BDR election. However, after a
BDR is promoted to DR, a new BDR election occurs and the DROTHER with the highest priority or router
ID is elected as the new BDR.
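The election rules and the DR failure behaviour from the two sections above, as an added Python model (not from the study guide and not IOS code): elect_dr_bdr ranks routers by interface priority, then by router ID compared numerically, and excludes priority 0; on_dr_failure promotes the existing BDR without re-running the full election, then elects a new BDR from the remaining eligible routers. The router list uses the reference topology's router IDs; R4 (4.4.4.4), the priority values and the function names are assumptions.

```python
import ipaddress


def _rank_key(router):
    """Higher priority wins; router ID (as a number, not a string) breaks ties."""
    return (router["priority"], int(ipaddress.IPv4Address(router["rid"])))


def elect_dr_bdr(routers):
    """Initial election on a multiaccess segment. Each router is {"rid": str, "priority": int}.
    Returns (dr, bdr, sorted list of DROTHER router IDs); None where no eligible router exists."""
    eligible = [r for r in routers if r["priority"] > 0]   # priority 0: never DR or BDR
    ranked = sorted(eligible, key=_rank_key, reverse=True)
    dr = ranked[0]["rid"] if ranked else None
    bdr = ranked[1]["rid"] if len(ranked) > 1 else None
    drothers = sorted(r["rid"] for r in routers if r["rid"] not in (dr, bdr))
    return dr, bdr, drothers


def on_dr_failure(routers, dr, bdr):
    """The current DR disappears: the BDR is promoted as-is (no preemption, even if a
    better candidate joined after the original election) and a new BDR is elected."""
    remaining = [r for r in routers if r["rid"] != dr]
    new_dr = bdr
    candidates = [r for r in remaining if r["rid"] != new_dr and r["priority"] > 0]
    ranked = sorted(candidates, key=_rank_key, reverse=True)
    new_bdr = ranked[0]["rid"] if ranked else None
    return new_dr, new_bdr


if __name__ == "__main__":
    # Constructed segment: R1, R2, R3 at default priority, as in the topology above
    segment = [{"rid": "1.1.1.1", "priority": 1},
               {"rid": "2.2.2.2", "priority": 1},
               {"rid": "3.3.3.3", "priority": 1}]
    print("default:", elect_dr_bdr(segment))
    boosted = [{"rid": "1.1.1.1", "priority": 255}] + segment[1:]
    print("R1 priority 255:", elect_dr_bdr(boosted))
    # R4 (assumed) joins after the election; R3 then fails: R2 (BDR) becomes DR, not R4
    later = segment + [{"rid": "4.4.4.4", "priority": 1}]
    print("after R3 fails:", on_dr_failure(later, "3.3.3.3", "2.2.2.2"))
```

Running the block shows why the guide recommends setting priorities explicitly: with defaults the outcome depends on router IDs and boot order, and a router with a higher ID added later (R4) only reaches BDR once the original DR has failed.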

The ip ospf priority Command


• If the interface priorities are equal on all routers, the router with the highest router ID is elected the DR.
• Instead of relying on the router ID, it is better to control the election by setting interface priorities. This also
allows a router to be the DR in one network and a DROTHER in another.
• To set the priority of an interface, use the command ip ospf priority value, where value is 0 to 255. An
interface with a value of 0 cannot become a DR or a BDR. A value of 1 to 255 on the interface makes it more
likely that the router becomes the DR or the BDR.
Configure OSPF Priority
The example shows the commands being used to change the R1 G0/0/0 interface priority from 1 to 255 and
then reset the OSPF process.
R1(config)# interface GigabitEthernet 0/0/0
R1(config-if)# ip ospf priority 255
R1(config-if)# end
R1# clear ip ospf process
Reset ALL OSPF processes? [no]: y
R1# *Jun 5 03:47:41.563: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on GigabitEthernet0/0/0 from FULL to
DOWN, Neighbor Down: Interface down or detached
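A small model of the election and failover rules from the two sections above, added here as an illustration (Python, not IOS code and not part of the course material): priority first, router ID as the tie-breaker, priority 0 never eligible, no preemption of a sitting DR, and BDR promotion followed by a fresh BDR election when the DR fails. The router IDs and priorities are constructed.

```python
"""Added example: a simplified model of OSPF DR/BDR election on one
multiaccess segment, following the rules in the text. Not IOS code; the
Wait timer and the self-declared DR/BDR handling of RFC 2328 are omitted."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OspfRouter:
    router_id: str
    priority: int = 1  # default ip ospf priority on a broadcast interface

    @property
    def eligible(self) -> bool:
        # a priority of 0 never becomes DR or BDR
        return self.priority > 0

    def rank(self):
        # highest priority wins; on a tie the numerically highest router ID wins
        return (self.priority, int(ipaddress.IPv4Address(self.router_id)))


class MultiaccessSegment:
    def __init__(self, routers_booting_together):
        self.routers = {r.router_id: r for r in routers_booting_together}
        self.dr = None
        self.bdr = None
        # the election runs when the first OSPF-enabled interfaces come up;
        # only routers active at that moment take part, so a router with a
        # lower router ID can end up as DR if the others are still booting
        self._elect_open_roles()

    def _best_drother(self):
        candidates = [r for r in self.routers.values()
                      if r.eligible and r.router_id not in (self.dr, self.bdr)]
        return max(candidates, key=OspfRouter.rank, default=None)

    def _elect_open_roles(self):
        if self.dr is None:
            best = self._best_drother()
            self.dr = best.router_id if best else None
        if self.bdr is None:
            best = self._best_drother()
            self.bdr = best.router_id if best else None

    def add_router(self, router):
        # a router joining later does not trigger a new DR election; it can
        # only fill an empty BDR slot, so a late priority-255 router stays DROTHER
        self.routers[router.router_id] = router
        self._elect_open_roles()

    def dr_failed(self):
        # the BDR is promoted even if a better DROTHER joined after the
        # election; then a new BDR is elected among the remaining DROTHERs
        if self.dr is None:
            return
        self.routers.pop(self.dr)
        self.dr, self.bdr = self.bdr, None
        self._elect_open_roles()

    def role(self, router_id):
        if router_id == self.dr:
            return "DR"
        if router_id == self.bdr:
            return "BDR"
        return "DROTHER"


if __name__ == "__main__":
    seg = MultiaccessSegment([OspfRouter("1.1.1.1"), OspfRouter("2.2.2.2"),
                              OspfRouter("3.3.3.3"), OspfRouter("4.4.4.4", 0)])
    print(seg.dr, seg.bdr)          # 3.3.3.3 2.2.2.2
    seg.add_router(OspfRouter("5.5.5.5", 255))
    print(seg.role("5.5.5.5"))      # DROTHER: no preemption
    seg.dr_failed()
    print(seg.dr, seg.bdr)          # 2.2.2.2 5.5.5.5
```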

Modify Single-Area OSPFv2

Cisco OSPF Cost Metric


• Routing protocols use a metric to determine the best path of a packet across a network. OSPF uses
cost as a metric. A lower cost indicates a better path.
• The Cisco cost of an interface is inversely proportional to the bandwidth of the interface. Therefore,
a higher bandwidth indicates a lower cost. The formula used to calculate the OSPF cost is:
Cost = reference bandwidth / interface bandwidth
• The default reference bandwidth is 10^8 (100,000,000); therefore, the formula is:
Cost = 100,000,000 bps / interface bandwidth in bps
• Because the OSPF cost value must be an integer, FastEthernet, Gigabit Ethernet, and 10 GigE
interfaces share the same cost. To correct this situation, you can:
Adjust the reference bandwidth with the auto-cost reference-bandwidth command on each OSPF router.
Manually set the OSPF cost value with the ip ospf cost command on necessary interfaces.

Refer to the table for a breakdown of the cost calculation


Adjust the Reference Bandwidth
• The cost value must be an integer. If something less than an integer is calculated, OSPF rounds up to
the nearest integer. Therefore, the OSPF cost assigned to a Gigabit Ethernet interface with the default
reference bandwidth of 100,000,000 bps equals 1, because the calculated value of 0.1 is rounded up to 1
rather than down to 0.
Cost = 100,000,000 bps / 1,000,000,000 bps = 0.1, which becomes 1
• For this reason, all interfaces faster than Fast Ethernet will have the same cost value of 1 as a Fast
Ethernet interface.
• To assist OSPF in making the correct path determination, the reference bandwidth must be changed
to a higher value to accommodate networks with links faster than 100 Mbps.

• Changing the reference bandwidth does not actually affect the bandwidth capacity on the link; rather,
it simply affects the calculation used to determine the metric.
• To adjust the reference bandwidth, use the auto-cost reference-bandwidth Mbps router
configuration command.
This command must be configured on every router in the OSPF domain.
Notice in the command that the value is expressed in Mbps; therefore, to adjust the costs for Gigabit
Ethernet, use the command auto-cost reference-bandwidth 1000. For 10 Gigabit Ethernet, use the
command auto-cost reference-bandwidth 10000.
To return to the default reference bandwidth, use the auto-cost reference-bandwidth 100 command.
• Another option is to change the cost on one specific interface using the ip ospf cost cost command.
• Whichever method is used, it is important to apply the configuration to all routers in the OSPF routing
domain.
• The table shows the OSPF cost if the reference bandwidth is adjusted to accommodate 10 Gigabit Ethernet
links. The reference bandwidth should be adjusted anytime there are links faster than FastEthernet (100
Mbps).
• Use the show ip ospf interface command to verify the current OSPFv2 cost assigned to the interface.
OSPF Accumulates Cost
• The cost of an OSPF route is the
accumulated value from one router to the
destination network.
• Assuming the auto-cost reference-
bandwidth 10000 command has been
configured on all three routers, the cost of
the links between each router is now 10.
The loopback interfaces have a default
cost of 1.

• You can calculate the cost for each router to reach each network.
• For example, the total cost for R1 to reach the 10.10.2.0/24 network is 11. This is because the link to
R2 cost = 10 and the loopback default cost = 1. 10 + 1 = 11.
• You can verify this with the show ip route command.

Verifying the accumulated cost for the path to the 10.10.2.0/24 network:
R1# show ip route | include 10.10.2.0
O 10.10.2.0/24 [110/11] via 10.1.1.6, 01:05:02, GigabitEthernet0/0/0
R1# show ip route 10.10.2.0
Routing entry for 10.10.2.0/24
Known via "ospf 10", distance 110, metric 11, type intra area
Last update from 10.1.1.6 on GigabitEthernet0/0/0, 01:05:13 ago
Routing Descriptor Blocks:
* 10.1.1.6, from 2.2.2.2, 01:05:13 ago, via GigabitEthernet0/0/0
Route metric is 11, traffic share count is 1
R1#

Manually Set OSPF Cost Value


Reasons to manually set the cost value include:
• The administrator may want to influence path selection within OSPF, causing different paths to be
selected than would normally be chosen given default costs and cost accumulation.
• Connections to equipment from other vendors who use a different formula to calculate OSPF cost.

To change the cost value reported by the local OSPF router to other OSPF routers, use the interface
configuration command ip ospf cost value.
R1(config)# interface g0/0/1
R1(config-if)# ip ospf cost 30
R1(config-if)# interface lo0
R1(config-if)# ip ospf cost 10
R1(config-if)# end
R1#
Test Failover to Backup Route

What happens if the link between R1 and R2 goes down? You can simulate that by shutting down the
Gigabit Ethernet 0/0/0 interface and verifying the routing table is updated to use R3 as the next-hop router.
Notice that R1 can now reach the 10.1.1.4/30 network through R3 with a cost value of 50.
R1# show ip route ospf | begin 10
10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
O 10.1.1.4/30 [110/50] via 10.1.1.13, 00:00:14, GigabitEthernet0/0/1
O 10.1.1.8/30 [110/40] via 10.1.1.13, 00:00:14, GigabitEthernet0/0/1
O 10.10.2.0/24 [110/50] via 10.1.1.13, 00:00:14, GigabitEthernet0/0/1
O 10.10.3.0/24 [110/40] via 10.1.1.13, 00:00:14, GigabitEthernet0/0/1
R1#
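An added worked example (Python, not IOS and not from the course) that carries the cost arithmetic of the preceding sections through: interface cost from the reference bandwidth with the integer and minimum-of-1 rule, the cost table for Fast/Gigabit/10 Gigabit Ethernet under reference bandwidths of 100, 1000 and 10000, and shortest-path accumulation on a constructed three-router topology, including the failover when the R1-R2 link drops. Link costs of 10 and loopback costs of 1 are constructed to match the first scenario in the text; the failover cost of 50 shown above reflects the manual ip ospf cost settings made just before that test, which this topology does not reproduce.

```python
"""Added example: Cisco OSPF interface cost arithmetic and path-cost
accumulation on a constructed three-router topology. Not IOS code; the
bandwidths, link costs and network addresses below are made up for the demo."""
import heapq


def ospf_interface_cost(bandwidth_bps, reference_bandwidth_mbps=100):
    """Cost = reference bandwidth / interface bandwidth, as IOS computes it.
    IOS keeps the integer part of the quotient (a 1.544 Mbps T1 shows Cost: 64)
    and raises any result below 1 to 1, which is why FastEthernet, Gigabit and
    10 Gigabit interfaces all cost 1 at the default reference bandwidth of 100.
    The metric field is 16 bits, so 65535 is the largest possible cost."""
    cost = (reference_bandwidth_mbps * 1_000_000) // bandwidth_bps
    return max(1, min(cost, 65535))


def cost_table(reference_bandwidths_mbps, interfaces_bps):
    """The kind of table the text refers to: the cost of each interface type
    under each candidate 'auto-cost reference-bandwidth' value."""
    return {ref: {name: ospf_interface_cost(bw, ref) for name, bw in interfaces_bps.items()}
            for ref in reference_bandwidths_mbps}


def shortest_paths(links, source):
    """Dijkstra over directed links (router, next hop or network, outgoing cost).
    OSPF adds the cost of every outgoing interface along the path, including the
    interface the destination network sits on, which is the
    10 (link to R2) + 1 (R2 loopback) = 11 calculation from the text."""
    graph = {}
    for router, target, cost in links:
        graph.setdefault(router, []).append((target, cost))
    best = {source: 0}
    heap = [(0, source)]
    while heap:
        dist, node = heapq.heappop(heap)
        if dist > best[node]:
            continue  # stale heap entry
        for target, cost in graph.get(node, []):
            candidate = dist + cost
            if candidate < best.get(target, float("inf")):
                best[target] = candidate
                heapq.heappush(heap, (candidate, target))
    return best


def without_link(links, a, b):
    """Topology after the link between routers a and b fails (both directions)."""
    return [link for link in links if {link[0], link[1]} != {a, b}]


# Constructed topology: 'auto-cost reference-bandwidth 10000' on every router,
# so each Gigabit link costs 10 and each loopback keeps its default cost of 1.
GIG = ospf_interface_cost(1_000_000_000, 10_000)  # 10
LOOPBACK = 1
TOPOLOGY = [
    ("R1", "R2", GIG), ("R2", "R1", GIG),
    ("R1", "R3", GIG), ("R3", "R1", GIG),
    ("R2", "R3", GIG), ("R3", "R2", GIG),
    ("R1", "10.10.1.0/24", LOOPBACK),
    ("R2", "10.10.2.0/24", LOOPBACK),
    ("R3", "10.10.3.0/24", LOOPBACK),
]

INTERFACES = {"FastEthernet": 100_000_000, "GigabitEthernet": 1_000_000_000,
              "TenGigabitEthernet": 10_000_000_000}

if __name__ == "__main__":
    for ref, costs in cost_table([100, 1000, 10000], INTERFACES).items():
        print(f"reference {ref:>5} Mbps: {costs}")
    print(shortest_paths(TOPOLOGY, "R1")["10.10.2.0/24"])  # 11 via R2
    failed = without_link(TOPOLOGY, "R1", "R2")
    print(shortest_paths(failed, "R1")["10.10.2.0/24"])    # 21 via R3
```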

Hello Packet Intervals


• OSPFv2 Hello packets are transmitted to multicast address 224.0.0.5 (all OSPF routers) every 10
seconds. This is the default timer value on multiaccess and point-to-point networks.
Note: Hello packets are not sent on interfaces set to passive by the passive-interface command.

• The Dead interval is the period that the router waits to receive a Hello packet before declaring the
neighbor down. If the Dead interval expires before the router receives a Hello packet, OSPF removes
that neighbor from its link-state database (LSDB). The router floods the LSDB with information
about the down neighbor out all OSPF-enabled interfaces. Cisco uses a default of 4 times the Hello
interval. This is 40 seconds on multiaccess and point-to-point networks.

Verify Hello and Dead Intervals


• The OSPF Hello and Dead intervals are configurable on a per-interface basis.
• The OSPF intervals must match or a neighbor adjacency does not occur.
• To verify the currently configured OSPFv2 interface intervals, use the show ip ospf interface
command. The Gigabit Ethernet 0/0/0 Hello and Dead intervals are set to the default 10 seconds and
40 seconds respectively.
R1# show ip ospf interface g0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 10.1.1.5/30, Area 0, Attached via Interface Enable
Process ID 10, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 10
Topology-MTID Cost Disabled Shutdown Topology Name
0 10 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
(output omitted)
Use the show ip ospf neighbor command to see the Dead Time counting down from 40 seconds. By default,
this value is refreshed every 10 seconds when R1 receives a Hello from the neighbor.
R1# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 0 FULL/ - 00:00:35 10.1.1.13 GigabitEthernet0/0/1
2.2.2.2 0 FULL/ - 00:00:31 10.1.1.6 GigabitEthernet0/0/0
R1#

Modify OSPFv2 Intervals

• It may be desirable to change the OSPF timers so that routers detect network failures in less time.
Doing this increases traffic, but sometimes the need for quick convergence is more important than
the extra traffic it creates.
Note: The default Hello and Dead intervals are based on best practices and should only be altered in rare situations.

• OSPFv2 Hello and Dead intervals can be modified manually using the following interface
configuration mode commands:
Router(config-if)# ip ospf hello-interval seconds
Router(config-if)# ip ospf dead-interval seconds

• Use the no ip ospf hello-interval and no ip ospf dead-interval commands to reset the intervals to
their default.
• In the example, the Hello interval for the link between R1 and R2 is changed to 5 seconds. The Cisco
IOS automatically modifies the Dead interval to four times the Hello interval. However, you can
document the new Dead interval in the configuration by manually setting it to 20 seconds, as shown.
• When the Dead Timer on R1 expires, R1 and R2 lose adjacency. R1 and R2 must be configured with
the same Hello interval. Use the show ip ospf neighbor command on R1 to verify the neighbor
adjacencies.

R1(config)# interface g0/0/0
R1(config-if)# ip ospf hello-interval 5
R1(config-if)# ip ospf dead-interval 20
R1(config-if)#
*Jun 7 04:56:07.571: %OSPF-5-ADJCHG: Process 10, Nbr 2.2.2.2 on GigabitEthernet0/0/0 from FULL to
DOWN, Neighbor Down: Dead timer expired
R1(config-if)# end
R1# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
3.3.3.3 0 FULL/ - 00:00:37 10.1.1.13 GigabitEthernet0/0/1
R1#
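To turn the "intervals must match" rule into a check, here is an added Python example (not IOS code and not from the course) that parses the show ip ospf interface output of two neighbors and reports any Hello, Dead or area disagreement that would keep the adjacency from forming. The two outputs are constructed for the demo, modelled on the R1 output above.

```python
"""Added example: compare the Hello/Dead intervals (and area) of two OSPFv2
neighbors from their 'show ip ospf interface' output, since a mismatch stops
the adjacency from forming. Not IOS code. The two outputs below are constructed
for the demo, modelled on the R1 output in the text, not real captures."""
import re

TIMERS_RE = re.compile(r"Timer intervals configured, Hello (\d+), Dead (\d+)")
AREA_RE = re.compile(r"\bArea (\S+),")


def parse_ospf_interface(show_output):
    """Extract the Hello-packet parameters both sides must agree on."""
    timers = TIMERS_RE.search(show_output)
    area = AREA_RE.search(show_output)
    if timers is None or area is None:
        raise ValueError("output does not look like 'show ip ospf interface'")
    return {"hello": int(timers.group(1)), "dead": int(timers.group(2)),
            "area": area.group(1)}


def expected_dead_interval(hello):
    """IOS default: the Dead interval is four times the Hello interval."""
    return 4 * hello


def adjacency_mismatches(local_output, remote_output):
    """Reasons two directly connected interfaces will not become neighbors.
    Returns an empty list when Hello, Dead and area all agree."""
    local = parse_ospf_interface(local_output)
    remote = parse_ospf_interface(remote_output)
    return [f"{key} mismatch: local {local[key]} vs remote {remote[key]}"
            for key in ("hello", "dead", "area") if local[key] != remote[key]]


# Constructed: R1 after 'ip ospf hello-interval 5' and 'ip ospf dead-interval 20'
R1_G000 = """\
GigabitEthernet0/0/0 is up, line protocol is up
  Internet Address 10.1.1.5/30, Area 0, Attached via Interface Enable
  Process ID 10, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 10
  Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
"""

# Constructed: R2 still at the defaults, so its adjacency with R1 drops
R2_G000 = """\
GigabitEthernet0/0/0 is up, line protocol is up
  Internet Address 10.1.1.6/30, Area 0, Attached via Interface Enable
  Process ID 10, Router ID 2.2.2.2, Network Type POINT_TO_POINT, Cost: 10
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
"""

if __name__ == "__main__":
    for problem in adjacency_mismatches(R1_G000, R2_G000):
        print(problem)
    # hello mismatch: local 5 vs remote 10
    # dead mismatch: local 20 vs remote 40
```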
Default Route Propagation

Propagate a Default Static Route in OSPFv2


To propagate a default route, the edge router must be configured with the following:
• A default static route using the ip route 0.0.0.0 0.0.0.0 [next-hop-address | exit-intf] command.
• The default-information originate router configuration command. This instructs R2 to be the
source of the default route information and propagate the default static route in OSPF updates.

In the example, R2 is configured with a loopback to simulate a connection to the internet. A default route is
configured and propagated to all other OSPF routers in the routing domain.
Note: When configuring static routes, best practice is to use the next-hop IP address. However, when simulating a
connection to the internet, there is no next-hop IP address. Therefore, we use the exit-intf argument.

R2(config)# interface lo1
R2(config-if)# ip address 64.100.0.1 255.255.255.252
R2(config-if)# exit
R2(config)# ip route 0.0.0.0 0.0.0.0 loopback 1
%Default route without gateway, if not a point-to-point interface, may impact performance
R2(config)# router ospf 10
R2(config-router)# default-information originate
R2(config-router)# end
R2#

Verify OSPF Neighbors


After configuring single-area OSPFv2, you will need to verify your configurations. The following two
commands are particularly useful for verifying routing:
• show ip interface brief - This verifies that the desired interfaces are active with correct IP addressing.
• show ip route - This verifies that the routing table contains all the expected routes.

Additional commands for determining that OSPF is operating as expected include the following:
• show ip ospf neighbor
• show ip protocols
• show ip ospf
• show ip ospf interface
Network Security

Current State of Cybersecurity

Current State of Affairs


• Cyber criminals now have the expertise and tools necessary to take down critical infrastructure and
systems. Their tools and techniques continue to evolve.
• Maintaining a secure network ensures the safety of network users and protects commercial interests.
All users should be aware of security terms in the table.

Security Term - Description

Assets - An asset is anything of value to the organization. It includes people, equipment, resources, and data.

Vulnerability - A vulnerability is a weakness in a system, or its design, that could be exploited by a threat.

Threat - A threat is a potential danger to a company’s assets, data, or network functionality.

Exploit - An exploit is a mechanism that takes advantage of a vulnerability.

Mitigation - Mitigation is the counter-measure that reduces the likelihood or severity of a potential threat or risk. Network security involves multiple mitigation techniques.

Risk - Risk is the likelihood of a threat to exploit the vulnerability of an asset, with the aim of negatively affecting an organization. Risk is measured using the probability of the occurrence of an event and its consequences.

Vectors of Network Attacks


• An attack vector is a path by which a threat
actor can gain access to a server, host, or
network. Attack vectors originate from inside
or outside the corporate network, as shown in
the figure.
• Internal threats have the potential to cause
greater damage than external threats because
internal users have direct access to the building
and its infrastructure devices.
Data Loss

Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen, or leaked to the
outside world. The data loss can result in:
• Brand damage and loss of reputation
• Loss of competitive advantage
• Loss of customers
• Loss of revenue
• Litigation/legal action resulting in fines and civil penalties
• Significant cost and effort to notify affected parties and recover from the breach

Network security professionals must protect the organization’s data. Various Data Loss Prevention (DLP)
controls must be implemented which combine strategic, operational and tactical measures.

Data Loss Vector - Description

Email/Social Networking - Intercepted email or IM messages could be captured and reveal confidential information.

Unencrypted Devices - If the data is not stored using an encryption algorithm, then the thief can retrieve valuable confidential data.

Cloud Storage Devices - Sensitive data can be lost if access to the cloud is compromised due to weak security settings.

Removable Media - One risk is that an employee could perform an unauthorized transfer of data to a USB drive. Another risk is that a USB drive containing valuable corporate data could be lost.

Hard Copy - Confidential data should be shredded when no longer required.

Improper Access Control - Passwords or weak passwords which have been compromised can provide a threat actor with easy access to corporate data.

Threat Actors

The Hacker
Hacker is a common term used to describe a threat actor.

Hacker Type - Description

White Hat Hackers - These are ethical hackers who use their programming skills for good, ethical, and legal purposes. Security vulnerabilities are reported to developers for them to fix before the vulnerabilities can be exploited.

Gray Hat Hackers - These are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. Gray hat hackers may disclose a vulnerability to the affected organization after having compromised their network.

Black Hat Hackers - These are unethical criminals who compromise computer and network security for personal gain, or for malicious reasons, such as attacking networks.
The Evolution of Hackers

The table displays modern hacking terms and a brief description of each.

Hacking Term - Description

Script Kiddies - These are teenagers or inexperienced hackers running existing scripts, tools, and exploits, to cause harm, but typically not for profit.

Vulnerability Broker - These are usually gray hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.

Hacktivists - These are gray hat hackers who publicly protest organizations or governments by posting articles, videos, leaking sensitive information, and performing network attacks.

Cyber criminals - These are black hat hackers who are either self-employed or working for large cybercrime organizations.

State-Sponsored - These are either white hat or black hat hackers who steal government secrets, gather intelligence, and sabotage networks. Their targets are foreign governments, terrorist groups, and corporations. Most countries in the world participate to some degree in state-sponsored hacking.

Cyber Criminals

It is estimated that cyber criminals steal billions of dollars from consumers and businesses. Cyber criminals
operate in an underground economy where they buy, sell, and trade attack toolkits, zero day exploit code,
botnet services, banking Trojans, keyloggers, and much more. They also buy and sell the private information
and intellectual property they steal. Cyber criminals target small businesses and consumers, as well as large
enterprises and entire industries.

Hacktivists
Two examples of hacktivist groups are Anonymous and the Syrian Electronic Army. Although most
hacktivist groups are not well organized, they can cause significant problems for governments and
businesses. Hacktivists tend to rely on fairly basic, freely available tools.

State-Sponsored Hackers
State-sponsored hackers create advanced, customized attack code, often using previously undiscovered
software vulnerabilities called zero-day vulnerabilities. An example of a state-sponsored attack involves the
Stuxnet malware that was created to damage Iran’s nuclear enrichment capabilities.
Threat Actor Tools

Introduction to Attack Tools

To exploit a vulnerability, a threat actor must have a technique or tool. Over the years, attack tools have
become more sophisticated, and highly automated. These new tools require less technical knowledge to
implement.

Evolution of Security Tools

The table highlights categories of common penetration testing tools. Notice how some tools are used by
white hats and black hats. Keep in mind that the list is not exhaustive as new tools are always being
developed.

Penetration Testing Tool - Description

Password Crackers - Password cracking tools are often referred to as password recovery tools and can be used to crack or recover a password. Password crackers repeatedly make guesses in order to crack the password. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, Rainbow Crack, and Medusa.

Wireless Hacking Tools - Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and ViStumbler.

Network Scanning and Hacking Tools - Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.

Packet Crafting Tools - These tools are used to probe and test a firewall’s robustness using specially crafted forged packets. Examples include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.

Packet Sniffers - These tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.

Rootkit Detectors - This is a directory and file integrity checker used by white hats to detect installed rootkits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.

Fuzzers to Search Vulnerabilities - Fuzzers are tools used by threat actors to discover a computer’s security vulnerabilities. Examples of fuzzers include Skipfish, Wapiti, and W3af.

Forensic Tools - These tools are used by white hat hackers to sniff out any trace of evidence existing in a computer. Examples of tools include Sleuth Kit, Helix, Maltego, and Encase.

Debuggers - These tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.

Hacking Operating Systems - These are specially designed operating systems preloaded with tools optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux and BackBox Linux.

Encryption Tools - Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the encrypted data. Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL, Tor, OpenVPN, and Stunnel.

Vulnerability Exploitation Tools - These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.

Vulnerability Scanners - These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples of tools include Nipper, Core Impact, Nessus, SAINT, and OpenVAS.

Attack Types

Attack Type - Description

Eavesdropping Attack - This is when a threat actor captures and “listens” to network traffic. This attack is also referred to as sniffing or snooping.

Data Modification Attack - If threat actors have captured enterprise traffic, they can alter the data in the packet without the knowledge of the sender or receiver.

IP Address Spoofing Attack - A threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet.

Password-Based Attacks - If threat actors discover a valid user account, the threat actors have the same rights as the real user. Threat actors could use that valid account to obtain lists of other users, network information, change server and network configurations, and modify, reroute, or delete data.

Denial of Service Attack - A DoS attack prevents normal use of a computer or network by valid users. A DoS attack can flood a computer or the entire network with traffic until a shutdown occurs because of the overload. A DoS attack can also block traffic, which results in a loss of access to network resources by authorized users.

Man-in-the-Middle Attack - This attack occurs when threat actors have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.

Compromised-Key Attack - If a threat actor obtains a secret key, that key is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.

Sniffer Attack - A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet.

Malware

Overview of Malware
• This topic introduces you to different types of malware that hackers use to gain access to end
devices.
• End devices are particularly prone to malware attacks. It is important to know about malware
because threat actors rely on users to install malware to help exploit the security gaps.

Viruses and Trojan Horses


• The first and most common type of computer malware is a virus. Viruses require human action to
propagate and infect other computers.
• The virus hides by attaching itself to computer code, software, or documents on the computer. When
opened, the virus executes and infects the computer.
• Viruses can:
o Alter, corrupt, delete files, or erase entire drives.
o Cause computer booting issues, and corrupt applications.
o Capture and send sensitive information to threat actors.
o Access and use email accounts to spread.
o Lay dormant until summoned by the threat actor.

Modern viruses are developed for specific intent such as those listed in the table.

Type of Virus - Description

Boot sector virus - Virus attacks the boot sector, file partition table, or file system.

Firmware viruses - Virus attacks the device firmware.

Macro virus - Virus uses the MS Office macro feature maliciously.

Program viruses - Virus inserts itself in another executable program.

Script viruses - Virus attacks the OS interpreter which is used to execute scripts.

Threat actors use Trojan horses to compromise hosts. A Trojan horse is a program that looks useful but also
carries malicious code. Trojan horses are often provided with free online programs such as computer games.
There are several types of Trojan horses as described in the table.

Type of Trojan Horse - Description

Remote-access - Trojan horse enables unauthorized remote access.

Data-sending - Trojan horse provides the threat actor with sensitive data, such as passwords.

Destructive - Trojan horse corrupts or deletes files.

Proxy - Trojan horse will use the victim's computer as the source device to launch attacks and perform other illegal activities.

FTP - Trojan horse enables unauthorized file transfer services on end devices.

Security software disabler - Trojan horse stops antivirus programs or firewalls from functioning.

Denial of Service (DoS) - Trojan horse slows or halts network activity.

Keylogger - Trojan horse actively attempts to steal confidential information, such as credit card numbers, by recording key strokes entered into a web form.

Other Types of Malware


Malware - Description

Adware
• Adware is usually distributed by downloading online software.
• Adware can display unsolicited advertising using pop-up web browser windows, new toolbars, or unexpectedly redirect a webpage to a different website.
• Pop-up windows may be difficult to control as new windows can pop-up faster than the user can close them.

Ransomware
• Ransomware typically denies a user access to their files by encrypting the files and then displaying a message demanding a ransom for the decryption key.
• Users without up-to-date backups must pay the ransom to decrypt their files.
• Payment is usually made using wire transfer or crypto currencies such as Bitcoin.

Rootkit
• Rootkits are used by threat actors to gain administrator account-level access to a computer.
• They are very difficult to detect because they can alter firewall, antivirus protection, system files, and even OS commands to conceal their presence.
• They can provide a backdoor to threat actors giving them access to the PC, and allowing them to upload files, and install new software to be used in a DDoS attack.
• Special rootkit removal tools must be used to remove them, or a complete OS re-install may be required.

Spyware
• Like adware, but used to gather information about the user and send it to threat actors without the user’s consent.
• Spyware can be a low threat, gathering browsing data, or it can be a high threat capturing personal and financial information.

Worm
• A worm is a self-replicating program that propagates automatically without user actions by exploiting vulnerabilities in legitimate software.
• It uses the network to search for other victims with the same vulnerability.
• The intent of a worm is usually to slow or disrupt network operations.

Common Network Attacks

• When malware is delivered and installed, the payload can be used to cause a variety of network
related attacks.
• To mitigate attacks, it is useful to understand the types of attacks. By categorizing network attacks, it
is possible to address types of attacks rather than individual attacks.
• Networks are susceptible to the following types of attacks:
o Reconnaissance Attacks
o Access Attacks
o DoS Attacks

Reconnaissance Attacks
• Reconnaissance is information gathering.
• Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of
systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks.

Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in
the table.

Technique - Description

Perform an information query of a target - The threat actor is looking for initial information about a target. Various tools can be used, including Google search, the organization’s website, whois, and more.

Initiate a ping sweep of the target network - The information query usually reveals the target’s network address. The threat actor can now initiate a ping sweep to determine which IP addresses are active.

Initiate a port scan of active IP addresses - This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.

Run vulnerability scanners - This is to query the identified ports to determine the type and version of the application and operating system that is running on the host. Examples of tools include Nipper, Core Impact, Nessus, SAINT, and OpenVAS.

Run exploitation tools - The threat actor now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.

Access Attacks
• Access attacks exploit known vulnerabilities in authentication services, FTP services, and web
services. The purpose of these types of attacks is to gain entry to web accounts, confidential
databases, and other sensitive information.
• Threat actors use access attacks on network devices and computers to retrieve data, gain access, or to
escalate access privileges to administrator status.
• Password Attacks: In a password attack, the threat actor attempts to discover critical system
passwords using various methods. Password attacks are very common and can be launched using a
variety of password cracking tools.
• Spoofing Attacks: In spoofing attacks, the threat actor device attempts to pose as another device by
falsifying data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.
These spoofing attacks will be discussed in more detail later in this module.
• Other Access attacks include:
o Trust exploitations
o Port redirections
o Man-in-the-middle attacks
o Buffer overflow attacks

Social Engineering Attacks

• Social engineering is an access attack that attempts to manipulate individuals into performing actions or
divulging confidential information. Some social engineering techniques are performed in-person while
others may use the telephone or internet.
• Social engineers often rely on people’s willingness to be helpful. They also prey on people’s weaknesses.
• The Social Engineering Toolkit (SET) was designed to help white hat hackers and other network security
professionals create social engineering attacks to test their own networks.
• Enterprises must educate their users about the risks of social engineering, and develop strategies to
validate identities over the phone, via email, or in person.
• The figure shows recommended practices that should be followed by all users.
Social Engineering Attack - Description

Pretexting - A threat actor pretends to need personal or financial data to confirm the identity of the recipient.

Phishing - A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.

Spear phishing - A threat actor creates a targeted phishing attack tailored for a specific individual or organization.

Spam - Also known as junk mail, this is unsolicited email which often contains harmful links, malware, or deceptive content.

Something for Something - Sometimes called “Quid pro quo”, this is when a threat actor requests personal information from a party in exchange for something such as a gift.

Baiting - A threat actor leaves a malware infected flash drive in a public location. A victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.

Impersonation - This type of attack is where a threat actor pretends to be someone they are not to gain the trust of a victim.

Tailgating - This is where a threat actor quickly follows an authorized person into a secure location to gain access to a secure area.

Shoulder surfing - This is where a threat actor inconspicuously looks over someone’s shoulder to steal their passwords or other information.

Dumpster diving - This is where a threat actor rummages through trash bins to discover confidential documents.

DoS and DDoS Attacks

A Denial of Service (DoS) attack creates some sort of interruption of network services to users, devices, or
applications. There are two major types of DoS attacks:
o Overwhelming Quantity of Traffic - The threat actor sends an enormous quantity of data at a rate
that the network, host, or application cannot handle. This causes transmission and response times to
slow down. It can also crash a device or service.
o Maliciously Formatted Packets - The threat actor sends a maliciously formatted packet to a host or
application and the receiver is unable to handle it. This causes the receiving device to run very slowly
or crash.

• DoS attacks are a major risk because they interrupt communication and cause significant loss of time
and money. These attacks are relatively simple to conduct, even by an unskilled threat actor.
• A Distributed DoS Attack (DDoS) is similar to a DoS attack, but it originates from multiple,
coordinated sources.
IP Vulnerabilities and Threats

IPv4 and IPv6


• IP does not validate whether the source IP address contained in a packet actually came from that
source. For this reason, threat actors can send packets using a spoofed source IP address. Security
analysts must understand the different fields in both the IPv4 and IPv6 headers.
• Some of the more common IP-related attacks are shown in the table.

IP Attack Techniques
• ICMP attacks - Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter host routing tables.
• Amplification and reflection attacks - Threat actors attempt to prevent legitimate users from accessing information or services using DoS and DDoS attacks.
• Address spoofing attacks - Threat actors spoof the source IP address in an IP packet to perform blind spoofing or non-blind spoofing.
• Man-in-the-middle attack (MITM) - Threat actors position themselves between a source and destination to transparently monitor, capture, and control the communication. They could eavesdrop by inspecting captured packets, or alter packets and forward them to their original destination.
• Session hijacking - Threat actors gain access to the physical network, and then use an MITM attack to hijack a session.

ICMP Attacks
• Threat actors use ICMP for reconnaissance and scanning attacks. They can launch information-
gathering attacks to map out a network topology, discover which hosts are active (reachable),
identify the host operating system (OS fingerprinting), and determine the state of a firewall. Threat
actors also use ICMP for DoS attacks.
• Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks.

• Networks should have strict ICMP access control list (ACL) filtering on the network edge to avoid
ICMP probing from the internet. In the case of large networks, security devices such as firewalls and
intrusion detection systems (IDS) detect such attacks and generate alerts to the security analysts.

ICMP Messages used by Hackers
• ICMP echo request and echo reply - This is used to perform host verification and DoS attacks.
• ICMP unreachable - This is used to perform network reconnaissance and scanning attacks.
• ICMP mask reply - This is used to map an internal IP network.
• ICMP redirects - This is used to lure a target host into sending all traffic through a compromised device and create a MITM attack.
• ICMP router discovery - This is used to inject bogus route entries into the routing table of a target host.

Amplification and Reflection Attacks

Threat actors often use amplification and reflection techniques to create DoS attacks. The example in the
figure illustrates how a Smurf attack is used to overwhelm a target host.
Note: Newer forms of amplification and reflection attacks such as DNS-based reflection and amplification attacks and
Network Time Protocol (NTP) amplification attacks are now being used.

Threat actors also use resource exhaustion attacks either to crash a target host or to consume the resources
of a network.

Address Spoofing Attacks

• IP address spoofing attacks occur when a threat actor creates packets with false source IP address
information to either hide the identity of the sender, or to pose as another legitimate user. Spoofing is
usually incorporated into another attack such as a Smurf attack.
• Spoofing attacks can be non-blind or blind:
▪ Non-blind spoofing - The threat actor can see the traffic that is being sent between the host
and the target. Non-blind spoofing can be used to determine the state of a firewall and to predict
sequence numbers. It can also hijack an authorized session.
▪ Blind spoofing - The threat actor cannot see the traffic that is being sent between the host and
the target. Blind spoofing is used in DoS attacks.

• MAC address spoofing attacks are used when threat actors have access to the internal network.
Threat actors alter the MAC address of their host to match another known MAC address of a target
host.
TCP and UDP Vulnerabilities

TCP Segment Header

• TCP segment information appears immediately after the IP header. The fields of the TCP segment
and the flags for the Control Bits field are displayed in the figure.
• The following are the six control bits of the TCP segment:
o URG - Urgent pointer field significant
o ACK - Acknowledgment field significant
o PSH - Push function
o RST- Reset the connection
o SYN - Synchronize sequence numbers
o FIN - No more data from sender

TCP Services
TCP provides these services:
• Reliable delivery - TCP incorporates acknowledgments to guarantee delivery. If a timely acknowledgment is
not received, the sender retransmits the data. Requiring acknowledgments of received data can cause
substantial delays. Examples of application layer protocols that make use of TCP reliability include HTTP,
SSL/TLS, FTP, DNS zone transfers, and others.
• Flow control - TCP implements flow control to address this issue. Rather than acknowledge one segment at a
time, multiple segments can be acknowledged with a single acknowledgment segment.
• Stateful communication - TCP stateful communication between two parties occurs during the TCP three-way
handshake.
A TCP connection is established in three steps:
1. The initiating client requests a client-to-server
communication session with the server.
2. The server acknowledges the client-to-server
communication session and requests a server-to-
client communication session.
3. The initiating client acknowledges the server-to-
client communication session.

TCP Attacks
TCP SYN Flood Attack
1. The threat actor sends multiple SYN
requests to a webserver.
2. The web server replies with SYN-
ACKs for each SYN request and
waits to complete the three-way
handshake. The threat actor does not
respond to the SYN-ACKs.
3. A valid user cannot access the web
server because the web server has too
many half-opened TCP connections.
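The TCP header fields and control bits listed above, and the half-open connections a SYN flood leaves behind, as an added example (not from the study guide): a parser for the fixed 20-byte header and a counter of half-open connections per source over constructed sample packets. Addresses, ports and the threshold are assumptions.

```python
"""Added example (not from the study guide): decode TCP header fields and control
bits, then count half-open connections per source to spot a SYN flood. Every packet
below is constructed sample data; addresses, ports and threshold are assumptions."""
import struct
from collections import defaultdict

# Control bits occupy the low six bits of the flags byte.
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK, FLAG_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = (("URG", FLAG_URG), ("ACK", FLAG_ACK), ("PSH", FLAG_PSH),
              ("RST", FLAG_RST), ("SYN", FLAG_SYN), ("FIN", FLAG_FIN))

def parse_tcp_header(segment):
    """Decode the fixed 20-byte TCP header: ports, seq/ack numbers, offset, flags, window."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": (off_res >> 4) * 4,        # data offset is in 32-bit words
        "window": win,
        "flags": [name for name, mask in FLAG_NAMES if flags & mask],
    }

def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a minimal 20-byte header for the sample capture (checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)

def half_open_by_source(packets, threshold=3):
    """packets: iterable of (src_ip, dst_ip, raw_tcp_header) in arrival order.
    A connection is half-open once the server's SYN-ACK has gone out and no client
    ACK has followed. Returns {client_ip: count} for clients at or above threshold,
    which is the pattern of the SYN flood described above."""
    state = {}   # (client, server, client_port) -> "syn" | "synack" | "established"
    for src, dst, raw in packets:
        h = parse_tcp_header(raw)
        f = set(h["flags"])
        if f == {"SYN"}:                               # step 1: client SYN
            state[(src, dst, h["sport"])] = "syn"
        elif f == {"SYN", "ACK"}:                      # step 2: server SYN-ACK
            key = (dst, src, h["dport"])
            if state.get(key) == "syn":
                state[key] = "synack"
        elif "ACK" in f:                               # step 3: client ACK completes it
            key = (src, dst, h["sport"])
            if state.get(key) == "synack":
                state[key] = "established"
    counts = defaultdict(int)
    for (client, _server, _port), st in state.items():
        if st == "synack":
            counts[client] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample: one complete handshake from 10.0.0.5, then five SYNs from the
# (spoofed) source 203.0.113.9 whose SYN-ACKs are never answered.
SERVER = "10.0.0.80"
SAMPLE_PACKETS = [
    ("10.0.0.5", SERVER, build_tcp_header(40000, 80, 1000, 0, FLAG_SYN)),
    (SERVER, "10.0.0.5", build_tcp_header(80, 40000, 5000, 1001, FLAG_SYN | FLAG_ACK)),
    ("10.0.0.5", SERVER, build_tcp_header(40000, 80, 1001, 5001, FLAG_ACK)),
]
for i in range(5):
    port = 50000 + i
    SAMPLE_PACKETS.append(("203.0.113.9", SERVER, build_tcp_header(port, 80, 7000 + i, 0, FLAG_SYN)))
    SAMPLE_PACKETS.append((SERVER, "203.0.113.9",
                           build_tcp_header(80, port, 9000 + i, 7001 + i, FLAG_SYN | FLAG_ACK)))

if __name__ == "__main__":
    print(parse_tcp_header(SAMPLE_PACKETS[1][2])["flags"])   # ['ACK', 'SYN']
    print(half_open_by_source(SAMPLE_PACKETS))               # {'203.0.113.9': 5}
```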

Terminating a TCP session uses the following four-way exchange process:


1. When the client has no more data to send in the stream, it sends a
segment with the FIN flag set.
2. The server sends an ACK to acknowledge the receipt of the FIN to
terminate the session from client to server.
3. The server sends a FIN to the client to terminate the server-to-client
session.
4. The client responds with an ACK to acknowledge the FIN from the
server.

A threat actor could do a TCP reset attack and send a spoofed packet
containing a TCP RST to one or both endpoints.

TCP session hijacking is another TCP vulnerability. Although difficult to conduct, a threat actor takes over
an already-authenticated host as it communicates with the target. The threat actor must spoof the IP address
of one host, predict the next sequence number, and send an ACK to the other host. If successful, the threat
actor could send, but not receive, data from the target device.
UDP Segment Header and Operation
• UDP is commonly used by DNS, TFTP, NFS, and SNMP. It is also used with real-time applications
such as media streaming or VoIP. UDP is a connectionless transport layer protocol. It has much
lower overhead than TCP because it is not connection-oriented and does not offer the sophisticated
retransmission, sequencing, and flow control mechanisms that provide reliability.
• These reliability functions are not provided by the transport layer protocol and must be implemented
elsewhere if required.
• The low overhead of UDP makes it very desirable for protocols that make simple request and reply
transactions.

UDP Attacks
• UDP is not protected by any encryption. You can add encryption to UDP, but it is not available by
default. The lack of encryption means that anyone can see the traffic, change it, and send it on to its
destination.
• UDP Flood Attacks: The threat actor uses a tool like UDP Unicorn or Low Orbit Ion Cannon. These
tools send a flood of UDP packets, often from a spoofed host, to a server on the subnet. The program
will sweep through all the known ports trying to find closed ports. This will cause the server to reply
with an ICMP port unreachable message. Because there are many closed ports on the server, this
creates a lot of traffic on the segment, which uses up most of the bandwidth. The result is very
similar to a DoS attack.

IP Services

ARP Vulnerabilities
• Hosts broadcast an ARP Request to other hosts on the segment to determine the MAC address of a
host with a particular IP address. The host with the matching IP address in the ARP Request sends an
ARP Reply.
• Any client can send an unsolicited ARP Reply called a “gratuitous ARP.” When a host sends a
gratuitous ARP, other hosts on the subnet store the MAC address and IP address contained in the
gratuitous ARP in their ARP tables.
• This feature of ARP also means that any host can claim to be the owner of any IP or MAC. A threat
actor can poison the ARP cache of devices on the local network, creating an MITM attack to redirect
traffic.
ARP Cache Poisoning

ARP cache poisoning can be used to launch various man-in-the-middle attacks.


1. PC-A requires the MAC address of its default gateway (R1); therefore, it sends an ARP Request for the MAC
address of 192.168.10.1.
2. R1 updates its ARP cache with the IP and MAC addresses of PC-A. R1 sends an ARP Reply to PC-A, which
then updates its ARP cache with the IP and MAC addresses of R1.
3. The threat actor sends two spoofed gratuitous ARP Replies using its own MAC address for the indicated
destination IP addresses. PC-A updates its ARP cache with its default gateway which is now pointing to the
threat actor’s host MAC address. R1 also updates its ARP cache with the IP address of PC-A pointing to the
threat actor’s MAC address.

The ARP poisoning attack can be passive or active. Passive ARP poisoning is where threat actors steal
confidential information. Active ARP poisoning is where threat actors modify data in transit or inject
malicious data.
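The three-step poisoning above seen from the ARP table of a host, as an added example (not from the study guide): bindings carried in ARP Replies are recorded, a change of MAC for a known IP raises an alert, and a static entry for the default gateway (a common mitigation) refuses the spoofed reply. PC-A's address and all MAC addresses are constructed values.

```python
"""Added example (not from the study guide): a host ARP table that learns bindings
from ARP Replies, alerts when an IP address suddenly maps to a different MAC, and
refuses changes to static entries. MAC addresses and PC-A's IP are constructed."""

class ArpTable:
    def __init__(self, static=None):
        self.entries = {}                  # ip -> mac, as learned from the wire
        self.static = dict(static or {})   # ip -> mac that must never be overwritten
        self.alerts = []                   # (kind, ip, offered_mac, gratuitous)

    def learn(self, sender_ip, sender_mac, gratuitous=False):
        """Process one ARP Reply (solicited or gratuitous). Returns True if accepted."""
        sender_mac = sender_mac.lower()
        if sender_ip in self.static:
            if self.static[sender_ip] != sender_mac:
                self.alerts.append(("static-mismatch", sender_ip, sender_mac, gratuitous))
                return False               # pinned binding: the spoofed reply is dropped
            self.entries[sender_ip] = sender_mac
            return True
        old = self.entries.get(sender_ip)
        if old is not None and old != sender_mac:
            self.alerts.append(("binding-changed", sender_ip, sender_mac, gratuitous))
        self.entries[sender_ip] = sender_mac   # a naive host accepts the new binding
        return True

R1_IP, R1_MAC = "192.168.10.1", "00:11:22:aa:bb:01"       # R1's MAC is constructed
PCA_IP, PCA_MAC = "192.168.10.10", "00:11:22:aa:bb:10"    # PC-A's IP and MAC are constructed
ACTOR_MAC = "00:11:22:cc:dd:99"                            # threat actor's MAC, constructed

# Steps 2 and 3 of the scenario as they appear on the segment.
SAMPLE_EVENTS = [
    (R1_IP, R1_MAC, False),        # step 2: legitimate ARP Reply from R1
    (R1_IP, ACTOR_MAC, True),      # step 3: spoofed gratuitous reply claiming R1's address
    (PCA_IP, ACTOR_MAC, True),     # step 3: spoofed gratuitous reply claiming PC-A's address
]

def run_naive_host(events=SAMPLE_EVENTS):
    """PC-A with no protection: its default gateway now points at the threat actor."""
    table = ArpTable()
    for ev in events:
        table.learn(*ev)
    return table

def run_pinned_host(events=SAMPLE_EVENTS):
    """PC-A with a static entry for its default gateway: the poisoned reply is refused."""
    table = ArpTable(static={R1_IP: R1_MAC})
    for ev in events:
        table.learn(*ev)
    return table
```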

DNS Attacks
• The Domain Name Service (DNS) protocol defines an automated service that matches resource
names, such as www.cisco.com, with the required numeric network address, such as the IPv4 or IPv6
address. It includes the format for queries, responses, and data and uses resource records (RR) to
identify the type of DNS response.
• Securing DNS is often overlooked. However, it is crucial to the operation of a network and should be
secured accordingly.
• DNS attacks include the following:
o DNS open resolver attacks
o DNS stealth attacks
o DNS domain shadowing attacks
o DNS tunneling attacks

DNS Open Resolver Attacks: A DNS open resolver answers queries from clients outside of its administrative domain.
DNS open resolvers are vulnerable to multiple malicious activities described in the table.

DNS Resolver Vulnerabilities
• DNS cache poisoning attacks - Threat actors send spoofed, falsified resource record (RR) information to a DNS resolver to redirect users from legitimate sites to malicious sites. DNS cache poisoning attacks can also be used to inform the DNS resolver to use a malicious name server that is providing RR information for malicious activities.
• DNS amplification and reflection attacks - Threat actors use DoS or DDoS attacks on DNS open resolvers to increase the volume of attacks and to hide the true source of an attack. Threat actors send DNS messages to the open resolvers using the IP address of a target host. These attacks are possible because the open resolver will respond to queries from anyone asking a question.
• DNS resource utilization attacks - A DoS attack that consumes the resources of the DNS open resolvers. This DoS attack consumes all the available resources to negatively affect the operations of the DNS open resolver. The impact of this DoS attack may require the DNS open resolver to be rebooted or services to be stopped and restarted.

DNS Stealth Attacks: To hide their identity, threat actors also use the DNS stealth techniques described in
the table to carry out their attacks.

DNS Stealth Techniques
• Fast Flux - Threat actors use this technique to hide their phishing and malware delivery sites behind a quickly-changing network of compromised DNS hosts. The DNS IP addresses are continuously changed within minutes. Botnets often employ Fast Flux techniques to effectively hide malicious servers from being detected.
• Double IP Flux - Threat actors use this technique to rapidly change the hostname to IP address mappings and to also change the authoritative name server. This increases the difficulty of identifying the source of the attack.
• Domain Generation Algorithms - Threat actors use this technique in malware to randomly generate domain names that can then be used as rendezvous points to their command and control (C&C) servers.

DNS Domain Shadowing Attacks: Domain shadowing involves the threat actor gathering domain account
credentials in order to silently create multiple sub-domains to be used during the attacks. These subdomains
typically point to malicious servers without alerting the actual owner of the parent domain.

DNS Tunneling

Threat actors who use DNS tunneling place non-DNS traffic within DNS traffic. This method often
circumvents security solutions when a threat actor wishes to communicate with bots inside a protected
network, or exfiltrate data from the organization. This is how DNS tunneling works for CnC commands sent
to a botnet:
1. The command data is split into multiple encoded chunks.
2. Each chunk is placed into a lower level domain name label of the DNS query.
3. Because there is no response from the local or networked DNS for the query, the request is
sent to the ISP’s recursive DNS servers.
4. The recursive DNS service will forward the query to the threat actor’s authoritative name
server.
5. The process is repeated until all the queries containing the chunks of data are sent.
6. When the threat actor’s authoritative name server receives the DNS queries from the infected
devices, it sends responses for each DNS query, which contain the encapsulated, encoded
CnC commands.
7. The malware on the compromised host recombines the chunks and executes the commands
hidden within the DNS record.

• To stop DNS tunneling, the network administrator must use a filter that inspects DNS traffic. Pay
close attention to DNS queries that are longer than average, or those that have a suspicious domain
name.
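A DNS query filter of the kind the last bullet calls for, as an added example (not from the study guide). It goes slightly beyond the text: besides flagging names that are much longer than average, it also flags deep label nesting and long labels whose characters look encoded, which is how the chunks from steps 1 and 2 appear. The log format, thresholds and every query line are constructed.

```python
"""Added example (not from the study guide): flag DNS queries that are much longer
than average, carry more labels than normal, or contain a long high-entropy
(encoded-looking) label. Log format, thresholds and all queries are constructed."""
import math
from collections import Counter

def label_entropy(label):
    """Shannon entropy of a label in bits per character; encoded chunks score high,
    ordinary words score low."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def parse_query_log(lines):
    """Constructed line format: '<time> <client_ip> <query_name> <query_type>'."""
    queries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines rather than crash
        ts, client, qname, qtype = parts
        queries.append({"ts": ts, "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return queries

def flag_tunneling(queries, len_factor=2.0, max_labels=5,
                   min_label_len=20, entropy_threshold=3.0):
    """Return (client, qname, reasons) for each suspicious query. Tunnelled chunks show
    up as very long names, deep nesting, or labels that look random (hex/base32/base64)."""
    if not queries:
        return []
    avg_len = sum(len(q["qname"]) for q in queries) / len(queries)
    flagged = []
    for q in queries:
        labels = q["qname"].split(".")
        longest = max(labels, key=len)
        reasons = []
        if len(q["qname"]) > len_factor * avg_len:
            reasons.append("long-name")
        if len(labels) > max_labels:
            reasons.append("many-labels")
        if len(longest) >= min_label_len and label_entropy(longest) > entropy_threshold:
            reasons.append("high-entropy-label")
        if reasons:
            flagged.append((q["client"], q["qname"], reasons))
    return flagged

# Constructed sample log: three ordinary lookups, two queries carrying an encoded chunk
# (hex, then base32) in their lowest label, and one deeply nested name.
SAMPLE_LOG = [
    "12:00:01 10.0.0.5 www.cisco.com A",
    "12:00:02 10.0.0.5 mail.example.com MX",
    "12:00:03 10.0.0.7 ntp.example.net A",
    "12:00:04 10.0.0.9 4a6f686e2d446f652d3132333435.c2.example A",
    "12:00:05 10.0.0.9 mfrggzdfmztwq2lknnww233qonsxg5dvozxxq6lnn5txk.c2.example TXT",
    "12:00:06 10.0.0.6 a.b.c.d.e.f.g.example A",
]

if __name__ == "__main__":
    for client, name, why in flag_tunneling(parse_query_log(SAMPLE_LOG)):
        print(client, name, ",".join(why))
```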
DHCP
• DHCP servers dynamically provide IP configuration information to clients.
• In the figure, a client broadcasts a DHCP discover message. The DHCP server responds with a unicast offer that includes addressing information the client can use. The client broadcasts a DHCP request to tell the server that the client accepts the offer. The server responds with a unicast acknowledgment accepting the request.

DHCP Attacks

A DHCP spoofing attack occurs when a rogue DHCP server is connected to the network and provides false
IP configuration parameters to legitimate clients. A rogue server can provide a variety of misleading
information:
• Wrong default gateway - Threat actor provides an invalid gateway, or the IP address of its host to create a MITM attack. This may go entirely undetected as the intruder intercepts the data flow through the network.
• Wrong DNS server - Threat actor provides an incorrect DNS server address pointing the user to a malicious website.
• Wrong IP address - Threat actor provides an invalid IP address, invalid default gateway IP address, or both. The threat actor then creates a DoS attack on the DHCP client.
Assume a threat actor has successfully connected a rogue DHCP server to a switch port on the same subnet
as the target clients. The goal of the rogue server is to provide clients with false IP configuration
information.
1. The client broadcasts a DHCP Discover request looking for a response from a DHCP server. Both servers
receive the message.
2. The legitimate and rogue DHCP servers each respond with valid IP configuration parameters. The client
replies to the first offer received.
3. The client received the rogue offer first. It broadcasts a DHCP request accepting the parameters from the
rogue server. The legitimate and rogue server each receive the request.
4. Only the rogue server unicasts a reply to the client to acknowledge its request. The legitimate server stops
communicating with the client because the request has already been acknowledged.
Confidentiality, Availability, and Integrity

Network security consists of protecting information and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction.
Most organizations follow the CIA information security triad:
• Confidentiality - Only authorized individuals, entities, or processes can access sensitive information. It
may require using cryptographic encryption algorithms such as AES to encrypt and decrypt data.
• Integrity - Refers to protecting data from unauthorized alteration. It requires the use of cryptographic
hashing algorithms such as SHA.
• Availability - Authorized users must have uninterrupted access to important resources and data. It
requires implementing redundant services, gateways, and links.

The Defense-in-Depth Approach

• To ensure secure communications across both public and private networks, you must secure devices
including routers, switches, servers, and hosts. Most organizations employ a defense-in-depth
approach to security. It requires a combination of networking devices and services working together.
• Several security devices and services are implemented.
o VPN
o ASA Firewall
o IPS
o ESA/WSA
o AAA Server
• All network devices including the router and switches are hardened.
• You must also secure data as it travels across various links.

Firewalls
A firewall is a system, or group of systems, that enforces an access control policy between networks.
IPS
• To defend against fast-moving and evolving attacks, you may need cost-effective detection and
prevention systems integrated into the entry and exit points of the network.
• IDS and IPS technologies share several characteristics. IDS and IPS technologies are both deployed
as sensors. An IDS or IPS sensor can be in the form of several different devices:
o A router configured with Cisco IOS IPS software
o A device specifically designed to provide dedicated IDS or IPS services
o A network module installed in an adaptive security appliance (ASA), switch, or router
• IDS and IPS technologies detect patterns in network traffic using signatures, which are sets of
rules used to detect malicious activity. IDS and IPS technologies can detect atomic
signature patterns (single-packet) or composite signature patterns (multi-packet).

The figure shows how an IPS handles denied traffic.


1. The threat actor sends a packet destined for the target
laptop.
2. The IPS intercepts the traffic and evaluates it against
known threats and the configured policies.
3. The IPS sends a log message to the management console.
4. The IPS drops the packet.

Content Security Devices

• The Cisco Email Security Appliance (ESA) is a special device designed to monitor Simple Mail Transfer
Protocol (SMTP). The Cisco ESA is constantly updated by real-time feeds from Cisco Talos. This threat
intelligence data is pulled by the Cisco ESA every three to five minutes.
• The Cisco Web Security Appliance (WSA) is a mitigation technology for web-based threats. The Cisco WSA
combines advanced malware protection, application visibility and control, acceptable use policy controls, and
reporting.
• Cisco WSA provides complete control over how users access the internet. The WSA can perform blacklisting
of URLs, URL-filtering, malware scanning, URL categorization, web application filtering, and encryption and
decryption of web traffic.
Cryptography

Securing Communications

Organizations must provide support to secure the data as it travels across links. This may include internal
traffic, but it is even more important to protect the data that travels outside of the organization.
These are the four elements of secure communications:
• Data Integrity - Guarantees that the message was not altered. Integrity is ensured by implementing either
Message Digest version 5 (MD5) or Secure Hash Algorithm (SHA) hash-generating algorithms.
• Origin Authentication - Guarantees that the message is not a forgery and does come from whom it states.
Many modern networks ensure authentication with protocols, such as hash message authentication code
(HMAC).
• Data Confidentiality - Guarantees that only authorized users can read the message. Data confidentiality is
implemented using symmetric and asymmetric encryption algorithms.
• Data Non-Repudiation - Guarantees that the sender cannot repudiate, or refute, the validity of a message
sent. Nonrepudiation relies on the fact that only the sender has the unique characteristics or signature for how
that message is treated.

Cryptography can be used almost anywhere that there is data communication. In fact, the trend is toward all
communication being encrypted.

Data Integrity

Hash functions are used to ensure the integrity of a message. They guarantee that message data has not
changed accidentally or intentionally.
In the figure, the sender is sending a $100 money transfer to Alex. The sender wants to ensure that the
message is not altered on its way to the receiver.
1. The sending device inputs the message into a hashing algorithm and computes its fixed-length hash of
4ehiDx67NMop9.
2. This hash is then attached to the message and sent to the receiver. Both the message and the hash are
in plaintext.
3. The receiving device removes the hash from the message and inputs the message into the same
hashing algorithm. If the computed hash is equal to the one that is attached to the message, the
message has not been altered during transit. If the hashes are not equal, then the integrity of the
message can no longer be trusted.
Hash Functions
• There are three well-known hash functions.
o MD5 with 128-bit Digest: MD5 is a one-way function that produces a 128-bit hashed message. MD5
is a legacy algorithm that should only be used when no better alternatives are available. Use SHA-2
instead.
o SHA Hashing Algorithm: SHA-1 is very similar to the MD5 hash functions. SHA-1 creates a 160-
bit hashed message and is slightly slower than MD5. SHA-1 has known flaws and is a legacy
algorithm. Use SHA-2 when possible.
o SHA-2: This includes SHA-224 (224 bit), SHA-256 (256 bit), SHA-384 (384 bit), and SHA-512 (512
bit). SHA-256, SHA-384, and SHA-512 are next-generation algorithms and should be used whenever
possible.
• While hashing can be used to detect accidental changes, it cannot be used to guard against deliberate
changes. This is because anyone can compute a hash for any data, if they have the correct hash
function.
• Therefore, hashing is vulnerable to man-in-the-middle attacks and does not provide security to
transmitted data.

Origin Authentication

• To add authentication to integrity assurance, use a keyed-hash message authentication code (HMAC).
• An HMAC is calculated using any cryptographic algorithm that combines a cryptographic hash function with a secret key.
• Only parties who have access to that secret key can compute the digest of an HMAC function. This defeats man-in-the-middle attacks and provides authentication of the data origin.
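The $100 transfer from the integrity figure, protected first by a plain hash and then by an HMAC, as an added example (not from the study guide): it shows why a plain hash catches an accidental change but not a man-in-the-middle rewrite, and why an HMAC catches both. The message text and the secret key are constructed; SHA-256 is used for both the hash and the HMAC.

```python
"""Added example (not from the study guide): the $100 transfer protected by a plain
SHA-256 hash and then by an HMAC-SHA256 over the same message. Message and key are
constructed sample values."""
import hashlib
import hmac

SECRET_KEY = b"pre-shared key known only to sender and receiver"   # constructed sample
MESSAGE = b"Transfer $100 to Alex"                                  # the figure's message

def attach_hash(message):
    """Steps 1-2 of the figure: compute the hash and send it with the message in plaintext."""
    return message, hashlib.sha256(message).hexdigest()

def check_hash(message, digest):
    """Step 3: recompute the hash and compare it with the one attached."""
    return hashlib.sha256(message).hexdigest() == digest

def attach_hmac(message, key):
    """Origin authentication: the digest now depends on the secret key as well."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()

def check_hmac(message, tag, key):
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison

def mitm_rewrite(message, _attached):
    """The attacker changes the amount and refreshes the integrity value the only way
    it can without the key: with a plain hash of the altered message."""
    altered = message.replace(b"$100", b"$1000")
    return altered, hashlib.sha256(altered).hexdigest()

def bit_flip(message, attached):
    """An accidental transmission error: one byte corrupted, attached value untouched."""
    corrupted = bytes([message[0] ^ 0x01]) + message[1:]
    return corrupted, attached

def demo():
    """Returns which protection catches which kind of change."""
    results = {}
    # Plain hash: catches the accident, not the deliberate rewrite.
    results["hash_catches_accident"] = not check_hash(*bit_flip(*attach_hash(MESSAGE)))
    results["hash_catches_mitm"] = not check_hash(*mitm_rewrite(*attach_hash(MESSAGE)))
    # HMAC: the attacker's refreshed plain hash is not a valid tag under the key.
    m, t = mitm_rewrite(*attach_hmac(MESSAGE, SECRET_KEY))
    results["hmac_catches_mitm"] = not check_hmac(m, t, SECRET_KEY)
    results["hmac_accepts_genuine"] = check_hmac(*attach_hmac(MESSAGE, SECRET_KEY), SECRET_KEY)
    return results

if __name__ == "__main__":
    print(demo())
```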

Data Confidentiality
There are two classes of encryption used to provide data confidentiality. These two classes differ in how
they use keys.
Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES) are
based on the premise that each communicating party knows the pre-shared key. Data confidentiality can also
be ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and the public key infrastructure (PKI).
Symmetric Encryption
• Symmetric algorithms use the same pre-shared key, also called a secret key, to encrypt and decrypt
data. A pre-shared key is known by the sender and receiver before any encrypted communications
can take place.
• Symmetric encryption algorithms are commonly used with VPN traffic because they use less CPU
resources than asymmetric encryption algorithms.
• When using symmetric encryption algorithms, the longer the key, the longer it will take for someone to discover the key. To ensure that the encryption is safe, use a minimum key length of 128 bits.

Symmetric Encryption Algorithms
• Data Encryption Algorithm (DES) - This is a legacy symmetric encryption algorithm. It can be used in stream cipher mode but usually operates in block mode by encrypting data in 64-bit block size. A stream cipher encrypts one byte or one bit at a time.
• 3DES (Triple DES) - This is a newer version of DES, but it repeats the DES algorithm process three times. It is considered very trustworthy when implemented using very short key lifetimes.
• Advanced Encryption Standard (AES) - AES is a secure and more efficient algorithm than 3DES. It is a popular and recommended symmetric encryption algorithm. It offers nine combinations of key and block length by using a variable key length of 128, 192, or 256 bits to encrypt data blocks that are 128, 192, or 256 bits long.
• Software-Optimized Encryption Algorithm (SEAL) - SEAL is a faster alternative symmetric encryption algorithm to DES, 3DES, and AES. It uses a 160-bit encryption key and has a lower impact on the CPU compared to other software-based algorithms.
• Rivest ciphers (RC) series algorithms - This algorithm was developed by Ron Rivest. Several variations have been developed, but RC4 is the most prevalent in use. RC4 is a stream cipher and is used to secure web traffic in SSL and TLS.


Asymmetric Encryption

• Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is used
for encryption is different from the key that is used for decryption.
• Asymmetric algorithms use a public key and a private key. The complementary paired key is
required for decryption. Data encrypted with the public key requires the private key to decrypt.
Asymmetric algorithms achieve confidentiality, authentication, and integrity by using this process.
• Because neither party has a shared secret, very long key lengths must be used. Asymmetric
encryption can use key lengths between 512 to 4,096 bits. Key lengths greater than or equal to 1,024
bits can be trusted while shorter key lengths are considered unreliable.
• Examples of protocols that use asymmetric key algorithms include:
o Internet Key Exchange (IKE) - This is a fundamental component of IPsec VPNs.
o Secure Socket Layer (SSL) - This is now implemented as IETF standard Transport Layer
Security (TLS).
o Secure Shell (SSH) - This protocol provides a secure remote access connection to network
devices.
o Pretty Good Privacy (PGP) - This computer program provides cryptographic privacy and
authentication. It is often used to increase the security of email communications.

• Asymmetric algorithms are substantially slower than symmetric algorithms. Their design is based on
computational problems, such as factoring extremely large numbers or computing discrete
logarithms of extremely large numbers.
• Because they are slow, asymmetric algorithms are typically used in low-volume cryptographic
mechanisms, such as digital signatures and key exchange.

Asymmetric Encryption Algorithms (key lengths in bits)
• Diffie-Hellman (DH) - Key length: 512, 1024, 2048, 3072, 4096. The Diffie-Hellman algorithm allows two parties to agree on a key that they can use to encrypt messages they want to send to each other. The security of this algorithm depends on the assumption that it is easy to raise a number to a certain power, but difficult to compute which power was used given the number and the outcome.
• Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA) - Key length: 512 - 1024. DSS specifies DSA as the algorithm for digital signatures. DSA is a public key algorithm based on the ElGamal signature scheme. Signature creation speed is similar to RSA but is 10 to 40 times slower for verification.
• Rivest, Shamir, and Adleman encryption algorithms (RSA) - Key length: 512 to 2048. RSA is for public-key cryptography that is based on the current difficulty of factoring very large numbers. It is the first algorithm known to be suitable for signing as well as encryption. It is widely used in electronic commerce protocols and is believed to be secure given sufficiently long keys and the use of up-to-date implementations.
• ElGamal - Key length: 512 - 1024. An asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement. A disadvantage of the ElGamal system is that the encrypted message becomes very big, about twice the size of the original message, and for this reason it is only used for small messages such as secret keys.
• Elliptical curve techniques - Key length: 160. Elliptic curve cryptography can be used to adapt many cryptographic algorithms, such as Diffie-Hellman or ElGamal. The main advantage of elliptic curve cryptography is that the keys can be much smaller.

Diffie-Hellman

• Diffie-Hellman (DH) is an asymmetric mathematical algorithm where two computers generate an identical shared secret key without having communicated before. The new shared key is never actually exchanged between the sender and receiver.
• Here are three examples of instances when DH is commonly used:
o Data is exchanged using an IPsec VPN.
o Data is encrypted on the internet using either SSL or TLS.
o SSH data is exchanged.
• DH security uses unbelievably large numbers in its calculations.
• Unfortunately, asymmetric key systems are extremely slow for any sort of bulk encryption. Therefore, it is common to encrypt the bulk of the traffic using a symmetric algorithm, such as 3DES or AES, and then use the DH algorithm to create keys that will be used by the encryption algorithm.

• The colors in the figure will be used instead of numbers to simplify the DH key agreement process. The DH key exchange begins with Alice and Bob agreeing on an arbitrary common color that does not need to be kept secret. The agreed upon color in our example is yellow.
• Next, Alice and Bob will each select a secret color. Alice chose red while Bob chose blue. These secret colors will never be shared with anyone. The secret color represents the chosen secret private key of each party.
• Alice and Bob now mix the shared common color (yellow) with their respective secret color to produce a private color. Therefore, Alice will mix the yellow with her red color to produce a private color of orange. Bob will mix the yellow and the blue to produce a private color of green.
• Alice sends her private color (orange) to Bob and Bob sends his private color (green) to Alice.
• Alice and Bob each mix the color they received with their own, original secret color (red for Alice and blue for Bob). The result is a final brown color mixture that is identical to the other's final color mixture. The brown color represents the resulting shared secret key between Bob and Alice.
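The color-mixing walk-through carried out with numbers, as an added example (not from the study guide): the public "yellow" is the group (p, g), each secret color is a private exponent, the exchanged "orange" and "green" are g^a mod p and g^b mod p, and the final "brown" is the identical shared secret that is then hashed into a symmetric key. The group is a toy 10-bit safe prime chosen here for illustration, and the SHA-256 key derivation is an assumption; real deployments use the 2048-bit or larger groups from the key-length table.

```python
"""Added example (not from the study guide): Diffie-Hellman with numbers in place of
colours. The toy group (p, g) and the SHA-256 key derivation are choices made for
this example; real deployments use 2048-bit or larger groups."""
import hashlib
import secrets

P = 1019   # toy safe prime, P = 2*Q + 1 (constructed choice, far too small for real use)
Q = 509    # prime order of the subgroup generated by G
G = 4      # 4 = 2^2 is a quadratic residue mod P, so it generates the order-Q subgroup

def make_private(q=Q):
    """Secret colour: a random exponent in [1, q-1] that is never transmitted."""
    return 1 + secrets.randbelow(q - 1)

def make_public(private, p=P, g=G):
    """Mix the public colour with the secret one: g^private mod p (Alice's orange)."""
    return pow(g, private, p)

def shared_secret(their_public, my_private, p=P):
    """Mix the received colour with my own secret: their_public^my_private mod p."""
    if not 1 < their_public < p - 1:
        raise ValueError("degenerate public value rejected")   # 0, 1 or p-1 force a trivial secret
    return pow(their_public, my_private, p)

def derive_symmetric_key(shared, length=16):
    """Hash the shared number into a fixed-size key for the symmetric cipher (AES/3DES)
    that carries the bulk traffic, as the text above describes. Plain SHA-256 is an
    assumption made for this example, not a key derivation taken from the guide."""
    nbytes = (shared.bit_length() + 7) // 8 or 1
    return hashlib.sha256(shared.to_bytes(nbytes, "big")).digest()[:length]

def dh_exchange():
    """Run the full exchange. Returns Alice's key, Bob's key and the two values sent on the wire."""
    a, b = make_private(), make_private()                        # red, blue
    alice_public, bob_public = make_public(a), make_public(b)    # orange, green
    k_alice = derive_symmetric_key(shared_secret(bob_public, a))  # brown
    k_bob = derive_symmetric_key(shared_secret(alice_public, b))  # brown
    return k_alice, k_bob, (alice_public, bob_public)

def brute_force_private(public, p=P, g=G, q=Q):
    """What an eavesdropper must do: recover the exponent from the public value.
    Trivial for this toy group, infeasible at real key lengths."""
    for exponent in range(1, q):
        if pow(g, exponent, p) == public:
            return exponent
    return None

if __name__ == "__main__":
    k_a, k_b, wire = dh_exchange()
    print("on the wire:", wire, "keys match:", k_a == k_b)
```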
ACL

What is an ACL?

An ACL is a series of IOS commands that are used to filter packets based on information found in the packet
header. By default, a router does not have any ACLs configured. When an ACL is applied to an interface,
the router performs the additional task of evaluating all network packets as they pass through the interface to
determine if the packet can be forwarded.
• An ACL uses a sequential list of permit or deny statements, known as access control entries (ACEs).
Note: ACEs are also commonly called ACL statements.

• When network traffic passes through an interface configured with an ACL, the router compares the
information within the packet against each ACE, in sequential order, to determine if the packet
matches one of the ACEs. This process is called packet filtering.

Several tasks performed by routers require the use of ACLs to identify traffic:
• Limit network traffic to increase network performance
• Provide traffic flow control
• Provide a basic level of security for network access
• Filter traffic based on traffic type
• Screen hosts to permit or deny access to network services
• Provide priority to certain classes of network traffic

Packet Filtering
• Packet filtering controls access to a network by analyzing the incoming and/or outgoing packets and
forwarding them or discarding them based on given criteria.
• Packet filtering can occur at Layer 3 or Layer 4.
• Cisco routers support two types of ACLs:
o Standard ACLs - ACLs only filter at Layer
3 using the source IPv4 address only.
o Extended ACLs - ACLs filter at Layer 3
using the source and / or destination IPv4
address. They can also filter at Layer 4
using TCP, UDP ports, and optional
protocol type information for finer control.
ACL Operation

• ACLs define the set of rules that give added control for packets that enter inbound interfaces, packets
that relay through the router, and packets that exit outbound interfaces of the router.
• ACLs can be configured to apply to inbound traffic and outbound traffic.
Note: ACLs do not act on packets that originate from the router itself.

• An inbound ACL filters packets before they are routed to the outbound interface. An inbound ACL is
efficient because it saves the overhead of routing lookups if the packet is discarded.
• An outbound ACL filters packets after being routed, regardless of the inbound interface.

When an ACL is applied to an interface, it follows a specific operating procedure. Here are the operational
steps used when traffic has entered a router interface with an inbound standard IPv4 ACL configured:
1. The router extracts the source IPv4 address from the packet header.
2. The router starts at the top of the ACL and compares the source IPv4 address to each ACE in a
sequential order.
3. When a match is made, the router carries out the instruction, either permitting or denying the packet,
and the remaining ACEs in the ACL, if any, are not analyzed.
4. If the source IPv4 address does not match any ACEs in the ACL, the packet is discarded because there
is an implicit deny ACE automatically applied to all ACLs.
The last ACE statement of an ACL is always an implicit deny that blocks all traffic. It is hidden and not displayed in
the configuration.
Note: An ACL must have at least one permit statement otherwise all traffic will be denied due to the implicit deny
ACE statement.

Wildcard Masks in ACLs

A wildcard mask is similar to a subnet mask in that it uses the ANDing process to identify which bits in an
IPv4 address to match. Unlike a subnet mask, in which binary 1 is equal to a match and binary 0 is not a
match, in a wildcard mask, the reverse is true.
• An IPv4 ACE uses a 32-bit wildcard mask to determine which bits of the address to examine for a
match.
• Wildcard masks use the following rules to match binary 1s and 0s:
o Wildcard mask bit 0 - Match the corresponding bit value in the address
o Wildcard mask bit 1 - Ignore the corresponding bit value in the address
Wildcard Mask   Last Octet (in Binary)   Meaning (0 - match, 1 - ignore)
0.0.0.0         00000000                 Match all octets.
0.0.0.63        00111111                 Match the first three octets; match the two left most bits of the
                                         last octet; ignore the last 6 bits.
0.0.0.15        00001111                 Match the first three octets; match the four left most bits of the
                                         last octet; ignore the last 4 bits of the last octet.
0.0.0.248       11111100                 Match the first three octets; ignore the six left most bits of the
                                         last octet; match the last two bits.
0.0.0.255       11111111                 Match the first three octets; ignore the last octet.

Wildcard Mask Types

Wildcard to Match a Host:


• Assume ACL 10 needs an ACE that only permits the host with IPv4 address 192.168.1.1. Recall that
“0” equals a match and “1” equals ignore. To match a specific host IPv4 address, a wildcard mask
consisting of all zeroes (i.e., 0.0.0.0) is required.
• When the ACE is processed, the wildcard mask will permit only the 192.168.1.1 address. The
resulting ACE in ACL 10 would be access-list 10 permit 192.168.1.1 0.0.0.0.

                          Decimal        Binary
IPv4 address              192.168.1.1    11000000.10101000.00000001.00000001
Wildcard Mask             0.0.0.0        00000000.00000000.00000000.00000000
Permitted IPv4 Address    192.168.1.1    11000000.10101000.00000001.00000001

Wildcard Mask to Match an IPv4 Subnet


• ACL 10 needs an ACE that permits all hosts in the 192.168.1.0/24 network. The wildcard mask 0.0.0.255
stipulates that the very first three octets must match exactly but the fourth octet does not.
• When processed, the wildcard mask 0.0.0.255 permits all hosts in the 192.168.1.0/24 network. The resulting
ACE in ACL 10 would be access-list 10 permit 192.168.1.0 0.0.0.255.

                          Decimal           Binary
IPv4 address              192.168.1.1       11000000.10101000.00000001.00000001
Wildcard Mask             0.0.0.255         00000000.00000000.00000000.11111111
Permitted IPv4 Address    192.168.1.0/24    11000000.10101000.00000001.00000000


Wildcard Mask to Match an IPv4 Address Range
• ACL 10 needs an ACE that permits all hosts in the 192.168.16.0/24, 192.168.17.0/24, …, 192.168.31.0/24
networks.
• When processed, the wildcard mask 0.0.15.255 permits all hosts in the 192.168.16.0/24 to 192.168.31.0/24
networks. The resulting ACE in ACL 10 would be access-list 10 permit 192.168.16.0 0.0.15.255.

                          Decimal            Binary
IPv4 address              192.168.16.0       11000000.10101000.00010000.00000000
Wildcard Mask             0.0.15.255         00000000.00000000.00001111.11111111
Permitted IPv4 Address    192.168.16.0/24    11000000.10101000.00010000.00000000
                          to
                          192.168.31.0/24    11000000.10101000.00011111.00000000

Wildcard Mask Keywords


The Cisco IOS provides two keywords to identify the most common uses of wildcard masking. The two
keywords are:
• host - This keyword substitutes for the 0.0.0.0 mask. This mask states that all IPv4 address bits must match to
filter just one host address.
• any - This keyword substitutes for the 255.255.255.255 mask. This mask says to ignore the entire IPv4
address or to accept any addresses.
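The wildcard rules, the host and any keywords, and the first-match-then-implicit-deny procedure from ACL Operation, brought together as an added example in Python (not code from the study guide or from Cisco IOS). The ACL text, the sequence numbering (10, 20, 30, as IOS assigns when none is given) and the packet sources are constructed sample values. Note that last_octet_binary derives the bits from the decimal value, so for 0.0.0.248 it returns 11111000 (five ignore bits, three match bits), which is the binary value of 248.

```python
# Added example, not code from the study guide: a standard IPv4 ACL evaluator that
# applies wildcard masks the way a router does (mask bit 0 = compare, bit 1 = ignore),
# walks the ACEs in order, stops at the first match, applies the implicit deny and
# keeps per-ACE match counters like "show access-lists".
from ipaddress import IPv4Address

def to_int(addr: str) -> int:
    return int(IPv4Address(addr))

def wildcard_match(packet_src: str, ace_addr: str, wildcard: str) -> bool:
    """Compare only the bits where the wildcard mask is 0."""
    care = 0xFFFFFFFF ^ to_int(wildcard)          # invert: 1 = bit we must compare
    return (to_int(packet_src) & care) == (to_int(ace_addr) & care)

def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask covering one /prefix_len block: 24 -> 0.0.0.255, 20 -> 0.0.15.255."""
    return str(IPv4Address((1 << (32 - prefix_len)) - 1))

def last_octet_binary(wildcard: str) -> str:
    """Binary form of the last wildcard octet, as in the table above."""
    return format(to_int(wildcard) & 0xFF, "08b")

def parse_ace(text: str):
    """Parse 'permit 192.168.1.0 0.0.0.255', 'deny host 10.0.0.5' or 'permit any'
    into (action, address, wildcard); 'host' and 'any' expand to their masks."""
    parts = text.split()
    action, target = parts[0], parts[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if target == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if target == "host":
        return action, parts[2], "0.0.0.0"
    wildcard = parts[2] if len(parts) > 2 else "0.0.0.0"   # IOS default when omitted
    return action, target, wildcard

class StandardAcl:
    def __init__(self, aces):
        # sequence numbers 10, 20, 30, ... as IOS assigns when none is given
        self.entries = [(i * 10, text, parse_ace(text)) for i, text in enumerate(aces, start=1)]
        self.matches = {seq: 0 for seq, _, _ in self.entries}
        self.implicit_denies = 0      # IOS shows no counter for the implicit deny

    def evaluate(self, packet_src: str):
        """Return (action, sequence) of the first matching ACE, or ('deny', None)."""
        for seq, _, (action, addr, wildcard) in self.entries:
            if wildcard_match(packet_src, addr, wildcard):
                self.matches[seq] += 1
                return action, seq             # remaining ACEs are not examined
        self.implicit_denies += 1
        return "deny", None                    # implicit deny any at the end

    def show(self) -> str:
        """Text resembling 'show access-lists', including match counts."""
        lines = []
        for seq, text, _ in self.entries:
            n = self.matches[seq]
            lines.append(f"    {seq} {text}" + (f" ({n} match(es))" if n else ""))
        return "\n".join(lines)

if __name__ == "__main__":
    acl = StandardAcl(["permit host 192.168.10.10", "permit 192.168.20.0 0.0.0.255"])
    for src in ["192.168.10.10", "192.168.20.77", "192.168.10.11", "10.1.1.1"]:
        print(f"{src:15} -> {acl.evaluate(src)}")
    print(acl.show())
```

Running it shows why an ACL with only permit statements still drops everything else: the two hosts outside the permitted entries fall through to the implicit deny and no counter records them, which is the reason the guide recommends an explicit deny any when you need those statistics.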

Limited Number of ACLs per Interface

There is a limit on the number of ACLs that can be applied on a router interface. For example, a dual-
stacked (i.e., IPv4 and IPv6) router interface can have up to four ACLs applied, as shown in the figure.
Specifically, a router interface can have:
• One outbound IPv4 ACL.
• One inbound IPv4 ACL.
• One inbound IPv6 ACL.
• One outbound IPv6 ACL.

Note: ACLs do not have to be configured in both directions. The number of ACLs and their direction applied to
the interface will depend on the security policy of the organization.
ACL Best Practices

Using ACLs requires attention to detail and great care. Mistakes can be costly in terms of downtime,
troubleshooting efforts, and poor network service. Basic planning is required before configuring an ACL.

Guideline - Benefit
• Base ACLs on the organizational security policies. - This will ensure you implement organizational security
guidelines.
• Write out what you want the ACL to do. - This will help you avoid inadvertently creating potential access
problems.
• Use a text editor to create, edit, and save all of your ACLs. - This will help you create a library of reusable
ACLs.
• Document the ACLs using the remark command. - This will help you (and others) understand the purpose of
an ACE.
• Test the ACLs on a development network before implementing them on a production network. - This will
help you avoid costly errors.

Standard and Extended ACLs

There are two types of IPv4 ACLs:


• Standard ACLs - These permit or deny packets based only on the source IPv4 address.
• Extended ACLs - These permit or deny packets based on the source IPv4 address and destination IPv4
address, protocol type, source and destination TCP or UDP ports and more.

Numbered and Named ACLs

Numbered ACLs
• ACLs numbered 1-99, or 1300-1999 are standard ACLs, while ACLs numbered 100-199, or 2000-
2699 are extended ACLs.
R1(config)# access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
rate-limit Simple rate-limit specific access list
template Enable IP template acls
Router(config)# access-list
Named ACLs
• Named ACLs are the preferred method to use when configuring ACLs. Specifically, standard and
extended ACLs can be named to provide information about the purpose of the ACL. For example,
naming an extended ACL FTP-FILTER is far better than having a numbered ACL 100.
• The ip access-list global configuration command is used to create a named ACL, as shown in the
following example.
R1(config)# ip access-list extended FTP-FILTER
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp
R1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 any eq ftp-data
R1(config-ext-nacl)#

Where to Place ACLs

• Every ACL should be placed where it has the greatest impact on efficiency.
• Extended ACLs should be located as close as possible to the source of the traffic to be filtered.
• Standard ACLs should be located as close to the destination as possible.

Factors Influencing ACL Placement - Explanation
• The extent of organizational control - Placement of the ACL can depend on whether or not the organization
has control of both the source and destination networks.
• Bandwidth of the networks involved - It may be desirable to filter unwanted traffic at the source to prevent
transmission of bandwidth-consuming traffic.
• Ease of configuration - It may be easier to implement an ACL at the destination, but traffic will use
bandwidth unnecessarily. An extended ACL could be used on each router where the traffic originated. This
would save bandwidth by filtering the traffic at the source, but it would require creating extended ACLs on
multiple routers.
Standard ACL Placement Example

In the figure, the administrator wants to prevent traffic originating in the 192.168.10.0/24 network from
reaching the 192.168.30.0/24 network. Following the basic placement guidelines, the administrator would
place a standard ACL on router R3.

There are two possible interfaces on R3 to apply the standard ACL:
• R3 S0/1/1 interface (inbound) - The standard ACL can be applied inbound on the R3 S0/1/1 interface to deny
traffic from the .10 network. However, it would also filter .10 traffic to the 192.168.31.0/24 (.31 in this
example) network. Therefore, the standard ACL should not be applied to this interface.
• R3 G0/0/0 interface (outbound) - The standard ACL can be applied outbound on the R3 G0/0/0 interface. This
will not affect other networks that are reachable by R3. Packets from the .10 network will still be able to reach
the .31 network. This is the best interface to place the standard ACL to meet the traffic requirements.

Extended ACL Placement Example

• Extended ACLs should be located as close to the source as possible.
• However, the organization can only place ACLs on devices that they control. Therefore, the
extended ACL placement must be determined in the context of where organizational control extends.
• In the figure, for example, Company A wants to deny Telnet and FTP traffic to Company B’s
192.168.30.0/24 network from their 192.168.11.0/24 network, while permitting all other traffic.

An extended ACL on R3 would accomplish the task, but the administrator does not control R3. In addition,
this solution allows unwanted traffic to cross the entire network, only to be blocked at the destination.
The solution is to place an extended ACL on R1 that specifies both source and destination addresses.
There are two possible interfaces on R1 to apply the extended ACL:
• R1 S0/1/0 interface (outbound) - The extended ACL can be applied outbound on the S0/1/0 interface. This
solution will process all packets leaving R1, including packets from 192.168.10.0/24.
• R1 G0/0/1 interface (inbound) - The extended ACL can be applied inbound on G0/0/1, and only packets
from the 192.168.11.0/24 network are subject to ACL processing on R1. Because the filter is to be limited to
only those packets leaving the 192.168.11.0/24 network, applying the extended ACL to G0/0/1 is the best
solution.

Configure Standard IPv4 ACLs

Numbered Standard IPv4 ACL Syntax


To create a numbered standard ACL, use the access-list command.

Parameter Description

access-list-number Number range is 1 to 99 or 1300 to 1999

deny Denies access if the condition is matched

permit Permits access if the condition is matched

remark text (Optional) text entry for documentation purposes

source Identifies the source network or host address to filter

source-wildcard (Optional) 32-bit wildcard mask that is applied to the source

log (Optional) Generates and sends an informational message when the ACE is matched

Note: Use the no access-list access-list-number global configuration command to remove a numbered standard ACL.

Named Standard IPv4 ACL Syntax


To create a named standard ACL, use the ip access-list standard command.
• ACL names are alphanumeric, case sensitive, and must be unique.
• Capitalizing ACL names is not required but makes them stand out when viewing the running-config output.
Apply a Standard IPv4 ACL
After a standard IPv4 ACL is configured, it must be linked to an interface or feature.
• The ip access-group command is used to bind a numbered or named standard IPv4 ACL to an interface.
• To remove an ACL from an interface, first enter the no ip access-group interface configuration command.

Numbered Standard ACL Example


The example ACL permits traffic from host 192.168.10.10 and all hosts on the 192.168.20.0/24 network out
interface serial 0/1/0 on router R1.

• Use the show running-config command to review the ACL in the configuration.
• Use the show ip interface command to verify the ACL is applied to the interface.
Named Standard ACL Example
The example ACL permits traffic from host 192.168.10.10 and all hosts on the 192.168.20.0/24 network out
interface serial 0/1/0 on router R1.

• Use the show access-list command to review the ACL in the configuration.
• Use the show ip interface command to verify the ACL is applied to the interface.

Two Methods to Modify an ACL

After an ACL is configured, it may need to be modified. ACLs with multiple ACEs can be complex to
configure. Sometimes the configured ACE does not yield the expected behaviors.
There are two methods to use when modifying an ACL:
• Use a text editor.
• Use sequence numbers.
Text Editor Method
ACLs with multiple ACEs should be created in a text editor. This allows you to plan the required ACEs,
create the ACL, and then paste it into the router interface. It also simplifies the tasks to edit and fix an ACL.
To correct an error in an ACL:
• Copy the ACL from the running
configuration and paste it into the text editor.
• Make the necessary edits or changes.
• Remove the previously configured ACL on
the router.
• Copy and paste the edited ACL back to the
router.

Sequence Number Method


An ACL ACE can be deleted or added using the ACL sequence numbers.
• Use the ip access-list standard command to edit an ACL.
• Statements cannot be overwritten using an existing sequence number. The current statement must be
deleted first with the no 10 command. Then the correct ACE can be added using the sequence number.

Modify a Named ACL Example


Named ACLs can also use sequence numbers to delete and add ACEs. In the example an ACE is added to
deny hosts 192.168.10.11.
ACL Statistics
The show access-lists command in the example shows statistics for each statement that has been matched.
• The deny ACE has been matched 20 times and the permit ACE has been matched 64 times.
• Note that the implied deny any statement
does not display any statistics. To track how
many implicit denied packets have been
matched, you must manually configure the
deny any command.
• Use the clear access-list counters command
to clear the ACL statistics.

Secure VTY Ports with a Standard IPv4 ACL

The access-class Command

A standard ACL can secure remote administrative access to a device using the vty lines by implementing the
following two steps:
• Create an ACL to identify which administrative hosts should be allowed remote access.
• Apply the ACL to incoming traffic on the vty lines.

Secure VTY Access Example


This example demonstrates how to configure an ACL to filter vty traffic.
• First, a local database entry for a user ADMIN and password class is configured.
• The vty lines on R1 are configured to use the local database for authentication, permit SSH traffic, and use
the ADMIN-HOST ACL to restrict traffic.
Verify the VTY Port is Secured
After an ACL to restrict access to the vty lines is configured, it is important to verify it works as expected.
To verify the ACL statistics, issue the show access-lists command.
• The match in the permit line of the output is a result of a successful SSH connection by host with IP address
192.168.10.10.
• The match in the deny statement is due to the failed attempt to create an SSH connection from a device on
another network.

Extended ACLs

Extended ACLs provide a greater degree of control. They can filter on source address, destination address,
protocol (i.e., IP, TCP, UDP, ICMP), and port number.
Extended ACLs can be created as:
• Numbered Extended ACL - Created using the access-list access-list-number global configuration command.
• Named Extended ACL - Created using the ip access-list extended access-list-name.

Protocols and Ports


Extended ACLs can filter on internet protocols and ports. Use the ? to get help when entering a complex
ACE. The four highlighted protocols are the most popular options.

Protocol Options
Selecting a protocol influences port options. Many TCP port options are available, as shown in the output.

Protocols and Port Numbers Configuration Examples

Extended ACLs can filter on different port number and port name options.
This example configures an extended ACL 100 to filter HTTP traffic. The first ACE uses the www port
name. The second ACE uses the port number 80. Both ACEs achieve exactly the same result.

Configuring the port number is required when there is not a specific protocol name listed such as SSH (port
number 22) or an HTTPS (port number 443), as shown in the next example.
Apply a Numbered Extended IPv4 ACL

In this example, the ACL permits both HTTP and HTTPS traffic from the 192.168.10.0 network to go to any
destination.
Extended ACLs can be applied in various locations. However, they are commonly applied close to the
source. Here ACL 110 is applied inbound on the R1 G0/0/0 interface.

TCP Established Extended ACL

TCP can also perform basic stateful firewall services using the TCP established keyword.
• The established keyword enables inside traffic to exit the inside private network and permits the returning
reply traffic to enter the inside private network.
• TCP traffic generated by an outside host and attempting to communicate with an inside host is denied.
• ACL 120 is configured to only permit returning web traffic to the inside hosts. The ACL is then applied
outbound on the R1 G0/0/0 interface.
• The show access-lists command shows that inside hosts are accessing the secure web resources from the
internet.

Note: A match occurs if the returning TCP segment has the ACK or reset (RST) flag bits set, indicating that the packet
belongs to an existing connection.
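ACL 110 (HTTP and HTTPS from the inside network, applied inbound) and the established behaviour of ACL 120 (only replies from web servers, applied outbound toward the inside) modelled as an added example in Python; this is not code from the study guide or from Cisco IOS. The ExtendedAce layout, the sequence numbering and the sample packets are constructed assumptions; the established test is exactly the one in the note above, a match only when ACK or RST is set.

```python
# Added example, not code from the study guide: an extended IPv4 ACL matcher that
# filters on protocol, source/destination address with wildcards, port numbers and
# the 'established' keyword. ACL entries and packets are constructed samples.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False           # TCP flag bits; only meaningful when proto == "tcp"
    rst: bool = False

@dataclass
class ExtendedAce:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    sport: Optional[int] = None     # 'eq <port>' on the source side, None = any port
    dport: Optional[int] = None     # 'eq <port>' on the destination side
    established: bool = False       # require ACK or RST (reply to an inside-opened session)

def wildcard_match(addr: str, ace_addr: str, wildcard: str) -> bool:
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))     # wildcard 0 bits must match
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(ace_addr)) & care)

def ace_matches(ace: ExtendedAce, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wildcard):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wildcard):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.established and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False                                    # a bare SYN never matches
    return True

def evaluate(acl, pkt: Packet):
    """First-match evaluation with the implicit deny; returns (action, sequence or None)."""
    for seq, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, seq * 10
    return "deny", None

ANY = ("0.0.0.0", "255.255.255.255")
INSIDE = ("192.168.10.0", "0.0.0.255")

# ACL 110, inbound on the inside interface: inside hosts may open HTTP and HTTPS anywhere.
ACL_110 = [
    ExtendedAce("permit", "tcp", *INSIDE, *ANY, dport=80),
    ExtendedAce("permit", "tcp", *INSIDE, *ANY, dport=443),
]
# ACL 120, outbound toward the inside: only HTTPS replies to sessions already opened
# from the inside are allowed back in.
ACL_120 = [
    ExtendedAce("permit", "tcp", *ANY, *INSIDE, sport=443, established=True),
]

if __name__ == "__main__":
    web = "209.165.201.1"
    print("inside -> web 443:", evaluate(ACL_110, Packet("tcp", "192.168.10.10", web, 2031, 443)))
    print("inside -> web udp/80:", evaluate(ACL_110, Packet("udp", "192.168.10.10", web, 2031, 80)))
    print("reply, ACK set:", evaluate(ACL_120, Packet("tcp", web, "192.168.10.10", 443, 2031, ack=True)))
    print("outside SYN to inside:", evaluate(ACL_120, Packet("tcp", web, "192.168.10.10", 443, 2031)))
```

The established check inspects only the flag bits of the segment in front of it; it keeps no record of which sessions the inside actually opened. That is why the guide calls it "basic" stateful filtering: a firewall that tracks connection state is the control to use where that distinction matters.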
NAT

IPv4 Address Space


• Networks are commonly implemented using private IPv4 addresses, as defined in RFC 1918.
• Private IPv4 addresses cannot be routed over the internet and are used within an organization or site to
allow devices to communicate locally.
• To allow a device with a private IPv4 address to access devices and resources outside of the local
network, the private address must first be translated to a public address.
• NAT provides the translation of private addresses to public addresses.

Class   RFC 1918 Private Address Range       Prefix
A       10.0.0.0 – 10.255.255.255            10.0.0.0/8
B       172.16.0.0 – 172.31.255.255          172.16.0.0/12
C       192.168.0.0 – 192.168.255.255        192.168.0.0/16

What is NAT
• The primary use of NAT is to conserve public IPv4 addresses.
• NAT allows networks to use private IPv4 addresses internally and translates them to a public address
when needed.
• A NAT router typically operates at the border of a stub network.
• When a device inside the stub network wants to communicate with a device outside of its network, the
packet is forwarded to the border router which performs the NAT process, translating the internal private
address of the device to a public, outside, routable address.
How NAT Works
PC1 wants to communicate with an outside web server with public address 209.165.201.1.
1. PC1 sends a packet addressed to the web server.
2. R2 receives the packet and reads the source IPv4 address to determine if it needs translation.
3. R2 adds mapping of the local to global address to the NAT table.
4. R2 sends the packet with the translated source address toward the destination.
5. The web server responds with a packet addressed to the inside global address of PC1 (209.165.200.226).
6. R2 receives the packet with destination address 209.165.200.226. R2 checks the NAT table and finds an entry
for this mapping. R2 uses this information and translates the inside global address (209.165.200.226) to the
inside local address (192.168.10.10), and the packet is forwarded toward PC1.

NAT Terminology

NAT includes four types of addresses:


• Inside local address
• Inside global address
• Outside local address
• Outside global address
NAT terminology is always applied from the perspective of the device with the translated address:
• Inside address - The address of the device which is being translated by NAT.
• Outside address - The address of the destination device.
• Local address - A local address is any address that appears on the inside portion of the network.
• Global address - A global address is any address that appears on the outside portion of the network.
Inside local address
The address of the source as seen from inside the network. This is typically a private IPv4 address. The inside local
address of PC1 is 192.168.10.10.

Inside global address
The address of the source as seen from the outside network. The inside global address of PC1 is
209.165.200.226.

Outside global address
The address of the destination as seen from the outside network. The outside global address of the web
server is 209.165.201.1.

Outside local address
The address of the destination as seen from the inside network. PC1 sends traffic to the web server at the
IPv4 address 209.165.201.1. While uncommon, this address could be different than the globally routable
address of the destination.

Types of NAT

Static NAT

Static NAT uses a one-to-one mapping of local and global addresses configured by the network
administrator that remain constant.
• Static NAT is useful for web servers or devices that must have a consistent address that is accessible from
the internet, such as a company web server.
• It is also useful for devices that must be accessible by authorized personnel when offsite, but not by the
general public on the internet.
Note: Static NAT requires that enough public addresses are available to satisfy the total number of simultaneous user
sessions.
Dynamic NAT

Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis.
• When an inside device requests access to an outside network, dynamic NAT assigns an available public
IPv4 address from the pool.
• The other addresses in the pool are still available for use.
Note: Dynamic NAT requires that enough public addresses are available to satisfy the total number of simultaneous user
sessions.

Port Address Translation

Port Address Translation (PAT), also known as NAT overload, maps multiple private IPv4 addresses to a
single public IPv4 address or a few addresses.
• With PAT, when the NAT router receives a packet from the client, it uses the source port number to
uniquely identify the specific NAT translation.
• PAT ensures that devices use a different TCP port number for each session with a server on the internet.

Next Available Port

PAT attempts to preserve the original source port. If the original source port is already used, PAT assigns
the first available port number starting from the beginning of the appropriate port group 0-511, 512-1,023, or
1,024-65,535.
• When there are no more ports available and there is more than one external address in the address pool,
PAT moves to the next address to try to allocate the original source port.
• The process continues until there are no more available ports or external IPv4 addresses in the
address pool.
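The NAT table walk-through under How NAT Works (steps 1 to 6) and the PAT port-allocation rules just described, as an added example in Python; this is not code from the study guide or from a router. The PatRouter class and its method names are assumptions for this example; the addresses are the guide's sample values (PC1 192.168.10.10, inside global 209.165.200.226, web server 209.165.201.1) and the traffic is constructed. It goes one step beyond the text by showing the second pool address being used once a port group on the first address is exhausted.

```python
# Added example, not code from the study guide: a minimal PAT (NAT overload) model.
# Outbound packets keep their original source port when it is free on the first pool
# address; otherwise the first free port in the same port group is used, and when the
# group is exhausted the next pool address is tried. Returning packets are looked up
# in the table; packets with no entry are dropped.
PORT_GROUPS = [(0, 511), (512, 1023), (1024, 65535)]

def port_group(port: int):
    """Return the (low, high) group the guide describes for a source port."""
    for low, high in PORT_GROUPS:
        if low <= port <= high:
            return low, high
    raise ValueError(f"invalid port {port}")

class PatRouter:
    def __init__(self, inside_global_pool):
        self.pool = list(inside_global_pool)
        self.table = {}     # (inside_local, local_port) -> (inside_global, global_port)
        self.in_use = {}    # (inside_global, global_port) -> (inside_local, local_port)

    def _allocate(self, local_port: int):
        low, high = port_group(local_port)
        for global_ip in self.pool:
            if (global_ip, local_port) not in self.in_use:
                return global_ip, local_port             # preserve the original port
            for port in range(low, high + 1):            # else first free port in the group
                if (global_ip, port) not in self.in_use:
                    return global_ip, port
        raise RuntimeError("no free port or address left in the pool")   # translation fails

    def translate_outbound(self, inside_local, local_port, outside, outside_port):
        """Inside -> outside (steps 2-4): rewrite the source; reuse an entry for a known flow."""
        key = (inside_local, local_port)
        if key not in self.table:
            mapping = self._allocate(local_port)
            self.table[key] = mapping
            self.in_use[mapping] = key
        global_ip, global_port = self.table[key]
        return global_ip, global_port, outside, outside_port

    def translate_inbound(self, outside, outside_port, inside_global, global_port):
        """Outside -> inside (steps 5-6): rewrite the destination, or None if no entry exists."""
        entry = self.in_use.get((inside_global, global_port))
        if entry is None:
            return None                 # unsolicited inbound packet: no mapping, dropped
        inside_local, local_port = entry
        return outside, outside_port, inside_local, local_port

    def show_translations(self):
        """Rows resembling 'show ip nat translations': inside global, inside local."""
        return [(f"{g}:{gp}", f"{l}:{lp}") for (l, lp), (g, gp) in self.table.items()]

if __name__ == "__main__":
    r2 = PatRouter(["209.165.200.226"])
    web = "209.165.201.1"
    print(r2.translate_outbound("192.168.10.10", 2031, web, 80))    # port 2031 preserved
    print(r2.translate_outbound("192.168.10.11", 2031, web, 80))    # collision -> 1024
    print(r2.translate_inbound(web, 80, "209.165.200.226", 1024))   # back to .11:2031
    print(r2.translate_inbound(web, 80, "209.165.200.226", 5555))   # None: dropped
    for row in r2.show_translations():
        print(*row)
```

The inbound lookup is the part worth noticing from a security standpoint: a packet arriving at the inside global address is only forwarded when an inside host created the entry first, which is the behaviour behind the guide's later remark that NAT disrupts services needing connections initiated from the outside.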
NAT and PAT Comparison
Summary of the differences between NAT and PAT.

NAT - Only modifies the IPv4 addresses between Inside Local and Inside Global.
    Inside Global Address     Inside Local Address
    209.165.200.226           192.168.10.10

PAT - PAT modifies both the IPv4 address and the port number.
    Inside Global Address     Inside Local Address
    209.165.200.226:2031      192.168.10.10:2031

NAT                                                            PAT
One-to-one mapping between Inside Local and Inside Global      One Inside Global address can be mapped to many
addresses.                                                     Inside Local addresses.
Uses only IPv4 addresses in the translation process.           Uses IPv4 addresses and TCP or UDP source port
                                                               numbers in the translation process.
A unique Inside Global address is required for each inside     A single unique Inside Global address can be shared
host accessing the outside network.                            by many inside hosts accessing the outside network.

Packets without a Layer 4 Segment

Some packets do not contain a Layer 4 port number, such as ICMPv4 messages. Each of these types of
protocols is handled differently by PAT.
For example, ICMPv4 query messages, echo requests, and echo replies include a Query ID. ICMPv4 uses
the Query ID to identify an echo request with its corresponding echo reply.
Note: Other ICMPv4 messages do not use the Query ID. These messages and other protocols that do not use TCP or
UDP port numbers vary and are beyond the scope of this curriculum.

Advantages of NAT
• NAT conserves the legally registered addressing scheme by allowing the privatization of intranets.
• NAT conserves addresses through application port-level multiplexing.
• NAT increases the flexibility of connections to the public network.
• NAT provides consistency for internal network addressing schemes.
• NAT allows the existing private IPv4 address scheme to remain while allowing for easy change to a
new public addressing scheme.
• NAT hides the IPv4 addresses of users and other devices.
Disadvantages of NAT
• NAT increases forwarding delays.
• End-to-end addressing is lost.
• End-to-end IPv4 traceability is lost.
• NAT complicates the use of tunneling protocols, such as IPsec.
• Services that require the initiation of TCP connections from the outside network, or stateless
protocols, such as those using UDP, can be disrupted.

Static NAT

Static NAT Scenario


• Static NAT is a one-to-one mapping between an inside address and an outside address.
• Static NAT allows external devices to
initiate connections to internal devices
using the statically assigned public
address.
• For instance, an internal web server may
be mapped to a specific inside global
address so that it is accessible from outside
networks.

Configure Static NAT


There are two basic tasks when configuring static NAT translations:
• Step 1 - Create a mapping between the inside local address and the inside global addresses using the ip nat
inside source static command.
• Step 2 - The interfaces participating in the translation are configured as inside or outside relative to NAT with
the ip nat inside and ip nat outside commands.

R2(config)# ip nat inside source static 192.168.10.254 209.165.201.5
R2(config)#
R2(config)# interface serial 0/1/0
R2(config-if)# ip address 192.168.1.2 255.255.255.252
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface serial 0/1/1
R2(config-if)# ip address 209.165.200.1 255.255.255.252
R2(config-if)# ip nat outside
Dynamic NAT

Dynamic NAT Scenario


• Dynamic NAT automatically maps inside local addresses to inside global addresses.
• Dynamic NAT uses a pool of inside global addresses.
• The pool of inside global addresses is available to any device on the inside network on a first-come
first-served basis.
• If all addresses in the pool are in use, a device must wait for an available address before it can access
the outside network.

Configure Dynamic NAT


There are five tasks when configuring dynamic NAT translations:
• Step 1 - Define the pool of addresses that will be used for translation using the ip nat pool command.
• Step 2 - Configure a standard ACL to identify (permit) only those addresses that are to be translated.
• Step 3 - Bind the ACL to the pool, using the ip nat inside source list command.

R2(config)# ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool NAT-POOL1

• Step 4 - Identify which interfaces are inside.
• Step 5 - Identify which interfaces are outside.

R2(config)# ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool NAT-POOL1
R2(config)# interface serial 0/1/0
R2(config-if)# ip nat inside
R2(config-if)# interface serial 0/1/1
R2(config-if)# ip nat outside
PAT

Configure PAT to Use a Single IPv4 Address

To configure PAT to use a single IPv4 address, add the keyword overload to the ip nat inside source
command.
In the example, all hosts from network 192.168.0.0/16 (matching ACL 1) that send traffic through router R2 to the
internet will be translated to IPv4 address 209.165.200.225 (IPv4 address of interface S0/1/1). The traffic flows will be
identified by port numbers in the NAT table because the overload keyword is configured.

R2(config)# ip nat inside source list 1 interface serial 0/1/1 overload
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# interface serial0/1/0
R2(config-if)# ip nat inside
R2(config-if)# exit
R2(config)# interface Serial0/1/1
R2(config-if)# ip nat outside

Configure PAT to Use an Address Pool

An ISP may allocate more than one public IPv4 address to an organization. In this scenario the organization
can configure PAT to use a pool of IPv4 public addresses for translation.
To configure PAT for a dynamic NAT address pool, simply add the keyword overload to the ip nat inside
source command.
In the example, NAT-POOL2 is bound to an ACL to permit 192.168.0.0/16 to be translated. These hosts can share an
IPv4 address from the pool because PAT is enabled with the keyword overload.

R2(config)# ip nat pool NAT-POOL2 209.165.200.226 209.165.200.240 netmask 255.255.255.224
R2(config)# access-list 1 permit 192.168.0.0 0.0.255.255
R2(config)# ip nat inside source list 1 pool NAT-POOL2 overload
R2(config)# interface serial0/1/0
R2(config-if)# ip nat inside
R2(config-if)# interface serial0/1/1
R2(config-if)# ip nat outside
NAT64

NAT for IPv6?

IPv6 was developed with the intention of making NAT, and its translation between public and private
IPv4 addresses, unnecessary.
• However, IPv6 does include its own IPv6 private address space, unique local addresses (ULAs).
• IPv6 unique local addresses (ULA) are similar to RFC 1918 private addresses in IPv4 but have a different
purpose.
• ULA addresses are meant only for local communications within a site. ULA addresses are not meant to
provide additional IPv6 address space, nor to provide a level of security.
• IPv6 does provide for protocol translation between IPv4 and IPv6, known as NAT64.

NAT64

• NAT for IPv6 is used in a much different context than NAT for IPv4.
• The varieties of NAT for IPv6 are used to transparently provide access between IPv6-only and IPv4-only
networks, as shown. It is not used as a form of private IPv6 to global IPv6 translation.
• NAT for IPv6 should not be used as a long-term strategy, but as a temporary mechanism to assist in the
migration from IPv4 to IPv6.
WAN

LANs and WANs

A WAN is a telecommunications network that spans a relatively large geographical area and is required
to connect beyond the boundary of the LAN.

Local Area Networks (LANs) compared with Wide Area Networks (WANs):
• Scope - LANs provide networking services within a small geographic area. WANs provide networking
services over large geographical areas.
• Purpose - LANs are used to interconnect local computers, peripherals, and other devices. WANs are used to
interconnect remote users, networks, and sites.
• Ownership - A LAN is owned and managed by an organization or home user. WANs are owned and managed
by internet service, telephone, cable, and satellite providers.
• Cost - Other than the network infrastructure costs, there is no fee to use a LAN. WAN services are provided
for a fee.
• Bandwidth - LANs provide high bandwidth speeds using wired Ethernet and Wi-Fi services. WAN providers
offer low to high bandwidth speeds over long distances.

Private and Public WANs


A private WAN is a connection that is dedicated to a single customer.
Private WANs provide the following:
• Guaranteed service level
• Consistent bandwidth
• Security

A public WAN connection is typically provided by an ISP or telecommunications service provider using the internet.
In this case, the service levels and bandwidth may vary, and the shared connections do not guarantee security.
WAN Topologies
WANs are implemented using the following logical topology designs:
• Point-to-Point Topology
• Hub-and-Spoke Topology
• Dual-homed Topology
• Fully Meshed Topology
• Partially Meshed Topology
Note: Large networks usually deploy a combination of these topologies.

Point-to-Point Topology
• Employs a point-to-point circuit between two endpoints.
• Involves a Layer 2 transport service through the service
provider network.
• The point-to-point connection is transparent to the customer
network.
Note: It can become expensive if many point-to-point connections are required.

Hub-and-Spoke Topology
• Enables a single interface on the hub router to be shared by all
spoke circuits.
• Spoke routers can be interconnected through the hub router
using virtual circuits and routed subinterfaces.
• Spoke routers can only communicate with each other through
the hub router.
Note: The hub router represents a single point of failure. If it fails, inter-spoke communication also fails.

Dual-homed Topology
• Offers enhanced network redundancy, load balancing, distributed computing and processing, and the ability to
implement backup service provider connections.
• More expensive to implement than single-homed topologies.
This is because they require additional networking
hardware, such as additional routers and switches.
• More difficult to implement because they require additional,
and more complex, configurations.
Fully Meshed Topology
• Uses multiple virtual circuits to connect all sites.
• The most fault-tolerant topology, and also the most expensive, because the number of circuits grows with
every site that is added.

Partially Meshed Topology
• Connects many but not all sites, trading some redundancy for lower cost.
Carrier Connections

Another aspect of WAN design is how an organization connects to the internet. An organization usually
signs a service level agreement (SLA) with a service provider. The SLA outlines the expected services
relating to the reliability and availability of the connection.
The service provider may or may not be the actual carrier. A carrier
owns and maintains the physical connection and equipment between the
provider and the customer. Typically, an organization will choose either
a single-carrier or dual-carrier WAN connection.
A single-carrier connection is when an organization connects to only
one service provider. An SLA is negotiated between the organization
and the service provider.
A dual-carrier connection provides redundancy and increases network
availability. The organization negotiates separate SLAs with two
different service providers.

Evolving Networks
Network requirements of a company can change dramatically as the company grows over time.
• A network must meet the day-to-day operational needs of business, and it must be able to adapt and grow as a
company changes.
• Network designers and administrators meet these challenges by carefully choosing network technologies,
protocols, and service providers.
• Networks can be optimized by using a variety of network design techniques and architectures.
To illustrate differences between network size, we will use a fictitious company called SPAN Engineering as
it grows from a small, local, business into a global enterprise.
Small Network
SPAN, a small fictitious company, started with a few employees
in a small office.
• Uses a single LAN connected to a wireless router for sharing
data and peripherals.
• Connection to the internet is through a common broadband
service called Digital Subscriber Line (DSL)
• IT support is contracted from the DSL provider.

Campus Network
Within a few years SPAN grew and required several floors of
a building.
The company now required a Campus Area Network (CAN).
• A firewall secures internet access to corporate users.
• In-house IT staff to support and maintain the network.

Branch Network
• A few years later, the company expanded and added a branch site in the city, and remote and regional sites
in other cities.
• The company now required a metropolitan area network (MAN) to interconnect sites within the city.
• To connect to the central office, branch offices in nearby cities used private dedicated lines through their
local service provider.

Distributed Network
• SPAN Engineering has now been in business for 20
years and has grown to thousands of employees
distributed in offices worldwide.
• Site-to-site and remote access Virtual Private
Networks (VPNs) enable the company to use the
internet to connect easily and securely with employees
and facilities around the world.
WAN Standards
Modern WAN standards are defined and managed by a number of recognized authorities including the
following:
• TIA/EIA - Telecommunications Industry Association and Electronic Industries Alliance
• ISO - International Organization for Standardization
• IEEE - Institute of Electrical and Electronics Engineers

WANs in the OSI Model

Most WAN standards focus on the physical layer and the data link layer.
Layer 1 Protocols
• Synchronous Digital Hierarchy (SDH)
• Synchronous Optical Networking (SONET)
• Dense Wavelength Division Multiplexing (DWDM)

Layer 2 Protocols
• Broadband (i.e., DSL and Cable)
• Wireless
• Ethernet WAN (Metro Ethernet)
• Multiprotocol Label Switching (MPLS)
• Point-to-Point Protocol (PPP) (less used)
• High-Level Data Link Control (HDLC) (less used)
• Frame Relay (legacy)
• Asynchronous Transfer Mode (ATM) (legacy)
Common WAN Terminology
There are specific terms used to describe WAN connections between the subscriber (i.e., the company /
client) and the WAN service provider.

WAN Term                              Description
Data Terminal Equipment (DTE)         Connects the subscriber LANs to the WAN communication device.
Data Communications Equipment (DCE)   Device used to communicate with the provider.
Customer Premises Equipment (CPE)     The DTE and DCE devices located on the enterprise edge.
Point-of-Presence (POP)               The point where the subscriber connects to the service provider network.
Demarcation Point                     The physical location in a building or complex that officially separates the
                                      CPE from service provider equipment.
Local Loop (last mile)                The copper or fiber cable that connects the CPE to the CO of the service
                                      provider.
Central Office (CO)                   The local service provider facility or building that connects the CPE to the
                                      provider network.
Toll network                          Includes backhaul, long-haul, all-digital, fiber-optic communications lines,
                                      switches, routers, and other equipment inside the WAN provider network.
Backhaul network                      Connects multiple access nodes of the service provider network.
Backbone network                      Large, high-capacity networks used to interconnect service provider networks
                                      and to create a redundant network.
WAN Devices

WAN Device                       Description
Voiceband Modem                  Dial-up modem that uses telephone lines. Legacy device.
DSL Modem / Cable Modem          Collectively known as broadband modems, these high-speed digital modems
                                 connect to the DTE router using Ethernet.
CSU/DSU                          Digital leased lines require a CSU and a DSU. It connects a digital device to a
                                 digital line.
Optical Converter                Connects fiber-optic media to copper media and converts optical signals to
                                 electronic pulses.
Wireless Router / Access Point   Devices used to wirelessly connect to a WAN provider.
WAN Core devices                 The WAN backbone consists of multiple high-speed routers and Layer 3 switches.

Serial Communication
• Almost all network communications occur using a serial
communication delivery. Serial communication transmits bits
sequentially over a single channel.
• In contrast, parallel communications simultaneously transmit
several bits using multiple wires.
• As the cable length increases, the synchronization timing between multiple channels becomes more
sensitive to distance. For this reason, parallel communication is limited to very short distances.
Circuit-Switched Communication

A circuit-switched network establishes a dedicated circuit (or channel) between endpoints before the users
can communicate.
• Establishes a dedicated virtual connection through the
service provider network before communication can start.
• All communication uses the same path.
• The two most common types of circuit-switched WAN
technologies are the public switched telephone network
(PSTN) and the legacy Integrated Services Digital Network
(ISDN).

Packet-Switched Communication
Network communication is most commonly implemented
using packet-switched communication.
• Segments traffic data into packets that are routed over
a shared network.
• Much less expensive and more flexible than circuit
switching.
• Common types of packet-switched WAN technologies
are:
• Ethernet WAN (Metro Ethernet),
• Multiprotocol Label Switching (MPLS)
• Frame Relay
• Asynchronous Transfer Mode (ATM).

SDH, SONET, and DWDM

Service provider networks use fiber-optic infrastructures to transport user data between destinations. Fiber-
optic cable is far superior to copper cable for long distance transmissions due to its much lower attenuation
and interference.
There are two optical fiber OSI layer 1 standards available to service providers:
• SDH - Synchronous Digital Hierarchy (SDH) is a global standard for transporting data over fiber-optic cable.
• SONET - Synchronous Optical Networking (SONET) is the North American standard that provides the same
services as SDH.

SDH/SONET define how to transfer multiple data, voice, and video communications over optical fiber
using lasers or light-emitting diodes (LEDs) over great distances.
Dense Wavelength Division Multiplexing (DWDM) is a newer technology that increases the data-carrying
capacity of SDH and SONET by simultaneously sending multiple streams of data (multiplexing) using
different wavelengths of light.
Traditional WAN Connectivity Options

To understand the WANs of today, it helps to know where they started.
• When LANs appeared in the 1980s, organizations began to see the need to interconnect with other locations.
• To do so, they needed their networks to connect to the local loop of a service provider.
• This was accomplished by using dedicated lines, or by using switched services from a service provider.

Leased Lines

Point-to-point lines could be leased from a service provider and were called “leased lines”. The term refers
to the fact that the organization pays a monthly lease fee to a service provider to use the line.
• Leased lines are available in different fixed capacities and are generally priced based on the bandwidth
required and the distance between the two connected points.
• There are two systems used to define the digital capacity of a copper media serial link:
▪ T-carrier - Used in North America, T-carrier provides T1 links supporting bandwidth up to
1.544 Mbps and T3 links supporting bandwidth up to 44.736 Mbps.
▪ E-carrier – Used in Europe, E-carrier provides E1 links supporting bandwidth up to 2.048
Mbps and E3 links supporting bandwidth up to 34.368 Mbps.

The table summarizes the advantages and disadvantages of leased lines.


Circuit-Switched Options

Circuit-switched connections are provided by Public Switched Telephone Network (PSTN) carriers. The local
loop connecting the CPE to the CO is copper media.
There are two traditional circuit-switched options:
Public Switched Telephone Network (PSTN)
• Dialup WAN access uses the PSTN as its WAN connection. Traditional local loops can transport binary
computer data through the voice telephone network using a voiceband modem.
• The physical characteristics of the local loop and its connection to the PSTN limit the rate of the signal to less
than 56 kbps.

Integrated Services Digital Network (ISDN)
• ISDN is a circuit-switching technology that enables the PSTN local loop to carry digital signals. This provided
higher capacity switched connections than dialup access. ISDN provides data rates from 64 kbps (a single
B channel) up to 2.048 Mbps (a Primary Rate Interface carried over E1).

Packet-Switched Options

Packet switching segments data into packets that are routed over a shared network. It allows many pairs of
nodes to communicate over the same channel.
There are two traditional (legacy) packet-switched options:

Frame Relay
• Frame Relay is a simple Layer 2 non-broadcast multi-access (NBMA) WAN technology that is used to
interconnect enterprise LANs.
• Frame Relay creates PVCs which are uniquely identified by a data-link connection identifier (DLCI).

Asynchronous Transfer Mode (ATM)


• Asynchronous Transfer Mode (ATM) technology is capable of transferring voice, video, and data through
private and public networks.
• ATM is built on a cell-based architecture rather than on a frame-based architecture. ATM cells are always a
fixed length of 53 bytes.
Note: Frame relay and ATM networks have been largely replaced by faster Metro Ethernet and internet-based
solutions.
Modern WANs
Modern WANS have more connectivity options than traditional WANs.
• Enterprises now require faster and more flexible WAN connectivity options.
• Traditional WAN connectivity options have rapidly declined in use because they are either no longer
available, too expensive, or have limited bandwidth.

The figure displays the local loop connections most likely encountered today.

Modern WAN Connectivity Options

New technologies are continually emerging. The figure summarizes the modern WAN connectivity options.

Dedicated broadband
• Fiber can be installed independently by
an organization to connect remote
locations directly together.
• Dark fiber can be leased or purchased
from a supplier.

Packet-switched
• Metro Ethernet – Replacing many traditional WAN options.
• MPLS – Enables sites to connect to the provider regardless of its access technologies.

Internet-based broadband
• Organizations are now commonly using the global internet infrastructure for WAN connectivity.
Ethernet WAN

Service providers now offer Ethernet WAN service using fiber-optic cabling.
The Ethernet WAN service can go by many names, including the following:
• Metropolitan Ethernet (Metro E)
• Ethernet over MPLS (EoMPLS)
• Virtual Private LAN Service (VPLS)
There are several benefits to an Ethernet WAN:
• Reduced expenses and administration
• Easy integration with existing networks
• Enhanced business productivity

Note: Ethernet WANs have gained in popularity and are now commonly being used to replace the traditional
serial point-to-point, Frame Relay and ATM WAN links.

MPLS

Multiprotocol Label Switching (MPLS) is a high-performance service provider WAN routing technology
to interconnect clients without regard to access method or payload.
• MPLS supports a variety of client access methods (e.g., Ethernet, DSL, Cable, Frame Relay).
• MPLS can encapsulate all types of protocols including IPv4 and IPv6 traffic.
• An MPLS router can be a customer edge (CE) router, a provider edge (PE) router, or an internal provider (P)
router.
• MPLS routers are label switched routers (LSRs). They attach labels to packets that are then used by other
MPLS routers to forward traffic.
MPLS also provides services for QoS support, traffic engineering, redundancy, and VPNs.
Internet-Based Connectivity

Internet-based broadband connectivity is an alternative to dedicated WAN options and can be divided into
wired and wireless options.
Wired Options
• Wired options use permanent cabling (e.g., copper or
fiber) to provide consistent bandwidth, and reduce error
rates and latency. Examples: DSL, cable connections,
and optical fiber networks.

Wireless Options
• Wireless options are less expensive to implement
compared to other WAN connectivity options because
they use radio waves instead of wired media to transmit
data. Examples: cellular 3G/4G/5G or satellite internet
services.
• Wireless signals can be negatively affected by factors such as distance from radio towers, interference from
other sources and weather.

DSL Technology

Digital Subscriber Line (DSL) is a high-speed, always-on, connection technology that uses existing twisted-
pair telephone lines to provide IP services to users.
DSL is categorized as either Asymmetric DSL (ADSL) or Symmetric DSL (SDSL).
• ADSL and ADSL2+ provide higher downstream bandwidth to the user than upstream bandwidth.
• SDSL provides the same capacity in both directions.
DSL transfer rates are dependent on the actual length of the
local loop, and the type and condition of the cabling.

DSL Connections

Service providers deploy DSL connections in the local loop. The connection is set up between the DSL
modem and the DSL access multiplexer (DSLAM).
• The DSL modem converts the Ethernet signals from the teleworker device to a DSL signal, which is
transmitted to a DSL access multiplexer (DSLAM) at the provider location.
• A DSLAM is located at the Central Office (CO) of the provider and concentrates connections from multiple
DSL subscribers.
• DSL is not a shared medium. Each user has a separate direct connection to the DSLAM. Adding users does
not impede performance.

DSL and PPP

ISPs use PPP as the Layer 2 protocol for broadband DSL connections.
• PPP can be used to authenticate the subscriber.
• PPP can assign a public IPv4 address to the subscriber.
• PPP provides link-quality management features.
There are two ways PPP over Ethernet (PPPoE) can be deployed:
• Host with PPPoE Client - The PPPoE client software communicates with the DSL modem using PPPoE and
the modem communicates with the ISP using PPP.
• Router PPPoE Client - The router is the PPPoE client and obtains its configuration from the provider.

Cable Technology

Cable technology is a high-speed always-on connection technology that uses a coaxial cable from the cable
company to provide IP services to users.
The Data over Cable Service Interface Specification (DOCSIS) is the international standard for adding high-
bandwidth data to an existing cable system.
• The optical node converts RF signals to light pulses over fiber-optic cable.
• The fiber media enables the signals to travel over long distances to the provider headend where a Cable
Modem Termination System (CMTS) is located.
• The headend contains the databases needed to provide internet access while the CMTS is responsible for
communicating with the cable modems.
Note: All the local subscribers share the
same cable bandwidth. As more users
join the service, available bandwidth
may drop below the expected rate.

Optical Fiber

Many municipalities, cities, and providers install fiber-optic cable to the user location. This is commonly
referred to as Fiber to the x (FTTx) and includes the following:
• Fiber to the Home (FTTH) - Fiber reaches the boundary of the residence.
• Fiber to the Building (FTTB) - Fiber reaches the boundary of the building with the final connection to the
individual living space being made via alternative means.
• Fiber to the Node/Neighborhood (FTTN) – Optical cabling reaches an optical node that converts optical
signals to a format acceptable for twisted pair or coaxial cable to the premises.
Note: FTTx can deliver the highest bandwidth of all broadband options.

Wireless Internet-Based Broadband

Wireless technology uses radio spectrum to send and receive data (unlicensed spectrum in the case of Wi-Fi;
cellular and satellite services operate in licensed spectrum).
• Municipal Wi-Fi - Municipal wireless networks are available in many cities providing high-speed internet
access for free, or for substantially less than the price of other broadband services.
• Cellular – Increasingly used to connect devices to the internet using radio waves to communicate through a
nearby mobile phone tower. 3G/4G/5G and Long-Term Evolution (LTE) are cellular technologies.
• Satellite Internet - Typically used by rural users or in remote locations where cable and DSL are not
available. A router connects to a satellite dish which is pointed to a service provider satellite in
geosynchronous orbit. Trees and heavy rains can impact the satellite signal.
• WiMAX - Worldwide Interoperability for Microwave Access (WiMAX) is described in the IEEE standard
802.16. It provides high-speed broadband service with wireless access and provides broad coverage like a cell
phone network rather than through small Wi-Fi hotspots.

VPN Technology

VPNs can be used to address security concerns incurred when a remote office worker uses broadband
services to access the corporate WAN over the internet.
A VPN is an encrypted connection between private networks over a public network. VPN tunnels are routed
through the internet from the private network of the company to the remote site or employee host.
There are several benefits to using VPN:
• Cost savings - Eliminates expensive, dedicated WAN links and modem banks.
• Security - Advanced encryption and authentication protocols protect data from unauthorized access.
• Scalability - Corporations can add large amounts of capacity without adding significant infrastructure.
• Compatibility with broadband technology - Supported by broadband service providers such as DSL and
cable.

VPNs are commonly implemented as the following:


• Site-to-site VPN - VPN settings are configured on routers. Clients are unaware that their data is being
encrypted.
• Remote Access - The user is aware of the VPN and initiates the remote access connection, for example by
using HTTPS in a browser to connect to a bank. Alternatively, the user can run VPN client software on their
host to connect to and authenticate with the destination device.

ISP Connectivity Options

There are different ways an organization can connect to an ISP. The choice depends on the needs and budget
of the organization.
• Single-homed –Single connection to the ISP using one link.
Provides no redundancy and is the least expensive solution.
• Dual-homed - Connects to the same ISP using two links. Provides
both redundancy and load balancing. However, the organization
loses internet connectivity if the ISP experiences an outage.
• Multihomed -The client connects to two different ISPs. This
design provides increased redundancy and enables load-balancing,
but it can be expensive.
• Dual-multihomed - Dual-multihomed is the most resilient topology
of the four shown. The client connects with redundant links to
multiple ISPs. This topology provides the most redundancy
possible. It is the most expensive option of the four.
Broadband Solution Comparison

Each broadband solution has advantages and disadvantages. If there are multiple broadband solutions
available, a cost-versus-benefit analysis should be performed to determine the best solution.
Some factors to consider include the following:
• Cable - Bandwidth is shared by many users. Therefore, upstream data rates are often slow during high-usage
hours in areas with over-subscription.
• DSL - Limited bandwidth that is distance sensitive (in relation to the ISP central office). Upload rate is
proportionally lower compared to download rate.
• Fiber-to-the-Home - This option requires fiber installation directly to the home.
• Cellular/Mobile - With this option, coverage is often an issue, even within a small office or home office
where bandwidth is relatively limited.
• Municipal Wi-Fi - Most municipalities do not have a mesh Wi-Fi network deployed. If it is available and in
range, then it is a viable option.
• Satellite - This option is expensive and provides limited capacity per subscriber. Typically used when no
other option is available.

VPN Technology

Virtual Private Networks

• Virtual private networks (VPNs) are used to create end-to-end private network connections.
• A VPN is virtual in that it carries information within a private network, but that information is actually
transported over a public network.
• A VPN is private in that the traffic is encrypted to keep the data confidential while it is transported across the
public network.
VPN Benefits
• Modern VPNs support encryption features, such as Internet Protocol Security (IPsec) and Secure Sockets
Layer (SSL) VPNs (today implemented with TLS), to secure network traffic between sites.
• Major benefits of VPNs are shown in the table:

Benefit         Description
Cost Savings    Organizations can use VPNs to reduce their connectivity costs while simultaneously increasing
                remote connection bandwidth.
Security        Encryption and authentication protocols protect data from unauthorized access.
Scalability     VPNs allow organizations to use the internet, making it easy to add new users without adding
                significant infrastructure.
Compatibility   VPNs can be implemented across a wide variety of WAN link options including broadband
                technologies. Remote workers can use these high-speed connections to gain secure access to
                corporate networks.

Site-to-Site and Remote Access VPNs

A site-to-site VPN is terminated on VPN gateways. VPN traffic is only encrypted between the gateways.
Internal hosts have no knowledge that a VPN is being used.

A remote-access VPN is dynamically created to establish a secure connection between a client and a VPN
terminating device.
Enterprise and Service Provider VPNs
VPNs can be managed and deployed as:
• Enterprise VPNs - A common solution for securing enterprise traffic across the internet. Site-to-site and
remote access VPNs are created and managed by the enterprise using IPsec and SSL VPNs.
• Service Provider VPNs - Created and managed by the provider network. The provider uses Multiprotocol
Label Switching (MPLS) at Layer 2 or Layer 3 to create secure channels between an enterprise’s sites,
effectively segregating the traffic from other customer traffic.

Types of VPNs

Remote-Access VPNs
• Remote-access VPNs let remote and mobile users securely connect to the enterprise.
• Remote-access VPNs are typically enabled dynamically by the user when required and can be created using
either IPsec or SSL.
o Clientless VPN connection - The connection is secured using a web browser SSL connection.
o Client-based VPN connection - VPN client software such as Cisco AnyConnect Secure Mobility Client
must be installed on the remote user’s end device.
SSL VPNs
SSL uses the public key infrastructure and digital certificates to authenticate peers. The type of VPN method
implemented is based on the access requirements of the users and the organization’s IT processes. The table
compares IPsec and SSL remote access deployments.

Feature                   IPsec                                              SSL
Applications supported    Extensive – All IP-based applications              Limited – Only web-based applications and
                                                                             file sharing
Authentication strength   Strong – Two-way authentication with shared keys   Moderate – One-way or two-way
                          or digital certificates                            authentication
Encryption strength       Strong – Key lengths 56 – 256 bits                 Moderate to strong – Key lengths 40 – 256 bits
Connection complexity     Medium – Requires VPN client installed on a host   Low – Requires web browser on a host
Connection option         Limited – Only specific devices with specific      Extensive – Any device with a web browser
                          configurations can connect                         can connect

Note: The 56-bit (DES) and 40-bit key lengths at the bottom of those ranges are legacy options and are no longer
considered secure; current deployments should use AES with 128-bit or longer keys for either VPN type.

Site-to-Site IPsec VPNs

• Site-to-site VPNs connect networks across an untrusted network such as the internet.
• End hosts send and receive normal unencrypted TCP/IP traffic through a VPN gateway.
• The VPN gateway encapsulates and encrypts outbound traffic from a site and sends the traffic through the
VPN tunnel to the VPN gateway at the target site. The receiving VPN gateway strips the headers, decrypts the
content, and relays the packet toward the target host inside its private network.

GRE over IPsec

• Generic Routing Encapsulation (GRE) is a non-secure site-to-site VPN tunneling protocol.
• A GRE tunnel can encapsulate various network layer protocols as well as multicast and broadcast traffic.
• GRE does not by default support encryption; therefore, it does not provide a secure VPN tunnel.
• A GRE packet can be encapsulated into an IPsec packet to forward it securely to the destination VPN
gateway.
o Standard IPsec VPNs (non-GRE) can only create secure tunnels for unicast traffic.
o Encapsulating GRE into IPsec allows multicast routing protocol updates to be secured through a VPN.
The terms used to describe the encapsulation of a GRE over IPsec tunnel are passenger protocol, carrier
protocol, and transport protocol.
• Passenger protocol – This is the original packet that is to be encapsulated by GRE. It could be an IPv4 or
IPv6 packet, a routing update, and more.
• Carrier protocol – GRE is the carrier protocol that encapsulates the original passenger packet.
• Transport protocol – This is the protocol that will actually be used to forward the packet. This could be IPv4
or IPv6.

For example, Branch and HQ need to exchange OSPF routing information over an IPsec VPN. GRE over IPsec is
used to support the routing protocol traffic over the IPsec VPN. Specifically, the OSPF packets (i.e., passenger
protocol) would be encapsulated by GRE (i.e., carrier protocol) and subsequently encapsulated in an IPsec VPN
tunnel.
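To make the passenger / carrier / transport layering concrete, the following Python is an added example (not from the study guide and not Cisco code) that builds the HQ-to-Branch packet from the paragraph above byte by byte and then takes it apart again: the passenger is an IPv4 packet carrying OSPF (protocol 89) to the multicast address 224.0.0.5, the carrier is a minimal RFC 2784 GRE header (IP protocol 47), and the transport is an outer IPv4 header between the two tunnel endpoints. The IPsec ESP wrapping that would follow is only marked in a comment, not implemented. The tunnel endpoint addresses and the OSPF body are constructed sample values, not a real Hello packet.

```python
import socket
import struct

IPPROTO_GRE = 47      # transport header's protocol field when GRE is the carrier
IPPROTO_OSPF = 89     # passenger: OSPF rides directly on IP, often to a multicast address
IPPROTO_ESP = 50      # what the outermost header carries once IPsec wraps the GRE packet
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over the header; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes):
    """Return (fields, payload); raises ValueError on a damaged header."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    fields = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto, "ttl": ttl}
    return fields, pkt[ihl:total_len]


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Carrier step: prepend a 4-byte GRE header (no C/K/S bits, version 0) announcing an
    IPv4 passenger; transport step: add the outer IPv4 header between the tunnel endpoints."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(passenger)) + gre + passenger


def gre_decapsulate(pkt: bytes):
    """Reverse of gre_encapsulate: returns (outer header fields, passenger bytes)."""
    outer, payload = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % outer["proto"])
    flags_ver, ethertype = struct.unpack("!HH", payload[:4])
    if flags_ver & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    offset = 4                           # optional fields exist only when their flag bit is set
    if flags_ver & 0x8000:
        offset += 4                      # C: checksum + reserved1
    if flags_ver & 0x2000:
        offset += 4                      # K: key
    if flags_ver & 0x1000:
        offset += 4                      # S: sequence number
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger ethertype 0x%04x" % ethertype)
    return outer, payload[offset:]


def tunnel_roundtrip():
    """Build the OSPF passenger, tunnel it HQ -> Branch, decapsulate it at Branch.
    Returns (outer fields, inner fields, inner payload) for inspection."""
    ospf_body = b"constructed OSPF hello placeholder"        # constructed sample, not a real Hello
    passenger = ipv4_header("10.1.1.1", "224.0.0.5", IPPROTO_OSPF, len(ospf_body)) + ospf_body
    # Constructed tunnel endpoints: HQ and Branch outside interface addresses.
    on_the_wire = gre_encapsulate(passenger, "209.165.200.225", "209.165.201.1")
    # Here an IPsec tunnel would wrap on_the_wire in ESP (IPPROTO_ESP) under a new outer
    # header; the receiving gateway strips that first and then does the steps below.
    outer, inner_pkt = gre_decapsulate(on_the_wire)
    inner, body = parse_ipv4(inner_pkt)
    return outer, inner, body


if __name__ == "__main__":
    print(tunnel_roundtrip())
```

Without the IPsec layer, everything returned by tunnel_roundtrip() is readable to anyone on the path, which is the point the bullets above make about GRE alone not being a secure tunnel.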

Dynamic Multipoint VPNs

Site-to-site IPsec VPNs and GRE over IPsec are not sufficient when the enterprise adds many more sites.
Dynamic Multipoint VPN (DMVPN) is a Cisco software solution for building multiple VPNs in an easy,
dynamic, and scalable manner.
• DMVPN simplifies the VPN tunnel configuration and provides a flexible option to connect a central
site with branch sites.
• It uses a hub-and-spoke configuration to establish a full mesh topology.
• Spoke sites establish secure VPN tunnels with the hub site.
• Each site is configured using Multipoint Generic Routing Encapsulation (mGRE). The mGRE tunnel
interface allows a single GRE interface to dynamically support multiple IPsec tunnels.
• Spoke sites can also obtain information about each other, and alternatively build direct tunnels
between themselves (spoke-to-spoke tunnels).
IPsec Virtual Tunnel Interface

IPsec Virtual Tunnel Interface (VTI) simplifies the configuration process required to support multiple sites
and remote access.
• IPsec VTI configurations are applied to a virtual interface instead of statically mapping the IPsec sessions to a
physical interface.
• IPsec VTI is capable of sending and receiving both IP unicast and multicast encrypted traffic. Therefore,
routing protocols are automatically supported without having to configure GRE tunnels.
• IPsec VTI can be configured between sites or in a hub-and-spoke topology.

Service Provider MPLS VPNs

Today, service providers use MPLS in their core network. Traffic is forwarded through the MPLS backbone
using labels. Traffic is secure because service provider customers cannot see each other’s traffic.
• MPLS can provide clients with managed VPN solutions; therefore, securing traffic between client
sites is the responsibility of the service provider.
• There are two types of MPLS VPN solutions supported by service providers:
o Layer 3 MPLS VPN - The service provider participates in customer routing by establishing a peering
between the customer’s routers and the provider’s routers.
o Layer 2 MPLS VPN - The service provider is not involved in the customer routing. Instead, the
provider deploys a Virtual Private LAN Service (VPLS) to emulate an Ethernet multiaccess LAN
segment over the MPLS network. No routing is involved. The customer’s routers effectively belong to
the same multiaccess network.
IPsec

IPsec Technologies
IPsec is an IETF standard that defines how a VPN can be secured across IP networks. IPsec protects and
authenticates IP packets between source and destination and provides these essential security functions:
• Confidentiality - Uses encryption algorithms to prevent cybercriminals from reading the packet
contents.
• Integrity - Uses hashing algorithms to ensure that packets have not been altered between source and
destination.
• Origin authentication - Uses the Internet Key Exchange (IKE) protocol to authenticate source and
destination.
• Diffie-Hellman – Used to secure key exchange.

• IPsec is not bound to any specific rules for secure communications.
• IPsec can easily integrate new security technologies without updating existing IPsec standards.
• The open slots in the IPsec framework shown in the figure can be filled with any of the choices that are
available for that IPsec function to create a unique security association (SA).

IPsec Protocol Encapsulation

Choosing the IPsec protocol encapsulation is the first building block of the framework.
• IPsec encapsulates packets using Authentication Header (AH) or Encapsulation Security Protocol (ESP).
• The choice of AH or ESP establishes which other building blocks are available.
o AH is appropriate only when confidentiality is not required or permitted.
o ESP provides both confidentiality and authentication.
Confidentiality

The degree of confidentiality depends on the encryption algorithm and the length of the key used in the
encryption algorithm.
The number of possibilities to try to hack the key is a function of the length of the key - the shorter the key, the
easier it is to break.

The encryption algorithms highlighted in the figure are all symmetric key cryptosystems:
• DES uses a 56-bit key.
• 3DES uses three independent 56-bit encryption keys per 64-bit block.
• AES offers three different key lengths: 128 bits, 192 bits, and 256 bits.
• SEAL is a stream cipher, which means it encrypts data continuously rather than encrypting blocks of data.
SEAL uses a 160-bit key.

Integrity
• Data integrity means that the data has not
changed in transit.
• A method of proving data integrity is required.
• The Hashed Message Authentication Code
(HMAC) is a data integrity algorithm that
guarantees the integrity of the message using a
hash value.
o Message-Digest 5 (MD5) uses a 128-bit
shared-secret key.
o The Secure Hash Algorithm (SHA) uses a
160-bit secret key.
Authentication
There are two IPsec peer authentication methods:
1. Pre-shared key (PSK) - A PSK value is entered
into each peer manually.
• Easy to configure manually
• Does not scale well
• Must be configured on every peer
2. Rivest, Shamir, and Adleman (RSA) -
authentication uses digital certificates to
authenticate the peers.
Each peer must authenticate its opposite peer before the tunnel
is considered secure.

Secure Key Exchange with Diffie-Hellman

DH allows two peers to establish a shared secret key over an insecure channel.
Variations of the DH key exchange are specified as DH groups:
• DH groups 1, 2, and 5 should no longer be used.
• DH groups 14, 15, and 16 use larger key sizes with 2048 bits, 3072 bits, and 4096 bits, respectively.
• DH groups 19, 20, 21 and 24 with respective key sizes of 256 bits, 384 bits, 521 bits, and 2048 bits support
Elliptical Curve Cryptography (ECC), which reduces the time needed to generate keys.
QoS

Network Transmission Quality

Prioritizing Traffic
• When traffic volume is greater than what can be transported across the network, devices queue (hold)
the packets in memory until resources become available to transmit them.
• Queuing packets causes delay because
new packets cannot be transmitted
until previous packets have been
processed.
• If the number of packets to be queued
continues to increase, the memory
within the device fills up and packets
are dropped.
• One QoS technique that can help with
this problem is to classify data into
multiple queues, as shown in the
figure.
Note: A device implements QoS only when it is experiencing some type of congestion.

Bandwidth, Congestion, Delay, and Jitter


• Network bandwidth is measured in the number of bits that can be transmitted in a single second, or
bits per second (bps).
• Network congestion causes delay. An interface experiences congestion when it is presented with
more traffic than it can handle. Network congestion points are ideal candidates for QoS mechanisms.
• The typical congestion points are aggregation, speed mismatch, and LAN to WAN.
Delay or latency refers to the time it takes for a packet to travel from the source to the destination.
• Fixed delay is the amount of time a specific process takes, such as how long it takes to place a bit on the
transmission media.
• Variable delay takes an unspecified amount of time and is affected by factors such as how much traffic is
being processed.
• Jitter is the variation of delay of received packets.

• Code delay - The fixed amount of time it takes to compress data at the source before transmitting to the first
internetworking device, usually a switch.
• Packetization delay - The fixed time it takes to encapsulate a packet with all the necessary header information.
• Queuing delay - The variable amount of time a frame or packet waits to be transmitted on the link.
• Serialization delay - The fixed amount of time it takes to transmit a frame onto the wire.
• Propagation delay - The variable amount of time it takes for the frame to travel between the source and
destination.
• De-jitter delay - The fixed amount of time it takes to buffer a flow of packets and then send them out in evenly
spaced intervals.

Packet Loss
Without QoS mechanisms, time-sensitive packets, such as real-
time video and voice, are dropped with the same frequency as
data that is not time-sensitive.
• When a router receives a Real-Time Protocol (RTP) digital
audio stream for Voice over IP (VoIP), it compensates for
the jitter that is encountered using a playout delay buffer.
• The playout delay buffer buffers these packets and then plays
them out in a steady stream.

If the jitter is so large that it causes packets to be received out of the range of the playout buffer, the out-of-
range packets are discarded and dropouts are heard in the audio.
• For losses as small as one packet, the digital signal processor (DSP) interpolates what it thinks the audio
should be and no problem is audible to the user.
• When jitter exceeds what the DSP can do to make up for the missing packets, audio problems are heard.
Note: In a properly designed network, packet loss should be near zero.
Traffic Characteristics

Network Traffic Trends

In the early 2000s, the predominant types of IP traffic were voice and data.
• Voice traffic has a predictable bandwidth need and known packet arrival times.
• Data traffic is not real-time and has unpredictable bandwidth need.
• Data traffic can temporarily burst, as when a large file is being downloaded. This bursting can consume the
entire bandwidth of a link.
More recently, video traffic has become increasingly important to business communications and
operations.
• According to the Cisco Visual Networking Index (VNI), video traffic represented 70% of all traffic in 2017.
• By 2022, video will represent 82% of all traffic.
• Mobile video traffic will reach 60.9 exabytes per month by 2022.
The type of demands that voice, video, and data traffic place on the network are very different.

Voice
Voice traffic is predictable and smooth and very sensitive to delays and dropped packets.
• Voice packets must receive a higher priority than other types of traffic.
• Cisco products use the RTP port range 16384 to 32767 to prioritize voice traffic.
Voice can tolerate a certain amount of latency, jitter, and loss without any noticeable effects.
• Latency should be no more than 150 milliseconds (ms).
• Jitter should be no more than 30 ms, and packet loss no more than 1%.
• Voice traffic requires at least 30 Kbps of bandwidth.

Voice Traffic Characteristics:
• Smooth
• Benign
• Drop sensitive
• Delay sensitive
• UDP priority

One-Way Requirements:
• Latency < 150 ms
• Jitter < 30 ms
• Loss < 1%
• Bandwidth (30-128 Kbps)
Video
Video traffic tends to be unpredictable, inconsistent, and bursty. Compared to voice, video is less resilient to
loss and has a higher volume of data per packet.
• The number and size of video packets varies every 33 ms based on the content of the video.
• UDP ports, such as 554, are used for the Real-Time Streaming Protocol (RTSP) and should be given priority
over other, less delay-sensitive, network traffic.
• Latency should be no more than 400 milliseconds (ms). Jitter should be no more than 50 ms, and video packet
loss should be no more than 1%. Video traffic requires at least 384 Kbps of bandwidth.

Video Traffic Characteristics:
• Bursty
• Greedy
• Drop sensitive
• Delay sensitive
• UDP priority

One-Way Requirements:
• Latency < 200-400 ms
• Jitter < 30-50 ms
• Loss < 0.1 – 1%
• Bandwidth (384 Kbps - 20 Mbps)

Data
Data applications that have no tolerance for data loss, such as email and web pages, use TCP to ensure that if
packets are lost in transit, they will be resent.
• Data traffic can be smooth or bursty.
• Network control traffic is usually smooth and predictable.

Some TCP applications can consume a large portion of network capacity. FTP will consume as much bandwidth
as it can get when you download a large file, such as a movie or game.

Data Traffic Characteristics:
• Smooth/bursty
• Benign/greedy
• Drop insensitive
• Delay insensitive
• TCP retransmits

Data traffic is relatively insensitive to drops and delays compared to voice and video. Quality of Experience
(QoE) is important to consider with data traffic.
• Does the data come from an interactive application?
• Is the data mission critical?

Interactive:
• Mission critical - Prioritize for the lowest delay of all data traffic and strive for a 1 to 2 second response time.
• Not mission critical - Applications could benefit from lower delay.
Not interactive:
• Mission critical - Delay can vary greatly as long as the necessary minimum bandwidth is supplied.
• Not mission critical - Gets any leftover bandwidth after all voice, video, and other data application needs are
met.
Queuing Algorithms

The QoS policy implemented by the network administrator becomes active when congestion occurs on the
link. Queuing is a congestion management tool that can buffer, prioritize, and, if required, reorder packets
before being transmitted to the destination.
A number of queuing algorithms are available:
• First-In, First-Out (FIFO)
• Weighted Fair Queuing (WFQ)
• Class-Based Weighted Fair Queuing (CBWFQ)
• Low Latency Queuing (LLQ)

First in First Out

• First In First Out (FIFO) queuing buffers and forwards packets in the order of their arrival.
• FIFO has no concept of priority or classes of traffic and consequently, makes no decision about packet priority.
There is only one queue, and all packets are treated equally.
Packets are sent out an interface in the order in which they arrive.

Weighted Fair Queuing (WFQ)

Weighted Fair Queuing (WFQ) is an automated scheduling method that provides fair bandwidth allocation
to all network traffic.
• WFQ applies priority, or weights, to identified traffic, classifies it into conversations or flows, and then
determines how much bandwidth each
flow is allowed relative to other
flows.
• WFQ classifies traffic into different
flows based on source and destination
IP addresses, MAC addresses, port
numbers, protocol, and Type of
Service (ToS) value.
• WFQ is not supported with tunneling
and encryption because these features
modify the packet content information
required by WFQ for classification.
Class-Based Weighted Fair Queuing (CBWFQ)

Class-Based Weighted Fair Queuing (CBWFQ) extends the standard WFQ functionality to provide support
for user-defined traffic classes.
o Traffic classes are defined based on match criteria including protocols, access control lists (ACLs),
and input interfaces.
o Packets satisfying the match criteria for a class constitute the traffic for that class.
o A FIFO queue is reserved for each class, and traffic belonging to a class is directed to the queue for
that class.

• A class can be assigned characteristics, such as bandwidth, weight, and maximum packet limit. The
bandwidth assigned to a class is the guaranteed bandwidth delivered during congestion.
• Packets belonging to a class are subject to the bandwidth and queue limits, which is the maximum
number of packets allowed to accumulate in the queue, that characterize the class.

After a queue has reached its configured queue limit, adding more packets to the class causes tail drop or
packet drop to take effect, depending on how class policy is configured.
• Tail drop discards any packet that
arrives at the tail end of a queue that
has completely used up its packet-
holding resources.
• This is the default queuing response to
congestion. Tail drop treats all traffic
equally and does not differentiate
between classes of service.

Low Latency Queuing (LLQ)


The Low Latency Queuing (LLQ) feature brings strict priority queuing (PQ) to CBWFQ.
• Strict PQ allows delay-sensitive packets
such as voice to be sent before packets in
other queues.
• LLQ allows delay-sensitive packets such
as voice to be sent first (before packets in
other queues), giving delay-sensitive
packets preferential treatment over other
traffic.
• Cisco recommends that only voice traffic
be directed to the priority queue.
QoS Models

Selecting an Appropriate QoS Policy Model


There are three models for implementing QoS. QoS is implemented in a network using either IntServ or
DiffServ.
• IntServ provides the highest guarantee of QoS, it is very resource-intensive, and therefore, not easily scalable.
• DiffServ is less resource-intensive and more scalable.
• IntServ and DiffServ are sometimes co-deployed in network QoS implementations.

• Best-effort model - Not an implementation as QoS is not explicitly configured. Use when QoS is not required.
• Integrated services (IntServ) - Provides very high QoS to IP packets with guaranteed delivery. Defines a
signaling process for applications to signal to the network that they require special QoS for a period and that
bandwidth should be reserved. IntServ can severely limit the scalability of a network.
• Differentiated services (DiffServ) - Provides high scalability and flexibility in implementing QoS. Network
devices recognize traffic classes and provide different levels of QoS to different traffic classes.

Best Effort
The basic design of the internet is best-effort packet delivery and provides no guarantees.
• The best-effort model treats all network packets in the same way, so an emergency voice message is treated
the same way that a digital photograph attached to an email is treated.

Benefits:
• The model is the most scalable.
• Scalability is only limited by available bandwidth, in which case all traffic is equally affected.
• No special QoS mechanisms are required.
• It is the easiest and quickest model to deploy.
Drawbacks:
• There are no guarantees of delivery.
• Packets will arrive whenever they can and in any order possible, if they arrive at all.
• No packets have preferential treatment.
• Critical data is treated the same as casual email is treated.
Integrated Services
IntServ delivers the end-to-end QoS that real-time applications require.
• Explicitly manages network resources to provide QoS to
individual flows or streams, sometimes called
microflows.
• Uses resource reservation and admission-control
mechanisms as building blocks to establish and maintain
QoS.
• Uses a connection-oriented approach. Each individual
communication must explicitly specify its traffic
descriptor and requested resources to the network.
• The edge router performs admission control to ensure
that available resources are sufficient in the network.

In the IntServ model, the application requests a specific kind of service from the network before sending
data.
• The application informs the network of its traffic profile and requests a particular kind of service that can
encompass its bandwidth and delay requirements.
• IntServ uses the Resource Reservation Protocol (RSVP) to signal the QoS needs of an application’s traffic
along devices in the end-to-end path through the network.
• If network devices along the path can reserve the necessary bandwidth, the originating application can begin
transmitting. If the requested reservation fails along the path, the originating application does not send any
data.

Benefits:
• Explicit end-to-end resource admission control
• Per-request policy admission control
• Signaling of dynamic port numbers
Drawbacks:
• Resource intensive due to the stateful architecture requirement for continuous signaling.
• Flow-based approach not scalable to large implementations such as the internet.

Differentiated Services
The differentiated services (DiffServ) QoS model
specifies a simple and scalable mechanism for
classifying and managing network traffic.
• Is not an end-to-end QoS strategy because it cannot
enforce end-to-end guarantees.
• Hosts forward traffic to a router which classifies
the flows into aggregates (classes) and provides the
appropriate QoS policy for the classes.
• Enforces and applies QoS mechanisms on a hop-by-hop basis, uniformly applying global meaning to each
traffic class to provide both flexibility and scalability.
• DiffServ divides network traffic into classes based on business requirements. Each of the classes can then be
assigned a different level of service.
• As the packets traverse a network, each of the network devices identifies the packet class and services the
packet according to that class.
• It is possible to choose many levels of service with DiffServ.

Benefits:
• Highly scalable
• Provides many different levels of quality
Drawbacks:
• No absolute guarantee of service quality
• Requires a set of complex mechanisms to work in concert throughout the network

QoS Implementation Techniques

Avoiding Packet Loss


Packet loss is usually the result of congestion on an interface. Most applications that use TCP experience
slowdown because TCP automatically adjusts to network congestion. Dropped TCP segments cause TCP
sessions to reduce their window sizes. Some applications do not use TCP and cannot handle drops (fragile
flows). The following approaches can prevent drops in sensitive applications:
• Increase link capacity to ease or prevent congestion.
• Guarantee enough bandwidth and increase buffer space to accommodate bursts of traffic from fragile
flows. WFQ, CBWFQ, and LLQ can guarantee bandwidth and provide prioritized forwarding to drop-
sensitive applications.
• Drop lower-priority packets before congestion occurs. Cisco IOS QoS provides queuing mechanisms, such as
weighted random early detection (WRED), that start dropping lower-priority packets before congestion occurs.

QoS Tools
• Classification and marking tools - Sessions, or flows, are analyzed to determine what traffic class they belong
to. When the traffic class is determined, the packets are marked.
• Congestion avoidance tools - Traffic classes are allotted portions of network resources, as defined by the
QoS policy. The QoS policy also identifies how some traffic may be selectively dropped, delayed, or re-marked
to avoid congestion. The primary congestion avoidance tool is WRED and is used to regulate TCP data traffic
in a bandwidth-efficient manner before tail drops caused by queue overflows occur.
• Congestion management tools - When traffic exceeds available network resources, traffic is queued to await
availability of resources. Common Cisco IOS-based congestion management tools include CBWFQ and LLQ
algorithms.
The figure shows the sequence of QoS tools used when applied to packet flows.
• Ingress packets are classified and their respective IP header is marked.
• To avoid congestion, packets are then allocated resources based on defined policies.
• Packets are then queued and forwarded out the egress interface based on their defined QoS shaping and
policing policy.
Note: Classification and marking can be done on ingress or egress, whereas other QoS actions such as queuing
and shaping are usually done on egress.

Classification and Marking

Before a packet can have a QoS policy applied to it, the packet has to be classified.
Classification determines the class of traffic to which packets or frames belong. Only after traffic is marked
can policies be applied to it.
How a packet is classified depends on the QoS implementation.
• Methods of classifying traffic flows at Layer 2 and 3 include using interfaces, ACLs, and class maps.
• Traffic can also be classified at Layers 4 to 7 using Network Based Application Recognition (NBAR).

How traffic is marked usually depends on the technology. The decision of whether to mark traffic at Layers
2 or 3 (or both) is not trivial and should be made after consideration of the following points:
• Layer 2 marking of frames can be performed for non-IP traffic.
• Layer 2 marking of frames is the only QoS option available for switches that are not “IP aware”.
• Layer 3 marking will carry the QoS information end-to-end.

QoS Tool - Layer - Marking Field - Width in Bits:
• Ethernet (802.1q, 802.1p) - Layer 2 - Class of Service (CoS) - 3 bits
• 802.11 (Wi-Fi) - Layer 2 - Wi-Fi Traffic Identifier (TID) - 3 bits
• MPLS - Layer 2 - Experimental (EXP) - 3 bits
• IPv4 and IPv6 - Layer 3 - IP Precedence (IPP) - 3 bits
• IPv4 and IPv6 - Layer 3 - Differentiated Services Code Point (DSCP) - 6 bits


Marking at Layer 2
802.1Q is the IEEE standard that supports VLAN tagging at Layer 2 on Ethernet networks. When 802.1Q is
implemented, two fields are inserted into the Ethernet frame following the source MAC address field.

The 802.1Q standard also includes the QoS prioritization scheme known as IEEE 802.1p. The 802.1p standard uses
the first three bits in the Tag Control Information (TCI) field. Known as the Priority (PRI) field, this 3-bit field
identifies the Class of Service (CoS) markings.
Three bits means that a Layer 2 Ethernet frame can be marked with one of eight levels of priority (values 0-7).

CoS Value CoS Binary Value Description

0 000 Best-Effort Data

1 001 Medium-Priority Data

2 010 High-Priority Data

3 011 Call Signaling

4 100 Videoconferencing

5 101 Voice bearer (voice traffic)

6 110 Reserved

7 111 Reserved

Marking at Layer 3

IPv4 and IPv6 specify an 8-bit field in their packet headers to mark packets: the Type of Service (ToS) field for
IPv4 and the Traffic Class field for IPv6.
Type of Service and Traffic Class Field
The Type of Service (IPv4) and Traffic Class (IPv6) carry the packet marking as assigned by the QoS
classification tools.
• RFC 791 specified the 3-bit IP Precedence
(IPP) field to be used for QoS markings.
• RFC 2474 supersedes RFC 791 and redefines
the ToS field by renaming and extending the
IPP field to 6 bits.
• Called the Differentiated Services Code Point
(DSCP) field, these six bits offer a maximum of
64 possible classes of service.
• The remaining two IP Extended Congestion
Notification (ECN) bits can be used by ECN-
aware routers to mark packets instead of
dropping them.

DSCP Values
The 64 DSCP values are organized into three categories:
• Best-Effort (BE) - This is the default for all IP packets. The DSCP value is 0. The per-hop behavior is normal
routing. When a router experiences congestion, these packets will be dropped. No QoS plan is implemented.
• Expedited Forwarding (EF) - RFC 3246 defines EF as the DSCP decimal value 46 (binary 101110). The
first 3 bits (101) map directly to the Layer 2 CoS value 5 used for voice traffic. At Layer 3, Cisco recommends
that EF only be used to mark voice packets.
• Assured Forwarding (AF) - RFC 2597 defines AF to use the 5 most significant DSCP bits to indicate queues
and drop preference.

Assured Forwarding values are shown in the figure.

The AFxy formula is specified as follows:
• The first 3 most significant bits are used to designate the class. Class 4 is the best queue and Class 1 is the
worst queue.
• The 4th and 5th most significant bits are used to designate the drop preference.
• The 6th most significant bit is set to zero.

For example: AF32 belongs to class 3 (binary 011) and has a medium drop preference (binary 10). The full DSCP
value is 28 because you include the 6th 0 bit (binary 011100).
Class Selector Bits
Class Selector (CS) bits:
• The first 3 most significant bits of the DSCP field and indicate the class.
• Map directly to the 3 bits of the CoS field and the IPP field to maintain compatibility with 802.1p
and RFC 791.
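The AFxy, CS and EF encodings described above, worked through in code. This is an added example, not part of the study guide; it only uses the bit layout the text gives (DSCP is the upper 6 bits of the ToS/Traffic Class byte, ECN the lower 2).

```python
"""Encode and decode DSCP values (BE, EF, AFxy, CSx) and relate them to CoS.

Added example, not from the study guide. Bit layout (most significant first):
  DSCP bits 5-3 = class (CS bits, identical to IPP/CoS), bits 2-1 = drop
  preference for AF, bit 0 = 0 for AF and CS. EF is the fixed value 46.
"""

BE = 0    # Best-Effort: all six bits zero
EF = 46   # Expedited Forwarding, RFC 3246: binary 101110


def af(cls: int, drop: int) -> int:
    """DSCP value for AFxy: class 1-4 in bits 5-3, drop preference 1-3 in bits 2-1."""
    if cls not in (1, 2, 3, 4) or drop not in (1, 2, 3):
        raise ValueError("AF class must be 1-4 and drop preference 1-3")
    return (cls << 3) | (drop << 1)


def cs(cls: int) -> int:
    """DSCP value for class selector CSx (0-7): only the three class bits are set."""
    if not 0 <= cls <= 7:
        raise ValueError("CS class must be 0-7")
    return cls << 3


def dscp_name(dscp: int) -> str:
    """Map a 6-bit DSCP value to its per-hop-behavior name."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == BE:
        return "BE"
    if dscp == EF:
        return "EF"
    cls = dscp >> 3              # bits 5-3
    drop = (dscp >> 1) & 0b11    # bits 2-1
    low = dscp & 1               # bit 0, must be 0 for AF and CS
    if drop == 0 and low == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and 1 <= drop <= 3 and low == 0:
        return f"AF{cls}{drop}"
    return f"DSCP{dscp}"         # valid value without a standard name


def cos_from_dscp(dscp: int) -> int:
    """Layer 2 CoS (and IP Precedence) equivalent: the three class-selector bits."""
    return (dscp >> 3) & 0b111


def dscp_from_tos(tos_byte: int) -> int:
    """Extract DSCP from the 8-bit ToS (IPv4) / Traffic Class (IPv6) byte."""
    return (tos_byte & 0xFF) >> 2


def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Build the ToS / Traffic Class byte from a DSCP value and the two ECN bits."""
    return ((dscp & 0x3F) << 2) | (ecn & 0b11)


if __name__ == "__main__":
    for value in (BE, af(3, 2), EF, cs(5), af(1, 1)):
        print(f"{value:2d} {value:06b} {dscp_name(value):5s} CoS {cos_from_dscp(value)}")
```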

Trust Boundaries
Traffic should be classified and marked as close to its source as technically and administratively feasible.
This defines the trust boundary.
1. Trusted endpoints have the capabilities and intelligence to mark application traffic to the appropriate
Layer 2 CoS and/or Layer 3 DSCP values.
2. Secure endpoints can have traffic marked at the Layer 2 switch.
3. Traffic can also be marked at Layer 3 switches / routers.
Congestion Avoidance
Congestion avoidance tools monitor network traffic loads in an effort to anticipate and avoid congestion at
common network and internetwork bottlenecks before congestion becomes a problem.
• They monitor the average depth of the queue. When the queue is below the minimum threshold, there are no
drops. As the queue fills up to the maximum threshold, a small percentage of packets are dropped. When the
maximum threshold is passed, all packets are dropped.

Some congestion avoidance techniques provide preferential treatment for which packets get dropped.
• Weighted random early detection (WRED) allows for congestion avoidance on network interfaces by
providing buffer management and allowing TCP traffic to decrease, or throttle back, before buffers are
exhausted.
• WRED helps avoid tail drops and maximizes network use and TCP-based application performance.
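The minimum/maximum threshold behaviour described above, as an added example that is not from the study guide. The thresholds, the linear ramp up to 1/mark-probability-denominator and the per-class AF1y profiles are a simplified, constructed model of IOS WRED, not its exact implementation.

```python
"""Simplified WRED drop decision on an average queue depth.

Added example, not from the study guide. Assumed model: below min-threshold no
packet is dropped; between min and max the drop probability rises linearly up
to 1/mark-probability-denominator; at or above max-threshold every arriving
packet is dropped (tail drop). Profiles per AF drop preference are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WredProfile:
    min_threshold: int               # packets; below this, no random drops
    max_threshold: int               # packets; at or above this, tail drop
    mark_prob_denominator: int = 10  # 1/10: at most 10% dropped just below max


# Constructed per-class profiles (not IOS defaults): a higher drop preference
# (AF13) starts to be dropped at a shallower queue than AF11.
PROFILES = {
    "AF11": WredProfile(min_threshold=32, max_threshold=40),
    "AF12": WredProfile(min_threshold=28, max_threshold=40),
    "AF13": WredProfile(min_threshold=24, max_threshold=40),
}


def average_depth(previous_avg: float, current_depth: int, exponent: int = 9) -> float:
    """Exponentially weighted average queue depth with weight 2^-exponent."""
    weight = 1.0 / (1 << exponent)
    return (1.0 - weight) * previous_avg + weight * current_depth


def drop_probability(avg_depth: float, profile: WredProfile) -> float:
    """Probability that WRED discards an arriving packet at this average depth."""
    if avg_depth < profile.min_threshold:
        return 0.0
    if avg_depth >= profile.max_threshold:
        return 1.0
    span = profile.max_threshold - profile.min_threshold
    position = (avg_depth - profile.min_threshold) / span  # 0.0 .. 1.0 inside the window
    return position / profile.mark_prob_denominator


def wred_region(avg_depth: float, profile: WredProfile) -> str:
    """Name the regime the queue is in: 'no-drop', 'random-drop' or 'tail-drop'."""
    p = drop_probability(avg_depth, profile)
    if p == 0.0:
        return "no-drop"
    if p == 1.0:
        return "tail-drop"
    return "random-drop"


def drop_probabilities(avg_depth: float) -> dict:
    """Drop probability per AF1y class at one average depth, to compare drop preferences."""
    return {name: drop_probability(avg_depth, prof) for name, prof in PROFILES.items()}


if __name__ == "__main__":
    # Constructed burst: the instantaneous queue sits at 36 packets for 3000 arrivals
    avg = 0.0
    for _ in range(3000):
        avg = average_depth(avg, 36)
    print(f"average depth {avg:.1f}: {drop_probabilities(avg)}")
```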

Shaping and Policing


Traffic shaping and traffic policing are two mechanisms provided by Cisco IOS QoS software to prevent
congestion.
• Traffic shaping retains excess packets in a queue and then schedules the excess for later transmission over
increments of time. Traffic shaping results in a smoothed packet output rate.
• Shaping is an outbound concept; packets going out an interface get queued and can be shaped. In contrast,
policing is applied to inbound traffic on an interface.

Policing is applied to inbound traffic on an interface. Policing is commonly implemented by service providers to
enforce a contracted customer information rate (CIR). However, the service provider may also allow bursting over the
CIR if the service provider’s network is not currently experiencing congestion.

QoS Policy Guidelines


QoS policies must consider the full path from source to destination. A few guidelines that help ensure the
best experience for end users include the following:
• Enable queuing at every device in the path between source and destination.
• Classify and mark traffic as close to the source as possible.
• Shape and police traffic flows as close to their sources as possible.
Network Management

Device Discovery with CDP


CDP is a Cisco proprietary Layer 2 protocol that is used to gather information about Cisco devices which
share the same data link. CDP is media and protocol independent and runs on all Cisco devices, such as
routers, switches, and access servers.
The device sends periodic CDP advertisements to connected devices. These advertisements share
information about the type of device that is discovered, the name of the devices, and the number and type of
the interfaces.

Configure and Verify CDP


• For Cisco devices, CDP is enabled by default. To verify the status of CDP and display information
about CDP, enter the show cdp command.
• To disable CDP on a specific interface, enter no cdp enable in the interface configuration mode.
CDP is still enabled on the device; however, no more CDP advertisements will be sent out that
interface. To enable CDP on the specific interface again, enter cdp enable.
• To enable CDP globally for all the supported interfaces on the device, enter cdp run in the global
configuration mode. CDP can be disabled for all the interfaces on the device with the no cdp
run command in the global configuration mode.
• Use the show cdp interface command to display the interfaces that are CDP-enabled on a device.
The status of each interface is also displayed.

Discover Devices by Using CDP


• With CDP enabled on the network, the show cdp neighbors command can be used to determine the
network layout, as shown in the output.
• The output shows that there is another Cisco device, S1, connected to the G0/0/1 interface on R1.
Furthermore, S1 is connected through its F0/5
R1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
S1 Gig 0/0/1 179 S I WS-C3560- Fas 0/5
The network administrator uses show cdp neighbors detail to discover the IP address for S1. As displayed
in the output, the address for S1 is 192.168.1.2.
R1# show cdp neighbors detail
-------------------------
Device ID: S1
Entry address(es):
IP address: 192.168.1.2
Platform: cisco WS-C3560-24TS, Capabilities: Switch IGMP
Interface: GigabitEthernet0/0/1, Port ID (outgoing port): FastEthernet0/5
Holdtime : 136 sec
(output omitted)

Device Discovery with LLDP


Link Layer Discovery Protocol (LLDP) is a vendor-neutral neighbor discovery protocol similar to CDP.
LLDP works with network devices, such as routers, switches, and wireless LAN access points. This protocol
advertises its identity and capabilities to other devices and receives the information from a physically-
connected Layer 2 device.

Configure and Verify LLDP


• LLDP may be enabled by default. To enable LLDP globally on a Cisco network device, enter
the lldp run command in the global config mode. To disable LLDP, enter the no lldp run command
in the global config mode.
• LLDP can be configured on specific interfaces. However, LLDP must be configured separately to transmit and
receive LLDP packets.
• To verify LLDP is enabled, enter the show lldp command in privileged EXEC mode.
Switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# lldp run
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# lldp transmit
Switch(config-if)# lldp receive
Switch(config-if)# end
Switch# show lldp
Global LLDP Information:
Status: ACTIVE
LLDP advertisements are sent every 30 seconds
LLDP hold time advertised is 120 seconds
LLDP interface reinitialisation delay is 2 seconds

Discover Devices by Using LLDP


With LLDP enabled, device neighbors can be discovered by using the show lldp neighbors command.
S1# show lldp neighbors
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID Local Intf Hold-time Capability Port ID
R1 Fa0/5 117 R Gi0/0/1
S2 Fa0/1 112 B Fa0/1
Total entries displayed: 2
When more details about the neighbors are needed, the show lldp neighbors detail command can provide
information, such as the neighbor IOS version, IP address, and device capability.
S1# show lldp neighbors detail
------------------------------------------------
Chassis id: 848a.8d44.49b0
Port id: Gi0/0/1
Port Description: GigabitEthernet0/0/1
System Name: R1
System Description: Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_.....,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Thu 22-Aug-19 18:09 by mcpre
Time remaining: 111 seconds
System Capabilities: B,R
Enabled Capabilities: R
Management Addresses - not advertised
(output omitted)

NTP

Time and Calendar Services


• The software clock on a router or switch starts when the system boots. It is the primary source of
time for the system. It is important to synchronize the time across all devices on the network. When
the time is not synchronized between devices, it will be impossible to determine the order of the
events and the cause of an event.
• Typically, the date and time settings on a router or switch can be set by using one of two methods.
You can manually configure the date and time, as shown in the example, or configure the Network
Time Protocol (NTP).
R1# clock set 20:36:00 nov 15 2019
R1#
*Nov 15 20:36:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 21:32:31 UTC Fri
Nov 15 2019 to 20:36:00 UTC Fri Nov 15 2019, configured from console by console.

As a network grows, it becomes difficult to ensure that all infrastructure devices are operating with
synchronized time using the manual method.
A better solution is to configure NTP on the network. This protocol allows routers on the network to
synchronize their time settings with an NTP server, which provides more consistent time settings. NTP can
be set up to synchronize to a private master clock, or it can synchronize to a publicly available NTP server
on the internet. NTP uses UDP port 123 and is documented in RFC 1305.
NTP Operation

NTP networks use a hierarchical system of time sources.


Each level in this hierarchical system is called a stratum.
The stratum level is defined as the number of hop counts
from the authoritative source. The synchronized time is
distributed across the network by using NTP.
The max hop count is 15. Stratum 16, the lowest stratum
level, indicates that a device is unsynchronized.
• Stratum 0: These authoritative time sources are
high-precision timekeeping devices assumed to be
accurate and with little or no delay associated with
them.
• Stratum 1: Devices that are directly connected to the authoritative time sources. They act as the primary
network time standard.
• Stratum 2 and Lower: Stratum 2 servers are connected to stratum 1 devices through network connections.
Stratum 2 devices, such as NTP clients, synchronize their time by using the NTP packets from stratum 1
servers. They could also act as servers for stratum 3 devices.
Time servers on the same stratum level can be configured to act as a peer with other time servers on the
same stratum level for backup or verification of time.

Configure and Verify NTP


• Before NTP is configured on the network, the show clock command displays the current time on the
software clock. With the detail option, notice that the time source is user configuration. That means
the time was manually configured with the clock command.
• The ntp server ip-address command is issued in global configuration mode to configure 209.165.200.225
as the NTP server for R1. To verify the time source is set to NTP, use the show clock detail command.
Notice that now the time source is NTP.
R1# show clock detail
20:55:10.207 UTC Fri Nov 15 2019
Time source is user configuration
R1# config t
R1(config)# ntp server 209.165.200.225
R1(config)# end
R1# show clock detail
21:01:34.563 UTC Fri Nov 15 2019
Time source is NTP

The show ntp associations and show ntp status commands are used to verify that R1 is synchronized with the NTP
server at 209.165.200.225. Notice that R1 is synchronized with a stratum 1 NTP server at 209.165.200.225, which is
synchronized with a GPS clock. The show ntp status command displays that R1 is now a stratum 2 device that is
synchronized with the NTP server at 209.165.200.225.
R1# show ntp associations
address ref clock st when poll reach delay offset disp
*~209.165.200.225 .GPS. 1 61 64 377 0.481 7.480 4.261
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1# show ntp status
Clock is synchronized, stratum 2, reference is 209.165.200.225
nominal freq is 250.0000 Hz, actual freq is 249.9995 Hz, precision is 2**19
(output omitted)
• The clock on S1 is configured to synchronize to R1 with the ntp server command and the
configuration is verified with the show ntp associations command.
• Output from the show ntp associations command verifies that the clock on S1 is now synchronized
with R1 at 192.168.1.1 via NTP. R1 is a stratum 2 device, making S1 a stratum 3 device that can
provide NTP service to other devices in the network.
S1(config)# ntp server 192.168.1.1
S1(config)# end
S1# show ntp associations
address ref clock st when poll reach delay offset disp
*~192.168.1.1 209.165.200.225 2 12 64 377 1.066 13.616 3.840
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
(output omitted)
S1# show ntp status
Clock is synchronized, stratum 3, reference is 192.168.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2088 Hz, precision is 2**17
(output omitted)
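The two show ntp associations outputs above can be checked mechanically. The following is an added example (not part of the study guide) that parses that output, derives the stratum the device will advertise (sys.peer stratum + 1, or 16 when nothing is selected), and flags the conditions a monitoring job should alert on; the 10.0.0.5 row is a constructed unhealthy sample, and the 128 ms offset threshold is an assumed policy value.

```python
import re
from dataclasses import dataclass
from typing import List

# Legend printed by IOS under 'show ntp associations'.
FLAG_MEANING = {"*": "sys.peer", "#": "selected", "+": "candidate",
                "-": "outlyer", "x": "falseticker", "~": "configured"}
UNSYNCHRONIZED_STRATUM = 16  # stratum 16 means the clock is not synchronized
FULL_REACH = 0o377           # all of the last eight polls were answered

_ROW_RE = re.compile(r"^([*#+\-x~]*)(\S+)$")  # leading flag characters, then the address


@dataclass(frozen=True)
class NtpAssociation:
    flags: str
    address: str
    ref_clock: str
    stratum: int
    reach: int          # 8-bit shift register of recent polls, printed in octal by IOS
    delay_ms: float
    offset_ms: float
    disp_ms: float

    @property
    def is_sys_peer(self) -> bool:
        return "*" in self.flags

    @property
    def is_falseticker(self) -> bool:
        return "x" in self.flags

    def reach_count(self) -> int:
        """How many of the last eight polls were answered."""
        return bin(self.reach).count("1")


def parse_ntp_associations(output: str) -> List[NtpAssociation]:
    """Parse the rows of 'show ntp associations', skipping the header and legend lines."""
    rows = []
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 9 or tokens[0] == "address" or "sys.peer" in line:
            continue
        m = _ROW_RE.match(tokens[0])
        if m is None:
            continue
        ref_clock, stratum, _when, _poll, reach, delay, offset, disp = tokens[1:9]
        rows.append(NtpAssociation(flags=m.group(1), address=m.group(2), ref_clock=ref_clock,
                                   stratum=int(stratum), reach=int(reach, 8),
                                   delay_ms=float(delay), offset_ms=float(offset),
                                   disp_ms=float(disp)))
    return rows


def local_stratum(assocs: List[NtpAssociation]) -> int:
    """Stratum this device advertises downstream: sys.peer stratum + 1, else 16."""
    for a in assocs:
        if a.is_sys_peer and a.stratum < UNSYNCHRONIZED_STRATUM:
            return a.stratum + 1
    return UNSYNCHRONIZED_STRATUM


def health_problems(assocs: List[NtpAssociation], max_offset_ms: float = 128.0) -> List[str]:
    """Conditions worth alerting on: unsynchronized clocks make log timestamps unreliable."""
    problems = []
    if not any(a.is_sys_peer for a in assocs):
        problems.append("no sys.peer selected: local clock is free-running (stratum 16)")
    for a in assocs:
        if a.stratum >= UNSYNCHRONIZED_STRATUM:
            problems.append(f"{a.address}: source itself is unsynchronized")
        if a.reach != FULL_REACH:
            problems.append(f"{a.address}: only {a.reach_count()}/8 recent polls answered")
        if a.is_falseticker:
            problems.append(f"{a.address}: flagged as falseticker (disagrees with other sources)")
        if abs(a.offset_ms) > max_offset_ms:
            problems.append(f"{a.address}: offset {a.offset_ms} ms exceeds {max_offset_ms} ms")
    return problems


# Output quoted from the study guide: R1 synchronized to a stratum 1, GPS-referenced server.
R1_OUTPUT = """address ref clock st when poll reach delay offset disp
*~209.165.200.225 .GPS. 1 61 64 377 0.481 7.480 4.261
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
# Output quoted from the study guide: S1 synchronized to R1, which is now stratum 2.
S1_OUTPUT = """address ref clock st when poll reach delay offset disp
*~192.168.1.1 209.165.200.225 2 12 64 377 1.066 13.616 3.840
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
# Constructed sample (not from the page): a configured server that has never answered.
UNHEALTHY_OUTPUT = """address ref clock st when poll reach delay offset disp
~10.0.0.5 .INIT. 16 - 64 0 0.000 0.000 16000.0
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

if __name__ == "__main__":
    for name, out in (("R1", R1_OUTPUT), ("S1", S1_OUTPUT), ("bad", UNHEALTHY_OUTPUT)):
        a = parse_ntp_associations(out)
        print(name, "advertises stratum", local_stratum(a), health_problems(a) or "healthy")
```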

SNMP

Introduction to SNMP
SNMP was developed to allow administrators to manage nodes on an IP network. It enables network
administrators to monitor and manage network performance, find and solve network problems, and plan for
network growth.
SNMP is an application layer protocol that provides a message format for communication between managers
and agents. The SNMP system consists of three elements:
• SNMP manager
• SNMP agents (managed node)
• Management Information Base (MIB)

SNMP defines how management information is exchanged between network management applications and
management agents. The SNMP manager polls the agents and queries the MIB for SNMP agents on UDP
port 161. SNMP agents send any SNMP traps to the SNMP manager on UDP port 162.
• The SNMP manager is part of a network management
system (NMS). The SNMP manager can collect
information from an SNMP agent by using the “get”
action and can change configurations on an agent by
using the “set” action. SNMP agents can forward
information directly to a network manager by using
“traps”.
• The SNMP agent and MIB reside on SNMP client
devices. MIBs store data about the device and
operational statistics and are meant to be available to
authenticated remote users. The SNMP agent is
responsible for providing access to the local MIB.
SNMP Operation
• SNMP agents that reside on managed devices collect and store information about the device and its
operation locally in the MIB. The SNMP manager then uses the SNMP agent to access information
within the MIB.
• There are two primary SNMP manager requests, get and set. In addition to configuration, a set can
cause an action to occur, like restarting a router.

• get-request - Retrieves a value from a specific variable.
• get-next-request - Retrieves a value from a variable within a table; the SNMP manager does not need to know
the exact variable name. A sequential search is performed to find the needed variable from within a table.
• get-bulk-request - Retrieves large blocks of data, such as multiple rows in a table, that would otherwise
require the transmission of many small blocks of data. (Only works with SNMPv2 or later.)
• get-response - Replies to a get-request, get-next-request, and set-request sent by an NMS.
• set-request - Stores a value in a specific variable.

The SNMP agent responds to SNMP manager requests as follows:


• Get an MIB variable - The SNMP agent performs this function in response to a GetRequest-PDU from the
network manager. The agent retrieves the value of the requested MIB variable and responds to the network
manager with that value.
• Set an MIB variable - The SNMP agent performs this function in response to a SetRequest-PDU from the
network manager. The SNMP agent changes the value of the MIB variable to the value specified by the
network manager. An SNMP agent reply to a set request includes the new settings in the device.

SNMP Agent Traps


• Traps are unsolicited messages alerting the SNMP manager to a condition or event on the network. Trap-
directed notifications reduce network and agent resources by eliminating the need for some of SNMP polling
requests.
• The figure illustrates the use of an
SNMP trap to alert the network
administrator that interface G0/0/0
has failed. The NMS software can
send the network administrator a text
message, pop up a window on the
NMS software, or turn the router
icon red in the NMS GUI.
SNMP Versions
• SNMPv1 - Legacy standard defined in RFC 1157. Uses a simple community-string based
authentication method. Should not be used due to security risks.
• SNMPv2c - Defined in RFCs 1901-1908. Uses a simple community-string based authentication
method. Provides for bulk retrieval options, as well as more detailed error messages.
• SNMPv3 - Defined in RFCs 3410-3415. Uses username authentication, provides data integrity
using HMAC-MD5 or HMAC-SHA, and provides encryption using DES, 3DES, or AES.

Community Strings
SNMPv1 and SNMPv2c use community strings that control access to the MIB. Community strings are
plaintext passwords. SNMP community strings authenticate access to MIB objects.
There are two types of community strings:
• Read-only (ro) - This type provides access to the MIB variables, but does not allow these variables to be
changed, only read. Because security is minimal in version 2c, many organizations use SNMPv2c in read-only
mode.
• Read-write (rw) - This type provides read and write access to all objects in the MIB.

To view or set MIB variables, the user must specify the appropriate community string for read or write
access.

MIB Object ID
The MIB organizes variables hierarchically. Formally, the MIB defines each variable as an object ID (OID).
OIDs uniquely identify managed objects. The MIB organizes the OIDs based on RFC standards into a
hierarchy of OIDs, usually shown as a tree.
• The MIB tree for any given device includes some branches with variables common to many networking
devices and some branches with variables specific to that
device or vendor.
• RFCs define some common public variables. Most devices
implement these MIB variables. In addition, networking
equipment vendors, like Cisco, can define their own private
branches of the tree to accommodate new variables specific to
their devices.

The figure shows portions of the MIB structure defined by Cisco. Note how the OID can be described in words
or numbers to help locate a particular variable in the tree.
OIDs belonging to Cisco are numbered as follows: .iso (1).org (3).dod (6).internet (1).private (4).enterprises
(1).cisco (9). Therefore, the OID is 1.3.6.1.4.1.9.
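The word-or-number naming described above is easy to automate. The following is an added example (not part of the study guide) that walks a small MIB name tree in both directions, so that the Cisco enterprise path resolves to 1.3.6.1.4.1.9 and a numeric OID such as 1.3.6.1.4.1.9.2.1.58.0 is classified as Cisco-private rather than standard; the mgmt/mib-2 system group (sysDescr, sysUpTime, sysName from RFC 1213) is included as an assumption for contrast and is not taken from the page.

```python
from typing import List, Optional, Tuple

# Each node maps a child label to (sub-identifier, children).  Only the arcs the
# example needs are present; anything else stays numeric when resolved.
MIB_TREE: dict = {
    "iso": (1, {
        "org": (3, {
            "dod": (6, {
                "internet": (1, {
                    "mgmt": (2, {                      # assumed for contrast (RFC 1213)
                        "mib-2": (1, {
                            "system": (1, {
                                "sysDescr": (1, {}),
                                "sysUpTime": (3, {}),
                                "sysName": (5, {}),
                            }),
                        }),
                    }),
                    "private": (4, {                   # the path walked in the text
                        "enterprises": (1, {
                            "cisco": (9, {}),
                        }),
                    }),
                }),
            }),
        }),
    }),
}

CISCO_ENTERPRISE_OID = "1.3.6.1.4.1.9"   # from the text
MIB2_OID = "1.3.6.1.2.1"                 # assumed: standard mib-2 subtree


def _arcs(oid: str) -> List[int]:
    """Split '1.3.6.1.4.1.9' into integers, rejecting malformed input."""
    parts = oid.strip(".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OID {oid!r}")
    return [int(p) for p in parts]


def name_to_oid(dotted_name: str) -> str:
    """'iso.org.dod.internet.private.enterprises.cisco' -> '1.3.6.1.4.1.9'.
    Numeric components (e.g. an instance suffix '.0') are passed through unchanged."""
    node = MIB_TREE
    out: List[str] = []
    for label in dotted_name.strip(".").split("."):
        if label.isdigit():
            out.append(label)
            node = {}                 # below a numeric arc no names are known
        elif label in node:
            sub_id, node = node[label]
            out.append(str(sub_id))
        else:
            raise KeyError(f"unknown MIB label {label!r}")
    return ".".join(out)


def oid_to_name(oid: str) -> str:
    """'1.3.6.1.4.1.9.2.1.58.0' -> 'iso.org.dod.internet.private.enterprises.cisco.2.1.58.0'.
    Arcs the tree does not know remain numeric."""
    node = MIB_TREE
    labels: List[str] = []
    for arc in _arcs(oid):
        hit: Optional[Tuple[str, dict]] = None
        for name, (sub_id, child) in node.items():
            if sub_id == arc:
                hit = (name, child)
                break
        if hit is None:
            node = {}
            labels.append(str(arc))
        else:
            labels.append(hit[0])
            node = hit[1]
    return ".".join(labels)


def is_under(oid: str, prefix: str) -> bool:
    """Arc-wise prefix test: '1.3.6.1.4.1.90' is NOT under '1.3.6.1.4.1.9'."""
    a, p = _arcs(oid), _arcs(prefix)
    return a[:len(p)] == p


def classify(oid: str) -> str:
    """Tell whether a polled variable is a public mib-2 object or a Cisco private one."""
    if is_under(oid, CISCO_ENTERPRISE_OID):
        return "Cisco private"
    if is_under(oid, MIB2_OID):
        return "standard (mib-2)"
    return "other"
```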
SNMP Polling Scenario
• SNMP can be used to observe CPU utilization over a period of time by polling devices. CPU
statistics can then be compiled on the NMS and graphed. This creates a baseline for the network
administrator.
• The data is retrieved via the snmpget utility, issued on the NMS. Using the snmpget utility, you can
manually retrieve real-time data, or have the NMS run a report. Such a report covers a period of time,
and the data collected over that period can be used to compute the average.

SNMP Object Navigator


The snmpget utility gives some insight into the basic mechanics of how SNMP works. However, working
with long MIB variable names like 1.3.6.1.4.1.9.2.1.58.0 can be problematic for the average user. More
commonly, the network operations staff uses a network management product with an easy-to-use GUI,
which makes the entire MIB data variable naming transparent to the user.
The Cisco SNMP Navigator on the http://www.cisco.com website allows a network administrator to
research details about a particular OID.
Syslog

Introduction to Syslog
Syslog uses UDP port 514 to send event notification messages across IP networks to event message
collectors, as shown in the figure.
The syslog logging service provides three primary functions,
as follows:
• The ability to gather logging information for
monitoring and troubleshooting
• The ability to select the type of logging information
that is captured
• The ability to specify the destinations of captured
syslog messages

Syslog Operation

The syslog protocol starts by sending system messages and debug output to a local logging process. Syslog
configuration may send these messages across the network to an external syslog server, where they can be
retrieved without needing to access the actual device.
Alternatively, syslog messages may be sent to an internal buffer. Messages sent to the internal buffer are
only viewable through the CLI of the device.
The network administrator may specify that only certain types of system messages be sent to various
destinations. Popular destinations for syslog messages include the following:
• Logging buffer (RAM inside a router or switch)
• Console line
• Terminal line
• Syslog server

Syslog Message Format

Cisco devices produce syslog messages as a result of network events. Every syslog message contains a
severity level and a facility.
The smaller numerical levels are the more critical syslog alarms. The severity level of the messages can be
set to control where each type of message is displayed (i.e. on the console or the other destinations).
The complete list of syslog levels is shown in the table.

Severity Name - Severity Level - Explanation
Emergency - Level 0 - System Unusable
Alert - Level 1 - Immediate Action Needed
Critical - Level 2 - Critical Condition
Error - Level 3 - Error Condition
Warning - Level 4 - Warning Condition
Notification - Level 5 - Normal, but Significant Condition
Informational - Level 6 - Informational Message
Debugging - Level 7 - Debugging Message

Syslog Facilities
In addition to specifying the severity, syslog messages also contain information on the facility. Syslog
facilities are service identifiers that identify and categorize system state data for error and event message
reporting. The logging facility options that are available are specific to the networking device.
Some common syslog message facilities reported on Cisco IOS routers include:
• IP
• OSPF protocol
• SYS operating system
• IP security (IPsec)
• Interface IP (IF)

By default, the format of syslog messages on the Cisco IOS Software is as follows:
%facility-severity-MNEMONIC: description

For example, sample output on a Cisco switch for an EtherChannel link changing state to up is:
%LINK-3-UPDOWN: Interface Port-channel1, changed state to up

Here the facility is LINK and the severity level is 3, with a MNEMONIC of UPDOWN.
Configure Syslog Timestamp
By default, log messages are not timestamped. Log messages should be timestamped so that when they are
sent to another destination, such as a Syslog server, there is record of when the message was generated. Use
the command service timestamps log datetime to force logged events to display the date and time.

R1# configure terminal


R1(config)# interface g0/0/0
R1(config-if)# shutdown
%LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
R1(config-if)# exit
R1(config)# service timestamps log datetime
R1(config)# interface g0/0/0
R1(config-if)# no shutdown
*Mar 1 11:52:42: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down
*Mar 1 11:52:45: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
*Mar 1 11:52:46: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0,
changed state to up
R1(config-if)#
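The %facility-severity-MNEMONIC format and the severity table above lend themselves to a small parser. The following is an added example (not the study guide's code) that parses IOS log lines with or without the timestamp added by service timestamps log datetime, applies the "level N receives severities 0..N" rule used by the IOS logging trap / logging console commands, and reports messages that carry no timestamp; the sample lines are quoted from the page, except the two marked as constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity names from the table in the text (lower number = more severe).
SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notification", 6: "Informational", 7: "Debugging"}

# IOS default format  %facility-severity-MNEMONIC: description, optionally preceded by a
# sequence number and by the "*Mar 1 11:52:42:" style timestamp that
# 'service timestamps log datetime' adds (milliseconds optional).
_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"
    r"(?:(?P<ts>\*?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$")


@dataclass(frozen=True)
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    description: str
    timestamp: Optional[str]

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_ios_syslog(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None for lines that are not system messages
    (CLI prompts, command echoes, copy progress and so on)."""
    m = _MSG_RE.match(line.strip())
    if m is None:
        return None
    return SyslogMessage(m["facility"], int(m["severity"]), m["mnemonic"],
                         m["description"].strip(), m["ts"])


def select_for_destination(lines: List[str], max_level: int) -> List[SyslogMessage]:
    """Emulate a destination configured at severity max_level (e.g. 'logging trap 4'):
    it receives every message whose severity number is <= max_level."""
    kept = []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is not None and msg.severity <= max_level:
            kept.append(msg)
    return kept


def untimestamped(lines: List[str]) -> List[SyslogMessage]:
    """Messages with no timestamp: once forwarded to a syslog server, the time they were
    generated is lost, which is why 'service timestamps log datetime' should be enabled."""
    return [m for m in map(parse_ios_syslog, lines) if m is not None and m.timestamp is None]


SAMPLE_LOG = [
    # Lines quoted from the study guide:
    "%LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "%LINK-5-CHANGED: Interface GigabitEthernet0/0/0, changed state to administratively down",
    "*Mar 1 11:52:42: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down",
    "*Nov 15 20:36:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from "
    "21:32:31 UTC Fri Nov 15 2019 to 20:36:00 UTC Fri Nov 15 2019, configured from console by console.",
    # Constructed lines (not from the page) to exercise the filter:
    "R1(config-if)# no shutdown",
    "*Mar 1 11:53:00: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for msg in select_for_destination(SAMPLE_LOG, 4):
        print(msg.timestamp or "<no timestamp>", msg.facility, msg.severity_name, msg.mnemonic)
    print(len(untimestamped(SAMPLE_LOG)), "message(s) without a timestamp")
```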

Router and Switch File Maintenance

Router File Systems


The Cisco IOS File System (IFS) allows the
administrator to navigate to different directories and list
the files in a directory. The administrator can also create
subdirectories in flash memory or on a disk. The
directories available depend on the device.
The example displays the output of the show file
systems command, which lists all of the available file
systems on a Cisco 4221 router.

The asterisk indicates the current default file system. The pound sign (#) indicates a bootable disk. Both of
these are assigned to the flash file system by default.

Because flash is the default file system, the dir command lists the contents of flash. Of specific interest is
the last listing. This is the name of the current Cisco IOS file image that is running in RAM.
To view the contents of NVRAM, you must change
the current default file system by using
the cd (change directory) command, as shown in the
example.
The present working directory command is pwd.
This command verifies that we are viewing the
NVRAM directory. Finally, the dir command lists
the contents of NVRAM. Although there are several
configuration files listed, of specific interest is the
startup-configuration file.

With the Cisco 2960 switch flash file system, you can copy configuration files, and archive (upload and
download) software images.
The command to view the file systems on a Catalyst switch is the same as on a Cisco router: show file
systems.

Use a Text File to Back Up a Configuration

Configuration files can be saved to a text file by using Tera Term:


Step 1. On the File menu, click Log.
Step 2. Choose the location to save the file. Tera Term
will begin capturing text.
Step 3. After capture has been started, execute the show
running-config or show startup-config command at the
privileged EXEC prompt. Text displayed in the terminal
window will be directed to the chosen file.
Step 4. When the capture is complete, select Close in the
Tera Term: Log window.
Step 5. View the file to verify that it was not corrupted.
Use a Text File to Restore a Configuration

A configuration can be copied from a file and then directly pasted to a device. The file will require editing to
ensure that encrypted passwords are in plaintext, and that non-command text such as --More-- and IOS
messages are removed.
In addition, you may want to add enable and configure terminal to the beginning of the file or enter global
configuration mode before pasting the configuration. Instead of copying and pasting, a configuration can be
restored from a text file by using Tera Term. When using Tera Term, the steps are as follows:
Step 1. On the File menu, click Send file.
Step 2. Locate the file to be copied into the device and click Open.
Step 3. Tera Term will paste the file into the device.

The text in the file will be applied as commands in the CLI and become the running configuration on the
device.

Using TFTP to Back Up and Restore a Configuration

Follow these steps to back up the running configuration to a TFTP server:


Step 1. Enter the copy running-config tftp command.
Step 2. Enter the IP address of the host where the configuration file will be stored.
Step 3. Enter the name to assign to the configuration file.
Step 4. Press Enter to confirm each choice.

Use the following steps to restore the running configuration from a TFTP server:
Step 1. Enter the copy tftp running-config command.
Step 2. Enter the IP address of the host where the configuration file is stored.
Step 3. Enter the name to assign to the configuration file.
Step 4. Press Enter to confirm each choice.
R1# copy running-config tftp
Remote host []?192.168.10.254
Name of the configuration file to write[R1-config]? R1-Jan-2019
Write file R1-Jan-2019 to 192.168.10.254? [confirm]
Writing R1-Jan-2019 !!!!!! [OK]

USB Ports on a Cisco Router


The Universal Serial Bus (USB) storage feature enables certain models of Cisco routers to support USB
flash drives. The USB flash feature provides an optional secondary storage capability and an additional boot
device. The USB ports of a Cisco 4321 Router are shown in the figure.
Use the dir command to view the contents of the USB flash drive.
Using USB to Back Up and Restore a Configuration
• Issue the show file systems command to verify that the USB drive is there and confirm its name. For
this example, the USB file system is named usbflash0:.
• Use the copy run usbflash0:/ command to copy the configuration file to the USB flash drive. Be
sure to use the name of the flash drive, as indicated in the file system. The slash is optional but
indicates the root directory of the USB flash drive.
• The IOS will prompt for the filename. If the file already exists on the USB flash drive, the router will
prompt to overwrite.
R1# copy running-config usbflash0:
Destination filename [running-config]? R1-Config
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
5024 bytes copied in 1.796 secs (2797 bytes/sec)
R1#

Use the dir command to see the file on the USB drive and use the more command to see the contents.
To restore a configuration from a USB flash drive, first edit the R1-Config file on the USB drive with a text
editor. Assuming the file name is R1-Config, use the command copy usbflash0:/R1-Config running-config to
restore the running configuration.

Password Recovery Procedures

Passwords on devices are used to prevent unauthorized access. For encrypted passwords, such as the enable
secret passwords, the passwords must be replaced after recovery. Depending on the device, the detailed
procedure for password recovery varies.
Step 1. Enter the ROMMON mode.
Step 2. Change the configuration register.
Step 3. Copy the startup-config to the running-config.
Step 4. Change the password.
Step 5. Save the running-config as the new startup-config.
Step 6. Reload the device.
Password Recovery Example
Step 1. Enter the ROMMON mode. With console access, a user can access the ROMMON mode by using
a break sequence during the boot up process or removing the external flash memory when the device is
powered off.
When successful, the rommon 1 > prompt displays, as shown in the example.

Readonly ROMMON initialized
monitor: command "boot" aborted due to user interrupt
rommon 1 >

Step 2. Change the configuration register. The confreg 0x2142 command allows the user to set the
configuration register to 0x2142, which causes the device to ignore the startup config file during startup.
After setting the configuration register to 0x2142, type reset at the prompt to restart the device. Enter the
break sequence while the device is rebooting and decompressing the IOS. The example displays the terminal
output of a 1941 router in the ROMMON mode after using a break sequence during the boot up process.

rommon 1 > confreg 0x2142


rommon 2 > reset
System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2010 by cisco Systems, Inc.
(output omitted)

Step 3. Copy the startup-config to the running-config. After the device has finished reloading, issue
the copy startup-config running-config command.
CAUTION: Do not enter copy running-config startup-config. This command erases your original startup
configuration.
Router# copy startup-config running-config
Destination filename [running-config]?
1450 bytes copied in 0.156 secs (9295 bytes/sec)
R1#

Step 4. Change the password. Because you are in privileged EXEC mode, you can now configure all the
necessary passwords.
Note: The password cisco is not a strong password and is used here only as an example.

R1# configure terminal


Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# enable secret cisco

Step 5. Save the running-config as the new startup-config. After the new passwords are configured,
change the configuration register back to 0x2102 by using the config-register 0x2102 command in the
global configuration mode. Save the running-config to startup-config.

R1(config)# config-register 0x2102


R1(config)# end
R1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#
IOS Image Management

TFTP Servers as a Backup Location

As a network grows, Cisco IOS Software images and configuration files can be stored on a central TFTP
server. This helps to control the number of IOS images and the revisions to those IOS images, as well as the
configuration files that must be maintained.
Production internetworks usually span wide areas and contain multiple routers. For any network, it is good
practice to keep a backup copy of the Cisco IOS Software image in case the system image on the router
becomes corrupted or accidentally erased.
Widely distributed routers need a source or backup location for Cisco IOS Software images. Using a
network TFTP server allows image and configuration uploads and downloads over the network. The
network TFTP server can be another router, a workstation, or a host system.

Backup IOS Image to TFTP Server Example

To maintain network operations with minimum down time, it is necessary to have procedures in place for
backing up Cisco IOS images. This allows the network administrator to quickly copy an image back to a
router in case of a corrupted or erased image. Use the following steps:

Step 1. Ping the TFTP server. Ping the TFTP server to test connectivity.
Step 2. Verify image size in flash. Verify that the TFTP server has sufficient disk space to accommodate the Cisco
IOS Software image. Use the show flash0: command on the router to determine the size of the Cisco IOS image file.
Step 3. Copy the image to the TFTP server. Copy the image to the TFTP server by using the copy source-url
destination-url command. After issuing the command by using the specified source and destination URLs, the user is
prompted for the source file name, IP address of the remote host, and destination file name. The transfer will then
begin.

Copy an IOS Image to a Device Example


Step 1. Ping the TFTP server. Ping the TFTP server to test connectivity.
Step 2. Verify the amount of free flash. Ensure that there is sufficient flash space on the device being upgraded by
using the show flash: command. Compare the free flash space with the new image file size.
Step 3. Copy the IOS image file from the TFTP server to the router by using the copy tftp: flash: command. After
issuing this command, the user will be prompted for the IP address of the remote host, source file name, and
destination file name.

R1# copy tftp: flash:


Address or name of remote host []? 2001:DB8:CAFE:100::99
Source filename []? isr4200-universalk9_ias.16.09.04.SPA.bin
Destination filename [isr4200-universalk9_ias.16.09.04.SPA.bin]?
Accessing tftp://2001:DB8:CAFE:100::99/isr4200-universalk9_ias.16.09.04.SPA.bin...
Loading isr4200-universalk9_ias.16.09.04.SPA.bin from 2001:DB8:CAFE:100::99 (via GigabitEthernet0/0/0):
!!!!!!!!!!!!!!!!!!!!
[OK - 517153193 bytes]
517153193 bytes copied in 868.128 secs (265652 bytes/sec)
The boot system Command

During startup, the bootstrap code parses the startup configuration file in NVRAM for the boot
system commands that specify the name and location of the Cisco IOS Software image to load. Several boot
system commands can be entered in sequence to provide a fault-tolerant boot plan.
If there are no boot system commands in the configuration, the router defaults to loading the first valid
Cisco IOS image in flash memory and runs it.
To upgrade to the copied IOS image after that image is saved on the flash memory of the router, configure
the router to load the new image by using the boot system command. Save the configuration. Reload the
router to boot the router with new image.

R1# configure terminal


R1(config)# boot system flash0:isr4200-universalk9_ias.16.09.04.SPA.bin
R1(config)# exit
R1# copy running-config startup-config
R1# reload

Network Design

Hierarchical Networks

The Need to Scale the Network


Organizations increasingly rely on their network infrastructure to provide mission-critical services.
Evolving organizations require networks that can scale and support:
• Converged network traffic
• Critical applications
• Diverse business needs
• Centralized administrative control
Campus network designs include small networks that use a single LAN switch, up to very large networks
with thousands of connections.
Borderless Switched Networks
The Cisco Borderless Network is a network
architecture that can connect anyone, anywhere,
anytime, on any device; securely, reliably, and
seamlessly.
• It provides the framework to unify wired
and wireless access, built on a hierarchical
infrastructure of hardware that is scalable
and resilient.
• Borderless switched networks are
hierarchical, modular, resilient, and
flexible.

Hierarchy in the Borderless Switched Network


Hierarchical networks use a tiered design of access, distribution, and core layers with each layer performing
a well-defined role in the campus network.

Three-tier layer Two-tier layer

Access, Distribution, and Core Layer Functions


Access Layer
• The access layer provides network access to the user.
• Access layer switches connect to distribution layer switches.
Distribution Layer
• The distribution layer implements routing, quality of service, and security.
• It aggregates large-scale wiring closet networks and limits Layer 2 broadcast domains.
• Distribution layer switches connect to access layer and core layer switches.
Core Layer
• The core layer is the network backbone and connects several layers of the network.
• The core layer provides fault isolation and high-speed backbone connectivity.
Three-Tier and Two-Tier Examples
Three-tier Campus Network
• Used by organizations requiring access, distribution, and core
layers.
• The recommendation is to build an extended-star physical
network topology from a centralized building location to all
other buildings on the same campus.

Two-tier Campus Network


• Used when separate distribution and core layers are not
required.
• Useful for smaller campus locations, or in campus sites
consisting of a single building.
• Also known as the collapsed core network design.

Role of Switched Networks


• Networks have fundamentally changed from a
flat network of hubs to switched LANs in a
hierarchical network.
• A switched LAN allows additional flexibility,
traffic management, quality of service, and security.
• A switched LAN may also support wireless
networking and other technologies such as IP
telephony and mobility services.
Scalable Networks

Design for Scalability


Scalability is the term for a network that can grow without losing availability and reliability.
Network designers must develop strategies to enable the network to be available and to scale effectively and
easily.
This is accomplished using:
• Redundancy
• Multiple Links
• Scalable Routing protocol
• Wireless Connectivity

Plan for Redundancy
Redundancy can prevent disruption of network services by minimizing the possibility of a single point of failure by:
• Installing duplicate equipment
• Providing failover services for critical devices
Redundant paths offer alternate physical paths for data to traverse the network, supporting high availability.
• However, redundant paths in an Ethernet network may cause logical Layer 2 loops.
• Therefore, Spanning Tree Protocol (STP) is required.

Reduce Failure Domain Size
A well-designed network controls traffic and limits the size of failure domains (i.e., the area of a network that is impacted when the network experiences problems).
• In the hierarchical design model, failure domains are terminated at the distribution layer.
• Every router functions as a gateway for a limited number of access layer users.
Routers, or multilayer switches, are usually deployed in pairs in a configuration referred to as a building, or departmental, switch block.
• Each switch block acts independently of the others.
• As a result, the failure of a single device does not cause the network to go down.
Increase Bandwidth
Link aggregation (e.g., EtherChannel) allows an administrator to increase the amount of bandwidth between devices by creating one logical link made up of several physical links.
• EtherChannel combines existing switch ports into one logical link using a Port Channel interface.
• Most configuration tasks are done on the Port Channel interface (instead of on each individual port) to ensure configuration consistency on the links.
• EtherChannel can load balance between links.

Expand the Access Layer
An increasingly popular option for extending access layer connectivity is through wireless.
• Wireless LANs (WLANs) provide increased flexibility, reduced costs, and the ability to grow and adapt to changing network and business requirements.
• To communicate wirelessly, end devices require a wireless NIC to connect to a wireless router or a wireless access point (AP).
Considerations when implementing a wireless network include:
• Types of wireless devices connecting to the WLAN
• Wireless coverage requirements
• Interference considerations
• Security considerations

Tune Routing Protocols
Advanced routing protocols, such as Open Shortest Path First (OSPF), are used in large networks.
• OSPF is a link-state routing protocol that uses areas to support hierarchical networks.
• OSPF routers establish and maintain neighbor adjacencies with other connected OSPF routers.
• OSPF routers synchronize their link-state database.
• When a network change occurs, link-state updates are sent, informing other OSPF routers of the change and establishing a new best path, if one is available.
Switch Hardware

Switch Platforms
There is a variety of switch platforms, form factors, and other features that must be considered before choosing a switch. When designing a network, it is important to select the proper hardware to meet current network requirements, as well as to allow for network growth. Within an enterprise network, both switches and routers play a critical role in network communication.
Campus LAN switches, such as the Cisco 3850 series shown here, support high concentrations of user connections with speed and security appropriate for the enterprise network.
Cisco Meraki cloud-managed access switches enable virtual stacking of switches. They monitor and configure thousands of switch ports over the web, without the intervention of onsite IT staff.
The Cisco Nexus platform promotes infrastructure scalability, operational continuity, and transport flexibility in the data center.
Service provider Ethernet access switches feature application intelligence, unified services, virtualization, integrated security, and simplified management.
Cisco Nexus virtual networking switch platforms provide secure multi-tenant services by adding virtualization intelligence technology to the data center network.
Switch Form Factors
When selecting switches, network administrators must determine the switch form factors. This includes fixed configuration, modular configuration, stackable, or non-stackable.
Features and options on fixed configuration switches are limited to those that originally come with the switch.
The chassis on modular switches accept field-replaceable line cards.
Special cables are used to connect stackable switches that allow them to effectively operate as one large switch.
The thickness of the switch, which is expressed in the number of rack units, is also important for switches that are mounted in a rack. For example, the fixed configuration switches shown in the figure are all one rack unit (1U) or 1.75 inches (44.45 mm) in height.

Port Density
The port density of a switch refers to the number of ports available on a single switch.
Fixed configuration switches support a variety of port density configurations. The Cisco Catalyst 3850 comes in 12-, 24-, and 48-port configurations.
Modular switches can support very high port densities through the addition of multiple switchport line cards. The modular Catalyst 9400 switch supports 384 switchport interfaces.
Forwarding Rates
Forwarding rates define the processing capabilities of a switch by rating how much data the switch can process per second.
• Switch product lines are classified by forwarding rates.
• Entry-level switches have lower forwarding rates than enterprise-level switches.
If the switch forwarding rate is too low, it cannot accommodate full wire-speed communication across all of its switch ports.
• Wire speed is the data rate that each Ethernet port on the switch is capable of attaining.
• Data rates can be 100 Mbps, 1 Gbps, 10 Gbps, or 100 Gbps.
• Access layer switches typically do not need to operate at full wire speed, because they are physically limited by their uplinks to the distribution layer.

Power over Ethernet
Power over Ethernet (PoE) allows the switch to deliver power to a device (e.g., IP phone, AP, camera) over the existing Ethernet cabling. A network administrator should ensure that the PoE features are actually required for a given installation, because switches that support PoE are expensive.

Multilayer Switching
Multilayer switches are typically deployed in the core and distribution layers of an organization's switched
network.
• They support some routing protocols and forward IP packets at a rate close to that of Layer 2 forwarding.
• Multilayer switches often support specialized hardware, such as application-specific integrated circuits
(ASICs).
• ASICs along with dedicated software data structures can streamline the forwarding of IP packets independent
of the CPU.

Business Considerations for Switch Selection
Cost: The cost of a switch will depend on the number and speed of the interfaces, supported features, and expansion capability.
Port density: Network switches must support the appropriate number of devices on the network.
Power: It is now common to power access points, IP phones, and compact switches using Power over Ethernet (PoE). In addition to PoE considerations, some chassis-based switches support redundant power supplies.
Reliability: The switch should provide continuous access to the network.
Port speed: The speed of the network connection is of primary concern to end users.
Frame buffers: The ability of the switch to store frames is important in a network where there may be congested ports to servers or other areas of the network.
Scalability: The number of users on a network typically grows over time; therefore, the switch should provide the opportunity for growth.
Router Hardware

Router Requirements
Routers use the network portion (prefix) of the destination IP address to route packets to the proper destination.
• They select an alternate path if a link goes down.
• All hosts on a network specify the IP address of the local router interface as their default gateway.
Routers also serve other beneficial functions as follows:
• They provide broadcast containment by limiting broadcasts to the local network.
• They interconnect geographically separated locations.
• They group users logically by application or department within a company, who have common needs or require access to the same resources.
• They provide enhanced security by filtering unwanted traffic through access control lists.

Cisco Routers
Branch routers, shown in the figure, optimize branch services on a single platform while delivering an optimal application experience across branch and WAN infrastructures. Shown are the Cisco Integrated Services Router (ISR) 4000 Series Routers.
Network edge routers, shown in the figure, enable the network edge to deliver high-performance, highly secure, and reliable services that unite campus, data center, and branch networks. Shown are the Cisco Aggregation Services Routers (ASR) 9000 Series Routers.
Service provider routers, shown in the figure, deliver end-to-end scalable solutions and subscriber-aware services. Shown are the Cisco Network Convergence System (NCS) 6000 Series Routers.
Industrial routers, such as the ones shown in the figure, are designed to provide enterprise-class features in rugged and harsh environments. Shown are the Cisco 1100 Series Industrial Integrated Services Routers.

Router Form Factors
Cisco 900 Series: This is a small branch office router. It combines WAN, switching, security, and advanced connectivity options in a compact, fanless platform for small and medium-sized businesses.
Cisco ASR 9000 and 1000 Series Aggregation Services Routers: These routers provide density and resiliency with programmability, for a scalable network edge.
Cisco Network Convergence System 5500 Series Routers: These routers are designed to efficiently scale between large data centers and large enterprise networks, web, and service provider WAN and aggregation networks.
Cisco 800 Industrial Integrated Services Router: This router is compact and designed for harsh environments.

Network Troubleshooting

Network Documentation
Accurate and complete network documentation is required to effectively monitor and troubleshoot networks.
Common network documentation includes the following:
• Physical and logical network topology diagrams
• Network device documentation that records all pertinent device information
• Network performance baseline documentation
All network documentation should be kept in a single location and backup documentation should be
maintained and kept in a separate location.
Network Topology Diagrams
There are two types of network topology diagrams: physical and logical.
(Figures: Physical Topology; Logical Topology)
Network Device Documentation
Network device documentation should contain accurate, up-to-date records of the network hardware and software. Documentation should include all pertinent information about the network devices.
(Figures: Router Device Documentation; Switch Device Documentation; End-System Documentation)
Establish a Network Baseline
A network baseline is used to establish normal network performance to determine the "personality" of a network under normal conditions. Establishing a network performance baseline requires collecting performance data from the ports and devices that are essential to network operation.
The baseline data:
• Provides insight into whether the current network design can meet business requirements.
• Can reveal areas of congestion or areas in the network that are underutilized.

Step 1 - Determine What Types of Data to Collect

When conducting the initial baseline, start by selecting a few variables that represent the defined policies.
If too many data points are selected, the amount of data can be overwhelming, making analysis of the
collected data difficult.
Start out simply and fine-tune along the way.
Some good starting variables are interface utilization and CPU utilization.
Step 2 - Identify Devices and Ports of Interest
A logical network topology can be useful in identifying key devices and ports to monitor. As shown in the sample topology, the devices and ports of interest include:
• PC1 (the Admin terminal)
• Two servers (i.e., Srv1 and Srv2)
• Router interfaces
• Key ports on switches

Step 3 - Determine the Baseline Duration
When capturing data for analysis, the period specified should be:
• At a minimum, seven days long.
• No more than six weeks long, unless specific long-term trends need to be measured.
• Generally, a two-to-four-week baseline is adequate.
Conduct an annual analysis of the entire network, or baseline different sections of the network on a rotating basis. Analysis must be conducted regularly to understand how the network is affected by growth and other changes.

Data Measurement
show version: Displays uptime and version information for device software and hardware.
show ip interface [brief], show ipv6 interface [brief]: Displays all the configuration options that are set on an interface.
show interfaces: Displays detailed output for each interface.
show ip route [static | eigrp | ospf | bgp], show ipv6 route [static | eigrp | ospf | bgp]: Displays the routing table content, listing directly connected networks and learned remote networks.
show cdp neighbors detail: Displays detailed information about directly connected Cisco devices.
show arp, show ipv6 neighbors: Displays the contents of the ARP table (IPv4) and the neighbor table (IPv6).
show running-config: Displays the current configuration.
show vlan: Displays the status of VLANs on a switch.
show port: Displays the status of ports on a switch.
show tech-support: Used to collect a large amount of information using multiple show commands for technical support reporting purposes.
Troubleshooting Process

General Troubleshooting Procedures
Troubleshooting can be time consuming because networks differ, problems differ, and troubleshooting experience varies.
• Using a structured troubleshooting method will shorten overall troubleshooting time.
• There are several troubleshooting processes that can be used to solve a problem.
• The figure displays the logic flowchart of a simplified three-stage troubleshooting process.

Seven-Step Troubleshooting Process
Define the Problem: Verify that there is a problem and then properly define what the problem is.
Gather Information: Targets (i.e., hosts, devices) are identified, accessed, and information gathered.
Analyze Information: Identify possible causes using network documentation, network baselines, knowledge bases, and peers.
Eliminate Possible Causes: Progressively eliminate possible causes to eventually identify the most probable cause.
Propose Hypothesis: When the most probable cause has been identified, a solution must be formulated.
Test Hypothesis: Assess the urgency of the problem, create a rollback plan, implement the solution, and verify the outcome.
Solve the Problem: When solved, inform all involved and document the cause and solution to help solve future problems.
Question End Users
The table provides questioning guidelines and sample open-ended end-user questions.
Ask pertinent questions.
• What does not work?
• What exactly is the problem?
• What are you trying to accomplish?
Determine the scope of the problem.
• Who does this issue affect? Is it just you or others?
• What device is this happening on?
Determine when the problem occurred / occurs.
• When exactly does the problem occur?
• When was the problem first noticed?
• Were there any error message(s) displayed?
Determine if the problem is constant or intermittent.
• Can you reproduce the problem?
• Can you send me a screenshot or video of the problem?
Determine if anything has changed.
• What has changed since the last time it did work?
Use questions to eliminate or discover possible problems.
• What works?
• What does not work?

Gather Information
Common Cisco IOS commands used to gather network problem symptoms:
ping {host | ip-address}: Sends an echo request packet to an address, then waits for a reply.
traceroute destination: Identifies the path a packet takes through the networks.
telnet {host | ip-address}: Connects to an IP address using the Telnet application (Note: Use SSH whenever possible).
ssh -l user-id ip-address: Connects to an IP address using SSH.
show ip interface brief, show ipv6 interface brief: Displays a summary status of all interfaces on a device.
show ip route, show ipv6 route: Displays the current IPv4 and IPv6 routing tables.
show protocols: Displays the global and interface-specific status of any configured Layer 3 protocol.
debug: Displays a list of options for enabling or disabling debugging events.

Troubleshooting with Layered Models
The OSI and TCP/IP models can be applied to isolate network problems when troubleshooting. The figure shows some common devices and the OSI layers that must be examined during the troubleshooting process for that device.
Structured Troubleshooting Methods
Bottom-Up: Good approach to use when the problem is suspected to be a physical one.
Top-Down: Use this approach for simpler problems, or when you think the problem is with a piece of software.
Divide-and-Conquer: Start at a middle layer (i.e., Layer 3) and test in both directions from that layer.
Follow-the-Path: Used to discover the actual traffic path from source to destination to reduce the scope of troubleshooting.
Substitution: You physically swap a suspected problematic device with a known, working one.
Comparison: Attempts to resolve the problem by comparing a nonoperational element with the working one.
Educated guess: Success of this method varies based on your troubleshooting experience and ability.

Guidelines for Selecting a Troubleshooting Method
To quickly resolve network problems, take the time to select the most effective network troubleshooting method.
• The figure illustrates which method could be used when a certain type of problem is discovered.
• Troubleshooting is a skill that is developed by doing it.
• Every network problem you identify and solve gets added to your skill set.
Troubleshooting Process

Software Troubleshooting Tools
Network Management System Tools: Network management software includes device-level monitoring, configuration, and fault-management tools. These tools can be used to investigate and correct network problems.
Knowledge Bases: Online network device vendor knowledge bases have become indispensable sources of information. When vendor-based knowledge bases are combined with internet search engines, a network administrator has access to a vast pool of experience-based information.
Baselining Tools: Many tools for automating the network documentation and baselining process are available. Baselining tools help with common documentation tasks such as drawing network diagrams, updating network software and hardware documentation, and cost-effectively measuring baseline network bandwidth use.

Protocol Analyzers
A protocol analyzer can capture and display the physical layer to the application layer information contained in a packet. Protocol analyzers, such as Wireshark, can help troubleshoot network performance problems.

Hardware Troubleshooting Tools
Digital Multimeters: Devices that measure electrical values of voltage, current, and resistance.
Cable Testers: Handheld devices designed for testing the various types of data communication cabling.
Cable Analyzers: Multifunctional handheld devices used to test and certify copper and fiber cables.
Portable Network Analyzers: Specialized devices used for troubleshooting switched networks and VLANs.
Cisco Prime NAM: Browser-based interface that displays device performance analysis in a switched and routed environment.
Syslog Server as a Troubleshooting Tool
Syslog is used by syslog clients to send text-based log messages to a syslog server.
• Log messages can be sent to the console, VTY lines, memory buffer, or syslog server.
• Cisco IOS log messages fall into one of eight levels.
• The lower the level number, the higher the severity level.
• By default, the console displays level 6 (debugging) messages.
• In the command output, level 0 (emergencies) to 5 (notifications) are sent to the syslog server at 209.165.200.225.
Level and keyword:
0 Emergencies
1 Alerts
2 Critical
3 Errors
4 Warnings
5 Notifications
6 Informational
7 Debugging
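An added Python example (not part of the study guide) that parses Cisco IOS log lines of the form %FACILITY-SEVERITY-MNEMONIC, maps the severity number to the keyword table above, keeps only what a device would forward to the syslog server at a given trap level, and picks out "line protocol down" messages. The log lines are constructed samples in IOS format, not captured from a real device.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Cisco IOS severity levels as listed above: the lower the number, the higher the severity.
SEVERITY_KEYWORDS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Body of an IOS log message: %FACILITY-SEVERITY-MNEMONIC: description
_MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Interface named in LINK/LINEPROTO state-change messages
_IFACE_RE = re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>\w+)")


@dataclass
class IosLogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def keyword(self) -> str:
        return SEVERITY_KEYWORDS[self.severity]


def parse_ios_message(line: str) -> Optional[IosLogMessage]:
    """Parse one console/syslog line; return None for lines that are not IOS messages."""
    m = _MSG_RE.search(line)
    if m is None:
        return None
    return IosLogMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"])


def forwarded_to_server(lines: Iterable[str], trap_level: int) -> List[IosLogMessage]:
    """Messages a device forwards when 'logging trap <trap_level>' is configured:
    everything at severity trap_level or more severe (numerically lower)."""
    out = []
    for line in lines:
        msg = parse_ios_message(line)
        if msg is not None and msg.severity <= trap_level:
            out.append(msg)
    return out


def line_protocol_down_interfaces(lines: Iterable[str]) -> List[str]:
    """Interfaces reported by %LINEPROTO-5-UPDOWN as 'down', the most common
    Layer 2 console symptom described later in this guide."""
    ifaces = []
    for line in lines:
        msg = parse_ios_message(line)
        if msg is None or msg.facility != "LINEPROTO" or msg.mnemonic != "UPDOWN":
            continue
        m = _IFACE_RE.search(msg.text)
        if m and m["state"] == "down":
            ifaces.append(m["iface"])
    return ifaces


# Constructed sample lines in IOS format (not captured from a real device).
SAMPLE_LOG = [
    "*Mar  1 00:12:43.127: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down",
    "*Mar  1 00:12:44.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down",
    "*Mar  1 00:13:02.552: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.10.10)",
    "*Mar  1 00:13:10.004: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.1.10.10(49152) -> 209.165.200.226(23), 1 packet",
    "*Mar  1 00:13:15.900: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60A5F1C4, pool Processor",
    "Router#show logging",  # not an IOS message; the parser must skip it
]

if __name__ == "__main__":
    # The guide's example sends levels 0 to 5 to the server at 209.165.200.225,
    # so the level 6 IPACCESSLOGP line stays on the device.
    for msg in forwarded_to_server(SAMPLE_LOG, trap_level=5):
        print(f"{msg.severity} {msg.keyword:<14} {msg.facility}-{msg.mnemonic}: {msg.text}")
    print("line protocol down on:", line_protocol_down_interfaces(SAMPLE_LOG))
```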

Symptoms and Causes of Network Problems

Physical Layer Troubleshooting
Common symptoms of physical layer network problems:
Performance lower than baseline:
• Requires previous baselines for comparison.
• The most common reasons include overloaded or underpowered servers, unsuitable switch or router configurations, traffic congestion on a low-capacity link, and chronic frame loss.
Loss of connectivity:
• Loss of connectivity could be due to a failed or disconnected cable.
• Can be verified using a simple ping test.
• Intermittent connectivity loss can indicate a loose or oxidized connection.
Network bottlenecks or congestion:
• If a route fails, routing protocols could redirect traffic to sub-optimal routes.
• This can result in congestion or bottlenecks in parts of the network.
High CPU utilization rates:
• High CPU utilization rates indicate that a device is operating at or exceeding its design limits.
• If not addressed quickly, CPU overloading can cause a device to shut down or fail.
Console error messages:
• Error messages reported on the device console could indicate a physical layer problem.
• Console messages should be logged to a central syslog server.
The table lists issues that commonly cause network problems at the physical layer.
Power-related: Check the operation of the fans and ensure that the chassis intake and exhaust vents are clear.
Hardware faults: Faulty or corrupt NIC driver files, bad cabling, or grounding problems can cause network transmission errors such as late collisions, short frames, and jabber.
Cabling faults: Look for damaged cables, improper cable types, and poorly crimped connectors. Suspect cables should be tested or exchanged with a known functioning cable.
Attenuation: Attenuation can be caused if a cable length exceeds the design limit for the media, or when there is a poor connection resulting from a loose cable, or dirty or oxidized contacts.
Noise: Local electromagnetic interference (EMI) can be generated by many sources, such as crosstalk, nearby electric cables, large electric motors, FM radio stations, police radio, and more.
Interface configuration errors: Causes can include an incorrect clock rate, an incorrect clock source, and the interface not being turned on. This causes a loss of connectivity with attached network segments.
Exceeding design limits: A component could operate sub-optimally if it is being utilized beyond specifications.
CPU overload: Symptoms include processes with high CPU utilization percentages, input queue drops, slow performance, SNMP timeouts, no remote access, no DHCP services, and Telnet sessions and pings that are slow or fail to respond.

Data Link Layer Troubleshooting
The table lists common symptoms of data link layer network problems.
No functionality or connectivity at the network layer or above: Some Layer 2 problems can stop the exchange of frames across a link, while others only cause network performance to degrade.
Network is operating below baseline performance levels:
• Frames can take a suboptimal path to their destination but still arrive, causing the network to experience unexpectedly high bandwidth usage on links.
• An extended or continuous ping can help reveal if frames are being dropped.
Excessive broadcasts:
• Operating systems use broadcasts and multicasts extensively.
• Generally, excessive broadcasts are the result of poorly programmed or configured applications, large Layer 2 broadcast domains, or an underlying network problem.
Console messages:
• Routers send messages when they detect a problem with interpreting incoming frames (encapsulation or framing problems) or when keepalives are expected but do not arrive.
• The most common console message that indicates a Layer 2 problem is a line protocol down message.
The table lists issues that commonly cause network problems at the data link layer.
Encapsulation errors: Occur when bits placed in a field by the sender are not what the receiver expects to see.
Address mapping errors: Occur when the mapping between Layer 2 and Layer 3 addressing is not available.
Framing errors: Framing errors can be caused by a noisy serial line, an improperly designed cable, a faulty NIC, a duplex mismatch, or an incorrectly configured channel service unit (CSU) line clock.
STP failures or loops: Most STP problems are related to forwarding loops that occur when no ports in a redundant topology are blocked and traffic is forwarded in circles indefinitely, or to excessive flooding because of a high rate of STP topology changes.

Network Layer Troubleshooting
The table lists common symptoms of network layer network problems.
Network failure:
• Occurs when the network is nearly or completely non-functional, affecting all users and applications on the network.
• These failures are usually noticed quickly by users and network administrators and are obviously critical to the productivity of a company.
Suboptimal performance:
• These involve a subset of users, applications, destinations, or a type of traffic.
• Optimization issues can be difficult to detect and even harder to isolate and diagnose.
• This is because they usually involve multiple layers, or even a single host computer.
• Determining that the problem is a network layer problem can take time.
The table lists common causes of network layer network problems.
General network issues:
• Often a change in the topology may unknowingly have effects on other areas of the network.
• Determine whether anything in the network has recently changed, and if there is anyone currently working on the network infrastructure.
Connectivity issues: Check for any equipment and connectivity problems, including power problems, environmental problems, and Layer 1 problems, such as cabling problems, bad ports, and ISP problems.
Routing table: Check the routing table for anything unexpected, such as missing routes or unexpected routes.
Neighbor issues: Check to see if there are any problems with the routers forming neighbor adjacencies.
Topology database: Check the table for anything unexpected, such as missing entries or unexpected entries.
Transport Layer Troubleshooting – ACLs
The table lists areas where ACL misconfigurations commonly occur.
Selection of traffic flow: An ACL must be applied to the correct interface in the correct traffic direction.
Order of access control entries: The entries in an ACL should be ordered from specific to general.
Implicit deny any: The implicit ACE can be the cause of an ACL misconfiguration.
Addresses and IPv4 wildcard masks: Complex IPv4 wildcard masks are more efficient, but are more subject to configuration errors.
Selection of transport layer protocol: It is important that only the correct transport layer protocol be specified in an ACE.
Source and destination ports: Ensure that the correct inbound and outbound ports are specified in an ACE.
Use of the established keyword: The established keyword, applied incorrectly, can provide unexpected results.
Uncommon protocols: Misconfigured ACLs often cause problems for protocols other than TCP and UDP.
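The ordering, wildcard-mask and implicit-deny points above, as an added Python example that is not from the study guide: it evaluates a packet against an extended IPv4 ACL the way IOS does (first match wins, IOS wildcard-mask semantics, implicit deny any at the end) and flags ACEs that are shadowed by an earlier, more general entry. The ACL contents are constructed for illustration; the guide's ACL 100 is not shown on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    fixed = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(address) & fixed) == (_to_int(base) & fixed)


def _wildcard_covers(base_a: str, w_a: str, base_b: str, w_b: str) -> bool:
    """True when every address matched by (base_b, w_b) is also matched by (base_a, w_a)."""
    wa, wb = _to_int(w_a), _to_int(w_b)
    fixed_a = ~wa & 0xFFFFFFFF
    return (wa | wb) == wa and (_to_int(base_a) & fixed_a) == (_to_int(base_b) & fixed_a)


@dataclass(frozen=True)
class Ace:
    """One access control entry of an extended IPv4 ACL."""
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str
    dst_port: Optional[int] = None  # tcp/udp destination port; None = any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if not wildcard_match(src, self.src, self.src_wildcard):
            return False
        if not wildcard_match(dst, self.dst, self.dst_wildcard):
            return False
        return self.dst_port is None or self.dst_port == dport


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation as IOS performs it. Returns (action, 1-based index of the
    matching ACE); index None means the implicit 'deny any' at the end was reached."""
    for index, ace in enumerate(acl, start=1):
        if ace.matches(proto, src, dst, dport):
            return ace.action, index
    return "deny", None


def shadowed_entries(acl: List[Ace]) -> List[Tuple[int, int]]:
    """Return (shadowed_index, by_index) pairs: ACEs that can never match because an
    earlier, more general ACE already covers every packet they describe."""
    found = []
    for j, later in enumerate(acl, start=1):
        for i, earlier in enumerate(acl[:j - 1], start=1):
            proto_ok = earlier.protocol in ("ip", later.protocol)
            port_ok = earlier.dst_port is None or earlier.dst_port == later.dst_port
            if (proto_ok and port_ok
                    and _wildcard_covers(earlier.src, earlier.src_wildcard, later.src, later.src_wildcard)
                    and _wildcard_covers(earlier.dst, earlier.dst_wildcard, later.dst, later.dst_wildcard)):
                found.append((j, i))
                break
    return found


ANY = ("0.0.0.0", "255.255.255.255")

# Constructed ACL contents (the guide's ACL 100 is not shown). Intent: block Telnet from
# the admin PC 10.1.10.10 to 209.165.200.226 and allow everything else from 10.1.10.0/24.
MISORDERED = [
    Ace("permit", "ip", "10.1.10.0", "0.0.0.255", *ANY),                            # general first ...
    Ace("deny", "tcp", "10.1.10.10", "0.0.0.0", "209.165.200.226", "0.0.0.0", 23),  # ... so this never matches
]
CORRECTED = [MISORDERED[1], MISORDERED[0]]   # specific before general

if __name__ == "__main__":
    packet = ("tcp", "10.1.10.10", "209.165.200.226", 23)
    print("misordered:", evaluate(MISORDERED, *packet), "shadowed:", shadowed_entries(MISORDERED))
    print("corrected: ", evaluate(CORRECTED, *packet), "shadowed:", shadowed_entries(CORRECTED))
    # A host outside 10.1.10.0/24 matches neither ACE and falls through to the implicit deny.
    print("other host:", evaluate(CORRECTED, "udp", "10.1.20.5", "209.165.200.226", 53))
```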

Transport Layer Troubleshooting - NAT for IPv4
The table lists common interoperability areas with NAT.
BOOTP and DHCP:
• The DHCP-Request packet has a source IPv4 address of 0.0.0.0.
• However, NAT requires both a valid destination and source IPv4 address; therefore, BOOTP and DHCP can have difficulty operating over a router running either static or dynamic NAT.
• Configuring the IPv4 helper feature can help solve this problem.
DNS:
• A DNS server outside the NAT router does not have an accurate representation of the network inside the router.
• Configuring the IPv4 helper feature can help solve this problem.
SNMP:
• An SNMP management station on one side of a NAT router may not be able to contact SNMP agents on the other side of the NAT router.
• Configuring the IPv4 helper feature can help solve this problem.
Tunneling and encryption protocols: Encryption and tunneling protocols often require that traffic be sourced from a specific UDP or TCP port, or use a protocol at the transport layer that cannot be processed by NAT.
Application Layer Troubleshooting
The table provides a short description of these application layer protocols.
SSH/Telnet: Enables users to establish terminal session connections with remote hosts.
HTTP: Supports the exchanging of text, graphic images, sound, video, and other multimedia files on the web.
FTP: Performs interactive file transfers between hosts.
TFTP: Performs basic interactive file transfers, typically between hosts and networking devices.
SMTP: Supports basic message delivery services.
POP: Connects to mail servers and downloads email.
SNMP: Collects management information from network devices.
DNS: Maps IP addresses to the names assigned to network devices.
NFS: Network File System (NFS) enables computers to mount and use drives on remote hosts.

Troubleshooting IP Connectivity

Components of Troubleshooting End-to-End Connectivity
Bottom-up approach steps when there is no end-to-end connectivity are as follows:
1. Check physical connectivity at the point where network communication stops.
2. Check for duplex mismatches.
3. Check data link and network layer addressing on the local network.
4. Verify that the default gateway is correct.
5. Ensure that devices are determining the correct path from the source to the destination.
6. Verify the transport layer is functioning properly.
7. Verify that there are no ACLs blocking traffic.
8. Ensure that DNS settings are correct.
End-to-End Connectivity Problem Initiates Troubleshooting

Usually what initiates a troubleshooting effort is the discovery that there is a problem with end-to-end
connectivity.
Two of the most common utilities used to verify a problem with end-to-end connectivity are ping and
traceroute.

Step 1 - Verify the Physical Layer
The show interfaces command is useful when troubleshooting performance-related issues and hardware is suspected to be at fault. Of interest in the output are the:
• Interface status
• Input queue drops
• Output queue drops
• Input errors
• Output errors

Step 2 - Check for Duplex Mismatches
The IEEE 802.3ab Gigabit Ethernet standard mandates the use of autonegotiation for speed and duplex, and practically all Fast Ethernet NICs also use autonegotiation by default. Problems can occur when there is a duplex mismatch.
Step 3 - Verify Addressing on the Local Network
The arp Windows command displays and modifies entries in the ARP cache that are used to store IPv4 addresses and their resolved Ethernet physical (MAC) addresses.

Troubleshoot VLAN Assignment Example
Another issue to consider when troubleshooting end-to-end connectivity is VLAN assignment.
For example, the MAC address on Fa0/1 should be in VLAN 10 instead of VLAN 1. The following configuration changes Fa0/1 to VLAN 10 and verifies the change.

Step 4 - Verify Default Gateway
Misconfigured or missing default gateways can cause connectivity problems.
In the figure, for example, the default gateways are:
• R1: 192.168.1.2 (R2)
• PC1: 10.1.10.1 (R1 G0/0/0)
Useful commands to verify the default gateway:
• R1: show ip route
• PC1: route print (or netstat -r)
Troubleshoot IPv6 Default Gateway Example
An IPv6 default gateway can be configured manually, using SLAAC, or by using DHCPv6.
For example, a PC is unable to acquire its IPv6 configuration using SLAAC. The command output is missing the All-IPv6-Routers multicast group (FF02::2). R1 is then enabled as an IPv6 router, and the output now verifies that R1 is a member of ff02::2, the All-IPv6-Routers multicast group.

Step 5 - Verify Correct Path
When troubleshooting, it is often necessary to verify the path to the destination network.
• The figure describes the process for both the IPv4 and IPv6 routing tables.
• The process of forwarding IPv4 and IPv6 packets is based on the longest bit match or longest prefix match.
• The routing table process will attempt to forward the packet using an entry in the routing table with the greatest number of leftmost matching bits.
• The number of matching bits is indicated by the prefix length of the route.

Step 6 - Verify the Transport Layer


Two of the most common issues that affect transport layer connectivity include ACL configurations and
NAT configurations.
• A common tool for testing transport
layer functionality is the Telnet utility.
• For example, the administrator attempts
to Telnet to R2 using port 80.
Step 7 - Verify ACLs
On routers, there may be ACLs that prohibit protocols from passing through the interface in the inbound or
outbound direction.

In this example, ACL 100 has been incorrectly configured inbound on G0/0/0 instead of inbound on S0/1/1. The ACL is removed from G0/0/0 and configured inbound on S0/1/1.
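The Telnet-to-a-port test in Step 6 and the ACL check in Step 7 are really one question: did the TCP handshake complete, and if not, how did it fail? The following is an added example, not from the page or Cisco: it does what "telnet R2 80" does from a script and classifies the outcome. The listener it starts on loopback is a constructed stand-in for the target service, so the whole thing runs offline.

```python
import socket
import threading


def tcp_port_check(host, port, timeout=3.0):
    """Attempt a TCP handshake to host:port and classify the result.

    Returns one of:
      "open"     - handshake completed, so a service is listening (what Telnet to
                   port 80 shows when the web server answers)
      "refused"  - the host replied with a reset: reachable, nothing listening on
                   that port
      "timeout"  - no reply at all: the usual symptom of an ACL or firewall that
                   silently drops the SYN somewhere on the path
      "error: …" - any other failure, e.g. no route to host
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc.strerror or exc}"


def start_local_listener():
    """Constructed stand-in for 'R2, port 80': accept-and-close on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # the listening socket was closed
                break
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port():
    """Bind and immediately release an ephemeral port so we have one with no listener."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    listener, open_port = start_local_listener()
    print("listening port:", tcp_port_check("127.0.0.1", open_port))
    print("closed port:   ", tcp_port_check("127.0.0.1", find_closed_port()))
    listener.close()
```

The distinction between "refused" and "timeout" is the diagnostic value here: a reset proves the packet reached the host and came back, which rules out the ACLs on the path and points at the service; a silent timeout is what a misplaced deny entry produces.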

Step 8 - Verify DNS


The DNS protocol controls the DNS, a distributed database with which you can map hostnames to IP
addresses.
• When you configure DNS on the device, you can substitute the hostname for the IP address with all IP commands, such as ping or telnet.
• Use the ip host global configuration command to enter a name to be used instead of the IPv4 address of the switch or router, as shown in the command output.
• Use the nslookup Windows command to display the name-to-IP-address mapping information.

Network Virtualization

Cloud Computing

Cloud Overview
Cloud computing addresses a variety of data management issues:
• Enables access to organizational data anywhere and at any time
• Streamlines the organization’s IT operations by subscribing only to needed services
• Eliminates or reduces the need for onsite IT equipment, maintenance, and management
• Reduces cost for equipment, energy, physical plant requirements, and personnel training needs
• Enables rapid responses to increasing data volume requirements
Cloud Services

The three main cloud computing services defined by the National Institute of Standards and Technology
(NIST) in their Special Publication 800-145 are as follows:
• Software as a Service (SaaS) - The cloud provider is responsible for access to applications and services that
are delivered over the internet.
• Platform as a Service (PaaS) - The cloud provider is responsible for providing users access to the
development tools and services used to deliver the applications.
• Infrastructure as a Service (IaaS) - The cloud provider is responsible for giving IT managers access to the
network equipment, virtualized network services, and supporting network infrastructure.

Cloud service providers have extended this model to also provide IT support for each of the cloud
computing services (ITaaS). For businesses, ITaaS can extend the capability of the network without
requiring investment in new infrastructure, training new personnel, or licensing new software.

Cloud Models
There are four primary cloud models:
• Public clouds - Cloud-based applications and services made available to the general population.
• Private clouds - Cloud-based applications and services intended for a specific organization or entity, such as
the government.
• Hybrid clouds - A hybrid cloud is made up of two or more clouds (example: part private, part public), where
each part remains a separate object, but both are connected using a single architecture.
• Community clouds - A community cloud is created for exclusive use by a specific community. The
differences between public clouds and community clouds are the functional needs that have been customized
for the community. For example, healthcare organizations must remain compliant with policies and laws (e.g.,
HIPAA) that require special authentication and confidentiality.

Cloud Computing versus Data Center


These are the correct definitions of data center and cloud computing:
• Data center: Typically, a data storage and processing facility run by an in-house IT department or leased
offsite. Data centers are typically very expensive to build and maintain.
• Cloud computing: Typically, an off-premise service that offers on-demand access to a shared pool of
configurable computing resources. These resources can be rapidly provisioned and released with minimal
management effort.

Data centers are the physical facilities that provide the compute, network, and storage needs of cloud
computing services. Cloud service providers use data centers to host their cloud services and cloud-based
resources.
Virtualization

Cloud Computing and Virtualization


• The terms “cloud computing” and
“virtualization” are often used interchangeably;
however, they mean different things.
Virtualization is the foundation of cloud
computing. Without it, cloud computing, as it is
most-widely implemented, would not be
possible.
• Virtualization separates the operating system
(OS) from the hardware. Various providers offer
virtual cloud services that can dynamically
provision servers as required. These virtualized
instances of servers are created on demand.

Dedicated Servers

Historically, enterprise servers consisted of a server OS, such as Windows Server or Linux Server, installed
on specific hardware. All of a server’s RAM, processing power, and hard drive space were dedicated to the
service provided (e.g., Web, email services, etc.).
• When a component fails, the service that is provided by this server becomes unavailable. This is known as a
single point of failure.
• Dedicated servers were generally underused. They often sat idle for long periods of time, waiting until there
was a need to deliver the specific service they provide. These servers wasted energy and took up more space
than was warranted by the amount of service provided. This is known as server sprawl.
Server Virtualization
• Server virtualization takes advantage of idle resources
and consolidates the number of required servers. This
also allows for multiple operating systems to exist on
a single hardware platform.
• The use of virtualization normally includes
redundancy to protect from a single point of failure.
• The hypervisor is a program, firmware, or hardware
that adds an abstraction layer on top of the physical
hardware. The abstraction layer is used to create
virtual machines which have access to all the
hardware of the physical machine such as CPUs,
memory, disk controllers, and NICs.

Advantages of Virtualization
One major advantage of virtualization is overall reduced cost:
• Less equipment is required
• Less energy is consumed
• Less space is required

These are additional benefits of virtualization:


• Easier prototyping
• Faster server provisioning
• Increased server uptime
• Improved disaster recovery
• Legacy support

Abstraction Layers
A computer system consists of the following abstraction layers: Services, OS, Firmware, and Hardware.
• At each of these layers of abstraction, some type of programming code is used as an interface between the
layer below and the layer above.
• A hypervisor is installed between the firmware and the OS. The hypervisor can support multiple instances of
OSs.
Type 2 Hypervisors
• A Type 2 hypervisor is software that creates and runs VM
instances. The computer, on which a hypervisor is
supporting one or more VMs, is a host machine. Type 2
hypervisors are also called hosted hypervisors.
• A big advantage of Type 2 hypervisors is that
management console software is not required.

Virtual Network Infrastructure

Type 1 Hypervisors
• Type 1 hypervisors are also called the “bare metal” approach because the hypervisor is installed
directly on the hardware. Type 1 hypervisors are usually used on enterprise servers and data center
networking devices.
• With Type 1 hypervisors, the hypervisor is installed directly
on the server or networking hardware. Then, instances of an
OS are installed on the hypervisor, as shown in the figure.
Type 1 hypervisors have direct access to the hardware
resources. Therefore, they are more efficient than hosted
architectures. Type 1 hypervisors improve scalability,
performance, and robustness.

Installing a VM on a Hypervisor
• Type 1 hypervisors require a “management console” to manage the hypervisor. Management
software is used to manage multiple servers using the same hypervisor. The management console can
automatically consolidate servers and power on or off servers as required.
• The management console provides recovery from hardware failure. If a server component fails, the
management console automatically moves the VM to another server. Cisco Unified Computing
System (UCS) Manager controls multiple servers and manages resources for thousands of VMs.
• Some management consoles also allow server over allocation. Over allocation is when multiple OS instances are installed, but their combined memory allocation exceeds the total amount of memory that the server has. Over allocation is a common practice because the OS instances rarely require all of their allocated resources at the same moment.
The Complexity of Network Virtualization
• Server virtualization hides server resources. This can create problems when using traditional network
architectures.
• VMs are movable, and the network administrator must be able to add, drop, and change network
resources and profiles to support their mobility. This process would be manual and time-consuming
with traditional network switches.
• Traffic flows differ from the traditional client-server model. Typically, there is a considerable
amount of traffic being exchanged between virtual servers (East-West traffic) that changes in
location and intensity over time. North-South traffic is typically traffic destined for offsite locations
such as another data center, other cloud providers, or the internet.

• Dynamic ever-changing traffic requires a flexible approach to network resource management.


Existing network infrastructures can respond to changing requirements related to the management of
traffic flows by using Quality of Service (QoS) and security level configurations for individual
flows. However, in large enterprises using multivendor equipment, each time a new VM is enabled,
the necessary reconfiguration can be very time-consuming.
• The network infrastructure can also benefit from virtualization. Network functions can be virtualized.
Each network device can be segmented into multiple virtual devices that operate as independent
devices. Examples include subinterfaces, virtual interfaces, VLANs, and routing tables. Virtualized
routing is called virtual routing and forwarding (VRF).
Software-Defined Networking

Control Plane and Data Plane


A network device contains the following planes:
• Control plane - This is typically regarded as the brains of a device. It is used to make forwarding
decisions. The control plane contains Layer 2 and Layer 3 route forwarding mechanisms, such as
routing protocol neighbor tables and topology tables, IPv4 and IPv6 routing tables, STP, and the
ARP table. Information sent to the control plane is processed by the CPU.
• Data plane - Also called the forwarding plane, this plane is typically the switch fabric connecting
the various network ports on a device. The data plane of each device is used to forward traffic flows.
Routers and switches use information from the control plane to forward incoming traffic out the
appropriate egress interface. Information in the data plane is typically processed by a special data
plane processor without the CPU getting involved.

• CEF is an advanced, Layer 3 IP switching technology that enables forwarding of packets to occur at the data plane without consulting the control plane.
• SDN is basically the separation of the control plane and data plane. The control plane function is removed from each device and is performed by a centralized controller. The centralized controller communicates control plane functions to each device. Each device can now focus on forwarding data while the centralized controller manages data flow, increases security, and provides other services.

• The management plane is responsible for managing a device through its connection to the network.
• Network administrators use applications such as Secure Shell (SSH), Trivial File Transfer Protocol
(TFTP), Secure FTP, and Secure Hypertext Transfer Protocol (HTTPS) to access the management
plane and configure a device.
• The management plane is how you have accessed and configured devices in your networking studies.
In addition, protocols like Simple Network Management Protocol (SNMP), use the management
plane.
Network Virtualization Technologies
Two major network architectures have been developed to support network virtualization:
• Software-Defined Networking (SDN) - A network architecture that virtualizes the network, offering a new
approach to network administration and management that seeks to simplify and streamline the administration
process.
• Cisco Application Centric Infrastructure (ACI) - A purpose-built hardware solution for integrating cloud
computing and data center management.

Components of SDN may include the following:


• OpenFlow - This approach was developed at Stanford University to manage traffic between routers, switches,
wireless access points, and a controller. The OpenFlow protocol is a basic element in building SDN solutions.
• OpenStack - This approach is a virtualization and orchestration platform designed to build scalable cloud
environments and provide an IaaS solution. OpenStack is often used with Cisco ACI. Orchestration in
networking is the process of automating the provisioning of network components such as servers, storage,
switches, routers, and applications.
• Other components - Other components include Interface to the Routing System (I2RS), Transparent
Interconnection of Lots of Links (TRILL), Cisco FabricPath (FP), and IEEE 802.1aq Shortest Path Bridging
(SPB).

Traditional and SDN Architectures

In a traditional router or switch architecture, the control plane and data plane functions occur in the same
device. Routing decisions and packet forwarding are the responsibility of the device operating system. In
SDN, management of the control plane is moved to a centralized SDN controller. The figure compares
traditional and SDN architectures.
• The SDN controller is a logical entity that enables network administrators to manage and dictate how
the data plane of switches and routers should handle network traffic. It orchestrates, mediates, and
facilitates communication between applications and network elements.
• The complete SDN framework is shown in the figure. Note the use of Application Programming
Interfaces (APIs). An API is a standardized definition of the proper way for an application to request
services from another application.
• The SDN controller uses northbound APIs to communicate with the upstream applications, helping
network administrators shape traffic and deploy services. The SDN controller uses southbound APIs
to define the behavior of the data planes on downstream switches and routers. OpenFlow is a widely
implemented southbound API.

Controllers

SDN Controller and Operations


• The SDN controller defines the data
flows between the centralized control
plane and the data planes on
individual routers and switches.
• Each flow traveling through the
network must first get permission
from the SDN controller, which
verifies that the communication is
permissible according to the network
policy.
• All complex functions are performed
by the controller. The controller
populates flow tables. Switches
manage the flow tables.
Within each switch, a series of tables implemented in hardware or firmware are used to manage the flows of
packets through the switch. To the switch, a flow is a sequence of packets that matches a specific entry in a
flow table.
The three table types shown in the previous figure are as follows:
• Flow Table - This table matches incoming packets to a particular flow and specifies the functions that
are to be performed on the packets. There may be multiple flow tables that operate in a pipeline
fashion.
• Group Table - A flow table may direct a flow to a Group Table, which may trigger a variety of
actions that affect one or more flows.
• Meter Table - This table triggers a variety of performance-related actions on a flow including the
ability to rate-limit the traffic.
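The flow, group and meter tables above are easier to reason about as a small model. The following is an added example, not from the page, Cisco or the OpenFlow specification: a constructed switch whose only job is the data plane, plus a function playing the controller that pushes a policy down. Match fields are exact-value (no masks), the group is of type "all" (replicate to every bucket), and the meter is a token bucket; all three are simplifications of the real tables.

```python
from dataclasses import dataclass


@dataclass
class FlowEntry:
    priority: int
    match: dict        # header field -> required value; fields not listed are wildcards
    actions: list      # instruction list, e.g. [("meter", 1), ("output", 2)]
    packets: int = 0   # per-entry counter maintained by the switch


class Meter:
    """Token bucket used by the meter table to rate-limit a flow."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def tick(self):
        """Refill once per time unit (driven by the switch clock in a real device)."""
        self.tokens = min(self.burst, self.tokens + self.rate)

    def allow(self):
        if self.tokens <= 0:
            return False
        self.tokens -= 1
        return True


class Switch:
    """Data plane only: matches packets against tables the controller populated."""
    def __init__(self):
        self.flow_table = []
        self.group_table = {}                 # group id -> list of action buckets (type "all")
        self.meter_table = {}                 # meter id -> Meter
        self.table_miss = [("controller",)]   # unmatched packets are sent to the controller

    def lookup(self, packet):
        """Highest-priority entry whose match fields all equal the packet's headers."""
        best = None
        for entry in self.flow_table:
            if all(packet.get(k) == v for k, v in entry.match.items()):
                if best is None or entry.priority > best.priority:
                    best = entry
        return best

    def apply(self, actions, packet):
        outputs = []
        for action in actions:
            kind = action[0]
            if kind == "drop":
                return []
            if kind == "meter" and not self.meter_table[action[1]].allow():
                return []                                  # rate exceeded: packet dropped
            if kind == "output":
                outputs.append(action[1])
            elif kind == "group":                          # each bucket acts on a copy
                for bucket in self.group_table[action[1]]:
                    outputs.extend(self.apply(bucket, packet))
            elif kind == "controller":
                outputs.append("controller")
        return outputs

    def forward(self, packet):
        """Return the list of ports the packet leaves on ([] means it was dropped)."""
        entry = self.lookup(packet)
        if entry is None:
            return self.apply(self.table_miss, packet)
        entry.packets += 1
        return self.apply(entry.actions, packet)


def controller_install_policy(switch):
    """What a centralized controller pushes down over its southbound API.

    Constructed policy: Telnet is never permitted; one approved HTTP flow is forwarded
    out port 2 under a rate limit; broadcast frames are replicated to ports 2 and 3;
    anything else is a table miss and goes to the controller for a decision.
    """
    switch.meter_table[1] = Meter(rate=2, burst=3)
    switch.group_table[1] = [[("output", 2)], [("output", 3)]]
    switch.flow_table = [
        FlowEntry(200, {"proto": "tcp", "dst_port": 23}, [("drop",)]),
        FlowEntry(100, {"src_ip": "10.1.10.10", "dst_ip": "172.16.0.2",
                        "proto": "tcp", "dst_port": 80}, [("meter", 1), ("output", 2)]),
        FlowEntry(50, {"dst_mac": "ff:ff:ff:ff:ff:ff"}, [("group", 1)]),
    ]
    return switch


if __name__ == "__main__":
    sw = controller_install_policy(Switch())
    http = {"src_ip": "10.1.10.10", "dst_ip": "172.16.0.2", "proto": "tcp", "dst_port": 80}
    print([sw.forward(http) for _ in range(5)])   # burst of 3 forwarded, then metered drops
    print(sw.forward({"dst_mac": "ff:ff:ff:ff:ff:ff", "proto": "arp"}))
```

Note where the policy lives: the switch never decides whether Telnet is acceptable, it only executes the highest-priority matching entry, and a flow with no entry is punted to the controller exactly as the text describes.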

Video - Cisco ACI


• Very few organizations actually have the desire or skill to program the network using SDN tools.
However, the majority of organizations want to automate the network, accelerate application
deployments, and align their IT infrastructures to better meet business requirements. Cisco developed
the Application Centric Infrastructure (ACI) to meet these objectives in more advanced and
innovative ways than earlier SDN approaches.
• Cisco ACI is a hardware solution for integrating cloud computing and data center management. At a
high level, the policy element of the network is removed from the data plane. This simplifies the way
data center networks are created.

Core Components of ACI


There are three core components of the ACI architecture:
• Application Network Profile (ANP) - An ANP is a collection of end-point groups (EPG), their connections,
and the policies that define those connections.
• Application Policy Infrastructure Controller (APIC) - APIC is a centralized software controller that
manages and operates a scalable ACI
clustered fabric. It is designed for
programmability and centralized
management. It translates application
policies into network programming.
• Cisco Nexus 9000 Series switches - These
switches provide an application-aware
switching fabric and work with an APIC to
manage the virtual and physical network
infrastructure.

The APIC is positioned between the ANP and the ACI-enabled network infrastructure. The APIC translates the application requirements into a network configuration to meet those needs.
Spine-Leaf Topology
• The Cisco ACI fabric is composed of the APIC and the Cisco Nexus 9000 series switches using two-
tier spine-leaf topology, as shown in the figure. The leaf switches attach to the spines, but they never
attach to each other. Similarly, the spine switches only attach to the leaf and core switches (not
shown). In this two-tier topology, everything is one hop from everything else.
• When compared to SDN, the APIC controller does not manipulate the data path directly. Instead, the
APIC centralizes the policy definition and programs the leaf switches to forward traffic based on the
defined policies.

SDN Types

The Cisco Application Policy Infrastructure Controller - Enterprise Module (APIC-EM) extends ACI aimed at enterprise and campus deployments. To better understand APIC-EM, it is helpful to take a broader look at the three types of SDN:
• Device-based SDN: Devices are programmable by applications running on the device itself or on a server in the network, as shown in the figure.
• Controller-based SDN: Uses a centralized controller that has knowledge of all devices in the network, as shown in the figure. The applications can interface with the controller responsible for managing devices and manipulating traffic flows throughout the network. The Cisco Open SDN Controller is a commercial distribution of OpenDaylight.
• Policy-based SDN: Similar to controller-based SDN where a centralized controller has a view of all devices in the network, as shown in the figure. Policy-based SDN includes an additional Policy layer that operates at a higher level of abstraction. It uses built-in applications that automate advanced configuration tasks via a guided workflow and user-friendly GUI. No programming skills are required. Cisco APIC-EM is an example of this type of SDN.

APIC-EM Features
Cisco APIC-EM provides a single interface for
network management including:
• Discovering and accessing device and host
inventories.
• Viewing the topology (as shown in the figure).
• Tracing a path between end points.
• Setting policies.

APIC-EM Path Trace

The APIC-EM Path Trace tool allows the administrator to easily visualize traffic flows and discover any conflicting, duplicate, or shadowed ACL entries. This tool examines specific ACLs on the path between two end nodes, displaying any potential issues. You can see where any ACLs along the path either permitted or denied your traffic, as shown in the figure. Notice how Branch-Router2 permits all traffic. The network administrator can now make adjustments, if necessary, to better filter traffic.
Network Automation

The Increase in Automation


These are some of the benefits of automation:
• Machines can work 24 hours a day without breaks, which results in greater output.
• Machines provide a more uniform product.
• Automation allows the collection of vast amounts of data that can be quickly analyzed to provide information
which can help guide an event or process.
• Robots are used in dangerous conditions such as mining, firefighting, and cleaning up industrial accidents.
This reduces the risk to humans.
• Under certain circumstances, smart devices can alter their behavior to reduce energy usage, make a medical
diagnosis, and improve automobile driving safety.

Thinking Devices
• Many devices now incorporate smart technology to help to govern their behavior. This can be as
simple as a smart appliance lowering its power consumption during periods of peak demand or as
complex as a self-driving car.
• Whenever a device takes a course of action based on an outside piece of information, then that
device is referred to as a smart device. Many devices that we interact with now have the word smart
in their names. This indicates that the device has the ability to alter its behavior depending on its
environment.
• In order for devices to “think”, they need to be programmed using network automation tools.

Data Formats

The Data Formats


• Data formats are simply a way to store and exchange data in a structured format. One such format is
called Hypertext Markup Language (HTML). HTML is a standard markup language for describing
the structure of web pages.
• These are some common data formats that are used in many applications including network
automation and programmability:
• JavaScript Object Notation (JSON)
• eXtensible Markup Language (XML)
• YAML Ain’t Markup Language (YAML)
• The data format that is selected will depend on the format that is used by the application, tool, or
script that you are using. Many systems will be able to support more than one data format, which
allows the user to choose their preferred one.
Data Format Rules

Data formats have rules and structure similar to what we have with programming and written languages.
Each data format will have specific characteristics:
• Syntax, which includes the types of brackets used, such as [ ], ( ), { }, the use of white space, or indentation,
quotes, commas, and more.
• How objects are represented, such as characters, strings, lists, and arrays.
• How key/value pairs are represented. The key is usually on the left side and it identifies or describes the data.
The value on the right is the data itself and can be a character, string, number, list or another type of data.

Compare Data Formats

JSON Format
{
  "message": "success",
  "timestamp": 1560789260,
  "iss_position": {
    "latitude": "25.9990",
    "longitude": "-132.6992"
  }
}

YAML Format
message: success
timestamp: 1560789260
iss_position:
  latitude: '25.9990'
  longitude: '-132.6992'

XML Format
<?xml version="1.0" encoding="UTF-8" ?>
<root>
  <message>success</message>
  <timestamp>1560789260</timestamp>
  <iss_position>
    <latitude>25.9990</latitude>
    <longitude>-132.6992</longitude>
  </iss_position>
</root>

JSON Data Format


• JSON is a human readable data format used by applications for storing, transferring and reading data.
JSON is a very popular format used by web services and APIs to provide public data. This is because
it is easy to parse and can be used with most modern programming languages, including Python.

GigabitEthernet0/0/0 is up, line protocol is up (connected)
Description: Wide Area Network
Internet address is 172.16.0.2/24

Compare the IOS output above to the output in JSON format. Notice that each object (each key/value pair) is a different piece of data about the interface including its name, a description, and whether the interface is enabled.
{
  "ietf-interfaces:interface": {
    "name": "GigabitEthernet0/0/0",
    "description": "Wide Area Network",
    "enabled": true,
    "ietf-ip:ipv4": {
      "address": [
        {
          "ip": "172.16.0.2",
          "netmask": "255.255.255.0"
        }
      ]
    }
  }
}

JSON Syntax Rules

These are some of the characteristics of JSON:


• It uses a hierarchical structure and contains nested values.
• It uses braces { } to hold objects and square brackets [ ] hold arrays.
• Its data is written as key/value pairs.
With JSON, the data known as an object is one or more key/value pairs enclosed in braces { }. The syntax
for a JSON object includes:
• Keys must be strings within double quotation marks " ".
• Values must be a valid JSON data type (string, number, array, Boolean, null, or another object).
• Keys and values are separated by a colon.
• Multiple key/value pairs within an object are separated by commas.
• White space is not significant.

At times a key may contain more than one value. This is known as an array. An array in JSON is an ordered
list of values. Characteristics of arrays in JSON include:
• The key followed by a colon and a list of values enclosed in square brackets [ ].
• The array is an ordered list of values.
• The array can contain multiple value types including a string, number, Boolean, object or another array inside
the array.
• Each value in the array is separated by a comma.
For example, a list of IPv4 addresses might look like the following output. The key is “addresses”. Each
item in the list is a separate object, separated by braces { }. The objects are two key/value pairs: an IPv4
address (“ip”) and a subnet mask (“netmask”) separated by a comma. The array of objects in the list is also
separated by a comma following the closing brace for each object.
{
  "addresses": [
    {
      "ip": "172.16.0.2",
      "netmask": "255.255.255.0"
    },
    {
      "ip": "172.16.0.3",
      "netmask": "255.255.255.0"
    },
    {
      "ip": "172.16.0.4",
      "netmask": "255.255.255.0"
    }
  ]
}

YAML Data Format


YAML is another type of human readable data format used by applications for storing, transferring, and
reading data. Some of the characteristic of YAML include:
• It is like JSON and is considered a superset of JSON.
• It has a minimalist format making it easy to both read and write.
• It uses indentation to define its structure, without the use of brackets or commas.
• IOS output in JSON is shown first below, followed by the same data in YAML format. The YAML version is easier to read.
• Similar to JSON, a YAML object is one or more key value pairs. Key value pairs are separated by a colon without the use of quotation marks. In YAML, a hyphen is used to separate each element in a list.

{
  "ietf-interfaces:interface": {
    "name": "GigabitEthernet2",
    "description": "Wide Area Network",
    "enabled": true,
    "ietf-ip:ipv4": {
      "address": [
        {
          "ip": "172.16.0.2",
          "netmask": "255.255.255.0"
        },
        {
          "ip": "172.16.0.3",
          "netmask": "255.255.255.0"
        },
        {
          "ip": "172.16.0.4",
          "netmask": "255.255.255.0"
        }
      ]
    }
  }
}

ietf-interfaces:interface:
  name: GigabitEthernet2
  description: Wide Area Network
  enabled: true
  ietf-ip:ipv4:
    address:
    - ip: 172.16.0.2
      netmask: 255.255.255.0
    - ip: 172.16.0.3
      netmask: 255.255.255.0
    - ip: 172.16.0.4
      netmask: 255.255.255.0
XML Data Format
XML is one more type of human readable data format used to store, transfer, and read data by applications.
Some of the characteristics of XML include:
• It is like HTML, which is the standardized markup language for creating web pages and web applications.
• It is self-descriptive. It encloses data within a related set of tags: <tag>data</tag>
• Unlike HTML, XML uses no predefined tags or document structure.

XML objects are one or more key/value pairs, with the beginning tag used as the name of the
key: <key>value</key>

The output shows the same data for GigabitEthernet2 formatted as an XML data structure. Notice how the
values are enclosed within the object tags. In this example, each key/value pair is on a separate line and
some lines are indented. This is not required but is done for readability. The list uses repeated instances
of <tag></tag> for each element in the list. The elements within these repeated instances represent one or
more key/value pairs.
<?xml version="1.0" encoding="UTF-8" ?>
<ietf-interfaces:interface>
  <name>GigabitEthernet2</name>
  <description>Wide Area Network</description>
  <enabled>true</enabled>
  <ietf-ip:ipv4>
    <address>
      <ip>172.16.0.2</ip>
      <netmask>255.255.255.0</netmask>
    </address>
    <address>
      <ip>172.16.0.3</ip>
      <netmask>255.255.255.0</netmask>
    </address>
    <address>
      <ip>172.16.0.4</ip>
      <netmask>255.255.255.0</netmask>
    </address>
  </ietf-ip:ipv4>
</ietf-interfaces:interface>
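The JSON, YAML and XML sections above all carry the same interface record, and the rules they state (double-quoted keys, repeated tags for list items, tags as key names) are exactly what a converter has to honour. The following is an added example, not from the page or Cisco, that parses the JSON form, checks it against the JSON syntax rules, emits the XML form with repeated <address> tags, and parses that XML back. The document is a constructed version of the page's GigabitEthernet2 record with the YANG-style "ietf-interfaces:" and "ietf-ip:" prefixes dropped, because a namespace-aware XML parser rejects prefixed tags that carry no xmlns declaration; the helper names are the author's own.

```python
import json
import xml.etree.ElementTree as ET

# Constructed JSON document modelled on the page's interface example; the YANG module
# prefixes are omitted so the XML we generate is well-formed for a namespace-aware parser.
INTERFACE_JSON = """{
  "interface": {
    "name": "GigabitEthernet2",
    "description": "Wide Area Network",
    "enabled": true,
    "ipv4": {
      "address": [
        {"ip": "172.16.0.2", "netmask": "255.255.255.0"},
        {"ip": "172.16.0.3", "netmask": "255.255.255.0"},
        {"ip": "172.16.0.4", "netmask": "255.255.255.0"}
      ]
    }
  }
}"""


def is_valid_json(text):
    """True only if text obeys the JSON rules (double-quoted keys, no trailing commas, ...)."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def _leaf_text(value):
    if isinstance(value, bool):          # test bool before int: True is also an int in Python
        return "true" if value else "false"
    return str(value)


def dict_to_xml(parent, obj):
    """Append obj's keys under parent: a list becomes repeated sibling tags, a dict a
    nested element, and any other value the element's text."""
    for key, value in obj.items():
        if isinstance(value, list):
            for item in value:
                child = ET.SubElement(parent, key)
                if isinstance(item, dict):
                    dict_to_xml(child, item)
                else:
                    child.text = _leaf_text(item)
        elif isinstance(value, dict):
            dict_to_xml(ET.SubElement(parent, key), value)
        else:
            ET.SubElement(parent, key).text = _leaf_text(value)


def json_to_xml(text):
    """Serialize a single-rooted JSON object as an XML document string."""
    (root_tag, body), = json.loads(text).items()   # exactly one top-level key
    root = ET.Element(root_tag)
    dict_to_xml(root, body)
    return ET.tostring(root, encoding="unicode")


def xml_to_dict(elem):
    """Inverse of dict_to_xml. Repeated sibling tags collapse into a list. Known
    ambiguity of XML-to-JSON conversion: a list with a single element comes back as a
    plain object because nothing in the XML says it was a list."""
    if len(elem) == 0:
        text = elem.text or ""
        return {"true": True, "false": False}.get(text, text)
    result = {}
    for child in elem:
        value = xml_to_dict(child)
        if child.tag in result:
            if not isinstance(result[child.tag], list):
                result[child.tag] = [result[child.tag]]
            result[child.tag].append(value)
        else:
            result[child.tag] = value
    return result


def xml_text_to_dict(xml_text):
    root = ET.fromstring(xml_text)
    return {root.tag: xml_to_dict(root)}


def roundtrip_ok(text):
    """Does JSON -> XML -> JSON preserve the data? True for the three-address record."""
    return xml_text_to_dict(json_to_xml(text)) == json.loads(text)


if __name__ == "__main__":
    print(json_to_xml(INTERFACE_JSON))
    print("round trip ok:", roundtrip_ok(INTERFACE_JSON))
```

The single-element-list ambiguity in xml_to_dict is worth remembering when an API returns XML: the page's own example with three addresses round-trips cleanly, but an interface with one address would come back as an object rather than a one-item array unless the consumer knows the schema.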

The API

• An API is software that allows other applications to access its data or services. It is a set of rules
describing how one application can interact with another, and the instructions to allow the interaction
to occur. The user sends an API request to a server asking for specific information and receives an
API response in return from the server along with the requested information.
• An API is similar to a waiter in a restaurant, as shown in the following figure.
An API Example

To really understand how APIs can be used to provide data and services, we will look at two options for booking airline reservations. The first option uses the web site of a specific airline. Using the airline’s web site, the user enters the information to make a reservation request. The web site interacts directly with the airline’s own database and provides the user with information matching the user’s request.

A travel site can access this same information, not only from a specific airline but from a variety of airlines. In this case, the user enters similar reservation information. The travel service web site interacts with the various airline databases using APIs provided by each airline. The travel service uses each airline API to request information from that specific airline, and then it displays the information from all the airlines on its web page.
The API acts as a kind of messenger between the requesting application and the application on the server
that provides the data or service. The message from the requesting application to the server where the data
resides is known as an API call.

Open, Internal, and Partner APIs

An important consideration when developing an API is the distinction between open, internal, and partner
APIs:
• Open APIs or Public APIs - These APIs are publicly available and can be used with no restrictions. Because
these APIs are public, many API providers require the user to get a free key, or token, prior to using the API.
This is to help control the number of API requests they receive and process.
• Internal or Private APIs - These are APIs that are used by an organization or company to access data and
services for internal use only. An example of an internal API is allowing authorized salespeople access to
internal sales data on their mobile devices.
• Partner APIs - These are APIs that are used between a company and its business partners or contractors to
facilitate business between them. The business partner must have a license or other form of permission to use
the API. A travel service using an airline’s API is an example of a partner API.
Types of Web Service APIs
A web service is a service that is available over the internet, using the World Wide Web. There are four
types of web service APIs:
• Simple Object Access Protocol (SOAP)
• Representational State Transfer (REST)
• eXtensible Markup Language-Remote Procedure Call (XML-RPC)
• JavaScript Object Notation-Remote Procedure Call (JSON-RPC)

Characteristic    SOAP              REST                                       XML-RPC                        JSON-RPC
Data Format       XML               JSON, XML, YAML, and others                XML                            JSON
First released    1998              2000                                       1998                           2005
Strengths         Well-established  Flexible formatting and most widely used   Well-established, simplicity   Simplicity

REST and RESTful API


• Web browsers use HTTP or HTTPS to request (GET) a web page. If successfully requested (HTTP
status code 200), web servers respond to GET requests with an HTML coded web page.
• Simply stated, a REST API is an API that works on top of the HTTP protocol. It defines a set of
functions developers can use to perform requests and receive responses via HTTP protocol such as
GET and POST.
• Conforming to the constraints of the REST architecture is generally referred to as being “RESTful”.
An API can be considered “RESTful” if it has the following features:
Client-Server - The client handles the front end and the server handles the back end. Either can be replaced
independently of the other.
Stateless - No client data is stored on the server between requests. The session state is stored on the client.
Cacheable - Clients can cache responses to improve performance.

RESTful Implementation
A RESTful web service is implemented using HTTP. It is a collection of resources with four defined
aspects:
• The base Uniform Resource Identifier (URI) for the web service, such as http://example.com/resources.
• The data format supported by the web service. This is often JSON, YAML, or XML but could be any
other data format that is a valid hypertext standard.
• The set of operations supported by the web service using HTTP methods.
• The API must be hypertext driven.
RESTful APIs use common HTTP methods including POST, GET, PUT, PATCH and DELETE. As shown
in the following table, these correspond to RESTful operations: Create, Read, Update, and Delete (or
CRUD).

HTTP Method RESTful Operation

POST Create

GET Read

PUT/PATCH Update

DELETE Delete
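The method-to-CRUD mapping in the table, carried through as a small server-side dispatcher. This is an added example, not code from the study guide; the resource name /devices and the in-memory store are assumptions made for illustration.

```python
"""Minimal RESTful CRUD dispatcher (added example, not code from the guide).

Maps the HTTP methods in the table above onto Create/Read/Update/Delete
operations on one resource collection held in memory and answers with an
HTTP status code plus a JSON payload.  It is stateless in the REST sense:
each request carries all it needs (method, path, body); no client session
is kept on the server.  The resource name /devices is assumed.
"""
import json
from typing import Dict, Tuple

BASE_PATH = "/devices"                      # base URI of the web service
ALLOWED = ("POST", "GET", "PUT", "PATCH", "DELETE")


def handle(method: str, path: str, body: str,
           store: Dict[str, dict]) -> Tuple[int, str]:
    """Dispatch one request; return (HTTP status code, JSON payload)."""
    if method not in ALLOWED:
        return 405, json.dumps({"error": "method not allowed"})
    if path != BASE_PATH and not path.startswith(BASE_PATH + "/"):
        return 404, json.dumps({"error": "unknown resource"})
    item_id = path[len(BASE_PATH):].strip("/") or None   # /devices/<id>
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return 400, json.dumps({"error": "malformed JSON body"})
    if not isinstance(data, dict):
        return 400, json.dumps({"error": "JSON object expected"})

    if method == "POST":                                  # Create
        if item_id is not None:
            return 405, json.dumps({"error": "POST only on the collection"})
        new_id = str(max((int(k) for k in store), default=0) + 1)
        store[new_id] = data
        return 201, json.dumps({"id": new_id, **data})
    if method == "GET":                                   # Read
        if item_id is None:
            return 200, json.dumps(sorted(store))
        if item_id in store:
            return 200, json.dumps(store[item_id])
        return 404, json.dumps({"error": "no such device"})
    if item_id is None or item_id not in store:           # PUT/PATCH/DELETE need an id
        return 404, json.dumps({"error": "no such device"})
    if method == "PUT":                                   # Update (full replace)
        store[item_id] = data
    elif method == "PATCH":                               # Update (partial)
        store[item_id].update(data)
    else:                                                 # Delete
        del store[item_id]
        return 200, json.dumps({"deleted": item_id})
    return 200, json.dumps(store[item_id])
```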

URI, URN, and URL

Web resources and web services such as RESTful APIs are identified using a URI. A URI is a string of
characters that identifies a specific network resource. A URI has two specializations:
• Uniform Resource Name (URN) - identifies only the namespace of the resource (web page, document,
image, etc.) without reference to the protocol.
• Uniform Resource Locator (URL) - defines the network location of a specific resource. HTTP or HTTPS
URLs are typically used with web browsers. Protocols such as FTP, SFTP, SSH, and others can use a URL. A
URL using SFTP might look like: sftp://sftp.example.com.

These are the parts of the URI https://www.example.com/author/book.html#page155 :


• Protocol/scheme – HTTPS or other protocols such as FTP, SFTP, mailto, and NNTP
• Hostname - www.example.com
• Path and file name - /author/book.html
• Fragment - #page155

Anatomy of a RESTful Request


• In a RESTful Web service, a request made to a resource's URI will elicit a response. The response
will be a payload typically formatted in JSON, but could be HTML, XML, or some other format.
The figure shows the URI for the MapQuest directions API. The API request is for directions from
San Jose, California to Monterey, California.
These are the different parts of the API request:
• API Server - This is the URL for the server that answers REST requests. In this example it is the MapQuest
API server.
• Resources - Specifies the API that is being requested. In this example it is the MapQuest directions API.
• Query - Specifies the data format and information the client is requesting from the API service. Queries can
include:
o Format – This is usually JSON but can be YAML or XML. In this example JSON is
requested.
o Key - The key is for authorization, if required. MapQuest requires a key for their directions
API. In the above URI, you would need to replace “KEY” with a valid key to submit a valid
request.
o Parameters - Parameters are used to send information pertaining to the request. In this
example, the query parameters include information about the directions that the API needs so
it knows what directions to return: "from=San+Jose,Ca" and "to=Monterey,Ca".

Many RESTful APIs, including public APIs, require a key. The key is used to identify the source of the
request. Here are some reasons why an API provider may require a key:
• To authenticate the source to make sure they are authorized to use the API.
• To limit the number of people using the API.
• To limit the number of requests per user.
• To better capture and track the data being requested by users.
• To gather information on the people using the API.
Note: The MapQuest API does require a key. Search the internet for the URL to obtain a MapQuest key. Use the
search parameters: developer.mapquest. You can also search the internet for the current URL that outlines the
MapQuest privacy policy.
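The request anatomy above (API server, resource, then a query carrying format, key and parameters) and the URI parts from the previous section, built and taken apart in Python. This is an added example, not code from the study guide or from MapQuest; the host api.example.com, the resource path and the API_KEY variable name are assumptions, and the key is kept out of source and logs.

```python
"""Build and dissect a RESTful API request URI (added example, not code
from the guide).  It follows the request anatomy described above: API
server, resource path, then a query carrying the data format, the key and
the request parameters; a fragment is also recognised when dissecting.
The key is read from an environment variable instead of being typed into
the source, and is masked before a URI is logged.  Host and path are assumed.
"""
import os
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

API_SERVER = "https://api.example.com"           # assumed API server
RESOURCE = "/directions/v2/route"               # assumed resource path


def load_key(env_var: str = "API_KEY") -> str:
    """Fetch the API key from the environment; fail loudly if absent."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"set {env_var} before calling the API")
    return key


def build_request(params: dict, key: str, fmt: str = "json") -> str:
    """Assemble server + resource + query; urlencode percent-encodes the
    comma, so 'San Jose,Ca' travels as San+Jose%2CCa."""
    query = {"format": fmt, "key": key, **params}
    return f"{API_SERVER}{RESOURCE}?{urlencode(query)}"


def dissect(uri: str) -> dict:
    """Split a URI into scheme, hostname, path, query and fragment."""
    parts = urlsplit(uri)
    return {
        "scheme": parts.scheme,
        "hostname": parts.hostname,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "fragment": parts.fragment,
    }


def redact_key(uri: str) -> str:
    """Return the URI with the key value replaced, safe to write to a log."""
    parts = urlsplit(uri)
    query = parse_qs(parts.query)
    if "key" in query:
        query["key"] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    uri = build_request({"from": "San Jose,Ca", "to": "Monterey,Ca"}, load_key())
    print(redact_key(uri))           # log only the masked form
```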

RESTful API Applications


• Many web sites and applications use APIs to access information and provide service for their customers.
• Some RESTful API requests can be made by typing in the URI from within a web browser. The MapQuest
directions API is an example of this. A RESTful API request can also be made in other ways.
Developer Web Site: Developers often maintain web sites that include information about the API, parameter
information, and usage examples. These sites may also allow the user to perform the API request within the developer
web page by entering in the parameters and other information.
Postman: Postman is an application for testing and using REST APIs. It contains everything required for constructing
and sending REST API requests, including entering query parameters and keys.
Python: APIs can also be called from within a Python program. This allows for possible automation, customization,
and App integration of the API.
Network Operating Systems: Using protocols such as NETCONF (NET CONFiguration) and RESTCONF, network
operating systems are beginning to provide an alternative method for configuration, monitoring, and management.
Configuration Management Tools

Traditional Network Configuration

Network devices have traditionally been configured by a network administrator using the CLI. Whenever there is a change or new feature, the necessary configuration commands must be manually entered on all of the appropriate devices. This becomes a major issue on larger networks or with more complex configurations.

Simple Network Management Protocol (SNMP) lets administrators manage nodes on an IP network. With a network management station (NMS), network administrators use SNMP to monitor and manage network performance, find and solve network problems, and perform queries for statistics. SNMP is not typically used for configuration due to security concerns and difficulty in implementation.
You can also use APIs to automate the deployment and management of network resources. Instead of manually configuring ports, access lists, QoS, and load balancing policies, you can use tools to automate configurations.

Network Automation

We are rapidly moving away from a world where a network administrator manages a few dozen network devices, to one where they are deploying and managing a great number of complex network devices (both physical and virtual) with the help of software. This transformation is quickly spreading to all places in the network. There are new and different methods for network administrators to automatically monitor, manage, and configure the network. These include protocols and technologies such as REST, Ansible, Puppet, Chef, Python, JSON, XML, and more.
Configuration Management Tools
Configuration management tools make use of RESTful API requests to automate tasks and can scale across
thousands of devices. These are some characteristics of the network that administrators benefit from
automating:
• Software and version control
• Device attributes such as names, addressing, and security
• Protocol configurations
• ACL configurations
Configuration management tools typically include automation and orchestration. Automation is when a tool automatically performs a task on a system. Orchestration is the arranging of the automated tasks that results in a coordinated process or workflow.

There are several tools available to make configuration management easier:


• Ansible
• Chef
• Puppet
• SaltStack
The goal of all of these tools is to reduce the complexity and time involved in configuring and maintaining a
large-scale network infrastructure with hundreds, even thousands of devices. These same tools can benefit
smaller networks as well.

Compare Ansible, Chef, Puppet, and SaltStack

Ansible, Chef, Puppet, and SaltStack all come with API documentation for configuring RESTful API
requests. All of them support JSON and YAML as well as other data formats. The following table shows a
summary of a comparison of major characteristics of Ansible, Puppet, Chef, and SaltStack configuration
management tools.

Characteristic                 Ansible                          Chef          Puppet          SaltStack
What programming language?     Python + YAML                    Ruby          Ruby            Python
Agent-based or agentless?      Agentless                        Agent-based   Supports both   Supports both
How are devices managed?       Any device can be “controller”   Chef Master   Puppet Master   Salt Master
What is created by the tool?   Playbook                         Cookbook      Manifest        Pillar
IBN and Cisco DNA Center

Intent-Based Networking Overview


• IBN is the emerging industry model for the next generation of networking. IBN builds on Software-
Defined Networking (SDN), transforming a hardware-centric and manual approach to designing and
operating networks to one that is software-centric and fully automated.
• Business objectives for the network are expressed as intent. IBN captures business intent and uses
analytics, machine learning, and automation to align the network continuously and dynamically as
business needs change.
• IBN captures and translates business intent into network policies that can be automated and applied
consistently across the network.

Cisco views IBN as having three essential functions: translation, activation, and assurance. These functions
interact with the underlying physical and virtual infrastructure, as shown in the figure.

Translation - The translation function enables the network administrator to express the expected networking behavior
that will best support the business intent.
Activation - The captured intent then needs to be interpreted into policies that can be applied across the network. The
activation function installs these policies into the physical and virtual network infrastructure using networkwide
automation.
Assurance - In order to continuously check that the expressed intent is honored by the network at any point in time,
the assurance function maintains a continuous validation-and-verification loop.
Network Infrastructure as Fabric
• From the perspective of IBN, the physical and virtual network infrastructure is a fabric; an overlay that represents the logical topology used to virtually connect to devices. The overlay limits the number of devices the network administrator must program and provides services and alternative forwarding methods not controlled by the underlying physical devices.
• The overlay is where encapsulation protocols like IPsec and CAPWAP occur. Using an IBN solution, the network administrator can use policies to specify exactly what happens in the overlay control plane. Notice that how the switches are physically connected is not a concern of the overlay.

The underlay network is the physical topology that includes all hardware required to meet business objectives. The underlay reveals additional devices and specifies how these devices are connected. End points, such as the servers in the figure, access the network through the Layer 2 devices. The underlay control plane is responsible for simple forwarding tasks.

Cisco Digital Network Architecture (DNA)

Cisco implements the IBN fabric using Cisco DNA. The business intent is securely deployed into the network infrastructure (the fabric). Cisco DNA then continuously gathers data from a multitude of sources (devices and applications) to provide a rich context of information. This information can then be analyzed to make sure the network is performing securely at its optimal level and in accordance with business intent and network policies.
Cisco DNA Solution: SD-Access
Description:
• First intent-based enterprise networking solution built using Cisco DNA.
• It uses a single network fabric across LAN and WLAN to create a consistent, highly secure user experience.
• It segments user, device, and application traffic and automates user-access policies to establish the right policy for any user or device, with any application, across a network.
Benefits:
• Enables network access in minutes for any user or device to any application without compromising security.

Cisco DNA Solution: SD-WAN
Description:
• It uses a secure cloud-delivered architecture to centrally manage WAN connections.
• It simplifies and accelerates delivery of secure, flexible and rich WAN services to connect data centers, branches, campuses, and colocation facilities.
Benefits:
• Delivers better user experiences for applications residing on-premise or in the cloud.
• Achieve greater agility and cost savings through easier deployments and transport independence.

Cisco DNA Solution: Cisco DNA Assurance
Description:
• Used to troubleshoot and increase IT productivity.
• It applies advanced analytics and machine learning to improve performance and issue resolution, and predict to assure network performance.
• It provides real-time notification for network conditions that require attention.
Benefits:
• Allows you to identify root causes and provides suggested remediation for faster troubleshooting.
• The Cisco DNA Center provides an easy-to-use single dashboard with insights and drill-down capabilities.
• Machine learning continually improves network intelligence to predict problems before they occur.

Cisco DNA Solution: Cisco DNA Security
Description:
• Used to provide visibility by using the network as a sensor for real-time analysis and intelligence.
• It provides increased granular control to enforce policy and contain threats across the network.
Benefits:
• Reduce risk and protect your organization against threats - even in encrypted traffic.
• Gain 360-degree visibility through real-time analytics for deep intelligence across the network.
• Lower complexity with end-to-end security.
Cisco DNA Center
• Cisco DNA Center is the foundational controller and analytics platform at the heart of Cisco DNA. It
supports the expression of intent for multiple use cases, including basic automation capabilities,
fabric provisioning, and policy-based segmentation in the enterprise network. Cisco DNA Center is a
network management and command center for provisioning and configuring network devices. It is a
hardware and software platform providing a ‘single-pane-of-glass’ (single interface) that focuses on
assurance, analytics, and automation.
• The DNA Center interface launch page gives you an overall health summary and network snapshot.
From here, the network administrator can quickly drill down into areas of interest.

At the top, menus provide you access to DNA Center’s five main areas. As shown in the figure, these are:
• Design - Model your entire network, from sites and buildings to devices and links, both physical and virtual,
across campus, branch, WAN, and cloud.
• Policy - Use policies to automate and simplify network management, reducing cost and risk while speeding
rollout of new and enhanced services.
• Provision - Provide new services to users with ease, speed, and security across your enterprise network,
regardless of network size and complexity.
• Assurance - Use proactive monitoring and insights from the network, devices, and applications to predict
problems faster and ensure that policy and configuration changes achieve the business intent and the user
experience you want.
• Platform - Use APIs to integrate with your preferred IT systems to create end-to-end solutions and add
support for multi-vendor devices.
