Module 1. Basic networking
1.1.1 What is a computer network
1.1.2 Benefits of a computer network
1.1.3 Disadvantages of the computer Network
1.1.4 Core Network Devices
1.1.5 Interpret network diagrams
1.2 Networking models
1.2.1 The OSI Model
1.2.2 The OSI layers in greater detail
1.2.3 Network Applications
1.2.4 TCP/IP Model
1.2.5 The Cisco 3 layer hierarchical model
1.2.6 TCP: Transmission Control Protocol
1.2.7 UDP: User Datagram Protocol
1.2.7 Port Numbers and Multiplexing
1.3 Network Topology
1.3.1 Differentiate between LAN & WAN
1.3.2 Local area network (LAN)
1.3.3 Wide Area Network (WAN)
1.3.4 WAN Encapsulation Protocols
1.3.5 Frame Relay
1.3.6 Select the appropriate media, cables, ports and connectors
Module 2. Switching
2.1 Ethernet
2.2 Implement a switched network
2.2.1 Explain switch concepts
2.2.2 Spanning Tree Protocol
Spanning tree versions
Advanced STP configuration
2.3 Switch Configuration
2.3.1 Switch Management
2.3.2 Switch security
2.3.3 Port Security
Module 3
3.1
3.2
3.3
3.4
3.5
3.6
Module 4. Router Management
4.1 Router Components
4.2 Connecting to a Router
4.3 Router Modes
4.4 Configuring Passwords
4.6 Router Interfaces
4.6
Module 5. Routing
5.1 Routing overview
5.2 Static Routing
5.3 Dynamic Routing
5.4 Classful v Classless
5.5 Routing information protocol (RIP)
5.6 Enhanced interior gateway routing protocol (EIGRP)
5.6.1 Packet Formats
5.6.2 Configuring EIGRP
5.7 Open shortest path first (OSPF)
5.7.1 Areas, Neighbors and Border Routers
5.7.2 Building the Adjacency
5.7.3 OSPF Network types
5.7.4 OSPF Cost
5.7.5 Link-State advertisement Packets
5.7.6 Configuring OSPF
5.7.7 Passive interfaces
5.7.8 OSPF Authentication
5.7.9 OSPF Area configuration
Module 6. VLANS
6.1 Virtual Local Area Networks
6.2 VLAN Trunking Protocol (VTP)
6.3 Enabling VTP Pruning
6.4 VLAN Management Policy Server
6.5 Load Sharing Using STP
6.6 Etherchannel
6.7 Router on a stick - InterVLAN routing
Module 7 Wireless Networking
7.1 Fundamentals
7.2 Wireless Security
Module 8 Frame Relay
8.1 Frame Relay
8.2 Frame relay Point-to-Point Configuration
8.3 Configuring a frame relay switch for lab use
Module 9 Troubleshooting
9.1 Common network client tools
Module 10 Access lists
10.1 Standard or Extended Access-lists
10.2 Numbered vs Named Access-lists
10.3 ACL Practical uses
Module 11 Network address translation NAT
11.1 Types of Network address translation
Module 12
Module 13
13.1
13.2
13.3
13.4
13.5
13.6
Labs
Basic Labs
Router and Switch basics
Switching Labs
Routing Labs
Security Labs
WAN Labs
Module 1. Basic networking.
management Software (SMS). This software often allows for auditing of devices and software installations.
Communication and collaboration medium
Computer networks can provide powerful tools to end users that increase communication and collaboration, which has a positive impact on productivity. Enterprise instant messaging reduces communication time and allows information to be passed quickly and informally.
Data Security and Management
Data security and integrity are important factors for any business today. By taking advantage of the network and its security applications, data can be stored privately and securely. With permissions, data can only be accessed by users who have the necessary authority. A network also allows data to be stored in an organised fashion, reducing the chance that vital files are not backed up.
Speed
Today, networks are very fast, often sharing data in the blink of an eye. This reduces the time required to locate and open data to work on, which in turn increases productivity.
Protocols
Modern networks require processes and rules to operate. These rules are called protocols, and they set the standards for hardware and communication.
With modern computer systems comes the threat of computer viruses. If a computer connected to a network becomes infected, it can spread the threat to other devices on the network, which poses a threat to the integrity of data on the network. Modern viruses can include key logging to steal usernames and passwords, or to copy data from your network to an unauthorised remote user. Proper security diligence, by installing and maintaining antivirus software, mitigates but does not fully eliminate this risk. User education is important on a network; users should not open unknown files, etc.
Overcoming Network Disadvantages
Overcoming these disadvantages requires time, effort and a skilled administrator. It is important to create a network security process that adheres to industry standard practices and ensures data security through measures such as regular backups, password change routines and monitoring of system logs. It is important to actively administer leavers and joiners to ensure the correct security access rules are applied at all stages.
The security of the network should also include antivirus software, patching of operating systems and the addition of auditing.
Basic network types
Networks are generally broken down into the following types:
Local Area Networks (LAN) - a LAN is a local high speed network covering a limited geographical area such as an office or campus.
Wide Area Networks (WAN) - a WAN is used to connect LANs together over a geographically dispersed area.
sitting between two physical networks and analysing the destination MAC address of frames that ingress its interfaces. This allows the bridge to build a map of network devices and either block or allow frames to pass through it based on this map. A bridge splits a network into separate collision domains but still keeps a single broadcast domain.
Switches
Like hubs, switches are mostly used to provide connectivity to end devices; however, they are more intelligent and are best described as a multiport bridge.
A switch is basically an intelligent, high port density bridge which allows high speed connectivity for devices whilst providing a separate collision domain for each port. Where a hub simply floods all ports with data, a switch sends data out only the port connected to the destination MAC address.
It does this by looking at incoming data and matching the source address with the port it arrived on. The switch builds a list of these addresses into the mac-address-table, which allows the switch to look up an address and forward the data out a single port rather than out multiple ports.
By forwarding data directly to the end device, a switch can improve network performance in many ways. One of the biggest improvements is that a switch creates a collision domain for each port, which allows full-duplex connectivity on the port, greatly improving speed and reducing collisions. It should be noted that broadcast traffic is still forwarded out all ports, flooding the switch with traffic.
The methods a switch uses to switch data will be covered in greater detail in a later module.
Router
Routers are physical network devices that run an operating system called IOS and are used to join multiple smaller sub-networks or to segment larger networks. They operate at the network layer of the OSI model and use a routing table to decide where to send traffic. Routers typically perform the following functions:
Segment a network into smaller segments, allowing for smaller broadcast domains - as networks grow, along with the number of devices, a network can experience growth in broadcast traffic. By its nature, broadcast traffic tries to reach all devices on the network; this can eventually lead to performance issues, which are exaggerated if the network design is not correct. A router can help manage this broadcast traffic by segmenting the network, which essentially slices the larger network into smaller, more manageable broadcast domains. By reducing the network size and the device count, it is generally accepted that broadcast traffic will reduce.
Act as a default gateway for a network segment - by segmenting a network and creating multiple smaller networks, an administrator must be able to connect these together to allow the sharing of data and resources. A default gateway, as its name suggests, is the exit point on a segment to other networks. Through a default gateway a device can use resources on, or send data to, devices on any other network. A router performing this task learns the topology of the network using routes, allowing the movement of traffic from segment to segment, and can provide this service to multiple segments by connecting different segments to different ports. Routers use a routing protocol (which is different from a routed protocol) to learn the network topology and provide the best path to any destination in the network. Common routing protocols include RIP, EIGRP, OSPF, BGP and IS-IS.
Routers are intelligent devices with software functions that allow them to carry out security functions such as access control lists, firewall services and Quality of Service, providing control over inbound and outbound traffic. They also support a Layer 2.5 protocol called MPLS to carry out very fast routing.
A router can have many port types such as Ethernet, Fast Ethernet, Serial, FXS, FXO, T1 and ISDN; these will be described in greater detail in a later module.
In the example 1.4.1 below, we can see the role of a router in segmenting a corporate network and providing firewall-secured access to the internet. The router is connected to two network segments, one of which is the internet. The other is normally called a Local Area Network, with access to the internet normally provided by a service provider. Traffic arriving at the router ports will be processed by the router and forwarded according to a routing protocol. Typically the protocol used on modern networks is TCP/IP, which is a routed protocol.
Of course, many companies have multiple offices, each with a LAN, that require communication with each other. This is typically known as a Wide Area Network (WAN).
Typically, both routers would be configured to connect to a service provider (ISP), who creates a logical connection between the two company routers. Common protocols used in a WAN are Frame Relay, PPP and HDLC.
To summarise a router:
Routers are Layer 3 devices; they operate at the NETWORK layer of the OSI model.
Routers will not propagate broadcasts; they create separate broadcast domains.
Routers use routing protocols to exchange information about the network.
Routers route routed protocols using a routing protocol.
[Figure 1.4.1 legend: Server; Serial connection]
Broadcast Domain
A broadcast domain is a network segment where all devices will receive a broadcast message. All devices in this domain will receive broadcast frames originating from any other device within the domain. Broadcast domains are typically bordered by a router.
Collision domain
A collision domain is defined as a network segment that shares the transmission media with all other devices on the segment. It is called a collision domain because if two hosts transmit at the same time, the data will collide. This forces all devices to stop transmitting for a period of time before starting again.
Where do collision and broadcast domains affect networks? To help visualise what collision and broadcast domains are and how they are managed in a network, there are several examples using common network hardware and topologies below.
Hubs
Hubs operate at Layer 1, the physical layer of the OSI model, and are not aware of any routed protocol such as IP. Being bus-based devices they are subject to CSMA/CD, where every port is part of a single collision and broadcast domain. Adding additional hubs extends the broadcast and collision domain.
Bridges
A bridge operates at the data link layer, which is layer 2 of the OSI model, and is used to segment a network into separate collision domains. Bridges are essentially early, low port density switches.
They operate by creating a table of MAC addresses called the mac-address-table. This table is populated by reading the source MAC address from a frame and noting which port it arrived on. Subsequent frames can be compared against this table to allow a forwarding decision to be made. If the port associated with the destination is not known, then the frame will be broadcast (flooded) out all ports.
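The learning and flooding behaviour described for bridges here, and for switches in the earlier section, can be simulated in a few lines. The following Python model is an added example, not part of the course text: the port names, MAC addresses and table size are constructed values, and the fixed-capacity table with least-recently-seen eviction is an assumption used to show what happens to traffic for an address that has dropped out of the table.

```python
"""Added example (not from the course text): a toy learning bridge/switch.

It models the behaviour described above: learn the source MAC of every
frame against the ingress port, forward a known destination out one port,
and flood unknown or broadcast destinations out every other port.
"""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Minimal multiport bridge with a MAC address table."""

    def __init__(self, ports, table_size=8):
        self.ports = list(ports)
        # MAC -> port. A small fixed capacity (an assumption) mimics the finite
        # address table on real hardware.
        self.table = OrderedDict()
        self.table_size = table_size

    def learn(self, mac, port):
        """Record (or refresh) the port a source MAC was last seen on."""
        if mac in self.table:
            self.table.move_to_end(mac)
        elif len(self.table) >= self.table_size:
            # Table full: drop the least recently seen entry. Frames for the
            # evicted address are flooded until it is learned again.
            self.table.popitem(last=False)
        self.table[mac] = port

    def forward(self, frame):
        """Return the egress ports for a frame dict with src, dst and in_port."""
        src, dst, in_port = frame["src"], frame["dst"], frame["in_port"]
        self.learn(src, in_port)
        out_port = self.table.get(dst)
        if dst != BROADCAST and out_port is not None:
            # Known unicast: a single egress port. If the destination sits on
            # the ingress port the frame is filtered (not forwarded at all).
            return [] if out_port == in_port else [out_port]
        # Broadcast or unknown unicast: flood out every port except the ingress one.
        return [p for p in self.ports if p != in_port]


def run_demo():
    """Constructed sample traffic on a 4-port switch; returns egress lists and table."""
    sw = LearningSwitch(ports=["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    frames = [
        # Host A on Fa0/1 broadcasts (e.g. an ARP request): flooded
        {"src": "00:01:a5:55:b1:01", "dst": BROADCAST, "in_port": "Fa0/1"},
        # Host B replies from Fa0/2: A is already known, so one egress port
        {"src": "00:01:a5:55:b1:02", "dst": "00:01:a5:55:b1:01", "in_port": "Fa0/2"},
        # A sends to B: both are known now
        {"src": "00:01:a5:55:b1:01", "dst": "00:01:a5:55:b1:02", "in_port": "Fa0/1"},
        # C on Fa0/3 sends to an address never seen: unknown unicast, flooded
        {"src": "00:01:a5:55:b1:03", "dst": "00:01:a5:55:b1:99", "in_port": "Fa0/3"},
    ]
    return [sw.forward(f) for f in frames], dict(sw.table)


if __name__ == "__main__":
    decisions, table = run_demo()
    for d in decisions:
        print(d)
    print(table)
```

Running it shows the first and last frames flooded to three ports while the two frames between known hosts leave on exactly one port, and the final table holding the three learned addresses against their ports.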
Switches
Switches continue to improve network performance over hubs and bridges by adding higher density ports. They still operate mainly at Layer 2, the Data Link layer of the OSI model, although high end switches now have functionality at Layer 3.
Switches make use of hardware ASIC chips to increase the switching speed of the ports, which now provide 100Mbps full duplex as standard. Some switch ports can provide speeds in excess of 1000Mbps.
Like a bridge, a switch does not control broadcast domains without additional configuration of VLANs; however, switches create a separate collision domain on every port.
A VLAN is a logical grouping of switch ports that are isolated from other switch ports on a physical switch. A VLAN creates a broadcast domain boundary on a single switch, where broadcast traffic cannot pass between VLANs. VLANs are covered in greater depth in a further module.
Routers
Routers operate at layer 3 of the OSI model, the Network layer; each port on a router is a separate broadcast and collision domain. Routers are normally connected to switches in a LAN.
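A worked example of the counting rules above (hubs extend both domains, switches split collision domains only, routers split both), written as an added Python script that is not part of the course text. The topology it builds is constructed for illustration and the device names are placeholders; VLANs are not modelled, so a switch is one broadcast domain.

```python
"""Added example (not from the course text): count collision and broadcast domains.

Rules applied, as stated in the text above:
  hub    - all ports share one collision domain and one broadcast domain
  switch - a separate collision domain per port, one broadcast domain (no VLANs)
  router - a separate collision domain and broadcast domain per port
Hosts are end devices; every cable starts as its own segment.
"""


class DomainCounter:
    def __init__(self):
        self.device_type = {}   # name -> "host" | "hub" | "switch" | "router"
        self.links = []         # (device_a, device_b) pairs, one per cable

    def add(self, name, kind):
        self.device_type[name] = kind
        return self

    def connect(self, a, b):
        self.links.append((a, b))
        return self

    def _count(self, merging_kinds):
        """Union-find over links; a device of a merging kind joins all its links."""
        parent = list(range(len(self.links)))

        def find(i):
            while parent[i] != i:
                parent[i] = parent[parent[i]]   # path halving
                i = parent[i]
            return i

        def union(i, j):
            parent[find(i)] = find(j)

        for dev, kind in self.device_type.items():
            if kind not in merging_kinds:
                continue
            attached = [i for i, (a, b) in enumerate(self.links) if dev in (a, b)]
            for i in attached[1:]:
                union(attached[0], i)
        return len({find(i) for i in range(len(self.links))})

    def collision_domains(self):
        # Only hubs extend a collision domain across their ports.
        return self._count({"hub"})

    def broadcast_domains(self):
        # Hubs and switches both forward broadcasts; routers stop them.
        return self._count({"hub", "switch"})


def sample_topology():
    """Constructed topology: two PCs on a hub, the hub and a third PC on a switch,
    the switch on a router that also serves a second switched LAN and a WAN link."""
    net = DomainCounter()
    for pc in ("PC1", "PC2", "PC3", "PC4", "PC5"):
        net.add(pc, "host")
    net.add("HUB1", "hub").add("SW1", "switch").add("SW2", "switch")
    net.add("R1", "router").add("R2", "router")
    net.connect("PC1", "HUB1").connect("PC2", "HUB1").connect("HUB1", "SW1")
    net.connect("PC3", "SW1").connect("SW1", "R1")
    net.connect("R1", "SW2").connect("PC4", "SW2").connect("PC5", "SW2")
    net.connect("R1", "R2")   # serial WAN link
    return net


if __name__ == "__main__":
    net = sample_topology()
    print("collision domains:", net.collision_domains())
    print("broadcast domains:", net.broadcast_domains())
```

For the sample topology the hub collapses its three cables into one collision domain, every other cable is its own, giving 7 collision domains; the switches then merge their cables into two LAN broadcast domains and the serial link forms a third, giving 3 broadcast domains.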
Servers:
The function of a network is to provide resources to a user. This may include end users' access to applications, shared printers or resources, as well as allowing applications to integrate with each other, such as financial software.
Some of the major resources that are shared or stored on a network include data, applications, printers, email, instant messaging and databases.
There are many applications that can run on a network; in fact most modern software is network aware and can communicate across a network. Some common examples are:
Email: MS Outlook is an example of this when it is configured to use an Exchange server.
Web browsers: Internet Explorer, Firefox and Chrome all use networks to allow users to browse the internet or connect to a web based application.
Instant messaging: Sametime and Communicator are enterprise tools allowing instant communication across a network; they often provide the free/busy status of users.
Collaboration: collaboration tools such as SharePoint allow groups of people to
1.2 Networking models
Layer     Name           PDU
Layer 7   Application    DATA
Layer 6   Presentation   DATA
Layer 5   Session        DATA
Layer 4   Transport      SEGMENT
Layer 3   Network        PACKET
Layer 2   Datalink       FRAME
Layer 1   Physical       BIT
Mnemonic for the layer names: People Seem To Need Data Processing.
Layers 7, 6 and 5 of the OSI model, the Application, Presentation and Session layers, are collectively known as the upper layers and are implemented in software such as a browser or mail client.
Layers 4 and 3, the Transport and Network layers, are concerned with routed protocols such as TCP/IP and are responsible for the delivery of packets to the destination. These layers are also implemented in software, such as the networking stack within an operating system.
Layers 2 and 1, the Data Link and Physical layers, are primarily hardware based and define the method for transporting the data to a destination.
[Figure: functions of the OSI layers. Only the labels Presentation, Session, Transport, Network, Application, Datalink, Physical, Framing and Physical topology survived extraction.]
Flow Control: a mechanism that enables the communicating hosts to negotiate how much data is transmitted in each time slot.
Reliability service: a mechanism that guarantees the delivery of each packet by using sequence numbers and acknowledgements.
TCP is responsible for slicing the data flow into segments and attaching a sequence number to each of them. The segment is then passed to the network layer. When the TCP segments arrive at the receiving device, they are reordered and reassembled into a data flow for processing by the session layer. TCP will be discussed further in a later module.
Layer 3: Network
The Network layer is responsible for calculating the best path to the destination and for the actual routing of the data. The Network layer converts segments received from the Transport layer into packets, which are sent to Layer 2, the Data Link layer.
Logical device addresses are allocated at the Network layer, of which the IP address is the most commonly used. This allows any device to be uniquely identified anywhere on the network.
Examples of Layer 3 protocols include routed protocols such as IP, IPX and ICMP, along with routing protocols such as RIP, BGP, OSPF and EIGRP. These protocols will be covered in later modules.
Layer 2: Datalink
The Data Link layer consists of two sub-layers, Logical Link Control (LLC) and Media Access Control (MAC), and is responsible for taking packets from the Network layer, wrapping them into a frame suitable for the physical transmission media and then actually sending it across the wire. The most common devices used at Layer 2 are switches.
The Data Link layer is responsible for flow control and error checking.
As mentioned, the Data Link layer has distinct sub-layers that perform independent functions.
When a frame passes through a device at this layer, the source and destination MAC addresses are replaced; however, the IP address does not change.
LLC sub-layer
LLC is the upper sub-layer of the Data Link layer. It resides immediately below the Network layer and above the MAC sub-layer. The LLC hides the underlying infrastructure from the Network layer, presenting any physical configuration as a preset configuration.
MAC sub-layer
The MAC sub-layer is responsible for most things physical, such as addressing in the form of a MAC address, and allows the upper layers to access the physical media. It handles the transformation of frames to bits in preparation for transmission on the physical media.
Some standards at this layer include Frame Relay and Ethernet.
A MAC address, also known as the Layer 2 address, is a hexadecimal address that is unique to each device on the network and is hard-coded into the device.
An example of a MAC address is 00:01:A5:55:B1:01, where the first 6 digits are specific to a vendor or manufacturer and the last 6 digits are the unique device address.
Layer 1: Physical
The Physical layer's responsibility lies with the definition of the mechanical, electrical and functional connection between devices. This involves the type of transmission media, such as twisted copper wire or fibre optic, and any physical connection that they plug into, such as ports or patch panels.
Data is transmitted across the Physical layer as either a 1 or a 0.
The following diagram shows the process of encapsulation through the layers for TCP/IP communications:
Layer         Encapsulated unit
Application   DATA
Transport     TCP Header | DATA
Network       IP Header | TCP Header | DATA
Datalink      MAC | LLC | IP Header | TCP Header | DATA | FCS
Physical      1010111111000100101010101010110101101010101
Devices that operate at Layer 1 include hubs, repeaters and network cards.
OSI Layer      Devices                           Applications
Application    N/A                               SMTP, POP3, DNS, DHCP, FTP, HTTP, TFTP, SNMP, VoIP
Presentation   N/A                               JPG, JPEG, TIFF, PNG, GIF, MIME
Session        N/A                               NFS, ASP, SQL, RPC
Transport      Firewall                          TCP, UDP, SPX
Network        Router                            IP, IPX, AppleTalk
Data Link      Bridge, Switch                    Ethernet, PPP, HDLC, Frame Relay, ATM
Physical       Transceiver, Repeater, Hub, NIC   RJ45, ST/SC, V series (modem)
[Figure: fully qualified domain name example; labels captured: Domain name, redmountainit]
All FQDNs are stored in DNS servers that are available on the internal network and the internet. DNS works by the DNS server hosting a zone, a collection of DNS records including the FQDNs and IP addresses local to the network. Requests are sent to the DNS server and, if it holds an entry, it will respond. However, it is not always possible for a DNS server to hold all records, especially when an internet address is required. In this scenario the local DNS server will forward the query to an internet root server, which will either respond with the answer or reply with a DNS server, known as an authoritative server, which can provide the answer. This is known as a recursive query.
When the original DNS server receives a reply from the root server or authoritative server, it stores the answer in its memory for future use. This is known as DNS caching. DNS caching reduces the network bandwidth consumed by DNS queries by storing the answer to any DNS query for a record.
Configuring DNS lookup on a Cisco router to point to a well known DNS server:
Router(config)# ip name-server 4.4.4.4
To disable DNS lookups on an IOS device:
Router(config)# no ip domain-lookup
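To make the local-zone, root referral, authoritative answer and caching sequence described above concrete, here is a toy recursive resolver, added as an illustration and not part of the course material. The zone contents, the example.com and .internal names and the 192.0.2.10 and 172.16.1.20 addresses are constructed placeholders; the real DNS wire format, negative caching and retries are not modelled.

```python
"""Added example (not from the course text): a toy recursive DNS lookup with caching.

The local server answers from its own zone, otherwise asks a root server, which
refers it to the authoritative server for the name. Positive answers are cached
with a TTL so repeated queries do not leave the network (the "DNS caching" above).
"""
import time


class AuthoritativeServer:
    """Holds a zone: a dict of FQDN -> IP (constructed data)."""

    def __init__(self, zone):
        self.zone = zone

    def query(self, fqdn):
        return self.zone.get(fqdn)


class RootServer:
    """Knows which authoritative server is responsible for which suffix."""

    def __init__(self, delegations):
        self.delegations = delegations   # suffix -> AuthoritativeServer

    def referral(self, fqdn):
        for suffix, server in self.delegations.items():
            if fqdn == suffix or fqdn.endswith("." + suffix):
                return server
        return None


class LocalDnsServer:
    def __init__(self, local_zone, root, ttl=300, clock=time.monotonic):
        self.local = AuthoritativeServer(local_zone)
        self.root = root
        self.ttl = ttl
        self.clock = clock            # injectable so expiry can be tested
        self.cache = {}               # fqdn -> (ip, expiry)
        self.upstream_queries = 0     # how often a query had to leave the network

    def resolve(self, fqdn):
        fqdn = fqdn.lower().rstrip(".")
        # 1. our own zone: answered directly
        ip = self.local.query(fqdn)
        if ip:
            return ip
        # 2. cache: a hit is only valid while its TTL has not expired
        hit = self.cache.get(fqdn)
        if hit and hit[1] > self.clock():
            return hit[0]
        # 3. recursive lookup: root referral, then the authoritative answer
        self.upstream_queries += 1
        auth = self.root.referral(fqdn)
        ip = auth.query(fqdn) if auth else None
        if ip:
            self.cache[fqdn] = (ip, self.clock() + self.ttl)
        return ip


def build_demo(clock=time.monotonic):
    """Constructed zones; names and addresses are placeholders, not real hosts."""
    internal = {"fileserver.example.internal": "172.16.1.20"}
    example_com = AuthoritativeServer({"www.example.com": "192.0.2.10"})
    root = RootServer({"example.com": example_com})
    return LocalDnsServer(internal, root, ttl=60, clock=clock)


if __name__ == "__main__":
    dns = build_demo()
    print(dns.resolve("fileserver.example.internal"))   # local zone, no upstream query
    print(dns.resolve("www.example.com"))               # recursive query via root
    print(dns.resolve("www.example.com"))               # served from cache
    print("upstream queries:", dns.upstream_queries)    # 1
```

The `upstream_queries` counter is the point of the exercise: the second lookup of the same name costs nothing on the network until the TTL runs out, and an unknown name that no server can answer returns `None` without being cached.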
DHCP - the Dynamic Host Configuration Protocol's function is to automatically provide network devices with an IP address based on their location within a network. DHCP uses groups of IP addresses, known as a scope, that are specific to a segment of the network. Either a server or a router is configured as a DHCP server, that is, a device that has the DHCP service installed and configured with scopes. Every device on the network must have an IP address; therefore as the network grows it can become time consuming and chaotic trying to administer IP addresses manually. This is where DHCP plays an important part in an administrator's toolbox.
As previously mentioned, a DHCP server can assign IP addresses from a scope, or range of IP addresses, configured on it. As part of the scope, DHCP can automatically assign other important network settings to devices such as the subnet mask, default gateway and DNS server, amongst others. The scope contains a finite number of IP addresses and, if these were allocated indefinitely, it would soon become exhausted; therefore DHCP uses a lease system to avoid exhaustion of the scope. This sets a time limit on the use of an IP address to a configurable value, typically 8 days. A mechanism called lease renewal is activated at 50% of the remaining lease time to request a renewal. If a device does not request a renewal, the IP address is automatically returned to the pool for future use.
DHCP uses the following lease process:
A device requests an IP address by broadcasting a DHCP DISCOVER
A DHCP server replies with an OFFER of an address
The device then officially REQUESTS this address
The DHCP server ACKNOWLEDGES this request and assigns the address
You may notice that the initial DHCP DISCOVER is a broadcast; we know that a broadcast stops at the Layer 3 boundary and will not traverse a router. This causes issues on large networks, as it is inefficient to have a DHCP server on each segment. The solution is to configure a DHCP relay agent on the gateway device. This agent listens for DHCP packets and forwards them as unicast packets directly to a DHCP server.
Configure a Cisco device to be a DHCP server:
Router(config)# ip dhcp pool MY_DHCP_POOL
Router(dhcp-config)# network 172.16.1.0 255.255.255.0
Router(dhcp-config)# exit
Router(config)# ip dhcp excluded-address 172.16.1.1 172.16.1.10
These commands create a DHCP pool called MY_DHCP_POOL and assign the range of IP addresses to be allocated by the pool. Finally, the excluded-address command (entered in global configuration mode, not under the pool) removes 172.16.1.1 to 172.16.1.10 from allocation; this range could be used for servers and the default gateway.
File Transfer Protocols - File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) both provide the ability to transfer files from device to device; however, they behave slightly differently.
FTP can almost be called an application in the way it operates: it requires a server, a client and authentication to reliably transfer files.
TFTP requires nothing more than an application to be able to send files. It does not care about a client and is not reliable.
E-mail Protocols
Email is now a critical business application and it is important to understand that mail has its own protocols. The two main email protocols are Simple Mail Transfer Protocol (SMTP) and Post Office Protocol (POP3).
SMTP is used as the sending protocol between all devices, whereas POP3 is used only to receive mail at an end device. Be aware that incorrectly configured SMTP servers can be hijacked by spammers; when this happens the SMTP server is referred to as an open relay and will produce massive quantities of mail, which will quickly consume all of the network's bandwidth.
Network Management Protocols
Simple Network Management Protocol (SNMP) is another very important Application layer protocol, used to provide monitoring functionality for the network.
SNMP uses a Management Information Base (MIB) that contains a default list of questions the SNMP protocol can ask devices. The devices can then provide a huge amount of configuration and other information.
Internet Protocols
Internet usage is now a way of life and has a huge impact on how people work, live and play. It is hard to imagine a world without the internet; however, it relies on a few protocols to work. The Hyper Text Transport Protocol (HTTP) and its secure version (HTTPS) provide the communication between web servers and end clients using HTML files. Hyper Text Mark-up Language tells browsers how to format the information provided to the browser, displaying what we know as a webpage. HTTP uses port 80 or 8080.
Hyper Text Transport Protocol over SSL (HTTPS) uses the same process, but simply adds security and encryption to the process and uses port 443.
Quality of Service (QoS) and Voice over IP (VOIP)
Quality of Service is crucial when VOIP is running on the network. VOIP is time sensitive,
and bandwidth congestion, delay and jitter all combine to destroy VOIP. Quality of Service is a
mechanism that allows the categorising and policing of traffic on the network.
Although QoS is outside the CCNA scope it is crucial to know that it exists and
how it can help to control and police certain protocols.
It is possible to take a protocol such as Kazaa or FTP, categorise it and then set a limit
on the amount of bandwidth it is allowed to consume. It is also possible to
guarantee a protocol or application a bandwidth limit; this is often used to categorise
UDP voice traffic.
Be aware of what packet loss, congestion and jitter mean.
Jitter
Congestion
Packet Loss
OSI model          TCP/IP model
Application        Application (Applications)
Presentation
Session
Transport          Transport (TCP / UDP)
Network            Internet
Data Link          Network Access
Physical
As the diagram suggests, the layers have names that suggest they have a similar function to
those of the OSI model, but it has to be stressed that the TCP/IP model is protocol specific (TCP /
IP) whereas the OSI model is protocol independent.
The 4 layers of the TCP/IP model can be described as follows:
Application Layer: Similar to the OSI Application, Presentation and Session layers; it is
normally provided by an application or program that wishes to communicate with another
device. This layer is responsible for representation, encoding, and dialog control.
Transport Layer: Aligns to the OSI Session and Transport layers, where TCP and UDP reside.
The transport layer provides end to end data transfer for multiple simultaneous applications.
Internet Layer: Aligns to the OSI Network layer. IP resides at this layer and provides logical
addressing and routing capabilities.
Network Access Layer: Aligns to and combines the functionality of the OSI Data Link and
Physical layers. This layer defines the physical features of the network.
Internet Protocol (IP). Standardised as protocol 5, IP is a connectionless protocol that
provides best effort delivery of packets, relying on upper layer protocols to carry out flow
control and retransmission. Logical addressing is a function of IP, with IPv4 addresses being
today's standard addressing scheme and the latest version, IPv6, starting to be utilised due to
its superior address range. IP addressing is covered in greater detail in a later module.
BOOTP. The BOOTP protocol was developed to aid diskless workstations to boot with a
minimal networking configuration, with enough information to begin the process of contacting a
server to request and download boot code. BOOTP is also commonly used as a delivery
mechanism for configuration. The most common example of BOOTP use is thin clients or
terminals. As BOOTP uses a broadcast mechanism, it cannot traverse layer 3 devices. To
resolve this issue, a BOOTP relay agent can be installed on a gateway device that
retransmits the broadcast to the destination as a unicast.
TCP is responsible for breaking a message passed down from the session layer into
multiple segments. It then attaches a sequence number to each segment before passing
to the network layer.
For a connection to be established, the two end stations must synchronize on each
others initial TCP sequence numbers. This initial exchange ensures that lost data can
be recovered.
The following steps are followed in this initial synchronization:
1.
2.
3.
4.
Because step 2 and 3 are combined into one message, it is called a three-way
handshake. The following diagram might better illustrate this process.
TCP will return an acknowledgment to the sender upon receipt of one or more
segments. There is a field called Acknowledgment number in the TCP segment. The
receiving TCP uses this field to tell the sending TCP which segment the receiving TCP
is expecting to receive next.
If the sender is transmitting too fast, the receiver will implement a TCP flow
control mechanism which will do either of the following:
1. Drop the segments: Dropping segments causes TCP to go into
synchronisation; this slows TCP down.
2. Set a smaller window size: Each TCP acknowledgement contains a field
called the Window Size. The window size specifies the number of bytes
that a TCP flow is prepared to receive without sending an
acknowledgement. This window size is normally automatically configured,
but an administrator can set it manually, thus allowing less data to be
processed before an acknowledgment is required from the receiver. The smaller the
window size, the more acknowledgements the sender must receive; this
means data transmission is slowed while waiting on acknowledgements. If
too many TCP flows drop data, a scenario called TCP global
synchronisation can occur, where all the TCP transmitters back off, causing
poor bandwidth utilisation.
TCP header layout (bit positions 0-31 across each 32-bit row):
Bits 0-15: Source Port                 | Bits 16-31: Destination Port
Sequence number
Acknowledgement number
Offset | Reserve | Flags               | Window
Checksum                               | Urgent Pointer
Options & Padding
Data Payload
A TCP header contains 10 mandatory fields and 1 optional field. The following list
is a brief summary of the TCP header fields:
Source port (16 bits)
Destination port (16 bits)
Sequence number (32 bits)
Acknowledgment (32 bits)
Reserved (4 bits)
Flags (8 bits)
Window (16 bits)
Checksum (16 bits)
Urgent pointer (16 bits)
network. Similar to TCP, it uses ports to communicate with the session layer, allowing
multiple communication streams to occur.
Communication between devices will use UDP headers that include a source and
destination port that identify an application.
UDP is unreliable: it provides no mechanism for error recovery or flow control; however,
it is a smaller protocol. UDP is useful when application layer protocols can provide
some of the functionality normally attributed to TCP.
Applications that use UDP include DNS, TFTP and VOIP.
UDP header layout (bit positions 0-31 across each 32-bit row):
Bits 0-15: Source Port                 | Bits 16-31: Destination Port
Length                                 | Checksum
Data
The UDP header fields are:
Source port
Destination port
Length
Checksum
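The TCP and UDP header layouts above, and the three-way handshake described earlier, can be checked against real bytes. The following is an added example, not code from the course notes: it decodes both headers with the field widths the notes give, rejects a malformed data offset or length rather than slicing blindly, and verifies that a constructed SYN / SYN-ACK / ACK exchange acknowledges each side's initial sequence number plus one. The sample packets, port numbers and sequence numbers are constructed, not captured traffic.

```python
"""Added example (not from the course notes): decode the TCP and UDP headers
laid out above from raw bytes. The sample packets are constructed inline with
the field widths the notes give; they are not captured traffic."""
import struct

# Flag bits in the low byte of the TCP offset/reserved/flags word.
TCP_FLAG_BITS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}


def parse_tcp_header(data: bytes) -> dict:
    """Return the 10 mandatory TCP fields, the optional options bytes and the payload."""
    if len(data) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_flags, window, checksum, urgent = struct.unpack(
        "!HHIIHHHH", data[:20])
    data_offset = (off_flags >> 12) * 4       # header length in bytes (32-bit words * 4)
    reserved = (off_flags >> 8) & 0x0F
    flags = off_flags & 0xFF
    # A data offset below 20 or beyond the buffer is malformed: reject it
    # instead of slicing blindly on an attacker-controlled length.
    if data_offset < 20 or data_offset > len(data):
        raise ValueError(f"invalid TCP data offset {data_offset}")
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": data_offset, "reserved": reserved,
        "flags": sorted(n for bit, n in TCP_FLAG_BITS.items() if flags & bit),
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": data[20:data_offset], "payload": data[data_offset:],
    }


def parse_udp_header(data: bytes) -> dict:
    """Return the four UDP fields and the payload the Length field covers."""
    if len(data) < 8:
        raise ValueError("UDP header needs 8 bytes")
    src, dst, length, checksum = struct.unpack("!HHHH", data[:8])
    # Length counts header plus data; it must fit inside what we were given.
    if length < 8 or length > len(data):
        raise ValueError(f"invalid UDP length {length}")
    return {"src_port": src, "dst_port": dst, "length": length,
            "checksum": checksum, "payload": data[8:length]}


def tcp_segment(src, dst, seq, ack, flags, window=65535, payload=b"") -> bytes:
    """Build a minimal 20-byte TCP header (checksum left 0; constructed sample)."""
    off_flags = (5 << 12) | flags                # 5 words = 20-byte header, no options
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, off_flags, window, 0, 0) + payload


def handshake_is_consistent(syn: bytes, syn_ack: bytes, ack: bytes) -> bool:
    """Three-way handshake rule: each side acknowledges the other's
    initial sequence number plus one, and the flags follow SYN, SYN+ACK, ACK."""
    a, b, c = parse_tcp_header(syn), parse_tcp_header(syn_ack), parse_tcp_header(ack)
    return (a["flags"] == ["SYN"]
            and b["flags"] == ["ACK", "SYN"] and b["ack"] == a["seq"] + 1
            and c["flags"] == ["ACK"] and c["ack"] == b["seq"] + 1
            and c["seq"] == a["seq"] + 1)


# Constructed samples: client on dynamic port 49152 talking to HTTP port 80.
SYN = tcp_segment(49152, 80, seq=1000, ack=0, flags=0x02)
SYN_ACK = tcp_segment(80, 49152, seq=5000, ack=1001, flags=0x12)
ACK = tcp_segment(49152, 80, seq=1001, ack=5001, flags=0x10)

# Constructed UDP datagram to DNS port 53 carrying 19 bytes of data.
UDP_PAYLOAD = b"constructed-payload"
DNS_QUERY = struct.pack("!HHHH", 49153, 53, 8 + len(UDP_PAYLOAD), 0) + UDP_PAYLOAD

if __name__ == "__main__":
    print(parse_tcp_header(SYN_ACK))
    print("handshake consistent:", handshake_is_consistent(SYN, SYN_ACK, ACK))
    print(parse_udp_header(DNS_QUERY))
```

The offset and length checks are the part worth copying: both fields come from the wire, and a parser that trusts them will read past the buffer on a crafted packet.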
TCP vs UDP
TCP:                   UDP:
Guaranteed delivery    Best-effort delivery
Windowing              No windowing
Connection-oriented    Connectionless
1.2.7
During the description of the OSI model the idea of port number was introduced. Ports let the
transport layer know which application protocol the segments should use.
TCP and UDP use port numbers, from 0 to 65,535, which are divided into specific ranges.
The numbers up to 1023 are called well-known port numbers.
Port numbers between 1024 and 49,151 are called registered ports, while those between
49,152 and 65,535 are dynamic ports.
Port Number    Protocol
20             FTP
21             FTP
22             SSH
23             Telnet
25             SMTP
80             HTTP
110            POP3
443            HTTPS
3389           RDP
1.3 Network Topology
Network topologies describe the way the network is physically connected and how it is
logically configured.
The physical topology of a network refers to the actual way the devices on the network are
physically connected to each other. Looking at the cabling of the network and how
devices interconnect will give you a good understanding of a physical topology.
Physical topology types: there are many physical topologies available, but the most common
ones are detailed below.
Bus Topology
Bus networks are old technology by today's standards and are little used in a modern
network. A bus network was typically a stretch of co-axial cable with terminators at each end.
Devices would attach to the cable either through vampire tap connectors or BNC T-connectors.
They were slow due to CSMA/CD and collisions. They were also limited by the
length of cable and number of devices.
Star topology
The Star topology was designed so that each device operates independently of the others
but connects to a centralised device such as a switch. This topology has a major benefit over
the bus topology in that it can provide much faster communication.
Most modern networks use a physical star topology as it is cost effective and reliable.
Ring topology
In the physical ring topology, each device is connected together in a loop; think of a bus
topology where both ends are joined together. These can either be single, where devices
share a single cable and data flows one way, or dual loops, where devices share both loops
and can send data both ways, increasing resilience and redundancy. Physical ring topologies
are not implemented often.
Logical topologies define the communication path between devices on the physical network
and disregard the physical attributes of the network.
Logical topologies are determined by the protocol in use at layers 1 and 2; for example
Ethernet is a logical bus whilst Token Ring, as the name suggests, is a logical ring. There are
many logical topology types:
Mesh Topology
Star
Bus
Ring
Tree
Distribution:
Core:
When connecting switches together there is a risk of creating a loop; this is often
caused by miscabling and results in multiple connections between switches. The
result of this is called a switching loop. This is a problem when a broadcast message
is sent by a device; remember a broadcast is flooded out every port, so when a loop
occurs the broadcast will continue to cycle around the network. Multiply that by
1000s of broadcast messages and your network will quickly grind to a halt. This is
known as a broadcast storm. There is a protocol that prevents switching loops and the
resulting broadcast storm, known as Spanning Tree Protocol or STP; this will
be discussed in a later module.
LAN Transmission Methods - LAN data transmissions fall into three
classifications:
Unicast - a single packet is sent to a specific device on a network.
Multicast - a single data packet is copied and sent to a specific subset of
devices on the network that subscribe to a multicast address.
Broadcast - a single data packet is copied and sent to all devices on the
network.
There are 3 main types of WAN, all of which are normally provided by a Service
Provider.
Leased Line. A leased line is a dedicated private connection between two
geographically dispersed LANs with a fixed bandwidth and cost. T1 and E1 are
common leased line point to point configurations. Leased lines do not scale to
large numbers of sites due to costs. Leased lines use one of two WAN
protocols, HDLC or PPP, discussed later.
Circuit switched networks. A circuit switched network is similar to a leased line in that it
creates a dedicated point to point circuit between sites, but the circuit is only set up during
data transfer. An unused circuit switched link will be torn down by the service
provider to release that bandwidth to another customer. Examples of circuit
switched networks are ISDN BRI & PRI.
Packet switched networks. Packet switched networks are the most cost effective and
configurable way of creating a WAN. With a packet switched WAN, a connection is
made to the Service Provider and data flow takes the best path through the SP
network. Packet switching allows multiple sites to have a single physical
connection but multiple logical links to other sites.
Packet switching is a shared technology, so an SP will share its network bandwidth across
multiple customers, although they will provide a guarantee of some sort. This is
called the Committed Information Rate, which is the guaranteed bandwidth.
The most common packet switched technology is Frame Relay.
Other types of WAN connection include Digital Subscriber Line, a high speed
connection typically delivered over POTS copper wire.
Physical Parameters. A service provider will install a connection to a customer
premises including a network device, typically a router, which is called the CPE
(customer premises equipment). This device is also referred to as the DTE and
connects to a service provider router called the DCE. The DTE/CPE router marks the
demarcation point where responsibility switches from SP to customer. WAN
clocking is provided to the DTE by the DCE.
HDLC frame layout:
Flag (1 Byte) | Address (1 Byte) | Control (1-2 Byte) | Information (Variable) | FCS (2 Byte) | Flag (1 Byte)
The HDLC frame fields are:
Flag
Address field
Control field
FCS
HDLC is the default encapsulation on Cisco WAN links, but to configure HDLC on a
WAN link explicitly follow these commands:
Router(config)# int s0/0
Router(config-if)# encapsulation hdlc
Point-to-Point Protocol (PPP) is a WAN encapsulation protocol that is
primarily used on leased lines and is compatible with most routers from different
vendors.
PPP supports several features that HDLC does not, including authentication,
compression and error control.
Configuring PPP is straightforward and requires a few simple commands on each
router that participates in the link.
Router(config)# int s0/0
Router(config-if)# encapsulation ppp
Configuring authentication involves using the hostname of the remote router along
with a shared password:
Router(config)# hostname London
London(config)# username Glasgow password PASSWORD
Frame Relay diagram (DLCI values shown): DLCI = 102, DLCI = 103, DLCI = 201, DLCI = 301
Being a WAN protocol, Frame Relay requires its own kind of encapsulation. This
encapsulation can be configured on the WAN ports in either Cisco or IETF standards:
Cisco - the default, and proprietary, Frame Relay encapsulation.
IETF - the standardised Frame Relay encapsulation.
Frame Relay is discussed further in a future module.
VPN. A Virtual Private Network's (VPN) function is to create a secure tunnel between
two devices over an insecure network. VPNs are usually found connecting 2 devices
together over the internet, such as a remote worker to a corporate network or a branch
office to HQ. VPNs are usually encrypted and require authentication, through the use
of IPSEC.
IPSEC provides authentication, encryption, and integrity protection for remote access
VPNs to a corporate network. The most commonly used IPSEC device is the RSA
token.
Straight-through
Crossover
Rolled
RJ-45 to DB9 female
Straight-through Cabling
A straight-through cable is the most commonly used cable in networking. Both ends of
a straight-through cable are wired identically.
RJ-45 plug (end A)        RJ-45 plug (end B)
Pin   Signal              Pin   Signal
1     Tx+                 1     Tx+
2     Tx-                 2     Tx-
3     Rx+                 3     Rx+
4     not used            4     not used
5     not used            5     not used
6     Rx-                 6     Rx-
7     not used            7     not used
8     not used            8     not used
Straight-through cables can be used to connect the following devices together. Notice
you cannot connect like-to-like devices.
PC to Switch
Router to Switch
Server to Switch
Printer to Hub
PC to Hub
Server to Hub
Crossover Cable
In a crossover cable, the first (far left) colour wire at one end of the cable is the third
colour wire at the other end of the cable.
RJ-45 plug (end A)        RJ-45 plug (end B)
Pin   Signal              Pin   Signal
1     Tx+                 3     Rx+
2     Tx-                 6     Rx-
3     Rx+                 1     Tx+
4     not used            4     not used
5     not used            5     not used
6     Rx-                 2     Tx-
7     not used            7     not used
8     not used            8     not used
Crossover cables are used to connect like-to-like devices as described in the following
table. It should be noted that some modern devices are capable of auto-sensing the type
of cable attached to the port and can automatically reconfigure the port so
communications can occur.
Switch to Switch
Hub to Switch
PC to PC
PC to Router
Router to Router
Rolled Cable
In a rolled cable, the colour wires at one end of the cable are in the reverse sequence
of the colour wires at the other end of the cable.
[RJ-45 plug pin/signal table for the rolled cable]
Fibre optic. A fibre optic cable contains strands of glass called optical fibres which
are sheathed in a plastic covering. Fibre optic cables can contain many individual
fibres, allowing for very high data throughput.
As fibre optic cables use light to carry information they have less attenuation than
copper cabling, making them practical for long distance communication. Fibre optic
cables are unidirectional, which means they need to be installed in pairs.
Today, two modes of fibre optic are in common use:
Single mode
Multimode
Module 2. Switching
2.1 Ethernet
Ethernet          10Mbps
Fast Ethernet     100Mbps
Gig Ethernet      1000Mbps
Device details
Device     Port     Mac address          IP address
SRV1       Fa0/1    10:00:01:11:11:11    192.168.1.1 /24
SRV2       Fa0/10   10:00:01:22:22:22    192.168.1.2 /24
SRV3       Fa0/20   10:00:01:33:33:33    192.168.1.3 /24
Switch 1   n/a      n/a                  n/a
In our example we have a core switch named Switch1 that has three servers attached
to its ports. The devices are located in the 192.168.1.0/24 address space and are
connected by standard UTP cabling.
All of this learning and lookup is carried out in the switch and is transparent to the
devices connected to the switch interfaces. To demonstrate this we will follow an
initial ARP request from a device.
The switch receives an ARP request from Server1 on interface Fa0/1. The switch
reads the source MAC address of 10:00:01:11:11:11 and places it in the MAC table
with a reference to interface Fa0/1.
Mac Address Table
-------------------------------------------
Vlan    Mac Address          Type      Ports
----    -----------          ----      -----
1       10:00:01:11:11:11    DYNAMIC   Fa0/1
The switch floods the frame out all other interfaces looking for Server2.
Server2 responds to the ARP by sending a frame to the switch.
The switch reads the source MAC address of 10:00:01:22:22:22 and, as it doesn't
already exist, places it in the MAC table with interface Fa0/10.
Mac Address Table
-------------------------------------------
Vlan    Mac Address          Type      Ports
----    -----------          ----      -----
1       10:00:01:11:11:11    DYNAMIC   Fa0/1
1       10:00:01:22:22:22    DYNAMIC   Fa0/10
Subsequent frames sent between the two hosts will then be sent by unicast between
the servers.
This sequence continues until all devices' MAC addresses have an entry in the MAC
table.
Mac Address Table
-------------------------------------------
Vlan    Mac Address          Type      Ports
----    -----------          ----      -----
1       10:00:01:11:11:11    DYNAMIC   Fa0/1
1       10:00:01:22:22:22    DYNAMIC   Fa0/10
1       10:00:01:33:33:33    DYNAMIC   Fa0/20
Along with MAC address, type and port number, the MAC table also includes a VLAN
number. VLANs are Virtual LANs that segment a switch into separate broadcast
domains, which prevents hosts communicating between VLANs without a Layer 3
device.
Switches use hardware ASICs to carry out switching, which provide wire-speed
throughput. There are three ways a switch can process incoming frames.
Cut-through - The switch receives enough of the frame, approx 6 bytes, to be able
to check the destination address. It then immediately begins forwarding the frame out
the destination interface even before the full frame has been received.
Store and forward - The switch waits until the full frame has been received
and checked for errors before forwarding it to the destination.
Fragment-Free - The switch receives the first 64 bytes of a frame before
forwarding to the destination.
Broadcast and Multicast Frames - Broadcast and multicast frames are flooded to all
ports other than the originating port. Broadcast and multicast addresses never appear
as a frame's source address, so the switch does not learn these addresses.
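The learning, flooding and forwarding behaviour walked through above can be modelled in a few dozen lines. The following is an added example, not code from the course notes: it replays the ARP exchange using the notes' three servers, ports and MAC addresses, learns only unicast source addresses (a broadcast or multicast source is never learned, as the notes state), floods unknown unicasts and group destinations out every port except the ingress, and returns rows in the style of the MAC table shown above. The frame sequence and the switch class are constructed for illustration.

```python
"""Added example (not from the course notes): a minimal model of the learning,
flooding and forwarding behaviour described above, using the three servers,
ports and MAC addresses of the notes' example. The frame sequence is constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class LearningSwitch:
    def __init__(self, name: str, ports: list, vlan: int = 1):
        self.name = name
        self.ports = list(ports)
        self.vlan = vlan
        self.mac_table = {}                       # MAC -> port it was learned on

    def receive(self, in_port: str, src: str, dst: str) -> list:
        """Process one frame; return the list of ports it is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # Learn the source address, unless it is a group address (never a
        # legitimate source, so it must not poison the table).
        if not is_group_address(src):
            self.mac_table[src] = in_port
        # Group destinations and unknown unicasts are flooded out every port
        # except the one the frame arrived on.
        if is_group_address(dst) or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]
        out = self.mac_table[dst]
        # Destination known on the ingress port: hosts share a segment, so the
        # frame is filtered rather than sent back where it came from.
        return [] if out == in_port else [out]

    def show_mac_table(self) -> list:
        """Rows in the style of the 'Mac Address Table' output above."""
        header = ["Vlan    Mac Address          Type      Ports",
                  "----    -----------          ----      -----"]
        rows = [f"{self.vlan:<8}{mac:<21}DYNAMIC   {port}"
                for mac, port in sorted(self.mac_table.items(), key=lambda kv: kv[1])]
        return header + rows


SRV1, SRV2, SRV3 = "10:00:01:11:11:11", "10:00:01:22:22:22", "10:00:01:33:33:33"


def walk_through() -> list:
    """Replay the notes' ARP exchange; for each frame record a label, the egress
    ports and the number of MAC table entries afterwards."""
    sw = LearningSwitch("Switch1", ["Fa0/1", "Fa0/10", "Fa0/20"])
    frames = [
        ("SRV1 ARP request (broadcast)", "Fa0/1", SRV1, BROADCAST),
        ("SRV2 ARP reply to SRV1", "Fa0/10", SRV2, SRV1),
        ("SRV1 unicast to SRV2", "Fa0/1", SRV1, SRV2),
        ("SRV3 unicast to SRV1", "Fa0/20", SRV3, SRV1),
    ]
    return [(label, sw.receive(port, src, dst), len(sw.mac_table))
            for label, port, src, dst in frames]


if __name__ == "__main__":
    for label, egress, entries in walk_through():
        print(f"{label:<32} -> {egress}  (table entries: {entries})")
```

The first frame is flooded to Fa0/10 and Fa0/20 with one table entry learned; the reply already finds SRV1 in the table and goes out Fa0/1 only, exactly the sequence the notes describe.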
In the above diagram, when the server sends a broadcast to the network without
Spanning Tree this broadcast will loop around the network continuously.
Fortunately a protocol has been designed that prevents looping in a switched network.
The Spanning Tree Protocol (STP) was designed to prevent the creation of loops by
blocking certain links between switches based on set criteria.
STP learns the topology of a switched network and places redundant links into a
blocked state; this means that only one path exists to any interface on any port. If a
link goes down STP can quickly reconfigure, or converge, to unblock a link and provide
a usable path. STP is commonly known as 802.1d and should be configured on all
switches in a network. Of course blocking certain uplinks can be inefficient, so STP is
implemented on a per-VLAN basis. For each VLAN, an instance of STP can be
configured, resulting in better bandwidth and link utilisation. Physically an uplink may
be up but logically it can be up or down on a per-VLAN basis. This is beyond the
CCNA level and will be discussed in greater detail in the CCNP:Switch course.
STP uses a special information message called a BPDU (bridge protocol data unit) to
send messages between each switch that contain information on how to maintain a
loop free network. BPDUs are multicast to one of 17 MAC addresses in the range
01:80:c2:00:00:00 -> 01:80:c2:00:00:10.
This loop free network is accomplished by assigning a single switch as the master
switch, called the root bridge. All other switches will use STP to create a path back to
the root bridge. The root bridge role is won by election between all switches in the
network participating in STP. The switches gather information about other switches
in the network through an exchange of BPDUs.
To elect a root bridge the switches compare switch priority first, followed
by lowest MAC address. The default switch priority is set to 32768, which means by
default the switch with the lowest MAC address will win the election and become the
root bridge.
This is not always the best means of electing the root bridge, due to physical location
or age of switch. The STP root bridge is the logical heart of the network; all devices
must have a path back to the root bridge. Typically an older switch would have a
lower MAC address than a new, more powerful one. It is important to note that if a
switch with a lower priority than the current root bridge is introduced then an election
will occur and the new switch will become the root bridge, forcing a reconvergence of
the network.
Root bridge manipulation can be carried out by changing the switch priority in
increments of 4096.
Additionally, setting the priority to 0 removes a switch from the STP process
completely, thus making it impossible to become the root bridge.
Switch(config)#spanning-tree vlan 1 priority ?
Configuring a Secondary Root bridge - It is possible to configure a backup root
bridge called the Secondary root bridge. This switch can take over the role of root in
the event of a failure of the root bridge. When configuring the secondary, the bridge
priority will be set to 16384, which increases the likelihood of the switch being elected
root.
Interfaces connected to other switches are deemed to be part of STP and are classified
accordingly as Root, Designated or Blocked ports. These ports are classified according
to where they fit into the network path back to the root bridge.
Root ports exist on non-root bridges and are the connection towards the root
bridge. Designated ports are all ports on the root bridge and ports on a non-root bridge
that connect away from the root bridge. Blocked ports are ports that are redundant,
could cause a loop, and are blocked as a result.
Occasionally more than one path will have an equal cost to the root bridge from the
same switch. In this case a further tiebreaker exists, which is simplicity at
its best: the port with the lowest Port ID wins. By default the port priority is 128, which
means the port with the lowest number wins; Fa0/1 would be elected root port before
Fa0/20. An administrator can lower the port priority manually to influence the root
port election.
Remember, STP elects Root and Designated Ports based on the following criteria, and
in this order:
Lowest Path Cost to the Root Bridge
Lowest Bridge ID
Lowest Port ID
Path cost is the major factor in path calculation. Path Cost is based on the bandwidth
of the links. The higher the bandwidth, the lower the Path Cost:
Bandwidth     STP Cost    RSTP Cost
10Mbs         100         2,000,000
100Mbs        19          200,000
1,000Mbs      4           20,000
10,000Mbs     2           2,000
To summarise the STP process to elect a root bridge and maintain a loop free network
An election is held to identify a root bridge
Root ports are identified on the basis of cost
Designated ports are identified
Loops are identified and ports set to blocking
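The four summary steps above (election, root ports by cost, designated ports, blocking the rest) can be run end to end on a small topology. The following is an added example, not code from the course notes: it elects the root by lowest bridge ID (priority, then MAC), computes each switch's root path cost from the notes' 802.1D cost table, picks root ports using the tie-break order given above, marks the lower-cost end of every link as designated and blocks what is left. The three switches, their MACs, port names and link speeds are constructed; port ID is modelled as the default priority 128 plus the interface number, and the priority check enforces the 4096 increments the notes mention. The 100Mbs link from SWC straight to the root loses to the two-hop gigabit path, which is the point the cost table makes.

```python
"""Added example (not from the course notes): root bridge election and root /
designated / blocked port selection on a constructed three-switch topology,
using the notes' 802.1D cost table and tie-break order."""
import heapq
from dataclasses import dataclass

STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # Mbps -> 802.1D path cost


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str
    priority: int = 32768                         # default bridge priority

    def bridge_id(self):
        # Compared as a tuple: priority first, then MAC. Lowest wins.
        return (self.priority, self.mac.lower())


@dataclass(frozen=True)
class Link:
    a: str
    a_port: str
    b: str
    b_port: str
    mbps: int


def port_id(port: str):
    """Default port priority 128 plus the interface number: Fa0/20 -> (128, 20)."""
    return (128, int(port.rsplit("/", 1)[1]))


def with_priority(sw: Switch, priority: int) -> Switch:
    """Root bridge manipulation: priority must be a multiple of 4096 (0..61440)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return Switch(sw.name, sw.mac, priority)


def elect_root(switches) -> Switch:
    return min(switches, key=Switch.bridge_id)


def run_stp(switches, links) -> dict:
    by_name = {s.name: s for s in switches}
    root = elect_root(switches)
    adj = {s.name: [] for s in switches}          # name -> [(port, neighbour, cost)]
    for l in links:
        adj[l.a].append((l.a_port, l.b, STP_COST[l.mbps]))
        adj[l.b].append((l.b_port, l.a, STP_COST[l.mbps]))

    # Root path cost: cheapest path from the root, summing link costs.
    root_cost = {root.name: 0}
    heap = [(0, root.name)]
    while heap:
        cost, name = heapq.heappop(heap)
        if cost > root_cost[name]:
            continue
        for _port, nb, lc in adj[name]:
            if cost + lc < root_cost.get(nb, float("inf")):
                root_cost[nb] = cost + lc
                heapq.heappush(heap, (cost + lc, nb))

    # Root port on each non-root switch: lowest (cost via port, neighbour
    # bridge ID, own port ID), the order the notes give.
    root_port = {root.name: None}
    for name in adj:
        if name == root.name:
            continue
        best = min((root_cost[nb] + lc, by_name[nb].bridge_id(), port_id(port), port)
                   for port, nb, lc in adj[name])
        root_port[name] = best[3]

    # Designated port: the link end with the lower (root cost, bridge ID, port ID).
    # The far end is that switch's root port if so chosen, otherwise blocked.
    roles = {}
    for l in links:
        key_a = (root_cost[l.a], by_name[l.a].bridge_id(), port_id(l.a_port))
        key_b = (root_cost[l.b], by_name[l.b].bridge_id(), port_id(l.b_port))
        ends = ((l.a, l.a_port), (l.b, l.b_port))
        des, other = ends if key_a < key_b else ends[::-1]
        roles[des] = "designated"
        roles[other] = "root" if root_port[other[0]] == other[1] else "blocked"
    return {"root": root.name, "root_cost": root_cost,
            "root_port": root_port, "roles": roles}


# Constructed topology: all default priority, so the lowest MAC (SWA) wins.
SWITCHES = [Switch("SWA", "00:00:0c:00:00:0a"),
            Switch("SWB", "00:00:0c:00:00:0b"),
            Switch("SWC", "00:00:0c:00:00:0c")]
LINKS = [Link("SWA", "Gi0/1", "SWB", "Gi0/1", 1000),
         Link("SWA", "Fa0/1", "SWC", "Fa0/1", 100),
         Link("SWB", "Gi0/2", "SWC", "Gi0/2", 1000)]

if __name__ == "__main__":
    result = run_stp(SWITCHES, LINKS)
    print("root:", result["root"], "costs:", result["root_cost"])
    for (sw, port), role in sorted(result["roles"].items()):
        print(f"{sw} {port}: {role}")
```

Lowering SWC's priority to 4096 with `with_priority` makes SWC the root on the next run, and SWA's cheapest path to it becomes the gigabit pair via SWB rather than the direct 100Mbs link.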
STP Interface States
Switch ports participating in STP progress through five port states:
Blocking - The default state of an STP interface when a switch is powered on.
Interfaces also enter the blocking state if identified as a port that is neither root nor
designated. Ports that are in the blocked state will never forward frames.
Listening - A port will progress from a Blocking to a Listening state after a period
of time has elapsed. The port will listen for BPDUs to participate in the election of a
Root Bridge, Root Ports, and Designated Ports. Ports in a listening state will not
forward frames.
Learning - After the forward delay timer expires the interface will move from
listening to learning and will be elected either a Root Port or Designated Port. Ports
in a learning state listen for BPDUs. As the name suggests the port will learn MAC
addresses to populate the CAM or MAC table but will not forward frames.
Forwarding - The port will move to the Forwarding state after the expiry of
another Forward Delay. Ports placed in the forwarding state can fully participate in
the network, sending and receiving frames. All root ports, designated ports
and access ports are placed in the forwarding state.
Disabled - A port in the disabled state has been administratively shut down and will
not participate in any network communication, including STP.
STP Timers
Timers are used in STP to ensure switches can converge on a loop free
topology. These timers allow STP enough time to fully converge.
Hello Timer      2s
Forward Delay    15s
Max Age          20s
We can see these in the following diagram from the root bridge using the show
spanning-tree command.
Timers are set only on the root bridge, which propagates them to the other switches in
a BPDU.
MST
STP has a limit of 64 instances, so VLANs above 64 will be included in the default
instance; MST overcomes this by grouping VLANs into an STP instance called a
region.
RSTP 802.1w
RSTP was designed to reduce the convergence time within the network due to port
state transitions. RSTP operates very much like STP, with root bridges, BPDUs and
port states.
RSTP defines 5 port roles:
Root Port
Alternate Port
Designated Port
Backup Port
Edge Port
RSTP can converge much quicker than STP as it does not have to rely on the STP
timers expiring. RSTP is discussed in greater depth in the CCNP:Switch course.
PortFast - PortFast allows switch interfaces that are directly connected to an end
device to transition directly from blocking to forwarding without disabling STP. This
allows the interface to bypass the listening and learning states. This configuration
allows devices to boot and access network services such as DHCP much quicker.
SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree portfast
BPDU Guard - BPDU Guard, when used in conjunction with PortFast, shuts down
an interface that receives a BPDU. This is a prevention mechanism for when a switch or
hub is connected to an access port, potentially causing a loop. BPDU Guard will place
an interface into an errdisabled state, from which recovery is to shut then no shut the
interface.
SW1(config)#int fast 0/5
SW1(config-if)#spanning-tree bpduguard enable
UplinkFast - UplinkFast allows a switch to have multiple uplinks to another
switch without loops. Without EtherChannel one of these links would induce a loop,
which would be closed by STP; however it takes time for the link to become active in
the event of failure of the active link. UplinkFast allows the redundant link to move
directly to forwarding.
SW2(config)#spanning-tree uplinkfast
BackboneFast - Similar in functionality to UplinkFast, BackboneFast works on
indirectly connected uplinks. Normally if a switch fails it takes the Max Age timer to
expire before a convergence is triggered. By implementing BackboneFast, this failure
is noticed immediately, allowing the convergence to occur.
Root Guard - Root Guard provides protection against another switch with a lower
bridge priority becoming the root on the network. When configured on an interface it
will set it to root-inconsistent if it hears a BPDU advertising a new Root.
Unidirectional Link Detection (UDLD) - UDLD was developed to
provide a detection mechanism for errors in the STP bi-directional communication. A
Flags an error
Places interface into errdisabled state
2.3 Switch Configuration
Status is     Protocol is    What it means
Up            Up
Up            Down
Down          Down
Admin Down    Down
IP Addressing
192.168.1.1
10.10.0.221
134.34.22.94
Each octet can occupy a number between 0 and 255, and with the range of IP addresses
that runs from 0.0.0.1 to 255.255.255.255 this gives approx 4.228 billion addresses that
are available.
An IP address is written in binary, which is a set of bits that are 0 or 1; this means the IP
addresses above can also be written as:
192.168.1.1      11000000.10101000.00000001.00000001
10.10.0.221      00001010.00001010.00000000.11011101
134.34.22.94     10000110.00100010.00010110.01011110
IP addresses consist of a network number and a host number, which are determined by
a subnet mask. The subnet mask is a way of highlighting the network and host
numbers. The subnet mask is a contiguous string of binary 1s.
Given the IP address of 172.16.100.22 and subnet mask 255.255.0.0, we have the
necessary information to determine the network and host values.
Address / Subnet mask           Network (address / mask)     Host (address / mask)
172.16.100.22 / 255.255.0.0     172.16 / 255.255             100.22 / 0.0
192.168.1.40 / 255.255.255.0    192.168.1 / 255.255.255      .40 / .0
10.0.0.50 / 255.0.0.0           10 / 255.                    0.0.50 / 0.0.0
3.2 Binary
Binary is a way of counting in base 2 instead of base 10 and is the way computers store
and manipulate data.
In binary, a digit can only ever be either 0 or 1.
To count in binary you need to get over the concept of decimal and think in 2s. It
sounds difficult, but with some practice it can become second nature, and it must be
mastered by a network administrator.
A quick table to see the comparison between binary and decimal numbers:
Decimal    Binary
0          0000
1          0001
2          0010
3          0011
4          0100
5          0101
6          0110
7          0111
8          1000
Using the following grid to convert a number between decimal and binary, we carry
out the following:
128   64   32   16   8   4   2   1
1. Place the decimal number (56 in this example) in the left column of the table at
row 1.
2. Look at the decimal number and see where it fits against the table: what is
the biggest number from the top row that can fit into the decimal number? We
can see 32 is the largest number we can fit into 56.
3. Add a 1 to the column under 32 in the row belonging to 56 and then subtract
that number from the decimal.
4. You are now left with a number (24).
5. Repeat step 2 until you are left with zero.
6. Drop the columns into a single row and add 0 to any missing fields.
Example 1 Decimal 56 to binary
Remaining   128   64   32   16   8   4   2   1
56                      1
24                           1
8                                 1
0
Result:     0     0    1    1    1   0   0   0   = 00111000
Example 2 Decimal 153 to binary
1. By looking at the top row, we find the biggest number that fits into the decimal
number to be converted. In this example we find 128 fits into 153. Place a 1
under 128.
2. Subtract 128 from 153 and write the number in the left column in row 2. The
result is 24.
3. Follow the steps above to calculate the remaining digits.
The resulting string of 10011001 is the binary representation of decimal 153.
Example 3 Decimal 213 to binary
Remaining   128   64   32   16   8   4   2   1
213         1
85                1
21                           1
5                                    1
1                                            1
0
Result:     1     1    0    1    0   1   0   1   = 11010101
Extended grid for larger numbers: 2048 1024 512 256 128 64 32 16
3.3 Subnets
IP networks are normally divided into subnets, which in their
basic form take the IP address and split it into 2 sections. The sections are the network
prefix and the host identifier. The subnet mask determines how the IP is split between the
network and host. The subnet mask is a 32 bit binary number.
Subnets are not complicated to work with if you fully understand what they are and
how they work. As previously described, a subnet is a subsection of a network address.
A subnet mask is normally written in 2 ways:
1.
2.
Every networking student must be able to convert binary to decimal and back. The
first part of learning to do this is to understand the binary values. This is really basic
and should take you a few minutes for it to become second nature. To calculate the
number of values given a bit count, raise 2 to the power of the number of bits (2^bits):
Bit count    Formula    Values    Usable IP
1 bit        2^1        2         0
2 bits       2^2        4         2
3 bits       2^3        8         6
4 bits       2^4        16        14
5 bits       2^5        32        30
6 bits       2^6        64        62
7 bits       2^7        128       126
8 bits       2^8        256       254
9 bits       2^9        512       510
10 bits      2^10       1024      1022
To determine the number of usable hosts given a subnet mask, you can easily use the
formula to find the number of values and then subtract 2, as two addresses are used for the
network and broadcast addresses.
Converting binary to decimal. Worked example.
To convert binary to decimal, create a table similar to the one here and write in the
decimal values:
Row
1
2
3
4
5
6
7
8
Decimal value
128
64
32
16
8
4
2
1
Binary number
Total
Given a binary number of 11010101 copy this into the Binary number column with
the leftmost digit in row 1 we now have a table that looks similar to the one below.
Row
1
2
Decimal value
128
64
Binary number
1
1
Total
3
4
5
6
7
8
32
16
8
4
2
1
0
1
0
1
0
1
Now its a simple two stage calculation. Firstly multiply the decimal value by the
binary column. The resulting table should look like
Row
1
2
3
4
5
6
7
8
Decimal value
128
64
32
16
8
4
2
1
Binary number
1
1
0
1
0
1
0
1
Total
128
64
0
16
0
4
0
1
213
Finally add up all the values in the total column this answer is the decimal number
In this case binary 11010101 = decimal 213
Example 2 - Convert Binary 10001011 to decimal

Row   Decimal value   Binary number   Total
1     128             1               128
2     64              0               0
3     32              0               0
4     16              0               0
5     8               1               8
6     4               0               0
7     2               1               2
8     1               1               1
                                      139

The same method works for wider numbers. Converting the 10-bit binary 1110001011 to decimal:

Row   Decimal value   Binary number   Total
1     512             1               512
2     256             1               256
3     128             1               128
4     64              0               0
5     32              0               0
6     16              0               0
7     8               1               8
8     4               0               0
9     2               1               2
10    1               1               1
                                      907
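The two table methods above, written as functions so the worked examples can be checked mechanically. This is an added example and is not part of the course text; the function names are my own.

```python
# Added example (not from the course text): the subtraction method for decimal to
# binary and the weighted-column method for binary to decimal, as tables in the text.


def decimal_to_binary(value, bits=8):
    """Walk the weights left to right: place a 1 under each weight that fits into the
    remainder and subtract it, otherwise place a 0. Returns the bit string and the
    remainder left after each column (row 2 of the tables in the text)."""
    if not 0 <= value < 2 ** bits:
        raise ValueError(f"{value} does not fit in {bits} bits")
    weights = [2 ** i for i in range(bits - 1, -1, -1)]
    remainder = value
    digits = []
    remainders = []
    for weight in weights:
        if weight <= remainder:          # biggest weight that still fits: write a 1
            digits.append("1")
            remainder -= weight
        else:
            digits.append("0")
        remainders.append(remainder)
    return "".join(digits), remainders


def binary_to_decimal(bits):
    """Multiply each digit by its column weight (128, 64, ... for 8 bits) and add up
    the Total column. Works for any width, e.g. the 10-bit example above."""
    if not bits or set(bits) - {"0", "1"}:
        raise ValueError(f"not a binary string: {bits!r}")
    weights = [2 ** i for i in range(len(bits) - 1, -1, -1)]
    totals = [weight * int(digit) for weight, digit in zip(weights, bits)]
    return sum(totals), totals


def conversion_table(bits):
    """Render the Row / Decimal value / Binary number / Total table used in the text."""
    total, totals = binary_to_decimal(bits)
    weights = [2 ** i for i in range(len(bits) - 1, -1, -1)]
    lines = ["Row  Decimal value  Binary number  Total"]
    for row, (weight, digit, part) in enumerate(zip(weights, bits, totals), start=1):
        lines.append(f"{row:<4} {weight:<14} {digit:<14} {part}")
    lines.append(f"{'':<4} {'':<14} {'':<14} {total}")
    return "\n".join(lines)


if __name__ == "__main__":
    for value in (56, 153, 213):
        digits, remainders = decimal_to_binary(value)
        print(f"{value:>4} -> {digits}  remainders {remainders}")
    for bits in ("11010101", "10001011", "1110001011"):
        print(conversion_table(bits), end="\n\n")
```

Running it reproduces the three decimal-to-binary examples (56, 153, 213) and the three binary-to-decimal tables (213, 139, 907).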
What is a subnet mask? A subnet mask is a number that tells the IP address
what network prefix it belongs to and what the host identifier is. Within a subnet mask,
a bit of 1 = network and 0 = host.
Written in binary, an IP address and subnet mask look similar to:

IP address    192.168.1.1     11000000.10101000.00000001.00000001
Subnet mask   255.255.255.0   11111111.11111111.11111111.00000000

As we can see in the example above, where the subnet mask bit is set to 1 it indicates
the network portion of the address and where it is set to 0 it indicates the host portion.

Network   192.168.1.0   11000000.10101000.00000001.xxxxxxxx
Host      0.0.0.1       xxxxxxxx.xxxxxxxx.xxxxxxxx.00000001

A valid subnet mask is an unbroken run of 1s followed by an unbroken run of 0s:

Decimal subnet mask   Validity
255.255.255.0         Valid
255.255.0.0           Valid
255.255.128.0         Valid
255.255.255.240       Valid
255.255.255.241       Invalid
255.255.129.0         Invalid
There are several ways to explain subnetting; most of the certification guides will
have you doing lots of binary maths, which is not necessary. You still need to
understand binary but not to that level. Hosts within a subnet will have identical
subnet masks and network address, but they must have a unique host address.
Given two addresses and a subnet mask we can work out what network the hosts
reside on; by locating the first IP address and the last usable IP, an administrator is
able to identify the usable IP range and the broadcast address. That is a lot of
information from an IP address and subnet mask; it sounds difficult but it is relatively
easy to work out.
Working example 1
Given the IP address and subnet mask of

IP address    192.168.1.40    11000000.10101000.00000001.00101000
Subnet mask   255.255.255.0   11111111.11111111.11111111.00000000

Network portion of the address   11000000.10101000.00000001.xxxxxxxx
Network portion of the mask      11111111.11111111.11111111.xxxxxxxx

Working example 2
Given the IP address and subnet mask of

IP address    192.168.1.40
Subnet mask   255.255.255.224

This may look more complicated but it is not. It involves an additional few simple
steps.
Step 1. Calculate the subnet step, that is the size of the network.
Using the subnet mask of 255.255.255.224 we can see the last octet is 224. We
simply subtract that from 256 to establish the network step of 32.
Step 2. We calculate the actual networks. This starts from 0 and increments in steps.
In our example the step size is 32, so our networks step up by 32.

Network 1   192.168.1.0    to   192.168.1.31
Network 2   192.168.1.32   to   192.168.1.63
Network 3   192.168.1.64   to   192.168.1.95
Working example 3
Given the IP address and subnet mask of

IP address    192.168.17.40
Subnet mask   255.255.240.0

Again this may look more complicated as the subnet mask sits in the 3rd octet, but it is
not. It again involves an additional few simple steps.
Step 1. For the moment ignore the 4th octet and calculate the subnet step, that is the size
of the network in the 3rd octet.
Using the subnet mask of 255.255.240.0 we can see the third octet is 240. We
simply subtract that from 256 to establish the network step of 16.
Step 2. We calculate the actual networks. This starts from 0 and increments in steps.
In our example the step size is 16, so our networks step up by 16.

Network 1   192.168.0.0    to   192.168.15.255
Network 2   192.168.16.0   to   192.168.31.255
Network 3   192.168.32.0   to   192.168.47.255

STOP!!!!! Our IP address is in the network range of 16-32, so we have identified
our network.
Immediately we should be able to see the network address 192.168.16.0.
We can instantly deduce the first usable IP address: 192.168.16.1.
BUT!!!! And here is the catch. As we are working in the 3rd octet we must add the
4th octet back in. Looking at the networks of

Network 2   192.168.16.0
Network 3   192.168.32.0

we can see the last IP address in Network 2 must include all the IP addresses
up to 192.168.32.0 minus 1 address. This makes the last IP 192.168.31.255.

Network 2   192.168.16.0 to 192.168.31.255
How to determine if two network devices are located on the same network. Given two
IP addresses and a subnet mask of the following:

IP address 1   192.168.44.23
IP address 2   192.168.44.45
Subnet mask    255.255.255.240

Using the workings from the example above we can see that, given a subnet mask of
255.255.255.240, our networks reside at

Network 1   192.168.44.0
Network 2   192.168.44.16
Network 3   192.168.44.32
Network 4   192.168.44.48

Fitting our device IP addresses into a table with the networks, we can clearly see that they
are located in different subnets. This means they cannot communicate without
a router connecting the subnets.

Subnet          IP address
192.168.44.0
192.168.44.16   192.168.44.23
192.168.44.32   192.168.44.45
192.168.44.48
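The step method from the working examples, together with the mask validity rule from the subnet mask table, as an added example rather than code from the course. It uses only the Python standard library; the function names are my own, and the integer arithmetic in `network_range` gives the same answer as the step table, so the worked examples can be checked against it.

```python
# Added example (not from the course text): subnet step, network range and
# same-subnet test on dotted-decimal strings, plus the "1s then 0s" mask rule.
import ipaddress


def octets(addr):
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {addr}")
    return parts


def to_binary(addr):
    """Dotted binary form as printed in the text, e.g. 11000000.10101000.00000001.00101000."""
    return ".".join(f"{o:08b}" for o in octets(addr))


def is_valid_mask(mask):
    """A mask is valid only when its 32 bits are all 1s followed by all 0s,
    so 255.255.255.240 is valid while 255.255.255.241 and 255.255.129.0 are not."""
    bits = "".join(f"{o:08b}" for o in octets(mask))
    return "01" not in bits


def subnet_step(mask):
    """The 'network step': 256 minus the first mask octet that is not 255.
    Returns (octet index, step); an all-255 / 0 mask such as /24 gives step 256."""
    for index, o in enumerate(octets(mask)):
        if o != 255:
            return index, 256 - o
    return 3, 256


def network_range(addr, mask):
    """Network address, first usable, last usable and broadcast for addr/mask."""
    if not is_valid_mask(mask):
        raise ValueError(f"invalid subnet mask: {mask}")
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    hosts = net.num_addresses
    # the usual 2^n - 2 rule: first and last addresses are network and broadcast
    first = net.network_address + 1 if hosts > 2 else net.network_address
    last = net.broadcast_address - 1 if hosts > 2 else net.broadcast_address
    return {
        "network": str(net.network_address),
        "first_usable": str(first),
        "last_usable": str(last),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(hosts - 2, 0),
    }


def same_subnet(addr1, addr2, mask):
    """Two hosts can talk without a router only if both land in the same network."""
    return network_range(addr1, mask)["network"] == network_range(addr2, mask)["network"]


if __name__ == "__main__":
    print(to_binary("192.168.1.40"), to_binary("255.255.255.224"))
    print(subnet_step("255.255.255.224"), subnet_step("255.255.240.0"))
    print(network_range("192.168.1.40", "255.255.255.224"))
    print(network_range("192.168.17.40", "255.255.240.0"))
    print(same_subnet("192.168.44.23", "192.168.44.45", "255.255.255.240"))
```

For 192.168.1.40 with mask 255.255.255.224 the step is 32, so the host sits in the 32 to 63 block: network 192.168.1.32, usable 192.168.1.33 to 192.168.1.62, broadcast 192.168.1.63. For 192.168.17.40 with 255.255.240.0 the step is 16 in the third octet, giving 192.168.16.0 to 192.168.31.255 as the text works out, and the two 192.168.44.x hosts land in different /28 blocks.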
3.4
We require the following subnets to be created with provision for the number of hosts:

Subnet 1   100 hosts
Subnet 2   50 hosts
Subnet 3   25 hosts
Subnet 4   25 hosts
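One way to size the four requested subnets, added here as an example and not part of the course text. It applies the usable-hosts rule from the bit count table (usable = 2^n - 2) to pick the smallest host-bit count for each requirement, then carves the subnets out of a base network largest-first. The base network 192.168.0.0/24 is an assumption, since the text does not state one.

```python
# Added example (not from the course text): size each subnet from its host count and
# allocate it from an assumed base network, largest requirement first.
import ipaddress


def host_bits_needed(hosts):
    """Smallest number of host bits n such that 2**n - 2 >= hosts."""
    if hosts < 1:
        raise ValueError("a subnet must hold at least one host")
    n = 2   # n = 1 gives 0 usable addresses, so start at 2
    while 2 ** n - 2 < hosts:
        n += 1
    return n


def plan_subnets(requirements, base="192.168.0.0/24"):
    """requirements: list of (name, hosts). Returns one dict per subnet in
    allocation order (largest first) with prefix, mask, range and usable count."""
    pool = ipaddress.IPv4Network(base)
    cursor = int(pool.network_address)
    end = int(pool.broadcast_address) + 1
    plan = []
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix = 32 - host_bits_needed(hosts)
        size = 2 ** (32 - prefix)
        start = (cursor + size - 1) // size * size   # blocks start on a multiple of their size
        if start + size > end:
            raise ValueError(f"{base} cannot hold {name} ({hosts} hosts)")
        net = ipaddress.IPv4Network((start, prefix))
        plan.append({
            "name": name,
            "hosts": hosts,
            "prefix": prefix,
            "mask": str(net.netmask),
            "network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "usable": net.num_addresses - 2,
        })
        cursor = start + size
    return plan


if __name__ == "__main__":
    for entry in plan_subnets([("Subnet 1", 100), ("Subnet 2", 50),
                               ("Subnet 3", 25), ("Subnet 4", 25)]):
        print(entry)
```

With the assumed base, 100 hosts needs 7 host bits (/25, 126 usable), 50 hosts needs 6 (/26, 62 usable) and each 25-host subnet needs 5 (/27, 30 usable), and the four blocks fill the /24 exactly.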
3.5
IP Classes
During the creation of IPv4 it was envisaged that different sizes of enterprise would
have their own IP address space. This resulted in IPv4 being split into classes A, B, C,
D and E.
The classes were split depending on the value of the first octet, where the following
was ratified:

Class     First IP      Last IP           First octet (leading bits)   Default mask
Class A   1.0.0.1       126.255.255.255   0                            255.0.0.0
Class B   128.0.0.1     191.255.255.255   10                           255.255.0.0
Class C   192.168.0.1   223.255.255.255   110                          255.255.255.0
Class D   224.0.0.0     239.255.255.255   1110
Class E   240.0.0.0     255.255.255.255   11110
Reserved IP addresses.
Looking at the IP class table, there are certain address ranges that are not allocated.
These are reserved ranges used for specific functions.
The address range of 127.0.0.0 is known as the loopback range and is used for testing
the TCP/IP stack. The most commonly used IP address is 127.0.0.1, which is always
allocated to the localhost and used for testing IP on a host.
One further range that is in use, the 169.254.0.0 range, is known as the autoconfiguration
range. This is used especially by Microsoft and their Windows OS and is called APIPA.
Automatic Private IP Addressing is a self-service IP addressing scheme that can be
implemented in the event that no DHCP service is available. It uses the range of 169.254.x.x.
The rule of subnetting.

Usable addresses
254
14
4094

Private address ranges
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
Private addresses resolved the issue of not enough public addresses but created
another, altogether different issue. How could a private network communicate with the
internet if the private address could not be routed? The solution to this issue was
Network Address Translation.
Network Address Translation, more commonly known as NAT, was created to
translate between private and public addresses. Defined in RFC 1918, NAT almost
single-handedly saved the internet. It allows many internal private IP addresses to be
mapped to a single external public IP address, allowing them to access and be accessed from
the internet. This overcame the issue of a lack of public IP addresses. NAT is
discussed in a later module.
3.6
IPv6
fe80::200:f4fa:fe31
Example 3
2601:f0a0:1009:0004:0000:0000:0000:0001
Can be written
2601:f0a0:1009:4::0001
IPv6 addresses are divided into two parts: a 64-bit network prefix and a 64-bit
interface identifier. IPv6 has three classes of address:
1. Unicast addresses - used to identify each network interface.
2. Anycast addresses - used to identify a group of interfaces at different
locations.
3. Multicast addresses - used to deliver one packet to many interfaces.
Notice that IPv6 has no broadcast method.
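The compression rule shown in Example 3 and the 64/64 split of prefix and interface identifier, as an added example using the Python standard library (not code from the course). The helper names are my own; the addresses are the ones quoted in the text.

```python
# Added example (not from the course text): compress, expand and split IPv6
# addresses with the standard library.
import ipaddress


def compress(addr):
    """Canonical short form: drop leading zeros in each group and collapse the
    single longest run of all-zero groups to '::'."""
    return ipaddress.IPv6Address(addr).compressed


def expand(addr):
    """Full 8-group form with leading zeros restored."""
    return ipaddress.IPv6Address(addr).exploded


def split_prefix_iid(addr):
    """Return (64-bit network prefix, 64-bit interface identifier),
    each shown as four hex groups of the expanded form."""
    groups = expand(addr).split(":")
    return ":".join(groups[:4]), ":".join(groups[4:])


def is_link_local(addr):
    """fe80::/10 addresses are link-local and are never routed."""
    return ipaddress.IPv6Address(addr).is_link_local


if __name__ == "__main__":
    full = "2601:f0a0:1009:0004:0000:0000:0000:0001"
    print(compress(full))                     # the text's 2601:f0a0:1009:4::0001 shortens further
    print(expand("2601:f0a0:1009:4::0001"))
    print(split_prefix_iid(full))
    print(is_link_local("fe80::200:f4fa:fe31"))
```

Note that the text's shortened form 2601:f0a0:1009:4::0001 is valid but not fully compressed: the last group can also drop its leading zeros, giving 2601:f0a0:1009:4::1, which is what the library returns.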
Module 4.
4.1
Router Management
Router Components
A router like most network devices is made up of many component modules which all
have to be available and configured properly. The following gives an overview of
each component within a router and describes its function.
Memory
Unlike a PC or server, a router has 4 areas of memory which each carry out a different
function.
RAM - Random Access Memory has the same function as in a PC or server. This is
where the router operating system (IOS) is loaded during boot. The start-up
configuration file is also loaded into RAM and is then called the running-configuration.
The routing table is held in RAM.
ROM - Read Only Memory provides a similar service to a bootstrap program;
it holds a limited, cut-down version of the operating system that can be used to boot
the router to perform recovery and diagnostic functions.
NVRAM - Non-volatile RAM is an area of memory that allows semi-permanent
storage. It does not lose its contents when the router is powered off. The best way to
remember the NVRAM function is to think of a very small hard disk that stores the
start-up configuration file as well as the config register.
Flash - Flash is similar to a hard disk that gives a router room to store the
operating system and other files such as Call Manager.

Memory overview

Memory type   Is it writable   Is it volatile
RAM           Y                Y
ROM           N                N
NVRAM         Y                N
Flash         Y                N
Config register
The NVRAM has a special location that contains the 16-bit configuration register.
Every time the router boots it reads this value. This value is similar to a BIOS
instruction set. By modifying the config-register a router can be forced to boot into
different modes, including a recovery mode. Common settings for the config-register
are
0x2102
0x2142
0x2100
Configuration files - A router has two configuration files, known as the start-up
and running configuration files. At boot, the router loads the start-up configuration from
NVRAM into RAM and calls it the running-config.
During normal use, all changes made on a router are made to the running-configuration.
As the running-configuration is held in RAM it is lost on a power off.
Administrators can commit a running-config to be stored permanently by saving it to
the startup-config. Changes to the running configuration take effect immediately.
Please be aware that the running-config can be overwritten by the startup-config and vice
versa using the following commands
Router#copy running-config startup-config
Router#copy startup-config running-config
In the real world a router can be configured to reboot in a set period of time. This is a
common configuration when working on a router remotely, which can eliminate the
possibility of being locked out of a router by mis-configuration. If an administrator configures
a router which then drops the connection it can be embarrassing not having access. By
using this setting a router will reboot and reload the existing known startup-configuration,
allowing access but without any changes. Be warned that this will not
work once the running config is saved. The administrator must also remember to
remove the reload command once the configuration is correctly saved, otherwise the
router will reload with the original configuration.
Initial router configuration - when a router is unboxed and powered on for
the first time it does not have any startup-config to load. It will then move into initial
configuration mode. An administrator will be prompted to enter this mode. If the
administrator opts to say no then the router will boot into IOS with a blank
configuration file which allows the router to be configured manually. This is the
normal behaviour for experienced administrators. If the option to enter initial config
mode is accepted, a number of questions will appear which when answered will
configure the router automatically.
The operating system IOS - The operating system, or IOS, is the heart of a
router; without the IOS the router is simply a piece of metal and plastic. The IOS
contains all the programs and logic to provide the functionality a router is renowned
for.
The IOS is normally loaded from flash, but it is also possible to store the IOS centrally
and have a router load it from TFTP. This allows for secure storage of IOS files and
allows asset and change management to be applied to the IOS file.
IOS images are router platform specific and have a very specific naming convention:
C3600-ipadvancek9-mz.122-15.T9.bin

C3600         platform
ipadvancek9   feature set
mz            compressed RAM version
122-15.T9     version

Instead of using the IOS stored in flash, you can load it from a TFTP server, or you
can load the limited IOS from ROM. This can be configured in the configuration file
using the following commands in global configuration mode:
Router(config)#boot system tftp
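A small parser for the image naming convention just described, added here as an example (not from the course) and useful when building an inventory of the IOS versions running across many routers. The field names and the regular expression are my own; the flags derived from the "mz" code follow the convention the text gives (compressed, runs from RAM).

```python
# Added example (not from the course text): split an IOS image file name into
# platform, feature set, memory/compression code and version.
import re

# platform-featureset-<code>.<version>.bin, as laid out in the text
IMAGE_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)-(?P<feature_set>[A-Za-z0-9_]+)-(?P<format>[A-Za-z]+)"
    r"\.(?P<version>[0-9A-Za-z.\-]+)\.bin$"
)


def parse_image_name(name):
    """Return the named fields of an IOS image file name as a dict."""
    m = IMAGE_RE.match(name)
    if not m:
        raise ValueError(f"not an IOS image name: {name}")
    fields = m.groupdict()
    # 'mz' = runs from RAM (m) and is compressed (z), per the convention in the text
    fields["runs_from_ram"] = fields["format"].startswith("m")
    fields["compressed"] = "z" in fields["format"]
    return fields


if __name__ == "__main__":
    print(parse_image_name("C3600-ipadvancek9-mz.122-15.T9.bin"))
```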
4.2
Connecting to a Router
Interfaces are used to connect network devices to allow the flow of data.

Serial     Physical, slow speed       WAN connectivity
Ethernet   Physical, high speed       LAN connectivity
T1         Physical, variable speed   WAN connectivity

To connect a console port to a PC you will require a terminal emulator to
communicate with the switch or router. Some common programs are HyperTerminal,
PuTTY and SecureCRT.
The console port requires some configuration settings within these programs to
successfully connect and allow communication. By default Cisco device console ports
operate with the following settings:

Baud:           9600
Data bits:      8
Parity:         None
Stop bits:      1
Flow control:   None

4.3
Router Modes
Cisco devices have three main modes of operation; each has the ability to carry out specific
tasks. The modes are User EXEC mode, Privileged EXEC mode and Global Configuration mode:

USER MODE  --(Router>enable)-->  PRIVILEGED MODE  --(Router#configure terminal)-->  GLOBAL CONFIGURATION MODE
User EXEC mode - In user EXEC mode an administrator can carry out read-only, non-disruptive
commands to assist in troubleshooting. In user EXEC mode an administrator cannot view or
change any configuration, and it is the default mode when accessing the router. The router
prompt when in user EXEC mode looks similar to
Router>
Privileged EXEC mode - In privileged EXEC mode an administrator is effectively entering the
configuration mode that allows full diagnostics, debug and show commands to be carried out.
It also allows access to modify the configuration files through the global config mode. To enter
privileged EXEC mode an administrator would use the following command
Router>enable
If a password or secret is set then a prompt for it will be presented
Router>enable
Password: [enter]
Router#
As you can see the router prompt has changed to Router#. This indicates privileged EXEC
mode.
Global Configuration mode - this mode is accessed whilst in privileged EXEC mode and
allows access to modify the configuration files of the router. As the name suggests, changes
made in global config mode affect the entire router. Global config mode is accessed using the
following command
Router#configure terminal
Router(config)#
Changes made in config mode apply to the running configuration and can be saved to the
startup config by running the command
Router#copy running-config startup-config
You will be prompted for the file location; the default is startup-config, and it is ok to simply hit the
enter key here.
The router prompt changes to Router(config-if)# to indicate that interface configuration mode
is active.
The exit command moves the user back through config modes one level at a time
Router(config-if)#exit
Router(config)#exit
Router#
The end command drops the user straight back to privileged mode
Router(config-if)#end
Router#
The do command allows any command to be run from the current context. For example, it is not
normally possible to use the ping command within interface configuration mode. Using the do
command allows the command to run.
Router(config-if)#do ping 192.168.0.1
IOS shortcuts allow an administrator to start typing a command and then allow the IOS to
automatically complete it by pressing the TAB key. In this example, typing int followed by the
TAB key automatically completes the interface command. This only works when there can be
no ambiguity in the command.
Router(config)#int [TAB]
Router(config)#interface
Router(config)#cl [TAB]
% Ambiguous command: "cl"
Another useful command an administrator has in their toolbox is the ?. The question mark
symbol tells a router to display a list of all valid commands available in the current context.
A lot of the commands have various parameters or interfaces which you can combine. In this
case, by typing the main command e.g. "show" and then putting the "?" you will get a list of the
subcommands. This picture shows this clearly:
IOS navigation - Cisco has given its IOS some navigation commands that make working at
the IOS easier and quicker.

Command                 Function
Ctrl + P (up arrow)     Displays the last command
Ctrl + N (down arrow)   Cycles through the previous commands
Ctrl + A                Moves cursor to start of line
Ctrl + E                Moves cursor to the end of the line
Ctrl + F                Move forward a character
Ctrl + B                Move back a character
Esc + F                 Move forward a word
Esc + B                 Move back a word
Ctrl + R                Redraw the line
Ctrl + U                Erase a line
Ctrl + W                Erase a word
Ctrl + Z                Exits the current config mode
IOS tips - there are some tips that every administrator should know; not only do they mark
you out as somebody who knows their stuff, but they are incredibly useful.
Terminal history - by default the previous 10 commands are saved; this can be
modified to save any number of commands
Router#terminal history size 100
Router(config)#no ip domain-lookup
Exec timeout - this command allows the administrator to modify the idle timeout
of a device. This command is configured in minutes (the second argument is seconds).
Router(config)#line con 0
Router(config-line)#exec-timeout 60 0
4.4
Configuring Passwords
Cisco routers are highly connected network devices that are subject to attack, therefore
they must be secured against vulnerabilities. One way of doing this is to assign passwords
to each access method and configuration mode.
Console password - The console password is used to secure the console port.
Use the following commands to configure the console password.
Router(config)#line con 0
Router(config-line)#password ABC123
Router(config-line)#login
These commands access the console line, set a password and then force the application
of the password when accessing the console port.
Telnet password - Use the following commands to configure a password for
Telnet
Router(config)#line vty 0 4
Router(config-line)#password ABC123
Router(config-line)#login
These commands access the vty lines 0 to 4, set a password and then force the
application of the password when accessing the vty lines.
Auxiliary password - Use the following commands to configure the auxiliary port
Router(config)#line aux 1
Router(config-line)#password ABC123
Router(config-line)#login
These commands access the aux port configuration, set a password and then force the
application of the password.
Enable password | secret - the enable secret or password is a local security
mechanism that secures privileged EXEC mode. The difference between password
and secret is a hash: the password is stored as clear text in the config file, whereas the secret
is stored as a hash.
BE WARNED that although the hash is an encrypted version of the password it is NOT
secure. Given the hash plus internet access it is very easy to Google "Cisco secret
crack" to find multiple websites that can recover the secret.
To configure the password or secret use the following commands
Router(config)#enable password Cisco
Router(config)#enable secret Cisco
The enable secret will automatically take preference over the enable password. It will also
be automatically hashed with MD5 and stored as encrypted text in the config file. If no
secret or password is set then you will never be prompted when entering privileged
EXEC mode locally, but you will experience issues accessing the router remotely.
This can be verified by looking at the running or startup config
Router#sh run
Message of the Day (MOTD) requires the following configuration. This configuration
requires a delimiter character to specify the start and end of the message
Router(config)#banner motd c
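A small audit of a saved configuration for the weaknesses this section describes (a clear-text enable password, no enable secret, a line with a password but no login, or a vty line with no authentication at all). This is an added example, not course material or a Cisco tool. The configuration text is constructed for the example from the commands shown above, and the check for `service password-encryption` (a real IOS global command that obscures line passwords, not mentioned in the text) is an addition of mine.

```python
# Added example (not from the course text): flag password weaknesses in a
# show running-config style text. The layout assumed is 'line <type> <n>' followed
# by its subcommands indented with one space, as IOS prints it.
SAMPLE_CONFIG = """\
hostname Router
enable password Cisco
line con 0
 password ABC123
 login
line aux 1
 password ABC123
line vty 0 4
 password ABC123
 login
banner motd c
"""


def parse_lines(config):
    """Group each 'line ...' section with its indented subcommands."""
    sections = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def audit_config(config):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    top_level = [l.strip() for l in config.splitlines() if not l.startswith(" ")]
    has_secret = any(l.startswith("enable secret ") for l in top_level)
    has_password = any(l.startswith("enable password ") for l in top_level)
    if not has_secret:
        findings.append("no 'enable secret': privileged EXEC is not protected by a hash")
    if has_password:
        findings.append("'enable password' is stored in clear text (or reversible form); "
                        "use 'enable secret' instead")
    if "service password-encryption" not in top_level:
        findings.append("line passwords are stored in clear text "
                        "(no 'service password-encryption')")
    for name, cmds in parse_lines(config).items():
        has_line_pw = any(c.startswith("password ") for c in cmds)
        has_login = "login" in cmds or any(c.startswith("login ") for c in cmds)
        if has_line_pw and not has_login:
            findings.append(f"{name}: password set but 'login' missing, so it is never asked for")
        if not has_line_pw and "login" in cmds:
            findings.append(f"{name}: 'login' without a password locks the line out")
        if name.startswith("line vty") and not has_line_pw and not has_login:
            findings.append(f"{name}: remote access line has no authentication at all")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the constructed configuration it reports the missing enable secret, the clear-text enable password, the unencrypted line passwords and the aux line whose password is never enforced because `login` is absent; the console and vty lines pass.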
4.6
Router Interfaces
Unlike a switch, whose interfaces are enabled by default, those of a router are disabled
by default and must be assigned an IP address that resides in a different subnet to
any other configured interface on the router.
To configure an IP address on an interface, use the following commands
Router#conf t
Router(config)#int s0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#no shut
Saving the configuration of the router is as easy as the following command
Router#copy run start
It is also possible for the administrator to save or copy the configs between RAM,
NVRAM and a TFTP server.
4.6
Cisco Discovery Protocol (CDP) is a Cisco proprietary layer 2 network protocol that
is used as a discovery tool to discover, identify and access information about other network
devices. It does this by multicasting a discovery frame to 01:00:0C:CC:CC:CC every
60 seconds in the hope that other devices receive this and respond. CDP is enabled by
default on most Cisco devices and stores information for 180 s. In the event of a
device not responding within this hold time the CDP table will flush the entry and mark
the connected device as dead.
CDP is a discovery protocol and as such it can provide a lot of information regarding
connected devices, known as neighbours. The show command provides information such as
Device ID, capability, platform type and the interfaces connected. Use the following
command to show the CDP neighbors
Router#sh cdp neighbors
Detailed information can be gained relating to attached devices, such as the type,
name, interface details and IOS versions.
Further to the show neighbors command, more information can be gathered with the
detail keyword; information returned includes Device ID, IP address,
platform type, IOS version and port IDs. Use the following command to
provide the CDP neighbors detail.
Router#sh cdp neighbors detail
Module 5.
5.1
Routing
Routing overview
5.2
Static Routing
Static Routes - Static routes are routes that have been manually added to the routing
table by an administrator. This is useful for a very small network or a stub network which has
only one exit point; however, it is not recommended in a large network due to the amount of
administrative effort needed to maintain them. To configure static routes the command would be
similar to
Router(config)#ip route 192.168.1.0 255.255.255.0 10.0.0.1
The above command creates a route to the network 192.168.1.0 / 24, sending all data
destined for it to IP address 10.0.0.1. Here is a second example of a static route
Router(config)#ip route 172.16.2.0 255.255.0.0 10.0.0.1
The above command creates a route to the network 172.16.2.0 / 16, sending all data destined
for it to IP address 10.0.0.1.
Directly Connected Routes - Connected routes are added to the route table for every
interface with a correctly configured IP address. Routers will route between directly connected
networks without additional configuration.
Default Routes - Default routes are another way of adding a route to the routing table. Default
routes are basically a route of last resort: if the destination address does not have an
entry in the routing table the router will forward the traffic to the default route.
To configure a default route use the following command
Router(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.1
The above command sends all data that does not match any other route to 10.0.0.1 and is
placed in the routing table with the routing code S.
5.3
Dynamic Routing
Static routing is easy to understand and almost as easy to configure, but it is not scalable or
manageable in a large network. Dynamic routing uses the power of the routing protocol to
discover, build and maintain a network topology map much more quickly and effectively than
static routing, and almost always eliminates human error.
Dynamic routing is relatively straightforward to implement but requires a little work in
actually understanding how the dynamic routing protocols work. By entering a few commands
the router will enable a protocol and start to build the topology and, more importantly, create
routes. These topology tables and routing tables are then exchanged between neighbors.
These updates are sent via broadcast or multicast.
Once the topology and routing tables are built the router is ready to route. It does this by
comparing the destination address of a packet to the routing table. It then makes a decision
based on the longest prefix match to route the packet.
Dynamic routing protocols also have the ability to summarise routes in blocks. This reduces the
size of the routing table and improves performance, but in a large network it can lead to
incorrect routing decisions. So when summarisation is used it should be used sparingly.
Dynamic routing protocols use an Autonomous System identifier. The AS is a logical grouping
in which routers are joined and send updates to each other. Routing protocols designed to
work within a single AS are known as IGPs (Interior Gateway Protocols). Routing protocols
designed to connect ASes are known as EGPs (Exterior Gateway Protocols).
Examples of IGP
Example of EGP
5.4
Classful v Classless
Classful v classless routing is the decision of the routing protocol whether to send subnet
mask information with the updates.
Classful routing protocols do not send subnet mask information.
Classless routing protocols do send subnet mask information.
Classful routing protocols will apply the major network class to the updates. For
example,
10.1.2.0 / 16 & 10.1.3.0 / 16 both lie within the classful network of 10.0.0.0, so if
either of these networks were to be advertised using a classful routing protocol then a
single route of 10.0.0.0 would be advertised.
With the same subnets of 10.1.2.0 / 16 & 10.1.3.0 / 16 and a classless routing
protocol, these routes would both be advertised with the subnet mask information.
An example of a classful routing protocol is RIPv1.
Examples of classless routing protocols include RIPv2, EIGRP and OSPF.
5.5
Verifying RIPv2
To verify RIPv2 is very simple; use the following command to view the routing table
Router#sh ip route
The output should return something similar to
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
     172.16.0.0/24 is subnetted, 2 subnets
R       172.16.2.0 [120/1] via 172.16.3.254, 00:00:17,
     192.168.1.0/24 is subnetted, 2 subnets
R       192.168.1.0 [120/1] via 10.0.0.1, 00:00:17
As you can see, any routes added using RIP are annotated with R to indicate they
were learnt from RIP.
5.6
EIGRP is a hybrid distance vector (DV) routing protocol developed by Cisco that uses the
Diffusing Update Algorithm (DUAL) to obtain loop-free routes quickly and efficiently. It is a fast
converging protocol that is identified by IP protocol number 88.
EIGRP establishes neighbor relationships on directly attached networks to dynamically
learn routes by multicasting hello packets to the IP address 224.0.0.10. Routers configured
within the same autonomous system will establish a neighbor relationship with each other.
Hello packets are small discovery packets that are sent to neighbors to ensure they are still
functioning. The hello interval by default is 5 seconds with a hold time of 15 seconds. If no
hellos are received during the hold time, DUAL and EIGRP are informed the neighbor is down.
The key functions EIGRP provides an administrator are:
1. Fast, efficient routing: the DUAL algorithm allows backup routes to be kept in the
routing table to ensure rapid convergence in the event of a failure.
2. Summarisation can be configured, allowing a reduction in the size of the routing table.
3. Unequal load balancing is configurable, which can balance traffic accurately over unequal cost
links.
4. Uses RTP.
EIGRP uses the Reliable Transport Protocol for all updates between neighbors, which ensures
acknowledgement of the receipt of updates; if an acknowledgment is not received,
EIGRP retransmits the update.
EIGRP uses tables to store information relating to neighbors, topology and routing; each
table contains information that helps EIGRP make the best routing decision.
Neighbor table - Each router keeps a neighbor table that includes information regarding the
relationship with each neighbor. The neighbor table tracks hello packets and hold timers, so if
a neighbor is unavailable it can trigger reconvergence.
Topology table - the topology table is populated by DUAL and contains all destinations that
are advertised by routers in the neighbor table. For each entry the metric and advertising
neighbor is stored. The topology table contains a lot of information about the best routes,
called successors, the next best routes, called feasible successors, and the feasible distance.
Routing table - the routing table contains a list of the successors identified in the
topology table.
In the example, the route Source - Router B - Destination is the successor due to
the lowest overall cost of 100.
The route Source - Router C - Destination is a feasible successor as the reported distance
(30) is lower than the successor (100).
The route Source - Router A - Destination is not a feasible successor due to the reported
distance (120) being greater than the successor (100).
After entering EIGRP configuration mode, the next step for an administrator is to specify
which networks EIGRP will advertise
Router(config-router)#no auto-summary
EIGRP timers can be manually configured by an administrator to speed convergence
in the event of a failed device. The following commands set the hello timer for EIGRP
AS 20 to 2 seconds with a hold time of 6 seconds. This means if no hello replies are
received within 6 seconds from the neighbor then EIGRP will set the neighbor to dead and
set the DUAL algorithm to active.
Router(config)#interface serial 1/0
Router(config-if)#ip hello-interval eigrp 20 2
Router(config-if)#ip hold-time eigrp 20 6
Administrative distance (AD) - the routing table for EIGRP will contain entries that
are similar to the following
D    192.168.1.0/24 [90/5542656] via 192.168.10.1, 00:55:33, Serial0/0
This entry details that the route is EIGRP by the D classification. The brackets
contain the number 90, which is the administrative distance for EIGRP, followed
by the EIGRP metric.
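A parser for route lines of the kind shown in the RIPv2 output in 5.5 and in the EIGRP entry above, followed by the longest prefix match decision that 5.3 describes. This is an added example and not course code. The sample routing table is constructed for it: it takes the RIP and EIGRP lines from the text and adds a connected route, a static default route and a more specific RIP route so that the longest prefix rule has something to choose between; the function names and the tie-break on administrative distance and metric are my own.

```python
# Added example (not from the course text): parse 'show ip route' lines into
# code / prefix / AD / metric / next hop and select a route by longest prefix match.
import ipaddress
import re

# Constructed sample output; child lines under "is subnetted" inherit the parent mask.
SAMPLE_ROUTE_TABLE = """\
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

C    10.0.0.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 10.0.0.1
     172.16.0.0/24 is subnetted, 2 subnets
R       172.16.2.0 [120/1] via 172.16.3.254, 00:00:17, Serial0/1
D    192.168.1.0/24 [90/5542656] via 192.168.10.1, 00:55:33, Serial0/0
R    192.168.1.0/25 [120/1] via 10.0.0.1, 00:00:17, FastEthernet0/0
"""

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2})\*?\s+(?P<addr>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"(?:\s+via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)|\s+is directly connected)"
)
IFACE_RE = re.compile(r"([A-Za-z]+\d+(?:/\d+)*)\s*$")
PARENT_RE = re.compile(r"^\s+\d+\.\d+\.\d+\.\d+/(?P<plen>\d+) is subnetted")


def parse_routes(text):
    """Return one dict per route line; the codes legend and headers are skipped."""
    routes = []
    parent_plen = None
    for line in text.splitlines():
        parent = PARENT_RE.match(line)
        if parent:
            parent_plen = int(parent.group("plen"))   # mask for the indented children
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        plen = int(m.group("plen")) if m.group("plen") else parent_plen
        if plen is None:
            raise ValueError(f"cannot determine prefix length: {line!r}")
        iface = IFACE_RE.search(line)
        routes.append({
            "code": m.group("code"),
            "network": ipaddress.IPv4Network(f"{m.group('addr')}/{plen}"),
            "ad": int(m.group("ad")) if m.group("ad") else 0,       # connected routes: AD 0
            "metric": int(m.group("metric")) if m.group("metric") else 0,
            "next_hop": m.group("nexthop"),
            "interface": iface.group(1) if iface else None,
        })
    return routes


def best_route(routes, destination):
    """Longest prefix match; on equal prefix length the lowest administrative
    distance wins, then the lowest metric. Returns None when nothing matches."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["ad"], r["metric"]))


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTE_TABLE)
    for r in table:
        print(r["code"], r["network"], r["ad"], r["metric"], r["next_hop"], r["interface"])
    for dst in ("192.168.1.100", "192.168.1.200", "172.16.2.9", "8.8.8.8"):
        chosen = best_route(table, dst)
        print(dst, "->", chosen["network"], "via", chosen["next_hop"] or chosen["interface"])
```

192.168.1.100 matches both 192.168.1.0/24 and 192.168.1.0/25, and the /25 wins on prefix length even though its administrative distance (120) is worse than EIGRP's 90; 192.168.1.200 only matches the /24; anything else falls through to the static default.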
EIGRP Bandwidth on Low-Speed Links
By default, EIGRP is limited to using up to 50% of the available bandwidth on slow links.
This prevents swamping the interface with traffic that would overwhelm it,
limiting the bandwidth available for data and thus causing packet drops.
EIGRP uses the interface bandwidth to decide how much EIGRP traffic can use,
therefore it is important that the link bandwidth is configured correctly. If it is not
possible to reconfigure the bandwidth of the interface an administrator can modify
the EIGRP limit by using the following interface command
Router(config-if)#ip bandwidth-percent eigrp <AS#> <percent>
Debug Commands
ip neighbors
ip eigrp packet
ip eigrp neighbors
ip eigrp ?
EIGRP Load-Balancing - EIGRP can provide load balancing over a maximum of six paths
that are not required to be of equal cost. By default EIGRP uses 4 paths; however, using a
command EIGRP can be forced to load balance over unequal cost paths.
By using the variance command EIGRP can be forced to load balance across unequal cost
links, provided the links are feasible successors. The variance command is really a multiplier
that takes the feasible distance and multiplies it by the variance factor.
To configure the variance of an EIGRP process use the following commands
Router(config)# router eigrp 50
Router(config-router)# variance 4
In this example, if the FD is 20 then EIGRP will load balance across feasible successors whose
metric is 80 or lower.
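The feasibility condition from the successor / feasible successor example and the variance multiplier above, as an added example rather than course code. Router B, C and A use the reported distances given in the text (successor cost 100, RD 30 and RD 120); the total metrics via C and A, and B's own reported distance, are assumed values because the text does not give them.

```python
# Added example (not from the course text): DUAL's feasibility condition and the
# variance rule, on a small constructed set of paths.


def classify_paths(paths):
    """paths: dicts with 'via', 'rd' (distance the neighbour reports) and 'fd'
    (total metric from this router). Returns (successor, feasible, rejected)."""
    if not paths:
        raise ValueError("no paths")
    successor = min(paths, key=lambda p: p["fd"])
    feasible_distance = successor["fd"]
    feasible, rejected = [], []
    for p in paths:
        if p is successor:
            continue
        # feasibility condition: the neighbour's RD must be strictly less than our FD,
        # which guarantees the neighbour is not routing back through us (loop free)
        (feasible if p["rd"] < feasible_distance else rejected).append(p)
    return successor, feasible, rejected


def load_balanced_paths(paths, variance=1, max_paths=4):
    """Paths installed with 'variance <n>': the successor plus every feasible
    successor whose total metric is <= variance * FD, capped at max_paths."""
    successor, feasible, _ = classify_paths(paths)
    limit = variance * successor["fd"]
    chosen = [successor] + [p for p in feasible if p["fd"] <= limit]
    return sorted(chosen, key=lambda p: p["fd"])[:max_paths]


# Constructed from the text's example; rd for B and fd for C and A are assumptions.
EXAMPLE_PATHS = [
    {"via": "Router B", "rd": 80, "fd": 100},   # successor: lowest total cost
    {"via": "Router C", "rd": 30, "fd": 180},   # feasible successor: RD 30 < FD 100
    {"via": "Router A", "rd": 120, "fd": 130},  # rejected: RD 120 is not < FD 100
]

if __name__ == "__main__":
    s, fs, rej = classify_paths(EXAMPLE_PATHS)
    print("successor:", s["via"], "feasible:", [p["via"] for p in fs],
          "rejected:", [p["via"] for p in rej])
    print("variance 2 installs:", [p["via"] for p in load_balanced_paths(EXAMPLE_PATHS, 2)])
```

Router A is rejected even though its total metric (130) is lower than Router C's (180): feasibility is decided on the reported distance, not the total, because that is what rules out a loop. With the text's figures of FD 20 and variance 4, a feasible successor with a metric of 80 is installed and one with 81 is not.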
5.7
OSPF is a link-state routing protocol that uses the Dijkstra algorithm and supports VLSM,
route summarisation and authentication. OSPF sends packets called link-state
advertisements (LSAs) to all other routers within the same hierarchical area to inform
them of routing updates. Routing changes are advertised immediately, which makes OSPF a
much superior routing protocol compared to some others. The link state advertisements
contain information on the router's links and are sent to neighbors. Once a router
receives an LSA it stores it in the link state database.
LSA packets include information on attached interfaces and metrics. OSPF routers use the
SPF algorithm to calculate the shortest path to each node.
The Shortest Path First (SPF) routing algorithm is the basis for OSPF operations. A router
sends hello packets to acquire neighbors. Once neighbors have been acquired, the hello
packets start an election process to define the designated router (DR) and the backup DR
(BDR). The DR is responsible for generating LSAs that are distributed to other routers in
the OSPF network. Designated routers allow a reduction in network traffic and in the size
of the topological database. Only one DR and one BDR are allowed. One of the main
functions of the DR is to receive updates from all other routers and multicast them back
out. It should be stressed that routers only exchange updates with the DR.
When the link-state databases of two OSPF neighbors are synchronized, the routers are
adjacent. Topology databases are synchronized between pairs of adjacent routers.
Each OSPF router is identified by a unique Router ID. It is chosen, in order of
preference, from a manually configured router-id, then the highest loopback interface
address, and finally the highest physical interface IP address.
5.7.1
OSPF uses the concept of hierarchical areas within an Autonomous System (AS). An OSPF
AS can be, and usually is, divided into areas, which are groups of contiguous networks.
By creating areas, OSPF creates two different types of routing: if the source and destination
are inside the same area this is known as intra-area routing; if the source and
destination are in separate areas this is known as inter-area routing.
Area 0 - The main area OSPF creates is Area 0, which is considered the backbone. An OSPF
backbone is responsible for distributing routing information between areas and for connecting
all other areas together. OSPF expects all other areas to connect to Area 0 to allow updates.
Of course it is not always possible to keep to this rule, and often an administrator can find
that an area is not connected to Area 0. In this case a virtual link can be created to logically
connect ABRs to a backbone ABR. This will be discussed later.
Stub Area - Stub areas are connected only to Area 0. Stub areas, as the name suggests, do
not receive routes from outside the autonomous system, but do receive the routes from within
the autonomous system.
Totally Stub Area - Totally stub areas are only connected to Area 0. A totally stub area only
receives a default route from Area 0. This default route is the only route a totally stub area can
use to communicate with the rest of the network.
Not So Stubby Area - an NSSA allows a stub area to communicate with an external
autonomous system by allowing an ASBR to be placed within the area. This allows
redistribution of external routes into the OSPF process.
A router participating in OSPF must reside within an area or areas. Where the
router's interfaces reside dictates what function that router will take (for example an
Internal Router, or an ASBR whose interfaces are in another AS).
Neighbors - Routers that share a network segment can become OSPF neighbors if
they receive and respond to hello packets with some common agreements: the area they
belong to, identical timers, identical segment and mask, and correct authentication.
Hello and Dead Intervals - OSPF routers exchange keepalives, or hello packets, on each
segment. These are used by routers to confirm they are alive. The hello interval specifies the
length of time between hello packets. The dead interval is the number of seconds between a
router last receiving a hello and deciding the neighbor is down. These intervals have to be
exactly the same between two neighbors. If either of these intervals differs, the routers will
not become neighbors.
Adjacencies - An adjacency is the stage where OSPF neighbors actually exchange routing
information. This process is carried out through the DR: instead of each router flooding every
other router with updates, they send a multicast to the DR address of 224.0.0.6. The DR then
multicasts the update back to the all-OSPF-routers address of 224.0.0.5, which is received by
every router on the segment.
DR Election - the DR and BDR election process is carried out by hello packets. Routers
configured with OSPF have a priority value set. These priority values are compared and
the router with the highest priority assumes the role of DR. In the event of a tie, the router
with the highest Router ID wins.
The DR election can be influenced by modifying the router priority. Setting the priority to 0
ensures the router never takes part in DR elections.
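The neighbor agreements and the DR/BDR election described above, as an added example that is not part of the study guide; the routers, addresses, timers and priorities are constructed, and the election is the simple cold-start case in which no DR already exists to be preserved.

```python
"""OSPF neighbour checks and DR/BDR election on a multi-access segment.

Added worked example; it is not from the study guide. It applies the hello
agreements the text lists (same area, identical hello/dead timers, identical
segment and mask, matching authentication) and then elects the DR and BDR:
highest priority wins, ties go to the highest Router ID, and priority 0 opts
a router out. Router IDs, addresses and priorities are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OspfInterface:
    router_id: str
    address: str                 # interface address with prefix, e.g. "10.1.1.1/24"
    area: int
    hello: int = 10              # seconds; IOS default on broadcast networks
    dead: int = 40               # seconds; IOS default is 4 x hello
    auth_key: Optional[str] = None
    priority: int = 1            # IOS default; 0 means never DR or BDR


def can_be_neighbors(a: OspfInterface, b: OspfInterface) -> Tuple[bool, str]:
    """Return (ok, reason). On any mismatch the hellos are ignored and no
    neighbor relationship forms."""
    if a.area != b.area:
        return False, "area mismatch"
    if (a.hello, a.dead) != (b.hello, b.dead):
        return False, "hello/dead interval mismatch"
    if IPv4Interface(a.address).network != IPv4Interface(b.address).network:
        return False, "segment/mask mismatch"
    if a.auth_key != b.auth_key:
        return False, "authentication mismatch"
    return True, "ok"


def elect_dr_bdr(routers: List[OspfInterface]) -> Tuple[Optional[str], Optional[str]]:
    """Cold-start election (all routers come up together, nobody is DR yet).

    Sort by priority, then by Router ID compared as a 32-bit number rather
    than as text, so 10.0.0.10 correctly outranks 2.2.2.2. The winner is DR,
    the runner-up BDR; routers with priority 0 are excluded entirely.
    """
    eligible = [r for r in routers if r.priority > 0]
    eligible.sort(key=lambda r: (r.priority, int(IPv4Address(r.router_id))),
                  reverse=True)
    dr = eligible[0].router_id if eligible else None
    bdr = eligible[1].router_id if len(eligible) > 1 else None
    return dr, bdr


def segment_election(routers: List[OspfInterface]) -> Tuple[Optional[str], Optional[str]]:
    """Keep only routers that can neighbor with the first one, then elect."""
    seed = routers[0]
    formed = [seed] + [r for r in routers[1:] if can_be_neighbors(seed, r)[0]]
    return elect_dr_bdr(formed)


# Constructed segment 10.1.1.0/24 in area 0, all with the default priority
# except 3.3.3.3, which has been set to 0 so it never becomes DR or BDR.
SEGMENT = [
    OspfInterface("1.1.1.1", "10.1.1.1/24", area=0),
    OspfInterface("2.2.2.2", "10.1.1.2/24", area=0),
    OspfInterface("3.3.3.3", "10.1.1.3/24", area=0, priority=0),
    OspfInterface("10.0.0.10", "10.1.1.4/24", area=0),
]
# Same segment but with non-default timers: it never becomes a neighbor.
MISCONFIGURED = OspfInterface("4.4.4.4", "10.1.1.5/24", area=0, hello=5, dead=20)

if __name__ == "__main__":
    print("neighbor check:", can_be_neighbors(SEGMENT[0], MISCONFIGURED))
    print("DR, BDR:", segment_election(SEGMENT + [MISCONFIGURED]))
```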
State        Description
Down:        No information has been received from anybody on the segment.
             Start sending hello packets.
Init:
Two-way:
Exstart:
Exchange:
Loading:
Full:        Adjacency completed
OSPF has been designed to work across multiple diverse network types such as
Ethernet, frame relay, leased lines etc., and as such has a requirement to be configurable
for each.
Broadcast Multi-Access (typically Ethernet)
  DR and BDR election
  Traffic to DRs and BDRs is multicast to 224.0.0.6.
  Traffic from DRs and BDRs is multicast to 224.0.0.5.
  No manual neighbor commands
Point-to-Point (typically a point to point leased line)
  No DR and BDR election
  All OSPF traffic is multicast to 224.0.0.5.
  No manual neighbor commands
Point-to-Multipoint (typically hub and spoke networks, i.e. multiple P2P)
  No DR and BDR election
  All OSPF traffic is multicast to 224.0.0.5.
  No manual neighbor commands
Non-broadcast Multi-access Network (NBMA) (typically frame relay)
  DR and BDR election
  Manual neighbor configuration
The OSPF process builds and maintains three separate tables:
Neighbor table
Topology table
Routing table
LSA      IDENTIFIER    SUMMARY              GENERATED BY
LSA 1    O             Router LSA           every router and is local to the area
LSA 2    O             Network LSA          DR and is local to the area
LSA 3    O IA          Summary LSA          ABR and is propagated between areas
LSA 4    O IA          ASBR Summary LSA     ABR and is propagated between areas
LSA 5    O E1, O E2    External LSA         ASBR and is propagated between areas
LSA 7    O N1, O N2    NSSA External LSA    ASBR into NSSA area and is propagated into area 0
Knowing the LSA types is not critical to passing the CCNA, as the exam concentrates
on single area OSPF. The purpose of the LSA types is to ensure OSPF routers share an
identical link-state database with the other routers in their area. LSA 1 and LSA 2
propagate within an area and are responsible for building the OSPF tables. The LSA
types 3 and above are for inter-area routing and are not required in the CCNA exam.
RouterArea0(config)#router ospf 50
RouterArea0(config-router)#router-id 1.1.1.1
RouterArea0(config-router)#area 12 virtual-link 2.2.2.2
RouterArea12(config)#router ospf 50
RouterArea12(config-router)#router-id 2.2.2.2
RouterArea12(config-router)#area 12 virtual-link 1.1.1.1
Configuring OSPF areas other than area 0 is outside the scope of the CCNA, but
these commands will give you an idea of how OSPF can scale.
Stub area
Router(config)# router ospf 50
Router(config-router)#area 50 stub
Totally Stubby
Router(config)# router ospf 50
Router(config-router)#area 50 stub no-summary
Not-So-Stubby
Router(config)# router ospf 50
Router(config-router)#area 50 nssa
Totally Stubby Not-So-Stubby
Router(config)# router ospf 50
Router(config-router)#area 50 nssa no-summary
Not-So-Stubby (originating a default route into the area)
Router(config)# router ospf 50
Router(config-router)#area 50 nssa default-information-originate
Module 6.
6.1
VLANS
Virtual Local Area Networks, or VLANs, allow an administrator to logically group devices into a
single broadcast domain whilst improving security: VLANs create a layer 3 boundary between
devices, which segregates them from devices on other VLANs.
A VLAN is never bound by a physical location and can span multiple switches or geographical
locations, which means VLANs can span LANs or WANs. Each VLAN is ring-fenced within the
switching environment, with broadcasts only ever being forwarded to ports within the VLAN.
Unicast messages to destinations outside the VLAN must pass through a gateway or router
to be routed to the destination.
A VLAN is transparent to the end device; it never knows which VLAN it is a member of.
VLANs are assigned at the switch's physical interface by an administrator, and an interface
can typically only be assigned to a single VLAN unless Cisco IP telephony is in use and a
voice VLAN is configured. VLAN membership can be given by static or dynamic means.
Static - VLAN configuration is carried out manually by an administrator using
interface configuration mode.
Dynamic - VLAN configuration is carried out automatically based on device MAC
address by a VLAN Membership Policy Server (VMPS).
VLAN creation can be carried out several ways and amends a file called vlan.dat in flash that
stores information relating to the configuration of VLANs on the local switch.
To create a VLAN simply use the following commands
Switch(config)# vlan 25
Switch(config-vlan)# name MY_NEW_VLAN
Assigning an interface to a VLAN is a case of accessing the interface config mode, setting the
port mode to access and assigning the VLAN.
Switch(config)# interface fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 25
Name                 Status     Ports
-------------------- ---------  -------
default              active
MY_NEW_VLAN          active     Fa0/1
fddi-default         suspended
token-ring-default   suspended
fddinet-default      suspended
trnet-default        suspended
As you can see the port Fa0/1 is now assigned to VLAN 25 and can now only communicate
with other devices assigned to VLAN 25.
Most Cisco switches support two methods of tagging: Inter-Switch Link or 802.1Q.
Inter-Switch Link (ISL) is a Cisco proprietary protocol that is rapidly falling out of favour to
802.1Q. ISL encapsulates the whole frame with a 26-byte header and a 4-byte trailer.
ISL Header (26 Bytes) | Ethernet Frame | CRC (4 Bytes)
ISL frames are larger than normal at around 1544 bytes, so the MTU size must be increased
to stop any non-Cisco routers from discarding the frame.
802.1Q, otherwise known as dot1Q, is now becoming the prevalent tagging protocol. Dot1Q
actually tags the frame rather than encapsulating it, by inserting a 4-byte VLAN tag into the
layer 2 header. As most modern switches support dot1Q this increase in frame size is
tolerated and the frame is processed as normal. Dot1Q requires the native VLAN to be
identical on both sides of the trunk, otherwise switching loops will occur.
ISL                       802.1Q
Cisco Proprietary         Industry Standard
Encapsulates the frame    Inserts a 4 Byte VLAN tag
No Native VLAN            Native VLAN 1
The trunk configuration enters interface config mode, assigns an encapsulation protocol and
finally sets the mode to trunk. It must be stressed that both sides of the trunk must have the
same encapsulation set or a trunk will fail to form.
Dynamic Trunking Protocol (DTP) configuration allows for the automatic negotiation of a trunk.
This protocol dynamically establishes whether an interface stays an access port or can move
to being a trunk port. DTP has settings that, when configured on both sides of a link, determine
whether or not a trunk is created. The configuration settings are trunk, dynamic desirable,
dynamic auto and nonegotiate.
Interface 1          Interface 2
Manual Trunk         Manual Trunk
Manual Trunk         Dynamic Desirable
Manual Trunk         Dynamic Auto
Dynamic Desirable    Dynamic Desirable
Dynamic Desirable    Dynamic Auto
Dynamic Auto         Dynamic Auto
Dynamic Desirable will actively look to establish a trunk link with the other interface, whereas
Dynamic Auto is passive and will wait until asked to establish a trunk. Placing the interface
into nonegotiate always creates a trunk but the interface never advertises DTP.
To configure a switchport to establish a trunk use the following configuration; this is a slight
difference from the example above.
Switch#config t
Switch(config)#interface fa0/5
Switch(config-if)#switchport mode trunk | dynamic desirable | dynamic auto
Managing VLAN access to trunks. By default, all VLANs from 1 to 1005 in the VLAN
database are allowed to be carried across a trunk; however an administrator can manually
configure this. This is useful in the manipulation of Spanning Tree to influence root paths and
generally improve bandwidth usage. To restrict the VLANs allowed to be carried across the
trunk use the following command
Switch(config-if)#switchport trunk allowed vlan add 25
Switch(config-if)#switchport trunk allowed vlan add 30-40
Switch(config-if)#switchport trunk allowed vlan remove 34
Switch(config-if)#switchport trunk allowed vlan all
Switch(config-if)#switchport trunk allowed vlan except 50
This command looks at the VLAN database and adds or removes VLAN IDs from the trunk. A
trunk port automatically adds newly created VLANs to its allowed VLAN list if VTP is in use
and the VLAN falls within the allowed list.
If a frame arrives at a trunk without being tagged then it is classed as being in the native
VLAN. All untagged traffic resides in the native VLAN, which by default is VLAN 1. This can be
manually configured using the command
Switch(config-if)# switchport trunk native vlan 100
6.2
As the network grows and multiple switches are installed and configured, it can quickly
become an administrative nightmare to manage VLANs. When creating a new VLAN it would
need to be configured on each switch, and trunk links amended to allow it to pass across
them. VTP is a Cisco proprietary protocol that maintains VLAN configuration by managing the
administration of VLANs. Using VTP, an administrator can make configuration changes
centrally on one or more switches from a single location. This alleviates the
administrative burden of manual VLAN configuration and provides a measure of security and
change management control; however it should be noted that simultaneous changes to
switches in the same domain can lead to database inconsistencies.
Switches making use of VTP are configured to join a VTP domain, which is a logical group of
switches that are under a single administrative control. Only switches that belong to the same
VTP domain can communicate VLAN information to one another. VTP supports the normal
range of VLANs (VLAN IDs 1 to 1005); extended VLANs are not supported by VTP.
Switches participating in VTP can only ever join a single VTP domain, and only then if they
have the correct shared password. Without the correct password or domain name,
a switch will not participate in the VTP domain.
VTP Domain - the VTP domain consists of a logical group of interconnected switches under
the same administrative authority that participate in the sharing of a common VLAN database.
VTP Modes
VTP supports 3 modes for switches to operate in; these modes are Server, Client and
Transparent.
VTP Server - Servers have the ability to create, modify or delete VLANs in a VTP domain.
VTP servers keep a record of the database revision number, with the VLAN configuration
held in NVRAM.
VTP Client - Clients can only listen to and read advertisements from VTP servers in the same
domain. They cannot create, delete or modify VLAN information. VTP clients also forward
received VTP advertisements out of trunk ports.
VTP Transparent - transparent switches do not participate in the VTP domain; however they
will forward VTP advertisements out of trunk ports. They also have the ability to add, delete and
modify local VLAN information, which is not propagated.
VTP Revision Number - VTP contains a configuration revision number which is used to ensure
all switches participating in VTP have the current version of the VLAN database. A switch will
only accept and process a VTP update if its revision number is higher than the current value.
In an enterprise environment it is important to secure the VTP server with a distinct domain
name and password. Failure to do so may result in the loss of all VLAN information if a new
switch is added: if a switch is added to the network that has the same domain name and
password but a higher VTP revision number, the new switch will advertise its database, which
will take preference, thus wiping the existing VLAN database. New switches must be
configured as VTP clients with a NULL value for domain and password.
VTP Advertisements - each switch in the VTP domain sends advertisements from each trunk
port to a multicast address. Neighbouring switches receive and process the advertisement
based on their mode. VTP advertisements contain the following: VTP domain name, revision
number, timestamp, VLAN ID, VLAN name, VLAN type and VLAN state.
Configuring VTP
Configuring VTP for server or client mode is straightforward, with a few commands to set the
mode, domain, version and password
Switch#conf t
Switch(config)# vtp mode server | client
Switch(config)# vtp version 1 | 2
Switch(config)# vtp domain My_VTP_Domain
Switch(config)# vtp password My_VTP_Passw0rd
To configure VTP for transparent mode
Switch#conf t
Switch(config)# vtp mode transparent
This configuration can be verified by running the command
Switch# show vtp status
6.3
VTP Pruning is a process for removing VLAN information being transmitted over
trunks to a switch that has no interfaces associated with the VLAN. Pruning increases
available bandwidth by restricting VLAN information traffic to those trunk links that
connect to switches that must use the VLAN information. VTP pruning is configured
on switches that support VTP version 1 & 2. Enabling Pruning on a VTP server
enables it globally across the VTP domain. VLAN 1 is never pruned.
Switch(config)# vtp pruning
Alternatively, it is possible to specify which VLANs on a trunk are eligible to be
pruned.
Switch(config)# interface fa0/1
Switch(config-if)# switchport trunk pruning vlan add 10
Switch(config-if)# switchport trunk pruning vlan remove 25
Monitoring VTP
Monitoring and verification of VTP can be carried out with the following commands
Switch#sh vtp status
Switch#sh vtp counters
6.4
Description
Sends VLAN configuration to port
Places port into pre-configuration state
Shuts the port down
Logs an error that the port is misconfigured
6.5
By using parallel trunks it is possible to load share with Spanning Tree Protocol by spreading
the VLAN traffic across the multiple trunks. STP would normally block one trunk, but
with load sharing different VLANs can use different trunks, thus utilising
bandwidth more effectively. Load sharing is discussed in more detail in the
CCNP: Switch course.
6.6
Etherchannel
A logical EtherChannel is now created on each switch, which would be called Port-channel 1
(Po1). When configuring the EtherChannel this new port should be used:
Switch2(config)#interface Po1
An administrator is able to view the EtherChannel status using
Switch2#show interfaces etherchannel
6.7
Fundamentals
Standard    Speed
802.11b     11 Mbps
802.11g     54 Mbps
802.11n     600 Mbps
It is important to note that wireless networks have a small range, in the region of tens
of metres. This means that an office or campus can have many access points to service
mobile users. They use channels of bandwidth within the frequency range allocated to
them; multiple channels improve the throughput of wireless networks, however
careful administration of channels is required. Adjacent WAPs should overlap slightly
to ensure 100% coverage but should never be configured on the same channel, as
using the same channel on adjacent WAPs severely impacts performance.
There are two kinds of wireless networks:
Ad-hoc wireless networks consist of a number of end devices that communicate
directly with each other through an installed wireless network card. Each device can
share resources with the others but cannot access wired network resources.
Access-point based wireless networks introduce a base station, or access point, with a
fixed connection to a wired LAN. This access point acts like a hub by providing half
duplex connectivity to wireless devices. An access point uses a dedicated range of RF
called a channel.
A network can have multiple access points; however it is important to know that
adjacent access points must use different channels to reduce interference.
7.2
Wireless Security
network a little stronger; however MAC addresses can be spoofed, and this presents an
administrative burden.
Module 8
8.1
Frame Relay
Full-mesh topology - the most expensive option, where all routers have virtual
circuits to all other destinations. The full mesh topology provides full redundancy,
because all sites are connected to all other sites. As a network grows and additional
sites are added, the requirement for additional PVCs and the administration of
these increase. The number of links required in a full-mesh topology with N nodes is
(N/2)*(N-1)
Given this formula, we can see how rapidly the number of PVCs rises.
Number of Sites    Number of PVCs
5                  10
8                  28
10                 45
15                 105
Partial-mesh topology - in a partial mesh, not all sites have direct access to
all other sites. It is common for the network administrator to provide at least 2
connections back to a hub, and the design will usually be based on the traffic flow between
sites.
Virtual Circuits
With Frame Relay, an administrator is only concerned with the router connection to the
service provider. Once traffic is passed into the Frame Relay cloud the administrator
can only hope the traffic will arrive at its destination.
For Frame Relay communication to happen the administrator and service provider must
create what is known as a Virtual Circuit (VC). The virtual circuit is the one-way path
traffic takes when traversing the service provider's network.
Frame Relay virtual circuits are either switched (SVC) or permanent (PVC). An SVC is
set up and torn down on a per-session basis, whereas the PVC, as its name suggests, is
set up once and is permanent. That said, to effect communication between two sites
requires the configuration of two virtual circuits.
Virtual circuits are locally identified with a label called the Data Link Connection
Identifier (DLCI). DLCIs are locally significant and are essentially the way into the
Frame Relay cloud; they can be described as a pipe. It is possible to imagine VCs as a
pipe that goes to a location. A DLCI is a label on this pipe; therefore if the
administrator wishes to send data to a remote site, they look at the labels on the pipes
and push the traffic down the right one.
Frame Relay switches make decisions based on DLCIs, whereas Ethernet switches
make decisions based on MAC addresses.
Committed Information Rate (CIR) - The committed information rate is the
guaranteed bandwidth that a service provider has a contractual obligation to provide.
CIR is almost always based on cost; higher bandwidth links require additional
expense. Often the service provider will allow the customer to burst above the CIR,
which is called the burst excess. This allows a customer for a short period of time to
send more traffic without additional cost. It should be noted that the service provider
will employ Quality of Service (QoS) and policing to make sure this burst is not
abused.
Frame Relay can become congested, especially when a multipoint interface is utilised,
therefore some flow control mechanism is required to prevent the receiving router
from becoming overwhelmed. This mechanism is Discard Eligibility (DE). Every
packet that exceeds the CIR or is marked as low priority by QoS is marked
with the DE flag, which marks it as highly likely to be dropped.
8.2
These commands set the Frame Relay encapsulation on the physical interface, create a
point-to-point subinterface and apply an IP address to it. Finally the Frame Relay DLCI is
applied to the subinterface. Configuring the remote end of the link is exactly the same
procedure; however, as DLCIs are locally significant, the DLCI value will change.
Router4(config)#int s0/0
Router4(config-if)#encap frame-relay
Router4(config-if)#exit
Router4(config)#int s0/0.43 point-to-point
Router4(config-subif)#ip address 10.0.0.2 255.255.255.0
Router4(config-subif)#frame-relay interface-dlci 423
Additional PVCs can be added to Router3 by creating an additional subinterface,
applying an IP address and then assigning the DLCI.
Frame Relay multipoint configuration
Router3(config)#int s0/0
Router3(config-if)#ip address 10.0.0.3 255.255.255.0
Router3(config-if)#encap frame-relay
Router3(config-if)#frame-relay map ip 10.0.0.4 324 broadcast
8.3
Module 9
9.1
Troubleshooting
It is important to realise that networking involves not only routers and switches; most
network troubleshooting can be carried out from a host PC. Here are some common
commands to master.
IPConfig - Allows an administrator to verify a host's IP address, subnet mask, DNS
server, MAC address and default gateway, along with a few other settings.
IPconfig has some switch arguments that can be used to provide more information.
Ipconfig /all
Ipconfig /release
Ipconfig /renew
Ipconfig /flushDNS
PING - Packet Internet Groper. Ping uses the ICMP protocol to send a test
packet to a host to test connectivity. When a destination host receives this test packet,
it immediately sends a reply. This end to end test is a great resource and can help
troubleshoot many network issues.
Traceroute / tracert - this utility can be used to map the route through a
network by showing the IP address of every device the path routes through.
NSLookup - NSLookup gives the ability to query a DNS server and ensure a
device's FQDN can be resolved to an IP address.
ARP - Arp allows an administrator to find an IP address from a MAC address or vice
versa.
Module 10
Access lists
Access Control Lists are sets, or lists, of rules read in a specific order that are used to
control, identify or filter traffic through a network device, to either permit or deny that
traffic.
When using access lists, it is important to understand what permit and deny actually
mean. Permit is used to allow or include traffic in a rule. Deny is used to block or not
include traffic in a rule.
Access lists are exactly that: a list of rules that are processed in order from the
top down, and once a match is made no further processing is carried out. An implicit
deny all is automatically entered at the end of any access list.
A few examples of what an access list can be used for:
Permitting certain hosts access to a secure file server
Identifying traffic from a subnet using a specific protocol
Access lists can be applied to inbound or outbound traffic. It is important to note that
the order of an access list is important, as well as where the access list is applied.
Blocking traffic at the external interface is preferable to the router processing
the traffic only to drop it exiting the internal interface.
When creating an access list all new entries to the ACL are automatically added at
the end of the ACL; this can make modifying them tricky, as they have to be removed
and inserted all over again.
Wherever a 255 is found in an octet of the wildcard mask, that octet of the address is
ignored. Therefore anything located in the 172.16.0.0 network would be permitted, so any
device with an IP address in this range would be matched and processed.
To block the network 192.168.1.0 from accessing another subnet we could create
the following access list.
Router(config)#access-list 20 deny 192.168.1.0 0.0.0.255
Once an access list is created it is not enforced until it is applied to an interface. To
apply an ACL to an interface the administrator needs to access the interface and apply
the ACL
Router(config)#int fa0/0
Router(config-if)#ip access-group 20 in
The command above applies access list 20 to the interface, and it is applied to
traffic entering interface fa0/0.
Standard access lists such as the one defined above are useful but not always practical
or suitable. Extended IP access lists build on the same principles as standard access
lists but allow for more granularity in what they can match.
Router(config)#access-list 105 permit tcp 192.168.1.0 0.0.0.255 host 172.16.0.1 eq www
Router(config)#access-list 105 deny tcp host 192.168.1.10 host 172.16.0.1 eq www
Slightly more complicated than a standard ACL, this extended ACL creates an entry
in ACL 105 that permits the TCP protocol from network 192.168.1.0 to the host
172.16.0.1 on port 80. The second entry would block HTTP traffic from a single host to the
web server; however, recall that ACLs are read from the top down. Therefore, as soon as the
first entry is matched, all hosts within the 192.168.1.0 network are permitted. For the
second entry to be effective it must be re-entered above the network entry. BE CAREFUL.
Finally apply the access list to the interface
Router(config)#int fa0/0
Router(config-if)#ip access-group 105 in
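The top-down matching and the ACL 105 ordering pitfall, as an added example that is not from the study guide; the wildcard arithmetic follows the text, and the sample packets are constructed.

```python
"""Top-down evaluation of Cisco-style access lists with wildcard masks.

Added worked example; it is not from the study guide. It implements the rules
the text describes: a wildcard bit of 1 means "ignore this address bit",
entries are tested in order, the first match wins, and an implicit deny sits
at the end of every list. ACL 105 is reproduced exactly as written above, so
running it shows why its second entry can never match. Sample packets are
constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches every protocol
    src: str
    src_wild: str                      # "0.0.0.0" is what "host x.x.x.x" expands to
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"  # "any"
    dport: Optional[int] = None        # "eq <port>"; None = any port


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit where the wildcard bit is 0.

    A wildcard is the inverse of a subnet mask: 0.0.0.255 checks the first
    three octets and ignores the last; 0.0.0.0 requires an exact host match.
    """
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wild):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wild):
        return False
    return e.dport is None or e.dport == p.dport


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, int]:
    """Return (action, line) for the first matching entry, lines numbered from 1.

    Line 0 stands for the implicit 'deny any' that IOS appends to every ACL.
    """
    for line, e in enumerate(acl, start=1):
        if entry_matches(e, p):
            return e.action, line
    return "deny", 0


def shadowed_entries(acl: List[Entry]) -> List[int]:
    """Lines of host-to-host entries that an earlier entry already decides.

    Only exact host entries are probed, because one packet then represents
    the whole entry; range-against-range shadowing needs a set comparison.
    """
    shadowed = []
    for line, e in enumerate(acl, start=1):
        if e.src_wild != "0.0.0.0" or e.dst_wild != "0.0.0.0":
            continue
        probe = Packet(e.src, e.dst, e.proto, e.dport)
        if evaluate(acl[:line - 1], probe)[1]:
            shadowed.append(line)
    return shadowed


# ACL 105 as given in the text: the deny for host 192.168.1.10 sits below a
# permit that already covers the whole 192.168.1.0/24 network.
ACL_105 = [
    Entry("permit", "tcp", "192.168.1.0", "0.0.0.255", "172.16.0.1", "0.0.0.0", 80),
    Entry("deny", "tcp", "192.168.1.10", "0.0.0.0", "172.16.0.1", "0.0.0.0", 80),
]
# Corrected order: the specific deny first, then the general permit.
ACL_105_FIXED = [ACL_105[1], ACL_105[0]]

# Constructed sample packets.
WEB_FROM_BLOCKED_HOST = Packet("192.168.1.10", "172.16.0.1", "tcp", 80)
WEB_FROM_OTHER_HOST = Packet("192.168.1.20", "172.16.0.1", "tcp", 80)
SSH_FROM_OTHER_HOST = Packet("192.168.1.20", "172.16.0.1", "tcp", 22)

if __name__ == "__main__":
    print("as written:", evaluate(ACL_105, WEB_FROM_BLOCKED_HOST))        # ('permit', 1)
    print("reordered: ", evaluate(ACL_105_FIXED, WEB_FROM_BLOCKED_HOST))  # ('deny', 1)
    print("shadowed lines in ACL 105:", shadowed_entries(ACL_105))       # [2]
```

The SSH packet hits neither entry and falls through to line 0, the implicit deny, which is why an ACL that only lists what to permit still blocks everything else.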
Within the extended access list there is a port identifier that is used to identify
specific ports or protocols. These identifiers are
Identifier    Meaning
eq            Match a port
gt            Match all ports greater than
lt            Match all ports lower than
neq           Match all ports not equal to
Named access lists provide a bit more flexibility than numbered access lists. They
allow an administrator to be descriptive and name the ACL, as well as allowing
modification without deleting and recreating, by allocating line numbers to each entry.
To create a named access list use the following commands
Router(config)# ip access-list standard MY_NAMED_ACL
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# permit 192.168.2.0 0.0.0.255
Router(config)# ip access-list extended MY_EXTENDED_NAMED_ACL
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 host 10.10.10.10 eq 25
Router(config-ext-nacl)# permit tcp host 10.10.10.10 host 10.10.20.10 eq www
Access lists can also control which hosts may connect to the router's VTY lines, using the
access-class command in line configuration mode:
Router#conf t
Router(config)#access-list 10 permit 192.168.10.0 0.0.0.255
Router(config)#access-list 10 deny any log
Router(config)#line vty 0 4
Router(config-line)#access-class 10 in
Router(config-line)#exit
Router(config)#end
To view who has attempted to connect to your router, use the following show
command. This will show what matches have been made against the ACL
Router#show access-lists 10
Module 11
Since the year 2000 the Internet has been expanding, and as the amount of
information and resources available increases it has become apparent that the current
range of IP addresses cannot cope. Network Address Translation (NAT) is a method
created to deal with the forthcoming exhaustion of IP addresses by connecting
multiple computers to the Internet using one IP address.
The impetus towards increasing use of NAT comes from a number of factors:
The purpose of NAT is to allow traffic from multiple devices on an internal network
to use a single external or public address to access the Internet or an external network.
The protocols in the TCP/IP model allow sharing of this external address by using a
multiplexing methodology. By using ports and port numbers NAT can track internal hosts
and their requests to the external network. This is the key to single-address NAT.
TCP Ports - The combination of IP address and TCP port number defines a single
TCP/IP connection. The IP addresses specify the two devices at each end, and the two
port numbers ensure that each connection can be uniquely identified and maintained.
PAT    Translation of many private addresses to one or more public addresses based on a
       random port
more public addresses. This is possible due to unique port numbers. PAT uses ports to
identify outgoing and incoming connections and can build a translation table on this.
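The port-based tracking described above, as an added example that is not part of the study guide; the public address, the inside hosts and the sequential port allocation are constructed assumptions (the text says ports are chosen randomly, which the allocator here simplifies).

```python
"""Port Address Translation: many inside hosts behind one public address.

Added worked example; it is not from the study guide. The NAT device keeps a
table keyed on the inside host's (address, port) and the server it talks to;
outbound packets are rewritten to the single public address plus a unique
public port, and replies are mapped back by looking that port up. Addresses
and ports are constructed, and ports are handed out sequentially here.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP/UDP port)


@dataclass(frozen=True)
class Translation:
    inside_local: Endpoint     # private address/port as seen on the LAN
    inside_global: Endpoint    # public address/port as seen on the Internet
    outside_global: Endpoint   # the external host being contacted


class PatTable:
    """One public address shared by every inside host, multiplexed on port."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self._next_port = first_port
        self._last_port = last_port
        self._by_flow: Dict[Tuple[Endpoint, Endpoint], Translation] = {}
        self._by_public_port: Dict[int, Translation] = {}

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Translation:
        """Rewrite an inside -> outside packet, creating an entry on first use.

        The same inside socket talking to the same server reuses its entry, so
        a flow keeps one public port for its lifetime.
        """
        flow = (src, dst)
        if flow not in self._by_flow:
            port = self._allocate_port()
            entry = Translation(src, (self.public_ip, port), dst)
            self._by_flow[flow] = entry
            self._by_public_port[port] = entry
        return self._by_flow[flow]

    def translate_inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Map a reply arriving at (public_ip, port) back to the inside host.

        Returns None when no entry matches: an unsolicited inbound packet, or
        one from a different server than the entry was created for, has no
        inside destination and is dropped.
        """
        entry = self._by_public_port.get(dst[1])
        if entry is None or dst[0] != self.public_ip or entry.outside_global != src:
            return None
        return entry.inside_local

    def _allocate_port(self) -> int:
        """Hand out the next unused public port; the pool is finite."""
        while self._next_port <= self._last_port and self._next_port in self._by_public_port:
            self._next_port += 1
        if self._next_port > self._last_port:
            raise RuntimeError("PAT port pool exhausted")
        port = self._next_port
        self._next_port += 1
        return port


# Constructed scenario: two inside hosts happen to use the same source port
# towards the same web server, so only the public port tells their flows apart.
SERVER = ("203.0.113.10", 80)
PAT = PatTable("198.51.100.1", first_port=40000)
T1 = PAT.translate_outbound(("192.168.1.10", 51000), SERVER)
T2 = PAT.translate_outbound(("192.168.1.11", 51000), SERVER)

if __name__ == "__main__":
    print(T1.inside_local, "->", T1.inside_global)
    print(T2.inside_local, "->", T2.inside_global)
    print("reply to port 40001 goes to", PAT.translate_inbound(SERVER, ("198.51.100.1", 40001)))
```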
PAT introduces some new terminology that can be confusing to begin with.
Inside Local
Inside Global
Outside global
Module 12
It is always a question that is asked: does a CCNA student need hardware to pass, or
can they make do with a simulator? There are three camps on this: one is determined
to ensure that all students have a full hardware based lab to configure; the alternative
is software only, with applications such as Packet Tracer or Dynamips (GNS).
Let's be totally clear, both sides have their pros and cons; however a hybrid approach
is the one I personally feel is best, as both provide valuable contributions to the learning
environment needed to pass the CCNA first time.
Hardware only.
Pros
Real hardware for hands on
Can participate in recovery type labs
Familiarity of equipment
Real IOS
Cons
Can be expensive
Old equipment
Risk of purchasing incorrect equipment
Electricity costs
Noisy
Cabling
Possible to corrupt IOS
Can be difficult for novice to configure
Software only
Pros
Easy to configure
Instantly scalable
Inexpensive
More configurable
Pre-configured tutorials
Cons
Lacks full features
No hands on experience
The Hybrid model combines all the Pros from both the hardware and software
methods along with reducing most of the cons from each. In fact most CCIE
candidates use a hybrid model based on Dynamips to virtualise routers connected to
physical switches. This configuration allows for a highly configurable home lab.
Module 13
Labs
Basic Labs
Basic Connectivity & Getting Started
Basic Three Router Routing Lab
Cisco Switch Exploration Lab
Terminal Server Setup
Basic Cisco Hub Exploration Lab
SDM Exploration Lab
Switching Labs
Vlan Exploration Lab
Two Switch Trunking Lab
Three Switch VTP Lab
Three Switch Spanning Tree Protocol Lab
Three Switch Rapid Spanning Tree Protocol Lab
Inter Vlan Routing Lab
Routing Labs
Three Router RIP Lab
Three Router EIGRP Lab
Three Router OSPF Lab
Default Routing Lab
Security
Standard Access Lists
Extended Access Lists
Named Access Lists
Trusted Hosts Access Lists
WAN
Frame-Relay Physical Lab
Frame-Relay Point to Point Lab
Frame-Relay Multipoint Lab
Frame-Relay Basic Configuration Lab
PPP Encapsulation
PPP PAP Lab
PPP CHAP Lab
HDLC Encapsulation Lab