CCNAX
Interconnecting Cisco Networking Devices: Accelerated
Volume 2, Version 1.1
Student Guide

[...] OR FORMATTING ERRORS, CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Student Guide. © 2010 Cisco and/or its affiliates. All rights reserved.

Table of Contents, Volume 2

Wireless LANs 3-1
  Overview 3-1
  Module Objectives 3-1
  Exploring Wireless Networking 3-3
    Overview 3-3
    Objectives 3-3
    Business Case for WLAN Services 3-4
    Differences Between WLANs and LANs 3-5
    RF Transmission 3-7
    Organizations That Define WLANs 3-8
    ITU-R Local FCC Wireless 3-9
    IEEE 802.11 Standards Comparison 3-11
    Wi-Fi Certification 3-15
    Summary 3-16
  Understanding WLAN Security 3-17
    Overview 3-17
    Objectives 3-17
    WLAN Security Threats 3-18
    Mitigating Security Threats 3-20
    Evolution of WLAN Security 3-21
    Wireless Client Association 3-23
    How 802.1X Works on WLANs 3-24
    WPA and WPA2 Modes 3-25
    Enterprise Mode 3-26
    Personal Mode 3-26
    Summary 3-29
  Implementing a WLAN 3-31
    Overview 3-31
    Objectives 3-31
    IEEE 802.11 Topology Building Blocks 3-32
    BSA Wireless Topology 3-34
    Wireless Topology Data Rates 3-36
    Access Point Configuration 3-38
    Steps to Implement a Wireless Network 3-40
    Wireless Clients 3-41
    Wireless Troubleshooting 3-43
    Summary 3-45
  Module Summary 3-47
  Module Self-Check 3-49
  Module Self-Check Answer Key 3-53

LAN Connections 4-1
  Overview 4-1
  Module Objectives 4-1
  Understanding Binary Basics 4-3
    Overview 4-3
    Objectives 4-3
    Decimal and Binary Systems 4-4
    Powers of 2 4-5
    Least Significant Bit and Most Significant Bit 4-6
    Base-2 Conversion System 4-6
    Decimal and Binary Numbers Chart 4-7
    Decimal-to-Binary Conversion 4-8
    Binary-to-Decimal Conversion 4-10
    Summary 4-11
  Constructing a Network Addressing Scheme 4-13
    Overview 4-13
    Objectives 4-13
    Subnetworks 4-14
    Two-Level and Three-Level Addresses 4-17
    Subnet Creation 4-17
    How End Systems Use Subnet Masks 4-19
    How Routers Use Subnet Masks 4-20
    Mechanics of Subnet Mask Operation 4-23
    Octet Values of a Subnet Mask 4-23
    Computing Usable Subnetworks and Hosts 4-26
    Computing Hosts for a Class C Subnetwork 4-26
    Computing Hosts for a Class B Subnetwork 4-27
    Computing Hosts for a Class A Subnetwork 4-29
    Applying Subnet Mask Operation 4-31
    Determining the Network Addressing Scheme 4-32
    Class C Example 4-34
    Class B Example 4-36
    Class A Example 4-38
    Summary 4-40
  Exploring the Packet Delivery Process 4-43
    Overview 4-43
    Objectives 4-43
    Layer 2 Addressing 4-44
    Layer 3 Addressing 4-45
    Host-to-Host Packet Delivery 4-46
    Using the show ip arp Command 4-58
    Using Common Cisco IOS Tools 4-60
    Summary 4-63
  Starting a Cisco Router 4-65
    Overview 4-65
    Objectives 4-65
    Initial Startup of a Cisco Router 4-66
    Initial Setup of a Cisco Router 4-68
    Logging into the Cisco Router 4-70
    Showing the Router Initial Startup Status 4-74
    Summary 4-76
  Configuring a Cisco Router 4-77
    Overview 4-77
    Objectives 4-77
    Cisco Router Configuration Modes 4-78
    Configuring a Cisco Router from the CLI 4-81
    Configuring Cisco Router Interfaces 4-83
    Configuring the Cisco Router IP Address 4-87
    Verifying the Interface Configuration 4-89
    Summary 4-95
  Understanding Cisco Router Security 4-97
    Overview 4-97
    Objectives 4-97
    Physical and Environmental Threats 4-98
    Configuring Password Security 4-99
    Configuring the Login Banner 4-104
    Telnet and SSH Access 4-105
    Summary 4-108
  Using Cisco SDM 4-109
    Overview 4-109
    Objectives 4-109
    Cisco SDM Overview 4-110
    Cisco SDM User Interface 4-114
    Configuring Your Router to Support Cisco SDM and Start Cisco SDM 4-116
    The More Link 4-117
    Configuration Overview 4-118
    Cisco SDM Wizards 4-121
    Summary 4-122
  Using a Cisco Router as a DHCP Server 4-123
    Overview 4-123
    Objectives 4-123
    Understanding DHCP 4-124
    DHCPDISCOVER 4-125
    DHCPOFFER 4-125
    DHCPREQUEST 4-125
    DHCPACK 4-125
    Using a Cisco Router as a DHCP Server 4-126
    Using Cisco SDM to Enable the DHCP Server Function 4-127
    Monitoring DHCP Server Functions 4-133
    Summary 4-136
  Module Summary 4-137
  Module Self-Check 4-139
  Module Self-Check Answer Key 4-147

WAN Connections 5-1
  Overview 5-1
  Module Objectives 5-2
  Understanding WAN Technologies 5-3
    Overview 5-3
    Objectives 5-3
    What Is a WAN? 5-4
    Why Are WANs Necessary? 5-5
    How Is a WAN Different from a LAN? 5-7
    WAN Access and the OSI Reference Model 5-9
    WAN Devices 5-10
    WAN Cabling 5-13
    Role of Routers in WANs 5-15
    WAN Data-Link Protocols 5-16
    Metro Ethernet 5-17
    WAN Communication Link Options 5-18
    Private WAN Connection Options 5-18
    Public WAN Connection Options 5-19
    Last Mile and Long Range WAN Technologies 5-20
    Summary 5-22
  Enabling the Internet Connection 5-25
    Overview 5-25
    Objectives 5-25
    Packet-Switched Communication Links 5-27
    Digital Subscriber Line 5-29
    DSL Types and Standards 5-30
    DSL Considerations 5-31
    Cable 5-32
    Global Internet: The Largest WAN 5-33
    Obtaining an Interface Address from a DHCP Server 5-35
    Introducing NAT and PAT 5-36
    Example: Overloading an Inside Global Address 5-37
    Configuring the DHCP Client and PAT 5-38
    Verifying the DHCP Client Configuration 5-42
    Verifying the NAT and PAT Configuration 5-44
    Summary 5-45
  Introducing VPN Solutions 5-47
    Overview 5-47
    Objectives 5-47
    VPNs and Their Benefits 5-48
    Types of VPNs 5-50
    Components of VPNs 5-55
    Introducing IPsec 5-59
    Symmetric Encryption 5-62
    Asymmetric Encryption 5-63
    IPsec Protocol Framework 5-67
    Summary 5-69
  Configuring Serial Encapsulation 5-71
    Overview 5-71
    Objectives 5-71
    Circuit-Switched Communication Links 5-73
    Public Switched Telephone Network 5-74
    Point-to-Point Communication Links 5-76
    Bandwidth 5-78
    Point-to-Point Communication Considerations 5-79
    High-Level Data Link Control Protocol 5-84
    Verifying Serial HDLC Encapsulation 5-85
    Example: Verifying HDLC Encapsulation Configuration 5-85
    Point-to-Point Protocol 5-86
    PPP Layered Architecture 5-88
    Configuring and Verifying PPP 5-93
    Example: PPP and CHAP Configuration 5-96
    Example: Verifying PPP Encapsulation Configuration 5-97
    Example: Verifying PPP Authentication 5-98
    Summary 5-101
  Enabling Static Routing 5-103
    Overview 5-103
    Objectives 5-103
    Static and Dynamic Route Comparison 5-104
    When to Use Static Routes 5-105
    Static Route Configuration 5-106
    Example: Static Routes 5-106
    Example: Configuring Static Routes 5-108
    Default Route Forwarding Configuration 5-110
    Static Route Configuration Verification 5-112
    Example: Verifying the Static Route Configuration 5-112
    Summary 5-113
  Module Summary 5-115
  Module Self-Check 5-117
  Module Self-Check Answer Key 5-127
Network Environment Management 6-1
  Overview 6-1
  Module Objectives 6-1
  Accessing Remote Devices 6-3
    Overview 6-3
    Objectives 6-3
    Establishing a Telnet or SSH Connection 6-4
    Telnet 6-4
    Secure Shell 6-5
    Suspending and Resuming a Telnet Session 6-8
    Closing a Telnet Session 6-9
    Alternate Connectivity Tests 6-10
    Summary 6-12
  Using CDP 6-13
    Overview 6-13
    Objectives 6-13
    Creating a Network Map of the Environment 6-14
    Cisco Discovery Protocol 6-16
    Information Obtained with Cisco Discovery Protocol 6-17
    Link Layer Discovery Protocol 6-18
    Implementation of Cisco Discovery Protocol 6-19
    Using the show cdp neighbors Command 6-21
    Monitoring and Maintaining Cisco Discovery Protocol 6-23
    Summary 6-25
  Managing Cisco Router Startup and Configuration 6-27
    Overview 6-27
    Objectives 6-27
    Internal Router Components 6-28
    Stages of the Router Power-On Boot Sequence 6-32
    How a Device Locates and Loads Cisco IOS Image and Configuration Files 6-34
    Configuration Register 6-43
    Summary 6-47
  Managing Cisco Devices 6-49
    Overview 6-49
    Objectives 6-49
    Cisco IOS File System and Devices 6-50
    Managing Cisco IOS Images 6-52
    Cisco IOS copy Command 6-55
    Managing Device Configuration Files 6-58
    Using show and debug Commands on Cisco Devices 6-64
    Summary 6-69
  Module Summary 6-71
  Module Self-Check 6-73
  Module Self-Check Answer Key 6-79

Module 3
Wireless LANs

Overview
Historically, LANs have been limited to physical wired segments. With the advent of technologies that use infrared and RF to carry data, LANs were freed from the limitations of a physical medium. This module describes the reasons for extending the reach of a LAN and the methods that can be used to do so, with a focus on RF wireless access. With the extension of LANs, new types of applications appeared, such as VoIP.
This module also briefly describes the main drivers of VoIP implementations on LANs.

Module Objectives
Upon completing this module, you will be able to describe the wireless LAN (WLAN) environment. This ability includes being able to meet these objectives:
- Describe the business drivers and standards that affect WLAN implementation
- Describe WLAN security issues and threat-mitigation methods
- Describe the factors that affect WLAN implementation
- Describe the requirements of the implementation of VoIP

Lesson 1
Exploring Wireless Networking

Overview
Wireless access to networks has developed like most new technologies. Business needs direct technology developments, which in turn direct new business needs, which in turn direct new technology developments. To keep this cycle from spinning out of control, several organizations have stepped forward to establish wireless LAN (WLAN) standards, certifications, and multivendor interoperability. This lesson describes the trends and standards that affect WLAN development.

Objectives
Upon completing this lesson, you will be able to describe the factors that affect WLANs and the standards that govern WLANs. This ability includes being able to meet these objectives:
- Describe the business case for WLAN services
- Describe the differences between WLAN and LAN implementation
- Identify the characteristics of the RF transmissions that are used by WLANs
- Identify the organizations that define WLAN standards
- Describe the three unlicensed bands that are used by ITU-R local FCC wireless
- Compare the different IEEE 802.11 standards
- Describe Wi-Fi certification

Business Case for WLAN Services
This topic describes the business case for WLAN services.
Slide: Market Trends
- From single-task to multitask devices
- From individual work to collaboration
- More notebooks sold than desktops

Productivity is no longer restricted to a fixed work location or a defined time period. People now expect to be connected at any time and place, from the office to the airport or even the home. Traveling employees used to be restricted to pay phones for checking messages and returning a few phone calls between flights. Now employees can check email, voice mail, and the web status of products on personal digital assistants (PDAs) while walking to a flight. Even at home, people have changed the way that they live and learn. The Internet has become a standard in homes, along with TV and phone service. Even the method of accessing the Internet has quickly moved from temporary modem dialup service to dedicated DSL or cable service, which is always connected and is faster than dialup. In 2005, users of PCs purchased more Wi-Fi-enabled mobile laptops than fixed-location desktops.

The most tangible benefit of wireless is the cost reduction. Two situations illustrate the cost savings. First, with a wireless infrastructure already in place, savings are realized when moving a person from one cubicle to another, reorganizing a lab, or moving from temporary locations or project sites. On average, the IT cost of moving an employee from one cubicle to another is $375. For the business case, we will assume that 15 percent of the staff is moved every year. The second situation to consider is when a company moves into a new building that does not have any wired infrastructure. In this case, the savings of wireless are even more noticeable, because running cables through walls, ceilings, and floors is a labor-intensive process. Last but not least, another advantage of using a WLAN is the increase in employee satisfaction, which leads to less turnover and the cost savings of not hiring as many new employees.
Employee satisfaction also results in better customer support, which cannot be easily quantified but is a major benefit.

Differences Between WLANs and LANs
This topic describes the differences between WLAN and LAN implementation.

Slide: Differences Between WLAN and LAN
- WLANs use radio waves as the physical layer.
  - WLANs use CSMA/CA instead of CSMA/CD for media access.
  - Two-way radio (half-duplex) communication.
- Radio waves have problems that are not found on wires.
  - Connectivity issues: coverage problems; interference and noise
  - Privacy issues
- Access points are shared devices, similar to an Ethernet hub with shared bandwidth.
- WLANs must meet country-specific RF regulations.

In WLANs, radio frequencies are used as the physical layer of the network. WLANs use Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) instead of Carrier Sense Multiple Access with Collision Detection (CSMA/CD), which is used by Ethernet LANs. Collision detection is not possible in WLANs, because a sending station cannot receive at the same time that it is transmitting and, therefore, cannot detect a collision. Instead, WLANs use the Ready to Send (RTS) and Clear to Send (CTS) protocols to avoid collisions.
- WLANs use a different frame format than wired Ethernet LANs. WLANs require additional information in the Layer 2 header of the frame.
- Radio waves cause problems in WLANs that are not found in LANs:
  - Connectivity issues occur in WLANs because of coverage problems, RF transmission, multipath distortion, and interference from other wireless services or other WLANs.
  - Privacy issues occur because radio frequencies can reach outside the facility.
- In WLANs, mobile clients connect to the network through an access point, which is the equivalent of a wired Ethernet hub (but an access point has some Layer 2 features, so it also has characteristics of a switch):
  - Mobile clients do not have a physical connection to the network.
  - Mobile devices are often battery-powered, as opposed to plugged-in LAN devices.
- WLANs must meet country-specific RF regulations. The aim of standardization is to make WLANs available worldwide. Because WLANs use radio frequencies, they must follow country-specific regulations of RF power and frequencies. This requirement does not apply to wired LANs.

RF Transmission
Radio frequencies range from the AM radio band to the frequencies used by cell phones. This topic identifies the characteristics of the RF transmissions that are used by WLANs.

Slide: RF Transmission
- Radio frequencies are radiated into the air via an antenna, creating radio waves.
- Objects can affect radio wave propagation, resulting in reflection, scattering, and absorption.
- Higher frequencies allow higher data rates; however, they have a shorter range.

Radio frequencies are radiated into the air by antennas that create radio waves. When radio waves propagate through objects, they may be absorbed (for instance, by walls) or reflected (for instance, by metal surfaces). This absorption and reflection may cause areas of low signal strength or low signal quality. The transmission of radio waves is influenced by the following factors:
- Reflection: Occurs when RF waves bounce off objects (for example, metal or glass surfaces).
- Scattering: Occurs when RF waves strike an uneven surface (for example, a rough surface) and are reflected in many directions.
- Absorption: Occurs when RF waves are absorbed by objects (for example, walls).

The following rules apply for data transmission over radio waves:
- Higher data rates have a shorter range because the receiver requires a stronger signal with a better signal-to-noise ratio (SNR) to retrieve the information.
- Higher transmit power results in a greater range. To double the range, the power has to be increased by a factor of 4.
- Higher data rates require more bandwidth. Increased bandwidth is possible with higher frequencies or more-complex modulation.
- Higher frequencies have a shorter transmission range because they have higher degradation and absorption. This problem can be addressed by more-efficient antennas.

Organizations That Define WLANs
Several organizations have stepped forward to establish WLAN standards, certifications, and multivendor interoperability. This topic identifies the organizations that define WLAN standards.

Slide: Organizations That Define WLANs
- ITU-R: Regulates the RF used in wireless
- IEEE: 802.11 documents wireless technical standards
- Wi-Fi Alliance: Global nonprofit industry trade association; promotes wireless growth through interoperability certification

Regulatory agencies control the use of the RF bands. With the opening of the 900-MHz industrial, scientific, and medical (ISM) band in 1985, the development of WLANs started. Now transmissions, modulations, and frequencies must be approved by regulatory agencies. A worldwide consensus is required. Regulatory agencies include the Federal Communications Commission (FCC) for the United States (http://www.fcc.gov) and the European Telecommunications Standards Institute (ETSI) for Europe (http://www.etsi.org). The Institute of Electrical and Electronic Engineers (IEEE) defines standards. IEEE 802.11 is part of the 802 networking standardization process.
IEEE 802.11 is a group of standards for WLAN computer communication in the 2.4-, 3.6-, and 5-GHz frequency bands. The first release was completed in 1997. You can download ratified standards from the IEEE website (http://standards.ieee.org/getieee802). The Wi-Fi Alliance offers certification for interoperability between vendors of 802.11 products. Certification provides a comfort zone for purchasers of these products. It also helps market WLAN technology by promoting interoperability between vendors. Certification includes all three 802.11 RF technologies and Wi-Fi Protected Access (WPA), a security model that was released in 2003 and ratified in 2004, based on the new security standard IEEE 802.11i, which was ratified in 2004. The Wi-Fi Alliance promotes and influences WLAN standards. A list of ratified products can be found on the Wi-Fi Alliance website (http://www.wi-fi.org).

ITU-R Local FCC Wireless
There are several unlicensed RF bands. This topic describes the three unlicensed bands that are used by ITU-R local FCC wireless.

Slide: ITU-R with FCC Wireless
- ISM frequency band
  - No exclusive use
  - No license required
  - Best-effort
  - Interference possible

There are three unlicensed bands: 900 MHz, 2.4 GHz, and 5.7 GHz. The 900-MHz and 2.4-GHz bands are referred to as the industrial, scientific, and medical (ISM) bands. The 5-GHz band is commonly referred to as the Unlicensed National Information Infrastructure (UNII) band. Frequencies for these bands are as follows:
- 900-MHz band: 902 to 928 MHz.
- 2.4-GHz band: 2.400 to 2.483 GHz. (In Japan, this band extends to 2.495 GHz.)
- 5-GHz band: 5.150 to 5.350 GHz and 5.725 to 5.825 GHz, with some countries supporting middle bands between 5.350 and 5.725 GHz.
Not all countries permit IEEE 802.11a, and the available spectrum varies widely. The list of countries that permit 802.11a is changing.
This figure shows WLAN frequencies. Next to the WLAN frequencies in the spectrum are other wireless services such as cellular phones and narrowband Personal Communications Service (PCS). The frequencies that are used for WLAN are ISM bands. A license is not required to operate wireless equipment on unlicensed frequency bands. However, no user has exclusive use of any frequency. For example, the 2.4-GHz band is used for WLANs, video transmitters, Bluetooth, microwave ovens, and portable phones. Unlicensed frequency bands offer best-effort use, and interference and degradation are possible. Even though these three frequency bands do not require a license to operate equipment, they are still subject to the local country code regulations. Countries regulate parameters such as transmitter power, antenna gain (which increases the effective power), and the sum of transmitter loss, cable loss, and antenna gain.

Note: The number of channels that are available and the transmission parameters are regulated by country regulations. Each country allocates radio spectrum channels to various services. Refer to the country regulations and product documentation for specific details for each regulatory domain.

Effective Isotropic Radiated Power (EIRP) is the final unit of measurement that is monitored by local regulatory agencies. EIRP is the radiated power from the device, including the antenna, cables, and other components of the WLAN system that are attached to it. By changing the antenna, cables, or transmitter power, the EIRP can change and exceed the allowed value. Therefore, caution should be used when attempting to replace a component of wireless equipment, for example, when adding or upgrading an antenna to increase the range. The possible result could be a WLAN that is illegal under local codes.
EIRP = transmitter power + antenna gain - cable loss

Note: Only use antennas and cables that are supplied by the original manufacturer and that are listed for the specific access point implementation. Only use qualified technicians who understand the many requirements of the RF regulatory codes for that country.

IEEE 802.11 Standards Comparison
This topic compares the different IEEE 802.11 standards.

Slide: IEEE 802.11 Standards Comparison
                            802.11b          802.11a                         802.11g
  Frequency band            2.4 GHz          5 GHz                           2.4 GHz
  Nonoverlapping channels   3                Up to 23                        3
  Modulation                DSSS             OFDM                            OFDM
  Data rates (Mb/s)         1, 2, 5.5, 11    6, 9, 12, 18, 24, 36, 48, 54    6, 9, 12, 18, 24, 36, 48, 54

IEEE standards define the physical layer as well as the MAC sublayer of the data link layer of the Open Systems Interconnection (OSI) model. The original 802.11 wireless standard was completed in June 1997. It was revised in 1999 to create IEEE 802.11a and 802.11b, then reaffirmed in 2003 as IEEE 802.11g, and reaffirmed again in 2009 as IEEE 802.11n. By design, the standard does not address the upper layers of the OSI model. IEEE 802.11b was defined using Direct Sequence Spread Spectrum (DSSS). DSSS uses just one channel that spreads the data across all frequencies that are defined by that channel. IEEE 802.11 divided the 2.4-GHz ISM band into 14 channels, but local regulatory agencies such as the FCC designate which channels are allowed, such as channels 1 through 11 in the United States. Each channel in the 2.4-GHz ISM band is 22 MHz wide with 5-MHz separation, resulting in an overlap with the channels before or after a defined channel. Therefore, a separation of five channels is needed to ensure unique nonoverlapping channels. For example, using the 11 FCC channels, there are three nonoverlapping channels: 1, 6, and 11. Remember that wireless uses half-duplex communication, so the basic throughput is only about half of the data rate.
Because of this limitation, the IEEE 802.11b main development goal was to achieve higher data rates within the 2.4-GHz ISM band. The developers wanted to continue to increase the Wi-Fi consumer market and encourage consumer acceptance of Wi-Fi. IEEE 802.11b defined the usage of DSSS with newer encoding or modulation, Complementary Code Keying (CCK), for higher data rates of 5.5 and 11 Mb/s while retaining coding of 1 and 2 Mb/s. IEEE 802.11b still uses the same 2.4-GHz ISM band as prior 802.11 standards, making it backward-compatible with the prior 802.11 standard and its associated data rates of 1 and 2 Mb/s.

The same year that the 802.11b standard was adopted, IEEE developed another standard that is known as 802.11a. This standard was motivated by the goal of increasing data rates by using a different spread spectrum and modulation technology, orthogonal frequency-division multiplexing (OFDM), and using the less-crowded 5-GHz UNII frequency. The 2.4-GHz ISM band was widely used for all WLAN devices, such as Bluetooth, cordless phones, monitors, video, and home gaming consoles. The 802.11a standard was not as widely accepted because materials that were needed to manufacture chips that supported 802.11a were less readily available and initially resulted in higher cost. Most applications satisfied the requirements for wireless support by following the cheaper and more accessible standards of 802.11b. A continued development by IEEE maintains usage of the 802.11 MAC and obtains higher data rates in the 2.4-GHz ISM band. The IEEE 802.11g amendment uses the newer OFDM from 802.11a for higher speeds, yet is backward-compatible with 802.11b using DSSS, which was already using the same ISM frequency band. DSSS data rates of 1, 2, 5.5, and 11 Mb/s are supported, as are OFDM data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mb/s.
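The 2.4-GHz channel rule described above (22-MHz-wide channels at 5-MHz spacing, so five channels of separation are needed), worked as an added example that is not part of the student guide. The centre frequency of channel 1 (2412 MHz) and the special placement of channel 14 are assumed from 802.11 rather than stated on the page; the access point survey is constructed.

```python
# Added example: 2.4-GHz ISM channel overlap check based on the rules in the
# text: channels are 22 MHz wide and 5 MHz apart, so two channels must be at
# least five apart to avoid overlapping. Channel 1 centred at 2412 MHz and
# channel 14 at 2484 MHz are assumed 802.11 values, not stated on the page.
CHANNEL_SPACING_MHZ = 5
CHANNEL_WIDTH_MHZ = 22
CHANNEL_1_CENTER_MHZ = 2412  # assumption (802.11), not from the page
CHANNEL_14_CENTER_MHZ = 2484  # assumption (802.11), not from the page


def center_frequency(channel: int) -> int:
    """Centre frequency in MHz of a 2.4-GHz 802.11 channel (1-14)."""
    if channel == 14:
        return CHANNEL_14_CENTER_MHZ
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} is not a 2.4-GHz 802.11 channel")
    return CHANNEL_1_CENTER_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def channel_span(channel: int) -> tuple:
    """(lower edge, upper edge) in MHz for a 22-MHz-wide channel."""
    half = CHANNEL_WIDTH_MHZ // 2
    center = center_frequency(channel)
    return (center - half, center + half)


def channels_overlap(a: int, b: int) -> bool:
    """True when the two channels' 22-MHz spans share any frequency."""
    lo_a, hi_a = channel_span(a)
    lo_b, hi_b = channel_span(b)
    return lo_a < hi_b and lo_b < hi_a


def nonoverlapping_set(allowed) -> list:
    """Greedy pick of mutually nonoverlapping channels from the allowed list.

    For the 11 FCC channels this yields [1, 6, 11], as the text states.
    """
    chosen = []
    for ch in sorted(allowed):
        if all(not channels_overlap(ch, kept) for kept in chosen):
            chosen.append(ch)
    return chosen


def overlap_report(ap_channels: dict) -> list:
    """Pairs of access points (by name) whose channels overlap.

    Useful when reviewing a site plan: co-channel and adjacent-channel
    overlap between neighbouring APs is a common cause of poor throughput.
    """
    names = sorted(ap_channels)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if channels_overlap(ap_channels[a], ap_channels[b])
    ]


# Constructed survey of four APs; ap-lab on channel 3 collides with both
# of its neighbours on channels 1 and 6.
SAMPLE_SITE = {"ap-lobby": 1, "ap-lab": 3, "ap-east": 6, "ap-west": 11}

if __name__ == "__main__":
    print("FCC nonoverlapping channels:", nonoverlapping_set(range(1, 12)))
    print("Overlapping AP pairs:", overlap_report(SAMPLE_SITE))
```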
Slide: IEEE 802.11 Standards Comparison (Cont.), 802.11n per spatial stream
                            2.4 GHz                   5 GHz
  Nonoverlapping channels   20 MHz: 3; 40 MHz: 1      20 MHz: 21; 40 MHz: 9
  Modulation                OFDM                      OFDM
  Channel bandwidth         20 MHz or 40 MHz          20 MHz or 40 MHz
  Data rates (Mb/s)         20 MHz: 7.2, 14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2
                            40 MHz: 15, 30, 45, 60, 90, 120, 135, 150

The most recent development by IEEE is the completed 802.11n standard as the upgrade to the 802.11 protocol. The project was a multiyear effort to standardize and upgrade the 802.11g standard. IEEE 802.11n provides a new set of capabilities that dramatically improve the reliability of communications, the predictability of coverage, and the overall throughput of devices. The 802.11n protocol has several enhancements in the physical layer and the MAC sublayer that provide exceptional benefits to wireless deployments. The four key features are as follows:
- Multiple-input multiple-output (MIMO): MIMO uses the diversity and duplication of signals across multiple transmit and receive antennas.
- 40-MHz operation: Bonds adjacent channels, combined with some of the reserved channel space between the two, to more than double the data rate.
- Frame aggregation: Reduces the overhead of 802.11 by coalescing multiple packets together.
- Backward compatibility: Makes it possible for 802.11a/b/g and 802.11n devices to coexist, allowing customers to phase in their access point and/or client migrations over time.

The 802.11n standard supports the 2.4- and 5-GHz frequency bands and adopted an OFDM modulation method. 20-MHz or 40-MHz bandwidth is supported; 20-MHz bandwidth is used for backward compatibility. IEEE 802.11n continues the modulation evolution. IEEE 802.11n uses OFDM like the 802.11a and 802.11g standards. However, 802.11n increases the number of subcarriers in each 20-MHz channel from 48 to 52. IEEE 802.11n provides a selection of eight data rates for a transmitter, including a data rate using 64 quadrature amplitude modulation (QAM) with a rate 5/6 encoder.
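The per-stream 802.11n rates in the slide table above can be derived from the OFDM parameters the text gives (52 data subcarriers per 20-MHz channel, 108 per 40-MHz channel, eight modulation and coding combinations up to 64-QAM with a rate 5/6 encoder), multiplied by the number of spatial streams. This is an added example, not code from the student guide; the exact MCS 0 to 7 modulation and coding list and the OFDM symbol times (4.0 µs with the standard guard interval, 3.6 µs with the short guard interval) are assumed from 802.11n and are not stated on the page.

```python
# Added example: derive 802.11n per-stream data rates from the OFDM
# parameters given in the text. Symbol times and the MCS list are assumed
# from 802.11n (not on the page); the subcarrier counts are from the text.
from fractions import Fraction

DATA_SUBCARRIERS = {20: 52, 40: 108}       # per channel width in MHz (from the text)
SYMBOL_TIME_US = {"long": 4.0, "short": 3.6}  # assumed 802.11n guard intervals

# (modulation, bits per subcarrier per symbol, coding rate) for MCS 0-7,
# assumed from 802.11n; the page only names the top entry (64-QAM, rate 5/6).
MCS = [
    ("BPSK", 1, Fraction(1, 2)),
    ("QPSK", 2, Fraction(1, 2)),
    ("QPSK", 2, Fraction(3, 4)),
    ("16-QAM", 4, Fraction(1, 2)),
    ("16-QAM", 4, Fraction(3, 4)),
    ("64-QAM", 6, Fraction(2, 3)),
    ("64-QAM", 6, Fraction(3, 4)),
    ("64-QAM", 6, Fraction(5, 6)),
]


def data_rate_mbps(mcs_index: int, bandwidth_mhz: int = 20,
                   streams: int = 1, guard: str = "short") -> float:
    """Physical-layer rate in Mb/s, rounded to one decimal.

    rate = subcarriers * bits_per_subcarrier * coding_rate * streams / symbol_time
    e.g. 52 * 6 * 5/6 = 260 data bits per symbol; 260 / 3.6 us = 72.2 Mb/s.
    """
    _, bits, coding_rate = MCS[mcs_index]
    data_bits_per_symbol = DATA_SUBCARRIERS[bandwidth_mhz] * bits * coding_rate
    mbps = float(data_bits_per_symbol) * streams / SYMBOL_TIME_US[guard]
    return round(mbps, 1)


def rate_table(bandwidth_mhz: int = 20, streams: int = 1,
               guard: str = "short") -> list:
    """The eight rates for one channel width, in MCS order."""
    return [data_rate_mbps(i, bandwidth_mhz, streams, guard) for i in range(len(MCS))]


def max_rate_by_streams(bandwidth_mhz: int = 20) -> dict:
    """Top rate (MCS 7, short guard interval) for one to four spatial streams."""
    return {n: data_rate_mbps(7, bandwidth_mhz, n) for n in range(1, 5)}


if __name__ == "__main__":
    print("20 MHz, 1 stream:", rate_table(20))
    print("40 MHz, 1 stream:", rate_table(40))
    print("max rate by streams, 40 MHz:", max_rate_by_streams(40))
```

The short-guard-interval rows reproduce the slide's 20-MHz and 40-MHz rows exactly; with the standard guard interval the same formula gives 65 and 135 Mb/s at the top MCS, which is why both 65/72.2 and 135/150 appear in the table.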
Together, these changes marginally increase the data rate to a maximum of 72.2 Mb/s for a single-transmit radio. Via spatial division multiplexing, 802.11n also increases the number of transmitters allowable to four. For two, the maximum data rate is 144 Mb/s. Three provide a maximum data rate of 216 Mb/s. The maximum of four transmitters can deliver 288 Mb/s. When using 40-MHz channels, 802.11n increases the number of subcarriers available to 108. This provides a maximum data rate of 150, 300, 450, and 600 Mb/s for one through four transmitters, respectively. The data rates depend on the OFDM mode of operation. IEEE 802.11n has the ability to dramatically increase the capacity of a WLAN, the effective throughput of every client, and the reliability of the networking experience for the client.

Wi-Fi Certification
Even after the 802.11 standards were established, there was a need to ensure interoperability among 802.11 products. This topic describes how Wi-Fi certification ensures multivendor interoperability.

Slide: Wi-Fi Certification
- The Wi-Fi Alliance certifies interoperability between products.
- Products include 802.11a, 802.11b, 802.11g, 802.11n, dual-band products, and security testing.
- Provides assurance to customers regarding migration and integration options.
- Cisco is a founding member of the Wi-Fi Alliance.
- Certified products can be found at http://www.wi-fi.org.

The Wi-Fi Alliance is a global, nonprofit industry trade association that is devoted to promoting the growth and acceptance of WLANs. One of the primary benefits of the Wi-Fi Alliance is to ensure interoperability among 802.11 products that are offered by various vendors.
The Wi-Fi Alliance provides a certification for each product as a proof of interoperability. Certified vendor interoperability provides a comfort zone for purchasers. Certification includes all three IEEE 802.11 RF technologies, as well as early adoption of pending IEEE drafts, such as one addressing security. The Wi-Fi Alliance adapted the IEEE 802.11i draft security as WPA, and then revised it to Wi-Fi Protected Access 2 (WPA2) after the final release of IEEE 802.11i.

Summary
This topic summarizes the key points that were discussed in this lesson.
- People now expect to be connected at any time and place. However, the most tangible benefit of wireless is the cost reduction.
- WLANs and LANs both use CSMA. However, WLANs use collision avoidance while LANs use collision detection.
- Radio frequencies are radiated into the air by antennas, where they are affected by reflection, scattering, and absorption.
- The IEEE defines the 802.11 standards, and the Wi-Fi Alliance offers certification for interoperability between vendors of 802.11 products.
- The three ITU-R local FCC wireless unlicensed bands are 900 MHz, 2.4 GHz, and 5.7 GHz.
- The 802.11 standards are a set of standards that define the frequencies and radio bands for WLANs; the best-known standards are 802.11a, 802.11b, 802.11g, and 802.11n.
- One of the primary benefits of the Wi-Fi Alliance is to ensure interoperability among 802.11 products of different vendors.

Lesson 2
Understanding WLAN Security

Overview
The most tangible benefit of wireless is cost reduction. In addition to increasing productivity, wireless LANs (WLANs) increase work quality. However, a security breach resulting from a single unsecured access point can negate hours spent securing the corporate network and even ruin an organization.
It is important to understand the security risks of WLANs and how to reduce those risks.

Objectives

After completing this lesson, you will be able to describe WLAN security issues and the features available to increase WLAN security. This ability includes being able to meet these objectives:

■ Describe common threats to WLAN services
■ Describe methods of mitigating security threats to WLAN services
■ Describe the evolution of WLAN security
■ Describe the wireless client association process
■ Describe how IEEE 802.1X provides additional WLAN security
■ Describe the modes of WPA and WPA2

WLAN Security Threats

This topic describes common threats to WLAN services.

Slide: Wireless LAN Security Threats
* Find open networks; use them to gain free Internet access.
* Exploit weak privacy measures to view sensitive WLAN information and even break into WLANs.
* Plug consumer-grade APs and gateways into company Ethernet ports to create their own WLANs.

With the lower costs of IEEE 802.11b/g systems, it is inevitable that hackers will have many more unsecured WLANs from which to choose. Incidents have been reported of people using numerous open source applications to collect and exploit vulnerabilities in the IEEE 802.11 standard security mechanism, Wired Equivalent Privacy (WEP). Wireless sniffers enable network engineers to passively capture data packets so that they can be examined to correct system problems. These same sniffers can be used by hackers to exploit known security weaknesses. "War driving" originally meant using a cellular scanning device to find cell phone numbers to exploit. War driving now also means driving around with a laptop and an 802.11b/g client card to find an 802.11b/g system to exploit. Most wireless devices that are sold today are WLAN-ready. End users often do not change default settings, or they implement only standard WEP security, which is not optimal for securing wireless networks.
With basic WEP encryption enabled (or, obviously, with no encryption enabled), it is possible to collect data and obtain sensitive network information, such as user login information, account numbers, and personal records.

A rogue access point is an unauthorized access point that is connected to the corporate network. If a rogue access point is programmed with the correct WEP key, client data could be captured. A rogue access point could also be configured to provide unauthorized users with information such as MAC addresses of clients (wireless and wired), or to capture and spoof data packets. At worst, a rogue access point could be configured to gain access to servers and files. A simple and common version of a rogue access point is one installed by employees without authorization. Employee access points that are intended for home use and are configured without the necessary security can cause a security risk in the enterprise network.

Mitigating Security Threats

This topic describes how to mitigate security threats to a WLAN service.

Slide: Mitigating the Threats
* Authentication: ensure that legitimate clients associate with trusted access points.
* Encryption: protect data as it is transmitted and received.
* Intrusion prevention: track and mitigate unauthorized access and network attacks.

To secure a WLAN, the following steps are required:

■ Authentication, to ensure that legitimate clients and users access the network via trusted access points
■ Encryption, to provide privacy and confidentiality
■ Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs), to protect from security risks and to protect availability

The fundamental solution for wireless security is authentication and encryption to protect the wireless data transmission.
These two wireless security solutions can be implemented in degrees; however, both apply to both small office, home office (SOHO) and large enterprise wireless networks. Larger enterprise networks will need the additional security that is offered by an IPS monitor. Current IPSs can not only detect wireless network attacks, but they also provide basic protection against unauthorized clients and access points. Many enterprise networks use IPSs for protection not primarily against outside threats, but mainly against unintentional access points that are installed by employees who desire the mobility and benefits of wireless.

Evolution of WLAN Security

Almost as soon as the first WLAN standards were established, hackers began trying to exploit weaknesses. To counter this threat, standards evolved to provide more security. This topic describes the evolution of WLAN security.

Slide: Evolution of Wireless LAN Security
* 1997 (WEP): basic encryption; no strong authentication (open and shared-key); static, breakable keys; not scalable; MAC filters and SSID cloaking also used to complement WEP.
* 2001 (802.1X, EAP): dynamic keys; improved encryption; user authentication (such as LEAP).
* 2003 (WPA): standardized; improved encryption, TKIP; strong user authentication (LEAP, PEAP); dynamic key management.
* 2004 to present (802.11i, WPA2): AES strong encryption; authentication; dynamic key management.

This figure shows the evolution of WLAN security. Initially, 802.11 security defined only 64-bit static WEP keys for both encryption and authentication. The 64-bit key contained the actual 40-bit key plus a 24-bit initialization vector. The authentication method was not strong. Open and shared-key authentication are supported. Open authentication allows association of any wireless client. Shared-key authentication allows authentication of selected wireless clients only, but the challenge text is sent unencrypted.
This is the main reason that shared-key authentication is not secure. Another issue with WEP key encryption is that the keys were eventually compromised. The keys were administered statically, and this method of security was not scalable to large enterprise environments. Companies tried to counteract this weakness with techniques such as MAC address filtering.

The SSID is a network-naming scheme and configurable parameter that the client and the access point must share. If the access point is configured to broadcast its SSID, the client that is associated with the access point is using the SSID that is advertised by the access point. An access point can be configured to not broadcast the SSID (called "SSID cloaking") to provide a first level of security. The belief was that if the access point did not advertise itself, it would be more difficult for hackers to find it. To allow the client to learn the access point SSID, 802.11 allows wireless clients to use a null value (that is, no value is entered in the SSID field), therefore requesting that the access point broadcast its SSID. However, this technique renders the security effort ineffective because hackers need only send a null string until they find an access point.

Access points supported filtering using a MAC address as well. Tables are manually constructed on the access point to allow clients based on their physical hardware address. However, MAC addresses are easily spoofed, and MAC address filtering is not considered a security feature.

While 802.11 committees began the process of upgrading WLAN security, enterprise customers needed wireless security immediately to enable deployment. Driven by customer demand, Cisco introduced early proprietary enhancements to RC4-based WEP encryption. Cisco implemented Cisco Temporal Key Integrity Protocol (CKIP) per-packet keying or hashing, and Cisco Message Integrity Check (Cisco MIC) to protect WEP keys.
Cisco also adapted 802.1X wired authentication protocols to wireless and dynamic keys using Cisco Lightweight Extensible Authentication Protocol (Cisco LEAP) to a centralized database. This approach is based on the IEEE 802.11 Task Group i end-to-end framework using 802.1X and the Extensible Authentication Protocol (EAP) to provide this enhanced functionality. Cisco has incorporated 802.1X and EAP into its WLAN solution—the Cisco Wireless Security Suite.

Numerous EAP types are available today for user authentication over wired and wireless networks. Current EAP types include the following:

■ EAP-Cisco Wireless (LEAP)
■ EAP-Transport Layer Security (EAP-TLS)
■ Protected EAP (PEAP)
■ EAP-Tunneled TLS (EAP-TTLS)
■ EAP-Subscriber Identity Module (EAP-SIM)

In the Cisco SAFE wireless architecture, LEAP, EAP-TLS, and PEAP were tested and documented as viable mutual authentication EAP protocols for WLAN deployments.

Soon after the Cisco wireless security implementation, the Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA) as an interim solution. WPA was a subset of the expected IEEE 802.11i security standard for WLANs using 802.1X authentication and improvements to WEP encryption. The newer key-hashing TKIP has security implementations like those that are provided by Cisco Key Integrity Protocol and message integrity check (CKIP), but these three security implementations are not compatible.

Today, 802.11i has been ratified and the Advanced Encryption Standard (AES) has replaced WEP as the latest and most secure method of encrypting data. Wireless IDSs are available to identify attacks and protect the WLAN from them. The Wi-Fi Alliance certifies 802.11i devices under Wi-Fi Protected Access 2 (WPA2).

Wireless Client Association

This topic describes the wireless client association process.
Slide: Wireless Client Association
* Client scans all channels.
* Client listens for beacons and responses from access points.
* Client associates to the access point with the strongest signal.
* Client repeats the scan if the signal becomes low, to reassociate to another access point (roaming).
* During association, SSID, MAC address, and security settings are sent from the client to the access point, and checked by the access point.

In the client association process, access points send out beacons announcing one or more SSIDs, data rates, and other information. The client scans all of the channels and listens for beacons and responses from the access points. The client associates to the access point that has the strongest signal. If the signal becomes low, the client repeats the scan to associate with another access point. This process is called "roaming." During association, the SSID, MAC address, and security settings are sent from the client to the access point, and then checked by the access point.

The association of a wireless client to a selected access point is actually the second step in a two-step process. First authentication, then association, must occur before an 802.11 client can pass traffic through the access point to another host on the network. Client authentication in this initial process is not the same as network authentication (which is entering a username and password to gain access to the network).
Client authentication is simply the first step (followed by association) between the wireless client and access point, and merely establishes communication. The 802.11 standard has specified only two methods of authentication: open authentication and shared-key authentication. Open authentication is simply the exchange of four hello-type packets with no client or access point verification, to allow ease of connectivity. Shared-key authentication uses a static WEP key that is known between the client and access point for verification. This same key may be used to encrypt the actual data passing between a wireless client and access point.

How 802.1X Works on WLANs

This topic describes how 802.1X provides additional WLAN security.

Slide: How 802.1X Works on the WLAN (supplicant, authenticator, AAA server; only 802.1X traffic is allowed from the client until it is authenticated; the access point acts as the authenticator)

The access point, acting as the authenticator at the enterprise edge, allows the client to associate using open authentication. The access point then encapsulates any 802.1X traffic that is bound for the AAA (authentication, authorization, and accounting) server and sends it to the server. All other network traffic is blocked, meaning that all other attempts to access network resources are stopped. Upon receiving AAA traffic that is bound for the client, the access point encapsulates it and sends the information to the client. Although the server authenticates the client as a valid network user, this process allows the client to validate the server as well, ensuring that the client is not logging into a fake server.

While an enterprise network will use a centralized authentication server, smaller offices or businesses might simply use the access point as the authentication server for wireless clients.
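The scan, open authentication, association, and 802.1X port-gating sequence described in the two topics above, as an added Go simulation that is not part of the course material or of any Cisco product. The beacons, MAC addresses, credentials, and the AAA lookup are constructed sample data; the AAA function is a stand-in for the RADIUS round trip, and the roaming threshold of -75 dBm is an assumed value. It shows why a client that has only associated still cannot reach the network: the authenticator relays EAPOL frames to the AAA server but drops everything else until authentication succeeds, and a new association (after roaming) starts with the port blocked again.

```go
package main

import (
	"fmt"
	"sort"
)

// Beacon is what an access point advertises. Values used below are constructed sample data.
type Beacon struct {
	BSSID    string // MAC address of the access point radio
	SSID     string
	Channel  int
	RSSI     int    // received signal strength in dBm; closer to 0 is stronger
	Security string // "open", "wpa2-psk" or "wpa2-enterprise"
}

// Station is a wireless client with its configured profile and current state.
type Station struct {
	MAC        string
	SSID       string
	Security   string
	Associated string // BSSID of the current access point, "" if none
	Authorized bool   // true once 802.1X has succeeded on this association
}

// Frame is the minimum the authenticator needs for port-based access control.
type Frame struct {
	From  string // station MAC
	EAPOL bool   // true for 802.1X (EAP over LAN) traffic
	Data  string
}

// Authenticator is the access point's 802.1X role. AAA stands in for the RADIUS
// exchange with the authentication server (assumed, simplified interface).
type Authenticator struct {
	Authorized map[string]bool
	AAA        func(identity, secret string) bool
}

const roamThreshold = -75 // dBm (assumed); below this the station rescans

// scan listens on every channel and returns the beacons carrying the configured SSID,
// strongest signal first.
func scan(beacons []Beacon, ssid string) []Beacon {
	var found []Beacon
	for _, b := range beacons {
		if b.SSID == ssid {
			found = append(found, b)
		}
	}
	sort.Slice(found, func(i, j int) bool { return found[i].RSSI > found[j].RSSI })
	return found
}

// associate performs open authentication (nothing is verified, so it always succeeds)
// followed by association, where the AP checks the SSID and security settings the client sends.
func (s *Station) associate(ap Beacon) error {
	if s.SSID != ap.SSID {
		return fmt.Errorf("association rejected: SSID %q does not match %q", s.SSID, ap.SSID)
	}
	if s.Security != ap.Security {
		return fmt.Errorf("association rejected: client uses %q, AP requires %q", s.Security, ap.Security)
	}
	s.Associated = ap.BSSID
	s.Authorized = false // every new association starts with the port blocked
	return nil
}

// Connect runs the client side: scan, keep the current AP if its signal is still above
// roamThreshold, otherwise authenticate and associate to the strongest AP (roaming).
func (s *Station) Connect(beacons []Beacon) error {
	cands := scan(beacons, s.SSID)
	if len(cands) == 0 {
		return fmt.Errorf("no access point advertises SSID %q", s.SSID)
	}
	for _, c := range cands {
		if c.BSSID == s.Associated && c.RSSI >= roamThreshold {
			return nil // current cell is still good, no roaming needed
		}
	}
	return s.associate(cands[0])
}

// Forward applies the access point's port control: EAPOL frames are always relayed to
// the AAA server; all other traffic is dropped until the station is authorized.
func (a *Authenticator) Forward(f Frame) (string, bool) {
	switch {
	case f.EAPOL:
		return "relayed to AAA server", true
	case a.Authorized[f.From]:
		return "forwarded to the network", true
	default:
		return "dropped: port unauthorized", false
	}
}

// Authenticate runs the EAP exchange through the AAA stub and opens the port on success.
func (a *Authenticator) Authenticate(s *Station, identity, secret string) bool {
	ok := a.AAA(identity, secret)
	a.Authorized[s.MAC] = ok
	s.Authorized = ok
	return ok
}

func main() {
	beacons := []Beacon{
		{"00:11:22:aa:aa:aa", "CORP", 1, -60, "wpa2-enterprise"},
		{"00:11:22:bb:bb:bb", "CORP", 6, -45, "wpa2-enterprise"},
		{"00:11:22:cc:cc:cc", "GUEST", 11, -40, "open"},
	}
	sta := &Station{MAC: "00:aa:bb:cc:dd:ee", SSID: "CORP", Security: "wpa2-enterprise"}
	ap := &Authenticator{Authorized: map[string]bool{}, AAA: func(id, secret string) bool {
		return id == "alice" && secret == "correct-horse" // constructed credential store
	}}
	fmt.Println("associate:", sta.Connect(beacons), sta.Associated)
	fmt.Println(ap.Forward(Frame{From: sta.MAC, Data: "HTTP GET"}))
	fmt.Println("802.1X:", ap.Authenticate(sta, "alice", "correct-horse"))
	fmt.Println(ap.Forward(Frame{From: sta.MAC, Data: "HTTP GET"}))
}
```

Running main prints the association to the strongest CORP access point, a data frame dropped before 802.1X, the authentication result, and the same frame forwarded afterwards. The EAP method itself and the server-certificate check by which the client validates the server happen inside the AAA round trip and are not modelled here.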
WPA and WPA2 Modes

This topic describes the modes of Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2).

Slide: WPA and WPA2 Modes
| Mode | WPA | WPA2 |
| Enterprise mode (business, education, government) | Authentication: IEEE 802.1X, EAP; Encryption: TKIP | Authentication: IEEE 802.1X, EAP; Encryption: AES-CCMP |
| Personal mode (SOHO, home and personal) | Authentication: PSK; Encryption: TKIP | Authentication: PSK; Encryption: AES-CCMP |

WPA provides authentication support via 802.1X and pre-shared key (PSK). 802.1X is recommended for enterprise deployments. WPA provides encryption support via TKIP. TKIP includes MIC and per-packet keying (PPK) via initialization vector hashing and broadcast key rotation.

WPA2 (standard 802.11i) uses the same authentication architecture, key distribution, and key renewal technique as WPA. However, WPA2 added better encryption, called AES-Counter with CBC-MAC Protocol (AES-CCMP). AES-CCMP uses two combined cryptographic techniques. One is counter mode and the second one is CBC-MAC. AES-CCMP provides a robust security protocol between the wireless client and the wireless access point.

Note: AES is a cryptographic cipher that uses a block length of 128 bits and key lengths of 128, 192, or 256 bits. Counter mode is a mode of operation. Counter mode uses a number that changes with each block of text encrypted. The number is called the counter. The counter is encrypted with the cipher, and the result goes into the ciphertext. The counter changes for each block, so the ciphertext is not repeated. Cipher Block Chaining-Message Authentication Code (CBC-MAC) is a message integrity method. The method uses a block cipher such as AES. Each block of cleartext is encrypted with the cipher, and then an exclusive OR (XOR) operation is conducted between the first and the second encrypted blocks. An XOR operation is then run between this result and the third block, and so on.
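An added example of the two techniques the Note describes, counter mode and CBC-MAC combined under AES, written in Go with the standard library's crypto/aes. It is not code from the course or from any Cisco product, and it is a simplified illustration rather than the exact CCM block formatting of 802.11i: real CCMP derives the nonce from the packet number and sender address and prepends a formatted length block to the MAC input, whereas here the key, nonce, and frame contents are constructed sample values. The CBC-MAC follows the standard construction (each plaintext block is XORed with the previous ciphertext block before encryption), the result is truncated to the 8-byte MIC that CCMP uses, and the decrypting side rejects a frame in which a single ciphertext bit was flipped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

const micLen = 8 // CCMP truncates the CBC-MAC output to a 64-bit MIC

// cbcMAC runs AES in CBC mode over msg with an all-zero IV and keeps only the last
// ciphertext block: every plaintext block is XORed into the running value, which is
// then encrypted. msg is zero-padded to whole 16-byte blocks (a simplification; real
// CCM prepends a formatted length block instead).
func cbcMAC(block cipher.Block, msg []byte) []byte {
	padded := make([]byte, (len(msg)+15)/16*16)
	copy(padded, msg)
	mac := make([]byte, 16)
	for i := 0; i < len(padded); i += 16 {
		for j := 0; j < 16; j++ {
			mac[j] ^= padded[i+j]
		}
		block.Encrypt(mac, mac)
	}
	return mac
}

// ctrXOR applies counter mode: AES encrypts (12-byte nonce || 32-bit counter), the
// keystream is XORed with the data, and the counter is incremented for each block.
// The same call decrypts, since XOR is its own inverse.
func ctrXOR(block cipher.Block, nonce []byte, counter uint32, data []byte) []byte {
	out := make([]byte, len(data))
	ctr := make([]byte, 16)
	ks := make([]byte, 16)
	copy(ctr, nonce)
	for i := 0; i < len(data); i += 16 {
		binary.BigEndian.PutUint32(ctr[12:], counter)
		block.Encrypt(ks, ctr)
		for j := 0; j < 16 && i+j < len(data); j++ {
			out[i+j] = data[i+j] ^ ks[j]
		}
		counter++
	}
	return out
}

// macInput binds the nonce and the plaintext length to the plaintext so the MIC covers them too.
func macInput(nonce, pt []byte) []byte {
	in := make([]byte, 0, len(nonce)+4+len(pt))
	in = append(in, nonce...)
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(pt)))
	in = append(in, l[:]...)
	return append(in, pt...)
}

func newCipher(key, nonce []byte) (cipher.Block, error) {
	if len(nonce) != 12 {
		return nil, fmt.Errorf("nonce must be 12 bytes, got %d", len(nonce))
	}
	return aes.NewCipher(key) // AES-128, -192 or -256 depending on key length
}

// ccmpSeal returns ciphertext || encrypted MIC. As in CCM, counter block 0 protects the
// MIC and counter blocks 1.. protect the data.
func ccmpSeal(key, nonce, pt []byte) ([]byte, error) {
	block, err := newCipher(key, nonce)
	if err != nil {
		return nil, err
	}
	mic := cbcMAC(block, macInput(nonce, pt))[:micLen]
	out := ctrXOR(block, nonce, 1, pt)
	return append(out, ctrXOR(block, nonce, 0, mic)...), nil
}

// ccmpOpen decrypts, recomputes the MIC over the recovered plaintext and rejects the
// frame if the MIC does not match; the comparison is constant-time.
func ccmpOpen(key, nonce, sealed []byte) ([]byte, error) {
	block, err := newCipher(key, nonce)
	if err != nil {
		return nil, err
	}
	if len(sealed) < micLen {
		return nil, errors.New("frame shorter than the MIC")
	}
	ct, encMic := sealed[:len(sealed)-micLen], sealed[len(sealed)-micLen:]
	pt := ctrXOR(block, nonce, 1, ct)
	mic := ctrXOR(block, nonce, 0, encMic)
	want := cbcMAC(block, macInput(nonce, pt))[:micLen]
	if subtle.ConstantTimeCompare(mic, want) != 1 {
		return nil, errors.New("MIC check failed: frame modified, or key/nonce differ")
	}
	return pt, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key, not a real pairwise key
	nonce := []byte("nonce-12byte")   // CCMP derives the nonce from packet number and MAC
	sealed, _ := ccmpSeal(key, nonce, []byte("hello over the air"))
	pt, err := ccmpOpen(key, nonce, sealed)
	fmt.Printf("sealed=%x\nopen=%q err=%v\n", sealed, pt, err)
	sealed[0] ^= 1 // flip one bit of ciphertext
	_, err = ccmpOpen(key, nonce, sealed)
	fmt.Println("after tampering:", err)
}
```

The design point is the one the Note makes: counter mode alone gives confidentiality but no integrity (flipping a ciphertext bit flips the same plaintext bit), so the CBC-MAC over the plaintext, encrypted under counter block 0, is what lets the receiver detect modification. Never reusing a nonce under the same key is what keeps the counter-mode keystream from repeating, which is why CCMP ties it to a packet number.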
Enterprise Mode

"Enterprise mode" is a term that is used for products that are tested to be interoperable in both PSK and 802.1X Extensible Authentication Protocol (EAP) modes of operation for authentication. When 802.1X is used, an authentication, authorization, and accounting (AAA) server is required to perform authentication as well as key and user management. Enterprise mode is targeted to enterprise environments.

Personal Mode

"Personal mode" is a term that is used for products that are tested to be interoperable in the PSK-only mode of operation for authentication. It requires manual configuration of a PSK on the access point and clients. The PSK authenticates users via a password, or identifying code, on both the client station and the access point. No authentication server is needed. Personal mode is targeted to SOHO environments.

Slide: WLAN Encryption Types
* WEP: basic encryption; has serious issues.
* TKIP: a solution to avoid the problems of WEP; part of WPA.
* AES: stronger and the most resource-consuming; part of WPA2.
* VPN: encrypted connection between private networks over a public network; DES, 3DES, AES, SSL.

Encryption is the process of transforming plaintext information to make it unreadable to anyone except those possessing the key. The algorithm that is used to encrypt information is called a cipher, and the result is called ciphertext. Encryption is now commonly used to protect information within WLAN implementations. Encryption is also used to protect data in transit. Data in transit might be intercepted, and encryption is one option for protection.

WEP keys were the first solution to encrypt and decrypt WLAN-transmitted data. Several research papers and articles have highlighted the potential vulnerabilities of static WEP keys. An improvement to static WEP keys was dynamic WEP keys in combination with 802.1X authentication.
However, hackers have ready access to tools for cracking WEP keys. Several enhancements to WEP keys were provided. These WEP enhancements were TKIP, support for MIC, per-packet key hashing, and broadcast key rotation. TKIP is a set of software enhancements to RC4-based WEP. Cisco had a proprietary implementation of TKIP at the beginning. It was sometimes referred to as Cisco TKIP. In 2002, 802.11i finalized the specification for TKIP, and the Wi-Fi Alliance announced that it was making TKIP a component of WPA. Cisco TKIP and the WPA TKIP both include per-packet keying and message integrity check. A weakness exists in TKIP, however, that can allow an attacker to decrypt packets under certain circumstances.

An enhancement to TKIP is Advanced Encryption Standard (AES). AES is a stronger alternative to the RC4 encryption algorithm. AES is a more secure encryption algorithm and has been deemed acceptable for the U.S. government to encrypt both unclassified and classified data. AES is currently the highest standard for encryption and replaces WEP. AES has been developed to replace the Data Encryption Standard (DES). AES offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. AES has a variable key length—the algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key. The use of WPA2 with AES is recommended whenever possible. It, however, is more resource-consuming and requires new hardware compared to simple WEP or TKIP implementations.

If a client does not support WPA2 with AES due to the age of the hardware or lack of driver compatibility, a VPN may be a good solution for securing over-the-air client connections. IP Security (IPsec) and Secure Sockets Layer (SSL) VPNs provide a similar level of security as WPA2.
IPsec VPNs are the services that are defined within IPsec to ensure confidentiality, integrity, and authenticity of data communications across public networks, such as the Internet. IPsec also has a practical application to secure WLANs by overlaying IPsec in addition to cleartext 802.11 wireless traffic. IPsec provides for confidentiality of IP traffic, as well as authentication and anti-replay capabilities. Confidentiality is achieved through encryption using a variant of DES, called Triple DES (3DES), or the new AES.

Summary

This topic summarizes the key points that were discussed in this lesson.

* It is inevitable that hackers will attack unsecured WLANs.
* The fundamental solution for wireless security is authentication and encryption to protect wireless data transmission.
* WLAN standards evolved to provide more security: WEP; 802.1X, EAP; WPA; 802.11i, WPA2.
* Access points send out beacons announcing SSIDs, data rates, and other information in order to support wireless client association.
* With 802.1X, the access point acts as the authenticator at the enterprise edge, allows the client to associate using open authentication, and provides the path to the authentication server.
* WPA provides authentication support via IEEE 802.1X and PSK.
* Enterprise mode is a term given to products that are tested to be interoperable in both PSK and IEEE 802.1X/EAP modes of operation for authentication.
* Personal mode is a term given to products tested to be interoperable in the PSK-only mode of operation for authentication.

Lesson 3
Implementing a WLAN

Overview

There is more to implementing a wireless LAN (WLAN) than selecting the desired standard.
The standards provide required functionality, data rates, and theoretical approximate distance. The selection of a standard is just a beginning, as access point placement can have more effect on throughput than standards. It is important that you understand how the efficiency of a WLAN is affected by such issues as topology, distance, and access point location.

Objectives

Upon completing this lesson, you will be able to describe the factors affecting the implementation of a WLAN. This ability includes being able to meet these objectives:

■ Describe the IEEE 802.11 topologies
■ Describe basic service area WLAN service
■ Describe the effect of distance and speed on WLAN service
■ Describe the factors that should be considered in implementation of an access point
■ Describe basic wireless implementation
■ Describe the form factors to add wireless to laptops
■ Describe common wireless issues and troubleshooting methods

IEEE 802.11 Topology Building Blocks

This topic describes IEEE 802.11 topologies.

Slide: 802.11 Topology Building Blocks
* Ad hoc mode (IBSS): mobile clients connect directly without an intermediate access point.
* Infrastructure mode (BSS): mobile clients use a single access point for connecting to each other or to wired network resources.
* Infrastructure mode (ESS): two or more BSSs are connected by a common distribution system.

IEEE 802.11 provides several topologies (or modes) that can be used as building blocks of a WLAN:

■ Ad hoc mode: Independent Basic Service Set (IBSS) is the ad hoc topology mode. Mobile clients connect directly without an intermediate access point, as shown on the top right side of the figure. Operating systems such as Windows have made this peer-to-peer network easy to set up. This configuration can be used for a small office (or home office) to allow a laptop to be connected to the main PC, or for several people to simply share files. The coverage is limited. Everyone must be able to hear everyone else. An access point is not required.
A drawback of peer-to-peer networks is that they are difficult to secure.

■ Infrastructure mode: In infrastructure mode, clients connect through an access point. There are two infrastructure sub-topologies.

— Basic Service Set (BSS): The communication devices that create a BSS are mobile clients using a single access point to connect to each other or to wired network resources, as shown in the middle of the right side of the figure. The Basic Service Set Identifier (BSSID) is the Layer 2 MAC address of the BSS access point radio card. While the BSS is the fundamental building block for wireless topology and the BSS access point is uniquely identified through a BSSID, the wireless network itself is advertised through a Service Set Identifier (SSID). The SSID announces the availability of the wireless network to mobile clients. The SSID is a wireless network name that is user-configurable and can be made up of as many as 32 case-sensitive characters.

— Extended Service Set (ESS): The wireless topology is extended with two or more Basic Service Sets connected by a distribution system or a wired infrastructure, as shown on the bottom right side of the figure. An ESS generally includes a common SSID to allow roaming from access point to access point without requiring client configuration.

These topologies are the original standard-defined 802.11 topologies. Topologies such as repeaters, bridges, and workgroup bridges are vendor-specific extensions.

BSA Wireless Topology

This topic describes the basic service area (BSA) and extended service area (ESA) topologies and roles in a WLAN.
Slide: BSA Wireless Topology—Basic Coverage (Internet, access point, wireless cell)

A basic service area is the physical area of RF coverage that is provided by an access point in a BSS. This area is dependent on the RF energy field that is created, with variations caused by access point power output, antenna type, and physical surroundings affecting the RF. This area of coverage is referred to as a cell. While the BSS is the topology building block and the BSA is the actual coverage pattern, the two terms are used interchangeably in basic wireless discussions.

The access point attaches to the Ethernet backbone and communicates with all of the wireless devices in the cell area. The access point is the master for the cell, and controls traffic flow to and from the network. The remote devices do not communicate directly with each other; they communicate only with the access point.

The access point is user-configurable with its unique RF channel and wireless SSID name. The access point broadcasts the name of the wireless cell in the SSID through beacons. Beacons are broadcasts that access points send to announce the available services. The SSID is used to logically separate WLANs. It must match exactly between the client and the access point. However, clients can be configured without an SSID (null SSID), then detect all access points and learn the SSID from the beacons of the access point. A common example of the discovery process is the one that is used by the integrated Wireless Zero Configuration (WZC) utility when a wireless laptop is used at a new location. The user is shown a display of the newly found wireless service and asked to connect or supply appropriate keying material to join. SSID broadcasts can be disabled on the access point, but this approach does not work if the client needs to see the SSID in the beacon.
Slide: ESA Wireless Topology—Extended Coverage (Internet, two overlapping wireless cells)

If a single cell does not provide enough coverage, any number of cells can be added to extend the range. The range of the combined cells is known as an extended service area (ESA). Several issues exist when extended coverage is implemented. If overlapping of the wireless cells is required, careful design of the coverage outside of the office is required, and the performance of the wired network and WLAN devices is important.

It is recommended that ESA cells have 10 to 15 percent overlap to allow remote users to roam without losing RF connections. For wireless voice networks, an overlap of 15 to 20 percent is recommended. Bordering cells should be set to different nonoverlapping channels for best performance.

Extending the coverage with more access points must be properly designed. WLAN coverage outside of the office or home area provides easy access to your network to anybody, including attackers. Once the coverage is extended and the number of users increases, the performance of the network devices is important. The access points, which are providing access to multiple users, must ensure that all of the users get enough bandwidth and the required quality of service. At the same time, the increased number of users requires additional throughput via the wired network and WLAN. A sufficient number of access points must be implemented and the network capacity must be taken into account.

Wireless Topology Data Rates

WLAN clients are able to shift data rates while moving. This topic describes the effects of distance and speed on WLAN service.

Slide: Wireless Topology Data Rates—802.11b (concentric rings: 11-Mb/s DSSS, 5.5-Mb/s DSSS, 2-Mb/s DSSS, 1-Mb/s DSSS; greater range for lower data rates)

WLAN clients have the ability to shift data rates while moving.
This technique allows the same client that is operating at 11 Mb/s to shift to 5.5 Mb/s, then 2 Mb/s, and finally still communicate in the outside ring at 1 Mb/s. This rate shifting happens without losing the connection and without any interaction from the user. Rate shifting also happens on a transmission-by-transmission basis; therefore, the access point has the ability to support multiple clients at multiple speeds depending upon the location of each client.

Higher data rates require stronger signals at the receiver. Therefore, lower data rates have a greater range.

Wireless clients always try to communicate with the highest possible data rate.

■ The client will reduce the data rate only if transmission errors and transmission retries occur.

This approach provides the highest total throughput within the wireless cell. This figure shows IEEE 802.11b using the Direct Sequence Spread Spectrum (DSSS) modulation technique. However, the same concept applies to 802.11a, 802.11g, or 802.11n data rates. The difference is in distance and the coverage area of the wireless cell.

Slide: Wireless Topology Data Rates and Range
| Standard | Data rates (Mb/s) | Approximate indoor range | Approximate outdoor range |
| 802.11a | 6, 9, 12, 18, 24, 36, 48, 54 | 115 ft or 35 m | 380 ft or 100 m |
| 802.11b | 1, 2, 5.5, 11 | 125 ft or 40 m | 460 ft or 140 m |
| 802.11g | 6, 9, 12, 18, 24, 36, 48, 54 | 125 ft or 40 m | 460 ft or 140 m |
| 802.11n | 20 MHz: 7.2, 14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2; 40 MHz: 15, 30, 45, 60, 90, 120, 135, 150 (data rate per stream) | 230 ft or 70 m | 820 ft or 250 m |

This figure shows the most important 802.11 WLAN standards, their data rates, and approximate indoor and outdoor range (in feet and meters). The performance, throughput, and the distance (range) depend on topology, installation, different obstacles in a path, and configuration of the WLAN equipment. The topology and the installation can significantly change the performance of the WLAN network.
Installation without a line of sight, and placement near metal objects, can significantly decrease the distance as well as the throughput and data rate of the WLAN network. When different obstacles are on a path between two wireless devices, the absorption of the signal can limit the performance and the distance. Water, cardboard, and metal can significantly impact the coverage. Additionally, the configuration of the WLAN devices with different parameters is important. In order to limit the coverage to a particular area, the transmit power can be decreased and antennas with lower gain can be used. Lowering the transmit power and antenna gain affects the coverage area. There is no single answer on how far away the wireless signal will go and how large the data rate can be. The whole WLAN network must be observed and tests must be performed in order to define the real coverage area and data rate.

Access Point Configuration

This topic describes the factors that should be considered when implementing a WLAN, in terms of the configuration of an access point.

Slide: Access Point Configuration
Basic parameters:
* IP address (static or using DHCP), subnet mask, and default gateway
* Wireless protocol (802.11g only, 802.11b/g, 802.11a)
* Channel adjustment if needed—channel 1, 6, or 11 pending interference
* Power adjustment if needed—or could change antenna
Security parameters:
* SSID identifies your network
* Authentication method—usually WPA or WPA2 PSK
* Encryption method—usually TKIP, or AES if hardware-supported

Wireless access points can be configured through a command-line interface (CLI) or, more commonly, through a browser GUI. However, the mode of configuration of the basic wireless parameters is the same. Basic wireless access point parameters include SSID, an RF channel with optional power, and authentication (security).
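The ESA design rules from the earlier topic (10 to 15 percent overlap for data, 15 to 20 percent for voice, bordering cells on nonoverlapping channels) and the channel parameter in the access point configuration above can be checked before any access point is installed. The following Go program is an added example, not part of the course material or of any Cisco tool; the cell plan it checks is constructed sample data, and the five-channel separation rule it applies to the 2.4-GHz band (channel centers 5 MHz apart, about 22 MHz occupied per channel) is the reason channels 1, 6, and 11 are the usual nonoverlapping choice.

```go
package main

import "fmt"

// Cell is one basic service area in the ESA. The plan in main is constructed sample data.
type Cell struct {
	Name    string
	Channel int // 2.4-GHz channel number, 1-14
}

// Border is a pair of cells whose coverage areas meet, with the designed overlap percentage.
type Border struct {
	A, B    string
	Percent int
}

// Profile carries the overlap range the lesson recommends for a traffic type.
type Profile struct {
	Name       string
	MinPercent int
	MaxPercent int
}

var (
	DataProfile  = Profile{Name: "data", MinPercent: 10, MaxPercent: 15}
	VoiceProfile = Profile{Name: "voice", MinPercent: 15, MaxPercent: 20}
)

// nonOverlapping reports whether two 2.4-GHz channels are far enough apart not to overlap.
// Channel centers are 5 MHz apart and a DSSS channel is about 22 MHz wide, so bordering
// cells need a separation of at least five channel numbers; 1, 6 and 11 satisfy this.
func nonOverlapping(a, b int) bool {
	d := a - b
	if d < 0 {
		d = -d
	}
	return d >= 5
}

// CheckPlan returns one finding per violated design rule. An empty result means the plan
// follows the lesson's guidance for the given traffic profile.
func CheckPlan(cells []Cell, borders []Border, p Profile) []string {
	var findings []string
	byName := map[string]Cell{}
	for _, c := range cells {
		if c.Channel < 1 || c.Channel > 14 {
			findings = append(findings, fmt.Sprintf("%s: channel %d is not a 2.4-GHz channel", c.Name, c.Channel))
		}
		byName[c.Name] = c
	}
	for _, b := range borders {
		ca, okA := byName[b.A]
		cb, okB := byName[b.B]
		if !okA || !okB {
			findings = append(findings, fmt.Sprintf("border %s-%s names a cell that is not in the plan", b.A, b.B))
			continue
		}
		if !nonOverlapping(ca.Channel, cb.Channel) {
			findings = append(findings, fmt.Sprintf("bordering cells %s (channel %d) and %s (channel %d) use overlapping channels",
				ca.Name, ca.Channel, cb.Name, cb.Channel))
		}
		if b.Percent < p.MinPercent || b.Percent > p.MaxPercent {
			findings = append(findings, fmt.Sprintf("overlap %s-%s is %d%%; the %s profile calls for %d-%d%%",
				b.A, b.B, b.Percent, p.Name, p.MinPercent, p.MaxPercent))
		}
	}
	return findings
}

func main() {
	// Constructed four-cell plan: "conf" reuses channel 6 next to "east" and overlaps it too little.
	cells := []Cell{{"lobby", 1}, {"east", 6}, {"west", 11}, {"conf", 6}}
	borders := []Border{{"lobby", "east", 12}, {"lobby", "west", 14}, {"east", "conf", 8}, {"west", "conf", 12}}
	for _, p := range []Profile{DataProfile, VoiceProfile} {
		fmt.Printf("--- %s profile ---\n", p.Name)
		for _, f := range CheckPlan(cells, borders, p) {
			fmt.Println(f)
		}
	}
}
```

For the data profile the sample plan yields two findings, both on the east-conf border (same channel, 8 percent overlap); switching to the voice profile adds three more because 12 and 14 percent fall short of the 15 percent minimum that voice roaming needs.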
Basic wireless client parameters include only authentication. Wireless clients need fewer parameters because the wireless network interface card (NIC) will scan the entire available RF spectrum to locate the RF channel.

Note: A single IEEE 802.11 standard cannot scan both the 2.4- and 5-GHz bands. Every standard operates at a specific frequency range, and the automatic scan is scanning this frequency range.

A wireless client will usually initiate the connection with a null SSID in order to discover the SSIDs that are available. Therefore, by 802.11 design, if you are using open authentication, the result is almost plug-and-play. When security is configured with pre-shared keys (PSKs) for older Wired Equivalent Privacy (WEP) or current Wi-Fi Protected Access (WPA), the key must be an exact match on the client side and on the infrastructure side in order to allow connectivity.

Depending on the hardware that is chosen for the access point, it might be capable of one or two frequencies. The two frequencies that are available are 2.4 GHz from the industrial, scientific, and medical (ISM) band, and the 5-GHz Unlicensed National Information Infrastructure (UNII) band. The features of the access point usually allow for fine adjustment of parameters such as transmit power, frequencies that are used, which radio will be enabled, and which IEEE standard to use on that RF.

Note: The details of these adjustments are not applicable for this course. Check for other course offerings for more information. The following course is for Cisco CCNA WLAN: Implementing Cisco Unified Wireless Networking Essentials (IUWNE). These courses are for other WLAN course offerings (Cisco CCNP WLAN): Implementing Advanced Cisco Unified Wireless Security (IAUWS), Implementing Cisco Unified Wireless Mobility Services (IUWMS), Cisco Unified Wireless Site Survey (CUWSS), and Implementing Cisco Unified Wireless Voice Networks (IUWVN).
When 802.11b wireless clients are mixed with 802.11g wireless clients, throughput is decreased because the access point must implement a Ready to Send/Clear to Send (RTS/CTS) protocol.

After configuring the basic required wireless parameters of the access point, additional fundamental wired-side parameters must be configured for the default router and DHCP server. On a pre-existing LAN, there must be a default router to exit the network as well as a DHCP server to lease IP addresses to wired PCs. The access point simply uses the existing router and DHCP servers for relaying IP addresses to wireless clients. Because the network has been expanded, you should verify that the existing DHCP IP address scope is large enough to accommodate the new wireless client additions. If this is a new installation with all router and access point functions in the same hardware, then you simply configure all parameters in the same hardware.

Steps to Implement a Wireless Network

This topic describes the basic approach to wireless implementation.

Steps to Implement a Wireless Network (slide)
Step 1: Verify local wired operation: DHCP and ISP.
Step 2: Install the access point.
Step 3: Configure the access point SSID, no security.
Step 4: Install one wireless client, no security.
Step 5: Verify wireless network operation.
Step 6: Configure wireless security: WPA with PSK.
Step 7: Verify the wireless network operation.

The basic approach to wireless implementation, as with any basic networking, is to gradually configure and incrementally test. Before implementing any wireless network, verify the existing network and Internet access for the wired hosts. Implement the wireless network with only a single access point and a single client, without wireless security.
Verify that the wireless client has received a DHCP IP address and can ping the local wired default router, and then browse to the external Internet. Before the installation, perform a site survey to identify the position and the configuration parameters for all the required WLAN equipment. Correct WLAN coverage and throughput in the WLAN network must be ensured. Finally, configure wireless security with WPA or WPA2. Use WEP only if the hardware does not support WPA. Use WPA2 if possible because AES encryption support provides a higher level of security. Once the configuration is completed, verify the WLAN operation.

Wireless Clients

This topic describes the form factors that are needed to add wireless capabilities to laptops.

Wireless Clients (slide)
Wireless Zero Configuration
* Default on Windows XP or later operating system
* Limited features for basic PSK
* Verify that users have the correct encryption type and password
Cisco Compatible Extensions Program
* Accelerated feature deployment of third-party clients
* Wide deployment of various vendors
Cisco Secure Services Client
* Enterprise full-featured wireless client supplicant
* Wired and wireless

Currently, there are many form factors available to add wireless capabilities to laptops. The most common are Universal Serial Bus (USB) devices with self-contained fixed antennas and wireless supplicant software. Both of them enable wireless hardware usage and provide security options for authentication and encryption. Most new laptops contain some form of wireless capability. The availability of wireless technology has increased the wireless market and improved ease of use. Newer Microsoft Windows operating systems have a basic wireless supplicant client (that is, WZC) to enable wireless plug-and-play.
This functionality is performed by discovering SSIDs that are being broadcast and allowing the user to simply enter the matching security credentials or keys for WEP or WPA, for example. The basic features of WZC are satisfactory for simple small office, home office (SOHO) environments. Large enterprise networks require more-advanced wireless client features than those features of native operating systems. In 2000, Cisco started a program of value-added feature enhancements through a royalty-free certification program. More than 95 percent of Wi-Fi-enabled laptops that are shipped today are compliant with Cisco Compatible Extensions. The details and status of versions and features of Cisco Compatible Extensions can be found on this link: http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_concept_home.html

This table is a summary of versions and features.

Versions and Features
Version   Topic                       Example
v1        Security                    Wi-Fi compliant, 802.1X, LEAP, Cisco Key Integrity Protocol
v2        Scaling                     WPA, access point assisted roaming
v3        Performance and security    WPA2, Wi-Fi Multimedia (WMM)
v4        Voice over WLAN             Call Admission Control (CAC), voice metrics
v5        Management and reporting    Management Frame Protection (MFP), client intrusion prevention system (IPS)

Until Cisco offered a full-featured supplicant for both wired and wireless clients (called Cisco Secure Services Client), enterprise networks were managing one set of wired clients and another set of wireless clients separately. The benefit to users is a single client for wired or wireless connectivity and security. Refer to http://www.cisco.com/go/ciscocompatible/wireless for additional information.

Wireless Troubleshooting

This topic describes common wireless issues and troubleshooting methods.
Common Wireless Network Issues (slide)
Most problems are due to incorrect configuration:
* Verify that the access point is running the latest revision of firmware.
* Verify the channel configuration. Try channels 1, 6, or 11.
* Verify that users have the correct encryption type and password.
Other common problems:
* RF interference
* Not connected
* Radio not enabled
* Poor antenna location

If you follow the recommended steps for implementing a wireless network, the incremental method of configuration will most likely lead you to the probable cause of an issue. These issues are the most common causes of configuration problems:
* Configuring a defined SSID on the client (as opposed to the method of discovering the SSID) that does not match the access point (including case sensitivity)
* Configuring incompatible security methods: the wireless client and access point must match in authentication method, Extensible Authentication Protocol (EAP) or PSK, and in encryption method (TKIP or AES)

Other common problems can result from initial RF installation, such as:
* Is the radio enabled on both the access point and the client for the correct RF (2.4-GHz ISM or 5-GHz UNII)?
* Is an external antenna connected and facing in the correct direction?
* Is the antenna location too high or too low relative to the wireless clients, preferably within 20 vertical feet (6 vertical m) of the client?
* Is a metal object in the room reflecting RF and causing poor performance?
* Are you attempting to reach too great a distance?

Wireless Troubleshooting (slide)
* Locate the access point near the center of your home or office.
* Avoid mounting the access point next to metal objects.
* Keep the access point out of the line of sight of devices that contain metal.
* Verify connectivity without the security of PSK.
* Avoid RF interference from other equipment (gaming, monitors, phones).
* If the home or office is large, you may need two or more access points.
* Make sure that the access point works over a unique channel that is not in use by other adjacent access point deployments.

The first step in troubleshooting a suspected wireless issue is to separate the environment into wired network versus wireless network. The second step is to further divide the wireless network into configuration versus RF issues. Begin by verifying the proper operation of the existing wired infrastructure and associated services. Verify that existing Ethernet-attached hosts can renew their DHCP addresses and reach the Internet. Then colocate the access point and wireless client to verify the configuration and eliminate the possibility of RF issues. Always start the wireless client on open authentication and establish connectivity. Then implement the desired wireless security. If the wireless client is operational at this point, then only RF-related issues remain.

First, consider whether metal obstructions exist. If so, move the obstruction or change the location of the access point. If the distance is too great, consider adding another access point using the same SSID but on a unique RF channel. Lastly, consider the RF environment. Just as a wired network can become congested with traffic, so can RF for 2.4 GHz (more often than 5 GHz). Check for other sources of wireless devices using 2.4 GHz. Performance issues that seem to relate to time of day would indicate RF interference from a device. An example would be slow performance at lunchtime in an office that is located near a microwave oven that is used by employees. Although most microwaves will jam RF channel 11, some microwaves will jam all of the 2.4 GHz RF channels. Another cause of problems could be RF devices that hop frequencies, such as the Frequency Hopping Spread Spectrum (FHSS) that is used in cordless phones.
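As an added example that is not part of the course text, the following Python script codifies the configuration checks listed above (case-sensitive SSID, matching authentication and encryption methods, matching radio band, non-overlapping 2.4-GHz channels) together with the earlier note that a WPA pre-shared key must match exactly on the client and infrastructure sides. The profile fields, sample values and the names WlanProfile, check_association and overlapping_aps are constructed for this example; only the key derivation is the standard WPA-PSK mapping of passphrase and SSID to a 256-bit key.

```python
"""WLAN client/access point configuration check (added example).

The PMK derivation is the standard WPA-PSK mapping: PBKDF2-HMAC-SHA1 with
the SSID as salt, 4096 iterations, 256-bit output.  Everything else here,
including the profile fields and sample values, is constructed for this
example and is not Cisco course material.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class WlanProfile:
    ssid: str
    band: str             # "2.4GHz" (ISM) or "5GHz" (UNII)
    auth: str             # "PSK" or "EAP"
    cipher: str           # "TKIP" or "AES"
    passphrase: str = ""  # only meaningful when auth == "PSK"


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key from passphrase and SSID.

    Because the SSID is the salt, "Office" and "office" yield unrelated
    keys even with an identical passphrase, which is why an SSID case
    mismatch looks exactly like a wrong password to the client.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def check_association(client: WlanProfile, ap: WlanProfile) -> List[str]:
    """Return a list of mismatch descriptions; an empty list means compatible."""
    problems = []
    if client.ssid != ap.ssid:
        hint = " (case differs)" if client.ssid.lower() == ap.ssid.lower() else ""
        problems.append(f"SSID mismatch{hint}: client={client.ssid!r} ap={ap.ssid!r}")
    if client.band != ap.band:
        problems.append(f"radio band mismatch: client={client.band} ap={ap.band}")
    if client.auth != ap.auth:
        problems.append(f"authentication mismatch: client={client.auth} ap={ap.auth}")
    if client.cipher != ap.cipher:
        problems.append(f"encryption mismatch: client={client.cipher} ap={ap.cipher}")
    if client.auth == ap.auth == "PSK" and client.ssid == ap.ssid:
        # Compare the derived keys rather than the passphrases, which is what
        # the 4-way handshake effectively does: one wrong character fails.
        if wpa_psk_pmk(client.passphrase, client.ssid) != wpa_psk_pmk(ap.passphrase, ap.ssid):
            problems.append("pre-shared key mismatch: PMKs differ")
    return problems


def overlapping_aps(channels: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return pairs of access points whose 2.4-GHz channels overlap.

    2.4-GHz channels are 5 MHz apart and about 22 MHz wide, so adjacent
    access points need channels at least 5 apart (hence 1, 6, 11).
    """
    names = sorted(channels)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if abs(channels[a] - channels[b]) < 5]


if __name__ == "__main__":
    # Constructed sample: SSID typed in the wrong case and TKIP chosen on the client.
    ap = WlanProfile("Office", "2.4GHz", "PSK", "AES", "correct horse battery")
    client = WlanProfile("office", "2.4GHz", "PSK", "TKIP", "correct horse battery")
    for problem in check_association(client, ap):
        print("-", problem)
    print(overlapping_aps({"ap-lobby": 1, "ap-floor1": 6, "ap-floor2": 3}))
```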
Since there can be many sources of RF interference, always start by colocating the access point and wireless client, and then move the wireless client until you can reproduce the problem. Most wireless clients have supplicant software that helps you troubleshoot issues by presenting relative RF signal strength and quality.

Summary

This topic summarizes the key points that were discussed in this lesson.

Summary (slide)
* 802.11 topologies operate in various modes:
  - In ad hoc mode, clients connect directly without an intermediate access point.
  - In infrastructure mode, clients connect through an access point. There are two sub-modes: BSS and ESS.
* BSS wireless topology consists of the basic service area and the extended service area.

Summary (Cont.)
* WLAN data rates are affected by standards, access point placement, and distances.
* Wireless access points can be configured through a CLI or, more commonly, through a browser GUI.
* The basic approach to wireless implementation is to gradually configure and test incrementally.
* Currently, there are many form factors available to add wireless to laptops:
  - Wireless Zero Configuration
  - Cisco Compatible Extensions
  - Cisco Secure Services Client
* You can troubleshoot wireless by breaking the environment into the wired network and the wireless network.

Module Summary

This topic summarizes the key points that were discussed in this module.

Module Summary (slide)
* The various 802.11 standards identify the characteristics of the transmissions used by WLANs, while Wi-Fi certification ensures compatibility between devices.
* To address common threats to WLAN services, security has evolved to include 802.1X and WPA.
* Wireless implementations are affected by distance, speed, and form factors.
* VoIP equipment that is connected to the switch or via WLAN access point requires a power solution and proper configuration of the switch or WLAN access point.

Module Self-Check

Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key.

Q1) What is the most tangible benefit of wireless implementation? (Source: Exploring Wireless Networking)
A) cost reduction
B) increased mobility
C) better productivity
D) improved security

Q2) Which method does a WLAN use to control transmissions? (Source: Exploring Wireless Networking)
A) CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)
B) CSMA/CD (Carrier Sense Multiple Access with Collision Detection)
C) CSMA/CR (Carrier Sense Multiple Access with Collision Rejection)
D) CSMA/CW (Carrier Sense Multiple Access with Collision Weighting)

Q3) Match each factor that influences the transmission of radio waves to its correct description. (Source: Exploring Wireless Networking)
1. occurs when RF waves bounce off metal or glass surfaces
2. occurs when RF waves are soaked up by walls
3. occurs when RF waves strike an uneven surface and are reflected in many directions
A) absorption
B) reflection
C) scattering

Q4) Which regulatory agency controls the 802.11 standard that governs WLANs? (Source: Exploring Wireless Networking)
A) Wi-Fi Alliance
B) IEEE
C) EMA
D) WISC

Q5) Which organization offers certification for interoperability between vendors of 802.11 products? (Source: Exploring Wireless Networking)
A) B) C) D) WISC

Q6) Which three are the unlicensed bands used by WLANs? (Choose three.) (Source: Exploring Wireless Networking)
A) 2.4-MHz band
B) 900-MHz band
C) 2.4-GHz band
D) 5-GHz band
E) 900-GHz band
Q7) Which two of the IEEE 802.11 standards have the highest possible data rate? (Choose two.) (Source: Exploring Wireless Networking)
A)
B) 802.11a
C) 802.11
D) 802.11d
E) 802.11g

Q8) Which IEEE 802.11 standard transmits using the 5-GHz band? (Source: Exploring Wireless Networking)
A) 802.11
B) 802.11a
C) 802.11b
D) 802.11d
E) 802.11g

Q9) Which statement is true about the Wi-Fi Alliance? (Source: Exploring Wireless Networking)
A) It is a global standards organization that controls the compatibility of Wi-Fi products.
B) It operates only in the United States and ensures the compatibility of Wi-Fi products.
C) It is a global, nonprofit industry trade association that is devoted to promoting the growth and acceptance of wireless LANs.
D) It is a global, nonprofit industry trade association that is devoted to promoting the installation of wireless LANs in retail locations.

Q10) What is a rogue access point? (Source: Understanding WLAN Security)
A) an access point that has an open WEP key
B) an access point that is broadcasting its SSID
C) an unsecured access point that has been placed on a WLAN
D) an access point that has had a hardware failure that causes it to endlessly broadcast its SSID

Q11) Which three are the steps to secure WLAN? (Choose three.) (Source: Understanding WLAN Security)
A) encryption for providing privacy and confidentiality
B) authentication to ensure that legitimate clients and users access the network via trusted access points
C) control of the access point power level to limit the cell range and limit that range to the property boundaries
D) protection from security risks with intrusion detection and intrusion protection systems for WLANs

Q12) Which standard provides the strongest level of WLAN security? (Source: Understanding WLAN Security)
A) EAP
B) WEP
C) WPA
D) 802.11 WPA2
Q13) Which factor determines with which access point a client will associate? (Source: Understanding WLAN Security)
A) the access point with the lowest SSID
B) the access point with the highest SSID
C) the access point whose SSID is received first
D) the access point that is received with the strongest signal

Q14) When using IEEE 802.1X, how is the client authenticated? (Source: Understanding WLAN Security)
A) The client is authenticated against a local database that is stored on the access point.
B) The access point forwards all network traffic to the server where it is either authenticated or blocked.
C) The access point encapsulates any 802.1X traffic that is bound for the authentication server and sends it to the server.
D) The client encapsulates the 802.1X authentication traffic before sending it to the access point. This functionality causes the access point to forward it to the server.

Q15) Which statement is true of a comparison between WPA and WPA2? (Source: Understanding WLAN Security)
A) WPA uses pre-shared keys, while WPA2 uses PSK.
B) WPA uses EAP authentication, while WPA2 uses IEEE 802.11X.
C) WPA uses Personal mode, while WPA2 uses Enterprise mode.
D) WPA uses TKIP/MIC encryption, while WPA2 uses AES-CCMP encryption.

Q16) Match the IEEE 802.11 topology to its description. (Source: Implementing a WLAN)
1. Mobile clients connect directly without an intermediate access point.
2. The communication devices use a single access point for connectivity to each other or to wired network resources.
3. The wireless topology is two or more service sets connected by a distribution system or, more commonly, a wired infrastructure.
A) ad hoc mode
B) Basic Service Set
C) Extended Services Set

Q17) What does the physical area of RF coverage that is provided by an access point define?
(Source: Implementing a WLAN)
A) the RF service area
B) the basic service area
C) the ad hoc service area
D) the extended services area

Q18) When you are implementing extended service areas, how much overlap is suggested? (Source: Implementing a WLAN)
A) 5 to 10 percent
B) 10 to 15 percent
C) 15 to 20 percent
D) 25 to 30 percent

Q19) What allows a client to communicate while moving? (Source: Implementing a WLAN)
A) the ability to shift data rates
B) the ability to vary transmit levels
C) the ability to match the transmit level to the receive level
D) the ability to perform error correction as the signal level changes

Q20) Which three are basic wireless access point parameters? (Choose three.) (Source: Implementing a WLAN)
A) SSID
B) authentication
C) data exchange rates
D) transmit band selection
E) RF channel with optional power

Q21) When implementing a WLAN, when should you use WEP? (Source: Implementing a WLAN)
A) only if there is an AAA server available
B) when you need the increased security of WEP
C) when you are planning to enable IEEE 802.11x authentication
D) only if the hardware equipment does not support WPA

Q22) Match the wireless client to its description. (Source: Implementing a WLAN)
1. full-feature supplicant for both wired and wireless client
2. Windows operating system basic wireless supplicant client
3. more-advanced wireless client features than those features of native operating system
A) WZC
B) Cisco Compatible Extensions
C) Cisco Secure Services Client

Module Self-Check Answer Key
Q1) Q2) Q3) Q4) Q5) Q6) Q7) Q8) Q9) Q10) Q11) Q12) Q13) Q14) Q15) Q16) Q17) Q18) Q19) Q20) Q21) Q22) ABD ABE D 1=C, 2=A, 3=B
Module 4
LAN Connections

Overview

In addition to connecting multiple devices in a network, the networks themselves can be connected. In fact, the Internet is a collection of networks that are connected. The concept of connected networks is a common communications infrastructure in large organizations. Connecting networks with diverse devices, architectures, and protocols requires more sophisticated components than simple LANs. Routers are the devices used in this more complex networking environment, and a suite of protocols known as TCP/IP governs how data is transmitted. This module describes the functions of routers in connecting networks, and describes how routers transmit data through networks using TCP/IP.

Module Objectives

Upon completing this module, you will be able to connect multiple networks by creating a default gateway. This ability includes being able to meet these objectives:
* Convert a decimal number into a binary number and a binary number into decimal
* Describe how IP constructs network addresses
* Describe the packet flow from one host to another through a router
* Start a router and use the CLI to configure and to monitor the router
* Implement basic router security
* Describe basic Cisco SDM features
* Use Cisco SDM to enable a DHCP server on the router

Lesson 1
Understanding Binary Basics

Overview

All computers use a system of switches internally. These switches can be in one of two positions: on or off. This functionality is called a binary system, with "off" being represented by the digit 0, and "on" being represented by the digit 1. A binary number will include only the digits 0 and 1. Network device addresses also use this binary system to define their location on the network. The IP address is based upon a dotted-decimal notation of a binary number.
You must have a basic understanding of the mathematical properties of a binary system to understand networking. This lesson describes the mathematics that is involved in the binary numbering system, and how to convert a decimal (base 10) number to a binary (base 2) number and vice versa.

Objectives

Upon completing this lesson, you will be able to convert decimal numbers to binary numbers and binary numbers to decimal numbers. This ability includes being able to meet these objectives:
* Describe the decimal and binary number systems
* Describe the "powers of 2" process
* Convert a decimal number to a binary number
* Convert a binary number to a decimal number

Decimal and Binary Systems

The decimal (base 10) system is the numbering system that is used in everyday mathematics, and the binary (base 2) system is the foundation of computer operations. This topic describes the decimal and binary systems.

Decimal vs. Binary Numbers (slide)
* Decimal numbers are represented by the numbers 0 through 9.
* Binary numbers are represented by a series of 1s and 0s.

Decimal   Binary
0         0
1         1
2         10
3         11
4         100
5         101
6         110
7         111
8         1000
9         1001
10        1010
11        1011
12        1100
13        1101
14        1110
15        1111
16        10000
17        10001
18        10010
19        10011

In the decimal system, the digits are 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9. When quantities higher than 9 are required, the decimal system begins with 10 and continues all the way to 99. Then the decimal system begins again with 100, and so on, with each column to the left raising the exponent by 1. The binary system uses only the digits 0 and 1. Therefore, the first digit is 0, followed by 1. If a quantity higher than 1 is required, the binary system goes to 10, followed by 11. The binary system continues with 100, 101, 110, 111, and then 1000, and so on. This figure shows the binary equivalent of the decimal numbers 0 through 19.
Powers of 2

To understand how binary numbers are used in addressing, you must understand the mathematical process of converting a decimal number to a binary number and vice versa. This topic describes "powers of 2."

Powers of 2 Calculation (slide)
Base   Calculation             Value
2^1    2                       2
2^2    2*2                     4
2^3    2*2*2                   8
2^4    2*2*2*2                 16
2^5    2*2*2*2*2               32
2^6    2*2*2*2*2*2             64
2^7    2*2*2*2*2*2*2           128

Calculator batteries run down and charts can be misplaced, but if you know the mathematical principles, a paper and pencil is all that you need to convert binary numbers to decimal numbers and to convert decimal numbers to binary numbers. There are charts available to help with decimal to binary conversion, showing, for example, 2^0 = decimal 1, 2^1 = decimal 2, 2^2 = decimal 4, and so on. This figure illustrates how some decimal numbers are produced.

The binary numbers chart explains the process of base-2 binary conversion. Each bit in the binary value has a decimal weight, which is based on power-of-2 calculations. The decimal weight in the base-2 binary conversion maps exactly to the value column of the power-of-2 calculations in the figure.

Decimal and Binary Numbers Chart (slide)

Base 10 Decimal Example: 63204829 (MSB on the left, LSB on the right)
Base             10^7        10^6       10^5      10^4     10^3    10^2   10^1   10^0
Decimal Weight   10000000    1000000    100000    10000    1000    100    10     1
Column Weight    60000000    3000000    200000    0        4000    800    20     9
Place Value      6           3          2         0        4       8      2      9
60000000 + 3000000 + 200000 + 0 + 4000 + 800 + 20 + 9 = 63204829

Base 2 Binary Example: 11101001 (233)
Base             2^7    2^6    2^5    2^4    2^3    2^2    2^1    2^0
Decimal Weight   128    64     32     16     8      4      2      1
Column Weight    128    64     32     0      8      0      0      1
Place Value      1      1      1      0      1      0      0      1
128 + 64 + 32 + 0 + 8 + 0 + 0 + 1 = 233

Least Significant Bit and Most Significant Bit

Most people are accustomed to the decimal numbering system. While the base number is important in any numbering system, it is the position of a digit that confers value. The number 10 is represented by a 1 in the tens position and a 0 in the ones position.
The number 100 is represented by a 1 in the hundreds position, a 0 in the tens position, and a 0 in the ones position. In a binary number, the digit on the right-most side is the least significant bit (LSB) and the digit on the left-most side is the most significant bit (MSB). The significance of any digits in between these sides is based on their proximity to either the LSB or the MSB.

Base-2 Conversion System

Understanding the base-2 system is important because an IP version 4 (IPv4) address consists of 32 binary bits. Each digit is 1 bit. The 32 bits are divided into four sets of 8 bits, called octets. A dot (or period) is placed between each set to separate them. (A byte is another name for 8 bits; however, for the purposes of this module, 8 bits will be referred to as an octet.) The various classes of addresses are based on the octet boundaries, so it is helpful to get used to such groupings. It is also an ease-of-use issue, because 8-bit binary numbers are easier to convert than 32-bit binary numbers. When converting a binary IP address, you only convert one octet at a time. The highest possible binary octet is 11111111, which converts to the decimal number 255.

Decimal and Binary Numbers Chart

The first table in this figure presents the decimal representation of the number 63204829. Each digit of the number 63204829 belongs to a different position and has a different base. The table presents how the base is calculated and the decimal weight of each base. The position of each number within the table defines the column value. When the column value is multiplied by the decimal weight, the column weight is defined. The sum of all the column weights determines the decimal number. The first table does not present the conversion because the decimal number is already provided.
The first table provides the explanation of how the decimal values are represented in the base-10 decimal conversion.

The second table in this figure presents the binary to decimal conversion of the binary value 11101001. The first row shows how the base is calculated. The second row is the decimal weight of a base. The third row lists the binary number, where each number is in its own position, under its own base. The multiplication of the column value and the decimal weight gives the column weight for each base separately. The sum of all the column weights determines the decimal number of the original binary number. This decimal number is the result of the binary to decimal conversion.

Decimal-to-Binary Conversion

Decimal numbers can be converted to binary numbers through a specific process. This topic describes how to convert decimal numbers to binary numbers.

Decimal-to-Binary Conversion (slide)
Base exponent    2^7    2^6    2^5    2^4    2^3    2^2    2^1    2^0
Decimal value    128    64     32     16     8      4      2      1
Binary number    0      0      1      0      0      0      1      1
35 = (2^7*0) + (2^6*0) + (2^5*1) + (2^4*0) + (2^3*0) + (2^2*0) + (2^1*1) + (2^0*1)
35 = (128*0) + (64*0) + (32*1) + (16*0) + (8*0) + (4*0) + (2*1) + (1*1)
35 = 0 + 0 + 32 + 0 + 0 + 0 + 2 + 1

This figure shows a simple binary conversion of the decimal number 35. The base exponent line shows base-2 numbers and their exponents (2^1 = 2, 2^2 = 4, 2^3 = 8, and so on). The decimal value of the base exponent number is listed in the second row and the binary number is displayed in the third row. The table describes the steps to determine the binary number. Note that the first 2 bits of the binary number are 0s. These 0s are known as leading 0s. In reality, the decimal number 35 would only be a 6-bit binary number. Because IP addresses are laid out as four sets of octets, the binary number is made into an octet by placing 0s to the left of the 6-bit number.
The table shows the steps for converting the number 35 to a binary number.

Procedure for Converting a Decimal Number to a Binary Number
Step   Action
1      Looking at the figure, what is the greatest power of 2 that is less than or equal to 35? 128 does not go into 35, so place a 0 in that column.
2      64 does not go into 35, so place a 0 in that column.
3      2^5 (32) is smaller than 35. 32 goes into 35 one time. Place a 1 in that column.
4      Calculate how much is left over by subtracting 32 from 35. The result is 3.
5      Check to see if 16 (the next lower power of 2) fits into 3. Because it does not, a 0 is placed in that column.
6      The value of the next number is 8, which is larger than 3, so a 0 is placed in that column also.
7      The next value is 4, which is still larger than 3, so it, too, receives a 0.
8      The next value is 2, which is smaller than 3. Because 2 fits into 3 one time, place a 1 in that column.
9      Subtract 2 from 3, and the result is 1.
10     The decimal value of the last bit is 1, which fits in the remaining number. Therefore, place a 1 in the last column. The binary equivalent of the decimal number 35 is 00100011.

Binary-to-Decimal Conversion

As with decimal-to-binary conversion, there is usually more than one way to convert binary numbers to decimal numbers. This topic describes one conversion method.

Binary-to-Decimal Conversion (slide)
Base exponent    2^7    2^6    2^5    2^4    2^3    2^2    2^1    2^0
Decimal value    128    64     32     16     8      4      2      1
Binary number    1      0      1      1      1      0      0      1
Column weight    128    0      32     16     8      0      0      1
10111001 = (128*1) + (64*0) + (32*1) + (16*1) + (8*1) + (4*0) + (2*0) + (1*1)
10111001 = 128 + 0 + 32 + 16 + 8 + 0 + 0 + 1
10111001 = 185

You can convert binary numbers to decimal numbers by using the positional values that are based on the powers of 2 and identifying the columns with nonzero values, which contribute to the final numerical value. This table shows the steps for converting the binary number 10111001 to a decimal number.
Procedure for Converting a Binary Number to a Decimal Number

Step 1: Find the place value that corresponds to any 1 bit in the binary number, according to its position. For example, as shown in the figure, the binary bit in the 2^7 column is 1, so the decimal total is 128.
Step 2: There is a 0 in the 2^6 (64) column. The decimal equation is 128 + 0 = 128.
Step 3: There is now a 1 in the 2^5 (32) column. The decimal equation becomes 128 + 32 = 160.
Step 4: There is a 1 in the 2^4 (16) column. Adding the value to the decimal total gives 160 + 16 = 176.
Step 5: The next column, 2^3, has a 1. Add the value 8 to the decimal total, giving 176 + 8 = 184.
Step 6: There are 0s in the 2^2 and 2^1 columns. Add 0s to the decimal total: 184 + 0 + 0 = 184.
Step 7: Finally, there is a 1 in the 2^0 (1) column. Now, add 1 to 184. The result is 185. The decimal equivalent of the binary number 10111001 is 185.

Summary

This topic summarizes the key points that were discussed in this lesson.

- All computers operate using a binary system, and most people are accustomed to the decimal numbering system. The numerals are as follows:
  - Binary systems (base 2) use only the numerals 0 and 1.
  - Decimal systems (base 10) use the numerals 0 through 9.
- The powers of 2 provide the calculation of the decimal weight for base-2 binary conversion.

Lesson 2
Constructing a Network Addressing Scheme

Overview

Subnetworks, also known as subnets, are very common in all but the smallest of network environments. Subnetworks segment the network into smaller divisions that have their own addresses. Each host is represented by a unique IP address. In some cases, some of the bits that are used for the host portion of an IP address are "borrowed" to create the subnet address.
The subnet mask defines which part of the IP address represents the network part. This lesson describes how subnets function and how they are computed.

Objectives

Upon completing this lesson, you will be able to describe and calculate subnet addresses. This ability includes being able to meet these objectives:

- Define the purpose and function of a subnet
- Describe the process of computing usable subnet and host addresses
- Describe how end systems use subnet masks to locate a destination device
- Describe how routers use subnet masks to route a packet to its destination
- Describe the mechanics of subnet mask operation
- Apply subnet mask operations to Class A, B, and C IP addresses

Subnetworks

Network administrators often need to divide networks, especially large networks, into subnetworks, or subnets, to provide addressing flexibility. This topic describes the purposes and functions of subnets and their addressing schemes.

Flat Topology (figure)

The problems with a flat topology are as follows:
- All devices share the same bandwidth.
- All devices share the same Layer 2 broadcast domain.
- It is difficult to apply a security policy.

A company that occupies a three-story building might have a network that is divided by floors, with each floor divided into offices. Think of the building as the network, the floors as the three subnets, and the offices as the individual host addresses. A subnet segments the hosts within the network. With no subnets, the network has a flat topology. A flat topology has a short routing table and relies on Layer 2 MAC addresses to deliver packets. MAC addresses have no hierarchical structure. As the network grows, the use of the network bandwidth becomes less and less efficient. The disadvantages of a flat network are as follows:

- All devices share the same bandwidth.
- All devices share the same Layer 2 broadcast domain.
- It is difficult to apply security policies because there are no boundaries between devices.
On an Ethernet network that is connected by hubs, every host on the same physical network sees all of the packets on the network. On a switch-connected network, the host sees all of the broadcasts. In heavy traffic situations, there can be many collisions that are caused by two or more devices that are transmitting simultaneously. The devices detect the collision, stop transmitting, and then begin transmitting later, at a random interval. To users, this process is perceived as the network slowing down. Switches improve network performance, but routers are a better choice in these situations. Routers can be used to separate networks by breaking the network into multiple subnets.

Subnetworks (figure)

- Smaller networks are easier to manage.
- Overall traffic is reduced.
- You can more easily apply network security.

The advantages of subnetting a network are as follows:

- Smaller networks are easier to manage and map to geographical or functional requirements.
- Overall network traffic is reduced, which can improve performance.
- You can more easily apply network security measures at the interconnections between subnets than throughout the entire network.

In multiple-network environments, each subnetwork may be connected to the Internet via a single router. This figure shows one router connecting multiple subnetworks to the Internet. In this example, the network is divided into multiple subnetworks. The actual details of the internal network environment and how the network is divided into multiple subnetworks are inconsequential to other IP networks. The IP addressing that is used in the flat network must be modified to accommodate the required segmentation. A subnet mask identifies the network-significant portion of an IP address. The network-significant portion of an IP address is, simply, the part that identifies what network the host device is on.
This part is called the network address and defines every subnetwork. The use of segmentation is important for the routing operation to be efficient.

What a Subnet Mask Does (figure)

- Tells the router the number of bits to look at when routing
- Defines the number of bits that represent the network part

Destination IP address 172.16.55.87: how much of this address is the network part?

How do we know how many bits represent the network portion and how many bits represent the host portion? When we express an IPv4 network address, we add a prefix length to the network address. The prefix length is the number of bits in the address that gives us the network portion. For example, in 172.16.4.0 /24, the /24 is the prefix length; it tells us that the first 24 bits are the network address. This leaves the remaining 8 bits, the last octet, as the host portion. The entity that is used to specify the network portion of an IPv4 address to the network devices is called the subnet mask. The subnet mask consists of 32 bits, just as the address does, and uses 1s and 0s to indicate which bits of the address are network bits and which bits are host bits. We express the subnet mask in the same dotted decimal format as the IPv4 address. The subnet mask is created by placing a binary 1 in each bit position that represents the network portion and placing a binary 0 in each bit position that represents the host portion. A /24 prefix is expressed as a subnet mask as 255.255.255.0 (11111111.11111111.11111111.00000000). The remaining bits (low order) of the subnet mask are zeroes, indicating the host address within the network. The subnet mask is configured on a host with the IPv4 address to define the network portion of that address. Networks are not always assigned a /24 prefix. Depending on the number of hosts on the network, the prefix that is assigned may be different.
Having a different prefix number changes the host range and broadcast address for each network.

For example, let's look at the host 172.16.55.87/27:

address          172.16.55.87     10101100.00010000.00110111.01010111
subnet mask      255.255.255.224  11111111.11111111.11111111.11100000
network address  172.16.55.64     10101100.00010000.00110111.01000000

Two-Level and Three-Level Addresses

When the IP version 4 (IPv4) method of identifying addresses and address classes was developed, a two-level address (network and host) seemed sufficient. Each IP address required the definition for which part of the IP address was network and which part was host. Based on this definition, networks were divided into different address classes (A, B, and C). Each address class had a default mask that was associated with it. The mask was predefined and its configuration was not necessarily needed. As the number of network-connected devices grew, it became clear that these classes were an inefficient use of network addresses. To overcome this problem, a third level of addressing, which consisted of subnets, was developed. A subnet address includes the original classful network portion plus a subnet field. This complete network prefix is also known as the extended network prefix. The subnet field and the host field are created from the original classful host portion. To create a subnet address, you can borrow bits from the original host field and designate them as the subnet field. At this point, the classless network, as opposed to the classful network, was introduced. The classful network took into account the predefined classes of IP addresses (A, B, and C), and the classless network removed those boundaries. The classless network approach was introduced to replace the addressing architecture of the classful network design in order to help slow down the rapid exhaustion of IPv4 addresses.
However, subnets cannot work without a way to identify the part of the address that is network-significant and the part that is host-significant. For this reason, explicit subnet masks need to be configured.

Subnet Creation

The subnet address is created by taking address bits from the host portion of Class A, Class B, and Class C addresses. Usually, a network administrator assigns the subnet address locally. Like IP addresses, each subnet address must be unique. When creating subnets, many potential individual host addresses (endpoints) are lost. For this reason, you must pay close attention to the percentage of addresses that are lost when you create subnets. The algorithm that is used to compute the number of subnets uses powers of 2.

When taking bits from the host field, it is important to note the number of additional subnets that are being created each time one more bit is borrowed. Borrowing 2 bits creates four possible subnets (2^2 = 4). Each time another bit is borrowed from the host field, the number of subnets that are created increases by a power of 2, and the number of individual host addresses decreases by a power of 2. Some examples are as follows:

- Using 3 bits for the subnet field results in 8 possible subnets (2^3 = 8)
- Using 4 bits for the subnet field results in 16 possible subnets (2^4 = 16)
- Using 5 bits for the subnet field results in 32 possible subnets (2^5 = 32)
- Using 6 bits for the subnet field results in 64 possible subnets (2^6 = 64)

In general, the following formula can be used to calculate the number of usable subnets if the number of subnet bits that are used is specified:

Number of subnets = 2^s (where s is the number of subnet bits borrowed)
How End Systems Use Subnet Masks

The end system uses the subnet mask to compare the network portion of the local network address with the destination network address of the packet to be sent. This topic describes the process that end systems follow in using subnet masks.

[Figure: End System Subnet Mask Operation, showing a host deciding between a destination on its own network and destinations on other networks.]

Before an end system can send a packet to its destination, it must first determine if the destination address is in the local network. The subnet mask defines the network part of the IP address. The end system compares the network portion of the local network address with the destination network address of the packet to be sent. If the network portion of the local network address is the same as the destination network address, then the end system will use the Address Resolution Protocol (ARP) process to bind the IP address to the MAC address. If the network portion of the local network address is not the same as the destination network address, then the packet must be forwarded to the default gateway router for transmission to the destination network.

How Routers Use Subnet Masks

The subnet mask identifies the network-significant part of an IP address. Routers need this information to determine how to get a packet to the desired destination. This topic describes how routers use subnet masks.

[Figure: How Routers Use Subnet Masks. Host A (10.1.1.7/24) and Host B (10.3.1.23/24) are each connected to their own router; the figure also shows 10.3.2.1/24. Route Table A and Route Table B list the networks 10.1.1.0/24, 10.2.2.0/24, 10.3.1.0/24 and 10.3.2.0/24 with their exit interfaces (e0/0, e0/1).]

All routers have routing tables. Depending on the location of the router in the network hierarchy, the table may be small and simple or large and complex. The router populates the routing table with the network-significant part of all of the known networks.
If the network is not directly attached to the router, the router stores the address of the next-hop router to which the packet should be forwarded. For routers to function without the need to store all of the destination networks in their tables, they use a default route to which packets that do not match any entry in the routing table are forwarded. Default routes are stored in the routing table also. When forwarding the packets, routers compare the network-significant part with the destination network addresses of packets that need to be forwarded. This figure shows two hosts, where each of them is connected to its own router. When Host A sends a packet to Host B, the packet reaches Router A. Router A must look into its routing table to determine the path to reach the destination network. The destination network is known and exists in the routing table. The packet is sent to Router B. Router B uses its own routing table to determine the path to the destination and forwards the packet to the correct interface. The following table explains the exact procedure for routing with subnet masks.

Procedure for Routing with Subnet Masks

Step 1: Host A determines that the destination network requires the use of its default gateway router (Router A).
Step 2: Router A has a route to the destination network 10.3.1.0 and forwards the packet to Router B through the indicated interface.
Step 3: Because the 10.3.1.0/24 network is directly connected to Router B interface fa0/2, Router B will use ARP to determine the MAC address of Host B.

[Figure: Applying the Subnet Address Scheme. A router with interfaces fa0/0 and fa0/1 connects the 172.16.2.0 and 172.16.3.0 subnets; the hosts on each subnet take addresses from that subnet's range.]

When configuring routers, each interface is connected to a different network or subnet segment.
An available host address from each different network or subnet must be assigned to the interface of the router that connects to that network or subnet. In this example, the router has two Ethernet interfaces. The interface that is connected to the 172.16.2.0 subnetwork is assigned the IP address of 172.16.2.1. The other interface is connected to the 172.16.3.0 subnetwork and is assigned the IP address of 172.16.3.1. All of the attached hosts need to have addresses within the range of the subnet. Any host that is configured with an address outside of the subnet range would not be reachable. The reachability of the hosts relies on the ability of the router to route packets to their destinations. If any host is not configured within the correct subnet range, the reachability is broken and the router will not be able to route packets to that host.

Mechanics of Subnet Mask Operation

You have learned why subnet masks exist, and how end systems and routers use subnet masks. This topic describes how subnet masks are created and how they work.

Octet Values of a Subnet Mask (figure)

- Subnet masks, like IP addresses, are represented in the dotted decimal format, such as 255.255.255.0.
- The number 1 reflects the network part of the IP address.

128  64  32  16   8   4   2   1
  1   0   0   0   0   0   0   0  = 128
  1   1   0   0   0   0   0   0  = 192
  1   1   1   0   0   0   0   0  = 224
  1   1   1   1   0   0   0   0  = 240
  1   1   1   1   1   0   0   0  = 248
  1   1   1   1   1   1   0   0  = 252
  1   1   1   1   1   1   1   0  = 254
  1   1   1   1   1   1   1   1  = 255

Although subnet masks use the same format as IP addresses, they are not IP addresses themselves. Each subnet mask is 32 bits long, divided into four octets, and is usually represented in dotted-decimal notation like IP addresses. In their binary representation, subnet masks have all 1s in the network and subnetwork portions, and have all 0s in the host portion.
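The three decisions described in the preceding topics, written out as functions: the end system's local-or-gateway check, the router's route-table lookup (generalized here to pick the longest matching prefix, with the default route as the fallback the text describes), and the check that a host sits inside its router interface's subnet. This is an added example, not code from the Cisco student guide; the route table contents are constructed from the figure's networks, and the exit interfaces and next hops in it are assumptions.

```python
# Added example (not from the Cisco student guide). Uses only the standard library.
import ipaddress


def is_local(host_ip, mask, dest_ip):
    """End-system check: is the destination in the host's own network under the
    configured mask? 'mask' may be a prefix length ("24") or dotted ("255.255.255.0")."""
    host = ipaddress.IPv4Interface(f"{host_ip}/{mask}")
    return ipaddress.IPv4Address(dest_ip) in host.network


def next_hop_decision(host_ip, mask, dest_ip):
    """Same network -> ARP for the destination directly; otherwise -> default gateway."""
    return "arp-for-destination" if is_local(host_ip, mask, dest_ip) else "send-to-default-gateway"


def lookup_route(route_table, dest_ip):
    """Router check: compare the destination against the network-significant part of
    every entry and keep the most specific match (longest prefix). The 0.0.0.0/0
    default route matches everything, so it wins only when nothing else matches."""
    dest = ipaddress.IPv4Address(dest_ip)
    best_net, best_via = None, None
    for prefix, via in route_table:
        net = ipaddress.IPv4Network(prefix)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


def interface_reaches_host(interface_cidr, host_ip):
    """Reachability check from 'Applying the Subnet Address Scheme': a host is
    reachable through a router interface only if it lies in that interface's subnet."""
    iface = ipaddress.IPv4Interface(interface_cidr)
    return ipaddress.IPv4Address(host_ip) in iface.network


# Constructed route table for Router A (networks from the figure; interfaces and
# next hops are assumptions, not taken from the student guide).
ROUTE_TABLE_A = [
    ("10.1.1.0/24", "directly connected, e0/0"),
    ("10.2.2.0/24", "directly connected, e0/1"),
    ("10.3.1.0/24", "via Router B"),
    ("10.3.2.0/24", "via Router B"),
    ("0.0.0.0/0", "default route"),
]

if __name__ == "__main__":
    # Host A 10.1.1.7/24 sending to Host B 10.3.1.23 (figure values)
    print(next_hop_decision("10.1.1.7", "255.255.255.0", "10.3.1.23"))
    print(lookup_route(ROUTE_TABLE_A, "10.3.1.23"))
    print(interface_reaches_host("172.16.2.1/24", "172.16.3.5"))
```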
Octet Values of a Subnet Mask

Because the high-order bits of the subnet masks are contiguous 1s, there are only a limited number of subnet values within an octet. You will recall that we only need to expand an octet if the network and host division falls within that octet. Therefore, there are a limited number of 8-bit patterns that are used in address masks. The subnet field always immediately follows the network number. The bits that are borrowed to create a subnet mask must be the first bits in that octet. The borrowed bits must start with the most significant bit (MSB) of the default host field. This figure shows the borrowed bits, where the number of borrowed bits ranges from 1 to 8. The subnet mask is the tool that is used by the router to determine which bits are routing (network and subnet) bits and which bits are host bits. The last column in the figure shows the decimal representation of the subnet mask for each combination of borrowed bits. If the subnet mask for an octet is represented by 255, then all the equivalent bits in that octet of the address are network bits. Similarly, if the subnet mask for an octet is represented by 0, then all the equivalent bits in that octet of the address are host bits. In each of these cases, it is not necessary to expand this octet to binary to determine the network and host portions.

The figure shows only one octet because the decimal representation of each octet is the same. In Class A, the default subnet address is 255.0.0.0 or 11111111.00000000.00000000.00000000. If the three highest-order bits from the next highest-order host octet are borrowed, they add up to 224. This value translates to 255.224.0.0 or 11111111.11100000.00000000.00000000. The same approach applies to the other classes. The only difference is in the default subnet mask that is used for the different classes. In Class B, the default subnet address is 255.255.0.0 or 11111111.11111111.00000000.00000000.
In Class C, the default subnet address is 255.255.255.0 or 11111111.11111111.11111111.00000000.

Default Subnet Masks

In regard to IP addressing, the subnet mask identifies the addressing information that is necessary to send packets toward their final destinations. The subnet mask identifies which bits within the IP address are the network and subnet bits. This figure shows the default subnet masks and the default classful prefix length for Class A, Class B, and Class C addresses. The subnet mask itself is indicated with 1s in the binary notation for the mask. All other bits are indicated as 0s.

[Figure: Default Subnet Masks, showing the default mask and classful prefix length for Class A (255.0.0.0, /8), Class B (255.255.0.0, /16) and Class C (255.255.255.0, /24).]

Computing Usable Subnetworks and Hosts

One of the decisions you must make when creating subnets is to determine the optimal number of subnets and hosts. This topic describes a process for planning subnets.

[Figure: Possible Subnets and Hosts for a Class C Network, plotting bits to borrow against the resulting number of subnets and hosts.]

Computing Hosts for a Class C Subnetwork

Each time 1 bit is borrowed from a host field, there is one less bit that remains in the host field. Each additional bit in the network part increases the number of subnets possible. At the same time, each bit fewer in the host part decreases the number of possible hosts per subnet. The number of subnets increases by a power of 2 and the number of host addresses that can be assigned decreases by a power of 2.

As an example, consider a Class C network address in which all 8 bits in the last octet are used for the host ID. Therefore, there are 256 possible numbers. The actual number of usable addresses that are available to assign to hosts is 254 (256 - 2 addresses; the broadcast and the subnet addresses cannot be used). Now imagine that this Class C network is divided into subnets.
If 2 bits are borrowed from the default 8-bit host field, the size of the host field decreases to 6 bits. All possible combinations of 0s and 1s that could occur in the remaining 6 bits produce a total number of possible hosts that could be assigned in each subnet. This number, which formerly was 256, is now 64. The number of usable host numbers decreases to 62 (64 - 2). In the same Class C network, if 3 bits are borrowed, the size of the host field decreases to 5 bits, and the total number of assignable hosts for each subnet decreases to 32 (2^5). The number of usable host numbers decreases to 30 (32 - 2). The number of possible host addresses that can be assigned to a subnet is related to the number of subnets that have been created. This last example gives eight additional usable subnets in a Class C network. Each of these eight subnets can have 30 (32 - 2) usable host addresses.

[Figure: Possible Subnets and Hosts for a Class B Network, plotting bits to borrow against the resulting number of subnets and hosts.]

Computing Hosts for a Class B Subnetwork

Now consider a Class B network address in which 16 bits are used for the network ID and 16 bits are used for the host ID. Therefore, there are 65,536 (2^16) possible addresses that are available to assign to hosts (65,534 are usable addresses after subtracting the two addresses, the broadcast and the subnet addresses, that cannot be used). Now imagine that this Class B network is divided into subnets. If 2 bits are borrowed from the default 16-bit host field, the size of the host field decreases to 14 bits. All possible combinations of 0s and 1s that could occur in the remaining 14 bits produce a total number of possible hosts that could be assigned in each subnet. Thus, the number of hosts that can be assigned to each subnet is now 16,382.
In the same Class B network, if 3 bits are borrowed, the size of the host field decreases to 13 bits, and the total number of assignable hosts for each subnet decreases to 8192 (2^13). The number of usable host numbers decreases to 8190 (8192 - 2). This last example shows six (8 - 2) usable subnets in a Class B network. Each of these six subnets can have 8190 (8192 - 2) usable host addresses.

The following table includes all possible subnets and hosts for a Class B network.

Subnetting a Class B Network

Bits borrowed (s) | Possible subnets (2^s) | Bits remaining in host ID (16 - s = h) | Usable hosts per subnet (2^h - 2)
 1 |     2 | 15 | 32766
 2 |     4 | 14 | 16382
 3 |     8 | 13 |  8190
 4 |    16 | 12 |  4094
 5 |    32 | 11 |  2046
 6 |    64 | 10 |  1022
 7 |   128 |  9 |   510
 8 |   256 |  8 |   254
 9 |   512 |  7 |   126
10 |  1024 |  6 |    62
11 |  2048 |  5 |    30
12 |  4096 |  4 |    14
13 |  8192 |  3 |     6
14 | 16384 |  2 |     2
15 | 32768 |  1 |     0
16 | 65536 |  0 |     0

[Figure: Possible Subnets and Hosts for a Class A Network, plotting bits to borrow against the resulting number of subnets and hosts.]

Computing Hosts for a Class A Subnetwork

Finally, consider a Class A network address in which 8 bits are used for the network ID and 24 bits are used for the host ID. Therefore, there are 16,777,216 (2^24) possible addresses that are available to assign to hosts (16,777,214 are usable addresses after subtracting the two addresses, the broadcast and the subnet addresses, that cannot be used). Now imagine that this Class A network is divided into subnets. If 6 bits are borrowed from the default 24-bit host field, the size of the host field decreases to 18 bits. All possible combinations of 0s and 1s that could occur in the remaining 18 bits produce a total number of possible hosts that could be assigned in each subnet. This number is now 262,144. The number of usable hosts decreases to 262,142 (262,144 - 2).
The following table includes all possible subnets and hosts for a Class A network.

Subnetting a Class A Network

Bits borrowed (s) | Possible subnets (2^s) | Bits remaining in host ID (24 - s = h) | Usable hosts per subnet (2^h - 2)
 1 |        2 | 23 | 8388606
 2 |        4 | 22 | 4194302
 3 |        8 | 21 | 2097150
 4 |       16 | 20 | 1048574
 5 |       32 | 19 |  524286
 6 |       64 | 18 |  262142
 7 |      128 | 17 |  131070
 8 |      256 | 16 |   65534
 9 |      512 | 15 |   32766
10 |     1024 | 14 |   16382
11 |     2048 | 13 |    8190
12 |     4096 | 12 |    4094
13 |     8192 | 11 |    2046
14 |    16384 | 10 |    1022
15 |    32768 |  9 |     510
16 |    65536 |  8 |     254
17 |   131072 |  7 |     126
18 |   262144 |  6 |      62
19 |   524288 |  5 |      30
20 |  1048576 |  4 |      14
21 |  2097152 |  3 |       6
22 |  4194304 |  2 |       2
23 |  8388608 |  1 |       0
24 | 16777216 |  0 |       0

Applying Subnet Mask Operation

Most network administrators work with existing networks, complete with subnets and subnet masks in place. Network administrators need to be able to determine, from an existing IP address, which part of the address is the network and which part of the address is the subnet. Applying the subnet mask operation provides this information. This topic describes how to apply the subnet mask operation.

Procedure for Implementing Subnets

1. Determine the IP address that is assigned by the registry authority.
2. Based on the organizational and administrative structure, determine the number of subnets that are required.
3. Based on the address class and required number of subnets, determine the number of bits that you need to borrow from the host ID.
4. Determine the binary and decimal value of the subnet mask.
5. Apply the subnet mask to the network IP address to determine the subnet and host addresses.
6. Assign subnet addresses to specific interfaces for all devices that are connected to the network.

The procedure that is described in this figure explains how to select the number of subnets you need for a particular network and then apply a mask to implement subnets.
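The subnet and host arithmetic of this topic (2^s subnets, 2^h - 2 usable hosts per subnet, which generates the Class B and Class A tables above) together with steps 1 to 4 of the procedure for implementing subnets, as an added example that is not code from the Cisco student guide. The helper names are my own, and the planning input (a Class B network with 100 required subnets) is a constructed value.

```python
# Added example (not from the Cisco student guide): subnet/host counting and
# steps 1-4 of "Procedure for Implementing Subnets".

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}  # default prefix length of each class


def address_class(network):
    """Classful lookup by the first octet (Class A, B or C only)."""
    first = int(network.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    raise ValueError("not a Class A, B or C address")


def subnet_table(cls):
    """Rows (bits borrowed s, subnets 2^s, host bits left h, usable hosts 2^h - 2),
    one per possible s, like the 'Subnetting a Class B Network' table."""
    host_bits = 32 - CLASSFUL_PREFIX[cls]
    rows = []
    for s in range(1, host_bits + 1):
        h = host_bits - s
        rows.append((s, 2 ** s, h, max(2 ** h - 2, 0)))   # h = 0 leaves no usable hosts
    return rows


def bits_to_borrow(required_subnets):
    """Step 3: the smallest s such that 2^s >= required_subnets."""
    s = 0
    while 2 ** s < required_subnets:
        s += 1
    return s


def mask_from_prefix(prefix_len):
    """Step 4: dotted-decimal and binary form of a mask with prefix_len leading 1s."""
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    octets = [(mask_int >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    dotted = ".".join(str(o) for o in octets)
    binary = ".".join(format(o, "08b") for o in octets)
    return dotted, binary


def plan_subnets(network, required_subnets):
    """Steps 1-4 together: class, bits to borrow, resulting prefix, mask and hosts."""
    cls = address_class(network)
    s = bits_to_borrow(required_subnets)
    prefix_len = CLASSFUL_PREFIX[cls] + s
    if prefix_len > 30:                      # fewer than 2 host bits: no usable hosts
        raise ValueError(f"{required_subnets} subnets do not fit in a Class {cls} network")
    dotted, binary = mask_from_prefix(prefix_len)
    h = 32 - prefix_len
    return {"class": cls, "bits_borrowed": s, "subnets": 2 ** s,
            "prefix_len": prefix_len, "mask": dotted, "mask_binary": binary,
            "usable_hosts_per_subnet": 2 ** h - 2}


if __name__ == "__main__":
    # Constructed planning input: Class B 172.16.0.0, 25 countries x 4 locations
    plan = plan_subnets("172.16.0.0", 25 * 4)
    for key, value in plan.items():
        print(f"{key}: {value}")
    for row in subnet_table("B"):
        print("%2d %6d %3d %6d" % row)
```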
Procedure for Implementing Subnets

Step 1: Determine the IP address for your network as assigned by the registry authority. Example: Assume that you are assigned a Class B address of 172.16.0.0.
Step 2: Based on your organizational and administrative structure, determine the number of subnets that are required for the network. Be sure to plan for future growth. Example: Assume that you are managing a worldwide network in 25 countries. Each country has an average of 4 locations. Therefore, you will need 100 subnets.
Step 3: Based on the address class and the number of subnets that you selected, determine the number of bits that you need to borrow from the host ID. Example: To create 100 subnets, you need to borrow 7 bits (2^7 = 128).
Step 4: Determine the binary and decimal values of the subnet mask that you select. Example: For a Class B address with 16 bits in the network ID, when you borrow 7 bits, the mask is /23. Binary value of the mask: 11111111.11111111.11111110.00000000. Decimal value of the mask: 255.255.254.0.
Step 5: Apply the subnet mask for the network IP address to determine the subnet and host addresses. You will also determine the network and broadcast addresses for each subnet.
Step 6: Assign subnet addresses to specific interfaces on all of the devices that are connected to the network.

Determining the Network Addressing Scheme

When working in a classful networking environment that uses fixed-length subnet masks, you can determine the entire network addressing scheme based on a single IP address and its corresponding subnet mask.

Eight Easy Steps for Determining Subnet Addresses (figure)

Example: IP address 192.168.221.37, subnet mask /29

Step 1: Write the octet that is being split in binary. Host octet: 37.
Host octet in binary: 00100101.
Step 2: Write the mask or classful prefix length in binary. Assigned mask: 255.255.255.248 (/29). Host octet of the mask in binary: 11111000.
Step 3: Draw a line to delineate the significant bits in the assigned IP address. Split octet (binary): 00100|101. Split mask (binary): 11111|000. Cross out the mask so you can view the significant bits in the IP address.

This figure shows the first three of eight steps that are used to determine the subnet addresses of a given IP address. In this example, the IP address and subnet mask are as follows:

- IP address: 192.168.221.37
- Subnet mask: 255.255.255.248

Eight Easy Steps for Determining Subnet Addresses, Example (cont.)

Step 4: Copy the significant bits four times: 00100|000 (network address), 00100|001 (first address in subnet), 00100|110 (last address in subnet), 00100|111 (broadcast address).
Step 5: In the first line, define the network address by placing all zeros in the nonsignificant bits.
Step 6: In the last line, define the broadcast address by placing all ones in the nonsignificant bits.
Step 7: In the middle lines, define the first and last host number.
Step 8: Increment the subnet bits by one: 00101|000 (next subnet).

Network address: 192.168.221.32
Subnet mask: 255.255.255.248
First host address: 192.168.221.33
Last host address: 192.168.221.38
Broadcast address: 192.168.221.39
Next subnet: 192.168.221.40

This figure shows the last five of eight steps that are used to determine the subnet addresses of a given IP address. When subnet addresses are defined, the host part includes two addresses that cannot be used for any host. The first address is all 0s in the host part of the address. All 0s define the subnet itself. The second address is all 1s in the host part of the address.
All 1s define the broadcast address on that subnet. After converting the addresses from binary to decimal, the addresses for the subnets are as follows:

- Network address: 192.168.221.32
- First host address: 192.168.221.33
- Last host address: 192.168.221.38
- Broadcast address: 192.168.221.39
- Next network address: 192.168.221.40

Notice that the range of the address block, including the subnet address and directed-broadcast address in this example, is from 192.168.221.32 through 192.168.221.39, which includes eight addresses. The address block is the same size as 2 raised to the number of host bits (2^h).

Class C Example

Given the address of 192.168.5.139 and knowing that the subnet mask is 255.255.255.224, the subnet mask in binary is 11111111.11111111.11111111.11100000, or /27.

Example: Applying a Subnet Mask for a Class C Address (figure)

IP address 192.168.5.139, subnet mask /27

IP address     11000000.10101000.00000101.10001011   192.168.5.139
Subnet mask    11111111.11111111.11111111.11100000   /27
Subnet         11000000.10101000.00000101.10000000   192.168.5.128
First host     11000000.10101000.00000101.10000001   192.168.5.129
Last host      11000000.10101000.00000101.10011110   192.168.5.158
Broadcast      11000000.10101000.00000101.10011111   192.168.5.159
Next subnet    11000000.10101000.00000101.10100000   192.168.5.160

Steps to Determine Class C Subnet Addresses

Step 1: Write down the octet that is being split in binary. Example: 10001011
Step 2: Write down the mask or classful prefix length in binary. Example: 11100000
Step 3: Draw a line to delineate the significant bits in the assigned IP address. Cross out the mask so that you can view the significant bits in the IP address. Example: 100|01011 and 111|00000
Step 4: Copy the significant bits 4 times.
Step 5: In the first line, define the network address by placing 0s in the remaining host bits. Example: 100|00000 (first subnet address)
Step 6: In the last line, define the directed-broadcast address by placing 1s in the host bits. Example: 100|11111 (broadcast address)
Step 7: In the middle lines, define the first and last host ID for this subnet. Example: 100|00001 (first host address), 100|11110 (last host address)
Step 8:
Increment the subnet bits by 1 to determine the next subnet address. Example: 101|00000 (next subnet address). Repeat Steps 4 through 8 for all subnets.

Subnet Addresses Table (Class C, /27)

| Subnet Number | Subnet ID     | Host Range                     | Broadcast Address |
|---------------|---------------|--------------------------------|-------------------|
| All 0s        | 192.168.5.0   | 192.168.5.1 to 192.168.5.30    | 192.168.5.31      |
| 1             | 192.168.5.32  | 192.168.5.33 to 192.168.5.62   | 192.168.5.63      |
| 2             | 192.168.5.64  | 192.168.5.65 to 192.168.5.94   | 192.168.5.95      |
| 3             | 192.168.5.96  | 192.168.5.97 to 192.168.5.126  | 192.168.5.127     |
| 4             | 192.168.5.128 | 192.168.5.129 to 192.168.5.158 | 192.168.5.159     |
| 5             | 192.168.5.160 | 192.168.5.161 to 192.168.5.190 | 192.168.5.191     |
| 6             | 192.168.5.192 | 192.168.5.193 to 192.168.5.222 | 192.168.5.223     |
| All 1s        | 192.168.5.224 | 192.168.5.225 to 192.168.5.254 | 192.168.5.255     |

Class B Example

Given the address of 172.16.139.46, and knowing that the subnet mask is 255.255.240.0 or /20, you can determine the subnet and host addresses for this network.

[Figure: Example: Applying a Subnet Mask for a Class B Address]
Address 172.16.139.46, subnet mask /20:
  10101100.00010000.10001011.00101110  172.16.139.46
  11111111.11111111.11110000.00000000  /20
  10101100.00010000.10000000.00000000  172.16.128.0 (subnet address)
  First host:   172.16.10000000.00000001 = 172.16.128.1
  Last host:    172.16.10001111.11111110 = 172.16.143.254
  Broadcast:    172.16.10001111.11111111 = 172.16.143.255
  Next network: 172.16.10010000.00000000 = 172.16.144.0

Steps to Determine Class B Subnet Addresses
Step 1: Write down the octet that is being split in binary. Example: 10001011
Step 2: Write down the mask or classful prefix length in binary. Example: 11110000
Step 3: Draw a line to delineate the significant bits in the assigned IP address. Cross out the mask so that you can view the significant bits in the IP address. Example: 1000|1011 and 1111|0000
Step 4: Copy the significant bits 4 times. Example: 1000|0000 (first subnet address)
Step 5:
In the first line, define the network address by placing 0s in the remaining host bits.
Step 6: In the last line, define the directed-broadcast address by placing 1s in the host bits.
Step 7: In the middle lines, define the first and last host ID for this subnet.
Example for Steps 5 through 7 (the remaining copies from Step 4):
  1000|0001 (first host address)
  1000|1110 (last host address)
  1000|1111 (broadcast address)
Step 8: Increment the subnet bits by 1 to determine the next subnet address. Example: 1001|0000 (next subnet address). Repeat Steps 4 through 8 for all subnets.

Subnet Addresses Table (Class B, /20)

| Subnet Number | Subnet ID    | Host Range                        | Broadcast      |
|---------------|--------------|-----------------------------------|----------------|
| All 0s        | 172.16.0.0   | 172.16.0.1 to 172.16.15.254       | 172.16.15.255  |
| 1             | 172.16.16.0  | 172.16.16.1 to 172.16.31.254      | 172.16.31.255  |
| 2             | 172.16.32.0  | 172.16.32.1 to 172.16.47.254      | 172.16.47.255  |
| Subnet numbers 3 through 12 |  |                                 |                |
| 13            | 172.16.208.0 | 172.16.208.1 to 172.16.223.254    | 172.16.223.255 |
| 14            | 172.16.224.0 | 172.16.224.1 to 172.16.239.254    | 172.16.239.255 |
| All 1s        | 172.16.240.0 | 172.16.240.1 to 172.16.255.254    | 172.16.255.255 |

Class A Example

Given the address of 10.172.16.211 and knowing that the subnet mask is /18, you can determine the subnet and host addresses for this network.

[Figure: Example: Applying a Subnet Mask for a Class A Address]
IP address 10.172.16.211, subnet mask /18:
  00001010.10101100.00010000.11010011  10.172.16.211
  11111111.11111111.11000000.00000000  /18
  00001010.10101100.00000000.00000000  10.172.0.0 (subnet address)
  First host:   10.172.00000000.00000001 = 10.172.0.1
  Last host:    10.172.00111111.11111110 = 10.172.63.254
  Broadcast:    10.172.00111111.11111111 = 10.172.63.255
  Next network: 10.172.01000000.00000000 = 10.172.64.0

Steps to Determine Class A Subnet Addresses
Step 1: Write down the octet that is being split in binary. Example: 00010000
Step 2: Write down the mask or classful prefix length in binary. Example: 11000000
Step 3: Draw a line to delineate the significant bits in the assigned IP address. Cross out the mask so that you can view the significant bits in the IP address. Example: 00|010000 and 11|000000
Step 4: Copy the significant bits 4 times. Example: 00|000000 (first subnet address)
Step 5:
In the first line, define the network address by placing 0s in the remaining host bits.
Step 6: In the last line, define the directed-broadcast address by placing 1s in the host bits.
Step 7: In the middle lines, define the first and last host ID for this subnet.
Example for Steps 5 through 7 (the remaining copies from Step 4):
  00|000001 (first host address)
  00|111110 (last host address)
  00|111111 (broadcast address)
Step 8: Increment the subnet bits by 1 to determine the next subnet address. Example: 01|000000 (next subnet address). Repeat Steps 4 through 8 for all subnets.

Subnet Addresses Table (Class A, /18)

| Subnet Number | Subnet ID    | Host Range                          | Broadcast      |
|---------------|--------------|-------------------------------------|----------------|
| All 0s        | 10.0.0.0     | 10.0.0.1 to 10.0.63.254             | 10.0.63.255    |
| 1             | 10.0.64.0    | 10.0.64.1 to 10.0.127.254           | 10.0.127.255   |
| 2             | 10.0.128.0   | 10.0.128.1 to 10.0.191.254          | 10.0.191.255   |
| Subnet numbers 3 through 1020 | |                                   |                |
| 1021          | 10.255.64.0  | 10.255.64.1 to 10.255.127.254       | 10.255.127.255 |
| 1022          | 10.255.128.0 | 10.255.128.1 to 10.255.191.254      | 10.255.191.255 |
| All 1s        | 10.255.192.0 | 10.255.192.1 to 10.255.255.254      | 10.255.255.255 |

Summary

This topic summarizes the key points that were discussed in this lesson.
* Networks, particularly large networks, are often divided into smaller subnetworks, or subnets. Subnets can improve network performance and control.
* A subnet address extends the network portion. A subnet address is created by borrowing bits from the original host portion and designating them as the subnet field.
* Determining the optimal number of subnets and hosts depends on the type of network and the number of host addresses that are required.
* End systems use subnet masks to compare the network portion of the local network addresses with the destination addresses of the packets to be sent.
* Routers use subnet masks to determine if the network portion of an IP address is in the corresponding routing table or if the packet needs to be sent to the next router.
* Subnet masks are usually represented in the dotted decimal notation, like IP addresses. In their binary representation, subnet masks have all 1s in the network and subnetwork portions and all 0s in the host portion.
* Follow these steps to determine the subnetwork and host addresses using a subnet mask:
  1. Write the octet being split in binary.
  2. Write the mask in binary and draw a line to delineate the significant bits.
  3. Cross out the mask so you can view the significant bits.
  4. Copy the subnet bits four times.
  5. Define the network address by placing all zeroes in the host bits.
  6. Define the broadcast address by placing all ones in the host bits.
  7. Define the first and last host numbers.
  8. Increment the subnet bits by one.

Lesson 3: Exploring the Packet Delivery Process

Overview

Understanding the packet delivery process is a fundamental part of understanding Cisco networking devices. You must understand host-to-host communications and routers in order to administer a network. This lesson describes host-to-host communications through a router.

Objectives

Upon completing this lesson, you will be able to describe how a host-to-host connection is made and maintained. This ability includes being able to meet these objectives:
* Describe Layer 2 addressing
* Describe Layer 3 addressing
* Describe host-to-host packet delivery
* Describe the use of the show ip arp command
* Describe the use of common Cisco IOS tools to verify connectivity

Layer 2 Addressing

Host-to-host communications require Layer 2 addresses.
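The eight subnetting steps summarized in the previous lesson, implemented in Python as an added example that is not part of the Cisco student guide. It works on that lesson's own Class C, B and A addresses, rejects non-contiguous masks and /31 or /32 prefixes (which leave no room for the all-0s and all-1s convention), and enumerates the full Subnet Addresses Table for a classful network; all function and type names are this example's own.

```python
from dataclasses import dataclass
from typing import Iterator, Tuple

@dataclass(frozen=True)
class Subnet:
    network: str      # Step 5: subnet bits followed by all 0s in the host bits
    first_host: str   # Step 7: host bits 0...01
    last_host: str    # Step 7: host bits 1...10
    broadcast: str    # Step 6: all 1s in the host bits
    next_subnet: str  # Step 8: subnet bits incremented by one

def ip_to_int(ip: str) -> int:
    """Dotted decimal to a 32-bit integer, rejecting malformed input."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"malformed IPv4 address: {ip!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_from_prefix(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def prefix_from_mask(mask: str) -> int:
    """255.255.255.248 -> 29; a mask whose 1s are not contiguous is rejected."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if mask_from_prefix(prefix) != m:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix

def split_octet(ip: str, prefix: int) -> Tuple[str, str]:
    """Steps 1 to 3: the octet being split and the mask octet in binary,
    with a '|' drawn after the last significant (network plus subnet) bit."""
    if prefix == 0:
        raise ValueError("a /0 prefix splits no octet")
    index = (prefix - 1) // 8          # octet that holds the last mask bit
    significant = prefix - 8 * index   # mask bits inside that octet
    shift = 24 - 8 * index
    octet = f"{(ip_to_int(ip) >> shift) & 0xFF:08b}"
    mask_octet = f"{(mask_from_prefix(prefix) >> shift) & 0xFF:08b}"
    return (octet[:significant] + "|" + octet[significant:],
            mask_octet[:significant] + "|" + mask_octet[significant:])

def subnet_of(ip: str, prefix: int) -> Subnet:
    """Steps 4 to 8 for the subnet that contains ip."""
    host_bits = 32 - prefix
    if host_bits < 2:
        # /31 and /32 leave no room for the all-0s and all-1s convention
        raise ValueError("need at least two host bits for network and broadcast")
    network = ip_to_int(ip) & mask_from_prefix(prefix)
    broadcast = network | ((1 << host_bits) - 1)
    nxt = network + (1 << host_bits)
    return Subnet(
        network=int_to_ip(network),
        first_host=int_to_ip(network + 1),
        last_host=int_to_ip(broadcast - 1),
        broadcast=int_to_ip(broadcast),
        next_subnet=int_to_ip(nxt) if nxt <= 0xFFFFFFFF else "none (end of address space)",
    )

def classful_prefix(ip: str) -> int:
    """Default prefix from the first octet: Class A /8, B /16, C /24."""
    first = ip_to_int(ip) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("Class D and E addresses have no classful host portion")

def classful_subnets(ip: str, prefix: int) -> Iterator[Subnet]:
    """The Subnet Addresses Table: every subnet of the classful network that
    contains ip, in order; the first row is 'all 0s', the last is 'all 1s'."""
    base = classful_prefix(ip)
    if prefix <= base:
        raise ValueError("the prefix must borrow at least one host bit")
    start = ip_to_int(ip) & mask_from_prefix(base)
    for n in range(1 << (prefix - base)):
        yield subnet_of(int_to_ip(start + (n << (32 - prefix))), prefix)
```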
This topic describes Layer 2 addressing in the host-to-host communications model.

[Figure: Layer 2 Addressing]
* MAC addresses are assigned to hosts and network devices that provide a Layer 2 function.
* Hosts and network devices maintain a MAC address table.

MAC addresses are assigned to end devices such as hosts. The physical interfaces on a router provide a Layer 2 function and are also assigned a MAC address. Each host and network device that provides a Layer 2 function maintains a MAC address table.

Layer 3 Addressing

This topic describes Layer 3 addressing in the host-to-host communications model.

[Figure: Layer 3 Addressing]
* Layer 3 addresses are assigned to hosts and network devices that provide a Layer 3 function.
* Network devices maintain a Layer 3 address table.

Layer 3 addresses are assigned to end devices such as hosts and to network devices that provide Layer 3 functions. The router has its own Layer 3 address on each interface. Each network device that provides a Layer 3 function maintains a Layer 3 address table.

Host-to-Host Packet Delivery

The steps to deliver an IP packet over a routed network are like the steps to send a letter through a postal delivery service. This topic describes the process of delivering an IP packet.

[Figure: Host-to-Host Packet Delivery (1 of 17)]

There are a number of steps that are involved in delivering an IP packet over a routed network. The host sends any packet that is not destined for the local IP network to the default gateway.
The default gateway is the address of the local router, which must be configured on hosts (PCs, servers, and so on).

[Figure: Host-to-Host Packet Delivery (2 of 17)]

In this example, host 192.168.3.1 has data that it wants to send to host 192.168.4.2. The application does not need a reliable connection, so User Datagram Protocol (UDP) is selected. Because it is not necessary to set up a session, the application can start sending data. UDP prepends a UDP header and passes the protocol data unit (PDU) to IP (Layer 3) with an instruction to send the PDU to 192.168.4.2. IP encapsulates the PDU in a Layer 3 packet and passes it to Layer 2.

[Figure: Host-to-Host Packet Delivery (3 of 17)]

Layer 2 checks for the mapping between the Layer 2 and Layer 3 addresses. The corresponding mapping does not exist, and the Address Resolution Protocol (ARP) holds the packet while it resolves the Layer 2 address.

[Figure: Host-to-Host Packet Delivery (4 of 17)]

To send the packet over the line, the host needs the Layer 2 information of the next-hop device. The ARP table in the host does not have an entry and must resolve the Layer 2 address (MAC address) of the default gateway. The default gateway is the next hop for the packet delivery. The packet waits while the host resolves the Layer 2 information.

[Figure: Host-to-Host Packet Delivery (5 of 17)]

This example differs from the previous examples.
The two hosts are on different segments: 192.168.3.0/24 and 192.168.4.0/24. Because the host is not running a routing protocol, it does not know how to reach the other segment. It must send the frame to its default gateway, where the frame can be forwarded. If the host does not have a mapping for the default gateway, the host uses the standard ARP process to obtain the mapping. The host sends an ARP request to the router.

[Figure: Host-to-Host Packet Delivery (6 of 17)]
Router: "I just received an ARP request. Let me add host 192.168.3.1 to my ARP table with a MAC address of 0800:0222:2222."

The user has programmed the IP address of 192.168.3.2 as the default gateway. Host 192.168.3.1 sends out the ARP request, and the router receives it. The ARP request contains information about the host, and the router adds the information to its ARP table.

[Figure: Host-to-Host Packet Delivery (7 of 17)]
Router: "I'll send an ARP reply that I am 192.168.3.2 with a MAC of 0800:0333:2222."

The router processes the ARP request like any other host, and sends the ARP reply with its own information.

[Figure: Host-to-Host Packet Delivery (8 of 17)]

The host receives an ARP reply to the ARP request and enters the information in its local ARP table.

[Figure: Host-to-Host Packet Delivery (9 of 17)]

Now the Layer 2 frame with the application data can be sent to the default gateway.
Note that the ARP reports a mapping of the destination IP address (192.168.4.2) to the MAC address of the default gateway instead of the actual destination MAC address.

[Figure: Host-to-Host Packet Delivery (10 of 17)]
Router L2: "I received a frame with my MAC address." Router L3: "This isn't my IP address; routing process, forward this packet."

The pending frame is sent with the local host IP address and MAC address as the source. However, the destination IP address is that of the remote host, but the destination MAC address is that of the default gateway. The router receives the frame and must decide where to send the data.

[Figure: Host-to-Host Packet Delivery (11 of 17), with the router's routing table (Destination, Next Hop, Interface) showing 192.168.3.0/24 and 192.168.4.0/24 as directly connected]

When the frame is received by the router, the router recognizes its MAC address and processes the frame. At Layer 3, the router sees that the destination IP address is not its address. A host Layer 3 device would discard the frame. However, because this device is a router, it passes all packets that are for unknown destinations to the routing process. The routing process will determine where to send the packet.

[Figure: Host-to-Host Packet Delivery (12 of 17)]
Router L3: "I have an interface on the 192.168.4.0/24 segment. I can forward this packet directly to the host."

The routing process looks up the destination IP address in its routing table. In this example, the destination segment is directly connected.
Because of this functionality, the routing process can pass the packet directly to Layer 2 for the appropriate interface.

[Figure: Host-to-Host Packet Delivery (13 of 17)]
ARP: "The ARP request will say that I am 192.168.4.1. Are you 192.168.4.2?"

Layer 2 will use the ARP process to obtain the mapping for the IP address and the MAC address. The router asks for the Layer 2 information in the same way as hosts. An ARP request for the destination Layer 3 address is sent to the link.

[Figure: Host-to-Host Packet Delivery (14 of 17)]

The destination receives and processes the ARP request.

[Figure: Host-to-Host Packet Delivery (15 of 17)]

The host receives the frame that contains the ARP request and passes the request to the ARP process. The ARP process takes the information about the router from the ARP request and places the information in its local ARP table. The ARP process generates the ARP reply and sends it back to the router.

[Figure: Host-to-Host Packet Delivery (16 of 17)]
Router ARP: "I just got an ARP reply from 192.168.4.2. Let me add its IP and MAC to my ARP table. Now I have a mapping; I can give Layer 2 a mapping for 192.168.4.2."

The router receives the ARP reply and takes the information that is required for forwarding the packet to the next hop. The router populates its local ARP table and starts the packet forwarding process.
[Figure: Host-to-Host Packet Delivery (17 of 17)]
Router L2: "I can send out that pending packet."

The frame is forwarded to the destination.

Using the show ip arp Command

This topic describes the use of the show ip arp command.

* Verify the content of the ARP table.

To display the ARP cache (the ARP table), use the show ip arp EXEC command as follows:

show ip arp [ip-address] [host-name] [mac-address] [interface type number]

Syntax Description

| Keyword or argument   | Description |
|-----------------------|-------------|
| ip-address            | (Optional) ARP entries matching this IP address are displayed. |
| host-name             | (Optional) Hostname. |
| mac-address           | (Optional) 48-bit MAC address. |
| interface type number | (Optional) ARP entries that are learned via this interface type and number are displayed. |

Usage Guidelines

ARP establishes correspondence between network addresses (an IP address, for example) and LAN hardware addresses (Ethernet addresses). A record of each correspondence is kept in a cache for a predetermined amount of time and then discarded. The table describes the following sample output from the show ip arp command:

RouterX#show ip arp
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  192.168.6020  -          0800.0222.1111  ARPA

| Field         | Description |
|---------------|-------------|
| Protocol      | The protocol for the network address in the Address field. |
| Address       | The network address that corresponds to the hardware address. |
| Age (min)     | The age in minutes of the cache entry. A hyphen (-) means that the address is local. |
| Hardware Addr | The LAN hardware address of a MAC address that corresponds to the network address. |
| Type          | Indicates the encapsulation type that Cisco IOS Software is using in the network address in this entry. |
| (Type, cont.) | Possible values include the following: Advanced Research Projects Agency (ARPA); Subnetwork Access Protocol (SNAP); Session Announcement Protocol (SAP). |
| Interface     | Indicates the interface that is associated with this network address. |

For more details about the show ip arp command, refer to Cisco IOS IP Addressing Services Command Reference on the following link: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html

Using Common Cisco IOS Tools

This topic describes the use of common Cisco IOS tools to verify connectivity.

The ping Command

[Figure: RouterX and a neighboring router; RouterX checks connectivity to IP address 10.0.0.2]
* To diagnose basic network connectivity, use the ping command in user EXEC or privileged EXEC mode.
* Check the connectivity to IP address 10.0.0.2.

To diagnose basic network connectivity, you can use the ping command in user EXEC or privileged EXEC mode as follows:

ping [protocol {host-name | system-address}]

Syntax Description

| Keyword or argument | Description |
|---------------------|-------------|
| protocol            | (Optional) Protocol keyword, either appletalk, atm, clns, decnet, ipx, or srb. If a specific protocol is not specified, a basic ping will be sent using IP version 4 (IPv4). |
| host-name           | Hostname of the system to ping. If a host-name or system-address is not specified at the command line, it will be required in the ping system dialog. |
| system-address      | Address of the system to ping. If a host-name or system-address is not specified at the command line, it will be required in the ping system dialog. |

This example represents a simple network with two routers. The RouterX router uses the ping 10.0.0.2 command to check the reachability of the neighboring router interface. By default, five Internet Control Message Protocol (ICMP) packets are sent and five replies are required for a perfectly successful test. The RouterX router receives all five replies.
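The 17-step host-to-host delivery walkthrough and the show ip arp table described earlier in this lesson, as an added Python simulation that is not from the Cisco student guide: two hosts on 192.168.3.0/24 and 192.168.4.0/24 joined by one router, ARP on both segments, Layer 2 addresses rewritten at the router while the Layer 3 addresses stay unchanged, and an unanswered ARP request surfacing as a dropped packet. The IP addresses and the two MACs named in the lesson text are the lesson's; the MACs of the router's 192.168.4.1 interface and of host 192.168.4.2 are assumed, and show_ip_arp, Segment, Node, Host and Router are this example's own names.

```python
from collections import namedtuple
from typing import Dict, List, Optional

Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip payload")
Interface = namedtuple("Interface", "ip prefix mac segment")

def ip_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def same_subnet(ip1: str, ip2: str, prefix: int) -> bool:
    """End-system test from the subnetting lesson: AND both addresses with the mask."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ip_int(ip1) & mask == ip_int(ip2) & mask

class Segment:
    """One LAN: floods ARP requests to every attached node, delivers frames by MAC."""
    def __init__(self) -> None:
        self.nodes: List["Node"] = []

    def arp_resolve(self, asker: "Node", asker_ip: str, asker_mac: str, target_ip: str) -> Optional[str]:
        for node in self.nodes:
            if node is not asker:
                reply = node.on_arp_request(asker_ip, asker_mac, target_ip)
                if reply:
                    return reply
        return None  # nobody owns target_ip on this wire

    def send(self, frame: Frame) -> None:
        for node in self.nodes:
            for iface in node.ifaces:
                if iface.mac == frame.dst_mac:
                    node.on_frame(frame, iface)

class Node:
    """ARP behaviour shared by hosts and the router."""
    def __init__(self, name: str, ifaces: List[Interface]) -> None:
        self.name, self.ifaces = name, ifaces
        self.arp: Dict[str, str] = {}  # ip -> mac learned from ARP
        self.log: List[str] = []
        for iface in ifaces:
            iface.segment.nodes.append(self)

    def on_arp_request(self, asker_ip: str, asker_mac: str, target_ip: str) -> Optional[str]:
        # Steps 6 and 15: the target learns the requester from the request, then answers
        for iface in self.ifaces:
            if iface.ip == target_ip:
                self.arp[asker_ip] = asker_mac
                self.log.append(f"{self.name}: learned {asker_ip} -> {asker_mac} from ARP request")
                return iface.mac
        return None

    def resolve(self, iface: Interface, next_hop: str) -> str:
        if next_hop not in self.arp:  # steps 4 to 8 (host) and 13 to 16 (router)
            mac = iface.segment.arp_resolve(self, iface.ip, iface.mac, next_hop)
            if mac is None:
                raise LookupError(f"{self.name}: no ARP reply for {next_hop}, packet dropped")
            self.arp[next_hop] = mac
            self.log.append(f"{self.name}: learned {next_hop} -> {mac} from ARP reply")
        return self.arp[next_hop]

class Host(Node):
    def __init__(self, name: str, ip: str, prefix: int, mac: str, segment: Segment, gateway: str) -> None:
        super().__init__(name, [Interface(ip, prefix, mac, segment)])
        self.gateway, self.received = gateway, []

    def send(self, dst_ip: str, payload: str) -> None:
        iface = self.ifaces[0]
        # Off-subnet destinations are sent to the default gateway (step 1)
        next_hop = dst_ip if same_subnet(iface.ip, dst_ip, iface.prefix) else self.gateway
        iface.segment.send(Frame(iface.mac, self.resolve(iface, next_hop), iface.ip, dst_ip, payload))

    def on_frame(self, frame: Frame, iface: Interface) -> None:
        self.received.append(frame)

class Router(Node):
    def on_frame(self, frame: Frame, in_iface: Interface) -> None:
        if any(frame.dst_ip ==i.ip for i in self.ifaces):
            return  # addressed to the router itself; nothing to forward
        for out in self.ifaces:  # routing lookup; only connected routes exist here (step 12)
            if same_subnet(out.ip, frame.dst_ip, out.prefix):
                dst_mac = self.resolve(out, frame.dst_ip)
                # Layer 2 addresses are rewritten for this hop; Layer 3 addresses are not
                out.segment.send(Frame(out.mac, dst_mac, frame.src_ip, frame.dst_ip, frame.payload))
                return
        self.log.append(f"{self.name}: no route to {frame.dst_ip}, dropped")

def show_ip_arp(node: Node) -> List[str]:
    """Rows in the show ip arp layout; age '-' marks the node's own addresses."""
    rows = ["Protocol  Address          Age (min)  Hardware Addr   Type"]
    for i in node.ifaces:
        rows.append(f"Internet  {i.ip:<16} -          {i.mac:<15} ARPA")
    for ip, mac in sorted(node.arp.items()):
        rows.append(f"Internet  {ip:<16} 0          {mac:<15} ARPA")
    return rows

def build_lab():
    """The lesson's topology. Two MACs are assumed (not legible in the figures)."""
    seg3, seg4 = Segment(), Segment()
    router = Router("Router", [Interface("192.168.3.2", 24, "0800.0333.2222", seg3),
                               Interface("192.168.4.1", 24, "0800.0333.1111", seg4)])  # 4.1 MAC assumed
    host_a = Host("HostA", "192.168.3.1", 24, "0800.0222.2222", seg3, "192.168.3.2")
    host_b = Host("HostB", "192.168.4.2", 24, "0800.0222.1111", seg4, "192.168.4.1")  # MAC assumed
    return host_a, host_b, router
```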
The following ping command output represents a perfectly successful test:

RouterX#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

For more details about the ping command, refer to Cisco IOS Configuration Fundamentals Command Reference on the following link: http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html

The traceroute Command

[Figure: RouterX and three further routers; RouterX checks the route to IP address 192.168.1.4]
* Use the traceroute command to discover the routes that packets actually take.
* Check the route to IP address 192.168.1.4.

To determine the routes that packets will actually take when traveling to their destination address, you can use the traceroute command in user EXEC or privileged EXEC mode as follows:

traceroute [vrf vrf-name] [protocol] destination

Syntax Description

| Keyword or argument | Description |
|---------------------|-------------|
| protocol            | (Optional) Protocol keyword, either appletalk, clns, ip, ipv6, ipx, oldvines, or vines. When not specified, the protocol argument is based on an examination by the software of the format of the destination argument. |
| destination         | (Optional in privileged EXEC mode; required in user EXEC mode) The destination address or hostname for which you want to trace the route. The software determines the default parameters for the appropriate protocol and the tracing action begins. |

This example represents a network with four routers. The RouterX router uses the traceroute 192.168.1.4 command to verify the path that packets will take to the RouterW router. The RouterX router receives replies from all the hops.
The following traceroute command output represents the path from RouterX to RouterW:

RouterX#traceroute 192.168.1.4
Type escape sequence to abort.
Tracing the route to 192.168.1.4
  1 10.1.1.2 4 msec 4 msec 4 msec
  2 172.16.1.3 20 msec 16 msec 16 msec
  3 192.168.1.4 16 msec * 2

For more details about the traceroute command, refer to Cisco IOS Configuration Fundamentals Command Reference on the following link: http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html

Summary

This topic summarizes the key points that were discussed in this lesson.
* The physical interfaces on a router provide a Layer 2 function and are assigned a MAC address.
* Layer 3 addresses are assigned to end devices such as hosts and to network devices that provide a Layer 3 function.
* If the hosts are not on the same segment, the frame is sent to the default gateway. A router will change the Layer 2 address as needed, but will not change the Layer 3 address.
* The show ip arp command displays the mapping between network addresses and MAC addresses that the router has learned.
* Common Cisco IOS Software connectivity tools include ping and traceroute.

Lesson 4: Starting a Cisco Router

Overview

A Cisco router goes through its startup procedure when it is first turned on and there is no saved configuration. When the startup is complete, you can enter the initial software configuration. Recognizing correct router startup is the first step in installing a Cisco router. The router must start successfully and have a valid configuration to operate on the network. This lesson describes how the router starts and how to verify its initial operation.
Objectives

Upon completing this lesson, you will be able to start a Cisco IOS router and use command-line interface (CLI) commands to configure and monitor the Cisco router. This ability includes being able to meet these objectives:
* Start a Cisco router
* Start the initial setup process for a Cisco router
* Log in to a Cisco router
* Show the hardware and software status of a Cisco router

Initial Startup of a Cisco Router

The startup of a Cisco router requires verifying the physical installation, powering up the router, and viewing the Cisco IOS Software output on the console. This topic describes the initial startup of Cisco routers.

[Figure: Initial Startup of the Cisco Router]
* System startup routines initiate the router software.
* The router falls back to startup alternatives if needed.
1. Before you start the router, verify the power, cabling, and console connection.
2. Push the power switch to "on".
3. Observe the boot sequence: Cisco IOS Software output text appears on the console.

To start router operations, the router completes the following tasks:
* Runs the power-on self-test (POST) to test the hardware.
* Finds and loads the Cisco IOS Software that the router uses for its operating system.
* Finds and applies the configuration statements about router-specific attributes, protocol functions, and interface addresses.

When a Cisco router powers up, it performs a POST. During the POST, the router executes diagnostics to verify the basic operation of the CPU, memory, and interface circuitry. After verifying the hardware functions, the router proceeds with the software initialization. During the software initialization, the router finds and loads the Cisco IOS image. When the Cisco IOS image is loaded, the router finds and loads the configuration file, if one exists.

This table lists the steps that are required for the initial startup of a Cisco router.
Startup of Cisco Routers

| Step | Action |
|------|--------|
| 1    | Before starting the router, verify the following: all network cable connections are secure; your terminal is connected to the console port; your console terminal application, such as HyperTerminal, is selected. |
| 2    | Push the power switch to "on". |
| 3    | The Cisco IOS Software output text appears on the console. Observe the boot sequence of the router on the console. |

Initial Setup of a Cisco Router

When the router starts, it looks for a device configuration file. If it does not find one, the router executes a question-driven initial configuration routine called "setup." This topic describes the initial command-line output and explains how to complete the setup dialog.

[Figure: Bootup Output from the Router]
  Press RETURN to get started.
  RouterX>                                               (user-mode prompt)
* A configured router with an existing configuration enters the user-mode prompt.
  --- System Configuration Dialog ---
  Continue with configuration dialog? [yes/no]: yes
* An unconfigured router without a configuration enters the system configuration dialog.

After a router completes the POST and loads a Cisco IOS image, it looks for a device configuration file in its NVRAM. The NVRAM of the router is a type of memory that retains its contents even when power is turned off. If the router has a configuration file in NVRAM, the user-mode prompt appears. This figure shows the RouterX> prompt.

When starting a new Cisco router or when starting a Cisco router without a configuration in NVRAM, there will be no configuration file. If no valid configuration file exists in NVRAM, the operating system executes a question-driven initial configuration routine that is referred to as the system configuration dialog or setup mode. Setup mode is not intended for entering complex protocol features in the router. Use setup mode to bring up a minimal configuration.
Rather than using setup mode, you can use various other configuration modes to configure the router.

Setup Script Review and Use

* Depending on the software revision, this text may appear, or the router will ask if the configuration that was created can be used.

When using the setup mode and after you complete the configuration process for all of the installed interfaces on the router, the setup command shows the configuration command script that was created. Depending on the software revision, the router asks if the configuration that was created can be used, or the setup command offers the following three choices:
* [0]: Go to the EXEC prompt without saving the created configuration.
* [1]: Go back to the beginning of the setup without saving the created configuration.
* [2]: Accept the created configuration, save it to NVRAM, and exit to the EXEC mode.

If you choose [2], the configuration is executed and saved to NVRAM, and the system is ready to use. To modify the configuration, you must reconfigure it manually. The script file that is generated by the setup command is additive. You can turn on features with the setup command, but not off. In addition, the setup command does not support many of the advanced features of the router or those features that require a more complex configuration.

For more details about the setup command, refer to Cisco IOS Configuration Fundamentals Command Reference on the following link: http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html

Logging into the Cisco Router

When you configure a Cisco router from the CLI on a console or remote terminal, Cisco IOS Software provides an interpreter that is called the EXEC. The EXEC interprets the commands that are entered and carries out the corresponding operations.
This topic describes how to log in to a Cisco router to begin the initial configuration.

[Figure: Logging into the Cisco Router, showing the user-mode prompt and the privileged-mode prompt]
* The user-mode prompt gives you a subset of the commands that are available in the privileged-mode prompt.
* A password can be required when changing to the privileged-mode prompt, if it is configured.

After you have configured a Cisco router from the setup utility, you can reconfigure it or add to the configuration from the user interface that runs on the router console or auxiliary port. You can also configure a Cisco router by using a remote-access application such as SSH. The Cisco IOS Software command interpreter, the EXEC, interprets the commands that are entered and carries out the corresponding operations. You must log in to the router before entering an EXEC command.

For security purposes, the EXEC has two levels of access to commands:
* User mode: Typical tasks include checking the router status.
* Privileged mode: Typical tasks include changing the router configuration.

When you first log in to the router, a user-mode prompt is displayed. The EXEC commands that are available in user mode are a subset of the EXEC commands that are available in privileged mode. These commands provide a means to display information without changing the configuration settings of the router. To access the complete set of commands, you must enable the privileged mode with the enable command and supply the enable password, if it is configured.

Note: The enable password is displayed in cleartext by using the show run command. The secret password is encrypted, so it is not displayed in cleartext. If both the enable and secret passwords are configured, the secret password overrides the enable password.

The EXEC prompt is displayed as a pound sign (#) while in privileged mode.
From the privileged level, you can access global configuration mode and the other specific configuration modes, such as interface, subinterface, line, router, route-map, and several others. Use the disable command to return to the user EXEC mode from the privileged EXEC mode. Use the exit or logout command to end the current session.

Router User-Mode Command List

- You can abbreviate a command to the fewest characters that make a unique character string.
- Enter the ? command at the user prompt to show the commands that are available at that prompt.

[Figure: sample output of the ? command at the user-mode prompt, listing commands such as access-profile (Apply user-profile to interface), clear (Reset functions), disable, help, login (Log in as a particular user), logout (Exit from the EXEC), and others, ending with --More--]

Enter a question mark (?) at the user-mode prompt or at the privileged-mode prompt to display a list of the commands that are available in the current mode.

Note: The available commands vary with different Cisco IOS Software versions.

Notice "--More--" at the bottom of the sample display. This output indicates that multiple screens of output are available. You can perform any of the following tasks:

- Press the Spacebar to display the next available screen.
- Press the Enter key to display the next line.
- Press any other key to return to the prompt.

Router Privileged-Mode Command List

- You can complete a command string by entering the unique character string and then pressing the Tab key.
- Enter the ? command at the prompt to show the commands that are available at that prompt.

[Figure: sample output of the ? command at the privileged-mode prompt, listing commands with their descriptions, for example "Create a temporary Access List entry", "Change current directory", "Copy from one file to another", and "Debugging functions"]

Enter the enable user-mode command to access the privileged EXEC mode.
Normally, if an enable password has been configured, you must also enter the enable password before you can access the privileged EXEC mode. Enter the ? command at the privileged-mode prompt to display a list of the available privileged EXEC commands, as shown in the figure.

Note: The available commands vary with different Cisco IOS Software versions.

Showing the Router Initial Startup Status

After logging in to a Cisco router, you can verify the router hardware and software status by using the following router status commands: show version, show running-config, and show startup-config. This topic describes the router status commands.

show version Command

[Figure: output of the RouterX#show version command, including the Cisco IOS Software version, the system bootstrap version, the interfaces detected, and the memory sizes]

Use the show version EXEC command to display the configuration of the system hardware, the software version, the memory size, and the configuration register setting. In the example in the figure, the RAM is assigned with 249,856 KB available for main memory and 12,288 KB available for I/O memory (shared by all of the interfaces). The I/O memory is used for holding packets while they are in the process of being routed. The router has two Fast Ethernet interfaces and two serial interfaces. This output is useful for confirming that the expected interfaces are recognized at startup and are functioning from a hardware perspective. The router has 239 KB used for startup configuration storage in the NVRAM and 62,720 KB of flash storage for the Cisco IOS Software image.

The show version command displays information about the currently loaded software version, along with hardware and device information.
Some of the information that is shown by this command is as follows:

- Software version: Cisco IOS Software version (stored in flash)
- Bootstrap version: Bootstrap version (stored in boot ROM)
- System uptime: Time since the last reboot
- System restart info: Method of restart (such as power cycle or crash)
- Software image name: Cisco IOS filename that is stored in flash
- Router type and processor type: Router model number and processor type
- Memory type and allocation (shared and main): Main processor RAM and shared packet I/O buffering
- Software features: Supported protocols or feature sets
- Hardware interfaces: Interfaces that are available on the router
- Configuration register: Sets bootup specifications, console speed setting, and related parameters

The show running-config command, which is used in privileged EXEC mode, displays the current running configuration that is stored in RAM. With a few exceptions, all configuration commands that were entered are placed in the running-config and implemented immediately by Cisco IOS Software.

The show startup-config command displays the startup configuration file that is stored in NVRAM. This is the configuration that the router will use on the next reboot. This configuration does not change unless the current running configuration is saved to NVRAM.

For more details about the show version, show running-config, and show startup-config commands, refer to the Cisco IOS Configuration Fundamentals Command Reference at the following link:
http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html

Summary

This topic summarizes the key points that were discussed in this lesson.
Summary

- The Cisco router startup sequence is similar to the startup sequence of the Cisco Catalyst switch. After performing POST, the router finds and loads the Cisco IOS image, and finally finds and loads the device configuration file.
- When starting a new Cisco router or a Cisco router without a configuration in NVRAM, the operating system executes a question-driven initial configuration routine, referred to as the system configuration dialog, or setup mode.
- Use the enable command to access the privileged EXEC mode from the user EXEC mode.
- After logging in to a Cisco router, you can verify the initial startup status of the router by using the router status commands: show version, show running-config, and show startup-config.

Lesson 5

Configuring a Cisco Router

Overview

When the hardware installation is complete and the Cisco router has the initial configuration, you can begin configuring the router for a specific internetwork. You must be familiar with the Cisco IOS command-line interface (CLI), its modes, and its operation before configuring more advanced features such as IP routing. This lesson describes how to implement a basic configuration for a Cisco router.

Objectives

Upon completing this lesson, you will be able to implement a basic configuration for a Cisco router. This ability includes being able to meet these objectives:

- Describe the router configuration modes
- Configure a router from the CLI
- Configure router interfaces
- Configure a router IP address
- Verify the router interface configuration

Cisco Router Configuration Modes

From privileged EXEC mode, you can enter global configuration mode, which provides access to the specific router configuration modes. This topic describes the router configuration modes
and how to save a configuration.

Overview of Router Modes

[Figure: the router modes and their prompts: user EXEC mode (Router>), privileged EXEC mode (Router#, entered with enable), global configuration mode (Router(config)#, entered with configure terminal), and the specific configuration modes such as interface configuration mode (Router(config-if)#)]

The first step in configuring a Cisco router is to use the setup utility. The setup utility allows you to create a basic initial configuration. For more complex and specific configurations, you can use the CLI to enter terminal configuration mode.

After the basic initial configuration or after a successful login procedure, the router displays the user EXEC mode prompt. In user EXEC mode, the network engineer has a limited set of available commands. In order to start the router configuration, the network engineer must enter the privileged EXEC mode. The enable command is used to enter the privileged EXEC mode. From the privileged EXEC mode, you can enter the global configuration mode with the configure terminal command.

From global configuration mode, you can access the specific configuration modes, which include the following:

- Interface: Supports commands that configure operations on a per-interface basis.
- Subinterface: Supports commands that configure multiple virtual interfaces on a single physical interface.
- Controller: Supports commands that configure controllers (for example, E1 and T1 controllers).
- Line: Supports commands that configure the operation of a terminal line (for example, the console or the vty ports).
- Router: Supports commands that configure an IP routing protocol.

If you enter the exit command, the router will go back one level.
You can enter the exit command from one of the specific configuration modes to return to global configuration mode. Press Ctrl-Z to leave the configuration mode completely and return the router to the privileged EXEC mode.

In terminal configuration mode, an incremental compiler is used. Each configuration command that is entered is parsed as soon as the Enter key is pressed. If there are no syntax errors, the command is executed and stored in the running configuration, and it is effective immediately.

Commands that affect the entire router are called global commands. The hostname and enable password commands are examples of global commands.

Commands that point to or indicate a process or interface that will be configured are called major commands. When they are entered, major commands cause the CLI to enter a specific configuration mode. Major commands have no effect unless a subcommand that supplies the configuration entry is immediately entered. For example, the major command interface serial 0 has no effect unless it is followed by a subcommand that tells what is to be done to that interface. The following are examples of some major commands and the subcommands that go with them:

    Router(config)#interface serial 0          (major command)
    Router(config-if)#shutdown                 (subcommand)
    Router(config-if)#line console 0           (major command)
    Router(config-line)#password cisco         (subcommand)
    Router(config-line)#router rip             (major command)
    Router(config-router)#network 10.0.0.0     (subcommand)

Entering a major command switches from one configuration mode to another. It is not necessary to return to the global configuration mode first before entering another configuration mode.

Saving Configurations

    RouterX#copy running-config startup-config
    Destination filename [startup-config]?
    Building configuration...

- Copy the current running configuration to NVRAM.

After you enter the commands to configure the router, the running configuration is changed.
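The mode transitions described in this topic (enable and disable, configure terminal, exit going back exactly one level, Ctrl-Z leaving configuration entirely, and a major command switching directly from one specific mode to another while subcommands accumulate in the running configuration) are easy to model. The following Python class is an added example, not part of the course or of Cisco IOS: it tracks the prompt a Cisco router would display after each command in a session and records the commands that entered the running configuration. The class and function names, and the command list it recognizes, are this example's own and cover only the commands named in this lesson.

```python
# Added example (not from the course): a small model of how the Cisco IOS
# prompt changes as commands are entered. It covers only the modes and
# commands named in this lesson; IosPromptModel and walk are this example's
# own names.

MAJOR_COMMANDS = {
    # major command keyword -> the specific configuration mode it enters
    "interface": "config-if",
    "line": "config-line",
    "router": "config-router",
}


class IosPromptModel:
    def __init__(self, hostname="RouterX"):
        self.hostname = hostname
        self.mode = "user"          # user, priv, config, or a MAJOR_COMMANDS value
        self.running_config = []    # commands accepted into the running configuration

    def prompt(self):
        if self.mode == "user":
            return self.hostname + ">"
        if self.mode == "priv":
            return self.hostname + "#"
        return "%s(%s)#" % (self.hostname, self.mode)

    def enter(self, command):
        """Apply one command line and return the prompt shown afterwards."""
        cmd = command.strip()
        parts = cmd.split()
        word = parts[0] if parts else ""

        if self.mode == "user":
            if word == "enable":                    # enable: user EXEC -> privileged EXEC
                self.mode = "priv"
            return self.prompt()

        if self.mode == "priv":
            if word == "disable":                   # disable: back to user EXEC
                self.mode = "user"
            elif cmd in ("configure terminal", "conf t"):
                self.mode = "config"                # global configuration mode
            return self.prompt()

        # From here on we are in global or a specific configuration mode.
        if cmd in ("end", "^Z"):                    # Ctrl-Z (or end) leaves configuration entirely
            self.mode = "priv"
            return self.prompt()
        if word == "exit":                          # exit goes back exactly one level
            self.mode = "priv" if self.mode == "config" else "config"
            return self.prompt()
        if word in MAJOR_COMMANDS:
            # A major command switches directly into its mode, even from another
            # specific mode; by itself it changes nothing until a subcommand follows.
            self.mode = MAJOR_COMMANDS[word]
            self.running_config.append(cmd)
            return self.prompt()
        if word == "hostname" and self.mode == "config" and len(parts) > 1:
            self.hostname = parts[1]                # a global command that also changes the prompt
        # Global commands and subcommands are parsed and stored immediately.
        self.running_config.append(cmd)
        return self.prompt()


def walk(commands, hostname="RouterX"):
    """Return the prompt displayed after each command in the sequence."""
    model = IosPromptModel(hostname)
    return [model.enter(c) for c in commands]


if __name__ == "__main__":
    session = ["enable", "configure terminal", "interface serial 0", "shutdown",
               "line console 0", "password cisco", "router rip", "network 10.0.0.0",
               "exit", "exit", "disable"]
    for c, p in zip(session, walk(session)):
        print("%-22s -> %s" % (c, p))
```

The session in the main block is the major command and subcommand sequence shown above; running it prints the prompt after each command, which is a convenient way to check one's own expectation of where exit lands before typing it on a production console.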
You must save the running configuration to NVRAM. If the configuration is not saved to NVRAM and the router is reloaded, the configuration will be lost and the router will revert to the last configuration saved in NVRAM. Use the copy running-config startup-config command to save the running configuration to the startup configuration in NVRAM.

For more details about the copy command, refer to the Cisco IOS Configuration Fundamentals Command Reference at the following link:
http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html

Configuring a Cisco Router from the CLI

The CLI is used to configure the router name, password, and other console commands. This topic describes some essential configuration tasks, including hostname and console line configuration.

Configuring Router Identification

Router Name:

    Router(config)#hostname RouterX
    RouterX(config)#

Message-of-the-Day Banner:

    RouterX(config)#banner motd # [text illegible in the source] system. Authorized access only! #
    RouterX(config)#

One of the first tasks in configuring a router is to name it. Naming the router helps you to better manage the network by enabling you to uniquely identify each router within the network. The name of the router is considered to be the hostname and is the name that is displayed at the system prompt. If no name is configured, the default router name is Router. The name of the router is assigned in global configuration mode. In the example that is shown, the name of the router is set to RouterX. Use the hostname global configuration command to set the name of the router.

You can configure a message-of-the-day (MOTD) banner to be displayed on all of the connected terminals. This banner is displayed at login and is useful for conveying messages, such as impending system shutdowns, that might affect network users.
When you enter the banner motd global configuration command, follow the command with one or more blank spaces and a delimiting character of any kind. In the example, the delimiting character is a pound sign (#). After entering the banner text, terminate the message with the same delimiting character.

For more details about the hostname and banner motd commands, refer to the Cisco IOS Configuration Fundamentals Command Reference at the following link:
http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html

Console-Line Commands

    RouterX(config)#line console 0
    RouterX(config-line)#exec-timeout 20 30
    RouterX(config-line)#logging synchronous

- Modify the console session timeout.
- Redisplay interrupted console input.

Other console-line commands include exec-timeout and logging synchronous. In this figure, the exec-timeout command sets the timeout for the console EXEC session to 20 minutes and 30 seconds, which changes the session from the default timeout of 10 minutes.

The logging synchronous console-line command is useful when console messages are being displayed while you are attempting to input EXEC or configuration commands. Instead of the console messages being interspersed with the input, the input is redisplayed on a single line at the end of each console message that interrupts the input. This functionality makes reading the input and the messages much easier. The following example shows how the console messages interrupt the interface serial 0/0 command as it is entered:

    RouterX(config)#interface ser
    *Mar 9 00:26:44.887: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
    *Mar 9 00:26:45.887: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to downial 0/0

The following example shows the same situation except that this time the logging synchronous console-line command is used. Now the input is redisplayed on a single line.
    RouterX(config)#logging synchronous
    RouterX(config)#interface ser
    *Mar 9 00:26:44.887: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
    *Mar 9 00:26:45.887: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
    RouterX(config)#interface Serial 0/0

For more details about the exec-timeout and logging synchronous commands, refer to the Cisco IOS Configuration Fundamentals Command Reference at the following link:
http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html

Configuring Cisco Router Interfaces

The main function of a router is to forward packets from one network device to another. For the router to perform this task, you must define the characteristics of the interfaces through which the packets are received and sent. This topic describes the commands that are used to configure interfaces on Cisco routers.

Configuring an Interface

    RouterX(config)#interface type number
    RouterX(config-if)#

- type includes serial, Ethernet, Token Ring, FDDI, HSSI, loopback, dialer, null, async, ATM, BRI, tunnel, and so on.
- number is used to identify individual interfaces.

    RouterX(config)#interface type slot/port
    RouterX(config-if)#

- For modular routers, select an interface.

    RouterX(config)#interface serial 0
    RouterX(config-if)#interface fa 0/0
    RouterX(config-if)#

- Enter the serial 0 and Fast Ethernet 0/0 interface configuration modes.

The router interface characteristics include, but are not limited to, the IP address of the interface, the data-link encapsulation method, the media type, the bandwidth, and the clock rate. You can enable many features on a per-interface basis. Interface configuration mode commands modify the operation of Ethernet, serial, and many other interface types. When you enter the interface command, you must define the interface type and number.
The number is assigned to each interface based on the physical location of the interface hardware in the router and is used to identify each interface. This identification is critical when there are multiple interfaces of the same type in a single router. Examples of an interface type and number are as follows:

    RouterX(config)#interface serial 0
    RouterX(config)#interface fa 0/0

An interface in a Cisco 2800 or 3800 Series Integrated Services Router, or other modular router, is specified by the physical slot in the router and the port number on the module in that slot, as follows:

    RouterX(config)#interface fa 1/0

For more details about the interface command, refer to the Cisco IOS Interface and Hardware Component Command Reference at the following link:
http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_book.html

Configuring an Interface (Cont.)

    RouterX(config-if)#description string

- string is a comment or a description to help you remember what is attached to this interface.
- The maximum number of characters for the string argument is 238.

    RouterX(config)#interface Serial 0
    RouterX(config-if)#description Link to Router1

- Add the description text to the Serial 0 interface.

    RouterX(config-if)#exit

- Leave the current interface configuration mode.

You can add a description to an interface to help you remember specific information about that interface. Two common descriptions might be the network that is serviced by that interface or the customer that is connected to that interface. This description is meant solely as a comment to help identify how the interface is being used. To add a description to an interface configuration, use the description command in interface configuration mode. To remove the description, use the no form of this command.

The Serial 0 interface in the RouterX router is connected to the Router1 router.
The following example shows the commands that are used to add the description on the Serial 0 interface:

    RouterX(config)#interface Serial 0
    RouterX(config-if)#description Link to Router1

The description will appear in the output when the configuration information that exists in the memory of the router is displayed. The same text will appear in the show interfaces command display output, as follows:

    RouterX#show interfaces
    Serial0/0/0 is administratively down, line protocol is down (disabled)
      Hardware is HD64570
      Description: Link to Router1
      MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
         reliability 255/255, txload 1/255, rxload 1/255

To quit interface configuration mode and move into global configuration mode, enter the exit command at the RouterX(config-if)# prompt, as follows:

    RouterX(config-if)#exit

For more details about the description (interface) command, refer to the Cisco IOS Interface and Hardware Component Command Reference at the following link:
http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_book.html

Disabling or Enabling an Interface

    RouterX(config-if)#shutdown
    %LINK-5-CHANGED: Interface Serial0, changed state to administratively down

- Administratively turn off an interface.

    RouterX#configure terminal
    RouterX(config-if)#no shutdown
    %LINK-3-UPDOWN: Interface Serial0, changed state to up

- Enable an interface that is administratively shut down.

You may want to disable an interface to perform hardware maintenance on a specific interface or a segment of a network. You may also want to disable an interface if a problem exists on a specific segment of the network and you must isolate that segment from the rest of the network. The shutdown subcommand administratively turns off an interface. To reinstate the interface, use the no shutdown subcommand.
When an interface is first configured, except in setup mode, you must administratively enable the interface before it can be used to transmit and receive packets. Use the no shutdown subcommand to allow Cisco IOS Software to use the interface.

For more details about the shutdown (interface) command, refer to the Cisco IOS Interface and Hardware Component Command Reference at the following link:
http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_book.html

Configuring the Cisco Router IP Address

Each interface on a Cisco router must have its own IP address to uniquely identify it on the network. This topic describes how to configure the IP address for each interface on a Cisco router.

Configuring IP Addresses

- Unique addressing allows communication between end stations.
- Path choice is based on the destination address.

[Figure: network diagram in which the Serial 0 interface of RouterX is configured with IP address 172.18.0.1 and subnet mask 255.255.0.0]

- Configure the IP address on the Serial 0 interface on router RouterX.

Unique IP addressing is required for communication between the hosts and other network devices. Each router link to each LAN is associated with a dedicated and unique subnet. The router needs to have an IP address configured on each of its links to each LAN. The routers determine the path to the destination based on the destination IP address, which is carried in the IP header.

To configure an interface on a Cisco router, complete these steps.

Step 1. Enter global configuration mode by using the configure terminal command.
    Router#configure terminal
    Result: This command displays a new prompt: Router(config)#

Step 2. Identify the specific interface that requires an IP address by using the interface type slot/port command.
    Router(config)#interface serial 0
    Result: This command displays a new prompt, for example: Router(config-if)#
Step 3. Set the IP address and subnet mask for the interface by using the ip address ip-address mask command.
    Router(config-if)#ip address 172.18.0.1 255.255.0.0
    Result: This command configures the IP address and subnet mask for the selected interface.

Step 4. Enable the interface to change the state from administratively down to up by using the no shutdown command.
    Router(config-if)#no shutdown
    Result: This command enables the current interface.

Step 5. Exit configuration mode for the interface by using the exit command.
    Router(config-if)#exit
    Result: This command displays the global configuration mode prompt: Router(config)#

The following example shows how to configure the IP address on the Serial 0 interface on RouterX:

    RouterX#configure terminal
    RouterX(config)#interface serial 0
    RouterX(config-if)#ip address 172.18.0.1 255.255.0.0

For more details about the ip address command, refer to the Cisco IOS IP Addressing Services Command Reference at the following link:
http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html

Verifying the Interface Configuration

When you have completed the router interface configuration, you can verify the configuration by using the show interfaces command. This topic describes the show commands and the output that is used to verify the configuration.

Router show interfaces Command

[Figure: output of the RouterX#show interfaces command, ending with the 5 minute input rate and 5 minute output rate lines (0 bits/sec, 0 packets/sec)]

- Verify the statistics for all interfaces configured on the router.

The show interfaces command displays the status and statistics of all of the network interfaces on the router. Alternatively, the status for a specific interface can be displayed by using the show interfaces type slot command. Output fields for an Ethernet interface and their meanings are shown in the following table.
Output field: Description

Ethernet ... is {up | down | administratively down}: Indicates whether the interface hardware is currently active, down, or whether an administrator has taken it down.

line protocol is {up | down}: Indicates whether the software processes that manage the line protocol consider the interface usable (that is, whether keepalives are successful). If the interface misses 3 consecutive keepalives, the line protocol is marked as down.

hardware: Hardware type (for example, MCI Ethernet, serial communications interface [SCI], Bus Ethernet) and address.

Internet address: IP address followed by the prefix length (subnet mask).

MTU: Maximum transmission unit (MTU) of the interface.

BW: Bandwidth of the interface, in kilobits per second. The bandwidth parameter is used to compute routing protocol metrics and other calculations.

DLY: Delay of the interface, in microseconds.

rely: Reliability of the interface as a fraction of 255 (255/255 is 100% reliability), calculated as an exponential average over 5 min.

load: Load on the interface as a fraction of 255 (255/255 is completely saturated), calculated as an exponential average over 5 min.

encapsulation: Encapsulation method that is assigned to the interface.

keepalive: Indicates whether keepalives are set.

ARP type: Type of Address Resolution Protocol (ARP) that is assigned.

loopback: Indicates whether loopback is set.

last input: Number of hours, minutes, and seconds since the last packet was successfully received by the interface. Useful for knowing when a dead interface failed.

output: Number of hours, minutes, and seconds since the last packet was successfully transmitted by the interface. Useful for knowing when a dead interface failed.

output hang: Number of hours, minutes, and seconds (or never) since the interface was last reset because of a transmission that took too long. When the number of hours in any of the previous fields exceeds 24 hr, the number of days and hours is displayed.
If that field overflows, asterisks are displayed.

last clearing: Time at which the counters that measure cumulative statistics shown in this report (such as the number of bytes transmitted and received) were last reset to 0. Note that variables that might affect routing (for example, load and reliability) are not cleared when the counters are cleared. Asterisks indicate elapsed time that is too large to be displayed.

output queue, input queue, drops: Number of packets in the output and input queues. Each number is followed by a slash (/), the maximum size of the queue, and the number of packets that were dropped because of a full queue.

five minute input rate, five minute output rate: Average number of bits and packets that are transmitted per second in the last 5 min. If the interface is not in promiscuous mode, it senses the network traffic that it sends and receives (rather than all network traffic). The 5-minute input and output rates should be used only as an approximation of traffic per second during a given 5-minute period. These rates are exponentially weighted averages with a time constant of 5 min. A period of 4 time constants must pass before the average will be within 2% of the instantaneous rate of a uniform stream of traffic over that period.

packets input: Total number of error-free packets that were received by the system.

bytes input: Total number of bytes, including data and MAC encapsulation, in the error-free packets that were received by the system.

no buffers: Number of received packets that were discarded because there was no buffer space in the main system. Compare with the ignored count. Broadcast storms on Ethernet are often responsible for no input buffer events.
received ... broadcasts: Total number of broadcast or multicast packets that were received by the interface. The number of broadcasts should be kept as low as practicable. An approximate threshold is less than 20% of the total number of input packets.

runts: Number of Ethernet frames that are discarded because they are smaller than the minimum Ethernet frame size. Any Ethernet frame that is less than 64 bytes is considered a runt. Runts are usually caused by collisions. If there is more than one runt per million bytes received, it should be investigated.

giants: Number of Ethernet frames that are discarded because they exceed the maximum Ethernet frame size. Any Ethernet frame that is greater than 1518 bytes is considered a giant.

input errors: Includes runts, giants, no buffer, cyclic redundancy check (CRC), frame, overrun, and ignored counts. Other input-related errors can also cause the input error count to be increased, and some datagrams may have more than one error. Therefore, this sum may not balance with the sum of the enumerated input error counts.

CRC: The CRC generated by the originating LAN station or far-end device does not match the checksum that was calculated from the data received. On a LAN, this usually indicates noise or transmission problems on the LAN interface or the LAN bus itself. A high number of CRCs is usually the result of collisions or a station transmitting bad data.

frame: Number of packets received incorrectly, having a CRC error and a noninteger number of octets. On a LAN, this is usually the result of collisions or a malfunctioning Ethernet device.

overrun: Number of times that the receiver hardware was unable to hand received data to a hardware buffer because the input rate exceeded the ability of the receiver to process the data.

ignored: Number of received packets that were ignored by the interface because the interface hardware ran low on internal buffers. These buffers are different from the system buffers that are mentioned in the no buffers description.
Broadcast storms and bursts of noise can cause the ignored count to be increased.

input packets with dribble condition detected: The dribble bit error indicates that a frame is slightly too long. This frame error counter is incremented just for informational purposes; the router accepts the frame.

packets output: Total number of messages that were transmitted by the system.

bytes: Total number of bytes, including data and MAC encapsulation, that were transmitted by the system.

underruns: Number of times that the transmitter has been running faster than the router can manage. This may never be reported on some interfaces.

output errors: Sum of all errors that prevented the final transmission of datagrams out of the interface being examined. Note that this may not balance with the sum of the enumerated output errors, because some datagrams may have more than one error, and others may have errors that do not fall into any of the specifically tabulated categories.

collisions: Number of messages that were retransmitted because of an Ethernet collision. This is usually the result of an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). A packet that collides is counted only once in output packets.

interface resets: Number of times an interface has been completely reset. This can happen if packets that were queued for transmission were not sent within several seconds. On a serial line, this can be caused by a malfunctioning modem that is not supplying the transmit clock signal, or it can be caused by a cable problem.
If the system notices that the carrier detect (CD) line of a serial interface is up but the line protocol is down, it periodically resets the interface to restart it. Interface resets can also occur when an interface is looped back or shut down.

For more details about the show interfaces command, refer to the Cisco IOS Interface and Hardware Component Command Reference at the following link:
http://www.cisco.com/en/US/docs/ios/interface/command/reference/ir_book.html

Interpreting the Interface Status

[Figure: output of the RouterX#show interface fa 0/0 command, beginning "FastEthernet0/0 is up, line protocol is up" and followed by the hardware, address, and description lines. The first part of the summary line reflects carrier detect, the second part reflects keepalives. The figure annotates the summary line as follows:]

    FastEthernet0/0 is up, line protocol is up                         Operational
    FastEthernet0/0 is up, line protocol is down                       Connection problem
    FastEthernet0/0 is down, line protocol is down                     Interface problem
    FastEthernet0/0 is administratively down, line protocol is down    Disabled

- Verify the status of the Fast Ethernet 0/0 interface on router RouterX.

One of the most important elements of the show interfaces command output is the display of the line and data-link protocol status. The figure indicates the key summary line to check and the status meanings for a serial interface. For other types of interfaces, the meanings of the status line may be slightly different.

The first parameter refers to the hardware layer and, essentially, reflects whether the interface is receiving the carrier detect signal from the other end (the DCE, if using a serial connection). The second parameter refers to the data link layer and reflects whether the data link layer protocol keepalives are being received.

Based on the output of the show interfaces command, possible problems can be fixed as follows:

- If the interface is up and the line protocol is down, a problem exists.
include the following: Some possible causes — _ Nokeepalives — Mismatch in encapsulation type = Clock rate issue If the line protocol and the interface are both down, a cable might never have been attached ‘when the router was powered up, ot some other interface problem exists. For example, in a back-to-back connection, the other end of the connection may be administratively down. Ifthe interface is administratively down, it has been manually disabled (the shutdown command has been issued) in the active configuration. (© 2010 Cisco Systems, ne. LAN Connections 4-83 Verifying a Serial Interface Configuration Routerxtshow interface serial 20/0/0 Mardvare 1s PovergUICC Serial Internet address 2 10.140.4.2/24 ‘ru 1500 bytes, [BW GAMBLE) DLY 20000 usec, rely 255/255, load 1/255 Encapsulation HDLC, loopback not set, kespalive set (10 sec) Last input 00:00:09, cutpet 00:00:04, output hang never Last clearing of “show interface” counters never Input queue: 0/75/0 (size/max/drops) ; Total output drops: 0 Queueing strategy: weighted fair Output queue: 0/1000/64/0 (size/max total/threshold/drops) Conversations 0/1/256 (active/max active/nax total) Reserved Conversations 0/0 (aileceted/ase allocated) 5 minute input rate 0 bits/sec, 0 packets/sec, 5 minute output rate 0 bits/sec, 0 packeta/ a I: * Verify the status of the serial 0/0/0 interface on router Routerx After configuring a serial interface, use the show interfaces serial command to verify the changes. In this example, the show interfaces serial 0/0/0 command is used. Note that the line and protocol are up and that the bandwidth is 64 kb/s. +04 Interconnecting Cisco Networking Devices: Accelerated (GGNAX) v1.1 {© 2010 Cisco Systems. Ine. Summary This topic summarizes the key points that were discussed in this lesson. Summary * From the privileged EXEC mode, you can enter the global configuration mode, providing access to other configuration modes such as the interface configuration mode or line configuration mode. 
* One of the first tasks in configuring a router is to name it. Naming the router helps you to better manage the network by enabling you to uniquely identify each router within the network. * The main function of a router is to relay packets from one network device to another. To do this, the characteristics of, the interfaces through which the packets are received and sent must be defined. Interface characteristics, such as the IP address and bandwidth, are configured using the interface configuration mode. Summary (Cont.) «Ina TCP/IP environment, end stations communicate seamlessly with servers or other end stations, This communication occurs because each node that uses the TCPIIP protocol suite has a unique 32-bit logical IP address. * When the router interface configuration has been completed, it’can be verified by using show commands, (© 2010 Cisco Systems, ne. LAN Connections 495 495 interconnecting Cisco Networking Devices: Accelerated (CCNAX) v1.1 {© 2010 Cisco Systems. Ine. Lesson 6 Understanding Cisco Router Security Overview After you secure physical access to your network, you must ensure that access to the Cisco router via the console and vty ports is secure. In addition, you must ensure that unused router ports do not become a security risk. This lesson describes basic router security. Objectives Upon completing this lesson, you will be able to implement a basic security configuration for a Cisco router. This ability includes being able to meet these objectives: Describe how to mitigate hardware, environmental, electrical, and maintenance-related security threats to Cisco routers m= Configure password security = Configure the login banner Describe Telnet and SSH for remote access Physical and Environmental Threats Improper and incomplete network device installation is an often-overlooked security threat. Software-based security measures alone cannot prevent network damage due to poor installation. 
This topic describes how to mitigate hardware, environmental, electrical, and maintenance-related security threats to Cisco routers.

Common Threats to Physical Installations
* Hardware threats
* Environmental threats
* Electrical threats
* Maintenance threats

There are four classes of unsecure installations or physical access threats:
* Hardware threats: Threats of physical damage to the router or router hardware.
* Environmental threats: Threats such as temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry).
* Electrical threats: Threats such as voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss.
* Maintenance threats: Threats such as poor handling of key electrical components (ESD), lack of critical spare parts, poor cabling, poor labeling, and so on.

Configuring Password Security
You can use the command-line interface (CLI) to configure the password and other console commands. This topic describes password configuration and other essential configuration tasks.

Configuring a Router Password
RouterX(config)#line console 0
RouterX(config-line)#login
RouterX(config-line)#password cisco
  - Set the Console Password
RouterX(config)#line vty 0 4
RouterX(config-line)#login
RouterX(config-line)#password sanjose
  - Set the Virtual Terminal Password
RouterX(config)#enable password cisco
  - Set the Enable Password
RouterX(config)#enable secret sanfran
  - Set the Enable Secret Password
RouterX(config)#service password-encryption
RouterX(config)#no service password-encryption
  - Set the Service Password Encryption
Caution: These passwords are for instructional purposes only. Passwords that are used in an actual implementation should meet the requirements of a "strong" password.

Like securing a switch, you can secure a router by using a password to restrict access. Using a password and assigning privilege levels are simple ways to provide terminal access control in a network. A password can be established on individual lines, such as the console, and to the privileged EXEC mode. Passwords are case-sensitive.

The Telnet port on the router is known as a vty terminal. There are a maximum of five default vty ports on the router, which allows for five concurrent Telnet sessions. On the router, the vty ports are numbered from 0 through 4. You can activate up to 11 additional optional vty terminals (5 to 15) if needed.

You can use the line console 0 command, followed by the login and password subcommands, to require login and establish a login password on a console terminal or a vty port. By default, login is not enabled on a console or vty port. You can use the line vty 0 4 command, followed by the login and password subcommands, to require login and establish a login password on incoming Telnet sessions. To activate and configure the additional vty lines, use the line vty 5 15 command, followed by the login and password subcommands.

You can use the login local command to enable password checking on a per-user basis, using the username and password that is specified with the username global configuration command. The username command establishes username authentication with encrypted passwords.

The enable password global configuration command restricts access to the privileged EXEC mode. You can assign an encrypted form of the enable password command, called the enable secret password. The enable secret command with the desired password at the global configuration mode prompt is required for this functionality. If the enable secret password is configured, it is used rather than enable password, not in addition to it.

You can also add a further layer of security, which is particularly useful for passwords that cross the network or are stored on a TFTP server. Cisco provides a feature that allows the use of encrypted passwords. To set password encryption, enter the service password-encryption command in global configuration mode. Passwords that are displayed or set after you configure the service password-encryption command will be encrypted.

To disable a command, enter no before the command. For example, use the no service password-encryption command to disable password encryption.

For more details about the password, enable password, enable secret, and service password-encryption commands, refer to Cisco IOS Security Command Reference on the following link: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html

Cisco AutoSecure
* The AutoSecure command initiates a security audit and then allows for configuration changes.
* AutoSecure first makes recommendations for fixing security vulnerabilities and then modifies the security configuration of the router.
* Cisco AutoSecure attempts to ensure maximum security by disabling the services most commonly used by hackers to attack a router.

Cisco AutoSecure is a Cisco IOS security CLI command feature. You can deploy one of these two modes, depending on your needs:
* Interactive mode: Prompts the user with options to enable and disable services and other security features.
* Noninteractive mode: Automatically executes a Cisco AutoSecure command with the recommended Cisco default settings.

Caution: Cisco AutoSecure attempts to ensure maximum security by disabling the services most commonly used by hackers to attack a router. However, some of these services may be needed for successful operation in your network. For this reason, you should not use the Cisco AutoSecure feature until you fully understand its operations and the requirements of your network.
Cisco AutoSecure performs the following functions:
* Disables the following global services:
  - Finger
  - Packet assembler/disassembler (PAD)
  - Small servers
  - Bootstrap Protocol (BOOTP) servers
  - HTTP service
  - Identification service
  - Cisco Discovery Protocol
  - Network Time Protocol (NTP)
  - Source routing
* Enables the following global services:
  - Password encryption service
  - Tuning of scheduler interval and allocation
  - TCP synwait-time
  - TCP keepalive messages
  - Security policy database (SPD) configuration
  - Internet Control Message Protocol (ICMP) unreachable messages
* Disables the following services per interface:
  - ICMP
  - Proxy Address Resolution Protocol (ARP)
  - Directed broadcast
  - Maintenance Operation Protocol (MOP) service
  - ICMP unreachables
  - ICMP mask reply messages
* Provides logging for security, including the following functions:
  - Enables sequence numbers and time stamp
  - Provides a console log
  - Sets log buffered size
  - Provides an interactive dialog to configure the logging server IP address
* Secures access to the router, including the following functions:
  - Checking for a banner and providing the ability to add text for automatic configuration
  - Login and password
  - Transport input and output
  - exec-timeout commands
  - Local authentication, authorization, and accounting (AAA)
  - Secure Shell (SSH) timeouts and ssh authentication-retries commands
  - Enabling only SSH and Secure Copy Protocol (SCP) for access and file transfers to and from the router
  - Disabling Simple Network Management Protocol (SNMP) if not being used
* Secures the forwarding plane, including the following functions:
  - Enabling Cisco Express Forwarding or distributed Cisco Express Forwarding on the router, when available
  - Antispoofing
  - Blocking all Internet Assigned Numbers Authority (IANA)-reserved IP address blocks
  - Blocking private address blocks, if the customer desires
  - Installing a default route to Null0, if a default route is not being used
  - Configuring a TCP Intercept for a connection timeout, if the TCP Intercept feature is available and the user desires it
  - Starting an interactive configuration for Context-Based Access Control (CBAC) on interfaces facing the Internet, when using a Cisco IOS Firewall image
  - Enabling NetFlow on software forwarding platforms

For more details about the auto secure command, refer to Cisco IOS Security Command Reference on the following link: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html

Configuring the Login Banner
You can use the CLI to configure the message of the day and other console commands. This topic describes some essential configuration tasks to enable the login banner.

Configuring the MOTD Banner
* Define and enable a customized banner to be displayed before the username and password login prompts
RouterX(config)#banner motd # Access for authorized users only.

To define a customized banner to be displayed before the username and password login prompts, you can use the banner login command in global configuration mode. To disable the login banner, you can use the no banner login command.

When you enter the banner login command, follow the command with one or more blank spaces and a delimiting character. In this example, the delimiting character is a quote mark ("). After the banner text has been added, terminate the message with the same delimiting character.

Warning: Caution should be used when selecting the words that are used in the login banner. Words like "welcome" may imply that access is not restricted and allow hackers to defend their actions.
You can also configure a message of the day (motd) banner, which is displayed to all terminals at connection time. The motd banner is configured with the same logic, and the command sequence would look like this:
RouterX(config)#banner motd #This router will not be accessible today between 10 and 11 PM for maintenance reasons #

For more details about the banner login and banner motd commands, refer to Cisco IOS Configuration Fundamentals Command Reference on the following link: http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html

Telnet and SSH Access
This topic describes Telnet and Secure Shell (SSH) methods for selecting which access mode is enabled for remote access.

Telnet vs. SSH Access
* Telnet
  - Most common access method
  - Unsecure
* SSH
  - Encrypted
  - IP domain must be defined
  - Key must be generated
  - Telnet access must be disabled for better security

Telnet is the most common method of accessing a network device. However, Telnet is an unsecure way of accessing a network. SSH is a secure replacement for Telnet, which gives the same type of access. Communication between the client and server is encrypted in both SSH version 1 (SSHv1) and SSH version 2 (SSHv2). Implement SSHv2, if possible, because it uses a more enhanced security encryption algorithm. When encryption is enabled, a Rivest, Shamir, and Adleman (RSA) encryption key must be generated on the router. In addition, an IP domain must be assigned to the router.

Telnet vs. SSH Access (Cont.)
RouterX(config)#username cisco password cisco
RouterX(config)#ip domain-name cisco.com
RouterX(config)#crypto key generate rsa
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
*Mar 16 20:32:15.613: %SSH-5-ENABLED: SSH 1.99 has been enabled
RouterX(config-line)#transport input ssh
* Router configuration to accept SSH connections only

Before implementing SSH, first test the authentication without SSH to make sure that authentication works with the router. The following configuration shows local authentication, which allows you to use Telnet to connect to the router with the username "cisco" and password "cisco":
RouterX(config)#username cisco password cisco
RouterX(config)#line vty 0 4
RouterX(config-line)#login local

In order to enable and test authentication with SSH, you must add the following commands to the previous statements. Then test SSH from the PC and UNIX stations. The following configuration enables SSH and disables Telnet access:
RouterX(config)#ip domain-name cisco.com
RouterX(config)#crypto key generate rsa
The name for the keys will be: RouterX.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*Mar 16 20:32:15.613: %SSH-5-ENABLED: SSH 1.99 has been enabled
RouterX(config)#ip ssh version 2
RouterX(config)#line vty 0 4
RouterX(config-line)#login local
RouterX(config-line)#transport input ssh

If you want to prevent non-SSH connections, the transport input ssh command limits the router to SSH connections only. Straight (non-SSH) Telnet connections are refused. The following configuration enables SSH connections only:
RouterX(config)#line vty 0 4
RouterX(config-line)#transport input ssh

Test to ensure that non-SSH users cannot use Telnet to connect to the router.
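As an added example (not part of the course material), the following Python script reads a saved running-config and checks the items covered by the password, login banner, and Telnet/SSH topics above: an enable secret, service password-encryption, a banner that does not say "welcome", ip ssh version 2, login required on the console and vty lines, and transport input ssh on the vty lines. Both sample configs are constructed for the example, and the hash and type-7 values in them are placeholders rather than real IOS output.

```python
# Added example: audit an IOS running-config against this lesson's baseline.
import re

# Constructed sample: secured only as on the first password slide, with
# Telnet still accepted on the vty lines and a "Welcome" banner.
WEAK_CONFIG = """\
enable password cisco
username cisco password 0 cisco
banner motd ^C
Welcome to RouterX
^C
line con 0
 password cisco
 login
line vty 0 4
 password sanjose
 login local
 transport input telnet ssh
"""

# Constructed sample after the lesson's hardening steps (hash and type-7
# values are placeholders, not real IOS output).
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$hashvalue
username cisco secret 5 $1$PLACEHOLDER$hashvalue
ip domain-name cisco.com
ip ssh version 2
banner login ^C
Access for authorized users only.
^C
line con 0
 password 7 PLACEHOLDERVALUE
 login
line vty 0 4
 login local
 transport input ssh
"""


def parse_config(text):
    """Return (global commands, {banner kind: text}, {line section: sub-commands}).

    Indented lines belong to the preceding 'line ...' section; a banner body
    runs from the delimiter after 'banner <kind>' to the next occurrence of
    that delimiter, as the lesson describes for banner login and banner motd.
    """
    global_cmds, banners, sections = [], {}, {}
    section, banner_kind, delim, body = None, None, "", []
    for raw in text.splitlines():
        if banner_kind is not None:            # inside a multi-line banner
            if delim in raw:
                banners[banner_kind] = "\n".join(body + [raw.split(delim)[0]]).strip()
                banner_kind = None
            else:
                body.append(raw)
            continue
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                # sub-command of a line section
            if section is not None:
                sections[section].append(raw.strip())
            continue
        section, cmd = None, raw.strip()
        m = re.match(r"banner (\w+)\s+(.*)", cmd)
        if m:
            kind, rest = m.group(1), m.group(2)
            delim = "^C" if rest.startswith("^C") else rest[0]   # IOS shows Ctrl-C as ^C
            rest = rest[len(delim):]
            if delim in rest:                  # whole banner on one line
                banners[kind] = rest.split(delim)[0].strip()
            else:
                banner_kind, body = kind, [rest] if rest else []
            continue
        if cmd.startswith("line "):
            section = cmd
            sections[section] = []
        global_cmds.append(cmd)
    return global_cmds, banners, sections


def audit(text):
    """Return the findings for one config; an empty list meets the baseline."""
    global_cmds, banners, sections = parse_config(text)
    has = lambda prefix: any(c.startswith(prefix) for c in global_cmds)
    findings = []
    if not has("enable secret"):
        findings.append("no enable secret configured")
    if not has("service password-encryption"):
        findings.append("service password-encryption not set: line passwords stored in cleartext")
    if not banners:
        findings.append("no login or motd banner configured")
    for kind, body in banners.items():
        if "welcome" in body.lower():
            findings.append(f'banner {kind} says "welcome", which may imply access is not restricted')
    if not has("ip ssh version 2"):
        findings.append("ip ssh version 2 not set")
    for name, cmds in sections.items():
        if name.startswith(("line con", "line vty")) and not {"login", "login local"} & set(cmds):
            findings.append(f"{name}: login not required")
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{name}: not SSH-only, cleartext Telnet may still be accepted")
    return findings
```

Running audit(WEAK_CONFIG) reports five findings and audit(HARDENED_CONFIG) reports none; the parser also handles the single-line motd banner form shown above.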
For more details about the ip domain name command, refer to Cisco IOS IP Addressing Services Command Reference on the following link: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html

For more details about the crypto key generate rsa, ip ssh version, and transport input ssh commands, refer to Cisco IOS Security Command Reference on the following link: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
* The first level of security is physical.
* Passwords can be used to restrict access.
* The login banner can be used to display a message before the user is prompted for a username.
* Telnet sends the session traffic in cleartext. SSH encrypts the traffic.

Lesson 7
Using Cisco SDM

Overview
Cisco Router and Security Device Manager (SDM) is an easy-to-use, Java-based device management tool that is designed for configuring LAN, WAN, and security features on a router. This lesson describes how to use Cisco SDM.

Objectives
Upon completing this lesson, you will be able to describe and use the features and elements of Cisco SDM. This ability includes being able to meet these objectives:
* Describe the features of Cisco SDM
* Explain how to use the elements of the Cisco SDM interface
* Explain the function of each of the five Cisco SDM wizards

Cisco SDM Overview
This topic provides an overview of Cisco SDM.

Cisco Router and Security Device Manager
Cisco SDM is an intuitive, web-based device management tool for Cisco IOS Software-based routers. Cisco SDM simplifies router and security configuration by using wizards, which help you quickly and easily deploy, configure, and monitor a Cisco router without requiring knowledge of the command-line interface (CLI).

Cisco SDM is supported on Cisco 830 Series, Cisco 1700 Series, Cisco 1800 Series, Cisco 2600XM, Cisco 2800 Series, Cisco 3600 Series, Cisco 3700 Series, and Cisco 3800 Series routers, as well as on selected Cisco 7200 Series and Cisco 7301 routers.

What Is Cisco SDM?
* Embedded web-based management tool
* Provides intelligent wizards to enable quicker and easier deployments, and does not require knowledge of Cisco IOS CLI or security expertise
* Tools for more advanced users:
  - ACL editor
  - VPN cryptography map editor
  - Cisco IOS CLI preview

Cisco SDM allows you to easily configure routing, switching, security, and quality of service (QoS) services on Cisco routers while helping to enable proactive management through performance monitoring. Whether you are deploying a new router or installing Cisco SDM on an existing router, you can remotely configure and monitor these routers without using the Cisco IOS Software CLI. The Cisco SDM GUI aids nonexpert users of Cisco IOS Software in day-to-day operations, provides easy-to-use smart wizards, automates router security management, and assists you through comprehensive online Help and tutorials.

Cisco SDM smart wizards guide you, step by step, through router and security configuration by systematically configuring LAN and WAN interfaces, firewalls, intrusion prevention systems (IPSs), and IPsec virtual private networks (VPNs). Cisco SDM wizards can intelligently detect incorrect configurations and propose fixes, such as allowing DHCP traffic through a firewall if the WAN interface is DHCP-addressed. Online Help in Cisco SDM contains appropriate background information, in addition to step-by-step procedures to help you enter correct data in Cisco SDM. Networking and security terms, and other definitions that you might need, are included in an online glossary.

For network professionals who are familiar with Cisco IOS Software and its security features, Cisco SDM offers advanced configuration tools to allow you to quickly configure and fine-tune router security features, allowing you to review the commands that are generated by Cisco SDM before delivering the configuration changes to the router.

Cisco SDM helps you configure and monitor routers from remote locations using Secure Sockets Layer (SSL) and Secure Shell version 2 (SSHv2) connections. This technology helps enable a secure connection over the Internet between the user browser and the router. When deployed at a branch office, a router that is enabled with Cisco SDM can be configured and monitored from corporate headquarters, which reduces the need for experienced network administrators at the branch office.

Supported Cisco Routers and Cisco IOS Software Releases
* Cisco SDM is supported on a number of Cisco router platforms and Cisco IOS Software releases.
* Always verify Cisco SDM router and Cisco IOS Software release support at www.cisco.com/go/sdm.

Cisco SDM is supported on a number of Cisco routers and associated Cisco IOS Software releases. Always consult the latest information regarding Cisco SDM router and Cisco IOS Software release support at http://www.cisco.com/go/sdm.

Cisco SDM comes preinstalled on several Cisco router models that were manufactured after June 2003 and that were purchased with the VPN bundle. If you have a router that does not have Cisco SDM installed, and you would like to use Cisco SDM, you must download it from http://www.cisco.com and install it on your router. Ensure that your router contains enough flash memory to support your existing flash file structure and the Cisco SDM files. Information on installing Cisco SDM on a Cisco router is beyond the scope of this course.
Cisco Configuration Professional
* Alternative GUI to Cisco SDM to manage Cisco devices
* Refer to www.cisco.com/go/ciscocp for more information

Cisco Configuration Professional is a GUI-based device management tool for Cisco IOS Software-based access routers, including Cisco integrated services routers, Cisco 7200VXR Series Routers, and the Cisco 7301 router. Cisco Configuration Professional simplifies router, firewall, IPS, VPN, unified communications, WAN, and basic LAN configuration through easy-to-use wizards. With Cisco Configuration Professional, you can remotely configure and monitor Cisco routers without using the Cisco IOS Software CLI.

Cisco Configuration Professional is an alternative to Cisco SDM. Like Cisco SDM, Cisco Configuration Professional assumes a general understanding of networking technologies and terms, but assists individuals unfamiliar with the Cisco CLI. Cisco Configuration Professional is currently supported on Windows platforms only.

Cisco Configuration Professional is included on a CD at no additional cost with several integrated services routers. It is also available as a free download from http://www.cisco.com/go/ciscocp. Always consult the latest information regarding Cisco Configuration Professional router and Cisco IOS Software release support at http://www.cisco.com/go/ciscocp.

Cisco SDM User Interface
This topic describes the various elements of the Cisco SDM user interface.

Configuring Your Router to Support Cisco SDM
* Enable the HTTP and HTTPS servers on your router.
* Create a user account that is defined with privilege level 15 (enable privileges).
* Configure SSH and Telnet for local login and privilege level 15.

Configuring Your Router to Support Cisco SDM
You can install and run Cisco SDM on a router that is already in use without disrupting network traffic, but you must ensure that a few configuration settings are present in the router configuration file. Access the CLI using SSH or the console connection to modify the existing configuration before installing Cisco SDM on your router.

Step 1 Enable the HTTP and HTTPS servers on your router by entering the following commands in global configuration mode:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip http server
Router(config)#ip http secure-server
Router(config)#ip http authentication local
Router(config)#ip http timeout-policy idle 600 life 86400 requests 10000

Note: If the router supports HTTPS, the HTTPS server will be enabled. If not, the HTTP server will be enabled. HTTPS is supported in all images that support the cryptography IPsec feature set, starting from Cisco IOS Release 12.25(T).

Step 2 Create a user account that is defined with privilege level 15 (enable privileges). Enter the following command in global configuration mode, replacing username and password with the strings that you want to use:
Router(config)#username username privilege 15 secret 0 password
For example, if you chose the username "tomato" and the password "vegetable", you would enter:
Router(config)#username tomato privilege 15 secret 0 vegetable
You will use this username and password to log in to Cisco SDM.

Step 3 Configure SSH and Telnet for local login and privilege level 15. Use the following commands:
Router(config)#line vty 0 4
Router(config-line)#privilege level 15
Router(config-line)#login local
Router(config-line)#transport input telnet ssh

Cisco SDM Startup

Start Cisco SDM
Cisco SDM is stored in the router flash memory. It is invoked by executing an HTML file in the router archive, which then loads the signed Cisco SDM Java file.
To launch Cisco SDM, complete the following steps:

Step 1 From your browser, enter the following URL: https://router IP address
The https:// designation specifies that the SSL protocol is used for a secure connection. The http:// designation can be used if SSL is not available.

Step 2 The Cisco SDM home page will appear in the browser window. The username and password dialog box will appear. The type and shape of the dialog box will depend on the type of browser that you are using. Enter the username and password for the privileged (privilege level 15) account on your router. The Cisco SDM Java applet will begin loading to your PC.

Step 3 Cisco SDM is a signed Java applet. This applet may cause your browser to display a security warning. Accept the certificate.

Step 4 Cisco SDM displays the Launch page. When the Launch window appears, Cisco SDM displays the Cisco SDM home page. The home page gives you a snapshot of the router configuration and the features that the Cisco IOS image supports.

Cisco SDM starts in wizard mode, in which you can perform configuration tasks using a sequence of windows that break the configuration task into manageable steps.

Cisco SDM Main Window Layout and Navigation
(Toolbar, Router Information, Configuration Overview)

The home page supplies basic information about the router hardware, software, and configuration, and contains the following sections:
* Host Name: This hostname is the configured name of the router.
* About Your Router: This area shows basic information about your router hardware and software, and contains the fields that are shown in this table.

Hardware: Description
Model Type: The router model number.
Available/Total Memory: Available RAM and total RAM.
Total Flash Capacity: Flash plus webflash memory (if applicable).

Software: Description
IOS Version: The version of Cisco IOS Software that is currently running on the router.
Cisco SDM Version: The version of Cisco SDM software that is currently running on the router.
Feature Availability: The features available in the Cisco IOS image that the router is using are designated by a check. The features that Cisco SDM looks for are IP firewall, VPN, and IPS.

The More Link
The More link displays a popup window that provides additional hardware and software details, as follows:
* Hardware Details: In addition to the information presented in the About Your Router window, this tab displays information about the following:
  - Where the router boots from (flash memory or the configuration file)
  - Whether the router has accelerators, such as VPN accelerators
  - A diagram of the hardware configuration
* Software Details: In addition to the information presented in the About Your Router section, this tab displays information about the feature sets included in the Cisco IOS image.

Configuration Overview
This section of the home page summarizes the configuration settings that have been made. If you want to view the running configuration, click View Running Config.

Interfaces and Connections
This area shows the following information:
* Up: The number of connections that are up.
* Down: The number of connections that are down.
* Double arrow: Click to display or hide details.
* Total Supported LAN: Shows the total number of LAN interfaces that are present in the router.
* Total Supported WAN: The number of WAN interfaces that are present on the router and that are supported by Cisco SDM.
* Configured LAN Interface: The number of supported LAN interfaces that are currently configured on the router.
* Total WAN Connections: The total number of WAN connections that are present on the router and that are supported by Cisco SDM.
* DHCP Server: Configured and not configured.
* DHCP Pool (Detail View): If one pool is configured, this area shows the starting and ending address of the DHCP pool. If multiple pools are configured, it shows a list of configured pool names.
* Number of DHCP Clients (Detail View): Current number of clients leasing addresses.
* Interface: Name of the configured interface.
  - Type: Interface type
  - IP Mask: IP address and subnet mask
  - Description: Description of the interface

Firewall Policies
This area shows the following information:
* Active: A firewall is in place.
* Inactive: No firewall is in place.
* Trusted: The number of trusted (inside) interfaces.
* Untrusted: The number of untrusted (outside) interfaces.
* DMZ: The number of demilitarized zone (DMZ) interfaces.
* Double arrow: Click to display or hide details.
* Interface: The name of the interface to which a firewall has been applied.
* Firewall icon: Whether the interface is designated as an inside or an outside interface.
* NAT: The name or number of the Network Address Translation (NAT) rule that is applied to this interface.
* Inspection Rule: The names or numbers of the inbound and outbound inspection rules.
* Access Rule: The names or numbers of the inbound and outbound access rules.

Virtual Private Network
This area shows the following information:
* Up: The number of active VPN connections.
* Double arrow: Click to display or hide details.
* IPsec (Site-to-Site): The number of configured site-to-site VPN connections.
* GRE over IPsec: The number of configured Generic Routing Encapsulation (GRE) over IPsec connections.
* XAUTH Login Required: The number of Cisco Easy VPN connections awaiting an Extended Authentication (XAUTH) login.

Note: Some VPN servers or concentrators authenticate clients using XAUTH. This functionality shows the number of VPN tunnels awaiting an XAUTH login. If any Cisco Easy VPN tunnel is waiting for an XAUTH login, a separate message panel is shown with a Login button. Click Login to enter the credentials for the tunnel.
If XAUTH has been configured for a tunnel, it will not begin to function until the login and password have been supplied. There is no timeout after which it will stop waiting; it will wait indefinitely for this information.

- Easy VPN Remote: The number of configured Cisco Easy VPN Remote connections.
- Number of DMVPN Clients: If the router is configured as a Dynamic Multipoint VPN (DMVPN) hub, the number of DMVPN clients.
- Number of Active VPN Clients: If the router is functioning as a Cisco Easy VPN Server, the number of Cisco Easy VPN Clients with active connections.
- Interface: The name of the interface with a configured VPN connection.
- IPsec Policy: The name of the IPsec policy that is associated with the VPN connection.

Routing

This area shows the following information:

- Number of Static Routes: The number of static routes that are configured on the router.
- Dynamic Routing Protocols: A list of any dynamic routing protocols that are configured on the router.

Intrusion Prevention

This area shows the following information:

- Active Signatures: The number of active signatures that the router is using. These signatures may be built-in, or they may be loaded from a remote location.
- Number of IPS-Enabled Interfaces: The number of router interfaces on which IPS has been enabled.

Cisco SDM Wizards

This topic describes some of the Cisco SDM wizards.

Figure: Cisco SDM Wizards
- Interfaces and connections: Configure WAN interfaces for PPP, Frame Relay, or HDLC, and configure LAN interfaces, along with DHCP services
- Firewall: Configure firewall features
- VPN: Configure VPN features
- Security audit: Perform a router security audit, with a button for router lockdown
- IPS: Intrusion prevention system
- QoS: Quality of service

Cisco SDM contains several wizard options, as shown in this figure.
- Interfaces and Connections: This menu contains several wizards that are designed to help you configure how the router connects to the network. You can access a LAN wizard to configure the LAN interfaces with a static or DHCP-assigned IP address. You can also access a WAN wizard to configure PPP, Frame Relay, and High-Level Data Link Control (HDLC) WAN interfaces. Additionally, you can configure the router as a DHCP server. Refer to http://www.cisco.com/go/sdm for the latest information about wizards and the interfaces that they support.
- Firewall wizard: This wizard is used to configure the firewall features. You can access a basic firewall setup, which consists of predefined access control lists (ACLs) for standard services, and an advanced firewall setup, where you can define each rule manually.
- VPN wizard: This wizard is used to configure the VPN features. You can configure your router as a VPN client for a site-to-site VPN, or as a VPN server for Cisco IOS WebVPN or Cisco Easy VPN.
- Security Audit wizards: There are two options, as follows:
  - The router security audit wizard
  - An easy one-step router security lockdown wizard
- Quality of Service wizard: This wizard is used to configure a basic QoS policy for outgoing traffic on WAN interfaces and IP Security (IPsec) tunnels.

Note: At the end of each wizard procedure, all changes are automatically delivered to the router using Cisco SDM-generated CLI commands. You can choose whether to preview the commands to be sent. The default is to not preview the commands.

Summary

This topic summarizes the key points that were discussed in this lesson.

- Cisco SDM is a useful tool for configuring Cisco access routers. Cisco Configuration Professional is an alternative to Cisco SDM.
- Cisco SDM contains several easy-to-use wizards for efficient configuration of Cisco access routers.
- Cisco SDM allows you to customize Cisco access router configurations using advanced features.

Lesson 8
Using a Cisco Router as a DHCP Server

Overview

Originally, network administrators had to manually configure the host address, default gateway, and other network parameters on each host. DHCP removes that manual step by providing these configuration parameters to Internet hosts. DHCP consists of these two components:

- A protocol for delivering host-specific configuration parameters from a DHCP server to a host
- A mechanism for allocation of network addresses to hosts

This lesson describes the use of a Cisco router as a DHCP server.

Objectives

Upon completing this lesson, you will be able to configure a Cisco IOS DHCP server using Cisco SDM. This ability includes being able to meet these objectives:

- Describe the features of DHCP
- Describe using a router as a DHCP server
- Describe how to use Cisco SDM to enable the DHCP server to function on a router
- Describe how to monitor DHCP server functions

Understanding DHCP

This topic describes the features of DHCP.

Figure: Understanding DHCP
- DHCP is built on a client-server model:
  - The DHCP server host allocates network addresses and delivers configuration parameters.
  - "Client": a host requesting initialization parameters from a DHCP server.
- DHCP supports three mechanisms for IP address allocation:
  - Automatic allocation: DHCP assigns a permanent IP address to a client.
  - Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time.
  - Manual allocation: A client IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client.
- Dynamic allocation is the only method that allows automatic reuse.

DHCP is built on a client-server model. The DHCP server hosts allocate network addresses and deliver configuration parameters to dynamically configured hosts.
The term "client" refers to a host that is requesting initialization parameters from a DHCP server. DHCP supports these three mechanisms for IP address allocation:

- Automatic allocation: DHCP assigns a permanent IP address to a client.
- Dynamic allocation: DHCP assigns an IP address to a client for a limited time (or until the client explicitly relinquishes the address).
- Manual allocation: A client IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client.

Dynamic allocation is the only one of the three mechanisms that allows automatic reuse of an address that is no longer needed by the client to which it was assigned. Dynamic allocation is particularly useful for assigning an address to a client that will be connected to the network only temporarily, or for sharing a limited pool of IP addresses among a group of clients that do not need permanent IP addresses. Dynamic allocation may also be a good choice for assigning an IP address to a new client that is being permanently connected to a network in which IP addresses are so scarce that it is important to reclaim them when old clients are retired.

Figure: DHCP message exchange between client and server

DHCPDISCOVER

When a client boots up for the first time, it transmits a DHCPDISCOVER message on its local physical subnet. Because the client has no way of knowing the subnet to which it belongs, the DHCPDISCOVER message is an all-subnets broadcast (destination IP address of 255.255.255.255). The client does not have a configured IP address, so the source IP address of 0.0.0.0 is used.

DHCPOFFER

A DHCP server that receives a DHCPDISCOVER message may respond with a DHCPOFFER message, which contains initial configuration information for the client. For example, the DHCP server provides the requested IP address.
The DHCPOFFER message also contains an Options field that is used to provide additional information such as the subnet mask or the default gateway ("router"). This Options field can also be used to specify several other values, including the IP address lease time, renewal time, domain name server, and NetBIOS Name Service (Microsoft Windows Internet Name Service (Microsoft WINS)). This DHCPOFFER message is sent to the client MAC address at Layer 2. The destination IP address is the address offered by the server.

DHCPREQUEST

After the client receives a DHCPOFFER message, it responds with a DHCPREQUEST message, indicating its intent to accept the parameters in the DHCPOFFER. The DHCPREQUEST is sent to the broadcast address (at Layer 2 and Layer 3), because the client is not sure yet if this address can safely be used (or if another DHCP client is also going to try to use it).

DHCPACK

After the DHCP server receives the DHCPREQUEST message, it acknowledges the request with a unicast DHCPACK message, thus completing the initialization process.

Using a Cisco Router as a DHCP Server

This topic describes how a Cisco router can provide DHCP server support.

Figure: Using a Router as a DHCP Server
Cisco IOS Software includes a full DHCP server implementation:
- Assigns IP addresses from specified address pools within the router
- Can be configured to assign the IP address of these components:
  - DNS server
  - Default router

Cisco routers running Cisco IOS Software provide complete support for a router to be a DHCP server. The Cisco IOS DHCP server is a complete DHCP server implementation that assigns and manages IP addresses from specified address pools within the router to DHCP clients. You can configure a DHCP server to assign additional parameters, such as the IP address of the Domain Name System (DNS) server and the default router.
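To make the four-message exchange described above concrete, here is an added example (not from the Cisco course) that encodes and decodes DHCP messages in the RFC 2131 wire format and runs a small in-memory server through DISCOVER, OFFER, REQUEST and ACK, recording the Layer 2 and Layer 3 addressing of each step. Pool, router, DNS and lease values follow the lesson's figure and CLI example (10.10.10.100 to 10.10.10.200, 10.10.10.1, 10.10.10.98, seven days); the client MAC addresses and transaction IDs are constructed.

```python
"""Model of the DHCPDISCOVER/OFFER/REQUEST/ACK exchange using the RFC 2131 wire format.

Added example, not part of the Cisco course. Pool, router and DNS values follow the
lesson's figure (10.10.10.100-200, 10.10.10.1, 10.10.10.98); MAC addresses and
transaction IDs passed in by callers are constructed.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                  # cookie that opens the Options field
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message-type codes
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"        # 236-byte fixed BOOTP header
BCAST_IP, UNSPEC_IP, BCAST_MAC = "255.255.255.255", "0.0.0.0", "ff:ff:ff:ff:ff:ff"


def build(op, xid, mac, options, yiaddr="0.0.0.0"):
    """Encode a DHCP message: fixed header, magic cookie, TLV options, END (0xFF)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    zero4 = b"\0" * 4
    hdr = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0, zero4, IPv4Address(yiaddr).packed,
                      zero4, zero4, chaddr, b"\0" * 64, b"\0" * 128)
    tlv = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + tlv + b"\xff"


def parse(pkt):
    """Decode the header fields we need plus the Options TLVs (stops at END)."""
    f = struct.unpack(HEADER, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while pkt[i] != 0xFF:
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
            "mac": f[11][:6].hex(":"), "options": opts}


@dataclass
class Frame:
    """Envelope recording the Layer 2/3 addressing the lesson describes for each step."""
    src_ip: str
    dst_ip: str
    dst_mac: str
    payload: bytes


@dataclass
class DhcpServer:
    server_ip: str = "10.10.10.1"
    pool: list = field(default_factory=lambda: [f"10.10.10.{h}" for h in range(100, 201)])
    offered: dict = field(default_factory=dict)   # xid -> address tentatively reserved
    bound: dict = field(default_factory=dict)     # client MAC -> leased address

    def _options(self, msg_type):
        """Options carried in OFFER and ACK: mask, router, DNS, lease time, server id."""
        return [(53, bytes([msg_type])),
                (1, IPv4Address("255.255.255.0").packed),
                (3, IPv4Address(self.server_ip).packed),
                (6, IPv4Address("10.10.10.98").packed),
                (51, struct.pack("!I", 7 * 24 * 3600)),      # seven-day lease
                (54, IPv4Address(self.server_ip).packed)]

    def handle(self, frame):
        """Process one client message; return the reply Frame, or None if ignored."""
        msg = parse(frame.payload)
        kind = msg["options"][53][0]
        if kind == DISCOVER:
            taken = set(self.offered.values()) | set(self.bound.values())
            addr = next(a for a in self.pool if a not in taken)   # StopIteration if exhausted
            self.offered[msg["xid"]] = addr
            pkt = build(2, msg["xid"], msg["mac"], self._options(OFFER), yiaddr=addr)
            # OFFER: Layer 2 destination is the client MAC, Layer 3 destination the offered address.
            return Frame(self.server_ip, addr, msg["mac"], pkt)
        if kind == REQUEST:
            wanted = str(IPv4Address(msg["options"][50]))
            if self.offered.get(msg["xid"]) != wanted:
                return None            # request for an address we did not offer: ignore
            self.bound[msg["mac"]] = self.offered.pop(msg["xid"])
            pkt = build(2, msg["xid"], msg["mac"], self._options(ACK), yiaddr=wanted)
            return Frame(self.server_ip, wanted, msg["mac"], pkt)   # unicast ACK
        return None


def client_exchange(server, mac, xid):
    """Run one client through DISCOVER -> OFFER -> REQUEST -> ACK; return (address, ACK frame)."""
    discover = build(1, xid, mac, [(53, bytes([DISCOVER]))])
    # No address yet: source 0.0.0.0, all-subnets broadcast at Layer 3 and Layer 2.
    offer = server.handle(Frame(UNSPEC_IP, BCAST_IP, BCAST_MAC, discover))
    offered = parse(offer.payload)
    request = build(1, xid, mac, [(53, bytes([REQUEST])),
                                  (50, IPv4Address(offered["yiaddr"]).packed),   # requested IP
                                  (54, offered["options"][54])])                 # chosen server
    # REQUEST is still broadcast: the client cannot yet be sure the address is safe to use.
    ack = server.handle(Frame(UNSPEC_IP, BCAST_IP, BCAST_MAC, request))
    return parse(ack.payload)["yiaddr"], ack
```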
The Cisco IOS DHCP server accepts address assignment requests and renewals and assigns the addresses from predefined groups of addresses that are contained within DHCP address pools. These address pools can also be configured to supply additional information to the requesting client, such as the IP address of the DNS server, the default router, and other configuration parameters. The Cisco IOS DHCP server can accept broadcasts from locally attached LAN segments or DHCP requests that have been forwarded by other DHCP relay agents within the network.

Using Cisco SDM to Enable the DHCP Server Function

This topic describes how to use Cisco Router and Security Device Manager (SDM) to enable the DHCP server function on the router.

Figure: DHCP Server Using a Router. DHCP Pool: 10.10.10.100 to 10.10.10.200; Default Router: 10.10.10.1; router LAN interface 10.10.10.1/24; Client (Host) on the LAN and Router (DHCP Server).

In this example, you enable the DHCP server for the 10.10.10.1/24 interface using a pool of addresses from 10.10.10.100 through 10.10.10.200. This router will be advertised as the default router (default gateway) to the clients.

Additional Tasks

This figure shows the Cisco SDM tool that configures the DHCP server on the router. The DHCP server function is enabled from within the Additional Tasks tab in the Cisco SDM tool. From the list, click DHCP Pools. Then click Add to create the new DHCP pool.

DHCP Pool

The Add DHCP Pool window allows you to configure the DHCP IP address pool. The IP addresses that the DHCP server assigns are drawn from a common pool that you configure by specifying the starting and ending IP addresses in the range.
The Add DHCP Pool window shows the following fields:

- DHCP Pool Name: A character string that identifies the DHCP pool.
- DHCP Pool Network and Subnet Mask: The IP addresses that the DHCP server assigns are drawn from a common pool that you configure by specifying the starting IP address in the range and the ending address in the range.

  The address range that you specify should be within the following private address ranges:
  - 10.1.1.1 to 10.255.255.255
  - 172.16.1.1 to 172.31.255.255
  - 192.168.0.0 to 192.168.255.255

  The address range that you specify must also be in the same subnet as the IP address of the LAN interface. The range can represent a maximum of 254 addresses. The following examples are valid ranges:
  - 10.1.1.1 to 10.1.1.254 (assuming that the LAN IP address is in the 10.1.1.0 subnet)
  - 172.16.1.1 to 172.16.1.254 (assuming that the LAN IP address is in the 172.16.1.0 subnet)

  Cisco SDM configures the router to automatically exclude the LAN interface IP address in the pool. You must not use the following reserved addresses in the range of addresses that you specify:
  - The network or subnetwork IP address
  - The broadcast address on the network

- Starting IP: Enter the beginning of the range of IP addresses for the DHCP server to use in assigning addresses to devices on the LAN. This IP address is the lowest-numbered IP address in the range.
- Ending IP: Enter the highest-numbered IP address in the range of IP addresses.
- Lease Length: The amount of time that the client may use the assigned address before it must be renewed.
- DHCP Options: Use this pane to configure DHCP options that will be sent to hosts on the LAN that request IP addresses from the router. These are not options for the router that you are configuring; these are parameters that will be sent to the requesting hosts on the LAN.
  To set these properties for the router, click Additional Tasks on the Cisco SDM category bar, click DHCP, and configure these settings in the DHCP Pool window.
  - DNS Server: The DNS server is typically a server that maps a known device name with its IP address. If you have a DNS server that is configured for your network, enter the IP address for the server here.
  - DNS Server2: If there is an additional DNS server on the network, you can enter the IP address for that server in this field.
  - Domain Name: The DHCP server that you are configuring on this router will provide services to other devices within this domain. Enter the name of the domain here.
  - WINS Server: Some clients may require Microsoft WINS to connect to devices on the Internet. If there is a Microsoft WINS server on the network, enter the IP address for the server in this field.
  - WINS Server2: If there is an additional Microsoft WINS server on the network, enter the IP address for the server in this field.
  - Default Router: The IP address that will be provided to the client for use as the default gateway.
  - Import All DHCP Options into the DHCP Server Database: Select this check box to allow the DHCP options to be imported from a higher-level server. This import is typically used with an Internet DHCP server.

Figure: Cisco IOS DHCP Server Configuration
- DHCP server configuration is supported in Cisco IOS CLI.
- CLI configuration provides additional DHCP configuration options.
- CLI configuration is faster.

    Router(config)#ip dhcp excluded-address 10.10.10.0 10.10.10.99

- Cisco IOS DHCP server configuration

DHCP server configuration is supported through Cisco SDM or the Cisco IOS command-line interface (CLI). The Cisco SDM GUI tool introduces an easier way of configuration for users that are not familiar with Cisco IOS CLI.
For more-experienced users, Cisco IOS CLI provides additional DHCP configuration options and faster configuration. To configure Cisco IOS DHCP, follow these steps:

Step 1  Using the ip dhcp pool global configuration command, create a DHCP IP address pool for the IP addresses you want to use. The configuration mode will change to DHCP pool configuration mode.
Step 2  Using the network command, specify the network and the subnet to use.
Step 3  Using the domain-name command, define the DNS domain name.
Step 4  Using the dns-server command, define the primary and secondary DNS servers.
Step 5  Using the default-router command, define the default gateway.
Step 6  Using the lease command, specify the lease duration for the addresses that are provided from the DHCP server. The example shows a seven-day lease: lease 7.
Step 7  Using the exit command, exit the DHCP pool configuration mode.
Step 8  Using the ip dhcp excluded-address global configuration command, exclude addresses in the pool range that you do not want to assign to the clients.

The following example shows a configured Cisco IOS DHCP server on a router (the network statement uses the /24 mask of the 10.10.10.1/24 LAN interface shown in the figure):

    Router(config)#ip dhcp pool mydhcppool
    Router(dhcp-config)#network 10.10.10.0 /24
    Router(dhcp-config)#domain-name mydhcpdomain.com
    Router(dhcp-config)#dns-server 10.10.10.98 10.10.10.99
    Router(dhcp-config)#default-router 10.10.10.1
    Router(dhcp-config)#lease 7
    Router(dhcp-config)#exit
    Router(config)#ip dhcp excluded-address 10.10.10.0 10.10.10.99

For more details about Cisco IOS DHCP-related commands, refer to the Cisco IOS IP Addressing Services Command Reference at the following link: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html

Monitoring DHCP Server Functions

This topic describes how to monitor DHCP server functions.
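The following added example (not Cisco code) applies the Add DHCP Pool rules from the previous topic (private range, same subnet as the LAN interface, at most 254 addresses, no network or broadcast address, LAN interface IP excluded) and then emits the Cisco IOS commands of Steps 1 to 8, including the ip dhcp excluded-address ranges that keep addresses outside the pool from being leased. It assumes the /24 LAN interface of the lesson's figure; pool name, domain and DNS servers in the test come from the CLI example above.

```python
"""Check a DHCP pool against the rules the SDM Add DHCP Pool window enforces, then emit the
equivalent Cisco IOS CLI (Steps 1-8 of the lesson). Added example, not Cisco's code; the
network statement uses the /24 of the lesson's figure and the LAN addresses are the lesson's.
"""
from ipaddress import IPv4Address, IPv4Interface

# Private ranges exactly as the SDM window text lists them.
PRIVATE_RANGES = [("10.1.1.1", "10.255.255.255"),
                  ("172.16.1.1", "172.31.255.255"),
                  ("192.168.0.0", "192.168.255.255")]
MAX_POOL = 254


def check_pool(lan_interface, start, end):
    """Return the list of rule violations for a proposed range; [] means acceptable."""
    lan = IPv4Interface(lan_interface)
    lo, hi = IPv4Address(start), IPv4Address(end)
    problems = []
    if lo > hi:
        problems.append("starting IP is higher than ending IP")
    if not any(IPv4Address(a) <= lo and hi <= IPv4Address(b) for a, b in PRIVATE_RANGES):
        problems.append("range is not within a private address range")
    if lo not in lan.network or hi not in lan.network:
        problems.append("range is not in the same subnet as the LAN interface")
    if int(hi) - int(lo) + 1 > MAX_POOL:
        problems.append(f"range represents more than {MAX_POOL} addresses")
    if lo <= lan.network.network_address <= hi:
        problems.append("range includes the network address")
    if lo <= lan.network.broadcast_address <= hi:
        problems.append("range includes the broadcast address")
    return problems


def excluded_ranges(lan_interface, start, end):
    """Addresses of the subnet that must not be leased: everything outside [start, end] plus
    the LAN interface IP itself (SDM excludes it automatically), collapsed into runs."""
    lan = IPv4Interface(lan_interface)
    lo, hi = int(IPv4Address(start)), int(IPv4Address(end))
    runs = []
    # Walk from the network address up to the last host; the broadcast address is never leased.
    for a in range(int(lan.network.network_address), int(lan.network.broadcast_address)):
        if lo <= a <= hi and a != int(lan.ip):
            continue                      # inside the pool and not the interface: leasable
        if runs and runs[-1][1] == a - 1:
            runs[-1][1] = a               # extend the current contiguous run
        else:
            runs.append([a, a])
    return [(str(IPv4Address(a)), str(IPv4Address(b))) for a, b in runs]


def ios_dhcp_config(pool_name, lan_interface, start, end, domain, dns_servers, lease_days):
    """Cisco IOS commands equivalent to the SDM pool; raises if the range breaks a rule."""
    problems = check_pool(lan_interface, start, end)
    if problems:
        raise ValueError("; ".join(problems))
    lan = IPv4Interface(lan_interface)
    lines = [f"ip dhcp pool {pool_name}",
             f" network {lan.network.network_address} /{lan.network.prefixlen}",
             f" domain-name {domain}",
             " dns-server " + " ".join(dns_servers),
             f" default-router {lan.ip}",
             f" lease {lease_days}",
             " exit"]
    for a, b in excluded_ranges(lan_interface, start, end):
        lines.append(f"ip dhcp excluded-address {a}" + (f" {b}" if b != a else ""))
    return lines
```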
Figure: Checking the DHCP Configuration (Cisco SDM DHCP Pools tab)

You can verify the DHCP configuration parameters from the DHCP Pools tab. You can also view additional information regarding the leased addresses by clicking DHCP Pool Status.

Figure: DHCP Pool Status window (DHCP pool name and IP addresses leased)

The DHCP Pool Status window shows a list of the currently leased addresses.

The show ip dhcp binding Command

    RouterX#show ip dhcp binding
    IP address       Hardware address     Lease expiration        Type
    10.10.10.203     00a0.9602.324e       Feb 01 2010 12:00 AM    Automatic

- Display the address bindings on a Cisco IOS DHCP server

To verify the operation of DHCP, use the show ip dhcp binding command. This command displays a list of all IP address to MAC address bindings that have been provided by the DHCP service. For more details about the show ip dhcp binding command, refer to the Cisco IOS IP Addressing Services Command Reference at the following link: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html

The show ip dhcp conflict Command

    RouterX#show ip dhcp conflict
    IP address       Detection Method     Detection time
    172.16.1.32      Ping                 Feb 16 2007 12:28 PM
    172.16.1.64      Gratuitous ARP       Feb 23 2007 08:12 AM

- Display the address conflicts found by a DHCP server

To display address conflicts that are found by a DHCP server when addresses are offered to the client, use the show ip dhcp conflict command in user EXEC or privileged EXEC mode:

    Router#show ip dhcp conflict [ip-address]

The server uses ping to detect conflicts. The client uses gratuitous Address Resolution Protocol (GARP) to detect conflicts. If an address conflict is detected, the address is removed from the pool and the address is not assigned until an administrator resolves the conflict.
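As an added example (not Cisco code), the following parses the output of the two show commands above into records and joins them, so that a conflict on an address that also appears in the binding table can be traced to the client holding the lease, while a conflict on an unleased address is simply held out of the pool as the text describes. The sample output is the lesson's, with one constructed conflict line on 10.10.10.203 added so the join has a match.

```python
"""Parse `show ip dhcp binding` and `show ip dhcp conflict` output and cross-check them, so a
conflicting address can be tied back to the client that was leased it. Added example, not
Cisco's code; the sample output is the lesson's plus one constructed conflict line.
"""
import re
from datetime import datetime

BINDING_OUTPUT = """\
RouterX#show ip dhcp binding
IP address       Hardware address     Lease expiration        Type
10.10.10.203     00a0.9602.324e       Feb 01 2010 12:00 AM    Automatic
"""
# The last row below is constructed so that one conflict matches a leased address.
CONFLICT_OUTPUT = """\
RouterX#show ip dhcp conflict
IP address       Detection Method     Detection time
172.16.1.32      Ping                 Feb 16 2007 12:28 PM
172.16.1.64      Gratuitous ARP       Feb 23 2007 08:12 AM
10.10.10.203     Gratuitous ARP       Feb 02 2010 09:15 AM
"""
IOS_TIME = "%b %d %Y %I:%M %p"                       # e.g. "Feb 16 2007 12:28 PM"
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
STAMP = r"[A-Z][a-z]{2} \d\d \d{4} \d\d:\d\d [AP]M"
BINDING_RE = re.compile(rf"^{IPV4}\s+([0-9a-fA-F.]+)\s+(Infinite|{STAMP})\s+(\w+)\s*$")
CONFLICT_RE = re.compile(rf"^{IPV4}\s+(Ping|Gratuitous ARP)\s+({STAMP})\s*$")


def parse_bindings(text):
    """Rows of `show ip dhcp binding`; 'expires' is a datetime, or None for Infinite leases."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if not m:
            continue                      # prompt, column header, or blank line
        ip, hw, exp, kind = m.groups()
        rows.append({"ip": ip, "hw": hw.lower(), "type": kind,
                     "expires": None if exp == "Infinite" else datetime.strptime(exp, IOS_TIME)})
    return rows


def parse_conflicts(text):
    """Rows of `show ip dhcp conflict`: address, detection method (Ping is the server's probe
    before offering, Gratuitous ARP is the client's own check) and detection time."""
    rows = []
    for line in text.splitlines():
        m = CONFLICT_RE.match(line.strip())
        if m:
            ip, method, seen = m.groups()
            rows.append({"ip": ip, "method": method,
                         "detected": datetime.strptime(seen, IOS_TIME)})
    return rows


def triage(bindings, conflicts):
    """Join conflicts to bindings. A conflict on a leased address names the client that may be
    colliding with another device; an unleased one was caught before the address was offered
    and stays out of the pool until an administrator clears it."""
    leased = {b["ip"]: b for b in bindings}
    report = []
    for c in conflicts:
        b = leased.get(c["ip"])
        report.append({"ip": c["ip"], "method": c["method"],
                       "leased_to": b["hw"] if b else None,
                       "note": ("lease outstanding; check the client and the other device"
                                if b else "address held out of the pool until cleared")})
    return report
```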
The following example displays the detection method and detection time for all IP addresses that are offered by the DHCP server that have conflicts with other devices.

    RouterX#show ip dhcp conflict
    IP address       Detection Method     Detection time
    172.16.1.32      Ping                 Feb 16 2007 12:28 PM
    172.16.1.64      Gratuitous ARP       Feb 23 2007 08:12 AM

Field Descriptions for the show ip dhcp conflict Command

    Field             Description
    IP address        The IP address of the host as recorded on the DHCP server.
    Detection Method  The manner in which the IP addresses of the hosts were found on the DHCP server. This field can be ping or GARP.
    Detection time    The date and time when the conflict was found.

For more details about the show ip dhcp conflict command, refer to the Cisco IOS IP Addressing Services Command Reference at the following link: http://www.cisco.com/en/US/docs/ios/ipaddr/command/reference/iad_book.html

Summary

This topic summarizes the key points that were discussed in this lesson.

- DHCP is built on a client-server model. DHCP server hosts allocate network addresses and deliver configuration parameters.
- Cisco IOS Software includes a DHCP server.
- Cisco SDM can be used to configure a DHCP server on a router. Alternatively, Cisco IOS CLI can be used to configure the DHCP server.
- Cisco SDM can be used to monitor a DHCP server on the router. The show ip dhcp conflict Cisco IOS command can be used to find conflicts.

Module Summary

This topic summarizes the key points that were discussed in this module.

- Binary numbers are based on the "powers of 2."
- IP addressing:
  - Dotted decimal representation of a binary string
  - Identifies the network, subnet, and host
- Routers have a startup process where they test the hardware and load the operating system and configuration.
- Basic router configuration is usually done through the console port using CLI and consists of the host address and interface IP addressing.
- Routers have hardware, environmental, electrical, and maintenance-related security threats, similar to switches.

Module Summary (Cont.)
- Basic router security consists of a login banner and Telnet and SSH.
- The Cisco IOS DHCP server is a full DHCP server that can be configured using Cisco SDM.

Module Self-Check

Use the questions here to review what you learned in this module. The correct answers and solutions are found in the Module Self-Check Answer Key.

Q1) All computers function using the ___. (Source: Understanding Binary Basics)
    A) base-10 system
    B) decimal system
    C) numeric system
    D) binary system

Q2) The decimal number 10 converts to the binary number ___. (Source: Understanding Binary Basics)
    A) 10
    B) 1010
    C) 10
    D) 1000

Q3) Which of the following binary octets has an LSB of 0? (Source: Understanding Binary Basics)
    A) 01100011
    B) 10100101
    C) 10011010
    D) 10011001

Q4) IP addresses are represented using ___. (Source: Understanding Binary Basics)
    A) 32-bit binary numbers
    B) 16-bit decimal numbers
    C) 8-bit binary numbers
    D) 8 sets of 4-bit decimal numbers

Q5) 2 to the fifth power is ___. (Source: Understanding Binary Basics)
    A) 285
    B) 128
    C) 2 multiplied by itself 5 times
    D) none of the above

Q6) The decimal number 205 converted into a binary number is ___. (Source: Understanding Binary Basics)
    A) 1011101
    B) 11001001
    C) 110001019
    D) 11001101

Q7) The decimal number 452 converted into a binary number, using successive division by 2, is ___. (Source: Understanding Binary Basics)
    A) 111000100
    B) 110000100
    C) 111001100
    D) 101000100

Q8) What is the decimal equivalent of the binary number 11000111? (Source: Understanding Binary Basics)
    A) 218
    B) 199
    C) 179
    D) 208

Q9) The binary number 11101000111 converted into a decimal number, using powers of 2, is ___. (Source: Understanding Binary Basics)
    A) 1183
    B) 1873
    C) 1638
    D) 1863

Q10) How many octets does a Class A network have in the host field? (Source: Constructing a Network Addressing Scheme)
    A) 3
    B) 2
    C) 1
    D) 4

Q11) What is the practical minimum number of bits that can be borrowed to form a subnet? (Source: Constructing a Network Addressing Scheme)
    A) 1
    B) 2
    C) 3
    D) 4

Q12) Using 6 subnet bits, how many usable subnets are created? (Source: Constructing a Network Addressing Scheme)
    A) 88
    B) 60
    C) 62
    D) 66

Q13) How many host addresses can be used in a Class C network? (Source: Constructing a Network Addressing Scheme)
    A) 253
    B) 254
    C) 255
    D) 256

Q14) What is the maximum number of bits that can be borrowed to create a subnet for a Class C network? (Source: Constructing a Network Addressing Scheme)
    A)
    B)
    C)
    D)

Q15) A subnet mask tells the router to look at which portions of an IP address? (Source: Constructing a Network Addressing Scheme)
    A) mask and host bits
    B) host and network bits
    C) host and subnet bits
    D) network and subnet bits

Q16) If a router does not match the appropriate address portions to a number on its routing table, it ___. (Source: Constructing a Network Addressing Scheme)
    A) sends the packet back to the sender
    B) passes the packet to the next router in the hierarchy
    C) adds that number to its table
    D) discards the packet

Q17) Which of the following subnet masks falls on octet boundaries? (Source: Constructing a Network Addressing Scheme)
    A) 255.0.0.0
    B) 255.255.0.0
    C) 255.255.255.0
    D) all of the above

Q18) Which two of the following are binary default subnet masks? (Choose two.) (Source: Constructing a Network Addressing Scheme)
    A) 11111111.00000000.00000000.00000000
    B) 11111111.11111111.01000000.00000000
    C) 11111111.11111111.11111111.00000000
    D) 255.255.224.0

Q19) Which part of the IP address 172.17.128.47 does the subnet mask 255.255.0.0 tell the router to look for? (Source: Constructing a Network Addressing Scheme)
    A) 172.17.128.47
    B) 172.17.128
    C) 172.17
    D) 10.172.47

Q20) 255.255.224.0 translates into the binary number ___. (Source: Constructing a Network Addressing Scheme)
    A) 11111111.00000000.11100000.00000000
    B) 11111111.11100000.00000000.00000000
    C) 11111111.11111111.11100000.00000000
    D) 11111111.11111111.11110000.00000000

Q21) To see how many bits you should borrow from the host portion of the network address to give you the number of subnets that you need, you should ___. (Source: Constructing a Network Addressing Scheme)
    A) subtract the number of subnets that you need from the host portion
    B) add the bit values from right to left until the total (decimal value) is just greater than the number of subnets that you need
    C) add the bit values from left to right until the total (decimal value) is just greater than the number of subnets that you need
    D) none of the above

Q22) How should you power up a Cisco router? (Source: Starting a Cisco Router)
    A) Press the Reset button.
    B) Turn the power switch to "on."
    C) Connect the fiber cable to another router.
    D) Attach the power cable plug to the router power supply socket.

Q23) When you start a Cisco router, what should you see on the console? (Source: Starting a Cisco Router)
    A) Cisco IOS debug messages
    B) the Diagnostic Console menu
    C) Cisco IOS Software output text
    D) a graphical picture showing the real-time status of the LED

Q24) What is the primary purpose of setup mode on a Cisco router? (Source: Starting a Cisco Router)
    A) to display the current router configuration
    B) to complete hardware and interface testing
    C) to bring up a minimal feature configuration
    D) to fully configure a Cisco router for IP routing

Q25) Which statement best describes what the user EXEC mode commands allow you to configure on a Cisco router? (Source: Starting a Cisco Router)
    A) You cannot configure anything; the user mode commands are used to display information.
    B) The user EXEC mode allows you to perform global configuration tasks that affect the entire router.
    C) The user EXEC mode commands allow you to enter a secret password so that you can configure the router.
    D) The user EXEC mode commands allow you to configure interfaces, subinterfaces, lines, and routers.

Q26) Which Cisco IOS command is used to return to user EXEC mode from the privileged EXEC mode? (Source: Starting a Cisco Router)
    A) exit
    B) quit
    C) disable
    D) userexec

Q27) Match each type of help available with the Cisco IOS CLI to its description. (Source: Starting a Cisco Router)
    1. context-sensitive help
    2. console error messages
    3. command history buffer
    A) provides a list of commands and arguments associated with a specific command
    B) allows recall of long or complex commands or entries for reentry, review, or correction
    C) identifies problems with router commands incorrectly entered so that you can alter or correct them

Q28) What information does the show running-config command provide on a Cisco router? (Source: Starting a Cisco Router)
    A) current (running) configuration in RAM
    B) system hardware and names of configuration files
    C) amount of NVRAM used to store the configuration
    D) version of Cisco IOS Software running on the router

Q29) Which Cisco IOS command displays the configuration of the system hardware and the software version information? (Source: Starting a Cisco Router)
    A) show version
    B) show interfaces
    C) show startup-config
    D) show running-config

Q30) Match each router prompt to its configuration mode. (Source: Configuring a Cisco Router)
    1. line
    2. router
    3. interface
    4. controller
    5. subinterface
    A) Router(config-if)#
    B) Router(config-line)#
    C) Router(config-subif)#
    D) Router(config-router)#
    E) Router(config-controller)#

Q31) If you enter a major command on a Cisco router, what happens? (Source: Configuring a Cisco Router)
    A) The router returns you to user EXEC mode.
    B) The router returns a list of possible commands.
    C) The router invokes a global configuration command.
    D) The router switches you from one configuration mode to another.

Q32) Which Cisco IOS command creates a message to be displayed upon router login? (Source: Configuring a Cisco Router)
    A) hostname hostname
    B) banner motd message
    C) hostname interface description
    D) description interface description

Q33) If both the enable secret and the enable password commands are configured on your router, how do you get to the # prompt? (Source: Configuring a Cisco Router)
    A) Enter the enable secret command.
    B) Enter the enable password command.
    C) Enter either the enable secret or the enable password command.
    D) Enter both the enable secret and the enable password commands.

Q34) Which Cisco IOS command will you use to set the console session timeout to 15 minutes and 30 seconds? (Source: Configuring a Cisco Router)
    A) set exec timeout 15 30
    B) console timeout 15 30
    C) timeout 15 30
    D) exec-timeout 15 30

Q35) Which Cisco IOS command configures a serial port in slot 0, port 1, on a modular router? (Source: Configuring a Cisco Router)
    A) interface serial 0-0-1
    B) interface serial 0.01
    C) interface serial 0/0/1
    D) interface serial 0/0-1

Q36) Which Cisco IOS command should you use to set the clock speed to 64 kb/s on a serial interface on a Cisco router? (Source: Configuring a Cisco Router)
    A) clock rate 64
    B) clock speed 64
    C) clock rate 64000
    D) clock speed 64000

Q37) A serial interface displays "Serial1 is up, line protocol is down." Which two situations may cause this error? (Choose two.) (Source: Configuring a Cisco Router)
    A) The clock rate has not been set.
    B) The interface has been manually disabled.
    C) No cable is attached to the serial interface.
    D) There are no keepalives.
    E) There is a mismatch in the encapsulation type.

Q38) Which two of the following would be considered a physical threat? (Choose two.) (Source: Understanding Cisco Router Security)
    A) a user leaving their password in their desk
    B) someone turning off the power to the switch to block network access
    C) someone turning off the air conditioning system in the network closet
    D) someone breaking into the cabinet that contains the network documentation

Q39) Which four of the following can be protected with a password? (Choose four.) (Source: Understanding Cisco Router Security)
    A) console access
    B) vty access
    C) tty access
    D) user-level access
    E) EXEC-level access

Q40) Which of the following is a customized text that is displayed before the username and password login prompts? (Source: Understanding Cisco Router Security)
    A) message-of-the-day banner
    B) login banner
    C) access warning
    D) user banner
    E) warning message

Q41) Which of the following is the most secure method of remotely accessing a network device? (Source: Understanding Cisco Router Security)
    A) HTTP
    B) Telnet
    C) SSH
    D) RMON
    E) SNMP

Q42) Which of the following describes the Cisco Router and Security Device Manager? (Source: Using Cisco SDM)
    A) It is a PC-based management system that can be used to configure features such as a DHCP server.
    B) It is a web-based management system that can be used to configure features such as a DHCP server.
    C) It is a server-based management system that can be used to configure features such as a DHCP server.
    D) It is a client-based management system that can be used to configure features such as a DHCP server.

Q43) Where do Cisco SDM files reside? (Source: Using Cisco SDM)
    A) the PC
    B) the router
    C) the local client
    D) a network server

Q44) Which two of the following are functions of DHCP? (Choose two.) (Source: Using a Cisco Router as a DHCP Server)
    A) DHCP dynamically assigns host names to client devices.
    B) DHCP dynamically assigns IP addresses to client devices.
    C) DHCP dynamically assigns a default gateway to client devices.
    D) DHCP dynamically assigns security access levels to client devices.

Q45) Which of the following describes the DHCP server provided by Cisco IOS Software? (Source: Using a Cisco Router as a DHCP Server)
    A) It is a full DHCP server.
    B) Its support is limited to assigning IP addresses to clients.
    C) It must obtain its DHCP information from a master DHCP server.
    D) It has limited DHCP support and can only assign IP addresses and default gateways to clients.

Q46) Which four of the following are required DHCP parameters when configuring a DHCP server on a Cisco router? (Choose four.) (Source: Using a Cisco Router as a DHCP Server)
    A) pool name
    B) lease time
    C) domain name
    D) default router
    E) DNS server addresses
    F) WINS server addresses
    G) DHCP network and subnet
    H) starting and ending addresses

Q47) Which command can be used to see if an address in the DHCP pool is already in use by another device? (Source: Using a Cisco Router as a DHCP Server)
    A) sh ip dhcp bindings
    B) sh ip dhcp database
    C) sh ip dhcp mapping
    D) sh ip dhcp conflicts
