
CCENT & CCNA Exam Prep

Chapter 1. Standard Internetworking Models 4

Internetwork 4

OSI model 4

TCP/IP model 7

Cisco 3-layer hierarchical model 8

Chapter 2. Physical Layer Networking Concepts 10

Network Media 10

Physical layer devices 11

Chapter 3. Data Link Networking Concepts 13

Ethernet 13

Data Link Layer Devices 14

Chapter 4. General Network Security 16

Network attacks 16

Solutions and preventions 17

Chapter 5. IP At The Network Layer 18

IPv4 and IPv6 18

Network layer devices 19

Chapter 6. Introduction to Cisco Routers and Switches 21

LAN interfaces 21

WAN interfaces 21

Memory components 22

Cisco Internetworking Operating System(IOS) 23

Chapter 7. Foundation of Cisco IOS Operations 24

Router/Switch startup procedure 24

EXEC sessions 25

Chapter 8. Foundation Cisco Configuration 28

Global Configuration 28

Line Configurations 29

Interface configuration 29

More configurations 30

Troubleshooting and Backup Commands 32

Chapter 9. Understanding the Cisco SDM 35

Chapter 10. Introduction to Routing and Routing Protocols 36

Routing table and types of routes 36

Types of routing protocols 37

Chapter 11. Distance Vector Routing Protocols 39

Routing loops, its solution, and other methods of convergence 39

Distance-vector protocols, RIP 40

Chapter 12. Link-State and Hybrid Routing Protocols 43

Link-State Routing Protocols and OSPF 43

OSPF 43

Area, AS and OSPF topology 43

Configuring OSPF 45

Balanced Hybrid Operations 46

Configure EIGRP 47

Chapter 13. Foundation Switching Operations 49

Switch operation 49

Switch loops 49

Switch Configuration and Troubleshooting 51

Chapter 14. Enhanced Switching Operations 52

PortFast, UplinkFast, and BackboneFast 52

RSTP and PVST 52

Chapter 15. Virtual LAN 54

Chapter 16. Implementing Switch Security 57

Physical and Basic Logical Security 57

Switchport port-security 57

VLAN security 58

Chapter 17. Understanding Wireless Networking 59

IEEE 802.11 standard 60

Chapter 18. Wireless Security and Implementation Considerations 61

Wireless attacks 61

Wireless security: encryption, detection, and authentication 61

Wireless topology 62

Troubleshooting 63

Chapter 19. Using Access Lists 64

Chapter 20. Enabling Internet Connectivity with NAT 67

Types of NAT 67

Configure NAT at ICND1 68

Chapter 21. Command-Line NAT implementation 70

Chapter 22. Wide Area Network Connections 72

WAN options 72

WAN link data encapsulation 73

PPP 74

4 features of LCP 74

PPP configuration and troubleshooting 76

Chapter 23. Frame Relay 77

Chapter 24. Understanding VPN connectivity 82

Chapter 1. Standard Internetworking Models

Internetwork

Internetwork, or internet with a lowercase i, refers to a large network made up of smaller,
connected networks. The Internet with an uppercase I, on the other hand, is the biggest
internetwork. Examples of internetworks include MANs, WANs, VPNs, etc.

Ethernet is the most pervasive LAN architecture used today; other technologies
include FDDI and Token Ring. A LAN may contain switches, bridges, repeaters, or routers
to connect to a WAN or MAN.

A WAN is made up of smaller networks connected using routers; the connectivity from
router to router is a circuit leased from a telephone or communications company.

A Storage Area Network (SAN) is a subnetwork or a network that allows users on a larger
network to connect to various data storage devices using clusters of data servers and
special channels such as Fibre Channel or SCSI. A SAN can be created using Cisco MDS
9000 series Multilayer SAN switches.

A VPN is a private network that can reach public networks remotely. A VPN uses
encryption and security protocols to retain privacy while accessing outside resources.
When employed on a network, a VPN enables an end user to create a virtual tunnel to a
remote location. For instance, telecommuters use a VPN to log into company networks
from home.

OSI model

In the OSI model, every layer communicates with its adjacent layers and with the
corresponding layer on another system. The upper layers are the layers of the OSI model that
communicate between applications; these are Application (7), Presentation (6), and
Session (5). The lower layers, on the other hand, are concerned with the transportation of
data over a physical device; these are Transport (4), Network (3), Data Link (2), and
Physical (1).

Application layer:
• Provides an interface between the hostʼs communication software and other applications
• Evaluates what resources are needed to establish communication and their availability
• Synchronizes data between client/server applications
• Manages error control and data integrity between applications
• Provides system-independent processes to a host
• Some protocols supported in this layer: HTTP, HTTPS, FTP, TFTP, SFTP, DNS, NTP,
NNTP, SMTP, POP3, IMAP4, SNMP, DHCP, NFS (allows files from different operating
systems to be shared), and Telnet (provides terminal emulation to a remote host by
creating a virtual terminal).

The Presentation layer is responsible for encryption, decryption, compression, and
decompression. Some protocols include: JPEG, ASCII, EBCDIC, TIFF, GIF, PCT,
MPEG, MIDI, RTF, QuickTime, etc.

The Session layer is primarily concerned with dialog control, or sessions among devices. It
also functions as an intermediary for applications that need to manage sessions.

Session layer protocols and their functions:
• Network File System (NFS): Accesses remote resources transparently, representing
files and directories as if they were local to the userʼs system. Developed by Sun and used
on Unix workstations.
• Structured Query Language (SQL): A query language that requests, updates, and manages
databases. Developed by IBM; compatible with XML and HTML.
• Remote Procedure Call (RPC): The basis for client/server communications. Calls are
created on the client and then carried out on the server.
• AppleTalk Session Protocol (ASP): Like RPC, but used for AppleTalk client and server
services.
• X Window: Communicates with remote Unix machines and enables the user to operate the
device as if attached locally.
• Digital Network Architecture Session Control Protocol (DNA SCP): Proprietary Digital
Equipment Corporation Networking (DECnet) protocol, also known as DECnet session.

The Transport layer is responsible for end-to-end connections and data delivery between
two hosts. Its main function is to segment and reassemble data so that it travels across the
network transparently for the upper layers. Other functions include 1) fault detection, 2) error
recovery, and 3) establishing, maintaining, and disconnecting virtual circuits.

TCP, UDP, and SPX (connection-oriented) operate in this layer. This layer provides
reliable data transmission through:
• Acknowledgments—Delivered segments are acknowledged to the sender using
acknowledgment packets. If they are not acknowledged, the sender retransmits.
• Sequencing numbers are assigned to data segments so they can be placed in the right order.
• Flow Control—Provides buffer controls that prevent packet flooding at the destination
host. Buffers store bursts of data for processing when the transmission is complete.

The Network layer is where the packet path, called the route, is determined. Routers and Layer 3
switches operate at this layer, along with IP, IPX, and AppleTalk DDP (Appleʼs
datagram delivery protocol). 2 types of packets are used at Layer 3:
• Data Packets contain data and are used to transport it across the internetwork;
supported by the IP and IPX protocols.
• Route Update Packets send updates to neighbor routers about a routerʼs routing entries;
supported by routing protocols such as RIP, EIGRP, and OSPF.

A router at the Network layer follows these steps:
1. Router checks the destination IP address of the incoming packet on its interface.
2. Packets destined for that router are processed, whereas packets destined for another
router must be looked up in the routing table.
3. The router determines an exit interface based on the routing table and sends the
packet to the interface for framing and forwarding. If there is no route in the routing
table, the packet is dropped by the router.
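The three steps above, as an added example that is not part of the study guide: a small Python model of a router with connected and static routes. The interface names, addresses and routes are constructed for the illustration; the longest-prefix-match rule used to resolve overlapping routes is the one real routers apply.

```python
"""Added example (not from the study guide): a minimal model of the three
Network-layer forwarding steps. Interfaces, routes and destination
addresses are constructed for the demonstration."""
import ipaddress


class Router:
    def __init__(self, interfaces, static_routes):
        # interfaces: {"Gi0/0": "192.168.1.1/24", ...}
        self.interfaces = {name: ipaddress.ip_interface(addr)
                           for name, addr in interfaces.items()}
        # The routing table holds (network, exit interface) pairs. Connected
        # networks come from the interfaces; static routes are added on top.
        self.table = [(iface.network, name) for name, iface in self.interfaces.items()]
        self.table += [(ipaddress.ip_network(net), exit_if) for net, exit_if in static_routes]

    def lookup(self, dst):
        """Longest-prefix match: the most specific matching route wins."""
        dst = ipaddress.ip_address(dst)
        matches = [(net, exit_if) for net, exit_if in self.table if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda entry: entry[0].prefixlen)[1]

    def handle(self, packet):
        """Return what the router does with a packet carrying a 'dst' field."""
        dst = ipaddress.ip_address(packet["dst"])
        # Step 1: inspect the destination address of the packet received on an interface.
        # Step 2: a packet addressed to one of the router's own interfaces is processed locally.
        if any(dst == iface.ip for iface in self.interfaces.values()):
            return ("process locally", None)
        # Step 3: otherwise consult the routing table; no matching route means the packet is dropped.
        exit_if = self.lookup(dst)
        if exit_if is None:
            return ("drop", None)
        return ("forward", exit_if)


def demo_router():
    """Constructed topology: one LAN interface and two serial links."""
    r = Router({"Gi0/0": "192.168.1.1/24", "Se0/0": "10.10.10.1/30", "Se0/1": "10.10.10.5/30"},
               [("10.0.0.0/8", "Se0/0"), ("10.20.0.0/16", "Se0/1")])
    destinations = ("192.168.1.1",    # the router's own address: processed locally
                    "192.168.1.50",   # connected network: forwarded out Gi0/0
                    "10.5.5.5",       # matches only 10.0.0.0/8: Se0/0
                    "10.20.3.4",      # /16 beats /8: Se0/1
                    "10.10.10.6",     # connected /30 beats /8: Se0/1
                    "172.16.0.9")     # no route at all: dropped
    return [r.handle({"dst": d}) for d in destinations]


if __name__ == "__main__":
    for decision in demo_router():
        print(decision)
```

The connected routes are derived from the interface addresses, so a destination in a directly attached subnet is forwarded even when no static route covers it; the last destination shows the drop case from step 3.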

The Data Link layer ensures reliable data transfer between the Network and Physical layers
using 2 domains:
• A Broadcast Domain is a group of nodes that can receive each otherʼs broadcast
messages and is segmented by routers. (MAC address: FFFF FFFF FFFF)
• A Collision (Multicast) Domain is a group of nodes that share the same media and is
segmented by switches. A collision occurs if two nodes attempt a simultaneous
transmission. Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is an
access method that sends a jam signal to notify the devices that there has been a
collision. The devices then halt transmission for a random back-off time.

The Data Link layer contains the MAC and LLC sub-layers, with MAC referring to the physical
MAC address on every network device. LLC, on the other hand, is responsible for
framing, error control, and flow control.
As data passes through the LLC sub-layer, a Source Service Access Point (SSAP) and a
Destination Service Access Point (DSAP) field, each 1 byte long, are added to the 802.3
frame (an Ethernet frame uses a Type field instead). These fields indicate which upper-layer
protocol sent and will receive the data. Devices used at the Data Link layer:
• Bridges connect two segments in a single network or two networks together. They
forward data in software.
• Switches are multi-port bridges that use Application Specific Integrated Circuit
(ASIC) hardware to forward frames. Each port of the switch has dedicated bandwidth.
Note: Although both devices create a separate collision domain for each connected
device, all the devices connected to either are part of the same broadcast domain.
Remember that broadcast domains are segmented at the Network layer by routers.

Layer 1 moves bits between nodes. Electrical, mechanical, procedural, and functional
requirements are defined at the Physical layer to assist with the activation,
maintenance, and deactivation of physical connectivity between devices. Layer 1 also
includes 1) the specification of voltage, wire speed, and cable pin-outs, 2) the capability to
receive and transmit a data signal, and 3) the identification of the interface used to set up
data terminal equipment (DTE) and data communication equipment (DCE). DCE is
typically found at the service provider. DTE services can be accessed with either a
modem or a channel service unit/data service unit (CSU/DSU).
All Cisco routers are DTE devices by default, but you can make them act as DCE in
a lab using the ʻclock rateʼ command. When you are connected to a CSU/DSU, the router is
also configured with the ʻclock rateʼ command, but it will be ignored.

Cisco routers have a default ʻbandwidthʼ of 1544; ISRs have a default bandwidth of
ʻ2000000ʼ.

TCP/IP model

The TCP/IP model was created by the Department of Defense (DoD) for data
communication in the event of a disaster. This model has Application, Transport, Internet,
and Network Access layers.
Application (Process/Application) layer is equivalent to the upper layers of OSI model.

The Transport, or Host-to-Host, layer includes TCP and UDP.

TCP fills in the ʻSequence Numberʼ, ʻAcknowledgement Numberʼ, and ʻWindowʼ fields to ensure
reliability, and implements Positive Acknowledgement and Retransmission (PAR):
• The source device begins a timer when a segment is sent and retransmits if the timer
runs out before an acknowledgment is received.
• The source device keeps track of segments that are sent and requires an
acknowledgment for each segment.
• The destination device acknowledges when a segment is received by sending a
packet to the source indicating the next sequence number it expects from the source.

Windowing is a method for traffic congestion control where a window is determined by
the receiving system to limit the number of data segments (bytes) that can be sent by
the source device without an acknowledgment from the recipient. Window sizes vary
and can change throughout the duration of a connection. Increasing a window size
enables more data segments to be transmitted to the recipient before acknowledgment.

When using TCP, a connection-oriented communication session is established using
call setup, or the three-way handshake, which involves:
1) A “connection agreement” segment (SYN packet) is sent to the recipient asking to
synchronize systems.
2) The second and third segments acknowledge the request for a 2-way connection and
determine the rules of engagement. Sequencing synchronization is requested of the
receiving device. This step is associated with the term SYN-ACK packet.
3) A final segment (ACK packet) is sent as an acknowledgment that the rules have
been accepted and a connection has been formed.
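The handshake, PAR and windowing described in the preceding paragraphs, as one added example that is not part of the study guide: a Python simulation in which two endpoint objects exchange segment objects instead of using real sockets. The initial sequence numbers, the payload, the segment size, the window and the set of "lost" segments are all constructed for the demonstration, and the loss model is deliberately simple (the sender stops its burst at the first lost segment and resends from there once the timer expires).

```python
"""Added example (not from the study guide): a simulation of the TCP
three-way handshake, Positive Acknowledgement and Retransmission (PAR)
and windowing. No sockets are involved; all values are constructed."""
from dataclasses import dataclass


@dataclass
class Segment:
    flags: str            # "SYN", "SYN-ACK", "ACK" or "DATA"
    seq: int
    ack: int = 0
    data: bytes = b""


class Endpoint:
    def __init__(self, isn):
        self.snd_nxt = isn    # next sequence number this side will send (starts at its ISN)
        self.rcv_nxt = 0      # next sequence number expected from the peer
        self.state = "CLOSED"


def three_way_handshake(client, server):
    """Exchange SYN, SYN-ACK and ACK; return the flags in the order they were sent."""
    # 1) SYN: the client asks the server to synchronise sequence numbers.
    syn = Segment("SYN", seq=client.snd_nxt)
    client.state = "SYN-SENT"
    # 2) SYN-ACK: the server acknowledges the client's ISN + 1 and sends its own ISN.
    server.rcv_nxt = syn.seq + 1
    synack = Segment("SYN-ACK", seq=server.snd_nxt, ack=server.rcv_nxt)
    server.state = "SYN-RECEIVED"
    # 3) ACK: the client acknowledges the server's ISN + 1; both sides are now ESTABLISHED.
    client.rcv_nxt = synack.seq + 1
    client.snd_nxt = synack.ack
    ack = Segment("ACK", seq=client.snd_nxt, ack=client.rcv_nxt)
    server.snd_nxt = ack.ack
    client.state = server.state = "ESTABLISHED"
    return [syn.flags, synack.flags, ack.flags]


def send_with_par(client, server, payload, mss, window, lose_once=()):
    """Deliver payload using PAR. Up to `window` segments are sent before an
    acknowledgment is required. The network drops the first copy of every
    sequence number in `lose_once`; the sender's timer for that segment then
    expires and it is resent. Returns (bytes received, retransmissions)."""
    if window < 1:
        raise ValueError("window must allow at least one outstanding segment")
    segments = [Segment("DATA", seq=client.snd_nxt + off, data=payload[off:off + mss])
                for off in range(0, len(payload), mss)]
    received = b""
    snd_una = 0                 # index of the oldest unacknowledged segment
    retransmissions = 0
    dropped = set()
    while snd_una < len(segments):
        delivered = 0
        for seg in segments[snd_una:snd_una + window]:
            if seg.seq in lose_once and seg.seq not in dropped:
                dropped.add(seg.seq)        # lost in transit: no ACK, so its timer will expire
                retransmissions += 1        # ...and the sender resends starting from this segment
                break                       # this simple model stops the burst at the loss
            received += seg.data            # in-order arrival: the receiver advances rcv_nxt
            server.rcv_nxt = seg.seq + len(seg.data)
            delivered += 1                  # the cumulative ACK now covers this segment
        snd_una += delivered
    client.snd_nxt = server.rcv_nxt
    return received, retransmissions


def demo_session():
    """Constructed session: ISNs 1000/5000, 50-byte payload, MSS 10, window 3, one loss."""
    client, server = Endpoint(isn=1000), Endpoint(isn=5000)
    flags = three_way_handshake(client, server)
    payload = b"0123456789" * 5
    received, resent = send_with_par(client, server, payload, mss=10, window=3, lose_once={1021})
    return flags, client.state, received == payload, resent, server.rcv_nxt


if __name__ == "__main__":
    print(demo_session())
```

With a window of 3 the first burst carries sequence numbers 1001, 1011 and 1021; the third is lost, so only the first two are acknowledged and the next burst restarts at 1021, which is the retransmission PAR requires. The receiver's `rcv_nxt` ends at 1051, the next byte after the 50-byte payload.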

Both TCP and UDP use port numbers to identify their application. Public applications
are assigned port numbers below 256. Numbers 256-1023 are allocated to companies.
Numbers above 1023 are dynamically assigned by an application. Access lists can use
port numbers to filter traffic; these are TCP ports: FTP (20, 21), Telnet (23),
SMTP (25), DNS (53), HTTP (80), POP3 (110), NNTP (119), HTTPS (443).

UDP is connectionless and its header has only ʻSource Portʼ, ʻDestination Portʼ,
ʻLengthʼ, and ʻChecksumʼ. Here are some of its port numbers:
DNS(53) DHCP(67, 68) TFTP(69) NTP(123) SNMP(161)

The Internet layer is where IP, ICMP, ARP (Layers 2 and 3), RARP, and Proxy ARP operate.
IP locates a device with logical or virtual addressing allocated by the Internet Assigned
Numbers Authority (IANA).
• ICMP is used by the ʻpingʼ and ʻtracerouteʼ utilities to send echo requests. The L3 protocol
doesnʼt have to be IP; you can check which are available with ʻping ?ʼ. To find a network
address other than its IP address, use ʻshow cdp entry * protocolʼ. Traceroute
can do the same.
• The Address Resolution Protocol (ARP) maps a known IP address to a MAC address.
To find a MAC address on the same subnet, send an ARP request in the broadcast
domain; if the device is present, it will reply with its MAC address. A Gratuitous ARP sends an
ARP broadcast looking for its own IP address so every host knows it is alive.
• The Reverse Address Resolution Protocol (RARP) maps a MAC address to an IP address.
• Proxy Address Resolution Protocol (Proxy ARP) can be used when device A is looking
for device B, assuming device B is on the same subnet as it is. In reality, device B is not
physically present on the subnet, but device C (usually a router) knows how to reach
device B. Thus, when the ARP request for device B is broadcast, device C answers and
replies with its own MAC address. Some Unix machines (especially Solaris) rely on Proxy
ARP instead of default gateways.
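ARP, gratuitous ARP and the Proxy ARP decision described above, as an added example that is not part of the study guide: a Python parser and builder for Ethernet/IPv4 ARP packets (the 28-byte RFC 826 layout) plus the rule a proxying router applies. The MAC addresses, IP addresses, local subnet and route list are constructed for the illustration; `proxy_arp_answer` is a simplified model of the router's behaviour, not Cisco IOS code.

```python
"""Added example (not from the study guide): parsing Ethernet/IPv4 ARP
packets, recognising a gratuitous ARP, and the decision a Proxy-ARP router
makes. Addresses and routes are constructed; the layout follows RFC 826."""
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
# hw type, proto type, hw len, proto len, op, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(packet):
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_str(smac), "sender_ip": str(ipaddress.IPv4Address(sip)),
            "target_mac": mac_str(tmac), "target_ip": str(ipaddress.IPv4Address(tip))}


def is_gratuitous(arp):
    """A gratuitous ARP announces the sender's own address: sender IP == target IP."""
    return arp["sender_ip"] == arp["target_ip"]


def proxy_arp_answer(router_mac, local_net, routes, arp):
    """A router answers an ARP request with its own MAC only when the target
    is off the local subnet but reachable through one of its routes. Returns
    the reply packet, or None when the router stays silent."""
    if arp["op"] != ARP_REQUEST:
        return None
    target = ipaddress.IPv4Address(arp["target_ip"])
    if target in local_net:                          # the real owner is on this segment
        return None
    if not any(target in net for net in routes):     # no route, no proxy reply
        return None
    return build_arp(ARP_REPLY, router_mac, arp["target_ip"], arp["sender_mac"], arp["sender_ip"])


def demo_proxy_arp():
    """Constructed scenario: host A on 192.168.1.0/24 asks for 10.0.0.5, which the router can reach."""
    local_net = ipaddress.ip_network("192.168.1.0/24")
    routes = [ipaddress.ip_network("10.0.0.0/8")]
    router_mac = "00:00:0c:aa:bb:cc"
    host_a = "00:1b:44:11:3a:b7"
    unknown = "00:00:00:00:00:00"
    # Host A believes 10.0.0.5 is a neighbour and broadcasts a request for it: the router proxies.
    request = build_arp(ARP_REQUEST, host_a, "192.168.1.10", unknown, "10.0.0.5")
    reply = proxy_arp_answer(router_mac, local_net, routes, parse_arp(request))
    # The same host asking for a local neighbour gets no proxy reply.
    local_request = build_arp(ARP_REQUEST, host_a, "192.168.1.10", unknown, "192.168.1.20")
    silent = proxy_arp_answer(router_mac, local_net, routes, parse_arp(local_request))
    # Gratuitous ARP: host A announcing its own address.
    announce = parse_arp(build_arp(ARP_REQUEST, host_a, "192.168.1.10", unknown, "192.168.1.10"))
    return parse_arp(reply), silent, is_gratuitous(announce)


if __name__ == "__main__":
    print(demo_proxy_arp())
```

The reply the router generates carries its own MAC as the sender hardware address but the off-subnet target's IP as the sender protocol address, which is exactly why host A ends up sending frames for device B to the router. From a monitoring standpoint the `is_gratuitous` check is also the first step of spotting a host announcing an address that belongs to someone else.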

Network Interface layer manages hardware addressing and physical data transfer.

Cisco 3-layer hierarchical model

This model is most effective when you plan to implement a small- to moderate-sized
network, which is sub-grouped into access, distribution, and core layer.

Access, or desktop layer, is where end users and Layer 2 switches are located. Virtual
LAN (VLAN) workgroups are defined by virtual access lists or filter lists to allow for a
continuation of the policies implemented at the Distribution layer. Users may access
locally available resources at this level or they may be directed to the Distribution layer
to access remotely available resources.

The Distribution, or workgroup, layer implements various policies to provide network
management and security. This layer 1) determines the best path for a
packet (routing), 2) routes between VLANs, 3) filters using NAT, QoS, filtering, etc., 4)
provides WAN access, 5) defines broadcast and multicast domains, and 6) translates between
different types of media.
Policies implemented in this layer should not occur at the Core layer.

The Core layer is the foundation of the network; Cisco Catalyst 6500 or 7000 series devices operate
here. This layer is concerned with speed and ensures reliable delivery of packets.

Cisco also has the Enterprise Composite Network Model (ECNM) for larger-scale network
implementations.

Chapter 2. Physical Layer Networking Concepts

Topology can be defined as either the physical or logical layout of a network. Physical
topology consists of the cables, workstations, and other peripheral devices. A logical
topology refers to how the network actually communicates.

Bus, or linear bus, network topology refers to the design in which network devices are
connected to one single cable, called the trunk or backbone, using T-connectors. Electrical
signals are sent from one end of the cable to the other, and all connected devices
receive that electrical signal transmission (data is not secure). Both ends of the cable
require a terminator to stop the electrical signal from echoing back down the cable.
This topology is easy to implement and generally low in cost. However, it does
not have any redundancy, meaning a cable break causes the entire network to go down.

A ring network topology is set up so that one device is directly connected to two other
devices on the same network. When a device emits a data signal transmission, the
transmission is sent in a single direction to the next connected device. Dual ring may be
implemented to provide redundancy.

Star network topology is the most popular today; in it, all network devices are
connected to a central device. If the central device is a hub, a logical bus is
created; this logical topology is also known as hub-and-spoke.

Mesh, or partial mesh network topology is designed to provide redundancy; itʼs usually
more expensive than other topologies.

Network Media

Crosstalk is an electrical or magnetic field originating from one communications signal
that can affect the signal in a nearby circuit. There are Near-End crosstalk (NEXT) and
Far-End crosstalk (FEXT). NEXT is crosstalk measured at the transmitting end of a
cable. FEXT is crosstalk measured at the far end of the cable from where the
transmission was sent.
Note: when talking about network speed, bandwidth refers to the speed of an analog
communication, while in a digital environment itʼs the data rate. When talking about bandwidth
along with throughput, bandwidth refers to the ideal rate at which data can transfer, while
throughput is the actual rate at which data travels.
If each signal event represents exactly one bit, then baud rate = data rate. However, if
not, data rate = bits per signal event × baud rate.

Coaxial cable consists of a single copper wire surrounded by a plastic insulation cover
and a braided copper shield. There are:
Thin coax, or thinnet: < 185 m, .25 inches in diameter, BNC connectors, 10Base2;
Thick coax, or thicknet: < 500 m, AUI adapters, vampire taps, 10Base5.

Twisted pair cabling include UTP and STP, where STP has an additional shield.

UTP: < 100 m, susceptible to EMI and crosstalk, 8 wires twisted into 4 pairs, RJ-45. There are:
★ CAT 1 is used for telephony purposes
★ CAT 2 can handle data up to 4 Mbps
★ CAT 3 has a bandwidth of 10 Mbps
★ CAT 4 speeds up to 16 Mbps, designed for use with Token Ring
★ CAT 5 speeds up to 100 Mbps, the most popular choice today
★ CAT 5e has a bandwidth of 1 Gbps for Gigabit Ethernet networks
★ CAT 6 has speeds exceeding 1 Gbps
A pinout describes the purpose of each pin in a connector.
A straight-through cable uses 4 wires, located on pins 1, 2, 3, and 6.
A crossover cable also uses these 4 wires located on pins 1, 2, 3, and 6, but pins 1 and 3 are
exchanged, as are pins 2 and 6. This cable is used to connect like devices.
A rollover, rolled, or console cable uses 8 wires to connect a hostʼs serial
communications (COM) port to the console port of a router. This cable is usually coated light blue.

Fiber optics, or optical cabling, can be either multimode (MM) or single-mode (SM) and
uses SC, ST, or MT-RJ connectors; fibers can be made of plastic or glass.
★ Multimode (MM) is generally used for shorter distances and is ideal for a campus-
sized network. MM also has a larger optical fiber diameter than SM fiber.
★ Single-mode (SM) is used to span longer distances. SM also allows for a higher data
rate than MM and faster data transmission speeds.

Wireless LANs are networks that use Radio Frequency (RF) to transfer data; these include
Wireless Fidelity (Wi-Fi), Infrared, and Bluetooth. Spread Spectrum WLANs determine
how data traverses RF media. There are 2 types of spread spectrum: Direct Sequence
Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS).

Standard   RF range   Speed       Transmission range
802.11a    5 GHz      < 54 Mbps   Lower than g
802.11b    2.4 GHz    < 11 Mbps   Greater than a and g
802.11g    2.4 GHz    < 54 Mbps   Lower than b

Infrared is used in short-distance applications and transmits at less than 16 Mbps; it is
easily refracted or reflected.
Bluetooth, on the other hand, uses the 2.4 GHz range at 720 Kbps/channel with a 10 m
distance range. It has 2 power levels for different distance needs.

Physical layer devices

Repeaters are transceivers that amplify a message when they receive one; they are outdated.
A hub can be defined as a multiple-port repeater. A hub consists of 2 to 24 ports and
may be called a workgroup hub. There are active and passive hubs. Active hubs have a
separate power supply to assist with the gain (increase) of a signal before it is forwarded
out all connected ports. A power signal increased by a factor of 10 would indicate a gain
of 10. Passive hubs do not regenerate the incoming signal.

A switch creates a separate collision domain for each network segment, therefore
increasing the number of collision domains.

Network Interface Card(NIC) provides connectivity and status of the network.

Chapter 3. Data Link Networking Concepts

Token Ring technology is defined in IEEE 802.5; it uses a token-passing media
access method to create a logical ring topology over a physical star or ring. With token
passing, a three-byte token (or special bit pattern) is inserted in a frame and passed in a
single direction from one node to another until it forms a complete loop. The node that
has possession of the token is the only one that can send data at any given time on that
LAN. Because only one node can send data at a time, collisions are avoided. Token
Ring can run at 4 or 16 Mbps, has high overhead, and is more expensive than Ethernet.

The MAU has Ring In (RI) and Ring Out (RO) ports. The RO of the first MAU is
connected to the RI of the next MAU. This continues until the final MAU, which connects
back to the first MAUʼs RI port via its own RO port.

FDDI implements token ring technology on a dual ring. This protocol was created by the
American National Standards Institute (ANSI) under the ANSI X3T9.5 specification. This
protocol uses fiber optic cables and runs at 100 Mbps. It is currently used as a backbone.
Failures are detected by beaconing, in which each device signals every device it can
reach. As the beacon travels around the loop, if beaconing stops at some point for an extended
period of time, this indicates a break in the network.

Copper Distributed Data Interface (CDDI) is a 100 Mbps token-passing protocol that
runs over copper wire rather than fiber-optic cable.

Ethernet

Ethernet is the most popular networking technology in todayʼs world. It was started in the 1970s
by Xerox, Digital Equipment Corp (DEC), and Intel, and was called DIX Ethernet. It is
defined in IEEE 802.3 and further divided into Fast Ethernet (100 Mbps), Gigabit
Ethernet (1000 Mbps/1 Gbps), 10 Gigabit Ethernet (10 Gbps), and Long Reach Ethernet.

Ethernet directs data to devices based on their MAC addresses. All addressing used in an
Ethernet LAN is either individual (unicast) or group (multicast and broadcast) addresses.
Individual addresses identify the MAC address of an individual LAN or NIC card.
Group addresses can be:
✴ Multicast addresses, which always begin with 0100.5E in the MAC address
✴ Broadcast packets, which are sent to all devices on the segment of the LAN and have the
address value FFFF.FFFF.FFFF

Framing is the process of interpreting data that is either received or sent out across the
network. A frame can be broken down into 3 sections:
✴ The Data Link header portion of the frame contains the destination MAC address (6
bytes), source MAC address (6 bytes), and data length (2 bytes).
✴ The Logical Link Control portion of the frame contains the Destination Service Access
Point (DSAP), Source Service Access Point (SSAP), and control information. All three
are 1 byte long. The Service Access Point (SAP) identifies an upper-layer protocol. As
more and more protocols became available, the identifier needed more space, which is
located in the Subnetwork Access Protocol (SNAP) header.
✴ The data field can be anywhere from 43 to 1497 bytes long. The Data Link trailer, also
known as the data and cyclical redundancy check (CRC) portion, contains the FCS (frame
check sequence, 4 bytes) and CRC to provide error detection.
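The frame layout and the address types described above, as an added example that is not part of the study guide: a Python parser that tells an Ethernet II frame (Type field) from an 802.3 frame (Length field followed by the LLC DSAP/SSAP/Control bytes and, when both SAPs are 0xAA, a SNAP header), classifies the destination address as unicast, multicast or broadcast, and verifies the trailing FCS. The two frames are constructed in the code; the FCS is computed with the standard CRC-32 (the same polynomial `zlib.crc32` implements), transmitted least-significant byte first.

```python
"""Added example (not from the study guide): parsing Ethernet II and
802.3/LLC/SNAP frames, classifying the destination MAC and checking the
FCS. The frames below are constructed for the demonstration."""
import struct
import zlib

BROADCAST = b"\xff" * 6
MIN_FRAME = 64            # bytes, including the 4-byte FCS


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def address_kind(dst):
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                           # I/G bit set: a group address
        return "ipv4-multicast" if dst[:3] == b"\x01\x00\x5e" else "multicast"
    return "unicast"


def fcs(body):
    """CRC-32 over header + data, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, type_or_len, rest):
    """Assemble header + rest, pad to the 60-byte minimum, append the FCS."""
    body = dst + src + struct.pack("!H", type_or_len) + rest
    body = body.ljust(MIN_FRAME - 4, b"\x00")
    return body + fcs(body)


def parse_frame(frame):
    if len(frame) < MIN_FRAME:
        raise ValueError("runt frame")
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("FCS mismatch: frame damaged in transit")
    dst, src, type_or_len = struct.unpack("!6s6sH", body[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src), "dst_kind": address_kind(dst)}
    if type_or_len >= 0x0600:                   # values >= 1536 are Ethernet II Type codes
        info.update(encap="Ethernet II", ethertype=type_or_len, payload=body[14:])
        return info
    # 802.3: the field is a length covering the LLC header and the data after it
    dsap, ssap, control = body[14], body[15], body[16]
    payload = body[17:14 + type_or_len]
    info.update(encap="802.3/LLC", length=type_or_len, dsap=dsap, ssap=ssap, control=control)
    if dsap == ssap == 0xAA:                    # SNAP: 3-byte OUI + 2-byte protocol id
        info.update(encap="802.3/LLC/SNAP", oui=payload[:3].hex(),
                    ethertype=struct.unpack("!H", payload[3:5])[0])
        payload = payload[5:]
    info["payload"] = payload
    return info


def demo_frames():
    """Constructed frames: an ARP broadcast, a SNAP-encapsulated IPv4 multicast, a damaged copy."""
    src = bytes.fromhex("001b44113ab7")
    eth2 = build_frame(BROADCAST, src, 0x0806, b"\x00" * 28)             # Ethernet II, Type 0x0806
    snap = b"\xaa\xaa\x03" + b"\x00\x00\x00" + struct.pack("!H", 0x0800) + b"hello"
    dot3 = build_frame(bytes.fromhex("01005e0000fb"), src, len(snap), snap)  # 802.3, Length field
    damaged = bytearray(eth2)
    damaged[20] ^= 0xFF                          # flip payload bits: the FCS no longer matches
    try:
        parse_frame(bytes(damaged))
        fcs_caught = False
    except ValueError:
        fcs_caught = True
    return parse_frame(eth2), parse_frame(dot3), fcs_caught


if __name__ == "__main__":
    for item in demo_frames():
        print(item)
```

The 0x0600 threshold is what lets one parser handle both formats: a Length field can never exceed 1500, so any larger value in the same two bytes is a Type code. Note that the 802.3 Length covers the LLC bytes as well as the data, so the SNAP protocol id is read from inside that span.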

10Base2 is connected with RG-58 coaxial cable using BNC connectors. It uses no
connectivity devices; other 10Base standards using a hub must have CSMA/CD
enabled. 10Base5 also uses coaxial cable and no connectivity devices.

10BaseT has a length of 100 m and is used with CAT 3, 4, or 5 UTP or STP cables.

10BaseFL uses fiber optic (with SC or ST connectors) and has a maximum length of 2 km.

Fast Ethernet, or 100Base-X, is defined in 802.3u, and includes:
✴ 100BaseTX is used with CAT 5 UTP or STP at 100 meters.
✴ 100BaseT4 can use CAT 3, 4, or 5 UTP or STP cable at a maximum distance of 100 m.
✴ 100BaseFX is used for fiber optic media with SC or ST connectors, with distances ranging
from 412 m to 10,000 m.

Gigabit Ethernet refers to the combination of standards in IEEE 802.3ab and 802.3z.
802.3ab refers to 1000Base-T and 1000Base-TX, which use UTP above CAT 5, at a
maximum distance of 75 m.
802.3z refers to Gigabit standards not using UTP; these include:
✴ 1000Base-CX uses STP with a 9-pin shielded connector and a 25 m range.
✴ 1000Base-LX transmits using a long-wavelength laser, used with both SM and MM (both
50 and 62.5 micron can be used). Half-duplex has a range of 316 m and full-duplex
a range of 5 km.
✴ 1000Base-SX transmits using a short-wavelength laser, used only with MM, both 50
and 62.5 micron diameter. [(Half-duplex, 62.5-micron, 275 m), (Half-duplex, 50-micron,
316 m), (Full-duplex, 62.5-micron, 275 m), (Full-duplex, 50-micron, 550 m)].

802.3ae, or 10 Gigabit Ethernet (10GbE), uses fiber-optic cable to reach the staggering
speed of 10,000 Mbps.

Cisco Long Reach Ethernet (LRE) was developed to provide broadband service over
existing telephone-grade or Category 1, 2, or 3 wiring. Speeds vary between 5 and 15
Mbps and can reach a maximum segment length of up to 5000 m.

Data Link Layer Devices

Devices at this layer logically segment the network and create new collision domains,
which are groups of nodes that share the same media and are segmented by switches
or bridges. Switches and bridges:
✴ Learn all the MAC addresses in their segment, that is, the MAC addresses of the source devices
that send the packets
✴ Eliminate loops caused by redundant connections using STP

Transparent bridges are not known to other network devices. If the frameʼs destination
MAC address is on a different segment of that LAN, the device forwards the frame to
that segment. If the frameʼs destination MAC address is on the same segment as the
source MAC address, the device filters the frame. That frame reaches its destination
without the assistance of a bridge or switch.

Layer 2 switches are multi-port bridges. Switches use ASIC hardware chips to
forward frames. Also, each port of the switch has dedicated bandwidth. A popular
Ethernet switch port is the 10/100 Ethernet port, where you can set the port to pass
traffic at 10 Mbps or 100 Mbps.

Hubs are set to half-duplex by default and have a higher overhead than Layer 2 devices.
Collisions on half-duplex links may consume as much as 50-60% of the bandwidth. Full-duplex
is available with dedicated switch port connections to a single device. If a switch port
connection is configured for full-duplex, the CSMA/CD algorithm must be disabled. An
Ethernet connection set for full-duplex allows for 100% transmission speeds in both
directions.

Microsegmentation occurs when a switch creates a dedicated path for sending and
receiving transmissions with each connected host. Each host then has a separate
collision domain and dedicated bandwidth.
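The domain rules stated in Chapter 1 (bridges and switches separate collision domains but share one broadcast domain; routers separate broadcast domains) and restated here for hubs, switches and microsegmentation, as one added example that is not part of the study guide: a Python function that counts both kinds of domain in a small topology. The device names and cabling are invented for the illustration; each cable is treated as a medium that starts as its own domain, and the device types decide which domains merge.

```python
"""Added example (not from the study guide): counting collision and
broadcast domains in a constructed topology using the Layer 1/2/3 rules
for hubs and repeaters, bridges and switches, and routers."""


class DisjointSet:
    """Union-find over the cables; each component is one domain."""

    def __init__(self, items):
        self.parent = {item: item for item in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]    # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

    def components(self):
        return len({self.find(item) for item in self.parent})


def count_domains(devices, links):
    """devices: {name: kind}; links: list of (device, device) cables.
    Every cable starts as its own collision domain and broadcast domain.
    A hub or repeater joins the domains on all its ports (both kinds).
    A switch or bridge keeps collision domains apart but joins broadcast domains.
    A router keeps both apart, as does a host."""
    collision, broadcast = DisjointSet(links), DisjointSet(links)
    for name, kind in devices.items():
        ports = [link for link in links if name in link]
        for link in ports[1:]:
            if kind in ("hub", "repeater"):
                collision.union(ports[0], link)
                broadcast.union(ports[0], link)
            elif kind in ("switch", "bridge"):
                broadcast.union(ports[0], link)
    return collision.components(), broadcast.components()


def demo_topology():
    """Constructed topology: R1 joins two switches; SW1 also feeds a hub with two hosts."""
    devices = {"R1": "router", "SW1": "switch", "SW2": "switch", "HUB1": "hub",
               "H1": "host", "H2": "host", "H3": "host", "H4": "host", "H5": "host"}
    links = [("R1", "SW1"), ("SW1", "H1"), ("SW1", "H2"), ("SW1", "HUB1"),
             ("HUB1", "H3"), ("HUB1", "H4"), ("R1", "SW2"), ("SW2", "H5")]
    return count_domains(devices, links)


if __name__ == "__main__":
    collisions, broadcasts = demo_topology()
    print(f"collision domains: {collisions}, broadcast domains: {broadcasts}")
```

Eight cables give eight collision domains before the hub merges its three into one, leaving six; the router is the only device that refuses to merge broadcast domains, so the count there equals the number of router ports in use, two. Swapping SW1 for a hub in the same topology drops the collision-domain count to three while the broadcast count stays at two, which is the contrast between Layer 1 and Layer 2 devices that the text draws.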

Chapter 4. General Network Security

Network attacks

In todayʼs networks, attacks are everywhere. There are generally 3 classes of attacks: 1)
access attacks, 2) reconnaissance attacks, and 3) Denial of Service (DoS) attacks.

Access attacks are attempts to access another user account or network device through
improper means or to bypass the authentication process; there are: 1) password attacks,
2) trust exploitation, 3) port redirection, and 4) man-in-the-middle attacks.

An alternative to using passwords is Terminal Access Controller Access Control System
(TACACS) or Remote Authentication Dial-In User Service (RADIUS).

Trust exploitation can occur through 1) reliance on the trust a client has in a server, or 2)
reliance on the trust the server has in the client. Based on these trust relationships, if the
client or server is compromised, all information in the network is compromised as well.

Port redirection is a form of trust exploitation in which the untrustworthy source uses a
machine with access to the internal network to pass traffic through a port on the firewall
or access control list (ACL). The port in question normally denies traffic, but with
redirection, an attacker can bypass security measures and open a tunnel for communication.

A man-in-the-middle attack happens when the attacker places him/herself between the 2
communicating hosts and intercepts the messages during the session. The attacker can
also reformat the data to do further damage.

Reconnaissance attacks are used to gather network information for a future attack.
There are 1) packet sniffers (also known as network monitors), 2) ping sweeps, 3) port
scanners, and 4) information queries.

Packet sniffer, network analyzer, packet analyzer, and Ethernet sniffer are all names for a
software program (or a piece of hardware with software installed on it) that captures
traffic sent over the network, which is then decoded and analyzed by the sniffer.
Monitoring software, such as Wireshark, can be installed to prevent this.

Ping sweeps send an echo request to numerous host IP addresses at the same time
to see which hosts respond with an echo reply.

A port scanner is a software program that surveys a host or network for open ports. The
program can be used by an administrator or a hacker, depending on their purpose.

Information queries can be done with utilities like ʻnslookupʼ, which sends requests via
the Internet to resolve hostnames from IP addresses or vice versa.

DoS attacks are launched to deny services that are normally available to clients; there are
1) distributed DoS (DDoS) attacks, 2) TCP SYN attacks, and 3) smurf attacks.

A DDoS attack is performed by compromising client systems to send a DoS attack to the
target; these systems are known as zombies or slaves.

TCP SYN attacks are performed by flooding a device with SYN requests from a
nonexistent address until the system fills up and stops responding. TCP Intercept can be
configured on a router to block a TCP SYN attack. This enables the router to terminate
any sessions that have not been established within an allotted time frame.

With a smurf attack, multiple broadcast ping requests are sent to a single target from a
spoofed IP address. Adding the ʻno ip directed-broadcastʼ command to a router might
help mitigate a potential smurf attack.
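Two of the attacks described in this chapter, the ping sweep and the TCP SYN flood, leave recognisable traces in flow logs, and the detection side is what a network operator actually has to build. As an added example that is not part of the study guide, the Python below generates a small constructed log (not a real capture) and runs two detectors over it: one flags a source that sends echo requests to many distinct hosts inside a short window, the other flags a service that accumulates many half-open connections (SYNs never followed by the client's ACK, which is exactly what TCP Intercept times out). The log format, thresholds and window sizes are assumptions chosen for the illustration.

```python
"""Added example (not from the study guide): detection logic for ping
sweeps and TCP SYN floods over constructed flow records of the form
'<timestamp> <src> <dst[:port]> <proto> <info>'."""
from collections import defaultdict


def make_sample_log():
    """Constructed records, not from any real capture."""
    lines = []
    # a ping sweep: one source probing eight neighbouring hosts within two seconds
    for i in range(1, 9):
        lines.append(f"{100 + i * 0.2:.1f} 10.1.1.5 192.168.1.{i} icmp echo-request")
    # an ordinary reachability check: one host pinging its gateway once
    lines.append("103.0 10.1.1.7 192.168.1.1 icmp echo-request")
    # a SYN flood: 30 SYNs to one service from addresses that never finish the handshake
    for i in range(30):
        lines.append(f"{200 + i * 0.1:.1f} 172.16.{i % 7}.{10 + i} 192.168.1.10:80 tcp S")
    # a legitimate client: SYN followed by the final ACK of the three-way handshake
    lines.append("201.0 10.1.1.20 192.168.1.10:80 tcp S")
    lines.append("201.1 10.1.1.20 192.168.1.10:80 tcp A")
    return "\n".join(lines)


def parse_log(text):
    for line in text.splitlines():
        ts, src, dst, proto, info = line.split()
        yield {"ts": float(ts), "src": src, "dst": dst, "proto": proto, "info": info}


def detect_ping_sweeps(records, min_hosts=5, window=10.0):
    """A sweep shows up as one source sending echo requests to many distinct
    hosts within `window` seconds. Returns {src: most hosts probed in one window}."""
    probes = defaultdict(list)
    for r in records:
        if r["proto"] == "icmp" and r["info"] == "echo-request":
            probes[r["src"]].append((r["ts"], r["dst"]))
    findings = {}
    for src, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings[src] = max(findings.get(src, 0), len(hosts))
    return findings


def detect_syn_floods(records, min_half_open=20, window=5.0):
    """A flood shows up as many half-open connections (SYN with no later ACK
    from the same client) to one service within `window` seconds.
    Returns {service: most half-open connections in one window}."""
    syns = defaultdict(list)        # service -> [(ts, src)]
    completed = set()               # (src, service) pairs whose handshake finished
    for r in records:
        if r["proto"] != "tcp":
            continue
        if r["info"] == "S":
            syns[r["dst"]].append((r["ts"], r["src"]))
        elif r["info"] == "A":
            completed.add((r["src"], r["dst"]))
    findings = {}
    for service, events in syns.items():
        half_open = sorted((t, s) for t, s in events if (s, service) not in completed)
        for i, (t0, _) in enumerate(half_open):
            count = sum(1 for t, _ in half_open[i:] if t - t0 <= window)
            if count >= min_half_open:
                findings[service] = max(findings.get(service, 0), count)
    return findings


def run_detectors():
    records = list(parse_log(make_sample_log()))
    return detect_ping_sweeps(records), detect_syn_floods(records)


if __name__ == "__main__":
    sweeps, floods = run_detectors()
    print("ping sweeps:", sweeps)
    print("SYN floods:", floods)
```

The legitimate client is excluded from the flood count because its SYN is paired with a later ACK, and the single gateway ping never reaches the sweep threshold; both thresholds should be tuned to the size and normal chatter of the network being watched.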

Solutions and preventions

AAA, or triple A, is a group of 3 services that are used to increase network security.
✤ Authentication: Identifies a user by login and password.
✤ Authorization: Determines what a user is allowed to do.
✤ Accounting: Assembles and sends usage information (such as logging).
Note: AAA works in conjunction with TACACS or RADIUS to log network activities.

Access Control List(ACL) is a list of allow and deny addresses that can block these
attacks: IP spoofing, TCP SYN attacks, smurf attacks, ICMP and traceroute.

Protocols such as SSH, SNMP, Syslog, and NTP can be used to provide further
security. SSH provides strong authentication and encryption (UDP port 22) to ensure
secure communications between an SSH client and an SSH server.
SNMP is a management protocol that monitors the network and collects statistics to
analyze network performance and ensure network security. It is best to use SNMP
version 3, which provides cryptographic authentication and management traffic
encryption. SNMP uses UDP port 161 for connectivity.
With syslog, log messages are collected from the Cisco device and sent to a
syslog server to keep a record of any network events. For syslog to work properly,
NTP must be configured. Each logged message has an associated severity level,
ranging from 0 to 7 (0 = emergency). Syslog uses UDP port 514 for connectivity.

Encryption protocols should be used to prevent easy access to sensitive data. These
protocols include SSH, IPsec (layer 3), and SSL (security for layer 7, which uses asymmetric
encryption and certificates to exchange a session key that then encrypts the data with a
block cipher).

Security systems such as firewalls, IPS and IDS can be implemented to lessen risks.

Chapter 5. IP At The Network Layer

The network layer:
1) determines the fastest path to send a packet based on its destination address.
2) handles ICMP, ARP and proxy ARP requests.

IPv4 and IPv6

IPv4 is the current version of IP addressing in use; it has a network ID of 0.0.0.0 and a
broadcast IP address of 255.255.255.255.
Class A has a first octet from 1-126, with 126 networks and 16,777,214 hosts.
Class B has a first octet from 128-191, with 16,382 networks and 65,534 hosts.
Class C has a first octet from 192-223, with 2,097,150 networks and 254 hosts.
Class E is for research purposes (240-255), and class D is for multicast (224-239).

When calculating the total number of class A, B, or C hosts available, you subtract 2
from the total because one address is used as the network ID and another as the broadcast IP.
The network, or subnet, ID is the IP address with all host bits turned off (0); it is used to
represent the network. The broadcast IP is the address to which a message is sent to reach
all devices on the network.

To conserve IP addresses, RFC 1918, NAT, and PAT are implemented. RFC 1918
defines private IP address space. PAT is usually used after the NAT pool is exhausted.

Variable-length subnet masking (VLSM) is subnetting within a subnet; it makes IP
addresses more manageable. The CIDR prefix (/8, /16, etc.) indicates the number of bits
used for the network and subnet portion of the address.
Binary     Dec.  Subnets  CIDR  Host-C   CIDR  Host-B    CIDR  Host-A
10000000   128   2        /25   128-2    /17   512-2     /9    131072-2
11000000   192   4        /26   64-2     /18   1024-2    /10   262144-2
11100000   224   8        /27   32-2     /19   2048-2    /11   524288-2
11110000   240   16       /28   16-2     /20   4096-2    /12   1048576-2
11111000   248   32       /29   8-2      /21   8192-2    /13   2097152-2
11111100   252   64       /30   4-2      /22   16384-2   /14   4194304-2
11111110   254   128      /31   2-2      /23   32768-2   /15   8388608-2


The subnet mask is not carried in a packet.
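As an added example (not from the exam-prep notes), the following Python computes the values in the table above from the prefix length alone and derives the network ID and broadcast address described in the text; note that counting from host bits gives 2^15-2 = 32766 hosts for /17 and 2^23-2 for /9, so the Host-B and Host-A columns above read in reverse order. Sample addresses are taken from the running-config later in these notes.

```python
# Added example (not part of the exam-prep notes): IPv4 subnet arithmetic done
# with explicit bit operations so every step behind the table above is visible.

def ip_to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/25 -> 255.255.255.128: the top `prefix` bits of 32 are set."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def address_class(addr: str) -> str:
    """Classful range of the first octet, as listed in the notes."""
    first = ip_to_int(addr) >> 24
    for cls, low, high in (("A", 1, 126), ("B", 128, 191), ("C", 192, 223),
                           ("D", 224, 239), ("E", 240, 255)):
        if low <= first <= high:
            return cls
    return "reserved"  # 0.x.x.x and the 127.x.x.x loopback block


CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def usable_hosts(prefix: int) -> int:
    """2^(host bits) minus the network ID and broadcast, exactly as the table does;
    a /31 therefore yields 0 here (the notes list it as 2-2)."""
    return max(2 ** (32 - prefix) - 2, 0)


def subnet_count(prefix: int, cls: str) -> int:
    """Subnets obtained by borrowing host bits from a classful network."""
    borrowed = prefix - CLASSFUL_PREFIX[cls]
    if borrowed < 0:
        raise ValueError(f"/{prefix} is shorter than the class {cls} mask")
    return 2 ** borrowed


def subnet_info(addr: str, prefix: int) -> dict:
    """Network ID = all host bits 0; broadcast = all host bits 1."""
    ip = ip_to_int(addr)
    mask = ip_to_int(prefix_to_mask(prefix))
    network = ip & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    cls = address_class(addr)
    classful = cls in CLASSFUL_PREFIX and prefix >= CLASSFUL_PREFIX[cls]
    return {
        "class": cls,
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "usable_hosts": usable_hosts(prefix),
        "subnets": subnet_count(prefix, cls) if classful else None,
    }


def overlaps(addr1: str, prefix1: int, addr2: str, prefix2: int) -> bool:
    """True when the two subnets share address space, the 'IP address overlap'
    that IOS rejects when both are configured on one router."""
    mask = ip_to_int(prefix_to_mask(min(prefix1, prefix2)))
    return (ip_to_int(addr1) & mask) == (ip_to_int(addr2) & mask)


if __name__ == "__main__":
    # Interface addresses taken from the sample configuration later in the notes.
    print(subnet_info("172.16.1.1", 16))
    print(subnet_info("192.168.1.1", 24))
    print(overlaps("172.16.1.1", 16, "172.16.2.1", 24))  # True: 172.16.2.0/24 lies inside the /16
```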

IPv6 has 3 types of addresses: unicast, multicast, and anycast. Anycast can be
described as one-to-closest communication. With anycast, you assign the same IP
address to multiple devices, so when a packet is destined for this IP address, the path
to the closest destination device is chosen.
There are also 4 address types: link-local, unique/site-local, global, and multicast.

Link-local addresses start with FE80. The local identifier is 64 bits long and consists of
the MAC address of the device with FFFE placed right in the middle. If the MAC address is
0017:C101:DCF6, the local identifier is 0017:C1FF:FE01:DCF6.

Unique/site-local addresses are defined in RFC 3513 and RFC 4193; they are private addresses.
The first 7 bits are 1111 110, so depending on the eighth bit, a private address can start
with FC or FD.

A global address has a global routing prefix (48 bits or less) whose first 3 bits are 001. The
subnet ID is made up of the remaining bits after the prefix. This type of address starts
with 2001 and has a CIDR prefix of /16. Remember that the interface ID, or local identifier,
makes up the last 64 bits of the address.

A multicast address has FF as its first 8 bits. The next 4 bits, the flag bits, each have their own
meaning, which can be remembered with the abbreviation 0RPT:
0 indicates an unassigned bit. R indicates whether a rendezvous point is embedded in the address.
P indicates whether the address is based on a unicast prefix.
T is 0 for a permanently assigned address or 1 if not.
The scope field indicates how far the multicast address will travel. This field is one of
the following seven hexadecimal digits:
1 = Interface, 2 = Link, 3 = Subnet, 4 = Admin,
5 = Site, 8 = Organization, E = Global
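As an added example (not from the notes), this Python derives a link-local interface ID from a MAC address and classifies an address by its leading bits, including the multicast flag and scope fields above; it also applies the RFC 4291 universal/local bit inversion, which the MAC example above omits (pass flip_ul_bit=False to reproduce the notes' result). The sample addresses are constructed.

```python
# Added example (not part of the exam-prep notes): build a link-local
# interface ID from a MAC address and classify an IPv6 address by its
# leading bits, covering the four address types and the multicast
# flag/scope fields described above. Sample addresses are constructed.

import ipaddress


def groups(b: bytes) -> str:
    """Format raw bytes as colon-separated 16-bit hex groups."""
    return ":".join(b[i:i + 2].hex() for i in range(0, len(b), 2))


def eui64_interface_id(mac: str, flip_ul_bit: bool = True) -> str:
    """Split the 48-bit MAC in half and insert FFFE. RFC 4291's modified
    EUI-64 also inverts the universal/local bit (0x02 of the first byte);
    the notes' worked example leaves that bit alone, so flip_ul_bit=False
    reproduces their 0017:C1FF:FE01:DCF6."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    b = bytearray.fromhex(digits)
    if flip_ul_bit:
        b[0] ^= 0x02
    return groups(b[:3] + b"\xff\xfe" + b[3:])


def link_local_from_mac(mac: str) -> str:
    """FE80::/64 prefix plus the modified EUI-64 interface ID."""
    return str(ipaddress.IPv6Address("fe80::" + eui64_interface_id(mac)))


# Scope digits listed in the notes (low nibble of the second byte).
MULTICAST_SCOPES = {0x1: "interface", 0x2: "link", 0x3: "subnet", 0x4: "admin",
                    0x5: "site", 0x8: "organization", 0xE: "global"}


def classify_ipv6(addr: str) -> dict:
    parsed = ipaddress.IPv6Address(addr)
    raw = parsed.packed
    first = raw[0]
    info = {"address": str(parsed)}
    if first == 0xFF:
        # FF, then 4 flag bits (0RPT), then 4 scope bits.
        flags, scope = raw[1] >> 4, raw[1] & 0x0F
        info.update(kind="multicast",
                    flags={"R": bool(flags & 0x4), "P": bool(flags & 0x2), "T": bool(flags & 0x1)},
                    scope=MULTICAST_SCOPES.get(scope, f"unassigned({scope:X})"))
    elif first == 0xFE and (raw[1] & 0xC0) == 0x80:
        # fe80::/10 link-local; the last 64 bits are the interface ID.
        info.update(kind="link-local", interface_id=groups(raw[8:]))
    elif (first & 0xFE) == 0xFC:
        # 1111 110x: unique local, FC when the eighth bit is 0, FD when it is 1.
        info.update(kind="unique-local", locally_assigned=bool(first & 0x01))
    elif (first >> 5) == 0b001:
        # 2000::/3 global unicast: 48-bit routing prefix, 16-bit subnet ID, 64-bit interface ID.
        info.update(kind="global", routing_prefix=groups(raw[:6]),
                    subnet_id=groups(raw[6:8]), interface_id=groups(raw[8:]))
    else:
        info.update(kind="other")
    return info


if __name__ == "__main__":
    print(link_local_from_mac("0017.C101.DCF6"))
    for a in ("ff02::1", "fd12:3456:789a::1", "2001:db8:1234:5678::1"):
        print(classify_ipv6(a))
```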

IPv6 works with DHCPv6, a stateful protocol. With a stateful protocol, a dedicated
server maintains a table of the information that was gathered. IPv6 also supports a
stateless protocol for auto-configuration. This means that a dedicated server is no
longer required.

IPv6 and IPv4 can integrate together with dual-stack, tunneling, or translation. Dual-
stack can support 1) IPv4-only when IPv6 is disabled, 2) IPv6-only when IPv4 is
disabled, or 3) IPv4 and IPv6 concurrently.
There is manual and automatic tunneling. Manual tunneling requires that the network
administrator configure a point-to-point tunnel by hand. Automatic tunneling uses a
different address type, such as 6to4, to set up a dynamic tunnel.

Another function that works with IPv6 is ICMPv6, used to perform ping and traceroute on IPv6.

Network layer devices

Both routers and Layer 3 switches operate at the network layer; they:
❖ Suppress broadcasts or multicasts
❖ Determine the best path for data transfer (routing)
❖ Strip down/add to Data Link layer frames (encapsulation/decapsulation)
❖ Implement access lists for packet filtering (permit/deny statements)
❖ Set up quality of service (QoS) qualifiers to measure network performance

Routers join 2 networks to create an internetwork or WAN by creating new broadcast
domains; a broadcast domain is a group of nodes that can receive one anotherʼs broadcast
messages. When a host on an internal segment of the network (connected to the
router) sends a packet to a remote segment, the router acts as the default gateway and
changes the source address to its own address. Routers maintain routing tables so they
know where to send the packets; the routing table contains:
❖ Network address
❖ Interface: exit interface used to forward packets
❖ Metric: distance to reach a remote network
Routers provide packet switching between networks and can provide packet filtering
based on a network address or an application layer port. Routers use:
❖ Route update packets, supported by routing protocols (such as RIP, EIGRP, and
OSPF), to update their routing tables.
❖ Data packets sent to different places, supported by routed protocols (IP and IPX).

Layer 3 switches also perform the functions listed above and differ from routers in that 1) they
process traffic faster than routers, 2) they use ASIC hardware instead of the microprocessors
used by routers, and 3) layer 3 switches are recommended for use in a Campus Area
Network (CAN). An example is the Cisco Catalyst 8500 series.

Chapter 6. Introduction to Cisco Routers and Switches

Communication lines connect physical devices using hardware interfaces and modules.
Interfaces provide a physical point of interaction between two networks; this includes
the cable, plug, socket, or signal that sync up together to communicate among devices.
Modules, on the other hand, are self-contained components that can be added to
devices for expansion purposes; a modular router is one such device. Fixed-port
routers, however, have no room for future modules.

LAN interfaces

Local area network (LAN) interfaces are used to provide a point of interconnection
between Cisco switches and other network devices. Cisco provides a wide selection of
switches that can be implemented on a LAN and offer end-user connectivity.

The Cisco 2950 series switches include the 2950-12, which offers 12 built-in Ethernet
ports, whereas the 2950-24 has 24 built-in Ethernet ports; some switches also offer
Gigabit Ethernet slots, which are located to the right of the other ports. The normal
Ethernet ports labeled 10/100 allow for either a 10 Mbps or 100 Mbps
connection speed and are connected using an RJ-45 connector. The ports are hot-swappable.
The back panel of the switch contains the power port and the console port, which is
connected to a terminal with a rollover cable for initial configuration.

The Gigabit Ethernet slots are available for Gigabit Interface Converters (GBICs). A
GBIC interface module can be inserted into the Gigabit Ethernet slot to allow for
different media connections to that port. The physical media can range from copper to
single-mode fiber.

The naming convention for the ports is simple: each interface begins with 0/#, where
# is the port number on the switch. The top-left port is 1, the bottom-left is 2, and so on.

WAN interfaces

WAN interfaces are used to provide communication between different networks; they
include: BRI, synchronous serial, asynchronous serial, High-Speed Serial Interface (HSSI),
and the T1 controller card.

BRI is an ISDN service that consists of two Bearer (B) channels running at 64 Kbps each
and one Delta (D) channel running at 16 Kbps. Voice, video, and data can be carried
over the B channels. A combination of signaling data is used on the D channel.
Cisco offers an 8-port ISDN-BRI with a built-in Network Termination Type 1 (NT-1)
Network Module that contains a BRI U interface. It does not need a separate NT-1
device.

A synchronous serial interface synchronizes the clocks for the bit stream at both the
sending and receiving ends of a serial link (adjusting the data rate). This way, both ends of a
serial link function at the same speed.
An asynchronous serial interface does not provide adjustment for the data rate. Cisco offers
a 4-port asynchronous/synchronous serial network module whose 4 ports can each be set as
synchronous or asynchronous.

High-speed serial interfaces offer up to 52 Mbps transmission rates to the WAN from
Ciscoʼs 2-port HSSI port adapter.

T1, also known as Digital Signal Level 1 (DS1), offers 1.544 Mbps of bandwidth that
consists of 24 digital signal level 0 (DS0) channels of 64 Kbps each and an
additional 8 Kbps reserved for management overhead. A T1 controller card can be
installed in a routerʼs T1 slot to communicate with and control the 24 DS0 channels.

Data Communications Equipment or Data Circuit-Terminating Equipment (DCE) is a
device that connects the Data Terminal Equipment (DTE) to a service providerʼs
communications line. The DCE side of a connection sets the clock speed for a serial
connection. The DCE may be:
❖ A modem that converts between the analog and digital signals of the phone and computer.
❖ A Channel Service Unit/Data Service Unit (CSU/DSU), which serves as the intermediary
between the service provider and the WAN router. In most cases, the CSU/DSU
provides the clock speed for the router. A CSU/DSU may be a separate unit or it could
be incorporated into a WAN interface card (WIC).
❖ A BRI NT-1, a separate piece of hardware that serves as the termination point for the communications line.

Data Terminal Equipment (DTE) is a device that connects to the service provider via the
DCE. DTE is Customer-Premises Equipment (CPE); it can be a router, PC, or server. If the
CSU/DSU functions as a WIC, you use a CAT 5 or 6 cable with two RJ-45 connectors. If the
CSU/DSU is not a WIC, a DB-60 connector is used on the router side while the CSU/DSU uses
EIA/TIA (232, 449, or 530), or V.35 and X.21 (developed by the ITU).

Note: In the US, the demarcation point is located between the ISP and the DCE, while in most
other countries the point is located between the DCE and the DTE.

Memory components

Read-only memory (ROM), also called EPROM, contains the Power On Self Test (POST),
ROM Monitor (ROMmon), bootstrap, and RXBOOT. ROM is non-volatile.

Flash is installed on either an electrically erasable programmable read-only memory
(EEPROM), SIMMs, or a Personal Computer Memory Card International Association
(PCMCIA) card. Flash memory contains the Cisco Internetworking Operating System
(IOS) image. Its data is retained when the device reloads.

RAM, also known as DRAM, contains the running IOS, the running-configuration, the routing table
and the ARP cache, all of which are erased when the device shuts down or reloads. Run-From-Flash
(RFF) routers execute the IOS image file from Flash without loading it into RAM.

Nonvolatile random-access memory (NVRAM) stores the startup configuration and the
configuration register. This is the configuration that is loaded when the machine is
booted.

Cisco Internetworking Operating System(IOS)

Cisco IOS is the operating system for Cisco devices. IOS is a package of routing,
switching, internetworking and telecommunications functions built into a multitasking
operating system that receives commands through a command line interface (CLI).

A feature set is a package of features offered in addition to the basic IOS
functions of an IOS software release. You can select more than one feature set per
release, which may be identified as standard, enhanced, or advanced. The name of an IOS
image file carries a lot of information; for instance, in c2600-ipbase-1.122-1.T.bin:
c2600 is the hardware platform (Cisco 2600 router), ipbase is the feature set, 1 is the file
format (compressed, relocatable), 122 is the IOS version number, 1 is the maintenance release
number, and T is the train identifier (T for Technology, S for Service Provider, E for Enterprise).

Cisco switches support PoE, originally called “inline power”, now defined by IEEE
802.3af.

Chapter 7. Foundation of Cisco IOS Operations

A router can be configured through the console port, auxiliary port, SSH, Telnet and
HTTP. Out-of-band refers to connecting to the device without IP connectivity, using an
interface dedicated to this purpose. In-band, on the other hand, refers to
connecting to a device over the same path and interface as the data stream; it requires IP
connectivity to the device.

The console port is an out-of-band port used to gain access to the IOS CLI through a
rollover cable, which has all the wires flipped over on the other end (1 - 8, 2 - 7, etc.).
The cable connects using two RJ-45 connectors (and a DB-9 adapter, in case your PC
has no spare port), or one DB-9 connector (for the COM port) at one end of the cable.
You must have 1) an ASCII terminal emulation (tty) program such as
HyperTerminal running, and 2) if connecting through the COM port, the COM configuration set to
9600 baud, 8 data bits, no parity bits, 1 stop bit, and no flow control.

The auxiliary port (AUX), like the console port, also provides session access using a rollover cable.
However, it has flow control capability, meaning you can connect an external modem to
this port and dial into the modem remotely to access an EXEC session.

Telnet is used to access an EXEC session in-band; in other words, you need IP
connectivity to the device you are connecting to. At least 5 Telnet EXEC sessions are
allowed on most devices. Some configuration is required.

HTTP and HTTPS use an in-band management method that has a
graphical interface. The HTTP EXEC session is made possible by an HTTP server
service that can run if configured on the Cisco device. For security purposes, some
Cisco routers do not have this functionality enabled by default.

SSH is a more secure way to connect remotely; its in-band session is encrypted to
prevent compromise of data. Some prior configuration is
required, and the terminal application must support SSH to connect with the device.

Router/Switch startup procedure

During POST, ROM performs a series of tests of the critical hardware components needed for
startup and basic operation. ROMs are hard-coded with their program (they do not require a
constant source of power). If a failure occurs, the result can range from a non-
functioning interface to complete device failure.

After POST, another ROM runs the bootstrap code, which reads the
configuration register (2 bytes) to locate the IOS image. This register can have
several values, among them:
✓ 0x2100: boot directly into ROM and load ROMmon.
✓ 0x2102-0x210F: the device boots normally and searches for the IOS image location in NVRAM.
The default value is 0x2102.
✓ In old devices, 0x2101 boots a mini IOS in ROM known as Rxboot (the prompt
looks like Router(boot)> or Switch(boot)>). This IOS can allow you to reach a TFTP
server and download a working IOS to the device.

You may want to change the configuration register in order:
✓ To force the system into ROM monitor mode
✓ To select a boot source and default boot filename
✓ To enable or disable the Break function
✓ To control broadcast addresses
✓ To set the console terminal baud rate
✓ To load operating software from ROM
✓ To enable booting from a Trivial File Transfer Protocol (TFTP) server

ROMmon, which stands for ROM monitor, is the state a device enters when a major failure
occurs. This mode enables you to perform elementary functions to manually get the
device back to a functioning state. You can copy a new IOS file to the Cisco device over
the console port or from a TFTP server. This utility is also used in password recovery.
ROMmon can be entered by sending a break sequence (Ctrl+Break in HyperTerminal)
in the terminal session during the first 60 seconds of bootup. Its prompt looks like
(rommon 1 >).
NOTE: when downloading an IOS image this way, it is better to increase the console speed;
otherwise it will take a very long time.

During bootstrap, the device decides where to boot from next. Normally (0x2102-0x210F),
the device looks for a “boot system” command in the startup-config in NVRAM. If this
command is not found, the device boots the first file found in Flash. If no file is found in
Flash, the device broadcasts on its connected segment, hoping to find a TFTP server with an
IOS image.

Once the IOS image has been loaded, configuration parameters must be applied. The
default location of the configuration file is startup-config in NVRAM. If it is not found, the device
looks for a startup-config on a TFTP server if there is one. Usually, a startup-config from TFTP
provides enough parameters for you to Telnet in and finish the rest of
the configuration. However, if neither is present, the device enters Setup Mode.
Setup Mode can also be entered with configuration register 0x2142; you can exit by
answering ʻnoʼ when asked to continue with Setup Mode or when asked to save the
configuration; you can also exit at any time with ʻCtrl+Cʼ.
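As an added example (not from the notes), the following Python decodes a configuration register value into the boot behaviour described above and flags values worth fixing, using the documented IOS bit layout (boot field in bits 0-3, ignore-NVRAM bit 0x0040, Break-disabled bit 0x0100, bit 0x2000 to fall back to ROM if a network boot fails).

```python
# Added example (not part of the exam-prep notes): decode a configuration
# register value into the boot behaviour described above. The bit layout
# used is the documented IOS one: bits 0-3 boot field, bit 6 ignore NVRAM,
# bit 8 Break disabled, bit 13 fall back to ROM if a network boot fails.

BOOT_FIELD_MASK = 0x000F
IGNORE_NVRAM = 0x0040          # 0x2142 is 0x2102 with this bit set
BREAK_DISABLED = 0x0100
ROM_IF_NETBOOT_FAILS = 0x2000
DEFAULT_REGISTER = 0x2102


def parse_config_register(text: str) -> int:
    """Accept '0x2102' or '2102' as hexadecimal; the register is 16 bits wide."""
    value = int(text, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"{text}: configuration register is a 16-bit value")
    return value


def decode_config_register(text: str) -> dict:
    reg = parse_config_register(text)
    boot = reg & BOOT_FIELD_MASK
    if boot == 0x0:
        boot_mode = "ROMmon (rommon 1 >)"
    elif boot == 0x1:
        boot_mode = "Rxboot mini-IOS in ROM (Router(boot)>)"
    else:
        boot_mode = "normal: boot system commands, then first file in Flash, then TFTP"
    return {
        "register": f"0x{reg:04X}",
        "boot_field": boot,
        "boot_mode": boot_mode,
        "ignore_nvram": bool(reg & IGNORE_NVRAM),
        "break_disabled": bool(reg & BREAK_DISABLED),
        "rom_if_netboot_fails": bool(reg & ROM_IF_NETBOOT_FAILS),
    }


def register_findings(text: str) -> list:
    """What a reviewer would flag in 'show version' output: a register left
    at 0x2142 after a password recovery makes the device boot without its
    startup-config (and therefore without its passwords) on every reload."""
    d = decode_config_register(text)
    findings = []
    if d["ignore_nvram"]:
        findings.append("startup-config ignored at boot (bit 0x0040 set); restore with confreg 0x2102")
    if d["boot_field"] == 0:
        findings.append("device stops in ROMmon on every reload (boot field 0)")
    if not d["break_disabled"]:
        findings.append("Break not disabled (bit 0x0100 clear); a console Break can drop the router to ROMmon")
    return findings


if __name__ == "__main__":
    for value in ("0x2102", "0x2142", "0x2100"):
        print(decode_config_register(value), register_findings(value))
```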

A Cisco router can become a TFTP server host for a router system image that runs in
flash memory. The global configuration command is tftp-server flash:ios_name.

EXEC sessions

User EXEC is for lower-level personnel to access the device with limited commands and
power, to perform functions such as troubleshooting and statistical display. You can find
the list of commands available by entering ʻ?ʼ at the device-name> prompt.

Privileged EXEC contains more commands to perform more functions; these
may include debugging, editing and other privileged operations (including “show
running-config” and “show startup-config”). To enter this mode, type ʻenableʼ, and the >
sign changes to #. To exit, type ʻdisableʼ.

When you type ʻconfigure terminalʼ in privileged mode, you enter global configuration
mode. This mode contains other modes such as interface, sub-interface, routing
protocol, and controller configuration. The command prompt looks like Router(config)# or Switch(config)#.
Remember that any command applied is immediately saved in the running-config.

From global configuration, you can configure interface-specific commands that apply
to only one interface. To do so, you must enter interface configuration mode by
specifying the interface you want to configure. If you have a fixed (non-modular) device,
you specify an interface with the “interface” command followed by the interface type and interface
number (remember that Cisco routers start their numbering scheme at 0). With a
modular device, the naming convention is different: the “interface” command is followed by the
interface type, then by module-number/interface-number.

Line configurations are specific to the EXEC lines through which a user can gain
access to the Cisco device. Specifically, you can configure options such as logins and
passwords for a user trying to gain User EXEC access to the console and auxiliary
ports, as well as the 5 vty (virtual teletype) Telnet lines into a router or switch. From
global configuration, you use the keyword “line” followed by the EXEC line
you want to configure (console or auxiliary followed by the line
number, starting from 0). The prompt changes to Router(config-line)#, regardless of the
line you are configuring.

Other than global configuration, you can change the startup-config using ʻ#configure
memoryʼ; this command merges the startup-config into the running-config. Likewise, ʻ#configure
networkʼ also merges a configuration, but it is used with a TFTP server where
you store your router configuration.

Some shortcuts in the Cisco CLI are:
At any level, you can list the available commands with ?, and find the commands starting
with l using l?. Once you have typed enough characters, you can press ʻtabʼ for the system
to autocomplete the command.
Key Sequence Description
Ctrl-A Moves the cursor to the beginning of the current line
Ctrl-R Redisplays a line
Ctrl-U Erases a line
Ctrl-W Erases a word
Ctrl-Z Ends configuration mode and returns to privileged EXEC mode
Tab Finishes a partial command
Backspace Removes one character to the left of the cursor
Ctrl-P or Up Arrow Allows you to scroll forward through former commands
Ctrl-N or Down Arrow Allows you to scroll backward through former commands
Ctrl-E Moves the cursor to the end of the current line
Ctrl-F or right arrow Moves forward one character
Ctrl-B or left arrow Moves back one character
Esc+B Moves back one word
Esc+F Moves forward one word
The “exit” command allows you to leave the current mode and go back to the previous mode,
while Ctrl+Z or “end” brings you back to Privileged EXEC regardless of the current mode.

Some common syntax errors:
✓ Ambiguous Command is displayed when several commands start with the same
characters; you must type more letters of the command for the IOS to recognize
your particular command.
✓ Incomplete Command is the keyword syntax error; you need to add more keywords to
tell the IOS what you want to do with this command.
✓ Invalid Input, also known as the “fat finger” error, is displayed when you mistype a
command. The IOS displays a caret mark (^) at the point up to which it could not
understand your command.

Chapter 8. Foundation Cisco Configuration

Global Configuration

ʻconfig-registerʼ enables you to change the default operation of the router or switch by
setting the configuration register. This is done by typing the command followed by the
configuration register value (in hexadecimal, preceded by 0x).
However, playing with the register is dangerous if you do not know what a value will do.
If you accidentally changed the register, you can change it back by
booting into ROMmon and entering ʻconfreg 0x2102ʼ.

ʻboot systemʼ sets the location where the IOS file is found at boot. E.g. the following
command boots the file c2600-do3s-mz.120-5.T1 from the TFTP server located at 172.16.1.1:
“Router(config)#boot system tftp c2600-do3s-mz.120-5.T1 172.16.1.1”

To change the hostname of the device (Router or Switch by default), use the ʻhostnameʼ
command followed by the new name, separated by a space.

To provide a login banner (also known as the message of the day) to notify or say
anything to users, use the ʻbanner motdʼ command followed by the message enclosed in 2
identical delimiter characters (which can be any character not used in the message).

You can set the password for privileged EXEC using the ʻenable passwordʼ or ʻenable
secretʼ command followed by the desired password. The ʻenable secretʼ password is
secure because it is stored as a non-reversible one-way MD5 (Message Digest 5)
cryptographic hash of the password. On the other hand, the ʻenable passwordʼ
command stores the password in clear text. When both are used, ʻenable secretʼ overrides the
password set with ʻenable passwordʼ. To remove either, use ʻno enable secretʼ or ʻno enable
passwordʼ followed by the original password.
The ʻservice password-encryptionʼ command encrypts all clear-text passwords in the
configuration with a Cisco proprietary encryption. It is still recommended that you use
ʻenable secretʼ for stronger security.

A Cisco router/switch supports domain name resolution (converting between host names and
IP addresses) both dynamically and statically by default. To set up a static entry, use the
ʻip hostʼ command followed by the host name and then the IP addresses, each separated by a space.

If you use a DNS server, you can specify it with ʻip name-serverʼ followed by the IP
addresses of the DNS servers (up to 6). Domain resolution is enabled automatically on a
device; to disable it, use the ʻno ip domain lookupʼ command.
To assign your Cisco device to an IP domain, use the ʻip domain-nameʼ command followed by
the domain name.

SSH is a secure method of remote access to Cisco devices because RSA public key
cryptography for authentication and encryption prevents compromise of data. To use this
service, you need 1) an IPsec (DES or 3DES) IOS feature set and 2) an SSH-capable
terminal client such as PuTTY.
Then you configure a host name other than the default and assign the device to a
domain. The device generates an RSA key whose default length is 512 bits, but it is suggested to
use one greater than 1024 bits. To generate the key, use ʻcrypto key generate rsaʼ; the
command will prompt you to enter a size, in bits, for the key; at the end of the
process, SSH is automatically enabled.
To define a username and password for SSH clients, use ʻ(config)#username
username-you-want password password-you-wantʼ.

Line Configurations

To set a password for console User EXEC access in line configuration, enter the mode with ʻline
consoleʼ followed by the line number, then use ʻloginʼ and ʻpasswordʼ
followed by the password you want. To set a time-out, use ʻexec-timeoutʼ followed by
the number of minutes and the number of seconds separated by a space (10 minutes
by default).

The IOS sends all alerts and notification messages to the console port by default, which
interrupts what you are typing. To mitigate this, use the ʻlogging synchronousʼ command. The IOS
still sends the notification to the terminal session, but then returns a new line containing the
input the user was working on.

You can also set passwords for users connecting through the auxiliary port. This
is done in line configuration starting with ʻline auxiliaryʼ followed by the line
number. Then ʻloginʼ, ʻpasswordʼ, and ʻexec-timeoutʼ are used as for the console port.

Establishing EXEC sessions on your device through Telnet and SSH without a password is very
insecure, and it is strongly recommended that you add a vty password, since otherwise any user
can access User EXEC. An ʻenable passwordʼ must be set to access Privileged EXEC over any
Telnet or SSH session.
For Telnet, when you assign a password to all vty lines, you must specify the range of
those lines. Remember that Telnet allows a maximum of 5 sessions to be established at the
same time; these sessions lie on vty lines 0 to 4. Use ʻline vtyʼ followed by the first line
and then the last line of the range, separated by a space. Then continue with the ʻloginʼ,
ʻpasswordʼ, and ʻexec-timeoutʼ commands.
Note: it is possible to set a different password for each line, but users have no idea which line
they are connected to and would have to guess the password. IOS allows only 3 tries.

Interface configuration

Interface configuration mode is entered with ʻinterfaceʼ followed by serial or
parallel, depending on the device, then the interface number (for modular devices, it is
usually 0/0, while for fixed interfaces it is usually 0).

To assign an IP address and a subnet mask to this interface, use the ʻip addressʼ
command followed by the IP address and the subnet mask separated by a space.
Remember that you cannot use the same network address for 2 routers, since routers
cannot be in the same network; this would cause an IP address overlap.

You can also provide a description for the interface using the ʻdescriptionʼ command
followed by the description (after a space).

All router interfaces are in a disabled, or ʻshutdownʼ, state by default; an interface can only be
enabled using the ʻno shutdownʼ command in the desired interface.
You can also use the ʻno keepalivesʼ command if your router is not connected to any
layer 2 device (switches or bridges). A keepalive is a mechanism that the IOS uses to
send messages to itself or to the other end to ensure a network interface is alive.

Most LAN interfaces are able to auto-sense and negotiate speed, but you can
set them manually in interface configuration. Enter the interface you want, then use
ʻspeedʼ followed by the data rate in Mbps (without writing Mbps), and the ʻduplexʼ
command followed by half/full/auto.

Here are some settings you can apply to WAN interfaces. Sometimes, when you have
a serial crossover cable between two routersʼ serial interfaces in a lab environment, the
serial interface with the DCE end of the cable attached to it has to provide timing on the link
for data to be recognized. To provide this synchronous timing, use the ʻclock
rateʼ command followed by the speed in bps.
Another WAN command is ʻbandwidthʼ, used to set a bandwidth other than the
default value, which assumes a T1 circuit (1.544 Mbps). If you are using a different
bandwidth, enter it after ʻbandwidthʼ in Kbps (without writing Kbps).

If you want to return your router or switch to its default configuration, you can use the
Privileged EXEC command, “erase startup-config”, and reboot the device with the
“reload” command. After the router or switch reboots, you should enter into Setup Mode
because the configuration in NVRAM was erased.

More configurations

All your work has to be saved in the end (into NVRAM) with the ʻcopyʼ command, which
can be followed by running-config, startup-config, flash, or tftp as the source and destination.

The ʻshowʼ command is one of the most important commands; it displays the contents of
the file or subsystem you specify. For instance, ʻshow running-configʼ shows all the
details in the running-config. A sample of ʻshow running-configʼ is shown below:

CCNA1720#show running-config
Building configuration. . .
Current configuration:
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname CCNA1720
enable secret 5 $1$nLCr$gNidpLSZvMnm2wFW6ACLm0
enable password 7 14120A0A0107382A29
boot-start-marker
boot-end-marker
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip host corerouter 172.16.1.1
ip name-server 172.16.1.254
ip cef
interface FastEthernet0
ip address 172.16.1.1 255.255.0.0
no ip directed-broadcast
full-duplex
interface Serial 0/0
bandwidth 64
ip address 192.168.1.1 255.255.255.0
no ip directed-broadcast
no fair-queue
ip classless
ip http server
banner motd ^C This is a private system and may be accessed only by authorized users. Unauthorized access is strictly prohibited and will be enforced to the full extent of the law. ^C
line con 0
exec-timeout 1 30
password 7 045802150C2E
login
line vty 0 4
exec-timeout 1 30
password 7 02050D480809
login
end

The ʻshow controllerʼ command contains a lot of technical detail. In particular, ʻshow controller
serialʼ identifies whether a DTE or DCE cable is attached to the serial interface. This is
useful to check the status of clocking and whether it needs configuration.

To back up your IOS to a TFTP server or download a newer version to your router or
switch, you must identify 1) the amount of Flash memory available, 2) the IOS filename located in
Flash, and 3) the current IOS version running. To see the status of your flash, use ʻshow flashʼ.
To see information about the current version, use ʻshow versionʼ. This command shows the
current IOS version, IOS image location, available interfaces, Flash memory, uptime, and
configuration register.

Except for ʻshow running-configʼ and ʻshow startup-configʼ, which can be used only in
privileged EXEC, the show commands can be used in both Privileged and User EXEC.

There is also ʻshow interfacesʼ, which shows details about an interface. A sample output is
shown on the next page. Txload and rxload show whether the link is congested. Line protocol up
means the keepalives are received successfully. Subnet zero is on by default in new IOS
versions. Hardware is the make and MAC address of the router. MTU is the Maximum
Transmission Unit (the maximum data a packet can contain); the same line shows the logical
bandwidth, cumulative delay, and inbound and outbound load. Loopback and keepalives are not set.

Layer 1   Layer 2   Possible symptoms
Up        Up        Interface is functional
Up        Down      Encapsulation mismatch; lack of clocking on serial interfaces; missing keepalives
Down      Down      Cable is disconnected or attached to a shutdown interface
Down      Down      Local interface was not enabled with the ʻno shutdownʼ command

31
Encapsulation is layer 2
Router#show interfaces FastEthernet 0/0 encapsulation frame
FastEthernet0/0 is up, line protocol is up Received is the data
Hardware is Gt96k FE, address is 001a.2f66.fa1a (bia 001
a.2f66.fa1a) received, runt is smaller
Internet address is 172.16.0.1/16 than MTU, giants are
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, larger than MTU.
reliability 255/255, txload 1/255, rxload 1/255 Collision packets and
Encapsulation ARPA, loopback not set other packets are also
Keepalive not set reported.
Full-duplex, 100Mb/s, 100Base-TX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:10, output 00:00:10, output hang never If you are
Last clearing of “ show interface” counters never troubleshooting, the
Input queue: 0/75/0/0 (size/max/drops/flushes); Total second line tells you the
output drops: 0 connection status of the
Queueing strategy: fifo interface and its layer 2
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec protocol status. Use this
5 minute output rate 0 bits/sec, 0 packets/sec chart.
322 packets input, 70336 bytes
Received 322 broadcasts, 0 runts, 0 giants, 0 throttles ʻshow ip interface briefʼ
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored gives a short report of the
0 watchdog statistics. Columns include
0 input packets with dribble condition detected
343 packets output, 72188 bytes, 0 underruns ʻinterfaceʼ, ʻip addressʼ,
0 output errors, 0 collisions, 3 interface resets ʻOK?ʼ, ʻmethodʼ, ʻstatusʼ,
0 babbles, 0 late collision, 0 deferred and ʻprotocolʼ.
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out Troubleshooting and
Backup Commands

'clear counters' resets the statistics shown by the show commands so that you can view fresh, up-to-date data.
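The layer 1 / layer 2 chart above is easy to apply by hand to one interface; the following Python script, added here as an example (it is not from these notes or from Cisco), applies it to the first line of 'show interfaces' output or to every row of 'show ip interface brief', so a whole device can be triaged in one pass. The sample output it parses is constructed for the example, not captured from a real router.

```python
import re

# The layer 1 / layer 2 chart from the notes: (layer1, layer2) -> likely cause.
SYMPTOMS = {
    ("up", "up"): "interface is functional",
    ("up", "down"): "encapsulation mismatch, missing clocking on a serial link, or missing keepalives",
    ("down", "down"): "cable disconnected, or attached to a shut-down interface on the far end",
    ("administratively down", "down"): "local interface not enabled with 'no shutdown'",
}

# First line of 'show interfaces', e.g. "Serial0/0 is up, line protocol is down"
STATUS_LINE = re.compile(
    r"^(?P<name>\S+) is (?P<l1>administratively down|up|down), "
    r"line protocol is (?P<l2>up|down)"
)

# One row of 'show ip interface brief', e.g.
# "FastEthernet0/0   172.16.0.1   YES manual up   up"
BRIEF_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<l1>administratively down|up|down)\s+(?P<l2>up|down)\s*$"
)


def classify(line):
    """Return (interface, layer1, layer2, symptom) for one status line, or None if it is not one."""
    m = STATUS_LINE.match(line) or BRIEF_ROW.match(line)
    if not m:
        return None
    l1, l2 = m.group("l1"), m.group("l2")
    symptom = SYMPTOMS.get((l1, l2), "unexpected combination, check the interface manually")
    return m.group("name"), l1, l2, symptom


def triage(output):
    """Classify every recognisable line of a show command and return only the interfaces with a problem."""
    findings = []
    for line in output.splitlines():
        result = classify(line.strip())
        if result and (result[1], result[2]) != ("up", "up"):
            findings.append(result)
    return findings


# Constructed sample output (not captured from a real device).
SAMPLE_BRIEF = """\
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    172.16.0.1      YES manual up                    up
Serial0/0          192.168.1.1     YES manual up                    down
Serial0/1          unassigned      YES unset  administratively down down
FastEthernet0/1    10.0.0.1        YES manual down                  down
"""

if __name__ == "__main__":
    for name, l1, l2, why in triage(SAMPLE_BRIEF):
        print(f"{name}: {l1}/{l2} -> {why}")
```

Feed it the saved output of either command; the header row of 'show ip interface brief' and any unrelated lines are ignored, and only interfaces that are not up/up are reported.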

'ping' can be used in user or privileged EXEC, followed by an IP address or a host name. The response is a string of '.' and '!' characters: '!' indicates a successful reply and '.' indicates that the request timed out. 'U' indicates a 'Destination Unreachable' message, sent when a device does not know how to reach the destination network. NOTE that the first packet is often lost while ARP resolves the next-hop MAC address. Typing just 'ping' with no argument starts an extended ping that lets you customize the probes by answering a few questions.

'traceroute' sends probes with an increasing TTL; each router along the path returns an ICMP time-exceeded message, so the command records every hop and how long it takes to reach it. This utility is useful when you suspect that one of the routers on the path is malfunctioning.

'debug' is another troubleshooting utility; it displays real-time information such as routing updates, packet forwarding, and so on. However, it consumes a lot of CPU to produce its output, so it is not recommended for routine use. Before turning on a debug, run 'show processes' to check CPU utilization; if utilization is over 60% in any of the fields, DO NOT use 'debug'. When you are done, turn it off with 'no debug all' or 'undebug all'.
To get accurate timestamps on debug messages, set the clock to the correct date and time with the 'clock set' command in privileged EXEC (or synchronize it with NTP), and enable timestamps on debug output with '(config)#service timestamps debug datetime msec'.

To back up your IOS configuration file or image, you create a copy on a TFTP server. Before you start copying:
1) The TFTP server must have the TFTP service running. You can find evaluation TFTP servers on the Internet from companies such as SolarWinds and FutureSoft.
2) Your device must be cabled correctly. If you go through a switch, plug the TFTP server into the switch with a straight-through Ethernet cable. If you connect a router directly to the TFTP server, use a crossover cable.
3) You must have IP connectivity to the server; in the simplest case, your interface is on the same subnet as the server.
4) There must be enough room on the TFTP server and in your device's memory to store the files. If Flash cannot hold two images, IOS asks to erase the old file before the copy.
After this, start the copy with 'copy flash tftp', where flash is the source of the file; the prompt asks a few questions (server address, source and destination file names). Each block transferred successfully is displayed as '!'. TFTP has no authentication or encryption, so run the server only for the duration of the transfer, on a management network, and protect the stored copies, which contain the device's passwords.

You need to reboot the device with 'reload' (privileged EXEC) for a new IOS image to take effect. Before rebooting, the router asks whether to save the changes (if the configuration was modified), or you can save the configuration yourself with 'copy'.
The 'copy' command is also used for configuration backup and recovery. Remember that a configuration copied into running-config is merged with the existing one, and that commands which do not appear in a saved configuration, such as 'no shutdown', have to be added by hand.
IOS also accepts URL-style names: running-config is system:running-config, startup-config is nvram:startup-config, a file on TFTP server 172.16.1.16 is tftp://172.16.1.16/file-name, and a file in Flash is flash:file-name.

Cisco Discovery Protocol (CDP) gathers information about directly connected Cisco neighbors. Every 60 seconds it sends an advertisement to the multicast MAC address 0100.0CCC.CCCC on all functional connected interfaces. CDP is a Cisco-proprietary layer 2 protocol that works independently of the media and of the layer 3 protocols in use. Use 'show cdp neighbors' to list the directly connected neighbors and their status (1. Device ID, 2. Local Interface, 3. Holdtime, 4. Capability, 5. Platform, 6. Port ID).

'show cdp neighbors detail' or 'show cdp entry *' shows the information in 'show cdp neighbors' plus the layer 3 addresses and the IOS version of the connected devices.
Note that CDP is on by default. To disable it globally, enter '(config)#no cdp run'; to disable it on a particular interface, '(config-if)#no cdp enable'. Because CDP advertises the platform, IOS version and addresses of the device in clear text to anyone listening on the segment, disable it on interfaces that face end users or untrusted networks.

A Telnet remote session is established with the 'telnet' command followed by the IP address of the router. As said before, the router needs a vty password for this to work. You can verify the open sessions with 'show sessions' and limit unwanted access with an access control list (ACL) applied to the vty lines. Telnet sends the password and the whole session in clear text, so prefer SSH wherever the IOS image supports it.
You can temporarily suspend a Telnet session (it keeps running) with Ctrl+Shift+6 followed by the 'x' key. To resume it, press Enter with no command entered, or use the 'resume' command followed by the connection number shown in 'show sessions'; the entry marked with an asterisk is the last session suspended.
To leave a Telnet session, enter 'exit' or 'logout' on the remote router, or 'disconnect' followed by the connection number on the local end.

'terminal monitor', typed in privileged EXEC, makes a device send its log and debug messages to your remote (vty) session instead of only to the console.

Cisco routers can also serve as a DHCP server for a LAN, as long as the interface connecting the LAN has an IP address assigned. First, enter the DHCP pool configuration with 'ip dhcp pool pool-name' in global configuration, where pool-name is the name of the pool; the prompt changes to Router(dhcp-config)#. In that mode:
'network' is followed by the network address and the subnet mask separated by a space, or by the network address and a CIDR prefix length separated by a space.
'default-router' is followed by the IP address of the default gateway.
'dns-server' is followed by the IP address of the DNS server.
'domain-name' is followed by the domain name of the network.
'lease' is followed by the number of days, hours, and minutes of the lease.
'exit' leaves the pool configuration.
'ip dhcp excluded-address' (global configuration) takes one or two IP addresses. With one address, that single address is removed from the pool of assignable addresses; with two addresses, the whole range between them (inclusive) is excluded. Typically you exclude statically assigned addresses such as servers and the default gateway.
'show ip dhcp binding' lists the clients that currently hold a lease from the router's DHCP server.

A router can also be a DHCP client: 'ip address dhcp' on an interface makes that interface obtain its own address from a DHCP server on the attached network (it does not hand out addresses to connected clients). 'show dhcp lease' in privileged EXEC shows the leases obtained on all such interfaces.

When serving a large network, the router has to track every binding and may run short of memory. Keeping leases short lets unused bindings expire sooner.

Chapter 9. Understanding the Cisco SDM

Cisco offers the Security Device Manager (SDM) in addition to the CLI; it is a web-based tool for configuring software-based routers and is only offered on ISR routers. To check whether you have SDM, open a web browser and go to http://Router-IP-Address to see if the SDM page loads.
For this to work, you need an interface in the up/up state, the router IP address and subnet mask configured, the HTTP server enabled ('ip http server', or 'ip http secure-server' for HTTPS) with its port not blocked, the Java plug-in installed in the browser, and a few other things.

When you insert the SDM CD, a wizard guides the installation. You can choose either First-Time Router Setup or Install SDM. SDM presents a lot of information about your device, spread across different sections. In the 'Home' tab, 'About Your Router' and 'Configuration Overview' are useful for troubleshooting ('View Running Config' shows the configuration), whereas the 'Configure' tab is used to change the device configuration. To change a setting, click 'Additional Tasks' on the left and find the item you want (located under different headings); double-clicking it opens a smaller window where you can change the setting.

In the 'Configure' tab, under Router Properties, you can set the hostname, domain name, banner, and enable secret.
Under Router Access in Additional Tasks, you can also configure router usernames and passwords, as well as accounts for Telnet and SSH clients.

DNS and DHCP information is configured under Additional Tasks too.

To configure a router interface, click the 'Configure' tab and select 'Interfaces and Connections' from Tasks. Here you can 'Create Connection' and 'Edit Interface/Connection'. Double-clicking an interface name brings up a list of settings you can alter in a smaller window. Enable or disable connections using the button on the tab.

The system can be monitored from the 'Monitor' tab. The tasks listed are Logging, NAC Status, QoS Status, VPN Status, Firewall Status, Interface Status, and Overview; these can be used to watch CPU, memory and Flash usage.

Chapter 10. Introduction to Routing and Routing Protocols

To send data to a host on the same network, your PC broadcasts an ARP request for that host and sends the data once the destination MAC address is returned.
To send data to a host on a remote network, your PC broadcasts an ARP request for the MAC address of the local default gateway (router A) and sends the frame to router A (MAC SA = your PC, MAC DA = router A, IP SA = your PC, IP DA = remote PC). Router A looks at the destination IP address and searches its routing table for a route; once found, router A ARPs for the next hop, router B, and forwards the frame (MAC SA = router A, MAC DA = router B, IP SA = your PC, IP DA = remote PC). Router B looks at the destination IP address, sees that it belongs to a directly connected network, broadcasts an ARP request for the PC with that IP address, and forwards the packet once the MAC address is replied (MAC SA = router B, MAC DA = remote PC, IP SA = your PC, IP DA = remote PC). The IP addresses never change along the path; only the MAC addresses are rewritten at each hop.

When troubleshooting, check the configuration information for your network. Make sure your computer is connected to the right interface; you can check the MAC and IP address learned for the default gateway with the 'arp -a' command (it displays the computer's ARP table). An ARP entry stays in the computer's volatile cache as long as it keeps being used, and ages out after a platform-specific timeout (a few minutes) otherwise. To delete one ARP entry, use 'arp -d' followed by the address; on Windows, 'arp -d *' deletes all entries.
If you cannot ping an IP address, check your configuration information, make sure all cables are connected, and ping internal addresses to confirm that the problem isn't your router.
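The hop-by-hop exchange described above, traced in Python as an added example (it is not from these notes). The topology, addresses and MAC addresses are constructed for the example: PC1 and PC3 on 10.1.1.0/24 behind RouterA, PC2 on 10.2.2.0/24 behind RouterB, and a serial link 192.168.1.0/30 between the routers. ARP and the routing lookup are simulated with table lookups.

```python
import ipaddress

# Constructed topology (an assumption for this example, not from the notes).
HOSTS = {
    "PC1": {"ip": "10.1.1.10", "prefix": 24, "gw": "10.1.1.1", "mac": "aaaa.1111.0001"},
    "PC3": {"ip": "10.1.1.11", "prefix": 24, "gw": "10.1.1.1", "mac": "aaaa.1111.0003"},
    "PC2": {"ip": "10.2.2.20", "prefix": 24, "gw": "10.2.2.1", "mac": "bbbb.2222.0002"},
}
ROUTERS = {
    "RouterA": {
        "ifaces": {"Fa0/0": ("10.1.1.1/24", "0a0a.0a0a.0001"), "S0/0": ("192.168.1.1/30", "0a0a.0a0a.0002")},
        "routes": {"10.2.2.0/24": ("192.168.1.2", "S0/0")},      # prefix -> (next hop, exit interface)
    },
    "RouterB": {
        "ifaces": {"S0/0": ("192.168.1.2/30", "0b0b.0b0b.0001"), "Fa0/0": ("10.2.2.1/24", "0b0b.0b0b.0002")},
        "routes": {"10.1.1.0/24": ("192.168.1.1", "S0/0")},
    },
}


def arp(ip):
    """Simulated ARP: who answers for this IP on the attached link? Returns (owner name, MAC)."""
    for name, h in HOSTS.items():
        if h["ip"] == ip:
            return name, h["mac"]
    for name, r in ROUTERS.items():
        for addr, mac in r["ifaces"].values():
            if str(ipaddress.ip_interface(addr).ip) == ip:
                return name, mac
    raise LookupError(f"no ARP reply for {ip}")


def route(router, dst_ip):
    """Router lookup: a directly connected subnet first, otherwise the static route table."""
    r, dst = ROUTERS[router], ipaddress.ip_address(dst_ip)
    for ifname, (addr, _) in r["ifaces"].items():
        if dst in ipaddress.ip_interface(addr).network:
            return dst_ip, ifname                 # connected: ARP for the host itself
    for prefix, (next_hop, ifname) in r["routes"].items():
        if dst in ipaddress.ip_network(prefix):
            return next_hop, ifname               # remote: ARP for the next-hop router
    raise LookupError(f"{router}: no route to {dst_ip}")


def forward(src_name, dst_name):
    """Trace the frame hop by hop; each entry records the L2 and L3 addresses used on that link."""
    src, dst = HOSTS[src_name], HOSTS[dst_name]
    local = ipaddress.ip_network(f"{src['ip']}/{src['prefix']}", strict=False)
    # Host decision: same subnet -> ARP for the host; otherwise ARP for the default gateway.
    target = dst["ip"] if ipaddress.ip_address(dst["ip"]) in local else src["gw"]
    owner, mac = arp(target)
    hops = [{"sender": src_name, "mac_sa": src["mac"], "mac_da": mac, "ip_sa": src["ip"], "ip_da": dst["ip"]}]
    while owner in ROUTERS:                       # each router rewrites only the MAC addresses
        next_ip, out_if = route(owner, dst["ip"])
        out_mac = ROUTERS[owner]["ifaces"][out_if][1]
        sender = owner
        owner, mac = arp(next_ip)
        hops.append({"sender": sender, "mac_sa": out_mac, "mac_da": mac, "ip_sa": src["ip"], "ip_da": dst["ip"]})
    return hops


if __name__ == "__main__":
    for hop in forward("PC1", "PC2"):
        print(f"{hop['sender']:8} MAC {hop['mac_sa']} -> {hop['mac_da']}   IP {hop['ip_sa']} -> {hop['ip_da']}")
```

Running it for PC1 to PC2 prints three frames with the same IP pair and three different MAC pairs; PC1 to PC3 produces a single frame addressed directly to PC3, because the host recognised the destination as local.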

Routing table and types of routes

The routing table is a list of all reachable networks, stored in RAM and displayed with 'show ip route' (available in User EXEC). Its entries come from 3 sources:
➡ Connected interfaces: as soon as you assign an IP address to a working (up/up) interface, the router adds that interface's subnet; the entry remains in the table as long as the interface is active.
➡ Static routes: manual entries that specify the destination network and the next hop (router) or exit interface. They remain in the routing table as long as they are not deleted. Static routes allow a maximum of 16 equal-cost routes to be used for load balancing. In the routing table entry [AD/metric], the AD of a static route is 1 by default.
➡ Routing protocols: protocols that dynamically advertise networks. Their routes remain in the table as long as the next hop is valid and hello packets or updates keep being received.

When several sources offer a route to the same prefix, the administrative distance (AD) decides which one is installed. It ranges from 0 to 255; the smaller the value, the more trusted the source.

Route source          Default distance
Connected             0
Static                1
BGP (external)        20
EIGRP (internal)      90
OSPF                  110
RIPv1, v2             120
EIGRP (external)      170
BGP (internal)        200

A routing table entry such as "D 10.1.0.0/16 [90/2297856] via 192.168.1.10, Serial0/0/0" is an EIGRP-learned route (code D) with administrative distance 90 and metric 2297856, exiting on Serial0/0/0; packets for 10.1.0.0/16 are sent to the next hop 192.168.1.10. A directly connected route carries no [AD/metric] and reads like "C 172.16.0.0/16 is directly connected, FastEthernet0/0".
Packets that match no entry are sent using the default route. If there is no default route either, the packet is dropped and an ICMP Destination Unreachable message is generated.
The longest match rule states that when a packet matches several network entries, the more specific subnet is used over the less specific one. In other words, the more bits in the subnet mask (thus the smaller subnet), the better the chance that the entry is chosen. Longest match is evaluated before AD: AD only decides which source's route to the same prefix gets installed in the table in the first place.

A stub network is a network whose router is connected to only one other router. In that case a static route is a good idea. To configure a static route, use the 'ip route' command followed by the destination network address, the destination subnet mask, and the IP address of the next hop (router) on the path. Instead of the next-hop address, the command can be followed by an exit interface name; do this only on point-to-point links, where there is a single device at the other end.
If an administrative distance is not specified, the default is 1 (the value for static routes).

You can force a static route to stay in the table even if the next hop is down by adding 'permanent' to the 'ip route' command. An administrative distance greater than 1 can be added at the end of the command to define a backup or alternate route; such routes are known as floating static routes. They are not placed in the routing table while the same prefix is reachable through a route with a lower administrative distance.

Another type of route is the default route, used when a destination IP address matches no other entry in the routing table. The command is 'ip route 0.0.0.0 0.0.0.0' followed by the IP address of the next hop or the name of the local exit interface.
To define the default gateway of a layer 2 switch, use the 'ip default-gateway' command instead.
Note that an interface configured with 'ip address dhcp' installs a default route toward the gateway learned from the DHCP server automatically.

Configuring static and default routes in SDM is easy: open the 'Configure' tab, select 'Routing' from Tasks, and under 'Static Routing' click the 'Add' button. A smaller window opens where you enter the route information; you can make the route floating or permanent, depending on your needs.

To double-check the routes, use 'show ip route' (available in User EXEC). To see the entry for a specific route, follow the command with the network address. To remove a static route, use 'no ip route' with the same arguments; 'clear ip route' followed by a network address (privileged EXEC) removes a dynamically learned entry so that it is relearned, and 'clear ip route *' flushes the whole routing table.
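The selection rules of this section (per prefix, the lowest AD wins; across prefixes, the longest match wins; a floating static route waits until nothing better exists; the default route catches the rest; no match means the packet is dropped) in Python, as an added example rather than anything from these notes. The routes and addresses are constructed for the example, the AD values are the ones from the table above, and 'show ip route'-style rendering is approximated by the __str__ method.

```python
import ipaddress

# Default administrative distances from the notes, keyed by the 'show ip route' code letter.
AD = {"C": 0, "S": 1, "B-ext": 20, "D": 90, "O": 110, "R": 120, "D-ext": 170, "B-int": 200}


class Route:
    def __init__(self, source, prefix, next_hop=None, iface=None, metric=0, ad=None):
        self.source = source                      # routing-table code: C, S, D, O, R ...
        self.network = ipaddress.ip_network(prefix)
        self.next_hop, self.iface, self.metric = next_hop, iface, metric
        # A static route given an explicit AD > 1 is a floating static route.
        self.ad = AD[source] if ad is None else ad

    def __str__(self):
        if self.source == "C":
            return f"C {self.network} is directly connected, {self.iface}"
        return f"{self.source[0]} {self.network} [{self.ad}/{self.metric}] via {self.next_hop}, {self.iface}"


class RoutingTable:
    def __init__(self):
        self.candidates = []                      # every route offered by every source

    def add(self, route):
        self.candidates.append(route)

    def withdraw(self, source, prefix):
        """A source stops offering a prefix (interface down, neighbour lost, 'no ip route')."""
        net = ipaddress.ip_network(prefix)
        self.candidates = [r for r in self.candidates if not (r.source == source and r.network == net)]

    def installed(self):
        """What 'show ip route' displays: per prefix, the lowest AD, then the lowest metric;
        routes tied on both are all installed (equal-cost load balancing)."""
        best = {}
        for r in self.candidates:
            cur = best.get(r.network)
            if cur is None or (r.ad, r.metric) < (cur[0].ad, cur[0].metric):
                best[r.network] = [r]
            elif (r.ad, r.metric) == (cur[0].ad, cur[0].metric):
                cur.append(r)
        return best

    def lookup(self, dst):
        """Longest-match lookup. Returns the installed route(s) for dst, or None when the packet
        would be dropped with an ICMP Destination Unreachable."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, rs) for net, rs in self.installed().items() if addr in net]
        if not matches:
            return None
        # Longest prefix wins regardless of AD; AD was already applied per prefix in installed().
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_sample_table():
    """Constructed example routes (not from a real device)."""
    rt = RoutingTable()
    rt.add(Route("C", "172.16.0.0/16", iface="FastEthernet0/0"))
    rt.add(Route("D", "10.1.0.0/16", "192.168.1.10", "Serial0/0/0", metric=2297856))
    rt.add(Route("R", "10.1.0.0/16", "192.168.2.20", "Serial0/0/1", metric=2))       # loses on AD (120 > 90)
    rt.add(Route("S", "10.1.0.0/16", "192.168.3.30", "Serial0/1/0", ad=200))          # floating static
    rt.add(Route("O", "10.1.5.0/24", "192.168.4.40", "FastEthernet0/1", metric=65))  # more specific, higher AD
    rt.add(Route("S", "0.0.0.0/0", "203.0.113.1", "Serial0/1/1"))                      # default route
    return rt


if __name__ == "__main__":
    rt = build_sample_table()
    for routes in rt.installed().values():
        print(*routes, sep="\n")
    for dst in ("10.1.5.7", "10.1.9.9", "172.16.1.1", "8.8.8.8"):
        print(dst, "->", rt.lookup(dst)[0])
```

The lookup for 10.1.5.7 picks the OSPF /24 even though the EIGRP /16 has the better AD; withdrawing the EIGRP route promotes RIP, withdrawing RIP finally installs the floating static, and removing the default route turns an unknown destination into a drop.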

Types of routing protocols

Routed protocols are protocols such as those of the IP suite that carry data across the network. Routing protocols are exchanged between routing devices to determine the best path along which to forward the routed protocols. Implementing routing protocols is a good solution for an internetwork with many hosts and paths. Routing protocols use one or more of the following to calculate the metric, the value assigned to each route:
➡ Hop count: the number of routers a packet must traverse before reaching the destination.
➡ Bandwidth: the bandwidth of the links to the destination in Kbps (EIGRP uses the slowest link on the path).
➡ Delay: the time (in microseconds) a packet takes from source to destination.
➡ Reliability: the consistency of the links and paths, based on interface error rates.
➡ Load: the amount of congestion on the links toward the destination.
➡ MTU: the maximum frame size allowed to traverse the links to the destination.
➡ Cost: an arbitrary number, typically based on the bandwidth of the link.

Routing protocols can be classful or classless. Classful routing protocols do not carry subnet masks in their updates, so they should not be used with VLSM networks: they automatically summarize the subnets at the classful boundary. If you must subnet with a classful protocol, use the same subnet mask throughout the network, a design known as Fixed-Length Subnet Mask (FLSM).
Classless routing protocols, on the other hand, carry the mask with each route and handle subnets of different sizes, a design known as Variable-Length Subnet Mask (VLSM). With classless routing protocols you can still summarize, as classful protocols do, but under your control.

A set of networks under one administrative domain is known as an autonomous system (AS). Routing protocols that route within an AS are Interior Gateway Protocols (IGPs), while routing protocols that route between ASs are Exterior Gateway Protocols (EGPs).

In addition to classful/classless and IGP/EGP, routing protocols can be distance vector, link state, or advanced distance vector (hybrid).
➡ Distance vector, or routing by rumor: each router periodically sends its entire routing table to its connected neighbors. A router receiving an update extracts the new information and passes it on to its other neighbors along with its own routing table.
➡ Link state: each router knows the state and metric of every link in its area. This consumes more memory and CPU, because the router keeps 1) a neighbor table of all discovered neighbors, 2) a topology table of all possible routes to reachable networks, and 3) a routing table with the best route to each network, chosen by the lowest metric computed from the topology table. Link-state protocols send updates 1) at very long intervals, or 2) whenever the topology changes.
➡ Advanced distance vector, or hybrid (balanced hybrid): a combination of the better properties of distance-vector and link-state protocols.

Where several routing protocols are used in one domain, network information has to be transferred from one protocol to another by redistribution, which can be:
➡ One-way redistribution: networks from an edge protocol are injected into a core routing protocol only. This is the safest way to redistribute.
➡ Two-way redistribution: networks from each routing protocol are injected into the other. This is less preferred because it may create routing loops when the two protocols converge at different speeds after a topology change.

Chapter 11. Distance Vector Routing Protocols

Distance-vector protocols, also known as routing by rumor, are legacy routing protocols that use the Bellman-Ford algorithm. A router sends its entire routing table to its neighbors periodically (every 30 seconds by default), whether or not the table has changed. The recipients extract the useful information, merge it with their own tables, and in turn send the result to their neighbors. Routers in such a domain have a flat relationship with one another.

If a new route arrives for a destination already in the table, the metrics are compared. If the new route has a higher metric than the existing one, it is discarded. If the two routes have equal metrics (same network, same cost, same source), both are used for load balancing (4 routes by default, 6 maximum). If the new route has a lower metric, it replaces the old route in the routing table.
As an update passes through a router, the hop count is increased by one.

Routing loops, its solution, and other methods of convergence

Routing loops are very troublesome; one indicator is a route whose hop count keeps climbing toward infinity. To mitigate loops, several measures are built into the routing protocol, and most of them can't be disabled.

Counting to infinity is a routing loop in which an update bounces between 2 or more routers, each incrementing the hop count, saturating network bandwidth. To deal with this, most routing protocols define a maximum hop count, so that when the hop count reaches infinity (1 + max hop count) the route is dropped.
[ RIPv1, v2 (distance vector) -> max hop count = 15; EIGRP (hybrid) -> max hop count = 224; OSPF (link state) -> no max hop count ]

Another solution is split horizon, which prevents a router from advertising a route back out the interface it was learned on, thus eliminating the simplest loops. Split horizon is one of the things you can manually disable if necessary.

Route poisoning is the way a router advertises a route with an infinite hop count when it detects a failure in that route.

With poison reverse, routers override the split horizon rule and send the poisoned route back to the router they learned it from, acknowledging the failure, while the other routers put the network in a "possibly down" state with a hold-down timer.

Hold-down timers start when a router receives a poisoned update. During this time the router ignores updates about the route (now "possibly down") that carry the same or a worse metric, until the timer expires; an update with a better metric is accepted and installed. Because of these timers, distance-vector protocols are the slowest to converge.

Flash, or triggered, updates send update packets to other routers as soon as a topology change occurs, rather than waiting for the next update period.

The invalid, or dead, timer is reset every time a router receives an update for a route from a neighbor; if no further update arrives before the timer expires, the route is considered dead and the router uses route poisoning to inform the others. The default value is 180 seconds.
To manually clear all routes, use 'clear ip route *', or clear one route by giving its network address instead of *.
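The loop-prevention mechanisms of this section can be watched working in a small simulation; the Python below is an added example, not from these notes or from any RIP implementation. It models three routers in a row (A, B, C) with a network behind C, runs periodic RIP-style updates, then fails C's link and reports how many 30-second periods it takes for every router to mark the route unreachable. Split horizon, route poisoning and the invalid timer are modelled; hold-down timers and triggered updates are deliberately left out, so the model also shows that route poisoning alone, without split horizon, still counts to infinity. The topology and prefixes are constructed for the example.

```python
INFINITY = 16          # RIP: 16 hops means unreachable (max hop count 15 + 1)
INVALID_PERIODS = 6    # 180-second invalid timer / 30-second update period


class Router:
    def __init__(self, name, connected):
        self.name = name
        self.table = {net: (0, None) for net in connected}   # prefix -> (hop count, learned from)
        self.neighbors = []
        self.missed = {}                                     # prefix -> periods without an update

    def advertisement(self, to, split_horizon):
        """Build the periodic update sent to neighbour `to`."""
        return {net: hops for net, (hops, via) in self.table.items()
                if not (split_horizon and via == to)}        # split horizon: never echo a route to its source

    def receive(self, frm, adv):
        # Invalid timer: a route learned from `frm` that `frm` stopped advertising is eventually poisoned.
        for net, (hops, via) in list(self.table.items()):
            if via == frm and net not in adv:
                self.missed[net] = self.missed.get(net, 0) + 1
                if self.missed[net] >= INVALID_PERIODS:
                    self.table[net] = (INFINITY, via)
        for net, hops in adv.items():
            self.missed.pop(net, None)
            new = min(hops + 1, INFINITY)
            cur_hops, cur_via = self.table.get(net, (INFINITY, None))
            if cur_via == frm:
                self.table[net] = (new, frm)      # the current next hop is believed, better or worse (the rumour)
            elif new < cur_hops:
                self.table[net] = (new, frm)


def update_period(routers, split_horizon):
    """One update period: every router sends its table to every neighbour (all updates are built before any is applied)."""
    pending = [(r, n, r.advertisement(n.name, split_horizon)) for r in routers for n in r.neighbors]
    for r, n, adv in pending:
        n.receive(r.name, adv)


def simulate(split_horizon, poison, max_periods=40):
    """Topology A - B - C with 10.9.0.0/16 behind C. After convergence the link from C to 10.9.0.0/16 fails.
    Returns (periods until every router holds the route at INFINITY, per-period hop counts of A, B, C)."""
    a, b, c = Router("A", ["10.1.0.0/16"]), Router("B", []), Router("C", ["10.9.0.0/16"])
    a.neighbors, b.neighbors, c.neighbors = [b], [a, c], [b]
    routers = [a, b, c]
    for _ in range(5):
        update_period(routers, split_horizon)             # steady state: A 2 hops, B 1 hop, C 0
    if poison:
        c.table["10.9.0.0/16"] = (INFINITY, None)         # route poisoning: advertise 16 hops
    else:
        del c.table["10.9.0.0/16"]                        # silent withdrawal: neighbours must time it out
    history = []
    for period in range(1, max_periods + 1):
        update_period(routers, split_horizon)
        history.append(tuple(r.table.get("10.9.0.0/16", (INFINITY, None))[0] for r in routers))
        if all(h == INFINITY for h in history[-1]):
            return period, history
    return None, history


if __name__ == "__main__":
    for sh, po in ((True, True), (True, False), (False, True), (False, False)):
        periods, hist = simulate(sh, po)
        print(f"split horizon={sh} poisoning={po}: unreachable everywhere after {periods} periods; "
              "B's hop count per period: " + " ".join(str(h[1]) for h in hist))
```

With split horizon and route poisoning the failure is known everywhere after two periods. With split horizon alone, B has to wait for its invalid timer (six missed updates) before it poisons the route itself. Without split horizon, B keeps hearing about the network from A and C, and the hop count ratchets up one step per period until it hits 16, the classic count to infinity.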

Distance-vector protocols, RIP

RIP for IP is defined in RFC 1058. It is a simple routing protocol with hop count as its metric. RIPv1 is classful and automatically summarizes subnetted networks to their default classful boundaries; you can only advertise directly connected, classful networks when configuring RIP.

RIP requires manual redistribution to advertise networks from a different routing source (anything other than directly connected and RIP-learned networks). When a static default route is configured on a RIP router, use 'default-information originate' to redistribute the default route in its updates to its neighbors. The neighbors receiving these updates use that router as their default gateway unless they already have a static default route with a lower administrative distance. Their routing table then displays the learned 0.0.0.0/0 subnet as a RIP-learned network.

To configure RIP, enter global configuration and type 'router rip', then the 'network' command followed by the local classful network address with no subnet mask. Remember: any subnets of that network will be advertised as though they were one (major) network. To remove a network entry, use 'no network' followed by the network address. To set a different number of paths for load balancing, use 'maximum-paths' followed by the number of paths; to disable load balancing, set it to 1.

You can set an interface as passive ('passive-interface' followed by the interface name in 'router rip' mode) so that it stops sending updates out that interface. This saves bandwidth on segments that only contain end hosts, and also stops handing your routing table to anyone listening on that segment.

RIPv2 adds the following improvements:
- Multicast updates: RIPv2 uses the reserved multicast address 224.0.0.9 to communicate with RIPv2 neighbors.
- Classless support: RIPv2 carries the subnet mask in its updates, so it supports VLSM and discontiguous networks once automatic summarization is turned off with 'no auto-summary'.
- Authenticated updates: RIPv2 can authenticate neighbors. Configuration: define a key chain with 'key chain' followed by the name in global configuration, identify a key with 'key' and a number, and set the password with 'key-string'. Then, in interface configuration mode, apply it with 'ip rip authentication key-chain' followed by the key chain name and 'ip rip authentication mode md5'. MD5 mode puts a keyed MD5 hash in each update (the updates themselves are not encrypted); the alternative text mode sends the key in clear text and should not be used.

Enter RIPv2 with 'router rip', then 'version 2'. By default, RIP sends v1 updates and accepts both v1 and v2 updates (ignoring the subnet mask and authentication in v2 updates). 'version 1' tells the router to send and receive only v1 updates, ignoring v2; 'default version' restores the default behavior.

To configure RIP in SDM, ʻConfigureʼ -> ʻRoutingʼ -> ʻDynamic Routingsʼ section ->
ʻEditʼ button.

To verify RIP, use 'show running-config'. Another command is 'show ip route', where RIP routes are marked R; each entry shows administrative-distance/metric, with a metric of at most 15. 'show ip protocols' shows detailed information about the IP routing protocols in use and their status. All of these are entered in privileged EXEC.

To troubleshoot RIP, use 'debug ip rip' to see the updates in real time. 'show debugging' lists the debugs currently enabled, and 'debug ?' lists the ones available.

A possible problem with RIP occurs when multiple paths with the same hop count to the same network have different speeds. Because RIP only counts hops, it load-balances across them equally, a situation called pinhole congestion.

RIP uses the following 4 timers to regulate its routing process:
- Route update timer: the interval between complete copies of the routing table, default 30 seconds.
- Route invalid timer: the time without an update after which a route is declared invalid and route poisoning starts, default 180 seconds.
- Holddown timer: the time during which worse updates for the invalid route are ignored to let it come back up, default 180 seconds.
- Route flush timer: the time after which a route not heard from again is removed from the table, default 240 seconds.
So a dead route can take up to 7 minutes to be flushed.

Here is a comparison between the different routing protocols:

                        RIPv1   RIPv2   IGRP    EIGRP      IS-IS       OSPF
Distance vector         Yes     Yes     Yes     Yes        No          No
Link state              No      No      No      No         Yes         Yes
Route auto-summary      Yes     Yes     Yes     Yes        No          No
Manual route summary    No      Yes     Yes     Yes        Yes         Yes
VLSM                    No      Yes     No      Yes        Yes         Yes
Cisco proprietary       No      No      Yes     Yes        No          No
Convergence             Slow    Slow    Slow    Very fast  Fast        Fast
Size of network         Small   Small   Large   Large      Very large  Large
Network staff support   Poor    Poor    Good    Poor       Fair

Chapter 12. Link-State and Hybrid Routing Protocols

Link-State Routing Protocols and OSPF

Subnets, the status of links, and the metrics of subnets are all carried in Link-State Advertisements (LSAs), which are exchanged with neighbors when a router first comes up. Smaller Hello packets are sent periodically (every 10 seconds by default on broadcast and point-to-point links, every 30 seconds on NBMA links) to tell neighbors the link is alive; the LSAs themselves are refreshed every 30 minutes. When the topology changes, a Link-State Update (LSU) is flooded to all adjacent routers, which flood it on to their neighbors, and every router then recalculates its routing table with the Shortest Path First (SPF, Dijkstra) algorithm. Because every router in an area works from the same map, routing loops are prevented.

Link-state routing protocols maintain 3 tables, which consumes CPU and memory:
- The topology table, or link-state database, contains the information received in LSAs for this area.
- The neighbor, or adjacency, table is a list of all active neighbors.
- The routing table is the list of best routes, computed from the topology table by the SPF algorithm.

OSPF

Open Shortest Path First (OSPF) is a link-state routing protocol standardized by the IETF (RFC 2328 for OSPFv2). OSPF is classless: every network is advertised together with its subnet mask. Its link-state operation speeds up convergence and supports manual route summarization.

OSPF cost (metric) = 10^8 / interface bandwidth in bps, so the smaller the value, the faster the link. 56 Kbps: cost 1785; 64 Kbps: 1562; T1 (1.544 Mbps): 64; E1 (2.048 Mbps): 48; 10 Mbps: 10; 100 Mbps: 1; 1 Gbps: 1. For bandwidth over 100 Mbps the cost is always 1 unless you raise the reference bandwidth (the 10^8 in the formula) with 'auto-cost reference-bandwidth' under 'router ospf'; if you do, set the same value on every router in the domain.
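The cost formula above, carried through in Python as an added example (not from these notes), including the failure mode it warns about: with the default reference bandwidth a path of two 1 Gbps links costs more than a single 100 Mbps link, so OSPF prefers the slower path until the reference bandwidth is raised. The two candidate paths are constructed for the example; bandwidths are given in Kbps as on a Cisco 'bandwidth' statement.

```python
def ospf_cost(bandwidth_kbps, reference_mbps=100):
    """Cisco OSPF interface cost: reference bandwidth / interface bandwidth, truncated, never below 1.
    The default reference is 10^8 bit/s (100 Mbps); 'auto-cost reference-bandwidth' changes it."""
    cost = (reference_mbps * 1_000_000) // (bandwidth_kbps * 1_000)
    return max(1, cost)


def path_cost(links_kbps, reference_mbps=100):
    """An OSPF path cost is the sum of the outgoing interface costs along the path."""
    return sum(ospf_cost(b, reference_mbps) for b in links_kbps)


def best_path(paths, reference_mbps=100):
    """Pick the lowest-cost path; paths maps a label to the list of link bandwidths on that path."""
    return min(paths, key=lambda name: path_cost(paths[name], reference_mbps))


# Constructed topology (an assumption for the example): two candidate paths to one destination.
PATHS = {
    "two-gigabit-hops": [1_000_000, 1_000_000],   # two 1 Gbps links
    "one-fast-ethernet": [100_000],               # a single 100 Mbps link
}

if __name__ == "__main__":
    for link in (56, 64, 1544, 2048, 10_000, 100_000, 1_000_000):
        print(f"{link:>9} Kbps: cost {ospf_cost(link)} (default), {ospf_cost(link, 10_000)} (reference 10 Gbps)")
    for ref in (100, 10_000):
        costs = {name: path_cost(links, ref) for name, links in PATHS.items()}
        print(f"reference {ref} Mbps: {costs} -> OSPF chooses {best_path(PATHS, ref)}")
```

With the default reference the Gigabit links are indistinguishable from Fast Ethernet (both cost 1), so hop count decides and the slower single link wins; with a 10 Gbps reference the two Gigabit hops cost 20 against 100 and the faster path is chosen.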

OSPF routers identify each other by a unique 32-bit Router ID. By default this is the highest IP address (regardless of class) assigned to an active loopback interface, a logical interface that can't go down unless the router is malfunctioning or turned off; it is recommended to configure a loopback address (NOT in 127.0.0.0/8) for this purpose. If no loopback interface is present, the highest IP address of an active physical interface becomes the Router ID. A loopback address overrides any physical address even if it has a lower value, and an explicitly configured 'router-id' overrides both.

Area, AS and OSPF topology

An area is a logical grouping of networks in link-state protocols; routers in different areas maintain different topology databases, while routers in the same area have identical topology databases. Area border routers (ABRs) pass routing information between areas and can summarize the subnets inside an area toward the rest of the AS (OSPF does not summarize automatically; the ABR has to be configured to do so).

Area 0, the backbone area, carries traffic from one area to another. If a network needs only one area, it is area 0. All other areas must connect to area 0. The backbone consists of fast backbone routers, each of which is either an ABR or entirely inside area 0.

To simplify a big network, you can divide an autonomous system (AS) into different areas. If a link goes down within an area, only the routers in that area need to recalculate, because the rest of the OSPF AS knows only the summarized route.

Area numbers range from 0 to 4,294,967,295.

A stub network has a router connected to only one other router; similarly, a stub area has only one path in or out (one ABR), which injects a default route that serves as the area's default gateway. The backbone area can never be configured as a stub area.

Different OSPF interfaces can have different topologies:

- Broadcast multiaccess: multiple devices share the same network medium. Broadcasts
and multicasts are heard by all devices sharing that medium (such as Ethernet).
- Non-broadcast multiaccess (NBMA): multiple devices share the same network medium.
Devices cannot hear broadcasts because the medium is separated by other routers,
such as with Frame Relay. This topology has slower links, thus longer timers.
- Point-to-point: has only two devices on a shared network link.

OSPF elects a Designated Router (DR) and a Backup Designated Router (BDR) in
broadcast and NBMA topologies. These routers reduce update overhead: updates are sent as
broadcast or multicast to the DR and BDR only (the BDR replaces the DR in case of DR failure). If routers
come up at different times, the first one up will be the DR and the second the BDR.
However, if all routers come up together, an election takes place, which is based
on 1) priority, default value 1 (priority = 0 -> ineligible), higher priority wins; 2) if priority
is tied, the router ID is compared, higher ID wins. NOTE: the first winner is DR, the second is BDR.
When a topology change occurs, an LSU is sent to the DR and BDR on 224.0.0.6. The DR then
multicasts this change to all routers in the area using 224.0.0.5, the same address Hello
packets use.
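As an added example, not taken from the guide, the following Python models the Router ID rule from the start of this section and the DR/BDR election above; the router names, interfaces and priorities are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Interface:
    name: str
    ip: str
    up: bool = True
    loopback: bool = False


@dataclass
class Router:
    name: str
    interfaces: list
    priority: int = 1  # OSPF default; 0 makes the router ineligible for DR/BDR


def router_id(router: Router) -> IPv4Address:
    """Highest IP on an active loopback wins; otherwise the highest active physical IP."""
    active = [i for i in router.interfaces if i.up]
    loopbacks = [i for i in active if i.loopback]
    pool = loopbacks or active
    if not pool:
        raise ValueError(f"{router.name}: no active interface, cannot pick a Router ID")
    return max(IPv4Address(i.ip) for i in pool)


def elect_dr_bdr(routers):
    """Election when all routers on a multiaccess segment come up together.

    Higher priority wins; a tie is broken by the higher Router ID. The first
    winner is DR, the second BDR. Priority-0 routers never take either role.
    Returns (dr_name, bdr_name); either may be None.
    """
    eligible = [r for r in routers if r.priority > 0]
    ranked = sorted(eligible, key=lambda r: (r.priority, router_id(r)), reverse=True)
    dr = ranked[0].name if ranked else None
    bdr = ranked[1].name if len(ranked) > 1 else None
    return dr, bdr


# Constructed sample segment (not from the guide). R1's loopback overrides its
# higher physical address, R2 has priority 0, R3 has no loopback at all, and
# R4 wins the election on priority even though its Router ID is not the highest.
SEGMENT = [
    Router("R1", [Interface("Fa0/0", "10.0.0.1"),
                  Interface("Lo0", "1.1.1.1", loopback=True)]),
    Router("R2", [Interface("Fa0/0", "10.0.0.2"),
                  Interface("Lo0", "2.2.2.2", loopback=True)], priority=0),
    Router("R3", [Interface("Fa0/0", "10.0.0.3"),
                  Interface("Fa0/1", "172.16.0.3")]),
    Router("R4", [Interface("Fa0/0", "10.0.0.4"),
                  Interface("Lo0", "1.1.1.100", loopback=True)], priority=5),
]

if __name__ == "__main__":
    for r in SEGMENT:
        print(f"{r.name}: Router ID {router_id(r)}")
    print("DR, BDR =", elect_dr_bdr(SEGMENT))
```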

When an OSPF router first comes up, it multicasts a Hello message out all OSPF
interfaces to 224.0.0.5. The information contained in the hello messages includes:
router ID, hello/dead intervals, known neighbors, area ID, priority, DR address, BDR
address, authentication password (similar to RIPv2), and stub area flags (if the area is
configured as a stub area). A router that receives this hello message adds that neighbor
to its neighbor table only if the configuration matches its own.

No update information has been exchanged at this point. If the topology has a DR
elected (indicated in the hello messages), the router synchronizes its topology table with
the DR, because the DR always has the latest information. If the topology is point-to-point,
the two routers synchronize with the neighbor on the other side of the link.
At this point the device is said to have formed an adjacency, and the router runs the SPF
algorithm to calculate the best routes to each subnet.

Configuring OSPF

The first step is to configure loopback interfaces with ʻ(config)#interface loopbackʼ followed
by an identifying number. Then use ʻip addressʼ; note that the subnet, or host, mask is
255.255.255.255. This mask is used since this interface doesnʼt connect to anything.

Enter OSPF configuration with ʻrouter ospfʼ followed by a process ID, an arbitrary value ranging
from 1 to 65535, used to track different OSPF processes. This number is locally significant and does not
have to be equal in all router configurations.

OSPF uses a wildcard, or inverse, mask to tell IOS about its subnets. Every octet in the
wildcard mask complements the corresponding octet in the subnet mask; they add up to 255. Enter the
ʻnetworkʼ command followed by the IP network address -> inverse mask -> ʻareaʼ followed
by the area number. Here are some other ways you can specify the subnetworks:

Command                                  Description
network 192.168.1.1 0.0.0.0 area 0       The interface with the IP address 192.168.1.1 and its subnet are advertised in OSPF
network 192.168.0.0 0.0.255.255 area 0   Interfaces and their subnets starting with 192.168 are advertised in OSPF
network 192.0.0.0 0.255.255.255 area 0   Interfaces and their subnets starting with 192 are advertised in OSPF
network 0.0.0.0 255.255.255.255 area 0   All interfaces and their subnets are advertised in OSPF
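The following Python, added here and not from the guide, computes wildcard masks and applies ʻnetworkʼ statements the way the table describes; the statements and interface addresses are constructed samples.

```python
from ipaddress import IPv4Address, IPv4Network


def wildcard_from_mask(subnet_mask: str) -> str:
    """Each wildcard octet is the complement of the subnet-mask octet (the two sum to 255)."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def network_statement(prefix: str, area: int) -> str:
    """Build the ʻnetworkʼ line that covers exactly the interfaces inside this prefix."""
    net = IPv4Network(prefix, strict=False)  # strict=False accepts a host address too
    return f"network {net.network_address} {wildcard_from_mask(str(net.netmask))} area {area}"


def statement_matches(statement: str, interface_ip: str) -> bool:
    """IOS semantics: a wildcard bit of 0 must match, a wildcard bit of 1 is 'don't care'."""
    _, address, wildcard, _, _ = statement.split()
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(interface_ip)) & care) == (int(IPv4Address(address)) & care)


def interfaces_enabled(statements, interface_ips):
    """Map each interface IP to the OSPF area it joins; the first matching statement wins."""
    result = {}
    for ip in interface_ips:
        for statement in statements:
            if statement_matches(statement, ip):
                result[ip] = int(statement.split()[-1])
                break
    return result


# Constructed sample configuration (not from the guide).
STATEMENTS = [
    "network 192.168.1.1 0.0.0.0 area 0",       # exactly one interface
    "network 192.168.0.0 0.0.255.255 area 1",   # everything else in 192.168.x.x
    "network 10.0.0.0 0.255.255.255 area 2",    # everything in 10.x.x.x
]
INTERFACE_IPS = ["192.168.1.1", "192.168.5.9", "10.3.4.5", "172.16.0.1"]

if __name__ == "__main__":
    print(network_statement("10.1.1.37/30", 0))
    for ip, area in interfaces_enabled(STATEMENTS, INTERFACE_IPS).items():
        print(f"{ip} -> area {area}")
```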

The above are the required configurations; the following are optional.
• To configure an area as a stub, use ʻarea area-number stubʼ.
• To automatically summarize a set of networks, use ʻarea area-number rangeʼ followed
by the IP network address and the subnet mask of the summarized network.
• To redistribute the default route into OSPF so it is learned dynamically by other OSPF
routers, use the ʻdefault-information originateʼ command.
• To manually change the cost of a route, use ʻ(config-if)#ip ospf costʼ followed by the cost. To
manually override the priority, use ʻ(config-if)#ip ospf priorityʼ followed by the priority.

To set a loopback interface in SDM, ʻConfigureʼ -> ʻInterfaces and Connectionsʼ -> ʻEdit
Interface/Connectionʼ tab -> ʻAddʼ button -> ʻNew Logical Interfaceʼ -> ʻLoopbackʼ.
To configure OSPF parameters, ʻConfigureʼ -> ʻRoutingʼ -> ʻDynamic Routingʼ section
-> ʻEditʼ button.

To verify your configuration, the ʻshow running-configʼ, ʻshow ip protocolsʼ and ʻshow ip
routeʼ commands can be used to view the status of OSPF and its routing table. Routes marked
O IA are routes learned from an ABR.
To see the neighbor table, use the ʻshow ip ospf neighborʼ command. In the output,
Neighbor ID is the neighborʼs router ID, Pri = priority, and State = DR, BDR, or DROTHER.
To see the topological database, use ʻshow ip ospf database summaryʼ. In the
output, Link State ID is the network address of the network in question and
Advertising Router is the ABR.
The ʻshow ip ospf interfaceʼ command reveals all the information you need
to know about OSPF on all interfaces running OSPF.
NOTE: both ʻshow ip ospf neighborʼ and ʻshow ip ospf interfaceʼ show the DR/BDR router.

To debug OSPF events, use the ʻdebug ip ospf eventsʼ command; you will be able to
see a list of hello LSAs. Note that real routing information is not included in LSAs.
There is also ʻdebug ip ospf packetsʼ.

Balanced Hybrid Operations

The most popular hybrid routing protocol (Cisco proprietary) is EIGRP, an enhanced
version of IGRP. It uses a 32-bit cumulative composite metric made up of bandwidth
and delay (each multiplied by 255). These values are automatically assigned to an
interface, whether or not a routing protocol is used. Optional metric factors include
reliability, load and MTU (shown as “BW”, “DLY”, “reliability”, and “txload” in ʻ#show interfaceʼ).

EIGRP offers load balancing over up to 6 unequal paths (4 by default), and has a maximum
hop count of 224. EIGRP has neighbor, topology, and routing tables and multicasts to
224.0.0.10. Different topologies use different timers. Specifically, point-to-point
and broadcast topologies have a 5-second hello interval and 15-second dead timer,
whereas NBMA topologies such as Frame Relay have a 60-second hello interval and
180-second dead timer (different from OSPF).

EIGRP uses a new algorithm called the Diffusing Update Algorithm (DUAL) to prevent
loops and promote fast convergence. EIGRP can route IP, IPX, and AppleTalk.
Remember that EIGRP maintains separate tables for each protocol; if you use all 3
protocols at one time, EIGRP will maintain 9 tables.

EIGRP can automatically perform redistribution, since external (AD = 170) networks are
tagged, while internal (AD = 90) networks are not. EIGRP supports classful (default) and classless operation.

Advertised distance is the next-hop routerʼs metric to a destination network.
Feasible distance is the local routerʼs metric to the destination network; feasible
distance = advertised distance + local router metric.
The route with the smallest feasible distance is the successor route. Equal-metric
routes are all called successor routes, while all other possible routes to the remote
network are feasible successors. Feasible successors are meant to replace successors
when they fail; these routes are chosen only if 1) the route will not cause a loop and 2)
the advertised distance from the next hop is less than the successorʼs feasible distance.
NOTE: successor routes -> routing table, feasible successors -> topology table.

If a destination network does not have a feasible successor, it is in the passive state.
When the successor fails, the network enters the active state, since the router actively queries its directly
connected neighbors for routes to the remote network. When a new route is found, it
becomes the successor; the router has to wait until responses from all neighbors are
received (stuck in active, SIA timer = 180 seconds) to prevent loops.

Stub routing is implemented in EIGRP for hub-and-spoke topologies. If the spoke
networks become inaccessible, the router (configured as a stub) connecting the down
network immediately denies access, thus speeding up convergence. To configure, use
ʻ(config-router)#eigrp stubʼ.

EIGRP can support IPv6 using protocol-dependent modules.

Configure EIGRP

To configure EIGRP, you must first assign a unique AS number (from 1 to 65535) to
all routers running EIGRP in the same administrative domain (the number must match), with
ʻ(config)#router eigrpʼ followed by the AS number.
Then use ʻ(config-router)#networkʼ followed by the major network address (EIGRP is classful by
default), followed by the wildcard mask (NOT the subnet mask).
To operate classless, use ʻno auto-summaryʼ. This supports VLSM, discontiguous
networks, and route summarization at any bit level. If auto-summarization is not turned
on, you must manually configure route summaries with ʻ(config-if)#ip summary-address
eigrpʼ followed by the network address and then the subnet mask.

All WAN connections on a serial interface are assumed to run at 1544 Kbps; to
change this (if you are using another speed), use ʻbandwidthʼ followed by the speed you
want, in interface configuration mode.

To use unequal load balancing, use ʻvarianceʼ followed by a number from 1 to 128 (1
= equal load balancing). The number “n” means load balancing to a destination
is shared between routes
1) that have a metric <= n * metric-of-successor-route;
2) exception: if the next-hop router (of a feasible successor) has an advertised distance
greater than the feasible distance of the current successor route, the route will not be
used in unequal load balancing and stays in the topology table.
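Added example (not from the guide): Python that applies the successor, feasibility and variance rules from this section to one constructed topology-table entry; the metrics are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    next_hop: str
    advertised_distance: int   # the neighbour's own metric to the destination
    link_metric: int           # this router's metric to reach that neighbour

    @property
    def feasible_distance(self) -> int:
        # FD = advertised distance + local metric, as defined in the notes.
        return self.advertised_distance + self.link_metric


def classify(paths):
    """Sort one topology-table entry into (successors, feasible successors, others)."""
    best_fd = min(p.feasible_distance for p in paths)
    successors, feasible, others = [], [], []
    for p in paths:
        if p.feasible_distance == best_fd:
            successors.append(p)       # best metric; ties all become successors
        elif p.advertised_distance < best_fd:
            feasible.append(p)         # feasibility condition: guaranteed loop-free backup
        else:
            others.append(p)           # may have a short metric but could form a loop
    return successors, feasible, others


def load_balanced(paths, variance: int):
    """Routes installed under ʻvariance nʼ: successors plus feasible successors
    whose FD <= n * successor FD. A path failing the feasibility condition is
    never used, whatever its metric."""
    if not 1 <= variance <= 128:
        raise ValueError("variance must be 1..128")
    successors, feasible, _ = classify(paths)
    bound = variance * successors[0].feasible_distance
    return successors + [p for p in feasible if p.feasible_distance <= bound]


def next_hops(paths):
    return [p.next_hop for p in paths]


# Constructed topology-table entry for one destination (figures are illustrative).
DESTINATION = "10.10.10.0/24"
PATHS = [
    Path("R2", advertised_distance=20, link_metric=10),  # FD 30: successor
    Path("R3", advertised_distance=25, link_metric=20),  # FD 45, AD 25 < 30: feasible successor
    Path("R4", advertised_distance=35, link_metric=5),   # FD 40, AD 35 >= 30: fails the check
    Path("R5", advertised_distance=28, link_metric=70),  # FD 98, AD 28 < 30: feasible successor
]

if __name__ == "__main__":
    s, f, o = classify(PATHS)
    print(DESTINATION, "successors:", next_hops(s), "feasible:", next_hops(f), "other:", next_hops(o))
    for v in (1, 2, 4):
        print(f"variance {v}:", next_hops(load_balanced(PATHS, v)))
```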

To use the 192.168.1.0 network in your routing table as a gateway of last resort, use ʻip
default-network 192.168.1.0ʼ.

ʻshow ip protocolsʼ, ʻshow ip routeʼ, ʻshow ip eigrp neighborsʼ, and ʻshow ip eigrp
topologyʼ can be used to display EIGRP configuration and state. In ʻshow ip routeʼ, D EX
marks a route learned through another routing source and redistributed into EIGRP.

Troubleshoot with ʻdebug ip eigrpʼ.

Chapter 13. Foundation Switching Operations

Switch Ethernet interfaces = ports.

Half-duplex (1x data rate) utilizes 50-60% of the bandwidth (due to collisions) and uses
CSMA/CD, while full-duplex (2x data rate) doesnʼt use CSMA/CD and utilizes 100% of the
bandwidth (no wires are tied up for collision detection). You can only run half duplex when using a hub.

Switch operation

Switches forward frames to their destination based on the destination MAC address,
using the Content Addressable Memory (CAM) table. The entries are gathered from the
source MAC addresses of frames arriving on each port (outgoing from the hosts).
When a frame arrives, the switch checks its CAM table for the destination MAC address. If there is a
match, the frame is sent only to that client; this is filtering (no excess traffic). If no match is found,
or if the destination MAC address is a broadcast (FFFF.FFFF.FFFF) or multicast
(0100.5E00.0000-0100.5E7F.FFFF) address, the frame is sent to all connected devices (except
the sending device); this is flooding.

MAC entries in the CAM table are deleted after 300 seconds of inactivity (no sending or
receiving), except static MAC addresses (configured on a per-port basis).
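Added example, not from the guide: a small Python model of the CAM table described above, covering learning, filtering, flooding of unknown, broadcast and multicast destinations, and the 300-second aging timer; the MAC addresses and port names are constructed.

```python
from dataclasses import dataclass

AGING_SECONDS = 300
BROADCAST = "ffff.ffff.ffff"


def is_multicast(mac: str) -> bool:
    """IPv4 multicast MACs fall in 0100.5E00.0000 - 0100.5E7F.FFFF (the range in the notes)."""
    raw = int(mac.replace(".", ""), 16)
    return 0x01005E000000 <= raw <= 0x01005E7FFFFF


@dataclass
class Entry:
    port: str
    last_seen: float
    static: bool = False


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}  # MAC -> Entry

    def add_static(self, mac: str, port: str) -> None:
        """A statically configured entry never ages out."""
        self.cam[mac.lower()] = Entry(port, 0.0, static=True)

    def age_out(self, now: float) -> None:
        """Dynamic entries idle for 300 s are removed; static ones stay."""
        for mac, entry in list(self.cam.items()):
            if not entry.static and now - entry.last_seen >= AGING_SECONDS:
                del self.cam[mac]

    def flood(self, in_port: str):
        return [p for p in self.ports if p != in_port]

    def receive(self, in_port: str, src: str, dst: str, now: float):
        """Process one frame and return the list of egress ports."""
        src, dst = src.lower(), dst.lower()
        self.age_out(now)
        # Learning: bind the source MAC to the ingress port and refresh its timer
        # (a static entry is never overwritten by a dynamic one).
        if src not in self.cam or not self.cam[src].static:
            self.cam[src] = Entry(in_port, now)
        # Forwarding decision.
        if dst == BROADCAST or is_multicast(dst):
            return self.flood(in_port)
        known = self.cam.get(dst)
        if known is None:
            return self.flood(in_port)   # unknown unicast is flooded
        if known.port == in_port:
            return []                     # destination is on the ingress segment: filtered
        return [known.port]               # known unicast goes out one port: filtering


def demo():
    """Constructed traffic on a three-port switch; returns the egress list per frame."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    a, b, c = "aaaa.aaaa.0001", "bbbb.bbbb.0002", "cccc.cccc.0003"
    return [
        sw.receive("Fa0/1", a, b, now=0),                 # b unknown: flood
        sw.receive("Fa0/2", b, a, now=1),                 # a learned on Fa0/1: filter
        sw.receive("Fa0/1", a, BROADCAST, now=2),         # broadcast: flood
        sw.receive("Fa0/3", c, "0100.5E00.0001", now=3),  # IPv4 multicast: flood
        sw.receive("Fa0/1", a, b, now=302),               # b idle 301 s: aged out, flood again
    ]


if __name__ == "__main__":
    for out in demo():
        print(out)
```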

Switches differ in the way they process and forward frames; here are some methods:
‣ Store-and-Forward: buffers the entire frame and checks the Cyclic Redundancy Check
(CRC) in the Frame Check Sequence (FCS). If the CRC is fine, the frame is
forwarded to the destination; if not, the frame is dropped. This method may add some
load on the switch (variable latency or delay), but for fast switches itʼs not a problem.
‣ Cut-through: the switch waits only for enough bits to read the destination
MAC address, then starts sending the frame. It has no error-checking mechanism. This is used
in latency-sensitive situations, where low-processing-power switches are used.
‣ Fragment-free: a hybrid of the two methods above. It buffers the first 64
bytes of the frame (where all collisions occur). It blocks invalid frames by making sure the
frames were not involved in a collision.

A frame is made up of: Preamble (7) -> start of frame (1) -> destination address (6) ->
source address (6) -> frame length (2) -> data (< 1500) -> CRC and FCS (4)

Switch loops

A switching loop can occur when there is more than one switch on the network (added to form a
redundant network). When a switching loop occurs, unwanted effects such as
broadcast storms fill up the bandwidth. This can be avoided with Spanning Tree
Protocol (STP), a once-proprietary protocol from DEC, now defined in 802.1d.

STP works at the LLC sublayer and is enabled by default. STP forms non-looping paths
throughout the network by performing an election and calculations, which dictate which
ports will remain in a blocking state. STP provides a redundant link when the primary link fails.

Every device assumes it is the Root Bridge when it starts up. An election is performed
(when the network topology changes) by comparing the devicesʼ Bridge IDs, which are composed
of the administrative bridge priority and the bridge MAC address. The priority is examined first;
it is an arbitrary number ranging from 0 to 61440 (in increments of 4096), with the
default set to 32768 (0x8000); it is written before the MAC address and separated
by a colon. The device with the lowest Bridge ID becomes the Root Bridge.

Bridge IDs are advertised to bridges/switches (most of the time by the Root Bridge)
using Bridge Protocol Data Units (BPDUs) every 2 seconds. BPDUs also contain the cost
of a route (the main factor in the port decision, the mechanism that decides which port is Root/
Blocked/Designated). Cumulative cost is the inverse of the bandwidth of a link: the lower
the cumulative cost, the faster the path. The cost for 10 Gbps is 2, 1 Gbps is 4, 100 Mbps is
19, and 10 Mbps is 100. The costs of the different segments are added together for remote
destinations.

After the Root Bridge is determined, each non-root switch/bridge communicates with the
Root Bridge using its fastest port, the Root Port (one per device). A Designated Port is used
to communicate with other switches; all ports on the Root Bridge are designated ports.

To prevent loops, every port that is not designated or root is blocked, that is, in a state of
not forwarding data; the port can still receive BPDUs. This port is located on the switch
with the larger Bridge ID.

All Root/Designated ports are determined by:

1. The port with a switch advertising the lowest Bridge ID.
2. If the Bridge ID is the same (parallel links to the same switch), the lowest port priority is
used. The port priority is an arbitrary number assigned to an interface that can be
administratively set to choose one link over another. The default value is 128.
3. If the port priority is equal, the lowest interface number is chosen.
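As an added example (not the guideʼs own material), this Python walks through the Root Bridge election and root-port selection described above on a constructed three-switch topology; the switch names, MAC addresses and port numbers are assumptions.

```python
import heapq
from dataclasses import dataclass

PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # cost per link speed (Mbps) from the notes


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    mbps: int


def bridge_id(priority: int, mac: str) -> str:
    """Priority (0..61440 in steps of 4096, default 32768) written before the MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be 0..61440 in steps of 4096")
    return f"{priority}:{mac.lower()}"


def bid_key(bid: str):
    """Lower is better: priority first, then the MAC address as a number."""
    priority, mac = bid.split(":")
    return int(priority), int(mac.replace(".", ""), 16)


def elect_root(bridges: dict) -> str:
    """bridges maps switch name -> bridge ID; the lowest bridge ID becomes the Root Bridge."""
    return min(bridges, key=lambda name: bid_key(bridges[name]))


def adjacency(links):
    adj = {}
    for link in links:
        adj.setdefault(link.a, []).append((link.b, link.a_port, PORT_COST[link.mbps]))
        adj.setdefault(link.b, []).append((link.a, link.b_port, PORT_COST[link.mbps]))
    return adj


def root_path_costs(root, adj):
    """Cumulative cost to the root: segment costs are added along the cheapest path."""
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost[node]:
            continue
        for nbr, _port, link_cost in adj.get(node, []):
            if c + link_cost < cost.get(nbr, float("inf")):
                cost[nbr] = c + link_cost
                heapq.heappush(heap, (cost[nbr], nbr))
    return cost


def root_ports(bridges, links, port_priority=128):
    """Return (root, {switch: (root port, neighbour, cumulative cost)}).
    Tie-break order: lowest cumulative cost, lowest neighbour bridge ID,
    lowest port priority, lowest port number."""
    root = elect_root(bridges)
    adj = adjacency(links)
    cost = root_path_costs(root, adj)
    chosen = {}
    for name in bridges:
        if name == root:
            continue   # every port on the Root Bridge is a designated port
        candidates = [(cost[nbr] + link_cost, bid_key(bridges[nbr]), port_priority, port, nbr)
                      for nbr, port, link_cost in adj[name]]
        best = min(candidates)
        chosen[name] = (best[3], best[4], best[0])
    return root, chosen


# Constructed topology (not from the guide): SW3 has the highest MAC but the lowest priority.
BRIDGES = {
    "SW1": bridge_id(32768, "0000.0000.0001"),
    "SW2": bridge_id(32768, "0000.0000.0002"),
    "SW3": bridge_id(4096, "0000.0000.0003"),
}
LINKS = [
    Link("SW1", 1, "SW2", 1, 100),    # Fast Ethernet, cost 19
    Link("SW2", 2, "SW3", 1, 1000),   # Gigabit, cost 4
    Link("SW1", 2, "SW3", 2, 100),    # Fast Ethernet, cost 19
]

if __name__ == "__main__":
    root, ports = root_ports(BRIDGES, LINKS)
    print("root bridge:", root)
    for sw, (port, via, c) in ports.items():
        print(f"{sw}: root port {port} towards {via}, cumulative cost {c}")
```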

If a port doesnʼt hear from its connected neighbor in 20 seconds (max age timer), the
neighbor is considered dead (topology change). The switch this port belongs to sends a
special BPDU called a Topology Change Notification (TCN) to the Root Bridge. When it
arrives, the Root Bridge broadcasts a special BPDU to all switches telling them to
remove MAC addresses not active for 37.5 seconds.

A port can be in one of the disabled, blocking, listening, learning, or
forwarding states. Disabled means the interface is shut down.
In the listening state, the port listens to BPDUs but does not send data. The learning state
builds the CAM table from the MAC addresses learned, but still doesnʼt send data. Both the listening
and learning states take 15 seconds to transition, while the blocking state takes somewhere
from 0 to 20 seconds.
A port moves to the listening state and then the learning state; this process takes a total of 30
seconds and is called the forward delay. So an STP topology change can take from 30 to
50 seconds.

The max age (20 s) and forward delay (30 s) timers are based on a network diameter of
7 switches including the root bridge (7 switches between host A and host B). These
timers are dictated by the Root Bridge by default. To change the timers, you configure the
changes only on the Root Bridge. A very small diameter could cause switching loops if
you add more switches to the network and donʼt increase the timers.

Switch Configuration and Troubleshooting

Switches can be configured remotely by assigning an IP address to a VLAN. Enter interface
configuration mode for the VLAN and type ʻip addressʼ followed by the IP address of the switch and the
subnet mask (or ʻip address dhcpʼ; show the DHCP info with ʻshow dhcp leaseʼ), then
ʻno shutdownʼ. To configure remotely, you also need ʻip default-gatewayʼ followed by the
default gateway address in global configuration.

You can configure multiple switch interfaces at once using ʻinterface rangeʼ followed by the
type of interface (Gigabit Ethernet, etc.), the first interface number, ʻ-ʼ, and the last interface number.

To set the priority, use ʻ(config)#spanning-tree vlan VLAN-number priorityʼ followed by the
priority. To automatically make a switch the Root Bridge, use ʻspanning-tree vlan
VLAN-number root primaryʼ; both commands are used in global configuration. With ʻ(config)#
spanning-tree vlanʼ + VLAN number, you can also change the hello and dead timers. To change the default
cost, use ʻspanning-tree costʼ followed by the cost in interface configuration mode.

To verify your STP, use the ʻshow spanning-treeʼ command; to view its current activity, use the
ʻdebug spanning-treeʼ command.

If you canʼt connect to the console: 1) is the switch powered on and operating correctly? 2) is the terminal
application using the correct settings? 3) did someone change your password?

If you canʼt connect remotely: 1) is the switch powered on and operating correctly? 2) use ʻpingʼ
and ʻtracerouteʼ to make sure the routers are working, and check the default gateway; 3)
did someone change your password?

If the switch canʼt forward frames: 1) is the switch powered on and are the ports operating correctly? 2)
the ʻshow interfaceʼ command tells you if an interface is administratively shut down (down/
down), has an incorrect speed or duplex (the interface bounces up and down), or is up/down
(excessive collisions).

If the switch works int'ermittently: 1) check whether STP is running with ʻdebug spanning-treeʼ.

Chapter 14. Enhanced Switching Operations

PortFast, UplinkFast, and BackboneFast

STP provides a loop-free environment in as much as 50 seconds, but there are ways to
reduce this. One of them is PortFast, which lets a port enter the forwarding state directly to
enable instant data transfer. You must not plug a switch into an interface with
PortFast enabled, since this may create a loop.
BPDU Guard watches ports with PortFast on and shuts a port down when a BPDU is received
on it (since the interface is not supposed to be part of STP). To configure PortFast
and BPDU Guard, use ʻ(config-if)#spanning-tree portfastʼ and ʻ(config-if)#spanning-tree
bpduguard enableʼ. OR, globally, ʻ(config)#spanning-tree portfast bpduguard defaultʼ and
ʻ(config)#spanning-tree portfast defaultʼ.

If you have switches in both the access and distribution layers, with the Root Bridge at the
distribution layer, you may want to replace the Root Bridge with another
switch quickly when it fails; this can be done with UplinkFast.
For UplinkFast to work, the access layer switch must 1) have direct knowledge of the link
failure (the link to the switch), 2) have one port in a blocking state, and 3) the link
failure must be on the root port. To enable it, use ʻspanning-tree uplinkfastʼ in global
configuration.

If you have a failure between switches in the distribution layer, where all of these
switches connect to the access layer switch, the non-Root Bridge communicates with
the access layer switch to reach the Root Bridge instead of advertising itself as the new
Root Bridge. This case is called BackboneFast; enable it with ʻ(config)#spanning-tree backbonefastʼ.

To verify, use ʻ#show spanning-tree summaryʼ. NOTE: the above features can only be
implemented in a network in which all the devices are Cisco devices.

EtherChannel bundles individual physical links to form a single logical link. If a link
fails, the backup link can come up quickly and load-balance new streams. To configure, use
ʻ(config-if-range)#channel-groupʼ + group-number + ʻmode onʼ; this creates a new
logical interface that can be accessed with ʻ(config)#interface Port-channelʼ followed by the
group number.

RSTP and PVST

To enable fast convergence in non-Cisco networks, use Rapid STP (RSTP), defined in 802.1w;
it is backward-compatible (can interoperate) with 802.1d.
In RSTP, a port is disabled, discarding (blocking + listening), learning, or forwarding.
There are also Alternate ports (a blocking port that becomes the root port if the root port
fails; it immediately begins forwarding) and Backup ports (a discarding port that becomes the
designated port if the designated port fails; it immediately begins forwarding).

In RSTP, a full-duplex connection to another switch is link-type point-to-point, and a
half-duplex connection (such as to a hub) is link-type shared. Non-switch/
hub devices (such as computers) are edge connections. RSTP manages to converge
link-type point-to-point and edge connections faster than link-type shared.

Each switch generates its own BPDU messages and passes them to the next switch. These
messages let other switches know itʼs alive; 3 missed BPDUs mean the neighbor is considered down. If an RSTP
switch receives a BPDU from an 802.1d STP switch, only STP BPDUs are sent back.
When a topology change is detected, the TCN is broadcast to all switches (from the switch
that detected the anomaly) instead of going through the Root Bridge.

For edge connections, PortFast is configured. If a BPDU is received, the port immediately
transitions to link-type point-to-point.
When a point-to-point link comes up between two switches, a handshake occurs
between the two switches using BPDUs to establish their local port roles.

To transition a port to the forwarding state in RSTP, a proposal/agreement handshake is used.
When switch A (which received a BPDU) calculates a local port to be the designated port for a
segment, it immediately sends a proposal to its neighbor to transition to the forwarding state.
When RSTP switches receive proposals, they determine the Root Port (the port that received
the proposal) and put all non-edge ports in the discarding state to avoid loops. The process
of blocking all non-edge point-to-point links is called synchronization, or sync.
However, if the port is in a blocking state, no reply is sent back, and the
other port remains in the discarding state.

When switch B has successfully synced all its ports, it sends an agreement back to
switch A, which allows forwarding (from the Root Port) and starts learning MAC addresses.
When switch A receives the agreement message on its designated port, it immediately
begins forwarding and learning MAC addresses as well.

Chapter 15. Virtual LAN

Each VLAN represents a separate broadcast domain in which only devices within the
same VLAN can communicate with each other. A separate STP instance runs for each VLAN;
this is called per-VLAN STP, or PVST.

VLANs can be assigned statically, dynamically, or protocol-based (voice VLAN).
Statically assigned switch ports are called access ports. When multiple VLANs
are assigned to a port, the port receives and sends only traffic that stays within those
VLANs. This method takes a lot of work and is subject to human error.
Dynamically assigned VLAN membership requires a VLAN Membership Policy Server
(VMPS); this can be a server or a high-end switch that associates every MAC address with a
VLAN. This method takes a lot of initial setup and database maintenance.

Your switch has a default native VLAN, VLAN 1, that is used to manage access ports.
Remember that you cannot assign an IP address to a switch itself, but you can assign an IP
address to a VLAN to remotely manage your switch. If you change the VLAN on the port
to which your management station or your router (if managing it remotely) is connected,
you lose the ability to manage the switch with Telnet, SSH, HTTP, or SNMP.

To create a VLAN, assign it a number between 2 and 1001 and place it after
ʻ(config)#vlanʼ. Other than a numeric identifier, you may choose to assign the VLAN a
name by placing it after ʻ(config-vlan)#nameʼ. By default, if you do not assign a VLAN
name, it will look like VLAN+VLAN-ID. Finally, you assign it to a switch port.
VLAN-specific configuration is permanently stored in Flash (vlan.dat).
To statically assign a VLAN to a port, use ʻ(config-if)#switchport access vlanʼ followed
by the VLAN number. VLAN definitions are not displayed in the running or startup config. To verify
them, use ʻshow vlanʼ.

VLANs can span multiple interconnected switches; the traffic is carried over interfaces
called trunks. Trunk links need to be at least 100 Mbps since they carry all the traffic
between two switches. As frames leave one switch, a VLAN identifier is added to the
frame header; as the frames are received by the other, the VLAN identifier helps the
switch forward the frame to the correct VLAN, and the identifier is removed so the
process is transparent to the end user. This process of sending multiple messages
destined for different users over one link is called multiplexing.

One trunking method is Inter-Switch Link (ISL, Cisco-proprietary), which encapsulates the
original frame, adding a 26-byte header and a 4-byte CRC trailer; the frame exceeds the MTU and is
dropped unless the other switch supports ISL (recognizes this giant). Switches supporting
ISL also have to be connected point-to-point. (No IP address on the sub-interface.)

On the other hand, an 802.1Q (IEEE standard) trunk inserts a 4-byte VLAN identifier in
the frame header (after the source address). This does not increase the frame size much,
so the frame can pass through non-802.1Q intermediary devices without being dropped. Since the
header is changed, the FCS (error checking) field must be recalculated.

802.1Q also assigns a native VLAN; this means a frame can go untagged from one
switch to another if both switches have configured the same native VLAN. Thus, there is
no need to insert the VLAN identifier and no need to recalculate the FCS field.
However, the native VLAN must be the same on both switches or information will be leaked
to other, unwanted VLANs. By default, the native VLAN is VLAN 1.
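Added example (not from the guide): Python that inserts and strips an 802.1Q tag with FCS recalculation, and shows how a native-VLAN mismatch lands an untagged frame in the wrong VLAN; the frame contents and VLAN numbers are constructed.

```python
import struct
import zlib

TPID = 0x8100  # 802.1Q tag protocol identifier


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over destination MAC through payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def tag(frame: bytes, vlan: int, native_vlan: int = 1, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag after the source address and recompute the FCS.
    A frame belonging to the trunk's native VLAN leaves untagged."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if vlan == native_vlan:
        return frame
    body = frame[:-4]
    tci = (pcp << 13) | vlan                       # priority bits, CFI=0, 12-bit VLAN ID
    tagged = body[:12] + struct.pack("!HH", TPID, tci) + body[12:]
    return tagged + fcs(tagged)


def untag(frame: bytes, native_vlan: int = 1):
    """Return (vlan, untagged frame). An untagged frame is placed in the receiver's
    native VLAN, which is why a native-VLAN mismatch between the two ends of a trunk
    leaks traffic into another VLAN."""
    body = frame[:-4]
    if fcs(body) != frame[-4:]:
        raise ValueError("FCS check failed, frame dropped")
    if struct.unpack("!H", body[12:14])[0] != TPID:
        return native_vlan, frame
    vlan = struct.unpack("!H", body[14:16])[0] & 0x0FFF
    stripped = body[:12] + body[16:]
    return vlan, stripped + fcs(stripped)


def trunk_transfer(frame: bytes, vlan: int, sender_native: int, receiver_native: int) -> int:
    """VLAN the receiving switch assigns to a frame after it crosses the trunk."""
    return untag(tag(frame, vlan, sender_native), receiver_native)[0]


# Constructed sample frame (not from the guide): a broadcast with an ARP-sized payload.
FRAME = build_frame("ffff.ffff.ffff", "0000.0c12.3456", 0x0806, bytes(28))

if __name__ == "__main__":
    tagged = tag(FRAME, 10)
    print(len(FRAME), "->", len(tagged), "bytes; tag:", tagged[12:16].hex())
    print("matching native VLAN, frame lands in VLAN", trunk_transfer(FRAME, 1, 1, 1))
    print("mismatched native VLAN, frame lands in VLAN", trunk_transfer(FRAME, 1, 1, 99))
```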

To configure trunking, first select the method you want to use. Enter interface
configuration mode (on a port that is already assigned a VLAN), then use ʻswitchport trunk
encapsulationʼ followed by isl or dot1q. Now, to enable the access port to start trunking,
use ʻswitchport mode trunkʼ.

Dynamic Trunking Protocol (DTP) dynamically enables the trunking process (discussed
above). It is a Cisco-proprietary protocol whose default state is desirable. The modes are:
• Access: doesnʼt trunk; carries a single VLAN.
• Trunk: permanently trunks and negotiates trunking.
• Dynamic Desirable: negotiates trunking if the other side is trunk, desirable, or auto.
• Dynamic Auto: negotiates trunking if the other side is trunk or desirable.
• Nonegotiate: does not use DTP but permanently trunks (to connect to a non-Cisco switch).

ʻshow interface trunkʼ shows the status of the interfaces running as trunks. Such an interface will
not be shown in the output of ʻshow vlanʼ since it is no longer an access port.

The Cisco-proprietary VLAN Trunking Protocol (VTP) makes configuring VLANs a lot easier
within an established VTP domain; its messages are multicast to 0100:0CCC:CCCC.
Switches using VTP can be:
• Client: listens to server configurations but cannot add, remove or change
them. These switches also propagate advertisements to other switches to ensure the
advertisement is heard across the entire VTP domain. However, client switches do not
permanently store VLAN information in their VLAN database; these switches forget
the configuration once they are shut down.
• Server: can add, remove and change configurations, which are propagated throughout the
network. All switches are in server mode by default. After changes are made to the
configuration, they are multicast (along with the revision number) to all switches,
which use the new configuration (if the revision number is higher than their current
revision number) and store it in vlan.dat in Flash. If the revision number is equal or
less, switches do not accept the new configuration.
• Transparent: allowed to modify their local configuration without broadcasting the
updates to the domain; these switches do not use the configurations provided by the server.
Their configuration is stored in their VLAN database. However, if this switch connects to
other client switches and the server switches send updates, the transparent switch
helps deliver the updates from the server to the clients. This mode is needed to use
extended-range VLAN numbers (802.1Q) from 1006 to 4094; these VLANs are not
recognized by VTP and are thus transparent to it. Information in this mode is shown in the
running and startup config, and the revision number = 0.

VTP pruning determines whether or not frames for a VLAN are forwarded to a particular
switch.

To configure VTP, enter the domain name with ʻ(config)#vtp domainʼ followed by the domain
name, ʻ(config)#vtp passwordʼ followed by the password (must be the same within a
domain), and ʻ(config)#vtp modeʼ followed by transparent/server/client.

ʻshow vtp statusʼ displays the revision number of the VTP updates from the server, the
operating mode, domain name, pruning status, and the MD5 digest of the password.

To route between VLANs, you either need a Layer 3 switch or configure a router-on-a-
stick (most effective).
With router-on-a-stick, the router can see all the VLAN traffic over a single link (trunk
link) by dividing one physical interface into several logical sub-interfaces, each
connecting one VLAN. To create a sub-interface, use ʻ(config)#interfaceʼ followed by the
interface name slot-number/module-number.sub-interface-number. It is good practice to
use sequential numbers (this number is only used on the router side); you do not need the ʻno
shutdownʼ command since it is not a physical interface. Note the physical interface used
must be at least Fast Ethernet for efficient trunking to occur; since only one
physical interface is involved, the router connects to only one switch.
The IP address assigned to the sub-interface becomes the default gateway for that VLAN.
You also need to specify the encapsulation type with the ʻencapsulationʼ command followed by
isl or dot1q and then the VLAN number.

A Layer 3 switch is another option, but it is less common because it does not have a
serial interface; it offers more routing options instead. If you decide to perform
inter-VLAN routing with a Layer 3 switch, the result is called switched virtual interfaces
(SVIs). In this case the configuration becomes easier, as you only need to 1) create the
VLAN interface with ʻ(config)#interface vlanʼ followed by the VLAN number, and 2) assign
it an IP address to use on the VLAN.

Cisco IP phones connect to switches and send IP traffic over the LAN to a gateway device
that connects them to a traditional voice network. You can group these devices into a VLAN
so their traffic does not collide with traffic from other VLANs (separate broadcast domain).
A voice VLAN, or auxiliary VLAN, is a VLAN assigned for Voice over IP. Using these
ports, you can configure QoS and other methods to treat voice traffic differently
from the data. By giving the voice traffic higher priority than the data traffic, you
minimize the possibility that your data traffic will impede the voice packets from
reaching their destination and deteriorate voice quality.
To configure a voice VLAN, enter interface configuration, ʻswitchport access vlanʼ followed by
the access VLAN number, then ʻswitchport voice vlanʼ followed by the voice VLAN number.

Separate VLAN = different broadcast domain = different subnet

Chapter 16. Implementing Switch Security

Physical and Basic Logical Security

The first step in any policy is ensuring the physical access of the device by placing it
into a safe cool place where only authorized personnel are allowed access.
Then, you should to secure the logical access to the device.

Start with the console and auxiliary port, 1) implement a strong password. 2) Use login
with username and password at global configuration, and ʻlogin localʼ at the line
configuration so user is prompted for username and password when s/he tries to log in.
An alternative to ʻusername wanted-username password wanted-passwordʼ is
ʻusername wanted-username secret wanted-passwordʼ, which creates a MD5 hash.

Another way to secure your switch is to use SSH instead of Telnet for remote
access. First, give your device a hostname and, with the ʻip domain-nameʼ command,
the domain name it belongs to. Generate the RSA key (at least 1024 bits) with the
ʻcrypto key generate rsaʼ command, then create a username and password (remember
to use ʻlogin localʼ in line configuration). A recommended step is ʻtransport input SSHʼ
(allow only SSH for remote access), which should be done before creating the account.
You can also limit remote access with an ACL.
Other things you should do include disabling EXEC access on unused terminal access
ports with ʻno execʼ in line configuration.

Switchport port-security

To secure MAC addresses, limit them to a maximum number with ʻswitchport
port-security maximumʼ (default is 1). With this command, the interface is disabled when
the maximum number of MAC addresses is exceeded. You re-enable it by administratively
shutting it down and bringing it back up with ʻshutdownʼ followed by ʻno shutdownʼ.

ʻswitchport port-security violationʼ is followed by restrict, protect, or shutdown. This command
lets you choose the action taken on a violation; the default is to shut down the
interface. Restrict increments a violation counter and alerts the administrator with an
SNMP trap. Protect only allows traffic from the secure addresses; other packets are
dropped until the number of MAC addresses drops below the maximum.

You can also specify which MAC address gets access to the port (default is 1) with the
ʻswitchport port-security mac-addressʼ command. This command has to be entered in
interface configuration, after the ʻswitchport port-securityʼ command.
Instead of a MAC address, you can specify the ʻstickyʼ keyword to learn addresses dynamically.

ʻshow port-security interfaceʼ, followed by an interface number or nothing, gives
information about the selected interface or all interfaces. ʻshow port-security addressʼ
displays the list of secure MAC addresses you have configured. Note that sticky MAC
addresses show a type of ʻSecureDynamicʼ, while static MAC addresses you secured are
shown as ʻSecureConfiguredʼ.
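The port-security behaviour described in this section (maximum, sticky learning, and the protect/restrict/shutdown violation actions), as an added Python model that is not code from these notes or from Cisco IOS; the class name, its method names and the MAC addresses are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecurePort:
    """Constructed model of one access port with 'switchport port-security' enabled."""
    maximum: int = 1              # switchport port-security maximum <n>
    violation: str = "shutdown"   # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = False          # switchport port-security mac-address sticky
    secure: Dict[str, str] = field(default_factory=dict)  # mac -> configured/sticky/dynamic
    err_disabled: bool = False
    violation_count: int = 0
    snmp_traps: List[str] = field(default_factory=list)

    def configure_mac(self, mac: str) -> None:
        """Static 'switchport port-security mac-address <mac>'."""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("secure address table is already at the maximum")
        self.secure[mac] = "configured"

    def frame_in(self, src_mac: str) -> str:
        """Decide what the port does with a frame carrying source MAC src_mac."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure:
            return "forwarded"
        if len(self.secure) < self.maximum:
            # Below the maximum: the address is learned as a secure address.
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forwarded (learned)"
        # Table full and the address is unknown: this is a violation.
        if self.violation == "protect":
            return "dropped (protect)"       # silent drop: no counter, no trap
        if self.violation == "restrict":
            self.violation_count += 1
            self.snmp_traps.append(f"port-security violation, source {src_mac}")
            return "dropped (restrict)"
        self.violation_count += 1            # default action: shut the port down
        self.err_disabled = True
        return "dropped: port err-disabled"

    def shutdown_no_shutdown(self) -> None:
        """'shutdown' then 'no shutdown' recovers the port. Dynamically learned
        addresses are lost on the way; configured and sticky addresses survive."""
        self.secure = {m: t for m, t in self.secure.items() if t != "dynamic"}
        self.err_disabled = False
```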

VLAN security

VLAN security can be compromised when an attacker figures out the IP address of the
management VLAN (by default, VLAN 1); this logical interface is responsible for
PVST, VTP, and CDP running on the VLAN. You can prevent a potential attack by 1)
administratively shutting down all unused interfaces and putting unused ports into a dummy
VLAN, and 2) using a VLAN other than VLAN 1 as the management VLAN.

By default, traffic for all VLANs goes through the trunk. You can limit the data
traveling through the trunk with ʻswitchport trunk allowed vlanʼ followed by a VLAN list such
as 1-50, 60, 70.
Verify this with the ʻshow interfaces trunkʼ command (the STP and active VLAN lists will reflect your
selection). You can further edit the VLAN list with the ʻswitchport trunk allowed vlan
addʼ, ʻswitchport trunk allowed vlan removeʼ, or ʻswitchport trunk allowed vlan exceptʼ
commands.

CDP, or Cisco Discovery Protocol, should be disabled whenever possible (mostly on
switch ports connected to end devices) by configuring ʻno cdp enableʼ on individual interfaces,
or disabled globally with ʻno cdp runʼ in global configuration.

You can increase VTP security with ʻ(config)#vtp passwordʼ followed by the
password you want.

Chapter 17. Understanding Wireless Networking

A LAN can run Ethernet or Token Ring. Ethernet stands out as the winner even though
Token Ring has no collisions, because Ethernet is faster.

A wireless LAN (WLAN) is defined and standardized by:

๏ International Telecommunication Union-Radiocommunication Sector (ITU-R):
regulates the radio frequencies (RF) used for wireless transmission
๏ Institute of Electrical and Electronics Engineers (IEEE): maintains the 802.11 wireless
transmission standards
๏ Wi-Fi Alliance: ensures certified interoperability between 802.11 wireless vendors

Devices connecting to a wireless AP (WAP) operate in half-duplex using CSMA/CA, since
wireless has no collision detection. WLANs also suffer from limited range and signal
interference, but most RF signal degradation is due to the path the signal travels.
Every object the signal must pass through can degrade it in some way.
Reflective surfaces, such as metal or glass, cause RF waves to bounce off.
Uneven surfaces, such as a gravel road, piles of merchandise in a warehouse, a desk,
or a cubicle, can cause the signal to reflect and scatter in many directions. Finally, as
wireless signals pass through physical objects, they are absorbed; the absorption rate
differs depending on the type of material the signal passes through. There is also
interference.

WLANs run in the unlicensed bands established by the US Federal
Communications Commission (FCC) but free of regulation; this means a wireless device
can run without paying a licensing fee to the FCC. The Industrial, Scientific, and Medical (ISM) bands
operate at 902 - 928 MHz, 2.4 - 2.483 GHz, 5.15 - 5.3 GHz, and 5.725 - 5.825 GHz.
Companies that do not want to pay the FCC are forced to share the unlicensed bands,
causing interference. Key facts about RF:
1) Higher frequencies allow higher data rates.
2) Higher frequencies have shorter transmission distances (range).
3) Shorter distances can be compensated for by using high-powered antennas.
4) Every country has its own restrictions on how powerful your radio transmission can
be in the unlicensed bands.
If the signal is not powerful enough, consider deploying several APs.

An overlap of 10 - 15% between adjacent APs (using different channels) is good WLAN design.


Channel   Range (MHz)
1         2401-2423
2         2406-2428
3         2411-2433
4         2416-2438
5         2421-2443
6         2426-2448
7         2431-2453
8         2436-2458
9         2441-2463
10        2446-2468
11        2451-2473
12        2456-2478
13        2461-2483

Each channel is 22 MHz wide and overlaps with adjacent channels. Thus the only
channels commonly used are 1, 6, and 11, since they donʼt overlap each other.
Adjacent devices must use non-overlapping channels so their signals donʼt interfere;
this is one possible solution to interference.
Remember that the 5 GHz band has up to 23 non-overlapping channels.
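The channel table and the non-overlap rule above, as an added Python check that is not part of the notes: it derives each channel's edges from the 22 MHz width and 5 MHz spacing the table shows, flags overlapping channel pairs in a plan, and picks the mutually non-overlapping set. The function names are constructed; the only inputs are the figures from the table.

```python
from typing import Iterable, List, Tuple

CHANNEL_WIDTH_MHZ = 22      # each 2.4 GHz channel is 22 MHz wide (from the table)
CHANNEL_SPACING_MHZ = 5     # channel centres are 5 MHz apart (from the table)
CHANNEL_1_LOW_MHZ = 2401    # lower edge of channel 1 (from the table)


def channel_range(channel: int) -> Tuple[int, int]:
    """Lower and upper edge (MHz) of a 2.4 GHz channel, reproducing the table."""
    if not 1 <= channel <= 13:
        raise ValueError("channel must be 1..13")
    low = CHANNEL_1_LOW_MHZ + (channel - 1) * CHANNEL_SPACING_MHZ
    return low, low + CHANNEL_WIDTH_MHZ


def overlaps(a: int, b: int) -> bool:
    """True when the two channels share any spectrum (touching edges do not count)."""
    a_low, a_high = channel_range(a)
    b_low, b_high = channel_range(b)
    return a_low < b_high and b_low < a_high


def conflicting_pairs(plan: Iterable[int]) -> List[Tuple[int, int]]:
    """Every pair of channels in a plan that overlap; an empty list means a clean plan."""
    chans = list(plan)
    return [(x, y) for i, x in enumerate(chans) for y in chans[i + 1:] if overlaps(x, y)]


def non_overlapping_set(channels: Iterable[int] = range(1, 14)) -> List[int]:
    """Greedy choice of mutually non-overlapping channels, lowest channel first."""
    chosen: List[int] = []
    for ch in channels:
        if not any(overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen
```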

IEEE 802.11 standard

802.11a is clearly better than 802.11b, but it didnʼt become popular because the silicon
chips for 802.11a were in short supply. 802.11g is backward compatible with 802.11b.
802.11n adds Multiple Input Multiple Output (MIMO) technology, which uses multiple
antennas to send and receive between devices to increase throughput.

                 802.11a     802.11b     802.11g        802.11n
RF band          5 GHz       2.4 GHz     2.4 GHz        2.4 and/or 5 GHz
Bandwidth        54 Mbps     11 Mbps     54 Mbps        248 Mbps
Channels         Up to 23    3           3              Unknown
Outdoor range    ≈ 75 m      ≈ 100 m     ≈ 95 m         ≈ 160 m
Indoor range     ≈ 25 m      ≈ 45 m      ≈ 40 m         ≈ 70 m
Release date     1999        1999        2003           2008
Technology       OFDM        DSSS        DSSS & OFDM    DSSS & OFDM

Chapter 18. Wireless Security and Implementation Considerations

Wireless attacks

Wireless networks are the most exposed and insecure: not only does their data travel in
the open, the encryption is not as secure as you might think. There are commonly three types
of security holes in wireless networks: war driving, direct hacking, and employee
ignorance.

War driving is a technique for discovering wireless networks by driving through a
particular area with an 802.11-compatible wireless antenna and a GPS device. This
way the exact location of a network can be pinpointed even if the network is
encrypted, hidden, or authenticated.

Direct hacking is the next step in attacking the network after a complete scan is finished.
This step can come in many forms:
• Breaking into the WLAN: the attacker starts breaking the authentication or encryption as
soon as the scan is finished. If successful, the attacker joins the wireless network and
begins scanning your organizationʼs internal network for available resources.
• Decrypting data: data transmitted over the air can be easily intercepted and decrypted
once the attacker recovers the key.
• Attempting a wireless DoS attack: if the intruder succeeds, the attacked wireless access
point is rendered inoperable for your company. This is not uncommon,
though most people ignore it and have no idea what valuable information is lost.

Another possible threat is employee ignorance of the danger of using their own
wireless AP in the company, where network access already exists. This can easily
allow access to company data without the need to bypass any of the security set up by the
network administrator.

Wireless security: encryption, detection, and authentication

Wireless security can be broken down into 3 major categories: encryption, detection
and authentication.

Wired Equivalent Privacy (WEP) is the first security measure released for wireless
networking. It uses static preshared keys (PSKs) as the key for its encryption.
WEP uses a cipher called RC4 that takes every piece of data
and scrambles it with the PSK. On reception, the reverse operation decrypts the
data. Both the client and the WAP must have the PSK entered manually.

The number of bits of the key determines the complexity of the scrambling.
The more bits there are, the more complex the scrambled data will be, and the longer it will take
to decrypt it. WEP2 is a 128-bit version of WEP released in 2002. Although it makes the
algorithm slightly more difficult to break, the flaws in the standard cause it to crumble.

Wi-Fi Protected Access (WPA) uses another encryption algorithm called Temporal Key
Integrity Protocol (TKIP) with a 128-bit key. It is compatible with the hardware WEP uses.

Another standard, WPA2, also known as 802.11i, was proposed in 2004 and operates
on different hardware than WEP, WEP2, and WPA. It uses the Advanced Encryption
Standard (AES), which is much stronger than the previous standards. It is backward
compatible with WEP, WEP2, and WPA, but does not support the old hardware.

Wireless authentication can be implemented using 802.1x (port-based access
control), which designates three network devices that participate in network authentication:
the supplicant, the authenticator, and the authentication server.

When a user wants to access the network, he must first send his authentication
credentials (such as a username and password) to the authenticator, which forwards
them to the authentication server. When the authentication server receives the
credentials, it checks them against its database and then tells the authenticator whether
the device has passed authentication.
If the device fails authentication, its access to the network is terminated or severely
limited, depending on how you (as the administrator) decide to restrict the device. If the
device passes authentication, the supplicant and authentication server generate a
dynamic encryption key known as the session key. This provides the same security as a
PSK but does not need to be entered statically.

A preventive measure (detection) you can take against employee ignorance is a
wireless IPS. This system sets up sensors that detect when a policy is violated.
The minute a rogue access point shows up in the network, the system can alert you,
pinpointing the location of the access point on a map of your campus. Other events can
also be defined to detect other types of security breach.

Wireless topology

Wireless technology can be implemented in ad hoc or infrastructure mode.
Ad hoc uses the Independent Basic Service Set (IBSS) topology; each wireless device
independently manages the wireless network. Data in this type of network originates
from and is forwarded to the wireless devices themselves. Ad hoc networks are typically very limited in
range and have security holes.
Infrastructure mode is more common and uses a WAP (wireless AP); it comes as a
Basic Service Set (BSS) or an Extended Service Set (ESS). A BSS contains a single
WAP, while an ESS has two or more WAPs to cover the area (allowing roaming).

A wireless network runs at the speed of the slowest client, and speed drops as a
client moves farther from the WAP. For 802.11b, the steps go from 11 Mbps -> 5.5
Mbps -> 2 Mbps -> 1 Mbps. For 802.11a/g, the steps are 54 Mbps -> 48 Mbps -> 36
Mbps -> 24 Mbps -> 18 Mbps -> 12 Mbps -> 9 Mbps -> 6 Mbps. These numbers give
you an idea of the amount of interference in an area and your proximity to the AP.

Troubleshooting

To troubleshoot in general, follow these steps:

• Ensure the wired network is operational
• Install the WAP in tested switch ports
• Configure a basic network (with no security) and test
• Configure the secured network and test

To troubleshoot the client side, follow these steps:

• Verify the wireless card is enabled
• Move to a “known good” region of the building
• Verify that the client can identify the wireless network with its wireless utility
• Ensure the wireless client has the correct wireless security information and supports
your security standards (if you use WEP, your client MUST support WEP)

Here are steps to troubleshoot the WAP:

• Verify that the wireless access point is running the latest firmware version
• Test the wireless reception radius at different times of the day
• Verify your wireless channel configuration
• Consider the materials around and close to the access point

Chapter 19. Using Access Lists

An access list is a list of permit and deny statements that the device consults to decide
whether traffic is permitted. Unless data is explicitly permitted, it is implicitly denied. The
order of the statements sets their priority: a statement higher in the ACL is
checked before lower statements, and the device stops checking once a permit statement
matches.

The implicit deny, on the other hand, sits at the end of the ACL and is never
displayed by any show command.

In older IOS versions, the access list is arranged exactly as you entered it; you cannot rearrange
entries unless you remove them all. In newer versions, a sequence number is
assigned to each entry, so you can manipulate entries individually.
In the CCNA exam, you will be using the old IOS ACL style.

How you apply your ACL dictates what function the ACL really serves. Functions
you have to know for the CCNA exam are:
1) Packet filtering filters inbound or outbound traffic at the network layer. You can filter
based on source IP address (standard), or also on destination address, protocol
number, and port number (extended). Note that too many criteria may cause
significant CPU load on your router.
2) Quality of Service (QoS) separates different data streams and prioritizes them so the
more important or latency-sensitive data (VoIP) comes through faster. In other words,
prioritized traffic (permitted) leaves first, while other data (denied) leaves later.
However, in traffic policing (a QoS method), you limit the bandwidth of the
applications you placed on the permitted list, while denied applications are not
restricted in bandwidth.
3) Dial-on-Demand Routing (DDR) is a technique in which a host or router automatically
initiates a dial-up (not always-on) connection over ISDN or a public network. This
method reduces network usage by closing the connection once no more data needs
to be transmitted or received.
4) A Network Address Translation (NAT) ACL determines whether a host is permitted to be
translated by NAT. A denial does not prevent data from being sent, but it prevents the
host from being translated by NAT before it is sent.
5) Route filtering uses what is known as a distribute list, which is applied in router
configuration mode to limit the networks that can be reached and received traffic from. The
command is ʻ(config-router)#distribute-listʼ followed by the ACL number and “in” or “out”.
NOTE: inbound traffic refers to traffic coming into an interface; outbound traffic
refers to traffic going out of an interface.

To configure an ACL, first enter ʻaccess-list ?ʼ to see the list of available ACL numbers
(this list also points out which routed protocols are in use). Standard ACLs are
numbered 1 to 99, while extended ACLs are numbered 100 to 199. If these are not
enough, you can use the expanded ranges 1300-1999 (standard) and 2000-2699 (extended).

ʻaccess-list ACL_numberʼ can be followed by deny, permit, or remark, where remark is a
comment you can enter for an entry. Deny/permit is harder, so letʼs experiment with permit.
ʻaccess-list ACL_No permitʼ can be followed by an IP address and then a wildcard mask (a mask of
0.0.0.0 means the entry must match the address exactly). To match a single
IP address, you can instead follow the command with the ʻhostʼ keyword and the IP address,
without the inverse mask. The optional ʻlogʼ keyword can be added so that every match
is logged on the router.
You can permit any IP address into your network with ʻaccess-list ACL_No permit
0.0.0.0 255.255.255.255ʼ or ʻaccess-list ACL_No permit anyʼ.
You can verify your ACL with ʻ#show ip access-listsʼ or ʻ#show running-configʼ.

Only one access list can be applied per protocol per direction on an interface: one for
inbound and one for outbound traffic. These lists go into effect immediately
when applied, so check them carefully (one last time) before you apply them.
One common mistake is to list all the unwanted networks as denied and then apply the ACL,
forgetting about the implicit deny and taking the entire network down.
Another common fault is making changes to an ACL while it is applied to an interface.
Although this may work, it is not recommended.

To apply an ACL to an interface, use ʻ(config-if)#ip access-groupʼ + ACL_No + in/out. Best
practice for standard access lists is to apply them on the interface closest to the
destination.

To remove (clear all entries of) an access list, use ʻno access-listʼ + ACL_No. However,
the list still applies (if you applied it to an interface) through the ʻaccess-groupʼ command
(remove an ACL from an interface with ʻno ip access-group ACL_Noʼ + in/out); at this point the
emptied ACL allows all traffic through. As soon as any line is added to the ACL, the implicit deny
starts working AGAIN.
NOTE: ʻno access-listʼ does NOT delete the ACL; it empties the entries so you can re-enter them.

You can also apply an ACL to the VTY lines with ʻ(config-line)#access-classʼ + ACL_No +
“in”/“out”.

If you are configuring access lists on your router remotely, be sure to allow your remote
Telnet session access into the router in the access list. It is a very common mistake to
create an access list that kills the remote Telnet session and requires the administrator
to drive to the site (or contact someone on-site) to reconfigure the router through the
console port. It is, therefore, a good practice to issue the following command before
applying an access list remotely: ʻRouter# reload in 5ʼ
This instructs the router to reboot itself in 5 minutes if there is no administrative
intervention. This way, if you lock yourself out of the router, it reboots and sets its
configuration back to what it was before you applied the access list. If the access list
applies successfully without limiting remote access, be sure to issue the ʻreload cancelʼ
command to stop the automatic reboot countdown.

Extended ACLs have more complex syntax than standard ACLs. In general, the
command is ʻaccess-listʼ + (100-199) + (protocol) + (source_information) +
(destination_information).
ʻaccess-list ACL_Noʼ can be followed by deny, permit, dynamic, or remark, where dynamic
creates a temporary entry in the ACL (like ʻstickyʼ) when
a user successfully authenticates to the router; the entry is removed after a certain
period of time, but this is outside the scope of the CCNA exam.
Next comes the protocol information, which can be specified
numerically (0-255, SAP field in the IP header) or by name; there is an extensive range
of protocols you can apply an ACL to. For the CCNA exam, you need to know IP, TCP, UDP,
and ICMP.
The protocol information is followed by IP addresses as discussed in the previous section.
Note that additional source and destination port information is added to the
command after the addresses. For a PC, the source port (of an application) is randomly generated in
the registered port range (1024-49151), while the destination port is the destination service
used. Thus you usually DO NOT know the source port (use ʻanyʼ), but you can specify the
destination port (if this is an outbound ACL). For the destination, you
are most likely to use eq (equal), such as ʻ(config)#access-list 150 permit tcp host
10.1.1.5 any eq 80ʼ to permit HTTP.

Extended ACLs are applied just like standard ACLs, with ʻip access-groupʼ or
ʻaccess-classʼ. However, it is recommended to apply extended ACLs close to the
source of the network traffic.
Remember that to let the network use the rest of the connections, the
only protocol that encompasses ALL TCP/IP traffic is the IP protocol. So the command
should look like ʻaccess-list 125 permit ip any anyʼ.

To improve security, one possible measure is ʻaccess-list ACL_No permit
tcp any any establishedʼ. This way, (for data from the Internet) only data belonging to an
already established session is allowed in.
Cisco also created Context Based Access Control (CBAC), implemented in IOS versions with the
firewall feature set.

Named ACLs allow ACLs to be created with names and support some simple editing. This
is done with ʻip access-listʼ + standard/extended/resequence; you then enter (config-std-
nacl) mode, where you can add and remove entries separately. Entries can be
numbered (at the beginning of the line) with a sequence number (the numbers donʼt have to be
consecutive, so you can add more entries between them). Entries are listed by
their sequence number: the larger the number, the higher it sits in the ACL (more priority). To
remove an entry, use ʻnoʼ followed by the sequence number.
ʻip access-list sequence 10 30ʼ moves the entry with sequence number 10 to sequence
number 30.

ʻshow access-listsʼ outputs all configured ACLs. ʻshow running-configʼ and ʻshow ip
interfaceʼ show only the ACL number. ʻshow ip access-listsʼ lists the matches found.
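The numbered-ACL behaviour this chapter describes (standard and extended syntax, wildcard masks, the host/any keywords, eq, established, top-down first match, the implicit deny, and an emptied ACL permitting everything), as an added Python evaluator that is not code from the notes or from Cisco IOS; the function and class names and the sample ACL are constructed, with the addresses in the sample borrowed from this chapter's examples.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, str]                       # (base address, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_addr(tokens: List[str]) -> Tuple[Addr, List[str]]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' from the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _take_port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume an optional 'eq <port>' that may follow an address."""
    if tokens[:1] == ["eq"]:
        return int(tokens[1]), tokens[2:]
    return None, tokens


@dataclass
class Entry:
    action: str                 # 'permit' or 'deny'
    protocol: str               # 'ip' is also used for standard ACLs (source only)
    src: Addr
    dst: Addr
    dport: Optional[int]        # destination port from 'eq', if any
    established: bool           # only match replies of an existing TCP session


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny ...' lines in the order they were entered
    (older IOS keeps that order). 'remark' lines are comments and are skipped."""
    entries: List[Entry] = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        number, action, rest = int(t[1]), t[2], t[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard: source address only
            src, _ = _take_addr(rest)
            entries.append(Entry(action, "ip", src, ANY, None, False))
            continue
        proto, rest = rest[0], rest[1:]                  # extended: proto src [eq p] dst [eq p]
        src, rest = _take_addr(rest)
        _, rest = _take_port(rest)                       # source port is rarely known; not matched here
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        entries.append(Entry(action, proto, src, dst, dport, "established" in rest))
    return entries


def evaluate(entries: List[Entry], src: str, dst: str, proto: str,
             dport: Optional[int] = None, established: bool = False) -> str:
    """Top-down, first match wins; the implicit deny catches everything else.
    An ACL with no entries left (after 'no access-list N') permits everything."""
    if not entries:
        return "permit"
    for e in entries:
        if e.protocol not in ("ip", proto):
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.established and not established:
            continue
        return e.action
    return "deny"               # implicit deny: never shown by any show command


# Constructed sample ACL in the syntax discussed above (not from the notes).
SAMPLE_ACL = [
    "access-list 150 remark admin host to web, returning traffic, then deny the rest of 10.1.1.0/24",
    "access-list 150 permit tcp host 10.1.1.5 any eq 80",
    "access-list 150 permit tcp any any established",
    "access-list 150 deny ip 10.1.1.0 0.0.0.255 any",
]
```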

Chapter 20. Enabling Internet Connectivity with NAT

Theoretically, a router running NAT (Network Address Translation) is capable of
allowing 65,536 devices (the number of hosts on a Class B network) to share a single
Internet-valid IP address.

It is commonly said that private addresses are non-routable; however, this is not true.
ISPs block private addresses with ACLs to prevent duplicate addresses. Networks
connected to the Internet typically use these private IP addresses internally and then
translate them when accessing the Internet.

Types of NAT

Static NAT maps IP addresses in a one-to-one relationship. It is common to map a
private IP address to a public one: anything going to the public address is
received at the private address, and anything sent out is seen as that public
address. Although static NAT does not allow sharing of a single address, it does
eliminate end-to-end traceability and enables servers to be accessed from the Internet.
Static NAT can also be configured to statically translate individual TCP or UDP ports to
the same host or to many different hosts. This way, NAT can act as a type of firewall and
offer different services through a single IP address. In some cases, you can even
redirect port numbers.

Dynamic NAT is used where there are too many hosts to configure one-to-one mappings
by hand. You provide a list of the addresses devices currently use and a list of
addresses to map them to.

NAT overload, or PAT (Port Address Translation), enables a single IP address to support
many internal clients. By generating different source port numbers, PAT can track which
data belongs to which device, thereby representing many devices with one IP address. A
source socket (IP address + source port) identifies a piece of data. The reply to a request
is sent back to the source socket, which the NAT table translates so the reply is
forwarded to the correct device. However, if two devices generate the same source
port, one deviceʼs session MUST be reset and a different port number chosen.
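The NAT table behaviour described in this section (one-to-one static mappings, PAT source-socket tracking with a port collision between two inside hosts, and the hits and misses counted by the router), as an added Python model that is not code from the notes or from Cisco IOS; the class, its method names, and the addresses and ports are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Socket = Tuple[str, int]          # (IP address, port)


@dataclass
class NatRouter:
    """Constructed model of a router's NAT table: static one-to-one entries plus PAT."""
    inside_global: str                                       # the one public address used for PAT
    static: Dict[str, str] = field(default_factory=dict)     # inside local -> inside global (1:1)
    outbound: Dict[Socket, Socket] = field(default_factory=dict)  # inside local socket -> global socket
    inbound: Dict[Socket, Socket] = field(default_factory=dict)   # global socket -> inside local socket
    hits: int = 0         # packets that matched an existing mapping
    misses: int = 0       # packets that arrived before a session existed

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """'ip nat inside source static <local> <global>': one-to-one, ports unchanged."""
        self.static[inside_local] = inside_global

    def translate_out(self, src: Socket) -> Socket:
        """Translate the source socket of a packet leaving through the outside interface."""
        local_ip, local_port = src
        if local_ip in self.static:
            return (self.static[local_ip], local_port)
        if src in self.outbound:
            self.hits += 1
            return self.outbound[src]
        self.misses += 1                       # new session: build a PAT entry
        port = local_port
        # Source-port collision: another inside host already owns this port on the
        # public address, so this session is given a different port number.
        while (self.inside_global, port) in self.inbound:
            port = port + 1 if port < 65535 else 1024
        glob = (self.inside_global, port)
        self.outbound[src] = glob
        self.inbound[glob] = src
        return glob

    def translate_in(self, dst: Socket) -> Optional[Socket]:
        """Translate the destination socket of a packet arriving on the outside interface.
        None means no mapping exists, so the router drops the unsolicited packet."""
        for local_ip, global_ip in self.static.items():
            if dst[0] == global_ip:
                return (local_ip, dst[1])
        if dst in self.inbound:
            self.hits += 1
            return self.inbound[dst]
        return None

    def clear_translations(self) -> None:
        """'clear ip nat translations *': dynamic entries go, static entries stay."""
        self.outbound.clear()
        self.inbound.clear()
```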
NAT addresses are described in these terms:
- Inside/outside: refers to where a device is physically located. If a device is “inside,” it is
in your network. If a device is “outside,” it is outside your network.
- Local/global: refers to where an IP address is located relative to a NAT device, i.e. a device whose
address is translated by a NAT router (private to public). If an IP address is
“local,” it is seen as being on the local subnet from the perspective of the NAT device
(this may or may not be true). If an IP address is “global,” it is seen as not
on the local subnet from the perspective of the NAT device.
Combined, the NAT address types are:
- Inside local address: everything inside your network; these are the private IP
addresses. If an inside local address communicates with another inside local
address, that is standard LAN connectivity.
- Inside global address: an address belonging to your network but used to connect with the
outside. In other words, it is the public IP address assigned to a network in NAT overload.
- Outside global address: the standard public IP addresses that are outside
your network.
- Outside local address: the IP address of an outside host as it appears to the inside
network. These addresses can be allocated from the RFC 1918 space if desired. These
addresses get translated by NAT.

Configure NAT at ICND1

NAT overload is known as “Basic NAT” in SDM. You access this service by opening the
ʻConfigureʼ tab and choosing NAT from the sidebar. Click the ʻBasic NATʼ radio button and then
ʻLaunch the selected taskʼ. In the wizard, you choose the interface connected to the ISP.
The IP address ranges you select with the checkboxes represent the
internal IP address ranges.
This means any device using those IP address ranges will use the public IP address
assigned to that interface. Then you are done.
To verify, use ʻshow running-configʼ (inside and outside interfaces + the access list used).

The above method enables access to the Internet, but to obtain access FROM
the Internet, you need static NAT mappings through Advanced NAT or Edit NAT
Configuration in SDM.
You can select Advanced NAT instead of Basic NAT in SDM; after the outside interface, the
screen asks you to enter any additional public IP addresses. These addresses are for
other purposes, such as obtaining connections FROM the Internet. Then, enter the networks
connecting your internal networks; a network is listed as ʻDesignatedʼ if you already have one configured.
Click ʻNextʼ and you enter a window that configures static NAT mappings. Click the ʻAddʼ button
to add a new mapping, where you enter the private IP address to map and then select
the public IP address from the drop-down list. This method maps a full public IP address to
a private IP address (or network): every port of the device (or network) corresponds
to the same port on the public address.
The Cisco router supports only individual port mappings for the IP address
assigned to the outside interface. You cannot fully map the outside interface IP address
to an internal server because the router itself uses part of it for its own communication.

Port mappings let you map individual ports on public IP addresses to individual
ports on private IP addresses. With port mapping you can map a single public address to
different ports on different devices, so data destined for different ports goes to different
devices through one public IP address.
Click the ʻAddʼ button -> select the private and public address -> choose the type of device under
Additional Information. If you choose ʻOtherʼ, you may specify an alternative port to
forward the data to (data comes in on port x of the public address, but goes to port y of the
private address).

Another way of configuring static NAT mappings is the ʻEdit NAT Configurationʼ tab
(another tab under NAT in Configure) in SDM. This is most convenient when you
already have Basic NAT set up. You can choose to use:
- Designate NAT Interfaces: allocate or reallocate which interfaces on your router
connect to the inside or outside networks.
- Address Pool: create one or more pools of IP addresses to use for dynamic NAT.
- Translation Timeouts: set time limits for memory-resident idle NAT entries; after
the time limit, the idle entry is deleted. The default is 86400 seconds (4 days).
- Add: opens a window that lets you add static or dynamic NAT mappings.
- Edit: opens a window that lets you edit the selected NAT mapping.
- Delete: removes the selected NAT mapping.
The ʻClone selected Entry on Addʼ option prepopulates the new NAT entry window (opened
by clicking the Add button) with whatever entry you have selected. This option lets you
run two identical servers in a network on the same port without port redirection. Some
other options are included here:
- Static/Dynamic: choose the style of NAT you want to apply.
- Direction: ʻFrom inside to outsideʼ or ʻFrom outside to insideʼ. Regardless of the
choice, two-way translation always occurs, but this option gives you more flexibility in
dynamic NAT.
- Inside IP Address/Network Mask: the inside address(es) you want to translate.
- Outside Interface(s)/Type: enter the individual IP address or interface you want to
translate to. If the Type drop-down box has IP Address selected, the IP address field
and the Interface field can be modified.
- Redirect Port/Original Port/Translated Port: choose the protocol and port numbers to
translate.

To check whether NAT is working, use the ʻshow ip interface briefʼ command. ʻshow ip nat
statisticsʼ gives you information about the NAT running in your network. There will
be hits and misses: the number of hits is how many packets matched an existing
NAT mapping, while misses are packets sent before a session was established between the two.
The other command is ʻshow ip nat translationsʼ, which shows a list of IP addresses
in four columns: inside local, inside global, outside local, and outside global. This command tells
you which device has access and is NATted to what address in the first section, followed
by a list of addresses that access the internal addresses, and more.
This command also supports many filtering options, since viewing just one website can
generate many entries (all the DNS lookups and files).

To troubleshoot, first look at the interfaces using the
ʻshow running-config interfaceʼ command followed by the interface name and number.
Then test connectivity by pinging the NAT server from internal clients; use the IP
address to rule out DNS problems. As a last step, you can delete all the entries in
the NAT table using ʻclear ip nat translations *ʼ, and the server will rebuild the table.

Chapter 21. Command-Line NAT implementation

To configure NAT from the command-line interface (CLI), the first step is to identify the inside and
outside interfaces with ʻip nat insideʼ and ʻip nat outsideʼ on the appropriate interfaces.

Then it is show time for the ʻip natʼ command. It can be followed by ʻinside/
outside/log/pool/service/translationʼ; the most important keywords are inside and
outside. You can use either one, but it is a good idea to stick with one
to avoid confusion.

If you go with inside, the next keyword you need is ʻsourceʼ or ʻdestinationʼ. ʻip nat
inside sourceʼ means you want to convert a private IP address from inside your
network to something else; this something else can be ʻlist/route-map/staticʼ, where list
means dynamic NAT and static is static NAT.
Thus, to convert 192.168.1.50 to 5.1.1.10 statically using the CLI, use ʻ(config)# ip nat
inside source static 192.168.1.50 5.1.1.10ʼ. This command can be followed by
ʻextendableʼ, which lets you map multiple inside global addresses to the
same inside local address. It can also be followed by ʻno-aliasʼ to set up a one-way
NAT mapping from the inside to the outside (the outside interface does not pass requests
through to the inside host, but the inside host is translated toward the outside).

Remember in ʻshow ip nat translationsʼ, static entries should have only entries in
“inside local” and “inside global” if it does not intend to forward traffic to the outside.

To forward all TCP port 25 (SMTP) traffic arriving at the inside global address 5.1.1.10 to
the internal mail server at 192.168.1.100, configure 'ip nat inside source static tcp
192.168.1.100 25 5.1.1.10 25'. Instead of an inside global address you can enter
'interface' followed by the interface name and number, and the command again ends with
the port number. A static port mapping like this exposes only that one port; other
unsolicited inbound traffic to 5.1.1.10 is not forwarded inside unless another mapping
matches it.

To configure dynamic NAT, on the other hand, you create a pool of addresses instead of
specifying one. Scenario: two networks, 192.168.1.0/24 and 192.168.2.0/24, need to
communicate with each other through a router that sits between them. 192.168.2.0/24
wants to appear to 192.168.1.0/24 as 192.168.1.200-254, and 192.168.1.0/24 wants to
appear to 192.168.2.0/24 as 192.168.2.200-254. The pools stop at .254 because .255 is
the broadcast address of a /24 and must not be handed out as a translated address.

1) Assign the inside and outside interfaces with 'ip nat inside' and 'ip nat outside'.
2) Create a NAT pool named NETWORK1 with the range 192.168.1.200 to 192.168.1.254:
'(config)#ip nat pool NETWORK1 192.168.1.200 192.168.1.254 prefix-length 24'
3) Create a NAT pool named NETWORK2 with the range 192.168.2.200 to 192.168.2.254:
'(config)#ip nat pool NETWORK2 192.168.2.200 192.168.2.254 prefix-length 24'
4) Create the ACLs that select the traffic to translate: 'access-list 50 permit 192.168.1.0
0.0.0.255' and 'access-list 51 permit 192.168.2.0 0.0.0.255'.
5) Tie them together: 'ip nat inside source list 50 pool NETWORK2' lets 192.168.1.0/24
enter 192.168.2.0/24 as 192.168.2.200-254, and 'ip nat inside source list 51 pool
NETWORK1' lets 192.168.2.0/24 enter 192.168.1.0/24 as 192.168.1.200-254. Either
command can be followed by the optional keyword 'overload', used for PAT.
Note that 'ip nat inside source' only applies to packets arriving on an 'ip nat inside'
interface; if 192.168.2.0/24 sits behind the outside interface, its translation has to be
written as 'ip nat outside source list 51 pool NETWORK1' instead. Also remember that a
dynamic pool without 'overload' serves at most as many inside hosts at once as it has
addresses (55 here); once the pool is exhausted, new flows are dropped until existing
entries time out.

To configure NAT overload (PAT), imagine a 172.16.0.0/16 network (on interface Ethernet
0) with a web server at 172.16.1.80. The inside global address is not known in advance,
so we use the address of interface Serial 0.
1) Define the inside and outside interfaces.
2) Create an ACL for the internal network: 'access-list 75 permit 172.16.0.0 0.0.255.255'.
3) 'ip nat inside source list 75 interface Serial 0 overload' translates everything the ACL
permits to the public IP address of Serial 0 and tells the inside hosts apart by port
number (if your inside global address is known, say 198.222.16.32, a pool containing that
address can take the place of 'interface Serial 0').
4) The web server still needs a static port mapping so that inbound connections reach it:
'ip nat inside source static tcp 172.16.1.80 80 interface Serial 0 80'.
Note: you can also overload a pool of several inside global addresses; when one address
has all of its ports in use (said to be maxed out), the next address in the pool takes over.

'show running-config' shows the commands you entered to get NAT running; 'show ip nat
translations' gives a snapshot of the translations currently active on the router; 'show ip
nat statistics' shows how many translations are active, how many have been created in
total, and how much of the NAT pool is in use (for dynamic NAT).
Remember that the "hits" and "misses" counters do not count successful and failed
translations. A hit is a packet that matched an existing entry in the table; a miss is a
packet for which a new entry had to be created.
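The dynamic NAT, PAT and statistics behaviour described above, modelled as an added example; this is not code from the original page or from Cisco IOS. The class mimics the columns of 'show ip nat translations' and the hit/miss counters of 'show ip nat statistics' so that pool exhaustion, a maxed-out PAT address rolling over to the next pool address, and a static port forward can be exercised with constructed packets. The class and method names, and every address and port below, are assumptions made for the example; port allocation is simplified (sequential) where IOS would try to keep the original source port.

```python
"""Model of IOS-style NAT: static entries, a dynamic pool, and PAT overload.

Added example, not Cisco code. Reproduces the 'show ip nat translations'
columns and the 'show ip nat statistics' hit/miss counters. All addresses and
ports used here are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Sock = Tuple[str, int]  # (ip address, port)


@dataclass
class Translation:  # one row of 'show ip nat translations'
    proto: str
    inside_global: Sock   # address the outside world sees
    inside_local: Sock    # real address on the inside
    outside_local: Sock   # outside host as seen from the inside
    outside_global: Sock  # outside host's real address (same unless outside NAT is used)


class NatRouter:
    def __init__(self, acl: str, pool: Optional[List[str]] = None,
                 overload: bool = False, ports: Tuple[int, int] = (1024, 65535)):
        self.acl = ip_network(acl)           # 'access-list N permit <net> <wildcard>'
        self.pool = list(pool or [])         # 'ip nat pool ...' or the interface address
        self.overload = overload             # PAT: share each global address by port
        self.ports = ports                   # port range handed out per PAT address
        self.static: Dict[str, str] = {}     # inside local ip -> inside global ip
        self.static_ports: Dict[Tuple[str, Sock], Sock] = {}  # (proto, global) -> local
        self.table: Dict[Tuple[str, Sock, Sock], Translation] = {}      # keyed by inside view
        self.by_global: Dict[Tuple[str, Sock, Sock], Translation] = {}  # keyed by outside view
        self.hits = self.misses = 0
        self._free = list(self.pool)         # dynamic NAT: pool addresses not yet leased
        self._leased: Dict[str, str] = {}    # dynamic NAT: inside local ip -> pool ip
        self._pat_idx, self._next_port = 0, ports[0]

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """'ip nat inside source static <inside_local> <inside_global>'."""
        self.static[inside_local] = inside_global

    def add_static_port(self, proto: str, local: Sock, glob: Sock) -> None:
        """'ip nat inside source static tcp <local ip> <port> <global ip> <port>'."""
        self.static_ports[(proto, glob)] = local

    def _install(self, proto: str, local: Sock, glob: Sock, outside: Sock) -> Translation:
        t = Translation(proto, glob, local, outside, outside)
        self.table[(proto, local, outside)] = t
        self.by_global[(proto, glob, outside)] = t
        return t

    def outbound(self, proto: str, src: Sock, dst: Sock) -> Optional[Sock]:
        """Packet from an 'ip nat inside' to an 'ip nat outside' interface. Returns the
        source the outside sees, the unchanged source when NAT does not apply,
        or None when the router has to drop the packet."""
        t = self.table.get((proto, src, dst))
        if t is not None:
            self.hits += 1
            return t.inside_global
        self.misses += 1
        for (p, glob), local in self.static_ports.items():  # server opening a connection out
            if p == proto and local == src:
                return self._install(proto, src, glob, dst).inside_global
        if src[0] in self.static:                            # one-to-one static entry
            return self._install(proto, src, (self.static[src[0]], src[1]), dst).inside_global
        if ip_address(src[0]) not in self.acl or not self.pool:
            return src                                       # not selected: routed untranslated
        if self.overload:
            # move to the next pool address once this one has no ports left
            while self._pat_idx < len(self.pool) and self._next_port > self.ports[1]:
                self._pat_idx, self._next_port = self._pat_idx + 1, self.ports[0]
            if self._pat_idx >= len(self.pool):
                return None                                  # every pool address maxed out
            glob = (self.pool[self._pat_idx], self._next_port)
            self._next_port += 1
        else:
            if src[0] not in self._leased:
                if not self._free:
                    return None                              # dynamic pool exhausted
                self._leased[src[0]] = self._free.pop(0)
            glob = (self._leased[src[0]], src[1])
        return self._install(proto, src, glob, dst).inside_global

    def inbound(self, proto: str, src: Sock, dst: Sock) -> Optional[Sock]:
        """Packet arriving on the outside interface for an inside global address.
        Returns the inside destination, or None when nothing matches."""
        t = self.by_global.get((proto, dst, src))
        if t is not None:
            self.hits += 1
            return t.inside_local
        self.misses += 1
        local = self.static_ports.get((proto, dst))
        if local is None and dst[0] in self.static.values():
            local_ip = next(li for li, g in self.static.items() if g == dst[0])
            local = (local_ip, dst[1])
        if local is None:
            return None                                      # unsolicited: dropped
        return self._install(proto, local, dst, src).inside_local

    def show_translations(self) -> List[str]:
        """Rows in IOS order: Pro, Inside global, Inside local, Outside local, Outside global."""
        def s(sock: Sock) -> str:
            return f"{sock[0]}:{sock[1]}"
        return [f"{t.proto} {s(t.inside_global)} {s(t.inside_local)} "
                f"{s(t.outside_local)} {s(t.outside_global)}" for t in self.table.values()]
```

To replay the PAT scenario from the text, build NatRouter("172.16.0.0/16", pool=["198.222.16.32"], overload=True), add the static port mapping for the web server with add_static_port, and feed it an outbound client packet followed by the return packet: the first call is a miss that creates the entry, the second is a hit, and an inbound packet to a port with no mapping returns None, which is exactly what the counters in 'show ip nat statistics' are telling you.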

Remember, if you are using a router-on-a-stick configuration to route between VLANs, the
'ip nat inside' command must be on each sub-interface for NAT to translate correctly, not
just on the physical interface. The same rule applies to any configuration that uses
sub-interfaces, including Frame Relay.
A useful test from the router is 'telnet 4.2.2.2 53': it opens a TCP connection to a public
DNS server on port 53, which proves that translated traffic gets out and back without
relying on name resolution.

You can debug NAT with 'debug ip nat', which prints a line for every translated packet and
should therefore only be run when the router is not busy; check 'show processes cpu'
first.

You can also use 'clear ip nat translation *' to wipe the NAT table. This does not
adversely affect your network (entries are recreated as traffic flows), but it rules out stale
or bad translations as the cause of a problem.

Chapter 22. Wide Area Network Connections

The CCNA exam focuses on leased-line and Frame Relay WAN technology (Layers 1 and 2).

Broadband lets you send multiple signals over the wire at a time (each in its own frequency
channel); most small offices connect this way (DSL, cable). Baseband sends only one
signal at a time; Ethernet is a baseband technology.

WAN options

A WAN technology needs a switching technology to complement the connection; the
choices are circuit switching, packet switching, cell switching, and dedicated leased lines.

Circuit switching, also used for dial-on-demand connections, sets up a dedicated
(physical) channel or circuit for the duration of the transmission and tears it down when
the transmission is complete; the telephone system is the classic example. Circuit-
switched networks are connection-oriented, and some (ISDN in particular) are billed per
user or per minute. Examples: ISDN, POTS.

Packet switching lets the service provider create a large shared pool of bandwidth for its
clients rather than dedicating a fixed amount to each one (as leased lines do). The client
then dictates which circuits it wants established through the provider's network between
its sites (permanent virtual circuits), giving an end-to-end connection. However, neither
delivery nor delay is guaranteed. Examples: ATM and Frame Relay.

A leased line is the most expensive WAN technology because the bandwidth is dedicated
to the customer for the term of the lease. It is the most appropriate choice for delay-
sensitive services such as VoIP. The cost depends on the length of the line and the
bandwidth required. Example: T1.

A VPN is not a type of WAN connection, but it is often used for the same purpose. By
purchasing an Internet connection at each site and building a full mesh of tunnels
between them, you get a protected path to each remote network by encrypting the traffic.
Because strong encryption takes significant processing, you may need a VPN acceleration
card for the router, a PIX firewall (Cisco's firewall platform at the time), or a VPN
concentrator (a device built to manage and maintain many VPN connections) in addition
to your router.

Metro Ethernet is another alternative for WAN connections. It runs over the large amount
of fiber-optic cable that was laid and then abandoned in the economic downturn. The fiber
is owned by ISPs and provides speeds of 1000 Mbps or more at much less cost than a
standard T1 line. The WAN link can even terminate on standard Category 5e/6 UTP copper,
through a fiber-to-copper converter, and plug directly into a switch. This lets the WAN
connection be managed entirely through VLANs with no dedicated router hardware in
place. Metro Ethernet is beginning to stretch between cities to provide service between
major metropolitan areas, and it is becoming quite popular with government
organizations that have many locations in the same general geographic region.

A Channel Service Unit/Data Service Unit (CSU/DSU) often acts as the demarcation point
where the service provider's WAN and your LAN meet; your router connects to the
CSU/DSU through a serial interface. The router side uses either a DB-60 (60-pin) or a
Smart Serial connector; the latter is more compact and so fits more ports on a WAN
Interface Card (WIC), a module installed into a Cisco router. The cable converts from the
router connector (DB-60 or Smart Serial) to the CSU/DSU interface, which may be V.35,
X.21, EIA/TIA-232, EIA/TIA-449 or EIA/TIA-530. The other side of the CSU/DSU is the T1
interface, which uses an RJ-48 connector. RJ-48 looks just like RJ-45 but uses shielded
twisted pair and a different pinout.

WAN link data encapsulation

A WAN link also needs a data link encapsulation, which both ends (routers) have to
support and use. Frame Relay and ATM each use their own encapsulation, whereas a T1
can use SLIP, PPP, or Cisco's HDLC.

Serial Line Internet Protocol (SLIP) is a standards-based protocol for point-to-point serial
connections that carries only TCP/IP. It was mainly used for dial-up Internet connections
and has largely been replaced by PPP.

Point-to-Point Protocol (PPP) improved on SLIP by adding support for non-TCP/IP
protocols and for authentication (PAP and CHAP), among many other features. PPP is the
most popular protocol for point-to-point WAN links between equipment from different
vendors.

High-Level Data Link Control (HDLC) comes in two versions, the open ISO standard and
Cisco's proprietary variant. The ISO version has no protocol type field and so carries only
one network protocol at a time (TCP/IP, IPX/SPX or AppleTalk); Cisco's version adds a
type field so that it can carry several, and it has less overhead than PPP, but it only
interoperates with other Cisco devices. Cisco HDLC is the default encapsulation on Cisco
serial interfaces; you can set it explicitly with '(config-if)#encapsulation hdlc'.

X.25 Link Access Procedure, Balanced (LAPB) is the ancestor of Frame Relay and is still
used in regions with older infrastructure.

Frame Relay is faster than X.25 because it drops the old error-correction machinery
(reducing overhead); it is used in many well-developed areas today.

Asynchronous Transfer Mode (ATM) chops data into fixed 53-byte cells. ATM is very
similar to Frame Relay and can operate over fiber optics.

PPP over Ethernet (PPPoE) and PPP over ATM (PPPoA) carry PPP on Ethernet or ATM
links; both are used primarily for DSL.

PPP

PPP is a protocol suite made up of Network Control Protocols (NCPs), the Link Control
Protocol (LCP), and an ISO HDLC-based framing layer at the LLC sublayer, each providing
different features. PPP can run over nearly any WAN connection that does not bring its
own data-transport mechanism (as Frame Relay and ATM do). This means you can use
PPP over an asynchronous (modem) connection or over a synchronous (high-speed)
point-to-point serial connection.

The first layer is the ISO HDLC framing, which gives PPP basic communication with a wide
range of devices.

The second layer is LCP, which negotiates the link options with the peer. These features
include authentication, callback, compression, and multilink.

The third layer is the NCPs, which are responsible for supporting multiple network-layer
protocols. The architecture is open, so an NCP can be defined for any suitable protocol;
examples include IPCP (IP), IPXCP (IPX), and CDPCP (Cisco's CDP).

4 features of LCP

This section covers the features included in PPP. Authentication requires the connecting
device to present a username and password before the WAN connection comes up. This
adds little on a dedicated point-to-point line, but it is an important security measure on
the PSTN, where anyone can dial the number. PPP supports two authentication protocols:
the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication
Protocol (CHAP).

PAP is the older method, and the client controls when authentication happens:
1. The client dials up to a router running PPP.
2. After the link is established, the client sends its username and password at the LCP
(feature) layer.
3. The PPP router checks the username and password against its user database and
allows or denies the client.
This method is not secure and should only be used with old equipment that supports
nothing better, because it is open to sniffing and replay attacks: the credentials are sent
in clear text, so anyone who can capture the exchange learns the password, and an
attacker who captures the Authenticate-Request can simply send the same packet again
later and be accepted.

CHAP is more secure than PAP. It works as follows:
1. The client dials up to a router running PPP.
2. The router sends the client a challenge message (a random value plus an identifier).
3. The client responds with a hash computed over the identifier, the password it is
configured to use, and the challenge.
4. The router computes the same hash from its own copy of the password; if the two
match, the client is allowed onto the network.
5. After the client is authenticated, the router repeats the challenge at intervals, and the
client must answer each new challenge with a fresh hash.
In CHAP the router/server is in control of the process and decides when proof of the
password must be sent, so a replay attack is hard to carry out: a captured response is only
valid for the challenge it answered, and even a successful replay is cut off at the next
re-challenge. Note that a hash is not encryption. It is the result of a one-way
mathematical function applied to the identifier, password and challenge, so the router
never decrypts anything; it just computes the hash itself and compares it with the one the
client sent. The hash CHAP uses is MD5.
The client and server must hold the identical password or authentication fails. Because
both ends need the cleartext password to compute the hash, it is stored in a recoverable
form in the router configuration ('service password-encryption' only obfuscates it), so the
configuration file itself must be protected. A captured challenge/response pair also lets an
attacker guess the password offline, so choose a long, random shared secret.
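The PAP and CHAP exchanges described above, written out as the messages each side sends, as an added example that is not part of the original page and is not Cisco code. The CHAP response is computed exactly as RFC 1994 specifies, MD5 over the identifier octet, the shared secret and the challenge; the peer name 'Branch', the shared secret, the user database and the wordlist used in the offline-guessing function are assumptions made for the example. The two demo functions show the difference the text describes: a sniffed PAP request can be replayed, a sniffed CHAP response cannot.

```python
"""PAP and CHAP modelled as the messages each PPP peer sends.

Added example, not Cisco code. CHAP response per RFC 1994:
MD5(identifier || secret || challenge). Names and secrets are made up.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, Optional, Tuple

# the authenticating router's user database ('username Branch password ...')
USER_DB: Dict[str, bytes] = {"Branch": b"s3cret-shared"}


# ---- PAP: the client sends name and password in clear text -----------------
def pap_request(name: str, password: bytes) -> Tuple[str, bytes]:
    """Authenticate-Request as it crosses the wire: no protection at all."""
    return (name, password)


def pap_verify(request: Tuple[str, bytes]) -> bool:
    name, password = request
    return name in USER_DB and hmac.compare_digest(USER_DB[name], password)


# ---- CHAP: the server challenges, the client proves it knows the secret ----
def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 4.1: MD5 over the identifier octet, the secret and the challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """The router side: issues challenges and checks responses."""

    def __init__(self, rng: Callable[[int], bytes] = os.urandom) -> None:
        self._rng = rng
        self._ident = 0
        self._pending: Optional[Tuple[int, bytes]] = None

    def challenge(self) -> Tuple[int, bytes]:
        """Challenge packet: a new identifier and a fresh random value. The router
        re-issues this at intervals after the link is up (re-authentication)."""
        self._ident = (self._ident + 1) % 256
        self._pending = (self._ident, self._rng(16))
        return self._pending

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Response packet: accepted only if it answers the outstanding challenge."""
        if self._pending is None or ident != self._pending[0]:
            return False                 # nothing outstanding, or a stale/replayed response
        challenge = self._pending[1]
        self._pending = None             # a challenge is good for exactly one answer
        secret = USER_DB.get(name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)


class ChapPeer:
    """The client side: holds the shared secret and answers challenges."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self.secret = name, secret

    def answer(self, ident: int, challenge: bytes) -> Tuple[int, str, bytes]:
        return (ident, self.name, chap_response(ident, self.secret, challenge))


def offline_guess(ident: int, challenge: bytes, response: bytes,
                  candidates: Iterable[bytes]) -> Optional[bytes]:
    """What an eavesdropper can do with one captured exchange: CHAP never sends
    the secret, but a weak secret falls to a dictionary run like this."""
    for guess in candidates:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


def pap_replay_succeeds() -> bool:
    captured = pap_request("Branch", b"s3cret-shared")   # sniffed from the wire
    return pap_verify(captured) and pap_verify(captured)  # same packet accepted again


def chap_replay_fails() -> bool:
    auth, peer = ChapAuthenticator(), ChapPeer("Branch", b"s3cret-shared")
    captured = peer.answer(*auth.challenge())             # sniffed response
    first = auth.verify(*captured)                        # genuine login succeeds
    auth.challenge()                                      # router re-challenges later
    return first and not auth.verify(*captured)           # replayed response rejected
```

The verifier consumes each challenge after one answer, which is what makes the replay fail; the offline_guess function is the reason the last sentence above insists on a long random secret, since the identifier and challenge travel in the clear and MD5 is fast.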

Another feature is callback, which lets a dial-up server/router running PPP hang up and
call the user back at a predefined number. This is quite secure, as the dial-up user has to
authenticate and then be present at the predefined phone number to receive the return
call. The other advantage is toll consolidation: the long-distance charges land on the
company's line rather than the user's. Callback works as follows:
1) A user dials into a router using PPP and authenticates.
2) On successful authentication, the router terminates the connection (typically without
any notification) and dials the user back at the number the administrator configured.
3) On reconnecting, the user authenticates a second time.
4) On successful authentication, the user is granted network access.

The third feature is compression, which is designed to make your WAN link carry more
data. It costs router CPU and memory, how much depending on the compression
algorithm you use.

One compression type is called Stacker (Lempel-Ziv based). For every packet it looks up
the character stream in a dictionary, replaces runs of characters with codes, and starts
again for the next packet. Because each packet is treated independently it suits streams
whose data types vary constantly. It leans heavily on the CPU but has less effect on the
router's memory.

Another type is called Predictor, which tries to predict the next character stream based on
an index file. This works well on streams with similar traffic patterns; it uses more memory
than CPU (as long as the index file does not grow very large).

Microsoft Point-to-Point Compression (MPPC) offers slightly better CPU and memory
usage. It is a Microsoft protocol, but it is documented in RFC 2118 so that other vendors'
devices can interoperate with an MPPC client.

The final feature of the quartet is multilink (MLPPP), which bundles multiple WAN
connections into a single logical connection (whether two 33.6 Kbps modems or four T1
lines). You assign the IP address, configure authentication, and optionally enable
compression on the bundle rather than on each link.
This way several physical links are managed centrally and traffic is load-balanced evenly
across them (at a slight cost in processor and memory usage).

PPP configuration and troubleshooting

To enable PPP, use '(config-if)#encapsulation ppp' on the serial interface at both ends
(DCE and DTE).

The CCNA exam uses two-way authentication, meaning that when two routers connect,
each has to authenticate to the other. To set up two-way CHAP you 1) enable PPP
encapsulation on the interface, 2) configure the hostname of each router (it serves as the
CHAP username, so the two names must differ), 3) create a user account for the other
router on each side, and 4) turn on CHAP authentication on the interface.

The first two steps have been covered, so we move on to the third. To set up a username
and password, enter global configuration mode and use 'username other-router-hostname
password shared-password'. For CHAP the password configured on both routers has to be
the same, because each side computes the same hash from it.

To set the compression type for the session, go to the interface and type 'compress'
followed by the name of the algorithm; the available names are listed by 'compress ?'.
Again, both routers must be set the same way.

You can verify the configuration with 'show ip interface brief' or with 'show interface'
followed by the interface name/number. If the router negotiated the Link Control Protocol
(LCP) options, the state shows as "LCP Open". If LCP negotiation failed (most likely
because of an authentication problem), the LCP state cycles between Listen, ACKsent and
TERMsent. The line below "LCP Open" lists the Network layer protocols running across
the PPP link (the open NCPs); note that CDP appears there too, since CDPCP is
negotiated like a network-layer protocol.
You can also check compression statistics with 'show compress'. Note that the control
traffic the routers themselves generate over the link is not compressed.

Troubleshooting can be done with 'debug ppp negotiation', which shows the list of PPP
actions (LCP, authentication and NCP phases) as they happen; another useful command is
'debug ppp authentication', which shows just the PAP/CHAP exchange.

Chapter 23. Frame Relay

Virtual circuits are logical links through the service provider's network that give routers the
impression they are connected directly. If you run a traceroute, the router at one end
appears to be one hop from the router at the other end, when in truth they may be far, far
apart.

As a network administrator you do not have to know what the service provider does
internally, but you do know that the virtual circuits you purchase connect distant networks
in one hop.

Frame Relay is less expensive than T1 lines and, unlike most other WAN technologies, it is
not limited to point-to-point: if you wish, one router can connect to five routers at the same
time over one physical link.

Here are the three Frame Relay designs:
• Hub and spoke: one main, central router (HQ) is the hub and the branch-office routers
are the spokes. The branches rarely talk to each other but often reach resources at HQ.
When branches do need to talk to each other, the data must pass through the hub; this is
tandem switching. That is a problem for companies using VoIP, because the extra delay
makes calls sound bad, and if the hub router fails the whole network goes down.
• Partial mesh: sits between hub-and-spoke and full mesh. Critical sites get multiple
virtual circuits for redundancy, while less important sites get only one.
• Full mesh: maximum redundancy and minimum latency, but also the most costly option.

There are permanent virtual circuits (PVCs) and switched virtual circuits (SVCs).

A permanent virtual circuit (PVC) is a permanently established circuit through the Frame
Relay provider's network. It lets the routers at each end communicate without any setup
process, closely emulating a leased line between your devices.
An SVC is also connected end to end between routers, but it is set up on demand and
may be billed per use; SVCs have largely fallen out of use over the years.

Your router communicates with the provider's switch using the Local Management
Interface (LMI). In older IOS versions you had to set the LMI type to match the provider's
manually; newer versions detect and set it automatically.

Just as MAC addresses identify devices on a LAN, a number called the data-link
connection identifier (DLCI) identifies a virtual circuit in Frame Relay. Unlike a frame's
source and destination MAC addresses, however, a DLCI identifies only the local end of
the PVC over which the frame is sent. DLCIs are locally significant, and the range available
at a site is assigned by the provider; the same DLCI number may therefore appear on both
the sending and the receiving router while representing entirely different circuits.

The local access rate, also known as line speed, is the maximum physical speed of your
Frame Relay connection, typically up to about 44 Mbps (T3). Your actual throughput can
never exceed the line speed.

How fast a virtual circuit can go is governed by its Committed Information Rate (CIR), the
minimum speed the provider guarantees for that circuit; most of the time you get more
than that, but when everyone is using the bandwidth the provider may cut you back to the
CIR.
Line speed is the ceiling that the sum of all your CIRs should not exceed, since it is the
most the link can carry no matter how many virtual circuits you purchase.
Some providers sell virtual circuits with a CIR of 0 Kbps; before buying one, consider the
provider's reputation, or you may end up with no bandwidth at all in busy periods.

Discard eligible (DE) is the state of traffic sent above the CIR you purchased; the provider
marks such frames DE, meaning they are the first to be dropped when the line gets busy.

Without special configuration your PVC runs at the line speed. If your CIR and local
access rate differ greatly, the PVC soon becomes congested (one end is slower than the
other). The provider then signals the router sending the large amount of traffic to slow
down, using the Backward Explicit Congestion Notification (BECN) and Forward Explicit
Congestion Notification (FECN) bits in the Frame Relay header.

When a router sends faster than the far end can handle, the provider sets the BECN bit in
frames travelling back toward the sender, telling it to slow down. By default a Cisco router
ignores BECNs; reacting to them requires Frame Relay traffic shaping to be configured. If
your router does not slow down, the provider discards the excess (DE) traffic, which
causes a dramatic drop in performance.
FECN does not tell the receiving router to slow down directly. It is set in frames heading
toward the receiver (the same signal as BECN, sent the other way), which matters when
the traffic is not TCP and there is no acknowledgment flow on which BECNs could ride
back. If the receiving router is configured to support FECNs, it generates a "junk" Q.922
test frame and sends it back toward the sender, giving the provider a frame in the reverse
direction on which to set BECN. The junk really is junk: the sending router drops it on
receipt.

Frame Relay is a non-broadcast multi-access (NBMA) network: a single interface can
connect to several devices, but broadcasts are not flooded between them, and split
horizon still applies to the interface. In a hub-and-spoke design, if one spoke wants to tell
all the others about something (a routing update, for instance), split horizon at the hub
stops the update going back out the interface it came in on; this hits distance-vector
routing protocols especially hard. The solutions are 1) disable split horizon at the hub, or
2) use sub-interfaces.

Sub-interfaces let you break a single physical interface into multiple logical interfaces. You
still have one physical connection to the Frame Relay provider, but the router treats it as
several connections. There are two kinds of Frame Relay sub-interface: point-to-point and
multipoint. Only the point-to-point type fixes the split-horizon problem, by giving each PVC
its own sub-interface.

Multipoint means several PVCs terminate under one logical interface, which shares a
subnet. Point-to-point means each remote router is reached through its own local logical
sub-interface, so routing updates do not have to violate split horizon and you avoid routing
loops. The IP address is configured on the sub-interface.

Frame Relay works at the data link layer, but to route a packet a router needs to know
which DLCI reaches which Layer 3 address. There are two ways to learn this: Inverse ARP
and static mapping.

Inverse ARP operates as follows:
1) You connect your router to the provider through a serial interface.
2) The provider uses LMI to tell your router which DLCIs it can use to reach your remote
sites.
3) Your router sends an Inverse ARP message over each DLCI, asking the remote router to
reply with its IP address.
4) Once the reply arrives, your router records the DLCI-to-IP mapping for future use.
NOTE: Inverse ARP is not used on point-to-point sub-interfaces. To rely on Inverse ARP,
leave the DLCIs under the physical interface (or a multipoint sub-interface), which makes
that interface a multipoint interface if it carries several DLCIs.

With static mapping, you manually enter the DLCI-to-IP-address mapping for each PVC.
This gives you complete control over the mapping process and works on any interface
type, including sub-interfaces (unlike Inverse ARP).
User DLCIs start at 16; the lower numbers are reserved for signalling.

There are three Frame Relay situations you can configure:

Your router is connected to another router point-to-point over the physical interface. This
is the easiest configuration, since the mapping happens automatically. To start Cisco's
proprietary Frame Relay encapsulation, use '(config-if)#encapsulation frame-relay'; to use
the IETF standard, use '(config-if)#encapsulation frame-relay ietf'.

To verify, use '#show frame-relay lmi'. The numbers of status messages sent and received
should be roughly equal and increase steadily; if something is wrong, the 'Num Status
Timeouts' field increments steadily instead.

Continue verifying with '#show frame-relay pvc' (for SVCs the command differs), which
lists every PVC. The line under each table heading is the important one: it shows the DLCI
of the connection and the status of the PVC, which can be active, inactive, deleted or
static.
Active: the circuit is established end to end between the two routers. This is the normal
state when everything works.
Inactive: your (local) side of the connection is fine, but the other side is either not
configured or offline.
Deleted: the problem is on your (local) side. Most likely you are using a DLCI number that
the provider has not configured.
Static: the PVC was entered manually by you (the administrator) rather than learned
dynamically from the provider.

'#show frame-relay map' shows the DLCI and the corresponding IP address for every
connection, together with the PVC status.

Also, as noted earlier, old IOS versions cannot detect the LMI type the provider uses, so
you must set it with '(config-if)#frame-relay lmi-type' followed by 'cisco', 'ansi' or 'q933a'.
Of course, you need to find out from the provider which LMI type to use before doing this.

Your routers can also be configured with sub-interfaces; this is a hub-and-spoke network
using a point-to-multipoint design. Multipoint can be configured either 1) under the
physical interface itself or 2) on a sub-interface.
To create a sub-interface, use '(config)#interface serial 0.' followed by a number from 0 to
4294967295, then 'point-to-point' or 'multipoint'. Remember that multipoint is configured
on the hub, while point-to-point is configured on the spokes.
In this design you must configure the spokes for tandem switching, in particular with static
maps, so they can reach each other through the hub. It is recommended to use only one
mapping method across the network, either Inverse ARP or static maps. For example,
'(config-if)#frame-relay map ip 192.168.5.2 503 broadcast' means "to reach the remote
router at 192.168.5.2, use local DLCI 503". The 'broadcast' keyword makes the router
send broadcast and multicast traffic (such as routing updates) over this PVC, which Frame
Relay would otherwise not do; it does not by itself defeat split horizon.
Remember that each spoke's mapping must contain static entries for the other spokes as
well as for the hub, all pointing at the same DLCI (the spoke's single PVC to the hub).

Note that besides the WAN connection you also need to configure routing to the remote
networks with a routing protocol so that data can flow between them. Verify with '#show
ip route'.

Also be aware that because split horizon is in effect, a spoke will not see the other spokes'
networks in its routing table. To overcome this you can either 1) move to a point-to-point
design, or 2) configure 'no ip split-horizon' on the hub's interface.

The point-to-point design requires you to create a logical sub-interface for each PVC
coming out of your location. On a hub with two spokes that means two logical
sub-interfaces (on the same physical interface), each in a DIFFERENT subnet, so the
spokes learn each other's networks and put them in their routing tables. After you create
the sub-interfaces, the router sees them as completely independent connections. The only
disadvantage of point-to-point is that you must configure a separate subnet for each PVC,
whereas multipoint lets all routers share a common subnet.

To configure a point-to-point design, use the same command as above ('(config)#interface
serial 0.' followed by a number from 0 to 4294967295) ending with 'point-to-point' instead
of 'multipoint'.
Then use 'ip address' to assign the IP address and 'frame-relay interface-dlci' to assign the
DLCI number.
In a point-to-point design the logical interfaces are listed individually in 'show ip interface
brief'.

To troubleshoot, 'debug frame-relay lmi' focuses on your direct communication with the
provider. If the 'myseq' field keeps increasing while 'yourseen' stays at zero and no full
status replies arrive, your LMI type is probably wrong. To fix it, 'show frame-relay lmi'
shows the LMI type you are using; change it to match the one your provider supports.
In the status reports, 0x0 = inactive, 0x2 = active, and 0x4 = deleted.

Chapter 24. Understanding VPN connectivity

A VPN can be an alternative to a WAN, although it is not a WAN. A VPN is:
• Cheaper than a WAN, and makes a meshed topology affordable.
• Easier for remote access, since users no longer need to dial a modem.
• Scalable: the company can grow without the serious cost of adding significant
infrastructure.

However, with the good comes the bad:
• A VPN is not inherently secure, since the data travels over the Internet; encryption and
authentication protocols have to be added to protect it.
• Higher overhead, because of the encryption and authentication and the tunnel headers
themselves.
• No guarantee of delivery, and above all an unpredictable delay, which makes latency-
sensitive applications such as VoIP hard to run well.

VPN connections come in two kinds, site-to-site and remote-access, and are usually
drawn as logical tunnels.
Site-to-site VPNs are the direct replacement for private-line WAN connections. They allow
offices to maintain permanent or semi-permanent connections to each other through the
Internet.

A VPN connection can be permanent or semi-permanent. With a permanent connection,
data sent between the two locations passes through immediately without delay. The
drawback is that router or firewall resources are always consumed to keep the tunnel up.
Semi-permanent connections are an "on-demand" style of VPN. When the VPN is needed,
the router or firewall establishes the tunnel; when it is no longer required (no data is trying
to pass between the offices), the router or firewall tears it down. Because idle tunnels are
not maintained, a semi-permanent connection makes the most of your resources. On the
flip side, the tunnel takes a moment to establish when data needs to be sent, so the first
connection attempt between the offices may be delayed or fail while the tunnel is formed.

Remote-access VPNs are typically used to let telecommuters or mobile workers connect to
the corporate network from home or from a hotel; this kind of connection is always
semi-permanent.
Remote-access VPNs can be configured through a system called Cisco Easy VPN. An
alternative is SSL VPN, which lets users log into the network remotely from a web browser,
eliminating the need for separate client software.

SSL VPNs come in two forms: clientless and thin client.

Clientless: after the user has successfully authenticated to the VPN, the firewall or
router presents a web page (portal) listing the resources the user may access. The
clientless VPN does not allow users to run applications on their own PC over the VPN;
everything happens inside the browser.

Thin client: after the user successfully authenticates to the VPN, the device asks the
browser to install an ActiveX- or Java-based plug-in. This plug-in handles the user’s
connection to the remote network by forwarding traffic from local applications through
the tunnel; at the time of writing, only TCP-based applications can be used this way.

To run a VPN connection, you must have a router or firewall that supports VPN
connectivity (such as a Cisco ISR or ASA firewall) and, only if you are deploying a
remote-access VPN, a VPN client.
Integrated Services Routers (ISRs) are business-class routers that can handle both
site-to-site and remote-access VPN connectivity. ASA firewalls (the successor to the
PIX firewall) handle many security aspects of the network and also support both VPN
methods.
ISRs are designed to handle routing as their primary function (which they do quite well)
and VPNs as a secondary function (which they do fairly well). The ASA is designed to
handle VPNs and other firewall processes as its primary function (which it does quite
well) and routing as a secondary function (which it does fairly well).
If you are managing a site-to-site connection, two routers or two ASA firewalls are all
that is required. If you are managing remote-access VPN connections, you also need
to choose a VPN client.

• Cisco VPN client: If you purchase a Cisco SmartNET agreement (Cisco’s name for an
extended support and warranty agreement) with your ISR router or ASA firewall, you can
download the latest versions of the Cisco VPN client. This provides the most
compatibility (it supports the most features) when used with the Cisco VPN solution. For
example, you can enable a VPN-triggered firewall that starts working as soon as the
user connects to the VPN. This firewall protects the client from being compromised by
Internet-based attacks while it is connected to the VPN (a compromised client would
otherwise be a bridge into the corporate network). When the user disconnects from the
VPN, the firewall disables itself to allow unfiltered Internet and local network access.
The rules of this firewall are controlled by the Cisco administrator (that’s you!).
• Certicom client: The Certicom client is a widely supported VPN client that can be
installed on portable devices such as a PDA. This allows the user to connect to the
corporate VPN from the PDA and perform tasks such as checking corporate email.
• Cisco VPN 3002 hardware client: You can install this lower-cost device in a small
office/home office (SOHO) environment. It establishes on-demand VPN connections
when data that needs to cross the VPN is sent. This works without installing any
software on the client PCs or training users on VPN software. Although this product is
end of life (EOL: no longer manufactured by Cisco), third-party companies make similar
products that are compatible with the Cisco VPN solution.
• Third-party IPsec VPN software: The industry-standard IPsec protocol is supported in
many other VPN clients. So if you or your company has purchased other, non-Cisco,
IPsec-compatible VPN software, chances are you can make it work with the Cisco VPN
solution. It may just take a little more work!

IPsec (Layer 3) stands for IP Security, a suite of protocols used to protect IP packets,
and therefore the TCP/UDP data they carry, as they cross a network. IPsec is better
described as a framework: IPsec itself does not define a single encryption or hashing
method. Instead it specifies how the different protocols fit together, and the two
endpoints negotiate which combination to use to secure the data. The IPsec framework
includes the IPsec protocol (AH or ESP), an encryption algorithm, an authentication and
integrity algorithm, and the Diffie-Hellman (DH) group used for key exchange.

Encryption is officially called data confidentiality. Its function is to make any data that
you send unreadable to unauthorized devices and yet understandable to authorized
devices. Each device that wants to encrypt or decrypt data needs the appropriate key.
The encryption algorithm is the mathematical formula that scrambles the data; the key
is a secret value fed into that formula, and it is what keeps the data private. The
algorithms themselves are public, so the security rests entirely on keeping the key secret.
The basic steps for symmetric encryption are:
1. Clear-text (unencrypted) data and the key are fed to the encryption algorithm, which
runs the data through its mathematical formula and renders it unreadable.
2. The encrypted data is transmitted across the potentially unsecured network and is
received by the destination device.
3. The destination device uses the same key to decrypt the scrambled data, returning it
to its original, clear-text form.
The common symmetric algorithms are DES, 3DES, and AES.
DES: Originally developed by IBM, it uses a 56-bit key (in general, the longer the key,
the harder the algorithm is to break by brute force). By today’s standards DES is weak:
its 56-bit key space can be searched exhaustively.
3DES: Runs the DES algorithm three times with different encryption keys (hence the
name 3DES). This significantly improved the strength of the original DES algorithm.
AES: Offers the strongest encryption, with 128-, 192-, or 256-bit keys, and is the
algorithm to choose today.

The Diffie-Hellman (DH) key exchange algorithm addresses a gigantic missing piece of
the symmetric encryption systems we just talked about. Again, the symmetric encryption
algorithms (including DES, 3DES, and AES) use a “shared key” approach in which the
same key both encrypts and decrypts data. This is very efficient on processing cycles, but
it raises a question. If the same key encrypts and decrypts data, how do both of the
devices get the key? Simple! The devices just send the key to each other over the
network. So, next question: If they just send the key to each other over the network,
couldn’t someone intercept the key and use it to decode all the transmissions? Ah, now
that is the problem, and this is where the DH key exchange algorithm comes in. The
goal of DH is to give devices a way to agree on a shared secret over a public network
without ever sending the secret itself. To accomplish this, each endpoint keeps a private
value and sends the other only the result of a mathematical formula applied to it, over
the clear network. Combining its own private value with the result received from the
peer, each VPN endpoint computes the same shared secret value, which is then used to
generate the symmetric encryption keys (which are much easier for the devices to
process) for the VPN session. An eavesdropper who captures the exchanged results
cannot feasibly work back to the secret.
The DH key exchange algorithm uses monstrously huge numbers (some more than
300 digits long) to accomplish its mathematical cryptographic process. DH is public-key
(asymmetric) cryptography, and it is much harder on the device’s processor than
symmetric encryption. This is why DH is used only briefly at the start of the session to
generate the symmetric encryption keys. Note also that DH by itself does not tell you
who is on the other end of the exchange; that is why IPsec pairs it with the
authentication piece of the framework (a pre-shared key or digital certificates).

Although the Diffie-Hellman algorithm has long been used to secure symmetric
encryption key exchange over a public network, SSL (and its successor, TLS) is a
cryptographic protocol that provides secure communications over the Internet for things
such as web browsing, instant messaging, and email. It is discussed here because SSL
VPNs continue to increase in popularity. As with Diffie-Hellman, the goal of SSL is to
provide secure communications over a public network. To accomplish this, SSL uses a
dual-key approach: each device has a key pair consisting of a public key and a private
key. The two keys are mathematical inverses of each other: anything that the public key
encrypts, only the private key can decrypt, and anything that the private key encrypts,
the public key can decrypt. The public key can be handed out freely because the
mathematics behind the pair make it computationally infeasible for someone who has
one key to derive the other. For example, if you have a public key, you cannot feasibly
figure out what the private key is, and vice versa.

The SSL key exchange goes through the following steps:

1. PC1 and PC2 send each other their respective public keys.
2. One of the devices (PC1 in this example) generates a shared-secret key (for symmetric
encryption) that will be used to encrypt and decrypt data for the session.
3. PC1 encrypts the shared-secret key using the public key of PC2 and transmits the
encrypted key to PC2.
4. PC2 decrypts the shared-secret key using its private key. Now that both PC1 and
PC2 have the same shared-secret key, it is used to encrypt and decrypt all
communication for the secured session.
SSL uses asymmetric encryption (public and private keys) at the start of the conversation
to provide a secure exchange of a shared secret key. As soon as the devices have the
shared secret key, the SSL session switches to symmetric encryption because it is much
more efficient on the devices’ processors. (This is the RSA key-transport exchange used
by SSL and by TLS up to version 1.2; TLS 1.3 dropped it in favor of an ephemeral
Diffie-Hellman exchange, which gives forward secrecy: a private key stolen later cannot
be used to decrypt recorded sessions.)
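Added example, not part of the original notes: the four SSL key-exchange steps above,
carried out with textbook RSA in pure Python. The primes, the public exponent and the
session secret are constructed for the demonstration; the primes are tiny and there is no
padding, so this shows the mechanism only and is not a secure implementation.

```python
# Added example (not from the CCNA notes): RSA key transport as in the SSL steps.
# Textbook RSA with tiny constructed primes and no padding: illustration only.
import hashlib
import secrets

# Constructed demo primes (the 10,000th and 100,000th primes). Real RSA keys use
# two primes of ~1024 bits or more; these give only a ~37-bit modulus.
P_DEMO, Q_DEMO = 104729, 1299709
E_DEMO = 65537  # the customary public exponent


def rsa_keygen(p, q, e=E_DEMO):
    """Return (public, private) as ((n, e), (n, d)); d is the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public, m):
    """Anything encrypted with the public key can be opened only with the private key."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def key_transport():
    """Steps 1-4: PC2 publishes its key, PC1 picks a session secret and encrypts it to
    PC2's public key, PC2 recovers it with its private key. Returns the symmetric key
    each side derives, what crossed the wire, and the original secret."""
    pc2_public, pc2_private = rsa_keygen(P_DEMO, Q_DEMO)   # step 1: PC2 sends (n, e)
    shared_secret = secrets.randbelow(2 ** 32)             # step 2: PC1 picks the secret
    on_the_wire = rsa_encrypt(pc2_public, shared_secret)   # step 3: only PC2 can open this
    recovered = rsa_decrypt(pc2_private, on_the_wire)      # step 4: PC2 decrypts it
    # Both sides now derive the same symmetric session key from the shared secret
    # and switch to symmetric encryption for the rest of the session.
    key_pc1 = hashlib.sha256(shared_secret.to_bytes(4, "big")).digest()
    key_pc2 = hashlib.sha256(recovered.to_bytes(4, "big")).digest()
    return key_pc1, key_pc2, on_the_wire, shared_secret
```

An eavesdropper sees only `on_the_wire`; without PC2’s private key it cannot recover the
secret. Note what this design cannot give you: anyone who later obtains PC2’s private key
can decrypt every recorded exchange, which is why ephemeral Diffie-Hellman replaced RSA
key transport in TLS 1.3.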

When many IT people think of authentication, they equate it to entering a username
and password to log on to a PC. This form of authentication is designed to verify that
the person using the computer is who he says he is. Authentication as it applies to
IPsec performs a similar, but not identical, job. When sending data over an unsecured
network, you must ensure that the data received is exactly the same as the data sent
and that the data is received from a trusted source. If the data changed somewhere
between the sending and receiving devices, the security protocol should detect the
change and reject the data. Authentication is often used synonymously with the terms
data integrity and hashing in the IPsec world. Technically speaking, authentication
verifies that the device sending the data is the “true” device (not a fake). Data integrity
ensures that the data does not change from one end to the other.
The process that accomplishes data integrity is similar to encryption, but with a slightly
different angle. As with encryption, hashing passes all the data contained in the packet
(above Layer 3) through a mathematical algorithm. However, the job of this
mathematical algorithm is not to scramble the data, but to produce a short, fixed-length
result known as the hash. As a toy illustration, the algorithm might say something like
“Add up all the vowels in this data packet,” and the result might be 96; a real hash
function produces a value that changes unpredictably if even one bit of the input changes.

This result (the hash) is then appended to the end of the data and is sent to the
receiver.
The step-by-step hashing process goes like this:
1. The sending device passes the data to be transferred through a hashing algorithm
and comes up with a result (the hash).
2. The hash is appended to the data and is sent to the receiving device.
3. The receiving device receives the data and runs it through the same hashing
algorithm to generate a result. The result is then compared to the result that was
originally appended to the data. If the hashed values are the same, the receiving
device is assured that the data did not change during transmission. If the values are
different, the data did change, and the receiving device discards it.
Note that a plain hash on its own only detects accidental corruption: an attacker who
alters the data could simply recompute the hash and append the new value. IPsec
therefore uses a keyed hash, an HMAC, in which the shared session key is mixed into
the hash computation. Without the key an attacker cannot produce a matching hash, so
the same check provides both integrity and authentication of the sender.
There are two popular hashing algorithms: MD5 (128-bit hash) and SHA-1 (160-bit
hash). Collisions have been found for both, so SHA-2 (for example SHA-256) should be
preferred where the platform supports it.
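Added example, not part of the original notes, serving both the Diffie-Hellman and the
hashing sections: two endpoints agree on a shared secret over a “clear” channel, derive
a symmetric key from it, and then use that key in an HMAC so the receiver can tell an
intact packet from a tampered one. It uses only the Python standard library. The DH
group is the 2048-bit MODP group of RFC 3526 (IKE group 14), transcribed here and
checked for primality at run time; the payload, the key label and the one-bit “attacker”
edit are constructed for the demonstration.

```python
# Added example (not from the CCNA notes): Diffie-Hellman agreement followed by a
# keyed integrity check (HMAC-SHA-256), standard library only.
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (IKE "group 14"), transcribed here; generator 2.
# sanity_check_group() confirms the transcription: p and (p-1)/2 must both be prime.
MODP_2048 = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
GENERATOR = 2


def is_probable_prime(n, rounds=6):
    """Miller-Rabin probable-prime test; used only to sanity-check the constant above."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def sanity_check_group(p=MODP_2048):
    # A safe prime: p and q = (p-1)/2 are both prime, so public values other than
    # 0, 1 and p-1 all lie in a large subgroup.
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def dh_keypair(p=MODP_2048, g=GENERATOR):
    """The private exponent never leaves the device; g^x mod p is what goes on the wire."""
    private = secrets.randbelow(p - 2) + 1
    return private, pow(g, private, p)


def dh_shared_secret(own_private, peer_public, p=MODP_2048):
    # Reject degenerate peer values first: 0, 1 and p-1 would force a predictable
    # secret no matter what our private exponent is.
    if not 2 <= peer_public <= p - 2:
        raise ValueError("invalid Diffie-Hellman public value from peer")
    return pow(peer_public, own_private, p)


def derive_key(shared_secret, label, p=MODP_2048):
    """Hash the large shared secret down to a 32-byte symmetric key for the session."""
    secret_bytes = shared_secret.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(secret_bytes + label).digest()


def dh_exchange():
    """Both endpoints end up with the same key although only public values crossed the wire."""
    a_private, a_public = dh_keypair()
    b_private, b_public = dh_keypair()
    key_a = derive_key(dh_shared_secret(a_private, b_public), b"ipsec-integrity")
    key_b = derive_key(dh_shared_secret(b_private, a_public), b"ipsec-integrity")
    return key_a, key_b


def protect(key, payload):
    """Sender side of the hashing steps: append a keyed hash (HMAC) to the data."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify(key, message):
    """Receiver side: recompute the HMAC and compare in constant time.
    Returns the payload if intact, None if the data or the hash was altered."""
    payload, tag = message[:-32], message[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def demo():
    """Returns (intact message accepted, tampered message rejected)."""
    key_a, key_b = dh_exchange()
    wire = protect(key_a, b"constructed payload: 10.1.0.0/16 -> 10.2.0.0/16")
    accepted = verify(key_b, wire) is not None
    altered = bytearray(wire)
    altered[0] ^= 0x01  # the "attacker" flips one bit of the data in transit
    rejected = verify(key_b, bytes(altered)) is None
    return accepted, rejected
```

Two details matter in practice and are easy to miss in the prose: the receiver must
validate the peer’s public value before exponentiating (`dh_shared_secret` rejects the
degenerate values), and the integrity check must be keyed; with a plain hash the
attacker in `demo()` could simply recompute the hash after flipping the bit.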

There are two IPsec protocols (“engines”) that carry the protected data:

• Authentication Header (AH): The AH protocol (IP protocol number 51) was the first
IPsec engine to be released. It supports only authentication (verifying the sending and
receiving devices) and data integrity (ensuring that data does not change in
transmission). AH does not support any encryption. Because the AH hash also covers
the outer IP header, AH breaks when a NAT device rewrites the addresses in transit.
• Encapsulating Security Payload (ESP): The ESP protocol (IP protocol number 50)
was the second IPsec engine to be released. It filled in the massive missing piece of
AH: encryption. The ESP protocol supports all three pieces of the IPsec framework:
authentication, data integrity, and encryption. Because of this, and because it can be
carried through NAT (NAT traversal wraps ESP in UDP port 4500), it is by far the more
popular of the two IPsec engines.
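Added example, not from the original notes: a site-to-site IPsec configuration for a Cisco
IOS router that ties the framework pieces together (DH group, encryption, keyed hash,
peer authentication, and the ESP engine), with the AH-only alternative shown in a comment
for comparison. The addresses (documentation ranges), names and pre-shared key are
hypothetical; the peer router mirrors this configuration with the addresses swapped.

```cisco
! --- Phase 1 (ISAKMP/IKE): how the two routers authenticate each other and which
!     DH group generates the keying material. "hash sha" is SHA-1; newer IOS accepts
!     "hash sha256".
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key Example-PSK-Change-Me address 203.0.113.2
!
! --- Phase 2 (IPsec): the ESP transform set. esp-aes = encryption (confidentiality),
!     esp-sha-hmac = keyed hash (integrity + authentication). ESP is IP protocol 50.
crypto ipsec transform-set TS-ESP esp-aes 256 esp-sha-hmac
 mode tunnel
!
! An AH-only transform would be:  crypto ipsec transform-set TS-AH ah-sha-hmac
! (integrity and authentication, no encryption; IP protocol 51; breaks behind NAT).
!
! "Interesting" traffic: only packets matching this ACL are sent through the tunnel,
! and the first such packet triggers IKE. A crypto map is therefore the on-demand
! (semipermanent) style of VPN described above.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-ESP
 set pfs group14
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
```

Check the result with `show crypto isakmp sa` (phase 1 is up when the peer shows
QM_IDLE) and `show crypto ipsec sa` (the `pkts encaps`/`pkts decaps` counters should
both increase when traffic flows). `set pfs group14` makes the routers run a fresh DH
exchange for every phase 2 key rather than deriving it from the phase 1 secret. If you
need the permanent style instead, configure a virtual tunnel interface (`interface
Tunnel0` with `tunnel mode ipsec ipv4` and `tunnel protection ipsec profile ...`),
which keeps the tunnel up as long as the interface is up.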
