
CCNA Discovery - Introducing Routing and Switching in the Enterprise
1 Networking in the Enterprise
1.0 Chapter Introduction
1.0.1 Introduction Page 1:

1.0.1 - Introduction Enterprise networks provide application and resource support to local and remote users anywhere and at any time. Intranets and extranets form the structure of a large enterprise network. Internal and external traffic patterns affect security and network performance. Advanced security and networking technology supports telecommuters so they can work productively away from the office. After completion of this course, you should be able to:

• Describe an enterprise.
• Identify traffic flows through an enterprise, and describe the importance of an intranet and extranet.
• Describe the different types and handling of traffic in the enterprise.
• Define the role and importance of a telecommuter.
• Describe the function and importance of VPNs.

1.1 Describing the Enterprise Network
1.1.1 Supporting the Business Enterprise Page 1: As businesses grow and evolve, so do their networking requirements. A large business environment with many users and locations, or with many systems, is referred to as an enterprise. Common examples of enterprise environments include:

• Manufacturers
• Large retail stores
• Restaurant and service franchises
• Utilities and government agencies
• Hospitals
• School systems

The network that is used to support the business enterprise is called an enterprise network. Enterprise networks have many common characteristics, some of which are:

• Support for critical applications
• Support for converged network traffic
• Need for centralized control
• Support for diverse business requirements

An enterprise network must support the exchange of various types of network traffic, including data files, email, IP telephony, and video applications for multiple business units.

1.1.1 - Supporting the Business Enterprise The animation depicts the growth of a business into an enterprise. The concept being communicated by the animation is that of a small business expanding, first with a connection to the Internet, and then the establishment of a branch network in the same city. Branches that are in two additional cities are connected back to the head office via the Internet. Home users, known as teleworkers, are added. Finally, an international office is connected. The animation begins by showing a small, single-location company. The company then expands by increasing its number of employees and connecting to the Internet. Next, the company grows to multiple locations in the same city. At this point, the animation shows two locations in New York, both interconnected through the Internet. Next, the company, now an enterprise, grows to multiple cities. The two locations in New York are now connected through the Internet to new locations in Orlando and Boston. Next, the enterprise hires teleworkers. The animation shows home users added in various cities. The enterprise expands to other countries, depicted by a connection to Osaka. In the final animation, the enterprise centralizes network management in a network operations center (NOC) located in the home office, New York. Note: Not all enterprise networks are international.

Page 2: Businesses increasingly rely on their network infrastructure to provide mission-critical services. Outages in the enterprise network prevent the business from performing its normal activities, which can cause lost revenue and lost customers. Users expect enterprise networks to be up 99.999% of the time.

To obtain this level of reliability, high-end equipment is commonly installed in the enterprise network. Enterprise-class equipment is designed for reliability, with features such as redundant power supplies and failover capabilities. Designed and manufactured to more stringent standards than lower-end devices, enterprise equipment moves large volumes of network traffic.

Purchasing and installing enterprise class equipment does not eliminate the need for proper network design. One objective of good network design is to prevent any single point of failure. This is accomplished by building redundancy into the network.

Other key factors in network design include optimizing bandwidth utilization and ensuring security and network performance.

1.1.1 - Supporting the Business Enterprise The diagram depicts redundant connections in a network. Multiple hosts are connected to switches. The switches also have connections between them. The same switches are connected to routers that, in turn, connect to the Internet. A redundant link occurs between the two routers. There are speech bubbles in the diagram, as follows: I have redundant routes to the Internet. I have redundant routes to the Server Farm.

1.1.2 Traffic Flow in the Enterprise Network Page 1: To optimize bandwidth on an enterprise network, the network must be organized so that traffic stays localized and is not propagated onto unnecessary portions of the network. Using the three-layer hierarchical design model helps organize the network. This model divides the network functionality into three distinct layers: Access Layer, Distribution Layer, and Core Layer. Each layer is designed to meet specific functions.

The access layer provides connectivity for the users. The distribution layer is used to forward traffic from one local network to another. Finally, the core layer represents a high-speed backbone layer between dispersed end networks. User traffic is initiated at the access layer and passes through the other layers if the functionality of those layers is required.

Even though the hierarchical model has three layers, some enterprise networks use the Core Layer services offered by an ISP to reduce costs.

1.1.2 - Traffic Flow in the Enterprise Network The diagram depicts the three layers of a hierarchical design model. The Access Layer contains three switches. Connected to these switches are eight computers, five IP telephones, one server, and one network printer. The Distribution Layer consists of three routers, one switch, one web server, a DNS server, and an email server. The Core Layer has the high-speed concentrator links to the Internet cloud. Brief descriptions of the hierarchical design model layers are included, as follows:

Access Layer
• Provides a connection point for end-user devices to the network
• Allows multiple hosts to connect to other hosts through a network device such as a switch
• Exists on the same logical network
• Forwards traffic to other hosts on the same logical network
• Passes traffic to the Distribution Layer for delivery if the message is destined for a host on another network

Distribution Layer
• Provides a connection point for separate local networks
• Controls the flow of information between local networks
• Ensures that traffic between hosts on the same local network stays local
• Passes on traffic that is destined for other networks
• Filters incoming and outgoing traffic for security and traffic management purposes
• Contains more powerful switches and routers than the Access Layer
• Passes data to the Core Layer for delivery to a remote network if the local network is not directly connected

Core Layer
• Provides a high-speed backbone layer with redundant (backup) connections
• Transports large amounts of data between multiple end networks
• Includes very powerful high-speed switches and routers

Page 2: The Cisco Enterprise Architectures divides the network into functional components while still maintaining the concept of Core, Distribution, and Access layers. The functional components are:

• Enterprise Campus: Consists of the campus infrastructure with server farms and network management
• Enterprise Edge: Consists of the Internet, VPN, and WAN modules connecting the enterprise with the service provider's network
• Service Provider Edge: Provides Internet, Public Switched Telephone Network (PSTN), and WAN services

All data that enters or exits the Enterprise Composite Network Model (ECNM) passes through an edge device. This is the point at which all packets can be examined and a decision made as to whether the packet should be allowed onto the enterprise network. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can also be configured at the enterprise edge to protect against malicious activity.

1.1.2 - Traffic Flow in the Enterprise Network The diagram depicts the Cisco Enterprise Architectures with three sub-blocks, labeled Enterprise Campus, Enterprise Edge, and Service Provider Edge. There are also two smaller blocks, labeled Enterprise Branch and Enterprise Teleworker. The following information is included for each block:

Cisco Enterprise Architectures

Enterprise Campus
• Building Access - Two Layer 3 switches. This Access Layer module contains Layer 2 or Layer 3 switches to provide the required port density. Implementation of VLANs and trunk links to the Building Distribution Layer occurs here. Redundancy to Building Distribution switches is important.
• Building Distribution - Two Layer 2/3 distribution switches. This Distribution Layer module aggregates building access using Layer 3 devices. Routing, access control, and QoS are performed at this layer. It is critical to provide redundancy in this area.
• Campus Core - Two Layer 2/3 distribution switches, directly connected with multiple links. This Core Layer module provides high-speed interconnectivity between Distribution Layer modules, data center server farms, and the Enterprise Edge. Redundancy, fast convergence, and fault tolerance are the focus of the design in this area.
• Server Farm and Data Center - Two servers and a single computer; network management takes place here. This module provides high-speed connectivity and protection for servers. It is critical to provide security, redundancy, and fault tolerance in this area.
• Management - This critical area monitors performance by monitoring device and network availability.

Enterprise Edge
• E-Commerce - One departmental server and router
• Internet Connectivity - One departmental server and router
• WAN and Metro Ethernet Site-to-Site VPN - One router
• Remote Access and VPN - One bridge and one switch
This module extends the enterprise services to remote sites and enables the enterprise to use Internet and partner resources. It provides QoS, policy enforcement, service levels, and security.

Service Provider Edge
• ISP A - Defined as multiple networking devices
• ISP B - Defined as multiple networking devices
• Frame Relay/ATM/Metro Ethernet - Defined as multiple networking devices
• PSTN - Defined as multiple networking devices

Enterprise Connection
• Enterprise Branch - One Layer 2/3 distribution switch
• Enterprise Teleworker - One desktop computer

Page 3: A well-designed network not only controls traffic but also limits the size of failure domains. A failure domain is the area of a network impacted when a key device or service experiences problems.

The function of the device that initially fails determines the impact of a failure domain. For example, a malfunctioning switch on a network segment normally impacts only hosts on that segment. However, if the router that connects this segment to others fails, the impact is much greater.

The use of redundant links and reliable enterprise-class equipment minimizes the chance of disruption in a network. Smaller failure domains reduce the impact of a failure on company productivity. They also simplify the troubleshooting process, thereby shortening the downtime for all users.

1.1.2 - Traffic Flow in the Enterprise Network The concept being communicated in this diagram is the impact of failure domains. An edge router connects to the Internet and to two switches. Switch 1 has a small network attached. Switch 2 has one hub and one switch attached, with several computers connected to each. If the router fails, the entire network fails. If Switch 1 fails, only its attached network fails. If Switch 2 fails, both of the attached networks fail. If the hub or Switch 3 fails, only their individually attached networks fail.

Page 4: Packet Tracer Activity

Observe the flow of traffic through an enterprise network.

Click the Packet Tracer icon to begin.

1.1.2 - Traffic Flow in the Enterprise Network Link to Packet Tracer Exploration: Observing Traffic Flow in an Enterprise Network Observe the flow of traffic through an enterprise network.

1.1.3 Enterprise LANs and WANs Page 1: Enterprise networks incorporate both traditional LAN and WAN technologies. In a typical enterprise network, multiple local networks at a single campus interconnect at either the Distribution Layer or the Core Layer to form a LAN. These local LANs interconnect with other, more geographically dispersed sites to form a WAN.

LANs are private and under the control of a single person or organization. The organization installs, manages, and maintains the wiring and devices that are the functional building blocks of the LAN.

Some WANs are privately owned; however, because the development and maintenance of a private WAN is expensive, only very large organizations can afford to maintain a private WAN. Most companies purchase WAN connections from a service provider or ISP. The ISP is then responsible for maintaining the back end network connections and network services between the LANs.

When an organization has many global sites, establishing WAN connections and service can be complex. For example, the major ISP for the organization may not offer service in every location or country in which the organization has an office. As a result, the organization must purchase services from multiple ISPs. Using multiple ISPs often leads to differences in the quality of services provided. In many emerging countries, for example, network designers will find differences in equipment availability, WAN services offered, and encryption technology for security. To support an enterprise network, it is important to have uniform standards for equipment, configuration, and services.

1.1.3 - Enterprise LANs and WANs The diagram depicts a cloud labeled Public WAN that has four links extending out of it. The first link has an ISP connected, located in North America. The second link has an ISP connected, located in Europe. The third link is to a private WAN, located in South America. The fourth link is to a private WAN, located in Australia.

Page 2: Features of a LAN:

• The organization has the responsibility of installing and managing the infrastructure.
• Ethernet is the most common technology used.
• The focus of the network is in the Access and Distribution Layers.
• The LAN connects users, and provides support for localized applications and server farms.
• Connected devices are usually in the same local area, such as a building or a campus.

Features of a WAN:

• Connected sites are usually geographically dispersed.
• Connectivity to the WAN requires a device such as a modem or CSU/DSU to put the data in a form acceptable to the network of the service provider.
• Services are provided by an ISP. WAN services include T1/T3, E1/E3, DSL, Cable, Frame Relay, and ATM.
• The ISP has the responsibility of installing and managing the infrastructure.
• The edge devices modify the Ethernet encapsulation to a serial WAN encapsulation.

1.1.3 - Enterprise LANs and WANs The diagram depicts two buildings labeled Paris and Hong Kong. Paris has the following network hardware: a router, R1, connected to a CSU/DSU connecting directly to the CSU/DSU, then connecting to a router, R2, located inside Paris. Directly connected to router R1 is a small switched LAN. The CSU/DSU forms the link to the WAN, which can use a myriad of protocols to connect to the Hong Kong business. The common protocols implemented are HDLC, PPP, Frame Relay, and ATM. The CSU/DSU at the Hong Kong business location receives the transmission from the Paris business, and forwards it to the relevant client located within its premises.

Page 3:

1.1.3 - Enterprise LANs and WANs The diagram depicts an activity in which you must classify the terms as either a LAN technology or a WAN technology.

1. Frame Relay
2. 100 Mb UTP
3. T1/E1
4. Services provided by ISP
5. Access Layer
6. POP
7. Services provided by enterprise
8. Ethernet
9. Distribution Layer switches
10. CSU/DSU
11. ATM

1.1.4 Intranets and Extranets Page 1: Enterprise networks contain both WAN and LAN technologies. These networks provide many of the services associated with the Internet, including:

• Email
• Web
• FTP
• Telnet/SSH
• Discussion forums

Many companies use this private network or intranet to provide access for local and remote employees using LAN and WAN technologies.

Intranets may have links to the Internet. If connected to the Internet, firewalls control the traffic that enters and exits the intranet.

1.1.4 - Intranets and Extranets The diagram depicts a map of the world with people spread out over large distances. People from around the world are connected to each other through the Enterprise Intranet, accessed through the Internet. Depicted here is a large Enterprise Intranet that employees may access from multiple locations around the world.

Page 2: Intranets contain confidential information and are designed for company employees only. The intranet should be protected by a firewall. Remote employees who are not connected to the enterprise LAN must authenticate before gaining access.

In some situations, businesses extend privileged access to their network to key suppliers and customers. Common methods for doing this are:

• Direct WAN connectivity
• Remote logins to key application systems
• VPN access into a protected network

An intranet that allows external connections to suppliers and contractors is an extranet. An extranet is a private network (intranet) that allows controlled access to individuals and companies outside the organization. An extranet is not a public network.

1.1.4 - Intranets and Extranets The diagram depicts preferred external suppliers and customers with approved access to the company intranet. Company ABC is connected to two suppliers that are geographically separated. The two partners and the two customers are also connected to Company ABC, defined as a Large Enterprise Extranet.

1.2 Identifying Enterprise Applications
1.2.1 Traffic Flow Patterns Page 1: A properly designed enterprise network has defined and predictable traffic flow patterns. In some circumstances traffic stays on the LAN portion of the enterprise network and at other times it traverses the WAN links.

When determining how to design the network, it is important to consider the amount of traffic destined for a specific location and where that traffic most often originates. By understanding traffic patterns and flows, the network administrator can predict the types and amount of traffic to expect. Controlling the flow of traffic on a network optimizes bandwidth and introduces a level of security through monitoring. When traffic is detected in an area of the network where it is unexpected, that traffic can be filtered and the source of the traffic investigated.

1.2.1 - Traffic Flow Patterns The animation depicts the different traffic flows within a LAN and a WAN, including external traffic flow. 1. When a packet is sent to the local-area network (LAN), it only travels through the local switches and to the destination. 2. When a packet is sent to a user on another network (WAN), it is routed through the sending and receiving routers. External traffic is sent to the Internet via the edge routers.

Page 2: For example, traffic that should typically remain local to users on the network includes:

• File sharing
• Printing
• Internal backup and mirroring
• Intra-campus voice

Traffic types which are typically seen on the local network but are also commonly sent across the WAN include:

• System updates
• Company email
• Transaction processing

In addition to WAN traffic, external traffic is traffic that originates from or is destined to the Internet. VPN and Internet traffic is considered external traffic flow.

1.2.1 - Traffic Flow Patterns The diagram depicts an activity in which you must identify the flow pattern for each type of traffic. The flow pattern choices are LAN, WAN, or External. If the traffic has more than one flow pattern, select the pattern with highest coverage. Traffic types: 1. Intra-campus Voice. 2. Printing. 3. Internal Backup and Restore Operations. 4. On-line Transaction Processing. 5. Internet Traffic. 6. File Sharing. 7. Off-site Data Backup and Recovery. 8. Company Email. 9. VPN. 10. System Update.

1.2.2 Applications and Traffic on an Enterprise Network Page 1: At one time, voice, video, and data each traveled on separate networks. Now technology supports a converged network, where voice, video, and data flow across the same medium. This convergence presents many design and bandwidth management challenges.

Enterprise networks must support the business enterprise by allowing traffic from a variety of applications, including:

• Database transaction processing
• Mainframe or data center access
• File and print sharing
• Authentication
• Web services
• Email and other communications
• VPN services
• Voice calls and voicemail
• Video and video conferencing

Network management and the control processes required for the underlying operation of the network also need support.

1.2.2 - Applications and Traffic on an Enterprise Network The diagram depicts people working in a call center environment. The caption reads: New technologies support voice and data on a converged network.

Page 2: When trying to determine how to manage network traffic, it is important to understand the type of traffic that is crossing the network as well as the current traffic flow. If the types of traffic are unknown, a packet sniffer can be used to capture traffic for analysis.

To determine traffic flow patterns, it is important to:

• Capture traffic during peak utilization times to get a good representation of the different traffic types.
• Perform the capture on different network segments, because some traffic will be local to a particular segment.

Using the information obtained from the packet sniffer, network technicians can determine traffic flows. Technicians analyze this information based on the source and destination of the traffic as well as the type of traffic being sent. This analysis can be used to make decisions on how to manage the traffic more efficiently. This can be done by reducing unnecessary traffic flows or changing flow patterns altogether by moving a server. Sometimes, simply relocating a server or service to another network segment improves network performance. At other times, optimizing the network performance requires major redesign and intervention.

1.2.2 - Applications and Traffic on an Enterprise Network The diagram depicts a screen shot of a Packet Sniffer Application window. The window is showing packet transmission information. The packet contains information relating to the In-and-Out Layers of the OSI Reference Model.

Page 3: Lab Activity

Use a packet capture program to analyze network traffic.

Click the lab icon to begin.

1.2.2 - Applications and Traffic on an Enterprise Network Link to Hands-on Lab: Capturing and Analyzing Network Traffic Use a packet capture program to analyze network traffic.
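As an added example (not part of the course material), the following Python script applies the approach of 1.2.1 and 1.2.2 to a constructed capture summary: it classifies each record as LAN, WAN or External from a set of site subnets, totals bytes per flow pattern and traffic type, and flags traffic types seen in a flow pattern where the chapter says they are not expected. The site subnets, the port-to-traffic-type map, the documentation-range addresses and the capture lines are all assumptions.

```python
"""Flow-pattern analysis of a packet capture summary (added example).

Classifies each record as LAN, WAN or External (1.2.1), totals bytes per
flow pattern and traffic type (1.2.2), and flags traffic types that appear
in a flow pattern where the chapter does not expect them.  Every subnet,
address, port mapping and capture line here is constructed, not real data.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed address plan: one internal subnet per enterprise site.
SITES = {
    "NewYork": ipaddress.ip_network("10.1.0.0/16"),
    "Boston": ipaddress.ip_network("10.2.0.0/16"),
    "Orlando": ipaddress.ip_network("10.3.0.0/16"),
}

# Well-known server ports mapped to the traffic types the chapter lists.
PORT_TYPES = {
    445: "file sharing", 631: "printing", 9100: "printing",
    25: "email", 143: "email", 5060: "voice",
    1433: "transaction processing", 80: "web", 443: "web",
}

# Flow patterns in which each traffic type is expected (1.2.1, Page 2):
# local-only types, types that also cross the WAN, and Internet traffic.
EXPECTED = {
    "file sharing": {"LAN"}, "printing": {"LAN"}, "voice": {"LAN"},
    "email": {"LAN", "WAN"}, "transaction processing": {"LAN", "WAN"},
    "web": {"External"},
}

# Constructed capture summary, one record per line:
# "src_ip:port > dst_ip:port protocol bytes".  203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the Internet.
SAMPLE_CAPTURE = """
10.1.4.20:51234 > 10.1.9.5:445 TCP 1460
10.1.4.21:40001 > 10.1.9.8:9100 TCP 900
10.2.3.7:52000 > 10.1.9.10:25 TCP 2100
10.1.4.22:50000 > 203.0.113.10:443 TCP 5200
198.51.100.7:33000 > 10.1.9.8:9100 TCP 600
"""


def site_of(addr: str) -> str | None:
    """Return the site whose subnet contains addr, or None if it is external."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in SITES.items() if ip in net), None)


def flow_pattern(src: str, dst: str) -> str:
    """LAN when both ends are in one site, WAN between two sites, else External."""
    src_site, dst_site = site_of(src), site_of(dst)
    if src_site is None or dst_site is None:
        return "External"
    return "LAN" if src_site == dst_site else "WAN"


def parse_record(line: str) -> dict:
    """Parse one summary line into addresses, traffic type, pattern and size."""
    src, _, dst, proto, size = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    # Classify on the server-side port: destination first, then source.
    ttype = PORT_TYPES.get(int(dst_port), PORT_TYPES.get(int(src_port), "other"))
    return {"src": src_ip, "dst": dst_ip, "proto": proto, "bytes": int(size),
            "type": ttype, "pattern": flow_pattern(src_ip, dst_ip)}


def parse_capture(text: str) -> list[dict]:
    return [parse_record(ln) for ln in text.strip().splitlines() if ln.strip()]


def summarize(records: list[dict]) -> dict[tuple[str, str], int]:
    """Total bytes per (flow pattern, traffic type): the view a technician uses
    to decide whether a server or service should be relocated."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for rec in records:
        totals[(rec["pattern"], rec["type"])] += rec["bytes"]
    return dict(totals)


def unexpected(records: list[dict]) -> list[dict]:
    """Records whose traffic type appears in a flow pattern it is not expected
    in: candidates for filtering and for investigating the source."""
    return [rec for rec in records
            if rec["type"] in EXPECTED and rec["pattern"] not in EXPECTED[rec["type"]]]


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    for (pattern, ttype), total in sorted(summarize(recs).items()):
        print(f"{pattern:9}{ttype:24}{total:>6} bytes")
    for rec in unexpected(recs):
        print(f"unexpected: {rec['type']} from {rec['src']} seen as {rec['pattern']}")
```

In the sample, the only flagged record is printer traffic arriving from an Internet address, which is exactly the "traffic where it is unexpected" case the chapter says should be filtered and investigated.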

1.2.3 Network Traffic Prioritization Page 1: Not all types of network traffic have the same requirements or behave in the same manner.

Data Traffic: Most network applications utilize data traffic, and most data applications can tolerate delays. Therefore, data traffic usually employs Transmission Control Protocol (TCP). TCP uses acknowledgments to determine when lost packets must be retransmitted and therefore guarantees delivery. While the use of acknowledgements makes TCP a more reliable delivery protocol, it also incurs a delay. Some data applications are more concerned about time-sensitivity than reliability. Some types of online applications transmit data that is sporadic. Other types, such as data storage applications, transmit high volumes of traffic for a sustained period of time.

Voice and Video Traffic: Voice traffic and video traffic are different from data traffic. Voice and video applications require an uninterrupted stream of data to ensure high quality conversations and images. The acknowledgement process in TCP introduces delays, which break these streams and degrade the quality of the application. For this reason, voice and video applications employ User Datagram Protocol (UDP) instead of TCP. Since UDP does not have mechanisms for retransmitting lost packets, it minimizes delays.

1.2.3 - Network Traffic Prioritization The diagram depicts an airport environment with differing types of traffic being generated, as well as their specific characteristics, as follows. FTP or Email Traffic - High volume sustained data traffic, tolerates delays. Online or Transaction Delays - Sporadic and bursty, tolerates delays. Mobile Voice Traffic - Sporadic conversation, delays cause interrupted or dropped conversations. VoIP Traffic - Requires uninterrupted stream of data, does not tolerate delays. Video Traffic - High volume uninterrupted video traffic, does not tolerate delays.

Page 2: In addition to understanding the delays of TCP versus UDP, it is also necessary to understand the delay, or latency, caused by the networking devices that must process the traffic on its path to the destination.

For example, routers introduce a longer delay than switches. Layer 3 devices create more delay than Layer 2 devices due to the number of headers they have to process. Jitter, caused by network congestion, is the variation in time of the packets arriving at their destination. It is important to reduce the impact of delay, latency, and jitter on time-sensitive traffic, such as voice traffic.

1.2.3 - Network Traffic Prioritization The diagram depicts an activity in which you must match the term with its corresponding definition. Terms: A: UDP. B: QoS. C: jitter. D: delay. E: queue. F: TCP. G: voice. H: latency. Definitions: One. Protocol used for time-sensitive traffic. Two. Sorts traffic into queues. Three. Variation in arrival time caused by network congestion. Four. Protocol that retransmits packets. Five. Line of traffic ordered based on priority. Six. Same meaning as latency. Seven. Type of traffic that is time-sensitive. Eight. Time delay based on packets going through network devices.

Page 3: Quality of Service (QoS) is a process used to guarantee a specified data flow. QoS mechanisms sort traffic into queues, based on priority. For example, voice traffic has priority over ordinary data. Therefore, traffic in the higher priority queues, such as P1 or P2, is sent before lower priority traffic, such as P5 or P6.

1.2.3 - Network Traffic Prioritization The animation depicts each step in processing traffic using QoS. The queue-ing process is shown as data from different applications (voice traffic, video traffic, FTP traffic, and so on) traveling toward an interface, in order of priority. Red items represent unwanted traffic being filtered from the group. Following the steps in the queue-ing process, the packets are sent one at a time. Example: Voice traffic does not tolerate delays, so it is placed into the highest priority queue and sent first. One. Classification - Data classified based on application. Two. Pre-Queue-ing - Data from different applications moving toward output router interface. Three. Queue-ing and Scheduling - Traffic is placed into queues based on pre-configured priority.
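An added example, not from the course: a small Python simulation of the three QoS steps in the animation (classification, pre-queueing, queueing and scheduling) with a strict-priority scheduler, run beside a single FIFO queue so the effect on voice delay and jitter is visible. The priority map, the filtered application name, the link rate and the packet burst are constructed assumptions.

```python
"""Strict-priority QoS queueing versus FIFO (added example).

Walks a constructed packet burst through the three steps of the 1.2.3
animation: classification into queues P1..P6, pre-queueing at the output
interface, then queueing and scheduling onto the link.  The same burst is
also run through one FIFO queue so the delay and jitter that voice packets
experience in each case can be compared.  All values are constructed.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass

# Constructed classification policy: application -> priority queue.
PRIORITY = {"voice": 1, "video": 2, "transaction": 3, "email": 4, "ftp": 5}
DEFAULT_PRIORITY = 6           # unclassified traffic goes to the lowest queue
UNWANTED = {"p2p-share"}       # the red items: filtered out, never queued

LINK_KBPS = 800                # constructed link rate: 100 bytes per millisecond


@dataclass
class Packet:
    app: str
    size: int          # bytes
    arrival_ms: float  # when the packet reaches the output interface


@dataclass
class Sent:
    app: str
    arrival_ms: float
    departure_ms: float  # when the last byte has left the interface

    @property
    def delay_ms(self) -> float:
        return self.departure_ms - self.arrival_ms


def classify(p: Packet) -> int | None:
    """Step 1, classification: pick the queue for an application, or drop it."""
    if p.app in UNWANTED:
        return None
    return PRIORITY.get(p.app, DEFAULT_PRIORITY)


def schedule(burst: list[Packet], strict_priority: bool) -> list[Sent]:
    """Steps 2 and 3: admit arrived packets to their queues, then serialise
    them on the link.  With strict_priority the highest-priority non-empty
    queue is always served first; otherwise everything shares one FIFO."""
    pending = sorted(burst, key=lambda p: p.arrival_ms)   # stable: keeps burst order
    queues: dict[int, deque[Packet]] = {q: deque() for q in range(1, 7)}
    clock, sent, i = 0.0, [], 0
    while i < len(pending) or any(queues.values()):
        # Step 2, pre-queueing: everything that has arrived by now is queued.
        while i < len(pending) and pending[i].arrival_ms <= clock:
            q = classify(pending[i])
            if q is not None:
                queues[q if strict_priority else 1].append(pending[i])
            i += 1
        ready = next((queues[q] for q in sorted(queues) if queues[q]), None)
        if ready is None:             # link idle: jump to the next arrival
            clock = pending[i].arrival_ms
            continue
        # Step 3, queueing and scheduling: send the head of the chosen queue.
        p = ready.popleft()
        clock += p.size * 8 / LINK_KBPS
        sent.append(Sent(p.app, p.arrival_ms, clock))
    return sent


def jitter_ms(sent: list[Sent], app: str) -> float:
    """Spread of the gaps between consecutive departures of one application,
    a simple stand-in for the arrival-time variation the chapter calls jitter."""
    deps = [s.departure_ms for s in sent if s.app == app]
    gaps = [b - a for a, b in zip(deps, deps[1:])]
    return max(gaps) - min(gaps) if len(gaps) > 1 else 0.0


def compare(burst: list[Packet]) -> dict[str, dict]:
    """Run the burst through FIFO and strict priority; report what voice sees."""
    report = {}
    for name, strict in (("fifo", False), ("priority", True)):
        sent = schedule(burst, strict)
        voice = [s.delay_ms for s in sent if s.app == "voice"]
        report[name] = {"order": [s.app for s in sent],
                        "voice_max_delay_ms": max(voice),
                        "voice_jitter_ms": jitter_ms(sent, "voice")}
    return report


# Constructed burst: all packets reach the interface together at t = 0.
SAMPLE_BURST = [Packet(app, size, 0.0) for app, size in [
    ("ftp", 1500), ("ftp", 1500), ("voice", 200), ("email", 1000),
    ("voice", 200), ("video", 1200), ("p2p-share", 1500), ("voice", 200),
    ("ftp", 1500), ("transaction", 400)]]

if __name__ == "__main__":
    for name, result in compare(SAMPLE_BURST).items():
        print(name, result)
```

With the constructed burst, FIFO makes the last voice packet wait 58 ms behind FTP and the voice gaps vary by 2 ms, while strict priority sends all three voice packets first with a worst-case delay of 6 ms and no jitter; the total time to drain the burst is the same in both cases, since QoS reorders traffic rather than adding bandwidth.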

1.3 Supporting Remote Workers
1.3.1 Teleworking Page 1: The development of enterprise networks and remote connection technology has changed the way we work. People from all over the world can work together as if they were in the same physical location. Teleworking, also referred to as telecommuting and e-commuting, allows employees to use telecommunications technology to work from their homes or other remote locations. The remote worker using the technology is called a teleworker or telecommuter. Teleworking provides many advantages and opportunities for both employer and employee. An increasing number of companies encourage their employees to consider teleworking.

1.3.1 - Teleworking The diagram depicts an office building with a sign in front of it that reads: FOR LEASE RETAIL / OFFICE PREMISES 144.25 sq m (1,553 sq ft)

Page 2: Both the employer and the employee benefit from teleworking. From the employer perspective, when employees work from home, the company does not have to provide them with dedicated physical office space. A single office space can be set up for shared use by employees who need to spend time in the physical office. This arrangement reduces real estate costs and the associated support services. Some companies have even reduced the expense of air travel and hotel accommodations to bring their employees together by using teleconferencing and collaboration tools.

Employees save time and money by eliminating the daily travel to and from the office. Employees can dress casually at home, therefore saving money on business attire. Working from home allows employees to spend more time with their families and reduce stress. Reduced travel for employees also has a very favorable effect on the environment. Less airplane and automobile traffic means less pollution.

Not all jobs can take advantage of teleworking. Some positions require a physical presence in the office during a set period of time. Some teleworkers miss the social environment of an office setting and find it difficult to work in physical isolation. Teleworkers need to be self-directed and disciplined. However, more enterprises are taking advantage of technology to increase the frequency of telecommuting.

1.3.1 - Teleworking The diagram depicts a woman wearing a telephone headset. She is working on her laptop from home.

Page 3: Telecommuters need various tools to work efficiently. Some available teleworker tools include:

• Email
• Chat
• Desktop and application sharing
• FTP
• Telnet
• VoIP
• Video conferencing

1.3.1 - Teleworking The diagram depicts a teleworker working on a laptop outdoors. Other information in the diagram includes the following: Email - Delivers a written message to a remote user for reply and response at a later point in time. Chat - Delivers a written message to a user in real time for reply and response immediately. Application Sharing - Allows multiple users to view the same application simultaneously. FTP - Transfers files between computers. Telnet - Connects and starts a terminal session on a remote device. VoIP - Allows real time voice communications between users over the Internet. Video Conferencing - Allows users to communicate face-to-face over video with participants at multiple locations.

Page 4: Application and screen sharing tools have improved, and it is now possible to integrate both voice and video into these applications. New technology has enabled more sophisticated levels of online collaboration. By combining large video displays and high quality audio in specially designed rooms, this technology creates an environment in which individuals from remote locations meet as though they were in the same room. Using the enterprise network, it appears as if all participants, regardless of their physical location, are sitting across the boardroom table from each other.

1.3.1 - Teleworking The diagram depicts a group of employees sitting at a boardroom table. In the graphic, only the five people in the foreground are physically in the room. The other four people displayed on the screens are located in three other locations.

Page 5:

1.3.1 - Teleworking The diagram depicts an activity in which you must identify scenarios appropriate for telecommuting. Decide, using Yes or No, if the scenario represents a telecommuting opportunity. Scenarios: One. Josh manages the IT Help desk at a small company. He is responsible for answering questions over the phone and for providing on-site hardware and software support for all company computers. Two. Carlos is the receptionist at a small publishing company. He is responsible for answering the phones, completing correspondence, and greeting walk-in customers. Three. Tabitha has a company that develops interactive websites for real estate agents. She meets with her clients over the phone and uses collaboration software to show them her work. Four. Paula, Tyler, and Bobby are developing a new e-learning course. They all live in different cities and are very self-directed.

1.3.2 Virtual Private Networks
Page 1: One obstacle that teleworkers must overcome is the fact that most of the tools available for working remotely are not secure. Using nonsecure tools allows data to be intercepted or altered during transmission. One solution is to always use the secure forms of applications, if they exist. For example, instead of using Telnet, use SSH. Unfortunately, secure forms of all applications may not be available.

A much easier choice is to encrypt all traffic moving between the remote site and the enterprise network using Virtual Private Networks (VPNs). VPNs are a client/server application; therefore, telecommuters must install the VPN client on their computers in order to form a secure connection with the enterprise network. When telecommuters are connected to the enterprise network through a VPN, they become part of that network and have access to all services and resources that they would have if they were physically attached to the LAN.

1.3.2 - Virtual Private Networks A diagram depicts two buildings. Between the buildings are a road and a tunnel. The car above ground represents unencrypted traffic. The car in the tunnel represents encrypted traffic.

Page 2: When using a VPN, a virtual tunnel is created by linking the source and destination addresses. All data flow between the source and destination is encrypted and encapsulated using a secure protocol. This secure packet is transmitted across the network. When it arrives at the receiving end, it is de-encapsulated and decrypted.

VPNs are often described as tunnels. Consider the analogy of an underground tunnel versus an open roadway between two points. Anything that uses the underground tunnel to travel between the two points is surrounded and protected from view. The underground tunnel represents the VPN encapsulation and virtual tunnel.

1.3.2 - Virtual Private Networks The animation depicts the VPN encapsulation protocol process.

A simple network with three hosts, H1, H2, and H3, is connected to a router (R1) via a switch (S1). R1 is connected to the router (R2) over the Internet. R2 is connected to H4. H2 sends an unencrypted packet to H4. The packet travels via S1 to R1, where it is encrypted using IPsec, and sent over the Internet to R2, where it is decrypted and forwarded to H4.

More Information Popup One of the most common encapsulation protocols for VPNs is IPsec, which is short for IP Security. IPsec is actually a suite of protocols that provide many services, including the following:

• Data encryption
• Integrity validation
• Peer authentication
• Key management

1.4 Chapter Summary
1.4.1 Summary Page 1: 1.4.1 - Summary

Diagram 1, Image The diagram depicts an enterprise network.

Diagram 1 text A large business environment with many users and locations or many systems is referred to as an enterprise. The enterprise network:
• Provides 99.99% up time.
• Supports mission critical applications, network traffic, centralized control, and diverse business needs.
• Carries many types of traffic including voice, video, and data.
• Utilizes many different types of technology.
• Uses both LAN and WAN components.
• Makes use of services of ISPs.

Diagram 2, Image The diagram depicts the Cisco Enterprise Architecture with three sub-blocks labeled Enterprise Campus, Enterprise Edge, and Service Provider Edge, as well as two smaller blocks labeled Enterprise Branch and Teleworker.

Diagram 2 text
Enterprise Campus - Consists of the campus infrastructure with server farms and network management.
Enterprise Edge - Consists of the Internet, VPN, and WAN modules connecting the enterprise with the service provider's network.
Service Provider Edge - Provides Internet, Public Switched Telephone Network (PSTN), and WAN services.
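The tunnel described in section 1.3.2 above (encrypt and encapsulate at R1, verify and decapsulate at R2) together with the four IPsec services listed in the popup, as an added Python example. This is not course material and it is not IPsec: it derives separate encryption and integrity keys from a constructed pre-shared secret (the key management step), wraps a constructed inner packet in an outer header addressed to two constructed tunnel endpoints, and shows that a packet altered in transit fails the integrity check and is rejected rather than forwarded. The cipher is HMAC-SHA256 used as a counter-mode keystream, chosen so the example runs on the standard library alone.

```python
"""Toy VPN tunnel: encrypt and integrity-protect an inner packet, wrap it in
an outer header addressed to the tunnel endpoints, and unwrap at the far end.
Constructed teaching example, not IPsec; confidentiality comes from
HMAC-SHA256 in counter mode and integrity from a separate HMAC-SHA256 tag."""
import hashlib
import hmac
import ipaddress
import secrets
import struct

TAG_LEN = 32      # bytes of HMAC-SHA256 tag appended to every outer packet
NONCE_LEN = 12    # bytes of per-packet nonce so no keystream is ever reused


def derive_keys(shared_secret: bytes) -> tuple:
    """Key management (simplified): derive independent encryption and MAC keys
    from one pre-shared secret so the two functions never share a key."""
    enc_key = hmac.new(shared_secret, b"vpn-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"vpn-integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode; a fresh nonce per packet keeps each stream unique."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encapsulate(enc_key: bytes, mac_key: bytes, tunnel_src: str, tunnel_dst: str, inner_packet: bytes) -> bytes:
    """Build the outer packet: src | dst | nonce | ciphertext | tag.
    The tag covers the outer header too, so endpoint addresses cannot be swapped."""
    header = ipaddress.IPv4Address(tunnel_src).packed + ipaddress.IPv4Address(tunnel_dst).packed
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(inner_packet, _keystream(enc_key, nonce, len(inner_packet))))
    body = header + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def decapsulate(enc_key: bytes, mac_key: bytes, outer_packet: bytes) -> tuple:
    """Verify the tag before touching the ciphertext (encrypt-then-MAC).
    A valid tag also authenticates the peer: only a holder of the shared
    secret could have produced it."""
    body, tag = outer_packet[:-TAG_LEN], outer_packet[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet altered or forged")
    src = str(ipaddress.IPv4Address(body[0:4]))
    dst = str(ipaddress.IPv4Address(body[4:8]))
    nonce = body[8:8 + NONCE_LEN]
    ciphertext = body[8 + NONCE_LEN:]
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return src, dst, plaintext


# Constructed scenario mirroring the animation: H2 behind R1 sends to H4 behind R2.
SHARED_SECRET = b"pre-shared secret agreed out of band (constructed)"
INNER_PACKET = b"H2 -> H4: quarterly report (constructed inner payload)"
R1_ADDR, R2_ADDR = "203.0.113.1", "198.51.100.1"   # constructed tunnel endpoints


def tunnel_roundtrip() -> bytes:
    """R1 encapsulates, the packet crosses the Internet, R2 decapsulates."""
    enc_key, mac_key = derive_keys(SHARED_SECRET)
    outer = encapsulate(enc_key, mac_key, R1_ADDR, R2_ADDR, INNER_PACKET)
    assert INNER_PACKET not in outer          # the payload is not visible on the wire
    _src, _dst, recovered = decapsulate(enc_key, mac_key, outer)
    return recovered


def tamper_detected() -> bool:
    """Flip one ciphertext bit in transit; R2 must reject instead of forwarding garbage."""
    enc_key, mac_key = derive_keys(SHARED_SECRET)
    outer = bytearray(encapsulate(enc_key, mac_key, R1_ADDR, R2_ADDR, INNER_PACKET))
    outer[8 + NONCE_LEN] ^= 0x01
    try:
        decapsulate(enc_key, mac_key, bytes(outer))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(tunnel_roundtrip())
    print("tamper detected:", tamper_detected())
```

The ordering in decapsulate is the point to take away: the receiver checks the integrity tag first and never decrypts or forwards a packet whose tag fails, which is what lets the enterprise edge treat anything arriving through the tunnel as coming from an authenticated peer.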

Diagram 3, Image The diagram depicts intranets and extranets.

Diagram 3 text An intranet is a private network that utilizes TCP/IP and other services to provide private services for company employees. If vendors and customers, and other outside individuals, access the intranet, it is known as an extranet. Some traffic moves through the enterprise WAN, and other traffic moves external to the enterprise network. QoS allows some traffic to be given preferential treatment over other traffic, such as voice and video traffic over data traffic.
Failure Domain - Describes the devices impacted on a portion of a network when a key device or service experiences problems.

Diagram 4, Image The diagram depicts a woman that is teleworking.

Diagram 4 text Teleworking is the use of technology to replace business travel. Teleworking has many advantages for the employer, the employee, and the environment. As technology advances, the number of jobs suited for telecommuting is increasing. Teleworkers use tools like email, chat, desktop and application sharing, FTP, Telnet, VoIP, and video conferencing to make their jobs easier. VPNs address the security needs of teleworkers by creating an encrypted tunnel between the sites.

1.5 Chapter Quiz
1.5.1 Quiz Page 1: Take the chapter quiz to check your knowledge. Click the quiz icon to begin.

1.5.1 - Quiz Chapter 1 Quiz: Networking in the Enterprise

1. What are two benefits of using VPN? (Choose two.)
A. They allow precise configuration of which ports are forwarded to the internal office servers.
B. They allow a remote worker to have access to network resources as if they were physically located in the office.
C. They encrypt all communications between the remote worker and internal network resources.
D. They provide a faster connection to the office by providing direct access to the internal network.
E. They block unsolicited traffic that does not have the proper tunneling protocol.
F. They reduce malicious attacks by identifying them when they hit the VPN.

2. When planning to identify traffic flows and network applications that run on an enterprise network, why is it best for a network engineer to sample traffic during times of peak utilization?
A. The network is busiest and the most critical business applications are in use, providing an accurate sampling of network activities.
B. The network engineer does not want to confuse traffic from network backups done at night with normal business traffic.
C. During peak utilization times, most traffic is localized in a single segment and can be more easily analyzed.
D. The network is slowest during this time and the sampling will not interfere with the normal business traffic.

3. Why do VoIP and video network traffic use UDP instead of TCP?
A. Voice and video applications require receipt of all packets regardless of delay.
B. Voice and video applications cannot tolerate the delay caused by retransmissions.
C. UDP allows for segment receipt and acknowledgement, ensuring guaranteed segment delivery.
D. The three-way handshake used in UDP speeds up the voice and video streams.

4. What are two resources to analyze multiple network segments when identifying network traffic? (Choose two.)
A. Network segments may have varying traffic patterns exclusive to that segment.
B. Network traffic on a single segment is not important because traffic on a local segment does not affect the network traffic as a whole.
C. Network traffic should always be monitored on a core device because all network traffic needs to pass through it.
D. Network traffic that passes between segments may be reduced if a server accessed primarily by one segment is relocated to that segment.
E. Network traffic on a single segment does not consume much bandwidth within that segment and can be overloaded.
F. Confine network traffic only to the segment where it is required.

5. This question depicts a network topology as explained below: One Router, RTA, is connected to two Switches, SW1 and SW2. RTA connects to SW1 and SW2. SW1 has Hosts A and B connected to it. SW2 has Hosts C, D and a server connected to it. Based on this topology, if SW1 stops working, which statement will be true?
A. Hosts A and B will be able to reach each other, but not hosts C, D, or the server.
B. Hosts A, B, C, and D will be able to reach each other, but not the server.
C. Hosts A and B will not be able to reach each other or hosts C, D, and the server.
D. All hosts will still be able to reach each other.

6. Match each Cisco Enterprise Architecture to its corresponding definition. (Not all definitions will be used.)
Cisco Enterprise Architectures: Enterprise Campus; Enterprise Edge; Service Provider Edge
Definitions: consists of Internet, VPN, and WAN modules; consists of remote users and branch offices; consists of the campus infrastructure with server farms; provides Internet, WAN, and PSTN services

7. Which two technologies enhance the ability of remote workers to connect securely to internal company resources? (Choose two.)
A. FTP
B. Telnet
C. VPN
D. SSH
E. HTTP

8. When designing a network based on the Cisco Enterprise Architecture, which two items would be included in the enterprise edge functional component? (Choose two.)
A. internal web servers
B. core layer routers
C. VPN servers
D. server farm
E. intrusion detection system

9. A remote IT engineer needs to simultaneously demonstrate how to operate a software application to multiple people. Which tool can be used to perform the task?
A. e-mail
B. FTP
C. Telnet
D. desktop sharing

10. Match the network types with their corresponding description.
Network Types: LAN; WAN; intranet; extranet; Internet
Descriptions: provides Internet-like services for company employees only; global public network that operates using a common set of communication protocols; private network that allows access by specified external users like contractors and suppliers; private network that connects geographically dispersed sites using public or private services; private network controlled by a single organization usually limited to a single campus

11. A company has hired a new employee who will be working remotely. What should the IT administrator do so that the employee can connect to the internal network using the existing VPN infrastructure of the company?
A. Configure the VPN client application on the laptop of the remote employee.
B. Add the credentials of the user to the DMZ.
C. Allow tunnelling within the Intrusion Prevention System (IPS).
D. Configure the WAN router to allow incoming connections.

12. Which statement is true about the three-layer hierarchical design model?
A. The access layer can be spread across multiple geographical locations.
B. Smaller networks can use the core layer services offered by their ISP.
C. The distribution layer consists of high-end routers that interconnect geographically dispersed locations.
D. Core and access layer functions can be combined.

All contents copyright © 2007-2008 Cisco Systems, Inc. Translated by the Cisco Networking Academy.

2 Exploring the Enterprise Network Infrastructure
2.0 Chapter Introduction
2.0.1 Introduction Page 1:

2.0.1 - Introduction Enterprise networks contain hundreds of sites and support thousands of users worldwide. A well-managed network allows users to work reliably. Network documentation is crucial for maintaining the required 99.999% up time. Various types of documentation show different aspects of the network. Routers and switches provide connectivity, security and redundancy while controlling broadcasts and failure domains. All Internet traffic flows through the enterprise edge, making security considerations necessary.

After completion of this chapter, you should be able to:
• Interpret network documentation.
• Describe the equipment located in the Network Operations Center.
• Describe the Point-of-Presence for service delivery.
• Identify security considerations and equipment at the enterprise edge.
• Identify router and switch hardware characteristics and use router CLI configuration and verification commands.

2.1 Describing the Current Network
2.1.1 Enterprise Network Documentation Page 1: One of the first tasks for a new network technician is to become familiar with the current network structure. Enterprise networks can have thousands of hosts and hundreds of networking devices, all of which are interconnected by copper, fiber-optic, and wireless technologies. End-user workstations, servers, and networking devices, such as switches and routers, must all be documented.

Network infrastructure diagrams, or topology diagrams, keep track of the location, function, and status of devices. Topology diagrams represent either the physical or logical network.

A physical topology map uses icons to document the location of hosts, networking devices, and media. It is important to maintain and update physical topology maps to aid future installation and troubleshooting efforts.

A logical topology map groups hosts by network usage, regardless of physical location. Host names, addresses, group information, and applications can be recorded on the logical topology map. Connections between multiple sites may be shown but do not represent actual physical locations.

Enterprise network diagrams may also include control plane information. Control plane information describes failure domains and defines the interfaces where different network technologies intersect.

Network diagrams are commonly created using graphical drawing software. In addition to being a drawing tool, many network diagramming tools are linked to a database. This feature allows the network support staff to develop detailed documentation by recording information about hosts and networking devices, including manufacturer, model number, purchase date, warranty period, and more. Clicking a device in the diagram opens an entry form with device data listed.

2.1.1 - Enterprise Network Documentation The diagram depicts the difference between a physical topology and a logical topology. The physical topology is a map of physical network devices, such as PCs, switches, and routers. It shows the way these devices are physically connected to one another. The logical topology is more concerned with the grouping of these devices in regard to their network usage, addressing, and security, and includes admin hubs, as well as file, web, and mail servers.

Page 2: It is crucial that network documentation remain current and accurate. Network documentation is usually accurate at the installation of a network. As the network grows or changes, however, the documentation is not always updated. Network topology maps are frequently based on original floor plans. The current floor plans may have changed since the construction of the building. Blueprints can be marked up, or redlined, to show the changes. The modified diagram is known as an as-built. An as-built diagram documents how a network was actually constructed, which may differ from the original plans. Always ensure that the current documentation reflects the as-built floor plan and all network topology changes.
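One way to act on the documentation described above, as an added Python example that is not from the course: keep the topology as a machine-readable link list, compare the planned blueprint against the as-built links to find redlines that were never recorded, and compute a device's failure domain (the control plane information the text mentions) as the set of devices that lose their path to the gateway when that device goes down. The device names and links are constructed; they follow the router-and-two-switch layout used in the chapter 1 quiz.

```python
"""Network documentation as data: detect drift between planned and as-built
links and compute failure domains from the documented topology.
Added example with constructed device names; not the course's own material."""
from collections import deque

# Constructed as-built link list (undirected): what the technician actually found.
AS_BUILT_LINKS = [
    ("RTA", "SW1"), ("RTA", "SW2"),
    ("SW1", "HostA"), ("SW1", "HostB"),
    ("SW2", "HostC"), ("SW2", "HostD"), ("SW2", "Server"),
]

# Constructed planned links: the blueprint had HostB on SW2 and a redundant SW1-SW2 link.
PLANNED_LINKS = [
    ("RTA", "SW1"), ("RTA", "SW2"), ("SW1", "SW2"),
    ("SW1", "HostA"), ("SW2", "HostB"),
    ("SW2", "HostC"), ("SW2", "HostD"), ("SW2", "Server"),
]


def build_graph(links):
    """Adjacency map from an undirected link list."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def reachable(graph, start, failed=frozenset()):
    """Breadth-first search that refuses to traverse devices listed as failed."""
    if start in failed:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen and nxt not in failed:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def failure_domain(links, failed_device, gateway="RTA"):
    """Devices that lose their path to the gateway when failed_device goes down,
    which is the chapter's definition of a failure domain."""
    graph = build_graph(links)
    before = reachable(graph, gateway)
    after = reachable(graph, gateway, failed={failed_device})
    return sorted((before - after) - {failed_device})


def _link_names(links):
    return {frozenset(link) for link in links}


def _format(link_set):
    return sorted("-".join(sorted(link)) for link in link_set)


def link_drift(planned, as_built):
    """Planned links missing from the as-built network, and links added on site
    that the blueprint never showed; both should be redlined into the diagram."""
    planned_set, built_set = _link_names(planned), _link_names(as_built)
    return {"missing": _format(planned_set - built_set),
            "unplanned": _format(built_set - planned_set)}


if __name__ == "__main__":
    print("SW1 down ->", failure_domain(AS_BUILT_LINKS, "SW1"))
    print("RTA down ->", failure_domain(AS_BUILT_LINKS, "RTA"))
    print(link_drift(PLANNED_LINKS, AS_BUILT_LINKS))
```

Running the drift check before computing failure domains matters: the planned diagram suggests SW1 has a second path through SW2, but the as-built list shows that link was never installed, so the real failure domain of SW1 is larger than the blueprint implies.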

Page 3: In addition to network diagrams, several other important types of documentation are used in the enterprise network.

Business Continuity Plan: The Business Continuity Plan (BCP) identifies the steps to be taken to continue business operation in the event of a natural or man-made disaster.

Business Security Plan: The Business Security Plan (BSP) includes physical, system, and organizational control measures. The overall security plan must include an IT portion that describes how an organization protects its network and information assets.

Network Maintenance Plan: The Network Maintenance Plan (NMP) ensures business continuity by keeping the network up and running efficiently. Network maintenance must be scheduled during specific time periods, usually nights and weekends, to minimize the impact on business operations.

Service Level Agreement: A Service Level Agreement (SLA) is a contractual agreement between the customer and a service provider or ISP, specifying items such as network availability and service response time.

2.1.1 - Enterprise Network Documentation The diagram depicts a close up of a person designing a network with pencil and paper.

2.1.1 - Enterprise Network Documentation The diagram depicts a filing cabinet with four drawers, labeled BCP, BSP, NMP, and SLA. The following are brief descriptions of each:

Business Continuity Plan (BCP) Ensures business operations by defining procedures that must take place in the event of a disaster. IT support may include the following:
• Off-site storage of backup data
• Alternate IT processing centers
• Redundant communication links

Business Security Plan (BSP) Prevents unauthorized access to organizational resources and assets by defining security policies. The IT security plan can contain policies related to the following:
• User authentication
• Permissible software
• Remote access
• Intrusion monitoring
• Incident handling

Network Maintenance Plan (NMP) Minimizes downtime by defining hardware and software maintenance procedures. The maintenance plan can contain the following:
• Maintenance windows
• Scheduled downtime
• Staff on-call responsibility
• Equipment and software to be maintained, such as OS, IOS, and services
• Network performance monitoring

Service Level Agreement (SLA) Ensures service parameters by defining required service provider level of performance. An SLA can include the following:
• Connection speeds / bandwidth
• Network uptime
• Network performance monitoring
• Problem resolution response time
• On-call responsibilities

Page 4: 2.1.1 - Enterprise Network Documentation The diagram depicts an activity in which you must identify the network documentation where the information would most likely be found for each scenario.

Network Documentation
A: BCP = Business Continuity Plan
B: BSP = Business Security Plan
C: NMP = Network Maintenance Plan
D: SLA = Service Level Agreements

Scenarios

One. Redundant communication links.
Two. Intrusion monitoring.
Three. Service provider problem response time.
Four. User authentication.
Five. OS and IOS upgrade.
Six. Off-site storage of backup data.
Seven. Local network scheduled downtime.
Eight. ISP connection bandwidth.

2.1.2 Network Operations Center (NOC)
Page 1: Most enterprise networks have a Network Operations Center (NOC) that allows for central management and monitoring of all network resources. The NOC is sometimes referred to as a Data Center. Employees in a typical enterprise NOC provide support for both local and remote locations, often managing both local and wide area networking issues. Larger NOCs may be multi-room areas of a building where network equipment and support staff are concentrated.

The NOC usually has:
• Raised floors to allow for cabling and power to run under the floor to the equipment
• High performance UPS systems and air conditioning equipment to provide a safe operating environment for equipment
• Fire suppression systems integrated into the ceiling
• Network monitoring stations, servers, backup systems, and data storage
• Access layer switches and distribution layer routers, if it serves as a Main Distribution Facility (MDF) for the building or campus where it is located

2.1.2 - Network Operations Center (NOC) Image of a network operation center surrounded by small images with the following labels: Network monitor - technician monitoring network; Backup Systems; Power Conditioning (UPS); Environment Controls; Raised Floors; Fire Suppression; Switches; Router; Data Storage; Server.

Page 2:

In addition to providing network support and management, many NOCs also provide centralized resources such as servers and data storage. Servers in the NOC are usually clustered together, creating a server farm. The server farm is frequently considered as a single resource but, in fact, provides two functions: backup and load balancing. If one server fails or becomes overloaded, another server takes over. The servers in the farm may be rack-mounted and interconnected by very high-speed switches (Gigabit Ethernet or higher). They may also be blade servers mounted in a chassis and connected by a high-speed backplane within the chassis.

Another important aspect of the enterprise NOC is high-speed, high-capacity data storage. This data storage, or network attached storage (NAS), groups large numbers of disk drives that are directly attached to the network and can be used by any server. A NAS device is typically attached to an Ethernet network and is assigned its own IP address. A more sophisticated version of NAS is Storage Area Network (SAN). A SAN is a high-speed network that interconnects different types of data storage devices over a LAN or WAN.

2.1.2 - Network Operations Center (NOC) The diagram depicts two images: a Server Farm with a rack of servers, and a Network Attached Storage (NAS) with a rack of network storage.

Page 3: Equipment in the enterprise NOC is usually mounted in racks. In large NOCs, racks are usually floor-to-ceiling mounted and may be attached to each other. The most common rack width is 19 inches (48.26 cm). Most equipment is designed to fit this width. The vertical space that the equipment occupies is measured in Rack Units (RUs). A Unit equals 1.75 inches (4.4 cm). For example, a 2U chassis is 3.5 inches (8.9 cm) high. The lower the RU number, the less space a device needs; therefore, more devices can fit into the rack.

When mounting equipment in a rack, ensure there is adequate ventilation and access from front and back. Equipment must also be attached to a known good ground. Another consideration is equipment with many connections, like switches. They may need to be positioned near patch panels and close to where the cabling is gathered into cable trays.

2.1.2 - Network Operations Center (NOC) The diagram depicts a rack of equipment, identifying a 1 RU rack mountable component and a 2 RU rack mountable component.

Page 4: In an enterprise NOC, thousands of cables may enter and exit the facility. Structured cabling creates an organized cabling system that is easily understood by installers, network administrators, and any other technicians who work with cables. Cable management serves many purposes. First, it presents a neat and organized system that aids in isolating cabling problems. Second, best cabling practices protect the cables from physical damage and EMI, which greatly reduces the number of problems experienced.

Cabling standards specify a maximum distance for all cable types and network technologies. For example, the IEEE specifies that, for Fast Ethernet over unshielded twisted pair (UTP), the cable run from switch to host cannot be greater than 100 meters (approximately 328 ft). If the cable run is greater than the recommended length, problems could occur with data communications, especially if the terminations at the ends of the cable are poorly completed.

Documentation of the cable plan and testing are critical to network operations. To assist in troubleshooting:

• All cables should be labelled at both ends, using a standard convention that indicates source and destination.
• All cable runs, both copper and fiber, should be tested end-to-end by sending a signal down the cable and measuring loss.
• All cable runs should be documented on the physical network topology diagram.

The cabling should be neat, untangled, and clearly labeled.

2.1.2 - Network Operations Center (NOC) The diagram depicts a bundle of network cabling on a switch or patch panel.

2.1.3 Telecommunication Room Design and Considerations
Page 1:

The NOC is the central nervous system of the enterprise. In practice, however, most users connect to a switch in a telecommunications room, which is some distance from the NOC. The telecommunications room is also referred to as a wiring closet or intermediate distribution facility (IDF). It contains the Access Layer networking devices and ideally maintains environmental conditions similar to the NOC, such as air conditioning and UPS. Users working with wired technology connect to the network through Ethernet switches or hubs. Users working with wireless technology connect through an access point (AP).

Access Layer devices such as switches and APs are a potential vulnerability in network security. Physical and remote access to this equipment should be limited to authorized personnel only. Securing the telecommunications room has become even more important because of the increasing occurrence of identity theft. New privacy legislation results in severe penalties if confidential data from a network falls into the wrong hands. Modern networking devices offer capabilities to help prevent these attacks and protect data and user integrity. Network personnel can also implement port security and other measures on switches, as well as various wireless security measures on APs.

2.1.3 - Telecommunication Room Design and Considerations The diagram depicts a network technician undertaking an audit on a rack of equipment.

Page 2: Many IDFs connect to a Main Distribution Facility (MDF) using an extended star design. The MDF is usually located in the NOC or centrally located within the building. MDFs are typically larger than IDFs. They house high-speed switches, routers, and server farms. The central MDF switches may have enterprise servers and disk drives connected using gigabit copper links. IDFs contain lower-speed switches, APs, and hubs. The switches in the IDFs typically have large numbers of Fast Ethernet ports for users to connect at the Access Layer.

The switches in the IDF usually connect to the switches in the MDF with Gigabit interfaces. This arrangement creates backbone connections, or uplinks. These backbone links, also called vertical cabling, may be copper or fiber-optic. Copper Gigabit or Fast Ethernet links are limited to a maximum of 100 meters and should use CAT5e or CAT6 UTP cable. Fiber-optic links can run much greater distances. Fiber-optic links commonly interconnect buildings and, because they do not conduct electricity, they are immune to lightning strikes, EMI, RFI, and differential grounds.
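The three troubleshooting rules from the NOC cabling page (label both ends with the same source/destination label, keep copper runs within the 100 m limit, test every run end-to-end) together with the copper uplink limit stated above, as an added Python check that is not from the course. It audits constructed cable records and reports which runs break a rule; fiber runs are exempt from the copper length limit. The label format MDF-R1-P1_IDF2-R1-P24 (rack and port at the source, then at the destination) is an assumed house convention, not one the course specifies.

```python
"""Cable-plan audit: label consistency, copper length limit, and test coverage.
Added example; the records and the label convention are constructed."""
import re

UTP_MAX_METERS = 100   # IEEE limit quoted on the page for Fast Ethernet over UTP

# Assumed house convention: <site>-R<rack>-P<port>_<site>-R<rack>-P<port>
LABEL_RE = re.compile(r"^[A-Z0-9]+-R\d+-P\d+_[A-Z0-9]+-R\d+-P\d+$")

# Constructed records: (label at end A, label at end B, medium, length in metres, tested end-to-end)
CABLE_RECORDS = [
    ("MDF-R1-P1_IDF2-R1-P24", "MDF-R1-P1_IDF2-R1-P24", "utp", 85.0, True),     # clean run
    ("MDF-R1-P2_IDF3-R1-P24", "MDF-R1-P2_IDF3-R1-P24", "utp", 112.0, True),    # over 100 m
    ("MDF-R2-P1_IDF4-R1-P1", "MDF-R2-P1_IDF4-R1-P2", "utp", 40.0, True),       # ends disagree
    ("MDF-R3-P1_BLDGB-R1-P1", "MDF-R3-P1_BLDGB-R1-P1", "fiber", 600.0, False), # never tested
    ("patch 7", "patch 7", "utp", 3.0, True),                                  # bad label
]


def check_cable(end_a, end_b, medium, length_m, tested):
    """Return the list of rule violations for one documented run (empty if clean)."""
    problems = []
    if end_a != end_b:
        problems.append("labels differ between ends")
    if not LABEL_RE.match(end_a):
        problems.append("label does not follow source_destination convention")
    if medium == "utp" and length_m > UTP_MAX_METERS:
        problems.append(f"UTP run {length_m:g} m exceeds {UTP_MAX_METERS} m")
    if not tested:
        problems.append("no end-to-end test recorded")
    return problems


def audit(records):
    """Map each failing run (keyed by its end-A label) to its findings; clean runs are omitted."""
    findings = {}
    for record in records:
        problems = check_cable(*record)
        if problems:
            findings[record[0]] = problems
    return findings


if __name__ == "__main__":
    for label, problems in audit(CABLE_RECORDS).items():
        print(label, "->", "; ".join(problems))
```

Keeping the length limit and the label pattern as named constants at the top is deliberate: when a site adopts a different convention or runs Gigabit over a different medium, the audit changes in one place rather than in every rule.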

2.1.3 - Telecommunication Room Design and Considerations The diagram depicts a main distribution facility (MDF) connected in an extended star topology. Either fiber-optic or UTP cable is used to connect a number of intermediate distribution facility (IDF) units within Building A. Only fiber-optic cable is used to connect two other IDF units, Building B and Building C.
MDF: POP; Routers; Gigabit switches; Gigabit links to IDFs; Servers; Disk Storage
IDF: Fast Ethernet switches; Gigabit link to MDF; Wireless APs

Page 3: In addition to providing basic network access connectivity, it is becoming more common to provide power to end-user devices directly from the Ethernet switches in the telecommunications room. Power over Ethernet, or PoE, provides power to a device over the same twisted pair cable that carries data. This allows an IP phone, for instance, to be located on a desk without the need for a separate power cord or a power outlet. These devices include IP phones, access points, and surveillance cameras. These devices are powered using the IEEE 802.3af standard.

In order to support PoE devices such as the IP phone, the connecting switch must have PoE capability. PoE can also be provided by power injectors or PoE patch panels for those switches which do not support PoE. Panduit and other suppliers produce PoE patch panels that allow non-PoE capable switches to participate in PoE environments. Legacy switches connect into the PoE patch panel, which then connects to the PoE capable device.

2.1.3 - Telecommunication Room Design and Considerations The diagram depicts a telecommunications room with a Power over Ethernet (PoE) switch distributing PoE to the following devices: Access point; IP-based camera; IP phone.

Page 4:

Switch at center of a star topology. The location of the POP and the point of demarcation vary in different countries.2.Service Delivery at the Point-of-Presence The diagram depicts a WAN. The POP may provide a direct link to one or more ISPs. wide area connections. or the demarc. While they are often located within the MDF of the customer. In an enterprise.1. Two. The service provider establishes the wide area links between these remote sites.2.A switch at the end of the star topology in the same building as the center switch. Six. Five.2.One of the links coming from the center switch of the star topology connecting to another switch in the same building.3 . The Main Office is .Another switch at the end of a cable in a separate building to the center switch.Another link connecting the center switch of the star topology to a switch in another building. Equipment from the service provider up to the point of demarcation is the responsibility of the provider. 2. Four. Eight. they may also be located at the ISP. The demarc provides a boundary that designates responsibility for equipment maintenance and troubleshooting between the service provider (SP) and customer. The remote sites of an enterprise are also interconnected through the POPs. and telephone services (PSTN). the POP provides links to outside services and sites. The POP contains a point of demarcation. All of the POPs of the schools and the Main Office are connected by a T1 link to the central WAN link.1 .1 Service Delivery at the Point-of-Presence Page 1: At the outer edge of the enterprise network is the Point-of-Presence (POP) which provides an entry point for services to the enterprise network. Scenarios One. Three. Externally-provided services coming in through the POP include Internet access.Another switch at the end of the star topology in the same building as the center switch. consisting of four schools and a School District Main Office. 
which allows internal users the required access to the Internet.2 Supporting the Enterprise Edge 2.Telecommunication Room Design and Considerations The diagram depicts an activity in which you must decide whether the location in each scenario is suitable for an MDF or I DF. 2. Nine. Seven. anything past the demarc point is the responsibility of the customer. Also identify the appropriate cables to connect them.Another link coming from the center switch of the star topology connecting to another switch in the same building. either fiber-optic or U T P.A switch at the end of a cable in a separate building to the center switch.A link connecting the center switch of the star topology to a switch in another building.

2.2.2 Security Considerations at the Enterprise Edge
Page 1: Large enterprises usually consist of multiple sites that interconnect. Multiple locations may have edge connections at each site connecting the enterprise to other individuals and organizations. All traffic in or out of the organization goes through the edge. The edge is the point of entry for outside attacks and is a point of vulnerability. Attacks at the edge can affect thousands of users. For example, Denial of Service (DoS) attacks prevent access to resources for legitimate users inside or outside the network, affecting productivity for the entire enterprise. Edge devices must be configured to defend against attacks and provide filtering based on website, IP address, traffic pattern, application, and protocol. An organization can deploy a firewall, access control lists (ACLs), and security appliances with intrusion detection system (IDS) and intrusion prevention system (IPS) at the edge to protect the network. External network administrators require access for internal maintenance and software installation. Virtual private networks (VPNs), user IDs, and passwords provide that access. VPNs also allow remote workers access to internal resources.

2.2.2 - Security Considerations at the Enterprise Edge
The diagram depicts a network of four buildings: Site A, Site B, Site C, and HQ, which is the edge. HQ is connected to a PSTN and the Internet via a T1 link. All of the schools connect to the Internet via the Main Office. Traffic from the Main Office to the Internet travels through a T3 link. All buildings in the network are exposed to outside attacks. The edge is labeled FW, IDS, DMZ, ACL, VPN, and IPS.

2.2.3 Connecting the Enterprise Network to External Services
Page 1: The network connection services commonly purchased by an enterprise include leased lines, T1/E1 or business class, Frame Relay, and ATM. Physical cabling brings these services to the enterprise using copper wires, as in the case of T1/E1, or fiber-optic cable for higher-speed services. The POP must contain certain pieces of equipment to obtain whichever WAN service is required. For example, to obtain T1/E1 service, the customer may require a punchdown block to terminate the T1/E1 circuit, as well as a Channel Service Unit / Data Service Unit (CSU/DSU) to provide the proper electrical interface and signaling for the service provider. This equipment may be owned and maintained by the service provider or may be owned and maintained by the customer. Regardless of ownership, all equipment located within the POP at the customer site is referred to as Customer Premise Equipment (CPE).

2.2.3 - Connecting the Enterprise Network to External Services
The diagram depicts a connection from an ISP to a host (end user). The punchdown block is connected to the ISP web server via a T1 circuit. The CSU/DSU is connected to a punchdown block. The DMZ router is connected to a CSU/DSU. The internal router is connected to a DMZ switch, which is connected to a DMZ router/firewall. The internal switch is connected to an internal router. The host is connected to an internal switch (MDF/IDF). A label, De-marc, says: The point of demarcation, or de-marc, can vary depending on the SLA with the service provider.

Page 2: 2.2.3 - Connecting the Enterprise Network to External Services
The diagram depicts an activity in which you must specify the components, in order, needed to connect a service from the edge to the internal network. Begin with the component needed to connect to the service provider, and end with the end user.
Components: DMZ switch, punchdown block, internal switch, DMZ router, T1 circuit, CSU/DSU, internal router.

2.3 Reviewing Routing and Switching
2.3.1 Router Hardware
Page 1: One important device in the Distribution Layer of an enterprise network is a router. All hosts on a local network specify the IP address of the local router interface in their IP configuration. This router interface is the default gateway. The router provides access to other private networks as well as to the Internet. Without the routing process, packets could not leave the local network.

Routers play a critical role in networking by interconnecting multiple sites within an enterprise network, providing redundant paths, and connecting ISPs on the Internet. Routers can also act as a translator between different media types and protocols. For example, a router can re-encapsulate packets from an Ethernet to a Serial encapsulation. Routers use the network portion of the destination IP address to route packets to the proper destination. They select an alternate path if a link goes down or traffic is congested. Routers also serve other beneficial functions:
• Provide broadcast containment
• Connect remote locations
• Group users logically by application or department
• Provide enhanced security (using NAT and ACLs)

Broadcast Containment: Routers in the Distribution Layer limit broadcasts to the local network where they need to be heard. Although broadcasts are necessary, too many hosts connected on the same local network generate excessive broadcast traffic and slow down the network.
Locations: Routers in the Distribution Layer can interconnect local networks at various locations of an organization, some of which may be geographically separated.
Logical Grouping: Routers in the Distribution Layer logically group users, such as departments within a company, who have common needs or require access to the same resources.
Security: Routers in the Distribution Layer separate and protect certain groups of computers where confidential information resides. Routers also hide the addresses of internal computers from the outside world to help prevent attacks, and control who gets into or out of the local network.

With the enterprise and the ISP, the ability to route efficiently and recover from network link failures is critical to delivering packets to their destination.

2.3.1 - Router Hardware
The diagram depicts four boxes, each housing a different network topology configuration. The four boxes are labeled Broadcast Containment, Locations, Logical Grouping, and Security. A brief description of each is given. The Broadcast Containment box in the diagram displays one distribution router connected to two switches with four computers directly connected to each switch. The Location box in the diagram displays two sites labeled A and B, each housing a small corporate network. The routers in both these sites have been linked by a virtual link to indicate communication between them. The Logical Grouping box in the diagram displays two logical blocks, Accounting and Engineering, each having a dedicated network. Each is connected to the same distribution router. The individual networks have been labeled Accounting and Engineering. The Security box in the diagram displays a distribution router and two directly connected switches. This router is directly connected to the two switches. Each switch is directly connected to four computers.

Page 2: Routers come in many shapes and sizes called form factors, from a small desktop to a rackmounted or blade model. Network administrators in an enterprise environment should be able to support a variety of routers and switches. Routers can also be categorized as fixed configuration or modular. With the fixed configuration, the desired router interfaces are built-in. Modular routers come with multiple slots that allow a network administrator to change the interfaces on the router. As an example, a Cisco 1841 router comes with two Fast Ethernet RJ-45 interfaces built-in, and two slots that can accommodate many different network interface modules. Routers come with a variety of different interfaces, such as Fast Ethernet, Gigabit Ethernet, Serial, and Fiber-Optic. Router interfaces use the controller/interface or controller/slot/interface conventions. For example, using the controller/interface convention, the first Fast Ethernet interface on a router is numbered as Fa0/0 (controller 0 and interface 0). The second is Fa0/1. The first serial interface on a router, which uses controller/slot/interface, is S0/0/0.

2.3.1 - Router Hardware
The diagram depicts different types of Cisco networking hardware. The Cisco networking devices and their market groups are listed below, as well as three enterprise levels at which the device is aimed.
Teleworker / Small Office - Hardware types: 800 Series, Linksys devices
Branch Offices and Small to Medium-size Business - Hardware types: 1800 Series, 2800 Series, 3800 Series
Head Office / WAN Aggregation - Hardware types: 7600 Series, Catalyst 6500 Series, 7200 Series

Page 3: Two methods exist for connecting a PC to a network device for configuration and monitoring tasks: out-of-band and in-band management.

Out-of-band management is used for initial configuration or when a network connection is unavailable. Configuration using out-of-band management requires:
• Direct connection to console or AUX port
• Terminal emulation client
In-band management is used to monitor and make configuration changes to a network device over a network connection. Configuration using in-band management requires:
• At least one network interface on the device to be connected and operational
• Telnet, SSH, or HTTP to access a Cisco device

2.3.1 - Router Hardware
The diagram depicts two types of connections for configuration, out-of-band and in-band router configuration, described below.
Out-of-band Router Configuration: The connection is accomplished by a host connecting to a client through the console port of a router, or by the router AUX port connected to a modem through the PSTN network to a modem and client computers.
In-band Router Configuration: The connection is accomplished via the Ethernet interface on the router connected to a PC. The second part of this image depicts a router connected to a PC via an IP network.

2.3.2 Basic Router CLI Show Commands
Page 1: Here are some of the most commonly used IOS commands to display and verify the operational status of the router and related network functionality. These commands are divided into several categories.
General Use:
• show running-config
• show startup-config
• show version
Routing Related:

• show ip protocols
• show ip route
Interface Related:
• show interfaces
• show ip interface brief
• show protocols
Connectivity Related:
• show cdp neighbors
• show sessions
• show ssh
• ping
• traceroute

2.3.2 - Basic Router CLI show Commands
The diagram depicts a table of the commonly used show commands for router information display. The table headings include Full Command, Abbreviation, and Purpose / Information Displayed, listed below from left to right. The commands are categorized by General Use, Routing Related, Interface Related, and Connectivity Related.
General Use
show running-config (sh run): Displays current config running in RAM. Includes host name, passwords, interface IP addresses, routing protocol activated, DHCP, and NAT configuration. Must be issued in EXEC mode.
show startup-config (sh star): Displays backup config in NVRAM. May be different if running config has not been copied to backup. Must be issued in EXEC mode.
show version (sh ve): Displays IOS version, ROM version, router uptime, system image file name, number and type of interfaces installed, amount of RAM, NVRAM and flash, boot method, and configuration register value.
Routing Related
show ip protocols (sh ip pro): Displays information for routing protocols configured including timer settings, update intervals, version numbers, active interfaces, and networks advertised.
show ip route (sh ip ro): Displays routing table information including routing code, networks known, how they were learned, last update, next hop, admin distance and metric, interface learned via, and any static routes (including default routes) configured.
Interface Related
show interfaces (type#) (sh int f0/0): Displays one or all interfaces with line (protocol) status, bandwidth, delay, duplex, encapsulation, reliability, and I/O statistics.
show ip interface brief (sh ip int br): Displays all interfaces with IP address, interface status (up/down/admin down) and line protocol status (up/down).
show protocols (sh prot): Displays information for routing protocols configured including timer settings, update intervals, version numbers, active interfaces, and networks advertised.
Connectivity Related
show cdp neighbors detail (sh cdp ne): Displays information on directly connected devices including Device ID (host name), local interface where device is connected, capability (R=router, S=switch), platform (e.g. 2620XM), and port ID of the remote device. The details option provides the IP address of the other device as well as the IOS version.
show sessions (sh ses): Displays telnet sessions (VTY) with remote hosts. Displays session number, host name, and address.
show ssh (sh ssh): Displays SSH server connections with remote hosts.
ping (IP or hostname) (p): Sends five ICMP echo requests to an IP address or host name (if DNS is available) and displays min, max and average time to respond.
traceroute (IP or host) (tr): Sends echo requests with varying TTL. Lists routes (hops) in path and time to respond.

Page 2: 2.3.2 - Basic Router CLI show Commands
The diagram depicts the show commands and the outputs to the screen when a command is issued. The physical topology shows the H1 client connected to the switch, S1. Also directly connected to S1 is Router R1. The Fast Ethernet port Fa0/0 is in use for this network. The network address for this network is 192.168.1.0/24. The router's serial port S0/0 is in use and has the DCE clock rate configured. A serial link has been established between R1 and R2. R2's serial port S0/0/0 is in use, and the network address is 192.168.2.0/24. R2's Fast Ethernet port Fa0/0 is directly connected to the H2 client. The commands used to show router configuration information are listed below with their associated outputs.

***show running .0.168.1 255.252 no fair-queue .2 255.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption hostname Router boot-start-marker boot-end-marker enable secret 5 $1$jX.255.15.255.168.255.P$R5n..0 duplex auto speed auto interface FastEthernet0/1 no ip address shutdown duplex auto speed auto interface Serial0/0/0 ip address 192.255.config*** Building configuration.. Current configuration : 422 bytes version 12.pyoUSgEgZgJz9otjd1 enable password cisco no aaa new-model resource policy ip subnet-zero ip cef interface FastEthernet0/0 ip address 192.2 service timestamps debug uptime service timestamps log uptime no service password-encryption hostname Router ip subnet-zero interface FastEthernet0 no ip address shutdown speed auto interface Serial0 no ip address shutdown no fair-queue interface Serial1 no ip address shutdown ip classless no ip http server line con 0 line aux 0 line vty 0 4 no scheduler allocate end Router# ***show startup-config*** Using 831 out of 245752 bytes version 12.

EARLYDEPLOYMENT RELEASE SOFTWARE (fc1) Synched to technology version 12.0 0.168.0.0.8)T2 TAC Support: http://www. 16384K bytes of processor board System flash (Read/Write) Configuration register is 0x2102 ***show ip protocols*** Routing Protocol is "ospf 1" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Router ID 192.15. mask 2 Bridging software.0.2(7r)XM1.cisco. Version 3. with hardware revision 0000 MPC860P processor: part number 5. 1 normal 0 stub 0 nssa Maximum path: 4 Routing for Networks: 192.0.2 Number of areas in this router is 1.0. X.3 area 0 Routing Information Sources: Gateway Distance Last Update .122-4.0. Version 12. RELEASE SOFTWARE (fc1) ROM: C1700 Software (C1700-Y-M).0 0.0. Processor board ID FOC070701ZH (2882989793).clock rate 64000 interface Serial0/0/1 no ip address shutdown clock rate 125000 ip classless ip http server control-plane line con 0 password cisco login line aux 0 line vty 0 4 password cisco login scheduler allocate 20000 1000 end ***show version*** Cisco Internetwork Operating System Software IOS (tm) C1700 Software (C1700-Y-M). Version 12. EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) Router uptime is 3 minutes System returned to ROM by power-on System image file is "flash:C1700-Y-MZ.255 area 0 192. data-base: 0x807D8744 ROM: System Bootstrap.25 software. Compiled Fri 15-Mar-02 20:32 by ealyon Image text-base: 0x80008124.YB.2(4)YB.bin" cisco 1721 (MPC860P) processor (revision 0x100) with 29492K/3276K bytes of memory.168.com/tac Copyright (c) 1986-2002 by cisco Systems.168.15.3 interface(s) 2 Low-speed serial(sync/async) network interface(s) 32K bytes of non-volatile configuration memory. 1 FastEthernet/IEEE 802. Version 12.2(4)YB. Inc.2(6.

3445 (bia 000b.per-user static route.1 110 00:42:45 Distance: (default is 110) ***show ip route*** Codes: C .IS-IS inter area * . rxload 1/255 Encapsulation HDLC. loopback not set Keepalive set (10 sec) Auto-duplex. 0 underruns . reliability 255/255. 0 giants. ia . U . 0 runts.OSPF external type 1. 0 frame. 0 abort 0 packets output. txload 1/255. N2 . BW 100000 Kbit. 100BaseTX/FX ARP type: ARPA. Total output drops: 0 Queueing strategy: fifo Output queue :0/40 (size/max) 5 minute input rate 0 bits/sec. 0 output buffers swapped out Serial0 is administratively down.192. BW 128 Kbit.periodic downloaded static route Gateway of last resort is not set ***show interfaces*** FastEthernet0 is administratively down. O . ARP Timeout 04:00:00 Last input never. L2 . 0 no buffer Received 0 broadcasts. 0 packets/sec 5 minute output rate 0 bits/sec. 0 no carrier 0 output buffer failures.static.ODR P . 0 bytes. reliability 252/255. 0 interface resets 0 babbles. M .IS-IS level-1.candidate default. output never. 2334 bytes. E2 . output 00:07:54. B .IS-IS.IGRP. 0 packets/sec 5 minute output rate 0 bits/sec.be96. 0 overrun. S . 0 packets/sec 0 packets input. Total output drops: 0 Queueing strategy: fifo Output queue :0/40 (size/max) 5 minute input rate 0 bits/sec. L1 . DLY 20000 usec. 0 runts.3445) MTU 1500 bytes. address is 000b.IS-IS level-2. 0 late collision.OSPF NSSA external type 2 E1 . output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes). E . EX . 0 bytes. 10Mb/s. I . o . 0 underruns 11 output errors. 0 ignored.EIGRP external.OSPF. 0 frame. IA .EIGRP.15.BGP D .be96. 0 CRC. 0 packets/sec 0 packets input.EGP i .mobile.OSPF external type 2. 0 giants.OSPF NSSA external type 1. 0 throttles 0 input errors. loopback not set Keepalive set (10 sec) Last input never. 0 collisions.connected.OSPF inter area N1 .RIP. DLY 100 usec. 
output hang never Last clearing of "show interface" counters 00:07:57 Input queue: 0/75/0/0 (size/max/drops/flushes). rxload 1/255 Encapsulation ARPA. 0 overrun. 0 bytes Received 0 broadcasts. 0 throttles 0 input errors. 0 CRC.168. txload 1/255. 0 ignored 0 watchdog 0 input packets with dribble condition detected 11 packets output. R . 0 deferred 11 lost carrier. line protocol is down Hardware is PQUICC_FEC. line protocol is down Hardware is PowerQUICC Serial MTU 1500 bytes.

0 frame. 0 ignored.Trans Bridge. DLY 20000 usec.Router. 0 bytes. output never.2. 0 output buffers swapped out 0 carrier transitions DCD=down DSR=down DTR=down RTS=down CTS=down Serial1 is administratively down. 0 overrun.Source Route Bridge S . T . 0 runts. line protocol is down Serial0 is administratively down. 0 collisions. 0 underruns 0 output errors. r . H . 0 output buffers swapped out 0 carrier transitions DCD=down DSR=down DTR=down RTS=down CTS=down Router# ***show ip interfaces brief*** InterfaceIP-AddressOK?MethodStatusProtocol FastEthernet0/0 192.1. 0 CRC. reliability 255/255.168.Host. output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes).1YESNVRAMupup BRI0/0unassignedYESNVRAMadministratively down down BRI0/0:1unassignedYESNVRAMadministratively down down BRI0/0:2unassignedYESNVRAMadministratively down down FastEthernet0/1 unassignedYESNVRAMadministratively down down Serial0/0/1unassignedYESNVRAMadministratively down down ***show protocols*** Global values: Internet Protocol routing is enabled FastEthernet0 is administratively down. BW 128 Kbit. Total output drops: 0 Queueing strategy: weighted fair Output queue: 0/1000/64/0 (size/max total/threshold/drops) Conversations 0/0/32 (active/max active/max total) Reserved Conversations 0/0 (allocated/max allocated) Available Bandwidth 96 kilobits/sec 5 minute input rate 0 bits/sec.1YESNVRAMupup Serial0/0/0192.IGMP. txload 1/255. 0 collisions. line protocol is down Router# ***show cdp neighbors*** Capability Codes: R . 0 interface resets 0 output buffer failures. 0 bytes.168. rxload 1/255 Encapsulation HDLC. 0 no buffer Received 0 broadcasts.Switch. line protocol is down Hardware is PowerQUICC Serial MTU 1500 bytes. I . loopback not set Keepalive set (10 sec) Last input never.Repeater Device ID Local Intrfce Holdtme Capability Platform Port ID Router# . 0 packets/sec 5 minute output rate 0 bits/sec. 0 throttles 0 input errors. 
line protocol is down Serial1 is administratively down. 1 interface resets 0 output buffer failures. 0 giants.0 output errors. 0 abort 0 packets output. B . 0 packets/sec 0 packets input.

Page 3: 2.3.2 - Basic Router CLI show Commands
The diagram depicts an activity in which you must match the command with the scenario that best describes it.
Commands
1. show sessions
2. show startup-config
3. show ip interface brief
4. show interfaces s0/0/0
5. show protocols
6. show ip route
7. show ip protocols
8. show running-config
9. show cdp neighbors detail
10. show version
Scenario
One. You are on a call with Cisco tech support and you need to tell them the name of the router IOS system image file. You also need to know the amount of RAM, NVRAM, and flash in the router.
Two. You suspect there is a problem with a serial interface on the router. You want to see the bandwidth, encapsulation, and I/O statistics.
Three. You need to get a quick list of interfaces on the router with their IP addresses and status. You do not need to see the subnet mask.
Four. You have used Telnet to connect to several different routers and wish to see what connections you have open.
Five. You are running RIP routing protocols and need to know the timer settings, update intervals and what active interfaces and networks are currently being advertised.
Six. Your users cannot get to a particular network. You need to know if the router has a route to that network and how it was learned.
Seven. You want to find out the model number of the router and the IOS version the router is running.
Eight. You think the serial interface of the router at a remote site has an incorrectly configured IP address, and you need the IP address of the remote interface.
You suspect there is a problem with the current router configuration and want to see the backup configuration to compare it.

2.3.3 Basic Router Configuration Using CLI
Page 1: A basic router configuration includes the hostname for identification, passwords for security, and assignment of IP addresses to interfaces for connectivity. Verify and save configuration changes using the copy running-config startup-config command. To clear the router configuration, use the erase startup-config command and then the reload command.
Configuration Management:

• enable
• configure terminal
• copy running-config startup-config
• erase startup-config
• reload
Global Settings:
• hostname
• banner motd
• enable password
• enable secret
Line Settings:
• line con
• line aux
• line vty
• login and password
Interface Settings:
• interface type/number
• description
• ip address
• no shutdown
• clock rate
• encapsulation
Routing Settings:
• router
• network
• ip route
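The commands above produce a running-config that a reviewer would normally inspect before the router goes into service. As an added example (not part of the course or of Cisco's tooling), the Python script below parses a saved running-config and flags the settings the walkthrough leaves in place: a clear-text enable password kept beside enable secret, service password-encryption turned off, ip http server enabled, line passwords set to well-known values, and vty lines that still accept Telnet. The sample configuration, the section parser and the weak-password list are constructed for this example.

```python
"""Audit a saved Cisco IOS running-config for weak management settings.

Added example, not course material: the parser, the check wording, the
weak-password list and the sample configuration are constructed here.
"""
from typing import Dict, List, Tuple

# Constructed sample: the R1 configuration from the walkthrough, laid out
# the way 'show running-config' prints it (indented sub-commands, '!' separators).
SAMPLE_RUNNING_CONFIG = """\
no service password-encryption
!
hostname R1
!
enable secret 5 $drgadgr$dfjladflkj$dfsdfsdfsdf/vsdfgd
enable password cisco
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0/0/0
 description WAN link to R2
 ip address 192.168.2.1 255.255.255.0
 encapsulation ppp
!
ip route 0.0.0.0 0.0.0.0 192.168.2.2
ip http server
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end
"""

# Lines that open a configuration section; the section runs to the next '!' or header.
SECTION_PREFIXES = ("interface ", "line ", "router ")
# Values used by the course walkthrough and by factory defaults (constructed list).
WEAK_PASSWORDS = {"cisco", "class", "password", "admin"}

Finding = Tuple[str, str]  # (severity, message)


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and {section header: sub-commands}.

    Every line is stripped and lower-cased, so a config pasted from a console
    (no indentation, mixed case) parses the same as the router's own output.
    """
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        if line in ("!", "end"):
            current = None
        elif line.startswith(SECTION_PREFIXES):
            current = line
            sections[current] = []
        elif current is None:
            global_cmds.append(line)
        else:
            sections[current].append(line)
    return global_cmds, sections


def audit_config(text: str) -> List[Finding]:
    """Return (severity, message) findings for the weak settings named above."""
    global_cmds, sections = parse_config(text)
    findings: List[Finding] = []

    if "no service password-encryption" in global_cmds:
        findings.append(("medium", "service password-encryption is off: line passwords are stored in clear text"))

    has_secret = any(c.startswith("enable secret ") for c in global_cmds)
    enable_pw = next((c for c in global_cmds if c.startswith("enable password ")), None)
    if enable_pw is not None:
        value = enable_pw.split(" ", 2)[2]
        if has_secret:
            findings.append(("high", "enable password is set alongside enable secret; the secret is the one "
                                     "used, so the clear-text password only leaks a credential: remove it"))
        if value in WEAK_PASSWORDS:
            findings.append(("high", f"enable password is the well-known value '{value}'"))

    if "ip http server" in global_cmds:
        findings.append(("medium", "ip http server is enabled: in-band HTTP management is unencrypted"))

    for name, body in sections.items():
        if not name.startswith("line "):
            continue
        pw_cmd = next((c for c in body if c.startswith("password ")), None)
        if pw_cmd is not None and pw_cmd.split(" ", 1)[1] in WEAK_PASSWORDS:
            findings.append(("high", f"{name}: password is the well-known value '{pw_cmd.split(' ', 1)[1]}'"))
        authenticated = "login" in body or "login local" in body
        if name.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(("high", f"{name}: transport input ssh not set, so Telnet is still accepted"))
            if not authenticated:
                findings.append(("high", f"{name}: no login command, so remote sessions are not authenticated"))
        if name.startswith("line aux") and not authenticated and "no exec" not in body:
            findings.append(("medium", f"{name}: a modem on the AUX port would reach an unauthenticated EXEC prompt"))
    return findings
```

Run against a hardened configuration (enable secret only, service password-encryption, login local with transport input ssh on the vty lines, no exec on the AUX line, HTTP server off) the same function returns no findings.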

2.3.3 - Basic Router Configuration Using CLI
The diagram depicts the general commands that are entered to configure the router. The commands are listed below as they would be entered into the CLI.
Configuration Commands
Router> enable
Router# configure terminal
Router(config)# hostname R1
R1(config)# banner motd %Unauthorised access prohibited%
R1(config)# enable password cisco
R1(config)# enable secret class
R1(config)# line con 0
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# interface fastethernet 0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface serial 0/0/0
R1(config-if)# ip address 192.168.2.1 255.255.255.0
R1(config-if)# clockrate 64000
R1(config-if)# no shutdown
R1(config-if)# description WAN link to R2
R1(config-if)# encapsulation ppp
R1(config-if)# router rip
R1(config-router)# version 2
R1(config-router)# network 192.168.1.0
R1(config-router)# network 192.168.2.0
R1(config-router)# exit
R1(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2
R1(config)# end
R1#
Aug 9 16:09:25.423: %SYS-5-CONFIG_I: Configured by console from console
R1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#
The command show running-config is entered and the output is as follows:
R1# show running-config
(Note: Some output is omitted)
Building configuration...
Current configuration: 1177 bytes
Version 12.4
Hostname R1
Enable secret 5 $drgadgr$dfjladflkj$dfsdfsdfsdf/vsdfgd
Enable password cisco
Interface fastethernet0/0
Ip address 192.168.1.1 255.255.255.0
Duplex auto
Speed auto
Interface serial0/0/0
Description WAN link to R2
Ip address 192.168.2.1 255.255.255.0
Encapsulation ppp
Router rip
Version 2
Network 192.168.1.0
Network 182.168.2.0
Ip route 0.0.0.0 0.0.0.0 192.168.2.2
Banner motd %Unauthorised access prohibited%
Line con 0
Password cisco
login
line aux 0
Line vty 0 4
Password cisco
Login

Page 2: Packet Tracer Activity
Practice basic router configuration and verification commands. Click the Packet Tracer icon to begin.
2.3.3 - Basic Router Configuration Using CLI
Link to Packet Tracer Exploration: Basic Router Configuration Using CLI. Practice basic router configuration and verification commands.

2.3.4 Switch Hardware
Page 1: Although all three layers of the hierarchical design model contain switches and routers, the Access Layer generally has more switches. The main function of switches is to connect hosts such as end user workstations, servers, IP phones, web cameras, access points and routers. This means that there are many more switches in an organization than routers. Switches come in many form factors:
• Small standalone models sit on a desk or mount on a wall.

• Integrated routers include a switch built into the chassis that is rack mounted.
• High-end switches mount into a rack and are often a chassis and blade design to allow more blades to be added as the number of users increases.
Like routers, switch ports are also designated using the controller/port or controller/slot/port conventions. For example, using the controller/port convention, the first Fast Ethernet port on a switch is numbered as Fa0/1 (controller 0 and port 1). The second is Fa0/2. The first port on a switch that uses controller/slot/port is Fa0/0/1. Gigabit ports are designated as Gi0/1, Gi0/2 etc.

2.3.4 - Switch Hardware
The diagram depicts a graph plotting the Hierarchical Design Model against Organization Size Density. Listed below is the Organization Size and the switching devices at each level. Also listed at each organization size density is the Hierarchical Design model reference.
Small Business - Wiring Closet Devices: Catalyst Express 500, Catalyst 2960
Medium-Sized - Wiring Closet Devices: Catalyst 3560, Catalyst 3750
Medium-Sized - Data Center Access Devices: Blade switches
Small to Medium Sized - Distribution Core Devices: Catalyst 4500
Large-Sized - Wiring Closet Devices: Catalyst 4500, Catalyst 3560-E, Catalyst 3750-E, Catalyst 6500
Large-Sized - Data Center Access Devices: Catalyst 4948
Large Organization - Data Center Access Devices: Catalyst 6500
Large-Sized - Distribution Core Devices: Catalyst 6500

Page 2: High-end enterprise and service provider switches support ports of varying speeds, from 100 MB to 10 GB. Some high-end switches have modular ports that can be changed if needed. For example, it might be necessary to switch from multimode fiber to single mode fiber, which would require a different port. An enterprise switch in an MDF connects other switches from IDFs using Gigabit fiber or copper cable. An IDF switch typically needs both RJ-45 Fast Ethernet ports for device connectivity and at least one Gigabit Ethernet port (copper or fiber) to uplink to the MDF switch.

Port density on a switch is an important factor. In an enterprise environment where hundreds or thousands of users need switch connections, a switch with a 1RU height and 48 ports has a higher port density than a 1RU 24-port switch.

2.3.4 - Switch Hardware
The diagram depicts a switch. The switch is a 48-port managed device with ports capable of operating at speeds of 10/100/1000 Mbps. There are also two 10 GB fiber-optic ports used as uplinks to other local network segments.

2.3.5 Basic Switch CLI Commands
Page 1: Switches make use of common IOS commands for configuration, to check for connectivity and to display current switch status. These commands can be divided into several categories, as follows:
General Use:
• show running-config
• show startup-config
• show version
Interface / Port Related:
• show interfaces
• show ip interface brief
• show port-security
• show mac-address-table
Connectivity Related:
• show cdp neighbors
• show sessions
• show ssh
• ping

• traceroute
The same in-band and out-of-band management techniques that apply to routers also apply to switch configuration. Note that router interfaces start numbering at 0, while switch interfaces start at 1. For example, a Fast Ethernet interface on a router would start at fa0/0, whereas the first port on a switch would be referenced as fa0/1.

2.3.5 - Basic Switch CLI Commands
The diagram depicts a table of the basic switch commands. The table headings include Full Command, Abbreviation, and Purpose / Information Displayed, listed below from left to right. The commands are categorized by General Use, Interface/Port Related, and Connectivity Related.
General Use
show running-config (sh run): Displays current config running in RAM. Includes hostname, passwords, interface IP addresses, routing protocol activated, DHCP and NAT configuration. Must be issued in EXEC mode.
show startup-config (sh star): Displays backup config in NVRAM. May be different if running config has not been copied to backup. Must be issued in EXEC mode.
show version (sh ve): Displays IOS version, ROM version, router uptime, system image file name, number and type of interfaces installed, amount of RAM, NVRAM and flash, boot method, and configuration register value.
Interface/Port Related
show interfaces (type#) (sh int f0/0): Displays one or all interfaces with line (protocol) status, bandwidth, delay, duplex, encapsulation, reliability, and I/O statistics.
show ip interface brief (sh ip int br): Displays all interfaces with IP address, interface status (up/down/admin down) and line protocol status (up/down).
show port-security (sh por): Shows any ports where security has been activated along with max addresses allowed, current count, security violation count, and action to take (usually shutdown).
show mac-address-table (sh mac-a): Displays all MAC addresses the switch has learned, how learned (dynamic or static), the port number and the VLAN the port is in.
Connectivity Related
show cdp neighbors (detail) (sh cdp ne): Displays information on directly connected devices including Device ID (host name), local interface where device is connected, capability (R=router, S=switch), platform (e.g. 2620XM), and port ID of the remote device. The details option provides the IP address of the other device as well as the IOS version.
show sessions (sh ses): Displays telnet sessions (VTY) with remote hosts. Displays session number, host name, and address.
show ssh (sh ssh): Displays SSH server connections with remote hosts.
ping (ip or hostname) (p): Sends 5 ICMP echo requests to an IP address or host name (if DNS is available) and displays min, max and average time to respond.
traceroute (ip or hostname) (tr): Sends echo requests with varying TTL. Lists routes (hops) in path and time to respond.

Page 2:

2.3.5 - Basic Switch CLI Commands
The diagram depicts the show commands and the outputs to the screen when a command is issued. The physical topology has the PC1 client connected to the switch, S1. Also directly connected to S1 is Router R1. The Fast Ethernet port Fa0/0 is in use for this network. The network address for this network is 192.168.1.0/24. R1's serial port S0/0 is in use and has the DCE clock rate configured. A serial link has been established between R1 and R2. R2's serial port S0/0/0 is in use, and the network address is 192.168.2.0/24. R2's Fast Ethernet port Fa0/0 is directly connected to the PC2 client. The commands used to show router configuration information are listed below with their associated outputs; the outputs are the same as those shown under 2.3.2 above.

Version 3. Version 12.0.8)T2 TAC Support: http://www. Version 12.255. 1 FastEthernet/IEEE 802.2(4)YB.2(7r)XM1.168.2 255.15. Compiled Fri 15-Mar-02 20:32 by ealyon Image text-base: 0x80008124.cisco. 16384K bytes of processor board System flash (Read/Write) Configuration register is 0x2102 .255.bin" cisco 1721 (MPC860P) processor (revision 0x100) with 29492K/3276K bytes of memory.2(6.0 duplex auto speed auto interface FastEthernet0/1 no ip address shutdown duplex auto speed auto interface Serial0/0/0 ip address 192.255.ip address 192. Version 12.3 interface(s) 2 Low-speed serial(sync/async) network interface(s) 32K bytes of non-volatile configuration memory. data-base: 0x807D8744 ROM: System Bootstrap. X. EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) Router uptime is 3 minutes System returned to ROM by power-on System image file is "flash:C1700-Y-MZ. EARLYDEPLOYMENT RELEASE SOFTWARE (fc1) Synched to technology version 12.122-4.com/tac Copyright (c) 1986-2002 by cisco Systems.25 software.0.1 255. with hardware revision 0000 MPC860P processor: part number 5.252 no fair-queue clock rate 64000 interface Serial0/0/1 no ip address shutdown clock rate 125000 ip classless ip http server control-plane line con 0 password cisco login line aux 0 line vty 0 4 password cisco login scheduler allocate 20000 1000 end ***show version*** Cisco Internetwork Operating System Software IOS (tm) C1700 Software (C1700-Y-M).YB. Inc.255. RELEASE SOFTWARE (fc1) ROM: C1700 Software (C1700-Y-M).2(4)YB.168. Processor board ID FOC070701ZH (2882989793).0. mask 2 Bridging software.

Gateway of last resort is not set

Router# ***show interfaces***
FastEthernet0 is administratively down, line protocol is down
  Hardware is PQUICC_FEC, address is 000b.be96.3445 (bia 000b.be96.3445)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 252/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, 10Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:07:54, output hang never
  Last clearing of "show interface" counters 00:07:57
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     11 packets output, 2334 bytes, 0 underruns
     11 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     11 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Serial0 is administratively down, line protocol is down
  Hardware is PowerQUICC Serial
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rx​load 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=down  DSR=down  DTR=down  RTS=down  CTS=down
Serial1 is administratively down, line protocol is down
  Hardware is PowerQUICC Serial
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/32 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 96 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=down  DSR=down  DTR=down  RTS=down  CTS=down
Router#

***show port-security***
S1# show port-security
Secure Port  Max Secure Address  Current Address  Security Violation  Security Action
Total addresses in system (excluding one mac per port)
Max addresses limit in system (excluding one mac per port)

***show mac-address-table***
S1# show mac-address-table
          MAC Address Table
VLAN    MAC Address       Type       Ports
All     0014.6a46.2480    Static     CPU
All     0100.0ccc.cccc    Static     CPU
All     0100.0ccc.cccd    Static     CPU
All     0100.0cdd.dddd    Static     CPU
1       000b.be02.0744    Dynamic    Fa0/1
1       000c.29ff.a841    Dynamic    Fa0/1
1       000c.29c4.758e    Dynamic    Fa0/2
1       0014.6a46.e1c8    Dynamic    Fa0/2
1       000c.2999.9e26    Dynamic    Fa0/3
1       0016.763f.e1c9    Dynamic    Fa0/3
1       0014.6954.935d    Dynamic    Fa0/3
Total MAC addresses for this criterion: 11

***show ip interface brief***
S1# show ip interface brief
Interface              IP-Address    OK?  Method  Status                 Protocol
FastEthernet0/1        unassigned    YES  manual  up                     up
FastEthernet0/2        unassigned    YES  manual  up                     up
FastEthernet0/3        unassigned    YES  manual  down                   down
FastEthernet0/4        unassigned    YES  manual  down                   down
FastEthernet0/5        unassigned    YES  manual  down                   down
FastEthernet0/6        unassigned    YES  manual  down                   down
FastEthernet0/7        unassigned    YES  manual  down                   down
FastEthernet0/8        unassigned    YES  manual  down                   down
FastEthernet0/9        unassigned    YES  manual  down                   down
FastEthernet0/10       unassigned    YES  manual  down                   down
FastEthernet0/11       unassigned    YES  manual  down                   down
FastEthernet0/12       unassigned    YES  manual  down                   down
FastEthernet0/13       unassigned    YES  manual  down                   down
FastEthernet0/14       unassigned    YES  manual  down                   down
FastEthernet0/15       unassigned    YES  manual  down                   down
FastEthernet0/16       unassigned    YES  manual  down                   down
FastEthernet0/17       unassigned    YES  manual  down                   down
FastEthernet0/18       unassigned    YES  manual  down                   down
FastEthernet0/19       unassigned    YES  manual  down                   down
FastEthernet0/20       unassigned    YES  manual  down                   down
FastEthernet0/21       unassigned    YES  manual  down                   down
FastEthernet0/22       unassigned    YES  manual  down                   down
FastEthernet0/23       unassigned    YES  manual  down                   down
FastEthernet0/24       unassigned    YES  manual  down                   down
GigabitEthernet1/1     unassigned    YES  manual  down                   down
GigabitEthernet1/2     unassigned    YES  manual  down                   down
Vlan1                  unassigned    YES  manual  administratively down  down

***show cdp neighbors***
Router# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge,
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID    Local Intrfce    Holdtme    Capability    Platform    Port ID
Router#

Page 3: A basic switch configuration includes the hostname for identification, passwords for security, and assignment of IP addresses for connectivity. In-band access requires the switch to have an IP address. Verify and save the switch configuration using the copy running-config startup-config command. To clear the switch configuration, use the erase startup-config command and then the reload command. It may also be necessary to erase any VLAN information using the command delete flash:vlan.dat.

Configuration Management:
• enable
• configure terminal
• copy running-config startup-config
• erase startup-config
• delete flash:vlan.dat
• reload

2.3.5 - Basic Switch CLI Commands
The diagram depicts the basic commands issued from the CLI to the switch used to configure it for network traffic. The configuration command statements and the output from the show running-config command are as follows.

Global Settings:
• hostname
• banner motd
• enable password
• enable secret
• ip default-gateway

Line Settings:
• line con
• line vty
• login and password

Interface Settings:
• interface type/number (vlan1)
• ip address
• speed / duplex
• switchport port-security

2. Configuration Commands ***some output has been omitted***
Switch> enable
Switch# configure terminal
Enter configuration commands, one per line.
Switch(config)# hostname S1
S1(config)# banner motd %Unauthorised access prohibited%
S1(config)# enable password cisco
S1(config)# enable secret class
S1(config)# line con 0
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# line vty 0 4
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# interface vlan 1
S1(config-if)# ip address 192.168.1.5 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# ip default-gateway 192.168.1.1
S1(config)# interface f0/2
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# interface f0/3
S1(config-if)# speed 10
S1(config-if)# duplex half
S1(config)# end
Configured from console by console
S1#
S1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[ok]
S1#

The command "show running-config" is typed and the output of this command is listed below ***some output is omitted***:
S1# show running-config
Building configuration...
Current configuration : 1374 bytes
!
hostname S1
!
enable secret 5 $1$Yp!J$GKRD7WVFS.ShOSf2I5Pam/
enable password cisco
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
!
interface FastEthernet0/3
 speed 10
 duplex half
!
interface FastEthernet0/24
!
interface Vlan1
 ip address 192.168.1.5 255.255.255.0
!
ip default-gateway 192.168.1.1
!
banner motd ^CUnauthorized access prohibited^C
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 login
!
end
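One way to check a switch configuration like the one above against the hardening points this section lists (enable secret rather than enable password, console and vty lines protected by login and password, port-security on active access ports), as an added example that is not Cisco's or the course's code. The sample config is a constructed copy of the running-config shown above with the enable-secret hash replaced by a placeholder; the section parser, the check rules and the finding messages are assumptions of this example.

```python
"""Audit of a basic Cisco IOS switch running-config (added example).

Assumes IOS text layout: global commands at column 0, 'interface ...' and
'line ...' open sections whose sub-commands are indented by one space,
and '!' or a blank line ends a section.
"""
from __future__ import annotations

# Constructed sample: the switch configuration from the page, hash replaced.
SAMPLE_CONFIG = """\
hostname S1
!
enable secret 5 $1$PLACEHOLDER$HASH
enable password cisco
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
!
interface FastEthernet0/3
 speed 10
 duplex half
!
interface Vlan1
 ip address 192.168.1.5 255.255.255.0
!
ip default-gateway 192.168.1.1
!
banner motd ^CUnauthorized access prohibited^C
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 login
!
end
"""


def parse_config(text: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split IOS config text into global commands and {section: sub-commands}."""
    global_cmds: list[str] = []
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None                      # '!' or blank closes the section
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
            continue
        current = None
        if line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            global_cmds.append(line)
    return global_cmds, sections


def audit(text: str) -> list[tuple[str, str]]:
    """Return (scope, finding) pairs; an empty list means every check passed."""
    global_cmds, sections = parse_config(text)
    findings: list[tuple[str, str]] = []
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append(("global", "no enable secret: privileged EXEC relies on a reversible or absent password"))
    if any(c.startswith("enable password") for c in global_cmds):
        findings.append(("global", "enable password is set: redundant next to enable secret and weaker"))
    if "service password-encryption" not in global_cmds:
        findings.append(("global", "service password-encryption is off: line passwords are stored in clear text"))
    for header, body in sections.items():
        if header.startswith("line "):
            has_login = any(c == "login" or c.startswith("login ") for c in body)
            has_password = any(c.startswith("password") for c in body)
            if not has_login:
                findings.append((header, "no login: the line hands out user EXEC without a password"))
            elif "login" in body and not has_password:
                findings.append((header, "login without a password: IOS refuses the line (Password required, but none set)"))
        elif "Ethernet" in header:              # physical ports only, not Vlan1
            if "shutdown" in body:
                continue                        # an unused, shut-down port needs no port-security
            if "switchport port-security" not in body:
                findings.append((header, "port-security not enabled on an active port"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope:24} {finding}")
```

Run on the sample it flags the plaintext enable password, the two unconfigured Fast Ethernet ports, and vty lines 5 to 15, which have login but no password.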

Page 4: Packet Tracer Activity. Configure a switch in a switching environment. Click the Packet Tracer icon to begin.

2.3.5 - Basic Switch CLI Commands
Link to Packet Tracer Exploration: Basic Switch Configuration Using CLI. Configure a switch in a switching environment.

Page 5: Lab Activity. Connect and configure a multi-router network.

2.3.5 - Basic Switch CLI Commands
Link to Hands-on Lab: Configuring Basic Routing and Switching. Connect and configure a multi-router network.

2.4 Chapter Summary
2.4.1 Summary
Page 1: 2.4.1 - Summary
Diagram 1, Image: The diagram depicts a network with three buildings, Building A, Building B, and Building C. Building A is connected to Building B via fiber-optic cable.

Building A is connected to Building C via fiber-optic cable. Building A has an MDF which is connected to two switches (IDF-A2, IDF-A1) via fiber-optic or UTP cable. IDF-A1 has four hosts connected. IDF-A2 has 3 hosts connected. Building B has an IDF (IDF-B1) with three hosts connected. Building C has an IDF (IDF-C1) with three hosts connected.

Diagram 1 text: Network infrastructure diagrams document devices in a network. Network documentation includes the Business Continuity plan, Business Security plan, Network Maintenance plan, and Service Level Agreements. The enterprise NOC manages and monitors all network resources.

Diagram 2, Image: The diagram depicts a network of four buildings, HQ, Site A, Site B, and Site C.

Diagram 2 text: The enterprise edge provides Internet access and service for users inside the organization. The POP provides a direct link to an ISP and connects remote sites. The POP contains a de-marc line of responsibility between the service provider and customer. Services are brought to the enterprise by copper wires or fiber-optic cable. The network is exposed to outside attacks. Edge devices provide security against attacks; these include FW, ACL, DMZ, VPN, IDS, and IPS.

Diagram 3, Image: The diagram depicts a 48 port 10/100/1000 Cisco Gigabit Ethernet switch, which has had the two 10 Gigabit fiber-optic uplink ports removed from the switch.

Diagram 3 text: Access Layer switches provide connectivity to end users. End-users connect to the network via Access Layer switches and wireless APs in the IDF. Distribution Layer routers move packets between locations and the Internet. Routers can control broadcasts. PoE provides power to devices over the same UTP cable that carries data. Routers and switches use in-band and out-of-band management.

2.5 Chapter Quiz
2.5.1 Quiz
Page 1: Take the chapter quiz to check your knowledge. Click the quiz icon to begin.

2.5.1 - Quiz
Chapter 2 Quiz: Exploring the Enterprise Network Infrastructure

1. Match each term to its correct description. (Not all options are used.)
Terms: POP, VPN, DoS, CPE, DMZ, demarc
Descriptions:
• maliciously prevents access to network resources by legitimate users
• boundary that designates responsibility for equipment maintenance and troubleshooting
• physical link to outside networks at the enterprise edge
• equipment located at the customer facility
• allows remote workers to access the internal network securely

2. While troubleshooting a network problem, the network administrator issues the show version command on a router. What information can be found using this command?
A. the amount of NVRAM, DRAM, and flash memory installed on the router
B. bandwidth, encapsulation, and I/O statistics on the interfaces
C. differences between the backup configuration and the current running configuration
D. the version of the routing protocols running on the router

3. What information can be found by using the command show mac-address-table on a Cisco Catalyst switch?
A. The MAC addresses of the ports on the Catalyst switch
B. The port the switch will use to forward frames to a host
C. The IP addresses of directly connected network devices
D. The mapping between MAC address and IP address for network hosts

4. One evening a network administrator attempted to access a recently deployed website and received a "page not found" error. The next day the administrator checked the web server logs and noticed that during the same hour that the site failed to load, there were hundreds of requests for the website home page. All of the requests originated from the same IP address. Given this information, what might the network administrator conclude?
A. It is normal web surfing activity.
B. It is likely that someone attempted a DoS attack.
C. The link to the website does not have enough capacity and needs to be increased.
D. The web server was turned off and not able to service requests.

5. After gathering a thorough list of network applications, the traffic generated by these applications, and the priority of this traffic, a network engineer wishes to integrate this information into a single document for analysis. How can this be accomplished?
A. Create a blueprint of the facility, including network cabling and telecommunication rooms, and annotate it with the network application data.
B. Take a photograph of the facility and annotate it with the network application data.
C. Create a logical topology map of the network and annotate it with the network application data.
D. Create a physical topology map of the network and annotate it with the network application data.

6. What type of media typically connects a MDF switch to an IDF switch in another building?
A. fiber-optic

B. coaxial-cable
C. unshielded twisted pair
D. shielded twisted pair

7. Which three devices can receive power over the same twisted pair Ethernet cable that carries data? (Choose three)
A. wireless access point
B. monitors
C. web camera
D. IP Phone
E. network switches
F. laptops

8. Match the hardware characteristics to the hardware type. Identify if each characteristic relates to a router or a switch. (Three characteristics relate to a router and three characteristics relate to a switch.)
Hardware Characteristics:
• define broadcast domains
• connect IP Phones and access points to the network
• enhance security with ACLs
• interconnect networks
• appear more commonly at the access layer
• connect hosts to the network
Hardware Type: router, switch

9. Which two protocols can be used to access a Cisco router for in-band management? (Choose two)
A. ARP
B. SSH
C. FTP
D. SMTP
E. Telnet

10. A network analyst is documenting the existing network at ABC Corporation. The analyst decides to start at the core router to identify and document the Cisco network devices attached to the core. Which command executed on the core router provides the required information?
A. show version
B. show ip route
C. show tech-support
D. show running-config
E. show CDP neighbors detail

All contents copyright © 2007-2008 Cisco Systems, Inc. Translated by the Cisco Networking Academy.

Introducing Routing and Switching in the Enterprise
3 Switching in an Enterprise Network
3.0 Chapter Introduction
3.0.1 Introduction
Page 1: 3.0.1 - Introduction
Enterprise networks rely on switches in the Access, Distribution, and Core Layers to provide network segmentation and high-speed connectivity. Virtual LANs logically segment networks and contain broadcasts to improve network security and performance. Switches configured with trunking enable VLANs to span multiple geographic locations. Virtual Trunking Protocol is used to simplify the configuration and management of VLANs in a complex enterprise level switched network. Spanning Tree Protocol is used in a hierarchical network to prevent switching loops. After completion of this chapter, you should be able to: Compare the types of switches used in an enterprise network. Explain how Spanning Tree Protocol prevents switching loops. Describe and configure VLANs on a Cisco switch. Describe and configure trunking and Inter-VLAN routing. Maintain VLANs in an enterprise network.

3.1 Describing Enterprise Level Switching
3.1.1 Switching and Network Segmentation
Page 1:

Although both routers and switches are used to create an enterprise network, the network design of most enterprises relies heavily on switches. Switches are cheaper per port than routers and provide fast forwarding of frames at wire speed. A switch is a very adaptable Layer 2 device. In its simplest role, it replaces a hub as the central point of connection for multiple hosts. In a more complex role, a switch connects to one or more other switches to create, manage, and maintain redundant links and VLAN connectivity. A switch processes all types of traffic in the same way, regardless of how it is used. A switch moves traffic based on MAC addresses. Each switch maintains a MAC address table in high-speed memory, called content addressable memory (CAM). The switch recreates this table every time it is activated, using both the source MAC addresses of incoming frames and the port number through which the frame entered the switch.

3.1.1 - Switching and Network Segmentation
The diagram depicts a switch that is connected to four PCs and builds a MAC address table from information gathered from these PCs. The PCs are labeled H1 to H4.
MAC Address Table:
• H1: Port Number FA0/1, MAC Address 260d.8c01.0000
• H2: Port Number FA0/2, MAC Address 260d.8c01.1111
• H3: Port Number FA0/3, MAC Address 260d.8c01.2222
• H4: Port Number FA0/4, MAC Address 260d.8c01.3333

Page 2: The switch deletes entries from the MAC address table if they are not used within a certain period of time. The name given to this period of time is the aging timer, and removal of an entry is called aging out. As a unicast frame enters a port, the switch finds the source MAC address in the frame. It then searches the MAC table, looking for an entry that matches the address.

If the source MAC address is not in the table, the switch adds a MAC address and port number entry and sets the aging timer. If the source MAC address already exists, the switch resets the aging timer. Next, the switch checks the table for the destination MAC address. If an entry exists, the switch forwards the frame out the appropriate port number. If the entry does not exist, the switch floods the frame out every active port except the port upon which it was received.

3.1.1 - Switching and Network Segmentation
This animation depicts a MAC address table and the aging process on one port. The switch, S1, is connected to H1 on FA0/1, H2 on FA0/2, and H3 on FA0/3. H1 sends a packet to H2. As it passes through the switch, the switch says, "I do not have a MAC address in the table for this port. I will add the MAC address and start the aging timer." H1 sends another packet. As it passes through the switch, the aging timer resets and the switch says, "I already have this MAC entry for port FA0/1. I will reset the aging timer on the port." The FA0/1 port aging timer expired and the switch says, "I have not heard from the host of FA0/1 and the aging timer has expired. I will remove the MAC address from my table."

Page 3: In an enterprise, high availability, speed and throughput of the network are critical. In general, larger broadcast and collision domains impact these mission-critical variables. The size of broadcast and collision domains affect the flow of traffic. If a switch receives a broadcast frame, the switch floods it out every active interface, just as it does for an unknown destination MAC address. All devices that receive this broadcast make up the broadcast domain. As more switches are connected together, the size of the broadcast domain increases. Collision domains create a similar problem. The more devices participating in a collision domain, the more collisions occur. Hubs create large collision domains. Switches, however, use a feature called microsegmentation to reduce the size of collision domains to a single switch port.

3.1.1 - Switching and Network Segmentation
The switch, S1, is connected to four hosts labeled H1 to H4. The switch, S2, is connected to four hosts labeled H5 to H8. S1 is connected to S2.

H1 sends a packet to destination MAC address FFFF.FFFF.FFFF. When S1 receives the packet, it looks for the destination MAC address. It is a broadcast, so the packet is forwarded to all ports except the port on which the packet originally traveled. When S2 receives the packet that S1 has broadcast, it sees it is a broadcast, so the packet is forwarded to all ports except the port on which the packet originally traveled.

Page 4: When a host connects to a switch port, the switch creates a dedicated connection, or microsegment. When two connected hosts communicate with each other, the switch consults the switching table and establishes a virtual connection between the ports. The switch maintains the virtual circuit (VC) until the session terminates. Multiple virtual circuits are active at the same time. Microsegmentation improves bandwidth utilization by reducing collisions and by allowing multiple simultaneous connections. Switches can support either symmetric or asymmetric switching. Switches that have ports of all the same speeds are termed symmetric. Many switches, however, have two or more high-speed ports, or uplink ports. These high-speed, or uplink, ports connect to areas that have a higher demand for bandwidth. Typically, these areas include:
• Connections to other switches
• Links to servers or server farms
• Connections to other networks
Connections between ports of different speeds use asymmetric switching. If necessary a switch stores information in memory to provide a buffer between ports of different speeds. Asymmetric switches are common in the enterprise environment.

3.1.1 - Switching and Network Segmentation
The diagram depicts the difference between a shared segment that has hosts connected to a hub, and microsegmentation with hosts connected to a switch. In the shared segment scenario, the traffic on a shared segment is shown as a hub with eight hosts all sharing the same network media. All traffic is visible on the network segment. In the microsegmentation scenario, the traffic on multiple paths is shown as a switch with eight hosts connected. The network segment has been divided, or segmented, utilizing four different network segments of two hosts each, creating four traffic paths within the switch.
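The learning, aging, forwarding and flooding behaviour described in Pages 1 to 3 of this section, as an added example that is not part of the original course page. The host MAC addresses are the constructed values from the course's own table; the port names, the 300-second aging timer, and the hub scenario (two hosts sharing one switch port, which a standard switch filters rather than forwards) are assumptions of this example.

```python
"""Learning-switch simulation of the MAC table behaviour in 3.1.1 (added example)."""
from __future__ import annotations

BROADCAST = "ffff.ffff.ffff"


class LearningSwitch:
    """Layer 2 switch: learns source MACs per port, ages them out, and
    forwards, floods or filters frames as the course text describes."""

    def __init__(self, ports: list[str], aging_timer: int = 300) -> None:
        self.ports = list(ports)
        self.aging_timer = aging_timer                  # seconds an idle entry survives
        self.table: dict[str, tuple[str, int]] = {}     # mac -> (port, last seen)

    def age_out(self, now: int) -> list[str]:
        """Remove entries whose aging timer has expired; return the MACs removed."""
        expired = [mac for mac, (_, seen) in self.table.items()
                   if now - seen >= self.aging_timer]
        for mac in expired:
            del self.table[mac]
        return expired

    def receive(self, in_port: str, src: str, dst: str, now: int) -> tuple[str, list[str]]:
        """Process one frame arriving on in_port at time now (seconds).

        Returns (action, out_ports) where action is 'forward', 'flood' or 'drop'.
        """
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self.age_out(now)
        src, dst = src.lower(), dst.lower()
        # Learning: a new source MAC gets an entry and a timer; a known one
        # just has its timer reset (the port is overwritten if the host moved).
        self.table[src] = (in_port, now)
        others = [p for p in self.ports if p != in_port]
        if dst == BROADCAST:
            return "flood", others          # broadcast: every port but the origin
        entry = self.table.get(dst)
        if entry is None:
            return "flood", others          # unknown unicast: treated the same way
        out_port, _ = entry
        if out_port == in_port:
            return "drop", []               # destination sits on the ingress port
        return "forward", [out_port]        # known unicast: one port only


def run_demo() -> dict:
    """Replay the aging animation, a broadcast, and the hub edge case."""
    sw = LearningSwitch(["FA0/1", "FA0/2", "FA0/3", "FA0/4"], aging_timer=300)
    h1, h2, h3 = "260d.8c01.0000", "260d.8c01.1111", "260d.8c01.2222"
    out: dict = {}
    out["first"] = sw.receive("FA0/1", h1, h2, now=0)      # H2 unknown -> flood
    out["learned"] = sw.table[h1][0]                        # H1 learned on FA0/1
    out["reply"] = sw.receive("FA0/2", h2, h1, now=5)      # H1 known -> forward
    out["refresh"] = sw.receive("FA0/1", h1, h2, now=100)  # existing entry, timer reset
    out["last_seen"] = sw.table[h1][1]
    out["broadcast"] = sw.receive("FA0/3", h3, BROADCAST, now=120)
    out["aged"] = sw.age_out(now=401)                       # H1 (t=100) and H2 (t=5) expire
    # Hub edge case (assumed topology): two hosts share FA0/4 through a hub.
    hub_a, hub_b = "260d.8c01.aaaa", "260d.8c01.bbbb"
    sw.receive("FA0/4", hub_a, hub_b, now=402)              # learns hub_a on FA0/4
    out["hub"] = sw.receive("FA0/4", hub_b, hub_a, now=403) # hub_a is on FA0/4 -> drop
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:10} {value}")
```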

Page 5: 3.1.1 - Switching and Network Segmentation
The diagram depicts an activity in which you must determine how the switch forwards a frame based on the Source MAC and Destination MAC addresses, and information in the switch MAC table.

Help Popup: This activity quizzes you on your knowledge of how a frame is forwarded on a switch. You are given the physical topology and the MAC address table of the switch. You are also given a frame that consists of a source and destination MAC address. Your goal is to determine how the switch will handle this frame given the MAC addresses table shown. You will select the port numbers to indicate where, if any, the switch will forward the frame. Then you will indicate how the switch will handle the frame.

Additional Help: FF is a broadcast MAC address and is forwarded to all ports, except the origin. A frame is flooded to all ports, with the exception of the origin port, only if the switch does not have the destination MAC within the MAC table. The switch will only add a new MAC address to the MAC table based on the source MAC address. If the source MAC address is already in the table, nothing is added or learned. If the source MAC address is not in the table, the address will be added. A switch will drop a frame if the destination and source devices are both connected to the same port and the switch has the destination MAC address in the MAC table. In this activity, this occurs on the single port connected to the hub with two host devices. The activity is dynamic and it is possible to create new practice problems. The computer-generated activities will have a source and destination pair using one of the addresses shown on the topology. An example is presented below.

Determine how the switch forwards a frame based on the Source MAC and Destination MAC addresses and information in the switch MAC table. Answer the questions using the information provided below. The switch is connected to four hosts. Host 0A is connected to port FA1. Host 0B is connected to port FA3. Host 0C is connected to port FA5. Host 0D is connected to port FA7. Port FA9 is connected to a hub. The hub is connected to host 0E and host 0F. The MAC table for the switch is as follows: FA3 is connected to 0B, FA7 is connected to 0D, and FA9 is connected to 0E. All the other ports have blank entries.

Information about the frame: Preamble: blank. Destination MAC: 0D. Source MAC: 0A. Length: blank. Encapsulate: blank. End of frame: blank.

One. Where will the switch forward the frame? (Choices: FA1 to FA12)
Two. When the switch forwards the frame, which of the following statements are true?
A. Switch adds the source MAC address to the MAC table.
B. Frame is a unicast frame and will be sent to specific ports only.
C. Frame is a unicast frame and will be flooded to all ports.
D. Frame is a broadcast frame and will be forwarded to all ports.
E. Frame is a unicast frame but it will be dropped at the switch.
Three. The forwarding process uses the MAC address and the existence of the destination MAC address in the MAC table.

3.1.2 Multilayer Switching
Page 1: Traditionally, networks have been composed of separate Layer 2 and Layer 3 devices. Each device uses a different technique for processing and forwarding traffic.

Layer 2: Layer 2 switches are hardware-based. They forward traffic at wire-speeds, using the internal circuits that physically connect each incoming port to every other port. A Layer 2 switch limits the forwarding of traffic to within a single network segment or subnet.

Layer 3: Routers are software-based and use microprocessors to execute routing based on IP addresses. Layer 3 routing allows traffic to be forwarded between different networks and subnets. As a packet enters a router interface, the router uses software to find the destination IP address and select the best path toward the destination network. The router then switches the packet to the correct output interface.

3.1.2 - Multilayer Switching
The diagram depicts the OSI stack with the router attached to Layer 3, the Network Layer, and the switch attached to Layer 2, the Data Link Layer.
Layer 2 Switching: Hardware-based switching; Wire-speed performance; High-speed scalability; Low latency; Uses MAC address; Low cost

Layer 3 Routing: Software based packet forwarding; Higher latency; Higher per interface cost; Uses IP address; Security; QoS

Page 2: Layer 3 switching, or multilayer switching, combines hardware-based switching and hardware-based routing in the same device. A multilayer switch combines the features of a Layer 2 switch and a Layer 3 router. Layer 3 switching occurs in special application-specific integrated circuit (ASIC) hardware. The frame and packet forwarding functions use the same ASIC circuitry. Multilayer switches often save, or cache, source and destination routing information from the first packet of a conversation. Subsequent packets do not have to execute a routing lookup, because they find the routing information in memory. This caching feature adds to the high performance of these devices.

3.1.2 - Multilayer Switching
The diagram depicts a stack of Cisco 2960 switches, which are Layer 2 switches, and a stack of Cisco 3560 switches, which are Layer 3 switches.

3.1.3 Types of Switching
Page 1: When switching was first introduced, a switch could support one of two major methods to forward a frame from one port to another. The two methods are store and forward and cut-through switching. Each of these methods has distinct advantages as well as some disadvantages.

Store and Forward: In this type of switching, the entire frame is read and stored in memory before being sent to the destination device. The switch checks the integrity of the bits in the frame by recalculating the cyclic redundancy check (CRC) value. The CRC value is located within the frame check sequence (FCS) field of an Ethernet frame. If the calculated CRC value is the same as the CRC field value in the frame, the switch forwards the frame out the destination port. The switch does not forward frames if the CRC values do not match.

Although this method keeps damaged frames from being switched to other network segments, it introduces the highest amount of latency. Due to the latency incurred by the store and forward method, it is typically only used in environments where errors are likely to occur, such as environments that have a high probability of EMI.

3.1.3 - Types of Switching
This diagram depicts the store-and-forward switching process and the validation of CRC. The diagram depicts a switch connected to three hosts and a server. Two of the hosts are labeled Source and Destination. The Source host sends a frame to the Destination host. The switch says, "I am recalculating the CRC value." Incoming frame CRC value: 435869123. Recalculated CRC value: 435869123. The switch thinks, "These values are identical. The CRC value is correct. I will forward the frame." The frame is forwarded to the Destination host.

Page 2: Cut-through Switching. The other major method of switching is cut-through switching. Cut-through switching subdivides into two other methods: fast-forward and fragment-free. In both of these methods the switch forwards the frame before all of it is received. Fast-forward is the fastest method of switching. The switch forwards the frames out the destination port as soon as it reads the destination MAC address. This method has the lowest latency but also forwards collision fragments and damaged frames. Because the switch does not calculate or check the CRC value, damaged frames can be switched. This method of switching works best in a stable network with few errors. In fragment-free switching, the switch reads the first 64 bytes of the frame before it begins to forward it out the destination port. The shortest valid Ethernet frame is 64 bytes. Smaller frames are usually the result of a collision and are called runts. Checking the first 64 bytes ensures that the switch does not forward collision fragments.

The fragment-free switching method works best in an environment where many collisions occur. In a properly constructed switched network, collisions are not a problem; in this situation, therefore, fast-forward switching would be the preferred method.

There are also some newer Layer 2 and Layer 3 switches that can adapt their switching method to changing network conditions. These switches begin by forwarding traffic using the fast-forward method to achieve the lowest latency possible. Even though the switch does not check for errors before forwarding the frame, it recognizes the errors and stores an error counter in memory. It compares the number of errors found to a predefined threshold value. If the number of errors exceeds the threshold value, the switch modifies itself to perform store and forward switching. If the number of errors drops back below the threshold, the switch reverts back to fast-forward mode. This is known as Adaptive Cut-through switching.

3.1.3 - Types of Switching
This animation depicts two types of switching methods of forwarding a frame, Fast-forward and Fragment-free.
Fast-forward: The switch is connected to three hosts and a server. One host sends a frame to another host via the switch. When the switch receives the packet, it thinks, I am receiving a frame. I will forward it immediately based on the destination MAC address. This method does not check for errors.
Fragment-free: The switch is connected to three hosts and a server. One host sends a frame to another host via the switch. When the switch receives the packet, it thinks, I am receiving a frame. I will check the first 64 bytes of the frame to ensure this is a valid Ethernet frame. Once the switch completes the check, it thinks, This is a valid frame. I will forward it based on the destination MAC address. This method checks for errors.

Page 3: Today, most Cisco LAN switches rely on the store-and-forward method for switching. This is because with newer technology and faster processing times, switches are able to store and process the frames almost as quickly as cut-through switching, without the issue of errors. Additionally, many of the higher end features, such as multilayer switching, require the use of the store-and-forward method.

3.1.3 - Types of Switching
The diagram depicts store-and-forward and cut-through switching. Store and forward has the highest latency and fast-forward has the lowest. Fragment-free latency is in the middle of these other methods. The switch is performing store-and-forward switching when the number of errors is increasing. The switch is performing cut-through switching when the errors are decreasing.
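The forwarding decisions described in 3.1.3, as an added Python example that is not part of the course material: store-and-forward recomputes the CRC-32 over the whole frame and compares it with the FCS, fast-forward forwards once the destination MAC is readable, fragment-free waits for 64 bytes, and an adaptive switch moves between the two modes on an error counter. The frames, MAC addresses and the sliding error window used for the counter are constructed assumptions for the example.

```python
"""Added example (not course code): store-and-forward vs. cut-through decisions."""
import binascii
import struct
from collections import deque

MIN_FRAME = 64  # shortest valid Ethernet frame, FCS included; anything shorter is a runt


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed sample frame: header, payload padded to 46 bytes, CRC-32 FCS.
    The FCS is stored least-significant byte first, as Wireshark reads it."""
    body = dst + src + struct.pack(">H", ethertype) + payload.ljust(46, b"\x00")
    return body + struct.pack("<I", binascii.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    """Recalculate the CRC over everything before the FCS and compare with the FCS field."""
    received = struct.unpack("<I", frame[-4:])[0]
    return (binascii.crc32(frame[:-4]) & 0xFFFFFFFF) == received


def store_and_forward(frame: bytes) -> str:
    """The whole frame is buffered first, so runts and bad-CRC frames are dropped."""
    if len(frame) < MIN_FRAME:
        return "drop:runt"
    if not fcs_ok(frame):
        return "drop:bad-fcs"
    return "forward"


def fast_forward(frame: bytes) -> str:
    """Forward as soon as the 6-byte destination MAC is readable; nothing is checked."""
    if len(frame) < 6:
        return "drop:no-destination"
    return "forward"


def fragment_free(frame: bytes) -> str:
    """Forward once the first 64 bytes have arrived: catches collision fragments only."""
    if len(frame) < MIN_FRAME:
        return "drop:runt"
    return "forward"  # the CRC is never checked, so a corrupted frame still gets through


class AdaptiveSwitch:
    """Adaptive cut-through: start in fast-forward, change to store-and-forward when the
    error count rises above `threshold`, return to fast-forward when it drops back below.
    Counting errors over the last `window` frames is an assumption of this example; the
    course only says the switch keeps an error counter and a threshold."""

    def __init__(self, threshold: int = 3, window: int = 10):
        self.threshold = threshold
        self.recent_errors = deque(maxlen=window)
        self.mode = "fast-forward"

    def handle(self, frame: bytes) -> str:
        if self.mode == "store-and-forward":
            verdict = store_and_forward(frame)
        else:
            verdict = fast_forward(frame)
        # Even when it forwarded first, the switch still notices the bad frame afterwards.
        self.recent_errors.append(0 if len(frame) >= MIN_FRAME and fcs_ok(frame) else 1)
        errors = sum(self.recent_errors)
        if errors > self.threshold:
            self.mode = "store-and-forward"
        elif errors < self.threshold:
            self.mode = "fast-forward"
        return verdict


# Constructed sample traffic (MAC addresses and payload are made up).
SRC = bytes.fromhex("0007b3111213")
DST = bytes.fromhex("00d0ba01aa55")
GOOD = build_frame(DST, SRC, 0x0800, b"hello from H1")
_corrupt = bytearray(GOOD)
_corrupt[20] ^= 0x01           # one flipped bit in the payload: CRC no longer matches
BAD = bytes(_corrupt)
RUNT = GOOD[:40]               # a 40-byte collision fragment


def demo() -> dict:
    """Run every method over the samples and push an adaptive switch past its threshold."""
    sw = AdaptiveSwitch()
    verdicts = [sw.handle(f) for f in (GOOD, GOOD, BAD, BAD, BAD, BAD, BAD)]
    return {
        "sf_bad": store_and_forward(BAD),      # drop:bad-fcs
        "ff_bad": fast_forward(BAD),           # forward (damage not detected)
        "frag_runt": fragment_free(RUNT),      # drop:runt
        "frag_bad": fragment_free(BAD),        # forward (only length is checked)
        "adaptive_mode": sw.mode,              # store-and-forward after the errors
        "adaptive_last": verdicts[-1],         # drop:bad-fcs once in that mode
    }


if __name__ == "__main__":
    print(demo())
```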

3.1.4 Switch Security
Page 1: Keep your network secure, regardless of the switching method used. Network security often focuses on routers and blocking traffic from the outside. Switches are internal to the organization and designed to allow ease of connectivity, therefore only limited or no security measures are applied. Apply the following basic security features to switches to ensure that only authorized people access the devices:
• Physically secure the device
• Use secure passwords
• Enable SSH access
• Monitor access and traffic
• Disable http access
• Disable unused ports
• Enable port security
• Disable Telnet

3.1.4 - Switch Security
The diagram depicts a stack of switches labeled with various security measures. A brief description is given for each security measure.
Physical Security: Switches are a critical link in the network. Secure them physically by mounting them on a rack and installing the rack in a secure room. Limit access to authorized network staff.
Secure Passwords: Configure all passwords (user mode, privilege mode, and VTY access) with a minimum of six nonrepeating characters. Never use words found in a dictionary. Change passwords on a regular basis. Use the enable secret command for privileged level password protection. Encrypt all passwords in the display of the running configuration file using the IOS command: service password-encryption.
Enable SSH for Secure Remote VTY Access: SSH is a client server protocol used to log into another device over a network. It provides strong authentication and secure communication over insecure channels, since it uses advanced encryption techniques. SSH encrypts the entire login session, including password transmission.
Monitor Access and Traffic: Monitor all traffic passing through a switch to ensure that it complies with company policies. Additionally, record the MAC address of all devices connecting to a specific switch port and all login attempts on the switch. If the switch detects malicious traffic or unauthorized access, take action according to the security policy of the organization.
Disable http Access: Disable http access so that no-one enters the switch and modifies the configuration via the web. The command to disable http access is no ip http server.
Disable Unused Ports: Disable all unused ports on the switch to prevent unknown PCs or wireless access points from connecting to an available port on the switch. Accomplish this by issuing a shutdown command on the interface.
Enable Port Security: Port security restricts access to a switch port to a specific list of MAC addresses. Enter the MAC addresses manually or have the switch learn them dynamically. The specific switch port associates with the MAC addresses allowing only traffic from those devices. If a device with a different MAC address plugs into the port, the switch automatically disables the port.
Disable Telnet: A Telnet connection sends data over the public network in clear text. This includes usernames, passwords, and data. Disable Telnet access to all networking devices by not configuring a password for any VTY sessions at login.

Page 2: Lab Activity: Enable basic switch security. Click the lab icon to begin.

3.1.4 - Switch Security
Link to Hands-on Lab: Applying Basic Switch Security. Enable basic switch security.
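One way to check a switch's running configuration against the checklist in 3.1.4, as an added example that is not part of the course: the script parses a constructed IOS-style configuration and reports each control that is missing (encrypted passwords, enable secret, HTTP disabled, SSH-only VTY lines, and port security on active access ports or shutdown on unused ones). The configuration text, hostname and interface names are constructed for the example.

```python
"""Added example (not course code): audit a running-config against the 3.1.4 checklist."""

# Constructed sample configuration; the enable secret hash is a placeholder.
CONFIG = """\
hostname S1
service password-encryption
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxxx
no ip http server
ip ssh version 2
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
!
line vty 0 4
 login local
 transport input ssh
"""


def parse_config(text: str):
    """Split IOS-style config text into global commands and per-section commands
    (interface ... / line ... blocks, whose commands are indented by one space)."""
    global_cmds, sections, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].add(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line.strip()
            sections.setdefault(current, set())
        else:
            current = None
            global_cmds.add(line.strip())
    return global_cmds, sections


def audit(text: str) -> list:
    """Return one finding per checklist item the configuration fails."""
    global_cmds, sections = parse_config(text)
    findings = []
    if "service password-encryption" not in global_cmds:
        findings.append("passwords would show in clear text: add 'service password-encryption'")
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("privileged mode is not protected with 'enable secret'")
    if "no ip http server" not in global_cmds:
        findings.append("HTTP access to the switch is not disabled ('no ip http server')")
    for name, cmds in sections.items():
        if name.startswith("line vty"):
            transports = [c.split()[2:] for c in cmds if c.startswith("transport input")]
            # Only SSH may be accepted; 'telnet', 'all' or no restriction lets Telnet in.
            if not transports or any(t != ["ssh"] for t in transports):
                findings.append(f"{name}: Telnet is reachable; set 'transport input ssh'")
            if not any(c.startswith("login") for c in cmds):
                findings.append(f"{name}: no login authentication on the VTY lines")
        elif name.startswith("interface") and "shutdown" not in cmds:
            if "switchport mode trunk" in cmds:
                continue  # trunk to another switch; this check targets access ports
            if "switchport port-security" not in cmds:
                findings.append(f"{name}: active port without port security (or 'shutdown' if unused)")
    return findings


# A second constructed configuration that still lets Telnet in on the VTY lines.
TELNET_CONFIG = CONFIG.replace("transport input ssh", "transport input telnet ssh")

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print("FINDING:", finding)
```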

3.2 Preventing Switching Loops
3.2.1 Redundancy in a Switched Network
Page 1: Modern enterprises rely more and more on their networks for their very existence. The network is the lifeline of many organizations. Network downtime translates into potentially disastrous loss of business, income, and customer confidence.

The failure of a single network link, a single device, or a critical port on a switch causes network downtime. Redundancy is required in the network design in order to maintain a high degree of reliability and eliminate any single point of failure. Sometimes, however, providing complete redundancy of all links and devices in a network becomes very expensive. Network engineers are often required to balance the cost of redundancy with the need for network availability.

3.2.1 - Redundancy in a Switched Network
The diagram depicts three separate blocks, each labeled Wiring Closet, Backbone with Redundant Links, and Server Farm. The Wiring Closet has two switches labeled S1 and S5. The two switches in the wiring closet are directly linked to the next block, which is labeled Backbone with Redundant Links. Housed within this block are four switches, S2, S3, S6, and S7, located inside the block. There are redundant links between all six switches. S1 is linked to S2, S2 is linked to S3, S5 is linked to S6, and S6 is linked to S7. S3 and S7 are linked to S4 and S8 in the Server Farm. These are also redundant links. Switches S4 and S8 are linked to seven servers located within the server farm.

Page 2: Redundancy refers to having two different pathways to a particular destination. Examples of redundancy in non-networking environments include two roads into a town, two bridges to cross a river, or two doors to exit a building. If one way is blocked, another is still available. Redundancy is accomplished by installing duplicate equipment and network links for critical areas. Achieve redundancy in switches by connecting them with multiple links. Redundant links in a switched network reduce congestion and support high availability and load balancing.

Connecting switches together can cause problems. For example, the broadcast nature of Ethernet traffic creates switching loops. The broadcast frames go around and around in all directions, causing a broadcast storm. Broadcast storms use up all of the available bandwidth and can prevent network connections from being established as well as causing existing network connections to be dropped.

3.2.1 - Redundancy in a Switched Network
The animation depicts the development of a broadcast storm. The diagram depicts a server and two PC's, labeled H1 and H3, that are connected to a switch, labeled S1. The switch S1 is connected by dual links to the switch labeled S2. S2 is connected to a router labeled R1 and two PC's labeled H2 and H4. The router has a serial link in use. The server that is connected to S1 sends a broadcast message out to S1. S1 sends the message out to all ports except the originating port that sent the message. S2 receives the message and sends it to all connected clients, including S1 on both links. S1 receives the message and sends it back to the hosts that are directly connected to it. This is commonly known as a broadcast storm.

Page 3: Broadcast storms are not the only problem created by redundant links in a switched network. Unicast frames sometimes produce problems, such as multiple frame transmissions and MAC database instability.

Multiple Frame Transmissions
If a host sends a unicast frame to a destination host and the destination MAC address is not included in any of the connected switch MAC tables, then every switch floods the frame out all ports. In a looped network, the frame could be sent back to the initial switch. The process repeats, creating multiple copies of the frame on the network. Eventually the destination host receives multiple copies of the frame. This causes three problems: wasted bandwidth, wasted CPU time, and potential duplication of transaction traffic.

MAC Database Instability
It is possible for switches in a redundant network to learn the wrong information about the location of a host. If a loop exists, one switch may associate the destination MAC address with two separate ports. This causes confusion and suboptimal frame forwarding.

3.2.1 - Redundancy in a Switched Network
The animation depicts two problem scenarios that a unicast frame creates in a looped environment when multiple frames are transmitted or there is instability in the MAC database of a switch. The diagram depicts a server and two PCs, labeled H1 and H3, connected to a switch, S1. S1 is connected by dual links to the switch S2. S2 is connected to a router, labeled R1, and to two PC's, labeled H2 and H4.
Multiple Frame Transmission: In the first scenario, the H2 client sends a message to S2. S2 says, I do not see the server in my MAC table. I will send this frame out all active ports. S2 sends the message out to all connected devices. The dual links between S1 and S2 mean that the intended client receives two of the same message. This is known as Multiple Frame Transmission.
MAC Database Instability: In the second scenario, the server connected to S1 sends a message to client H4 on the other side of S2. S1 looks in its MAC table for the MAC address for client H4, but does not find an entry. S1 sends the message out all ports except the originating port, including S2. Two messages propagate forward to S2 and back to the two clients connected to S1. S2 realizes the message is destined for the client H4 and says, I will update my MAC table with information for the originating server. S2 forwards the message to client H4.

Page 4: Packet Tracer Activity: Disable redundant links to avoid switching loops in the network provided. Click the Packet Tracer icon to begin.

3.2.1 - Redundancy in a Switched Network
Link to Packet Tracer Exploration: Disabling Redundant Links to Avoid Switching Loops. Disable redundant links to avoid switching loops in the network provided.

3.2.2 Spanning Tree Protocol (STP)
Page 1: Spanning Tree Protocol (STP) provides a mechanism for disabling redundant links in a switched network. STP provides the redundancy required for reliability without creating switching loops. STP is an open standard protocol, used in a switched environment to create a loop-free logical topology. STP is relatively self-sufficient and requires little configuration. When switches are first powered up with STP enabled, they check the switched network for the existence of loops. Switches detecting a potential loop block some of the connecting ports, while leaving other ports active to forward frames.

3.2.2 - Spanning Tree Protocol (STP)
The diagram depicts the difference between using and not using STP. Four switches are arranged in a square topology with computers connected to two of the switches. There are dual links between the four switches.
No STP: When the configuration has no STP in use, the switching loop is evident, indicating the flow of data from switch 1 to switch 2 to switch 3, and then switch 4.

With STP: When STP is implemented, the link between two switches is blocked by removing access to the port, thereby eliminating the loop. The link ceases to exist.

Page 2: STP defines a tree that spans all the switches in an extended star switched network. Switches are constantly checking the network to ensure that there are no loops and that all ports function as required. To prevent switching loops, STP:
• Forces certain interfaces into a standby or blocked state
• Leaves other interfaces in a forwarding state
• Reconfigures the network by activating the appropriate standby path, if the forwarding path becomes unavailable

In STP terminology, the term bridge is frequently used to refer to a switch. For example, the Root Bridge is the primary switch or focal point in the STP topology. The root bridge communicates with the other switches using Bridge Protocol Data Units (BPDUs). BPDUs are frames that multicast every 2 seconds to all other switches. BPDUs contain information such as:
• Identity of the source switch
• Identity of the source port
• Cumulative cost of path to root bridge
• Value of aging timers
• Value of the hello timer

3.2.2 - Spanning Tree Protocol (STP)
The diagram depicts a table of Bridge Protocol Data Unit (BPDU) Structure and the composition of the specific components of the BPDU. Information for each field is available.
Protocol Identifier: Always 0
Version: Always 0
Message Type: Identifies the type of BPDU (configuration or topology change notification) the frame contains
Flags: Used to handle changes in the topology
Root ID: Contains the bridge ID of the root bridge. Contains the same value after convergence as all BPDU's in the bridged network
Root Path Cost: The cumulative cost of all links leading to the Root Bridge
Bridge ID: The BID of the bridge that created the current BPDU

Port ID: Contains a unique value for every port. Contains the value 0x8001 in Port 1/1, whereas Port 1/2 contains 0x8002, etcetera
Message Age: Records the time since the Root Bridge originally generated the information from which the current BPDU is derived
Max Age: Maximum time that a BPDU is saved. Influences the bridge table aging timer during the topology change notification process
Hello Time: Time between periodic configuration BPDU's
Forward Delay: The time spent in the Listening and Learning state. Influences timers during the topology change notification process

Page 3: As a switch powers on, each port cycles through a series of four states: blocking, listening, learning, and forwarding. A fifth state, disabled, indicates that the administrator has shut down the switch port.

When a switch powers on, it first goes into a blocking state to immediately prevent the formation of a loop. It then changes to listening mode, so that it receives BPDUs from neighbor switches. After processing this information the switch determines which ports can forward frames without creating a loop. If the port can forward frames, it changes to learning mode, and then to forwarding mode. Access ports do not create loops in a switched network and always transition to forwarding if they have a host attached. Trunking ports potentially create a looped network and transition to either a forwarding or blocking state.

It can take as long as 50 seconds for a port to cycle through all of these states and be ready to forward frames. As the port cycles through these states, the LEDs on the switch change from flashing orange to steady green.

3.2.2 - Spanning Tree Protocol (STP)
The diagram depicts a Layer 2 switch with the switch port transitioning through the states of STP. The states are listed below with a description of each state.
Blocking: Steady amber. Receives BPDU. Discards data frames. Does not learn addresses. Takes up to 20 seconds to change to listening state.

Listening: Blinking amber. Listens for BPDU. Does not forward frames. Does learn MAC addresses. Determines if the switch has more than one trunking port that might create a loop. If a loop exists, returns to the blocking state. If no loops, moves on to the learning state. Takes 15 seconds to transition to the learning state, also called forward delay.
Learning: Blinking amber. Processes BPDU. Learns MAC addresses from traffic received. Does not forward frames. Takes 15 seconds to transition to forwarding.
Forwarding: Blinking green. Processes BPDU. Learns MAC addresses. Forwards frames.

Page 4: 3.2.2 - Spanning Tree Protocol (STP)
Associate the processes with one of the following spanning tree processes: Blocking, Listening, Learning, or Forwarding.
One. Receives BPDU. Two. Does not learn MAC addresses. Three. Discards frames. Four. Processes BPDU. Five. Learns MAC addresses. Six. Does not forward frames. Seven. Forwards frames.

3.2.3 Root Bridges
Page 1: For STP to function, the switches in the network determine a switch that is the focal point in that network, called a root bridge or root switch. STP uses this focal point to determine which ports to block and which ports to put into forwarding state. The root bridge sends out BPDUs containing network topology information to all other switches. This information allows the network to reconfigure itself in the event of a failure. There is only one root bridge on each network, and it is elected based on the bridge ID (BID). The bridge priority value plus the MAC address creates the BID.

Page 2: The root bridge is based on the lowest BID value. Bridge priority has a default value of 32,768. If a switch has a MAC address of AA-11-BB-22-CC-33, the BID for that switch would be: 32768: AA-11-BB-22-CC-33. Since switches typically use the same default priority value, the switch with the lowest MAC address becomes the root bridge.

As each switch powers on, it assumes that it is the root bridge, and sends out BPDUs containing its BID. For example, if S2 advertises a root ID that is a lower number than S1, S1 stops the advertisement of its root ID and accepts the root ID of S2. S2 is now the root bridge.

STP designates three types of ports: root ports, designated ports, and blocked ports.
Root Port: The port that provides the least cost path back to the root bridge becomes the root port. Switches calculate the least cost path using the bandwidth cost of each link required to reach the root bridge.
Designated Port: A designated port is a port that forwards traffic toward the root bridge but does not connect to the least cost path.
Blocked Port: A blocked port is a port that does not forward traffic.

3.2.3 - Root Bridges
The diagram depicts the bridge ID (BID) of eight bytes. The BID is broken down into a Bridge Priority of 2 bytes with a range of 0-65535 and a default of 32768. The next six bytes are the MAC address derived from the backplane/supervisor.

Page 3: Before configuring STP, the network technician plans and evaluates the network in order to select the best switch to become the root of the spanning tree. If the root switch goes to the lowest MAC address, forwarding might not be optimal. A centrally-located switch works best as the root bridge. A blocked port situated at the extreme edge of the network might cause traffic to take a longer route to get to the destination than if the switch is centrally located.

To specify the root bridge, the BID of the chosen switch is configured with the lowest priority value. The bridge priority command is used to configure the bridge priority. The range for the priority is from 0 to 65535, but values are in increments of 4096. The default value is 32768.
To set priority: S3(config)#spanning-tree vlan 1 priority 4096
To restore priority to default: S3(config)#no spanning-tree vlan 1 priority

3.2.3 - Root Bridges
The diagram depicts three switches, S1, S2, and S3. S1 is connected to S2, S2 to S3, and S3 back to S1. S1 is highlighted, and this switch is the Root Bridge. The interface for S1, 1/1, has been assigned the designated port. The interface 1/2 has been assigned the designated port. The interface for S2, 1/1, has been assigned the root port. The second interface for S2, 1/2, is also a designated port. The interface for S3, 1/1, has been designated as the root port, and its interface 1/2 has been blocked.

3.2.3 - Root Bridges
The diagram depicts four switches arranged in a square topology with all switches connected to each other. The switches are labeled S1, S2, S3, and S4. S3 has been labeled the root bridge, and has the lowest priority number of 4096, while S1 has a priority number of 32768, S2 has a priority number of 32768, and S4 has a priority number of 8192.
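The BPDU fields tabulated in 3.2.2 and the election rule in 3.2.3 (lowest priority wins, then lowest MAC address), as an added Python example that is not part of the course: it packs and parses 802.1D configuration BPDUs, elects the root from the BIDs each switch advertises at power-on, and shows how lowering one switch's priority (the spanning-tree vlan 1 priority command) changes the result. The switch MAC addresses and names are constructed for the example.

```python
"""Added example (not course code): 802.1D configuration BPDUs and root election."""
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU, 35 bytes, big-endian:
# protocol id, version, message type, flags, root id, root path cost, bridge id,
# port id, message age, max age, hello time, forward delay (timers in 1/256 s).
BPDU_FMT = ">HBBB8sI8sHHHHH"


@dataclass(frozen=True)
class BridgeId:
    priority: int   # 2 bytes, 0-65535, default 32768
    mac: bytes      # 6 bytes

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(struct.unpack(">H", raw[:2])[0], raw[2:8])

    def to_bytes(self) -> bytes:
        return struct.pack(">H", self.priority) + self.mac

    def __str__(self) -> str:   # the course's notation, e.g. 32768: AA-11-BB-22-CC-33
        return f"{self.priority}: " + "-".join(f"{b:02X}" for b in self.mac)

    def sort_key(self):          # lower priority wins; ties go to the lower MAC
        return (self.priority, self.mac)


@dataclass
class ConfigBpdu:
    root_id: BridgeId
    root_path_cost: int
    bridge_id: BridgeId
    port_id: int
    message_age: float
    max_age: float
    hello_time: float
    forward_delay: float


def build_bpdu(root: BridgeId, cost: int, sender: BridgeId, port_id: int,
               hello: float = 2.0, max_age: float = 20.0, fwd_delay: float = 15.0) -> bytes:
    """Pack a configuration BPDU with the default timers from the course (2 s, 20 s, 15 s)."""
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, root.to_bytes(), cost, sender.to_bytes(),
                       port_id, 0, int(max_age * 256), int(hello * 256), int(fwd_delay * 256))


def parse_bpdu(raw: bytes) -> ConfigBpdu:
    """Decode the fields of a configuration BPDU; timers come back in seconds."""
    if len(raw) < struct.calcsize(BPDU_FMT):
        raise ValueError("BPDU too short")
    (proto, version, msg_type, _flags, root, cost, bridge, port,
     age, max_age, hello, fwd) = struct.unpack(BPDU_FMT, raw[:35])
    if proto != 0 or version != 0 or msg_type != 0:
        raise ValueError("not an 802.1D configuration BPDU")
    return ConfigBpdu(BridgeId.from_bytes(root), cost, BridgeId.from_bytes(bridge), port,
                      age / 256, max_age / 256, hello / 256, fwd / 256)


def elect_root(bpdus) -> BridgeId:
    """Every switch first claims to be root; the lowest bridge ID seen wins."""
    return min((b.bridge_id for b in bpdus), key=BridgeId.sort_key)


# Constructed switches, all at the default priority, so the lowest MAC would win.
S1 = BridgeId(32768, bytes.fromhex("AA11BB22CC33"))
S2 = BridgeId(32768, bytes.fromhex("0011BB22CC33"))
S3 = BridgeId(32768, bytes.fromhex("FF11BB22CC33"))


def startup_election(switches) -> BridgeId:
    """Each switch powers on believing it is root (root ID == own BID, cost 0) and
    sends a BPDU on port 1/1 (port ID 0x8001); the election runs over those frames."""
    frames = [build_bpdu(s, 0, s, 0x8001) for s in switches]
    return elect_root(parse_bpdu(f) for f in frames)


def after_priority_change(switches, chosen: BridgeId, priority: int) -> BridgeId:
    """Re-run the election after 'spanning-tree vlan 1 priority <priority>' on `chosen`."""
    changed = [BridgeId(priority, s.mac) if s == chosen else s for s in switches]
    return startup_election(changed)


if __name__ == "__main__":
    print("default root:", startup_election([S1, S2, S3]))           # S2, lowest MAC
    print("after priority 4096 on S3:", after_priority_change([S1, S2, S3], S3, 4096))
```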

Page 4: Lab Activity: Configure the BID on a switch to control which one becomes the root bridge. Observe the spanning tree and traffic flow patterns as different switches are configured as root. Click the lab icon to begin.

3.2.3 - Root Bridges
Link to Hands-on Lab: Building a Switched Network with Redundant Links. Configure the BID on a switch to control which one becomes the root bridge. Observe the spanning tree and traffic flow patterns as different switches are configured as root.

3.2.4 Spanning Tree in a Hierarchical Network
Page 1: After establishing the root bridge, root ports, designated ports, and blocked ports, STP sends BPDUs throughout the switched network at 2-second intervals. STP continues to listen to these BPDUs to ensure that no links fail and no new loops appear. If a link failure occurs, STP recalculates by:
• Changing some blocked ports to forwarding ports
• Changing some forwarding ports to blocked ports
• Forming a new STP tree to maintain the loop-free integrity of the network

STP is not instantaneous. When a link goes down, STP detects the failure and recalculates the best paths across the network. This calculation and transition period takes about 30 to 50 seconds on each switch. During this recalculation, no user data passes through the recalculating ports. Some user applications time out during the recalculation period, which can result in lost productivity and revenue. Frequent STP recalculations negatively impact uptime.

3.2.4 - Spanning Tree in Hierarchical Network
The animation depicts the recalculation of spanning tree. Four switches are connected in a square topology arrangement with a client, H1, connected to one switch, and a server connected to another switch. The switch that the client is directly connected to, we will call Switch 1, and the switch that is directly connected to the server, we will call Switch 3. The server sends a message to the client, which passes through three of the switches to get to H1. The server that is directly connected to Switch 3 sends a message and it travels from Switch 3 to Switch 4 to Switch 1 and then to the client H1. The link between Switch 2 and Switch 3 goes down. Now all four switches become busy recalculating the STP. Switch 2 is assigned as the Root Bridge and announces, "I can still see connectivity to all the switches." Switch 1 announces, "My root port remains the same." Switch 3 announces, "I need a new root port." Switch 4 announces, "My blocked port is now ready to forward traffic." The server tries to send another message, this time bypassing the broken link through Switch 2. The message reaches H1.

Page 2: A high volume, enterprise server is connected to a switch port. If that port recalculates because of STP, the server is down for 50 seconds. It would be difficult to imagine the number of transactions lost during that timeframe. In a stable network, STP recalculations are infrequent. In an unstable network, it is important to check the switches for stability and configuration changes. One of the most common causes of frequent STP recalculations is a faulty power supply or power feed to a switch. A faulty power supply causes the device to reboot unexpectedly.

3.2.4 - Spanning Tree in Hierarchical Network
The diagram depicts a man sitting in front of his laptop computer with a timer next to the laptop, indicating that the man is waiting an undetermined amount of time for the process to be complete.

Page 3: Several enhancements to STP minimize the downtime incurred during an STP recalculation.
PortFast
STP PortFast causes an access port to enter the forwarding state immediately, bypassing the listening and learning states. Using PortFast on access ports that are connected to a single workstation or server allows those devices to connect to the network immediately, instead of waiting for STP to converge.

UplinkFast
STP UplinkFast accelerates the choice of a new root port when a link or switch fails or when STP reconfigures itself. The root port transitions to the forwarding state immediately without going through the listening and learning states, as it would do with normal STP procedures.
BackboneFast
BackboneFast provides fast convergence after a spanning tree topology change occurs. It quickly restores backbone connectivity. BackboneFast is used at the Distribution and Core Layers, where multiple switches connect.

PortFast, UplinkFast, and BackboneFast are Cisco proprietary; therefore, they cannot be used if the network includes switches from other vendors. In addition, all of these features require configuration.

3.2.4 - Spanning Tree in Hierarchical Network
The animation depicts the benefits of PortFast. There are two scenarios, STP with PortFast configured, and STP without PortFast configured. The diagram is indicating that the time taken to send a message with PortFast configured is about 15 seconds, whereas the message sent without PortFast configured has taken about 45 seconds to complete.

Page 4: There are several useful commands used to verify spanning tree operation.
show spanning-tree - Displays root ID, bridge ID, and port states
show spanning-tree summary - Displays a summary of port states
show spanning-tree root - Displays the status and configuration of the root bridge
show spanning-tree detail - Displays detailed port information

show spanning-tree interface - Displays STP interface status and configuration
show spanning-tree blockedports - Displays blocked ports

3.2.4 - Spanning Tree in Hierarchical Network
The diagram depicts the outputs for the commands listed below. For the output of these commands, the STP protocol must be configured.
show spanning-tree
show spanning-tree root
show spanning-tree interface
show spanning-tree summary
show spanning-tree detail
show spanning-tree blockedports

Page 5: Lab Activity: Use various show commands to verify STP operation. Click the lab icon to begin.

3.2.4 - Spanning Tree in Hierarchical Network
Link to Hands-on Lab: Verifying STP with show Commands. Use various show commands to verify STP operation.

3.2.5 Rapid Spanning Tree Protocol (RSTP)
Page 1: When IEEE developed the original 802.1D Spanning Tree Protocol (STP), recovery time of 1 to 2 minutes was acceptable. Today, Layer 3 switching and advanced routing protocols provide a faster alternative path to the destination. The need to carry delay-sensitive traffic, such as voice and video, requires that switched networks converge quickly to keep up with the new technology.

Rapid Spanning Tree Protocol (RSTP), defined in IEEE 802.1w, significantly speeds the recalculation of the spanning tree. Reconfiguration of the spanning tree by RSTP occurs in less than 1 second, as compared to 50 seconds in STP. RSTP requires a full-duplex, point-to-point connection between switches to achieve the highest reconfiguration speed.

RSTP reduces the number of port states to three: discarding, learning and forwarding. The discarding state is similar to three of the original STP states: blocking, listening, and disabled. RSTP also introduces the concept of active topology. All ports that are not discarding are part of the active topology and will immediately transition to the forwarding state.

To speed up the recalculation process, RSTP eliminates the requirements for features such as PortFast and UplinkFast. Unlike PortFast, UplinkFast, and BackboneFast, RSTP is not proprietary. RSTP can revert to STP to provide services for legacy equipment.

3.2.5 - Rapid Spanning Tree Protocol (RSTP)
The animation depicts the difference between Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP) implementations. In the STP scenario, at first the light on the front of the switch is amber, indicating the switch is blocking. Next, the light begins blinking amber, indicating that the switch is listening/learning. Finally, the blinking green light flashes and forwarding begins. The process takes approximately 50 seconds. In the RSTP scenario, the time taken from the amber-blocking phase to the blinking green forwarding phase is one second.

3.3 Configuring VLANs
3.3.1 Virtual LAN
Page 1: Hosts and servers that are connected to Layer 2 switches are part of the same network segment. This arrangement poses two significant problems:

• Switches flood broadcasts out all ports, which consumes unnecessary bandwidth. As the number of devices connected to a switch increases, more broadcast traffic is generated and more bandwidth is wasted.
• Every device that is attached to a switch can forward and receive frames from every other device on that switch.

In a switched network, virtual local area networks (VLANs) are created to contain broadcasts and group hosts together in communities of interest. A VLAN is a logical broadcast domain that can span multiple physical LAN segments. It allows an administrator to group together stations by logical function, by project teams, or by applications, without regard to physical location of the users. As an example, members of the accounting department may be the only users who need to access the accounting server. There are business reasons why certain hosts access each other while others do not. As a network design best practice, broadcast traffic is contained to the area of the network in which it is required.

3.3.1 - Virtual LAN
The diagram depicts a router connected to three switches, one each on Floor 1, Floor 2, and Floor 3. The switch on Floor 1 is connected to three clients. The switch on Floor 2 is connected to three clients. The switch on Floor 3 is connected to three servers. The Accounting VLAN comprises one server from Floor 3, one client from Floor 2, and one client from Floor 1. The Marketing VLAN comprises one server from Floor 3, one client from Floor 2, and one client from Floor 1. The Engineering VLAN comprises one server from Floor 3, one client from Floor 2, and one client from Floor 1.

Page 2: The difference between a physical network and a virtual, or logical, network can be shown in the following example: The students in a school are divided into two groups. In the first group, each student is given a red card, for identification. In the second group, each student is given a blue card. The principal announces that students with red cards can only speak to other students with red cards and that students with blue cards can only speak to other students with blue cards. The students are now logically separated into two virtual groups, or VLANs. Using this logical grouping, a broadcast goes out only to the red card group, even though both the red card group and the blue card group are physically located within the same school.

This example also shows another feature of VLANs. Broadcasts do not forward between VLANs. Devices located on one VLAN are not visible to devices located on another VLAN. Traffic requires a Layer 3 device to move between VLANs.

3.3.1 - Virtual LAN The animation depicts VLAN broadcast traffic. A router is connected to three switches, one each on Floor 1, Floor 2, and Floor 3. The switch on Floor 1 is connected to three clients. The switch on Floor 2 is connected to three clients. The switch on Floor 3 is connected to three servers. The Accounting VLAN comprises one server from Floor 3, one client from Floor 2, and one client from Floor 1. The Marketing VLAN comprises one server from Floor 3, one client from Floor 2, and one client from Floor 1. The Engineering VLAN comprises one server from Floor 3, one client from Floor 2, and one client from Floor 1. When packets travel from the router to the switches, they are switched and traverse to the destined VLAN. They are contained within the VLAN.

Page 3: Each VLAN functions as a separate LAN. A VLAN spans one or more switches, which allows host devices to behave as if they were on the same network segment. A VLAN has two major functions:

• A VLAN contains broadcasts.
• A VLAN groups devices.

In a switched network, a device can be assigned to a VLAN based on its location, MAC address, IP address, or the applications that the device most frequently uses. Administrators assign membership in a VLAN either statically or dynamically. Static VLAN membership requires an administrator to manually assign each switch port to a specific VLAN. As an example, port fa0/3 may be assigned to VLAN 20. Any device that plugs into port fa0/3 automatically becomes a member of VLAN 20.

This type of VLAN membership is the easiest to configure and is also the most popular; however, it requires the most administrative support for adds, moves, and changes. For example, moving a host from one VLAN to another requires either the switch port to be manually reconfigured to the new VLAN or the workstation cable to be plugged into a different switchport on the new VLAN.

3.3.1 - Virtual LAN This image depicts two switches connected via a trunk. Selecting each of the four port-based VLAN buttons, VLAN 1, VLAN 12, VLAN 8, and VLAN 5, shows each associated host and port used.

Page 4: Dynamic VLAN membership requires a VLAN management policy server (VMPS). The VMPS contains a database that maps MAC addresses to VLAN assignments. When a device plugs into a switch port, the VMPS searches the database for a match of the MAC address and temporarily assigns that port to the appropriate VLAN. Dynamic VLAN membership requires more organization and configuration but creates a structure with much more flexibility than static VLAN membership. In dynamic VLAN, adds, moves and changes are automated and do not require intervention from the administrator. Membership in a specific VLAN is totally transparent to the users. Users working on a device plugged into a switch port have no knowledge that they are members of a VLAN. Note: Not all Catalyst switches support the use of VMPSs.

3.3.1 - Virtual LAN The animation depicts the process of a host joining a dynamic VLAN. A new host connects to the LAN. It sends out a packet that says, "00:07:B3:11:12:13 is requesting membership in a VLAN." The packet reaches the VLAN management server, which says, "00:07:B3:11:12:13 is in my database. Assign that port to VLAN 18." The packet is returned to the switch port that the requesting host is connected to. The switch says, "I am assigning this port to VLAN 18."

Page 5:

3.3.1 - Virtual LAN The diagram depicts an activity in which you must decide which problems are solved by implementing a VLAN. Answer yes or no. One. Users in the warehouse are accessing records in the payroll department. Management has asked you to isolate the payroll department from the rest of the network. (Yes or No) Two. Staff in the sales department continually join the network and then leave. This causes quite a bit of broadcast traffic as machines try to discover each other. These broadcasts slow down network performance in the graphics department. (Yes or No) Three. The company plans on installing a VoIP system, but worries that voice traffic will be unusable due to the large amount of data on the network. (Yes or No) Four. During the execution of a large project, members of the Marketing, Sales, and Public relations departments collaborate on different parts of the project. The Network administrator is concerned about response time on the collaboration server. (Yes or No)

3.3.2 Configuring a Virtual LAN Page 1: Whether VLANs are created statically or dynamically, the maximum number of VLANs depends on the type of switch and the IOS. Some switches support approximately 1000 VLANs, others support more than 4000. By default, VLAN1 is the management VLAN. An administrator will use the IP address of the management VLAN to configure the switch remotely. When accessing the switch remotely, the network administrator can configure and maintain all VLAN configurations. Additionally, the management VLAN is used to exchange information, such as Cisco Discovery Protocol (CDP) traffic and VLAN Trunking Protocol (VTP) traffic, with other networking devices. When a VLAN is created, it is assigned a number and a name. The VLAN number is any number from the range available on the switch, except for VLAN1. Naming a VLAN is considered a network management best practice.

3.3.2 - Configuring a Virtual LAN The diagram depicts a switch with a workstation connected to one of the ports. The port that the workstation is connected to is labeled VLAN 1 Management VLAN. The man working at the workstation says, I am going to configure VLANs.

Page 2: Use the following commands to create a VLAN using global configuration mode:

Switch(config)#vlan vlan_number Switch(config-vlan)#name vlan_name Switch(config-vlan)#exit

Assign ports to be members of the VLAN. By default, all ports are initially members of VLAN1. Assign ports one at a time or as a range.

Use the following commands to assign individual ports to VLANs:

Switch(config)#interface fa0/port_number Switch(config-if)#switchport access vlan vlan_number Switch(config-if)# exit

Use the following commands to assign a range of ports to VLANs:

Switch(config)#interface range fa0/start_of_range - end_of_range Switch(config-if)#switchport access vlan vlan_number Switch(config-if)#exit

3.3.2 - Configuring a Virtual LAN The diagram depicts a man sitting at a workstation configuring a VLAN. The following is the command output. Switch#configure terminal Switch(config)#vlan 27 Switch(config-vlan)#name accounting Switch(config-vlan)#exit Switch(config)#interface fa0/13 Switch(config-if)#switchport access vlan 27 Switch(config-if)#exit Switch(config)#vlan 28 Switch(config-vlan)#name engineering Switch(config-vlan)#exit Switch(config)#interface range fa0/6 - 12 Switch(config-if)#switchport access vlan 28 Switch(config-if)#end Switch#show vlan The command shows the setup of the VLAN. The headings for the show command are VLAN, Name, Status, and Ports. Examine the setup further in the Hands-on Lab, Configuring, Verifying, and Troubleshooting VLANs.

Page 3: To verify, maintain, and troubleshoot VLANs, it is important to understand the key show commands that are available in the Cisco IOS.

The following commands are used to verify and maintain VLANs:

show vlan

• Displays a detailed list of all of the VLAN numbers and names currently active on the switch, along with the ports associated with each one
• Displays STP statistics if configured on a per VLAN basis

show vlan brief

Displays a summarized list showing only the active VLANs and the ports associated with each one

show vlan id id_number

Displays information pertaining to a specific VLAN, based on ID number

show vlan name vlan_name

Displays information pertaining to a specific VLAN, based on name

3.3.2 - Configuring a Virtual LAN The diagram depicts command output, as follows. The show vlan command gives the following information: VLAN, Name, Status, and Ports. The show vlan id command gives the following information: VLAN, Name, Status, and Ports, as well as VLAN, Type, SAID, MTU, Parent, RingNo, BridgeNo, Stp, BrdgMode, Trans1, and Trans2. The show vlan brief command gives the following information: VLAN, Name, Status, and Ports. The show vlan name command gives the following information: VLAN, Type, SAID, MTU, Parent, RingNo, BridgeNo, Stp, BrdgMode, and Trans1. Examine the output further in the Hands-on Lab, Configuring, Verifying, and Troubleshooting VLANs.

Page 4: In an organization, employees are frequently added, removed, or moved to a different department or project. This constant movement requires VLAN maintenance, including removal or reassignment to different VLANs.

The removal of VLANs and the reassignment of ports to different VLANs are two separate and distinct functions. When a port is disassociated from a specific VLAN, it returns to VLAN1. When a VLAN is removed, any associated ports are deactivated because they are no longer associated with any VLAN.

To delete a VLAN:

Switch(config)#no vlan vlan_number

To disassociate a port from a specific VLAN:

Switch(config)#interface fa0/port_number Switch(config-if)#no switchport access vlan vlan_number

3.3.2 - Configuring a Virtual LAN The animation depicts a man sitting at a workstation. The man says, I am deleting VLAN 27. I am also disassociating port 8 from VLAN 28. Switch(config)#interface fa0/8 Switch(config-if)#no switchport access vlan 28 Switch(config-if)#exit Switch(config)#no vlan 27 Switch(config)#end Switch#show vlan The output shows the VLAN, Name, Status, and Ports.

Page 5: Lab Activity

Configure, verify, and troubleshoot VLAN configuration on a Cisco switch.

Click the Lab icon to begin.

3.3.2 - Configuring a Virtual LAN Link to Hands-on Lab: Configuring, Verifying, and Troubleshooting VLANs Configure, verify, and troubleshoot VLAN configuration on a Cisco switch.

3.3.3 Identifying VLANs Page 1: Devices connected to a VLAN only communicate with other devices in the same VLAN, regardless of whether those devices are on the same switch or different switches.

A switch associates each port with a specific VLAN number. As a frame enters that port, the switch inserts the VLAN ID (VID) into the Ethernet frame. The addition of the VLAN ID number into the Ethernet frame is called frame tagging. The most commonly used frame tagging standard is IEEE 802.1Q.

3.3.3 - Identifying VLANs The animation depicts VLAN interaction. Two switches are connected together. Client H1 on VLAN 2 says, I have to send a message to H3. It then sends the message to H3, also on VLAN 2. H1 on VLAN 2 says, I have to send a message to H6. H6 is on VLAN 3. H1 and H6 are unable to communicate because they are on different VLANs. Traffic cannot move between VLANs without the assistance of a router.

Page 2: The 802.1Q standard, sometimes abbreviated to dot1q, inserts a 4-byte tag field into the Ethernet frame. This tag sits between the source address and the type/length field.

Ethernet frames have a minimum size of 64 bytes and a maximum size of 1518 bytes; however, a tagged Ethernet frame can be up to 1522 bytes in size.

Frames contain fields such as:

• The destination and source MAC address
• The length of the frame
• The payload data
• The frame check sequence (FCS)

The FCS field provides error checking to ensure the integrity of all of the bits within the frame.

This tag field increases the minimum Ethernet frame from 64 to 68 bytes. The maximum size increases from 1518 to 1522 bytes. The switch recalculates the FCS because the number of bits in the frame has been modified.

If an 802.1Q-compliant port is connected to another 802.1Q-compliant port, the VLAN tagging information passes between them.

If the connecting port is not 802.1Q-compliant, the VLAN tag is removed before the frame is placed on the media.

If a non-802.1Q-enabled device or an access port receives an 802.1Q frame, the tag data is ignored, and the packet is switched at Layer 2 as a standard Ethernet frame. This allows for the placement of Layer 2 intermediate devices, such as other switches or bridges, along the 802.1Q trunk path. To process an 802.1Q tagged frame, a device must allow an MTU of 1522 or higher.

3.3.3 - Identifying VLANs The diagram depicts the insertion of an 802.1Q tag into a frame. After the insertion the frame receives a new FCS value. A brief description of the fields is given. TPID: The Tag Protocol Identifier is a 16-bit field. It is set to a value of 0x8100 in order to identify the frame as an IEEE 802.1Q tagged frame. PRIORITY: Known as user priority, this 3-bit field refers to the IEEE 802.1Q priority. The field indicates the frame priority level used for the prioritization of traffic. The field can represent 8 levels (0 through 7). CFI: The Canonical Format Indicator is a 1-bit field. If the value of this field is 1, the MAC address is in non-canonical format. If the value is 0, the MAC address is in canonical format. VID: The VLAN Identifier is a 12-bit field. It uniquely identifies the VLAN to which the frame belongs. The field has a value between 0 and 4095.
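The tag insertion just described, as an added example that is not part of the course material: it builds a minimum-size Ethernet frame, inserts the 4-byte 802.1Q tag after the source address, recalculates the FCS, parses the tag fields back out, and strips the tag again, enforcing the 64/68 and 1518/1522 byte limits. The MAC addresses and payload are constructed.

```python
import struct
import zlib

TPID_8021Q = 0x8100                 # Tag Protocol Identifier of an IEEE 802.1Q tag
MIN_FRAME, MAX_FRAME = 64, 1518     # untagged Ethernet limits (including the FCS)
MIN_TAGGED, MAX_TAGGED = 68, 1522   # the same limits once the 4-byte tag is present


def fcs(data: bytes) -> bytes:
    """Frame check sequence: CRC-32 over every byte that precedes the FCS field."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    """Integrity check a receiver performs before accepting the frame."""
    return fcs(frame[:-4]) == frame[-4:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet frame: 6+6 byte addresses, 2-byte type/length, payload
    padded to the 46-byte minimum, then the FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    if len(body) + 4 > MAX_FRAME:
        raise ValueError("payload too large for an untagged frame")
    return body + fcs(body)


def tag_frame(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert the 802.1Q tag between the source address and the type/length
    field (byte offset 12) and recalculate the FCS, as a trunk port does."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field (0 through 4095)")
    if not 0 <= priority <= 7:
        raise ValueError("user priority is a 3-bit field (0 through 7)")
    if cfi not in (0, 1):
        raise ValueError("CFI is a 1-bit field")
    tci = (priority << 13) | (cfi << 12) | vid        # PRI(3) | CFI(1) | VID(12)
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-4]
    if len(body) + 4 > MAX_TAGGED:
        raise ValueError("tagged frame would exceed 1522 bytes")
    return body + fcs(body)                            # old FCS dropped, new one computed


def parse_tag(frame: bytes):
    """(priority, cfi, vid) of a tagged frame, or None when the frame is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def untag_frame(frame: bytes) -> bytes:
    """Remove the tag and recalculate the FCS, as done before the frame is
    placed on a link that is not 802.1Q-compliant."""
    if parse_tag(frame) is None:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)


def demo() -> dict:
    dst = bytes.fromhex("0011223344ff")   # constructed MAC addresses
    src = bytes.fromhex("00aabbccddee")
    untagged = build_frame(dst, src, 0x0800, b"constructed payload")
    tagged = tag_frame(untagged, vid=27, priority=5)
    return {
        "untagged_len": len(untagged),                  # 64
        "tagged_len": len(tagged),                      # 68
        "tag": parse_tag(tagged),                       # (5, 0, 27)
        "both_fcs_valid": fcs_ok(untagged) and fcs_ok(tagged),
        "round_trip": untag_frame(tagged) == untagged,  # True
    }
```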

Page 3:

3.3.3 - Identifying VLANs The diagram depicts an activity in which you must decide whether to deliver each inbound frame to the destination host based on the port configurations. Select Delivered or Not Delivered based on the size of the frame, the VLAN number, and the trunking protocols.

3.4 Trunking and Inter-VLAN Routing
3.4.1 Trunk Ports Page 1: A VLAN has three major functions:

• Limits the size of broadcast domains
• Improves network performance
• Provides a level of security

To take full advantage of the benefits of VLANs, they are extended across multiple switches.

Switch ports can be configured for two different roles. A port is classified as either an access port or a trunk port.

Access Port

An access port belongs to only one VLAN. Typically, single devices such as PCs or servers connect to this type of port. If a hub connects multiple PCs to the single access port, each device connected to the hub is a member of the same VLAN.

Trunk Port

A trunk port is a point-to-point link between the switch and another networking device. Trunks carry the traffic of multiple VLANs over a single link and allow VLANs to reach across an entire network. Trunk ports are necessary to carry the traffic from multiple VLANs between devices when connecting either two switches together, a switch to a router, or a host NIC that supports 802.1Q trunking.

3.4.1 - Trunk Ports The diagram depicts the use of trunk ports and access ports in a network. There are three VLANs, which are connected via access ports to two switches. The switches are then linked to each other and the router via trunk ports. Network: One Router (R1). Two Switches (S1, S2). Three VLANs (VLAN 100, VLAN 200, VLAN 300). R1 connects to S1 via Trunk Port. R1 connects to S2 via Trunk Port. S1 connects to S2 via Trunk Port. VLAN 100 has two Hosts (H1, H2), and one Server, which are connected to S1 via Access Ports. VLAN 200 has two Hosts (H3, H4), which are connected to S1 via Access Ports. VLAN 300 has one Host (H5), which is connected to S1 via Access Port. VLAN 300 has two Hosts (H6, H7), and one Server, which are connected to S2 via Access Ports.

Page 2: Without trunk ports, each VLAN requires a separate connection between switches. For example, an enterprise with 100 VLANs requires 100 connecting links. This type of arrangement does not scale well and is very expensive. Trunk links provide a solution to this problem by transporting traffic from multiple VLANs on the same link.

When multiple VLANs travel on the same link, they need VLAN identification. A trunk port supports frame tagging. Frame tagging adds VLAN information to the frame.

IEEE 802.1Q is the standardized and approved method of frame tagging. Cisco developed a proprietary frame tagging protocol called Inter-Switch Link (ISL). Higher-end switches, such as the Catalyst 6500 series, still support both tagging protocols; however, most LAN switches, such as the 2960, support only 802.1Q.

3.4.1 - Trunk Ports The animation depicts the traffic flow when trunking or no trunking is used between switches. No Trunking: Two Switches (S1, S2). Three VLANs (VLAN 1, VLAN 2, VLAN 3). Six Hosts (H1, H2, H3, H4, H5, H6). VLAN 1 has H5, H3. VLAN 2 has H6, H2. VLAN 3 has H1, H4. S1 is connected to S2 via three links (all VLANs have a separate link). S1 has H1, H5, H6 connected. S2 has H2, H3, H4 connected. H5 (VLAN 1), H6 (VLAN 2), H1 (VLAN 3) send information to H3 (VLAN 1), H2 (VLAN 2), H4 (VLAN 3). As each VLAN has its own link from S1 to S2, the information is sent on the corresponding VLAN's link from S1 to S2. Trunking: Two Switches (S1, S2). Three VLANs (VLAN 1, VLAN 2, VLAN 3). Six Hosts (H1, H2, H3, H4, H5, H6). VLAN 1 has H5, H3. VLAN 2 has H6, H2. VLAN 3 has H1, H4. S1 is connected to S2 via a trunk (all VLANs share a link). S1 has H1, H5, H6 connected. S2 has H2, H3, H4 connected. H5 (VLAN 1), H6 (VLAN 2), H1 (VLAN 3) send information to H3 (VLAN 1), H2 (VLAN 2), H4 (VLAN 3). As each VLAN shares the trunk, the information is sent one after another across the link from S1 to S2.

Page 3: Switch ports are access ports by default. To configure a switch port as a trunk port, use the following commands:

Switch(config)#interface fa0/port_number

Switch(config-if)#switchport mode trunk

Switch(config-if)#switchport trunk encapsulation {dot1q | isl | negotiate}

Switches that support both 802.1Q and ISL require the last configuration statement. The 2960 switch does not require that statement because it only supports 802.1Q.

The negotiate parameter is the default mode on many Cisco switches. This parameter automatically detects the encapsulation type of the neighbor switch.

3.4.1 - Trunk Ports The diagram depicts two switches, S1 and S2, connected via a trunk link. S1 is showing a screen shot of the Command Line. The text displayed is as follows: Switch(config)#interface fa0/24 Switch(config-if)#switchport mode trunk Switch(config-if)#switchport trunk encapsulation dot1q

Page 4: Newer switches have the capability to detect the type of link configured at the other end. Based on the attached device, the link configures itself as either a trunk port or an access port.

Switch(config-if)#switchport mode dynamic {desirable | auto}

In desirable mode, the port becomes a trunk port if the other end is set to either trunk, desirable, or auto.

In auto mode, the port becomes a trunk port if the other end is set to either trunk or desirable.

To return a trunk port to an access port, issue either of the following commands:

Switch(config)#interface fa0/port_number Switch(config-if)#no switchport mode trunk

or

Switch(config-if)#switchport mode access

3.4.1 - Trunk Ports The diagram depicts two switches, S1 and S2, connected via a trunk link. Both switches are showing a screen capture of the Command Line. The text displayed is as follows: S1 S1(config)#interface fa0/1 S1(config-if)#switchport mode dynamic desirable S2 S2(config)#interface fa0/1 S2(config-if)#switchport mode dynamic desirable

Page 5: Lab Activity Create VLANs and assign them individual ports. Click the lab icon to begin.

3.4.1 - Trunk Ports Link to Hands-on Lab: Creating VLANs and Assigning Ports Create VLANs and assign them individual ports.

3.4.2 Extending VLANs across Switches Page 1: Trunking enables VLANs to forward traffic between switches using only a single port. A trunk link configured with 802.1Q on both ends allows traffic that has a 4-byte tag field added to the frame. This frame tag contains the VLAN ID. When a switch receives a tagged frame on a trunk port, it removes the tag before sending it out an access port. The switch forwards the frame only if the access port is a member of the same VLAN as the tagged frame.

3.4.2 - Extending VLANs across Switches The animation illustrates the insertion of tags and the calculation of a new FCS as the frame is sent from one switch to another over a trunk port. There are two switches, labeled S1 and S2, each with one host labeled Source and Destination. S1 is connected to S2 via Trunk Ports. The Source Host is going to send information to the Destination Host. Tagging is removed and the FCS recalculated at the access port of the destination switch.

Page 2: Some traffic, however, needs to cross the 802.1Q configured link without VLAN ID. Traffic with no VLAN ID is called untagged. Examples of untagged traffic are Cisco Discovery Protocol (CDP), VTP, and certain types of voice traffic. Untagged traffic minimizes the delays associated with inspection of the VLAN ID tag. To accommodate untagged traffic, a special VLAN called a native VLAN is available. Untagged frames received on the 802.1Q trunk port will become members of the native VLAN. On Cisco Catalyst switches, VLAN 1 is the native VLAN by default. Any VLAN can be configured as the native VLAN. Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk line. If they are different, spanning-tree loops might result. On an 802.1Q trunk, use the following command to assign the native VLAN ID on a physical interface: Switch(config-if)#dot1q native vlan vlan-id

3.4.2 - Extending VLANs across Switches The diagram depicts a network with a single VLAN.

The source host is connected to S1 via an Access Port. The destination host is connected to S2 via an Access Port. H1 and H2 are both on VLAN 3 (Native). There is a caption, which reads, VLAN 3 is the native VLAN. S1 says, Do not tag traffic. It is a member of the native VLAN. S2 says, Traffic is untagged. S1 is showing a screen shot of the command line: S1(config-if)#dot1q native vlan 3

Page 3: Lab Activity Configure trunk ports to connect switches and verify connectivity across the trunk link. Click the lab icon to begin.

3.4.2 - Extending VLANs across Switches Link to Hands-on Lab: Configuring a Trunk Port to Connect Switches Configure trunk ports to connect switches and verify connectivity across the trunk link.

3.4.3 Inter-VLAN Routing Page 1: Although VLANs extend to span multiple switches, only members of the same VLAN can communicate. A Layer 3 device provides connectivity between different VLANs. One method of accomplishing the inter-VLAN routing requires a separate interface connection to the Layer 3 device for each VLAN. This arrangement enables the network administrator to strictly control the type of traffic that flows from one VLAN to another.

3.4.3 - Inter-VLAN Routing The diagram depicts the use of a Layer 3 device, a router, to establish communication between multiple VLANs. There are two VLANs, VLAN 1 and VLAN 200, each with its own link to the router. VLAN 1 can communicate with VLAN 200 if each has a dedicated connection to the router.
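The trunk, access-port and native-VLAN rules of 3.4.2 together with the Layer 3 hop between VLANs of 3.4.3, as an added logical model that is not course or Cisco code: frames are small records rather than bytes, a switch decides VLAN membership on ingress and whether to forward (and strip the tag) on egress, and a router with one attachment per VLAN does the routing-table lookup. Port names, VLANs 10 and 20, hosts and subnets are all constructed.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    vid: Optional[int] = None   # None: the frame carries no 802.1Q tag


class Switch:
    """Access ports belong to one VLAN; trunk ports carry every VLAN tagged,
    except the native VLAN, which crosses the trunk untagged."""

    def __init__(self, access: Dict[str, int], trunks: Dict[str, int]):
        self.access = access     # port -> VLAN of that access port
        self.trunks = trunks     # port -> native VLAN of that trunk

    def ingress_vlan(self, frame: Frame, port: str) -> int:
        """VLAN a frame belongs to once it has entered the switch."""
        if port in self.access:
            return self.access[port]            # tag data on an access port is ignored
        native = self.trunks[port]
        return native if frame.vid is None else frame.vid   # untagged -> native VLAN

    def egress(self, frame: Frame, vid: int, port: str) -> Optional[Frame]:
        """Frame as placed on the media leaving port, or None if not forwarded."""
        if port in self.access:
            if self.access[port] != vid:
                return None                     # port is not a member of that VLAN
            return replace(frame, vid=None)     # tag removed at the access port
        native = self.trunks[port]
        return replace(frame, vid=None if vid == native else vid)


class Router:
    """Layer 3 device with one attachment per VLAN (a dedicated interface, or a
    subinterface): each holds that VLAN's gateway address and connected subnet."""

    def __init__(self, attachments: Dict[int, str], native: Optional[int] = None,
                 dot1q_exit: bool = True):
        self.nets: Dict[int, Tuple[IPv4Address, IPv4Network]] = {
            vid: (IPv4Address(cidr.split("/")[0]), IPv4Network(cidr, strict=False))
            for vid, cidr in attachments.items()}
        self.native = native            # VLAN that untagged frames are accepted as
        self.dot1q_exit = dot1q_exit    # does the exit interface keep the tag?

    def route(self, frame: Frame) -> Optional[Frame]:
        """Routing-table lookup over the connected subnets. The frame is returned
        tagged with the destination VLAN (untagged if the exit interface is not
        802.1Q-compatible), or None for an unknown VLAN or no route."""
        in_vid = self.native if frame.vid is None else frame.vid
        if in_vid not in self.nets:
            return None
        dst = IPv4Address(frame.dst_ip)
        for vid, (_gateway, net) in self.nets.items():
            if dst in net:
                return replace(frame, vid=vid if self.dot1q_exit else None)
        return None


def deliver(sw: Switch, rt: Router, frame: Frame, in_port: str, out_port: str,
            uplink: str) -> Tuple[Optional[Frame], List[str]]:
    """Trace a frame from in_port to out_port on one switch, via the router
    (reached over the uplink trunk) when the destination is off-subnet."""
    trail: List[str] = []
    vid = sw.ingress_vlan(frame, in_port)
    trail.append(f"ingress {in_port}: VLAN {vid}")
    attachment = rt.nets.get(vid)
    if attachment is None or IPv4Address(frame.dst_ip) in attachment[1]:
        trail.append("destination on the same subnet: switched within the VLAN")
        return sw.egress(frame, vid, out_port), trail
    to_router = sw.egress(frame, vid, uplink)
    trail.append(f"to default gateway over {uplink}, tag {to_router.vid}")
    routed = rt.route(to_router)
    if routed is None:
        trail.append("router: no route to destination")
        return None, trail
    back_vid = sw.ingress_vlan(routed, uplink)
    trail.append(f"router sent it back down the trunk in VLAN {back_vid}")
    return sw.egress(routed, back_vid, out_port), trail


def demo() -> dict:
    # Constructed topology: S1 with three access ports and one trunk to the router.
    s1 = Switch(access={"fa0/1": 10, "fa0/2": 10, "fa0/3": 20}, trunks={"fa0/24": 1})
    r1 = Router({10: "192.168.10.1/24", 20: "192.168.20.1/24"}, native=1)
    h1 = "192.168.10.5"   # host on fa0/1, VLAN 10
    return {
        "inter_vlan": deliver(s1, r1, Frame(h1, "192.168.20.7"), "fa0/1", "fa0/3", "fa0/24"),
        "intra_vlan": deliver(s1, r1, Frame(h1, "192.168.10.6"), "fa0/1", "fa0/2", "fa0/24"),
        "wrong_vlan": deliver(s1, r1, Frame(h1, "192.168.10.6"), "fa0/1", "fa0/3", "fa0/24"),
        "no_route": deliver(s1, r1, Frame(h1, "10.9.9.9"), "fa0/1", "fa0/3", "fa0/24"),
    }
```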

Network: One Router (R1). One Switch (S1). S1 has two hosts attached (H1, H2). H1 is on VLAN 1. H2 is on VLAN 200. S1 has two VLANs (VLAN 1, VLAN 200). S1 is connected to R1 via two links (one for each VLAN).

Page 2: Another method for providing connectivity between different VLANs requires a feature called subinterfaces. Subinterfaces logically divide one physical interface into multiple logical pathways. Configure one pathway or subinterface for each VLAN. A subinterface allows each VLAN to have its own logical pathway and default gateway into the router. To support inter-VLAN communication using subinterfaces requires configuration on both the switch and the router.

Switch
• Configure the switch interface as an 802.1Q trunk link.

Router
• Select a router interface with a minimum of a 100Mbps FastEthernet
• Configure subinterfaces that support 802.1Q encapsulation.
• Configure one subinterface for each VLAN.

3.4.3 - Inter-VLAN Routing The diagram depicts the use of a subinterface to establish communication between multiple VLANs. There are three VLANs, each represented by a different colored circle: VLAN 1, VLAN 15, and VLAN 35. Network: One Router (R1). One Switch (S1). S1 has three VLANs (VLAN 1, VLAN 15, VLAN 35). R1 is connected to S1 via a single link. All three VLANs connect to the router via a single link (subinterface). VLAN 1 has one Host. VLAN 15 has two Hosts. VLAN 35 has one Host.

Page 3: The host from the sending VLAN forwards traffic to the router using the default gateway. The subinterface for the VLAN specifies the default gateway for all hosts in that VLAN. The router locates the destination IP address and does a routing table lookup. If the destination VLAN is on the same switch as the source VLAN, the router forwards the traffic back down to the source switch using the subinterface parameters of the destination VLAN ID. If the exit interface of the router is 802.1Q-compatible, the frame retains its 4-byte VLAN tag. If the outbound interface is not 802.1Q-compatible, the router strips the tag from the frame and returns the frame to its original Ethernet format. This type of configuration is often referred to as a router-on-a-stick.

3.4.3 - Inter-VLAN Routing The animation depicts inter-VLAN routing. A subinterface is used to establish communication between multiple VLANs. There are three VLANs, each represented by a different colored circle: VLAN 1, VLAN 15, and VLAN 35. Network: One Router (R1). One Switch (S1). S1 has three VLANs (VLAN 1, VLAN 15, VLAN 35). R1 is connected to S1 via a single link. All three VLANs connect to the router via a single link (subinterface). The link has been divided up into three logical pathways (one per VLAN), using three subinterfaces: fa0/0.1 for VLAN 1, fa0/0.15 for VLAN 15, and fa0/0.35 for VLAN 35. VLAN 1 has one Host. VLAN 15 has two Hosts. VLAN 35 has one Host.

Page 4: To configure inter-VLAN routing, use the following steps:

1. Configure a trunk port on the switch.

Switch(config)#interface fa0/2 Switch(config-if)#switchport mode trunk

2. On the router, configure a FastEthernet interface with no IP address or subnet mask.

Router(config)#interface fa0/1 Router(config-if)#no ip address Router(config-if)#no shutdown

3. On the router, configure one subinterface with an IP address and subnet mask for each VLAN. Each subinterface has an 802.1Q encapsulation.

Router(config)#interface fa0/0.10 Router(config-subif)#encapsulation dot1q 10 Router(config-subif)#ip address 192.168.10.1 255.255.255.0

4. Use the following commands to verify the inter-VLAN routing configuration and functionality.

Switch#show trunk Router#show ip interfaces

Router#show ip interfaces brief Router#show ip route

3.4.3 - Inter-VLAN Routing The diagram depicts the use of a subinterface to establish communication between multiple VLANs. There are three VLANs, each represented by a different colored circle: VLAN 1, VLAN 15, and VLAN 35. Network: One Router (R1). One Switch (S1). S1 has three VLANs (VLAN 1, VLAN 15, VLAN 35). R1 is connected to S1 via a single link, fa0/1. All three VLANs connect to the router via a single link (subinterface), using three subinterfaces: fa0/1.1 for VLAN 1, fa0/1.15 for VLAN 15, and fa0/1.35 for VLAN 35. VLAN 1 has one Host. VLAN 15 has two Hosts. VLAN 35 has one Host. The diagram shows a screen shot of both the switch and router command lines, displaying the inter-VLAN routing configuration output. R1 ---output omitted--- ! interface FastEthernet0/1 no ip address duplex auto speed auto no shutdown ! interface FastEthernet0/1.1 encapsulation dot1q 1 native ip address [address garbled in source] 255.255.255.0 no shutdown ! interface FastEthernet0/1.15 encapsulation dot1q 15 ip address [address garbled in source] 255.255.255.0 no shutdown ! interface FastEthernet0/1.35 encapsulation dot1q 35 ip address [address garbled in source] 255.255.255.0 no shutdown ! ---output omitted--- S1 ---output omitted---

interface FastEthernet0/1 switchport mode trunk no ip address no shutdown ! interface FastEthernet0/2 no ip address no shutdown ! interface FastEthernet0/3 no ip address no shutdown ! interface FastEthernet0/4 no ip address no shutdown ! interface FastEthernet0/5 no ip address no shutdown ! interface FastEthernet0/6 switchport access vlan 15 no ip address no shutdown ! interface FastEthernet0/7 switchport access vlan 15 no ip address no shutdown ! interface FastEthernet0/8 switchport access vlan 15 no ip address no shutdown ! interface FastEthernet0/9 switchport access vlan 15 no ip address no shutdown ! interface FastEthernet0/10 switchport access vlan 15 no ip address no shutdown ! interface FastEthernet0/11 switchport access vlan 15 no ip address no shutdown ! interface FastEthernet0/12 switchport access vlan 15 no ip address no shutdown !

interface FastEthernet0/13 switchport access vlan 35 no ip address no shutdown ! interface FastEthernet0/14 switchport access vlan 35 no ip address no shutdown ! interface FastEthernet0/15 switchport access vlan 35 no ip address no shutdown ! interface FastEthernet0/16 switchport access vlan 35 no ip address no shutdown ! interface FastEthernet0/17 switchport access vlan 35 no ip address no shutdown ! interface FastEthernet0/18 no ip address no shutdown ! interface FastEthernet0/19 no ip address no shutdown ! interface FastEthernet0/20 no ip address no shutdown ! interface FastEthernet0/21 no ip address no shutdown ! interface FastEthernet0/22 no ip address ! interface FastEthernet0/23 no ip address ! interface FastEthernet0/24 no ip address !

Page 5: Lab Activity

3. Any change to the VLAN structure requires further manual configuration.5. A secondary version of this lab is also available. 3. One incorrectly keyed number causes inconsistencies in connectivity throughout the entire network. Routers do not forward VTP updates.3 . There is a link to a secondary version of this lab on this page. The network has five switches connected in a series. centralized management of the VLAN structure becomes crucial. Click the lab icon to begin.4. To resolve this issue. VTP ensures that VLAN configuration is consistently maintained across the network and reduces the task of VLAN management and monitoring.5 1. If there is no automated way to manage an enterprise network with hundreds of VLANs. Cisco created VTP to automate many of the VLAN configuration functions.Inter-V LAN Routing Link to Hands-on Lab: Configuring Inter-V LAN Routing Configure inter-V LAN routing. VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that provides a method for the distribution and management of the VLAN database from a centralized server in a network segment.1 VLAN Trunking Protocol (VTP) Page 1: As networks grow in size and complexity. .5 Maintaining VLANs on an Enterprise Network 3. manual configuration of each VLAN on each switch is necessary. Without VTP Without VTP configured.Maintaining V LAN's on the Enterprise Network This animation depicts the difference between managing switches using VTP and not using V T P management. and rename V LANs. the network administrator must manually add.Configure inter-VLAN routing. 3. delete.

With VTP
With VTP configured, the network administrator must manually add, delete, and rename VLANs on the first switch only. Then the first switch sends a message to the other switches further down the link to automatically add, delete, or rename the VLANs. This process occurs with each switch connected.

Page 2: VTP is a client/server messaging protocol that adds, deletes, and renames VLANs in a single VTP domain. All switches under a common administration are part of a domain. Each domain has a unique name. VTP switches only share VTP messages with other switches in the same domain.

Two different versions of VTP exist: Version 1 and Version 2. Version 1 is the default and it is not compatible with Version 2. All switches must be configured with the same version.

Page 3: With VTP, each switch advertises messages on its trunk ports. Messages include the management domain, configuration revision number, known VLANs, and parameters for each VLAN. These advertisement frames are sent to a multicast address so that all neighbor devices receive the frames.

VTP has three modes: server, client, and transparent. By default, all switches are servers. It is a good practice to have at least two switches configured as servers on a network to provide backup and redundancy. The information pertaining to each VTP mode is listed below:

Server
Creates, modifies, and deletes VLANs and VLAN configuration parameters for the entire domain
Saves VLAN configuration information in the switch's NVRAM
Sends VTP messages out to all trunk ports

Client
Does not create, modify, or delete VLAN information
Modifies its own database with any VLAN changes sent from the server
Sends VTP messages out all trunk ports

Transparent
Forwards VTP advertisements
Ignores information in the VTP message
Does not modify its database when receiving updates
Does not send out an update that indicates a change of its own VLAN database

3.5.1 - Maintaining VLANs on the Enterprise Network
The diagram depicts the three VTP modes of switches.

Each VTP switch saves a VLAN database in NVRAM that contains a revision number. The VTP configuration revision number begins at zero. As changes occur, the configuration revision number increases by one. The revision number continues to increment until it reaches 2,147,483,648. When it reaches that point, the counter resets back to zero. Rebooting the switch also resets the revision number to zero.

If a VTP switch receives an update message that has a higher revision number than the one stored in the database, the switch updates its VLAN database with this new information. A problem situation can occur related to the revision number if someone inserts a switch with a higher revision number into the network: this results in new, but incorrect, information overwriting the legitimate VLAN information on all of the other switches. Since a switch is a server by default, when adding a switch and there is already a server switch, make sure the new switch is configured in client or transparent mode. Another way to protect against this critical situation is to configure a VTP password to validate the switch.

3.5.1 - Maintaining VLANs on the Enterprise Network
The diagram depicts three switches configured in a triangular configuration. The switches are labeled Server, Client, and Client. They are all linked together. Updates to the VLAN database are sent from the server switch to both client switches through the network as revision number 5.

Page 4: VTP messages come in three varieties: summary advertisements, subset advertisements, and advertisement requests.

Summary Advertisements
Catalyst switches issue summary advertisements every 5 minutes or whenever a change to the VLAN database occurs. Summary advertisements contain the current VTP domain name and the configuration revision number. In addition, if VLANs are added, deleted, or changed, the server increments the configuration revision number and issues a summary advertisement.

When a switch receives a summary advertisement packet, it compares the VTP domain name to its own VTP domain name. If the domain name is the same, the switch compares the configuration revision number to its own number. If it is lower or equal, the switch ignores the packet. If the revision number is higher, an advertisement request is sent.

Subset Advertisements
A subset advertisement follows the summary advertisement. A subset advertisement contains a list of VLAN information. If there are several VLANs, they require more than one subset advertisement.

Advertisement Requests
Catalyst switches use advertisement requests to ask for VLAN information. Advertisement requests are required if the switch has been reset or the VTP domain name has been changed, or if the switch receives a VTP summary advertisement with a higher configuration revision number than its own. The subset advertisement that answers the request contains the new VLAN information announced by the summary advertisement.

3.5.1 - Maintaining VLANs on the Enterprise Network
The animation depicts how switches exchange VTP information. Three switches are linked in a triangular configuration. The switches are labeled Server, Client, and Transparent. Each device has specific information attached, as follows.
Server VTP domain. Name: cisco. Mode: server. Revision # 1. VLANs: 1
Client VTP domain. Name: cisco. Mode: client. Revision # 1. VLANs: 1
Transparent VTP domain. Name: null. Mode: transparent. Revision # 1. VLANs: null

The Server notes: Two new VLANs have been added. I must change my revision number and send a summary advertisement. The Server sends a Summary Advertisement to both the Client and Transparent switches: VTP Domain Name = Cisco, Configuration Revision Number = 2.
The Client notes: My revision number is lower than the summary advertisement. I must request more information. The Client then sends an Advertisement Request back to the Server.
The Server notes: I received an advertisement request. I will send more information. The Server then sends a Subset Advertisement of VLANs = 1, 2, 3 to the Client.
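The receive-side checks described above (domain name, then revision number, with a transparent switch only forwarding) and the reused-switch problem from the previous page, as an added toy model in Python. This is not Cisco code or part of the course: the summary and subset advertisement are folded into one message, the VTP password is compared in clear instead of as an MD5 digest, the rule that only a server originates an advertisement is taken from the course text, and the switch names, the domain "cisco" and the password "lab-secret" are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Advertisement:
    """Summary and subset advertisement folded into one message (constructed simplification)."""
    domain: str
    revision: int
    password: Optional[str]          # stands in for the MD5 digest a real VTP message carries
    vlans: Dict[int, str]


@dataclass
class Switch:
    name: str
    domain: str
    mode: str = "server"             # server (the default), client or transparent
    password: Optional[str] = None
    revision: int = 0                # configuration revision number begins at zero
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})
    neighbors: List["Switch"] = field(default_factory=list)

    def edit_vlans(self, changes: Dict[int, str]) -> List[str]:
        """Server-only database change: increment the revision and issue an advertisement."""
        if self.mode != "server":
            raise PermissionError(f"{self.name} is in {self.mode} mode and cannot edit VLANs")
        self.vlans.update(changes)
        self.revision += 1
        return self.advertise()

    def advertise(self) -> List[str]:
        """Send the local database out every trunk. Following the course text, only a server
        originates an advertisement; clients relay what they accept, transparent switches forward."""
        if self.mode != "server":
            return [f"{self.name}: {self.mode} mode, originates no advertisement"]
        adv = Advertisement(self.domain, self.revision, self.password, dict(self.vlans))
        visited = {self.name}
        log: List[str] = []
        for n in self.neighbors:
            log += n.receive(adv, visited)
        return log

    def receive(self, adv: Advertisement, visited: Set[str]) -> List[str]:
        if self.name in visited:         # already handled this advertisement; stops loops
            return []
        visited.add(self.name)
        if self.mode == "transparent":   # forward unchanged, never modify own database
            log = [f"{self.name}: transparent, forwarding revision {adv.revision}"]
            for n in self.neighbors:
                log += n.receive(adv, visited)
            return log
        if adv.domain != self.domain:
            return [f"{self.name}: ignored, domain {adv.domain!r} is not mine"]
        if adv.password != self.password:
            return [f"{self.name}: ignored, VTP password does not validate"]
        if adv.revision <= self.revision:
            return [f"{self.name}: ignored, revision {adv.revision} is not higher than {self.revision}"]
        # Higher revision: this is where the advertisement request and subset would flow.
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        log = [f"{self.name}: updated to revision {self.revision}, VLANs {sorted(self.vlans)}"]
        for n in self.neighbors:         # clients also send VTP messages out all trunk ports
            log += n.receive(adv, visited)
        return log


def link(a: Switch, b: Switch) -> None:
    a.neighbors.append(b)
    b.neighbors.append(a)


def build_domain(password: str = "lab-secret"):
    """Constructed topology like the course diagram: a server and two clients in a triangle."""
    server = Switch("Server", "cisco", "server", password)
    client1 = Switch("Client1", "cisco", "client", password)
    client2 = Switch("Client2", "cisco", "client", password)
    link(server, client1)
    link(server, client2)
    link(client1, client2)
    server.edit_vlans({10: "sales", 20: "engineering"})   # legitimate change: revision 1
    return server, client1, client2


def add_switch(new: Switch) -> Dict[int, str]:
    """Connect `new` to Client2, let it advertise, and return the server's VLAN database afterwards."""
    server, _client1, client2 = build_domain()
    link(new, client2)
    new.advertise()
    return dict(server.vlans)


def reused_switch(mode: str, password: Optional[str], revision: int) -> Dict[int, str]:
    """A switch reused from another network whose NVRAM still holds a stale database
    with a high revision number. Constructed VLAN 99 marks the stale data."""
    stale = Switch("Reused", "cisco", mode, password, revision, {1: "default", 99: "stale"})
    return add_switch(stale)
```

A reused server with the right password and a stale revision of 50 overwrites the whole domain; resetting its revision to zero, putting it in transparent mode, or a non-matching VTP password each leaves the legitimate database in place.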

The Client notes: I have updated my VLAN information and configuration revision number.

Page 5:
3.5.1 - Maintaining VLANs on the Enterprise Network
The diagram depicts an activity in which you must select the characteristics of the server, client, and transparent VTP modes.
Modes
VTP Client Mode. VTP Server Mode. VTP Transparent Mode.
Characteristics
One. Can create, modify or delete VLAN information for the entire domain.
Two. Uses VTP advertisements to update VLAN database.
Three. Issues advertisement requests.
Four. VLANs are local only.
Five. Ignores VTP advertisements.
Six. Default mode for Cisco switches.

3.5.2 Configuring VTP
Page 1: Switches are servers by default. If a switch in server mode issues an update with a higher revision number than the number currently in place, all switches will modify their databases to match the new switch. The steps listed below are used to add a new switch to an existing VTP domain.

When adding a new switch to an existing VTP domain, use the following steps:
Step 1: Configure VTP off-line (version 1)
Step 2: Verify the VTP configuration.
Step 3: Reboot the switch.

3.5.2 - Configuring VTP
The diagram depicts a terminal window with a console session in progress to a switch.

Step 1.
Switch(config)# vtp domain domain-name
Switch(config)# vtp mode server | client | transparent
Switch(config)# vtp password password
Switch(config)# end
Switch# copy running-config startup-config

Step 2.
Switch# show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 64
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : Cisco
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 Digest : Omitted
Configuration last modified by : Omitted
Local updater ID is : Omitted

Step 3.
Switch# reload
Switch# show vtp password
Switch# show vtp counters

Page 2: Packet Tracer Activity
Build and test a VTP domain. Click the Packet Tracer icon to begin.

3.5.2 - Configuring VTP
Link to Packet Tracer Exploration: Configuring a VTP Domain
Build and test a VTP domain.

Page 3: Packet Tracer Activity

Add a new switch into an existing VTP domain. Click the Packet Tracer icon to begin.

3.5.2 - Configuring VTP
Link to Packet Tracer Exploration: Adding a Switch to a VTP Domain
Add a new switch into an existing VTP domain.

3.5.3 VLAN Support for IP Telephony and Wireless
Page 1: The main purpose of VLANs is to separate traffic into logical groups. Traffic from one VLAN will not impact traffic from another VLAN. A VLAN environment is ideal for traffic that is sensitive to time delays, such as voice. Voice traffic must be given priority over normal data traffic to avoid jerky or jittery conversations. Providing a dedicated VLAN for voice traffic prevents voice traffic from having to compete with data for available bandwidth.

An IP phone usually has two ports, one for voice and one for data. Packets traveling to and from the PC and the IP phone share the same physical link to the switch and the same switch port. To segment the voice traffic, enable a separate voice VLAN on the switch.

3.5.3 - VLAN Support for IP Telephony and Wireless
The diagram depicts a woman sitting in front of her laptop with a video call and an IP telephone communication in progress.

Page 2: Wireless is another type of traffic that benefits from VLANs. Wireless is, by nature, very insecure and prone to attacks by hackers. VLANs created for wireless traffic isolate some of the problems that may occur. A compromise to the integrity of the wireless VLAN has no effect on any other VLAN within the organization.

Most wireless deployments place the user in a VLAN on the outside of the firewall for added security. Users have to authenticate to gain entry into the internal network from the wireless network. In addition, many organizations provide guest access to their wireless network. Guest accounts provide anyone, within a limited range, temporary wireless services such as web access, e-mail, ftp, and SSH. Guest accounts are either included in the wireless VLAN or reside in a VLAN of their own.

3.5.3 - VLAN Support for IP Telephony and Wireless
The diagram depicts a router, labeled R1, at the top of a star topology with two switches, labeled S1 and S2. Directly connected to S1 are the following devices: VLAN 18 - VOICE, VLAN 17 - DATA, VLAN 35 - Wireless. Directly connected to S2 are the following devices: VLAN 18 - VOICE, VLAN 17 - DATA, VLAN 35 - Wireless.

Page 3: Packet Tracer Activity
Build an enterprise-class LAN with voice, wireless, and wired clients. Create separate VLANs that would isolate voice and wireless traffic. Click the Packet Tracer icon to begin.

3.5.3 - VLAN Support for IP Telephony and Wireless
Link to Packet Tracer Exploration: Configuring Wireless and Voice VLANs
Build an enterprise-class LAN with voice, wireless, and wired clients. Create separate VLANs that would isolate voice and wireless traffic.

3.5.4 VLAN Best Practices
Page 1: When carefully planned and designed, VLANs provide security, conserve bandwidth, and localize traffic on an enterprise network. All of these features combine to improve network performance. Some best practices for configuring VLANs in an enterprise network are:

4 . data. Information about each method is given below. are not the answer to every problem. however. VLANs isolate certain types of traffic for reasons of security. they can overly complicate a network. If VLANs are not correctly implemented. and protocol traffic V LAN Trunking Protocol Standardizes the V LAN configuration across the enterprise Provides for easy V LAN management and maintenance Reduces the time required for V LAN administration and maintenance VTP Domains Minimizes misconfiguration Propagates and synchronizes V LAN information across member switches Provides extra security when combined with a VTP password . dedicated V LAN to keep management traffic separate from user. 3. which increases the cost of implementation and introduces an increased level of latency into the network. the management V LAN and the native V LAN are V LAN 1 Do not use V LAN 1 for in-band management traffic Select a different.• • • • • • Organizing server placement Disabling unused ports Configuring the management VLAN as a number other than 1 Using VLAN Trunking Protocol Configuring VTP Domains Reboot any new switch entering an established network VLANs.5.V LAN Best Practice The diagram depicts the six best practice methods for setting up V LAN'S. To move traffic between VLANs requires a Layer 3 device. Server Placement Ensure all servers required by a particular group are members of the same V LAN Unused Ports Disable unused ports Put unused ports in an unused V LAN Stop unauthorized access by not granting connectivity or by placing a device into an unused V LAN Management V LAN By default. resulting in inconsistent connectivity and slow network performance.

VTP Revision Number
Ensure that any new switch added to the network has a revision number of zero
Reset the revision number by either of the following:
One. Change the domain name to something else. Change it back.
Two. Set the new switch to transparent mode, then switch it back to client or server.

Page 2: Packet Tracer Activity
Plan and build a switched network to meet client specifications. Click the Packet Tracer icon to begin.

3.5.4 - VLAN Best Practice
Link to Packet Tracer Exploration: Planning and Building an Enterprise Network
Plan and build a switched network to meet client specifications.

3.6 Chapter Summary
3.6.1 Summary
Page 1:
3.6.1 - Summary
Diagram 1. Image
The diagram depicts the use of Store-and-Forward and Cut-Through Switching. The diagram also shows how using Store-and-Forward Switching is a better solution because there will be a decrease in the number of errors.
Diagram 1 text
Switches use microsegmentation to create single port collision domains. Layer 3 switching takes place in special ASIC hardware. Switches forward traffic using store-and-forward or cut-through techniques. Basic security features should be applied to switches to ensure that only authorized personnel access the devices.
Diagram 2. Image
The diagram depicts a network where there are four looped switches. The last switch connects to the first. One port has been blocked by STP to eliminate the loop.

Diagram 2 text
Spanning Tree Protocol shuts down redundant links to prevent switching loops. A root bridge is at the top of the spanning tree and it is elected based on the lowest bridge ID. Spanning Tree recalculation can take up to 50 seconds to complete, during which time the network has limited functionality. Rapid Spanning Tree has evolved to shorten the convergence time.

Diagram 3. Image
The diagram depicts a building with a network on three floors. There are three different colored ovals which represent three VLANs. The VLANs are spread over three floors.
Diagram 3 text
A VLAN is a collection of hosts that are on the same local area network even though they may be physically separated from each other. VLAN 1 is the management VLAN by default. VLANs are suited for time sensitive traffic such as voice. A Layer 3 device is required to move traffic between different VLANs.

Diagram 4. Image
The diagram depicts a network shown with three different colored circles. Each circle represents a different VLAN.
Diagram 4 text
An access port connects a device to a switch and is a member of one VLAN. A trunk port connects two switches or a switch and a router, and forwards tagged frames from multiple VLANs. Frame tagging applies the VLAN ID to the Ethernet frame so the switch can identify the source VLAN. IEEE 802.1Q is the open standard frame tagging protocol that inserts a 4-byte tag into the Ethernet frame. Untagged frames are forwarded using the native VLAN.

Diagram 5. Image
The diagram depicts the use of a subinterface to establish communication between multiple VLANs. There are three VLANs, each represented by a different colored circle. All three VLANs connect to the router via a single link (subinterface) on the Fa0/0 interface.
Diagram 5 text
A router interface is configured using subinterfaces to support multiple VLANs. VLAN Trunking Protocol provides a method for the centralized control, distribution, and maintenance of the enterprise VLAN database. Switches are either servers, clients, or transparent. A server issues a VTP update by having a higher revision number than the other switches. Best practices, such as a consistent VTP domain name and revision number control, increase network efficiency.

3.7 Chapter Quiz

3.7.1 Quiz
Page 1: Take the chapter quiz to check your knowledge. Click the quiz icon to begin.

3.7.1 - Quiz
Chapter 3 Quiz: Switching in an Enterprise Network

1. Which devices can be connected to a VLAN trunk? (Choose three.)
A. a switch
B. a hub
C. a router
D. a server with a special NIC
E. a CSU/DSU
F. a repeater

2. What happens when there is a topology change on a network that utilizes STP? (Choose two.)
A. User traffic is disrupted until recalculation is complete.
B. All ports are placed in learning state until convergence has occurred.
C. The switch recomputes the Spanning Tree topology after the network recovers.
D. User data is forwarded while BPDUs are exchanged to recompute the topology.
E. A delay of up to 50 seconds is incurred for convergence of the new spanning tree topology.

3. This question refers to a network topology. Use this topology to answer the question.
Network Topology
Router R1's Fa0/0 is connected to Switch SW_1. SW_1 is connected to two hosts. One host is on VLAN 30 and one host is on VLAN 40.
Which set of commands should be used to configure the router to provide communication between the two hosts connected to the switch?
A.
R_1(config)# interface vlan 30
R_1(config-if)# switchport mode trunk dot1q
R_1(config-if)# interface vlan 40
R_1(config-if)# switchport mode trunk dot1q
B.
R_1(config)# interface vlan 30
R_1(config-if)# ip address 192.168.30.1 255.255.255.0
R_1(config-if)# no shutdown
R_1(config-if)# interface vlan 40
R_1(config-if)# ip address 192.168.40.1 255.255.255.0
R_1(config-if)# no shutdown
C.
R_1(config)# interface fastethernet 0/0
R_1(config-if)# mode trunk dot1q 30 40
R_1(config-if)# ip address 192.168.1.1 255.255.255.0
R_1(config-if)# no shutdown

D.
R_1(config)# interface fastethernet 0/0
R_1(config-if)# no shutdown
R_1(config-if)# interface fastethernet 0/0.3
R_1(config-if)# encapsulation dot1q 30
R_1(config-if)# ip address 192.168.30.1 255.255.255.0
R_1(config-if)# interface fastethernet 0/0.4
R_1(config-if)# encapsulation dot1q 40
R_1(config-if)# ip address 192.168.40.1 255.255.255.0

4. How do Layer 3 switches differ from traditional routers?
A. Layer 3 switches forward packets based on MAC address only, while routers use IP addresses for forwarding.
B. Layer 3 switches never perform routing lookups, while routers must always perform them.
C. Layer 3 switches are used in LANs, while routers are used in WANs.
D. Layer 3 switches use ASICs for routing, while routers are software based.

5. Match the switching method to the description. (Not all options are used.)
Switching Methods
store and forward
fragment-free
multilayer
cut-through
adaptive cut-through
fast-forward
Descriptions
recalculates the CRC value
subdivides into two other methods
low cost latency but may forward collision fragments
reads the first 64 bytes of the frame before forwarding
compares the number of errors found to a threshold value

6. This question refers to a network topology. Use this topology to answer the question.
Network Topology
This network topology consists of four switches connected to one another in a row. The switches in the network topology are interconnected by trunked links and are configured with the VTP modes shown. Switch 1 is functioning in server mode. Switch 2 is functioning in client mode. Switch 3 is functioning in transparent mode. Switch 4 is functioning in server mode.
A new VLAN is added to Switch1. Which three actions will occur? (Choose three.)
A. Switch3 will add the VLAN to its VLAN database.
B. Switch 1 will not add the VLAN to its VLAN database and will pass the updates to Switch 2.
C. Switch2 will add the VLAN to its VLAN database and pass the update to Switch 3.
D. Switch4 will not receive the update.
E. Switch4 will add the VLAN to its VLAN database.
F. Switch3 will pass the VTP update to Switch 4.

7. Which two problems are caused by redundant links in a switched network? (Choose two.)
routing table corruption
switching loops
broadcast storms
routing loops
corrupt forwarding information base

8. What two criteria does STP use to elect the root bridge in a redundantly switched network? (Choose two.)

A. amount of switch RAM
B. bridge priority
C. switching speed
D. number of switch ports
E. switch MAC address
F. switch location

9. Following a link failure, when does RSTP allow ports to move to the forwarding state?
A. in less than a second
B. in two seconds
C. in 30 seconds
D. in 50 seconds
E. in 90 seconds

10. In what two ways does the use of VLANs benefit an organization? (Choose two.)
A. by centralizing departmental staff and network resources together in a single physical area
B. by allowing organization flexibility, grouping users together by function instead of physical location
C. by allowing logical separation of voice and other critical traffic from the rest of the data traffic
D. by reducing the number of broadcast domains in an enterprise network
E. by reducing network management costs by replacing many Layer 2 devices with a few Layer 3 devices
F. by eliminating the need for routing traffic in large networks

11. Access1 is a new switch that is to be connected as a VTP client to the network once it has been configured. Given the output generated by the VTP server switch Dist-2, which series of configuration commands would successfully introduce the client switch into the VTP domain? Use the output below to answer this question.
Dist-2# show vtp status
VTP Version : 2
Configuration Revision : 11
Maximum VLANs supported locally : 250
Number of existing VLANs : 10
VTP Operating Mode : Server
VTP Domain Name : MYCORP
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x0B 0xA5 0xDF 0xA7 0x52 0xBD 0x93 0x4D
Configuration last modified by 172.16.0.32 at 3-1-93 03:56:18
Local updater ID is 172.16.0.22 on interface Vl1 (lowest numbered VLAN interface found)
Dist-2# show vtp password
VTP Password: ITrustYou
Dist-2#
A.
Access1(config)# vtp mode client
Access1(config)# vtp domain mycorp
Access1(config)# vtp password ITrustYou
B.
Access1(config)# vtp mode client
Access1(config)# vtp domain MYCORP
Access1(config)# vtp version 2
Access1(config)# vtp password ITrustYou

C.
Access1(config)# vtp mode client
Access1(config)# vtp domain mycorp
Access1(config)# vtp password ITrustYou
D.
Access1(config)# vtp mode client
Access1(config)# vtp domain Mycorp
Access1(config)# vtp version 2
Access1(config)# vtp password ITrustYou

12. What elements will exist in a converged switched network running spanning tree? (Choose two.)
A. all non-designated ports forwarding
B. one root bridge per network
C. one root port per non-root bridge
D. multiple designated ports per segment
E. one designated port per network

13. How often are spanning-tree BPDUs sent by default?
A. every second
B. every two seconds
C. every three seconds
D. every four seconds

14. A router is configured to connect to a trunked uplink as shown. A packet is received on the FastEthernet 0/1 physical interface from VLAN 1. The packet destination address is 192.168.1.85. What will the router do with the packet? Use the output below to answer this question.
RA(config)# interface fastethernet 0/1
RA(config-if)# no shutdown
RA(config-if)# interface fastethernet 0/1.1
RA(config-subif)# encapsulation dot1q 1
RA(config-subif)# ip address 192.168.1.62 255.255.255.224
RA(config-if)# interface fastethernet 0/1.2
RA(config-subif)# encapsulation dot1q 2
RA(config-subif)# ip address 192.168.1.94 255.255.255.224
RA(config-if)# interface fastethernet 0/1.3
RA(config-subif)# encapsulation dot1q 3
RA(config-subif)# ip address 192.168.1.126 255.255.255.224
RA(config-subif)# exit
A. The router will forward the packet out interface FastEthernet 0/1.1.
B. The router will forward the packet out interface FastEthernet 0/1.2.
C. The router will forward the packet out interface FastEthernet 0/1.3.
D. The router will drop the packet because no network that includes the destination address is attached to the router.
E. The router will ignore the packet because the source and destination are on the same broadcast domain.

All contents copyright © 2007-2008 Cisco Systems, Inc. Translated by the Cisco Networking Academy.

4 Addressing in an Enterprise Network
4.0 Chapter Introduction
4.0.1 Introduction
Page 1:
4.0.1 - Introduction
Well-designed enterprise networks with many locations and users employ a logical addressing hierarchy. The use of classless addresses and Variable Length Subnet Masks (VLSM) facilitates network scalability. Classless routing and Classless Inter-Domain Routing (CIDR) address the problem of route summarization. Private addressing and Network Address Translation (NAT) preserve IP version 4 addresses, providing flexibility and security in network design.

After completion of this chapter, you should be able to: Analyze the features and benefits of a hierarchical IP addressing structure. Plan and implement a VLSM IP addressing scheme. Plan a network using classless routing and CIDR. Configure and verify both static and dynamic NAT.

4.1 Using a Hierarchical IP Network Address Scheme
4.1.1 Flat and Hierarchical Networks
Page 1: Implementing switches reduces the number of collisions that occur within a local network. However, having an all-switched network often creates a single broadcast domain. In a single broadcast domain, or flat network, every device is in the same network and receives each broadcast. In small networks, a single broadcast domain is acceptable.

With large numbers of hosts, a flat network becomes less efficient. As the number of hosts increases in a switched network, so does the number of broadcasts sent and received. Broadcast packets take up a lot of bandwidth, causing traffic delays and timeouts. Creating VLANs provides one solution to a large, flat network. Each VLAN is its own broadcast domain. Implementing a hierarchical network using routers is another solution.

4.1.1 - Flat Hierarchical Networks
The animation depicts the difference between a flat network and a hierarchical network topology. The animation begins with an image of a flat network showing three switches directly connected to each other, with five computers directly connected to each switch. The flat network topology represents one large broadcast domain. Next, the topology changes to a hierarchical model with the switched network (Access Layer) connecting to a router at the Distribution Layer. The Distribution Layer router connects to the Core Layer router, which in turn connects to the network cloud. This hierarchical network represents three separate broadcast domains.

4.1.2 Hierarchical Network Addressing
Page 1: Enterprise networks are large, and benefit from a hierarchical network design and address structure. In enterprise networks with many geographically separate locations, a hierarchical network design and address structure simplifies network management and troubleshooting and also improves scalability and routing performance. A hierarchical addressing structure logically groups networks into smaller subnetworks. An effective hierarchical address scheme consists of a classful network address in the Core Layer that is subdivided into successively smaller subnets in the Distribution and Access Layers.

It is possible to have a hierarchical network without hierarchical addressing. Although the network still functions, the effectiveness of the network design decreases and certain routing protocol features, such as route summarization, do not work properly.

4.1.2 - Hierarchical Network Addressing
The diagram depicts two scenarios representing non-hierarchical and hierarchical addressing. The scenarios use the same topology. Only the addressing scheme changes. Switched LANs at the Access Layer connect to a Distribution Layer router, which connects to a Core Layer router, which in turn connects to the network cloud.

In the non-hierarchical addressing scheme, each network has non-related IP addresses, as follows:
Connection to cloud: 192.168.1.0
Core to Distribution Layer: 192.168.4.0
LAN 1: 192.168.100.0
LAN 2: 10.0.22.0
LAN 3: 172.16.1.0

In the hierarchical addressing scheme, a logical grouping of networks exists. Note that the subnet masks are now included in the addressing, as follows:
Connection to cloud: 10.5.0.0 /16
Core to Distribution Layer: 10.5.1.0 /24
LAN 1: 10.5.8.32 /27
LAN 2: 10.5.8.64 /27
LAN 3: 10.5.8.96 /27

4.1.3 Using Subnetting to Structure the Network
Page 1: There are many reasons to divide the network into subnets, including:
• Physical location
• Logical grouping
• Security
• Application requirements
• Broadcast containment
• Hierarchical network design

For example, if an organization uses a 10.0.0.0 network for the enterprise, they might use an addressing scheme such as 10.X.Y.0, where X represents a geographical location and Y represents a building or floor within that location. This addressing scheme allows for:
• 255 different geographical locations
• 255 buildings in each location
• 254 hosts within each building

4.1.3 - Using Subnetting to Structure the Network
The diagram depicts four boxes describing reasons to divide a network into subnets.
One. Location. There are two sites labeled Site A and Site B depicted, with a serial link between them.
Two. Logical Grouping. The LANs are labeled Engineering and Accounting.
Three. Security. The router offers security features. A red line between the Access Layer switch and the Distribution Layer router marks the security demarcation point.
Four. Broadcast Containment. Two Access Layer LANs (switched) are shown connected to another switch. The demarcation line is between this switch and the Distribution Layer router. A red line between the Distribution Layer router and the Access Layer switches marks the point of broadcast containment.

Page 2:
4.1.3 - Using Subnetting to Structure the Network
The diagram depicts an activity in which you must indicate whether a hierarchical addressing scheme using subnets should be used to structure the network. Answer yes or no to the scenarios below.
One. A home user purchases a Linksys WRT300N with integrated router, 4-port switch, and wireless access point. One computer will connect to the switch and other users will access the Linksys via wireless.
Two. An organization has five locations in different states. All sites need to be connected. They have been assigned five IP addresses by their ISP but wish to separate users at each location based on the type of application they use at each location.
Three. A small business that has 10 employees uses a 12 port switch to connect to a router to access the ISP.
Four. A large organization wants to break up some of their larger LANs to limit broadcasts and improve network performance.
Five. An organization has been assigned a single IP address and wants to break up the addresses into smaller chunks to be used by different departments within the organization. They do not want to purchase additional IP addresses from their ISP.

4.2 Using VLSM
4.2.1 Subnet Mask
Page 1: To use subnetting to create a hierarchical design, it is crucial to have a clear understanding of the structure of the subnet mask. The subnet mask is a 32-bit value that distinguishes between the network bits and the host bits. It consists of a string of 1s followed by a string of 0s. The 1 bits represent the network portion and the 0 bits represent the host portion. The subnet mask indicates whether hosts are in the same network.
• Class A addresses use a default subnet mask of 255.0.0.0 or a slash notation of /8
• Class B addresses use a default mask of 255.255.0.0 or /16

00000000.00000000 Slash Notation: /12 Number of host bits: 20 Hosts Possible.00000000 Slash Notation: /8 Number of host bits: 24 Hosts Possible. subnet masks vary in length.0.0. NOTE: The number of usable hosts is calculated by taking the number 2 to the power of the number of host bits available and then subtracting 2.128. 4.11000000.11110000.0 . 2 to the power of n minus 2: 4194302 Dotted Decimal Subnet Mask: 255.1 .248.00000000.252.11100000.00000000 Slash Notation: /11 Number of host bits: 21 Hosts Possible.192.00000000 Slash Notation: /9 Number of host bits: 23 Hosts Possible.2.240.00000000.0.0. In an enterprise network.0 Binary Subnet Mask: 11111111.00000000.0. it is not efficient to have the same subnet mask length for all subnets created.10000000. 2 to the power of n minus 2: 524286 Dotted Decimal Subnet Mask: 255. Dotted Decimal Subnet Mask: 255.00000000.00000000 Slash Notation: /10 Number of host bits: 22 Hosts Possible.255. therefore. LAN segments often contain varying numbers of hosts.0 Binary Subnet Mask: 11111111.00000000> Slash Notation: /13 Number of host bits: 19 Hosts Possible.11111000.0 or /24 The /x refers to the number of bits in the subnet mask that comprise the network portion of the address.255.Subnet Mask The diagram depicts a chart labeled Subnet Mask Notation and Number of Possible Hosts.0 Binary Subnet Mask: 11111111.0.0.0 Binary Subnet Mask: 11111111.0.• Class C addresses use a default mask of 255. 2 to the power of n minus 2: 2097150 Dotted Decimal Subnet Mask: 255.224. 2 to the power of n minus 2: 16777214 Dotted Decimal Subnet Mask: 255.00000000. 2 to the power of n minus 2: 1048574 Dotted Decimal Subnet Mask: 255.0 Binary Subnet Mask: 11111111.00000000.0 Binary Subnet Mask: 11111111. 2 to the power of n minus 2: 8388606 Dotted Decimal Subnet Mask: 255.

11111110.255.11000000.11111100.Binary Subnet Mask: 11111111.255. 2 to the power of n minus 2: 2046 Dotted Decimal Subnet Mask: 255.00000000.11110000.0 Binary Subnet Mask: 11111111. 2 to the power of n minus 2: 8190 Dotted Decimal Subnet Mask: 255.255.00000000 Slash Notation: /14 Number of host bits: 18 Hosts Possible.00000000 Slash Notation: /17 Number of host bits: 15 Hosts Possible.192. 2 to the power of n minus 2: 262142 Dotted Decimal Subnet Mask: 255.00000000 Slash Notation: /22 Number of host bits: 10 Hosts Possible.0 Binary Subnet Mask: 11111111. 2 to the power of n minus 2: 32766 Dotted Decimal Subnet Mask: 255.255. 2 to the power of n minus 2: 65534 Dotted Decimal Subnet Mask: 255. 2 to the power of n minus 2: 1022 Dotted Decimal Subnet Mask: 255.0 11111111.10000000.00000000 Slash Notation: /16 Number of host bits: 16 Hosts Possible.11111111.254.255.00000000 Slash Notation: /23 .00000000 Slash Notation: /18 Number of host bits: 14 Hosts Possible.255.11111111.252.254. 2 to the power of n minus 2: 16382 Dotted Decimal Subnet Mask: 255.00000000.0 Binary Subnet Mask: 11111111.11111110.11111111.00000000 Slash Notation: /21 Number of host bits: 11 Hosts Possible.11111000.00000000 Slash Notation: /15 Number of host bits: 17 Hosts Possible.11111100.248.00000000 Slash Notation: /19 Number of host bits: 13 Hosts Possible.11111111.11111111.255. 2 to the power of n minus 2: 131070 Dotted Decimal Subnet Mask: 255.128.224. 2 to the power of n minus 2: 4094 Dotted Decimal Subnet Mask: 255.00000000.11111111.11111111.240.0 Binary Subnet Mask: 11111111.0 Binary Subnet Mask: 11111111.0.0 Binary Subnet Mask: 11111111.0 11111111.255.0.0 Binary Subnet Mask: 11111111.00000000 Slash Notation: /20 Number of host bits: 12 Hosts Possible.11100000.11111111.

255.11111111.11111111.11111111.240 Binary Subnet Mask: 11111111. and number of hosts possible for the following subnet masks.255.255.255.252 Binary Subnet Mask: 11111111.11110000 Slash Notation: /28 Number of host bits: 4 Hosts Possible.Number of host bits: 9 Hosts Possible.11111000 Slash Notation: /29 Number of host bits: 3 Hosts Possible. .11111111.11111111.255.255. 2 to the power of n minus 2: 14 Dotted Decimal Subnet Mask: 255.255.255.255.2.11000000 Slash Notation: /26 Number of host bits: 6 Hosts Possible. 2 to the power of n minus 2: 510 Dotted Decimal Subnet Mask: 255.255.11111111.11111111.255.Subnet Mask The diagram depicts an activity in which you must determine the slash notation.255. A.11111111.255.255. 2 to the power of n minus 2: 254 Dotted Decimal Subnet Mask: 255.255.224.10000000 Slash Notation: /25 Number of host bits: 7 Hosts Possible.192 Binary Subnet Mask: 11111111.255.248.1 .255.128 Binary Subnet Mask: 11111111.248 Binary Subnet Mask: 11111111. 2 to the power of n minus 2: 2 Page 2: 4. 2 to the power of n minus 2: 126 Dotted Decimal Subnet Mask: 255.255.255.00000000 Slash Notation: /24 Number of host bits: 8 Hosts Possible.252.11111111.11111111.255. 2 to the power of n minus 2: 30 Dotted Decimal Subnet Mask: 255. B.255. C.255.11100000 Slash Notation: /27 Number of host bits: 5 Hosts Possible. 2 to the power of n minus 2: 62 Dotted Decimal Subnet Mask: 255.255.11111111.11111100 Slash Notation: /30 Number of host bits: 2 Hosts Possible.11111111.11111111.11111111.224 Binary Subnet Mask: 11111111.0 Binary Subnet Mask: 11111111. 2 to the power of n minus 2: 6 Dotted Decimal Subnet Mask: 255. number of host bits.
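The conversions behind the chart above, written as an added Python example (this is not code from the Cisco course; the function names are mine and it relies only on Python's standard ipaddress module). Besides generating the /8 to /30 rows, it checks the one property the text states but a chart cannot enforce: a mask must be a contiguous run of 1s followed by 0s, so a value such as 255.0.255.0 is rejected rather than silently given a prefix length.

```python
# Added example (not part of the Cisco course page): subnet mask notation
# conversions behind the "Subnet Mask Notation and Number of Possible Hosts"
# chart, plus a validity check for masks that are not a contiguous run of 1s.
import ipaddress


def prefix_to_mask(prefix: int) -> str:
    """Return the dotted-decimal mask for a /prefix between 0 and 32."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(bits))


def mask_to_binary(mask: str) -> str:
    """Render a dotted-decimal mask as four 8-bit groups, e.g. 11111111.11110000.00000000.00000000."""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))


def mask_to_prefix(mask: str) -> int:
    """Return the /prefix for a dotted-decimal mask.

    Raises ValueError for a non-contiguous mask such as 255.0.255.0: the
    1 bits are counted, and the mask must equal that many leading 1s.
    """
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    if bits != ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones


def usable_hosts(prefix: int) -> int:
    """2^(host bits) - 2: the all-0s and all-1s host values are reserved."""
    return 2 ** (32 - prefix) - 2


def chart_row(prefix: int) -> dict:
    """One row of the course chart for the given prefix length."""
    mask = prefix_to_mask(prefix)
    return {"mask": mask, "binary": mask_to_binary(mask), "slash": f"/{prefix}",
            "host_bits": 32 - prefix, "hosts": usable_hosts(prefix)}


def chart(first: int = 8, last: int = 30) -> list:
    """Rows /8 through /30, the range shown in the course chart."""
    return [chart_row(p) for p in range(first, last + 1)]


if __name__ == "__main__":
    for row in chart():
        print(f"{row['mask']:<16} {row['binary']}  {row['slash']:>4}  "
              f"host bits={row['host_bits']:<2} hosts={row['hosts']}")
</test>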

128. This is done to determine if the two addresses are on the same local network.0.0. so the switch sends the message to H2.255.0. 11000000.D.255. or /24. M.44 and subnet mask of 255.255. G.224. H2 is on the same network.1.Calculating Subnets Using Binary Representation The animation depicts the process of anding the IP address and Subnet Mask to determine whether the destination Host is on the same network. There are two hosts. with the IP address of 192. needs to send a message to H2. assume that H1.248.00000000 Network . F.192.10101000. The IP Address. The network is determined by comparing the IP address to the Subnet Mask.252.255. it determines its network address and the destination network address by applying its subnet mask to both its IPv4 address and to the destination IPv4 address.00000001.0. N. H1 and H2.00101100 Subnet Mask .0.0. I.255.255.66 and a subnet mask of 255. which means the network bits end on the octet boundary. Both hosts have the same network bits of 192.255. L. as well as the corresponding binary equivalent.255. J.1. If they do not match.255. In this instance.255.240. H. 11111111.255.255. If the resulting networks are the same.255. The subnet mask is a 32 bit value used to distinguish between the network bits and the host bits of the IP address. 4.255. H1 sends H2 a message.255.255.0. are listed below.255.255.168.00000000 . the third octet.10101000.255.128. the packet is sent to the default gateway.255. both hosts have a default subnet mask of 255.2 .255.255.0.240.168.255. or a different network.0.0.11111111.255.1.255. the packet can be delivered locally. The 1s indicate the number of network bits and the 0s indicate the number of host bits within the IP address.255.0. E.44. with the IP address of 192.255.2.255.192.1. H1 Configuration IP Address .2.255.168. For example. 4.255.255.254.255. and therefore are on the same network.192.00000001. Subnet Mask. 11000000.168.255. connected to a switch. 
The network bits are compared between the source and destination.1.192. The subnet mask is made up of a string of 1s followed by a string of 0s.168. The switch checks to see if H2 is on the same network as H1.11111111.0. K.255.0.2 Calculating Subnets Using Binary Representation Page 1: When one host needs to communicate with another.255. and Network Address for each configuration.

and the corresponding binary equivalent are listed below.1.16 Last Octet (00010000) H1 is on subnetwork 192.00010101 Subnet Mask . 11111111.00011001 Subnet Mask: 255. This means out of 32 bits. 11000000.16. For example. .11111111.168.13.255. with the IP address of 192.00000000 The animation concludes by highlighting that both H1 and H2 are on the same network: 192. If H1.66.00000000 Network 192.168. subnet.168.248. the value of the network ID is 192.2.11111000 Subnet: 192.24 Page 3: 4.24. 11111111. or /29.13.21 /29.13.13.13.10101000.255. 4.168.255. the network portion of the two hosts must be compared to determine if the two are on the same local network.168.1.255.168.16. whereas H2 has a network value of 192.11111111.25/29. The subnet is determined by comparing the last octet of both the IP address and subnet mask. The IP address subnet mask.13. In this instance.13.13. In this case.21/29 address needed to communicate with another host.11111000 Subnet: 192.11111111.13. with the address of 192.13.255. The network bits take up all of the first three octets and extend into the fourth octet.11111111.Calculating Subnets Using Binary Representation The diagram depicts an activity in which you must determine whether the two hosts are on the same network.168.24 Last Octet (00011000) H2 is on subnetwork 192.255. Page 2: While it is fairly easy to see the network and host portion of an IP address when the subnet mask ends on the network boundary.168.248.255.000000001.21 with a subnet mask of 255.10101000. H1 has a network value of 192. 29 of them make up the network portion. H1 has an IP address of 192.Calculating Subnets Using Binary Representation The diagram illustrates the process of comparing the IP address and subnet mask of two hosts to determine if they reside on the same subnet.2. H1 and H2.01000010 Subnet Mask .00001101.255.168. There are two hosts. H2.168.168.0.25/29. H1 Configuration IP Address: 192. 
the process of determining the network bits is the same even when the network portion does not take up the entire octet. 11000000.16 H2 Configuration IP Address: 192. H1 and H2 are not on the same network and require the use of a router to communicate.13.10101000.13. 11000000.168.168.2 . 11000000.00001101.2 .255.0.00000001.168.248.1.192.0. 11111111.255.10101000.H2 Configuration IP Address .11111111.11111111.168.
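The bitwise AND the animation and diagram walk through, as an added Python example (not the course's own code; the function names are mine). It prints each address, mask and resulting network in the same dotted-binary form the course uses, and covers the non-octet-aligned /29 case, where the two hosts differ only in the fourth octet yet land on different subnets.

```python
# Added example (not part of the course page): the bitwise AND of an IPv4
# address with its subnet mask, shown in binary, to decide whether two hosts
# share a network. The addresses are the ones used in the course text.
import ipaddress


def to_bits(value: int) -> str:
    """32-bit value as four dotted 8-bit groups, e.g. 11000000.10101000.00000001.00101100."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def network_of(ip: str, prefix: int) -> dict:
    """AND the address with the /prefix mask; return decimal and binary forms of each piece."""
    addr = int(ipaddress.IPv4Address(ip))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    net = addr & mask
    return {
        "ip": ip, "ip_bits": to_bits(addr),
        "mask": str(ipaddress.IPv4Address(mask)), "mask_bits": to_bits(mask),
        "network": str(ipaddress.IPv4Address(net)), "network_bits": to_bits(net),
    }


def same_network(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when both hosts have identical network bits under the given mask.

    When False the sender cannot deliver locally and must use its default
    gateway, which is the router case in the course's /29 example.
    """
    return network_of(ip_a, prefix)["network"] == network_of(ip_b, prefix)["network"]


if __name__ == "__main__":
    pairs = (("192.168.1.44", "192.168.1.66", 24),      # course page 1: same /24
             ("192.168.13.21", "192.168.13.25", 29))    # course page 2: different /29s
    for a, b, prefix in pairs:
        for ip in (a, b):
            r = network_of(ip, prefix)
            print(f"{ip}/{prefix}")
            print(f"  IP      {r['ip_bits']}")
            print(f"  Mask    {r['mask_bits']}  ({r['mask']})")
            print(f"  Network {r['network_bits']}  -> {r['network']}")
        print(f"  same network: {same_network(a, b, prefix)}\n")
```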

Page 3:
4.2.2 - Calculating Subnets Using Binary Representation
The diagram depicts an activity in which you must determine whether the two hosts are on the same network. Each item gives Host 1 and Host 2 with an IP address, subnet mask, and slash format; the masks used in the activity are /24, /27, /28, and /29.

4.2.3 Basic Subnetting Process Page 1: Using a hierarchical addressing scheme, much information can be determined by looking at only an IP address and slash notation (/x) subnet mask. For example, an IP address of 192.168.1.75 /26 shows the following information:

Decimal subnet mask
• The /26 translates to a subnet mask of 255.255.255.192.

Number of subnets created
• Assuming we started with the default /24 subnet mask, we borrowed 2 additional host bits for the network. This creates 4 subnets (2^2 = 4).

Number of usable hosts per subnet
• Six bits are left on the host side creating 62 hosts per subnet (2^6 = 64 - 2 = 62).

Network address
• Using the subnet mask to determine the placement of network bits, the value of the network address is given. In this example, the value is 192.168.1.64.

First usable host address
• A host cannot have all 0s within the host bits, because that represents the network address of the subnet. Therefore, the first usable host address within the .64 subnet is .65.

Broadcast address
• A host cannot have all 1s within the host bits because that represents the broadcast address of the subnet. In this case, the broadcast address is .127. 128 starts the network address of the next subnet.

4.2.3 - Basic Subnetting Process
Subnet 0: Network address: 192.168.1.0 /26    Host range: 192.168.1.1 to 192.168.1.62     Broadcast address: 192.168.1.63
Subnet 1: Network address: 192.168.1.64 /26   Host range: 192.168.1.65 to 192.168.1.126   Broadcast address: 192.168.1.127
Subnet 2: Network address: 192.168.1.128 /26  Host range: 192.168.1.129 to 192.168.1.190  Broadcast address: 192.168.1.191
Subnet 3: Network address: 192.168.1.192 /26  Host range: 192.168.1.193 to 192.168.1.254  Broadcast address: 192.168.1.255

Page 2: Lab Activity
Design and apply an IP addressing subnet scheme for a given topology. Click the lab icon to begin.

4.2.3 - Basic Subnetting Process
Link to Hands-on Lab: Designing and Applying an IP Addressing Scheme. Design and apply an IP addressing subnet scheme for a given topology.
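The facts the course reads off 192.168.1.75 /26, derived in code, as an added Python example (not the course's own code; the function names are mine and the parent prefix of /24 is the course's assumption, passed in as a parameter). The second function enumerates all subnets created by borrowing bits, reproducing the four-row table above; it goes slightly beyond the text in that it works for any parent block and prefix length, not only /24 to /26.

```python
# Added example (not the course's own code): derive the facts the course reads
# off "192.168.1.75 /26", and enumerate every subnet created by borrowing bits
# from a parent prefix (the default /24 in the course's example).
import ipaddress


def subnet_facts(cidr: str, parent_prefix: int = 24) -> dict:
    """Mask, subnet count, usable hosts, network, first/last host and broadcast
    for a host address written as address/prefix."""
    iface = ipaddress.ip_interface(cidr)   # keeps the host bits; ip_network() would reject them
    net = iface.network
    prefix = net.prefixlen
    if prefix < parent_prefix:
        raise ValueError("prefix must be at least as long as the parent prefix")
    if prefix > 30:
        raise ValueError("a /31 or /32 has no network/broadcast pair to reserve")
    borrowed = prefix - parent_prefix
    host_bits = 32 - prefix
    return {
        "mask": str(net.netmask),
        "borrowed_bits": borrowed,
        "subnets_created": 2 ** borrowed,
        "usable_hosts": 2 ** host_bits - 2,
        "network": str(net.network_address),
        "first_host": str(net[1]),          # all-0s host bits is the network address
        "last_host": str(net[-2]),          # all-1s host bits is the broadcast address
        "broadcast": str(net.broadcast_address),
    }


def enumerate_subnets(parent: str, new_prefix: int) -> list:
    """All subnets of parent at new_prefix, numbered from 0, with host range and broadcast."""
    rows = []
    for number, sub in enumerate(ipaddress.ip_network(parent).subnets(new_prefix=new_prefix)):
        rows.append({"subnet": number,
                     "network": f"{sub.network_address}/{sub.prefixlen}",
                     "first_host": str(sub[1]), "last_host": str(sub[-2]),
                     "broadcast": str(sub.broadcast_address)})
    return rows


if __name__ == "__main__":
    for key, value in subnet_facts("192.168.1.75/26").items():
        print(f"{key:>16}: {value}")
    for row in enumerate_subnets("192.168.1.0/24", 26):
        print(f"Subnet {row['subnet']}: {row['network']:<18} hosts {row['first_host']} to "
              f"{row['last_host']}  broadcast {row['broadcast']}")
```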

4.2.4 Variable Length Subnet Masks (VLSM) Page 1: Basic subnetting is sufficient for smaller networks but does not provide the flexibility needed in larger enterprise networks. Variable Length Subnet Masks (VLSM) provide for efficient use of address space. VLSM also allows for hierarchical IP addressing, which allows routers to take advantage of route summarization. Route summarization reduces the size of routing tables in distribution and core routers. Smaller routing tables require less CPU time for routing lookups.

VLSM is the concept of subnetting a subnet. It was initially developed to maximize addressing efficiency. With the advent of private addressing, the primary advantage of VLSM now is organization and summarization.

Not all routing protocols support VLSM. Classful routing protocols, such as RIPv1, do not include a subnet mask field with a routing update. A router with a subnet mask assigned to its interface assumes that all packets within that same class have the same subnet mask assigned. Classless routing protocols support the use of VLSM because the subnet mask is sent with all routing update packets. Classless routing protocols include RIPv2, EIGRP, and OSPF.

Benefits of VLSM:
• Allows efficient use of address space
• Allows the use of multiple subnet mask lengths
• Breaks up an address block into smaller blocks
• Allows for route summarization
• Provides more flexibility in network design
• Supports hierarchical enterprise networks

4.2.4 - Variable Length Subnet Masks (VLSM)
The diagram depicts the use of VLSM to break up a subnet into smaller portions for use on serial links. There are four routers, R1, R2, R3, and R4. R1 is connected to R2 via serial link (Subnet Address: 192.168.20.192 /30). R2 is connected to R3 via serial link (Subnet Address: 192.168.20.196 /30). R3 is connected to R4 via serial link (Subnet Address: 192.168.20.200 /30).

LAN network addresses
R1 network address: 192.168.20.0 /27
R2 network address: 192.168.20.32 /27
R3 network address: 192.168.20.64 /27
R4 network address: 192.168.20.96 /27

The following tables give a list of available subnets, and a list of variable length subnets for the above network.

Subnets of 192.168.20.0
Subnet Number: 0  Subnet Address: 192.168.20.0 /27
Subnet Number: 1  Subnet Address: 192.168.20.32 /27
Subnet Number: 2  Subnet Address: 192.168.20.64 /27
Subnet Number: 3  Subnet Address: 192.168.20.96 /27
Subnet Number: 4  Subnet Address: 192.168.20.128 /27
Subnet Number: 5  Subnet Address: 192.168.20.160 /27
Subnet Number: 6  Subnet Address: 192.168.20.192 /27
Subnet Number: 7  Subnet Address: 192.168.20.224 /27

Subnets of 192.168.20.192
Subnet Number: 0  Subnet Address: 192.168.20.192 /30
Subnet Number: 1  Subnet Address: 192.168.20.196 /30
Subnet Number: 2  Subnet Address: 192.168.20.200 /30
Subnet Number: 3  Subnet Address: 192.168.20.204 /30
Subnet Number: 4  Subnet Address: 192.168.20.208 /30
Subnet Number: 5  Subnet Address: 192.168.20.212 /30
Subnet Number: 6  Subnet Address: 192.168.20.216 /30
Subnet Number: 7  Subnet Address: 192.168.20.220 /30

Page 2: VLSM allows the use of different masks for each subnet. After a network address is subnetted, further division of those subnets creates sub-subnets.

For example, network 10.0.0.0/8 with a subnet mask of /16 subdivides into 256 subnets, each capable of addressing 16,382 hosts: 10.0.0.0/16, 10.1.0.0/16, up to 10.255.0.0/16.

Applying a subnet mask of /24 to any one of these /16 subnets, such as 10.1.0.0/16, results in a subdivision of 256 subnets. Each one of these new subnets is capable of addressing 254 hosts: 10.1.0.0/24, 10.1.1.0/24, up to 10.1.255.0/24.

Applying a subnet mask of /28 to any one of these /24 subnets, such as 10.1.3.0/24, results in a subdivision of 16 subnets. Each one of these new subnets is capable of addressing 14 hosts: 10.1.3.0/28, 10.1.3.16/28, 10.1.3.32/28, up to 10.1.3.240/28.

4.2.4 - Variable Length Subnet Masks (VLSM)
The diagram depicts three steps, which show how to apply VLSM to a network given the IP address 10.0.0.0 /8.

Step 1: 10.0.0.0 /8 has been subnetted using the subnet mask /16. There are five routers labeled R1, R2, R3, R4, and R5, which have been connected in a star topology. R1 is in the middle of the topology and is connected to R2, R3, R4, and R5.
R2 network address: 10.1.0.0 /16
R3 network address: 10.2.0.0 /16
R4 network address: 10.3.0.0 /16
R5 network address: 10.4.0.0 /16

Step 2: Any of the /16 subnets can be subnetted further. In this example, 10.3.0.0 /16 has been subnetted using the /24 mask. There are seven routers labeled R1, R2, R3, R4, R5, R6, and R7, and three switches labeled S1, S2, and S3. R1 through R5 appear the same as in the previous star topology. R4 is connected to S1. S1 is connected to R6 and R7. R6 is connected to S2. R7 is connected to S3.
R2 network address: 10.1.0.0 /16
R3 network address: 10.2.0.0 /16
R4 network address: 10.3.0.0 /16
R5 network address: 10.4.0.0 /16
R6 network address: 10.3.1.0 /24
R7 network address: 10.3.2.0 /24

Step 3: In this example, 10.3.2.0 /24 has been subnetted using the /28 mask. There are eight routers labeled R1 through R8, and six switches labeled S1, S2, S3, S4, S5, and S6. R1 is connected to R2, R3, R4, and R5. R4 is connected to S1. S1 is connected to R6 and R7. R6 is connected to S2. R7 is connected to S3 and S4. S4 is connected to R8. R8 is connected to S5 and S6.
R2 network address: 10.1.0.0 /16
R3 network address: 10.2.0.0 /16
R4 network address: 10.3.0.0 /16
R5 network address: 10.4.0.0 /16
R6 network address: 10.3.1.0 /24
R7 network address: 10.3.2.0 /24
S3 network address: 10.3.2.16 /28
S4 network address: 10.3.2.32 /28
S5 network address: 10.3.2.48 /28
S6 network address: 10.3.2.64 /28

Page 3:
4.2.4 - Variable Length Subnet Masks (VLSM)
The diagram depicts an activity in which you must determine the slash format of the subnet mask necessary to accommodate the required number of hosts.
Number of Hosts: A. 25  B. 100  C. 1000  D. 5  E. 45  F. 400  G. 12  H. 2
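"Subnetting a subnet" in code, as an added Python example (not the course's own tool; the function names are mine). sub_subnet reproduces the two tables in the serial-link diagram, splitting 192.168.20.0/24 into /27 LAN blocks and then one of those /27s into /30 link blocks. descend goes a step beyond the text: it walks any chain of prefix lengths, such as the course's 10.0.0.0/8 to /16 to /24 to /28, recording how many subnets each level creates and which one is carried into the next level.

```python
# Added example (not from the course): "subnetting a subnet". One /27 of
# 192.168.20.0/24 is cut again into /30 blocks for the serial links, which
# reproduces the two tables in the course diagram; descend() handles the
# course's 10.0.0.0/8 -> /16 -> /24 -> /28 chain in the same way.
import ipaddress


def sub_subnet(parent: str, new_prefix: int) -> list:
    """Numbered subnets of parent at new_prefix, as 'address/length' strings."""
    net = ipaddress.ip_network(parent)
    if new_prefix <= net.prefixlen:
        raise ValueError("the new prefix must be longer than the parent's prefix")
    return [f"{s.network_address}/{s.prefixlen}" for s in net.subnets(new_prefix=new_prefix)]


def descend(parent: str, steps) -> list:
    """Walk a chain of (new_prefix, index) steps. At each level the parent is
    divided at new_prefix and the subnet at position index becomes the next
    parent; the returned levels record the subnet count and usable hosts."""
    levels, current = [], parent
    for new_prefix, index in steps:
        subs = sub_subnet(current, new_prefix)
        chosen = subs[index]
        levels.append({"parent": current, "new_prefix": new_prefix, "count": len(subs),
                       "usable_hosts": 2 ** (32 - new_prefix) - 2, "chosen": chosen})
        current = chosen
    return levels


if __name__ == "__main__":
    # The serial-link diagram: /27 LAN blocks, then subnet 6 (.192) split into /30s.
    lans = sub_subnet("192.168.20.0/24", 27)
    for number, s in enumerate(lans):
        print(f"Subnet {number}: {s}")
    for number, s in enumerate(sub_subnet(lans[6], 30)):
        print(f"Link subnet {number}: {s}")
    # The 10.0.0.0/8 chain: take 10.1.0.0/16, then 10.1.3.0/24, then its first /28.
    for level in descend("10.0.0.0/8", [(16, 1), (24, 3), (28, 0)]):
        print(f"{level['parent']} -> /{level['new_prefix']}: {level['count']} subnets, "
              f"{level['usable_hosts']} usable hosts each, next: {level['chosen']}")
```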

4.2.5 Implementing VLSM Addressing Page 1: Designing an IP addressing scheme with VLSM takes practice and planning. As a practice example, a network has the following requirements:
• Atlanta HQ = 58 host addresses
• Perth HQ = 26 host addresses
• Sydney HQ = 10 host addresses
• Corpus HQ = 10 host addresses
• WAN links = 2 host addresses (each)

A subnet of /26 is required to accommodate the largest network segment of 58 hosts, but creates only four subnets. This is not enough to address each of the required seven LAN/WAN segments. Using a basic subnetting scheme is not only wasteful, it does not provide enough subnets. A VLSM addressing scheme resolves this problem.

4.2.5 - Implementing VLSM Addressing
The diagram depicts WAN links and network addressing inefficiencies. The network has not had a VLSM addressing scheme applied. There are four routers, labeled Atlanta HQ, Perth HQ, Sydney HQ, and Corpus HQ. There are four switches, labeled S1, S2, S3, and S4, each with three hosts attached. Atlanta HQ is connected to S1. Sydney HQ is attached to S2. Perth HQ is attached to S3. Corpus HQ is attached to S4. Atlanta HQ is connected to Sydney HQ via serial link. Sydney HQ is attached to Perth HQ via serial link. Sydney HQ is attached to Corpus HQ via serial link. A table with the headers Headquarters, Actual Requirements, and Total Wasted Addresses is also included in the diagram.

Network Inefficiencies Table Contents
Headquarters: Atlanta HQ   Actual Requirements: 58 host addresses          Total Wasted Addresses: 4 addresses
Headquarters: Perth HQ     Actual Requirements: 26 host addresses          Total Wasted Addresses: 36 addresses
Headquarters: Sydney HQ    Actual Requirements: 10 host addresses          Total Wasted Addresses: 52 addresses
Headquarters: Corpus HQ    Actual Requirements: 10 host addresses          Total Wasted Addresses: 52 addresses
Headquarters: WAN Links    Actual Requirements: 2 host addresses (each)    Total Wasted Addresses: 60 addresses

Page 2: When implementing a VLSM subnetting scheme, always allow for some growth in the number of hosts when planning subnet requirements.

4.2.5 - Implementing VLSM Addressing
The diagram depicts five steps that are used to calculate and apply a VLSM addressing scheme.

Step 1: List the network requirements from largest to smallest.
Name/Required addresses: Atlanta HQ - 58
Name/Required addresses: Perth HQ - 28
Name/Required addresses: Sydney HQ - 10
Name/Required addresses: Corpus HQ - 10
Name/Required addresses: WAN 1 - 2
Name/Required addresses: WAN 2 - 2
Name/Required addresses: WAN 3 - 2

Step 2: The largest LAN, Atlanta HQ, requires 58 hosts. Borrow 2 bits to use /26. This creates four subnets: 192.168.15.0, 192.168.15.64, 192.168.15.128, and 192.168.15.192.
Atlanta HQ - 58: Subnet address: 192.168.15.0  Address range: .1 to .62  Broadcast address: .63  Network/Prefix: 192.168.15.0 /26

Step 3: Perth HQ LAN requires 28 host addresses. Use the next available address of 192.168.15.64 /26. Borrow one more bit to create an address block of /27. This creates two subnets: 192.168.15.64 and 192.168.15.96. Use 192.168.15.64 /27 for Perth HQ.
Atlanta HQ - 58: Subnet address: 192.168.15.0   Address range: .1 to .62   Broadcast address: .63  Network/Prefix: 192.168.15.0 /26
Perth HQ - 28:   Subnet address: 192.168.15.64  Address range: .65 to .94  Broadcast address: .95  Network/Prefix: 192.168.15.64 /27

Step 4: Sydney HQ and Corpus HQ LANs require ten host addresses each. Use the next available address of 192.168.15.96 /27. Borrow another bit to extend the mask to /28. This creates two subnets: 192.168.15.96 and 192.168.15.112. Use both subnets, one for Sydney HQ, one for Corpus HQ.
Atlanta HQ - 58: Subnet address: 192.168.15.0    Address range: .1 to .62      Broadcast address: .63   Network/Prefix: 192.168.15.0 /26
Perth HQ - 28:   Subnet address: 192.168.15.64   Address range: .65 to .94     Broadcast address: .95   Network/Prefix: 192.168.15.64 /27
Sydney HQ - 10:  Subnet address: 192.168.15.96   Address range: .97 to .110    Broadcast address: .111  Network/Prefix: 192.168.15.96 /28
Corpus HQ - 10:  Subnet address: 192.168.15.112  Address range: .113 to .126   Broadcast address: .127  Network/Prefix: 192.168.15.112 /28

Step 5: Three point-to-point WAN links require two addresses each. Use the next available address 192.168.15.128 /28. Borrow 2 more bits with a /30 mask. This creates three subnets: 192.168.15.128, 192.168.15.132, and 192.168.15.136. Use all three subnets, one for each WAN.
Atlanta HQ - 58: Subnet address: 192.168.15.0    Address range: .1 to .62      Broadcast address: .63   Network/Prefix: 192.168.15.0 /26
Perth HQ - 28:   Subnet address: 192.168.15.64   Address range: .65 to .94     Broadcast address: .95   Network/Prefix: 192.168.15.64 /27
Sydney HQ - 10:  Subnet address: 192.168.15.96   Address range: .97 to .110    Broadcast address: .111  Network/Prefix: 192.168.15.96 /28
Corpus HQ - 10:  Subnet address: 192.168.15.112  Address range: .113 to .126   Broadcast address: .127  Network/Prefix: 192.168.15.112 /28
WAN 1 - 2:       Subnet address: 192.168.15.128  Address range: .129 to .130   Broadcast address: .131  Network/Prefix: 192.168.15.128 /30
WAN 2 - 2:       Subnet address: 192.168.15.132  Address range: .133 to .134   Broadcast address: .135  Network/Prefix: 192.168.15.132 /30
WAN 3 - 2:       Subnet address: 192.168.15.136  Address range: .137 to .138   Broadcast address: .139  Network/Prefix: 192.168.15.136 /30
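The five-step procedure as a largest-first allocator, written as an added Python example (this is not the course's own tool; the function names are mine and the requirement figures are the ones in the steps above). It sizes each segment with the 2^n - 2 rule, hands out the lowest free block that fits, returns the remainder to the pool, and reproduces the Atlanta/Perth/Sydney/Corpus plan exactly; fixed_mask_waste recomputes the "wasted addresses" column from page 1 for the rejected all-/26 scheme, and overlaps is the check a practitioner wants before the plan is configured, since two overlapping subnets on different routers produce silent misrouting rather than an error.

```python
# Added example (not the course's own tool): a largest-first VLSM allocator that
# reproduces the five-step plan for the Atlanta/Perth/Sydney/Corpus network, the
# "wasted addresses" figure for the fixed /26 scheme the course rejects, and an
# overlap check on the finished plan.
import ipaddress
import math


def prefix_for(hosts: int) -> int:
    """Shortest prefix whose usable host count (2^n - 2) covers the requirement."""
    if hosts < 1:
        raise ValueError("a segment needs at least one host address")
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))   # +2 for network and broadcast
    return 32 - host_bits


def allocate_vlsm(block: str, requirements: dict) -> list:
    """Assign subnets from block, largest requirement first, each at its own prefix."""
    pool = [ipaddress.ip_network(block)]
    plan = []
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        need = prefix_for(hosts)
        # take the lowest-addressed free piece large enough to hold a /need
        pool.sort(key=lambda n: (int(n.network_address), n.prefixlen))
        piece = next((n for n in pool if n.prefixlen <= need), None)
        if piece is None:
            raise ValueError(f"address block exhausted at {name}")
        pool.remove(piece)
        sub = next(iter(piece.subnets(new_prefix=need)))    # first /need inside the piece
        pool.extend(piece.address_exclude(sub))             # hand the remainder back
        plan.append({"name": name, "required": hosts, "network": str(sub),
                     "first": str(sub[1]), "last": str(sub[-2]),
                     "broadcast": str(sub.broadcast_address),
                     "usable": sub.num_addresses - 2})
    return plan


def fixed_mask_waste(prefix: int, requirements: dict) -> dict:
    """Unused addresses per segment when every segment gets the same mask."""
    usable = 2 ** (32 - prefix) - 2
    return {name: usable - hosts for name, hosts in requirements.items()}


def overlaps(plan: list) -> list:
    """Pairs of assigned subnets that overlap; an empty list means the plan is sound."""
    nets = [ipaddress.ip_network(p["network"]) for p in plan]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


# Requirements from the course's five steps (Perth is listed as 28 there).
STEP_REQUIREMENTS = {"Atlanta HQ": 58, "Perth HQ": 28, "Sydney HQ": 10, "Corpus HQ": 10,
                     "WAN 1": 2, "WAN 2": 2, "WAN 3": 2}
# Requirements from the course's page 1 table (Perth is listed as 26 there).
PAGE1_REQUIREMENTS = {"Atlanta HQ": 58, "Perth HQ": 26, "Sydney HQ": 10, "Corpus HQ": 10, "WAN link": 2}

if __name__ == "__main__":
    plan = allocate_vlsm("192.168.15.0/24", STEP_REQUIREMENTS)
    for p in plan:
        print(f"{p['name']:<10} needs {p['required']:>2}  {p['network']:<19} "
              f"{p['first']} to {p['last']}  broadcast {p['broadcast']}  usable {p['usable']}")
    print("overlaps:", overlaps(plan))
    print("wasted with a flat /26:", fixed_mask_waste(26, PAGE1_REQUIREMENTS))
```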

Page 3: Multiple tools exist to assist with address planning.

VLSM Chart
One method uses a VLSM chart to identify which blocks of addresses are available and which ones are already assigned.

VLSM Circle
Another method uses a circle approach. The circle is cut into increasingly smaller segments, representing the smaller subnets.

These methods prevent assigning addresses that are already allocated. They also help to avoid assigning address ranges that overlap.

4.2.5 - Implementing VLSM Addressing
The diagram depicts a pie chart divided into six different pieces, labeled P1 through P6, representing the network address 192.168.1.0 /24 broken into six variable length subnets.
P1 Network Address: 192.168.1.0 /25    Hosts: 126  Range: .1 to .127
P2 Network Address: 192.168.1.128 /26  Hosts: 62   Range: .129 to .191
P3 Network Address: 192.168.1.192 /28  Hosts: 14   Range: .193 to .207
P4 Network Address: 192.168.1.208 /28  Hosts: 14   Range: .209 to .223
P5 Network Address: 192.168.1.224 /30  Hosts: 2    Range: .225 to .227
P6 Network Address: Unused

Page 4:
4.2.5 - Implementing VLSM Addressing
The diagram depicts an activity in which you must create an addressing scheme for the given requirements in each of the following three scenarios. In each scenario the first subnet is given, and subnets 2 through 6 must be sized to their stated host requirements.

Scenario One
IP Address: 172.16.33.0 /24
Subnet 1 (given): /Slash: /27  # of hosts: 30  Subnet: 172.16.33.0  Host Range: .1 to .30  Broadcast: .31  Host Requirements: 25

Scenario Two
IP Address: 192.168.19.0 /24
Subnet 1 (given): /Slash: /26  # of hosts: 62  Subnet: 192.168.19.0  Host Range: .1 to .62  Broadcast: .63  Host Requirements: 60

Scenario Three
IP Address: 10.5.x.0 /24
Subnet 1 (given): /Slash: /25  # of hosts: 126  Subnet: 10.5.x.0  Host Range: .1 to .126  Broadcast: .127  Host Requirements: 100

Page 5: Lab Activity
Use VLSM to provide the IP addressing for a given topology. Click the lab icon to begin.

4.2.5 - Implementing VLSM Addressing
Link to Hands-on Lab: Calculating a VLSM Addressing Scheme. Use VLSM to provide the IP addressing for a given topology.

4.3 Using Classless Routing and CIDR
4.3.1 Classful and Classless Routing Page 1: Technology such as VLSM enables the classful IPv4 addressing system to evolve into a classless system. Classless addressing has made the exponential growth of the Internet possible.

Classful addresses consist of the three major classes of IP addresses and an associated default subnet mask:
• Class A (255.0.0.0 or /8)
• Class B (255.255.0.0 or /16)
• Class C (255.255.255.0 or /24)

A company with a Class A network address has over 16 million host addresses available, with a Class B network address, over 65,000 hosts, and with a Class C, only 254 hosts. Since there is a limited number of Class A and Class B addresses in circulation, many companies purchased multiple Class C addresses in order to obtain enough addresses to satisfy their network requirements. As a result, purchasing multiple Class C addresses has used up the Class C address space more quickly than originally planned.

4.3.1 - Classful and Classless Routing
The diagram depicts two separate tables describing the number of networks and hosts per network for each class.

Table 1
Address Class: Class A  First Octet: Network  Second Octet: Host     Third Octet: Host     Fourth Octet: Host
Address Class: Class B  First Octet: Network  Second Octet: Network  Third Octet: Host     Fourth Octet: Host
Address Class: Class C  First Octet: Network  Second Octet: Network  Third Octet: Network  Fourth Octet: Host

Table 2
Address Class: Class A  First Octet Range: 0 to 127    Subnet Mask: 255.0.0.0 or /8       Number of Possible Networks: 128 (2 are reserved)  Number of Hosts per Network: 16,777,214
Address Class: Class B  First Octet Range: 128 to 191  Subnet Mask: 255.255.0.0 or /16    Number of Possible Networks: 16,384                Number of Hosts per Network: 65,534
Address Class: Class C  First Octet Range: 192 to 223  Subnet Mask: 255.255.255.0 or /24  Number of Possible Networks: 2,097,152             Number of Hosts per Network: 254

Page 2: In classful IP addresses, the value of the first octet, or the first three bits, determines whether the major network is a Class A, B, or C. Each major network has a default subnet mask of 255.0.0.0, 255.255.0.0, or 255.255.255.0 respectively. Classful routing protocols, such as RIPv1, do not include the subnet mask in routing updates. Since the subnet mask is not included, the receiving router makes certain assumptions.

Using a classful protocol, if a router sends an update about a subnetted network, such as 172.16.1.0/24, to a router whose connecting interface is on the same major network as that in the update, such as 172.16.2.0/24, then:
• The sending router advertises the full network address but without a subnet mask.
• The receiving router, with a configured interface of 172.16.2.0 /24, adopts the subnet mask of the configured interface and applies it to the advertised network. In this case, the network address is 172.16.1.0 /24.

If the router sends an update about a subnetted network, such as 172.16.1.0/24, to a router whose connecting interface is in a different major network, such as 192.168.1.0/24, then:
• The sending router advertises the major classful network address only, not the subnetted address. In this case, the address advertised is 172.16.0.0.
• The receiving router assumes the default subnet mask for this network. The default subnet mask for a Class B address is 255.255.0.0. Therefore, in the example, the receiving router assumes the subnet mask of 255.255.0.0 applies to the 172.16.0.0 network.

4.3.1 - Classful and Classless Routing
The diagram depicts classful routing updates between two routers. Router R1 is connected via Fa0/0 to a switch on the network 172.16.1.0 /24. R1 is connected from its S0/0/0 port via serial connection to the S0/0/0 port of the router R2. The network address of the serial connection is 172.16.2.0 /24. R2 is connected via Fa0/0 to a switch on the network 172.16.3.0 /24. R2 is connected from its S0/0/1 port via serial connection to the S0/0/1 port of the router R3. The network address of the serial connection is 192.168.1.0 /24. R3 is connected via Fa0/0 to a switch on the network 10.1.1.0 /24. When R1 sends an update to R2, R2 applies its serial 0/0/0 /24 mask to the 172.16.1.0 routing updates from R1. When R2 sends an update to R3, R3 applies the classful /16 mask to the 172.16.0.0 routing update from R2.

Page 3: With the rapid depletion of IPv4 addresses, the Internet Engineering Task Force (IETF) developed Classless Inter-Domain Routing (CIDR). CIDR uses IPv4 address space more efficiently and for network address aggregation or summarizing, which reduces the size of routing tables.

To CIDR-compliant routers, address class is meaningless. The network subnet mask determines the network portion of the address. This is also known as the network prefix, or prefix length. The class of the address no longer determines the network address.

ISPs assign blocks of IP addresses to a network based on the requirements of the customer, ranging from a few hosts to hundreds or thousands of hosts. With CIDR and VLSM, ISPs are no longer limited to using prefix lengths of /8, /16 or /24.

4.3.1 - Classful and Classless Routing
The diagram depicts an example of classless subnet masks used by two companies. Company 1 has 1000 employees. It is connected via a router (Company 1) which is connected to an ISP. Its network address is 172.16.20.0 /22 (1022 Hosts). Company 2 has 500 employees. It is connected via a router (Company 2) which is connected to the same ISP as Company 1. Its network address is 172.16.16.0 /23 (510 Hosts). The ISP network address is 172.16.0.0 /16 (65,534 Hosts).

Page 4: Classless routing protocols that can support VLSM and CIDR include interior gateway protocols (IGPs) RIPv2, EIGRP, OSPF, and IS-IS. ISPs also use exterior gateway protocols (EGPs) such as Border Gateway Protocol (BGP).

The use of CIDR requires a classless routing protocol, such as RIPv2 or EIGRP, or static routing. Classless routing protocols are necessary when the mask cannot be assumed or determined by the value of the first octet. The difference between the classful routing protocols and classless routing protocols is that the classless routing protocols include subnet mask information with the network address information in the routing updates.

In a classless protocol, if a router sends an update about a network, such as 172.16.1.0/24, to a router whose connecting interface is on the same major network as that in the update, such as 172.16.2.0/24, then:
• The sending router advertises all subnetworks with subnet mask information.

If the router sends an update about a subnetted network, such as 172.16.1.0/24, to a router whose connecting interface is in a different major network, such as 192.168.1.0/24, then:
• The sending router, R2, summarizes all of the subnets and advertises the major classful network along with the summarized subnet mask information, 172.16.0.0 /16.
• While most classless routing protocols enable summarization on the network boundary by default, the process of summarizing can be disabled. When summarization is disabled, the sending router advertises all subnetworks with subnet mask information.

4.3.1 - Classful and Classless Routing
The diagram depicts classless routing updates. Router R1 is connected via Fa0/0 to a switch on the network 172.16.1.0 /24 and via Fa0/1 to another switch with the network address 172.16.3.0 /24. R1 is connected from its S0/0/0 port via serial connection to the S0/0/0 port of the router R2. R2 is connected via Fa0/0 to a switch. R2 is connected from its S0/0/1 port via serial connection to the S0/0/1 port of the router R3. The network address of the serial connection is 192.168.1.0 /24. R3 is connected via Fa0/0 to a switch on the network 10.1.1.0 /24. R1 says: I must advertise out my route information, 172.16.1.0 /24 and 172.16.3.0 /24, and my 172.16.2.0 /24 route, and will send it to R2. When R2 receives the update, R2 sends a summary route to R3 with the 172.16.0.0 /22 information.

4.3.2 CIDR and Route Summarization Page 1: The rapid growth of the Internet has caused the number of routes to networks around the world to increase dramatically. This growth results in heavy loads on Internet routers. Route summarization, also known as route aggregation, groups contiguous subnets or networks using a single address, which reduces the number of routes advertised. Summarization occurs at a network boundary on a boundary router, so the process is often referred to as summarizing on a network boundary. Summarization decreases the number of entries in routing updates and lowers the number of entries in local routing tables. It also reduces bandwidth utilization for routing updates and results in faster routing table lookups. A VLSM addressing scheme allows for route summarization.

Route summarization is synonymous with the term supernetting. Supernetting joins multiple smaller contiguous networks together. Supernetting is the opposite of subnetting. Most classless routing protocols enable summarization on the network boundary by default, but the process of summarizing can be disabled; when summarization is disabled, the sending router advertises all subnetworks with subnet mask information.

4.3.1 - Classful and Classless Routing
The animation depicts an example of how a classless routing protocol is summarized when advertised to other networks. Router R1 is connected via Fa0/0 to a switch on the network 172.16.1.0/24 and via Fa0/1 to another switch with the network address 172.16.2.0/24. R1 is connected from its S0/0/0 port via a serial connection to the S0/0/0 port of router R2; the network address of the serial connection is 172.16.3.0/24. R2 is connected via Fa0/0 to a switch on another 172.16.0.0 subnet, and from its S0/0/1 port via a serial connection to the S0/0/1 port of router R3; the network address of that serial connection is 192.168.1.0/24. R3 is connected via Fa0/0 to a switch on a network in the 10.0.0.0 range.

R1 sends an update packet for all networks to which it is directly connected: 172.16.1.0/24, 172.16.2.0/24 and 172.16.3.0/24. R1 says: I must advertise out my route information, 172.16.1.0/24, 172.16.2.0/24 and my 172.16.3.0 route. When R2 receives the update, it says: I will summarize all routes from R1 and send the summary to R3. R2 sends a summary route to R3 with the 172.16.0.0/22 information.

Page 2: A border router advertises all of the known networks within an enterprise to the ISP. If every enterprise followed this pattern, the routing table of the ISP would be huge. Using route summarization, a router groups the networks together, if they are contiguous, and advertises them as one large group. For example, if there are eight different networks, without summarization the router would have to advertise all eight. This is like a company that has a single listing in the phone book for its main office, even though you can dial individual employee extensions directly: one summarized network address is sent rather than multiple individual network addresses.

It is easier to perform summarization if the addressing scheme is hierarchical. Assign similar networks to the same enterprise so that grouping them using CIDR is possible.

If the network bits are greater than the default value for that class, this represents a subnet. For a Class B address, any network prefix value greater than /16 is a subnet. An example is 172.16.0.0/26. If the network bits are less than the default value for the class, this represents a supernet. For a Class B address, any network prefix less than /16 represents a supernet. An example is 172.16.0.0/14.

4.3.2 - CIDR and Route Summarization
The diagram depicts route summarization between multiple networks. Two routers are connected to a third router, which connects to a fourth router within an ISP cloud. The networks connected to the first two routers are 192.168.4.0/24, 192.168.5.0/24, 192.168.6.0/24 and 192.168.7.0/24, and their links to the third router use further 192.168.0.0 subnets. The connection between the third and fourth routers carries the summary route 192.168.4.0/22.

4.3.2 - CIDR and Route Summarization
The diagram depicts an example of route summarization. Routers R1, R2 and R3 are each associated with contiguous /24 networks from the range 192.168.48.0 through 192.168.57.0. R1, R2 and R3 each connect to router R4 via a serial link, and R4 is connected to an ISP via a serial connection. When the networks associated with each router are advertised to the next-hop router, one summarized network address, 192.168.48.0/20, is sent rather than multiple individual network addresses.

Page 3: 4.3.2 - CIDR and Route Summarization
The diagram depicts an activity (items A through G) in which you must determine whether each IP address with its CIDR prefix is a subnet or a route summary, based on the address provided.

4.3.3 Calculating Route Summarization Page 1: To calculate a route summary requires summarizing networks into a single address. This process is performed in three steps.

Step 1: List the networks in binary format.
Step 2: Count the number of left-most matching bits to determine the mask for the summary route. This number represents the network prefix or subnet mask for the summarized route. An example is /14 or 255.252.0.0.
Step 3: Copy the matching bits and add zero bits to determine the network address.

For example:
192.168.4.0 = 11000000 10101000 000001 00 00000000
192.168.5.0 = 11000000 10101000 000001 01 00000000
192.168.6.0 = 11000000 10101000 000001 10 00000000
192.168.7.0 = 11000000 10101000 000001 11 00000000

All of these four networks have the first 22 bits in common: 192.168.4.0/22, or 192.168.4.0 255.255.252.0. These four networks are advertised as 192.168.4.0/22.
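The three steps above as an added example, not part of the course material: a Python function that writes each network in binary, counts the shared leading bits and pads with zeros. It also reports whether the summary covers only the listed networks, which is the check an administrator wants before advertising it (a summary that covers more than the listed networks is how a router ends up advertising a misleading network). The names dotted_binary and summarize are my own.

```python
import ipaddress
from typing import Iterable, Optional, Tuple


def dotted_binary(network: str) -> str:
    """Step 1 helper: the network address in dotted binary,
    e.g. 192.168.4.0/24 -> '11000000.10101000.00000100.00000000'."""
    addr = ipaddress.IPv4Network(network, strict=True).network_address
    return ".".join(f"{octet:08b}" for octet in addr.packed)


def summarize(networks: Iterable[str]) -> Optional[Tuple[str, bool]]:
    """Summarize IPv4 networks with the page's three steps.

    Returns (summary_in_cidr, exact), or None when the networks share no
    leading bits at all (there is nothing to summarize).  `exact` is True
    when the summary covers exactly the listed address space; False means
    the summary would also advertise addresses that are not in the list.
    Assumes the listed networks do not overlap each other.
    """
    nets = [ipaddress.IPv4Network(n, strict=True) for n in networks]
    if not nets:
        return None

    # Step 1: the binary form of each network address (a 32-bit integer)
    addrs = [int(n.network_address) for n in nets]

    # Step 2: count the left-most bits that every address has in common
    common = 0
    for bit in range(31, -1, -1):
        reference = addrs[0] & (1 << bit)
        if any((a & (1 << bit)) != reference for a in addrs):
            break
        common += 1
    # a summary can never be longer than the shortest prefix in the list
    common = min(common, min(n.prefixlen for n in nets))
    if common == 0:
        return None

    # Step 3: copy the matching bits and pad with zeros
    mask = (0xFFFFFFFF << (32 - common)) & 0xFFFFFFFF
    summary = ipaddress.IPv4Network((addrs[0] & mask, common))

    covered = sum(n.num_addresses for n in nets)
    return str(summary), covered == summary.num_addresses


if __name__ == "__main__":
    # the two worked examples from the page, plus a non-exact case
    for group in (["192.168.4.0/24", "192.168.5.0/24", "192.168.6.0/24", "192.168.7.0/24"],
                  ["172.20.0.0/16", "172.21.0.0/16", "172.22.0.0/16", "172.23.0.0/16"],
                  ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]):
        for n in group:
            print(f"{n:<18} {dotted_binary(n)}")
        print("summary:", summarize(group))
```

The third group shows why the page's "use the lowest network value" shortcut needs care: 192.168.1.0/24 through 192.168.3.0/24 summarize to 192.168.0.0/22, which also covers 192.168.0.0/24.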

4.3.3 - Calculating Route Summarization
The diagram depicts the steps in the summarization process.
Step 1: List the IP addresses you want to summarize.
172.20.0.0/16 = 10101100.00010100.00000000.00000000
172.21.0.0/16 = 10101100.00010101.00000000.00000000
172.22.0.0/16 = 10101100.00010110.00000000.00000000
172.23.0.0/16 = 10101100.00010111.00000000.00000000
Step 2: The first 14 bits of each of these addresses are the same. The number of matching bits equals 14.
Step 3: Determine the summarized network address. Copy the matching bits and then add 0 bits to the end: 172.20.0.0/14. A quicker method is to use the lowest network value with the mask found in Step 2.

If a contiguous hierarchical addressing scheme is not used, it may not be possible to summarize routes. If the network addresses do not have common bits from left to right, a summary mask cannot be applied.

Page 2: 4.3.3 - Calculating Route Summarization
The diagram depicts an activity in which you must select the best summary route for each of the contiguous address groups shown. Select the answer that represents a summarization of each group of networks.

Group 1: 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24
Which of the following addresses does Group 1 summarize to? (Choices a through d as shown in the activity.)

Group 2: 172.16.0.0/16, 172.17.0.0/16

Which of the following addresses does Group 2 summarize to? (Choices a through d, with /15 and /17 prefixes, as shown in the activity.)

Group 3: 10.5.3.0/27, 10.5.3.32/27, 10.5.3.64/27, 10.5.3.96/27, 10.5.3.128/27, 10.5.3.160/27, 10.5.3.192/27, 10.5.3.224/27
Which of the following addresses does Group 3 summarize to? a. 10.5.3.0/28 b. 10.5.3.0/25 c. 10.5.3.0/24 d. 10.5.3.0/26

Page 3: Lab Activity
Determine summarized routes to reduce the number of entries in routing tables. Click the lab icon to begin.
4.3.3 - Calculating Route Summarization
Link to Hands-on Lab: Calculating Route Summarization. Determine summarized routes to reduce the number of entries in routing tables.

4.3.4 Discontiguous Subnets Page 1: Either an administrator configures route summarization manually, or certain routing protocols perform the same function automatically. RIPv1 and EIGRP are examples of routing protocols that perform automatic summarization. It is important to control the summarization so that routers do not advertise misleading networks.

Suppose that three routers each connect to Ethernet interfaces with addresses using subnets from a Class C network, such as 192.168.3.0/24. The three routers also connect to each other via serial interfaces configured using another major network, such as 172.16.0.0. Classful routing results in each router advertising the major Class C network without a subnet mask, although the subnets are separated on several network segments. This scenario is called a discontiguous network. As a result, the middle router receives advertisements about the same network from two different directions. Discontiguous networks cause unreliable or suboptimal routing.

4.3.4 - Discontiguous Subnets
The diagram depicts an example of a discontiguous network. Router R1 is connected via Fa0/1 to switch S1 on the network 192.168.3.0/26. Router R2 is connected via Fa0/0 to switch S2 on the network 192.168.3.64/26. Router R3 is connected via Fa0/1 to switch S3 on the network 192.168.3.128/26, and via Fa0/0 to switch S4. R1 is connected from its S0/0/0 port to the S0/0/0 port of R2; the network address of the serial connection is 172.16.100.4/30. R2 is connected from its S0/0/1 port to the S0/0/1 port of R3; the network address of the serial connection is 172.16.100.8/30.

Page 2: Even after careful planning, it is still possible to have a situation in which a discontiguous network exists. The following traffic and routing patterns help to identify this situation:
• One router does not have any routes to the LANs attached to another router, even though it is configured to advertise them.
• A middle router has two equal-cost paths to a major network.
• A middle router is load balancing traffic destined for any subnet of a major network.
• A router appears to be receiving only half of the traffic.

To avoid this condition, an administrator can:
• Modify the addressing scheme, if possible
• Use a classless routing protocol, such as RIPv2 or OSPF
• Turn automatic summarization off
• Manually summarize at the classful boundary

4.3.4 - Discontiguous Subnets
The animation depicts the effects of discontiguous networks. Router R1 is connected from its S0/0 port, which is addressed 172.16.100.5, via a serial connection to the S0/0 port of router R2.

The network address of the serial connection between R1 and R2 is 172.16.100.4/30. R2 is connected from its S0/1 port via a serial connection to the S0/1 port of router R3; the network address of that serial connection is 172.16.100.8/30. R1 is connected via Fa0/1 to a switch on the network 192.168.3.0/26. R2 is connected via Fa0/0 to a switch on the network 192.168.3.64/26. R3 is connected via Fa0/0 to a switch on a further network and via Fa0/1 to a switch on the network 192.168.3.128/26. There is a host, H1, connected to the switch that is connected to R2. There is also a host, H2, connected to the switch that comes from the Fa0/1 port of R3; its address is 192.168.3.130.

R2 Routing Table
Gateway of last resort is not set
172.16.0.0/30 is subnetted, 2 subnets
C 172.16.100.4 is directly connected, Serial0/0
C 172.16.100.8 is directly connected, Serial0/1
C 192.168.3.64/26 is directly connected, FastEthernet0/0
R 192.168.3.0/24 [120/1] via 172.16.100.5, 00:00:05, Serial0/0
                 [120/1] via 172.16.100.10, 00:00:18, Serial0/1

H1 says: I am sending a message to 192.168.3.130. H1 sends out its packets, which are propagated through the network and dropped at R1, but forwarded by R3 to H2 on the 192.168.3.128/26 network.

Page 3: Lab Activity
Configure a LAN with discontiguous networks to view the results. Click the lab icon to begin.
4.3.4 - Discontiguous Subnets
Link to Hands-on Lab: Configuring a LAN with Discontiguous Subnets. Configure a LAN with discontiguous networks to view the results.

4.3.5 Subnetting and Addressing Best Practices Page 1: Properly implementing a VLSM addressing scheme is essential for creating a hierarchical network. When creating a VLSM addressing scheme, follow these basic guidelines:

• Use newer routing protocols that support VLSM and discontiguous subnets.
• Use the same routing protocol throughout the network.
• Disable auto-summarization if necessary.
• Avoid discontiguous subnets where possible.
• Plan for summarization using hierarchical network design and contiguous addressing design.
• Use VLSM to maximize address efficiency.
• Assign VLSM ranges based on requirements, from the largest to the smallest.
• Allow for future growth when planning for the number of subnets and hosts supported.
• Use /30 ranges for WAN links.
• Avoid intermixing private network address ranges in the same internetwork.
• Keep the router IOS up to date to support the use of subnet zero.
• Summarize at network boundaries.

4.3.5 - Subnetting and Addressing Best Practices
The diagram depicts an example of a hierarchical addressing scheme created using best practices. The core router is connected to four routers with /16 networks. These then connect to complex networks using the best-practice hierarchical addressing schemes:
Router 10.1.0.0/16 is connected to /24 networks (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, ...).
Router 10.2.0.0/16 is connected to /24 networks (10.2.1.0/24, 10.2.2.0/24, ...).
Router 10.3.0.0/16 is connected to /20 networks (10.3.16.0/20, 10.3.32.0/20, 10.3.48.0/20, ...).
Router 10.4.0.0/16 is connected to /28 networks (subnets ending .16/28, .32/28, .48/28 and .64/28).

4.4 Using NAT and PAT
4.4.1 Private IP Address Space Page 1:

In addition to VLSM and CIDR, the use of private addressing and Network Address Translation (NAT) further improved the scalability of the IPv4 address space. RFC 1918 governs the use of the private address space.
• Class A: 10.0.0.0 - 10.255.255.255
• Class B: 172.16.0.0 - 172.31.255.255
• Class C: 192.168.0.0 - 192.168.255.255

Using private addressing has these benefits:
• It alleviates the high cost associated with the purchase of public addresses for each host.
• It allows thousands of internal employees to use a few public addresses.
• It provides a level of security, because users from other networks or organizations cannot see the internal addresses.

Private addresses are available for anyone to use in their enterprise networks because private addresses route internally; therefore, they never appear on the Internet.

4.4.1 - Private IP Address Space
The diagram depicts the use of private network addressing for Classes A, B, and C. Three network clouds each have a dedicated router. Each edge router is connected to one of three other routers that form the Internet cloud. The first cloud has a switch and three computers connected; it uses 192.168.0.0 Class C private network addresses. The second cloud has three switches and 10 computers connected; it uses 10.0.0.0 Class A private network addresses. The third cloud has two switches and seven computers connected; it uses 172.16.0.0 Class B private network addresses.

Page 2: When implementing a private addressing scheme for the internal network, apply the same hierarchical design principles that are associated with VLSM. Although private addresses are not routed on the Internet, they are frequently routed in the internal network. Problems associated with discontiguous networks still occur when using private addresses, so carefully design the addressing scheme.

Be sure that the addresses are properly distributed according to the concepts of VLSM. Also, use valid boundaries and hierarchical IP addressing best practices for effective use of address summarization.

4.4.1 - Private IP Address Space
The diagram depicts the use of private addresses with VLSM, showing four routers connected in a star topology. R1 is directly connected to a network cloud in the 10.0.0.0/8 block. R1 is connected to R2, R3 and R4 on three separate /16 networks within 10.0.0.0/8.

Page 3: 4.4.1 - Private IP Address Space
The diagram depicts an activity (addresses A through G) in which you must determine whether each IP address is public or private.

4.4.2 NAT at the Enterprise Edge Page 1: Many organizations want the benefits of private addressing while connecting to the Internet. Organizations create huge LANs and WANs with private addressing and connect to the Internet using Network Address Translation (NAT). NAT translates internal private addresses into one or more public addresses for routing onto the Internet.

Small to medium organizations connect to their ISPs through a single connection. The local boundary router configured with NAT connects to the ISP. Larger organizations may have multiple ISP connections, and the boundary router at each of these locations performs NAT.

NAT changes the private IP source address inside each packet to a publicly registered IP address before sending it out onto the Internet. Using NAT on boundary routers improves security. This hides the actual address of hosts and servers in the enterprise. Internal private addresses translate to different public addresses each time. Most routers that

implement NAT also block packets coming from outside the private network unless they are a response to a request from an inside host.

The public address assigned to the organization is called the inside global address. The address that one internal host uses to connect to another internal host is the inside local address. The NAT router manages the translations between the inside local addresses and the inside global addresses by maintaining a table that lists each address pair. The inside global address is sometimes used as the address of the external interface of the border router.

4.4.2 - NAT at the Enterprise Edge
The diagram depicts the configuration of NAT at the border router connected to the ISP router. R1 is the border router for this network. Connected to switch S1 are two computers, labeled H1 and H3. H1 is the source; it has a private address on the 192.168.1.0 network, which is part of the inside local addressing scheme. After translation, the address of H1 becomes the public address 209.165.202.106, which is part of the inside global addressing scheme. R1 is connected via a serial link to the ISP router (cloud). On the other side of the cloud is the destination, H2, whose network is part of the outside global addressing scheme.

4.4.3 Static and Dynamic NAT Page 1: NAT can be configured statically or dynamically. Static NAT maps a single inside local address to a single global, or public, address. This mapping ensures that a particular inside local address always associates with the same public address. Static NAT ensures that outside devices consistently reach an internal device. Examples include Web and FTP servers accessible to the public.

Dynamic NAT uses an available pool of Internet public addresses and assigns them to inside local addresses. Dynamic NAT assigns the first available IP address in the pool of public addresses to an inside device. That host uses the assigned global IP address throughout the length of the session. Once the session ends, the outside global address returns to the pool for use by another host.

4.4.3 - Static and Dynamic NAT
The animation depicts the addressing configuration using two processes, Static NAT and Dynamic NAT.

R1 has a switch directly connected. Two computers, H1 and H2, are connected to the switch; they have been configured with the private IP addresses 192.168.2.18 and 192.168.2.19 respectively. Also connected to R1 is the web server with the private IP address 192.168.2.200. Host H3, within a cloud, has been configured with a public IP address and connects via a serial link in the cloud to router R1.

In the Static NAT process, R1 maps the inside local address of the web server, 192.168.2.200, to the inside global address 209.165.202.130. H3 sends a message to R1 using its own public address as the source and the destination IP address 209.165.202.130, which is the inside global address on R1. R1 references its NAT table, sees that the inside global address 209.165.202.130 maps to the inside local address 192.168.2.200, and changes the destination IP to 192.168.2.200. The web server responds with the destination IP address of H3, the original requester, and a source address of its inside local address, 192.168.2.200. R1 references its NAT table and changes the inside local source IP address 192.168.2.200 to the inside global address 209.165.202.130. Static NAT is configured manually and remains permanently in the table.

In the Dynamic NAT process, H2 sends a message to R1 using the source IP address 192.168.2.19 and the destination IP address of H3. R1 maps the inside local address 192.168.2.19 to the public address 209.165.200.226, which is derived from its pool of public IPs, 209.165.200.224/27; this becomes the new source address. H3 responds to H2 using the inside global public IP 209.165.200.226. R1 references its NAT table and changes the destination IP to the inside local address 192.168.2.19. When H2 receives the response and the session is complete, the NAT entry is removed from the NAT table of R1.

Page 2: When configuring either static or dynamic NAT, the basic steps are as follows.

Configuring Static NAT
1. Determine which internal hosts require translation. List any servers that require a permanent outside address.
2. Determine the public IP address that outside users should use to access the inside device/server. Administrators tend to use addresses from either the beginning or end of the range for static NAT.
3. Determine which interfaces source the internal traffic; these will become the inside interfaces. Determine which interface sends traffic to the Internet; this will become the outside interface.
4. Map the inside, or private, address to the public address.
5. Configure the inside and outside interfaces.

Configuring Dynamic NAT
1. Determine which internal hosts require translation. Determine the range of public addresses available.

2. Create an access control list (ACL) to identify hosts that require translation.
3. Identify the pool of public IP addresses available for use, and link the access list with the address pool.
4. Assign interfaces as either inside or outside.

Static NAT maps a single private address to a specific public address. Dynamic NAT maps multiple private addresses to multiple public addresses. An important part of configuring dynamic NAT is the use of the standard access control list (ACL). The standard ACL is used to specify the range of hosts that require translation. This is done in the form of a permit or deny statement. The ACL can range from a single line to several permit and deny statements. The ACL can include an entire network, a subnet or just a specific host.

4.4.3 - Static and Dynamic NAT
The diagram depicts sample configurations of two scenarios, Static NAT and Dynamic NAT. In the static NAT scenario, a man is sitting at his desk in front of a computer. In the dynamic NAT scenario, a man is sitting at his desk in front of a computer.

Static NAT output:
R1# show running-config
(*** output omitted ***)
ip nat inside source static 172.31.232.14 209.165.202.130
interface fastethernet 0/0
 ip address 172.31.232.1 255.255.255.0
 ip nat inside
interface serial 0/0/0
 ip address 209.165.202.182 255.255.255.252
 ip nat outside

Dynamic NAT
R1# show running-config
(*** output omitted ***)
access-list 1 permit 172.31.232.0 0.0.0.255

ip nat pool pub-addr 209.165.202.131 209.165.202.140 netmask 255.255.255.224
ip nat inside source list 1 pool pub-addr
interface fastethernet 0/0
 ip address 172.31.232.1 255.255.255.0
 ip nat inside
interface serial 0/0/0
 ip address 209.165.202.182 255.255.255.252
 ip nat outside

Page 3: Lab Activity
Configure and verify static NAT. Click the lab icon to begin.
4.4.3 - Static and Dynamic NAT
Link to Hands-on Lab: Configuring and Verifying Static NAT. Configure and verify static NAT.

Page 4: Lab Activity
Configure and verify dynamic NAT. Click the lab icon to begin.
4.4.3 - Static and Dynamic NAT
Link to Hands-on Lab: Configuring and Verifying Dynamic NAT. Configure and verify dynamic NAT.

4.4.4 Using PAT

Page 1: One of the more popular variations of dynamic NAT is known as Port Address Translation (PAT), also referred to as NAT Overload. PAT dynamically translates multiple inside local addresses to a single public address. The unique public address consists of the serial interface IP address plus a port number. Although each host translates into the same global IP address, the port number associated with the conversation is unique.

When a source host sends a message to a destination host, it uses an IP address and port number combination to keep track of each individual conversation. In PAT, the gateway router translates the local source address and port number combination to a single global IP address and a unique port number above 1024. A table in the router contains a list of the internal IP address and port number combinations that are translated to the external address. Since over 64,000 ports are available, a router is unlikely to run out of addresses. Both enterprise and home networks take advantage of PAT functionality. PAT is built into integrated routers and is enabled by default.

4.4.4 - Using PAT
The animation depicts the PAT process. R1 is connected to a switch which is connected to two computers, H1 and H2. A web server within a network cloud is connected via a serial link to router R1.

H1 sends an HTTP message. The source IP address and port are 192.168.2.18:4177; the destination IP address is 209.165.202.130 and the destination port number is 80. R1 translates the request as follows: inside local address 192.168.2.18:4177, inside global address 209.165.201.2:4177, outside local address 209.165.202.130:80, outside global address 209.165.202.130:80. The inside global address adds a port number following the address.

H2 sends an HTTP message with the source IP address and port 192.168.2.19:3012; the destination is 209.165.202.130, port 80. R1 translates the request of H2 as follows: inside local address 192.168.2.19:3012, inside global address 209.165.201.2:3012, outside local address 209.165.202.130:80, outside global address 209.165.202.130:80.

Page 2: Configuring PAT requires the same basic steps and commands as configuring NAT. However, instead of translating to a pool of addresses, PAT translates to a single address. The following command translates the inside addresses to the IP address of the serial interface:
ip nat inside source list 1 interface serial 0/0/0 overload

Verify NAT and PAT functionality with the following commands.

show ip nat translations
This command displays active translations. Static NAT entries remain in the table permanently. A dynamic NAT entry requires some action from the host to a destination on the outside of the network. If configured correctly, a simple ping or trace creates an entry in the NAT table. If the translation is not used, it ages out after a period of time.

show ip nat statistics
This command displays translation statistics, including the number of addresses used and the number of hits and misses. The output also includes the access list that specifies internal addresses, the global address pool, and the range of addresses defined.

4.4.4 - Using PAT
The diagram displays a configuration output example of dynamic PAT and an example of the output seen when verifying PAT.

Dynamic PAT
The output from the show running-config command is listed below:
R1# show running-config
(*** output omitted ***)
access-list 1 permit 172.31.232.0 0.0.0.255
ip nat inside source list 1 interface serial 0/0/0 overload
interface fastethernet 0/0

 ip address 172.31.232.1 255.255.255.0
 ip nat inside
interface serial 0/0/0
 ip address 209.165.202.182 255.255.255.252
 ip nat outside

A man sitting at a desk in front of a computer says: I have to configure PAT since we are converting all of our private addresses into one public address.

When the Verifying PAT button is selected, the output on router R1 is seen as follows:
R1# show ip nat translations
Pro  Inside global          Inside local          Outside local          Outside global
icmp 209.165.202.131:512   172.31.232.1:512      209.165.202.1:512      209.165.202.1:512
udp  209.165.202.131:1067  172.31.232.2:1067     209.165.202.2:53       209.165.202.2:53
tcp  209.165.202.131:1028  172.31.232.3:1028     209.165.202.3:80       209.165.202.3:80

R1# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic, 0 extended)
Outside interfaces: Serial0/0/0
Inside interfaces: FastEthernet0/0
Hits: 47  Misses: 0
Expired translations: 5
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool pub-addr refcount 4
 pool pub-addr: netmask 255.255.255.224
        start 209.165.202.131 end 209.165.202.140
        type generic, total addresses 10, allocated 2 (20%), misses 0

Page 3: Lab Activity
Configure and verify PAT. Click the lab icon to begin.
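An added example, not part of the course and not Cisco IOS code: a Python simulation of the translation table that R1 keeps for PAT, replaying the H1 and H2 web requests from the animation (the addresses come from the page; the third host 192.168.2.20 and its port collision are constructed). The PatRouter class and its port-reuse rule are assumptions of this example, not a description of IOS internals.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


@dataclass
class PatEntry:
    proto: str
    inside_local: Endpoint   # private host address and its own source port
    inside_global: Endpoint  # the single shared public address plus the unique port
    outside: Endpoint        # outside local == outside global (outside side is untouched)


class PatRouter:
    """Simulated NAT overload (PAT) table for one inside global address.

    Assumption of this example: the original source port is kept while it is
    still free on the global address (what the page's sample table shows); on
    a collision the next unused port above 1024 is allocated instead.
    """

    def __init__(self, inside_global_ip: str) -> None:
        self.global_ip = inside_global_ip
        self.next_port = 1025
        self.used_ports: Dict[str, Set[int]] = {}  # proto -> global ports in use
        self.by_local: Dict[Tuple[str, Endpoint, Endpoint], PatEntry] = {}
        self.by_global: Dict[Tuple[str, int, Endpoint], PatEntry] = {}
        self.hits = 0    # packets that matched an existing translation
        self.misses = 0  # packets that required a new translation

    def _allocate_port(self, proto: str, wanted: int) -> int:
        used = self.used_ports.setdefault(proto, set())
        if wanted not in used:
            used.add(wanted)
            return wanted
        while self.next_port in used:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("PAT port space exhausted")
        used.add(self.next_port)
        return self.next_port

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Inside -> outside packet: returns the (global ip, port) written into
        the packet, creating the translation on first use."""
        key = (proto, src, dst)
        entry = self.by_local.get(key)
        if entry is None:
            self.misses += 1
            gport = self._allocate_port(proto, src[1])
            entry = PatEntry(proto, src, (self.global_ip, gport), dst)
            self.by_local[key] = entry
            self.by_global[(proto, gport, dst)] = entry
        else:
            self.hits += 1
        return entry.inside_global

    def inbound(self, proto: str, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Outside -> inside packet addressed to the global address: returns the
        inside local (ip, port) to deliver to, or None when no translation
        exists, in which case the unsolicited packet is dropped."""
        entry = self.by_global.get((proto, dst_port, src))
        if entry is None:
            return None
        self.hits += 1
        return entry.inside_local

    def show_translations(self) -> List[str]:
        """Rows laid out like the 'show ip nat translations' output above."""
        header = ["Pro", "Inside global", "Inside local", "Outside local", "Outside global"]
        rows = [f"{header[0]:<5}" + "".join(f"{h:<23}" for h in header[1:])]
        for e in self.by_local.values():
            cells = [f"{ip}:{port}" for ip, port in
                     (e.inside_global, e.inside_local, e.outside, e.outside)]
            rows.append(f"{e.proto:<5}" + "".join(f"{c:<23}" for c in cells))
        return rows


def demo() -> Tuple[PatRouter, dict]:
    """Replays the animation on R1, whose serial address is 209.165.201.2."""
    r1 = PatRouter("209.165.201.2")
    web = ("209.165.202.130", 80)
    out = {
        "h1": r1.outbound("tcp", ("192.168.2.18", 4177), web),  # -> 209.165.201.2:4177
        "h2": r1.outbound("tcp", ("192.168.2.19", 3012), web),  # -> 209.165.201.2:3012
        "h3": r1.outbound("tcp", ("192.168.2.20", 4177), web),  # constructed clash -> :1025
    }
    out["reply_to_h1"] = r1.inbound("tcp", web, out["h1"][1])  # server reply reaches H1
    out["stray"] = r1.inbound("tcp", web, 9999)                 # no entry: dropped
    return r1, out


if __name__ == "__main__":
    router, results = demo()
    print("\n".join(router.show_translations()))
    print(results)
```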

4.4.4 - Using PAT
Link to Hands-on Lab: Configuring and Verifying PAT. Configure and verify PAT.

4.5 Chapter Summary
4.5.1 Summary Page 1:
4.5.1 - Summary

Diagram 1, Image: The diagram depicts a hierarchical network with three separate LANs connected to routers, which converge to a single router before connecting to the network cloud.
Diagram 1 text: A single broadcast domain is a non-hierarchical or flat network. A hierarchical addressing structure logically groups networks into smaller sub-networks. A hierarchical network design simplifies network management and improves scalability and performance.

Diagram 2, Image: The diagram depicts a /24 network in the 10.0.0.0 range that has been subnetted using the /28 mask.
Diagram 2 text: With basic or standard subnetting, each subnet is the same size and has the same number of hosts. Variable Length Subnet Masking (VLSM) enables different masks for each subnet. A subnet can be further subnetted, creating sub-subnets. When implementing VLSM, ensure room for growth in the number of subnets and hosts available. VLSM requires classless routing protocols.

Diagram 3, Image: The diagram depicts how known networks are summarized into a summary route.
Diagram 3 text: Classful IP addressing determines the subnet mask of a network address by the value of the first octet. With CIDR, the network address is not determined by the class of the address; instead, it is determined by the prefix length. Route summarization groups contiguous subnets using a single address and a shorter mask to reduce the number of routes advertised. Route summarization, route aggregation, or supernetting is done at network boundaries on a boundary router. Variable Length Subnet Masking (VLSM) enables routers to use route summarization to reduce the size of routing tables. The use of classful routing protocols can create the issue of discontiguous networks.

Diagram 4, Image:

Diagram 4 text: NAT translates private addresses into public addresses that route into the Internet. Private addresses are used and routed internally, but are not routed on the Internet. Static NAT maps a single inside local address to a single inside global (public) address. Dynamic NAT uses an available pool of public addresses and assigns them to inside local addresses. PAT translates multiple local addresses to a single global IP address.

4.6 Chapter Quiz
4.6.1 Quiz Page 1: Take the chapter quiz to check your knowledge. Click the quiz icon to begin.
4.6.1 - Quiz
Chapter 4 Quiz: Addressing in an Enterprise Network
1. Given a host with the IP address 172.x.x.13 and a default subnet mask, to which network does the host belong? (Options A to D list four 172.x.x.0 networks.)
2. What is the best route summarization for the following list of networks? Networks: 209.48.32.0, 209.48.48.0, … A. 209.48.32.0 /20 B. … /22 C. … /20 D. … /21
3. A Class C network address has been subnetted into eight subnetworks. What bit mask must be used to create eight smaller subnetworks, each having two usable host addresses? A. /26 B. /27 C. /28 D. /29 E. /30 F. /31

4. Which address is a valid subnet if a 26 bit mask is used for subnetting? A. 172.16.x.16 B. 172.16.x.32 C. 172.16.x.64 D. 172.16.x.96 E. 172.16.x.128 F. 172.16.x.192
5. A network technician is trying to determine the correct IP address configuration for Host A. What is a valid configuration for Host A? To answer this question refer to the network topology described below.
Network Topology: The network consists of two routers, named Router 1 and Router 2, and one switch, named Switch. Router 1 connects to Router 2 via a serial link through Router 1's IP 192.168.100.1 /24 and Router 2's IP 192.168.100.2 /24. Router 2 connects to the ISP via a serial link using Router 2's IP 10.x.x.5 /30. Router 1 connects to Switch through Router 1's IP 192.168.x.1 /24 and Switch's IP 192.168.x.x. Host A is connected to Switch.
Options A to F each give an IP address in 192.168.x.x, a subnet mask and a default gateway.
6. Which address is an inside global address? To answer this question refer to the network topology described below.
Network Topology: The network consists of two routers named RTR1 and RTR2, and two switches. RTR1 is connected to RTR2 via a serial link through RTR1's S0/0 and RTR2's S0/0 with the network IP address of 10.x.x.0 /24.
7. Determine which characteristics correspond to the associated NAT techniques. There will be two characteristics per NAT technique. Characteristics: provides one-to-one fixed mappings of local and global addresses; assigns the translated addresses of IP hosts from a pool of public addresses; can map multiple addresses to a single address of the external interface; assigns unique source port numbers of an inside global address on a session-by-session basis; allows external hosts to establish sessions with an internal host; defines translations on a host-to-host basis. NAT Techniques: Dynamic NAT, NAT with Overload, Static NAT.
8. What is true regarding the differences between NAT and PAT? A. PAT uses the word overload at the end of the access-list statement to share a single registered address. B. Dynamic NAT allows hosts to receive the same global address each time external access is required. C. PAT uses unique source port numbers to distinguish between translations. D. Static NAT allows an unregistered address to map to multiple registered addresses.

RTR1 is connected to a switch via RTR1's Fa0/0 with the network IP address of 10.x.x.0 /24. This switch is connected to a host depicted by a man sitting at a computer. RTR2 is connected to a switch via RTR2's Fa0/0 with the network IP address of 10.x.x.0 /24. This switch is connected to a server with an IP network address of 10.x.x.0 /24. RTR2 is connected to the Internet via RTR2's S0/0 with the network IP address of 209.165.x.0 /24. (Options A to D list four addresses from this topology.)
9. The command show ip nat translations has been issued. Which type of NAT translation is being performed? Use the output below to answer this question. The output lists three tcp translations (columns Pro, Inside global, Inside local, Outside local, Outside global): inside global ports 1098, 1345 and 1989; inside local hosts ending in .1:1098, .2:1345 and .3:1989; outside local and outside global addresses ending in .6:23, .6:23 and .7:21. A. NAT static configuration B. NAT simple configuration C. NAT overloading configuration D. NAT overlapping configuration
10. How many addresses will be available for dynamic NAT translation when a router is configured with the following commands?
Router(config)# ip nat pool TAME 10.x.x.x 10.x.x.30 netmask 255.255.255.224
Router(config)# ip nat inside source list 9 pool TAME
Options A to F: 5, 6, 7, 8, 9 or 10 addresses.
11. What is the purpose of a subnet mask in a network? A. A subnet mask is necessary when a default gateway is not specified. B. A subnet mask is used to identify the network portion of an IP address. C. A subnet mask is used to separate the 48-bit address into the OUI and the vendor serial number. D. A subnet mask is required only when bits are borrowed on a network.

All contents copyright © 2007-2008 Cisco Systems, Inc.

CCNA Discovery - Introducing Routing and Switching in the Enterprise
5 Routing with a Distance Vector Protocol
5.0 Chapter Introduction
5.0.1 Introduction Page 1:
5.0.1 - Introduction
Workers today collaborate, communicate, and interact within large companies with complex networks. Information flows between mobile workers and branch offices. These branch offices connect to corporate offices in cities and countries around the world. Network engineers design enterprise networks to provide reliable high-speed communication channels between remote sites. Routing protocols continually exchange information on the best path through the network. After completion of this chapter, you should be able to: Compare and contrast a flat network and a hierarchical routed topology. Configure a network using RIP v2. Describe and plan a network using EIGRP. Design and configure a network using EIGRP.

5.1 Managing Enterprise Networks
5.1.1 Enterprise Networks Page 1: Hierarchical enterprise networks facilitate the flow of information. The organization must create a hierarchy to meet the different network requirements of each part of the company. Data moves through the enterprise hierarchy based on the IP address of the remote network.

Crucial information and services typically reside near the top of the hierarchy, in secured server farms or on storage area networks. The structure expands into many different departments that are spread across the lower part of the hierarchy, as well as connections to corporate offices, such as connections for mobile workers and branch offices. Communication between different levels of the hierarchy requires a combination of LAN and WAN technologies. As the company grows or adds e-commerce operations, a DMZ may be required to house the various servers.

5.1.1 - Enterprise Networks
The diagram depicts a corporate network where routers are used to control traffic flows between end users, server farms, DMZs, and the Internet, which all connect in a hierarchical topology. Also shown is a NOC, a SAN, and two DMZs.

Page 2: Traffic control is essential in an enterprise network. Routers forward traffic and prevent broadcasts from clogging the main channels to crucial services. They control the flow of traffic between LANs. Enterprise networks provide a high level of reliability and services. Without it, these networks could not function. To ensure this, maximize available bandwidth, and protect the network from attacks, network professionals:
• Design networks to provide redundant links to use in case a primary data path fails.
• Deploy Quality of Service (QoS) to ensure critical data receives priority treatment.
• Use packet filtering to deny certain types of packets, allowing only the required traffic to pass through the network.

5.1.1 - Enterprise Networks
The diagram depicts several enterprise networks and some of the features they may have. One worker sitting at his workstation thinks to himself, "My data connection is very fast!" Another worker sitting at her workstation is thinking, "The quality of this VoIP call is really good!" A sinister-looking character trying to access the network via the Internet thinks to himself, "Why can I not get into this network?"

5.1.2 Enterprise Topologies

Page 1: Choosing the right physical topology allows a company to expand its networked services without losing reliability and efficiency. Network designers base their topology decisions upon the enterprise requirements for performance and reliability. The star and mesh topologies are normally deployed in enterprise environments.

Star Topology
One popular physical topology is the star. A star topology provides centralized control of the network. The center of the star corresponds to the top of the hierarchy. All crucial services and technical staff can be located in one place. Branch offices at multiple locations connect to the center, or hub, of the star. Star topologies are scalable. Adding a new branch office simply requires one more connection to the central point of the star. A simple star can grow into an extended star. If an office adds several branches to its territory, each branch office can connect to a center hub in its own area, which then connects back to the main central point at the central office. This creates an extended star topology for the network.

5.1.2 - Enterprise Topologies
The diagram depicts the development of an extended star topology. The routers at the Head Office are connected in star topology to a core router, which could be the corporate headquarters or head office. One of the routers on the edge of the topology connects to Branch 1 and Branch 2, whose networks are also organized in a star topology. In this way, smaller stars radiate out from the main branch offices.

Page 2: The star and extended star topologies create a single point of failure. Mesh topologies eliminate this problem.

Mesh Topologies
With the addition of links, the topology becomes a mesh of interconnected nodes. Each additional link provides an alternate pathway for data and adds reliability to the network. Each additional link adds cost and overhead. It also adds to the complexity of managing the network.

Partial Mesh
Adding redundant links only to a specific area of an enterprise creates a partial mesh. Redundant connections balance the traffic and ensure that there is a reliable path to the destination, while minimizing additional expenses. The other areas of the network are still vulnerable to failures. Therefore, it is essential to place the mesh where it provides the most benefit.

Full Mesh
When no downtime is acceptable, the network requires a full mesh. Each node in a full mesh topology connects to every other node in the enterprise. This is the most failure-proof topology, but it is also the most expensive to implement. This topology meets uptime and reliability requirements for critical areas like server farms and SANs.

5.1.2 - Enterprise Topologies
The diagram depicts the development of a full mesh topology. Router R5, in a star topology, connects to four routers, R1 to R4. The edge routers of the star topology begin to interconnect, creating a partial mesh, until each of the routers has a connection to all of the other routers. This topology has become a full mesh topology.

Page 3: The Internet is an excellent example of a meshed network. Devices on the Internet are not under the control of any one individual or organization. As a result, the topology of the Internet is constantly changing, with some links going down and others coming online. Therefore, processes are put in place that allow devices to adapt to these constantly changing conditions and reroute traffic as appropriate. Enterprise networks face some of the same issues as the Internet.

5.1.2 - Enterprise Topologies
The diagram depicts a constantly changing network environment. A large meshed network topology with the Internet at its core is displayed. Links in various areas of the network go down occasionally and this network is able to adapt to constant changes.

Page 4: Lab Activity
Interconnect network nodes with redundant links to provide reliability at minimal cost.

Click the lab icon to begin.
5.1.2 - Enterprise Topologies
Link to Hands-on Lab: Designing and Creating a Redundant Network

5.1.3 Static and Dynamic Routing
Page 1: The physical topology of an enterprise network provides the structure for forwarding data. Routing provides the mechanism that makes it work. Finding the best path to the destination becomes very difficult in an enterprise network, because a router can have many sources of information from which to build its routing table. Routers maintain information about directly connected, static, and dynamic routes. A routing table is a data file that exists in RAM and stores information about directly connected and remote networks. The routing table associates each network with either an exit interface or a next hop. The exit interface is the physical path that the router uses to move the data closer to the destination. The next hop is an interface on a connected router that moves the data closer to the final destination. The table also attaches a number to each route that represents the trustworthiness or accuracy of the source of the routing information. This value is the administrative distance.

5.1.3 - Static and Dynamic Routing
The diagram depicts a small network. A host is connected to a switch with the network address of 192.168.1.0 /24. This switch is also connected to the Fa0/0 interface of a router, which has an address in 192.168.1.0 /24. The router is then connected to a second router via a serial link from its S0/0/0 port with the address 192.168.2.1 /24 to the S0/0/0 port of the second router, 192.168.2.2 /24. The second router is connected to two hosts via Fa0/0 with the network address 192.168.3.0 /24, and Fa0/1 with the network address 192.168.4.0 /24. When the show ip route command is entered on the first router, the following output is given:

R1# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R    192.168.4.0/24 [120/1] via 192.168.2.2, 00:00:26, Serial0/0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, Serial0/0/0
S    192.168.3.0/24 [1/0] via 192.168.2.2

Routing Information Source: In the above output, the R in the first routing table entry is highlighted. This indicates how the route was learned. Routes might be directly connected, manually entered, or learned from a dynamic routing protocol.
Destination Network Address and Subnet Mask: In the above output, network address 192.168.4.0 /24 in the first routing table entry is highlighted. This is the address and subnet mask of the destination network.
Administrative Distance and Hop Count: In the above output, [120/1] in the first routing table entry and [1/0] in the fourth routing table entry are highlighted. This is the administrative distance and metric associated with the route. The administrative distance represents the accuracy or trustworthiness of the metric used for cost calculations. The metric is the value used to calculate the cost to reach the destination.
Next Hop: In the above output, IP address 192.168.2.2 in the fourth routing table entry is highlighted. This is the address of the interface on the next router. The information forwarded to this interface moves closer to its final destination.
Exit Interface: In the above output, interface Serial0/0/0 in the first routing table entry is highlighted. This is the exit interface on the router used to move information closer to the final destination.

Page 2: Directly Connected Routes
A directly connected network attaches to a router interface. Configuring the interface with an IP address and subnet mask allows the interface to become a host on the attached network. The network address and subnet mask of the interface, along with the interface type and number, appear in the routing table as a directly connected network. The routing table designates directly connected networks with a C.

Static Routes
Static routes are routes that a network administrator manually configures. A static route includes the network address and subnet mask of the destination network, along with the exit interface or the IP address of the next hop router. The routing table designates static routes with an S. Static routes are more stable and reliable than routes learned dynamically, which results in a lower administrative distance compared to the dynamic routes.

Dynamic Routes
Dynamic routing protocols also add remote networks to the routing table. Dynamic routing protocols enable routers to share information about the reachability and status of remote networks through network discovery. Each protocol sends and receives data packets while locating other routers and updating and maintaining routing tables. Routes learned through a dynamic routing protocol are identified by the protocol used, for example, R for RIP and D for EIGRP. They are assigned the administrative distance of the protocol.

5.1.3 - Static and Dynamic Routing
The diagram depicts a host labeled H2 that is connected to a switch with the network address 172.16.x.0 /24. This switch is connected to the Fa0/0 port of router R1, with the address 172.16.x.1 /24. R1 is connected via a serial connection from its port S0/0/1 with the address 172.16.x.2 /24 to the S0/0/0 port of a second router, with the address 172.16.x.1 /24. The second router is connected to a switch from its Fa0/0 port with the address 172.16.x.1 /24; the switch is connected to host H1. The first router is also connected to a third router from its S0/0/0 port with the address 192.168.x.2 /24 to the third router's S0/0/1 port with the address 192.168.x.1 /24. This third router is connected to a switch on its Fa0/0 port with the address 192.168.x.1 /24. The switch is connected to host H3. The output of show ip route on R1 (Gateway of last resort is not set) groups its entries as Connected, Dynamic, and Static: three directly connected subnets of 172.16.0.0/16 (C entries on FastEthernet0/0 and Serial0/0/0), RIP routes to the 192.168.x.0 /24 networks learned via 172.16.x.2 on Serial0/0/0 ([120/1], timer 00:00:07), and a static route [1/0] via 172.16.x.2.

Page 3: Packet Tracer Activity
Investigate a fully-converged network with connected, static, and dynamic routing. Click the Packet Tracer icon to begin.
5.1.3 - Static and Dynamic Routing
Link to Packet Tracer Exploration: Investigating Connected, Static, and Dynamic Routing

Page 4: Typically, both static and dynamic routes are employed in an enterprise network. Static routing addresses specific network needs. Static routing provides forwarding services without the overhead associated with most dynamic routing protocols. In some enterprise networks, small branch offices have only one possible path to reach the rest of the network. Limiting traffic to a single point of entrance/exit creates a stub network. In this situation, a static route can be used to control the traffic flow. It is not necessary to burden the stub router with routing updates and increased overhead by running a dynamic routing protocol; therefore static routing is beneficial. Based on their placement and function, specific enterprise routers may also require static routes. Border routers use static routes to provide secure, stable paths to the ISP. Other routers within the enterprise use either static routing or dynamic routing protocols as necessary to meet their needs.

5.1.3 - Static and Dynamic Routing
The diagram depicts the topology of a small enterprise network. The ISP router (cloud) connects to the enterprise router via a static route. The enterprise edge router also connects to three internal routers, one of which is connected to a stub network. Depending on the physical topology, static routes are also used to and from the stub network.

Page 5: Routers in an enterprise network use bandwidth, memory, and processing resources to provide NAT/PAT, packet filtering, and other services.

Static routing provides more security than dynamic routing, because no routing updates are required. A hacker could intercept a dynamic routing update to gain information about a network. However, static routing is not without problems. It requires time and accuracy from the network administrator. A simple typographical error in a static route can result in network downtime and packet loss. When a static route changes, the network may experience routing errors and problems during manual reconfiguration. For these reasons, static routing is impractical for general use in a large enterprise environment.

5.1.3 - Static and Dynamic Routing
The diagram depicts a table with the following routing information:
Configuration Complexity. Static Routing: Increases with network size. Dynamic Routing: Generally independent of the network size.
Topology Changes. Static Routing: Administrator intervention required. Dynamic Routing: Automatically adapts to topology changes.
Scaling. Static Routing: Suitable for simple topologies. Dynamic Routing: Suitable for simple and complex topologies.
Security. Static Routing: More secure. Dynamic Routing: Less secure.
Resource Usage. Static Routing: No extra resources needed. Dynamic Routing: Uses CPU, memory, and link bandwidth.
Predictability. Static Routing: Route to destination is always the same. Dynamic Routing: Route depends on the current topology.

5.1.4 Configuring Static Routes
Page 1: The global command for configuring most static routes is ip route, followed by the destination network, the subnet mask, and the path used to reach it. The command is:
Router(config)#ip route [network-address] [subnet mask] [address of next hop OR exit interface]

Using the next-hop address or the exit interface forwards traffic to the proper destination. However, these two parameters behave very differently. Static routes configured with exit interfaces require a single routing table lookup. Before a router forwards any packet, the routing table process determines which exit interface to use. In an enterprise network, static routes configured with exit interfaces are ideal for point-to-point connections like those between a border router and the ISP. If an exit interface is disabled, static routes disappear from the routing table. The routing table reinstalls the routes when the interface is re-enabled.

5.1.4 - Configuring Static Routes
The diagram depicts a static route configuration. A host, H1, is connected to a switch that is connected to router R1. The network between H1 and R1 is 192.168.1.0 /24. R1 is connected via its S0/0/0 port with the address 192.168.2.1 /24 to the S0/0/1 port of R2 with the address 192.168.2.2 /24. R2 is connected to a switch, which is then connected to host H2. The network between R2 and H2 is 192.168.3.0 /24.
Exit Interface: R1(config)# ip route 192.168.3.0 255.255.255.0 S0/0/0
Next Hop Address: R1(config)# ip route 192.168.3.0 255.255.255.0 192.168.2.2

Page 2: Static routes configured with a next hop interface require two steps to determine the exit interface. Static routes configured with the next-hop parameter must reference the routing table twice to determine the exit interface. This is called a recursive lookup. In a recursive lookup:
• The router matches the destination IP address of a packet to the static route.
• It matches the next hop IP address of the static route to entries in its routing table to determine which interface to use.

5.1.4 - Configuring Static Routes
The diagram depicts a static route configuration. A host is connected to a switch, which is connected to router R1 on the 192.168.1.0 network. R1 is connected via its S0/0/0 port with the address 192.168.2.1 /24 to router R2, which is also connected to a host on the 192.168.3.0 network.

The routing table for R1, when the static route is set as an Exit Interface Route, is as follows:
R 192.168.4.0/24 [120/1] via 192.168.2.2, 00:00:05, Serial0/0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, Serial0/0/0
S 192.168.3.0/24 is directly connected, Serial0/0/0
In the animation, H1 sends a packet to H2. When the packet reaches R1, R1 searches its routing table. When it finds the static route within the routing table, it then knows what port the packet is to be sent out of and forwards it to H2 via that port.

The routing table for R1, when the static route is set as a Next Hop Interface Route, is as follows:
R 192.168.4.0/24 [120/1] via 192.168.2.2, 00:00:26, Serial0/0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, Serial0/0/0
S 192.168.3.0/24 [1/0] via 192.168.2.2
In the animation, H1 sends a packet to H2. When the packet reaches R1, R1 searches its routing table. When it finds the static route within the routing table, it then recycles through the routing table until it finds which port is connected via the 192.168.2.0 network. It then knows what port the packet is to be sent out of and forwards it to H2 via that port.

Page 3: Summarizing several static routes as a single entry reduces the size of the routing table and makes the lookup process more efficient. This process is called route summarization. Without summary routes, routing tables within Internet core routers become unmanageable. Enterprise networks encounter the same problem. Summary static routes are an indispensable solution for managing routing table size. A single static route summarizes multiple static routes if:
• The destination networks summarize into a single network address.
• All of the static routes use the same exit interface or next-hop IP address.

5.1.4 - Configuring Static Routes
The diagram depicts a table containing summary route information, as follows:
Route that can be summarized | Summary Boundary /22
172.16.4.0 | 10101100.00010000.000001|00.00000000

172.16.5.0 | 10101100.00010000.000001|01.00000000
172.16.6.0 | 10101100.00010000.000001|10.00000000
172.16.7.0 | 10101100.00010000.000001|11.00000000
Subnet Mask: 255.255.252.0 | 11111111.11111111.111111|00.00000000
The above routes can be summarized to one route as follows: 172.16.4.0 255.255.252.0
To summarize into one route: Router(config)# ip route 172.16.4.0 255.255.252.0 serial0/0/1

Page 4: Packet Tracer Activity
Create static routes. Click the Packet Tracer icon to begin.
5.1.4 - Configuring Static Routes
Link to Packet Tracer Exploration: Configuring Static Routes

Page 5: Depending on the WAN services used in the enterprise, static routes provide a backup service when the primary WAN link fails. A feature called floating static routes can be used to provide this backup service. By default, a static route has a lower administrative distance than the route learned from a dynamic routing protocol. A floating static route has a higher administrative distance than the route learned from a dynamic routing protocol. For that reason, a floating static route does not display in the routing table. The floating static route entry appears in the routing table only if the dynamic information is lost. To create a floating static route, add an administrative distance value to the end of the ip route command:
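The binary boundary in the table above can be computed rather than worked by hand. The Python below is an added example, not course code: it finds the summary boundary for a list of networks, renders the same dotted-binary rows with the boundary marker, and also reports how much address space the summary advertises beyond the networks actually held. That last figure matters operationally, because a summary that covers unused space attracts traffic for destinations you do not have. The inputs are the page's 172.16.4.0 to 172.16.7.0 routes plus a constructed case with a gap.

```python
"""Route summarization: find the summary boundary for a list of networks and show the
dotted-binary working used in the table above. Added example, not course code; the
networks are the page's 172.16.4.0 - 172.16.7.0 plus a constructed gap case."""
import ipaddress


def dotted_binary(value, boundary):
    """32-bit value as dotted binary with '|' after bit `boundary`, e.g.
    172.16.4.0 at /22 -> 10101100.00010000.000001|00.00000000"""
    bits = format(value, "032b")
    out, seen = "", 0
    for ch in bits[:boundary] + "|" + bits[boundary:]:
        if ch != "|":
            if seen and seen % 8 == 0:
                out += "."
            seen += 1
        out += ch
    return out


def summary_boundary(nets):
    """Leading bits shared by every network address, capped by the shortest prefix given."""
    first = int(nets[0].network_address)
    shared = min(n.prefixlen for n in nets)
    for n in nets[1:]:
        differing = first ^ int(n.network_address)     # bits where the two addresses disagree
        shared = min(shared, 32 - differing.bit_length())
    return shared


def summarize(networks):
    """Return (summary prefix, mask, addresses the summary covers but no input network owns)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    plen = summary_boundary(nets)
    summary = ipaddress.ip_network(f"{nets[0].network_address}/{plen}", strict=False)
    held = sum(n.num_addresses for n in nets)
    overreach = summary.num_addresses - held           # 0 only when the inputs fill the summary
    return str(summary), str(summary.netmask), overreach


def worked_table(networks):
    """Rows like the diagram: network, then its binary with the summary boundary marked,
    followed by the summary mask in the same notation."""
    nets = [ipaddress.ip_network(n) for n in networks]
    plen = summary_boundary(nets)
    rows = [(str(n.network_address), dotted_binary(int(n.network_address), plen)) for n in nets]
    mask = int(ipaddress.ip_network(f"0.0.0.0/{plen}").netmask)
    rows.append((f"mask /{plen}", dotted_binary(mask, plen)))
    return rows


if __name__ == "__main__":
    page_routes = ["172.16.4.0/24", "172.16.5.0/24", "172.16.6.0/24", "172.16.7.0/24"]
    for name, binary in worked_table(page_routes):
        print(f"{name:<12}{binary}")
    print(summarize(page_routes))                          # ('172.16.4.0/22', '255.255.252.0', 0)
    print(summarize(["172.16.4.0/24", "172.16.6.0/24"]))   # same /22, but 512 addresses unowned
```

`summary_boundary` is the XOR trick behind the table: the highest bit where any two network addresses differ is the first bit that cannot be part of the summary. The mask row comes out as 11111111.11111111.111111|00.00000000, matching the table.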

Router(config)#ip route 192.168.1.0 255.255.255.0 10.x.x.1 200
The administrative distance specified must be greater than the AD assigned to the dynamic routing protocol. The router uses the primary route as long as it is active. If the primary route is down, the table installs the floating static route.

5.1.4 - Configuring Static Routes
Four routers are connected in a ring. R1 is connected via 10.x.x.1 /30 to 10.x.x.2 /30 of R2. R2 is connected via 10.x.x.1 /30 to 10.x.x.2 /30 of R3. R3 is connected to R4, and R4 back to R1. R3 is connected to the network cloud on the network 209.165.201.0 /27.
R1 routing table: R 209.165.201.0/27 [120/2] via the R4 link
Backup Floating Static Route: ip route 209.165.201.0 255.255.255.224 10.x.x.2 150
In the animation, R1 sends a packet to 209.165.201.0 /27 using the dynamic route within its routing table. The packet is routed via R4, then onto R3 before going on to the network cloud. The link between R1 and R4 then fails. The routing table of R1 is then updated with the backup floating static route. R1 sends another packet to 209.165.201.0 /27. It checks its routing table and sends the packet via R2, and then to R3 before going on to the network cloud.

5.1.5 Default Routes
Page 1: Routing tables cannot contain routes to every possible Internet site. As routing tables grow in size, they require more RAM and processing power. A special type of static route, called a default route, specifies a gateway to use when the routing table does not contain a path to a destination. It is common for default routes to point to the next router in the path toward the ISP. In a complex enterprise, default routes funnel Internet traffic out of the network. The command to create a default route is similar to the command used to create either an ordinary or a floating static route. The network address and subnet mask are both specified as 0.0.0.0, making it a quad zero route. The zeroes indicate to the router that no bits need to match in order to use this route. As long as a better match does not exist, the router uses the default static route. The command uses either the next-hop address or the exit interface parameters.
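The lookup rules from 5.1.3 to 5.1.5 (longest prefix match, administrative distance between sources, the recursive next-hop lookup of 5.1.4, the quad-zero default route and a floating static route that is installed only when the RIP route disappears) are small enough to model in a few dozen lines. The Python below is an added example, not Cisco IOS code; the network addresses are the ones used on these pages, while the 10.10.10.0/30 backup link and the AD of 200 are constructed to mirror the floating-static command above.

```python
"""Model of the routing-table rules in 5.1.3 - 5.1.5: longest-prefix match, administrative
distance, recursive next-hop lookup, the quad-zero default route and a floating static route.
Added example, not Cisco IOS code. Addresses follow the pages above; the 10.10.10.0/30 backup
link and the AD of 200 are constructed to mirror the floating-static command."""
import ipaddress

# IOS default administrative distances: connected, static, EIGRP, RIP
AD = {"C": 0, "S": 1, "D": 90, "R": 120}


class RoutingTable:
    def __init__(self):
        self.known = []     # every route the router has heard of, installed or not

    def add(self, source, prefix, via=None, iface=None, ad=None):
        """A route names either a next-hop address (via) or an exit interface (iface)."""
        self.known.append({"src": source, "net": ipaddress.ip_network(prefix),
                           "via": via, "iface": iface,
                           "ad": AD[source] if ad is None else ad})

    def withdraw(self, source, prefix):
        """Dynamic information lost, e.g. the RIP neighbour stopped advertising the network."""
        net = ipaddress.ip_network(prefix)
        self.known = [r for r in self.known if not (r["src"] == source and r["net"] == net)]

    def installed(self):
        """Per prefix only the lowest administrative distance is installed, which is why a
        floating static (AD 200) stays hidden while the RIP route (AD 120) exists."""
        best = {}
        for r in self.known:
            cur = best.get(r["net"])
            if cur is None or r["ad"] < cur["ad"]:
                best[r["net"]] = r
        return list(best.values())

    def best_route(self, dest):
        """Longest-prefix match among installed routes; 0.0.0.0/0 matches when nothing else does."""
        dest = ipaddress.ip_address(dest)
        matches = [r for r in self.installed() if dest in r["net"]]
        return max(matches, key=lambda r: r["net"].prefixlen) if matches else None

    def exit_interface(self, dest, depth=0):
        """Interface the packet leaves on. Exit-interface routes need one lookup;
        next-hop routes recurse on the next-hop address (the recursive lookup of 5.1.4)."""
        r = self.best_route(dest)
        if r is None:
            return None                         # no route and no default: packet dropped
        if r["iface"] is not None:
            return r["iface"]
        if depth > 8:
            raise RuntimeError(f"next hop {r['via']} never resolves to an interface")
        return self.exit_interface(r["via"], depth + 1)

    def show(self):
        """Lines shaped like 'show ip route' for the installed routes."""
        out = []
        for r in sorted(self.installed(), key=lambda r: (int(r["net"].network_address), r["net"].prefixlen)):
            if r["via"] is None:
                out.append(f"{r['src']} {r['net']} is directly connected, {r['iface']}")
            else:
                out.append(f"{r['src']} {r['net']} [{r['ad']}/0] via {r['via']}")
        return out


def build_r1():
    """R1 from the static-route pages, plus a RIP route and its floating static backup."""
    rt = RoutingTable()
    rt.add("C", "192.168.1.0/24", iface="FastEthernet0/0")
    rt.add("C", "192.168.2.0/24", iface="Serial0/0/0")
    rt.add("C", "10.10.10.0/30", iface="Serial0/0/1")          # constructed backup link
    rt.add("S", "192.168.3.0/24", via="192.168.2.2")           # next-hop static: recursive lookup
    rt.add("R", "192.168.4.0/24", via="192.168.2.2")           # learned from RIP, AD 120
    rt.add("S", "192.168.4.0/24", via="10.10.10.2", ad=200)    # floating static, hidden while RIP is up
    rt.add("S", "0.0.0.0/0", iface="Serial0/0/0")              # quad-zero default route
    return rt


if __name__ == "__main__":
    r1 = build_r1()
    print("\n".join(r1.show()))
    print("192.168.3.7 ->", r1.exit_interface("192.168.3.7"))      # via 192.168.2.2 -> Serial0/0/0
    print("209.165.201.1 ->", r1.exit_interface("209.165.201.1"))  # only the default matches
    r1.withdraw("R", "192.168.4.0/24")                             # RIP route lost
    print("192.168.4.9 ->", r1.exit_interface("192.168.4.9"))      # floating static -> Serial0/0/1
```

The `depth` guard in `exit_interface` is the one thing a real implementation needs that the pages do not mention: a next-hop static whose next hop is only reachable through itself would otherwise recurse forever.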

0.16. Serial0/0/0 C172.16.2. Click the Packet Tracer icon to begin.0. Serial0/0/0 Page 2: Packet Tracer Activity Configure a default route to forward traffic from the enterprise routers to the ISP.Default Routes The diagram depicts H1 connected to switch S1.2 Routing Using the RIP Protocol 5.0 to network 0. the border router can send a default route to the other routers as part of a dynamic routing update.0.0.0 172. This information appears in the routing tables of all routers.0 0.0 s0/0/0 R1 (config) # end R1 # show IP route [output omitted] Gateway of last resort is 0.0.0 /0 is directly connected. This is the stub network with the network address 172.3.Default Routes Link to Packet Tracer Exploration: Configuring Default Routes 5.0 is directly connected. 5.1. R1 (config) # IP route 0. sends the traffic to the ISP. FastEthernet0/0 S0.0.3. the link from R2 to R1 is a static route. 5. the stub router. This route identifies the last stop within the enterprise as the Gateway of Last Resort for packets that cannot be matched.5 .2.0. which is connected to F A 0 /0 of router. If the enterprise uses a dynamic routing protocol.0.0 /24 is subnetted.0.The final default route.5 . R1.1.0.1 Distance Vector Routing Protocols Page 1: .0 /24. located on the border router.16.0 is directly connected. 2 subnets C172.0. is connected to S0/0/0 of router R2 on the network. R1.16. The link from R1 to R2 is a default route.
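The two selection rules described above (longest-prefix match, with the quad-zero route used only when no better match exists, and the floating static route held back until the lower-AD dynamic route disappears) can be shown together in a small routing-table model. The following is an added example, not code from the course; the network addresses follow the floating static route animation, while the default-route next hop and the route-source labels are assumptions.

```python
"""Added example (not the course's own code): longest-prefix lookup with a
quad-zero default route, plus administrative-distance selection between a
RIP-learned route and a floating static backup for the same prefix."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network   # 0.0.0.0/0 is the quad-zero default route
    next_hop: str         # next-hop address (an exit interface would behave the same)
    ad: int               # administrative distance: static 1, RIP 120, floating static > 120
    source: str           # label for the route source (assumed names)


class RoutingTable:
    def __init__(self):
        self._candidates = []   # every route offered to the table, before AD selection

    def add(self, prefix, next_hop, ad, source):
        self._candidates.append(Route(IPv4Network(prefix), next_hop, ad, source))

    def withdraw(self, prefix, source):
        """Remove a route, e.g. when the dynamic protocol loses the path."""
        net = IPv4Network(prefix)
        self._candidates = [r for r in self._candidates
                            if not (r.prefix == net and r.source == source)]

    def installed(self):
        """For each prefix keep only the lowest-AD candidate, so the floating
        static route stays out of the table while the RIP route is present."""
        best = {}
        for r in self._candidates:
            if r.prefix not in best or r.ad < best[r.prefix].ad:
                best[r.prefix] = r
        return sorted(best.values(), key=lambda r: -r.prefix.prefixlen)

    def lookup(self, address):
        """Longest-prefix match. The /0 route matches every address, so it is
        chosen only when no longer prefix matches."""
        addr = IPv4Address(address)
        for r in self.installed():          # sorted longest prefix first
            if addr in r.prefix:
                return r
        return None


def build_r1():
    """R1 from the animation: a RIP route via R4 (AD 120), a floating static
    backup via R2 (AD 150), and a default route toward R2 (assumed)."""
    rt = RoutingTable()
    rt.add("209.165.201.0/27", "10.40.40.2", 120, "RIP")
    rt.add("209.165.201.0/27", "10.10.10.2", 150, "floating static")
    rt.add("0.0.0.0/0", "10.10.10.2", 1, "static default")
    return rt


def failover_demo():
    """Return (next hop before the R1-R4 link fails, next hop after RIP withdraws
    the route, source used for an address only the default route matches)."""
    rt = build_r1()
    before = rt.lookup("209.165.201.4").next_hop
    unmatched = rt.lookup("198.51.100.7").source
    rt.withdraw("209.165.201.0/27", "RIP")      # the dynamic route disappears
    after = rt.lookup("209.165.201.4").next_hop
    return before, after, unmatched


if __name__ == "__main__":
    print(failover_demo())   # ('10.40.40.2', '10.10.10.2', 'static default')
```

The model keeps every candidate route and only filters by administrative distance at lookup time, which is why the floating static route is never consulted while the RIP route exists and is picked up automatically once that route is withdrawn.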

Dynamic routing protocols are classified into two major categories: distance vector protocols and link-state protocols. Distance vector protocols calculate the best route based on the distance from a router to a network, which is the number of routers, or hops, between the router and the destination. Routers running distance vector routing protocols share network information with directly connected neighbors. The neighbor routers then advertise the information to their neighbors, until all routers in the enterprise learn the information. This method of moving routing information through large networks is slow. At any given moment, some routers may not have the most current information about the network. This limits the scalability of the protocols and causes issues such as routing loops.

A router running a distance vector protocol does not know the entire path to a destination; it only knows the distance to the remote network and the direction, or vector. Its knowledge comes through information from directly connected neighbors. Like all routing protocols, distance vector protocols use a metric to determine the best route. An example of a metric used is hop count. If a router learns more than one route to a destination, it calculates and advertises the route with the lowest metric. Routers using distance vector protocols broadcast or multicast their entire routing table to their neighbors at regular intervals.

5.2.1 - Distance Vector Routing Protocol
The diagram depicts two routers labeled R1 and R2 that are linked by a serial link. R2 has a network connected and configured with the network address 172.16.3.0/24. For R1, 172.16.3.0/24 is one hop away (distance). It can be reached via S0/0/0 and through R2. The following two equations are stated in the diagram: Distance = How Far; Vector = Direction. There is an arrow pointing in the direction of R2.

Page 2: Distance vector protocols usually require less complicated configurations and management than link-state protocols. They can run on older, less powerful routers and require lower amounts of memory and processing.

5.2.1 - Distance Vector Routing Protocol
The diagram depicts the advantages and disadvantages of distance vector routing protocols, as follows:
Advantages
• Simple implementation and maintenance
• Low resource requirements
Disadvantages
• Slow convergence
• Limited scalability
• Routing loops

5.2.2 Routing Information Protocol (RIP)
Page 1: Routing Information Protocol (RIP) was the first IP distance vector routing protocol to be standardized in an RFC (RFC 1058 in 1988). The first version of RIP is now often called RIPv1 to distinguish it from the later improved version, RIPv2, and from the IPv6 version, RIPng. RIPng, the newest version of RIP, was specifically designed to support IPv6. RIP versions 1 and 2 are true distance vector protocols, whereas EIGRP is actually a distance vector protocol with advanced capabilities.

RIPv1 is a classful routing protocol. It automatically summarizes subnets to the classful boundary and does not send subnet mask information in the update. Therefore RIPv1 does not support VLSM and CIDR. A router configured with RIPv1 either uses the subnet mask configured on a local interface, or applies the default subnet mask based on the address class. Due to this limitation, the subnets of the networks that RIPv1 advertises should not be discontiguous if correct routing is to occur. For example, a router configured with interfaces as the gateways for the 172.16.1.0/24 and 172.16.4.0/24 subnets will advertise only the 172.16.0.0 Class B network with RIPv1. Another router receiving this update will therefore list the 172.16.0.0 network in its routing table. This means packets with an actual destination subnet address of 172.16.2.0 could mistakenly be forwarded to the advertising router and therefore not arrive at the correct destination subnet. By default RIPv1 broadcasts its routing updates out all active interfaces every 30 seconds.

5.2.2 - Routing Information Protocol (RIP)
The diagram depicts a small network. Two routers are connected via serial link on network 172.16.4.0/24. There is a network connected to FA0/0 of R1 with the network address 172.16.1.0/24.

The following commands are an attempt to configure RIPv1 to advertise subnets:

R1(config)# router rip
R1(config-router)# network 172.16.1.0
R1(config-router)# network 172.16.4.0

Actual configuration showing summarized network to be advertised:
R1# show running-config
[output omitted]
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
!
[output omitted]
!
interface Serial0/0/0
 ip address 172.16.4.1 255.255.255.0
!
[output omitted]
!
router rip
 network 172.16.0.0
Note: Summarized network Class B advertised, not separate subnets

Page 2: RIPv2 has many of the features of RIPv1. It also includes important enhancements. RIPv2 is a classless routing protocol that supports VLSM and CIDR. A subnet mask field is included in v2 updates, which allows the use of discontiguous networks. RIPv2 also has the ability to turn off automatic summarization of routes.

Both versions of RIP send their entire routing table out all participating interfaces in updates. RIPv1 broadcasts these updates to 255.255.255.255. This requires all devices on a broadcast network like Ethernet to process the data. RIPv2 multicasts its updates to 224.0.0.9. Multicasts take up less network bandwidth than broadcasts. Devices that are not configured for RIPv2 discard multicasts at the Data Link Layer.

RIPv2 has an authentication mechanism, whereas RIPv1 does not. Attackers often introduce invalid updates to trick a router into sending data to the wrong destination or to seriously degrade network performance. Invalid information can also end up in the routing table due to poor configuration or a malfunctioning router. Encrypting routing information hides the content of the routing table from any routers that do not possess the password or authentication data.

5.2.2 - Routing Information Protocol (RIP)
The diagram depicts a small network. Two routers are connected via serial link on network 192.168.1.0/24. There is a network connected to FA0/0 of R1 with the network address 192.168.2.0/24. Two networks are also connected to FA0/0 and FA0/1 of R2, 192.168.3.0/24 and 192.168.4.0/24.

The diagram also contains the console output of R1. Attention is drawn to the lines that show the two versions of RIP being used. One is multicast, RIP version 2, marked with three asterisks, ***. The other is broadcast, RIP version 1, marked with three number signs, ###.

R1#
*** Aug 30 04:37:11:115: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.2.1)
*** Aug 30 04:37:11:115: RIP: build update entries
*** Aug 30 04:37:11:115:      192.168.1.0/24 via 0.0.0.0, metric 1, tag 0
*** Aug 30 04:37:11:115: RIP: sending v2 update to 224.0.0.9 via Serial0/0/0 (192.168.1.1)
*** Aug 30 04:37:11:115: RIP: build update entries
*** Aug 30 04:37:11:115:      192.168.2.0/24 via 0.0.0.0, metric 1, tag 0
### Aug 30 04:37:11:115: RIP: sending v1 update to 255.255.255.255 via Serial0/0/0 (192.168.1.1)
### Aug 30 04:37:11:115: RIP: build update entries
### Aug 30 04:37:11:115:      network 192.168.2.0 metric 1

Page 3: Although RIPv2 provides many enhancements, it is not an entirely different protocol. RIPv2 shares many of the features found in RIPv1, such as:
• Hop-count metric
• 15-hop maximum
• TTL equals 16 hops
• Default 30-second update interval
• Route poisoning, split horizon, poisoned reverse, and holddowns to avoid loops
• Updates using UDP port 520
• Administrative distance of 120
• Message header containing up to 25 routes without authentication

When a router starts up, each RIP-configured interface sends out a request message. This message requests that all RIP neighbors send their complete routing tables. RIP-enabled neighbors send a response message that includes known network entries. The receiving router evaluates each route entry based on the following criteria:
• If a route entry is new, the receiving router installs the route in the routing table.
• If the route is already in the table and the entry comes from a different source, the routing table replaces the existing entry if the new entry has a better hop count.
• If the route is already in the table and the entry comes from the same source, it replaces the existing entry even if the metric is not better.

The startup router then sends a triggered update out all RIP-enabled interfaces containing its own routing table. RIP neighbors are informed of any new routes.

5.2.2 - Routing Information Protocol (RIP)
The diagram depicts three routers labeled R1, R2, and R3. The routers are directly connected to each other through serial links. The serial link between R1 and R2, the serial link between R2 and R3, and the Fast Ethernet LANs of R1 and R3 are each assigned a network in the 10.0.0.0 address space. All three routers send requests out of all ports to all hosts connected on the network. On response to the request message, the routers take note of the source IP address and the hop count metric used to get to the destination networks. The router recalculates the hop count looking at the shortest path to the intended destination, and forwards based on that hop count to the network required.

Page 4: As long as routers send and process the correct versions of routing updates, RIPv1 and RIPv2 are completely compatible. By default, RIPv1 sends version 1 updates, but receives both versions 1 and 2. By default, RIPv2 sends and receives only version 2 updates.

Within an enterprise, it may be necessary to use both versions of RIP. For example, part of the network may be migrating to RIPv2, whereas another part may be staying with RIPv1. If a network must use both versions of RIP, the network administrator configures RIPv2 to send and receive both versions 1 and 2. Overriding the global RIP configuration with interface-specific behavior allows routers to support both versions of RIP. To customize the global configuration of an interface, use the following interface configuration commands:
ip rip send version <1 | 2 | 1 2>
ip rip receive version <1 | 2 | 1 2>

5.2.2 - Routing Information Protocol (RIP)
The diagram depicts the same network as previously described in Diagram 2 of this section. The command show ip protocols is executed and the output of this command is given below. Items of interest in this diagram are marked with three asterisks.

R1# show ip protocols
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 16 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: send version 2, receive version 2
***    Interface             Send  Recv  Triggered RIP  Key-chain
***    FastEthernet0/0       2     2
***    Serial0/0/0           1 2   2
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    192.168.1.0
    192.168.2.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    192.168.1.2          120      00:00:03
  Distance: (default is 120)

Page 5:
5.2.2 - Routing Information Protocol (RIP)
The diagram depicts an activity in which you must decide whether the characteristics listed below are applicable to RIPv1, RIPv2, or both.
One. Hop-count metric.
Two. Administrative distance of 120.
Three. Uses route poisoning, split horizon, poison reverse, and holddowns to avoid loops.
Four. Default 30 second update interval.
Five. Broadcast updates.
Six. Supports VLSM.
Seven. Sends subnet mask in routing updates.
Eight. Automatic route summarization.
Nine. No authentication.

5.2.3 Configuring RIPv2
Page 1: Before configuring RIPv2, assign IP addresses and masks to all interfaces that participate in routing. Set the clock rate where necessary on serial links. After the basic configurations are complete, configure RIPv2. The basic RIPv2 configuration consists of three commands:
Router(config)#router rip
• Enables the routing protocol
Router(config-router)#version 2
• Specifies the version

Router(config-router)#network [network address]
• Identify each directly connected network that should be advertised by RIP

By default, RIPv2 will summarize each network to be advertised to its classful boundary, as the graphic shows. RIPv2 updates can be configured to be authenticated. RIPv2 propagates a default route to its neighbor routers as part of its routing updates. To accomplish this, create the default route and then add redistribute static to the RIPv2 configuration.

5.2.3 - Configuring RIPv2
The diagram depicts three routers named R1, R2, and R3. R1 has a single network connected and the network address for this network is 192.168.1.0/24. The serial interface of R1 is connected by serial link to R2 on network address 10.10.0.0/30. R2 has a network connected to its Fast Ethernet port and this network address is 172.27.10.0/24. R2 connects to R3 via serial ports with the network address 10.10.0.4/30. R3 has all three of its Fast Ethernet ports in use with network addresses 10.10.10.0/24, 10.20.20.0/24, and 10.30.30.0/24. The RIP configuration statements for each router are as follows:

Router R1
R1(config)# router rip
R1(config-router)# version 2
R1(config-router)# network 192.168.1.0
R1(config-router)# network 10.10.0.0

Router R2
R2(config)# router rip
R2(config-router)# version 2
R2(config-router)# network 172.27.10.0
R2(config-router)# network 10.10.0.0

Router R3
R3(config)# router rip
R3(config-router)# version 2
R3(config-router)# network 10.20.20.0

Page 2:

Lab Activity
Configuring RIPv2 with VLSM addressing scheme and a default route. Click the lab icon to begin.

5.2.3 - Configuring RIPv2
Link to Hands-on Lab: Configuring RIPv2 with VLSM and Default Route Propagation

5.2.4 Problems with RIP
Page 1: Various performance and security issues arise when using RIP. The first issue concerns routing table accuracy. Enterprise networks typically use classless IP addressing and a variety of subnets, some of which are not directly connected to each other, which creates discontiguous subnets. Both versions of RIP automatically summarize subnets on the classful boundary. This means that RIP recognizes subnets as a single Class A, B, or C network. Unlike RIPv1, with RIPv2 the automatic summarization feature can be disabled. This is done to ensure a more accurate routing table. To accomplish this, add the no auto-summary command to the RIPv2 configuration. When disabled, RIPv2 will report all subnets with subnet mask information.
Router(config-router)#no auto-summary

5.2.4 - Problems with RIP
The diagram depicts three routers arranged in a triangular topology. At the top of the triangle is router R2 with a switch directly connected on a network in the 10.0.0.0 address space. The two serial ports of R2 are in use and are connected by serial link to R1 and R3. R1 and R3 each have a switch directly connected with a subnet of 172.30.0.0/16 assigned. The two serial links to R2 show incoming messages from R1 and R3 to R2 as RIP updates. These updates advertise the two directly connected networks that are connected to switches on both R1 and R3. The RIP update from R1 says, "172.30.1.0/24, 1 hop." The RIP update from R3 says, "172.30.2.0/24, 1 hop." Since this is RIPv2 and automatic summarization is disabled, each router advertises the 24-bit subnet instead of the summarized Class B network 172.30.0.0/16.

Page 2: Another issue to consider is the broadcast nature of RIP updates. As soon as the RIP configuration lists a network command for a given network, RIP immediately begins to send advertisements out all interfaces that belong to that network. These updates may not be needed on all portions of a network. For example, an Ethernet LAN interface passes these updates to every device on its network segment, which produces unnecessary traffic. The routing update could also be intercepted by any device. This makes the network less secure.

The passive-interface command, issued in router configuration mode, disables routing updates on specified interfaces. In complex enterprise networks running more than one routing protocol, the passive-interface command defines which routers learn RIP routes. When the number of interfaces advertising RIP routes is limited, security and traffic control increase.
Router(config-router)#passive-interface interface-type interface-number

5.2.4 - Problems with RIP
The diagram depicts three routers labeled R1, R2, and R3. They are arranged in a triangular configuration with serial links from R1 to R2, R2 to R3, and R3 to R1. The interfaces connecting the link between R1 and R2 are set to be passive, so no routing table updates are sent between R1 and R2. The RIP updates from all routers pass over the link between R1 and R3 and the link between R3 and R2.

Page 3: A network running RIP needs time to converge. Some routers may contain incorrect routes in their routing tables until all routers have updated and have the same view of the network. Routing loops negatively affect network performance. Erroneous network information may cause routing updates and traffic to loop endlessly as they count to infinity. In the RIP routing protocol, infinity occurs when the hop count is 16. RIP contains several features designed to combat this impact. These features are often used in combination:

• Poisoned reverse
• Split horizon
• Holddown timer
• Triggered updates

Poisoned reverse sets the metric for a route to 16, making it unreachable. If a network is down, a router changes the metric for that route to 16 so that all other routers see it as unreachable, effectively poisoning the route. This feature prevents the routing protocol from sending information via poisoned routes. Because RIP defines infinity as 16 hops, any network further away than 15 hops is unreachable.

5.2.4 - Problems with RIP
The diagram depicts three routers labeled R1, R2, and R3 that are linked in a chain via serial links. R1 FA0/0 is connected to a LAN with the network address 10.1.0.0. R1 and R2 are linked by serial port with the network address 10.2.0.0. The second serial connection of R2 is linked to R3 by serial port with the network address 10.3.0.0. The FA0/0 port of R3 has the network address 10.4.0.0 connected to a LAN. The routing tables for each router are listed below, with the following column headers: Network, Interface, Hop.

R1 Routing Table
Network Interface Hop
10.1.0.0 FA0/0 0
10.2.0.0 S0/0/0 0
10.3.0.0 S0/0/0 1
10.4.0.0 S0/0/0 2

R2 Routing Table
Network Interface Hop
10.2.0.0 S0/0/0 0
10.1.0.0 S0/0/0 1
10.3.0.0 S0/0/1 0
10.4.0.0 S0/0/1 1

R3 Routing Table
Network Interface Hop
10.4.0.0 FA0/0 0
10.3.0.0 S0/0/0 0
10.2.0.0 S0/0/0 1
10.1.0.0 S0/0/0 2

Routing Loop
Network 10.4.0.0 goes down on R3. Before R3 can send updates to R2, R2 sends an update to R3. R1 sends a data packet to the 10.4.0.0 network. The packet bounces between R2 and R3 because of incorrect routing table information.

Count to Infinity
Network 10.4.0.0 goes down on R3. Before R3 can send updates to R2, R2 sends an update to R3. R2 sends an update to R1. R1 sends an update to R2. R2 sends an update to R3.

R3 sends an update to R2. R2 sends an update to R1. R1 sends an update to R2. R2 sends an update to R3. R1 sends an update to R2. R2 sends an update to R1. R1 sends an update to R2. R2 sends an update to R3. R3 sends an update to R2. R2 sends an update to R1. Network 10.4.0.0 exceeds 16 hops.

Page 4: The anti-loop features of RIP add stability to the protocol, but also add to convergence time. When multiple routers advertise the same network routes to each other, routing loops may form. Split horizon dictates that a router receiving routing information on an interface cannot send an update about that same network back out the same interface. Split horizon prevents the formation of loops.

The holddown timer refuses to accept route updates with a higher metric to the same destination network for a period after a route goes down. The default holddown time is 180 seconds, six times the regular update period. The default can be changed. If, during the holddown period, the original route comes back up or the router receives route information with a lower metric, the router installs the route in the routing table and immediately begins to use it. The holddown timer stabilizes routes. However, any holddown period increases the convergence time and has a negative impact on network performance.

When a route fails, RIP does not wait for the next periodic update. Instead, RIP sends an immediate update, called a triggered update. It advertises the failed route by increasing the metric to 16. This update places the route in holddown status while RIP attempts to locate an alternate route with a better metric.

5.2.4 - Problems with RIP
The diagram depicts two routers labeled R1 and R2. They are linked by serial link with the network address 192.168.1.0. R1 has a network connected to its Fast Ethernet interface, network address 192.168.2.0. R2 has a network connected to its Fast Ethernet interface, network address 192.168.3.0.

Split Horizon
Update to networks 192.168.1.0 and 192.168.2.0 just received. Only send update for 192.168.3.0.

Hold-down Timer
Network 192.168.2.0 goes down. Network 192.168.2.0 is unreachable. R2 starts a holddown timer. R1 sends an update to R2 showing network 192.168.2.0 as still reachable but at a higher metric than what R2 has. R2 will not update its routing table because the holddown timer has not expired.
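The count-to-infinity sequence in the diagram, and the way split horizon with poisoned reverse cuts it short, can be reproduced with a few dozen lines that apply the RIP acceptance rules stated earlier in this section (install if new; replace a different source's entry only for a better hop count; always replace an entry from the same source). This is an added example, not the course's own material; the three-router chain, its 10.x.0.0 networks and the order of the exchanges are taken from the diagram and otherwise assumed.

```python
"""Added example (not the course's own code): a RIP-style distance-vector
simulation on the chapter's R1 -- R2 -- R3 chain, showing count-to-infinity
after R3's LAN fails and how split horizon with poisoned reverse prevents it."""
INFINITY = 16   # in RIP a hop count of 16 means unreachable

# Constructed topology (an assumption mirroring the diagram): R1's LAN is 10.1.0.0,
# the R1-R2 link 10.2.0.0, the R2-R3 link 10.3.0.0, and R3's LAN 10.4.0.0.
CONNECTED = {
    "R1": ["10.1.0.0", "10.2.0.0"],
    "R2": ["10.2.0.0", "10.3.0.0"],
    "R3": ["10.3.0.0", "10.4.0.0"],
}
NEIGHBORS = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2"]}


def initial_tables():
    """table[router][network] = (hop_count, learned_from); None = directly connected."""
    return {r: {net: (0, None) for net in nets} for r, nets in CONNECTED.items()}


def build_update(tables, sender, receiver, split_horizon):
    """Entries the sender advertises to one neighbor. With split horizon and
    poisoned reverse, routes learned from that neighbor go back with metric 16."""
    return {net: (INFINITY if split_horizon and via == receiver else hops)
            for net, (hops, via) in tables[sender].items()}


def process_update(tables, receiver, sender, update):
    """The RIP acceptance rules from the text: install a new route, replace a
    different source's route only for a better hop count, and always replace a
    route that came from the same source (even with a worse metric)."""
    table = tables[receiver]
    for net, hops in update.items():
        new = min(hops + 1, INFINITY)
        cur = table.get(net)
        if cur is None or new < cur[0] or cur[1] == sender:
            table[net] = (new, sender)


def snapshot(tables):
    return {r: dict(t) for r, t in tables.items()}


def converge(tables, split_horizon, max_passes=20):
    """Exchange updates between all neighbors until nothing changes."""
    for _ in range(max_passes):
        before = snapshot(tables)
        for sender, neighbors in NEIGHBORS.items():
            for receiver in neighbors:
                process_update(tables, receiver, sender,
                               build_update(tables, sender, receiver, split_horizon))
        if tables == before:
            return tables
    raise RuntimeError("did not converge")


def run_failure_scenario(split_horizon):
    """R3's LAN fails after convergence. Return R2's hop count to 10.4.0.0 after each
    exchange cycle until the tables stop changing. The cycle follows the diagram:
    R2 updates R3 before R3 can report the failure, then R3->R2, R2->R1, R1->R2."""
    tables = converge(initial_tables(), split_horizon)
    tables["R3"]["10.4.0.0"] = (INFINITY, None)      # the LAN goes down on R3
    cycle = [("R2", "R3"), ("R3", "R2"), ("R2", "R1"), ("R1", "R2")]
    trace = []
    for _ in range(40):
        before = snapshot(tables)
        for sender, receiver in cycle:
            process_update(tables, receiver, sender,
                           build_update(tables, sender, receiver, split_horizon))
        if tables == before:
            break
        trace.append(tables["R2"]["10.4.0.0"][0])
    return trace


if __name__ == "__main__":
    print("without split horizon:", run_failure_scenario(False))  # climbs 3, 5, ... 15, 16
    print("with split horizon:   ", run_failure_scenario(True))   # [16]
```

Without split horizon, R2 keeps re-learning the dead network from R3 (same source, so the worse metric is accepted) while R3 learns it back from R2, and the hop count climbs by two per cycle until it hits 16. With poisoned reverse, R2 already advertises the network back to R3 as unreachable in the very first exchange, so R3 never installs the stale route and every router reaches 16 in one cycle.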

Page 5: Packet Tracer Activity
Route between discontiguous networks with RIP. Click the Packet Tracer icon to begin.

5.2.4 - Problems with RIP
Link to Packet Tracer Exploration: Routing Between Discontiguous Networks

5.2.5 Verifying RIP
Page 1: RIPv2 is a simple protocol to configure. However, errors and inconsistencies can occur on any network. There are many show commands to assist the technician in verifying a RIP configuration and troubleshooting RIP functionality. The show ip protocols and show ip route commands are important for verification and troubleshooting on any routing protocol. The following commands specifically verify and troubleshoot RIP:
• show ip rip database: Lists all the routes known by RIP
• debug ip rip or debug ip rip {events}: Displays RIP routing updates as sent and received in real time

The output of this debug command displays the source address and interface of each update, as well as the version and the metric.

Do not use the debug commands more than necessary. Debugging consumes bandwidth and processing power, which slows network performance. The show running-config command provides a convenient method of verifying that all commands were entered correctly. The ping command can be used to test for end-to-end connectivity.

5.2.5 - Verifying RIP
The diagram depicts a man sitting in front of his computer at his desk. The man says, "I want to view the RIP updates as they happen." The debug ip rip command is issued and displays the output below:

Aug 30 04:37:11:115: RIP: received v1 update from 172.16.2.2 on Serial0/0/0
Aug 30 04:37:11:115:      172.16.3.0 in 1 hops
Aug 30 04:37:11:115:      172.16.4.0 in 1 hops
Aug 30 04:37:11:115: RIP: received v2 update from 172.16.2.2 on Serial0/0/0
Aug 30 04:37:11:115:      172.16.3.0/24 via 0.0.0.0 in 1 hops
Aug 30 04:37:11:115:      172.16.4.0/24 via 0.0.0.0 in 1 hops
Aug 30 04:37:11:115: RIP: sending v1 update to 255.255.255.255 via FastEthernet0/0 (192.168.1.1)
Aug 30 04:37:11:115: RIP: build update entries
Aug 30 04:37:11:115:      subnet 172.16.2.0 metric 1
Aug 30 04:37:11:115:      subnet 172.16.3.0 metric 2
Aug 30 04:37:11:115:      subnet 172.16.4.0 metric 2
Aug 30 04:37:11:115: RIP: sending v1 update to 255.255.255.255 via Serial0/0/0 (172.16.2.1)
Aug 30 04:37:11:115: RIP: build update entries
Aug 30 04:37:11:115:      subnet 192.168.1.0 metric 1
Aug 30 04:37:11:115: RIP: sending v2 update to 224.0.0.9 via Serial0/0/0 (172.16.2.1)
Aug 30 04:37:11:115: RIP: build update entries
Aug 30 04:37:11:115:      192.168.1.0/24 via 0.0.0.0, metric 1, tag 0

Page 2: Packet Tracer Activity
Troubleshoot and correct RIPv2 problems. Click the Packet Tracer icon to begin.

5.2.5 - Verifying RIP
Link to Packet Tracer Exploration: Troubleshoot RIPv2

5.3 Routing Using the EIGRP Protocol
5.3.1 Limitations of RIP
Page 1: The RIP distance vector routing protocol is easy to configure and requires minimal amounts of router resources in order to function. However, the simple hop count metric used by RIP is not an accurate way to determine the best path in complex networks. Additionally, the RIP limitation of 15 hops can mark distant networks as unreachable.

RIP issues periodic updates of its routing table, even when no network changes have occurred, which consumes bandwidth. Routers must accept these updates and process them to see if they contain updated route information, which wastes valuable bandwidth. Updates passed from router to router take time to reach all areas of the network. As a result, routers may not have an accurate picture of the network. Routing loops can develop due to slow convergence time. These characteristics limit the usefulness of the RIP routing protocol within the enterprise environment.

5.3.1 - Limitations of RIP
The diagram depicts two hosts connected to each other via a chain of 17 routers. The first host sends a packet to the second host. When the hop count on the packet reaches 15, the maximum hop count, it is discarded and not forwarded to the next router. The router where the packet was discarded sends a message back to the sending host that says, "Destination unreachable."

5.3.2 Enhanced Interior Gateway Routing Protocol (EIGRP)
Page 1:

The limitations of RIP led to the development of more advanced protocols. Networking professionals required a protocol that would support VLSM and CIDR, scale easily, and provide faster convergence in complex enterprise networks. To achieve these goals, Cisco developed EIGRP as a proprietary distance vector routing protocol. EIGRP shares some of the features of RIP. It has enhanced capabilities that address many of the limitations of other distance vector protocols. EIGRP contains many features that are not found in any other routing protocols. Although configuring EIGRP is relatively simple, the underlying features and options are complex.

EIGRP uses a different method than RIP for calculating the best route. The metric used is a composite metric that primarily considers bandwidth and delay. This metric is more accurate than hop count in determining the distance to a destination network. For these reasons, the administrative distance of EIGRP is 90, whereas the administrative distance of RIP is 120. The lower number reflects the increased reliability of EIGRP and the increased accuracy of the metric. If a router learns routes to the same destination from both RIP and EIGRP, it chooses the EIGRP route over the route learned through RIP.

5.3.2 - Enhanced Interior Gateway Routing Protocol (EIGRP)
The diagram depicts a list of EIGRP characteristics:
• Supports VLSM and classless routing
• Uses a composite metric
• Uses the DUAL algorithm to prevent routing loops
• Uses bounded updates for fast convergence
• Maintains multiple tables
• Forms neighbor adjacencies
• Maintains successor and feasible successor routes
• Accommodates equal and unequal cost load balancing
• Uses multiple packet types for stability and fast convergence
• Supports multiple network layer protocols
• Uses RTP for Layer 4 support

Page 2: The two main goals of EIGRP are to provide a loop-free routing environment and rapid convergence, while employing many advanced features. The Diffusing Update Algorithm (DUAL) used by EIGRP guarantees loop-free operation while it calculates routes. When a change occurs in the network topology, DUAL synchronizes all affected routers simultaneously. All of these factors make EIGRP an excellent choice for large, multi-protocol networks that employ primarily Cisco devices.

EIGRP tags routes learned from another routing protocol as external. Because the information used to calculate these routes is not as reliable as the metric of EIGRP, it attaches a higher administrative distance to the routes. The EIGRP routing table reports routes learned both inside and outside the local system. EIGRP can display more than one routing table because it can collect and maintain routing information for a variety of routed protocols, such as IP and IPX.

5.3.2 - Enhanced Interior Gateway Routing Protocol (EIGRP)
The diagram depicts a table with administrative distance information for each route source, as follows:
Route Source: Connected. Administrative Distance: 0.
Route Source: Static. Administrative Distance: 1.
Route Source: EIGRP summary route. Administrative Distance: 5.
Route Source: External BGP. Administrative Distance: 20.
Route Source: Internal EIGRP. Administrative Distance: 90.
Route Source: IGRP. Administrative Distance: 100.
Route Source: OSPF. Administrative Distance: 110.
Route Source: IS-IS. Administrative Distance: 115.
Route Source: RIP. Administrative Distance: 120.
Route Source: External EIGRP. Administrative Distance: 170.
Route Source: Internal BGP. Administrative Distance: 200.

Page 3: EIGRP is a good choice for complex enterprise networks that are composed primarily of Cisco routers. Its maximum hop count of 255 supports large networks. Unlike other distance vector protocols, EIGRP does not send complete tables in its updates. EIGRP multicasts partial updates about specific changes to only those routers that need the information, not to all routers in the area. These are called bounded updates because they reflect specific parameters.

Instead of sending periodic routing updates, EIGRP sends small hello packets to maintain knowledge of its neighbors. Hello packets continue to maintain neighbor relationships. Since they are limited in size, both bounded updates and hello packets save bandwidth while keeping network information fresh.

5.3.2 - Enhanced Interior Gateway Routing Protocol (EIGRP)
The diagram depicts router R1 connected to network 10.1.0.0/24 via port FA0/0. R1 is also connected via S0/0/0 to the S0/0/0 port of R2 on network 10.2.0.0/24. R2 is connected via S0/0/1 to the S0/0/1 port of R3 on network 10.3.0.0/24. R3 is connected via FA0/0 to network 10.4.0.0/24.

R1 Routing Table
C 10.1.0.0/24 FA0/0
C 10.2.0.0/24 S0/0/0
D 10.3.0.0/24 S0/0/0
D 10.4.0.0/24 S0/0/0

R2 Routing Table
D 10.1.0.0/24 S0/0/0
C 10.2.0.0/24 S0/0/0
C 10.3.0.0/24 S0/0/1
D 10.4.0.0/24 S0/0/1

R3 Routing Table
D 10.1.0.0/24 S0/0/1
D 10.2.0.0/24 S0/0/1
C 10.3.0.0/24 S0/0/1
C 10.4.0.0/24 FA0/0

EIGRP sends a bounded update to alert neighbors that 10.4.0.0 is down.

Page 4:
5.3.2 - Enhanced Interior Gateway Routing Protocol (EIGRP)
The diagram depicts an activity in which you must decide if the following features belong to RIP or EIGRP.
One. Uses only the hop count metric.
Two. Maximum limit of 15 hops.
Three. Has an administrative distance of 120.
Four. Broadcast or multicasts updates every 30 seconds.
Five. Only version 2 supports VLSM and classless routing.
Six. Uses a composite metric.
Seven. Sends hello packets.
Eight. Maintains multiple tables.
Nine. Forms neighbor adjacencies.
Ten. Maximum limit of 255 hops.

5.3.3 EIGRP Terminology and Tables

Page 1: To store network information from the updates and support rapid convergence, EIGRP maintains multiple tables. EIGRP routers keep route and topology information readily available in RAM so that they can react quickly to changes. EIGRP maintains three interconnected tables:
• Neighbor table
• Topology table
• Routing table

Neighbor Table
The neighbor table lists information about directly connected neighbor routers. EIGRP records the address of a newly discovered neighbor and the interface that connects to it. When a neighbor sends a hello packet, it advertises a hold time. The hold time is the length of time that a router treats a neighbor as reachable. If a hello packet is not received within the hold time, the timer expires and DUAL recalculates the topology. Since fast convergence depends on accurate neighbor information, this table is crucial to EIGRP operation.

5.3.3 - EIGRP Terminology and Tables The diagram depicts a router, R1, with an Ethernet network on interface FA0/0. R1 is also connected via S0/0/0 to the S0/0/0 port of R2. R2 is connected via S0/0/1 to the S0/0/1 port of R3. The R3 Ethernet network is on interface FA0/0. Hello packets are sent at regular intervals between EIGRP neighbors to maintain adjacency. R3 stops sending hello packets to R2. R2 thinks, "My neighbor has not sent a hello for 15 seconds. My hold timer has expired." When the timer expires, R2 thinks, "R3 must be down. R3 is no longer my neighbor. DUAL needs to recalculate routes I learned from R3."

Page 2: Topology Table
The topology table lists all routes learned from each EIGRP neighbor. DUAL takes the information from the neighbor and topology tables and calculates the lowest cost routes to each network.

The topology table identifies up to four primary loop-free routes for any one destination. These successor routes appear in the routing table. EIGRP load balances, or sends packets to a destination using more than one path. It load balances using successor routes that are both equal cost and unequal cost. This feature avoids overloading any one route with packets.

Backup routes, called feasible successors, appear in the topology table but not in the routing table. If a primary route fails, a feasible successor becomes a successor route. This backup occurs as long as the feasible successor has a lower reported distance than the feasible distance of the current successor to the destination.

5.3.3 - EIGRP Terminology and Tables The diagram depicts the output of the show ip eigrp topology command on R2 and a brief description of each field. The output begins:
R2# show ip eigrp topology
IP-EIGRP Topology Table for AS(1)/ID(192.168.10.9)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status
Each entry then gives the route status, the destination network, the number of successors, the feasible distance and, for each path, the next-hop address followed by the feasible distance and reported distance via that neighbor in parentheses, and the outbound interface, for example:
P 172.16.1.0/24, 1 successors, FD is 20514560 via 172.16.3.1 (20514560/28160), Serial0/0/0
Directly connected networks show "via Connected" in place of a next-hop address, and a destination with 2 successors lists both paths, one per line.

Destination Network: Address of the destination network.
Feasible Distance: The lowest calculated metric to the destination.
Reported Distance: The distance to the destination as reported by a neighbor.
Route Status: Whether the route is stable and ready for use (passive) or being recalculated by DUAL (active).

Number of Successors: Number of equal cost paths with the lowest metric to the destination.
Next hop Address of Successor: IP address of the next hop interface.
Outbound Interfaces: Interface that the traffic uses to exit the router towards that destination.
Next hop Address of Feasible Successor: IP address of the next hop interface for the feasible successor.
Feasible Distance of Feasible Successor: The calculated metric to the destination via the feasible successor route.
Reported Distance of the Feasible Successor: The distance to the destination as reported by a neighbor.

Page 3: Routing Table
Whereas the topology table contains information about many possible paths to a network destination, the routing table displays only the best paths, called the successor routes, as displayed by the show ip route command. EIGRP displays information about routes in two ways:
• The routing table designates routes learned through EIGRP with a D.
• EIGRP tags dynamic or static routes learned from other routing protocols or from outside the EIGRP network as D EX, or external, because they did not originate from EIGRP routers within the same AS.

5.3.3 - EIGRP Terminology and Tables The diagram depicts R1 connected to network 172.16.1.0/24 via port FA0/0 with the address 172.16.1.1/24. R1 is connected via S0/0/0 with the address 172.16.3.1/30 to port S0/0/0 of R2 with the address 172.16.3.2/30. R2 is connected to network 192.168.1.0/24 via port FA0/0 with the address 192.168.1.1/24. R2 is connected via port S0/0/1 with the address 192.168.10.9/30 to S0/0/1 of R3 with the address 192.168.10.10/30. R3 is connected to network 192.168.2.0/24 via port FA0/0 with the address 192.168.2.1/24, and to the S0/0/1 port of R1 on network 192.168.10.4/30.

The EIGRP routing tables for these three routers, as displayed by the show ip route command, follow. Each table lists the directly connected networks (C), the networks learned through EIGRP (D) with their [90/metric] values, next-hop address, age and outbound interface, an external route (D EX) with an administrative distance of 170, and the automatic summary routes for 172.16.0.0/16 and 192.168.10.0/24, which are marked "is a summary" and point to the Null0 interface.

Page 4: 5.3.3 - EIGRP Terminology and Tables The diagram depicts an activity in which you must determine which EIGRP table, Neighbor, Topology, or Routing, would be the most appropriate to find the specified information.
One. IP address of neighbor devices.
Two. State that DUAL has calculated for the route.
Three. Amount of time since an adjacency was established.
Four. Interface connected to neighbor device.
Five. The route was learned from an external routing process.
Six. Next hop address for the feasible successor.
Seven. The successor's advertised distance.
Eight. The administrative distance associated with the route.

5.3.4 EIGRP Neighbors and Adjacencies
Page 1: Before EIGRP can exchange packets between routers, it must first discover its neighbors. EIGRP neighbors are other routers running EIGRP on shared, directly connected networks.

EIGRP routers use hello packets to discover neighbors and establish adjacencies with neighbor routers. On IP networks, the multicast address is 224.0.0.10. By default, hello packets are multicast every 5 seconds on links greater than a T1 and every 60 seconds on T1 or slower links. An EIGRP router assumes that as long as it is receiving hello packets from a neighbor, the neighbor and its routes are reachable.

The hello packet contains information about the router interfaces and the interface addresses. Information discovered through the hello protocol provides the information for the neighbor table.

The hold time is the period that EIGRP waits to receive a hello packet. Generally, the hold time is three times the duration of the hello interval. When the hold time expires and EIGRP declares the route as down, DUAL re-evaluates the topology and refreshes the routing table.

5.3.4 - EIGRP Neighbors and Adjacencies The diagram depicts R1, R2, and R3 connected in a triangular topology. The routers send hello packets to each other. A table contains the following information regarding hello intervals and default hold times based on link bandwidth and type.
Bandwidth: Greater than 1.544 Mbps. Example Link: Ethernet. Hello Interval: 5 seconds. Default Hold Time: 15 seconds.
Bandwidth: 1.544 Mbps or less. Example Link: T1, Multipoint Frame Relay. Hello Interval: 60 seconds. Default Hold Time: 180 seconds.

Page 2: When a neighbor adjacency is established, EIGRP uses various types of packets to exchange and update routing table information. Neighbors learn about new routes, unreachable routes, and rediscovered routes through exchange of these packets:
• Acknowledgement
• Update
• Query
• Reply

When a route is lost, it moves to an active state and DUAL searches for a new route to the destination. When a route is found, it is moved to the routing table and placed in a passive state. These various packets help DUAL gather the information it requires to calculate the best route to the destination network.

5.3.4 - EIGRP Neighbors and Adjacencies The diagram depicts R1, R2, and R3 connected in a triangular topology. R3 sends a hello to R1. R2 sends an update to R1, and R1 sends an ack to R2. R3 sends a query to R2, and R2 sends a reply to R3. Information on each type of packet is detailed below.
Hello: Discover and verify neighbors. Discover timer values. Multicast address: 224.0.0.10. Unreliable transfer method.
Acknowledgement: Unicast hello packets with no data. Response to reliable packet transfer.
Update: If a new neighbor is found - unicast. To indicate a routing change - multicast.
Query: To request specific info about a neighbor, or multicast looking for a new successor. Can be multicast or unicast.
Reply: Response to a query. Always a unicast.

Page 3: An acknowledgement packet indicates the receipt of an update, query, or reply packet. Acknowledgement packets are small hello packets without any data. These types of packets are always unicast.

An update packet sends information about the network topology to its neighbor. That neighbor then updates its topology table. Several updates are often required to send all the topology information to the new neighbor.

Whenever DUAL places a route in the active state, the router must send a query packet to each neighbor. Queries can be multicast or unicast. Neighbors must send replies, even if the reply states that no information on the destination is available. Replies are always unicast. The information contained in each reply packet helps DUAL to locate a successor route to the destination network.

5.3.4 - EIGRP Neighbors and Adjacencies The diagram depicts the basic operation of DUAL. R1, R2, and R3 are connected in a triangular topology. R2 sends an update alerting its neighbors that a network is down. R1 and R2 respond with an acknowledgment. R2 sends a request asking for another route to the network that is down. R1 and R3 acknowledge the request and then reply that there is no other known route. The network remains unreachable.

Page 4: As a routing protocol, EIGRP operates independently of the Network Layer. Because large, complex networks may use a variety of Network Layer protocols, this makes EIGRP flexible and scalable. Each Network Layer protocol works through a Protocol Dependent Module (PDM) responsible for the specific routing task. Each PDM maintains three tables. For example, a router running IP, IPX, and AppleTalk has three neighbor tables, three topology tables, and three routing tables.

Cisco designed Reliable Transport Protocol (RTP) as a proprietary Layer 4 protocol. RTP guarantees delivery and receipt of EIGRP packets for all Network Layer protocols. RTP can be used as both a reliable and best effort transport protocol, similar to TCP and UDP. EIGRP packet types use either a connection-oriented service similar to TCP or a connectionless service similar to UDP. Update, query, and reply packets use the TCP-like service. Acknowledgements and hello packets use the UDP-like service.

Reliable RTP requires an acknowledgement packet from the receiver to the sender. Update, query, and reply packets are sent reliably; hello and acknowledgement packets are sent best effort and do not require an acknowledgement. RTP uses both unicast and multicast packets. Multicast EIGRP packets use the reserved multicast address of 224.0.0.10.

5.3.4 - EIGRP Neighbors and Adjacencies The diagram depicts a Neighbor Table with three different network protocols supported by EIGRP: AppleTalk, IPX, and IP. Neighbor Table-AppleTalk, Neighbor Table-IPX, and Neighbor Table-IP all show neighbor adjacency information.

The diagram also shows Topology Table-AppleTalk, Topology Table-IPX, and Topology Table-IP, all of which list every route to every destination. Lastly, the diagram shows Routing Table-AppleTalk, Routing Table-IPX, and Routing Table-IP. All of these tables show successor routes.

Page 5: 5.3.4 - EIGRP Neighbors and Adjacencies The diagram depicts an activity in which you must match the EIGRP packet type with the appropriate definition.
Types of EIGRP Packets
A. Hello Packet
B. Update Packet
C. Query Packet
D. Reply Packet
E. Acknowledgement Packet
Definitions
One. Used to form neighbor adjacencies.
Two. Unicasts information about the network to a new neighbor.
Three. Sent to neighbors when DUAL places a route in the active state.
Four. Used to give DUAL information about the destination network.
Five. Indicates receipt of a packet when RTP is used.

5.3.5 EIGRP Metrics and Convergence
Page 1: EIGRP uses a composite metric value to determine the best path to a destination. This metric is determined from the following values:
• Bandwidth
• Delay
• Reliability
• Load
Maximum Transmission Unit (MTU) is another value included in routing updates, but it is not a routing metric.

The composite metric formula consists of K values: K1 through K5. By default, K1 and K3 are set to 1. K2, K4, and K5 are set to 0. The value of 1 designates that bandwidth and delay have equal weight in the composite metric calculation.

Bandwidth
The bandwidth metric is a static value and is displayed in kbps. Most serial interfaces use the default bandwidth value of 1544 kbps. This metric reflects the bandwidth of a T1 connection. Sometimes the bandwidth value may not reflect the actual physical bandwidth of the interface. Bandwidth influences the metric calculation and, as a result, the EIGRP path selection. If a 56 kbps link is advertised with a 1544 kbps value, it could interfere with convergence as it struggles to cope with the traffic load.

5.3.5 - EIGRP Metrics and Convergence The diagram depicts R1 connected to network 172.16.1.0/24 via port FA0/0 with the address 172.16.1.1/24. R1 is connected via S0/0/0 with the address 172.16.3.1/30 to port S0/0/0 of R2 with the address 172.16.3.2/30. R2 is connected to network 172.16.3.16/28 via port FA0/0 with the address 172.16.3.17/24. R2 is connected via port S0/0/1 with the address 192.168.10.9/30 to S0/0/1 of R3 with the address 192.168.10.10/30. R2 is also connected to the ISP. R3 is connected to network 192.168.1.0/24 via port FA0/0 with the address 192.168.1.1/24. R3 is connected via S0/0/1 with the address 192.168.10.6/30 to the S0/0/1 port of R1 with the address 192.168.10.5/30. Highlighted in the console output from the show interfaces command is a line, BW 1544 Kbit, for interface S0/0/0 and a line, BW 64 Kbit, for interface S0/0/1. This depicts the difference in bandwidth, which is one of the metrics used by EIGRP to determine the best path to a destination.
R1# show int s0/0/0
Serial0/0/0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 172.16.3.1/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
R1# show int s0/0/1
Serial0/0/1 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 192.168.10.5/30
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255

The show ip protocols command displays information about the EIGRP routing protocol process. EIGRP metric weights are highlighted in the output.
R1# show ip protocols
Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set

  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100

More Information Popup: EIGRP uses these scaled values to determine the total metric cost to the network:
metric = [K1 * bandwidth + (K2 * bandwidth) / (256 - load) + K3 * delay] * [K5 / (reliability + K4)]

Page 2: The other metrics used by EIGRP to calculate the cost of a link are delay, reliability, and load.

The delay metric is a static value that is based on the type of exit interface. The default value is 20,000 microseconds for Serial interfaces and 100 microseconds for Fast Ethernet interfaces. The delay metric does not represent the actual amount of time packets take to reach the destination. Changing the delay value associated with a specific interface alters the metric but does not physically affect the network.

Reliability measures how often the link has experienced errors. Unlike delay, reliability updates automatically, depending on the link conditions. It has a value of between 0 and 255. A reliability of 255/255 represents a 100 percent reliable link.

Load reflects the amount of traffic using the link. As an example, 1/255 would be a minimally loaded link, and 255/255 would be a link that is 100 percent utilized. A lower load value is more desirable than a higher value.

5.3.5 - EIGRP Metrics and Convergence The diagram depicts a table of delays for various media.
Media: 100M ATM. Delay: 100 microseconds.
Media: Fast Ethernet. Delay: 100 microseconds.
Media: FDDI. Delay: 100 microseconds.
Media: HSSI. Delay: 20,000 microseconds.
Media: 16M Token Ring. Delay: 630 microseconds.
Media: Ethernet. Delay: 1000 microseconds.
Media: T1 (Serial Default). Delay: 20,000 microseconds.
Media: DS0. Delay: 20,000 microseconds.
Media: 56K. Delay: 20,000 microseconds.
Media: 512K. Delay: 20,000 microseconds.
Media: Internal BGP. Delay: 200 microseconds.
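As an added example (not course code), the following Python computes the composite metric the way this section describes it: scaled bandwidth is 10^7 divided by the lowest bandwidth on the path, scaled delay is the sum of the interface delays divided by 10, and the total is multiplied by 256 with the default K values. The interface values are the BW and DLY figures shown above, and the resulting metrics match the routing and topology tables on this page; the rule that the reliability factor is applied only when K5 is non-zero is IOS behaviour assumed here, not stated on the page.

```python
"""EIGRP composite metric, added example (not from the course).

Scaled bandwidth is 10^7 divided by the lowest bandwidth (kbps) on the path,
scaled delay is the sum of interface delays (microseconds) divided by 10,
and the composite metric is 256 * (K1*bw + (K2*bw)/(256-load) + K3*delay),
multiplied by K5/(reliability+K4) only when K5 is non-zero (IOS behaviour,
assumed here; with the default K5=0 that factor is simply 1).
"""
from dataclasses import dataclass
from typing import Sequence, Tuple

# Default metric weights as shown by "show ip protocols": K1=1, K2=0, K3=1, K4=0, K5=0
DEFAULT_K = (1, 0, 1, 0, 0)


@dataclass(frozen=True)
class Hop:
    """One outbound interface on the path, with the BW, DLY, reliability and
    load values that "show interfaces" reports."""
    bandwidth_kbps: int      # BW, e.g. 1544 for a default serial interface
    delay_usec: int          # DLY, e.g. 20000 serial, 100 FastEthernet
    reliability: int = 255   # 255/255 = fully reliable
    load: int = 1            # 1/255 = minimally loaded


# Constructed hops using the defaults and the delay table on this page.
SERIAL_T1 = Hop(1544, 20000)
SERIAL_1024K = Hop(1024, 20000)
SERIAL_128K = Hop(128, 20000)
SERIAL_64K = Hop(64, 20000)
FAST_ETHERNET = Hop(100_000, 100)


def scaled_terms(path: Sequence[Hop]) -> Tuple[int, int, int, int]:
    """Return (bandwidth, delay, reliability, load) as EIGRP scales them."""
    bandwidth = 10_000_000 // min(h.bandwidth_kbps for h in path)  # IOS truncates
    delay = sum(h.delay_usec for h in path) // 10
    reliability = min(h.reliability for h in path)
    load = max(h.load for h in path)
    return bandwidth, delay, reliability, load


def eigrp_metric(path: Sequence[Hop],
                 k: Tuple[int, int, int, int, int] = DEFAULT_K) -> int:
    """Composite metric for a path made of the given outbound interfaces."""
    k1, k2, k3, k4, k5 = k
    bandwidth, delay, reliability, load = scaled_terms(path)
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 != 0:  # reliability only enters the metric when K5 is enabled
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def topology_entry(network: str, neighbor: str, link: Hop,
                   neighbor_path: Sequence[Hop], interface: str) -> str:
    """Format one "show ip eigrp topology" line: the reported distance (RD) is
    the neighbor's own metric, the feasible distance (FD) adds our link."""
    rd = eigrp_metric(neighbor_path)
    fd = eigrp_metric([link, *neighbor_path])
    return (f"P {network}, 1 successors, FD is {fd} "
            f"via {neighbor} ({fd}/{rd}), {interface}")


if __name__ == "__main__":
    # A FastEthernet LAN reached across a default T1 serial link: 2172416
    print(eigrp_metric([SERIAL_T1, FAST_ETHERNET]))
    # The same LAN behind a 128 kbps link, as in the R2 topology table above
    print(topology_entry("172.16.1.0/24", "172.16.3.1", SERIAL_128K,
                         [FAST_ETHERNET], "Serial0/0/0"))
    # A 56 kbps link left at the 1544 kbps default advertises a far better
    # metric than the physical link deserves
    print(eigrp_metric([Hop(56, 20000)]), "vs", eigrp_metric([SERIAL_T1]))
```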

Page 3: The EIGRP topology table uses metrics to maintain values for feasible distance (FD) and advertised distance (AD), or reported distance (RD). Feasible distance is the best EIGRP metric along the path to the destination from the router. Advertised distance is the best metric reported by a neighbor.

DUAL uses these values to determine successors and feasible successors. The loop-free route with the lowest feasible distance becomes a successor. There can be multiple successors for a destination, depending on the actual topology. A feasible successor is a route with an advertised distance that is less than the feasible distance of a successor. DUAL keeps feasible successors in the topology table and promotes the best one to the routing table as a successor route if the original successor route fails.

DUAL converges quickly after a change in the topology. If no feasible successor exists, the original route moves into active mode, and queries are sent to find a new successor.

5.3.5 - EIGRP Metrics and Convergence The diagram depicts R1 connected to R2 with a serial link that has a cost of 10. R2 is connected to

Network Z with a serial link and has an AD of 5. R1 is also connected to R3 with a Fast Ethernet connection with a cost of 14. R3 is connected to Network Z with a serial link and has an AD of 6. Lastly, R1 is connected to R4 with a serial link that has a cost of 10. R4 is connected to Network Z with a serial link and has an AD of 5.
R1 EIGRP Topology Table: R2 is successor to Network Z, FD = 15, AD = 5. R3 is feasible successor to Network Z, FD = 20, AD = 6. R4 is successor to Network Z, FD = 15, AD = 5.
Feasible Distance (FD): The minimum distance (metric) along a path from the router to a destination network.
Advertised Distance (AD) or Reported Distance (RD): The distance (metric) towards a destination as advertised by an upstream neighbor. In italics: the neighbor router's distance.

More Information Popup: In an EIGRP routing table entry, the word via precedes the address of the successor. The feasible distance is the metric listed after the administrative distance of 90. In the entry below, the best path to the 192.168.10.0/24 network is through the next-hop interface of the successor, and the feasible distance is 3014400:
D 192.168.10.0/24 [90/3014400] via <successor address>, 00:00:31, Serial0/0/1

Page 4: 5.3.5 - EIGRP Metrics and Convergence The diagram depicts an activity in which you must examine the network diagram and answer questions about the feasible distance (FD), advertised distance (AD), and the successor route for specified routes. The following is a description of the network. Network A is connected to R1 and has a cost of 1. R1 is connected to R2. R2 is connected to R4 and has a cost of 1. R3 is connected to R2 with a cost of 2. R3 is also connected to R4 with a cost of 2. R5 is connected to R4 with a cost of 1. R5 is also connected to R3 with a cost of 2. Network B is connected to R2.
One. What is the feasible distance to network A from R5 via R3? 1, 3, 5, or 6
Two. What is the advertised distance to network A from R5 via R3? 1, 2, 3, or 4
Three. What is the feasible distance to network A from R5 via R4? 2, 3, 5, or 6
Four. What is the advertised distance to network A from R5 via R4? 2, 3, 5, or 6
Five. What is the feasible distance to network B from R4 via R5? 1, 3, 5, or 6
Six. What is the successor router from R5 to get to network A? Via R3 or Via R4

5.4 Implementing EIGRP
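The following Python is an added example (not course code) of the DUAL selection just described: for each neighbor, FD via that neighbor is its advertised distance plus the link cost; the lowest FD wins, ties give multiple successors, and any other neighbor whose AD is below the feasible distance is a feasible successor. The sample candidates are R1's three paths to Network Z from the diagram above; the failure handling (promote a feasible successor immediately, otherwise go active and query) is the course's description of DUAL, coded here as an assumption about how a single destination is tracked.

```python
"""DUAL successor / feasible successor selection, added example (not course code).

For one destination, each candidate path is a neighbor, the cost of our link
to it, and the distance the neighbor advertises (AD, also called RD).
FD via a neighbor = link cost + AD. The lowest such value is the route's
feasible distance; paths at that value are successors, and any other path
whose AD is strictly lower than the feasible distance is a feasible successor.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Candidate:
    neighbor: str
    link_cost: int            # metric of the link from this router to the neighbor
    advertised_distance: int  # the neighbor's own best metric to the destination

    @property
    def feasible_distance(self) -> int:
        return self.link_cost + self.advertised_distance


@dataclass
class DualResult:
    feasible_distance: Optional[int]   # None when no usable path exists
    successors: List[str]              # installed in the routing table
    feasible_successors: List[str]     # kept in the topology table as backups
    state: str                         # "passive" (stable) or "active" (querying)


def run_dual(candidates: List[Candidate]) -> DualResult:
    """Apply the feasibility condition to the candidate paths for one destination."""
    if not candidates:
        # No path at all: the route goes active and queries are sent to neighbors.
        return DualResult(None, [], [], "active")
    fd = min(c.feasible_distance for c in candidates)
    successors = [c.neighbor for c in candidates if c.feasible_distance == fd]
    feasible_successors = [c.neighbor for c in candidates
                           if c.feasible_distance != fd and c.advertised_distance < fd]
    return DualResult(fd, successors, feasible_successors, "passive")


def after_failure(candidates: List[Candidate], failed_neighbor: str) -> DualResult:
    """Model the loss of one neighbor. Losing a non-successor changes nothing;
    losing a successor promotes a remaining successor or feasible successor
    without leaving the passive state; with no backup, DUAL goes active."""
    before = run_dual(candidates)
    if failed_neighbor not in before.successors:
        return before
    remaining = [c for c in candidates if c.neighbor != failed_neighbor]
    if len(before.successors) > 1 or before.feasible_successors:
        return run_dual(remaining)
    # The only successor is gone and nobody met the feasibility condition:
    # the route moves to active and queries are sent for a new successor.
    return DualResult(None, [], [], "active")


# Constructed from the R1 topology diagram above: link cost to each neighbor
# and the AD each neighbor reports for Network Z.
R1_TO_NETWORK_Z = [
    Candidate("R2", link_cost=10, advertised_distance=5),
    Candidate("R3", link_cost=14, advertised_distance=6),
    Candidate("R4", link_cost=10, advertised_distance=5),
]

if __name__ == "__main__":
    print(run_dual(R1_TO_NETWORK_Z))            # FD 15, successors R2 and R4, FS R3
    print(after_failure(R1_TO_NETWORK_Z, "R2"))  # R4 remains successor, still passive
```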

5.4.1 Configuring EIGRP
Page 1: Basic EIGRP is relatively simple to configure. It has many similarities to RIPv2. Enabling the EIGRP process requires an autonomous system parameter. This AS parameter can be assigned any 16-bit value and identifies all of the routers belonging to a single company or organization. This AS number is locally significant only and is not the same as the autonomous system number issued and controlled by the Internet Assigned Numbers Authority (IANA). Although EIGRP refers to the parameter as an autonomous system number, it actually functions as a process ID. The AS number in the command must match on all routers that work within the EIGRP routing process.

To begin the EIGRP routing process, use two steps:
Step 1 Enable the EIGRP routing process.
Step 2 Include network statements for each network to be advertised.
The network command tells EIGRP which networks and interfaces participate in the EIGRP process.

5.4.1 - Configuring EIGRP The diagram depicts eight routers configured in two diamond topologies linked by one router to each diamond. The following are the commands issued to configure EIGRP.
Step 1
R1(config)# router eigrp <1-65535>    (Autonomous System number)
R1(config)# router eigrp 1

Step 2
R1(config-router)# network 172.16.0.0

More Information Popup: The process ID references an instance of the EIGRP protocol running in a router. If there were two instances of EIGRP running on the same router at the same time, the process ID, or instance number, would separate and identify each individual process.

Page 2: To configure EIGRP to advertise only certain subnets, include a wildcard mask after the network number. To determine the wildcard mask, subtract the subnet mask from 255.255.255.255. Some versions of the Cisco IOS allow the subnet mask to be specified instead of using the wildcard mask. Even if the subnet mask is used, the show running-config command displays the wildcard mask in its output.

Two additional commands complete the typical basic EIGRP configuration. On serial links that do not match the default EIGRP bandwidth of 1.544 Mbps, add the bandwidth command followed by the actual speed of the link expressed in kbps. Inaccurate bandwidth interferes with choosing the best route. Add the eigrp log-neighbor-changes command to view changes in neighbor adjacencies. This feature helps the administrator monitor the stability of the EIGRP network.

5.4.1 - Configuring EIGRP The diagram depicts three routers connected to each other by serial links and arranged in a triangular topology. The following are the EIGRP configuration commands for each router.
R1 Router
R1(config)# router eigrp 1
R1(config-router)# network 172.16.0.0
R1(config-router)# network 192.168.10.0
R1(config-router)# exit
R2 Router
R2(config)# router eigrp 1
R2(config-router)# network 10.0.0.0
R2(config-router)# network 192.168.10.0

168. Once neighbor authentication is configured. it is possible to enable authentication within the EIGRP configuration.Console message displayed upon neighbor discovery: *Mar 1 07:05:56.0 Console message displayed upon neighbor discovery: 192. Specifies the name of the keychain and enters the configuration mode for the keychain. the router authenticates the source of all routing updates before accepting them.10.1. This means routers with different or conflicting route information can affect and possibly corrupt the routing tables.5 (Serial 0 /0) is up new adjacency 192. Key Creation To create the key perform the following commands: key chain name-of-chain • • Global configuration command.16.0 R3 (config-router) # network 192.10.1 (Serial 0/0/0) is up: new adjacency R3 Router R3 (config) # router EIGRP 1 R3 (config-router) # network 192.457: **Dual -5-N B R CHANGE: IP -EIGRP(0)1 Neighbor 172. key key-id .168.168. The configuration of EIGRP authentication consists of two steps: creating the key and enabling authentication to use the key.10. To prevent this. any router configured with EIGRP and the correct autonomous system number can enter the EIGRP network.3.168. EIGRP allows an administrator to manage the keys though a keychain. EIGRP authentication requires the use of a pre-shared key.9 (Serial 0 /1) is up new adjacency Page 3: Once EIGRP is enabled.

• Identifies the key number and enters the configuration mode for that key-id.
key-string text
• Identifies the key string or password.

Enabling Authentication
The key is used to enable MD5 authentication for EIGRP with the following interface configuration commands:
ip authentication mode eigrp AS md5
• Specifies that MD5 authentication is required for the exchange of EIGRP packets.
ip authentication key-chain eigrp AS name-of-chain
• AS specifies the autonomous system of the EIGRP configuration. This must be configured to match on all EIGRP routers.
• The name-of-chain parameter specifies the keychain that was previously configured.

5.4.1 - Configuring EIGRP The diagram depicts two routers, R1 and R2. They are connected via a serial link with the network address 192.168.2.0/24. R1 has a network connected to its Fast Ethernet port with the network address 192.168.1.0/24. R2 has a network connected to its Fast Ethernet port with the network address 192.168.3.0/24. Each router has the show running-config command issued and the output is listed, which includes MD5 authentication. You will encounter the output of this command with EIGRP implemented in future labs.

More Information Popup: Optional parameters can be configured as part of the keychain. Optional parameters include the date when the key is required, and the lifetime of the key or end date of the key. To configure the optional parameters,

you must be in the key configuration mode.
accept-lifetime start-time {infinite | end-time | duration seconds}
Specifies when the key is accepted for received packets. Start time is generally shown in hh:mm:ss month date year.
send-lifetime start-time {infinite | end-time | duration seconds}
Specifies when the key can be used for sending packets.

Page 4: Lab Activity
Configure EIGRP with MD5 authentication. Click the lab icon to begin.
5.4.1 - Configuring EIGRP Link to Hands-on Lab: Implementing EIGRP

5.4.2 EIGRP Route Summarization
Page 1: Like RIP, EIGRP automatically summarizes subnetted networks on the classful boundary. The summary route is called the parent route and the subnet routes are called the child routes. EIGRP installs a Null0 summary route in the routing table for each parent route. The Null0 interface indicates that this is not an actual path, but a summary for advertising purposes. A best path or successor route is associated with the summary route.

The routing table installs entries for each of the subnets and also an entry for the summary route. If a packet matches one of the child routes, it forwards out the correct interface. If the packet matches the summary route but does not match one of the child routes, it is discarded.

In an enterprise network, the path chosen to reach the summary route may not be the best choice for the traffic that is trying to reach each individual subnet. EIGRP creates only one entry in the routing table for the summary route. As a result, all traffic destined for the subnets travels across that one path. The only way that all routers can find the best routes for each individual subnet is for neighbors to send subnet information. When default summarization is disabled, updates include subnet information.

5.4.2 - EIGRP Route Summarization The diagram depicts three routers, R1, R2, and R3, in a triangular topology with serial links between all three router serial ports. The serial link between R1 and R2 is on network address 172.16.3.0/30 at 64 Kbps. The serial link between R1 and R3 is on network address 192.168.10.4/30 at 1544 Kbps. The serial link between R2 and R3 is on network address 192.168.10.8/30 at 1024 Kbps. All three routers have networks connected to their FastEthernet ports. The show ip route command is issued on R1 and the corresponding output is displayed; the lines ending in "Null0" are highlighted as examples of summary routes. The recoverable entries of that output are:
R1# show ip route
Gateway of last resort is not set
     192.168.10.0/24 is variably subnetted, 3 subnets, 2 masks
D       192.168.10.8/30 [90/3523840] via 192.168.10.6, 00:44:55, Serial0/0/1
C       192.168.10.4/30 is directly connected, Serial0/0/1
D       192.168.10.0/24 is a summary, 00:45:09, Null0
     172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
D       172.16.1.0/24 [90/2172416] via 192.168.10.6, 00:45:09, Serial0/0/1
D       172.16.10.0/24 [90/40514560] via 172.16.3.2, 00:44:56, Serial0/0/0
C       172.16.3.0/30 is directly connected, Serial0/0/0
D       172.16.0.0/16 is a summary, 00:46:10, Null0

Page 2: With auto summarization disabled, all subnets are advertised. Using default summarization results in smaller routing tables. Turning off the summarization produces larger updates and larger tables. Consideration of the overall network performance and traffic patterns determines if auto summarization is appropriate. Use the no auto-summary command to disable the default summarization.

An administrator may have a situation in which some of the subnets need to be summarized and some do not. Manual summarization provides more precise control of EIGRP routes. Using this feature, the administrator determines which subnets on which interfaces are advertised as summary routes. The decision to summarize depends on the placement of the subnets. As an example, four contiguous subnets terminating on the same router are good candidates for summarization.

Manual summarization is done on a per-interface basis and gives the network administrator complete control. A manually summarized route appears in the routing table as an EIGRP route sourced from a logical, not physical, interface:

D 192.168.0.0/22 is a summary, Null0

5.4.2 - EIGRP Route Summarization
The diagram depicts three routers, labeled R1, R2, and R3. R3 has both of its serial interfaces connected to R1 and R2; the network addresses of these two serial links are shown in the diagram. R3 has the following four FastEthernet ports connected to networks:
FA0/0: 192.168.0.0/24
FA0/1: 192.168.1.0/24
FA0/2: 192.168.2.0/24
FA0/3: 192.168.3.0/24

The output to the screen for route summarization by individual interfaces is as below:
R3(config)# interface serial 0/0/0
R3(config-if)# ip summary-address eigrp 1 192.168.0.0 255.255.252.0
R3(config-if)# interface serial 0/0/1
R3(config-if)# ip summary-address eigrp 1 192.168.0.0 255.255.252.0

Page 3: Packet Tracer Activity
Configure and verify EIGRP and EIGRP summary routes. Click the Packet Tracer icon to begin.

5.4.2 - EIGRP Route Summarization
Link to Packet Tracer Exploration: Configuring EIGRP and EIGRP Summary Routes

Page 4: Lab Activity
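The two ideas on these pages, working out the single prefix that covers a group of contiguous subnets (the /22 that R3 advertises) and the way a Null0 summary route interacts with longest-prefix forwarding on R1 (a packet that matches only the parent route is discarded), can be modelled in a few lines. The following is an added example, not code from the Cisco course; it uses the page's R3 LANs and R1's routing table, and the lookup is a simplified model of the forwarding decision, not IOS code.

```python
"""Summarization and Null0 lookup, modelled on the page's R3 and R1 examples."""
from ipaddress import IPv4Address, IPv4Network


def summarize(subnets):
    """Return the smallest single prefix that covers all given subnets.

    This is the address/mask an administrator would hand to
    `ip summary-address eigrp` for contiguous LANs on one router.
    """
    nets = [IPv4Network(s) for s in subnets]
    first = nets[0]
    # Shorten the prefix until one block contains every subnet.
    for plen in range(first.prefixlen, -1, -1):
        candidate = first.supernet(new_prefix=plen)
        if all(n.subnet_of(candidate) for n in nets):
            return candidate
    raise ValueError("no common prefix")


# R1's routing table from Page 2 of the course (constructed copy): two
# auto-summary parent routes point to Null0, the child routes to real
# interfaces.  (prefix, outgoing interface)
R1_TABLE = [
    ("172.16.0.0/16", "Null0"),
    ("172.16.1.0/24", "FastEthernet0/0"),
    ("172.16.2.0/24", "Serial0/0/0"),
    ("172.16.10.0/30", "Serial0/0/0"),
    ("192.168.10.0/24", "Null0"),
    ("192.168.10.4/30", "Serial0/0/1"),
    ("192.168.10.8/30", "Serial0/0/1"),
    ("192.168.3.0/24", "Serial0/0/1"),
]


def lookup(destination, table=R1_TABLE):
    """Longest-prefix match: the most specific matching route wins.

    If the winner is the Null0 summary, no child route matched and the
    packet is discarded rather than forwarded along the summary's path.
    """
    addr = IPv4Address(destination)
    matches = [(IPv4Network(p), iface) for p, iface in table
               if addr in IPv4Network(p)]
    if not matches:
        return "no route"
    _net, iface = max(matches, key=lambda m: m[0].prefixlen)
    return "discard" if iface == "Null0" else iface


if __name__ == "__main__":
    r3_lans = ["192.168.0.0/24", "192.168.1.0/24",
               "192.168.2.0/24", "192.168.3.0/24"]
    print("R3 summary:", summarize(r3_lans))          # 192.168.0.0/22
    for dst in ("172.16.2.7", "172.16.5.1", "192.168.10.9", "192.168.10.100"):
        print(dst, "->", lookup(dst))
```

Note that 172.16.5.1 and 192.168.10.100 are discarded on R1 even though their parent prefixes are in the table: with auto-summary on, a neighbour that received only the /16 or /24 summary would still send such traffic to R1, which is why the page says the summary's path may not be the best one for each subnet.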

Configure automatic and manual route summarization with EIGRP. Click the lab icon to begin.

5.4.2 - EIGRP Route Summarization
Link to Hands-on Lab: EIGRP Configuring Automatic and Manual Route Summarization and Discontiguous Subnets

5.4.3 Verifying EIGRP Operation

Page 1: Although EIGRP is a relatively simple protocol to configure, it employs sophisticated technologies to overcome the limitations of distance vector routing protocols. It is important to understand these technologies in order to properly verify and troubleshoot a network configuration that utilizes EIGRP. Some of the verification commands available include:

show ip protocols
• Verifies that EIGRP is advertising the correct networks
• Displays the autonomous system number and administrative distance

show ip route
• Verifies that the EIGRP routes are in the routing table
• Designates EIGRP routes with a D or a D EX
• Has a default administrative distance of 90 for internal routes

show ip eigrp neighbors detail
• Verifies the adjacencies EIGRP forms
• Displays the IP addresses and interfaces of neighbor routers

show ip eigrp topology
• Displays successors and all feasible successors
• Displays feasible distance and reported distance

show ip eigrp interfaces detail
• Verifies the interfaces using EIGRP

show ip eigrp traffic
• Displays the number and types of EIGRP packets sent and received

One of the primary uses of these show commands is to verify the successful formation of EIGRP adjacencies and the successful exchange of EIGRP packets between routers. EIGRP cannot work without forming adjacencies; therefore this should be verified prior to any other troubleshooting efforts.

5.4.3 - Verifying EIGRP Operation
The diagram depicts three routers, labeled R1, R2, and R3. They are configured in a triangular topology with serial links between all three router serial ports. The serial link between R1 and R2 uses the network address 172.16.10.0/30. It is a 64 kbps link. The serial link between R1 and R3 is on network address 192.168.10.4/30. It is a 1544 kbps link. The serial link between R2 and R3 uses the network address 192.168.10.8/30. It is a 1024 kbps link. All three routers have networks connected to FastEthernet ports. The network addresses are as follows: 172.16.1.0/24, 172.16.2.0/24, and 192.168.3.0/24.

The commands listed below will be available for output testing in future labs. Once EIGRP has been implemented, the commands listed below will reflect the addition of EIGRP.

***show ip protocols***
***show ip eigrp topology***
***show ip route***

***show ip eigrp interface detail***
***show ip eigrp neighbors detail***
***show ip eigrp traffic***

Page 2: If adjacencies appear normal but problems still exist, an administrator should begin troubleshooting using debug commands to view real-time information on the EIGRP activities occurring on a router. These commands provide details that can pinpoint the source of a lost EIGRP route or missing adjacency.

debug eigrp packet
• Displays transmission and receipt of all EIGRP packets

debug eigrp fsm
• Displays feasible successor activity to determine whether routes are discovered, installed, or deleted by EIGRP

Debugging operations use large amounts of bandwidth and router processing power; therefore, the use of these commands can also degrade network performance, particularly when debugging a very complex protocol like EIGRP.

5.4.3 - Verifying EIGRP Operation
The diagram depicts the output for the commands debug eigrp packet and debug eigrp fsm. The output of these two commands can be examined in detail when the EIGRP protocol is implemented in future labs.

Page 3: 5.4.3 - Verifying EIGRP Operation
The diagram depicts an activity in which you must match the output requirements with the appropriate command.

Command:
A. debug eigrp packet
B. debug eigrp fsm
C. show ip eigrp interfaces detail
D. show ip eigrp neighbors detail
E. show ip eigrp topology
F. show ip eigrp traffic

Output Requirements:
One. Shows transmission and receipt of EIGRP packets.
Two. Shows feasible successor activity.
Three. Verifies the interfaces that are using EIGRP.
Four. Verifies adjacencies.
Five. Displays successors and feasible successors.
Six. Shows the number and types of EIGRP packets sent and received.

Page 4: Packet Tracer Activity
Explore the various EIGRP verification and troubleshooting commands. Click the Packet Tracer icon to begin.

5.4.3 - Verifying EIGRP Operation
Link to Packet Tracer Exploration: Verifying and Troubleshooting EIGRP Operation

5.4.4 Issues and Limitations of EIGRP

Page 1: Although EIGRP is a powerful and sophisticated routing protocol, several considerations limit its use:
• Does not work in a multi-vendor environment because it is a Cisco proprietary protocol
• Works best with a flat network design
• Must share the same autonomous system among routers and cannot be subdivided into groups
• Can create very large routing tables, which requires large update packets and large amounts of bandwidth
• Uses more memory and processor power than RIP
• Works inefficiently when left on the default settings
• Requires administrators with advanced technical knowledge of the protocol and the network

Successful implementation of the many features of EIGRP requires careful configuration, monitoring, and troubleshooting.

5.4.4 - Issues and Limitations of EIGRP
The diagram depicts several network environments geographically located around the city and across the world. These separate networks form part of the larger network shown as a cloud to which they are all connected. Situated on the outside of these corporate networks are single tele-commuters. A network administrator is sitting on the outside of this large network of networks and he is asking himself the question, "What can I do to make EIGRP run better?"

5.5 Chapter Summary
5.5.1 Summary

Page 1: 5.5.1 - Summary

Diagram 1, Image
The diagram depicts a static route topology.

Diagram 1 text
Enterprise networks are hierarchical in order to facilitate the flow of information. Different topologies exist in enterprise networks, including star, extended star, and mesh. Networks use both static and dynamic routing to move information. Static routes are manually configured; they enhance network security and reduce the burden on routers. Dynamic routes are learned and exchanged through routing protocols, which automate the task of providing the best route to a destination. A default route forwards information that has no route in the routing table.

Diagram 2, Image
The diagram depicts hop count, topology, and distance between routes.

Diagram 2 text
1. Dynamic routing protocols are classified as either distance vector or link state.
2. RIP is a distance vector routing protocol.
3. RIPv1 broadcasts the entire routing table to connected routers every 30 seconds.
4. RIP v2 multicasts its routing table.
5. Distance vector routing protocols are prone to the formation of routing loops.
6. RIP is very easy to configure and manage but does not scale well and is slow to converge.

Diagram 3, Image
The diagram depicts a list of EIGRP features.

Diagram 3 text
EIGRP is a Cisco proprietary distance vector routing protocol with many advanced features. EIGRP offers the best of distance vector routing while using additional features typically associated with link-state routing protocols, including bounded updates and neighbor adjacencies. EIGRP maintains information on both successors and feasible successors, allowing it to rapidly recover if a route goes down. Routing loops are prevented by using the DUAL algorithm. EIGRP supports both equal and unequal cost load balancing. It is fast to converge and uses a composite metric for more reliable routing information. RIP v2 multicasts its routing table to 224.0.0.9 every 30 seconds; EIGRP multicasts only partial bounded updates, using less bandwidth. EIGRP automatically summarizes routes; however, this feature can be turned off and summarization done manually for better control of routing. EIGRP is easy to configure but difficult to maintain and optimize.

Diagram 4, Image
The diagram depicts an EIGRP network.

Diagram 4 text
EIGRP uses autonomous systems, which are process IDs. EIGRP uses multiple packet types to maintain the neighbor, topology, and routing tables.

5.5.2 Critical Thinking

Page 1: 5.5.2 - Critical Thinking
The diagram depicts an activity in which you must answer questions regarding routing based on an EIGRP network topology diagram.

Network Topology: Five routers, R1, R2, R3, R4, and R5, are connected in an EIGRP routing environment. The following connections are present:
Router R1 is connected to Router R2 with a metric of Three.
Router R2 is connected to Router R3 with a metric of Two.
Router R2 is connected to Router R4 with a metric of One.
Router R3 is connected to Router R4 with a metric of One.
Router R3 is connected to Router R5 with a metric of One.
Router R4 is connected to Router R5 with a metric of Three.
Router R1 is connected to stub network LAN2 with a metric of One.
Router R4 is connected to stub network LAN1 with a metric of One.

Questions:
Question One. What is the advertised distance to LAN1 from R2 via R4?
A. One  B. Two  C. Three  D. Four
Question Two. What is the feasible distance to LAN2 from R3 via R2?
A. Three  B. Four  C. Five  D. Six
Question Three. What is the feasible distance to LAN2 from R5 via R4?
A. Three  B. Four  C. Five  D. Six  E. Seven  F. Eight
Question Four. What is the advertised distance to LAN1 from R5 via R4?
A. One  B. Two  C. Three  D. Four
Question Five. What is the best route to take to reach LAN2 from R5?
A. R3 - R2 - R1  B. R4 - R2 - R1  C. R4 - R3 - R2 - R1  D. R3 - R4 - R2 - R1
Question Six. Which statement is true about the path to LAN2 from R5 via R4 - R2 - R1?
A. This route is the successor.
B. This route is placed in the routing table.
C. This route is placed in the neighbor table.
D. This route is used as the feasible successor.

5.6 Chapter Quiz
5.6.1 Quiz

Page 1: Take the chapter quiz to check your knowledge. Click the quiz icon to begin.

5.6.1 - Quiz
Chapter 5 Quiz: Routing with a Distance Vector Protocol

1. How do RIP v1 and RIP v2 differ?
A. Only RIP v1 provides authentication in its updates.
B. Only RIP v2 sends subnet mask information with its routing updates.
C. Only RIP v1 uses split horizon to prevent routing loops.
D. Only RIP v2 uses 16 hops as the metric value for infinite distance.

2. RouterA and RouterB are exchanging RIP v2 updates. RouterB has not received an update from RouterA in the prescribed time. Assuming default timer settings, how many seconds will RouterB wait before it marks the routes served by RouterA as invalid?
A. 90 seconds
B. 120 seconds
C. 150 seconds
D. 180 seconds
E. 240 seconds

3. According to the router output from the show ip route command, which of the following statements are true? (Choose two.)

labb#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

R    192.168.1.0/24 [120/1] via 192.168.2.2, 00:00:24, Serial0
C    192.168.2.0/24 is directly connected, Serial0
R    192.168.3.0/24 [120/2] via 192.168.2.2, 00:00:24, Serial0
C    192.168.4.0/24 is directly connected, Ethernet0
R    192.168.5.0/24 [120/1] via 192.168.8.8, 00:00:03, Serial1
R    192.168.7.0/24 [120/1] via 192.168.8.8, 00:00:03, Serial1
C    192.168.8.0/24 is directly connected, Serial1

A. The devices on network 192.168.4.0 cannot be reached, as indicated by the 'C' label.
B. The logical address of the next router for network 192.168.3.0 is 192.168.2.2.
C. The hop count to a device on network 192.168.5.0 is the default value of 16.
D. The total path cost to network 192.168.1.0 is 24.
E. The metric to network 192.168.3.0 is 2.

4. What are three advantages of using EIGRP instead of RIP v1? (Choose three.)
A. EIGRP supports VLSM and CIDR.
B. EIGRP has no hop count limit because it is based on path cost.
C. EIGRP is a link-state protocol which has faster convergence than distance-vector protocols.
D. EIGRP uses RTP, a protocol-independent transport layer, to guarantee delivery of routing information.
E. EIGRP supports a higher hop count.
F. EIGRP requires less memory and CPU time.

5. If EIGRP routing is employed and the successor route to a destination becomes unreachable or unreliable, which of the following would be used as a replacement?
A. the route flagged as active in the topology table
B. the feasible successor route in the topology table
C. the default gateway in the neighbor table
D. the primary designated route in the topology table
E. the backup designated router in the routing table

6. If an EIGRP route goes down and a feasible successor is not found in the topology table, how does DUAL flag the route that has failed?
A. recomputed
B. passive
C. active
D. down
E. unreachable
F. successor

7. What is the advantage of routers forming adjacencies when using EIGRP? (Choose three.)
A. New routers and their routes can quickly be discovered by neighbor routers.
B. Changes in network topology can quickly be shared with neighbor routers.
C. Neighbor routers can save overhead by sharing the DUAL database.
D. Neighbor routers can quickly take over for a router that is in passive mode.
E. A router can quickly discover when a neighbor router is no longer available.
F. A router can share routing loads with neighbor routers.

8. Which of the following tables does DUAL use to calculate the lowest cost routes to each destination?
A. routing table and topology table
B. neighbor table and routing table
C. neighbor table and topology table
D. neighbor table and adjacency table

9. What are two attributes of EIGRP? (Choose two.)
A. It is a link-state routing protocol.
B. It supports CIDR.
C. It uses link-state advertisements.
D. It is a distance-vector routing protocol.
E. It is a classful routing protocol.

10. What are two advantages of static routing over dynamic routing? (Choose two.)
A. CPU utilization is lower with static routes.
B. Static routing keeps the network scalable.
C. Administration of the configuration is easier.
D. The static route configuration is less prone to errors.
E. Static routing is more secure because routers do not advertise routes.

11. You have configured EIGRP route summarization on a serial interface to summarize routes learned from an Ethernet interface. What route will show in the routing table?
A. A summary route pointing to an Ethernet interface.
B. A summary route pointing to the Loopback0 interface.
C. A summary route pointing to the Null0 interface.
D. A summary route pointing to a Serial0 interface.

12. Examine the following router configuration:

interface Serial0/0
 ip address 10.10.1.2 255.255.255.0
interface Serial0/1
 ip address 10.11.1.2 255.255.255.0
router eigrp 75
 network 10.0.0.0
 no auto-summary

Which command set would summarize the 10.10.0.0/16 network when it is sent out interface S0/1?
A. router eigrp 75
   ip summary-address S0/1 10.10.0.0 255.255.0.0
B. router eigrp 75
   ip summary-address 10.10.0.0 255.255.0.0 S0/1
C. interface S0/1
   ip summary-address eigrp 10.10.0.0 255.255.0.0
D. interface S0/1
   ip summary-address eigrp 75 10.10.0.0 255.255.0.0

All contents copyright © 2007-2008 Cisco Systems, Inc. Translated by the Cisco Networking Academy.

6 Routing with a Link-State Protocol
6.0 Chapter Introduction
6.0.1 Introduction

Page 1: 6.0.1 - Introduction
Enterprise networks need a reliable and scalable routing protocol to maintain communications. Distance vector routing protocols are usually not the right choice for a complex enterprise network. Link-state routing protocols such as OSPF are ideally suited to the needs of enterprise networks. Network technicians configure and verify OSPF to support basic routing functionality and authentication. Network engineers configure a hierarchical design for OSPF to access the Internet and for improved routing efficiency.

After completion of this chapter, you should be able to:
Describe and plan a network using OSPF
Design and configure a network using single-area OSPF
Work with multi-protocol environments

6.1 Routing Using the OSPF Protocol
6.1.1 Link-State Protocol Operation

Page 1: Enterprise networks and ISPs use link-state protocols because of their hierarchical design and their ability to scale for large networks and select the best path.

Open Shortest Path First (OSPF) is an example of a link-state routing protocol. OSPF is an open standard routing protocol, developed by the Internet Engineering Task Force (IETF) to support IP traffic. OSPF is a classless interior gateway protocol (IGP). It divides the network into different sections, which are referred to as areas. This division allows for greater scalability. Working with multiple areas allows the network administrator to selectively enable route summarization and to isolate routing issues within a single area.

Link-state routing protocols, such as OSPF, do not send frequent periodic updates of the entire routing table. Instead, after the network converges, a link-state protocol sends an update only when a change in the topology occurs, such as a link going down. In addition, OSPF performs a full update every 30 minutes.

6.1.1 - Link-state Protocol Operation
This animation depicts two scenarios of routers converging when using each type of routing protocol operation: Distance Vector and Link-State. The physical topology includes four routers. R2 sits at the center of the network. R1, R3, and R4 are directly connected to R2 via serial links.

Distance Vector: Distance Vector protocols periodically pass the entire routing table. R1 decides to send a message regarding its routes from its routing table. R2 receives the routing table information of R1 and sends a copy of an amended version of its own routing table to R1. R2 then makes amendments to its own routing table and forwards a copy of its routing table to R3 and R4. R3 forwards its routing table to all connected routes and back to R2.

Link-State: The Link-State protocol passes updates when a link changes state. R1 is notified that the link to 172.16.3.0/24 is down. The message passes to all R1 routes. The link update message of R1 is passed on to R2, R3, and R4.

Page 2: Link-state routing protocols like OSPF work well for larger hierarchical networks where fast convergence is important. Compared with distance vector protocols, link-state routing protocols:
• Require more complex network planning and configuration
• Require increased router resources
• Require more memory for storing multiple tables
• Require more CPU and processing power for the complex routing calculations

With the high performance of routers available today, these requirements are usually not a problem.

Routers running RIP receive updates from their immediate neighbors, but with no details about the network as a whole. Routers running OSPF generate a complete map of the network from their own viewpoint. This map allows them to quickly determine loop-free alternate paths in the case of a network link failure.

The administrative distance of OSPF is 110, lower than RIP, because of the trustworthiness, or accuracy, of the metric. The router trusts a metric based on bandwidth more than one based on hop count to establish the shortest path. Cisco's implementation of OSPF uses bandwidth to determine the cost of a link. A link with higher bandwidth results in a lower cost. This cost metric is used by OSPF to determine the best path. The lowest cost route to a destination is the most desirable path. Additionally, OSPF does not automatically summarize at major network boundaries.

6.1.1 - Link-state Protocol Operation
The animation depicts three routers connected in a triangular design with serial links between R1, R2, and R3. R1 and R2 are connected via a 56 kbps link. R2 and R3 are connected via a T1, 1.544 Mbps, link. The link between R1 and R3 is a T1, 1.544 Mbps, link. R1 has a directly connected network with the address 172.16.1.0/24, represented by H1. R2 has a directly connected network represented by H2.

H1 sends a RIP packet out to R1. RIP chooses the shortest path from H1 to H2 based on hop count. R1 then forwards the update to R2. The RIP update traverses the network until it reaches H2, connected to R2. Next, H1 sends an OSPF packet out to R1. Since the packet is using OSPF, instead of going to R2 this time, the packet goes out of R1 to R3, then to R2, and to the destination host H2. It chooses this path to H2 because OSPF chooses the shortest path based on bandwidth, so it uses the fastest links to the intended host. When comparing the OSPF and RIP packets, the animation shows the OSPF packet reaching the destination first.

Page 3: 6.1.1 - Link-state Protocol Operation
The diagram depicts an activity in which you must indicate whether the characteristic describes RIP or OSPF.
One. Works well for larger hierarchical networks.
Two. Provides fast convergence.
Three. Appropriate for smaller, simpler networks.
Four. Periodically sends the entire routing table to all directly connected neighbors.
Five. Generates a map of the network from the viewpoint of the router.

Six. Requires more router system resources.
Seven. Fairly simple to configure.
Eight. Link cost metric is used to determine best path.
Nine. Hop count metric is used to determine best path.

6.1.2 OSPF Metrics and Convergence

Page 1: OSPF bases the cost metric for an individual link on its bandwidth or speed. The metric for a particular destination network is the sum of all link costs in the path. If there are multiple paths to the network, the path with the lowest overall cost is the preferred path and is placed in the routing table.

The equation used to calculate the cost of an OSPF link is:
Cost = 100,000,000 / bandwidth of link in bps

The configured bandwidth on an interface provides the bandwidth value for the equation. Determine the bandwidth of an interface using the show interfaces command.

Using this equation presents a problem with link speeds of 100 Mbps or greater, such as Fast Ethernet and Gigabit Ethernet. Regardless of the difference in speed between these two links, they both calculate to a value of 1 and therefore will be treated equally, even though they are very different. To compensate for this, configure the interface cost value manually with the ip ospf cost command.

6.1.2 - OSPF Metrics and Convergence
The diagram depicts a table of interface type and the associated cost that OSPF uses when calculating the cost of a link. The table has the headers Interface Type and 10^8 / bps = Cost.

Interface Type | 10^8 / bps = Cost
Fast Ethernet and faster | 10^8 / 100,000,000 bps = 1
Ethernet | 10^8 / 10,000,000 bps = 10
E1 | 10^8 / 2,048,000 bps = 48
T1 | 10^8 / 1,544,000 bps = 64
128 Kbps | 10^8 / 128,000 bps = 781
64 Kbps | 10^8 / 64,000 bps = 1562
56 Kbps | 10^8 / 56,000 bps = 1785

Page 2:
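The cost formula above, the table it produces, and the collision at 100 Mbps and above can be reproduced in a few lines. The following is an added example, not code from the Cisco course. It uses the page's formula and interface bandwidths, adds Gigabit Ethernet as an instance of "Fast Ethernet and faster", and models a manual `ip ospf cost` setting as a per-link override; the `reference` parameter is an assumption that lets the reader see what a larger reference bandwidth would do to the same table.

```python
"""OSPF link cost from bandwidth, as described on the page."""

REFERENCE_BANDWIDTH = 100_000_000  # 10^8 bps, the reference in the page's formula

# Bandwidths in bps for the page's table, plus Gigabit Ethernet to show the
# "Fast Ethernet and faster" collision.
LINKS = {
    "GigabitEthernet": 1_000_000_000,
    "FastEthernet": 100_000_000,
    "Ethernet": 10_000_000,
    "E1": 2_048_000,
    "T1": 1_544_000,
    "128Kbps": 128_000,
    "64Kbps": 64_000,
    "56Kbps": 56_000,
}


def ospf_cost(bandwidth_bps, reference=REFERENCE_BANDWIDTH):
    """Integer cost of one link: reference / bandwidth, never below 1.

    The truncation is why a 1 Gbps link and a 100 Mbps link both come out
    as cost 1 with the default reference.
    """
    return max(1, reference // bandwidth_bps)


def cost_table(links=LINKS, reference=REFERENCE_BANDWIDTH):
    """Cost per interface type, i.e. the page's table recomputed."""
    return {name: ospf_cost(bw, reference) for name, bw in links.items()}


def path_cost(link_types, overrides=None, reference=REFERENCE_BANDWIDTH):
    """Total metric for a path = sum of its link costs.

    `overrides` maps a link type to a cost set by hand (modelling the
    `ip ospf cost` command on that interface); other links use the formula.
    """
    overrides = overrides or {}
    return sum(overrides.get(lt, ospf_cost(LINKS[lt], reference))
               for lt in link_types)


if __name__ == "__main__":
    for name, cost in cost_table().items():
        print(f"{name:16} {cost:5}")
    # Gigabit and Fast Ethernet tie at 1; a manual cost separates them.
    print("GigE+FE, default:", path_cost(["GigabitEthernet", "FastEthernet"]))
    print("GigE+FE, FE cost set to 10:",
          path_cost(["GigabitEthernet", "FastEthernet"],
                    overrides={"FastEthernet": 10}))
```

With the default reference, `path_cost(["Ethernet", "FastEthernet", "E1"])` gives 59, which is the kind of sum OSPF compares when it picks among several paths to the same network.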

OSPF routers within a single area advertise information about the status of their links to their neighbors. Messages called Link State Advertisements (LSAs) are used to advertise this status information. The OSPF link-state or topology database stores the SPF tree information. Once an OSPF router receives LSAs describing all of the links within an area, it uses the SPF algorithm, also called Dijkstra's Algorithm, to generate a topological tree, or map of the network. Each router running the algorithm identifies itself as the root of its own SPF tree. Starting from the root, the SPF tree identifies the shortest path to each destination and the total cost of each path. The router installs the shortest path to each network in the routing table.

Convergence occurs when all routers:
• Receive information about every destination on the network
• Process this information with the SPF algorithm
• Update their routing tables

6.1.2 - OSPF Metrics and Convergence
The diagram depicts R1 directly connected to three routers, R2, R3, and R4. The link cost between R1 and R2 is 20. The link cost between R1 and R3 is 5. The link cost between R1 and R4 is 20. The link cost between R3 and R4 is 10. All three routers have networks connected to them, labeled network A, B, and C respectively.

The SPF tree and path for each network from R1:
Destination Network A: Path from R1 to R2 has a cost of 20 (Least Cost Path).
Destination Network B: Path from R1 to R3 has a cost of 5 (Least Cost Path). Path from R1 to R4 to R3 has a cost of 25.
Destination Network C: Path from R1 to R3 to R4 has a cost of 15 (Least Cost Path). Path from R1 to R4 has a cost of 20.

The SPF tree and path for each network from R2:
Destination Network A: It is directly connected; therefore, it has a cost of 0 (Least Cost Path).
Destination Network B: Path from R2 to R1 to R3 has a cost of 25 (Least Cost Path). Path from R2 to R1 to R4 to R3 has a cost of 50.
Destination Network C: Path from R2 to R1 to R3 to R4 has a cost of 35 (Least Cost Path). Path from R2 to R1 to R4 has a cost of 20.

The SPF tree and path for each network from R3:
Destination Network A: Path from R3 to R1 to R2 has a cost of 25 (Least Cost Path). Path from R3 to R4 to R1 to R2 has a cost of 50.
Destination Network B: It is directly connected; therefore, it has a cost of 0 (Least Cost Path).
Destination Network C: Path from R3 to R4 has a cost of 10 (Least Cost Path). Path from R3 to R1 to R4 has a cost of 25.

The SPF tree and path for each network from R4:
Destination Network A: Path from R4 to R3 to R1 to R2 has a cost of 35 (Least Cost Path). Path from R4 to R1 to R2 has a cost of 40.
Destination Network B: Path from R4 to R3 has a cost of 10 (Least Cost Path). Path from R4 to R1 to R3 has a cost of 25.
Destination Network C: It is directly connected; therefore, it has a cost of 0 (Least Cost Path).

Page 3: 6.1.2 - OSPF Metrics and Convergence
The diagram depicts an activity in which you must use the following scenario to identify the path that packets will take when originating at H1, which is the LAN directly connected to R1, and destined for H2, which is the LAN directly connected to R5, while traversing an OSPF network using the associated link cost. Arrange four routers in order according to the Least Cost Path from first router to second router to third router to fourth router.

Included in this activity is a table listing the Interface Link Type and the associated OSPF cost.
Link Type and OSPF Cost:
Fast Ethernet = 1
Ethernet = 10
E1 = 48
T1 = 64

The following is a description of the scenario: Five routers are arranged in a pentagon type format where R1 is directly connected to all other routers. R2 is directly connected to R1 and R5. R3 is directly connected to R1 and R4. R4 is directly connected to R3, R1, and R5. R5 is directly connected to R4, R2, and R1, and is also connected to a LAN with host H2. R1 is also connected to a LAN with host H1.
R1 is connected to R2 via an Ethernet link.
R1 is connected to R3 via an Ethernet link.
R1 is connected to R4 via an E1 link.
R1 is connected to R5 via a T1 link.
R2 is connected to R1 via an Ethernet link.
R2 is connected to R5 via a T1 link.
R3 is connected to R1 via an Ethernet link.
R3 is connected to R4 via a FastEthernet link.
R4 is connected to R3 via a FastEthernet link.
R4 is connected to R1 via an E1 link.
R4 is connected to R5 via an E1 link.
R5 is connected to R4 via an E1 link.
R5 is connected to R2 via a T1 link.
R5 is connected to R1 via a T1 link.

6.1.3 OSPF Neighbors and Adjacencies

Page 1: With OSPF, link state updates are sent when network changes occur. But how does a router know when a neighboring router fails? OSPF routers establish and maintain neighbor relationships, or adjacencies, with other connected OSPF routers. Adjacency is an advanced form of neighborship between routers that are willing to exchange routing information. The router records neighbor adjacencies discovered in an OSPF adjacencies database.

The OSPF Hello protocol is used to initially establish and maintain adjacencies. The hello protocol sends very small hello packets to directly connected OSPF routers on the multicast address 224.0.0.5. The packets are sent every 10 seconds on Ethernet and broadcast links and every 30 seconds for non-broadcast links. Router settings are also included in the hello packets. The settings include the hello interval, dead interval, and network type, as well as the authentication type and authentication data if configured. For any two routers to form an adjacency, all settings must match.

When a router receives a hello packet from a neighbor, it lists the sending router ID in its own hello packet as an acknowledgment. When routers initiate an adjacency with neighbors, an exchange of link-state updates begins. Routers reach a FULL state of adjacency when they have synchronized views on their link-state database. The router goes through several state changes before becoming fully adjacent with its neighbor:
• Init
• 2-Way
• Exstart
• Exchange
• Loading
• Full

6.1.3 - OSPF Neighbors and Adjacencies
The diagram depicts a table with the column headings State and Definition. The information explains the changes that a router goes through before becoming fully adjacent.

State: Init. Definition: The router receives an initial hello packet from its neighbor.
State: 2-Way. Definition: Bi-directional communication is established, in that each router has seen the hello packet from the other. This state is attained when the router receiving the hello packet sees its own Router ID within the neighbor field of the hello packet. At this state, a router decides whether to become fully adjacent with this neighbor.
State: Exstart. Definition: The routers establish a master-slave relationship and choose the initial sequence number for
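The SPF calculation described under Page 2 and the H1-to-H2 activity on Page 3 can both be checked by running Dijkstra's algorithm over the described links. The following is an added example, not code from the Cisco course: the four-router graph uses the page's link costs (20, 5, 20, 10) with each stub network modelled as a cost-0 node hanging off its router, and the pentagon uses the page's link-type costs (Fast Ethernet 1, Ethernet 10, E1 48, T1 64). Node and network names are the page's.

```python
"""SPF (Dijkstra) over the two topologies described on the page."""
import heapq


def spf(graph, root):
    """Dijkstra from `root` over graph {node: {neighbor: cost}}.

    Returns {node: (total_cost, path_from_root)}, i.e. the SPF tree
    the root router would install in its routing table.
    """
    dist = {root: 0}
    prev = {}
    heap = [(0, root)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    tree = {}
    for node, d in dist.items():
        path = [node]
        while path[-1] != root:
            path.append(prev[path[-1]])
        tree[node] = (d, path[::-1])
    return tree


def undirected(edges):
    """Build the adjacency map from (a, b, cost) links usable in both directions."""
    g = {}
    for a, b, cost in edges:
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost
    return g


# Page 2 diagram: R1 hub with R3-R4 cross link; networks A, B, C are
# directly connected (cost 0) to R2, R3, R4.
FOUR_ROUTER = undirected([
    ("R1", "R2", 20), ("R1", "R3", 5), ("R1", "R4", 20), ("R3", "R4", 10),
    ("R2", "A", 0), ("R3", "B", 0), ("R4", "C", 0),
])

COST = {"FastEthernet": 1, "Ethernet": 10, "E1": 48, "T1": 64}

# Page 3 activity: pentagon of five routers, H1 on R1's LAN, H2 on R5's.
PENTAGON = undirected([
    ("R1", "R2", COST["Ethernet"]), ("R1", "R3", COST["Ethernet"]),
    ("R1", "R4", COST["E1"]), ("R1", "R5", COST["T1"]),
    ("R2", "R5", COST["T1"]), ("R3", "R4", COST["FastEthernet"]),
    ("R4", "R5", COST["E1"]),
])


def spf_costs(graph, root, destinations):
    """Least cost from `root` to each destination, as the diagram lists them."""
    tree = spf(graph, root)
    return {d: tree[d][0] for d in destinations}


def best_path(graph, src, dst):
    """(cost, [routers in order]) for the least-cost path from src to dst."""
    return spf(graph, src)[dst]


if __name__ == "__main__":
    for root in ("R1", "R2", "R3", "R4"):
        print(root, spf_costs(FOUR_ROUTER, root, ["A", "B", "C"]))
    print("H1 -> H2:", best_path(PENTAGON, "R1", "R5"))
```

Each router computing its own tree from the same link database is the point of the convergence bullets above: the four roots disagree on costs but never on the topology, so the trees are loop-free.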

a router will only achieve a full state with a designated router (DR) and a backup designated router (BDR). Between two routers. The DBD describes the contents of the entire link-state database. All the router and network LSA's are exchanged and the router databases are fully synchronized. The DR (R2) and BDR (R3) receive the LSA from R1.OSPF Neighbors and Adjacencies This animation depicts the role of the designated router. If the DR fails.0.0. The only exception to this is the 2-way state. In a broadcast environment. the router with the higher router ID becomes the master and starts the exchange. A switch at the center of a star topology has five routers directly connected. and processing overhead on all routers. When a link fails. . the router with the highest router ID is elected the DR. unnecessary traffic flow. Page 2: Full is the normal state for an OSPF router.0. The second highest is elected as the BDR. and R1.3 . respectively. this is an indication of a problem such as mismatched settings. Like the DR. routers send link-state request packets for more specific information. Any router not elected as the DR or BDR is known as a DROther. R2 and R3 are also labeled DR and BDR. Based on the information provided by the DBD's. 6.6.6 and receives all updates that are sent to the DR. OSPF routers exchange database descriptions (DBD) packets that contain link-state advertisement (LSA) headers only. The BDR ensures that there is no single point of failure. the BDR listens to 224. Page 3: Within a local network. the BDR immediately takes over as DR. On broadcast network segments there is only one DR and BDR.1. Full. using multicast 224. this process also ensures that all routers receive the same information at the same time from a single source. Exchange.5.0. Each DBD packet has a sequence number which can be incremented only by the master. and a new BDR is elected. The DR forwards LSA's containing the route information provided by R1 to all other routers. R5. 
All other neighbors will be viewed in the 2-way state. All other routers must have a connection to the DR and BDR. using the multicast address 224. Loading. The purpose of the DR and BDR is to reduces the number of updates sent. labeled R1 through R5. The neighbor provides the requested link-state information in link-state update packets.adjacency formation. In addition to reducing the number of updates sent across the network. R1 forwards all route information to the DR and BDR using an LSA.0. This is accomplished by requiring all routers to accept updates from the DR only. The DR is responsible for distributing the change to all other OSPF routers.0. R4. the router with information about the link sends the information to the DR. The DR (R2) sends out LSA to routers R3 (BDR). If a router is stuck in another state. R1 forms an adjacency with the DR and BDR only.

The router ID is an IP address that is determined by:
1. The value configured with the router-id command
2. If no value is set with the router-id command, the highest configured IP address on any loopback interface
3. If no loopback interface is configured, the highest IP address on any active physical interface

The router ID can be viewed using the following show commands: show ip protocols, show ip ospf, or show ip ospf interface.

In some cases, an administrator may want specific routers to be the DR and BDR, regardless of highest router ID. These might be routers with more processing power or lighter traffic load. An administrator can force the DR and BDR election by configuring a priority using the interface configuration command:

ip ospf priority number

By default, OSPF routers have a priority value of 1. If the priority value is changed on a router, the highest priority setting will win the election for DR. The highest value that can be set for router priority is 255. A value of 0 signifies that the router is ineligible to be DR or BDR.

6.1.3 - OSPF Neighbors and Adjacencies: The diagram depicts a switch at the center of a star topology with four routers, R1, R2, R3, and R4, directly connected. R1 says, "My priority is the default value of 1. I am a DR other." R2 says, "My priority is 0. I will not participate in the election. I am the DR other." R3 says, "My priority is 5. I am the BDR." R4 says, "My priority is 10. I am the DR."
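The router ID precedence and the priority-based election described above, as an added example (not code from the Cisco curriculum page). The four routers are constructed to mirror the page's diagram; the router names and addresses are illustrative, and the `Router` class and `elect_dr_bdr` function are this example's own:

```python
"""Router ID selection and DR/BDR election on a multi-access segment.

Added example (not code from the Cisco curriculum page). The routers below are
constructed to mirror the page's four-router diagram; names and addresses are
illustrative.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Router:
    name: str
    router_id_cmd: Optional[str] = None                   # value set with `router-id`
    loopbacks: List[str] = field(default_factory=list)    # loopback interface addresses
    physical_up: List[str] = field(default_factory=list)  # active physical interface addresses
    priority: int = 1                                     # `ip ospf priority`, default 1

    def __post_init__(self):
        if not 0 <= self.priority <= 255:
            raise ValueError(f"{self.name}: priority must be 0-255")

    def router_id(self) -> str:
        """Page's precedence: router-id command, else highest loopback, else highest active physical."""
        if self.router_id_cmd:
            return self.router_id_cmd
        for pool in (self.loopbacks, self.physical_up):
            if pool:
                return str(max(ipaddress.IPv4Address(a) for a in pool))
        raise ValueError(f"{self.name}: no address available for a router ID")


def elect_dr_bdr(routers: List[Router]) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Cold-start election on one segment: highest priority wins, ties go to the highest
    router ID; priority 0 routers never become DR or BDR. Returns (DR, BDR, DROthers)."""
    eligible = [r for r in routers if r.priority > 0]
    ranked = sorted(eligible,
                    key=lambda r: (r.priority, ipaddress.IPv4Address(r.router_id())),
                    reverse=True)
    dr = ranked[0].name if ranked else None
    bdr = ranked[1].name if len(ranked) > 1 else None
    others = [r.name for r in routers if r.name not in (dr, bdr)]
    return dr, bdr, others


if __name__ == "__main__":
    segment = [
        Router("R1", loopbacks=["10.1.1.1"], physical_up=["192.168.1.1"]),              # priority 1
        Router("R2", loopbacks=["10.2.2.2"], physical_up=["192.168.1.2"], priority=0),  # ineligible
        Router("R3", router_id_cmd="10.3.3.3", physical_up=["192.168.1.3"], priority=5),
        Router("R4", physical_up=["192.168.1.4", "172.16.0.1"], priority=10),
    ]
    for r in segment:
        print(r.name, r.router_id())
    print(elect_dr_bdr(segment))   # ('R4', 'R3', ['R1', 'R2'])
```

The function models a cold-start election only. A live OSPF segment does not preempt an existing DR when a higher-priority router appears, which is why a priority or router ID change only takes effect after the adjacencies are reset, as the tuning section later notes.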

Page 4: Not all link types require a DR and BDR. Link types identified by OSPF include:

Broadcast Networks
• Ethernet

Point-to-point (PPP) Networks
• Serial
• T1/E1

Non-Broadcast Multi-Access (NBMA) Networks
• Frame Relay
• ATM

On broadcast multi-access networks, such as Ethernet, the number of neighbor relationships can become large, and therefore a DR election is required. On point-to-point networks, the establishment of full adjacencies is not an issue because, by definition, there can only be two routers on the link. The DR election is not necessary and does not apply. On NBMA networks, OSPF can run in two modes:

• Simulated broadcast environment: An administrator can define the network type as broadcast and the network simulates a broadcast model by electing a DR and a BDR. In this environment, it is generally recommended that the administrator choose the DR and BDR by configuring the priority of the router. This ensures that the DR and BDR have full connectivity to all other neighboring routers. This environment also requires that neighboring routers are statically defined.

• Point-to-multipoint environment: In this environment, each non-broadcast network is treated as a collection of point-to-point links and a DR is not elected. Neighboring routers are also statically defined using the neighbor command in the OSPF configuration mode.

6.1.3 - OSPF Neighbors and Adjacencies: The diagram depicts three examples of network topology, Broadcast Multi-Access, Point-to-Point, and Non-Broadcast Multi-Access, and the designated router for each network. Each topology is described below:
Broadcast Multi-Access: A switch is at the center of four routers, which are directly connected to the switch.
Point-to-Point: Two routers labeled R1 and R2 are directly connected through a serial link from S0/0/0 on R1 to S0/0/0 on R2. Both routers have networks connected to their FastEthernet ports, Fa0/0.
Non-Broadcast Multi-Access: The broadcast cloud lies at the center of four routers, which are directly connected to the broadcast cloud by serial links.

Page 5: 6.1.3 - OSPF Neighbors and Adjacencies: The diagram depicts an activity in which you must determine the router ID for each router. The following is a description of the topology. Routers RTA, RTB, RTC, RTD, and RTE are all connected to the same network segment. Router RTF is connected via a serial link to router RTB. The IP addresses for each router interface (E0, E1, S0, and Lo0, as applicable) are shown in the diagram.
Part 1: Use the information above to determine the IP address that will be used as the router ID for each of the following routers. Match the host name and the router ID. Host names: One. RTA; Two. RTB; Three. RTC; Four. RTD; Five. RTE; Six. RTF.
Part 2: For each network, select the router that will be elected as the designated router. Match the network ID (A through E) to the host name.

6.1.4 OSPF Areas

Page 1: All OSPF networks begin with Area 0, also called the backbone area. As the network is expanded, other areas can be created that are adjacent to Area 0. These other areas can be assigned any number, up to 65,535. OSPF has a two-layer hierarchical design. Area 0, also referred to as the backbone area, exists at the top and all other areas are located at the next level. All non-backbone areas must directly connect to Area 0. This group of areas creates an OSPF Autonomous System (AS).

The operation of OSPF within an area is different from operation between that area and the backbone area. Summarization of network information usually occurs between areas. This helps to decrease the size of routing tables in the backbone. Summarization also isolates changes and unstable, or flapping, links to a specific area in the routing domain. When using summarization, when there is a change in the topology, only those routers in the affected area receive the LSA and run the SPF algorithm.

6.1.4 - OSPF Areas: The diagram depicts four areas labeled Area 1, Area 0, Area 51, and the area encompassing the EIGRP router. Area 0 has four routers inside the cloud and two ABR routers, one belonging to Area 0 and one belonging to Area 51. Area 1 has four routers and a boundary router. Area 51 has four routers. A fifth router acting as the ABR is sitting on the boundary of Area 0 and 51. One of the routers for Area 0 is acting as the ASBR, which then links to the EIGRP router in the separate cloud. A router that connects an area to the backbone area is called an Area Border Router (ABR). A router that connects an area to a different routing protocol, such as EIGRP, or redistributes static routes into the OSPF area is called an Autonomous System Border Router (ASBR).

Page 2: 6.1.4 - OSPF Areas: The diagram depicts an activity in which you must match the term to the best description.
Terms: One. Hierarchical network; Two. Area 51; Three. ABR; Four. ASBR; Five. Area 0; Six. SPF algorithm; Seven. AS.
Descriptions: A. Backbone area; B. Non-backbone area; C. Router between Area 0 and another OSPF area; D. Router between Area 0 and another AS; E. Using multiple OSPF areas; F. All OSPF areas that make up an enterprise network; G. Formula that helps determine the best path.

6.2 Implementing Single-Area OSPF

6.2.1 Configuring Basic OSPF in a Single Area

Page 1: Configuration of basic OSPF is not a complex task; it requires only two steps. The first step enables the OSPF routing process. The second step identifies the networks to advertise.

Step 1: Enable OSPF

router(config)#router ospf <process-id>

The process ID is chosen by the administrator and can be any number from 1 to 65535. The process ID is only locally significant and does not have to match the ID of other OSPF routers.

Step 2: Advertise networks

Router(config-router)#network <network-address> <wildcard-mask> area <area-id>

The network command has the same function as it does in other IGP routing protocols. It identifies the interfaces that are enabled to send and receive OSPF packets. This statement identifies the networks to include in OSPF routing updates. The OSPF network command uses a combination of network address and wildcard mask. The network address, along with the wildcard mask, specifies the interface address, or range of addresses, that will be enabled for OSPF. The area ID identifies the OSPF area to which the network belongs. In a single-area OSPF environment, the area is always 0. Even if there are no areas specified, there must be an Area 0.

6.2.1 - Configuring Basic OSPF in a Single Area: The diagram depicts a network showing three interconnected routers, R1, R2, and R3. R1 is connected to R2 via a serial link (R1: 192.168.10.1/30 S0/0/0, R2: 192.168.10.2 S0/0/0). R1 is connected to R3 via a serial link (R1: 192.168.10.5/30 S0/0/1, R3: 192.168.10.6 S0/0/0). R2 is connected to R3 via a serial link (R2: 192.168.10.9 S0/0/1, R3: 192.168.10.10 S0/0/1). R1 has the network 172.16.1.16/28 attached to Fa0/0 (Fa0/0 IP: 172.16.1.17). R2 has the network 10.10.10.0/24 attached to Fa0/0 (Fa0/0 IP: 10.10.10.1). R3 has the network 172.16.1.32/29 attached to Fa0/0 (Fa0/0 IP: 172.16.1.33). Command lines for R1, R2, and R3 are as follows:

R1
R1(config)# router ospf 1
R1(config-router)# network 172.16.1.16 0.0.0.15 area 0
R1(config-router)# network 192.168.10.0 0.0.0.3 area 0
R1(config-router)# network 192.168.10.4 0.0.0.3 area 0

R2
R2(config)# router ospf 1

R2(config-router)# network 10.10.10.0 0.0.0.255 area 0
R2(config-router)# network 192.168.10.0 0.0.0.3 area 0
R2(config-router)# network 192.168.10.8 0.0.0.3 area 0

R3
R3(config)# router ospf 1
R3(config-router)# network 172.16.1.32 0.0.0.7 area 0
R3(config-router)# network 192.168.10.4 0.0.0.3 area 0
R3(config-router)# network 192.168.10.8 0.0.0.3 area 0

Page 2: The OSPF network statement requires the use of the wildcard mask. When used for network summarization, or supernetting, the wildcard mask is the inverse of the subnet mask. To determine the wildcard mask for a network or subnet, simply subtract the decimal subnet mask for the interface from the all 255s mask (255.255.255.255).

As an example, an administrator wants to advertise the 10.10.10.0/24 subnet in OSPF. The subnet mask for this Ethernet interface is /24 or 255.255.255.0. Subtract the subnet mask from the all 255s mask to get the wildcard mask.

All 255s mask:   255.255.255.255
Subnet mask:    -255.255.255.0
-----------------------------
Wildcard mask:     0.  0.  0.255

The resulting OSPF network statement is:

Router(config-router)#network 10.10.10.0 0.0.0.255 area 0

6.2.1 - Configuring Basic OSPF in a Single Area:

Example 1: Network 172.16.1.16/28
All 255s mask: 255.255.255.255
Subnet mask: 255.255.255.240
Wildcard mask: 0.0.0.15
Network command: R1(config-router)# network 172.16.1.16 0.0.0.15 area 0

Example 2: Network 10.10.10.0/24
All 255s mask: 255.255.255.255
Subnet mask: 255.255.255.0
Wildcard mask: 0.0.0.255
Network command: R2(config-router)# network 10.10.10.0 0.0.0.255 area 0

Example 3: Network 192.168.10.4/30
All 255s mask: 255.255.255.255
Subnet mask: 255.255.255.252
Wildcard mask: 0.0.0.3
Network command: R3(config-router)# network 192.168.10.4 0.0.0.3 area 0

Page 3: More information: Instead of specifying a range of addresses that coincide with the subnet, you may specify the interface (host) IP address and use a 0.0.0.0 wildcard mask in the network statement. This limits OSPF advertisements to that specific interface and address, since all 32 bits of the address must match.

Example: Router(config-router)# network 10.10.10.1 0.0.0.0 area 0

6.2.1 - Configuring Basic OSPF in a Single Area: The diagram depicts an activity in which you must determine the required subnet mask and wildcard mask for the specified network. The networks are lettered A through M, with prefix lengths /8, /24, /27, /23, /20, /30, /25, /16, /28, /8, /23, /24, and /26 respectively.

Page 4:
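The wildcard-mask arithmetic from Page 2, the three worked examples, and the host-only form from Page 3, as an added example that is not code from the curriculum page. It also shows the router-side matching rule the statement relies on (bits that are 0 in the wildcard must match); the function names are this example's own, and the addresses are the page's:

```python
"""Wildcard masks for the OSPF network statement.

Added example, not code from the curriculum page. It reproduces the page's
"all 255s mask minus subnet mask" rule, builds the resulting network
statement, and shows how a router applies the mask when deciding whether an
interface address matches. The addresses used are the page's own examples.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF   # 255.255.255.255


def subnet_mask(prefix_len: int) -> str:
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def wildcard_mask(prefix_len: int) -> str:
    """Subtract the subnet mask from 255.255.255.255 (equivalently, invert it)."""
    mask = int(ipaddress.IPv4Address(subnet_mask(prefix_len)))
    return str(ipaddress.IPv4Address(ALL_ONES - mask))


def network_statement(interface_cidr: str, area: int = 0, host_only: bool = False) -> str:
    """Build `network <address> <wildcard> area <id>` for an interface given as a.b.c.d/len.

    host_only=True uses the interface address with a 0.0.0.0 wildcard, which enables
    OSPF on that one address only (Page 3, "More information")."""
    iface = ipaddress.IPv4Interface(interface_cidr)
    if host_only:
        return f"network {iface.ip} 0.0.0.0 area {area}"
    net = iface.network
    return f"network {net.network_address} {wildcard_mask(net.prefixlen)} area {area}"


def statement_matches(address: str, network: str, wildcard: str) -> bool:
    """Router-side test: every bit that is 0 in the wildcard must be equal in both addresses."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    care = ALL_ONES ^ w            # bits the statement cares about
    return (a & care) == (n & care)


if __name__ == "__main__":
    for cidr in ("172.16.1.17/28", "10.10.10.1/24", "192.168.10.5/30"):
        print(network_statement(cidr))
    print(network_statement("10.10.10.1/24", host_only=True))
    print(statement_matches("172.16.1.33", "172.16.1.16", "0.0.0.15"))   # False: outside the /28
```

`statement_matches` is the reason to be exact with wildcards: a statement such as `network 10.0.0.0 0.255.255.255 area 0` matches every interface in 10.0.0.0/8, so OSPF hellos (and, without authentication, the topology they carry) are sent out of every such interface, including any that face an untrusted segment. On routers with outside-facing interfaces the host-only form, or the exact subnet wildcard, keeps the process on the interfaces intended.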

Lab Activity: Configure basic single area point-to-point OSPF and verify connectivity. Click the lab icon to begin.

6.2.1 - Configuring Basic OSPF in a Single Area: Link to Hands-on Lab: Configuring and Verifying Single Area OSPF. Configure basic single area point-to-point OSPF and verify connectivity.

6.2.2 Configuring OSPF Authentication

Page 1: Like other routing protocols, the default configuration of OSPF exchanges information between neighbors in plain text. This poses potential security threats to a network. A hacker on a network could use packet sniffing software to capture and read OSPF updates and determine network information. To eliminate this potential security problem, configure OSPF authentication between routers. When authentication is enabled in an area, routers will only share information if the authentication information matches.

With simple password authentication, configure each router with a password, called a key. This method provides only a basic level of security because the key passes between routers in plain text form. It is just as easy to view the key as it is the plain text.

A more secure method of authentication is Message Digest 5 (MD5). It requires a key and a key ID on each router. The router uses an algorithm that processes the key, the OSPF packet, and the key ID to generate an encrypted number. Each OSPF packet includes that encrypted number. A packet sniffer cannot be used to obtain the key because it is never transmitted.

6.2.2 - Configuring OSPF Authentication: The diagram depicts three routers, R1, R2, and R3, all interconnected via serial links. R1 is connected to R2, R1 is connected to R3, and R2 is connected to R3. All OSPF packets from all three routers are encrypted. There are screen captures of MD5 encryption configuration from R1, R2, and R3, which are as follows:

R1
R1(config)# router ospf 18
R1(config-router)# network 10.1.1.0 0.0.0.255 area 0
R1(config-router)# area 0 authentication message-digest
R1(config)# interface serial0/0/0
R1(config-if)# ip address 10.1.1.1 255.255.255.0
R1(config-if)# ip ospf message-digest-key 10 md5 areapassword

R2
R2(config)# router ospf 10
R2(config-router)# network 10.1.1.0 0.0.0.255 area 0
R2(config-router)# network 10.2.2.0 0.0.0.255 area 0
R2(config-router)# area 0 authentication message-digest
R2(config)# interface serial0/0/0
R2(config-if)# ip address 10.1.1.2 255.255.255.0
R2(config-if)# ip ospf message-digest-key 10 md5 areapassword
R2(config)# interface serial0/0/1
R2(config-if)# ip address 10.2.2.1 255.255.255.0
R2(config-if)# ip ospf message-digest-key 10 md5 areapassword

R3
R3(config)# router ospf 10
R3(config-router)# network 10.2.2.0 0.0.0.255 area 0
R3(config-router)# area 0 authentication message-digest
R3(config)# interface serial0/0/0
R3(config-if)# ip address 10.2.2.2 255.255.255.0
R3(config-if)# ip ospf message-digest-key 10 md5 areapassword

Page 2: Lab Activity: Configure single-area point-to-point OSPF authentication using MD5. Click the lab icon to begin.

6.2.2 - Configuring OSPF Authentication: Link to Hands-on Lab: Configuring OSPF Authentication. Configure single-area point-to-point OSPF authentication using MD5.

6.2.3 Tuning OSPF Parameters

Page 1: In addition to performing the basic configuration of OSPF, administrators often need to modify, or tune, certain OSPF parameters.
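What the two authentication types on Page 1 actually put on the wire, as an added example that is not code from the curriculum page. It builds a minimal OSPFv2 header around a constructed Hello body and follows the cryptographic-authentication procedure of RFC 2328 Appendix D: the 8-byte authentication field carries the key ID, digest length and a sequence number, and the digest MD5(packet || key) is appended after the packet. The standard OSPF checksum is left at zero and the key is zero-padded to 16 bytes, both stated assumptions; the function names are this example's own:

```python
"""OSPF packet authentication: simple password vs. MD5 digest (RFC 2328, App. D).

Added example, not code from the curriculum page. It builds a minimal OSPFv2
header around a constructed Hello body; the standard OSPF checksum is left at
zero for brevity, and the key is zero-padded to 16 bytes (assumption).
"""
import hashlib
import hmac
import struct

OSPF_HDR = "!BBH4s4sHH8s"   # version, type, length, router ID, area ID, checksum, AuType, auth data
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2
HELLO = 1

# Constructed Hello body: mask 255.255.255.0, hello 10 s, options 0, priority 1,
# dead 40 s, then zeroed DR/BDR fields.
SAMPLE_BODY = bytes([255, 255, 255, 0]) + struct.pack("!HBBI", 10, 0, 1, 40) + bytes(8)


def _ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def _header(pkt_type, router_id, area_id, au_type, auth_data, body_len):
    return struct.pack(OSPF_HDR, 2, pkt_type, 24 + body_len,
                       _ip(router_id), _ip(area_id), 0, au_type, auth_data)


def simple_password_packet(router_id, area_id, password, body=SAMPLE_BODY) -> bytes:
    """AuType 1: the key itself rides in the 8-byte authentication field, in the clear."""
    auth = password.encode().ljust(8, b"\0")[:8]
    return _header(HELLO, router_id, area_id, AU_SIMPLE, auth, len(body)) + body


def _padded_key(key: str) -> bytes:
    return key.encode().ljust(16, b"\0")[:16]


def md5_packet(router_id, area_id, key_id, key, seq, body=SAMPLE_BODY) -> bytes:
    """AuType 2: auth field = reserved(2), key ID(1), digest length 16(1), sequence number(4).
    The digest MD5(packet || key) is appended after the body and is not counted in Length."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = _header(HELLO, router_id, area_id, AU_CRYPTO, auth, len(body)) + body
    return packet + hashlib.md5(packet + _padded_key(key)).digest()


def verify_md5(raw: bytes, keys: dict, last_seq: int):
    """Receiver side. `keys` maps key ID -> key string; `last_seq` is the highest
    sequence number already accepted from this neighbour (replay protection).
    Returns (accepted, reason)."""
    if len(raw) < 24 + 16:
        return False, "truncated"
    version, _, length, _, _, _, au_type, auth = struct.unpack(OSPF_HDR, raw[:24])
    if version != 2 or au_type != AU_CRYPTO:
        return False, "not MD5-authenticated"
    _, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
    if key_id not in keys or digest_len != 16:
        return False, "unknown key ID"
    if seq < last_seq:
        return False, "replayed sequence number"
    packet, digest = raw[:length], raw[length:length + 16]
    expected = hashlib.md5(packet + _padded_key(keys[key_id])).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "bad digest"
    return True, "ok"


if __name__ == "__main__":
    plain = simple_password_packet("10.1.1.1", "0.0.0.0", "cisco")
    print(b"cisco" in plain)                     # True: a sniffer reads the key directly
    signed = md5_packet("10.1.1.1", "0.0.0.0", 10, "areapassword", seq=100)
    print(b"areapassword" in signed)             # False: only the digest is transmitted
    print(verify_md5(signed, {10: "areapassword"}, last_seq=99))
```

The sequence-number check is what keeps a captured packet from being replayed later; the digest check is what ties the packet to the shared key. MD5 is retained here because it is what the page configures; the same key-ID and sequence framing is used by the HMAC-SHA variants of RFC 5709, which are preferred where the platform supports them.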

An example is when a network administrator needs to specify which routers become the DR and the BDR. Setting the interface priority or the router ID on specific routers accomplishes this requirement. The router selects the DR based on the highest value of any one of the following parameters, in the sequence listed:

1. Interface Priority: The interface priority is set with the priority command.
2. Router ID: The router ID is set with the OSPF router-id configuration command.
3. Highest Loopback Address: The loopback interface with the highest IP address is used as the router ID by default. OSPF favors loopback interfaces since they are logical interfaces and not physical interfaces. Logical interfaces are always up.
4. Highest Physical Interface Address: The router uses the highest active IP address from one of its interfaces as the router ID. This option poses a problem if interfaces go down or are reconfigured.

After changing the ID of a router or interface priority, reset neighbor adjacencies. Use the clear ip ospf process command. This command ensures that the new values take effect.

6.2.3 - Tuning OSPF Parameters: The diagram depicts three routers, R1, R2, and R3, all connected to a switch S1. R1 IP: 192.168.1.1; R2 IP: 192.168.1.2; R3 IP: 192.168.1.3. There are three sets of OSPF configuration commands listed, which are as follows:

Priority
R1(config)# interface fastethernet 0/0
R1(config-if)# ip ospf priority 50

Router ID
R1(config)# router ospf 1
R1(config-router)# router-id 10.1.1.1

Loopback interface
R1(config)# interface loopback 1
R1(config-if)# ip address 10.1.1.1 255.255.255.255

Page 2: Lab Activity: Configure OSPF loopback addresses in a multi-access topology to control DR/BDR election. Click the lab icon to begin.

6.2.3 - Tuning OSPF Parameters: Link to Hands-on Lab: Controlling a DR/BDR Election. Configure OSPF loopback addresses in a multi-access topology to control DR/BDR election.

Page 3: Bandwidth is another parameter that often requires modification. On Cisco routers, the bandwidth value on most serial interfaces defaults to 1.544 Mbps, the speed of a T1. This bandwidth value determines the cost of the link but does not actually affect the speed of the link.

In some circumstances, an organization receives a fractional T1 from the service provider. One-fourth of a full T1 connection is 384 Kbps and is an example of a fractional T1. The IOS assumes a T1 bandwidth value on serial links even though the interface is actually only sending and receiving at 384 Kbps. This assumption results in improper path selection, because the routing protocol determines that the link is faster than it is. When a serial interface is not actually operating at the default T1 speed, the interface requires manual modification.

In OSPF, modification using the bandwidth interface command or the ip ospf cost interface command achieves the same result. Both commands specify an accurate value for use by OSPF to determine the best route. The bandwidth command modifies the bandwidth value used to calculate the OSPF cost metric. To directly modify the cost of an interface, use the ip ospf cost command. Configure both sides of the link to have the same value.

6.2.3 - Tuning OSPF Parameters: The diagram depicts a network, identifying bandwidth and OSPF cost configuration commands. The network topology consists of three routers, R1, R2, and R3. R1 is connected to R2 via a serial link (R1: 192.168.10.1/30 S0/0/0, R2: 192.168.10.2 S0/0/0). R1 is connected to R3 via a serial link (R1: 192.168.10.5/30 S0/0/1, R3: 192.168.10.6 S0/0/0). R2 is connected to R3 via a serial link (R2: 192.168.10.9 S0/0/1, R3: 192.168.10.10 S0/0/1). R1 has the network 172.16.1.16/28 attached to Fa0/0 (Fa0/0 IP: 172.16.1.17). R2 has the network 10.10.10.0/24 attached to Fa0/0 (Fa0/0 IP: 10.10.10.1). R3 has the network 172.16.1.32/29 attached to Fa0/0 (Fa0/0 IP: 172.16.1.33). The bandwidth on the link between R1 and R2 is 64 kbps. The bandwidth on the link between R1 and R3 is 256 kbps. The bandwidth on the link between R2 and R3 is 128 kbps.

There are screen shots of R1 and R3, showing the bandwidth and OSPF cost command configurations used when calculating the OSPF cost metric. These commands are shown, as follows:

R1
R1(config)# interface serial0/0/0
R1(config-if)# bandwidth 64
R1(config-if)# interface serial0/0/1
R1(config-if)# bandwidth 256
R1(config-if)# end

The bandwidth 64 is highlighted and there is a section at the bottom, which says "10^8 / 64,000 bps = 1562".

R3
R3(config)# interface serial0/0/0
R3(config-if)# ip ospf cost 1562

Page 4: Another parameter related to the OSPF cost metric, also referred to as the link cost, is the reference bandwidth. The bandwidth value calculation of each interface uses the equation 100,000,000 / bandwidth. The 100,000,000, or 10^8, which is used to calculate interface cost, is known as the reference bandwidth. A problem exists with links of higher speeds, such as Gigabit Ethernet and 10 Gigabit Ethernet links. Using the default reference bandwidth of 100,000,000 results in interfaces with bandwidth values of 100 Mbps and higher having the same OSPF cost of 1. To obtain more accurate cost calculations, it may be necessary to adjust the reference bandwidth value. The reference bandwidth is modified using the OSPF command auto-cost reference-bandwidth.

When this command is necessary, use it on all routers so that the OSPF routing metric remains consistent. The new reference bandwidth is specified in terms of Mbps. To set the reference bandwidth to 10-Gigabit speed, use the value of 10,000.

6.2.3 - Tuning OSPF Parameters: The diagram depicts a drawing of a flowchart to aid in problem solving. Problem: New 10 Gigabit link to the ISP not performing as well as expected. Solution: Modify the reference bandwidth (default bandwidth only 1.544 Mbps).

Page 5: Lab Activity: Configure OSPF link cost in a point-to-point topology to influence routing decisions. Click the lab icon to begin.

6.2.3 - Tuning OSPF Parameters: Link to Hands-on Lab: Configuring OSPF Parameters. Configure OSPF link cost in a point-to-point topology to influence routing decisions.

6.2.4 Verifying OSPF Operation

Page 1: Once configured, OSPF has several commands available that verify proper operation. When troubleshooting OSPF networks, the show ip ospf neighbor command is used to verify that the router has formed an adjacency with its neighboring routers. If the router ID of the neighboring router is not displayed, or if it does not show a state of FULL, the two routers have not formed an OSPF adjacency. If a router is a DROther, adjacency occurs if the state is FULL or 2WAY.

Two routers may not form an OSPF adjacency if:
• The subnet masks do not match, causing the routers to be on separate networks
• OSPF hello or dead timers do not match
• OSPF network types do not match
• There is a missing or incorrect OSPF network command

6.2.4 - Verifying OSPF Operation: The diagram depicts three routers, R1, R2, and R3, all connected to a switch. Each router has an address on the shared 192.168.1.0 segment and a network on Loopback 0; the diagram gives the values. The diagram also depicts a table with the results of the show ip ospf neighbor command, which is shown from the R1 command prompt. The two neighbor rows read: Pri 1, State FULL/DR, Dead Time 00:00:37, Interface FastEthernet0/0; and Pri 1, State 2WAY/DROTHER, Dead Time 00:00:15, Interface FastEthernet0/0, with each neighbor's router ID and interface address in the Neighbor ID and Address columns.

Explanations of the fields of the show ip ospf neighbor command are as follows:
Neighbor ID - The router ID of the neighbor.
Priority - The priority of the router interface.
State - The state of the neighbor relationship. If this is a multi-access Ethernet network, DR and BDR labels display after FULL/ in the State column.
Dead Time - The amount of time remaining before the router will declare the neighbor dead without receiving a Hello packet.
Address - The IP address of the interface of the neighbor.
Interface - The interface of this router that formed the adjacency with the neighbor.
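The adjacency check described on Page 1 and the list above, applied to show ip ospf neighbor output, as an added example that is not code from the curriculum page. The sample output is constructed (router IDs, addresses and the stuck serial neighbor are illustrative), and the parser and check functions are this example's own:

```python
"""Check `show ip ospf neighbor` output for adjacencies that never completed.

Added example, not from the curriculum page. SAMPLE is constructed output in
IOS layout; the router IDs and addresses in it are illustrative.
"""
import re
from collections import namedtuple

Neighbor = namedtuple("Neighbor", "router_id priority state role dead_time address interface")

# One neighbor row: ID, priority, STATE/ROLE (IOS prints e.g. "FULL/DR", "2WAY/DROTHER",
# "EXSTART/  -"), dead timer, neighbor address, local interface.
LINE_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+(?P<state>[A-Z0-9]+)/\s*(?P<role>[A-Z\-]+)\s+"
    r"(?P<dead>[\d:]+|-)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s*$"
)

HEALTHY_STATES = {"FULL"}

SAMPLE = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.2.2.2          1   FULL/DR         00:00:37    192.168.1.2     FastEthernet0/0
10.3.3.3          1   2WAY/DROTHER    00:00:15    192.168.1.3     FastEthernet0/0
10.4.4.4          0   EXSTART/  -     00:00:33    192.168.10.2    Serial0/0/0
"""


def parse_neighbors(output: str):
    rows = (LINE_RE.match(line.strip()) for line in output.splitlines())
    return [Neighbor(m["rid"], int(m["pri"]), m["state"], m["role"],
                     m["dead"], m["addr"], m["intf"]) for m in rows if m]


def check_adjacencies(output: str, expected_router_ids=()):
    """Page's rule: FULL is healthy; 2WAY is healthy only toward a DROTHER on a multi-access
    segment; any other state (INIT, EXSTART, EXCHANGE, LOADING, ...) means the adjacency
    never completed. Neighbors expected but absent from the table are reported too."""
    problems = []
    seen = set()
    for n in parse_neighbors(output):
        seen.add(n.router_id)
        if n.state in HEALTHY_STATES:
            continue
        if n.state == "2WAY" and n.role == "DROTHER":
            continue
        problems.append(f"{n.router_id} on {n.interface}: stuck in {n.state}")
    for rid in expected_router_ids:
        if rid not in seen:
            problems.append(f"{rid}: not listed (no hello received or settings mismatch)")
    return problems


if __name__ == "__main__":
    for line in check_adjacencies(SAMPLE, expected_router_ids=("10.2.2.2", "10.3.3.3", "10.4.4.4", "10.5.5.5")):
        print(line)
```

An absent neighbor is the symptom of the four causes listed on the page (mask, timers, network type, network statement): the hello was either never sent on that interface or was discarded on receipt, so the neighbor never reaches the table at all. A neighbor that is listed but stuck below FULL got past the hello checks, which points at the later exchange instead.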

Page 2: Several show commands are also useful in verifying OSPF operation.

show ip protocols - Displays information such as the router ID, the networks that OSPF is advertising, and the IP addresses of adjacent neighbors.
show ip ospf - Displays the router ID and details about the OSPF process. It also shows the last time the SPF algorithm executed.
show ip ospf interface - Displays information such as router ID, network type, cost, timer settings, and area information.
show ip route - Verifies that each router is sending and receiving routes via OSPF.

6.2.4 - Verifying OSPF Operation: A network topology is shown as follows: three routers, R1, R2, and R3. R1 is connected to R2 via a serial link (R1: 192.168.10.1/30 S0/0/0, R2: 192.168.10.2 S0/0/0). R1 is connected to R3 via a serial link (R1: 192.168.10.5/30 S0/0/1, R3: 192.168.10.6 S0/0/0). R2 is connected to R3 via a serial link (R2: 192.168.10.9 S0/0/1, R3: 192.168.10.10 S0/0/1). R1 has the network 172.16.1.16/28 attached to Fa0/0 (Fa0/0 IP: 172.16.1.17) and Lo0: 10.1.1.1/32. R2 has the network 10.10.10.0/24 attached to Fa0/0 (Fa0/0 IP: 10.10.10.1) and Lo0: 10.2.2.2/32. R3 has the network 172.16.1.32/29 attached to Fa0/0 (Fa0/0 IP: 172.16.1.33) and Lo0: 10.3.3.3/32.

There are OSPF show command outputs as follows:

show ip protocols
R1# show ip protocols
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 10.1.1.1
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    172.16.1.16 0.0.0.15 area 0
    192.168.10.0 0.0.0.3 area 0
    192.168.10.4 0.0.0.3 area 0
  Reference bandwidth unit is 100 mbps
  Routing Information Sources:
    Gateway         Distance      Last Update
    10.2.2.2             110      11:29:29
    10.3.3.3             110      11:29:29
  Distance: (default is 110)

show ip ospf
R1# show ip ospf
[some output omitted]
 Routing Process "ospf 1" with ID 10.1.1.1
 Start time: 00:00:19.540, Time elapsed: 11:31:15.776
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Link-local Signaling (LLS)
 Supports area transit capability
 Router is not originating router-LSAs with maximum metric
 Initial SPF schedule delay 5000 msecs
 Minimum hold time between two consecutive SPFs 10000 msecs
 Maximum wait time between two consecutive SPFs 10000 msecs
 Incremental-SPF disabled
 Minimum LSA interval 5 secs
 Minimum LSA arrival 1000 msecs
    Area BACKBONE(0)
        Number of interfaces in this area is 3
        Area has no authentication
        SPF algorithm last executed 11:30:31.628 ago
        SPF algorithm executed 5 times
        Area ranges are
        [output omitted]

show ip ospf interface
R1# show ip ospf interface serial0/0/0
Serial0/0/0 is up, line protocol is up
  Internet Address 192.168.10.1/30, Area 0
  Process ID 1, Router ID 10.1.1.1, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:07
  Supports Link-local Signaling (LLS)

  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.2.2.2
  Suppress hello for 0 neighbor(s)

show ip route
R1# show ip route
Codes: [output omitted]
Gateway of last resort is 192.168.10.2 to network 0.0.0.0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.1/32 is directly connected, Loopback0
O       10.10.10.0/24 [110/782] via 192.168.10.2, 00:08:22, Serial0/0/0
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.16.1.16/28 is directly connected, FastEthernet0/0
O       172.16.1.32/29 [110/782] via 192.168.10.6, 00:08:22, Serial0/0/1
     192.168.10.0/30 is subnetted, 3 subnets
C       192.168.10.0 is directly connected, Serial0/0/0
C       192.168.10.4 is directly connected, Serial0/0/1
O       192.168.10.8 [110/1562] via 192.168.10.2, 00:08:22, Serial0/0/0
                     [110/1562] via 192.168.10.6, 00:08:22, Serial0/0/1
O*E2 0.0.0.0/0 [110/1] via 192.168.10.2, 00:08:22, Serial0/0/0

Page 3: 6.2.4 - Verifying OSPF Operation: The diagram depicts an activity in which you must answer the questions based on the output from the show ip route command of R2, which appears as follows:

R2# show ip route
[output omitted]
Gateway of last resort is not set
     192.168.10.0/30 is subnetted, 3 subnets
C       192.168.10.0 is directly connected, Serial0/0/0
O       192.168.10.4 [110/128] via 192.168.10.1, 00:01:34, Serial0/0/0
                     [110/128] via 192.168.10.10, 00:01:34, Serial0/0/1
C       192.168.10.8 is directly connected, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
O       172.16.1.16/28 [110/65] via 192.168.10.1, 00:01:34, Serial0/0/0
O       172.16.1.32/29 [110/65] via 192.168.10.10, 00:01:35, Serial0/0/1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.10.10.0/24 is directly connected, FastEthernet0/0
C       10.2.2.2/32 is directly connected, Loopback0

One. What is the router ID for R2? A. 192.168.10.2; B. 10.10.10.1; C. 10.2.2.2; D. 192.168.10.9
Two. How many subnets are there for the 172.16.0.0/16 network? 1, 2, or 3
Three. What is the administrative distance for OSPF routes? 1, 65, 110, or 128
Four. What is the metric for the path to the 192.168.10.4 network? 1, 65, or 128
Five. How many networks were learned by OSPF?

Page 4: Lab Activity: Configure and verify point-to-point and multi-access OSPF networks, including tuning parameters. Click the lab icon to begin.

6.2.4 - Verifying OSPF Operation: Link to Hands-on Lab: Configuring and Verifying Point-to-Point and Multi-Access OSPF. Configure and verify point-to-point and multi-access OSPF networks, including tuning parameters.

6.3 Using Multiple Routing Protocols

6.3.1 Configuring and Propagating a Default Route

Page 1: Most networks connect to other networks through the Internet. OSPF provides routing information about networks within an AS. OSPF must also provide information about reaching networks outside of the AS. Sometimes administrators configure static routes on certain routers to provide information that is not received via a routing protocol. Configuring static routes on all routers in a large network is cumbersome. An easier method is to configure a default route that points to the Internet connection for a network.

With OSPF, an administrator configures this route on an Autonomous System Boundary Router (ASBR). The ASBR is also often called the Autonomous System Border Router. The ASBR connects the OSPF network to an outside network. As soon as the default route is entered in the routing table of the ASBR, it can be configured to advertise that pathway to the rest of the OSPF network. This process informs every router within the AS of the default route and spares the administrator the work of configuring static routes on every router in the network.

Page 2: To configure a router to distribute a default route into the OSPF network, follow these two steps.

Step 1: Configure the ASBR with a default route.
R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0
The default static route statement can specify an interface or the next hop IP address.

Step 2: Configure the ASBR to propagate the default route to other routers. By default, OSPF does not inject the default route into its advertisements even when the route exists in its routing table.
R1(config)#router ospf 1
R1(config-router)#default-information originate

The routing tables of the other routers in the OSPF domain should now have a gateway of last resort and an entry for the 0.0.0.0/0 network. The default route is injected into the OSPF domain so that it appears as an external type 2 route (E2) in the routing tables of the other routers.

6.3.1 - Configuring and Propagating a Default Route. The diagram depicts R1 and R2 directly connected to each other by a serial link using a /30 network address.

R1 S0/0/0 has IP address 192.168.10.1; R2 S0/0/0 is at the other end of the link. R2 has a network connected to its FastEthernet interface using the network address 10.0.0.0/24. R1 is connected by a serial link to the ISP, and the network address of that link is 209.165.200.224/27. Note: some of the output is omitted.

Various outputs from R1 and R2 are shown for the following situations: when there is no default route configured; the configuration commands to create and propagate a default route; and when there is a default route configured.

No Default Route. R1 says, "I have nowhere to forward unknown traffic." R2 says, "I have nowhere to forward unknown traffic." R1 and R2 output is displayed when the command show ip route is issued.
R1# show ip route
Gateway of last resort is not set
[output omitted]
R2# show ip route
Gateway of last resort is not set
[output omitted]

Creation and Propagation of Default Route.
R1(config)# ip route 0.0.0.0 0.0.0.0 serial 0/0/1
R1(config)# router ospf 1
R1(config-router)# default-information originate

With Default Route.
R1# show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
[output omitted]
S* 0.0.0.0/0 is directly connected, Serial0/0/1
R2# show ip route
Gateway of last resort is 192.168.10.1 to network 0.0.0.0
[output omitted]
O*E2 0.0.0.0/0 [110/1] via 192.168.10.1, 00:37:23, Serial0/0/0

Page 3: Lab Activity. Configure an OSPF default route and propagate it to other routers in the OSPF area through the routing protocol. Click the lab icon to begin.

6.3.1 - Configuring and Propagating a Default Route. Link to Hands-on Lab: Configuring and Propagating an OSPF Default Route. Configure an OSPF default route and propagate it to other routers in the OSPF area through the routing protocol.

6.3.2 Configuring OSPF Summarization
Page 1: One method that reduces the number of routing updates and the size of the OSPF routing tables is route summarization. When a router is using a summary route, it uses a single supernet address to represent several routes. It does not forward updates about the individual routes. Doing this reduces the number of networks that are advertised throughout the OSPF domain. It also reduces memory requirements and the number of entries in the router updates.

Additionally, summary routes reduce the issue of flapping routes. Flapping refers to a route that consistently goes up and down. By default, every time a route flaps, a link-state update is propagated throughout the entire domain. This can create a lot of traffic and processing overhead. If one or more of the routes is flapping, the router will continue to advertise only the more stable summary route. Only one of the routes included within the summary must actually be up in order for the router to advertise the summary route. Any packets forwarded to the flapping route while the route is down will simply be dropped at the summarizing router.

Routes can be summarized into OSPF or between areas within the same OSPF network. To facilitate OSPF summarization, group together IP addresses in a network area. For example, in a single OSPF area, allocate four contiguous network segments, such as:
• 192.168.0.0/24
• 192.168.1.0/24
• 192.168.2.0/24
• 192.168.3.0/24
It is possible to summarize and advertise the four networks as one supernet of 192.168.0.0/22. To configure an OSPF ABR router to summarize these networks to another OSPF area, issue the following command in router configuration mode:

area area-id range ip-address ip-address-mask
Specify the area in which the networks are summarized as well as the starting network number and summary mask. In order to take advantage of summarization, network numbers in areas should be assigned in a contiguous way so that these addresses can be combined into one range.

More Information Popup: Inter-area route summarization is configured on Area Border Routers (ABRs) and applies to routes from within the AS. Summary routes between autonomous systems are configured on the Autonomous System Border Router (ASBR).

6.3.2 - Configuring OSPF Summarization. The diagram depicts five routers in a cloud labeled Area 0. The ASBR router is connected to R1, R2, R3, and R4 via serial links that are all within Area 0. The ASBR router has a serial link to the ISP router, which is situated outside the cloud. The four routers within the cloud have individual networks connected to them: R1 has network 192.168.0.0/24 connected, R2 has network 192.168.1.0/24, R3 has network 192.168.2.0/24, and R4 has network 192.168.3.0/24. The summary route for Area 0 is 192.168.0.0/22.

Page 2: Lab Activity. Configure OSPF summarization to reduce routing updates. Click the lab icon to begin.

6.3.2 - Configuring OSPF Summarization. Link to Hands-on Lab: Configuring OSPF Summarization. Configure OSPF summarization to reduce routing updates.

6.3.3 OSPF Issues and Limitations
Page 1: OSPF is a scalable routing protocol. It has the ability to converge quickly and operate within very large networks. There are, however, some issues to consider when using it. OSPF must maintain multiple databases and therefore requires more router memory and CPU capabilities than distance vector routing protocols.
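The area range summarization described in 6.3.2 above can be checked before it is configured. The following Python example is added here and is not part of the course material; it assumes only the standard library ipaddress module. It computes the smallest supernet covering a list of component networks, prints the matching area range command, and, as the caveat the text raises (packets for a down component are dropped at the summarizing router), reports any address space the summary would advertise that no component actually owns. It goes beyond the chapter's four-network case by handling any list of contiguous or non-contiguous networks.

```python
import ipaddress
from typing import Dict, Iterable, List


def summary_route(networks: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix (supernet) that contains every listed network."""
    nets = sorted(ipaddress.ip_network(n, strict=True) for n in networks)
    if not nets:
        raise ValueError("no networks to summarize")
    highest = max(n.broadcast_address for n in nets)
    candidate = nets[0]
    # Widen the mask one bit at a time until the highest address is covered.
    while highest not in candidate:
        candidate = candidate.supernet()
    return candidate


def uncovered(summary: ipaddress.IPv4Network,
              networks: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Address space the summary advertises that none of the components owns.
    Traffic for these addresses is attracted to the ABR and then dropped."""
    remaining = [summary]
    components = ipaddress.collapse_addresses(
        ipaddress.ip_network(n, strict=True) for n in networks)
    for comp in components:
        nxt = []
        for block in remaining:
            if comp.subnet_of(block):
                # carve the component out of this block (nothing left if equal)
                nxt.extend(block.address_exclude(comp))
            elif block.subnet_of(comp):
                continue  # block is fully owned by a component
            else:
                nxt.append(block)
        remaining = nxt
    return sorted(remaining)


def area_range_command(area_id: int, networks: Iterable[str]) -> str:
    """The IOS 'area <id> range <address> <mask>' line for the computed summary."""
    s = summary_route(networks)
    return f"area {area_id} range {s.network_address} {s.netmask}"


def summarization_report(area_id: int, networks: Iterable[str]) -> Dict[str, object]:
    """Summary prefix, the configuration line, and any over-advertised holes."""
    nets = list(networks)
    s = summary_route(nets)
    return {
        "summary": str(s),
        "command": area_range_command(area_id, nets),
        "holes": [str(h) for h in uncovered(s, nets)],
    }


# Constructed input: the chapter's four contiguous /24 networks in Area 0.
AREA0_NETWORKS = ["192.168.0.0/24", "192.168.1.0/24",
                  "192.168.2.0/24", "192.168.3.0/24"]

if __name__ == "__main__":
    print(summarization_report(0, AREA0_NETWORKS))
    # With only three of the four networks present, the /22 summary still
    # advertises 192.168.3.0/24, which no router in the area owns.
    print(summarization_report(0, AREA0_NETWORKS[:3]))
```

A non-empty "holes" list is the signal to either allocate the missing block inside the area or choose a tighter set of summary prefixes.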

In addition.3. Advantages Uses bandwidth as a metric Converges quickly using triggered updates Limits routing loops through consistent view of network topology Routing decisions based on latest information Minimizes link-state database . Flooding in large networks with many routers and low bandwidth noticeably decreases network throughput. Despite the issues and limitations of OSPF. interpreting the information contained in the OSPF databases and routing tables requires a good understanding of the technology.3. To avoid excessive use of router resources. 6.OSPF Issues and Limitations The diagram depicts the advantages and disadvantages of using OSPF as a routing protocol. OSPF can flood the network with LSAs and severely limit the amount of data that the network can transport. they may lose connectivity to other areas. OSPF can be challenging to configure if the network is large and the design is complex.The Dijkstra Algorithm requires CPU cycles to calculate the best path. Routers running OSPF are typically more powerful and more expensive. If not. the algorithm consumes significant resources when recalculating frequently.3 . If the OSPF network is complex and unstable. employ a strict hierarchical design to divide the network into smaller areas.fewer SPF calculations Converges faster Supports CIDR and VLSM Designed hierarchically using areas Disadvantages Requires more memory and processor power Requires more complex and expensive implementation Requires an administrator who understands the protocol Floods the network initially with LSA noticeably degrading network performance 6. it is still the most widely used link-state routing protocol within an enterprise. All areas must maintain connectivity to Area 0. During the initial discovery process.4 Using Multiple Protocols in the Enterprise .

Page 1: For various reasons, organizations might choose different routing protocols.
• A network administrator may choose different routing protocols for different sections of a network, based on legacy equipment or available resources.
• Two companies that merge may have configured their networks using different routing protocols and still need to communicate with each other.
When multiple routing protocols exist on a single router, there is the possibility of that router learning of a destination from multiple sources. There must be a predictable method for the router to choose which route to view as the most desirable pathway and place it in the routing table.

6.3.4 - Using Multiple Protocols in the Enterprise. The diagram depicts the merging of traffic between two organizations, A and B, each on a network cloud, running two different routing protocols. The cloud surrounding Organization A uses the OSPF routing protocol. Directly connected to the ABR of Organization A, via serial links, are four routers, each connected to their own networks. Organization B has four routers as part of its network; the routing protocol in use is RIP v2. Three of the routers have networks connected to the BR, which is the fourth router. The BR in B is directly connected to the ABR of Organization A. The border routers BR and ABR are running both routing protocols, RIP v2 and OSPF. This enables traffic to traverse both networks, sending OSPF updates out of the ABR to the BR in Organization B. The BR in Organization B sends RIP updates to Organization A.

Page 2: When a router learns of a single network from multiple sources, it uses the administrative distance (AD) to determine which route it prefers. The Cisco IOS assigns all routing information methods an AD. The code at the beginning of the routing table entry indicates the source of the route, or how it was learned. Each code is associated with a specific AD. If a router learns of a particular subnet by way of RIP and OSPF, the OSPF-learned route is the one that it chooses for the routing table. Its AD is lower and, therefore, more desirable.

6.3.4 - Using Multiple Protocols in the Enterprise. The diagram depicts a comparison of various routing information from different protocols and router sources. The information below appears in a table. The column headers are Route Source, Administrative Distance, and Default Metric.

Route Source          Administrative Distance   Default Metric
Connected             0                         0
Static                1                         0
EIGRP Summary Route   5                         0
External BGP          20                        [not recoverable from the extracted text]
Internal EIGRP        90                        Bandwidth, Delay
IGRP                  100                       Bandwidth, Delay
OSPF                  110                       Link cost (bandwidth)
IS-IS                 115                       Link cost (bandwidth)
RIP                   120                       Hop count
External EIGRP        170                       [not recoverable from the extracted text]
Internal BGP          200                       Value assigned by administrator

6.3.4 - Using Multiple Protocols in the Enterprise. The diagram depicts an activity in which you must analyze the routing table and determine the route source, the AD, and the metric for each entry. Routing Table Information, console output:
Router# show ip route
Gateway of last resort is not set
[The entries (connected 172.16.x.x networks on FastEthernet0/0 and Serial0/0/0, a static 10.x.x.x route, an EIGRP route with [90/2172416], OSPF routes with [110/65] and a RIP route with [120/...] via 172.16.2.2) are garbled in the extracted text and are not reproduced.]
The fourteen answer options include route sources (Connected, Static, SPF, BGP, EIGRP, RIP), administrative distances (0, 1, 90, 110, 120) and metrics (0, 65, 2172416).

Page 3:

If two networks have the same base address and subnet mask, a router views them as identical. It considers a summarized network, as well as an individual network that is part of that summary, as different networks. When this situation occurs, both networks are placed in the routing table. The summarized network 192.168.0.0/22 and the individual network 192.168.1.0/24 are different entries, even though the summarization includes the individual network. The decision of which route to use falls to the entry with the closest, or longest, prefix match.

As an example, a router receives a packet with a destination IP address of 172.16.0.10. Three possible routes match this packet: 172.16.0.0/12, 172.16.0.0/18, and 172.16.0.0/26. Of the three routes, 172.16.0.0/26 has the longest match. For any of these routes to be considered a match, there must be at least the number of matching bits indicated by the subnet mask of the route. Consider looking at the binary representation of each group of IP addresses and the highlighted matches.

6.3.4 - Using Multiple Protocols in the Enterprise. The diagram depicts three tables, each containing a single destination IP address with the corresponding routes. In the tables, each IP address has information for its Route 1, Route 2, or Route 3. Highlighted is the route with the longest match to the IP packet destination. The tables list the destination IP address along with each candidate route, appearing as follows (the next-hop addresses are not recoverable from the extracted text).

Table 1
Destination 192.168.1.23
Route 1: O 192.168.0.0/22 [110/65], serial 0/0/0
Route 2: O 192.168.1.0/24 [110/65], serial 0/0/1
Destination 11000000.10101000.00000001.00010111
Route 1    11000000.10101000.00000000.00000000
Route 2    11000000.10101000.00000001.00000000
(The highlighted area shows the longest match to the IP packet destination: Route 2.)

Table 2
Destination 192.168.3.15
Route 1: O 192.168.0.0/22 [110/65], serial 0/0/0
Route 2: O 192.168.1.0/24 [110/65], serial 0/0/1
Destination 11000000.10101000.00000011.00001111
Route 1    11000000.10101000.00000000.00000000
Route 2    11000000.10101000.00000001.00000000
(The highlighted area shows the longest match to the IP packet destination: Route 1.)

Table 3
Destination 172.16.0.10
Route 1: O 172.16.0.0/12 [110/65], serial 0/0/0
Route 2: O 172.16.0.0/18 [110/65], serial 0/0/1
Route 3: O 172.16.0.0/26 [110/65], serial 0/0/1
Destination 10101100.00010000.00000000.00001010
Route 1    10101100.00010000.00000000.00000000
Route 2    10101100.00010000.00000000.00000000
Route 3    10101100.00010000.00000000.00000000
(The highlighted area shows the longest match to the IP packet destination: Route 3.)

Page 4: The tables help explain that when a router has multiple routes in its routing table for a destination IP address, the router will choose the single route with the longest bit match, thus identifying the network of the destination IP address.
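The two selection rules from pages 2 and 4 above (administrative distance decides between sources for the same prefix; longest prefix match decides which installed prefix forwards a packet) are combined in the following Python example. It is added here and is not part of the course material; the sample routing table is constructed from the chapter's examples (the 192.168.0.0/22 summary beside its 192.168.1.0/24 component, a RIP and an OSPF route to the same 192.168.2.0/24 subnet, and the three 172.16.0.0 routes of different length) and is not a capture from any of the course's routers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances for the route codes used in the chapter's
# routing tables (Cisco IOS defaults: connected, static, EIGRP, OSPF, RIP).
AD = {"C": 0, "S": 1, "D": 90, "O": 110, "R": 120}


@dataclass(frozen=True)
class Route:
    code: str        # routing table code: C, S, D (EIGRP), O (OSPF), R (RIP)
    prefix: str      # e.g. "192.168.1.0/24"
    metric: int      # protocol metric, shown as [AD/metric] in show ip route
    interface: str   # exit interface

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix, strict=True)

    @property
    def ad(self) -> int:
        return AD[self.code]


def install(candidates: List[Route]) -> Dict[ipaddress.IPv4Network, Route]:
    """Step 1, administrative distance: when several sources offer a route to
    the same base address and mask, only the lowest-AD route is installed.
    A summary (192.168.0.0/22) and one of its components (192.168.1.0/24)
    are different prefixes, so both are installed side by side."""
    table: Dict[ipaddress.IPv4Network, Route] = {}
    for r in candidates:
        current = table.get(r.network)
        if current is None or r.ad < current.ad:
            table[r.network] = r
    return table


def lookup(table: Dict[ipaddress.IPv4Network, Route],
           destination: str) -> Optional[Route]:
    """Step 2, longest prefix match: among installed routes whose network
    contains the destination, forward on the one with the longest mask."""
    addr = ipaddress.ip_address(destination)
    matches = [r for net, r in table.items() if addr in net]
    if not matches:
        return None  # no route and no gateway of last resort: packet dropped
    return max(matches, key=lambda r: r.network.prefixlen)


def dotted_binary(address: str) -> str:
    """Dotted binary form, as used in the chapter's longest-match tables."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.ip_address(address).packed)


def matching_bits(destination: str, prefix: str) -> int:
    """Number of leading bits the destination shares with the route's network."""
    d = int(ipaddress.ip_address(destination))
    n = int(ipaddress.ip_network(prefix, strict=True).network_address)
    return 32 - (d ^ n).bit_length()


# Constructed sample routing table (see lead-in); not a capture.
SAMPLE_ROUTES = [
    Route("O", "192.168.0.0/22", 65, "Serial0/0/0"),
    Route("O", "192.168.1.0/24", 65, "Serial0/0/1"),
    Route("R", "192.168.2.0/24", 1, "Serial0/0/1"),
    Route("O", "192.168.2.0/24", 65, "Serial0/0/0"),
    Route("O", "172.16.0.0/12", 65, "Serial0/0/0"),
    Route("O", "172.16.0.0/18", 65, "Serial0/0/0"),
    Route("O", "172.16.0.0/26", 65, "Serial0/0/1"),
]


def installed_source(prefix: str, routes: List[Route] = SAMPLE_ROUTES) -> str:
    """Code of the route that won the AD comparison for an exact prefix."""
    return install(routes)[ipaddress.ip_network(prefix, strict=True)].code


def chosen_route(destination: str, routes: List[Route] = SAMPLE_ROUTES) -> Optional[str]:
    """'code prefix interface' of the forwarding route, or None if dropped."""
    r = lookup(install(routes), destination)
    return None if r is None else f"{r.code} {r.prefix} {r.interface}"


if __name__ == "__main__":
    for dst in ("192.168.1.23", "192.168.3.15", "172.16.0.10", "192.168.2.9", "10.1.1.1"):
        print(dst, dotted_binary(dst), "->", chosen_route(dst))
```

Note the order of the two steps: AD is applied when a route is installed, so the RIP route to 192.168.2.0/24 never reaches the forwarding decision, while the longer 192.168.1.0/24 beats the /22 summary for 192.168.1.23 even though both were learned by OSPF with the same AD and cost.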

Page 5: 6.3.4 - Using Multiple Protocols in the Enterprise. The diagram depicts an activity in which you must answer the questions below. Questions One through Five each ask: Select the route the packet will take if the destination network is [address]. For each question, three candidate routing table entries (Option 1, Option 2, Option 3) are given. The candidates include connected (C), static (S), RIP (R), EIGRP (D) and OSPF (O) entries for 10.0.0.0, 172.16.0.0 and 192.168.x.0 networks with differing prefix lengths, reached via FastEthernet 0/0, Serial 0/0/0 or Serial 0/0/1. The destination addresses and the exact candidate entries are not recoverable from the extracted text.

6.4 Chapter Summary
6.4.1 Summary
Page 1: 6.4.1 - Summary. Three Diagrams, Slider Graphic.

Diagram 1, Image: The diagram depicts six routers connected in a pentagonal-shaped topology.

Diagram 1 text: OSPF is a classless interior link-state routing protocol used in enterprise networks. OSPF offers scalability and route summarization, and isolates routing issues. OSPF routers within an area advertise information about the status of links to their neighbors using LSAs. OSPF routers use their router ID to elect a DR and BDR on multi-access networks. A network administrator can dictate which routers become the DR and the BDR by setting the priority or router ID on the routers. An OSPF AS design starts with the backbone area, or Area 0. Other areas created are all adjacent to Area 0. An ABR connects an area to the backbone area. An ASBR connects the entire OSPF AS to another AS. OSPF requires more router memory and CPU resources, which means more powerful and more expensive routers.

Diagram 2, Image: The diagram depicts three routers interconnected via serial links. The OSPF packets from all three routers are encrypted to increase security.
Diagram 2 text: The OSPF network command uses a combination of network address and wildcard mask. It specifies the interface address or range of addresses enabled for OSPF. OSPF uses bandwidth to generate the cost metric. The bandwidth interface command and the ip ospf cost interface command ensure that OSPF uses an actual cost to determine the best route. To ensure the security of OSPF updates, configure authentication between routers. The most secure method of authentication is MD5. Several show commands verify OSPF operation, including show ip protocols, show ip route, show ip ospf, show ip ospf neighbor, and show ip ospf interface.

Diagram 3, Image: The diagram depicts four areas encompassing the EIGRP router.
Diagram 3 text: An administrator configures a default route on an ASBR and then configures it to advertise the default route into the rest of the OSPF network. Inter-area route summarization is configured on an ABR and applies to routes from within the AS. Summary routes between autonomous systems are configured on the ASBR. Route redistribution allows routes from one routing protocol, or static routes, to be imported into another routing protocol. AD and longest prefix match determine the preferred route to a network.

6.4.2 Critical Thinking
Page 1: 6.4.2 - Critical Thinking. The diagram depicts an activity in which you must answer the questions based on the information contained in the exhibit.

Exhibit: The exhibit depicts the output following the show ip route command on RTR1.
RTR1# sh ip route
[output omitted]
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
R 10.x.x.0/24 [120/1] via 10.x.x.x, 00:00:12, Serial0/2/1
C 10.x.x.16/29 is directly connected, FastEthernet0/1
S 10.x.x.0 is directly connected, FastEthernet1/0
192.168.x.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 is directly connected, Serial0/2/1
[The 10.x.x.x and 192.168.x.x octets are garbled in the extracted text; the 192.168.x.0/30 subnet line with 1 subnet is also present but unreadable.]

Questions One through Four each state: A packet is destined for [10.x.x.3/24, 10.x.x.17/29 or another 10.x.x.x address not recoverable from the extracted text]. Out of which interface does the packet leave?
Option 1: FastEthernet 1/0
Option 2: FastEthernet 0/1
Option 3: Serial 0/2/1
Option 4: FastEthernet 0/0

6.5 Chapter Quiz
6.5.1 Quiz
Page 1: Take the chapter quiz to check your knowledge. Click the quiz icon to begin.

Quiz. Chapter 6 Quiz: Routing with a Link-State Protocol

1. What attribute is associated with link-state routing protocols?
A. split horizon
B. poison reverse
C. low processor overhead
D. shortest-path first calculations

2. To answer this question refer to the information regarding the Destination IP address and the Learned Routes.
Destination IP address: 192.168.2.143
Learned Routes (next-hop addresses are not recoverable from the extracted text):
O 192.168.2.0/24 [110/65] via [next hop], 00:00:05, Serial 0/0/0
R 192.168.2.0/24 [120/1] via [next hop], 00:00:05, Serial 0/0/1
D 192.168.2.0/24 [90/21765] via [next hop], 00:00:05, FastEthernet 0/0
The router learned three different routes to the subnet 192.168.2.0/24. What action will the router take to forward a packet to the destination of 192.168.2.143?
A. The packet will be dropped by the router.
B. The packet will be load-balanced across the three routes.
C. The packet will exit the router through the FastEthernet 0/0 interface.
D. The packet will be forwarded to the next hop of [address not recoverable from the extracted text].

3. If OSPF is configured in the network using the costs, as described in the Network Topology and Table of OSPF Costs, which path will a packet take from H1 to H2? To answer this question refer to the description of the Network Topology and the Table of OSPF Costs.
Network Topology: Host H1 is connected via an Ethernet cable to router R1. R1 is connected via Ethernet cable to router R2. R1 is also connected via an Ethernet cable to R5. R1 is also connected via a T3 serial link to R3. R1 is also connected via a T1 serial link to R4. R2 is connected via a T1 serial link to router R5. R3 is connected via a FastEthernet link to R4. R4 is connected via a GigEthernet link to R5. Finally, R5 is connected via an Ethernet link to host H2.
Table of OSPF Costs: GigabitEthernet link = OSPF cost of 1; FastEthernet link = OSPF cost of 10; T3 link = OSPF cost of 20; Ethernet link = OSPF cost of 100; T1 link = OSPF cost of 800.
A. R1-R5
B. R1-R4-R5
C. R1-R3-R4-R5
D. R1-R2-R5

4. To answer this question refer to the partial output from the show running-config command on RouterA. With all interfaces on RouterA active, the network administrator modifies the configuration of the router by issuing the command no router-id 18.x.x.x (the full address is garbled in the extracted text). The configuration is then saved and the router restarted. What will be the router ID for RouterA when OSPF is re-established?

RouterA# show running-config
interface Loopback0
 ip address 192.168.x.x 255.255.255.0
!
interface Loopback1
 ip address 192.168.x.x 255.255.255.0
!
interface Serial0/0/0
 ip address 172.16.x.x 255.255.255.252
!
interface FastEthernet0/0
 ip address 192.168.x.x 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.x.x 255.255.255.0
!
router ospf 100
 router-id 18.x.x.x
[The x octets and the answer choices A through E, which list candidate router IDs, are not recoverable from the extracted text.]

5. To answer this question refer to the Network Topology.
Network Topology: A switch at the core of a star topology is connected to routers A, B, C and D. RouterA, RouterB, and RouterC in the network topology are running OSPF on their Ethernet interfaces. The routers are configured with loopback interfaces (Lo 0). RouterA, RouterB, RouterC and RouterD are each connected to the core switch via Fa0/0 with an IP address in 172.16.x.x/24, and each has a Loopback0 address 172.16.x.x/32 (the specific addresses are not recoverable from the extracted text). RouterD was just added to the network. What happens to the OSPF DR/BDR after RouterD is added to the network?
A. There is no change in the DR and BDR until either the current DR or BDR goes down.
B. RouterD becomes the DR and RouterA remains the BDR.
C. RouterD becomes the DR and RouterB remains the BDR.
D. RouterB takes over as DR and RouterD becomes the BDR.
E. RouterD becomes the BDR and RouterA remains the DR.
F. RouterC acts as the DR until the election process is complete.

6. To answer this question refer to the Network Topology.
Network Topology: Router A is connected to a LAN addressed 192.168.10.x/26 and Router B is connected to a LAN addressed 192.168.10.x/26; Router A is also connected to Router B via a serial link addressed 192.168.10.x/30 (the exact subnets are garbled in the extracted text). All networks from Router A and Router B are part of OSPF Area 0. What network commands will configure Router A to properly advertise the OSPF routes?

Answer choices A through D each consist of two network statements of the form network 192.168.10.x 0.0.0.63 area 0 (for the /26 LAN) and network 192.168.10.x 0.0.0.3 area 0 or network 192.168.10.x 255.255.255.252 area 0 (for the serial link); the grouping of the statements into choices is not recoverable from the extracted text.

7. To answer this question refer to the Network Topology.
Network Topology: This network topology consists of three routers. Router A is connected to a LAN with the IP address 192.168.10.x/26, Router B is connected to a LAN with the IP address 192.168.10.x/26, and Router C is connected to a LAN with the IP address 192.168.10.x/26. Router A is connected to router B via a serial link with the IP address 192.168.10.x/30, and Router B is connected to router C via a serial link with the IP address 192.168.10.x/30 (the exact subnets are garbled in the extracted text). The OSPF routing protocol is configured for the routers; however, router A is not receiving any OSPF routes from the other routers. Based on the information given in the Network Topology, what is the problem with the router A configuration?
A# show ip protocols
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 192.168.10.x
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    192.168.10.x 0.0.0.63 area 0
    192.168.10.x 0.0.0.3 area 0
  Routing Information Sources:
    Gateway         Distance      Last Update
    192.168.10.65   110           00:00:28
  Distance: (default is 110)
A. One of the network statements is wrong.
B. Auto-summarization needs to be disabled.
C. None of the interfaces are enabled.
D. OSPF has an improper process ID.

8. Which two statements are true regarding the cost calculation for a link in OSPF? (Choose two.)
A. It can be set with the ip ospf cost command.
B. It may be calculated using the formula reference bandwidth/bandwidth.
C. It is calculated proportionally to the observed throughput capacity of the router.
D. It is set to 1544 by default for all OSPF interfaces.
E. The configured loopback addresses map to link costs.

9. To answer this question refer to the Network Topology.
Network Topology: Router HQ has a serial link to the Internet. HQ has serial links to routers North, South, East and West, similar to a hub and spoke type network. All branch offices are connected to the Internet through the headquarters router.
HQ(config)# ip route 0.0.0.0 0.0.0.0 serial 1/0
HQ(config)# router ospf 1
HQ(config-router)# default-information originate

HQ(config)# exit
A network administrator is implementing OSPF between headquarters and multiple branch offices. What effect will the commands entered on the headquarters router have?
A. The command will only affect the local router.
B. The default route will only be learned by the OSPF adjacent neighbors.
C. The command must be applied to all routers in order for the default route to be propagated.
D. The default will be propagated to all routers participating in the same OSPF area.

10. For what two reasons would a network administrator choose to enable authentication for OSPF exchanges? (Choose two.)
A. to prevent routing information from being falsified
B. to reduce OSPF information exchange overhead
C. to keep routing information from being captured
D. to encrypt routing tables to prevent unauthorized viewing
E. to ensure the OSPF routing information takes priority over RIP and EIGRP updates

All contents copyright © 2007-2008 Cisco Systems, Inc. All rights reserved. Translated by the Cisco Networking Academy.

7 Implementing Enterprise WAN Links
7.0 Chapter Introduction
7.0.1 Introduction
Page 1: 7.0.1 - Introduction. Connecting remote sites together by an enterprise WAN allows users to access network resources and information. Service providers charge for the use of their network resources. As information traverses the WAN, the Layer 2 encapsulation adapts to match the technology. A popular WAN technology that uses packet switching is Frame Relay. After completion of this chapter, you should be able to: Describe the features and benefits of common WAN connectivity options. Compare common WAN encapsulations and configure PPP. Describe Frame Relay.

7.1 Connecting the Enterprise WAN
7.1.1 WAN Devices and Technology
Page 1: As companies grow, they often expand from a single location to multiple remote locations. This expansion requires that the business network expand from a local area network (LAN) to a wide area network (WAN). Within a LAN, a network administrator has physical control over all cabling, devices, and services. Although some larger companies maintain their own WANs, most organizations purchase WAN services from a service provider. ISPs allow users to

share resources among remote locations without incurring the expense of building and maintaining their own network.

7.1.1 - WAN Devices and Technology. The animation depicts the evolution of a WAN. A company's network expands from a LAN in a single location to LANs in multiple locations, forming a WAN.

Page 2: Control of network resources is not the only difference between a LAN and a WAN. The technologies also differ. The most common LAN technology is Ethernet. WAN technologies are serial transmissions. Serial transmissions enable reliable, long-range communications at slower speeds than a LAN. When implementing a WAN, the WAN technology used determines the type of devices required by an organization. For example, a router used as a gateway to connect to the WAN translates the data into a format that is acceptable to the service provider network. A translation device, such as a modem, prepares the data for transmission across the service provider network. When using an analog connection, a modem is necessary. Preparing the data for transmission on the WAN using digital lines requires a channel service unit (CSU) and a data service unit (DSU). These two devices are often combined into a single piece of equipment called the CSU/DSU. In certain environments, this device integrates into the interface card in the router.

When a business subscribes to WAN services through an ISP, the ISP owns and maintains most of the equipment. In certain environments, the subscriber may own and maintain some of the connection equipment. Regardless of ownership, service providers use the term customer premise equipment (CPE) to describe equipment located at the customer site. The point at which the control and responsibility of the customer ends and the control and responsibility of the service provider begins is known as the demarcation point, or demarc. For example, the demarc might exist between the router and the translating device, or between the translating device and the central office (CO) of the service provider.

7.1.1 - WAN Devices and Technology. The diagram depicts a network cloud containing a WAN network, including the cities of New York, Boston, Osaka, and Orlando. All locations are connected together. On the edge of the cloud, a CO switch is connected to a corporate network via a CSU/DSU that is owned by the customer; switches and a trunk are also shown.

Page 3: The CO is the location where the service provider stores equipment and accepts customer connections. The physical line from the CPE connects into a router or WAN switch at the CO using copper or fiber cabling.

This connection is called the local loop, or last mile, because it is the first part of the medium leading from the location of the customer. From the customer perspective, it is the first mile. The CSU/DSU or modem controls the rate at which data moves onto the local loop. It also provides the clocking signal to the router. The CSU/DSU is data communications equipment (DCE). The router, which is responsible for passing the data to the DCE, is data terminal equipment (DTE). The DTE/DCE interface uses various Physical Layer protocols, such as X.21 and V.35. These protocols establish the codes and electrical parameters that the router and the CSU/DSU use to communicate with each other.

7.1.1 - WAN Devices and Technology The diagram depicts the Layer 1 WAN protocols and a brief description of each. In the diagram, a Data Terminal Equipment (DTE) interface to a WAN link is connected to the Data Communication Equipment (DCE) end of a service provider's communication facility. The DCE is connected to the ISP. The following protocols may be used in a DTE and DCE connection.
EIA/TIA-232: Allows signal speeds of up to 64 Kbps on a 25 pin D connector over short distances. Formerly known as RS-232. Same as ITU-T V.24 specification.
EIA/TIA-449/530: Faster (up to 2 Mbps) version of EIA/TIA-232. Uses a 36 pin D connector and is capable of longer cable runs. Also known as RS-422 and RS-423.
EIA/TIA-612/613: Provides access to services of up to 52 Mbps on a 60 pin D connector.
V.35: An ITU-T standard for synchronous communications between a network access device and a packet network at speeds up to 48 Kbps. Uses a 34 pin rectangular connector.
X.21: An ITU-T standard for synchronous digital communications. Uses a 15 pin D connector.

Page 4: Technology continuously develops and improves signaling standards that enable increased speed and traffic. When choosing a WAN technology, it is important to consider the link speed. The first digital networks created for WAN implementations provided support for a 64 kbps connection across a leased line. The term digital signal level 0 (DS0) refers to this standard. As technology improved, service providers supplied subscribers with specific increments of the DS0 channel. For example, in North America, a DS1 standard, also called a T1 line, defines a single line that supports 24 DS0s, plus an 8 kbps overhead channel. This standard enables speeds of up to 1.544 Mbps. A T3 line uses a DS3 standard, which supports 28 DS1s and speeds of up to 44.736 Mbps. Other parts of the world use different standards. For example, Europe offers lines such as E1s, which support 32 DS0s for a speed of up to 2.048 Mbps, and E3s, which support 16 E1s for a speed of up to 34.064 Mbps.

7.1.1 - WAN Devices and Technology The diagram depicts a chart with the column headers Line Type, Signal Standard, and Bit Rate Capacity associated with each WAN technology.
Line Type / Signal Standard / Bit Rate Capacity
56 / DS0 / 56 Kbps
64 / DS0 / 64 Kbps
T1 / DS1 / 1.544 Mbps
E1 / ZM / 2.048 Mbps
J1 / Y1 / 2.048 Mbps
E3 / M3 / 34.064 Mbps
T3 / DS3 / 44.736 Mbps
OC-1 / SONET / 51.84 Mbps
OC-3 / SONET / 155.54 Mbps
OC-9 / SONET / 466.56 Mbps
OC-12 / SONET / 622.08 Mbps
OC-18 / SONET / 933.12 Mbps
OC-24 / SONET / 1244.16 Mbps
OC-36 / SONET / 1866.24 Mbps
OC-48 / SONET / 2488.32 Mbps

Page 5: 7.1.1 - WAN Devices and Technology The diagram depicts an activity in which you must match the WAN term to the definition.
WAN Terms: A. demarc. B. CPE. C. DTE. D. DCE. E. CO. F. local loop. G. CSU/DSU. H. modem.
Definitions:
• The location where the service provider takes over control of the WAN link.
• Equipment located at the site of the customer.
• The local router is this type of equipment.
• The CSU/DSU is this type of equipment.
• The portion of media that connects the end user with the CO.
• The location where the service provider houses equipment and accepts connections from customer networks.
• The device that formats the WAN traffic into a format acceptable to the ISP's network.
• The device required to use an analog connection into the WAN.

7.1.2 WAN Standards Page 1: Designing a network based on specific standards ensures that all of the different devices and technologies found in a WAN environment work together. WAN standards describe the Physical Layer and Data Link Layer characteristics of data transportation. The type of WAN technology employed determines the specific Data Link Layer standards used. Data Link Layer WAN standards include parameters such as physical addressing, flow control, and encapsulation type, as well as how the information moves across the WAN link. Some examples of Layer 2 WAN protocols are:
• Link Access Procedure for Frame Relay (LAPF)
• High-level Data Link Control (HDLC)
• Point-to-Point Protocol (PPP)

Several organizations are responsible for managing both the Physical Layer and Data Link Layer WAN standards. These include:
• International Telecommunications Union Telecommunications Standardization Sector (ITU-T)
• International Organization for Standardization (ISO)
• Internet Engineering Task Force (IETF)
• Electronics Industry Alliance (EIA)
• Telecommunications Industry Association (TIA)

7.1.2 - WAN Standards The diagram depicts the layers of the OSI Model, with the focus on Layer 2, the Data Link Layer. Application Layer. Presentation Layer. Session Layer. Transport Layer. Network Layer. Data Link Layer: Physical addressing, Flow control, Encapsulation type, LAPF for Frame Relay, HDLC, PPP. Physical Layer.

Page 2: 7.1.2 - WAN Standards The diagram depicts an activity in which you must determine whether the standards belong to Layer 1 or Layer 2. Standards: One. VTP Transport Mode. Two. PPP. Three. X.21. Four. EIA/TIA-232. Five. V.35. Six. LAPF. Seven. HDLC.

7.1.3 Accessing the WAN Page 1: WAN links use either digital or analog technology. With analog connections, the data is encoded, or modulated, onto a carrier wave. A modem encodes the information onto that carrier wave before transmission and then decodes it at the receiving end. The modulated signal then carries the information across the medium to the remote site. At the remote site, the signal is demodulated and the receiver extracts the information. The modem gets its name from its task of modulation and demodulation of the carrier signal. Modems enable remote sites to communicate through the plain old telephone system (POTS). They also enable end users to connect to service provider networks through DSL or cable connections.

7.1.3 - Accessing the WAN The diagram depicts a client communicating with a host. The client uses the EIA/TIA-232 protocol to connect to a modem. The signals sent between the computer (client/host) and the modem are digital signals. The modem connects to a POTS cloud. The signals sent between the modem and the telephone network (POTS) are analog signals. The POTS cloud connects to a second modem, which connects to the host, also using the EIA/TIA-232 protocol.

Page 2:

Companies often purchase connectivity using dedicated links between their location and the ISP. These services are often obtained using leased lines for which the companies pay monthly. For example, a T1 link carries 1.544 Mbps of traffic and an E1 link carries 2.048 Mbps of traffic. These lines carry large amounts of data. Often this bandwidth is larger than the amount that the organization actually requires. Organizations purchase one or more DS0 channels. In this case, the customer is ordering part of a T1/E1, or a fractional T1 or fractional E1. A DS0 is not a separate physical entity but rather a time slice of the physical bandwidth on one wire. High-bandwidth connections are split up into several DS0s. A T1 can be split into 24 DS0s of 64 Kbps each. Each of these time slices is then assigned to an individual conversation. The ISP assigns each DS0 to a different conversation or end user. Each fractional connection enables full use of the media by the organization for part of the total time.

7.1.3 - Accessing the WAN The diagram depicts Site A connected to the Service Provider via a T1 1.544 Mbps link. Site B is connected to the service provider via a Fractional T1 128 Kbps link. Site C is connected to the service provider via a Fractional T1 64 Kbps link.

Page 3: There are two techniques in which information from multiple channels can be allocated bandwidth on a single cable based on time: Time Division Multiplexing (TDM) and Statistical Time Division Multiplexing (STDM).

Time Division Multiplexing (TDM) allocates bandwidth based on pre-assigned time slots. Bandwidth is allocated to each channel or time slot regardless of whether the station using the channel has data to transmit. Each time slice represents a period of time during which a conversation has complete use of the physical media. Therefore, with standard TDM, if a sender has nothing to say, its time slice goes unused, wasting valuable bandwidth.

Statistical Time Division Multiplexing (STDM) is similar to TDM except that it keeps track of conversations that require extra bandwidth. It then dynamically reassigns unused time slices on an as-needed basis. In this way, STDM minimizes wasted bandwidth.

7.1.3 - Accessing the WAN The animation depicts the difference in bandwidth utilization when using a multiplexor that is implementing TDM and a multiplexor that is implementing STDM. TDM: The animation shows four hosts sending input into a multiplexor. Each host inputs three time slices. There are three unused time slices between the four hosts. Using TDM, 12 time slices are used to deliver nine time slices. STDM: The animation shows four hosts sending input into a multiplexor. Each host inputs three time slices. There are three unused time slices between the four hosts. Using STDM, nine time slices are used to deliver nine time slices.
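The two multiplexors in the animation, as an added example that is not part of the CCNA Discovery text: each host offers three time slices per cycle, and the functions count how many link slots each scheme consumes to deliver the slices that actually carry data (the host inputs are constructed to match the animation).

```python
"""Added example (not from the CCNA Discovery text): simulate a TDM and an
STDM multiplexor.  Each host hands the multiplexor a list of three time
slices per cycle; a slice with nothing to send is marked UNUSED."""

UNUSED = None  # a time slice in which the host has no data to send


def tdm_schedule(inputs):
    """TDM: every host owns a fixed slot position in every cycle, so an
    unused input slice is still carried across the link as an empty slot.
    The slot position alone identifies the sender."""
    cycles = max(len(slices) for slices in inputs.values())
    link = []
    for c in range(cycles):
        for slices in inputs.values():
            link.append(slices[c] if c < len(slices) else UNUSED)
    return link


def stdm_schedule(inputs):
    """STDM: a slot is handed out only to a host that has data in this
    cycle, so empty input slices are skipped.  Because position no longer
    says who sent a slot, each slot carries the sender's identifier too."""
    cycles = max(len(slices) for slices in inputs.values())
    link = []
    for c in range(cycles):
        for host, slices in inputs.items():
            if c < len(slices) and slices[c] is not UNUSED:
                link.append((host, slices[c]))
    return link


def link_usage(link):
    """Return (slots consumed on the link, slots that carried data)."""
    carried = sum(1 for slot in link if slot is not UNUSED)
    return len(link), carried


# Constructed input matching the animation: four hosts, three slices each,
# three of the twelve slices unused.
ANIMATION_INPUT = {
    "A": ["A1", "A2", "A3"],
    "B": ["B1", "B2", UNUSED],
    "C": ["C1", UNUSED, "C3"],
    "D": [UNUSED, "D2", "D3"],
}

if __name__ == "__main__":
    for name, schedule in (("TDM", tdm_schedule), ("STDM", stdm_schedule)):
        slots, carried = link_usage(schedule(ANIMATION_INPUT))
        print(f"{name}: {slots} link slots used to deliver {carried} data slices")
        # TDM: 12 link slots used to deliver 9 data slices
        # STDM: 9 link slots used to deliver 9 data slices
```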

Page 4: 7.1.3 - Accessing the WAN The diagram depicts an activity in which you must organize the data blocks into the correct order to show how TDM and STDM use bandwidth. Input: Host A: unused, A, unused. Host B: B, B, unused. Host C: C, C, C. Host D: unused, unused, D. Output: TDM: Insert the output in order to fill all 12 time slices. STDM: Insert the output in order to fill all 7 time slices.

7.1.4 Packet and Circuit Switching Page 1: An enterprise connects to WAN services in various ways.

Dedicated Leased Line: One type of connection is a point-to-point serial link between two routers using a dedicated leased line. This enables a one-to-one connection for the basic function of data delivery across a link. Each link requires a separate physical interface and a separate CSU/DSU. As an organization grows to multiple locations, supporting a dedicated leased line between each location becomes very expensive.

Circuit Switching: Circuit switching establishes a circuit between end nodes before forwarding any data. A standard telephone call uses this type of connection. While the circuit is in place, it provides dedicated bandwidth between the two points. No other organizations use the circuit until it releases. Completion of the conversation releases the circuit. This method provides a level of security not available in packet switching or cell switching technology.

With circuit switching, the service provider assigns links to different connections as the need arises. Costs are incurred for the link only when the connection is active. The cost for circuit switching varies based on usage time and can become quite expensive if the circuit is used often.

7.1.4 - Packet and Circuit Switching The animation depicts the process involved in a circuit-switched call. Two modems are connected to a PSTN cloud containing a network of switches. The first modem says "I am initiating a call." The other modem says "I am accepting a call." A circuit is established between switches in the PSTN cloud connecting the modems. For the duration of the call the line is dedicated to the sender and receiver. At the end of the call, the second modem says "I am terminating the call." Once the call has ended, the dedicated connection disappears.

Page 2: Packet Switching: Packet switching uses bandwidth more efficiently than other types of switching. The data is segmented into packets, with an identifier on each packet. The data is then released into the service provider network. The service provider accepts the data and switches the packet from one node to another until the packet reaches its final destination. The service provider switches packets from multiple organizations over the same links. The circuit, or pathway, between the source and destination is often a preconfigured link, but it is not an exclusive link. Frame Relay is an example of packet switching technology.

Cell Switching: Cell switching is a variation of packet switching. Asynchronous Transfer Mode (ATM) uses fixed length, 53-byte cells that have 48 bytes of data and a 5-byte header. The small, uniform size of the cells allows them to be switched quickly and efficiently between nodes. It is capable of transferring voice, video, and data through private and public networks at speeds in excess of 155 Mbps. An advantage of ATM is that it prevents small messages from being held up behind larger messages. However, for networks handling mainly segmented data, ATM introduces a large amount of overhead and actually slows network performance.

7.1.4 - Packet and Circuit Switching The animation depicts the flow of traffic in a packet-switched network. Site A, Site B, Site C, and Site D are in separate locations connected to a cloud of switches. Site A and Site B are both sending packets into the cloud. Traffic from two virtual circuits shares the same links. The packets traverse the cloud and reach their destinations at Site C and Site D.

Page 3: Virtual Circuits: When using packet switching technology, the service provider establishes virtual circuits (VCs). Virtual circuits share the link between devices with traffic from other sources. As a result, the medium is not private during the duration of a connection. There are two types of virtual circuits: switched and permanent.

Switched Virtual Circuit: A switched virtual circuit (SVC) is dynamically established between two points when a router requests a transmission. The circuit is set up on demand and torn down when transmission is complete, such as after a file has been downloaded. When establishing an SVC, call set-up information must be sent before transmitting any data. Call clearing information tears down the connection after it is no longer required. An SVC is built up and torn down as required. This process introduces delays in the network as SVCs are built up and torn down for each conversation.

Permanent Virtual Circuit: A permanent virtual circuit (PVC) provides a permanent path to forward data between two points. A PVC is configured by the network administrator and loaded at switch startup. The service provider must preconfigure the PVCs, and they are very seldom broken or disconnected. This eliminates the need for call setup and clearing. They speed the flow of information across the WAN. PVCs also provide the ISP with much greater control over the data-flow patterns and management of their network. PVCs are more popular than SVCs and usually service sites with high-volume, constant flows of traffic. Frame Relay typically uses PVCs.

7.1.4 - Packet and Circuit Switching The diagram depicts networks connected via a Switched Virtual Circuit (SVC) and via a Permanent Virtual Circuit (PVC). An enterprise network connects via a CSU/DSU to another enterprise network that also uses a CSU/DSU. Between the two networks is a network cloud. The connection through the network is an SVC. A second enterprise network connects via a CSU/DSU to another enterprise network that also uses a CSU/DSU. Between the two networks is a network cloud. The connection through the network is a PVC.

Page 4: 7.1.4 - Packet and Circuit Switching The diagram depicts an activity in which you must identify the best WAN convention to support the scenario. The options are leased line, packet-switched, circuit-switched, or cell-switched WAN conventions. One. An organization connects to multiple remote sites, but only has one serial interface on their router. Two. A small real estate company provides support to their sales staff to pick up email from their home offices. Three. A company connects to their branch offices and securely transfers classified technical drawings. Four. Remote offices connect once a day to upload sales orders. Five. A company WAN supports voice, video, and data connections.

7.1.5 Last Mile and Long Range WAN Technologies Page 1: ISPs use several different WAN technologies to connect their subscribers. The connection type used on the local loop, or last mile, may not be the same as the WAN connection type employed within the ISP network or between various ISPs. When a service provider receives data, it must forward this data to other remote sites for final delivery to the recipient. These remote sites connect either to the ISP network or pass from ISP to ISP to the recipient. Long-range communications are usually those connections between ISPs or between branch offices in very large companies. Some common last mile technologies are:
• Analog dialup
• Integrated Services Digital Network (ISDN)
• Leased line
• Cable
• Digital Subscriber Line (DSL)
• Frame Relay
• Wireless

Each of these technologies provides advantages and disadvantages for the customer. Not all technologies are available in all locations.

7.1.5 - Last Mile and Long Range WAN Technologies The diagram depicts several Enterprise networks using a variety of devices and connections that are linked to the ISP, as follows: Dialup using the telephone line to connect to the ISP. DSL using the telephone line to connect to the ISP. Cable modem using coaxial cable to connect to the ISP. Wireless bridge using a wireless signal to connect to the ISP. Satellite modem connecting to a satellite that connects to the ISP. T1 Leased Line to connect to the ISP.

Page 2: Enterprises are becoming larger and more dispersed. As a result, applications require more and more bandwidth. This growth requires technologies that support high-speed and high-bandwidth transfer of data over even greater distances. Many different WAN technologies exist that allow the service provider to reliably forward data over great distances. Some of these include ATM, satellite, Frame Relay, and leased lines.

Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy (SDH) are standards that allow the movement of large amounts of data over great distances through fiber-optic cables. SDH and SONET are used for moving both voice and data. Both SONET and SDH encapsulate earlier digital transmission standards and support either ATM or Packet over SONET/SDH (POS) networking.

One of the newer developments for extremely long-range communications is dense wavelength division multiplexing (DWDM). DWDM assigns incoming optical signals to specific frequencies or wavelengths of light. DWDM can multiplex more than 80 different wavelengths or channels of data onto a single piece of fiber. Each channel is capable of carrying a multiplexed signal at 2.5 Gbps. It is also capable of amplifying these wavelengths to boost the signal strength. De-multiplexed data at the receiving end allows a single piece of fiber to carry many different formats at the same time and at different data rates. For example, DWDM can carry IP, SONET, and ATM data concurrently.

7.1.5 - Last Mile and Long Range WAN Technologies The diagram depicts a map of the world with enterprise networks super-imposed over Asia, North America, and South Africa. They all connect to a DWDM network cloud.

Page 3:

7.1.5 - Last Mile and Long Range WAN Technologies The diagram depicts an activity in which you must match the technology to the description.
Technologies: One. DSL. Two. Cable. Three. Satellite. Four. DWDM. Five. ATM. Six. Dial Up. Seven. Leased Line. Eight. SONET.
Descriptions:
• 80 channels on existing strand of fiber for extremely long range network.
• Always-on, last mile connectivity using same cable for TV and data.
• Long-range technology to move voice, video, and data over fiber cable.
• Dedicated connectivity for new company selling on-line shopping service.
• Connectivity to office in old hotel that has no high speed service.
• Internet access for remote locations.
• Transfer of fixed length cells at 155 Mbps.
• High speed internet service over existing copper phone cables.

7.2 Comparing Common WAN Encapsulations
7.2.1 Ethernet and WAN Encapsulations Page 1: Encapsulation occurs before data travels across a WAN. Before converting data into bits for transmission across the media, Layer 2 adds header information that is specific to the type of physical network transmission. Within a LAN environment, Ethernet is the most common technology. The Data Link Layer encapsulates the packet into Ethernet frames. The frame headers contain information such as the source and destination MAC addresses, and specific Ethernet controls, like the frame size and timing information. Similarly, the encapsulation of frames destined for transmission across a WAN link matches the technology in use on the link. The encapsulation conforms to a specific format based on the technology used on the network. For example, if using Frame Relay on the link, the type of encapsulation required is Frame Relay-specific. Layer 2 encapsulation adds addressing and control information.

7.2.1 - Ethernet and WAN Encapsulation The animation depicts how the frame format changes as it travels across the network. The diagram depicts a man, labeled Source, sitting at one end of a network using an Ethernet connection. A woman, labeled Destination, is sitting at the other end of the network using an Ethernet connection. Network devices and connection types that make up the network are between the source and destination. Connected to the network is a server farm, a DMZ, and the ISP. Protocols that may be in use during the transmission of the message from the source to the destination include HDLC, PPP, and ATM. The frame format begins from the source as Ethernet, then changes to formats HDLC, PPP, and ATM, and back to Ethernet at the destination. As the message traverses the network, the frame format changes to accommodate the different protocols implemented within the networks the message travels through.

Page 2: The type of Data Link Layer encapsulation is separate from the type of Network Layer encapsulation. As data moves across a network, the Data Link Layer encapsulation may change continuously, whereas the Network Layer encapsulation will not. Packets exit the LAN by way of the default gateway router. If this packet must move across the WAN on its way to the final destination, the router strips off the Ethernet frame and then re-encapsulates that data into the correct frame type for the WAN. As the message traverses the network, the Layer 2 encapsulation changes to match the technology in use. The router acts as a media converter, by adapting the Data Link Layer frame format to a format that is appropriate to the interface. Conversion of frames received on the WAN interface into the Ethernet frame format occurs before placement on the local network. The encapsulation type must match on both ends of a point-to-point connection.

A Data Link Layer encapsulation includes the following fields:
Flag
• Marks the beginning and end of each frame
Address
• Depends on the encapsulation type
• Not required if the WAN link is point-to-point
Control
• Used to indicate the type of frame
Protocol
• Used to specify the type of encapsulated network layer protocol
• Not present in all WAN encapsulations
Data
• Used as Layer 3 data and IP datagram
Frame Check Sequence (FCS)
• Provides a mechanism to verify that the frame was not damaged in transit

7.2.1 - Ethernet and WAN Encapsulation The animation depicts the Layer 2 encapsulation process. A computer, H1, is connected to a switch, S1, which is connected to a router, R1. There is a serial link connecting R1 and a router, R2. R2 is connected to a switch, S2, which is connected to a computer, H2. H1 sends a message out. The header is marked as an Ethernet header. Once the message reaches R1, the protocol changes, requiring the header to change to a PPP header using the IP protocol. This will enable the message to travel through the network. As the message reaches the LAN side of R2, the header is changed back to an Ethernet header, so the message can traverse the Ethernet network and finally reach H2.

Page 3: 7.2.1 - Ethernet and WAN Encapsulation The diagram depicts an activity in which you must match the Layer 2 encapsulation term with its definition.
Terms: Address. Control. Protocol. Flag. Data. FCS.
Definitions:
• Depends on the encapsulation type.
• Not required if the WAN link is point to point.
• Used to indicate the type of frame.
• Used to specify the type of encapsulated Network Layer protocol.
• Not present in all WAN encapsulations.
• Used as Layer 3 data and IP datagram.
• Marks the beginning and end of each frame.
• Provides a mechanism to verify that the frame was not damaged in transit.

7.2.2 HDLC and PPP Page 1: Two of the most common serial line Layer 2 encapsulations are HDLC and PPP. High-level Data Link Control (HDLC) is a standard bit-oriented Data Link Layer encapsulation, which provides error-free communication between two points. HDLC defines a Layer 2 framing structure that allows for flow control and error control using acknowledgments and a windowing scheme. Each frame has the same format, whether it is a data frame or a control frame. HDLC uses synchronous serial transmission. The standard HDLC frame does not contain a field that identifies the type of protocol carried by the frame. For that reason, standards-based HDLC cannot handle multiple protocols across a single link. Cisco HDLC incorporates an extra field, known as the Type field, which allows multiple Network Layer protocols to share the same link. Cisco HDLC is the default Data Link Layer encapsulation type on Cisco serial links. Use Cisco HDLC encapsulation only when interconnecting Cisco equipment.

7.2.2 - HDLC and PPP The diagram depicts the Open Standard HDLC Frame and the Cisco HDLC Frame. Note that the Cisco HDLC frame has a unique Type field not present in the Open Standard HDLC frame. The composition of these frames is listed below.
Open Standard HDLC Frame: Flag: 8 bits. Address: 8 bits. Control: 8 or 16 bits. Information: Variable length, 0 or more bits, multiples of 8. FCS: 16 or 32 bits. Flag: 8 bits.

Cisco HDLC Frame: Flag: 8 bits. Address: 8 bits. Control: 8 bits. Type (Protocol Code): 16 bits. Information: Variable length, 0 or more bits, multiples of 8. FCS: 16 bits. Flag: 8 bits.

Page 2: Like HDLC, Point-to-Point Protocol (PPP) is a Data Link Layer encapsulation for serial links. It uses a layered architecture to encapsulate and carry multi-protocol datagrams over a point-to-point link. Because PPP is standards-based, it enables communication between equipment of different vendors. The following interfaces can support PPP:
• Asynchronous serial
• Synchronous serial
• High-Speed Serial Interface (HSSI)
• Integrated Services Digital Network (ISDN)

PPP has two sub-protocols:
• Link Control Protocol - responsible for establishing, maintaining and terminating the point-to-point link.
• Network Control Protocol - provides interaction with different Network layer protocols.

7.2.2 - HDLC and PPP The diagram depicts the three lower layers of the OSI model, with the focus on PPP in Layer 2, the Data Link Layer. PPP is at the Data Link Layer, where there are two sub-protocols: Link Control Protocol and Network Control Protocol. Link Control Protocol is responsible for authentication and other options. The Network Control Protocol is involved in the interaction between the Data Link Layer and various Network Layer protocols: IP, IPX, IPCP, IPXCP, and many others. The lowest level is the Physical Layer that deals with synchronous or asynchronous media.

Page 3:
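The frame fields described above, as an added example that is not part of the CCNA Discovery text: the code builds and parses a PPP frame in HDLC-like framing (Flag, Address, Control, Protocol, Data, FCS, Flag, per RFC 1662) and shows what the FCS catches. It assumes the standard PPP values 0xFF/0x03 for Address/Control and the 16-bit FCS; byte stuffing for flag bytes inside the payload is left out.

```python
"""Added example (not from the CCNA Discovery text): build and verify a PPP
frame in HDLC-like framing, RFC 1662 style, to show the Flag, Address,
Control, Protocol, Data and FCS fields.  Transparency (byte stuffing of
0x7E/0x7D inside the payload) is omitted to keep the example short."""
import struct

FLAG = 0x7E              # marks the beginning and end of each frame
ADDRESS = 0xFF           # "all stations": a point-to-point link needs no real address
CONTROL = 0x03           # unnumbered information (UI) frame
PROTOCOL_IP = 0x0021     # Protocol field value: an IPv4 datagram follows
PROTOCOL_LCP = 0xC021    # Protocol field value: a Link Control Protocol packet
PROTOCOL_IPCP = 0x8021   # Protocol field value: the IP Control Protocol (an NCP)
PPP_GOOD_FCS16 = 0xF0B8  # CRC residue of a frame whose FCS is intact


def fcs16(data: bytes, fcs: int = 0xFFFF) -> int:
    """Bitwise FCS-16 used by PPP (CRC-16/X.25, reflected polynomial 0x8408)."""
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def build_frame(payload: bytes, protocol: int = PROTOCOL_IP) -> bytes:
    """Address | Control | Protocol | Data | FCS, wrapped in Flag bytes."""
    body = bytes([ADDRESS, CONTROL]) + struct.pack(">H", protocol) + payload
    fcs = fcs16(body) ^ 0xFFFF        # ones' complement of the CRC ...
    body += struct.pack("<H", fcs)    # ... sent least-significant byte first
    return bytes([FLAG]) + body + bytes([FLAG])


def parse_frame(frame: bytes) -> tuple:
    """Return (protocol, payload); raise ValueError for a damaged frame.
    Running the CRC over the body including its FCS must leave the fixed
    residue PPP_GOOD_FCS16, which is how a receiver checks the FCS."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag bytes")
    body = frame[1:-1]
    if fcs16(body) != PPP_GOOD_FCS16:
        raise ValueError("FCS mismatch: frame damaged in transit")
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected address/control")
    (protocol,) = struct.unpack(">H", body[2:4])
    return protocol, body[4:-2]


def fcs_detects_flipped_bit(frame: bytes, byte_index: int, bit: int) -> bool:
    """Flip one bit of the frame and report whether the receiver rejects it.
    The FCS only detects accidental damage: it is not a cryptographic
    check, so it says nothing about who sent the frame or whether it
    was deliberately altered and re-summed."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 1 << bit
    try:
        parse_frame(bytes(damaged))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    frame = build_frame(b"constructed IP payload")
    print("frame:", frame.hex())
    print("parsed:", parse_frame(frame))
    print("bit flip in payload caught:", fcs_detects_flipped_bit(frame, 6, 3))
```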

Link Control Protocol: PPP uses the Link Control Protocol (LCP) to establish, maintain, test, and terminate the point-to-point link. Additionally, LCP negotiates and configures control options on the WAN link. Some of the options that LCP negotiates include:
• Authentication
• Compression
• Error detection
• Multilink PPP
• Callback

LCP also:
• Handles varied packet sizes
• Detects common misconfiguration errors
• Determines when a link is functioning properly and when it is failing

Network Control Protocol: PPP uses the Network Control Protocol (NCP) component to encapsulate multiple Network Layer protocols, so that they operate on the same communications link. Every Network Layer protocol carried on the PPP link requires a separate NCP. For example, IP uses the IP Control Protocol (IPCP), and IPX uses the IPX Control Protocol (IPXCP). NCPs include fields containing codes that indicate the Network Layer protocol.

7.2.2 - HDLC and PPP The diagram depicts the various options of the LCP negotiation process. Each process and a description of some devices used during the process are listed below.

Authentication: The diagram depicts a switch that is linked to the CSU/DSU, or modem, that is linked by a serial connection to the network cloud. The network cloud is linked by a serial connection to a second CSU/DSU, or modem, and then to a computer. The flow of information is from the CSU/DSU, or modem, to the computer. For authentication, the calling side of the link is required to enter specific information to ensure that the caller has the permission to make the call. Peer routers exchange authentication messages. Two authentication options are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

Compression: The diagram depicts two switches at the opposite ends of a network. Between the switches are two compression devices that compress information on the fly between the networks. Compression options increase the effective throughput on PPP connections by reducing the amount of data in the frame that travels across the link. The protocol decompresses the frame at its destination. Two compression protocols available in Cisco routers are Stacker and Predictor.

Multilink: The diagram depicts three computers directly connected to a switch and then to a multilink device that provides load balancing over the PPP router interfaces.

Callback: The diagram depicts a switch that is linked to a CSU/DSU, or modem, that is linked by a serial connection to the network cloud. The network cloud is linked by a serial connection to a second CSU/DSU, or modem, and then to a computer. The flow of information in the diagram is in both directions through the network. With this LCP option, a Cisco router can act as a callback client or as a callback server. The client makes the initial call, requests that it be called back, and terminates its initial call. The callback router answers the initial call and makes the return call to the client based on information configured in its memory.

Page 4: PPP sessions progress through three phases: link establishment, authentication (optional), and Network Layer protocol.

Link-Establishment Phase: PPP sends LCP frames to configure and test the data link. LCP frames contain a configuration option field that negotiates options such as maximum transmission unit (MTU), compression, and link-authentication. If a configuration option is missing, it assumes the default value. Optional parameters, such as these, must be complete before the receipt of a configuration acknowledgment frame. Receipt of the configuration acknowledgement frame completes the Link-Establishment phase. Link authentication and link-quality determination tests are optional parameters within the link-establishment phase. A link-quality determination test determines whether the link quality is good enough to bring up Network Layer protocols.

Authentication Phase (optional)

The authentication phase provides password protection to identify connecting routers. Authentication occurs after the two routers agree to the set parameters but before the NCP Negotiation Phase can begin.

NCP Negotiation Phase

PPP sends NCP packets to choose and configure one or more Network Layer protocols, such as IP or IPX. If LCP closes the link, it informs the Network Layer protocols so that they can take appropriate action. The show interfaces command reveals the LCP and NCP states.

When established, the PPP link remains active until the LCP or NCP frames close the link or until an activity timer expires. A user can also terminate the link.

7.2.2 - HDLC and PPP The animation depicts the negotiate phases of a PPP link, Link Establishment Phase, Authentication Phase, and Network Layer Protocol Phase. Link Establishment Phase The diagram depicts Router, R1, connected by serial link to Router, R2. R1 says, "I want to form a PPP connection with you. Can we agree to communicate using PPP with PAP authentication and compression?" R2 receives the message and replies, "I can form the PPP connection and can use PAP authentication, but I cannot support compression." R2 sends a message back to R1 with this information included in the message. R1 responds, "Can we agree to communicate using PPP with PAP authentication and no compression?" Authentication Phase R2 replies, "We can communicate using PPP with PAP authentication and no compression." R1 receives this message and replies, "My name is R1 and my password is cisco." R2 looks in its table of users, references the username, and compares the password to the one given by R1. R2 replies, "The password matches so I am now ready to form the connection." Network Layer Protocol Phase R1 replies, "I only have IP traffic so we only need to bring up IPCP. I am starting it now." R2 replies, "I have also started IPCP. We can now move IP traffic."
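The exchange in the animation is an LCP option negotiation: one side sends a Configure-Request listing the options it wants, and the peer answers with an acknowledgement, with a counter-proposal (Configure-Nak) when it supports the option but not that value, or with a rejection (Configure-Reject) when it cannot handle the option at all. The following Python model is an added example, not course or Cisco code; the option names, the LcpPeer class and the two scenario functions are hypothetical, and the model ignores LCP's packet encoding and timers to show only the request/answer loop.

```python
from dataclasses import dataclass, field


@dataclass
class LcpPeer:
    """One end of the link. Hypothetical model, not Cisco code."""
    name: str
    # option -> acceptable values in order of preference. An option that is
    # absent here is one the peer cannot handle at all (Configure-Reject).
    supported: dict
    # options this side asks for in its own Configure-Request
    wanted: dict
    agreed: dict = field(default_factory=dict)

    def handle_request(self, options):
        """Answer a peer's Configure-Request with ack, nak or reject."""
        unsupported = {k: v for k, v in options.items() if k not in self.supported}
        if unsupported:
            return "configure-reject", unsupported
        # supported option, but not with the proposed value: suggest our preferred one
        unacceptable = {k: self.supported[k][0] for k, v in options.items()
                        if v not in self.supported[k]}
        if unacceptable:
            return "configure-nak", unacceptable
        self.agreed.update(options)
        return "configure-ack", dict(options)


def negotiate(requester, responder, max_rounds=5):
    """Run the request/answer loop until the responder acks or rounds run out.
    Returns (success, transcript of (code, payload) answers)."""
    options = dict(requester.wanted)
    transcript = []
    for _ in range(max_rounds):
        code, payload = responder.handle_request(options)
        transcript.append((code, payload))
        if code == "configure-ack":
            requester.agreed.update(payload)
            return True, transcript
        if code == "configure-reject":
            for opt in payload:          # drop what the peer cannot do at all
                options.pop(opt)
        else:                            # nak: retry with the suggested values
            options.update(payload)
    return False, transcript


def animation_example():
    """R1 asks for PAP plus compression; R2 can do PAP but not compression."""
    r1 = LcpPeer("R1", supported={"auth": ["pap", "chap"], "compression": ["stac"]},
                 wanted={"auth": "pap", "compression": "stac"})
    r2 = LcpPeer("R2", supported={"auth": ["pap", "chap"]}, wanted={"auth": "pap"})
    ok, transcript = negotiate(r1, r2)
    return ok, r1.agreed, [code for code, _ in transcript]


def mtu_example():
    """A value the peer supports only at a lower setting is nak'd, not rejected."""
    r1 = LcpPeer("R1", supported={"mtu": [1500, 1400]}, wanted={"mtu": 1500})
    r2 = LcpPeer("R2", supported={"mtu": [1400]}, wanted={"mtu": 1400})
    ok, transcript = negotiate(r1, r2)
    return ok, r1.agreed, [code for code, _ in transcript]


if __name__ == "__main__":
    print(animation_example())
    print(mtu_example())
```

Each direction of a real PPP link is negotiated separately (R2 sends its own Configure-Request to R1), which is why the model keeps a per-peer `agreed` set rather than a single shared result.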

Page 5:

7.2.2 - HDLC and PPP Identify the correct layer and phase with the correct PPP components.

Layer and Phase
A. Data Link Layer
B. Physical Layer
C. Phase 3
D. Phase 2
E. Phase 1

PPP Component
One. Link Establishment
Two. Authentication, other options, Link Control Protocol
Three. Synchronous or Asynchronous Physical Media
Four. NCP Negotiation
Five. Network Control Protocol

7.2.3 Configuring PPP Page 1: On Cisco routers, HDLC is the default encapsulation on serial links. To change the encapsulation and use the features and functions of PPP, use the following command:

encapsulation ppp

Enables PPP encapsulation on a serial interface.

Once PPP is enabled, optional features such as compression and load balancing can be configured.

compress [predictor | stac]

Enables compression on an interface using either predictor or stacker.

ppp multilink

Configures load balancing across multiple links.

Compressing data sent across the network can improve network performance. Predictor and stacker are software compression techniques that vary in the way compression is handled. Stacker compression is more CPU-intensive and less memory-intensive. Predictor is more memory-intensive and less CPU-intensive. For this reason, generally use stacker if the bottleneck is due to line bandwidth issues and predictor if the bottleneck is due to excessive load on the router.

Only use compression if network performance issues exist because enabling it will increase router processing times and overhead. Also, do not use compression if the majority of traffic crossing the network is already-compressed files. Compressing an already-compressed file often increases its size.

Enabling PPP multilink allows for multiple WAN links to be aggregated into one logical channel for the transport of traffic. It enables the load-balancing of traffic from different links and allows some level of redundancy in case of a line failure on a single link.

7.2.3 - Configuring PPP The diagram depicts basic PPP configuration. Two routers, R1 and R2, are connected to each other via a serial link. The commands entered at the console terminal window are as follows: R1 R1 (config)# encapsulation ppp with R1 (config)# encapsulation ppp R2 R2 (config)# encapsulation ppp with R2 (config)# encapsulation ppp

Page 2: The following commands are used to verify and troubleshoot HDLC and PPP encapsulation:

show interfaces serial

Displays the encapsulation and the states of the Link Control Protocol (LCP).

show controllers

Indicates the state of the interface channels and whether a cable is attached to the interface.

debug serial interface

Verifies the incrementation of keepalive packets. If packets are not incrementing, a possible timing problem exists on the interface card or in the network.

debug ppp

Provides information about the various stages of the PPP process, including negotiation and authentication.

7.2.3 - Configuring PPP The diagram depicts router output from various commands. Two routers are connected to each other via a serial link. The network address is 192.168.2.0, and both routers have LANs connected to them. Router, R1, has network 192.168.1.0 connected to Fa0/0. R2 has network 192.168.3.0 connected to Fa0/0. The diagram has buttons that can be pushed to highlight the commands show interfaces serial, show controllers, debug serial interface, and debug ppp. The outputs for these commands can be viewed in greater detail in the labs at the end of the module.

Page 3: Lab Activity

Configure and verify a PPP connection between two routers.

Click the lab icon to begin.

7.2.3 - Configuring PPP Link to Hands-on Lab: Configuring and Verifying a PPP Link Configure and verify a PPP connection between two routers.

7.2.4 PPP Authentication Page 1:

Authentication on a PPP link is optional. If configured, authentication occurs after establishment of the link but before the Network Layer protocol configuration phase begins. Two possible types of authentication on a PPP link are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

PAP provides a simple method for a remote device to establish its identity. PAP uses a two-way handshake to send its username and password. The called device looks up the username of the calling device and confirms that the sent password matches what it has stored in its database. If the two passwords match, authentication is successful.

PAP sends the username/password pair across the link repeatedly in clear text until acknowledgement of the authentication or termination of the connection. This authentication method does not protect the username and password from being stolen using a packet sniffer.

Additionally, the remote node is in control of the frequency and timing of the login attempts. Once authenticated, no further verification of the remote device occurs. Without ongoing verification, the link is vulnerable to hijacking of the authenticated connection and to an attacker gaining unauthorized access to the router using a replay attack.

7.2.4 - PPP Authentication The diagram depicts two routers, R1 and R2, in the process of a PAP two-way handshake. The R1 username is Santa Cruz and the password is boardwalk. R1 sends the information to R2 to authenticate. R2 looks at its table for the username and password and accepts or rejects based on this authentication procedure.

Page 2: Another form of PPP authentication is Challenge Handshake Authentication Protocol (CHAP).

Challenge Handshake Authentication Protocol

CHAP is a more secure authentication process than PAP. CHAP does not send the password across the link. Authentication occurs both during initial link establishment and repeatedly during the time the link is active. The called device is in control of the frequency and timing of the authentication, making a hijack attack extremely unlikely.

CHAP uses a three-way handshake.

1. PPP completes the link-establishment phase.

2. Local router sends a challenge message to the remote router.

3. Remote router uses the challenge and a shared secret password to generate a one-way hash.

4. Remote router sends back one-way hash to the local router.

5. Local router checks the response against its own calculation, using the challenge and the same shared secret.

6. Local router acknowledges authentication if values match.

7. Local router immediately terminates connection if the values do not match.

CHAP provides protection against playback attack through a variable challenge value. Because the challenge is unique and random, the resulting hash value is also unique and random. The use of repeated challenges limits the time of exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.
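The seven steps above can be followed in code. The Python below is an added example, not course or Cisco code. It implements the MD5 variant of CHAP as defined in RFC 1994 (response value = MD5 of the packet identifier, the shared secret and the challenge value), which the course does not spell out, and it builds a PAP Authenticate-Request per RFC 1334 alongside it so the two can be compared byte for byte. The secret, the router names and the packet identifier are constructed placeholders; the PAP username and password are the ones from the diagram above.

```python
import hashlib
import hmac
import os
import struct

# Constructed example values; the shared secret and router names are placeholders
# and are not taken from the course material.
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # CHAP packet codes (RFC 1994)


def build_chap_packet(code, identifier, value, name):
    """Code | Identifier | Length | Value-Size | Value | Name (RFC 1994 layout)."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_chap_packet(pkt):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    size = pkt[4]
    return code, identifier, pkt[5:5 + size], pkt[5 + size:length]


def chap_response_value(identifier, secret, challenge_value):
    """MD5-CHAP response: MD5(Identifier || secret || challenge). The secret
    itself never appears on the wire, only this one-way hash."""
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()


def make_challenge(identifier, my_name, size=16):
    """Step 2: the local router issues a fresh, random challenge value."""
    value = os.urandom(size)
    return build_chap_packet(CHALLENGE, identifier, value, my_name), value


def answer_challenge(challenge_pkt, secret, my_name):
    """Steps 3 and 4: the remote router hashes challenge + secret and replies."""
    code, identifier, value, _ = parse_chap_packet(challenge_pkt)
    if code != CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    digest = chap_response_value(identifier, secret, value)
    return build_chap_packet(RESPONSE, identifier, digest, my_name)


def verify_response(response_pkt, identifier, challenge_value, user_db):
    """Steps 5 to 7: recompute the hash with the secret stored for that name and
    compare; a response to any other challenge or identifier is rejected."""
    code, rid, digest, name = parse_chap_packet(response_pkt)
    if code != RESPONSE or rid != identifier:
        return FAILURE
    secret = user_db.get(name.decode())
    if secret is None:
        return FAILURE
    expected = chap_response_value(identifier, secret, challenge_value)
    return SUCCESS if hmac.compare_digest(digest, expected) else FAILURE


def pap_authenticate_request(identifier, peer_id, password):
    """PAP Authenticate-Request (RFC 1334): the password is carried verbatim."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def three_way_handshake(user_db, remote_name, remote_secret, identifier=1):
    """Run one CHAP exchange; returns (result code, challenge value, response packet)."""
    challenge_pkt, value = make_challenge(identifier, b"R2")
    response_pkt = answer_challenge(challenge_pkt, remote_secret, remote_name)
    return verify_response(response_pkt, identifier, value, user_db), value, response_pkt
```

Two properties from the text are visible directly: the CHAP response packet contains a 16-byte digest and never the secret, whereas the PAP request carries the password in the clear; and a captured CHAP response is useless against the next challenge, because the authenticator recomputes the hash over its own fresh random value.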

7.2.4 - PPP Authentication The animation depicts the CHAP authentication process. Two routers, R1 and R2, are linked by a serial connection. R1 sends a message to R2 and states, "Run PPP", indicating it wants to run PPP. R2 says, "Use CHAP", and sends the message, "Here is my Challenge information. Send me your username and password." R1 calculates a special value using the secret password and the challenge value. The one way hash is 6G4 # 9P4. Router R1 sends a message back to R2 with the username R1 and the password 6G4 # 9P4.

R2 calculates 6G4 # 9P4 using the same secret password. R2 states "Accept". R1 randomly challenges the remote router to verify authentication. R2 sends a message back to R1, "Here is a different Challenge value. Send me your username and password again to make sure it's still you."

Page 3:

7.2.4 - PPP Authentication The diagram depicts an activity in which you must determine which of the following characteristics belongs to either PAP or CHAP.

Characteristic
• Password never sent across link.
• Uses two-way handshake.
• Uses three-way handshake.
• Single authentication when link formed.
• Authentication occurs at configuration intervals.
• Password sent in clear text.
• Uses shared secret.
• Immune to replay attack.
• Username/Password easily sniffed from wire.

7.2.5 Configuring PAP and CHAP Page 1: To configure authentication on a PPP link, use the global configuration commands:

username name password password

• Global configuration command.
• Creates a local database that contains the username and password of the remote device.
• The username must match the hostname of the remote router exactly and is case sensitive.

ppp authentication {chap | chap pap | pap chap | pap}

• Interface configuration command.
• Specifies the type of authentication on each interface, such as PAP or CHAP.
• If more than one type is specified, for example chap pap, the router attempts the first type listed and will only attempt the second if the remote router suggests it.

For CHAP authentication, no other configuration commands are required. However, in Cisco IOS version 11.1 or later, PAP is disabled on the interface by default. This means that the router will not send its own username and password combination just because PAP authentication is enabled. Therefore, additional commands are required for PAP:

ppp pap sent-username name password password

• Interface configuration command.
• Specifies the local username and password combination that should be sent to the remote router.
• This must match what the remote router has configured in the local username and password database.
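The constraints listed for these three commands (the username entry must equal the remote hostname exactly and case-sensitively, both sides must hold the same secret, and a PAP sent-username must match what the peer has in its database) are easy to get wrong and hard to see from one router alone. The Python below is an added example, not course or Cisco code: it parses two constructed IOS-style configuration snippets and reports the mismatches each side would hit. The hostnames, the interface name and the secret are placeholders, and the parser only understands the four commands named in this section.

```python
import re

# Constructed configuration snippets in the style of the commands above. The
# hostnames, secret and interface are placeholders, not the lab's own values.
R1_CONFIG = """\
hostname R1
username R2 password ExampleSecret
interface Serial0/0/0
 encapsulation ppp
 ppp authentication chap pap
 ppp pap sent-username R1 password ExampleSecret
"""

R2_CONFIG = """\
hostname R2
username R1 password ExampleSecret
interface Serial0/0/0
 encapsulation ppp
 ppp authentication chap pap
 ppp pap sent-username R2 password ExampleSecret
"""

# Same as R1_CONFIG except the username entry is lower-case: a classic CHAP failure.
R1_BAD_CASE = R1_CONFIG.replace("username R2 ", "username r2 ")


def parse_ppp_config(text):
    """Pull out the pieces that matter for PAP/CHAP: hostname, local user
    database, the authentication method list and the PAP sent-username."""
    cfg = {"hostname": None, "users": {}, "auth": [], "sent": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"hostname (\S+)", line):
            cfg["hostname"] = m.group(1)
        elif m := re.fullmatch(r"username (\S+) password (\S+)", line):
            cfg["users"][m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"ppp authentication (.+)", line):
            cfg["auth"] = m.group(1).split()
        elif m := re.fullmatch(r"ppp pap sent-username (\S+) password (\S+)", line):
            cfg["sent"] = (m.group(1), m.group(2))
    return cfg


def check_peer_auth(local, remote):
    """Problems that stop LOCAL from authenticating REMOTE with the methods
    local has configured. Username lookups are exact and case sensitive, as on
    the router; a case-only mismatch is called out explicitly."""
    problems = []
    users = local["users"]
    if "chap" in local["auth"]:
        peer = remote["hostname"]
        if peer in users:
            # CHAP needs the same secret on both sides: what local stores for the
            # peer must equal what the peer stores for local
            if users[peer] != remote["users"].get(local["hostname"]):
                problems.append(f"chap: secret stored for {peer} does not match "
                                f"the secret {peer} stores for {local['hostname']}")
        elif peer.lower() in {u.lower() for u in users}:
            problems.append(f"chap: username entry for {peer} differs only in case")
        else:
            problems.append(f"chap: no username entry for remote hostname {peer}")
    if "pap" in local["auth"]:
        if remote["sent"] is None:
            problems.append("pap: remote has no ppp pap sent-username")
        else:
            name, password = remote["sent"]
            if users.get(name) != password:
                problems.append(f"pap: sent-username {name} and its password "
                                "do not match the local username database")
    return problems


def check_link(cfg_a_text, cfg_b_text):
    """Two-way check: each side must be able to authenticate the other."""
    a, b = parse_ppp_config(cfg_a_text), parse_ppp_config(cfg_b_text)
    return {a["hostname"]: check_peer_auth(a, b), b["hostname"]: check_peer_auth(b, a)}
```

Because both snippets list `chap pap`, the checker validates both methods even though a successful CHAP exchange means PAP is never attempted; that is deliberate, since the fallback only matters on the day CHAP fails.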

7.2.5 - Configuring PAP and CHAP The diagram depicts two routers connected to a service provider by serial links. The commands used to configure PAP and CHAP on both routers can be viewed in greater detail in the labs attached to this module.

Page 2: With two-way authentication configured, each router authenticates the other. Use debug commands on both routers to display the exchange sequence as it occurs.

debug ppp {authentication | packet | error | negotiation | chap }

Authentication

Displays the authentication exchange sequence

Packet

Displays PPP packets sent and received

Negotiation

Displays packets transmitted during PPP startup, where PPP options are negotiated

Error

Displays protocol errors and statistics associated with PPP connection and negotiation

Chap

Displays CHAP packet exchanges

To turn off debug, use the no format of each command.

7.2.5 - Configuring PAP and CHAP The diagram depicts two routers connected by serial link. The output of the debug ppp command is listed. The different phases of the authentication process can be viewed by using this command. The different states can be defined as Challenge, Response, Successful Authentication, and Unsuccessful Authentication. The phases can be viewed more clearly when the command is entered by the student after PAP and CHAP are configured.

Page 3: Lab Activity

Configure and verify PAP and CHAP authentication on a PPP link.

Click the lab icon to begin.

7.2.5 - Configuring PAP and CHAP Link to Hands-on Lab: Configuring and Verifying PAP and CHAP Authentication

7.3 Using Frame Relay
7.3.1 Overview of Frame Relay
Page 1: A common Layer 2 WAN encapsulation is Frame Relay. Frame Relay is a nonbroadcast multiaccess network (NBMA). Frame Relay networks are multi-access networks similar to Ethernet except that they do not forward broadcast traffic. Frame Relay uses packet switching technology with variable length packets. It also makes use of STDM for optimum use of the available bandwidth.

The router, or DTE device, normally connects to the service provider via a leased line to the nearest point-of-presence of the service provider. This connection is an access link. It connects via a Frame Relay switch, or DCE device. The remote router at the destination end of the network is also a DTE device. The connection between the two DTE devices is a virtual circuit (VC). The virtual circuit is typically established using PVCs that the service provider preconfigures. Most service providers discourage or even disallow the use of SVCs in a Frame Relay network.

7.3.1 - Overview of Frame Relay The diagram depicts a network cloud with ten interconnected switches inside. Around the outside of the cloud are four building sites, Site A, Site B, Site C, and Site D, that are connected to the switches inside the cloud via routers at each site. As information is sent from Site A to Site D, a virtual circuit path that the packets travel along is established between the sites.

7.3.2 Frame Relay Functionality
Page 1: In an NBMA network, each virtual circuit requires a Layer 2 address for identification. In Frame Relay, this address is the data-link connection identifier (DLCI).

The DLCI identifies the VC that data uses to reach a particular destination. The DLCI is stored in the address field of every frame transmitted. The DLCI usually has only local significance and may be different at each end of a VC. The Layer 2 DLCI is associated with the Layer 3 address of the device at the other end of the VC. Mapping the DLCI to a remote IP address can occur manually or dynamically using a process known as Inverse ARP. Establishing a mapping of DLCI to remote IP address occurs in the following steps:

1. The local device announces its presence by sending its Layer 3 address out on the VC.

2. The remote device receives this information and maps the Layer 3 IP address to the local Layer 2 DLCI.

3. The remote device announces its IP address on the VC.

4. The local device maps the Layer 3 address of the remote device to the local DLCI on which it received the information.

7.3.2 - Frame Relay Functionality The animation depicts how inverse ARP maps a Layer 2 DLCI to a remote IP address. There are two routers, R1 and R2. There is a frame relay cloud that has two switches, S1 and S2, inside. R1 is connected to S1 via Serial link on interface S0/0/0, IP: 209.165.165.225, DLCI 16. R2 is connected to S2 via Serial link on interface S0/0/0, IP: 209.165.165.226, DLCI 20. S1 is connected to S2 by Frame Relay. S1 states, "DLCI 16 is active." R1 states, "DLCI 16 is active. I will send an Inverse ARP request to learn the IP address of the remote router." R1 sends a DLCI request to R2. The request is sent from R1 over the Frame Relay network to R2. R2 states, "I have received an Inverse ARP request on DLCI 20 from 209.165.200.225." R2 references its Frame Relay Map that shows DLCI 20 = 209.165.200.225. R2 states "Inverse ARP response from 209.165.200.226" and sends a response back to R1. R2 sends a response to R1 with its IP address information. R1 references its Frame Relay Map that shows DLCI 16 = 209.165.200.226.

Page 2: Local Management Interface (LMI) is a signaling standard between the DTE and the Frame Relay switch. LMI messages provide communication and synchronization between the network and the user device. They periodically report the existence of new PVCs and the deletion of existing PVCs. They also provide information about PVC integrity. VC status messages prevent data being sent to PVCs that no longer exist.

LMI provides VC connection status information that appears in the Frame Relay map table:

Active State • The connection is active and routers can exchange data.

Inactive State • The local connection to the FR switch is working but the remote connection to the FR switch is not.

Deleted State • The local connection receives no LMI messages from the FR switch or there is no service between the CPE router and the FR switch.

7.3.2 - Frame Relay Functionality The diagram depicts the use of LMI. LMI reports the status of PVCs between devices. There are three routers, R1, R2, and R3, and three switches, S1, S2, and S3. All switches are inside a cloud. R1 is connected to the CSU/DSU. S1 is connected to the CSU/DSU, S2, and S3. S2 is connected to S1, S3, and R2. S3 is connected to S1, S2, and R3. R2 is connected to S2. R3 is connected to S3. There is a double-sided arrow with an X through it from R1 to R2 symbolizing the connection from R1 to R2 (DLCI = 400) is down. There is a double-sided arrow from R1 to R3 symbolizing the connection from R1 to R3 (DLCI = 500) is up. A keep-alive is sent to R3, which says (LMI, 500 = Active, 400 = Inactive).
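The two mechanisms on this and the previous page fit together: LMI tells the router which of its local DLCIs are usable, and Inverse ARP then runs only over those, building the map of remote IP address to local DLCI on both ends. The Python below is an added example, not course or Cisco code. It models the LMI diagram above (R1 to R2 inactive, R1 to R3 active) with constructed addresses from 192.0.2.0/24 and constructed DLCI numbers on the far ends; the FrameRelayRouter, FrameRelayCloud and build_maps names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class FrameRelayRouter:
    """DTE at one site. Hypothetical model, not Cisco code."""
    name: str
    ip: str
    pvc_status: dict = field(default_factory=dict)   # local DLCI -> LMI state
    fr_map: dict = field(default_factory=dict)       # remote IP -> local DLCI

    def receive_lmi_status(self, status):
        """Full status report from the switch: DLCI -> active/inactive/deleted."""
        self.pvc_status = dict(status)

    def inverse_arp_requests(self):
        """Step 1: announce our Layer 3 address on every VC that LMI reports active."""
        return [(dlci, self.ip) for dlci, state in self.pvc_status.items()
                if state == "active"]

    def receive_inverse_arp(self, local_dlci, remote_ip):
        """Steps 2 and 4: map the announced address to the DLCI it arrived on.
        Returns our own IP as the reply, or None if the PVC is not active here."""
        if self.pvc_status.get(local_dlci) != "active":
            return None
        self.fr_map[remote_ip] = local_dlci
        return self.ip


class FrameRelayCloud:
    """Switch fabric: a PVC joins (router, local DLCI) to (router, local DLCI).
    DLCI numbers are locally significant, so the two ends may differ."""

    def __init__(self):
        self.pvcs = {}

    def add_pvc(self, a, dlci_a, b, dlci_b):
        self.pvcs[(a.name, dlci_a)] = (b, dlci_b)
        self.pvcs[(b.name, dlci_b)] = (a, dlci_a)

    def far_end(self, sender, dlci):
        return self.pvcs[(sender.name, dlci)]


def build_maps(cloud, routers, lmi_reports):
    """Deliver LMI status, then run Inverse ARP over every active PVC and
    return each router's resulting Frame Relay map."""
    for r in routers:
        r.receive_lmi_status(lmi_reports[r.name])
    for r in routers:
        for dlci, ip in r.inverse_arp_requests():
            peer, peer_dlci = cloud.far_end(r, dlci)
            reply_ip = peer.receive_inverse_arp(peer_dlci, ip)   # steps 2 and 3
            if reply_ip is not None:
                r.receive_inverse_arp(dlci, reply_ip)            # step 4
    return {r.name: dict(r.fr_map) for r in routers}


def lmi_scenario():
    """Mirrors the LMI diagram: the R1-R2 PVC is inactive, the R1-R3 PVC is active.
    Addresses are constructed from the documentation range 192.0.2.0/24; the
    far-end DLCIs 401 and 501 are constructed too."""
    r1 = FrameRelayRouter("R1", "192.0.2.1")
    r2 = FrameRelayRouter("R2", "192.0.2.2")
    r3 = FrameRelayRouter("R3", "192.0.2.3")
    cloud = FrameRelayCloud()
    cloud.add_pvc(r1, 400, r2, 401)
    cloud.add_pvc(r1, 500, r3, 501)
    lmi = {"R1": {400: "inactive", 500: "active"},
           "R2": {401: "deleted"},
           "R3": {501: "active"}}
    return build_maps(cloud, [r1, r2, r3], lmi)
```

The result shows both points the text makes: R1 and R3 end up with entries for each other under different local DLCIs (500 on R1, 501 on R3), and R2 gets no entry at all, because a PVC that LMI reports as inactive or deleted never carries an Inverse ARP exchange.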

Page 3: When an end user subscribes to a Frame Relay service, the user negotiates certain service parameters with the provider. One parameter is the committed information rate (CIR). The CIR is the minimum bandwidth rate guaranteed by the provider for data on a VC. The service provider calculates the CIR as the average amount of data transmitted over a period of time. The calculated time interval is the committed time (Tc). The number of committed bits within the Tc is the committed burst (Bc). Any extra bits above the committed burst, up to the maximum speed of the access link, are known as the excess burst (Be). The cost of the Frame Relay service depends on the speed of the link and the CIR.

The CIR defines the minimum rate provided; however, if there is no congestion on the links, the service provider boosts or bursts the bandwidth up to a second agreed-upon bandwidth. The excess information rate (EIR) is the average rate above the CIR that a VC can support when no network congestion exists. Frames transmitted above the speed of the CIR are uncommitted. These extra frames are marked as discard eligible (DE), but are forwarded if the network supports it. If congestion occurs, the provider first drops frames with the DE bit set. Users often pay for a lower CIR, counting on the fact that the service provider supplies higher bandwidth and bursts their traffic when there is no congestion.

7.3.2 - Frame Relay Functionality The diagram depicts the use of CIR within Frame Relay parameters. There is a cloud, Service Provider, which is connected to the Site A router via link, Local Access Loop = T1, and to the Site B router via link, Local Access Loop = 1544Kbps link. Site A sends information to Site B, stating, "My provider guarantees bandwidth of 768Kbps. 768Kbps is my CIR." A caption on the cloud states, "The network is not congested so we are going to burst your speed to 1.544 Mbps. All packets above your CIR are Discard Eligible". Frames continue to transmit to Site B until all information is sent.
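The DE bit, like the DLCI and the FECN and BECN bits described in this section, is carried in the two-byte address field at the front of every Frame Relay frame. The Python below is an added example, not course or Cisco code: it encodes and decodes that field using the bit layout from the Q.922 address format (ten-bit DLCI split six and four across the two bytes, then C/R, FECN, BECN, DE and the two extension bits), which the course does not spell out, and it applies the Bc/Be rule to a constructed burst of frames using the diagram's own numbers (CIR 768 kbps, T1 access loop). The function names and the frame sizes are hypothetical.

```python
def build_fr_address(dlci, fecn=0, becn=0, de=0, cr=0):
    """Encode the 2-byte Q.922 address field: 10-bit DLCI split 6/4 across the
    bytes, C/R, FECN, BECN, DE and the two EA (extension) bits."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    first = ((dlci >> 4) << 2) | (cr << 1) | 0                              # EA = 0: another byte follows
    second = ((dlci & 0xF) << 4) | (fecn << 3) | (becn << 2) | (de << 1) | 1  # EA = 1: last byte
    return bytes([first, second])


def parse_fr_address(hdr):
    """Decode the address field produced above (or seen in a capture)."""
    first, second = hdr[0], hdr[1]
    if first & 1 != 0 or second & 1 != 1:
        raise ValueError("not a two-byte address field")
    return {
        "dlci": ((first >> 2) << 4) | (second >> 4),
        "cr": (first >> 1) & 1,
        "fecn": (second >> 3) & 1,
        "becn": (second >> 2) & 1,
        "de": (second >> 1) & 1,
    }


def mark_interval(dlci, frame_bits, cir_bps, tc_seconds, access_bps):
    """Classify the frames a DTE offers within one committed time Tc.
    Bc = CIR * Tc bits are committed; up to Be more bits (the rest of the access
    link's capacity in Tc) are forwarded with DE set; anything beyond that cannot
    leave the access link in this interval. Returns one address field per frame,
    or None for a frame that does not fit."""
    bc = int(cir_bps * tc_seconds)
    be = int(access_bps * tc_seconds) - bc
    headers, used = [], 0
    for size in frame_bits:
        if used + size <= bc:
            headers.append(build_fr_address(dlci, de=0))      # within the committed burst
        elif used + size <= bc + be:
            headers.append(build_fr_address(dlci, de=1))      # excess burst: discard eligible
        else:
            headers.append(None)
            continue
        used += size
    return headers


def count_marks(headers):
    """Summarise an interval as (committed, discard-eligible, not sent)."""
    decoded = [parse_fr_address(h) for h in headers if h is not None]
    committed = sum(1 for d in decoded if d["de"] == 0)
    de = sum(1 for d in decoded if d["de"] == 1)
    return committed, de, headers.count(None)


def diagram_example():
    """The diagram's numbers: CIR 768 kbps on a T1 (1544 kbps) access loop with
    Tc = 1 s, and eight constructed 25,000-byte frames offered in the interval
    on a constructed DLCI of 100."""
    return mark_interval(100, [200_000] * 8, 768_000, 1.0, 1_544_000)
```

With Bc = 768,000 bits and Be = 776,000 bits, the first three frames are committed, the next four are forwarded with DE set, and the eighth exceeds what a T1 can carry in one second at all. A switch setting FECN or BECN toggles bits in the same second byte, which is why `parse_fr_address` returns them alongside DE.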

Page 4: The forward explicit congestion notification (FECN) is a single-bit field that can be set to a value of 1 by a switch. It indicates to an end DTE device that the network is congested ahead. The backward explicit congestion notification (BECN) is a single-bit field that, when set to a value of 1 by a switch, indicates that the network is congested in the opposite direction. FECN and BECN allow higher-layer protocols to react intelligently to these congestion indicators. For example, the sending device uses BECNs to slow its transmission rate.

7.3.2 - Frame Relay Functionality The diagram depicts a bottleneck. There is a Frame Relay Cloud which is connected to the Branch Office Router via 56 Kbps link, and to the Central Site router via T1 link. The Central Site says, "I have received a lot of BECN's. The network must be congested. I need to reduce the pace at which I send packets."

Page 5: 7.3.2 - Frame Relay Functionality The diagram depicts an activity in which you must match the terms to their corresponding definition.

Terms
One. BECN
Two. DLCI
Three. FECN
Four. CIR
Five. DE
Six. SVC
Seven. PVC

Definitions
A. Used to inform a receiving device that congestion was experienced.
B. The type of virtual circuit most often used by Frame Relay.
C. The type of VC most service providers will not permit.
D. The contracted data rate that the service provider agrees to transfer.
E. The Layer 2 address used by Frame Relay.
F. Used to inform a sending device that congestion has occurred.
G. Marks a frame as being less important on a network.

7.4 Chapter Summary
7.4.1 Summary
Page 1: 7.4.1 - Summary

Diagram 1, Image The diagram depicts enterprises connecting to a cloud and shows traffic from two virtual circuits share the same links.

Diagram 1 text A WAN uses many different technologies, each offering distinct advantages. WAN technologies are either last mile, which connects the ISP to the customer, or long range, which interconnects ISP's. The Layer 2 encapsulation changes as frames are moved across the WAN. Depending on the technology in use, converting the data format into an acceptable one requires a modem, or a CSU/DSU. WAN technologies divide into circuit switching, packet switching, and cell switching. Circuit switching technologies create a physical circuit between end devices before sending information. Packet and cell switching technologies use either a PVC or SVC to send information across the network.

Diagram 2, Image The diagram depicts the bottleneck when a branch office connects using a 56 kbps connection to connect via the frame relay cloud to the central site which is using a T1 connection.

Diagram 2 text HDLC is the default Layer 2 serial line encapsulation on Cisco routers. Cisco HDLC incorporates an extra field to allow it to carry multiple Layer 3 protocols. PPP allows the negotiation of many advanced features including authentication, load balancing, call back, and compression. PPP supports both PAP and CHAP authentication. PAP authentication sends the username/password in clear text and is subject to sniffing and replay attacks. CHAP issues challenges at configurable intervals and forces the connected device to re-authenticate.

Diagram 3, Image The diagram depicts two users communicating across a complex network topology.

Diagram 3 text Frame Relay is a packet-switched technology. Frame Relay uses virtual circuits to connect a specific source to a destination. Virtual circuits can be switched or permanent. Frame Relay uses parameters such as CIR to establish the bandwidth used on each VC. Use FECN's and BECN's to inform the receiving and sending devices that the network is congested so that routers can take appropriate actions.

7.5 Chapter Quiz
7.5.1 Quiz
Page 1: Take the chapter quiz to check your knowledge. Click the quiz icon to begin.

7.5.1 - Quiz Chapter 7 Quiz: Implementing Enterprise WAN Links

1. What three parameters are defined by WAN standards? (Choose three.)
A. flow control
B. vendor
C. IP addressing
D. encapsulation
E. physical addressing
F. routing protocol

2. Which two layers of the OSI model describe WAN standards? (Choose two.)
A. Session
B. Network
C. Physical
D. Transport
E. Data Link
F. Application

3. What are two characteristics of a CSU/DSU? (Choose two.)
A. used for digital transmission
B. used for wireless transmission
C. installed at central office
D. often integrated into router's interface card
E. part of an integrated services router

4. Match the WAN connection term to the correct definition.
WAN Connection Terms: packet switching, circuit switching, cell switching, SVC, PVC
Definitions:
• virtual circuit that is dynamically established between two points when a router requests a transmission
• establishes a connection between end nodes before forwarding data and ensures dedicated bandwidth through the length of transmission
• virtual circuit that provides a permanent path to forward data between two points
• packets from multiple organizations are switched over the same links

5. What two statements describe the Cisco implementation of High-Level Data Link Control protocol? (Choose two.)
A. is a data link layer protocol
B. provides retransmission and windowing
C. supports multiple protocols on a single link
D. uses the same frame format as standard HDLC
E. is the default encapsulation on Cisco LAN interfaces

6. What two services allow the router to map data link layer addresses to network layer addresses in a Frame Relay network? (Choose two.)
A. ARP
B. ICMP
C. Proxy ARP
D. Inverse ARP
E. LMI status messages

7. What is used to identify a destination for a frame in a Frame Relay network?
A. CIR
B. DLCI
C. FECN
D. BECN

7 Implementing Enterprise WAN Links
7.0 Chapter Introduction
7.0.1 Introduction
Page 1: 7.0.1 - Introduction Connecting remote sites together by an enterprise WAN allows users to access network resources and information. As information traverses the WAN, the Layer 2 encapsulation adapts to match the technology.

A popular WAN technology that uses packet-switching is Frame Relay. After completion of this chapter, you should be able to:

Describe the features and benefits of common WAN connectivity options.
Compare common WAN encapsulations and configure PPP.
Describe Frame Relay.

7.1 Connecting the Enterprise WAN
7.1.1 WAN Devices and Technology
Page 1: As companies grow, they often expand from a single location to multiple remote locations. A company's network expands from a LAN in a single location to LAN's in multiple locations. This expansion requires that the business network expand from a local area network (LAN) to a wide area network (WAN). Although some larger companies maintain their own WANs, most organizations purchase WAN services from a service provider. ISPs allow users to share resources among remote locations without incurring the expense of building and maintaining their own network. Service providers charge for the use of their network resources.

7.1.1 - WAN Devices and Technology The animation depicts the evolution of a WAN, including the cities of New York, Boston, Osaka, and Orlando. All locations are connected together, forming a WAN.

Page 2: When implementing a WAN, the WAN technology used determines the type of devices required by an organization. Control of network resources is not the only difference between a LAN and a WAN. Within a LAN, a network administrator has physical control over all cabling, devices, and services. The technologies also differ. The most common LAN technology is Ethernet. WAN technologies are serial transmissions. Serial transmissions enable reliable, long-range communications at slower speeds than a LAN. A translation device, such as a modem, or a router used as a gateway to connect to the WAN, translates the data into a format that is acceptable to the service provider network. When using an analog connection, a modem is necessary. Preparing the data for transmission on the WAN using digital lines requires a channel service unit (CSU) and a data service unit (DSU). These two devices are often combined into a single piece of equipment called the CSU/DSU. This device integrates into the interface card in the router and prepares the data for transmission across the service provider network.

When a business subscribes to WAN services through an ISP, the ISP owns and maintains most of the equipment. In certain environments, the subscriber may own and maintain some of the connection equipment. Regardless of ownership, service providers use the term customer premise equipment (CPE) to describe equipment located at the customer site. The point at which the control and responsibility of the customer ends and the control and responsibility of the service provider begins is known as the demarcation point, or demarc. For example, the demarc might exist between the router and the translating device or between the translating device and the central office (CO) of the service provider.

7.1.1 - WAN Devices and Technology The diagram depicts a network cloud containing a WAN network. On the edge of the cloud, a CO switch is connected to a corporate network via a CSU/DSU that is owned by the customer. In the diagram, a Data Terminal Equipment (DTE) interface to a WAN link is connected to the Data Communication Equipment (DCE) end of a service provider's communication facility. The DCE is connected to the ISP switches and a trunk.

Page 3: The CO is the location where the service provider stores equipment and accepts customer connections. The physical line from the CPE connects into a router or WAN switch at the CO using copper or fiber cabling. This connection is called the local loop, or last mile, because it is the first part of the medium leading from the location of the customer. From the customer perspective, it is the first mile.

The router, which is responsible for passing the data to the DCE, is data terminal equipment (DTE). The CSU/DSU is data communications equipment (DCE). The CSU/DSU or modem controls the rate at which data moves onto the local loop. It also provides the clocking signal to the router. The DTE/DCE interface uses various Physical Layer protocols, such as X.21 and V.35. These protocols establish the codes and electrical parameters that the router and the CSU/DSU use to communicate with each other.

7.1.1 - WAN Devices and Technology The diagram depicts the Layer 1 WAN protocols and a brief description of each. The following protocols may be used in a DTE and DCE connection.

EIA/TIA-232 Allows signal speeds of up to 64 Kbps on a 25 pin D connector over short distances. Formerly known as RS-232. Same as ITU-T V.24 specification.

• EIA/TIA-449: Faster (up to 2 Mbps) version of EIA/TIA-232. Uses a 36 pin D connector and is capable of longer cable runs. Also known as RS-422 and RS-423.
• V.35: An ITU-T standard for synchronous communications between a network access device and a packet network at speeds up to 48 Kbps. Uses a 34 pin rectangular connector.
• X.21: An ITU-T standard for synchronous digital communications. Uses a 15 pin D connector.
• EIA/TIA-612/613: Provides access to services of up to 52 Mbps on a 60 pin D connector.

Page 4: Technology continuously develops and improves signaling standards that enable increased speed and traffic. When choosing a WAN technology, it is important to consider the link speed. The first digital networks created for WAN implementations provided support for a 64 kbps connection across a leased line. The term digital signal level 0 (DS0) refers to this standard. As technology improved, service providers supplied subscribers with specific increments of the DS0 channel. For example, in North America, a DS1 standard, also called a T1 line, defines a single line that supports 24 DS0s, plus an 8 kbps overhead channel. This standard enables speeds of up to 1.544 Mbps. A T3 line uses a DS3 standard, which supports 28 DS1s and speeds of up to 44.736 Mbps. Other parts of the world use different standards. For example, Europe offers lines such as E1s, which support 32 DS0s for a speed of up to 2.048 Mbps, and E3s, which support 16 E1s for a speed of up to 34.064 Mbps.

7.1.1 - WAN Devices and Technology The diagram depicts a chart with the column headers Line Type, Signal Standard, and Bit Rate Capacity associated with each WAN technology.

Line Type   Signal Standard   Bit Rate Capacity
56          DS0               56 Kbps
64          DS0               64 Kbps
T1          DS1               1.544 Mbps
E1          ZM                2.048 Mbps
J1          Y1                2.048 Mbps
E3          M3                34.064 Mbps
T3          DS3               44.736 Mbps
OC-1        SONET             51.84 Mbps
OC-3        SONET             155.54 Mbps
OC-9        SONET             466.56 Mbps
OC-12       SONET             622.08 Mbps
OC-18       SONET             933.12 Mbps
OC-24       SONET             1244.16 Mbps
OC-36       SONET             1866.24 Mbps
OC-48       SONET             2488.32 Mbps

Page 5:

7.1.1 - WAN Devices and Technology The diagram depicts an activity in which you must match the WAN term to the definition.
WAN Terms
A. demarc
B. CPE
C. DTE
D. DCE
E. CO
F. local loop
G. CSU/DSU
H. modem
Definitions
One. The portion of media that connects the end user with the CO.
Two. The location where the service provider houses equipment and accepts connections from customer networks.
Three. The location where the service provider takes over control of the WAN link.
Four. Equipment located at the site of the customer.
Five. The local router is this type of equipment.
Six. The CSU/DSU is this type of equipment.
Seven. The device that formats the WAN traffic into a format acceptable to the ISP's network.
Eight. The device required to use an analog connection into the WAN.

7.1.2 WAN Standards Page 1: Designing a network based on specific standards ensures that all of the different devices and technologies found in a WAN environment work together. WAN standards describe the Physical Layer and Data Link Layer characteristics of data transportation. Data Link Layer WAN standards include parameters such as physical addressing, flow control, and encapsulation type, as well as how the information moves across the WAN link. The type of WAN technology employed determines the specific Data Link Layer standards used. Some examples of Layer 2 WAN protocols are:
• Link Access Procedure for Frame Relay (LAPF)
• High-level Data Link Control (HDLC)
• Point-to-Point Protocol (PPP)

Several organizations are responsible for managing both the Physical Layer and Data Link Layer WAN standards. These include:
• International Telecommunications Union Telecommunications Standardization Sector (ITU-T)

• International Organization for Standardization (ISO)
• Internet Engineering Task Force (IETF)
• Electronics Industry Alliance (EIA)
• Telecommunications Industry Association (TIA)

7.1.2 - WAN Standards The diagram depicts the layers of the OSI Model, with the focus on Layer 2, the Data Link Layer.
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer: Physical addressing, Flow control, Encapsulation type, LAPF for Frame Relay, HDLC, PPP
Physical Layer

Page 2: 7.1.2 - WAN Standards The diagram depicts an activity in which you must determine whether the standards belong to Layer 1 or Layer 2.
Standards
One. VTP Transport Mode
Two. PPP
Three. X.21
Four. EIA/TIA-232
Five. V.35
Six. LAPF
Seven. HDLC

7.1.3 Accessing the WAN Page 1: WAN links use either digital or analog technology. With analog connections, the data is encoded, or modulated, onto a carrier wave. A modem encodes the information onto that carrier wave before transmission and then decodes it at the receiving end. The modem gets its name from its task of modulation and demodulation of the carrier signal. The modulated signal then carries the information across the medium to the remote site. At the remote site, the signal is demodulated and the receiver extracts the information.

Modems enable remote sites to communicate through the plain old telephone system (POTS). They also enable end users to connect to service provider networks through DSL or cable connections.

7.1.3 - Accessing the WAN The diagram depicts a client communicating with a host. The client uses the EIA/TIA-232 protocol to connect to a modem. The modem connects to a POTS cloud. The POTS cloud connects to a second modem, which connects to the host, also using the EIA/TIA-232 protocol. The signals sent between the computer (client/host) and the modem are digital signals. The signals sent between the modem and the telephone network (POTS) are analog signals.

Page 2: Companies often purchase connectivity using dedicated links between their location and the ISP. These lines carry large amounts of data. For example, a T1 link carries 1.544 Mbps of traffic and an E1 link carries 2.048 Mbps of traffic. Often this bandwidth is larger than the amount that the organization actually requires. Therefore, the customer orders part of a T1/E1, or a fractional T1 or fractional E1. These services are often obtained using leased lines, for which the companies pay monthly.

High-bandwidth connections are split up into several DS0s. A DS0 is not a separate physical entity but rather a time slice of the physical bandwidth on one wire. Each time slice represents a period of time during which a conversation has complete use of the physical media. Each of these time slices is then assigned to an individual conversation. A T1 can be split into 24 DS0s of 64 Kbps each. The ISP assigns each DS0 to a different conversation or end user. Organizations purchase one or more DS0 channels. Each fractional connection enables full use of the media by the organization for part of the total time.

7.1.3 - Accessing the WAN The diagram depicts Site A connected to the Service Provider via a T1 1.544 Mbps link. Site B is connected to the service provider via a Fractional T1 128 Kbps link. Site C is connected to the service provider via a Fractional T1 64 Kbps link.

Page 3: There are two techniques by which information from multiple channels can be allocated bandwidth on a single cable based on time: Time Division Multiplexing (TDM) and Statistical Time Division Multiplexing (STDM). Time Division Multiplexing (TDM) allocates bandwidth based on pre-assigned time slots. Bandwidth is allocated to each channel or time slot regardless of whether the station using the channel has data to transmit. In this case, with standard TDM, if a sender has nothing to say, its time slice goes unused, wasting valuable bandwidth.
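To make the slot allocation concrete, here is an added Python simulation (not part of the course) of a TDM multiplexor and of the STDM variant that the following paragraph describes. The host inputs are constructed to match the activity on this page: four hosts with three time slices each, where None marks a slice in which the host had nothing to send. The STDM output carries a host identifier with each slot, because once idle slices are skipped the slot position no longer tells the receiver who sent the data.

```python
"""Added example: TDM versus STDM slot allocation (not course material)."""
from typing import Dict, List, Optional, Tuple

# Constructed input: four hosts, three time slices each; None = nothing to send.
HOST_INPUT: Dict[str, List[Optional[str]]] = {
    "A": [None, "A", None],
    "B": ["B", "B", None],
    "C": ["C", "C", "C"],
    "D": [None, None, "D"],
}


def tdm_mux(inputs: Dict[str, List[Optional[str]]]) -> List[Optional[str]]:
    """Plain TDM: every host owns a fixed slot in every round, whether or not
    it has data, so idle slices travel across the link as empty slots."""
    rounds = max(len(slices) for slices in inputs.values())
    frame: List[Optional[str]] = []
    for r in range(rounds):
        for host, slices in inputs.items():
            frame.append(slices[r] if r < len(slices) else None)
    return frame


def stdm_mux(inputs: Dict[str, List[Optional[str]]]) -> List[Tuple[str, str]]:
    """Statistical TDM: a slot is handed out only to a host that has data in
    this round. Because slot position no longer identifies the sender, each
    slot carries the host identifier as a small header."""
    rounds = max(len(slices) for slices in inputs.values())
    frame: List[Tuple[str, str]] = []
    for r in range(rounds):
        for host, slices in inputs.items():
            if r < len(slices) and slices[r] is not None:
                frame.append((host, sl if (sl := slices[r]) else ""))
    return frame


def utilisation(slots: List) -> float:
    """Fraction of transmitted slots that actually carried data."""
    used = sum(1 for s in slots if s is not None)
    return used / len(slots) if slots else 0.0


if __name__ == "__main__":
    tdm = tdm_mux(HOST_INPUT)
    stdm = stdm_mux(HOST_INPUT)
    print("TDM :", len(tdm), "slots,", f"{utilisation(tdm):.0%} used:", tdm)
    print("STDM:", len(stdm), "slots,", f"{utilisation(stdm):.0%} used:", stdm)
```

With this input TDM transmits 12 slots of which 5 are empty, while STDM transmits only the 7 slots that carry data; the price is the per-slot identifier, which is the overhead the course's STDM description glosses over.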

Statistical Time Division Multiplexing (STDM) is similar to TDM except that it keeps track of conversations that require extra bandwidth. It then dynamically reassigns unused time slices on an as-needed basis. In this way, STDM minimizes wasted bandwidth.

7.1.3 - Accessing the WAN The animation depicts the difference in bandwidth utilization when using a multiplexor that is implementing TDM and a multiplexor that is implementing STDM.
TDM: The animation shows four hosts sending input into a multiplexor. Each host inputs three time slices. There are three unused time slices between the four hosts. Using TDM, 12 time slices are used to deliver nine time slices.
STDM: The animation shows four hosts sending input into a multiplexor. Each host inputs three time slices. There are three unused time slices between the four hosts. Using STDM, nine time slices are used to deliver nine time slices.

Page 4: 7.1.3 - Accessing the WAN The diagram depicts an activity in which you must organize the data blocks into the correct order to show how TDM and STDM use bandwidth.
Input
Host A: unused, A, unused
Host B: B, B, unused
Host C: C, C, C
Host D: unused, unused, D
Output
TDM: Insert the output in order to fill all 12 time slices.
STDM: Insert the output in order to fill all 7 time slices.

7.1.4 Packet and Circuit Switching Page 1: An enterprise connects to WAN services in various ways.

Dedicated Leased Line

One type of connection is a point-to-point serial link between two routers using a dedicated leased line. This enables a one-to-one connection for the basic function of data delivery across a link. Each link requires a separate physical interface and a separate CSU/DSU. As an organization grows to multiple locations, supporting a dedicated leased line between each location becomes very expensive.

Circuit Switching
Circuit switching establishes a circuit between end nodes before forwarding any data. A standard telephone call uses this type of connection. While the circuit is in place, it provides dedicated bandwidth between the two points. No other organizations use the circuit until it releases. Completion of the conversation releases the circuit. This method provides a level of security not available in packet switching or cell switching technology. The cost for circuit switching varies based on usage time and can become quite expensive if the circuit is used often.

7.1.4 - Packet and Circuit Switching The animation depicts the process involved in a circuit-switched call. Two modems are connected to a PSTN cloud containing a network of switches. The first modem says "I am initiating a call." The other modem says "I am accepting a call." A circuit is established between switches in the PSTN cloud connecting the modems. For the duration of the call the line is dedicated to the sender and receiver. At the end of the call, the second modem says "I am terminating the call." Once the call has ended, the dedicated connection disappears.

Page 2: Packet Switching
Packet switching uses bandwidth more efficiently than other types of switching. The data is segmented into packets, with an identifier on each packet. The data is then released into the service provider network. The service provider accepts the data and switches the packet from one node to another until the packet reaches its final destination. The circuit, or pathway, between the source and destination is often a preconfigured link, but it is not an exclusive link. The service provider assigns links to different connections as the need arises, and switches packets from multiple organizations over the same links. Costs are incurred for the link only when the connection is active. Frame Relay is an example of packet switching technology.

Cell Switching
Cell switching is a variation of packet switching. Asynchronous Transfer Mode (ATM) uses fixed length, 53-byte cells that have 48 bytes of data and a 5-byte header. The small, uniform size of the cells allows them to be switched quickly and efficiently between nodes. ATM is capable of transferring voice, video, and data through private and public networks at speeds in excess of 155 Mbps. An advantage of ATM is that it prevents small messages from being held up behind larger messages. However, for networks handling mainly segmented data, ATM introduces a large amount of overhead and actually slows network performance.

7.1.4 - Packet and Circuit Switching The animation depicts the flow of traffic in a packet-switched network. Site A, Site B, Site C, and Site D are in separate locations connected to a cloud of switches. Site A and Site B are both sending packets into the cloud. Traffic from two virtual circuits shares the same links. The packets traverse the cloud and reach their destinations at Site C and Site D.

Page 3: Virtual Circuits
When using packet switching technology, the service provider establishes virtual circuits (VCs). Virtual circuits share the link between devices with traffic from other sources. As a result, the medium is not private for the duration of a connection. There are two types of virtual circuits: switched and permanent.

Switched Virtual Circuit
A switched virtual circuit (SVC) is dynamically established between two points when a router requests a transmission. The circuit is set up on demand and torn down when transmission is complete, such as after a file has been downloaded. When establishing an SVC, call set-up information must be sent before transmitting any data. Call clearing information tears down the connection after it is no longer required. This process introduces delays in the network as SVCs are built up and torn down for each conversation.

Permanent Virtual Circuit
A permanent virtual circuit (PVC) provides a permanent path to forward data between two points. The service provider must preconfigure the PVCs, and they are very seldom broken or disconnected. A PVC is configured by the network administrator and loaded at switch startup. This eliminates the need for call setup and clearing. PVCs also provide the ISP with much greater control over the data-flow patterns and management of their network. They speed the flow of information across the WAN. PVCs are more popular than SVCs and usually service sites with high-volume, constant flows of traffic. Frame Relay typically uses PVCs.

7.1.4 - Packet and Circuit Switching The diagram depicts networks connected via a Switched Virtual Circuit (SVC) and via a Permanent Virtual Circuit (PVC). An enterprise network connects via a CSU/DSU to another enterprise network that also uses a CSU/DSU. Between the two networks is a network cloud. The connection through the network is an SVC. An SVC is built up and torn down as required. A second enterprise network connects via a CSU/DSU to another enterprise network that also uses a CSU/DSU. Between the two networks is a network cloud. The connection through the network is a PVC.

Page 4: 7.1.4 - Packet and Circuit Switching The diagram depicts an activity in which you must identify the best WAN convention to support the scenario. The options are leased line, circuit-switched, packet-switched, or cell-switched WAN conventions.
One. A company WAN supports voice, video, and data connections.
Two. Remote offices connect once a day to upload sales orders.
Three. An organization connects to multiple remote sites, but only has one serial interface on their router.
Four. A small real estate company provides support to their sales staff to pick up email from their home offices.
Five. A company connects to their branch offices and securely transfers classified technical drawings.

7.1.5 Last Mile and Long Range WAN Technologies Page 1: ISPs use several different WAN technologies to connect their subscribers. The connection type used on the local loop, or last mile, may not be the same as the WAN connection type employed within the ISP network or between various ISPs. Some common last mile technologies are:
• Analog dialup
• Integrated Services Digital Network (ISDN)
• Leased line

• Cable
• Digital Subscriber Line (DSL)
• Frame Relay
• Wireless

Each of these technologies provides advantages and disadvantages for the customer. Not all technologies are available in all locations.

7.1.5 - Last Mile and Long Range WAN Technologies The diagram depicts several enterprise networks using a variety of devices and connections that are linked to the ISP, as follows: Dialup using the telephone line to connect to the ISP. DSL using the telephone line to connect to the ISP. Cable modem using coaxial cable to connect to the ISP. Wireless bridge using a wireless signal to connect to the ISP. Satellite modem connecting to a satellite that connects to the ISP. T1 leased line to connect to the ISP.

Page 2: When a service provider receives data, it must forward this data to other remote sites for final delivery to the recipient. These remote sites connect either to the ISP network or pass from ISP to ISP to the recipient. Long-range communications are usually those connections between ISPs or between branch offices in very large companies. Many different WAN technologies exist that allow the service provider to reliably forward data over great distances. Some of these include ATM, Frame Relay, satellite, and leased lines. Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy (SDH) are standards that allow the movement of large amounts of data over great distances through fiber-optic cables. SDH and SONET are used for moving both voice and data. Both SONET and SDH encapsulate earlier digital transmission standards and support either ATM or Packet over SONET/SDH (POS) networking. Enterprises are becoming larger and more dispersed. As a result, applications require more and more bandwidth. This growth requires technologies that support high-speed and high-bandwidth transfer of data over even greater distances. One of the newer developments for extremely long-range communications is dense wavelength division multiplexing (DWDM). DWDM assigns incoming optical signals to specific frequencies or wavelengths of light.

DWDM can multiplex more than 80 different wavelengths or channels of data onto a single piece of fiber. Each channel is capable of carrying a multiplexed signal at 2.5 Gbps. It is also capable of amplifying these wavelengths to boost the signal strength. DWDM can carry IP, SONET, and ATM data concurrently. De-multiplexed data at the receiving end allows a single piece of fiber to carry many different formats at the same time and at different data rates.

7.1.5 - Last Mile and Long Range WAN Technologies The diagram depicts a map of the world with enterprise networks super-imposed over Asia, North America, and South Africa. They all connect to a DWDM network cloud.

Page 3: 7.1.5 - Last Mile and Long Range WAN Technologies The diagram depicts an activity in which you must match the technology to the description.
Technologies
One. DSL
Two. Cable
Three. Satellite
Four. DWDM
Five. ATM
Six. Dial Up
Seven. Leased Line
Eight. SONET
Descriptions
A. Long-range technology to move voice, video, and data over fiber cable.
B. Always-on, last mile connectivity using the same cable for TV and data.
C. Dedicated connectivity for a new company selling an on-line shopping service.
D. Connectivity to an office in an old hotel that has no high speed service.
E. 80 channels on an existing strand of fiber for an extremely long range network.
F. High speed internet service over existing copper phone cables.
G. Transfer of fixed length cells at 155 Mbps.
H. Internet access for remote locations.

7.2 Comparing Common WAN Encapsulations
7.2.1 Ethernet and WAN Encapsulations Page 1: Encapsulation occurs before data travels across a WAN. Before converting data into bits for transmission across the media, Layer 2 encapsulation adds addressing and control information. The encapsulation conforms to a specific format based on the technology used on the network. For example,

if using Frame Relay on the link, the type of encapsulation required is Frame Relay-specific. Layer 2 adds header information that is specific to the type of physical network transmission. Within a LAN environment, Ethernet is the most common technology. The Data Link Layer encapsulates the packet into Ethernet frames. The frame headers contain information such as the source and destination MAC addresses, and specific Ethernet controls, like the frame size and timing information. Packets exit the LAN by way of the default gateway router. If this packet must move across the WAN on its way to the final destination, the Layer 2 encapsulation changes to match the technology in use. The router strips off the Ethernet frame and then re-encapsulates that data into the correct frame type for the WAN. Similarly, conversion of frames received on the WAN interface into the Ethernet frame format occurs before placement on the local network. The router acts as a media converter by adapting the Data Link Layer frame format to a format that is appropriate to the interface.

7.2.1 - Ethernet and WAN Encapsulation The animation depicts how the frame format changes as it travels across the network. The diagram depicts a man, labeled Source, sitting at one end of a network using an Ethernet connection. A woman, labeled Destination, is sitting at the other end of the network using an Ethernet connection. Network devices and connection types that make up the network are between the source and destination. Connected to the network are a server farm, a DMZ, and the ISP. As the message traverses the network, the frame format changes to accommodate the different protocols implemented within the networks the message travels through. Protocols that may be in use during the transmission of the message from the source to the destination include HDLC, PPP, and ATM. The frame format begins from the source as Ethernet, then changes to the HDLC, PPP, and ATM formats, and back to Ethernet at the destination.

Page 2: The type of Data Link Layer encapsulation is separate from the type of Network Layer encapsulation. As data moves across a network, the Data Link Layer encapsulation may change continuously, whereas the Network Layer encapsulation will not. The encapsulation type must match on both ends of a point-to-point connection. For example, the encapsulation of frames destined for transmission across a WAN link matches the technology in use on the link. A Data Link Layer encapsulation includes the following fields:

Flag
• Marks the beginning and end of each frame
Address
• Depends on the encapsulation type
• Not required if the WAN link is point-to-point
Control
• Used to indicate the type of frame
Protocol
• Used to specify the type of encapsulated Network Layer protocol
• Not present in all WAN encapsulations
Data
• Used as Layer 3 data and IP datagram
Frame Check Sequence (FCS)
• Provides a mechanism to verify that the frame was not damaged in transit

7.2.1 - Ethernet and WAN Encapsulation The diagram depicts an activity in which you must match the Layer 2 encapsulation term with its definition.
Terms
A. Address
B. Control
C. Protocol
D. Flag
E. Data
F. FCS
Definitions
One. Marks the beginning and end of each frame.
Two. Depends on the encapsulation type.
Three. Not required if the WAN link is point to point.
Four. Used to indicate the type of frame.
Five. Used to specify the type of encapsulated Network Layer protocol.
Six. Not present in all WAN encapsulations.
Seven. Used as Layer 3 data and IP datagram.
Eight. Provides a mechanism to verify that the frame was not damaged in transit.

Page 3: 7.2.1 - Ethernet and WAN Encapsulation The animation depicts the Layer 2 encapsulation process. A computer, H1, is connected to a switch, S1, which is connected to a router, R1. There is a serial link connecting R1 and a router, R2. R2 is connected to a switch, S2, which is connected to a computer, H2. H1 sends a message out. The header is marked as an Ethernet header. This will enable the message to travel through the network. Once the message reaches R1, the protocol changes, requiring the header to change to a PPP header using the IP protocol. As the message reaches the LAN side of R2, the header is changed back to an Ethernet header, so the message can traverse the Ethernet network and finally reach H2.

7.2.2 HDLC and PPP Page 1: Two of the most common serial line Layer 2 encapsulations are HDLC and PPP. High-level Data Link Control (HDLC) is a standard bit-oriented Data Link Layer encapsulation, which provides error-free communication between two points. HDLC defines a Layer 2 framing structure that allows for flow control and error control using acknowledgments and a windowing scheme. HDLC uses synchronous serial transmission. Each frame has the same format, whether it is a data frame or a control frame. The standard HDLC frame does not contain a field that identifies the type of protocol carried by the frame. For that reason, standards-based HDLC cannot handle multiple protocols across a single link.
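The six fields listed in 7.2.1 (flag, address, control, protocol, data, FCS) and the point just made about standard HDLC carrying no protocol field can be seen in working code. The Python builder and parser below is an added example, not course material: it uses PPP-in-HDLC style framing with the 0x7E flag, the all-stations address 0xFF, the UI control byte 0x03, the PPP protocol number 0x0021 for IP, a 16-bit FCS computed with the RFC 1662 algorithm, and the byte stuffing used on asynchronous links. Building a frame with `protocol=None` produces a standard-HDLC style frame with no protocol field, which is exactly why such a frame cannot say which Network Layer protocol it carries.

```python
"""Added example: build and parse a Layer 2 frame with flag, address,
control, optional protocol, data and FCS fields (not course material)."""
from typing import Dict, Optional

FLAG = 0x7E                  # marks the beginning and end of each frame
ESC = 0x7D                   # escape byte used for byte stuffing on async links
ADDRESS_ALL_STATIONS = 0xFF  # PPP address field value (link is point-to-point)
CONTROL_UI = 0x03            # unnumbered information: the frame type
PPP_PROTOCOL_IP = 0x0021     # PPP protocol number for IPv4


def fcs16(data: bytes) -> int:
    """16-bit frame check sequence, RFC 1662 bitwise algorithm (CRC-16/X.25)."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF


def _stuff(body: bytes) -> bytes:
    """Escape flag and escape bytes so a 0x7E inside the body cannot be taken
    for a frame boundary (only these two values are escaped here; real async
    PPP also escapes the control characters agreed in the ACCM)."""
    out = bytearray()
    for b in body:
        if b in (FLAG, ESC):
            out += bytes((ESC, b ^ 0x20))
        else:
            out.append(b)
    return bytes(out)


def _unstuff(body: bytes) -> bytes:
    out = bytearray()
    it = iter(body)
    for b in it:
        if b == ESC:
            nxt = next(it, None)
            if nxt is None:
                raise ValueError("truncated escape sequence")
            out.append(nxt ^ 0x20)
        else:
            out.append(b)
    return bytes(out)


def build_frame(data: bytes, protocol: Optional[int] = PPP_PROTOCOL_IP) -> bytes:
    """protocol=None builds a standard-HDLC style frame with no protocol field."""
    body = bytes((ADDRESS_ALL_STATIONS, CONTROL_UI))
    if protocol is not None:
        body += protocol.to_bytes(2, "big")
    body += data
    fcs = fcs16(body)
    body += bytes((fcs & 0xFF, fcs >> 8))   # FCS is transmitted low byte first
    return bytes((FLAG,)) + _stuff(body) + bytes((FLAG,))


def parse_frame(frame: bytes, has_protocol: bool = True) -> Dict:
    """Check the flags and FCS, then split the frame into its fields."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing opening or closing flag")
    body = _unstuff(frame[1:-1])
    if len(body) < 2 + (2 if has_protocol else 0) + 2:
        raise ValueError("frame too short")
    received = body[-2] | (body[-1] << 8)
    if fcs16(body[:-2]) != received:
        raise ValueError("FCS mismatch: frame damaged in transit")
    fields: Dict = {"address": body[0], "control": body[1]}
    offset = 2
    if has_protocol:                      # absent in standard HDLC
        fields["protocol"] = int.from_bytes(body[2:4], "big")
        offset = 4
    fields["data"] = body[offset:-2]
    fields["fcs"] = received
    return fields


if __name__ == "__main__":
    frame = build_frame(b"\x45\x00\x7e\x7d")   # payload containing bytes that need escaping
    print(frame.hex(), parse_frame(frame))
```

The FCS check is what the course means by "verify that the frame was not damaged in transit": it catches corruption, not tampering, since anyone who can alter the bytes can recompute the FCS.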

Cisco HDLC incorporates an extra field, known as the Type field, which allows multiple Network Layer protocols to share the same link. Cisco HDLC is the default Data Link Layer encapsulation type on Cisco serial links. Use Cisco HDLC encapsulation only when interconnecting Cisco equipment.

7.2.2 - HDLC and PPP The diagram depicts the Open Standard HDLC Frame and the Cisco HDLC Frame. Note that the Cisco HDLC frame has a unique Type field not present in the Open Standard HDLC frame. The composition of these frames is listed below.
Open Standard HDLC Frame
Flag: 8 bits
Address: 8 bits
Control: 8 or 16 bits
Information: Variable length, 0 or more bits, in multiples of 8
FCS: 16 or 32 bits
Flag: 8 bits
Cisco HDLC Frame
Flag: 8 bits
Address: 8 bits
Control: 8 bits
Type (Protocol Code): 16 bits
Information: Variable length, 0 or more bits, in multiples of 8
FCS: 16 bits
Flag: 8 bits

Page 2: Like HDLC, Point-to-Point Protocol (PPP) is a Data Link Layer encapsulation for serial links. It uses a layered architecture to encapsulate and carry multi-protocol datagrams over a point-to-point link. Because PPP is standards-based, it enables communication between equipment of different vendors. The following interfaces can support PPP:
• Asynchronous serial
• Synchronous serial
• High-Speed Serial Interface (HSSI)
• Integrated Services Digital Network (ISDN)
PPP has two sub-protocols:

• Link Control Protocol - responsible for establishing, maintaining, and terminating the point-to-point link.
• Network Control Protocol - provides interaction with different Network Layer protocols.

7.2.2 - HDLC and PPP The diagram depicts the three lower layers of the OSI model, with the focus on PPP in Layer 2, the Data Link Layer. The lowest level is the Physical Layer, which deals with synchronous or asynchronous media. PPP is at the Data Link Layer, where there are two sub-protocols: Link Control Protocol and Network Control Protocol. Link Control Protocol is responsible for authentication and other options. The Network Control Protocol is involved in the interaction between the Data Link Layer and various Network Layer protocols: IP, IPX, IPCP, IPXCP, and many others.

Page 3: Link Control Protocol
PPP uses the Link Control Protocol (LCP) to establish, maintain, test, and terminate the point-to-point link. LCP negotiates and configures control options on the WAN link. Some of the options that LCP negotiates include:
• Authentication
• Compression
• Error detection
• Multilink PPP
• Callback
LCP also:
• Handles varied packet sizes
• Detects common misconfiguration errors
• Determines when a link is functioning properly and when it is failing

Network Control Protocol

PPP uses the Network Control Protocol (NCP) component to encapsulate multiple Network Layer protocols, so that they operate on the same communications link. Every Network Layer protocol carried on the PPP link requires a separate NCP. For example, IP uses the IP Control Protocol (IPCP), and IPX uses the IPX Control Protocol (IPXCP). NCPs include fields containing codes that indicate the Network Layer protocol.

7.2.2 - HDLC and PPP The diagram depicts the various options of the LCP negotiation process. Each process and a description of some devices used during the process are listed below.
Authentication: The diagram depicts a switch that is linked to a CSU/DSU, or modem, that is linked by a serial connection to the network cloud. The network cloud is linked by a serial connection to a second CSU/DSU, or modem, and then to a computer. The flow of information in the diagram is in both directions through the network. Peer routers exchange authentication messages. Two authentication options are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). For authentication, the calling side of the link is required to enter specific information to ensure that the caller has permission to make the call.
Compression: The diagram depicts two switches at opposite ends of a network. Between the switches are two compression devices that compress information on the fly between the networks. Compression options increase the effective throughput on PPP connections by reducing the amount of data in the frame that travels across the link. The protocol decompresses the frame at its destination. Two compression protocols available in Cisco routers are Stacker and Predictor.
Multilink: The diagram depicts three computers directly connected to a switch and then to a multilink device that provides load balancing over the PPP router interfaces.
Callback: The diagram depicts a switch that is linked to a CSU/DSU, or modem, that is linked by a serial connection to the network cloud. The network cloud is linked by a serial connection to a second CSU/DSU, or modem, and then to a computer. The flow of information is from the CSU/DSU, or modem, to the computer. With this LCP option, a Cisco router can act as a callback client or as a callback server. The client makes the initial call, requests that it be called back, and terminates its initial call. The callback router answers the initial call and makes the return call to the client based on information configured in its memory.

Page 4: PPP sessions progress through three phases: link establishment, authentication (optional), and Network Layer protocol.

Link-Establishment Phase
PPP sends LCP frames to configure and test the data link. LCP frames contain a configuration option field that negotiates options such as maximum transmission unit (MTU), compression, and link authentication. If a configuration option is missing, it assumes the default value. Optional parameters, such as these, must be complete before the receipt of a configuration acknowledgment frame. Receipt of the configuration acknowledgment frame completes the Link-Establishment Phase. Link authentication and link-quality determination tests are optional parameters within the Link-Establishment Phase. A link-quality determination test determines whether the link quality is good enough to bring up Network Layer protocols.

Authentication Phase (optional)
The authentication phase provides password protection to identify connecting routers. Authentication occurs after the two routers agree to the set parameters but before the NCP Negotiation Phase can begin.

NCP Negotiation Phase
PPP sends NCP packets to choose and configure one or more Network Layer protocols, such as IP or IPX. When established, the PPP link remains active until the LCP or NCP frames close the link or until an activity timer expires. A user can also terminate the link. If LCP closes the link, it informs the Network Layer protocols so that they can take appropriate action. The show interfaces command reveals the LCP and NCP states.

7.2.2 - HDLC and PPP The animation depicts the negotiation phases of a PPP link: the Link Establishment Phase, the Authentication Phase, and the Network Layer Protocol Phase. The diagram depicts Router R1 connected by a serial link to Router R2.
Link Establishment Phase: R1 says, "I want to form a PPP connection with you. Can we agree to communicate using PPP with PAP authentication and compression?" R2 receives the message and replies, "I can form the PPP connection and can use PAP authentication, but I cannot support compression." R2 sends a message back to R1 with this information included in the message. R1 responds, "Can we agree to communicate using PPP with PAP authentication and no compression?"
Authentication Phase: R2 replies, "We can communicate using PPP with PAP authentication and no compression." R1 receives this message and replies, "My name is R1 and my password is cisco." R2 looks in its table of users, references the username, and compares the password to the one given by R1. R2 replies, "The password matches, so I am now ready to form the connection."
Network Layer Protocol Phase: R1 replies, "I only have IP traffic, so we only need to bring up IPCP. I am starting it now." R2 replies, "I have also started IPCP. We can now move IP traffic."

Page 5: 7.2.2 - HDLC and PPP Identify the correct layer and phase with the correct PPP components.
Layer and Phase
A. Data Link Layer
B. Physical Layer
C. Phase 3
D. Phase 2
E. Phase 1
PPP Component
One. Link Establishment
Two. Link Control Protocol
Three. Synchronous or Asynchronous Physical Media
Four. NCP Negotiation
Five. Authentication, other options
Six. Network Control Protocol

7.2.3 Configuring PPP Page 1: On Cisco routers, HDLC is the default encapsulation on serial links. To change the encapsulation and use the features and functions of PPP, use the following command:
encapsulation ppp
• Enables PPP encapsulation on a serial interface.
Once PPP is enabled, optional features such as compression and load balancing can be configured.

compress [predictor | stac]
• Enables compression on an interface using either predictor or stacker.

ppp multilink
• Configures load balancing across multiple links.

Compressing data sent across the network can improve network performance. Predictor and stacker are software compression techniques that vary in the way compression is handled. Predictor is more memory-intensive and less CPU-intensive. Stacker compression is more CPU-intensive and less memory-intensive. For this reason, generally use stacker if the bottleneck is due to line bandwidth issues and predictor if the bottleneck is due to excessive load on the router. Only use compression if network performance issues exist, because enabling it will increase router processing times and overhead. Also, do not use compression if the majority of traffic crossing the network is already-compressed files. Compressing an already-compressed file often increases its size.

Enabling PPP multilink allows multiple WAN links to be aggregated into one logical channel for the transport of traffic. It enables the load-balancing of traffic from different links and allows some level of redundancy in case of a line failure on a single link.

7.2.3 - Configuring PPP The diagram depicts basic PPP configuration. Two routers, R1 and R2, are connected to each other via a serial link. The commands entered at the console terminal window are as follows:

R1 (config)# encapsulation ppp
R2 (config)# encapsulation ppp

Page 2:

The following commands are used to verify and troubleshoot HDLC and PPP encapsulation:

show interfaces serial
• Displays the encapsulation and the states of the Link Control Protocol (LCP).

show controllers
• Indicates the state of the interface channels and whether a cable is attached to the interface.

debug serial interface
• Verifies the incrementation of keepalive packets. If packets are not incrementing, a possible timing problem exists on the interface card or in the network.

debug ppp
• Provides information about the various stages of the PPP process, including negotiation and authentication.

The outputs for these commands can be viewed in greater detail in the labs at the end of the module.

7.2.3 - Configuring PPP The diagram depicts router output from various commands: show interfaces serial, show controllers, debug serial interface, and debug ppp. Two routers are connected to each other via a serial link, and both routers have LANs connected to them. Router R1 has network 192.168.1.0 connected to FA0/0. The network address is 192.168.2.0. R2 has network 192.168.3.0 connected to FA0/0. The diagram has buttons that can be pushed to highlight commands.

Page 3: Lab Activity - Configure and verify a PPP connection between two routers.

Click the lab icon to begin.

7.2.3 - Configuring PPP Link to Hands-on Lab: Configuring and Verifying a PPP Link. Configure and verify a PPP connection between two routers.

7.2.4 PPP Authentication Page 1: Authentication on a PPP link is optional. If configured, authentication occurs after establishment of the link but before the Network Layer protocol configuration phase begins. Two possible types of authentication on a PPP link are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

PAP provides a simple method for a remote device to establish its identity. PAP uses a two-way handshake to send its username and password. The called device looks up the username of the calling device and confirms that the sent password matches what it has stored in its database. If the two passwords match, authentication is successful. Once authenticated, no further verification of the remote device occurs.

PAP sends the username/password pair across the link repeatedly in clear text until acknowledgement of the authentication or termination of the connection. This authentication method does not protect the username and password from being stolen using a packet sniffer. Additionally, the remote node is in control of the frequency and timing of the login attempts. Without ongoing verification, the link is vulnerable to hijacking of the authenticated connection and the possibility of a hacker gaining illegal authorized access to the router using a replay attack.

7.2.4 - PPP Authentication The diagram depicts two routers, R1 and R2, in the process of a PAP two-way handshake. The R1 username is Santa Cruz and the password is boardwalk. R1 sends the information to R2 to authenticate. R2 looks at its table for the username and password and accepts or rejects based on this authentication procedure.

Page 2:

Another form of PPP authentication is Challenge Handshake Authentication Protocol (CHAP). CHAP is a more secure authentication process than PAP. CHAP does not send the password across the link. CHAP uses a three-way handshake. Authentication occurs both during initial link establishment and repeatedly during the time the link is active. The called device is in control of the frequency and timing of the authentication.

CHAP provides protection against playback attack through a variable challenge value. Because the challenge is unique and random, the resulting hash value is also unique and random, making a hijack attack extremely unlikely. The use of repeated challenges limits the time of exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.

Challenge Handshake Authentication Protocol
1. PPP establishes the link phase.
2. Local router sends a challenge message to the remote router.
3. Remote router uses the challenge and a shared secret password to generate a one-way hash.
4. Remote router sends back one-way hash to the local router.
5. Local router checks the response against its own calculation, using the challenge and the same shared secret.
6. Local router acknowledges authentication if values match.
7. Local router immediately terminates connection if the values do not match.

7.2.4 - PPP Authentication The animation depicts the CHAP authentication process. Two routers, R1 and R2, are linked by a serial connection. R1 sends a message to R2 and states, "Run PPP", indicating it wants to run PPP. R2 sends a message back to R1, "Use CHAP". R2 says, "Here is my Challenge information. Send me your username and password." R1 calculates a special value using the secret password and the challenge value, and sends the message. Router R1 sends a message back to R2 with the username R1 and the password 6G4#9P4. The one-way hash is 6G4#9P4. R2 calculates 6G4#9P4 using the same secret password. R2 states "Accept". R1 randomly challenges the remote router to verify authentication. "Here is a different Challenge value. Send me your username and password again to make sure it's still you."

Page 3: 7.2.4 - PPP Authentication The diagram depicts an activity in which you must determine which of the following characteristics belongs to either PAP or CHAP. Characteristics: Password never sent across link. Uses three-way handshake. Uses shared secret. Single authentication when link formed. Password sent in clear text. Authentication occurs at configurable intervals. Username/Password easily sniffed from wire. Uses two-way handshake. Immune to replay attack.

7.2.5 Configuring PAP and CHAP Page 1: To configure authentication on a PPP link, use the global configuration commands:

username name password password

• Global configuration command.
• Creates a local database that contains the username and password of the remote device.
• The username must match the hostname of the remote router exactly and is case sensitive.

ppp authentication {chap | chap pap | pap chap | pap}
• Interface configuration command.
• Specifies the type of authentication on each interface, such as PAP or CHAP.
• If more than one type is specified, for example chap pap, the router attempts the first type listed and will only attempt the second if the remote router suggests it.

For CHAP authentication, no other configuration commands are required. However, in Cisco IOS version 11.1 or later, PAP is disabled on the interface by default. This means that the router will not send its own username and password combination just because PAP authentication is enabled. Therefore, additional commands are required for PAP:

ppp pap sent-username name password password
• Interface configuration command.
• Specifies the local username and password combination that should be sent to the remote router.
• This must match what the remote router has configured in the local username and password database.

The commands used to configure PAP and CHAP on both routers can be viewed in greater detail in the labs attached to this module.

7.2.5 - Configuring PAP and CHAP The diagram depicts two routers connected to a service provider by serial links.

Page 2: With two-way authentication configured, each router authenticates the other. Use debug commands on both routers to display the exchange sequence as it occurs.

debug ppp {authentication | packet | error | negotiation | chap}

The different phases of the authentication process can be viewed by using this command.

Authentication - Displays the authentication exchange sequence
Packet - Displays PPP packets sent and received
Negotiation - Displays packets transmitted during PPP startup, where PPP options are negotiated
Error - Displays protocol errors and statistics associated with PPP connection and negotiation
Chap - Displays CHAP packet exchanges

To turn off debug, use the no form of each command.

7.2.5 - Configuring PAP and CHAP The diagram depicts two routers connected by serial link. The output of the debug ppp command is listed. The different states can be defined as Challenge, Response, Successful Authentication, and Unsuccessful Authentication.
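The seven-step CHAP sequence from 7.2.4 and its replay discussion, as an added Python walkthrough that is not part of the course material: the response is computed as RFC 1994's MD5 variant, MD5(identifier || secret || challenge), which the course text only calls a one-way hash; the router names, the shared secret and the 16-byte challenge size are constructed assumptions. It shows that a recorded response is rejected by the next challenge and that a wrong secret never verifies.

```python
import hashlib
import hmac
import os

# Constructed sample secret for this walkthrough; not from the course.
SHARED_SECRET = b"boardwalk"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 3 of the course's CHAP sequence: the remote router combines the
    challenge with the shared secret through a one-way hash. RFC 1994's MD5
    variant hashes Identifier || secret || Challenge. Only this digest goes
    on the wire; the secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Challenger:
    """The 'local router' of steps 2, 5, 6 and 7: it issues challenges,
    recomputes the expected hash and accepts or rejects the response."""

    def __init__(self, users):
        self.users = users          # username -> secret (the username/password database)
        self.identifier = 0
        self.outstanding = None     # (identifier, challenge) of the open round

    def challenge(self):
        # Step 2: a new random challenge value and a new identifier per round
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = (self.identifier, os.urandom(16))
        return self.outstanding

    def verify(self, username, identifier, response):
        # Steps 5-7: a response is only valid for the currently open round
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False
        secret = self.users.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, self.outstanding[1])
        self.outstanding = None     # each challenge can be answered once
        return hmac.compare_digest(expected, response)


def respond(username, secret, identifier, challenge):
    """Steps 3 and 4 on the remote router: hash, then send name and hash back."""
    return username, identifier, chap_response(identifier, secret, challenge)


def run_exchange():
    """Walk through the sequence and show why a recorded response is useless
    against a later challenge. Returns the outcome of each attempt."""
    r2 = Challenger({"R1": SHARED_SECRET})

    ident, chal = r2.challenge()
    name, ident, resp = respond("R1", SHARED_SECRET, ident, chal)
    first = r2.verify(name, ident, resp)              # genuine R1: accepted

    ident2, _chal2 = r2.challenge()                   # periodic re-challenge
    replayed = r2.verify("R1", ident2, resp)          # old hash replayed: rejected

    ident3, chal3 = r2.challenge()
    _, _, bad = respond("R1", b"wrong-secret", ident3, chal3)
    wrong_secret = r2.verify("R1", ident3, bad)       # wrong secret: rejected

    ident4, chal4 = r2.challenge()
    _, _, good = respond("R1", SHARED_SECRET, ident4, chal4)
    second = r2.verify("R1", ident4, good)            # fresh correct answer: accepted

    return {"first": first, "replayed": replayed,
            "wrong_secret": wrong_secret, "second": second}


if __name__ == "__main__":
    print(run_exchange())
```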

The phases can be viewed more clearly when the command is entered by the student after PAP and CHAP are configured.

Page 3: Lab Activity - Configure and verify PAP and CHAP authentication on a PPP link. Click the lab icon to begin.

7.2.5 - Configuring PAP and CHAP Link to Hands-on Lab: Configuring and Verifying PAP and CHAP Authentication. Configure and verify PAP and CHAP authentication on a PPP link.

7.3 Using Frame Relay
7.3.1 Overview of Frame Relay Page 1: A common Layer 2 WAN encapsulation is Frame Relay. Frame Relay uses packet switching technology with variable length packets. It also makes use of STDM for optimum use of the available bandwidth. Frame Relay networks are multi-access networks similar to Ethernet, except that they do not forward broadcast traffic. Frame Relay is a nonbroadcast multiaccess network (NBMA).

The router, or DTE device, normally connects to the service provider via a leased line to the nearest point-of-presence of the service provider. This connection is an access link. It connects via a Frame Relay switch, or DCE device. The remote router at the destination end of the network is also a DTE device. The connection between the two DTE devices is a virtual circuit (VC).

The virtual circuit is typically established using PVCs that the service provider preconfigures. Most service providers discourage or even disallow the use of SVCs in a Frame Relay network.

7.3.1 - Overview of Frame Relay The diagram depicts a network cloud with ten interconnected switches inside. Around the outside of the cloud are four building sites, Site A, Site B, Site C, and Site D, that are connected to the switches inside the cloud via routers at each site. As information is sent from Site A to Site D, a virtual circuit path that the packets travel along is established between the sites.

7.3.2 Frame Relay Functionality Page 1: In an NBMA network, each virtual circuit requires a Layer 2 address for identification. In Frame Relay, this address is the data-link connection identifier (DLCI). The DLCI is stored in the address field of every frame transmitted. The DLCI usually has only local significance and may be different at each end of a VC. The DLCI identifies the VC that data uses to reach a particular destination.

The Layer 2 DLCI is associated with the Layer 3 address of the device at the other end of the VC. Mapping the DLCI to a remote IP address can occur manually or dynamically using a process known as Inverse ARP. Establishing a mapping of DLCI to remote IP address occurs in the following steps:
1. The local device announces its presence by sending its Layer 3 address out on the VC.
2. The remote device receives this information and maps the Layer 3 IP address to the local Layer 2 DLCI.
3. The remote device announces its IP address on the VC.
4. The local device maps the Layer 3 address of the remote device to the local DLCI on which it received the information.

7.3.2 - Frame Relay Functionality The animation depicts how Inverse ARP maps a Layer 2 DLCI to a remote IP address. There are two routers, R1 and R2, and a Frame Relay cloud with two switches, S1 and S2, inside. R1 is connected to S1 via a serial link on interface S0/0/0, IP: 209.165.200.225, DLCI 16. R2 is connected to S2 via a serial link on interface S0/0/0, IP: 209.165.200.226, DLCI 20. S1 is connected to S2 by Frame Relay.

S1 states, "DLCI 16 is active." R1 states, "DLCI 16 is active. I will send an Inverse ARP request to learn the IP address of the remote router." R1 sends a DLCI request to R2; the request is sent from R1 over the Frame Relay network to R2. R2 states, "I have received an Inverse ARP request on DLCI 20 from 209.165.200.225." R2 references its Frame Relay Map, which shows DLCI 20 = 209.165.200.225. R2 sends a response to R1 with its IP address information. R2 states "Inverse ARP response from 209.165.200.226" and sends a response back to R1. R1 references its Frame Relay Map, which shows DLCI 16 = 209.165.200.226.

Page 2: Local Management Interface (LMI) is a signaling standard between the DTE and the Frame Relay switch. LMI messages provide communication and synchronization between the network and the user device. They periodically report the existence of new PVCs and the deletion of existing PVCs. They also provide information about PVC integrity. LMI reports the status of PVCs between devices. VC status messages prevent data being sent to PVCs that no longer exist.

LMI provides VC connection status information that appears in the Frame Relay map table:

Active State
• The connection is active and routers can exchange data.

Inactive State
• The local connection to the FR switch is working but the remote connection to the FR switch is not.

Deleted State
• The local connection receives no LMI messages from the FR switch, or there is no service between the CPE router and the FR switch.

7.3.2 - Frame Relay Functionality The diagram depicts the use of LMI. There are three routers, R1, R2, and R3, and three switches, S1, S2, and S3. All switches are inside a cloud. R1 is connected to the CSU/DSU, and S1 is connected to the CSU/DSU. R2 is connected to S2. R3 is connected to S3. S2 is connected to S1. S3 is connected to S1. There is a double-sided arrow with an X through it from R1 to R2, symbolizing that the connection from R1 to R2 (DLCI = 400) is down. There is a double-sided arrow from R1 to R3, symbolizing that the connection from R1 to R3 (DLCI = 500) is up. A keep-alive is sent to R3, which says (LMI, 500 = Active, 400 = Inactive).

Page 3: When an end user subscribes to a Frame Relay service, the user negotiates certain service parameters with the provider. One parameter is the committed information rate (CIR). The CIR is the minimum bandwidth rate guaranteed by the provider for data on a VC. The service provider calculates the CIR as the average amount of data transmitted over a period of time. The calculated time interval is the committed time (Tc). The number of committed bits within the Tc is the committed burst (Bc). Any extra bits above the committed burst, up to the maximum speed of the access link, are known as the excess burst (Be).

The CIR defines the minimum rate provided; however, if there is no congestion on the links, the service provider boosts or bursts the bandwidth up to a second agreed-upon bandwidth. The excess information rate (EIR) is the average rate above the CIR that a VC can support when no network congestion exists. The cost of the Frame Relay service depends on the speed of the link and the CIR.

Frames transmitted above the speed of the CIR are uncommitted. These extra frames are marked as discard eligible (DE), but are forwarded if the network supports it. If congestion occurs, the provider first drops frames with the DE bit set. Users often pay for a lower CIR, counting on the fact that the service provider supplies higher bandwidth and bursts their traffic when there is no congestion.

7.3.2 - Frame Relay Functionality The diagram depicts the use of CIR within Frame Relay parameters. There is a cloud, Service Provider, which is connected to the Site A router via a link (Local Access Loop = T1) and to the Site B router via a link (Local Access Loop = 1544Kbps link). Site A sends information to Site B, stating, "My provider guarantees bandwidth of 768Kbps. 768Kbps is my CIR." A caption on the cloud states, "The network is not congested so we are going to burst your speed to 1.544 Mbps. All packets above your CIR are Discard Eligible". Frames continue to transmit to Site B until all information is sent.

Page 4: The forward explicit congestion notification (FECN) is a single-bit field that can be set to a value of 1 by a switch. It indicates to an end DTE device that the network is congested ahead. The backward explicit congestion notification (BECN) is a single-bit field that, when set to a value of 1 by a switch, indicates that the network is congested in the opposite direction. FECN and BECN allow higher-layer protocols to react intelligently to these congestion indicators. For example, the sending device uses BECNs to slow its transmission rate.

7.3.2 - Frame Relay Functionality The diagram depicts a bottleneck. There is a Frame Relay Cloud which is connected to the Branch Office Router via a 56 Kbps link, and to the Central Site router via a T1 link. The Central Site says, "I have received a lot of BECN's. The network must be congested. I need to reduce the pace at which I send packets."

Page 5:
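The CIR, Tc, Bc, Be and DE definitions from Page 3 and Page 4, worked through as an added Python example (not course material) with the diagram's rates, a 768 kbps CIR on a 1544 kbps access loop; the one-second Tc and the 1500-byte frame size are assumed values. It labels each frame sent within one Tc as committed, discard eligible, or beyond what the access link can carry, and shows which frames the provider drops first under congestion.

```python
# Added worked example; rates from the 7.3.2 diagram, Tc and frame sizes assumed.

def burst_parameters(cir_bps, access_bps, tc_s):
    """Bc is the committed bits per Tc (CIR x Tc). Be is the extra bits the
    access link can still carry above Bc within the same Tc."""
    bc = int(cir_bps * tc_s)
    be = int(access_bps * tc_s) - bc
    return bc, be


def classify_frames(frame_bits, cir_bps, access_bps, tc_s, congested=False):
    """Label each frame sent during one Tc. Within Bc a frame is committed;
    within Bc + Be it is forwarded but marked discard eligible (DE), and the
    provider drops it first when the network is congested; beyond Bc + Be the
    access link has no capacity left in this interval."""
    bc, be = burst_parameters(cir_bps, access_bps, tc_s)
    labels, sent = [], 0
    for bits in frame_bits:
        sent += bits
        if sent <= bc:
            labels.append("committed")
        elif sent <= bc + be:
            labels.append("dropped" if congested else "DE")
        else:
            labels.append("exceeds access link")
    return labels


def summarize(labels):
    """Count frames per label so a burst can be checked at a glance."""
    keys = ("committed", "DE", "dropped", "exceeds access link")
    return {k: labels.count(k) for k in keys}


def site_a_example(congested=False):
    """Site A from the diagram: CIR 768 kbps, T1 access loop (1544 kbps),
    sending 130 constructed 1500-byte frames in a one-second Tc."""
    frames = [1500 * 8] * 130
    return summarize(classify_frames(frames, 768_000, 1_544_000, 1.0, congested))


if __name__ == "__main__":
    print(burst_parameters(768_000, 1_544_000, 1.0))
    print(site_a_example())
    print(site_a_example(congested=True))
```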

7.3.2 - Frame Relay Functionality The diagram depicts an activity in which you must match the terms to their corresponding definition.

Terms: One. BECN; Two. DLCI; Three. FECN; Four. CIR; Five. DE; Six. SVC; Seven. PVC.

Definitions: A. Marks a frame as being less important on a network. B. The contracted data rate that the service provider agrees to transfer. C. The type of VC most service providers will not permit. D. Used to inform a receiving device that congestion was experienced. E. The Layer 2 address used by Frame Relay. F. Used to inform a sending device that congestion has occurred. G. The type of virtual circuit most often used by Frame Relay.

7.4 Chapter Summary
7.4.1 Summary Page 1: 7.4.1 - Summary

Diagram 1, Image: The diagram depicts two users communicating across a complex network topology.

Diagram 1 text: A WAN uses many different technologies, each offering distinct advantages. WAN technologies are either last mile, which connects the ISP to the customer, or long range, which interconnects ISP's. WAN technologies divide into circuit switching, packet switching, and cell switching. Circuit switching technologies create a physical circuit between end devices before sending information. Packet and cell switching technologies use either a PVC or SVC to send information across the network. Depending on the technology in use, converting the data format into an acceptable one requires a modem or a CSU/DSU.

Diagram 2, Image: The diagram depicts enterprises connecting to a cloud and shows traffic from two virtual circuits sharing the same links.

Diagram 2 text: HDLC is the default Layer 2 serial line encapsulation on Cisco routers. The Layer 2 encapsulation changes as frames are moved across the WAN. Cisco HDLC incorporates an extra field to allow it to carry multiple Layer 3 protocols. PPP allows the negotiation of many advanced features including authentication, load balancing, call back, and compression. PPP supports both PAP and CHAP authentication. PAP authentication sends the username/password in clear text and is subject to sniffing and replay attacks. CHAP issues challenges at configurable intervals and forces the connected device to re-authenticate.

Diagram 3, Image: The diagram depicts the bottleneck when a branch office connects using a 56 kbps connection via the frame relay cloud to the central site, which is using a T1 connection.

Diagram 3 text: Frame Relay is a packet-switched technology. Frame Relay uses virtual circuits to connect a specific source to a destination. Virtual circuits can be switched or permanent. Frame Relay uses parameters such as CIR to establish the bandwidth used on each VC. FECN's and BECN's inform the receiving and sending devices that the network is congested so that routers can take appropriate actions.

7.5 Chapter Quiz
7.5.1 Quiz Page 1: Take the chapter quiz to check your knowledge. Click the quiz icon to begin.

7.5.1 - Quiz Chapter 7 Quiz: Implementing Enterprise WAN Links

1. Which two layers of the OSI model describe WAN standards? (Choose two.)
A. Session
B. Network
C. Physical
D. Transport
E. Data Link
F. Application

2. What three parameters are defined by WAN standards? (Choose three.)
A. flow control
B. vendor
C. IP addressing
D. physical addressing
E. encapsulation
F. routing protocol

3. What are two characteristics of a CSU/DSU? (Choose two.)

A. used for digital transmission
B. used for wireless transmission
C. installed at central office
D. often integrated into router's interface card
E. part of an integrated services router

4. Match the WAN connection term to the correct definition.
WAN Connection Terms: packet switching; circuit switching; cell switching; SVC; PVC.
Definitions: virtual circuit that is dynamically established between two points when a router requests a transmission; establishes a connection between end nodes before forwarding data and ensures dedicated bandwidth through the length of transmission; virtual circuit that provides a permanent path to forward data between two points; packets from multiple organizations are switched over the same links.

5. What two statements describe the Cisco implementation of High-Level Data Link Control protocol? (Choose two.)
A. is a data link layer protocol
B. provides retransmission and windowing
C. supports multiple protocols on a single link
D. uses the same frame format as standard HDLC
E. is the default encapsulation on Cisco LAN interfaces

6. What two services allow the router to map data link layer addresses to network layer addresses in a Frame Relay network? (Choose two.)
A. ARP
B. ICMP
C. Proxy ARP
D. Inverse ARP
E. LMI status messages

7. What is used to identify a destination for a frame in a Frame Relay network?
A. CIR
B. DLCI
C. FECN
D. BECN

8. Which three statements are true regarding LCP? (Choose three.)
A. It is responsible for negotiating link establishment.
B. It negotiates options for Layer 3 protocols running over PPP.
C. It uses MD5 encryption while negotiating link establishment parameters.
D. It monitors the link for congestion and dynamically adjusts the acceptable window size.
E. It terminates the link upon user request or the expiration of an inactivity timer.
F. It can test the link to determine if link quality is sufficient to bring up the link.

9. To answer this question refer to the Network Topology and router output.
Network Topology: Router RTR_A is linked to router RTR_B via a serial link. The output from both routers appears as follows:

Router A
hostname RTR_A
!
enable gateway
username RTR_B password fortress
!
interface serial 0/0/0
IP address 10.10.10.1 255.255.255.252
encapsulation ppp
ppp authentication chap

Router B
hostname RTR_B
!
enable fortress
interface serial 0/0/0
IP address 10.10.10.2 255.255.255.252
encapsulation ppp
ppp authentication chap

Which command must be added to router RTR_B to allow router RTR_A to authenticate using CHAP?
A. RTR_B(config)# enable secret gateway
B. RTR_B(config)# enable secret fortress
C. RTR_B(config)# username RTR_B password fortress
D. RTR_B(config)# username RTR_A password fortress
E. RTR_B(config)# username RTR_B password gateway

10. What are two features of the CHAP protocol? (Choose two.)
A. exchanges random challenge number during the session to verify identity
B. disconnects the PPP session if authentication fails
C. sends authentication password to verify identity
D. requires different passwords on each device
E. initiates a two-way handshake

All contents copyright © 2007-2008 Cisco Systems, Inc.


8 Filtering Traffic Using Access Control Lists
8.0 Chapter Introduction
8.0.1 Introduction Page 1:

8.0.1 - Introduction Enterprise networks need security to ensure that only authorized users access the network. Traffic filtering tools, like Access Control Lists, are an important component of enterprise network security. ACL's permit and deny specific types of inbound and outbound traffic. Network engineers and technicians plan, configure, and verify ACL's on routers and other networking devices. After completion of this chapter, you should be able to: Describe traffic filtering. Explain how Access Control Lists (ACL's) can filter traffic at router interfaces. Analyze the use of wild-card masks. Configure and implement ACL's. Create and apply ACL's to control specific types of traffic. Log ACL activity and ACL best practices.

8.1 Using Access Control Lists
8.1.1 Traffic Filtering Page 1: Security within an enterprise network is extremely critical. It is important to prevent access by unauthorized users and protect the network from various attacks, such as DoS attacks. Unauthorized users can modify, destroy, or steal sensitive data on servers. DoS attacks prevent valid users from accessing facilities. Both of these situations cause a business to lose time and money.

Through traffic filtering, an administrator controls traffic in various segments of the network. Filtering is the process of analyzing the contents of a packet to determine if the packet should be allowed or blocked.

Packet filtering can be simple or complex, denying or permitting traffic based on:

• Source IP address
• Destination IP address
• MAC addresses
• Protocols
• Application type

Packet filtering can be compared to junk email filtering. Many email applications allow the user to adjust the configuration to automatically delete email from a particular source address. Packet filtering can be done in the same way by configuring a router to identify unwanted traffic.

Traffic filtering improves network performance. By denying unwanted or restricted traffic close to its source, the traffic does not travel across a network and consume valuable resources.

8.1.1 - Traffic Filtering The diagram depicts the use of traffic filtering. There is a circle with an internal network inside; the internal network contains four hosts connected to a switch. The switch is connected to a router which connects the internal network to external networks. The router is receiving four external packets. The packets labeled HTTP Protocol and Network 172.16.0.0 are allowed access into the network. The packets labeled IP Address 192.168.1.5 and Telnet are being blocked from accessing the network. The internal network uses MAC Address filtering. One of the four hosts is blocked from using the network.

Page 2: Devices most commonly used to provide traffic filtering are:

• Firewalls built into integrated routers
• Dedicated security appliances
• Servers

Some devices only filter traffic that originates from the internal network. More sophisticated security devices recognize and filter known types of attacks from external sources.

Enterprise routers recognize harmful traffic and prevent it from accessing and damaging the network. Nearly all routers filter traffic based on the source and destination IP addresses of packets. They also filter on specific applications and on protocols such as IP, TCP, HTTP, FTP, and Telnet.

8.1.1 - Traffic Filtering The diagram depicts four traffic filtering devices: Cisco Security Appliances; Server-Based Firewall; Linksys Wireless Router with Integrated Firewall; Cisco Router with IOS Firewall.

8.1.2 Access Control Lists Page 1: One of the most common methods of traffic filtering is the use of access control lists (ACLs). ACLs can be used to manage and filter traffic that enters a network, as well as traffic that exits a network.

An ACL ranges in size from one statement that allows or denies traffic from one source, to hundreds of statements that allow or deny packets from multiple sources. The primary use of ACLs is to identify the types of packets to accept or deny.

ACLs identify traffic for multiple uses such as:

• Specifying internal hosts for NAT
• Identifying or classifying traffic for advanced features such as QoS and queuing
• Restricting the contents of routing updates
• Limiting debug output
• Controlling virtual terminal access to routers

The following potential problems can result from using ACLs:

• The additional load on the router to check all packets means less time to actually forward packets.
• Poorly designed ACLs place an even greater load on the router and might disrupt network usage.
• Improperly placed ACLs block traffic that should be allowed and permit traffic that should be blocked.

8.1.2 - Access Control Lists The diagram depicts the placement of Access Control Lists. Two ACL's that are placed strategically on the network are used to block specific traffic from accessing parts of the network.

8.1.3 Types and Usage of ACLs Page 1: When creating access control lists, a network administrator has several options. The complexity of the design guidelines determines the type of ACL required.

There are three types of ACLs:

Standard ACLs

The Standard ACL is the simplest of the three types. When creating a standard IP ACL, the ACLs filter based on the source IP address of a packet. Standard ACLs permit or deny based on the entire protocol, such as IP. So, if a host device is denied by a standard ACL, all services from that host are denied. This type of ACL is useful for allowing all services from a specific user, or LAN, access through a router while denying other IP addresses access. Standard ACLs are identified by the number assigned to them. For access lists permitting or denying IP traffic, the identification number can range from 1 to 99 and from 1300 to 1999.

Extended ACLs

Extended ACLs filter not only on the source IP address but also on the destination IP address, protocol, and port numbers. Extended ACLs are used more than Standard ACLs because they are more specific and provide greater control. The range of numbers for Extended ACLs is from 100 to 199 and from 2000 to 2699.

Named ACLs

Named ACLs (NACLs) are in either Standard or Extended format and are referenced by a descriptive name rather than a number. When configuring named ACLs, the router IOS uses a NACL subcommand mode.

8.1.3 - Types and Usage of ACL's The diagram depicts a table of information about I O S Access Control Lists. The column headers include Type of ACL, Sample ACL Command/Statement, and Purpose of Statement. The types of ACL described are Standard, Extended, and Named.
Type of ACL: Standard. Sample ACL Command/Statement: Router(config)# access-list 1 permit host 172.16.2.88. Purpose of statement: Permits a specific IP address.
Type of ACL: Extended. Sample ACL Command/Statement: Router(config)# access-list 100 deny tcp 172.16.2.0 0.0.0.255 any eq telnet. Purpose of statement: Denies access from the 172.16.2.0 /24 subnet to any other host if they are attempting to use telnet.
Type of ACL: Named. Sample ACL Command/Statement: Router(config)# ip access-list standard permit-IP, followed by Router(config-std-nacl)# permit host 192.168.5.47. Purpose of statement: Creates a standard access list named permit-IP and allows access from IP address 192.168.5.47. The first command puts the router into NACL sub-command mode.

Page 2:

8.1.3 - Types and Usage of ACL's The diagram depicts an activity in which you must decide if each of the following characteristics belongs to a Standard, Extended, or Named ACL.
One. Simplest type of ACL.
Two. Uses a special sub-configuration mode.
Three. Uses a numeric identifier and can filter on protocol and port numbers.
Four. Can create both standard and extended access lists.
Five. Identified by number range from 100-199.
Six. Can only filter on source IP address or range.
Seven. Uses a numeric identifier and can filter on source or destination IP address.
Eight. Identified by number range from 1-99.
Nine. Can be assigned a meaningful descriptive identifier.

8.1.4 ACL Processing Page 1:

Access control lists consist of one or more statements. Each statement either permits or denies traffic based on specified parameters. Traffic is compared to each statement in the ACL sequentially until a match is found or until there are no more statements.

The last statement of an ACL is always an implicit deny. This statement is automatically inserted at the end of each ACL even though it is not physically present. The implicit deny blocks all traffic. This feature prevents the accidental entry of unwanted traffic.

After creating an access control list, apply it to an interface for it to become effective. The ACL targets traffic that is either inbound or outbound through the interface. If a packet matches a permit statement, it is allowed to enter or exit the router. If it matches a deny statement, it goes no further. An ACL that does not have at least one permit statement blocks all traffic. This is because at the end of every ACL is an implicit deny. Therefore an ACL will deny all traffic not specifically permitted.

8.1.4 - ACL Processing The animation depicts the use of ACL's to limit traffic on a network. Network Topology There is a network cloud with two hosts, H1 and H2. The H1 IP address is 192.168.1.1. The H2 IP address is 192.168.1.5. There is a router, R1, attached to the cloud via S0/0/0. A switch, S1, is connected to R1 via S0/0/1. S1 is connected to two hosts, H3 and H4. A packet is sent from H1 to R1 via S0/0/0. R1 has an ACL on the inbound interface S0/0/0, as follows: access-list 1 permit host 192.168.1.1 access-list 1 deny any (implied) The IP address in the ACL statement matches the source IP in the packet so the packet is forwarded. A packet is sent from H2 to R1 via S0/0/0. R1 has an ACL on the inbound interface S0/0/0, as follows: access-list 1 permit host 192.168.1.1 access-list 1 deny any (implied) This time the IP address in the ACL does not match the source IP in the packet. The packet is denied from being forwarded, receiving the Implicit Deny statement.

Page 2: An administrator applies either an inbound or outbound ACL to a router interface. The inbound or outbound direction is always from the perspective of the router. Traffic coming in an interface is inbound and traffic going out an interface is outbound.

When a packet arrives at an interface, the router checks the following parameters:

• Is there an ACL associated with the interface?
• Is the ACL inbound or outbound?
• Does the traffic match the criteria for permitting or denying?

An ACL applied outbound to an interface has no effect on traffic inbound on that same interface.

Each interface of a router can have one ACL per direction for each network protocol. For the IP protocol, one interface can have one ACL inbound and one ACL outbound at the same time.

ACLs applied to an interface add latency to the traffic. Even one long ACL can affect router performance.

8.1.4 - ACL Processing The animation depicts how inbound and outbound ACL's process traffic. Network Topology There is a network cloud with a host, H1, with the IP address 192.168.1.1. Router R1 is connected to the cloud via S0/0/0. R1 is connected to switch S1 via F A 0 /0. S1 is connected to two hosts, H2, IP address 172.22.4.1, and H3, IP address 172.22.4.2.
Inbound Traffic A packet is sent from H1 to R1. R1 says, "I have an ACL associated with the S0/0/0 interface." The packet reaches R1 where the ACL is applied to Interface S0/0/0 inbound. R1 says, "I have to filter traffic inbound. You match the permit statement of the ACL, therefore move ahead." The ACL has the following information: access-list 1 permit host 192.168.1.1 access-list 1 deny any (implied) The packet is forwarded to its destination.
Outbound Traffic A packet is sent from H1 to R1. R1 says, "I will switch you to the F A 0 /0 interface to reach your destination." The packet reaches R1. R1 says, "I have an ACL associated with the F A 0 /0 interface." The ACL is applied to Interface F A 0 /0 outbound. R1 says, "I have to filter traffic outbound. You match the permit statement of the ACL, therefore move ahead." The ACL has the following information: access-list 1 permit host 192.168.1.1 access-list 1 deny any (implied) The packet is forwarded to its destination.

Page 3:

8.1.4 - ACL Processing The diagram depicts an activity in which you must determine if the packet will be permitted or denied, based on the given Source IP Address.
One. Source IP Address: 192.168.1.133. ACL Statements: access-list 1 permit host 192.168.1.33 access-list 1 permit host 192.168.1.233
Two. Source IP Address: 192.168.1.228. ACL Statements: access-list 2 permit host 192.168.1.215
Three. Source IP Address: 10.10.10.5. ACL Statements: access-list 3 permit host 10.10.10.5 access-list 3 deny host 172.22.4.1
Four. Source IP Address: 172.22.4.1. ACL Statements: access-list 4 deny host 172.22.4.1 access-list 4 permit host 172.22.4.2
Five. Source IP Address: 172.22.4.1. ACL Statements: access-list 5 permit host 10.10.10.5 access-list 5 permit host 172.22.4.1
Six. Source IP Address: 172.22.4.3. ACL Statements: access-list 6 deny host 172.22.4.3

8.2 Using a Wildcard Mask
8.2.1 ACL Wildcard Mask Purpose and Structure Page 1: Simple ACLs specify only one permitted or denied address. Blocking multiple addresses or ranges of addresses requires using either multiple statements or a wildcard mask. Using an IP network address with a wildcard mask allows much more flexibility. A wildcard mask can block a range of addresses or a whole network with one statement.

A wildcard mask uses 0s to indicate the portion of an IP address that must match exactly and 1s to indicate the portion of the IP address that does not have to match a specific number.

A wildcard mask of 0.0.0.0 requires an exact match on all 32 bits of the IP address. This mask equates to the use of the host parameter.

8.2.1 - ACL Wild-card Mask Purpose and Structure The diagram depicts a person sitting at a workstation with the following information displayed on the monitor: Wild-card masks that permit a single host: 172.16.22.87 0.0.0.0 and host 172.22.8.17. Wild-card mask that permits a range of hosts for a /24 network: 172.16.22.0 0.0.0.255. Wild-card mask that permits an entire /16 network: 172.16.0.0 0.0.255.255. Wild-card mask that permits an entire /8 network: 10.0.0.0 0.255.255.255.

Page 2: The wildcard mask used with ACLs functions like the one used in the OSPF routing protocol. However, the purpose of each mask is different. With ACL statements, the wildcard mask specifies a host or range of addresses to be permitted or denied.

When creating an ACL statement, the IP address and wildcard mask become the comparison fields. All packets that enter or exit an interface are compared to each statement of the ACL to determine if there is a match. The wildcard mask determines how many bits of the incoming IP address match the comparison address.

As an example, the following statement permits all hosts from the 192.168.1.0 network and blocks all others:

access-list 1 permit 192.168.1.0 0.0.0.255

The wildcard mask specifies that only the first three octets must match. Therefore, if the first 24 bits of the incoming packet match the first 24 bits of the comparison field, the packet is permitted. Any packet with a source IP address in the range of 192.168.1.1 to 192.168.1.255 matches the example comparison address and mask combination. All other packets are denied by the ACL implicit deny any statement.

8.2.1 - ACL Wild-card Mask Purpose and Structure The diagram depicts the steps involved to create an ACL with the following information: R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Step 1. Convert the decimal comparison address to binary. Comparison Address: Decimal equivalent: 192.168.1.0; Binary equivalent: 11000000.10101000.00000001.00000000
Step 2. Convert the decimal wild-card mask to binary. Wild-card Mask: Decimal equivalent: 0.0.0.255; Binary equivalent: 00000000.00000000.00000000.11111111
Step 3. Compare the wild-card mask match bits (24 zeros) with the comparison address bits. Comparison Address bits to match: Decimal equivalent: 192.168.1.X; Binary equivalent: 11000000.10101000.00000001.XXXXXXXX
Step 4. Compare the first 24 bits of an incoming packet IP address to the first 24 bits of the comparison address. Incoming Packet Address: Decimal equivalent: 192.168.1.27; Binary equivalent: 11000000.10101000.00000001.00011011
Step 5. The incoming packet IP address is a match with the comparison address and wild-card mask. If the bits match, the packet is permitted by the ACL.

Page 3:

8.2.1 - ACL Wild-card Mask Purpose and Structure The diagram depicts an activity in which you must determine the wild-card mask for each of the following ACL statement objectives.
ACL Statement Objective:
One. Deny all hosts from the 192.168.55.0 /24 network
Two. Permit all hosts from the 172.20.4.0 /24 subnet
Three. Permit only host 10.10.10.1
Four. Deny only host 192.168.93.240
Five. Deny all hosts from the 172.30.0.0 /16 network
Six. Deny all hosts from the 172.25.0.0 /16 network
Seven. Permit all hosts from the 10.0.0.0 /8 network
Eight. Deny all hosts from the 10.0.0.0 /16 network

8.2.2 Analyzing the Effects of the Wildcard Mask Page 1: When creating an ACL, there are two special parameters that can be used in place of a wildcard mask: host and any.

Host parameter

To filter a single, specific host, use either the wildcard mask 0.0.0.0 after the IP address or the host parameter prior to the IP address.

R1(config)#access-list 9 deny 192.168.15.99 0.0.0.0

Is the same as:

R1(config)#access-list 9 deny host 192.168.15.99

Any parameter

To filter all hosts, use the all 1s parameter by configuring a wildcard mask of 255.255.255.255. When using a wildcard mask of 255.255.255.255 all bits are considered matches, therefore, the IP address is typically represented as 0.0.0.0. Another way to filter all hosts is to use the any parameter.

R1(config)#access-list 9 permit 0.0.0.0 255.255.255.255

Is the same as:

R1(config)#access-list 9 permit any

Consider the following example that denies a specific host and permits all others:

R1(config)#access-list 9 deny host 192.168.15.99

R1(config)#access-list 9 permit any

The permit any command permits all traffic not specifically denied in the ACL. When this is configured, no packets will reach the implicit deny any at the end of the ACL.

8.2.2 - Analyzing the Effects of the Wild-card Mask The diagram depicts a router connected to a switch with the following ACL inbound on F A 0 /0: access-list 9 deny host 192.168.15.99 access-list 9 permit any Network Topology Four hosts are connected to the switch. Three of the hosts with the following IP addresses can transmit ok: 192.168.15.77, 192.168.15.22, and 192.168.15.33. The host with the IP address 192.168.15.99 cannot transmit.

Page 2: In an enterprise network with a hierarchical IP addressing scheme, it is often necessary to filter subnet traffic.

If 3 bits are used for subnetting the 192.168.77.0 network, the subnet mask is 255.255.255.224. Subtracting the subnet mask from the all 255s mask results in a wildcard mask of 0.0.0.31. To permit the hosts on the 192.168.77.32 subnet, the ACL statement is:

access-list 44 permit 192.168.77.32 0.0.0.31

The first 27 bits of each packet match the first 27 bits of the comparison address. The overall range of addresses that this statement permits is from 192.168.77.33 to 192.168.77.63, which is the range of all addresses on the 192.168.77.32 subnet.

8.2.2 - Analyzing the Effects of the Wild-card Mask The diagram depicts a subnet mask chart with the following explanation. Subnet address: 192.168.77.32 255.255.255.224. Bit value for one octet: 128, 64, 32, 16, 8, 4, 2, and 1. All 1s for a binary octet: 1, 1, 1, 1, 1, 1, 1, and 1 gives a decimal value of 255. Subnet Mask: 1, 1, 1, 0, 0, 0, 0, and 0 gives a decimal value of 224. Match Bits: First three bits of the above octet; 1, 1, and 1 gives a decimal value of 224. Non-Match Bits: Last five bits of the above octet. Wild-card Mask: 0.0.0.31. Comparison/Base Address: 192.168.77.32 0.0.0.31. More Information Popup: A network that is a full Class A, B, or C has a subnet mask and a wild-card mask that divide evenly at an octet boundary. An octet boundary is a place between the first and second or second and third octet. Example: A default Class A subnet falls between bit positions 8 and 9. This breaks at the end of one octet, and the beginning of the next is the boundary of the next octet. Subnets that do not break on an octet boundary produce a different wild-card mask value.

Page 3: Creating accurate wildcard masks for ACL statements provides the control required to fine-tune traffic flow. Filtering different subnet traffic is the most difficult concept for beginners. The 192.168.77.0 network, with a subnet mask of 255.255.255.192 or /26, creates the following four subnets: 192.168.77.0/26, 192.168.77.64/26, 192.168.77.128/26, and 192.168.77.192/26.

To create an ACL to filter any of these four subnets, subtract the subnet mask 255.255.255.192 from the all 255s mask, resulting in a wildcard mask of 0.0.0.63. To permit traffic from the first two of these subnets, use two ACL statements:

access-list 55 permit 192.168.77.0 0.0.0.63
access-list 55 permit 192.168.77.64 0.0.0.63

The first two networks also summarize to 192.168.77.0/25. Subtracting the summarized subnet mask of 255.255.255.128 from the all 255s mask results in a wildcard mask of 0.0.0.127. Using this mask groups these two subnets together into one ACL statement instead of two:

access-list 5 permit 192.168.77.0 0.0.0.127

8.2.2 - Analyzing the Effects of the Wild-card Mask The diagram depicts the effects of the wild-card mask. Network Topology A router has an ACL outbound on S0/0/0. This router is connected to four networks on Fast Ethernet ports. Networks 192.168.77.0 /26 and 192.168.77.64 /26 are ok. Networks 192.168.77.128 /26 and 192.168.77.192 /26 are blocked. OPTION A: access-list 55 permit 192.168.77.0 0.0.0.63, access-list 55 permit 192.168.77.64 0.0.0.63 (implied deny any). OPTION B: access-list 5 permit 192.168.77.0 0.0.0.127 (implied deny any).

Page 4:

8.2.2 - Analyzing the Effects of the Wild-card Mask The diagram depicts an activity in which you must analyze the comparison address and wild-card mask. Decide whether each packet will be permitted or denied based on the information.
One. ACL Statements: access-list 66 permit 192.168.122.0 0.0.0.63. IP Packet Address: 192.168.122.27.
Two. ACL Statements: access-list 66 permit 192.168.223.128 0.0.0.31. IP Packet Address: 192.168.223.195.
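The wildcard comparison from 8.2.1 and the subnet examples above (0.0.0.31 for a /27, 0.0.0.63 for a /26, and the two /26 subnets summarized under 0.0.0.127), worked through as an added Python example; this is not code from the course. It derives the wildcard from the subnet mask, matches a packet source against a comparison address the way the router does, and walks a standard ACL top to bottom with the implicit deny at the end.

```python
"""Standard ACL matching with wildcard masks (added example, not course code).

Models what the chapter describes: a wildcard mask is the all-255s mask minus
the subnet mask, a 0 bit must match exactly and a 1 bit is ignored, and a
standard ACL is walked top to bottom with an implicit 'deny any' at the end.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_from_mask(subnet_mask: str) -> str:
    """255.255.255.255 minus the subnet mask, e.g. 255.255.255.224 -> 0.0.0.31."""
    return to_dotted(ALL_ONES ^ to_int(subnet_mask))


def matches(packet_src: str, comparison: str, wildcard: str) -> bool:
    """Compare only the bits where the wildcard is 0 (the 'match' bits)."""
    fixed = ALL_ONES ^ to_int(wildcard)
    return (to_int(packet_src) & fixed) == (to_int(comparison) & fixed)


def matched_range(comparison: str, wildcard: str):
    """Lowest and highest address the comparison/wildcard pair matches.

    For 192.168.77.32 0.0.0.31 this is .32 through .63: the bit comparison
    matches the subnet address itself as well as the host addresses.
    """
    w = to_int(wildcard)
    base = to_int(comparison) & (ALL_ONES ^ w)
    return to_dotted(base), to_dotted(base | w)


def parse_statement(line: str):
    """Turn one numbered standard ACL line into (action, address, wildcard).

    Accepts the forms the chapter uses:
        access-list 9 deny host 192.168.15.99
        access-list 9 permit 192.168.1.0 0.0.0.255
        access-list 9 permit any
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL statement: {line!r}")
    action, src = tok[2], tok[3:]
    if src == ["any"]:
        return action, "0.0.0.0", "255.255.255.255"
    if src[0] == "host":
        return action, src[1], "0.0.0.0"
    # An address with no wildcard is an exact host match, the same as
    # writing 'access-list 9 deny 192.168.15.99 0.0.0.0'.
    wildcard = src[1] if len(src) > 1 else "0.0.0.0"
    return action, src[0], wildcard


def evaluate(acl_lines, packet_src: str) -> str:
    """First matching statement decides; no match means the implicit deny."""
    for line in acl_lines:
        action, address, wildcard = parse_statement(line)
        if matches(packet_src, address, wildcard):
            return action
    return "deny"   # implicit 'deny any' at the end of every ACL


# The chapter's two ways of permitting 192.168.77.0/26 and 192.168.77.64/26.
OPTION_A = ["access-list 55 permit 192.168.77.0 0.0.0.63",
            "access-list 55 permit 192.168.77.64 0.0.0.63"]
OPTION_B = ["access-list 5 permit 192.168.77.0 0.0.0.127"]


def same_decisions(acl_a, acl_b, network: str = "192.168.77.0/24") -> bool:
    """True if both ACLs permit and deny exactly the same sources in `network`."""
    return all(evaluate(acl_a, str(h)) == evaluate(acl_b, str(h))
               for h in ipaddress.ip_network(network))


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.192"))        # 0.0.0.63
    print(matched_range("192.168.77.32", "0.0.0.31"))   # ('192.168.77.32', '192.168.77.63')
    print(same_decisions(OPTION_A, OPTION_B))           # True
    acl_9 = ["access-list 9 deny host 192.168.15.99", "access-list 9 permit any"]
    for src in ("192.168.15.99", "192.168.15.77"):
        print(src, evaluate(acl_9, src))                # deny, then permit
```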

Three through Seven. Five more pairs of the same form, each giving an access-list 66 permit statement (comparison address and wild-card mask) and an IP packet address, with comparison addresses drawn from the 192.168.0.0, 10.0.0.0, and 172.16.0.0 address spaces.

8.3 Configuring Access Control Lists
8.3.1 Placing Standard and Extended ACLs Page 1: Properly designed access control lists have a positive impact on network performance and availability. Plan the creation and placement of access control lists to maximize this effect. Planning involves the following steps:

1. Determine the traffic filtering requirements
2. Decide which type of ACL best suits the requirements
3. Determine the router and the interface on which to apply the ACL
4. Determine in which direction to filter traffic

Step 1: Determine Traffic Filtering Requirements

Gather traffic filtering requirements from stakeholders from within each department of an enterprise. These requirements differ from enterprise to enterprise and are based on customer needs, traffic types, traffic loads, and security concerns.

8.3.1 - Placing Standard and Extended ACL's The diagram depicts a boardroom environment with several people sitting at the boardroom table. The people are viewing a graphic on the overhead projector.

Page 2: Step 2: Decide Type of ACL to Suit Requirements

The decision to use a Standard ACL or an Extended ACL depends on the filtering requirements of the situation. The choice of ACL type can affect the flexibility of the ACL, as well as the router performance and network link bandwidth.

Standard ACLs are simple to create and implement. However, standard ACLs only filter based on the source address and will filter all traffic without regard to the type or the destination of the traffic. Therefore, it is important to place standard ACLs as close to the destination as possible. With routes to multiple networks, a standard ACL placed too close to the source may unintentionally block traffic that should be permitted.

When filtering requirements are more complex, use an Extended ACL. Extended ACLs offer more control than Standard ACLs. They filter on source and destination addresses. They also filter by looking at the network layer protocol, transport layer protocol, and port numbers if required. This increased filtering detail allows a network administrator to create ACLs that meet the specific needs of a security plan. Place an Extended ACL close to the source address. By looking at both the source and destination address, the ACL blocks packets intended for a specific destination network before they leave the source router. The packets are filtered before they cross the network, which helps conserve bandwidth.

8.3.1 - Placing Standard and Extended ACL's The diagram depicts two scenarios that include a description and an example of Standard ACL Placement and Extended ACL Placement. Network Topology Four routers are directly connected in a circle by a serial link. Each of the routers, R1 through R4, has a FastEthernet port in use. The network addresses for each connected network are as follows: R1: 192.168.1.0 /24, R2: 192.168.2.0 /24, R3: 192.168.3.0 /24, R4: 192.168.4.0 /24.

R1 and R4 are opposite each other. There are blocks at R1 and R4 between the router and its FastEthernet port. These blocks indicate where an ACL may be placed.

Scenario 1: Standard ACL Placement. ACL: access-list 9 deny 192.168.1.0 0.0.0.255, access-list 9 permit any. Requirements: Prevent traffic from the 192.168.1.0 network from reaching the 192.168.4.0 network, but allow the 192.168.1.0 network to reach other networks. Good Location: Meets all requirements. Prevents traffic from the 192.168.1.0 network from reaching 192.168.4.0 but also allows it to reach other networks. Bad Location: Meets some of the requirements. Prevents traffic from the 192.168.1.0 network from reaching networks 192.168.2.0, 192.168.3.0 and 192.168.4.0.

Scenario 2: Extended ACL Placement. ACL: access-list 109 deny IP 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255, access-list 109 permit any any. Requirements: Use an extended ACL to prevent traffic from the 192.168.1.0 network from entering the 192.168.4.0 network. Allow 192.168.1.0 to reach other networks. Good Location: The Extended ACL is placed closest to the source, which prevents traffic from the 192.168.1.0 network from entering the 192.168.4.0 network while allowing the 192.168.1.0 network to reach other networks.

Page 3: Step 3: Determine Router and Interface for ACL

Place ACLs on routers in either the Access or Distribution Layer. A network administrator must have control of these routers and be able to implement a security policy. A network administrator who does not have access to a router cannot configure an ACL on it.

Selection of the appropriate interface depends on the filtering requirements, the ACL type, and the location of the designated router. It is best to filter traffic before it advances onto a lower bandwidth serial link. The interface selection is usually obvious once the router is chosen.

Step 4: Determine Direction to Filter Traffic

When determining the direction in which to apply an ACL, visualize the traffic flow from the perspective of the router.

Inbound traffic is traffic that is coming into a router interface from outside. The router compares the incoming packet to the ACL before looking up the destination network in the routing table. Packets discarded at this point save the overhead of routing lookups. This makes the inbound access control list more efficient for the router than an outbound access list.

Outbound traffic is inside the router and leaves through an interface. For an outbound packet, the router has already done a routing table lookup and has switched the packet to the correct interface. The packet is compared to the ACL just before leaving the router.

8.3.1 - Placing Standard and Extended ACL's This animation depicts the process of determining the type and placement of an ACL. Network Topology Router R1 is connected to routers R2 and R3 via serial links. The following are the network address assignments for each router: R1: F A 0 /0: 192.168.1.0 /24 and F A 0 /1: 192.168.4.0 /24; R2: F A 0 /0: 192.168.2.0 /24; R3: F A 0 /0: 192.168.3.0 /24. The requirements given in the diagram are as follows: "We need to prevent traffic from the 192.168.1.0 network from entering the 192.168.4.0 network but allow it to reach other networks." The Standard ACL and Extended ACL commands are listed below. Standard ACL: access-list 1 deny 192.168.1.0 0.0.0.255, access-list 1 permit any. Extended ACL: access-list 101 deny IP 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255, access-list 101 permit IP any any. The following are questions included in the diagram. One. What kind of ACL? Answer: Extended ACL. Two. On which router? Answer: R1. Three. On which interface? Answer: F A 0 /0. Four. In which direction? Answer: Inbound. The extended ACL is placed inbound on interface F A 0 /0 of R1 to control access to the 192.168.4.0 network.

Page 4:

8.3.1 - Placing Standard and Extended ACL's The diagram depicts an activity in which you must match the correct router, interface, and direction for the placement of the ACL in each of the following two scenarios. Network Topology The diagram depicts three routers, R1, R2, and R3, that are directly connected by serial link to each other. The networks connected to the FastEthernet ports of each of the routers are listed below: R1 F A 0 /0: 172.16.1.0 /24. R2 F A 0 /0: 172.16.2.0 /24. R3 F A 0 /0: 172.16.3.0 /24.

Scenario 1 Requirement: You have an extended ACL that prevents traffic from one of the 172.16.0.0 /24 subnets from reaching a second subnet, but allows it to reach the third subnet and the ISP. You need to minimize traffic on the WAN links and can only place the ACL on one interface. ACL: access-list 101 deny IP (the source subnet) 0.0.0.255 (the destination subnet) 0.0.0.255, access-list 101 permit IP any any.

Scenario 2 Requirement: You have a standard ACL that permits all traffic from any 172.16.0.0 network to reach the ISP network but blocks all other traffic. ACL: access-list permit 172.16.0.0 0.0.255.255.

The following are the router, interface, and direction options. Decide which ones belong to each scenario. Option 1. S0/0/1. Option 2. R3. Option 3. S0/0/0. Option 4. R2. Option 5. S0/1/0. Option 6. OUT. Option 7. IN. Option 8. R1. Option 9. F A 0 /0.

8.3.2 Basic ACL Configuration Process Page 1:

After capturing the requirements, planning the access control list, and determining the location, configure the ACL.

If a router is running IP exclusively, each interface handles a maximum of two ACLs: one inbound and one outbound. It is also possible to create AppleTalk and IPX ACLs. The limit for any one router interface is one ACL per protocol per direction. Since each ACL compares every packet passing through an interface, ACLs add to latency.

Each ACL requires a unique identifier. This identifier can be either a number or a descriptive name. In numbered access control lists, the number identifies the type of ACL created:

• Standard IP ACLs have numbers in the ranges from 1 to 99 and from 1300 to 1999.
• Extended IP ACLs have numbers in the ranges from 100 to 199 and from 2000 to 2699.

Configure an ACL with a permit statement or all traffic will be denied.

More Information Popup: Rejected packets cause an IP access list to send an ICMP host unreachable message to the sender, and the packet is discarded. Outbound filters do not affect traffic that originates from the local router.

8.3.2 - Basic ACL Configuration Process The diagram depicts the following guidelines for ACL Processing and Creation.
ACL Processing and Creation Guidelines
• Configure only one access list per protocol per direction.
• Process statements sequentially from the top of the list to the bottom.
• Deny the packet if no match is found. An implicit deny any is at the end of all access lists (it does not appear in the listing).
• Enter the access list statements in order from specific to general.
• Use the correct number range for the type of list.
• Apply standard access lists closest to the destination.
• Apply extended access lists closest to the source.
• Determine the inbound or outbound direction by looking at the port from inside the router.
• Create your ACL's in a text editor to make it easier to edit them. You can copy and paste ACL statements into the router.

Page 2:

Configuring an access control list requires two steps: creation and application.

ACL Creation Enter global configuration mode. Using the access-list command, enter the access control list statements. Enter all statements with the same ACL number until the access control list is complete. The syntax for the Standard ACL statement is:

access-list [access-list-number] [deny|permit] [source address] [source-wildcard] [log]

Since every packet is compared to every ACL statement until a match is found, the order that statements are placed within the ACL can affect the latency introduced. For this reason, statements that find a match for the highest amount of traffic should be placed toward the beginning of the ACL. In other words, order the statements so that the more common conditions appear in the ACL before the less common ones.

Keep in mind, however, that once a match is found, the packet is no longer compared to any other statements within the ACL. This means that if one line permits a packet, but a line further down the ACL denies it, the packet will be permitted. Therefore, plan the ACL so that the more specific requirements appear before more general ones. For example, deny a specific host of a network before permitting the remainder of the entire network.

Document the function of each section or statement of the ACL using the remark command:

access-list [list number] remark [text]

To delete an ACL, use the command:

no access-list [list number]

It is not possible to delete a single line from a standard or extended ACL. Instead, the ACL as a whole is deleted and must be replaced in its entirety.

ACL Application Assign an ACL to one or more interfaces, specifying either inbound traffic or outbound traffic.

R2(config-if)#ip access-group access list number [in | out]

The following commands place access-list 5 on the R2 Fa0/0 interface filtering inbound traffic:

R2(config)#interface fastethernet 0/0
R2(config-if)#ip access-group 5 in

8.3.2 - Basic ACL Configuration Process The diagram depicts an ACL configuration process. Network Topology Two routers, R1 and R2, are directly connected to each other via a serial link. R1 has its two FastEthernet ports in use. The network addresses assigned to these networks are 192.168.1.0 /24 and 192.168.2.0 /24. R2 has its two FastEthernet ports in use. The assigned network addresses for these networks are 192.168.3.0 /24 and 192.168.4.0 /24. There is a server connected with the address 192.168.4.12, and a client computer connected with the address 192.168.4.200. Apply a standard ACL as close to the destination as possible. The ACL commands are listed below for the placement on R2 on FastEthernet F A 0 /0.
R2 (config) # access-list 3 remark to departmental server
R2 (config) # access-list 3 deny host 192.168.4.12
R2 (config) # access-list 3 permit 192.168.4.0 0.0.0.255
R2 (config) # access-list 3 permit 192.168.1.66
Note: access-list 3 deny host 192.168.4.12 is specific. access-list 3 permit 192.168.4.0 0.0.0.255 is general.

8.3.3 Configuring Numbered Standard ACLs Page 1: An ACL does not filter traffic until it has been applied, or assigned, to an interface.

The default direction for an ACL applied to an interface is out. Even though out is the default, it is very important to specify the direction to avoid confusion and to ensure that traffic filters in the correct direction. To remove an ACL from an interface while leaving the ACL intact, use the no ip access-group interface command.

8.3.3 - Configuring Numbered Standard ACL's The animation depicts the application of an ACL to an interface. Network Topology Two routers connected by a serial link. One computer is connected to the FastEthernet port of R1. There is a server and computer connected to each FastEthernet port of R2. The commands for configuring the ACL are listed below:
R2 (config) # access-list 3 remark to departmental server
R2 (config) # access-list 3 deny host 192.168.4.12
R2 (config) # access-list 3 permit 192.168.4.0 0.0.0.255
R2 (config) # access-list 3 permit 192.168.1.66
After the ACL is configured on R2, packets still travel freely across the network. The commands for applying the ACL are listed below:
R2 (config) # interface F A 0 /0
R2 (config-if) # ip access-group 3 out
Once the ACL is applied to the F A 0 /0 interface of R2, the appropriate traffic from 192.168.4.12 is denied.

Page 2: Several ACL commands evaluate the proper syntax, order of statements, and placement on interfaces.

show ip interface
• Displays IP interface information and indicates any assigned ACLs.

show access-lists [access list number]

• Displays the contents of all ACLs on the router. Page 3: 8.0 /24 via F A 0 /1 R2 is connected to the following: LAN3 192.0 /24 via F A 0 /1 .168.168. This order may not yield the desired results. To resolve this issue. show access-list.2.3 .0 LAN.0 /24 via F A 0 /0 LAN2 192. It also displays the number of matches for each permit or deny statement since application of the ACL. However. show access-lists.1.3 . This allows the ACL to be easily edited and pasted into the router configuration. It is often recommended to create ACLs in a text editor. Applying ACL's is covered in the labs and the outputs to these commands are available once the ACL has been placed. remove the original ACL and recreate it. 8. Network Topology Two routers. and show running-config shows how adding an ACL to a configuration affects the output. If using numbered ACLs. A server and computer are connected to each FastEthernet port of R2 and one computer is connected to the FastEthernet port of R1. otherwise all statements will be pasted to the end. and show running-config. statements entered after the initial creation of the ACL are added to the end.168. are connected by serial link. even if they are not currently applied to an interface.3. selecting the buttons show IP interface.4. R1 is connected to the following: LAN1 192.Configuring Numbered Standard ACL's The diagram depicts sample output for the following show commands on R2: show IP interface.168. R1 and R2.3. To see a specific list. add the ACL name or number as an option for this command. show running-config • Displays all configured ACLs on a router.3.0 /24 via F A 0 /0 LAN4 192.Configuring Numbered Standard ACL's The diagram depicts an activity in which you must determine the correct sequence of commands to configure and apply a standard ACL that will control entry into the 192.1.168. In the diagram. Network Topology R1 is connect to R2 via a serial link. 
keep in mind when coping and pasting the ACL that it is important to remove the currently applied ACL first.

4.Configuring Numbered Standard ACL's Link to Hands-on Lab: Configuring and Verifying Standard ACL's Configure and verify a standard ACL. D.3. E. C. and port numbers.168. The more statements that an ACL contains. Since Extended ACLs can be very specific.interface F A 0 /0.255. B.3.77 host should not be able to access 192.0.0.3.The 192. Extended ACLs use an access-list number in the ranges 100 to 199 and 2000 to 2699.168.4. . The list of commands stated below are not in the correct order.3 . 8. protocol type.4 Configuring Numbered Extended ACLs Page 1: Extended ACLs provide a greater range of control than Standard ACLs.3. they tend to grow in size quickly.0. the more difficult it is to manage.168. Use the host or any keywords to represent IP addresses.0.access-list 44 permit 192.0 network should be permitted access.IP access-group 44 out.0 0.168.168.0 LAN but all other hosts on the 192.0. F. 8.255. A.0.168.1.0 0.access-list 44 permit 192. The same rules that apply to Standard ACLs also apply to Extended ACLs : • • • Configure multiple statements in one ACL.access-list 44 deny any. Assign the same ACL number to each statement.0.168. The Extended ACL permits or denies access based on source IP address.3.0 and 192.77 0.access-list 44 deny 192. Click the lab icon to begin. Page 4: Lab Activity Configure and verify a Standard ACL. destination IP address.3.

Internet Control Message Protocol IGMP . Source IP Address .0.255 host 172. Extended ACL's use numbers in the range of 100 to 199.0.168.0. This value can be: An individual host address A range of host addresses The host parameter The any parameter ACL Number . The following is the ACL. and OSPF. Condition .Ciscos GRE tunneling ICMP .5.Ciscos EIGRP routing protocol ESP .168.254 eq http ACL Fields Destination IP Address . and 2000 to 2699. This value can be: An individual host address A range of host addresses The host parameter The any parameter Matching Condition .permit Identifies whether a packet is to be permitted or denied.Configuring Numbered ACL's The diagram depicts an ACL A brief description of each of the fields of the ACL is given. Page 2: There are often many different ways to meet a set of requirements.http Identifies the application either by port number or acronym. or it can indicate filtering on a specific IP protocol such as TCP.Any Internet Protocol TCP Application .0 0. less than.255 Identifies the IP address of the source of the packet.192. greater than.4 .1 6. R2 (config) # access-list 105 permit tcp 192.eq Determines whether certain fields must match the application equally.254 Identifies the IP address of the destination of the packets.3. .host 172. This protocol can be IP.1 6.A key difference in the Extended ACL syntax is the requirement to specify a protocol after the permit or deny condition. and so on.0. indicating all IP traffic.5. ICMP.Encapsulation Security Payload GRE . Protocol .105 Identifies an ACL with a unique number. 8.Internet Gateway Message Protocol IP . Common options include: EIGRP .tcp Identifies Layer 3 / 4 protocols. UDP.5. A standard ACL uses numbers in the range of 1 to 99.0 0. and 1300 to 1999.5.

For example, a company has a server with the address 192.168.3.75. It has the following requirements:
• Allow access to hosts on the 192.168.1.0 LAN.
• Deny access to hosts on the 192.168.2.0 LAN.
• Allow access to host 192.168.4.66.
• Permit access to everyone else in the enterprise.

There are at least two possible solutions that satisfy these requirements. Both options achieve the same results. However, when planning the ACL, try to minimize statements where possible. Some ways to minimize statements and reduce the processing load of the router include:
• Match high-volume traffic, and deny blocked traffic, early in the ACL. This ensures that most packets never have to be compared against later statements.
• Consider denying a particular group rather than permitting a larger, opposite group.
• Consolidate multiple permit and deny statements into a single statement using ranges (a wildcard mask or a port range).

8.3.4 - Configuring Numbered ACLs
The diagram depicts numbered extended ACL configuration. Network Topology: Two routers are directly connected by a serial link. Two LANs, LAN1 and LAN2, are directly connected to the FastEthernet ports of R1; LAN1 has one computer connected. Two LANs, LAN3 and LAN4, are directly connected to the FastEthernet ports of R2; LAN3 has one server connected. In this topology, all traffic from the 192.168.2.0/24 network should not be able to access the server 192.168.3.75; all other traffic should be allowed. Below are two options that can be used to configure this ACL.

Option A
R2(config)#access-list 103 permit ip 192.168.1.0 0.0.0.255 host 192.168.3.75
R2(config)#access-list 103 permit ip host 192.168.4.66 host 192.168.3.75
R2(config)#access-list 103 deny ip 192.168.2.0 0.0.0.255 host 192.168.3.75
R2(config)#access-list 103 permit ip any any
R2(config)#interface fa0/0
R2(config-if)#ip access-group 103 out

Option B
R2(config)#access-list 103 deny ip 192.168.2.0 0.0.0.255 host 192.168.3.75
R2(config)#access-list 103 permit ip host 192.168.4.66 host 192.168.3.75
R2(config)#access-list 103 permit ip any any
R2(config)#interface fa0/0
R2(config-if)#ip access-group 103 out

Option B denies the one group that must be blocked and lets the final permit ip any any cover everyone else, which is why it needs fewer statements.

Page 3: 8.3.4 - Configuring Numbered ACLs
The diagram depicts an activity in which you must determine, one packet at a time, whether packets will be permitted or denied based on the ACL listed below.
Network Topology: There are two routers, R1 and R2. R1 connects to R2 via S0/0/0 over a /30 link network. Host 192.168.1.66 connects to R1 via Fa0/0 on network 192.168.1.0/24, and network 192.168.2.0/24 connects to R1 via Fa0/1. R2 connects to the server LAN 192.168.3.0/24 (server 192.168.3.75) via Fa0/0 and to LAN 192.168.4.0/24 via Fa0/1.
ACL Statements (ACL 103, applied to R1 interface Fa0/0 inbound):
access-list 103 permit ip host 192.168.1.66 host 192.168.3.75
access-list 103 permit ip host 192.168.1.77 any
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 deny ip any any (implied)
The packets to evaluate carry source addresses on the 192.168.1.0/24 and 192.168.2.0/24 networks (for example 192.168.1.66, 192.168.1.77, 192.168.1.88, 192.168.2.33 and 192.168.2.51) and destinations on the 192.168.3.0/24 and 192.168.4.0/24 networks, including the server 192.168.3.75. For each packet, find the first statement whose source, destination, and protocol all match; if none matches, the implied deny applies.

Page 4: Lab Activity
Plan, configure, and verify an Extended ACL. Click the lab icon to begin.
8.3.4 - Configuring Numbered ACLs
Link to Hands-on Lab: Planning, Configuring, and Verifying Extended ACLs. Plan, configure, and verify an Extended ACL.
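The first-match rule, wildcard masks, and the implicit deny that 8.3.3 and 8.3.4 describe are easy to get wrong by hand, so here is an added Python model of how a Cisco IOS router evaluates a numbered ACL. It is example code written for this page, not Cisco's implementation: it parses the statement syntax used above (standard lists by source only, extended lists with protocol, host/any, wildcard masks and the eq/gt/lt/neq/range port operators discussed later in 8.4.1), evaluates packets top to bottom, and keeps the per-statement match counter that show access-lists reports. The packets fed to it are constructed for the demonstration.

```python
"""Model of Cisco IOS numbered ACL evaluation (added example, not Cisco code):
wildcard masks, first matching statement wins, implicit deny at the end, and a
per-statement match counter like the one 'show access-lists' reports."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS accepts well-known port names in place of numbers; a small subset here.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "http": 80, "www": 80, "pop3": 110}

Addr = Tuple[str, str]                       # (address, wildcard mask)
ANY: Addr = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


@dataclass
class Entry:
    action: str
    proto: str
    src: Addr
    dst: Addr
    port_op: Optional[str] = None
    ports: Tuple[int, ...] = ()
    matches: int = 0


def _parse_addr(t: List[str], i: int) -> Tuple[Addr, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [W.W.W.W]' starting at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1].replace(".", "").isdigit():   # wildcard present
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1          # no wildcard given: exact host


def parse_statement(line: str) -> Entry:
    t = line.lower().split()
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:       # standard: source only
        src, _ = _parse_addr(t, 3)
        return Entry(action, "ip", src, ANY)
    proto = t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    op, ports = None, ()
    if i < len(t) and t[i] in ("eq", "neq", "gt", "lt", "range"):
        op = t[i]
        raw = t[i + 1:i + 3] if op == "range" else t[i + 1:i + 2]
        ports = tuple(int(PORT_NAMES.get(p, p)) for p in raw)
    return Entry(action, proto, src, dst, op, ports)


def _port_ok(op: Optional[str], ports: Tuple[int, ...], dport: int) -> bool:
    if op is None:
        return True
    if op == "range":
        return ports[0] <= dport <= ports[1]
    return {"eq": dport == ports[0], "neq": dport != ports[0],
            "gt": dport > ports[0], "lt": dport < ports[0]}[op]


def evaluate(acl: List[Entry], src: str, dst: str, proto: str = "ip", dport: int = 0):
    """Return (action, index of the statement that fired); index None = implicit deny."""
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst)):
            continue
        if e.proto in ("tcp", "udp") and not _port_ok(e.port_op, e.ports, dport):
            continue
        e.matches += 1
        return e.action, idx
    return "deny", None


def build(*lines: str) -> List[Entry]:
    return [parse_statement(s) for s in lines]


def demo_order_matters():
    """ACL 3 from the standard ACL example, in the documented and the reversed order."""
    good = build("access-list 3 deny host 192.168.4.12",
                 "access-list 3 permit 192.168.4.0 0.0.0.255")
    bad = build("access-list 3 permit 192.168.4.0 0.0.0.255",
                "access-list 3 deny host 192.168.4.12")
    server = "192.168.3.75"                      # constructed destination on the server LAN
    return (evaluate(good, "192.168.4.12", server)[0],   # specific deny fires first
            evaluate(bad, "192.168.4.12", server)[0],    # general permit shadows the deny
            evaluate(good, "192.168.4.66", server)[0],   # another LAN4 host
            evaluate(good, "192.168.2.5", server)[0],    # no statement: implicit deny
            [e.matches for e in good])                   # counters as show access-lists would


def demo_extended():
    """ACL 105 (eq http) and the FTP port range used in the port filtering discussion."""
    web = build("access-list 105 permit tcp 192.168.5.0 0.0.0.255 host 172.16.5.254 eq http")
    ftp = build("access-list 181 deny tcp any 192.168.2.0 0.0.0.255 range 20 21",
                "access-list 181 permit ip any any")
    return (evaluate(web, "192.168.5.10", "172.16.5.254", "tcp", 80)[0],
            evaluate(web, "192.168.5.10", "172.16.5.254", "tcp", 23)[0],   # implicit deny
            evaluate(ftp, "10.0.0.1", "192.168.2.9", "tcp", 21)[0],
            evaluate(ftp, "10.0.0.1", "192.168.2.9", "tcp", 22)[0])


if __name__ == "__main__":
    print(demo_order_matters())
    print(demo_extended())
```

Running it shows the reversed ACL 3 permitting 192.168.4.12, and ACL 105 silently dropping a Telnet attempt to the same server because nothing after the http statement matches; both are the behaviours the text describes, reproduced on packets you can change.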

8.3.5 Configuring Named ACLs

Page 1: Cisco IOS versions 11.2 and higher can create Named ACLs (NACLs). Named ACLs offer all the functionality and advantages of standard and extended ACLs; only the syntax for creating them is different. In an NACL, a descriptive name replaces the numerical ranges required for standard and extended ACLs. The name given to an ACL must be unique. Using capital letters in the name makes it easier to recognize in router command output and during troubleshooting.

A named ACL is created with the command:
ip access-list {standard | extended} name

After issuing this command, the router switches to NACL configuration subcommand mode. After the initial naming command, enter all permit and deny statements. NACLs use standard or extended ACL command syntax starting with the permit or deny keyword. Apply a named ACL to an interface in the same manner as a standard or extended ACL. The commands that help with evaluating named ACLs for proper syntax, order of statements, and placement on interfaces are the same as the commands for standard ACLs.

8.3.5 - Configuring Named ACLs
The diagram depicts a person configuring a router. The commands used to configure the router are listed below:
R1(config)#ip access-list extended SALES-ONLY
R1(config-ext-nacl)#permit ip 192.168.1.66 0.0.0.0 any
R1(config-ext-nacl)#permit ip 192.168.1.77 0.0.0.0 any

R1(config)#interface fa0/0
R1(config-if)#ip access-group SALES-ONLY in

Page 2: Editing ACLs with older versions of IOS makes it necessary to:
• Copy the ACL to a text editor.
• Remove the ACL from the router.
• Recreate and apply the edited version.
Unfortunately, this process allows all traffic to flow through the interface during the editing cycle, thereby leaving the network open to potential security breaches while the list is absent.

With current versions of the IOS, edit numbered and named ACLs using the ip access-list command. ACLs display with the lines numbered as 10, 20, 30, and so forth. To see the line numbers, use the command:
show access-lists

To edit an existing line:
• Remove the line using the no line-number command.
• Re-add the changed line using the same line number.

To insert a new line between existing lines 20 and 30:
• Issue the new ACL statement, starting it with a number between the two existing lines, such as 25.
• Issue the show access-lists command to display the lines sorted by sequence number. The existing numbers are kept; to renumber the list by 10s again, use ip access-list resequence name 10 10.

8.3.5 - Configuring Named ACLs
The diagram depicts two editing techniques, Delete/Change and Insert, each starting from the same three-line SERVER-ACCESS list. The commands used in these techniques are listed below.

Delete/Change
R1(config)#ip access-list extended SERVER-ACCESS
R1(config-ext-nacl)#no 20
R1(config-ext-nacl)#20 permit ip host 192.168.1.88 any
R1(config-ext-nacl)#end
R1#show access-lists
Extended IP access list SERVER-ACCESS
    10 permit ip host 192.168.1.66 host 192.168.3.75
    20 permit ip host 192.168.1.88 any
    30 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75

Insert
R1(config)#ip access-list extended SERVER-ACCESS
R1(config-ext-nacl)#25 deny ip host 192.168.1.88 any
R1(config-ext-nacl)#end
R1#show access-lists
Extended IP access list SERVER-ACCESS
    10 permit ip host 192.168.1.66 host 192.168.3.75
    20 permit ip host 192.168.1.77 any
    25 deny ip host 192.168.1.88 any
    30 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75

Page 3: Packet Tracer Activity
Configure and verify a Standard Named ACL. Click the Packet Tracer icon to begin.
8.3.5 - Configuring Named ACLs
Link to Packet Tracer Exploration: Configuring and Verifying Standard Named ACLs. Configure and verify a Standard Named ACL.

Page 4: Lab Activity
Configure and verify an Extended Named ACL. Click the lab icon to begin.
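The Delete/Change and Insert techniques above depend on how IOS assigns sequence numbers, so here is an added Python model of that behaviour (example code written for this page, not Cisco's): statements entered without a number are appended at the next multiple of 10, no followed by a sequence number removes one statement, a statement typed with its own number lands between existing ones, and ip access-list resequence renumbers by 10s. The SERVER-ACCESS statements are the ones shown in the diagram.

```python
"""Model of sequence-number editing in a named IOS ACL (added example, not Cisco
code): append by 10s, 'no <seq>' removes one line, an explicit number inserts
between lines, and 'ip access-list resequence' renumbers the list."""
from typing import Dict, List, Optional


class NamedAcl:
    def __init__(self, name: str, kind: str = "extended"):
        self.name, self.kind = name, kind
        self.entries: Dict[int, str] = {}       # sequence number -> statement text

    def add(self, statement: str, seq: Optional[int] = None) -> int:
        """Append (next multiple of 10 above the highest) or insert at an explicit number."""
        if seq is None:
            seq = max(self.entries, default=0) + 10
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already used; remove it first")
        self.entries[seq] = statement
        return seq

    def remove(self, seq: int) -> None:         # equivalent of 'no <seq>' in NACL mode
        del self.entries[seq]

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Equivalent of 'ip access-list resequence <name> <start> <step>'."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: s for i, s in enumerate(ordered)}

    def show(self) -> List[str]:
        """Approximation of the 'show access-lists' block for this list."""
        head = f"{self.kind.capitalize()} IP access list {self.name}"
        return [head] + [f"    {s} {self.entries[s]}" for s in sorted(self.entries)]


def server_access() -> NamedAcl:
    """The SERVER-ACCESS list as it stands before either edit."""
    acl = NamedAcl("SERVER-ACCESS")
    acl.add("permit ip host 192.168.1.66 host 192.168.3.75")
    acl.add("permit ip host 192.168.1.77 any")
    acl.add("deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75")
    return acl


def delete_change(acl: NamedAcl) -> List[int]:
    """'no 20' then re-enter 20 with the changed host; the position is preserved."""
    acl.remove(20)
    acl.add("permit ip host 192.168.1.88 any", seq=20)
    return sorted(acl.entries)


def insert_between(acl: NamedAcl) -> List[int]:
    """Enter 25 so the new deny sits between 20 and 30 and is evaluated before 30."""
    acl.add("deny ip host 192.168.1.88 any", seq=25)
    return sorted(acl.entries)


if __name__ == "__main__":
    a = server_access(); delete_change(a); print("\n".join(a.show()))
    b = server_access(); insert_between(b); b.resequence(); print("\n".join(b.show()))
```

Because the old list stays applied while a line is removed and re-added, only the one statement being edited is briefly absent, which is the improvement over the delete-and-recreate cycle described on Page 2.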

8.3.5 - Configuring Named ACLs
Link to Hands-on Lab: Configuring and Verifying Extended Named ACLs. Configure and verify an Extended Named ACL.

8.3.6 Configure Router VTY Access

Page 1: Network administrators often need to configure a router located at a remote location. To log in to the remote router, they use a program such as Telnet or a Secure Shell (SSH) client. Telnet and SSH are in-band network management tools and require the IP protocol and a network connection to the router. When a network administrator connects to a remote router with one of these tools, an inbound VTY session is established on the router. Telnet transmits the username and password in plain text and, therefore, is not very secure. SSH transmits the username and password information in an encrypted format.

Outside intruders may attempt to gain access to a router. If an access control list is not in place on the router's virtual ports, anyone who can determine the Telnet username and password can gain entry. The purpose of restricting virtual teletype terminal (VTY) access is to increase network security. If an ACL that permits only specific IP addresses is applied to the router VTY lines, anyone trying to telnet to the router from an IP address not permitted in the ACL will be denied access. Keep in mind, however, that this can create issues if the administrator must connect to the router from different locations using different IP addresses.

8.3.6 - Configure Router VTY Access
The diagram depicts router VTY access configuration. Network Topology: An Internet cloud is directly connected, by serial link, to a router labeled 01234 with the address 209.165.202.225. Also connected to the Internet cloud is a network administrator who telnets from a local machine with the IP address 209.165.200.130 to the router address 209.165.202.225. The last connection is from a hacker located outside the Internet cloud, who also telnets to 209.165.202.225. The router has the following commands entered at the console session:
R1(config)#access-list 3 permit host 209.165.200.130
R1(config)#line vty 0 4
R1(config-line)#access-class 3 in
The network administrator is permitted Telnet access to router 01234, while the hacker's Telnet session request is denied.

Page 2: The process used to create the VTY access control list is the same as for an interface. However, applying the ACL to a VTY line uses a different command. Instead of using the ip access-group command, use the access-class command. Follow these guidelines when configuring access lists on VTY lines:
• Apply a numbered ACL, not a named ACL, to the VTY lines.
• Place identical restrictions on all VTY lines, because it is not possible to control the line on which a user may connect.

VTY sessions are established between the Telnet client software and the destination router. The network administrator establishes a session with the destination router, enters a username and password, and makes configuration changes.

8.3.6 - Configure Router VTY Access
The diagram depicts the configuration of a standard numbered ACL and the VTY lines, and the application of the ACL to those lines. Network Topology: Two routers, R1 and R2, are directly connected by a serial link; the network address bound to this link is 192.168.3.0. The network connected to the FastEthernet port of R1 is 192.168.1.0; within this network is the client 192.168.1.23, connected to R1. Connected to FastEthernet Fa0/0 of R2 is the network 192.168.2.0.
The client announces, "I need to configure a Standard Numbered ACL so that only I can configure the router remotely." The following command is used to configure access to R1:
R1(config)#access-list 2 permit host 192.168.1.23
The client then announces, "I need to configure the VTY lines and apply the ACL." The client then enters the commands listed below:
R1(config)#line vty 0 4
R1(config-line)#login
R1(config-line)#password its a secret
R1(config-line)#access-class 2 in

Page 3: Lab Activity
Configure and verify router VTY restrictions. Click the lab icon to begin.
8.3.6 - Configure Router VTY Access
Link to Hands-on Lab: Configuring and Verifying VTY Restrictions. Configure and verify router VTY restrictions.

Page 4: Packet Tracer Activity
Plan, configure, and verify Standard, Extended, and Named ACLs. Click the Packet Tracer icon to begin.
8.3.6 - Configure Router VTY Access
Link to Packet Tracer Exploration: Planning, Configuring, and Verifying Standard, Extended, and Named ACLs.

8.4 Permitting and Denying Specific Types of Traffic

8.4.1 Configuring ACLs for Application and Port Filtering

Page 1: Extended ACLs filter on source and destination IP addresses and on the OSI Layer 3 network protocol. Some of the protocols available to use for filtering include IP, TCP, UDP, and ICMP. It is often desirable to filter on even more specific packet details. Layer 4 transport protocols and application ports provide this capability.

Extended ACLs also filter on destination port numbers. These port numbers describe the application or service required by the packet. Each application has a registered port number assigned. Applications are associated with both a port number and a name; an ACL can reference port 80 or http. In addition to entering the port number, it is necessary to specify a comparison condition before the statement is matched. The abbreviations most commonly used are:
• eq - equals
• gt - greater than
• lt - less than

Consider the following example:
R1(config)#access-list 122 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.89 eq 80

This ACL statement permits traffic from 192.168.1.0 that is requesting HTTP access to host 192.168.2.89 using port 80. If a user attempts to telnet or FTP into host 192.168.2.89, the user is denied due to the implicit deny statement assumed at the end of every access list. To make this comparison the router must look past the Ethernet frame header into the IP header for the addresses and into the TCP or UDP header for the port numbers.

8.4.1 - Configuring ACLs for Application and Port Filtering
The diagram depicts a frame header with the Source IP, the Destination IP, and the Destination Port Number highlighted for an access-list 101 statement that permits TCP from host 192.168.1.5 to a destination host on port 80 (eq 80).

Page 2: Filtering based on a particular application requires knowledge of the port number for that application. If neither the port number nor the name is known for an application, try these steps for locating that information:

1. Research one of the IP addressing registry sites on the web, such as http://www.iana.org/
2. Refer to the software documentation.
3. Refer to the website of the application vendor.
4. Use a packet sniffer and capture data from the application.
5. Use the ? option in the access-list command.

Some applications use more than one port number. For example, FTP data transmits using port 20, but the session control that makes FTP possible uses port 21. To deny all FTP traffic, deny both ports. Cisco IOS ACLs can filter a range of ports; use the gt, lt, or range operators in the ACL statement to accommodate multiple port numbers. For example, two FTP ACL statements can be combined into one with the command:
R1(config)#access-list 181 deny tcp any 192.168.2.0 0.0.0.255 range 20 21
Denying port 21 is what actually stops FTP: passive-mode data connections use negotiated high ports rather than port 20, but they can never be set up once the control connection is blocked.

8.4.1 - Configuring ACLs for Application and Port Filtering
The diagram depicts the list of well-known TCP port names and numbers that the router displays for the following command:
R1(config)#access-list 101 permit tcp host 192.168.1.1 host 192.168.2.89 eq ?
The computer user says, "I need to filter email traffic. What port numbers should I filter?" The following protocols are highlighted: pop3 Post Office Protocol v3 (110) and smtp Simple Mail Transport Protocol (25).

Page 3: Packet Tracer Activity
Configure and verify Extended ACLs that filter on port numbers. Click the Packet Tracer icon to begin.

8. To accomplish this. while protecting the internal network. A ping originating from external sources.2 Configuring ACLs to Support Established Traffic Page 1: ACLs are often created to protect an internal network from outside sources. all external tcp packets will be permitted under the condition that they are responses to internal requests. a statement using the keywords echo-reply and unreachable can be written to permit ping responses and unreachable messages.4.1 . all packets sent between the two devices will be permitted. the ACL must permit the requested html packets. will be denied unless specifically permitted in another statement. those requested resources must pass through the ACL. resources must be specifically permitted by the ACL. should an internal user wish to establish a connection with an external web server. For example. Click the Packet Tracer icon to begin. . In addition to established traffic. To resolve this issue. However. Individual permit statements for all possible requested resources can result in a long ACL and leave security holes. In this case. access-list 101 permit tcp any any established Using this statement.4. it is possible to create a single statement that permits internal users to establish a TCP session with external resources. it should still allow internal users access to all resources. Permitting the incoming responses to established communications is a form of Stateful Packet Inspection (SPI). It is not desirable. however. 8.Configure and verify Extended ACLs that filter on port numbers. Due to the ACLs use of implicit deny. use the keyword: established. it may be necessary for an internal user to ping external devices.Configuring ACL's for Application and Port Filtering Link to Packet Tracer Exploration: Configuring and Verifying Extended ACL's Configure and verify Extended ACL's that filter on port numbers. however. Once the TCP three-way handshake is accomplished and the connection is established. 
to allow external users to ping or trace a device on the inside network. When internal users access external resources.

0 0. sends a ping. is also connected to the ISP . to R2.8. Network Topology An internal network has hosts.Configuring ACL's to Support Established Traffic The diagram depicts an activity in which you must determine whether the packets will be permitted or denied.168. R2 has network 192.1. When the response reaches the F A 0 /0 of R1. H2 sends a ping. also known as an echo request. R1and R2.168. access-list 101 permit tcp any any established Next.0 attached to interface F A 0 /0. R1. via a serial connection. based on Source and Destination addresses in the following ACL statements. H3.0 attached. the following ACL command is matched and the packet is denied.3. S0/0/0.0.4. R1 is connected to router. access-list 101 deny any any The output of R1's command prompt is as follows: R1 (config) # access-list 101 permit tcp any any established R1 (config) # access-list 101 permit icmp any any echo-reply R1 (config) # access-list 101 permit icmp any any unreachable R1 (config) # access-list 101 deny any any R1 (config) # interface F A 0 /0 R1 (config-if) # ip access-group 101 out Page 2: 8.255 echo-reply R1 (config) # interface S0/0/0 R1 (config-if) # IP access-group 101 In Network Topology There are two routers. the following ACL command is matched and the packet is allowed access to H2. A foreign network with host. The web server sends a response. connected by a switch to router.4. R1 has networks 192.Configuring ACL's to Support Established Traffic The animation shows how an ACL is used to filter specific traffic from entering an internal network. ACL Statement R1 (config) # access-list 101 permit tcp any any established R1 (config) # access-list 101 permit icmp any 192. but allow the same traffic access from the internal network. located on the foreign network.3. R2 is part of the ISP cloud. R2.2. When the ping reaches the F A 0 /0 of R1. H1 and H2.0 and 192. .2 . H3. R2 sends a ping. R1 is connected to R2 via serial link. echo reply. 
The packet successfully travels across the network to the web server. the following ACL command is matched and the packet is allowed access to H1. back to H2. to the internal network. echo request. When the ping reaches the F A 0 /0 of R1.2 .0. H1 sends a request to the web server. which also includes a web server. access-list 101 permit icmp any any echo-reply Finally.168.168.
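The animation above shows three packets meeting ACL 101; the added Python model below (example code for this page, not Cisco's) runs that ACL against a wider set of constructed packets so the decision rule is explicit. Addresses are all any, so only the protocol and flag logic is modelled: established is a check on the TCP ACK or RST bits, and the ICMP keywords are checks on the ICMP type field. Two of the cases are the caveats noted in the text: an unsolicited segment with ACK set passes, and a UDP reply (for example a DNS answer) has no established equivalent and is dropped.

```python
"""Model of the 'established' keyword and the ICMP type keywords in ACL 101
(added example, not Cisco code). Addresses are all 'any'."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ICMP_TYPES = {"echo-request": 8, "echo-reply": 0, "unreachable": 3}


@dataclass(frozen=True)
class Pkt:
    proto: str                                # 'tcp', 'udp' or 'icmp'
    tcp_flags: FrozenSet[str] = frozenset()   # e.g. {'SYN'} or {'SYN', 'ACK'}
    icmp_type: int = -1


# ACL 101 from the animation, as (action, statement text)
ACL_101: List[Tuple[str, str]] = [
    ("permit", "tcp any any established"),
    ("permit", "icmp any any echo-reply"),
    ("permit", "icmp any any unreachable"),
    ("deny",   "ip any any"),
]


def _matches(stmt: str, p: Pkt) -> bool:
    parts = stmt.split()
    proto = parts[0]
    qualifier = parts[3] if len(parts) > 3 else None
    if proto == "ip":                          # 'ip' covers every IP protocol
        return True
    if proto != p.proto:
        return False
    if qualifier is None:
        return True
    if qualifier == "established":
        # IOS looks only at the ACK/RST bits; it keeps no table of open connections.
        return bool(p.tcp_flags & {"ACK", "RST"})
    return p.icmp_type == ICMP_TYPES[qualifier]


def evaluate(acl: List[Tuple[str, str]], p: Pkt) -> Tuple[str, Optional[int]]:
    """Return (action, index of the statement that fired); None = implicit deny."""
    for idx, (action, stmt) in enumerate(acl):
        if _matches(stmt, p):
            return action, idx
    return "deny", None


def demo():
    """Constructed packets arriving on the filtered interface from outside."""
    cases = {
        "outside_syn":  Pkt("tcp", frozenset({"SYN"})),          # new connection from outside
        "reply_synack": Pkt("tcp", frozenset({"SYN", "ACK"})),   # reply to a SYN we sent
        "spoofed_ack":  Pkt("tcp", frozenset({"ACK"})),          # unsolicited, but ACK is set
        "ping_in":      Pkt("icmp", icmp_type=ICMP_TYPES["echo-request"]),
        "ping_reply":   Pkt("icmp", icmp_type=ICMP_TYPES["echo-reply"]),
        "unreachable":  Pkt("icmp", icmp_type=ICMP_TYPES["unreachable"]),
        "dns_answer":   Pkt("udp"),                               # no UDP 'established'
    }
    return {name: evaluate(ACL_101, pk) for name, pk in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

The spoofed_ack and dns_answer results are the reason a firewall with a real connection table is preferred where one is available; the ACL form is still useful on a router that has nothing else.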

Packet Information: the packets to evaluate are a web request, a web response, an echo-request, an echo-reply, and an FTP response, each with a source and destination address drawn from the 192.168.1.0, 192.168.2.0, and 192.168.3.0 networks (for example hosts 192.168.1.12, 192.168.1.44, 192.168.2.25, 192.168.3.15 and 192.168.3.75). For each packet, decide which statement it matches given that the ACL is applied inbound on S0/0/0, and remember that anything not matched is dropped by the implicit deny.

8.4.3 Effects of NAT and PAT on ACL Placement

Page 1: Implementing NAT and PAT may create a problem when planning ACLs. Network administrators need to account for the address translation when creating and applying ACLs to interfaces where NAT occurs. When using NAT with ACLs, it is important to know how they interact in the router.

1. If the packet comes inbound into a NAT outside interface, the router:
• Applies the inbound ACL
• Translates the destination address from outside to inside, or global to local
• Routes the packet

2. If the packet goes outbound through a NAT outside interface, the router:

0. the NAT.200.0 /16 to a public address of 209. R1 has network 10. Users from outside the 10.1. enabled on R1.0 0. 8.1.0. depending on the relationship with NAT.200. R1 is connected to R2 via serial link.200. A packet from the 10.• • Translates the source address from inside to outside.4.0 /16 network have been given access to a server in an ACL statement. If traffic is inbound or outbound on a NAT outside interface. S0/0/0. so the packet is denied.1.0.165. however NAT has blocked the traffic from entering the network. the addresses to filter are the public ones.0.1.4.0 network access the server?" Page 2: Lab Activity Configure an ACL with NAT. Click the lab icon to begin.0.255 host 209.165.1.Effects of NAT and PAT on ACL Placement The animation depicts a conflict between NAT and an ACL statement that has been implemented. The computer user in the diagram asks.0.230.0 /16 network is sent to the server 209. The ACL is unable to match this newly translated address. ACL Statement R1 (config) # access-list 101 permit 10.Effects of NAT and PAT on ACL Placement Link to Hands-on Lab: Configure an ACL with NAT 8. 8.0. R1 and R2.226.165.230 R1 (config) # interface S0/0/0 R1 (config-if) # IP access-group 101 out Network Topology There are two routers.3 .230. R2 is connected to an ISP cloud containing a web server 209.0 /16 attached on its F A 0 /0 interface.165.255.200.1.4 Analyzing Network ACLs and Placement . "Why cant the users on the 10. translates the source address from the private address of 10.4. When the packet reaches the S0/0/0 of R1. or local to global Applies outbound ACL Plan the ACL so that it filters either the private or public addresses.3 .

168. Net Admin.1.. and so on. Telnet. HQ.168. There is an ACL on the S0/0/0 interface of HQ. HQ has Network 192. 8. attached to the Payroll Server. Network 192. .1. UDP. Main is attached to Sales via Serial link.39. and ICMP protocols. Sales has Network 192.3. HQ is attached to R1 via Serial link. HQ: S0/0/0.2. Main has Network 192.168.1. 192. IP: 192.168. 192. one line at a time.Page 1: Network administrators evaluate the effect of every statement in an ACL prior to implementation. Sales. HTTP.4 .Analyzing Network ACL's and Placement The diagram depicts the placement and use of ACL's to filter traffic to and from specific parts of a network. Main.0 /24 attached on Interface FA0/0. and H1.5.1.168. including any TCP. Administrators need to examine the ACL. These problems range from a false sense of security to an unnecessary load on a router or even a non-functioning network.0 /24 connected to interface FA0/0.3 .57.30.0 /24 has a Server Farm with three servers. server IP: 192. and R1. The key phrase permit ip is used to permit all IP.168. and answer the following questions: • • • • • • What service does the statement deny? What is the source and what is the destination? What port numbers are denied? What would happen if the ACL was moved to another interface? What would happen if the ACL filtered traffic in a different direction? Is NAT an issue? When evaluating an Extended ACL. Main. HQ is attached to Main and Sales via Serial link. as well as two hosts.3.0 /24 connected to interface FA0/0.5. There are ACL's on the FA0/0 interface of the HQ.1. attached to the File Server. and Sales Routers. server IP: 192.15.4.168. it is important to remember these key points: • • The keyword tcp permits or denies protocols like FTP. An improperly designed ACL can immediately cause problems when it is applied to an interface.168. Network Topology There are four routers.168.

The ACLs and the function of each statement are as follows (each list ends with the implicit deny):

HQ S0/0/0 ACL (Extended ACL 105, interface S0/0/0 in):
access-list 105 permit icmp any any echo-reply - allow pings from inside to return from the Internet
access-list 105 permit icmp any any unreachable - allow error messages to return from the Internet
access-list 105 permit tcp any any established - allow established TCP sessions from the Internet

HQ Fa0/0 ACL (Extended ACL 100, interface Fa0/0 in):
a permit ip statement from the Net Admin host and the Server Farm addresses to any destination - allow Net Admin and Server Farm full access
a deny tcp statement from the HQ user PCs to any destination eq 23 - deny user PCs Telnet access
access-list 100 permit ip any any - allow all other traffic

Sales Fa0/0 ACL (Extended ACL 111, interface Fa0/0 in):
a permit ip statement from the Payroll Server host to any destination - allow the Payroll Server access to anywhere
a permit udp statement from the Sales network to any destination eq 53 - allow all users on this net access to remote DNS
a permit tcp statement from the Sales network to any destination eq 80 - allow all users on this net access to web services

Main Fa0/0 ACL (Extended ACL 122, interface Fa0/0 in):
a deny ip statement from the Main network to the Payroll Server host - deny access from this net to the Payroll Server
a permit tcp statement from the Main network to any destination range 20 21 - allow all users on this net access to FTP data and FTP session control
a permit udp statement from the Main network to any destination eq 53 - allow all users on this net access to remote DNS
a permit tcp statement from the Main network to any destination eq 80 - allow all users on this net access to web services

Page 2: 8.4.4 - Analyzing Network ACLs and Placement
The diagram depicts an activity in which you must create an extended ACL given the following requirements and network topology.
Network Topology: There are two routers, R1 and R2, connected via a serial link (R1: S0/0/0, R2: S0/0/0). R1 has a Web Server attached to interface Fa0/0 on network 192.168.1.0/24 (Web Server IP: 192.168.1.84). R2 has a /24 network in the 10.0.0.0 address range attached to interface Fa0/0.
Create the numbered extended ACL statement that will allow only users on R2's LAN HTTP access to the Web Server on network 192.168.1.0/24. The ACL will be applied to the R2 S0/0/0 interface outbound. Select from the following components to populate the nine fields of the numbered extended ACL; some components will not be used.

Components: access-list, 101, permit, deny, ip, tcp, udp, host, any, the R2 LAN network address, 192.168.1.0, 192.168.1.84, 0.0.0.0, 0.0.0.255, 0.0.255.255, 0.255.255.255, eq 80, eq 21.

8.4.5 Configuring ACLs with Inter-VLAN Routing

Page 1: When routing between VLANs in a network, it is sometimes necessary to control traffic from one VLAN to another using ACLs. Enterprise networks typically have servers on a different VLAN than user groups. In such cases, access to the server VLAN requires filtering. Apply ACLs directly to VLAN interfaces or subinterfaces on a router just as with physical interfaces. All rules and guidelines for creation and application are the same for ACLs on subinterfaces as they are for physical interfaces.

8.4.5 - Configuring ACLs with Inter-VLAN Routing
The diagram depicts the use of VLANs to separate network devices. Network Topology: There are two VLANs. VLAN1 contains three servers, and VLAN2 contains three hosts. Both VLANs are connected through a switch, S1, which is connected to a router, R1.

Page 2: Lab Activity

Configure and verify ACLs to filter inter-VLAN traffic. Click the lab icon to begin.

8.4.5 - Configuring ACL's with Inter-VLAN Routing
Link to Hands-on Lab: Configuring and Verifying ACL's to filter Inter-VLAN Traffic. Configure and verify ACL's to filter inter-VLAN traffic.

Page 3: Packet Tracer Activity
Configure and verify an Extended ACL that creates a DMZ and protects the corporate network. Click the Packet Tracer icon to begin.

8.4.5 - Configuring ACL's with Inter-VLAN Routing
Link to Packet Tracer Exploration: Configuring and Verifying Extended ACL's with a DMZ. Configure and verify an Extended ACL that creates a DMZ and protects the corporate network.

8.5 Filtering Traffic Using Access Control Lists
8.5.1 Using Logging to Verify ACL Functionality
Page 1: After writing an ACL and applying it to an interface, a network administrator evaluates the number of matches. By default, an ACL statement captures the number of matches and displays them at the end of each statement. When the fields of an incoming packet are equal to all ACL comparison fields, this is a match. Viewing the number of matches helps to identify whether the ACL statements are having the desired effect. View the matches using the following command: show access-list
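The match counting described above can be modeled in a few lines. The following Python is an added example, not course material: it runs constructed packets through ACL 123 used in this section (deny Telnet from host 192.168.1.2 to host 192.168.3.11, permit everything else from 192.168.1.0/24) the way the router does, top to bottom, first match wins, implicit deny at the end, with one counter per statement. The sample packets and the show() output layout are the example's own assumptions.

```python
"""Model of how a router works through an extended ACL: statements are tested
from the top, the first match decides, an implicit deny ends every list, and
each statement keeps a match counter like the one printed by show access-list.
Added example (not course code); the packets below are constructed samples."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "domain": 53}


@dataclass
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass
class Entry:
    text: str        # statement as typed, echoed by show()
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]
    matches: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored; every other bit must equal the base."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def parse_entry(text: str) -> Entry:
    """Parse the IOS subset used in this chapter:
    <permit|deny> <proto> <src> <dst> [eq <port>] [log]
    where an address is 'host A', 'any' or 'A WILDCARD'."""
    tok = text.split()
    pos = 2

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]

    src, src_wc = take_addr()
    dst, dst_wc = take_addr()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        name = tok[pos + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Entry(text, tok[0], tok[1], src, src_wc, dst, dst_wc, dport)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc):
        return False
    if not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    return e.dport is None or e.dport == p.dport


class AccessList:
    def __init__(self, number: int, statements: List[str]):
        self.number = number
        self.entries = [parse_entry(s) for s in statements]
        self.implicit_denies = 0   # packets that fell through to the unlisted deny

    def check(self, p: Packet) -> str:
        for e in self.entries:     # top to bottom, first match wins
            if entry_matches(e, p):
                e.matches += 1
                return e.action
        self.implicit_denies += 1  # nothing matched: implicit deny any
        return "deny"

    def show(self) -> str:
        """Output in the style of 'show access-list <number>'."""
        lines = [f"Extended IP access list {self.number}"]
        for seq, e in enumerate(self.entries, start=1):
            suffix = f" ({e.matches} matches)" if e.matches else ""
            lines.append(f"    {seq * 10} {e.text}{suffix}")
        return "\n".join(lines)


# ACL 123 as configured in this section
ACL_123 = [
    "deny tcp host 192.168.1.2 host 192.168.3.11 eq 23",
    "permit ip 192.168.1.0 0.0.0.255 any",
]

if __name__ == "__main__":
    acl = AccessList(123, ACL_123)
    for pkt in (Packet("tcp", "192.168.1.2", "192.168.3.11", 23),   # H1 Telnet: line 10
                Packet("tcp", "192.168.1.20", "192.168.3.11", 80),  # constructed host: line 20
                Packet("icmp", "10.0.0.5", "192.168.3.11")):        # outside the list: implicit deny
        print(pkt.src, "->", pkt.dst, acl.check(pkt))
    print(acl.show())
```

The implicit deny is the detail worth watching: the router keeps no counter for it, which is why the chapter recommends a final deny ip any any statement when you want to see how many packets fell through.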

8.5.1 - Using Logging to Verify ACL Functionality
This animation depicts the different methods of viewing ACL matches, default and logging.

Default Network Topology: Host H1 has the IP address 192.168.1.2. Host H2 is also connected to the 192.168.1.0 network. Both hosts are connected to the FA0/0 of R1. R1 connects via S0/0/0 to the S0/0/0 port of router R2. The link between the two routers is on the network 192.168.2.0. R2 is connected via FA0/0 to H3. H3 has the address 192.168.3.11. The ACL has been placed on FA0/0. The ACL configuration is listed, as follows:

R1(config)# access-list 123 deny tcp host 192.168.1.2 host 192.168.3.11 eq 23
R1(config)# access-list 123 permit ip 192.168.1.0 0.0.0.255 any
R1(config)# int fa0/0
R1(config-if)# ip access-group 123 in
R1(config)# end
R1# show access-list 123
Extended IP access list 123
    10 deny tcp host 192.168.1.2 host 192.168.3.11 eq telnet (1 matches)
    20 permit ip 192.168.1.0 0.0.0.255 any (1 matches)

H2 sends a packet onto the network. When the packet reaches the FA0/0 of R1, the packet is allowed, as highlighted in the ACL output. H1 sends a packet onto the network. When the packet reaches the FA0/0 of R1, the packet is denied, as highlighted in the ACL output.

The basic match counts that are displayed with the show access-list command provide the number of ACL statements matched and the number of packets processed. The output does not indicate the source or destination of the packet or the protocols in use. For additional details on packets permitted or denied, activate a process called logging. Logging activates for individual ACL statements. To activate this feature, add the log option to the end of each ACL statement to be tracked. The process of logging events places an additional load on the router. Use logging for a short time only to complete testing of the ACL.

Logging Network Topology: H1 has the IP address 192.168.1.2 and connects to FA0/0 of router R1. R1 connects via S0/0/0 to the S0/0/0 port of router R2. The link between these two routers is on the network 192.168.2.0. R2 is connected via FA0/0 to host H2. H2 has the address 192.168.3.11. The ACL configuration is listed, as follows: access-list 123 is removed (no access-list 123) and re-entered with the log option on each statement, that is, the deny tcp statement for Telnet from host 192.168.1.2 to host 192.168.3.11, a permit ip statement, and a deny ip statement, followed by end.

H1 sends three packets onto the network. H1 sends the first packet using its IP address as the source, 192.168.1.2, to destination 192.168.3.11 using port 23. H1 sends the second packet using its IP address as the source, 192.168.1.2, to destination 192.168.3.11 using port 30. H1 sends the third packet using its IP address as the source, 192.168.1.2, to destination 192.168.3.20 using the protocol ICMP. By looking at the text taken from the end of the router configuration and the subsequent show access-list command, you can see where matches were made and if the matches were denied or permitted. The following logged entries from the router describe the outcome:

*Sep 9 20:02:11.067: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1141) -> 192.168.3.11(23), 1 packet
*Sep 9 20:02:53.979: %SEC-6-IPACCESSLOGP: list 123 permitted udp 192.168.1.2(2138) -> 192.168.3.11(30), 1 packet
*Sep 9 20:03:48.279: %SEC-6-IPACCESSLOGP: list 123 denied icmp 192.168.1.2 -> 192.168.3.20 (8/0), 1 packet

Page 2: Logging to the console uses router memory, which is a limited resource. Instead, configure a router to send logging messages to an external server. These messages, called syslog messages, allow the user to view them both in real time or at a later date. The message types include eight message severity levels. The levels range from 0, representing an emergency or an unusable system, to level 7, representing informational messages such as debugging. ACL logging generates an informational message that contains:

• ACL number
• Packet permitted or denied
• Source and destination addresses
• Number of packets

The message generates for the first packet that matches and then at 5-minute intervals.

8.5.1 - Using Logging to Verify ACL Functionality
The diagram depicts a desktop PC with a large red alert sign displayed on the screen.

More Information Popup
Logging Levels:
emergencies - System is unusable. Severity Level: 0
alerts - Immediate action needed. Severity Level: 1
critical - Critical conditions. Severity Level: 2
errors - Error conditions. Severity Level: 3
warnings - Warning conditions. Severity Level: 4
notifications - Normal but significant conditions. Severity Level: 5
informational - Informational messages. Severity Level: 6
debugging - Debugging messages. Severity Level: 7
filtered - Enable filtered logging. Severity Level: not available
guaranteed - Guarantee console messages. Severity Level: not available
xml - Enable logging in XML. Severity Level: not available

To turn off logging, use: no logging console
To turn off all debugging, use: undebug all
To turn off specific debugging, such as ip packet, use: no debug ip packet

Page 3: Lab Activity
Configure ACLs and verify using the show access-lists command and console logging. Click the lab icon to begin.

8.5.1 - Configuring ACL's and Verifying with Console Logging
Link to Hands-on Lab: Configuring ACL's and Verifying with Console Logging. Configure ACL's and verify using the show access-lists command and console logging.

8.5.2 Analyzing Router Logs
Page 1: Logging to the console uses router memory, which is a limited resource. Instead, configure a router to send logging, sometimes called syslog messages, to an external server. This method allows viewing the messages in real time and also at a later time. Types of reported events include the status of:
• Router interfaces
• Protocols in use
• Bandwidth usage
• ACL messages
• Configuration events
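The logged entries and the severity table above are easiest to use once they are parsed rather than read. The Python below is an added example, not course material: it parses the %FACILITY-SEVERITY-MNEMONIC format of IOS log messages, maps the severity digit to the eight levels listed in the popup, keeps only messages at or above a trap level the way a syslog destination would, and totals the packet counts per list and action. The sample lines are constructed; the ICMP mnemonic IPACCESSLOGDP, the 12-packet follow-up message and the interface-down message are the example's own assumptions modeled on the output in this section.

```python
"""Parse the syslog-style messages an IOS router produces for ACL statements
carrying the log keyword, and summarize them. Added example (not course code);
the log lines are constructed samples modeled on the output in this section."""
import re
from collections import Counter
from typing import List, Optional

# The eight IOS severity levels; the digit inside %FACILITY-n-MNEMONIC is this number.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

MSG_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.+)$")

ACL_RE = re.compile(
    r"^list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>[a-z]+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?$")

# Constructed sample: three first-packet messages, one 5-minute follow-up, one unrelated message.
SAMPLE_LOG = [
    "*Sep 9 20:02:11.067: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1141) -> 192.168.3.11(23), 1 packet",
    "*Sep 9 20:02:53.979: %SEC-6-IPACCESSLOGP: list 123 permitted udp 192.168.1.2(2138) -> 192.168.3.11(30), 1 packet",
    "*Sep 9 20:03:48.279: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 192.168.1.2 -> 192.168.3.20 (8/0), 1 packet",
    "*Sep 9 20:07:11.102: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1141) -> 192.168.3.11(23), 12 packets",
    "*Sep 9 20:09:01.000: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
]


def parse_ios_message(line: str) -> Optional[dict]:
    """Split timestamp, facility, severity and mnemonic off an IOS log line."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    d["severity_name"] = SEVERITY_NAMES[d["severity"]]
    return d


def parse_acl_event(text: str) -> Optional[dict]:
    """Decode the body of an IPACCESSLOG message: list, action, protocol,
    addresses, ports (tcp/udp) or type/code (icmp), and the packet count."""
    m = ACL_RE.match(text)
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "itype", "icode", "count"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d


def select_severity(lines: List[str], trap_level: int) -> List[dict]:
    """Keep messages at the trap level or more severe (a lower number), which is
    what a router forwards to a syslog server configured with that level."""
    kept = []
    for line in lines:
        m = parse_ios_message(line)
        if m and m["severity"] <= trap_level:
            kept.append(m)
    return kept


def summarize(lines: List[str]) -> dict:
    """Count messages per severity name and packets per (list, action)."""
    by_severity = Counter()
    packets = Counter()
    for line in lines:
        m = parse_ios_message(line)
        if not m:
            continue
        by_severity[m["severity_name"]] += 1
        event = parse_acl_event(m["text"])
        if event:
            packets[(event["acl"], event["action"])] += event["count"]
    return {"by_severity": by_severity, "packets": packets}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(dict(result["by_severity"]))
    print(dict(result["packets"]))
    for m in select_severity(SAMPLE_LOG, 3):
        print("errors or worse:", m["mnemonic"], m["text"])
```

Because a statement logs the first matching packet and then only a count at 5-minute intervals, summing the count field rather than counting lines is what gives the real number of denied packets.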

It is advisable to include the option to notify a network administrator by email, pager, or cell phone when a critical event occurs.

8.5.2 - Analyzing Router Logs
The diagram depicts a man on his cellular phone, thinking, "The router is alerting me to an emergency on the network." In the diagram, a router is sending out an emergency message to the man.

Page 2: To use a syslog server, install the software on a Windows, UNIX, Linux, or MAC OS server and configure the router to send logged events to the syslog server. A sample of the command that specifies the IP address of the host where the syslog server is installed is:

logging 192.168.3.11

Syslog is a protocol supported by all network equipment, including switches, routers, firewalls, wireless devices, modems, storage systems, and UNIX hosts. Other configurable options include:
• Providing notification of new messages received
• Sorting and grouping messages
• Filtering messages by severity
• Removal of all or selected messages

Syslog software is available from many resources. The level of reporting and ease of use vary with the price, but there are also several free programs available on the Internet.

When troubleshooting a problem, always set the service timestamps for logging. Be sure the router date and time are set correctly so that log files display the proper time stamp.

8.5.2 - Analyzing Router Logs
The diagram depicts a map of the world with a vertical line that passes through Greenwich, England, indicating Greenwich Mean Time (GMT).

Use the show clock command to check the date and time setting:
R1>show clock
*00:03:45.213 UTC Mon Mar 1 2007

To set the clock, first set the time zone. Base the time zone on Greenwich Mean Time (GMT) and then set the clock.
To set the time zone: R1(config)#clock timezone CST -6
To set the clock: R1#clock set 10:25:00 Sep 10 2007
Note that the clock set command is not used in configuration mode.

Page 3: Lab Activity
Configure ACLs and download a syslog server to record ACL activity. Click the lab icon to begin.

8.5.2 - Analyzing Router Logs
Link to Hands-on Lab: Configuring ACL's and Recording Activity to a Syslog Server. Configure ACL's and download a syslog server to record ACL activity.

8.5.3 ACL Best Practices
Page 1: ACLs are a very powerful filtering tool. They are active immediately after application onto an interface. If a mistake in an ACL blocks access to the router, remote connectivity may be denied. It is far better to spend extra time planning and troubleshooting before applying an ACL than trying to troubleshoot after applying the ACL. Always test basic connectivity before applying ACLs. If pinging a host is unsuccessful because of a bad cable or an IP configuration problem, the ACL can compound the problem and make it harder to troubleshoot. Use the reload in 30 command when working with remote routers and testing ACL functionality. Using this command, the router reloads in 30 minutes and reverts to the startup configuration. When satisfied with how the ACL is functioning, copy the running configuration to the startup configuration. When logging, add the deny ip any any statement to the end of the ACL. This statement allows tracking the number of matches for packets denied.

8.5.3 - ACL Best Practices
The diagram depicts a list of Best Practices:
Create and edit ACL's in a text editor, such as Notepad.
Always test basic connectivity before applying ACL's.
Use the reload in 30 command when working with remote routers and testing ACL functionality.
When logging, add the deny ip any any statement to the end of the ACL.
Do not edit a live ACL.

8.6 Chapter Summary
8.6.1 Summary
Page 1: 8.6.1 - Summary
Diagram 1, Image

255.0. and Named ACL.255). The wild-card mask compares the incoming address to a comparison address to determine which bits match.16.0. To determine the wild-card mask.22. ACL's filter traffic based on source and destination IP address.255.255.255 Wild-card mask that permits an entire /8 network: 10.0.0. Wild-card masks that permit a single host 172.0.16.0. There are three types of ACL's: Standard. Each interface supports one ACL per direction per protocol.22. The keyword any refers to all hosts and the keyword host refers to an individual IP address. Image The diagram depicts four lines of information as listed below. The show IP interface. Diagram 1 text Traffic filtering is the process of analyzing the contents of a packet to determine if the packet should be allowed or blocked.0 0. application.17 Wild-card mask that permits a range of hosts for a /24 network: 172. and protocol. Diagram 2. show access-lists and show running-config commands allow a network administrator to view all ACL's that have been configured on a router.0 0. subtract the decimal subnet mask for an address or range from the all255s mask (255.0. Standard ACL's filter on source IP address. Apply an ACL to a router interface to examine packets that are inbound or outbound. . and should be placed as close to the source as possible. Image The diagram depicts ACL Processing and Creation Guidelines. Decide placement of ACL's based on type of ACL and requirements.16.0 0.0 host 172. The access-class command is used to apply VTY ACL. Create an ACL using a unique identifier and apply either inbound or outbound on an interface using the IP access-group command. The switch is connected to four computers on an internal network.The diagram depicts a router directly connected to a switch. Extended ACL's can filter on source and destination addresses.255 Wild-card mask that permits an entire /16 network: 172.255. as well as on protocol and port number.8. 
and are placed as close to the destination as possible.22. There is implied deny any statement at end of the ACL.255. Extended. and can block a range of addresses or whole networks with one statement. Diagram 3.0.255 Diagram 2 text Using a wild-card mask provides flexibility. ACL's enable management of traffic and security access to and from a network and its resources. Named ACL's offer all the functionality and advantages of Standard and Extended ACL's. ACL's restrict VTY access to increase network security.87 0.
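The subtraction rule and the host and any shorthands from Diagram 2, worked in code. This is an added example, not part of the summary: it derives the diagram's /32, /24, /16 and /8 pairs from the rule, checks which addresses a pair matches, and then goes beyond the page's own examples by showing that a wild-card mask need not be contiguous (0.0.254.255 matches only even-numbered /24 subnets), which is why the keyword is "wild-card" rather than "subnet mask".

```python
"""Wild-card masks as the summary defines them: subtract the subnet mask from
255.255.255.255, then compare only the bits the mask leaves at 0. Added
example (not course code); the non-contiguous mask at the end goes beyond
the page's own examples."""
from ipaddress import IPv4Address, IPv4Network

ALL_ONES = int(IPv4Address("255.255.255.255"))


def wildcard_from_mask(subnet_mask: str) -> str:
    """The summary's rule: 255.255.255.255 minus the dotted-decimal subnet mask."""
    return str(IPv4Address(ALL_ONES - int(IPv4Address(subnet_mask))))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same rule starting from a /n prefix length."""
    return wildcard_from_mask(str(IPv4Network(f"0.0.0.0/{prefix_len}").netmask))


def acl_pair_for(cidr: str) -> str:
    """Address and wild-card text for one network, using the two shorthands the
    summary names: 'host A' for a single address and 'any' for every address."""
    net = IPv4Network(cidr, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {wildcard_from_mask(str(net.netmask))}"


def matches(addr: str, base: str, wildcard: str) -> bool:
    """A wild-card bit of 1 means 'ignore'; the router compares the other bits."""
    care = ALL_ONES ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def addresses_covered(wildcard: str) -> int:
    """Every 1 bit in the wild-card doubles the number of addresses matched."""
    return 2 ** bin(int(IPv4Address(wildcard))).count("1")


def diagram_2_lines() -> list:
    """The four entries of Diagram 2, derived rather than typed."""
    return [
        acl_pair_for("172.16.22.17/32"),
        acl_pair_for("172.16.22.0/24"),
        acl_pair_for("172.16.0.0/16"),
        acl_pair_for("10.0.0.0/8"),
    ]


if __name__ == "__main__":
    for line in diagram_2_lines():
        print(line)
    # Non-contiguous wild-card: third octet must be even, fourth octet ignored
    print(matches("172.16.4.7", "172.16.0.0", "0.0.254.255"),   # True
          matches("172.16.5.7", "172.16.0.0", "0.0.254.255"))   # False
```

The subtraction rule and a bitwise inversion give the same result for a valid subnet mask; the inversion is what the router actually computes, which is why non-contiguous masks such as 0.0.254.255 are accepted even though no subnet mask corresponds to them.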

Diagram 3, Image
The diagram depicts ACL Processing and Creation Guidelines.

Diagram 3 text: Configure only one access list per protocol per direction. Use the correct number range for the type of list. Process statements sequentially from the top of the list to the bottom. Deny the packet if no match is found. Configure an ACL with a permit statement or all traffic will be denied. The order in which the statements are written has an impact on how the router performs. Enter the access list statements in order from specific to general. There are different ways to approach writing ACL's: permit specific traffic first and then deny general traffic, or deny specific traffic first and then permit general traffic. Apply standard access lists closest to the destination. Apply extended access lists closest to the source. Determine the inbound or outbound direction by looking at the port from inside the router.

Diagram 4, Image
The diagram depicts the image of an Ethernet frame. The frame consists of the following: MAC address header, IP header (addresses), TCP header (ports), Data, FCS.

Diagram 4 text: Extended ACL's filter source and destination IP addresses, protocol, and the destination application port numbers in a frame. ACL's filter a range of ports using the gt, lt, or range operators. Use the established parameter to filter traffic that is a response to a request. Network administrators account for NAT when creating and applying ACL's. Apply ACL's directly to VLAN interfaces just as with physical interfaces.

Diagram 5, Image
The image depicts a map of the world focused on GMT, Greenwich Mean Time. The relevant information is shown in a summary.

Diagram 5 text: An ACL statement captures the number of matches and displays them at the end of each statement matched. Logging gives additional details on packets permitted or denied. To activate logging, add the log option to the end of each ACL statement. The process of logging events places an additional load on the router. Add the deny ip any any log statement to monitor the number of packets that are not matched by previous ACL statements. The log contents can be sent to an external syslog server. Always set the service timestamp for logging and be sure the router date and time are set correctly, so that log files display the proper time stamp.

8.6.2 Critical Thinking

0 B. Router RTA interface S0/2/0 is connected to RTC interface S0/1/0 using a serial link.0.0 0.1.10.10.1.10.1 0.0 10. What should the second line of the access list be? A.1 0.0. The rest of the 10.10.1.20.0.10.0.0.255 any Question Four.0.Router(config)# access-list 101 permit IP 10. Questions: Question One.0.1.1 0.255 C.0 0.0.30. The PC IP address is 10. What should be the first line of the access list? A.0.0.1 0.10.1. What should the third line of the access list be? A.0.10.255 D.30.0 10.0 0.10.0.0.0 0.10.Router(config)# access-list 101 permit IP 10.0.0.0.0 10.0.0.10.10.10.0.10.1 0.0 0.Router(config)# access-list 101 deny IP 10.0.30.10.1 0.30.0 0.0.255 eq any F.1.10.10.255 any Question Three. Router RTC interface Fa0/0/1 is connected to a LAN switch and one PC using network number 10.0.10.0.6.0.20.0.0 D.30.0.0 10.0. RTB and RTC are connected with each supporting a LAN.10.0.0 0.0 0.Router(config)# access-list 101 deny IP 10.0 /24.0.0 B.10.1.1 0.Router(config)# access-list 101 deny IP 10.0.10.0.10.30.0.0 /24 subnet and the 10.30.Router(config)# access-list 10 permit 10.10.1.Router(config)# access-list 10 permit 10.255 10.Router(config)# access-list 101 permit IP 10.Router(config)# access-list 10 permit 10.0.0.30.0. Router RTA interface Fa0/0/1 is connected to a LAN switch and two PCs using subnetwork number 10.0 network should have access to the 10.0 eq ftp D.1.0.0.0.Router(config)# access-list 10 permit 10.0 0.0 0.Router(config)# access-list 10 deny 10.1 0.255 C. Router RTB interface Fa0/0/1 is connected to a LAN switch and an FTP Server and PC using subnetwork number 10.20.1. Scenario: A single access list needs to be created to deny the 10.0.255 E.0.0 /24 network.168.0 /24 subnet.1 0.0 D.255 E.30.30.255 C.0.0. Network Topology: Three routers.255 eq any .0.Router(config)# access-list 101 permit IP 10.0.0.1.0.0 10.1.0.0 /24 subnet from reaching the 10.0.255 eq any E. All users should be able to access the Internet.10. 
Router RTA interface S0/0/1 is connected to RTB interface S0/2/0 using subnetwork number 192.10.0 0.0.Router(config)# access-list 101 permit IP 10.0 /24.0.1 0.1.0.10. The PC IP address is 10.Critical Thinking The diagram depicts an activity in which you must answer questions regarding Access Controls Lists based on specified requirements and a network topology diagram.10.255 any E.0.255 10.30.0.1.0.1 0.Router(config)# access-list 101 deny IP 10.0.1. RTA.Page 1: 8.0.Router(config)# access-list 10 permit 10.1 0.255 Question Two.0.0.10.0 /24.Router(config)# access-list 101 deny IP 10.0 B.0.255 F.0.0.30.0 0.2.30.10.0 0.10.1.255.10.10. What should the fourth line of the access list be? A.0.1.0.0.0 10.Router(config)# access-list 10 deny 10.0 10.Router(config)# access-list 101 permit IP 10.10.Router(config)# access-list 101 permit IP 10.0 0. Router RTB interface S0/1/0 is connected to the Internet cloud.0.0.0.255 10.30.0.10.20.0.0 0.0.1.0 0.10.0 /30.10.10.10.10. The FTP Server IP address is 10.Router(config)# access-list 101 deny IP 10.Router(config)# access-list 101 permit IP 10.10.1.255 C.1.10.0.0 0.0.10.30.1.255 10.2 .10.1 should have access to the FTP Server only.0 0.0 0. Host computer 10.30.1 0.Router(config)# access-list 10 deny 10.0 0.255.0.1.0 B.1.

What IP address and wildcard mask pairs will test for only addresses of a subnet containing a host configured with 192.0.12.168.7 Chapter Quiz 8. it must be applied in the proper location to have the desired effect.1 .192.0.The first 32 bits of a supplied IP address will be matched. C.Once an ACL has been created.15? (Choose two.0.192.The first 28 bits of a supplied IP address will be matched.S0/0/1 on RTA as an outbound list F.The last four bits of a supplied IP address will be matched.6 0.S0/2/0 on RTB as an outbound ACL B.Quiz Chapter 8 Quiz: Filtering Traffic Using Access Control Lists 1.192.0.0.168. F.6 255. B.7.7 B.255.168.192.255.0.Fa0/0/1 on RTB as an inbound ACL D. E.12.248? A. Click the quiz icon to begin.Question Five.255 4.6 0.provide traffic flow control E. What rules should be observed when applying ACL's? (Choose two.notify downstream devices in the event of increased traffic or congestion C.) . What are some of the suggested uses for ACL's that the trainee should learn? (Choose three. 3.The first 28 bits of a supplied IP address will be ignored. Where should the access list be placed to ensure it is effective? A.12.open additional links when paths become saturated 2.1 Quiz Page 1: Take the chapter quiz to check your knowledge.The last five bits of a supplied IP address will be ignored.8 C.determine whether interfaces are active or shutdown during peak usage D. D.S0/1/0 in RTB as an outbound list E.S0/2/0 on RTB as an inbound ACL C.limit network traffic and increase performance B.S0/2/0 on RTA as an inbound list 8.) A. 8.168.168.0.7.0.An administrator has been asked to explain ACL's to a trainee.) A.0 0.The last four bits of a supplied IP address will be ignored.15 D.0.0.0 0.12.What statements are true regarding the meaning of the access control list wildcard mask 0.12.provide a basic level of security for network access F.

Host 10.106.177.Router(config)# access-list 95 deny 172.16.A network administrator is writing a standard ACL that will deny any traffic from the 172.) Router# show running-config Building configuration.All ACL statements are processed for each packet through the interface. C.255 6. one named Marketing.16.0.18.0 255.106. This network is called .Router(config)# access-list 95 deny any B.177.0.255.112.This access control list will not limit any traffic through the router. 7. D.0 F.Extended ACL's should be applied closest to the source.0.76.0.16.213.213.18. B. 198.0 0.255.0 D.1/24 S0/0/0 and Engineering 198.255.Router(config)# access-list 95 deny 172. Which two commands should be used? (Choose two.0 255.0.0/24. These two routers are connected to each other via a serial link Marketing IP 198. D.255. C.0/16 network. Current configuration 1084 bytes ! version 12.The new security policy for the company allows all IP traffic from the Engineering LAN to the Internet while only web traffic from the Marketing LAN is allowed to the Internet.0.76 access-list 99 permit any ! [some output text omitted] A.This is an extended IP access list.16. 5.0 IP access-group 99 in no fair-queue clockrate 56000 ! IP classless no IP http server ! access-list 99 deny 10.18.Router(config)# access list 95 host 172.1.A.What can be concluded from the output shown below? (Choose two.) A. Network Topology This topology consists of two routers.2.255.168.0.1 [some output text omitted] interface Serial0/1 IP address 192.16. 192. but permit all other traffic.Standard ACL's should be applied as close to the source as possible. and one named Engineering.0/24.The wildcard mask must be configured for this access list to function properly.177.Router(config)# access-list 95 172. E.Outbound filters do not affect traffic that originates within the local router.The keyword host is implied in the command line access-list 99 deny 10.1 255. This network is called the Marketing LAN. 
The Marketing router is connected to a switch via interface F A 0 /0 on the Marketing router. E.Router(config)# access-list 95 permit any E. Which ACL can be applied in the outbound direction of Serial 0/0/1 on the Marketing router to implement the new security policy? To answer this question refer to the network topology below.2/24 S0/0/0.0. B.255..The inbound and outbound interface should be referenced as if looking from the outside of a router.213.100 will be allowed access to the Serial0/1 interface. The Engineering router is connected to a switch via interface F A 0 /0 on the Engineering router.255 C..

26.25.255 any access-list 197 permit IP 198.What are two purposes of IP access control lists? (Choose two.0/24 network.Which two statements are correct based on the set of commands shown in the output below? (Choose two.0/16 network. Place the commands in the order.26 eq 23 Router(config-ext-nacl)# permit IP any any Router(config-ext-nacl)# exit Router(config)# interface F A 0 /0 Router(config-if)# IP access-group Server1Access out A.0.0 0.128.128.25.255 any access list 165 permit tcp 198.0.0.Second command is R1(config)# prompt 3.168.168.255 any Router(config-ext-nacl)# deny tcp 192.26.Host 192.0.) Router(config)# IP access-list extended Server1Access Router(config-ext-nacl)# deny IP 10.2.line vty 0 4 B.0 0. A.access-list 165 permit IP 192.168. The S0/0/1 interface on the Marketing Router is attached to the Internet with the IP address 198.Standard ACL's can restrict access to specific applications and ports.0 0.0.0.0.25. C.18.76 will not be able to establish an FTP session with available hosts on the 172.114.0.0 0.ACL's control host access to a network or to another host.0 0.access-list 1 permit host 10.112.0 0.85.255 any eq www access-list 165 permit IP any any C.255 any eq www B.0.Host 172.0 network.access-list 1 deny IP any any F.0 0.ACL's can permit or deny traffic based upon the MAC address originating on the router.76 will be able to establish an FTP session with available hosts on the 172.255 any access-list 137 permit tcp 198.access-list 137 permit IP 192.0.112.114.255 any access-list 89 permit IP 198.Host 192.) A.0.85.0.0.85.0.18.First command is R1(config)# prompt 2.0.A network engineer wants to ensure that only users of the network management host can access the vty lines of R1.ACL's provide a basic level of security for network access.128.255 any eq www 8.76 will be able to establish a Telnet session with host 172.18.0.112.0.255 any eq www D.0.0.0. 
9.0.112.access-list 89 permit TCP 192.access-list 197 permit IP 192.76 will be able to establish a Telnet session with host 172.0.0 0. B.85. D.0.168.18.0.0 0.1/24.0.0.Host 10.0 0.2.) A.Host 10. .0.2.Third command is R1(config-line)# prompt 10. which they would be entered into the router using the three router prompts listed below.1 1.0.0.25. E.26 will not be able to establish a Telnet session with available hosts on the 192.2.0.255 host 172.access-list 1 deny any E.the Engineering LAN.25.0.access-class 1 in C. (Not all commands will be used. C.114.IP access-group 1 in D.114.0.18.25. D. B.

net/virtuoso/servlet/org. B.3 host.css&mediap res=transbrief&cid=1100000000&l1=en&l2=none&chapter=intro All contents copyright © 2007-2008 Cisco Systems.10. Go To Next Go To Previous Scroll To Top http://curriculum.10.3. RTA has a host connected via its Fa0 interface with a host addressed as 172. 11.10.28. All | Translated by the Cisco Networking Academy.Version=1. Output from RTAs command line is shown as follows: hostname RTA ! access-list 101 permit tcp 10.A network administrator is interested in tracing all packets that do not match any statement in a standard ACL. What could be the cause? To answer this question refer to the network topology below.C CServlet/LMS_ID=CNAMS. About   .rendering. RTA is connected to the Internet via its S0 interface.Theme=ccna3theme.0 0.Style=ccna3. C.10.The line access-list 101 permit tcp any any established should be added before the permit statement. What must the network administrator do to allow tracking? A.28. B.16.16.16. However.delivery.0. telnet access fails when host 10. D.Enter the syslog command in global configuration mode.0.The port number is incorrect for the access list. Inc.Nothing. C.255 any host eq 23 access-list 101 deny IP any any A.10.Add permit IP any log to the end of the ACL statements.10.cli.servlet. D. Access list 101 is applied as an inbound ACL on the interface Serial 0 of Router RTA and should permit telnet access to the 172.The line access-list 101 permit tcp any any established should be added after the permit statement. RootID=knet‐ lcms_discovery3_en_40.3/24.Engine=static/CHAPID=null/RLOID=null/RIOID=null/them e/hybrid/theme_onepage/main.netacad. 12.The access list should be on the outbound interface of FastEthernet 0.E.html?level=chapter&css=blackonwhite.3.Enter the command debug ACL deny from global configuration mode.3 attempts to connect to host 172. RTB is connected to the Internet via its S0 interface.ACL's can be applied to only one interface. 
RTB has a host connected via its Fa0 interface with a host addressed as 10. Network Topology This topology consists of two routers named RTA and RTB. logging of denied packets happens automatically.Language=en.28.

proactive maintenance. and ACL's.1 Enterprise Network Requirements Page 1: Most enterprises rely on their networks to provide consistent and reliable access to shared resources. WAN links.1 Introduction Enterprise networks can have problems that range from poor performance to unreachable resources. Network downtime is any time that the network is not performing as required. .0.Introducing Routing and Switching in the Enterprise 9 Troubleshooting an Enterprise Network 9. Isolate and correct ACL issues. Network monitoring.1 Understanding the Impact of Network Failure 9. you should be able to: Explain the importance of uptime and the types of issues that cause failure. 9. After completion of this chapter.0.1 Introduction Page 1: 9. Isolate and correct WAN configurations.1.0 Chapter Introduction 9. Isolate and correct routing issues.Search | Glossary Course Index: CCNA Discovery . effective troubleshooting methods and an awareness of failure domains can help to minimize network downtime. Network problems can involve a variety of technologies including LAN switching. A reduction in the performance level of the network may have a negative impact on the business. routing protocols. Network uptime is the time that the network is available and functioning as expected. Isolate and correct switching problems.

Without a reliable network, many organizations lose access to customer databases and accounting records that employees need to perform their daily activities. Network outages also prevent customers from placing orders or obtaining the information they require. Large enterprises generally span many different time zones and have employees, customers, and suppliers accessing their network around the clock. For these organizations, any downtime is extremely costly.

9.1.1 - Enterprise Network Requirements
The diagram depicts a silhouette of a group of people.

Page 2: Many different metrics are used to determine the cost of downtime to an enterprise. The actual cost to a company varies depending on the day, date, and time. Downtime results in lost productivity, customer frustration, and often the loss of customers to competitors. Many factors cause network downtime. These include:
• Weather and natural disasters
• Security breaches
• Man-made disasters
• Power surges
• Virus attacks
• Equipment failure
• Misconfiguration of devices
• Lack of resources

9.1.1 - Enterprise Network Requirements
The diagram depicts a satellite image of the earth, showing a storm.

Page 3: A well-planned network design and implementation are crucial for meeting uptime requirements. The three-layer hierarchical network design model separates the functionality of the various networking devices and links. This separation ensures efficient network performance. To ensure the proper and efficient flow of traffic, a good design includes redundancy of all critical components and data paths. This redundancy eliminates single points of failure. In addition, the use of enterprise class equipment provides a high degree of reliability.

9.1.1 - Enterprise Network Requirements
The diagram depicts a network design showing a three-layer hierarchical network structure including the Core, Distribution, and Access Layers.

Page 4: Outages are not only associated with loss of service from ISPs. Quite often, the problem stems from the failure of a key piece of equipment that is part of the local network. Even with proper network design, which incorporates good design characteristics such as redundancy, some downtime is inevitable. To keep downtime to a minimum and ensure rapid recovery requires additional considerations.

To guarantee service levels, an enterprise should have service level agreements (SLAs) with key suppliers. An SLA clearly documents network expectations in terms of level of service. These expectations include the acceptable level of downtime as well as the recovery period. SLAs often specify the penalty associated with any loss of service.

To minimize this type of downtime requires warrantees on all critical pieces of equipment. Warrantees provide for rapid replacement of mission-critical components.

Business continuity plans provide a detailed plan of action in case of unexpected man-made or natural disasters such as power failures or earthquakes. They clearly specify how the network re-establishes functionality in the event of a catastrophic failure. Business continuity plans provide the details on how the business continues or resumes operations, with minimal disruption to its clients, after the disaster. One way to ensure functionality is to have a redundant backup site at another location, in case of failure at the primary site.

9.1.1 - Enterprise Network Requirements
The diagram depicts a network with a headquarters and a backup site.

9.1.2 Monitoring and Proactive Maintenance
Page 1: One way of ensuring uptime is to monitor current network functionality and perform proactive maintenance. The purpose of network monitoring is to watch network performance in comparison to a predetermined baseline. Any observed deviations from this baseline indicate potential problems with the network and require investigation. As soon as the network administrator determines the cause of degraded performance, corrective actions can be taken to prevent a serious network outage.

A network administrator performs proactive maintenance on a regular basis to verify and service equipment. By doing this, the administrator can detect weaknesses prior to a critical error that could bring down the network. Like regular servicing on a car, proactive maintenance extends the life of a network device.

9.1.2 - Monitoring and Proactive Maintenance
The diagram depicts a technician working on a rack of equipment.

Page 2: Network monitoring tools, techniques, and programs rely on the availability of a complete set of accurate and current network documentation. This documentation includes:
• Physical and logical topology diagrams
• Configuration files of all network devices
• A baseline performance level

It is best practice to determine baseline network performance levels when the network is first installed and then again after any major changes or upgrades occur. Network administrators perform baseline testing of the network under normal load levels, using the protocols and applications that are normally encountered on the network.

Several groups of tools are available for monitoring network performance levels and gathering data. These tools include:
• Network utilities
• Packet sniffing tools
• SNMP monitoring tools

Each of these groups of tools has different capabilities and provides different types of information. Using these tools in combination provides comprehensive information on current network performance.

Page 3:
Simple network utilities, like ping and tracert, provide information on the performance of the network or network link. Performing these commands at multiple times shows the difference in time required for a packet to travel between two locations. Using these commands, however, does not provide a reason for the difference in times.

Many complex tools and procedures exist to determine performance baselines. Some programs perform many different tests with different types of traffic. The tests determine the network performance under very accurately defined loads and conditions. Others, such as a simple ping, are less accurate but often provide sufficient information to alert the administrator to a problem.

Packet sniffing tools monitor the types of traffic on various parts of the network. They examine the contents of the packets. These tools indicate if there is an excessive amount of a particular traffic type, which provides a quick way of locating the source of this traffic. These tools may also be able to remedy the situation before network congestion becomes critical. For example, traffic sniffing can detect whether a type of traffic or a particular transaction occurring on the network is unexpected. This detection might stop a potential denial of service attack before it impacts network performance.

9.1.2 - Monitoring and Proactive Maintenance
The diagram depicts the following screen captures of the ping command.
Baseline: On FEB 2, 2007 08:14:43 a ping command to the following IP was made: 10.66.159.254. The delay times for the ping were all 1 millisecond.
Congestion problems? On MAR 17, 2007 14:41:06 a ping command to the following IP was made: 10.66.159.254. The delay times for the ping were all 6 milliseconds.

9.1.2 - Monitoring and Proactive Maintenance
The diagram depicts a user connected to a small network of three routers. He thinks to himself, "Should I use ping? tracert? Packet Sniffing?"

Page 4:
Simple Network Management Protocol (SNMP) allows monitoring of individual devices on the network. SNMP-compliant devices use agents to monitor a number of predefined parameters for specific conditions. These agents collect information and store it in a database known as the management information base (MIB). SNMP polls devices at regular intervals to collect information about managed parameters. SNMP also traps certain events that exceed a predefined threshold or condition.

For example, SNMP monitors a router interface for errors. The network administrator defines a specific level of acceptable errors for that interface. If the errors exceed the threshold level, SNMP traps the condition and sends it to a network management station (NMS). The NMS alerts the network administrator. Some SNMP systems trigger events, such as the automatic reconfiguration of a device, to eliminate the problem. Most enterprise class network management systems use SNMP.

A number of freeware and commercial proactive network monitoring tools exist. These tools monitor traffic type, traffic load, traffic patterns, server configurations, and a multitude of other conditions. A proper Network Monitoring Plan and the use of proper tools help a network administrator evaluate the health of the network and detect any problem situations.

9.1.2 - Monitoring and Proactive Maintenance
The diagram, labeled Network Management Protocol, depicts a man sitting at a workstation labeled Management Station. The workstation is connected to a small network. The following are monitoring tools on the network: a router labeled Management Agent and Router MIB, a switch labeled Management Agent and Switch MIB, and a server labeled Central MIB.

Page 5:
Packet Tracer Activity
Design a network and create a baseline.
Click the Packet Tracer icon to begin.

9.1.2 - Monitoring and Proactive Maintenance
Link to Packet Tracer Exploration: Creating a Baseline
Design a network and create a baseline.
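The two monitoring ideas on pages 3 and 4, comparing a current ping measurement with a stored baseline and trapping an interface error counter that crosses an administrator-defined threshold, can be shown in a few lines of code. This is an added example, not part of the course material: the ping reply lines, the baseline and current captures (which mirror the 1 ms and 6 ms figures), the error-counter samples and the thresholds are all constructed.

```python
"""Baseline comparison for ping latency, plus an SNMP-style error-counter threshold.

Added example, not part of the course. The ping replies, the baseline and
current captures, the error-counter samples and the thresholds are all
constructed; the two captures mirror the figure (1 ms on the baseline day,
6 ms later).
"""
import re
import statistics

# Constructed ping replies in the Windows output format, one line per probe.
BASELINE_PING = """Reply from 10.66.159.254: bytes=32 time=1ms TTL=254
Reply from 10.66.159.254: bytes=32 time=1ms TTL=254
Reply from 10.66.159.254: bytes=32 time=1ms TTL=254
Reply from 10.66.159.254: bytes=32 time=1ms TTL=254"""

CURRENT_PING = """Reply from 10.66.159.254: bytes=32 time=6ms TTL=254
Reply from 10.66.159.254: bytes=32 time=6ms TTL=254
Request timed out.
Reply from 10.66.159.254: bytes=32 time=6ms TTL=254"""

RTT_RE = re.compile(r"time[=<](\d+)ms")


def parse_rtts(output):
    """Round-trip times in ms found in ping output; timed-out probes are skipped."""
    return [int(m.group(1)) for m in RTT_RE.finditer(output)]


def latency_deviation(baseline_output, current_output, factor=3.0):
    """Compare the current median RTT with the baseline median.

    Returns (baseline_median, current_median, alert). alert is True when the
    current median is more than `factor` times the baseline, or when every
    probe was lost (current_median is then None).
    """
    base = statistics.median(parse_rtts(baseline_output))
    cur_samples = parse_rtts(current_output)
    if not cur_samples:
        return (base, None, True)
    cur = statistics.median(cur_samples)
    return (base, cur, cur > factor * base)


def interface_error_alerts(samples, threshold):
    """Model of an NMS polling an interface error counter at regular intervals.

    samples: list of (timestamp, cumulative_error_count) as read from the
    agent's MIB. Returns (timestamp, increase) for every interval in which the
    counter grew by more than `threshold`, i.e. the condition SNMP would trap.
    """
    alerts = []
    for (_, before), (stamp, after) in zip(samples, samples[1:]):
        increase = after - before
        if increase > threshold:
            alerts.append((stamp, increase))
    return alerts


# Constructed five-minute polls of a cumulative interface error counter.
ERROR_SAMPLES = [("08:00", 120), ("08:05", 121), ("08:10", 190),
                 ("08:15", 191), ("08:20", 400)]

if __name__ == "__main__":
    print(latency_deviation(BASELINE_PING, CURRENT_PING))       # (1, 6, True)
    print(interface_error_alerts(ERROR_SAMPLES, threshold=50))  # two intervals flagged
```

The median is used rather than the mean so that a single lost or slow probe does not trigger an alert on its own; the error check works on the increase between polls, because the MIB counter itself is cumulative and only its rate of growth says anything about the current state of the interface.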

9.1.3 Troubleshooting and the Failure Domain
Page 1:
The objective of any troubleshooting effort is to return functionality quickly and with little disruption to the end users. Achieving this objective often means postponing an extensive or prolonged process for determining the cause of a problem in favor of quickly re-establishing functionality. In some situations, putting a temporary solution into place allows investigation and correction of the problem under a less critical time constraint.

Redundancy is a key design element for enterprise networks. In a redundant environment, if one link goes down, traffic diversion to the redundant link occurs immediately. This temporary solution allows the network to maintain functionality and gives the administrator time to diagnose and correct the problem with the failed link. If problems occur with a specific device or configuration, having backup copies of the configuration files or spare devices allows quick restoration of connectivity.

9.1.3 - Troubleshooting and the Failure Domain
The diagram depicts a corporate network and a number of Hot Swappable Spares, including a server, router, and switches, that are used for rapid restoration of network functionality.

Page 2:
Quick solutions are not always possible or appropriate. The security of the network and the resources that it houses must always be the highest priority. If a quick fix compromises this security, take the time to investigate an alternative solution that is more appropriate. Detail security concerns in the business continuity plan. The plan includes:
• Documentation of potential problems
• Description of the appropriate course of action in the event of problems
• Details of the security policy of the company
• Details of the security risks of the actions

When troubleshooting a network, determine the scope of the issue and isolate the issue to a specific failure domain. The failure domain is the area of the network that is impacted by the failure or misconfiguration of a network device. The actual size of the domain depends on the device and the type of failure or misconfiguration. When designing an enterprise network, limit the size of a failure domain.

9.1.3 - Troubleshooting and the Failure Domain
The animation depicts the importance of maintaining security. A hacker sends a packet through the Internet to an enterprise network, but it is stopped by the firewall. The hacker thinks to himself, "The firewall is stopping me from entering the company." Someone within the enterprise thinks to himself, "The firewall just went down. To get the network up quickly, we will replace the firewall with a router." The hacker sends another packet through the Internet to the enterprise and thinks to himself, "The firewall must be down. I can access the network easily now." The hacker then has access to the network.
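The size of a failure domain can be measured rather than estimated: remove one device from a model of the topology and count the hosts that no longer have a path to the Internet. The following is an added example, not part of the course. It models the topology of this section's router-failure activity (Internet to R1, R1 to R2, R2 to R3 and R5, R3 to R5, R5 to R4 and R6, two switches on R3 and three each on R4 and R6, two hosts per switch); the switch and host names are constructed, as is the `hosts_cut_off` helper.

```python
"""Failure-domain sizing by reachability.

Added example, not part of the course. The topology follows this section's
router-failure activity; the switch and host names are constructed.
"""
from collections import deque


def build_activity_topology():
    """Return an undirected adjacency dict for the activity network."""
    links = [("Internet", "R1"), ("R1", "R2"), ("R2", "R3"), ("R2", "R5"),
             ("R3", "R5"), ("R5", "R4"), ("R5", "R6")]
    switches_per_router = {"R3": 2, "R4": 3, "R6": 3}
    adj = {}

    def add(a, b):
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)

    for a, b in links:
        add(a, b)
    for router, count in switches_per_router.items():
        for i in range(1, count + 1):
            switch = f"{router}-SW{i}"          # constructed switch name
            add(router, switch)
            for h in (1, 2):                    # two hosts per switch
                add(switch, f"{switch}-H{h}")   # constructed host name
    return adj


def reachable_from(adj, start, removed):
    """Breadth-first search with the devices in `removed` treated as failed."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def hosts_cut_off(adj, failed_device):
    """Number of hosts with no path to the Internet once failed_device is down."""
    hosts = [n for n in adj if "-H" in n]
    alive = reachable_from(adj, "Internet", {failed_device})
    return sum(1 for h in hosts if h not in alive)


def failure_domains(adj):
    """Map each router to the size of its failure domain, measured in hosts."""
    routers = sorted(n for n in adj if n.startswith("R") and "-" not in n)
    return {r: hosts_cut_off(adj, r) for r in routers}


if __name__ == "__main__":
    topology = build_activity_topology()
    for router, n in failure_domains(topology).items():
        print(f"{router} fails: {n} hosts unable to reach the Internet")
```

The same function answers the page 3 comparison: failing a single access switch (`hosts_cut_off(topology, "R3-SW1")`) isolates only its own two hosts, while failing the border router R1 isolates every host, which is why the text says to troubleshoot the larger failure domain first unless a business-critical server sits behind the smaller one.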

Page 3:
If both a Layer 2 switch and a border router fail at the same time, they affect different failure domains. The failure of a Layer 2 switch on a LAN segment only affects users in the broadcast domain. It has no effect on other regions of the network. Failure of a border router, however, prevents all users in the company from connecting to network resources outside of their local network. The router has a larger impact on the network, which includes all devices in the network located behind the ISP connection.

Under normal circumstances, troubleshoot resources with the larger failure domains first. In some circumstances, the size of the failure domain is not the deciding factor in troubleshooting. If a business critical server is connected to a failed switch, correction of this issue may take precedence over the border router.

9.1.3 - Troubleshooting and the Failure Domain
The diagram depicts the different effects that the failure of a Layer 2 switch and a Layer 3 router have on a network. The Layer 2 switch failure shows a small failure domain of only the two hosts connected to it. The Layer 3 router failure shows a much larger failure domain.

Page 4:
9.1.3 - Troubleshooting and the Failure Domain
The diagram depicts an activity in which you must determine how many hosts will be unable to connect to the Internet when each router fails.

Network Topology
The Internet connects to router R1, which connects to router R2. R2 connects to routers R3 and R5. R3 connects to two switches. R3 also connects back to router R5. R5 connects to routers R4 and R6. R4 and R6 each connect to three switches. Each switch is connected to two hosts.

Outcome when each router fails:
R1: Number of hosts unable to connect? (2, 4, 6, 10, 12, or 16)
R2: Number of hosts unable to connect? (2, 4, 6, 10, 12, or 16)
R3: Number of hosts unable to connect? (2, 4, 6, 10, 12, or 16)
R4: Number of hosts unable to connect? (2, 4, 6, 10, 12, or 16)
R5: Number of hosts unable to connect? (2, 4, 6, 10, 12, or 16)
R6: Number of hosts unable to connect? (2, 4, 6, 10, 12, or 16)

9.1.4 Troubleshooting Process
Page 1:
When a problem occurs on an enterprise network, troubleshooting that problem quickly and efficiently is very important to avoid extended periods of downtime. Many different structured and unstructured problem-solving techniques are available to the network technician. These include:
• Top-down
• Bottom-up
• Divide-and-conquer
• Trial-and-error
• Substitution

Most experienced network technicians rely on the knowledge gained from past experience and start the troubleshooting process using a trial-and-error approach. Correcting the problem in this manner saves a great deal of time. Unfortunately, many times the trial-and-error approach does not provide a solution. Additionally, less experienced technicians cannot rely solely on previous experience. Both of these cases require a more structured approach to troubleshooting.

9.1.4 - Troubleshooting Process
The diagram depicts a man deep in thought.

Page 2:
When a situation requires a more structured approach, most network personnel use a layered process based on the OSI or TCP/IP models. The technician uses previous experience to determine if the issue is associated with the lower layers of the OSI model or the upper layers. The layer dictates whether a top-down or bottom-up approach is appropriate.

When approaching a problem situation, regardless of the type of troubleshooting technique used, follow the generic problem-solving model:
• Define the problem
• Gather facts
• Deduce possibilities and alternatives
• Design plan of action
• Implement solution
• Analyze results

If the first pass through this procedure does not determine and correct the problem, repeat the process as necessary. Document the initial symptoms and all attempts at finding and correcting the cause. This documentation serves as a valuable resource should the same or similar problem occur again. It is important to document even failed attempts, to save time during future troubleshooting activities.

9.1.4 - Troubleshooting Process
The diagram depicts the OSI Model and examples of common problems that can exist at each layer.

OSI Model
Application Layer, Layer 7. Associated with specific services such as FTP and DNS. If resources are unreachable or unusable while the Physical, Data Link, Network, and Transport Layers are functional, the problem is associated with this layer.
Presentation Layer, Layer 6. Responsible for data representation. Includes compression and encryption. If data is being reliably transmitted across the network but is unreadable on the receiving end, suspect the Presentation Layer. Verify that any encryption keys match and are properly configured.
Session Layer, Layer 5. Responsible for establishing, maintaining, and terminating end-to-end communication sessions between applications. Related to synchronization and flow control. An application server failing during a communication session could generate problems at the Session Layer.
Transport Layer, Layer 4. Uses port numbers to identify the type of traffic being carried in the conversation. Misconfigured ACLs are a common problem at the Transport Layer.
Network Layer, Layer 3. Involved with logical addressing and best path determination. The most common problems are improperly configured addresses and improper routing information. Layer 3 addressing and routing problems are associated with the Network Layer. Misconfigured ACLs are an issue at the Network Layer.
Data Link Layer, Layer 2. Concerned mainly with the encapsulation of data. Includes improper conversion of Layer 2 encapsulation as the frames move across the network. Mismatched encapsulation is one of the most common issues at the Data Link Layer. Improperly configured switch ports and Layer 2 addressing issues are also common. Misconfigured VLANs can generate problems at Layer 2.
Physical Layer, Layer 1. Concerned with physical connectivity. Common issues include damaged or improper cabling, physical damage to ports, and power issues. In wireless networks, antennas are physical layer devices, as is the RF medium. Any loss in signal strength or interference is considered a Layer 1, Physical Layer, problem.

Page 3:
9.1.4 - Troubleshooting Process
The diagram depicts an activity in which you must match each problem to the OSI model layer with which it is best associated.

Layer Choices
A. Network
B. Physical
C. Application
D. Data Link
E. Transport

Problem Scenarios
One. Vida is unable to connect to a web server even though she is able to ping and tracert to the same address.
Two. Rebecca installs the wrong type of antenna on the AP.
Three. Gustavo configures PPP encapsulation on one end of the serial link to the ISP and the link goes down.
Four. Suresh mistypes the IP address on the router interface.
Five. Tyrone checks the MAC address table on the switch and notices that the value for one of the connected hosts is not correct.
Six. Carlos misconfigures an ACL to filter DNS traffic when he meant to filter FTP traffic.

9.2 Troubleshooting Switching and Connectivity Issues
9.2.1 Troubleshooting Basic Switching
Page 1:
Switches are currently the most commonly used Access Layer networking device. Workstations, printers, and servers connect into the network through switches. Faults with the switch hardware or configuration prevent connection between these local and remote devices.

The most common problems with switches occur at the Physical Layer. If a switch is installed in an unprotected environment, it can suffer damage such as dislodged or damaged data or power cables. Ensure that switches are placed in a physically secure area.

If a connectivity problem exists, perform the following steps:
• Ensure that the power LED is illuminated.
• Ensure that the correct type of cable connects the end device to the switch.
• Reseat the cables at both the workstation and the switch end.
• If an end device cannot connect to the network and the link LED is not illuminated, the link or the switch port is defective or shut down.

If a switch port fails or malfunctions, the easiest way to test it is to move the physical connection to another port and see if this corrects the problem.

9.2.1 - Troubleshooting Basic Switching
The diagram depicts two rack mount switches that have connections stemming out of the RJ-45 ports. One of the switches has 16 connections to individual client computers. The other switch only has one RJ-45 port utilized.

Page 2:
If the link LED is illuminated, the switch configuration is the most likely problem. Check the configuration to ensure that the port is in a no shutdown state. Ensure that switch port security has not disabled the port. Confirm this using the following commands:
show running-config
show port-security interface interface_id
If the switch security settings are disabling the port, review the security policy to see if altering the security is acceptable.

Switches function at Layer 2 and keep a record of the MAC address of all connected devices. If the MAC address in this table is not correct, the switch forwards information to the wrong port and communication does not occur. To display the MAC address of the device connected to each switch port, use:
show mac-address-table
To clear the dynamic entries in the table, issue the command:
clear mac-address-table dynamic
The switch then repopulates the MAC address table with updated information.

9.2.1 - Troubleshooting Basic Switching
The diagram depicts a topology with a switch that fails.

Network Topology
Two switches, S1 and S2, are directly connected to each other by an Ethernet link from Fa0/2 on both switches. S1 has Fa0/4 and Fa0/6 in use. S2 has its Fa0/1 port in use. An Ethernet link between S2 and R1 has been established. R1 has a serial link to the WAN cloud.

The command "show mac-address-table" has been issued on S1. The table headers include the following: VLAN, MAC Address, Type, and Ports. The following is the output.

S1# show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    000d.6563.bd00    Static      CPU
 All    0100.0ccc.cccc    Static      CPU
 All    0100.0ccc.cccd    Static      CPU
 All    0100.0ccc.dddd    Static      CPU
   1    0010.29a0.01f7    Dynamic     Fa0/4
   1    00b0.d04d.a4fa    Dynamic     Fa0/6
 100    000d.6563.0582    Dynamic     Fa0/2
 100    000d.29a0.88e0    Dynamic     Fa0/2
 101    000d.6563.0582    Dynamic     Fa0/2
 101    000d.29a0.88e0    Dynamic     Fa0/2
 102    000d.6563.0582    Dynamic     Fa0/2
 102    000d.29a0.88e0    Dynamic     Fa0/2
 103    000d.6563.0582    Dynamic     Fa0/2
 103    000d.29a0.88e0    Dynamic     Fa0/2
Total MAC addresses in this criterion: 14
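Reading the table by eye works for one switch; for a baseline comparison it helps to parse it. The following is an added example, not part of the course. It parses `show mac-address-table` output in the format of the S1 listing above, reports dynamic entries that have moved between two snapshots (the address relearning that the text lists among the loop indicators on the next page), and compares learned ports with the documented cabling, which is the check Tyrone performs in the OSI activity. Both snapshots and the documented host mapping are constructed; the second snapshot deliberately shows one host address relearned on a different port.

```python
"""Parse `show mac-address-table` output and spot addresses that move between ports.

Added example, not part of the course. Both snapshots and the documented
host-to-port mapping are constructed in the format of the S1 listing.
"""
import re

SNAPSHOT_T0 = """          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   1    0010.29a0.01f7    DYNAMIC     Fa0/4
   1    00b0.d04d.a4fa    DYNAMIC     Fa0/6
 101    000d.6563.0582    DYNAMIC     Fa0/2
 101    000d.29a0.88e0    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 5"""

# Same switch a few seconds later: the Fa0/4 host is now seen on Fa0/6.
SNAPSHOT_T1 = """          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   1    0010.29a0.01f7    DYNAMIC     Fa0/6
   1    00b0.d04d.a4fa    DYNAMIC     Fa0/6
 101    000d.6563.0582    DYNAMIC     Fa0/2
 101    000d.29a0.88e0    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 5"""

ROW_RE = re.compile(
    r"^\s*(All|\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(STATIC|DYNAMIC)\s+(\S+)\s*$",
    re.IGNORECASE)


def parse_mac_table(output):
    """Return {(vlan, mac): (type, port)}; header, separator and total lines are ignored."""
    table = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            table[(vlan, mac.lower())] = (kind.upper(), port)
    return table


def moved_addresses(before, after):
    """Dynamic entries whose port differs between two snapshots.

    Returns (vlan, mac, old_port, new_port). A list that never empties out
    across successive snapshots is the relearning/flapping symptom of a loop.
    """
    moves = []
    for key, (kind, port) in after.items():
        if kind == "DYNAMIC" and key in before and before[key][1] != port:
            moves.append((key[0], key[1], before[key][1], port))
    return moves


def mismatched_hosts(table, expected):
    """Compare learned ports with the documented host-to-port mapping.

    expected: {(vlan, mac): port} from the network documentation. Returns
    (key, documented_port, learned_port) for each disagreement; learned_port
    is None when the address has not been learned at all.
    """
    bad = []
    for key, port in expected.items():
        learned = table.get(key)
        if learned is None or learned[1] != port:
            bad.append((key, port, None if learned is None else learned[1]))
    return bad


# Constructed documentation of where the two VLAN 1 hosts are cabled.
DOCUMENTED_HOSTS = {("1", "0010.29a0.01f7"): "Fa0/4",
                    ("1", "00b0.d04d.a4fa"): "Fa0/6"}

if __name__ == "__main__":
    t0, t1 = parse_mac_table(SNAPSHOT_T0), parse_mac_table(SNAPSHOT_T1)
    print(moved_addresses(t0, t1))            # the Fa0/4 host moved to Fa0/6
    print(mismatched_hosts(t1, DOCUMENTED_HOSTS))
```

Static entries are excluded from the move check because they never change without a configuration change; a documented mapping that disagrees with the table is the point at which the text's `clear mac-address-table dynamic` and a fresh look at the cabling become the next step.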

Page 3:
Although automatically detected on many devices, mismatched speed or duplex settings can prevent the link between the switch and end device from functioning. Some switches do not properly detect the speed and duplex of the connected device. If this is the suspected problem, lock down the values on the switch port to match the host device using the interface speed and duplex commands. To display both the speed and duplex settings of the port, use the command:
show interface interface_id

Switching loops are another potential source of connectivity issues. STP prevents bridging loops and broadcast storms by shutting down redundant paths in a switched network. If STP bases its decisions on inaccurate information, loops may occur. Indicators that a loop is present in a network include:
• Loss of connectivity to, from, and through affected network regions
• High CPU utilization on routers connected to affected segments
• High link utilization, up to 100%
• High switch backplane utilization as compared to the baseline utilization
• Syslog messages indicating packet looping, constant address relearning, or MAC address flapping
• Increasing number of output drops on many interfaces

9.2.1 - Troubleshooting Basic Switching
The diagram depicts the speed and duplex settings of a switch.

Network Topology
A switch, S1, has the Fast Ethernet ports Fa0/4, Fa0/2, and Fa0/6 in use. Fa0/2 on S1 is directly connected to the Fa0/2 of switch S2. Fa0/1 of S2 is directly connected to the Fa0/0 of router R1. The serial interface S0/1 of R1 is connected by serial link to the WAN cloud.

Items of interest are highlighted in the following output of S1:

S1# show interface FA0/6
FastEthernet0/6 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 000d.6563.bd06 (bia 000d.6563.bd06)
  {output omitted}
  Full-duplex, 100Mb/s

Page 4:
A loop develops when the switch does not receive BPDUs or is unable to process them. This problem could be due to:
• Misconfigurations
• Defective transceivers
• Hardware and cabling issues
• Overloaded processors

Overloaded processors disrupt STP and prevent the switch from processing the BPDUs. A port that is flapping causes multiple transitions to occur. These multiple transitions can overload the processors. This should be a rare occurrence in a properly configured network. To remedy this type of problem, remove as many of the redundant links as possible.

Another troubleshooting issue is suboptimal switching. Left to default values, STP does not always identify the best root bridge or root ports. The root bridge should normally be at the center of the network to provide for optimum switching. Changing the priority value on a switch can force the selection of the root bridge.

When troubleshooting STP, use the following commands:
To provide information about the STP configuration:
show spanning-tree
To provide information about the STP state of an individual port:
show spanning-tree interface interface_id

9.2.1 - Troubleshooting Basic Switching
The diagram depicts the output of the show spanning-tree command.

Network Topology
A switch, S1, has the Fast Ethernet ports Fa0/4, Fa0/2, and Fa0/6 in use. Fa0/2 on S1 is directly connected to the Fa0/2 of switch S2. Fa0/1 of S2 is directly connected to the Fa0/0 of router R1. The serial interface S0/1 of R1 is connected by serial link to the WAN cloud. The command, show spanning-tree, is entered and executed for each of the switches, S1 and S2.

S1# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000d.6563.0580
             Cost        19
             Port        2 (FastEthernet0/2)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000d.6563.bd00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Root FWD 19        128.2    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/6            Desg FWD 19        128.6    Shr

S2# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000d.6563.0580
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000d.6563.0580
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
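The two listings show why S2 became root: both switches carry the default priority 32769, so the tie is broken by the lower MAC address (000d.6563.0580 on S2 against 000d.6563.bd00 on S1). The following is an added example, not part of the course, that reads the Root ID and Bridge ID blocks from abbreviated copies of the outputs above, reproduces the election the switches perform, checks that every switch agrees on the same root, and computes the priority a designer would configure if a different switch is meant to sit at the center of the network. The `intended_root` argument is an assumption about the design; the abbreviated outputs are constructed from the page's listings.

```python
"""Determine the STP root bridge from `show spanning-tree` output of each switch.

Added example, not part of the course. The two outputs are abbreviated
versions of the S1 and S2 listings; `intended_root` is a design assumption.
"""
import re

S1_STP = """VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000d.6563.0580
             Cost        19
             Port        2 (FastEthernet0/2)
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000d.6563.bd00"""

S2_STP = """VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000d.6563.0580
             This bridge is the root
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000d.6563.0580"""

ROOT_RE = re.compile(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9a-f.]+)", re.S)
BRIDGE_RE = re.compile(r"Bridge ID\s+Priority\s+(\d+).*?Address\s+([0-9a-f.]+)", re.S)


def parse_bridge(output):
    """Return the local bridge's (priority, mac) and the root it currently believes in."""
    root = ROOT_RE.search(output)
    bridge = BRIDGE_RE.search(output)
    return {"root": (int(root.group(1)), root.group(2)),
            "bridge": (int(bridge.group(1)), bridge.group(2))}


def elect_root(switches):
    """switches: {name: parsed}. Lowest (priority, MAC) wins, exactly as the switches decide."""
    return min(switches, key=lambda name: switches[name]["bridge"])


def root_report(switches, intended_root):
    """Check that all switches agree on the root and that it is the intended one.

    Returns (elected, consistent, priority_to_set). priority_to_set is the
    multiple of 4096 that would let intended_root win the election if it does
    not already (None when it does); the shown priority includes the VLAN id
    (sys-id-ext), so the configured value is one 4096 step below the winner's.
    """
    elected = elect_root(switches)
    claimed_roots = {s["root"][1] for s in switches.values()}
    consistent = claimed_roots == {switches[elected]["bridge"][1]}
    fix = None
    if elected != intended_root:
        winner_priority = switches[elected]["bridge"][0]
        fix = max(0, (winner_priority // 4096 - 1) * 4096)
    return elected, consistent, fix


if __name__ == "__main__":
    switches = {"S1": parse_bridge(S1_STP), "S2": parse_bridge(S2_STP)}
    print(root_report(switches, intended_root="S2"))   # ('S2', True, None)
    print(root_report(switches, intended_root="S1"))   # ('S2', True, 28672)
```

A `consistent` value of False (switches naming different roots) is the "STP bases its decisions on inaccurate information" case from page 3 and should be investigated before any priority change; the returned priority is only meaningful once every switch is hearing the same BPDUs.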

Page 5:
Packet Tracer Activity
Troubleshoot host connectivity on a switch.
Click the Packet Tracer icon to begin.

9.2.1 - Troubleshooting Basic Switching
Link to Packet Tracer Exploration: Troubleshooting Host Connectivity on a Switch
Troubleshoot host connectivity on a switch.

9.2.2 Troubleshooting VLAN Configuration Issues
Page 1:
If the Physical Layer is functioning correctly and communication is still not occurring between end devices, check the VLAN configuration. If the non-functioning ports are in the same VLAN, the hosts must have IP addresses on the same network or subnet in order to communicate. If the non-functioning ports are in different VLANs, communication is only possible with the aid of a Layer 3 device, such as a router. If information is required on a specific VLAN, use the following command to display the ports assigned to that VLAN:
show vlan id vlan_number

If inter-VLAN routing is required, verify the following configurations:
• One port from each VLAN connects into a router interface or subinterface.
• Both the switch port and the router interface are configured with trunking.
• Both the switch and router interface are configured with the same encapsulation.

Newer switches default to 802.1Q, but some Cisco switches support both 802.1Q and the Cisco proprietary Inter-Switch Link (ISL) format. IEEE 802.1Q should be used whenever possible, because it is the de facto standard, and 802.1Q and ISL are not compatible.

9.2.2 - Troubleshooting VLAN Configuration Issues
The diagram depicts VLAN configuration issues.

Network Topology
Switch S1 is directly connected to switch S2, with the connection established between the two FastEthernet ports Fa0/2 on both switches. S2 has its FastEthernet Fa0/1 directly connected to the Fa0/0 of router R1. R1 has its serial interface S0/1 connected by serial link to the WAN cloud. Below is the output when the commands show vlan, show vlan brief, and show vlan id 101 are applied to S2.

S2# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/10, Fa0/11
                                                Fa0/14, Fa0/15, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
101  VLAN0101                         active    Fa0/5, Fa0/7, Fa0/8
102  VLAN0102                         active    Fa0/9, Fa0/12
103  VLAN0103                         active    Fa0/13, Fa0/16
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
101  enet  100101     1500  -      -      -        -    -        0      0
102  enet  100102     1500  -      -      -        -    -        0      0
103  enet  100103     1500  -      -      -        -    -        0      0
1002 enet  101002     1500  -      -      -        -    -        0      0
1003 enet  101003     1500  -      -      -        -    -        0      0
1004 enet  101004     1500  -      -      -        -    -        0      0
1005 enet  101005     1500  -      -      -        -    -        0      0

S2# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/10, Fa0/11
                                                Fa0/14, Fa0/15, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
101  VLAN0101                         active    Fa0/5, Fa0/7, Fa0/8
102  VLAN0102                         active    Fa0/9, Fa0/12
103  VLAN0103                         active    Fa0/13, Fa0/16
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

S2# show vlan id 101

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
101  VLAN0101                         active    Fa0/5, Fa0/7, Fa0/8

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
101  enet  100101     1500  -      -      -        -    -        0      0

Page 2:
When troubleshooting inter-VLAN issues, ensure that there is no IP address on the physical interface of the router. The interface must be active. To verify the interface configuration, use:
show ip interface brief
The network associated with each VLAN should be visible in the routing table. Use the command:
show ip route
If not, recheck all physical connections and trunk configuration on both ends of the link. If the router is not directly connected to the VLAN subnets, check the configuration of the routing protocol to verify that there is a route to each of the VLANs.

9.2.2 - Troubleshooting VLAN Configuration Issues
The diagram depicts the output of the commands show ip interface brief and show ip route when applied to R1.

Network Topology
Switch S1 is directly connected to switch S2, with the connection established between the two FastEthernet ports Fa0/2 on both switches. S2 has its FastEthernet Fa0/1 directly connected to the Fa0/0 of router R1. R1 has its serial interface S0/1 connected by serial link to the WAN cloud.

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES manual up                    up
FastEthernet0/0.100    10.100.20.1     YES manual up                    up
FastEthernet0/0.101    10.101.20.1     YES manual up                    up
FastEthernet0/0.102    10.102.20.1     YES manual up                    up
FastEthernet0/0.103    10.103.20.1     YES manual up                    up

FastEthernet0/1        unassigned      YES unset  administratively down down
Serial0/0/1            10.30.30.2      YES manual up                    up

R1# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C       10.30.30.2/32 is directly connected, Serial0/0/1
C       10.30.30.0/24 is directly connected, Serial0/0/1
C       10.100.20.0/24 is directly connected, FastEthernet0/0.100
C       10.101.20.0/24 is directly connected, FastEthernet0/0.101
C       10.102.20.0/24 is directly connected, FastEthernet0/0.102
C       10.103.20.0/24 is directly connected, FastEthernet0/0.103

Page 3:
Access or Trunk Port
Each switch port is either an access port or a trunk port. On some switch models, other switch port modes are available and the switch automatically configures the port to the appropriate status. It is sometimes advisable to lock the port into either access or trunk status to avoid potential problems with this detection process.

Native and Management VLANs
The native VLAN and management VLAN are VLAN1 by default. Untagged frames sent across a trunk are assigned to the native VLAN of the trunk line. For smoother, quicker transitions, each end of the 802.1Q trunk should be configured with the same native VLAN number. If the native VLAN assignment is changed on a device, verify that the native VLAN assignment is the same on all devices throughout the network. If one end of the trunk is configured for native VLAN10 and the other end is configured for native VLAN14, a frame sent from VLAN10 on one side is received on VLAN14 on the other. VLAN10 "leaks" into VLAN14. This can create unexpected connectivity issues and increase latency.

9.2.2 - Troubleshooting VLAN Configuration Issues
The animation depicts how VLAN traffic travels across a network.

Network Topology
A user is sitting at a desktop computer, which is directly connected to switch S1. S1 is acting as the Access Port and has a Native VLAN 10. S1 is connected to S2, and S2 has a Native VLAN 14. The connection between S1 and S2 uses Trunk Ports. The user issues the command, show CDP neighbors, which is sent across VLAN10 from S1 to S2. When the message reaches S2, it is re-labeled as VLAN 14. The response starts out from S2 labeled VLAN 14 and is re-labeled at S1 with VLAN 10.

Page 4:
Packet Tracer Activity
Troubleshoot inter-VLAN routing issues.
Click the Packet Tracer icon to begin.

9.2.2 - Troubleshooting VLAN Configuration Issues
Link to Packet Tracer Exploration: Troubleshooting Inter-VLAN Routing Issues
Troubleshoot inter-VLAN routing issues.
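The page 2 procedure for inter-VLAN routing (a subinterface per VLAN, the subinterface active, and a connected route for its subnet) is a cross-check between three command outputs, which makes it a natural thing to script. The following is an added example, not part of the course. It uses abbreviated copies of this section's `show vlan brief`, `show ip interface brief` and `show ip route` listings; to give the check something to find, the copy of the R1 output has the .103 subinterface shut down and its route missing, and the page's own mismatch (R1 has a .100 subinterface although S2 has no VLAN 100) is left in place.

```python
"""Cross-check switch VLANs against router subinterfaces and the routing table.

Added example, not part of the course. The three listings are abbreviated
from the S2 and R1 outputs in this section, with the .103 subinterface shut
down and its route removed so that the checker has problems to report.
"""
import re

SHOW_VLAN_BRIEF = """VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/10, Fa0/11
101  VLAN0101                         active    Fa0/5, Fa0/7, Fa0/8
102  VLAN0102                         active    Fa0/9, Fa0/12
103  VLAN0103                         active    Fa0/13, Fa0/16
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup"""

SHOW_IP_INT_BRIEF = """Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES manual up                    up
FastEthernet0/0.100    10.100.20.1     YES manual up                    up
FastEthernet0/0.101    10.101.20.1     YES manual up                    up
FastEthernet0/0.102    10.102.20.1     YES manual up                    up
FastEthernet0/0.103    10.103.20.1     YES manual administratively down down
Serial0/0/1            10.30.30.2      YES manual up                    up"""

SHOW_IP_ROUTE = """C    10.30.30.0/24 is directly connected, Serial0/0/1
C    10.100.20.0/24 is directly connected, FastEthernet0/0.100
C    10.101.20.0/24 is directly connected, FastEthernet0/0.101
C    10.102.20.0/24 is directly connected, FastEthernet0/0.102"""


def user_vlans(show_vlan):
    """Active VLAN ids from `show vlan brief`, skipping the reserved 1002-1005 defaults."""
    ids = []
    for line in show_vlan.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+(\S+)", line)
        if m and m.group(2) == "active" and int(m.group(1)) < 1002:
            ids.append(int(m.group(1)))
    return ids


def subinterfaces(show_ip_int):
    """{vlan: (ip, status, protocol)} for every dot1q subinterface (Fa0/0.<vlan>)."""
    out = {}
    for line in show_ip_int.splitlines():
        m = re.match(r"^(\S+?)\.(\d+)\s+(\S+)\s+YES\s+\S+\s+(.+?)\s+(up|down)\s*$", line)
        if m:
            out[int(m.group(2))] = (m.group(3), m.group(4).strip(), m.group(5))
    return out


def connected_interfaces(show_route):
    """Interfaces that own a connected ('C') route."""
    return {m.group(1) for m in
            re.finditer(r"^C\s+\S+ is directly connected, (\S+)", show_route, re.M)}


def intervlan_check(show_vlan, show_ip_int, show_route, physical="FastEthernet0/0"):
    """Return (vlan, problem) pairs; an empty list means every VLAN is routable."""
    problems = []
    vlans = user_vlans(show_vlan)
    subs = subinterfaces(show_ip_int)
    routed = connected_interfaces(show_route)
    for vlan in vlans:
        sub = subs.get(vlan)
        if sub is None:
            problems.append((vlan, "no router subinterface"))
            continue
        ip, status, proto = sub
        if ip == "unassigned":
            problems.append((vlan, "subinterface has no IP address"))
        elif status != "up" or proto != "up":
            problems.append((vlan, f"subinterface is {status}/{proto}"))
        elif f"{physical}.{vlan}" not in routed:
            problems.append((vlan, "no connected route in the routing table"))
    for vlan in subs:                      # the reverse direction
        if vlan not in vlans:
            problems.append((vlan, "router subinterface but VLAN absent on switch"))
    return problems


if __name__ == "__main__":
    for vlan, problem in intervlan_check(SHOW_VLAN_BRIEF, SHOW_IP_INT_BRIEF, SHOW_IP_ROUTE):
        print(f"VLAN {vlan}: {problem}")
```

VLAN 1 is reported because the router has no subinterface for it; whether that is a finding or by design depends on the documentation (VLAN 1 is often kept as an unrouted native or management VLAN, as page 3 describes), which is why the checker reports rather than decides.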

To display the VTP version in use on a device, the VTP mode, the VTP domain name, and the VTP revision number, issue the command: show vtp status. To modify the VTP version number, use: vtp version <1 | 2>

9.2.3 - Troubleshooting VTP
The diagram depicts the outputs of the command show vtp status when applied to S2 and S1.

Network Topology: S1 has its three FastEthernet ports Fa0/4, Fa0/6, and Fa0/2 in use. S2 is connected to S1 via Fa0/2 on both switches. S2 has its Fa0/1 in use and is connected to the Fa0/0 of R1. The serial interface of R1, S0/1, is in use and connected to the WAN cloud.

The following outputs of the show vtp status command for each switch can be viewed in their entirety by configuring VTP and then using the show command to view the configuration changes in the lab attached to this module.

S2# show vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 64
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : Toronto
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A
Configuration last modified by 10.100.20.2 at 9-17-07 20:26:40
Local updater ID is 10.100.20.2 on interface Vl1 (lowest numbered VLAN interface found)

S1# show vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 64
Number of existing VLANs        : 8
VTP Operating Mode              : Client
VTP Domain Name                 : Toronto
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

MD5 digest                      : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A
Configuration last modified by 10.100.20.2 at 9-17-07 20:26:40

Page 2: VTP clients and servers use the VTP revision number to decide if they should update their VLAN information. If the revision number of the update is higher than the revision number currently in use, the client and server use the information to update the configuration. The revision number is stored in NVRAM and erasing the start-up configuration on the switch does not reset this value. To reset the revision number, either set the switch mode to transparent or change the VTP domain name. Always check the VTP revision information and mode on any switch before allowing it to join the network.

It is also a problem if a rogue switch joins the domain and modifies VLAN information. To prevent this situation, it is important to configure a password on the VTP domain. To set a VTP password for the domain, use the global configuration command: vtp password password. When configured, the authentication password must be the same on all devices in the VTP domain. To verify the password, use the command: show vtp password. If updates are not propagating to a new switch in the VTP domain, suspect the password.

9.2.3 - Troubleshooting VTP
The animation depicts a new switch updating a VTP domain during the following two scenarios: without a VTP password, and with a VTP password.

Network Topology: The server, S2, connects to the client, S1. The Fa0/2 of S1 connects to the server S2 Fa0/2. S2 Fa0/1 connects to the Fa0/0 of R1. R1 S0/1 connects via serial link to the WAN cloud.

No VTP Password: S2 sends a message to the client switch, S1, about VLANs: "I must tell the clients about VLAN 100, 101, 102, and 103. I will send out revision 5 to let them know." After the message is received by S1, it responds by stating, "Thank you for revision 5. I now know about these VLAN 100, 101, 102 and 103."
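The "check the revision information and mode before allowing a switch to join" rule from Page 2, applied as a pre-join check over show vtp status output. This is an added example, not course material; the three outputs are constructed to mirror the animation (S2 at revision 5, a switch with an old configuration at revision 17) and the MD5 digest values are constructed.

```python
import re

# Added example, not part of the course: parse "show vtp status" from the
# domain's server and from a switch about to be connected, and report what
# would happen on join. The outputs and digests below are constructed.
SHOW_VTP_STATUS = {
    "S2": """VTP Version                     : 2
Configuration Revision          : 5
VTP Operating Mode              : Server
VTP Domain Name                 : Toronto
MD5 digest                      : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A""",
    "S1": """VTP Version                     : 2
Configuration Revision          : 5
VTP Operating Mode              : Client
VTP Domain Name                 : Toronto
MD5 digest                      : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A""",
    "S3": """VTP Version                     : 2
Configuration Revision          : 17
VTP Operating Mode              : Server
VTP Domain Name                 : Toronto
MD5 digest                      : 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08""",
}

# "Field name   : value" lines as printed by show vtp status
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<val>.+?)\s*$", re.MULTILINE)

def parse_vtp_status(text):
    """Reduce the output to the fields the pre-join check needs."""
    raw = {m.group("key").strip(): m.group("val") for m in FIELD_RE.finditer(text)}
    return {
        "version": int(raw["VTP Version"]),
        "revision": int(raw["Configuration Revision"]),
        "mode": raw["VTP Operating Mode"],
        "domain": raw["VTP Domain Name"],
        "digest": raw["MD5 digest"],
    }

def prejoin_findings(domain_server, candidate):
    """Compare a candidate switch against the domain's server.
    Returns a list of (code, explanation); an empty list means safe to join."""
    findings = []
    if candidate["domain"] != domain_server["domain"]:
        findings.append(("DOMAIN_MISMATCH",
                         "different VTP domain name: no VLAN information will be exchanged"))
        return findings  # the remaining checks only matter inside one domain
    if candidate["version"] != domain_server["version"]:
        findings.append(("VERSION_MISMATCH", "VTP version differs from the domain"))
    # A server OR a client with a higher revision overwrites the whole domain.
    if candidate["mode"] in ("Server", "Client") and candidate["revision"] > domain_server["revision"]:
        findings.append(("HIGHER_REVISION",
                         f"revision {candidate['revision']} > {domain_server['revision']}: its VLAN "
                         "database would replace the domain's; reset it (transparent mode or a "
                         "new domain name) before connecting"))
    if candidate["digest"] != domain_server["digest"]:
        findings.append(("DIGEST_MISMATCH",
                         "MD5 digest differs: VLAN database or VTP password is not the same"))
    return findings
```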

" This message is sent to S2. it states." S3 now sends this message to S1. Click the Packet Tracer icon to begin. which states. and 168 from an old configuration. I must tell them what I know. and 168. 23. 23. Now that I am connected to the other switches.The VTP Server switch. Since you do not have the correct password. 102. I will send out revision 17 to let everyone know." Since the S1 did not recognize the password that accompanied the revision number information. S1 states.3 . is added. "I now know about V LAN's 100.Troubleshooting VTP Link to Packet Tracer Exploration: Troubleshooting VTP Issues Troubleshoot and correct VTP issues. I will use the VTP domain password cisco. S3. 9. "I now know about V LAN 17. I will not accept your update. 23. "I must tell the clients about V LAN 100. 23.3 Troubleshooting Routing Issues . it rejects the update. 101. 102. "I have information about V LAN 17. "Revision 17 is higher than revision 5 so it must have newer information. and 168 while S1 states. "Thank you for revision 5." S1 sends a message back to S2 stating. I must tell them what I know." The VTP Server switch. "Sorry. and 103. Now that I am connected to the other switches. 101. and 168 from an old configuration. I will send out revision 5 to let them know. "I have information about V LAN 17.2. now sends this message to S1." S3. Page 3: Packet Tracer Activity Troubleshoot and correct VTP Issues. When S1 receives the update. "I now know about V LAN 17. The password is correct." VTP password S2 states. I will send out revision 17 to let everyone know. So they know it is from me. and 103. and states. S3." S2 sends the message to S1. When S1 receives the update. appears and states. 9. it states. so I will accept the information.

9.3.1 RIP Issues
Page 1: Many tools exist for troubleshooting routing issues. These include IOS show commands, debug commands, and TCP/IP utilities such as ping, traceroute, and telnet.

The show commands display a snapshot of a configuration or of a particular component. The show commands are important tools for understanding the status of a router, detecting neighboring routers, isolating problems in the network, and monitoring the network in general.

The debug commands are dynamic and provide real-time information on traffic movement and the interaction of protocols. Use debug commands to isolate problems, not to monitor normal network operation. Before using the debug command, narrow the problems to a likely subset of causes.

Use TCP/IP utilities such as ping for verifying connectivity. Use a combination of show commands and debug commands to troubleshoot RIP routing protocol issues.

9.3.1 - RIP Issues
The diagram depicts a network, and shows a screen capture of some of the various show commands.

Network Topology: There are two routers, R1 and R2. R1 has network 192.168.1.0/24 on interface Fa0/0. R2 has network 192.168.2.0/24 on interface Fa0/0. R1 is connected to R2 via serial link (R1: S0/0/0 to R2: S0/0/0, network 172.20.1.0/30). Only sections of each command are shown below. All other output from the commands is omitted. Complete outputs are available in the Hands-on Labs or Packet Tracer Activities.

R1# show ip protocols
Default version control: send version 2, receive version 2
Routing for Networks:
  172.20.0.0
  192.168.1.0

R1# show running-config
interface FastEthernet0/0
 description LAN gateway for 192.168.1.0
 ip address 192.168.1.1 255.255.255.0
interface Serial0/0/0
 description WAN link to R2
 ip address 172.20.1.1 255.255.255.252
router rip

 version 2
 passive-interface FastEthernet0/0
 network 172.20.0.0
 network 192.168.1.0

R1# show interfaces
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  Auto-duplex, Auto Speed, 100BaseTX/FX

R1# show ip interface
FastEthernet0/0 is up, line protocol is up
  Multicast reserved groups joined: 224.0.0.9
Serial0/0/0 is up, line protocol is up
  Multicast reserved groups joined: 224.0.0.9

R1# show ip route
(No output is highlighted here for this command.)

R1# debug ip rip
*Sep 12 21:09:16.399: RIP: received v2 update from 172.20.1.2 on Serial0/0/0

Page 2: RIP is a fairly basic and simple protocol to configure. However, some common issues can arise when configuring RIP routers. Compatibility issues exist between RIPv1 and RIPv2. In addition to the issues identified here, it is always important to remember that RIP has a hop count limit of 15 hops. This limitation alone can be a problem in a large enterprise network.

If the RIP routes are not being advertised, check for the following problems:
• Layer 1 or Layer 2 connectivity issues
• Requirements for VLSM subnetting but using RIPv1
• RIPv1 and RIPv2 routing configurations mismatched
• Network statements missing or incorrect
• Interface IP addressing incorrect
• Outgoing interface is down
• Advertised network interface is down
• Passive interface misconfigurations

When testing with the show ip route command, it is a good idea to clear the routing tables using the clear ip route * command.
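The "RIPv1 and RIPv2 routing configurations mismatched" item from the checklist, checked from the per-interface Send/Recv columns of show ip protocols on both ends of a link, together with a classifier for debug ip rip lines so ignored updates stand out. Added example, not course material; the two show ip protocols texts are constructed after R1 and R2 on this page.

```python
import re

# Added example, not from the course: compare the RIP send/receive versions
# configured on the two ends of a link, and classify "debug ip rip" lines.
# Both texts below are constructed after the R1/R2 outputs on this page.
R1_PROTOCOLS = """Default version control: send version 2, receive version 2
  Interface             Send  Recv  Triggered RIP  Key-chain
  Serial0/0/0           2     2"""

R2_PROTOCOLS = """Default version control: send version 2, receive version 2
  Interface             Send  Recv  Triggered RIP  Key-chain
  Serial0/0/0           1     1 2"""

# One table row: interface name, Send version, Recv version(s)
ROW_RE = re.compile(r"^\s*(?P<intf>[A-Za-z]+\d[\d/.]*)\s+(?P<send>[12])\s+(?P<recv>[12](?: [12])?)",
                    re.MULTILINE)

def parse_rip_versions(text):
    """Map interface name -> {'send': versions sent, 'recv': versions accepted}."""
    table = {}
    for m in ROW_RE.finditer(text):
        table[m.group("intf")] = {"send": {int(m.group("send"))},
                                  "recv": {int(v) for v in m.group("recv").split()}}
    return table

def rip_version_problems(local, remote):
    """Problems between two interface entries that face each other on a link."""
    problems = []
    if not (local["send"] & remote["recv"]):
        problems.append("our updates use a version the peer does not accept")
    if not (remote["send"] & local["recv"]):
        problems.append("the peer's updates use a version we ignore")
    return problems

# The two debug ip rip lines worth reacting to: an accepted update and a
# packet dropped for "illegal version".
DEBUG_RE = re.compile(r"RIP: (?:ignored v(?P<bad>\d) packet from (?P<bad_src>\S+) \(illegal version\)"
                      r"|received v(?P<ver>\d) update from (?P<src>\S+))")

def classify_debug_line(line):
    """('IGNORED', source, version), ('RECEIVED', source, version) or None."""
    m = DEBUG_RE.search(line)
    if not m:
        return None
    if m.group("bad"):
        return ("IGNORED", m.group("bad_src"), int(m.group("bad")))
    return ("RECEIVED", m.group("src"), int(m.group("ver")))
```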

9.3.1 - RIP Issues
The diagram depicts a network, and a screen capture of some of the various show commands.

Network Topology: There are two routers, R1 and R2. R1 has network 192.168.1.0/24 on interface Fa0/0. R2 has network 192.168.2.0/24 on interface Fa0/0. R1 is connected to R2 via serial link (R1: S0/0/0 to R2: S0/0/0, network 172.20.1.0/30). Only sections of each command are shown below. All other output from the commands is omitted. Complete outputs are available in the Hands-on Labs or Packet Tracer Activities.

R1# show ip protocols
Default version control: send version 2, receive version 2
  Interface             Send  Recv  Triggered RIP  Key-chain
  Serial0/0/0           2     2

R1# debug ip rip
*Sep 12 22:09:08.147: RIP: sending v2 update to 224.0.0.9 via Serial0/0/0 (172.20.1.1)
*Sep 12 22:09:08.223: RIP: ignored v1 packet from 172.20.1.2 (illegal version)

R1# show ip route
(No output is highlighted here for this command.)

R2# show ip protocols
Default version control: send version 2, receive version 2
  Interface             Send  Recv  Triggered RIP  Key-chain
  Serial0/0/0           1     1 2

Page 3: Packet Tracer Activity
Troubleshoot RIP using show and debug commands. Click the Packet Tracer icon to begin.

9.3.1 - RIP Issues
Link to Packet Tracer Exploration: Troubleshooting RIP. Troubleshooting RIP using show and debug commands.

Page 4:

Lab Activity
Troubleshoot RIPv2 routing issues. Click the lab icon to begin.

9.3.1 - RIP Issues
Link to Hands-on Lab: Troubleshooting RIP v2 Routing Issues. Troubleshoot RIP v2 routing issues.

9.3.2 EIGRP Issues
Page 1: A number of IOS show commands and debug commands are the same for troubleshooting EIGRP routing issues as they are for RIP. Commands specific to troubleshooting EIGRP include:

show ip eigrp neighbors: Displays neighbor IP addresses and the interface on which they were learned.
show ip eigrp topology: Displays the topology table of known networks with successor routes, feasible distance, status codes, and interface.
show ip eigrp traffic: Displays EIGRP traffic statistics for the AS configured, including hello packets sent/received, updates, and so on.

debug eigrp packets: Displays real-time EIGRP packet exchanges between neighbors.
debug ip eigrp: Displays real-time EIGRP events, such as link status changes and routing table updates.

9.3.2 - EIGRP Issues
The diagram depicts a network, and shows a screen capture of some of the show commands.

Network Topology: There are three routers, R1, R2, and R3. R1 has network 192.168.1.0/24 attached to the Fa0/0 interface. R2 has network 192.168.2.0/24 attached to the Fa0/0 interface. R3 has network 192.168.3.0/24 attached to the Fa0/0 interface. R1 is connected to R2 via serial link (R1: S0/0/0, R2: S0/0/0, network 172.20.1.0/30). R1 is connected to R3 via serial link (R1: S0/0/1, R3: S0/0/1, network 172.20.1.4/30). R2 is connected to R3 via serial link (R2: S0/0/1, R3: S0/0/0, network 172.20.1.8/30). Only sections of each command are shown below. All other output from the commands is omitted. Complete outputs are available in the Hands-on Labs or Packet Tracer Activities.

R1# show ip route
D    192.168.2.0/24 [90/2172416] via 172.20.1.2, 00:11:53, Serial0/0/0
D    192.168.3.0/24 [90/2172416] via 172.20.1.6, 00:11:53, Serial0/0/1

R1# show ip protocols
Redistributing: eigrp 101
Routing for Networks:
  172.20.1.0/30
  172.20.1.4/30
  192.168.1.0

R1# show ip interface
  Multicast reserved groups joined: 224.0.0.10

R1# show running-config
interface FastEthernet0/0
 description LAN gateway for 192.168.1.0 net
 ip address 192.168.1.1 255.255.255.0
interface Serial0/0/0
 description WAN link to R2
 ip address 172.20.1.1 255.255.255.252

interface Serial0/0/1
 description WAN link to R3
 ip address 172.20.1.5 255.255.255.252
router eigrp 101
 network 172.20.1.0 0.0.0.3
 network 172.20.1.4 0.0.0.3
 network 192.168.1.0
 no auto-summary

R1# show ip eigrp neighbors
H   Address         Interface   Hold  Uptime    SRTT  RTO   Q    Seq
                                (sec)           (ms)        Cnt  Num
1   172.20.1.6      Se0/0/1     12    00:13:59  18    200   0    21
0   172.20.1.2      Se0/0/0     10    00:15:29        200   0

R1# show ip eigrp topology
(No output is highlighted here for this command.)

R1# show ip eigrp traffic
  Hellos sent/received: 1102/469
  Updates sent/received: 10/19
  Queries sent/received: 0/5
  Replies sent/received: 5/0
  Acks sent/received: /11

R1# debug eigrp packets
(No output is highlighted here for this command.)

R1# debug ip eigrp
(No output is highlighted here for this command.)

Page 2: Certain issues commonly occur when configuring the EIGRP protocol. Possible reasons why EIGRP may not be working are:

• Layer 1 or Layer 2 connectivity issues exist.
• AS numbers on EIGRP routers are mismatched.
• The link may be congested or down.
• The outgoing interface is down.
• The interface for an advertised network is down.
• An interface has incorrect addressing or subnet mask.
• The wrong network or incorrect wildcard mask is specified in the routing process.

If auto-summarization is enabled on routers with discontiguous subnets, routes may not be advertised correctly.

9.3.2 - EIGRP Issues
The diagram depicts a network, and shows a screen capture of some of the EIGRP related show commands.

Network Topology: There are three routers, R1, R2, and R3. R1 has network 192.168.1.0/24 attached to the Fa0/0 interface. R2 has network 192.168.2.0/24 attached to the Fa0/0 interface. R3 has network 192.168.3.0/24 attached to the Fa0/0 interface. R1 is connected to R2 via serial link (R1: S0/0/0, R2: S0/0/0, network 172.20.1.0/30). R1 is connected to R3 via serial link (R1: S0/0/1, R3: S0/0/1, network 172.20.1.4/30). R2 is connected to R3 via serial link (R2: S0/0/1, R3: S0/0/0, network 172.20.1.8/30). Only sections of each command are shown below. All other output from the commands is omitted. Complete outputs are available in the Hands-on Labs or Packet Tracer Activities.

R1# show ip eigrp neighbors
IP-EIGRP neighbors for process 101
NOTE: Using AS#/process 101, the only neighbor adjacency formed is with R3.

R2# show ip eigrp neighbors
IP-EIGRP neighbors for process 11
NOTE: Using AS#/process 11, no neighbor adjacencies have formed. R2 is configured with the wrong AS number.

R1# show ip route
NOTE: Missing route 192.168.2.0/24 in the routing table.

R2# show ip route
NOTE: No routes learned from other EIGRP routers. Check EIGRP configuration on R1 and R3.

Page 3: Packet Tracer Activity
Troubleshoot common EIGRP issues using show and debug commands. Click the Packet Tracer icon to begin.

9.3.2 - EIGRP Issues
Link to Packet Tracer Exploration: Troubleshooting Common EIGRP Issues. Troubleshoot common EIGRP issues using show and debug commands.

9.3.3 OSPF Issues
Page 1: The majority of problems encountered with OSPF relate to the formation of adjacencies and the synchronization of the link-state databases.

OSPF Troubleshooting Issues
• Neighbors must be part of the same OSPF area.
• Interfaces for neighbors must have compatible IP addresses and subnet masks.
• Routers in an area should have the same OSPF hello interval and dead interval.
• Authentication must be correctly configured on routers for communication to occur.
• The routers must advertise the correct networks for interfaces to participate in the OSPF process.
• The appropriate wildcard masks must be used to advertise the correct IP address ranges.

In addition to the standard show and debug commands, the following commands assist troubleshooting OSPF issues:
• show ip ospf
• show ip ospf neighbor
• show ip ospf interface
• debug ip ospf events
• debug ip ospf packet

9.3.3 - OSPF Issues
The diagram depicts a network, and shows a screen capture of several OSPF show commands.

Network Topology: There are three routers, R1, R2, and R3. R1 is connected to R2 via serial link (R1: S0/0/0, R2: S0/0/0, network 172.20.1.0/30). R1 is connected to R3 via serial link (R1: S0/0/1, R3: S0/0/1, network 172.20.1.4/30). R2 is connected to R3 via serial link (R2: S0/0/1, R3: S0/0/0, network 172.20.1.8/30).

R1 has network 192.168.1.0/24 attached to the Fa0/0 interface. R2 has network 192.168.2.0/24 attached to the Fa0/0 interface. R3 has network 192.168.3.0/24 attached to the Fa0/0 interface. Only the highlighted parts of each command from R1 are shown below. All other output from the commands is omitted. Complete outputs are available in the Hands-on Labs or Packet Tracer Activities.

show ip ospf: Displays information about the OSPF routing process, Router ID, areas, number of interfaces, authentication, and how often the SPF algorithm executes. SPF executions indicate a change in the topology, such as a router being added or a network link going down.

R1# show ip ospf
Routing Process "ospf 1" with ID 192.168.1.1
  Area BACKBONE(0)
    Number of interfaces in this area is 3
    Area has no authentication
    SPF algorithm last executed 00:08:48.240 ago
    SPF algorithm executed 6 times

show ip ospf neighbor: Displays neighbor ID, the IP addresses of the neighbor interfaces, and the interface on which they were learned. Useful for troubleshooting adjacency problems.

R1# show ip ospf neighbor
Neighbor ID     Pri   State     Dead Time   Address      Interface
192.168.2.1       1   FULL/  -  00:00:37    172.20.1.2   Serial0/0/0
192.168.3.1       1   FULL/  -  00:00:31    172.20.1.6   Serial0/0/1

show ip ospf interface: Displays Router ID, Network Type, Interface priority, link cost, DR ID, State, Timer intervals configured, and Neighbor adjacency information.

R1# show ip ospf interface
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.1.1/24, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type BROADCAST, Cost: 1
  Neighbor Count is 0, Adjacent neighbor count is 0
Serial0/0/1 is up, line protocol is up
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_POINT, Cost: 64

debug ip ospf events: Displays real-time OSPF exchanges between neighbors, including hellos and LSA.

R1# debug ip ospf events
*Sep 14 17:23:00.351: OSPF: Send hello to 224.0.0.5 area 0 on Serial0/0/1 from 172.20.1.5
*Sep 14 17:23:00.655: OSPF: Rcv hello from 192.168.3.1 area 0 from Serial0/0/1 172.20.1.6
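Two of the points above worked in code, as an added example that is not course material: the link-cost rule (reference bandwidth divided by interface bandwidth, which the True/False scenarios that follow rely on), and a comparison of two show ip ospf interface blocks against the adjacency requirements (same area, same hello/dead timers, same network type, same subnet). The R1 block is constructed after this page's output; the peer block is a constructed, deliberately misconfigured end.

```python
import re
import ipaddress

# Added example, not from the course. Both interface blocks are constructed:
# R1's Serial0/0/1 as on this page, and a hypothetical peer end whose area
# and timers do not match.
R1_S0_0_1 = """Serial0/0/1 is up, line protocol is up
  Internet Address 172.20.1.5/30, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5"""

PEER_S0_0_1 = """Serial0/0/1 is up, line protocol is up
  Internet Address 172.20.1.6/30, Area 1
  Process ID 1, Router ID 192.168.3.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5"""

def ospf_cost(bandwidth_kbps, reference_mbps=100):
    """Cisco default cost: 100 Mbps reference bandwidth divided by the
    interface bandwidth, truncated to an integer and never below 1.
    Bandwidth is given in kbps as 'show interfaces' reports it (T1 = 1544)."""
    return max(1, (reference_mbps * 1000) // bandwidth_kbps)

def parse_ospf_interface(text):
    """Pull the fields the adjacency checks need out of one interface block."""
    addr = re.search(r"Internet Address (\S+)/(\d+), Area (\S+)", text)
    ntype = re.search(r"Network Type ([A-Z_]+)", text)
    timers = re.search(r"Hello (\d+), Dead (\d+)", text)
    ip, plen, area = addr.groups()
    return {"ip": ip, "prefixlen": int(plen), "area": area,
            "network_type": ntype.group(1),
            "hello": int(timers.group(1)), "dead": int(timers.group(2))}

def adjacency_problems(local, remote):
    """Reasons two parsed interface ends will not reach the FULL state."""
    problems = []
    if local["area"] != remote["area"]:
        problems.append("area mismatch")
    if (local["hello"], local["dead"]) != (remote["hello"], remote["dead"]):
        problems.append("hello/dead timer mismatch")
    if local["network_type"] != remote["network_type"]:
        problems.append("network type mismatch")
    net = ipaddress.ip_network(f"{local['ip']}/{local['prefixlen']}", strict=False)
    if local["prefixlen"] != remote["prefixlen"] or ipaddress.ip_address(remote["ip"]) not in net:
        problems.append("not on the same subnet")
    return problems
```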

debug ip ospf packet: Displays real-time information for each OSPF packet received.

R1# debug ip ospf packet
(No output is highlighted here for this command.)

Page 2:
9.3.3 - OSPF Issues
The diagram depicts an activity in which you must determine whether the statements are True or False for each scenario, using the network topology below.

Network Topology: There are three routers, R1, R2, and R3. R1 has network 192.168.1.0/24 attached to the Fa0/0 interface. R2 has network 192.168.2.0/24 attached to the Fa0/0 interface. R3 has network 192.168.3.0/24 attached to the Fa0/0 interface. R1 is connected to R2 via serial link (R1: S0/0/0, R2: S0/0/0, network 172.20.1.0/30). R1 is connected to R3 via serial link (R1: S0/0/1, R3: S0/0/1, network 172.20.1.4/30). R2 is connected to R3 via serial link (R2: S0/0/1, R3: S0/0/0, network 172.20.1.8/30).

Scenario 1
R1# show ip protocols
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 192.168.1.1
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    172.20.1.0 0.0.0.3 area 0
    172.20.1.4 0.0.0.3 area 0
    192.168.1.0 0.0.0.255 area 0
  Reference bandwidth unit is 100 mbps
  Routing Information Sources:
    Gateway         Distance      Last Update
    192.168.2.1          110      01:44:03
    192.168.3.1          110      01:44:03
  Distance: (default is 110)

Statements, True or False:
One. This router has 3 network statements defined in the OSPF routing process.
Two. The OSPF Administrative Distance is 100.
Three. Network 172.20.1.3 has 4 IP addresses in it.
Four. When calculating link cost on this router the reference bandwidth of 100,000,000 is divided by the bandwidth of the interface.
Five. The highest numbered interface IP address on this router is 192.168.1.1.

Scenario 2
R1# show ip ospf
*** Some output omitted ***
Routing Process "ospf 1" with ID 192.168.1.1
Start time: 00:08:40.552, Time elapsed: 00:17:56.340
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0

  Area BACKBONE(0)
    Number of interfaces in this area is 3
    Area has no authentication
    SPF algorithm last executed 00:08:00.000 ago
    SPF algorithm executed 6 times

Statements, True or False:
One. The OSPF process ID for this router is 192.168.1.1.
Two. This router is a border router between Area 0 and Area 1.
Three. No topology changes involving this router have taken place in the last 24 hours.
Four. This router has 3 OSPF interfaces.
Five. Other routers must authenticate with this router to form an adjacency.

Scenario 3
R1# show ip ospf interface
[output omitted]
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.1.1/24, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type BROADCAST, Cost: 1
  Transit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 192.168.1.1, Interface address 192.168.1.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 0, Adjacent neighbor count is 0
Serial0/0/1 is up, line protocol is up
  Internet Address 172.20.1.5/30, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.3.1
Serial0/0/0 is up, line protocol is up
  Internet Address 172.20.1.1/30, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.2.1

Statements, True or False:
One. This router has three OSPF interfaces that are up.
Two. The OSPF network type for interface S0/0/0 is Broadcast.
Three. This router is a Designated Router (DR) for the 192.168.1.0 network.
Four. This router has only one adjacent neighbor.
Five. Link S0/0/1 is point-to-point with a cost 64 indicating it is a T1.

Scenario 4
R1# show ip route
[output omitted]
Gateway of last resort is not set
     172.20.0.0/30 is subnetted, 3 subnets
O       172.20.1.8 [110/128] via 172.20.1.6, 00:02:55, Serial0/0/1
                   [110/128] via 172.20.1.2, 00:02:55, Serial0/0/0
C       172.20.1.0 is directly connected, Serial0/0/0
C       172.20.1.4 is directly connected, Serial0/0/1

C    192.168.1.0/24 is directly connected, FastEthernet0/0
O    192.168.2.0/24 [110/65] via 172.20.1.2, 00:02:55, Serial0/0/0
O    192.168.3.0/24 [110/65] via 172.20.1.6, 00:02:55, Serial0/0/1

Statements, True or False:
One. There are two equal-cost routes to the 172.20.1.8 network from this router.
Two. The OSPF cost of the route to the 192.168.2.0 network is 128.
Three. This router learned about network 192.168.3.0 from R3.
Four. The IP address for the next hop interface for network 192.168.3.0 is 172.20.1.6.
Five. R1 receives updates from R3 on FastEthernet 0/0.

Scenario 5
R1# debug ip ospf packet
OSPF packet debugging is on
R1#
*Sep 14 17:26:36.475: OSPF: rcv. v:2 t:1 l:48 rid:192.168.2.1 aid:0.0.0.0 chk:674B aut:0 auk: from Serial0/0/0
*Sep 14 17:26:40.651: OSPF: rcv. v:2 t:1 l:48 rid:192.168.3.1 aid:0.0.0.0 chk:664B aut:0 auk: from Serial0/0/1
*Sep 14 17:26:46.475: OSPF: rcv. v:2 t:1 l:48 rid:192.168.2.1 aid:0.0.0.0 chk:674B aut:0 auk: from Serial0/0/0
*Sep 14 17:26:50.651: OSPF: rcv. v:2 t:1 l:48 rid:192.168.3.1 aid:0.0.0.0 chk:664B aut:0 auk: from Serial0/0/1

Statements, True or False:
One. The router is receiving OSPF version 2 packets.
Two. The packet type being received is Hello packets.
Three. This router is receiving packets from R2 on S0/0/1.
Four. MD5 authentication is being used on this router.
Five. The router is receiving OSPF packets from two other routers.

Page 3: Lab Activity
Troubleshoot OSPF routing issues. Click the lab icon to begin.

9.3.3 - OSPF Issues
Link to Hands-on Lab: Troubleshooting OSPF Routing Issues. Troubleshoot OSPF routing issues.

9.3.4 Route Redistribution Issues

Page 1: Configuring a static default route on an edge router provides a gateway of last resort for packets destined for IP addresses outside the network. Although this configuration provides a solution for the edge router, it does not provide a way out of the internal network for other internal routers. One solution is to configure a default route on each internal router that points to the next hop or edge router. However, this method does not scale well with large networks.

A better solution uses the routing protocol to propagate the default route on the edge router to other internal routers. All routing protocols, including RIP, EIGRP, and OSPF, provide mechanisms to accomplish this. With each routing protocol, configure a default quad 0 static route on the edge router:

ip route 0.0.0.0 0.0.0.0 S0/0/0

Next, configure the edge router to send or propagate its default route to the other routers. With RIP and OSPF, enter router configuration mode and use the command default-information originate. EIGRP redistributes default routes directly; the redistribute static command can also be used.

Failure to properly implement default route redistribution prevents users that are connected to internal routers from accessing external networks.

9.3.4 - Route Redistribution Issues
The diagram depicts a network, and shows screen captures of some of the various commands used for RIP, EIGRP and OSPF.

Network Topology: There are three routers, R1, R2, and ISP. R1 has network 192.168.1.0/24 attached on the Fa0/0 interface. R2 has network 192.168.2.0/24 attached on the Fa0/0 interface. ISP has network 10.1.1.0/24 attached on Lo0. R1 is connected to R2 via serial link (R1: S0/0/0, R2: S0/0/0, network 172.20.1.0/30). R2 is connected to ISP via serial link (R2: S0/0/1, ISP: S0/0/0, network 209.165.200.224/30). Only sections of each output from R1 and R2 are shown below. All other output from the commands is omitted. Complete outputs are available in the Hands-on Labs or Packet Tracer Activities.

RIP
R2# show running-config

(No output is highlighted here for this command.)

R2# show ip route
Gateway of last resort is 209.165.200.226 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 209.165.200.226

EIGRP
R2# show running-config
(No output is highlighted here for this command.)

R1# show ip route
Gateway of last resort is 209.165.200.226 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 209.165.200.226

OSPF
R2# show running-config
(No output is highlighted here for this command.)

R2# show ip route
Gateway of last resort is 209.165.200.226 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 209.165.200.226

Page 2: Lab Activity
Troubleshoot default route redistribution with EIGRP. Click the lab icon to begin.

9.3.4 - Route Redistribution Issues
Link to Hands-on Lab: Troubleshooting EIGRP Default Route Redistribution. Troubleshoot default route redistribution with EIGRP.

Page 3: Lab Activity
Troubleshoot OSPF router configurations to determine why a default route is not being redistributed. Click the lab icon to begin.

9.3.4 - Route Redistribution Issues
Link to Hands-on Lab: Troubleshooting OSPF Default Route Redistribution. Troubleshoot OSPF router configurations to determine why a default route is not being redistributed.

9.4 Troubleshooting WAN Configurations
9.4.1 Troubleshooting WAN Connectivity
Page 1: When configuring WAN interfaces, a number of potential problem areas can surface. Some of these problems are unavoidable if the network administrator only has control over one end of the link and the ISP controls the other end. In this case, the network administrator uses the configuration information provided by the ISP to ensure connectivity.

At the Physical Layer, the most common problems involve clocking, cable types, and loose or faulty connectors. Serial line connections link a DCE device to a DTE device. Two different types of cables exist for connecting devices: DTE and DCE. Usually the DCE device at the service provider provides that clocking signal.

Visually check each cable for loose connections or faulty connectors. If a cable cannot be correctly connected, swap the current cable with one known to work. To display the type of cable and the detection and status of DTE, DCE, and clocking, use the following command: show controllers <serial_port>

9.4.1 - Troubleshooting WAN Connectivity
The diagram depicts the DCE router, R1, connected to the DTE router, R2. The show controllers command is issued on R1. The following line is highlighted in the show command output:

R1# show controllers s0/0/1
DCE V.35, clock rate 56000

The show controllers command is issued on R2. The following line is highlighted in the show command output:

R2# show controllers s0/0/1
DTE V.35 TX and RX clocks detected

Page 2: For a serial link to come up, the encapsulation format on both ends of the link must match. The default serial line encapsulation used on Cisco routers is HDLC. Since Cisco HDLC and open standard HDLC are not compatible, do not use the Cisco default encapsulation when connecting to a non-Cisco device.

Some Layer 2 encapsulations have more than one form. For example, Cisco routers support both the proprietary Cisco Frame Relay format as well as the industry-standard IETF format. The default format on Cisco devices is Cisco Frame Relay format. These formats are not compatible. To see the encapsulation in use on a serial line, use the command: show interfaces <serial_port>

Layer 3 configurations can also prevent data from moving across a serial link. Although it is not necessary to use an IP address on a serial link, if one is used, both ends of the link must be on the same network or subnet.

9.4.1 - Troubleshooting WAN Connectivity
The diagram depicts the DCE router, R1, connected to the DTE router, R2. The show interfaces command is issued on R1. The following line is highlighted in the show interfaces output:

R1# show interfaces s0/0/1
Encapsulation PPP

The show interfaces command is issued on R2. The following line is highlighted in the show interfaces output:

R2# show interfaces s0/0/1
Encapsulation PPP

Page 3: A process known as serial line address resolution protocol (SLARP) assigns an address to the end point of a serial link if the other end is already configured. SLARP assumes that each serial line is a separate IP subnet, and that one end of the line is host number 1 and the other end is host number 2. As long as one end of the serial link is configured, SLARP automatically configures an IP address for the other end.

The IP address configured on an interface and the status of the port and line protocol are viewable with the command: show ip interface brief

Before Layer 3 information moves across the link, both the interface and the protocol must be up. If the status of an interface is administratively down, the most probable cause is that the no shutdown command was not entered on the interface. Interfaces are shutdown by default. If the interface is down, check that the proper cable is connected and is firmly attached to the port. If this step still does not correct the problem, replace the cable. If the interface is up but the line protocol is down, there is a problem with the interface itself.

9.4.1 - Troubleshooting WAN Connectivity
The diagram depicts the output when troubleshooting a WAN topology.

Network Topology: Switch S1 is connected to switch S2. S2 is connected to the Fa0/0 of router R1. R1 connects to the WAN cloud via its S0/0/1 port. The following is the output of the show ip interface brief command:

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES manual up                    up
FastEthernet0/0.100    10.100.20.1     YES manual up                    up
FastEthernet0/0.101    10.101.20.1     YES manual up                    up
FastEthernet0/0.102    10.102.20.1     YES manual up                    up
FastEthernet0/0.103    10.103.20.1     YES manual up                    up
Serial0/0/0            unassigned      YES manual up                    up
FastEthernet0/1        unassigned      YES unset  administratively down down
Serial0/0/1            10.20.20.1      YES manual up                    up

Page 4: The PPP process involves both the LCP and NCP phases. LCP establishes the link and verifies that it is of sufficient quality to bring up the Layer 3 protocols. NCP allows Layer 3 traffic to move across the link. There is an optional authentication field between the LCP and NCP phases.

Each phase has to complete successfully before the next begins. When troubleshooting PPP connectivity, verify that:
• LCP phase is complete
• Authentication has passed, if configured
• NCP phase is complete
Commands are available that assist in troubleshooting PPP. To show the status of the LCP and NCP phase, use: show interface. To display PPP packets transmitted during the startup phase where PPP options are negotiated, use: debug ppp negotiation. To display real-time PPP packet flow, use: debug ppp packet.

9.4.1 - Troubleshooting WAN Connectivity
The diagram depicts the output for router, R1, when R1 is connected to router, R2, via a serial connection, and the following commands are used: show interfaces s0/0/1, debug ppp negotiation, and debug ppp packet.
The following is the show interfaces s0/0/1 command output:
R1# show interfaces s0/0/1
Encapsulation PPP
LCP Open
Open: IPCP, CDPCP
The following is the debug ppp negotiation command output:
R1# debug ppp negotiation

1d05h: Se0/0/1 LCP: Lower layer not up, Fast Starting
1d05h: Se0/0/1 PPP: Treating connection as dedicated line
1d05h: Se0/0/1 PPP: Phase is ESTABLISHING, Active Open
1d05h: Se0/0/1 LCP: AuthProto CHAP (0x0305c22305)
1d05h: Se0/0/1 LCP: AuthProto CHAP (0x0305c22305)
1d05h: Se0/0/1 LCP: State is Open
1d05h: Se0/0/1 PPP: Phase is AUTHENTICATING, by both
1d05h: Se0/0/1 CHAP: O CHALLENGE id 146 len 28 from "R1"
1d05h: Se0/0/1 CHAP: I CHALLENGE id 148 len 27 from "R2"
1d05h: Se0/0/1 CHAP: Using hostname from configured hostname
1d05h: Se0/0/1 CHAP: Using password from AAA
1d05h: Se0/0/1 CHAP: O RESPONSE id 146 len 28 from "R1"
1d05h: Se0/0/1 CHAP: I RESPONSE id 148 len 27 from "R2"
1d05h: Se0/0/1 PPP: Phase is AUTHENTICATING, Unauthenticated User
1d05h: Se0/0/1 CHAP: I SUCCESS id 148 len 4
1d05h: Se0/0/1 PPP: Phase is AUTHENTICATING, Authenticated User
1d05h: Se0/0/1 CHAP: O SUCCESS id 146 len 4
1d05h: Se0/0/1 PPP: Phase is UP
1d05h: Se0/0/1 IPCP: State is Open
1d05h: Se0/0/1 CDPCP: State is Open
1d05h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
The following is the debug ppp packet command output:
R1# debug ppp packet
PPP packet display debugging is on
R1#
1d05h: Se0/0/1 LCP: O ECHO-REQ [Open] id 1 len 12 magic 0x136F1E39
1d05h: Se0/0/1 PPP: I pkt type 0xC021, datagramsize 16
1d05h: Se0/0/1 LCP: I ECHO-REQ [Open] id 1 len 12 magic 0x13663C01
1d05h: Se0/0/1 LCP: Received id 1, sent id 1, line up
1d05h: Se0/0/1 PPP: I pkt type 0xC021, datagramsize 16
1d05h: Se0/0/1 LCP: I ECHO-REQ [Open] id 1 len 12 magic 0x13663C01
1d05h: Se0/0/1 LCP: O ECHO-REQ [Open] id 1 len 12 magic 0x136F1E39
1d05h: Se0/0/1 PPP: O pkt type 0x0021, datagramsize 116
1d05h: Se0/0/1 LCP: O ECHO-REQ [Open] id 2 len 12 magic 0x136F1E39
1d05h: Se0/0/1 PPP: I pkt type 0xC021, datagramsize 16
1d05h: Se0/0/1 LCP: I ECHO-REQ [Open] id 2 len 12 magic 0x13663C01
1d05h: Se0/0/1 LCP: Received id 2, sent id 2, line up
1d05h: Se0/0/1 PPP: I pkt type 0xC021, datagramsize 16
1d05h: Se0/0/1 LCP: I ECHO-REQ [Open] id 2 len 12 magic 0x13663C01
1d05h: Se0/0/1 LCP: O ECHO-REQ [Open] id 2 len 12 magic 0x136F1E39
1d05h: Se0/0/1 LCP: O ECHO-REQ [Open] id 3 len 12 magic 0x136F1E39
1d05h: Se0/0/1 PPP: I pkt type 0xC021, datagramsize 16
1d05h: Se0/0/1 LCP: I ECHO-REQ [Open] id 3 len 12 magic 0x13663C01
1d05h: Se0/0/1 LCP: Received id 3, sent id 3, line up
1d05h: Se0/0/1 PPP: I pkt type 0xC021, datagramsize 16
1d05h: Se0/0/1 LCP: I ECHO-REQ [Open] id 3 len 12 magic 0x13663C01
1d05h: Se0/0/1 LCP: O ECHO-REQ [Open] id 3 len 12 magic 0x136F1E39

Page 5: Packet Tracer Activity - Troubleshoot WAN connectivity issues. Click the Packet Tracer icon to begin.

9.4.1 - Troubleshooting WAN Connectivity
Link to Packet Tracer Exploration: Troubleshooting WAN Connectivity
Troubleshoot WAN connectivity issues.

9.4.2 Troubleshooting WAN Authentication
Page 1: PPP offers many advantages over the default HDLC serial line encapsulation, including authentication. Among these features is the ability to use either PAP or CHAP to authenticate end devices. Authentication occurs as an optional phase after the establishment of the link with LCP but before the NCPs allow the movement of Layer 3 traffic. When troubleshooting PPP authentication, determine if authentication is the problem by examining the status of the LCP and NCPs using the show interface command. If the LCP is not open, the problem exists with the physical link between the source and destination. If the LCP is not able to connect, negotiation of the optional parameters, including authentication, cannot occur. If the LCP is open and the NCPs are not, authentication is suspect. The absence of active NCPs indicates a failed authentication. If both the LCP and NCPs are open, authentication has been successful and the problem is elsewhere.

9.4.2 - Troubleshooting WAN Authentication
The diagram depicts the four steps used when debugging PPP. A man is on a host computer that is connected to a simple two router network. The host is connected to R1. R1 is connected to R2 via a serial link.

Step 1. The man thinks, "I cannot connect to R2."
Step 2. Use the debug ppp negotiation command.
Step 3. Identify the problem. The man thinks, "I see the error. I will change the R2 to CHAP and try again."
Step 4. Once the problem has been identified, implement a solution.

Page 2: Authentication can be either one-way or two-way. Two-way authentication requires that each end device authenticate to the other. For enhanced security, use two-way or mutual authentication. The most common problem with authentication is either forgetting to configure an account for the remote router or misconfiguring the username and password. On both ends of the link, verify that a user account exists for the remote device and that the password is correct. By default, the username is the name of the remote router. Both the username and the password are case-sensitive. The configuration on both ends of the link must specify the same type of authentication. If using PAP authentication on a current version of the IOS, activate it with the command: ppp pap sent-username username password password. If uncertain, remove the old user account statement and recreate it. Debugging the authentication process provides a quick method of determining what is wrong. To display packets involved in the authentication process as they are exchanged between end devices, use the command: debug ppp authentication

9.4.2 - Troubleshooting WAN Authentication
The diagram depicts the output of the debug ppp authentication command when the following conditions occur: proper configuration, no user account, and wrong password. Router, R1, is connected via a serial connection to router, R2.
Proper Configuration
03:03:35: Se0/0/1 PPP: Received LOGIN Response from AAA = PASS
03:03:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
No User Account
03:21:43: Se0/0/1 CHAP: Unable to authenticate for peer
Wrong Password
03:17:47: Se0/0/1 PPP: Received LOGIN Response from AAA = FAIL

Page 3: Packet Tracer Activity - Troubleshoot PPP authentication using CHAP. Click the Packet Tracer icon to begin.
9.4.2 - Troubleshooting WAN Authentication
Link to Packet Tracer Exploration: Troubleshooting PPP Authentication Using CHAP
Troubleshoot PPP authentication using CHAP.

Page 4: Lab Activity - Troubleshoot WAN and PPP connectivity. Click the lab icon to begin.
9.4.2 - Troubleshooting WAN Authentication
Link to Hands-on Lab: Troubleshooting WAN and PPP Connectivity
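The LCP/NCP decision rule from page 1 and the three debug ppp authentication outcomes above, as an added Python example (not course code): it reads the two show interfaces lines the course highlights, then separates "no user account" from "wrong password" using the debug messages. The sample output and the function names are constructed assumptions.

```python
"""Triage a PPP serial link from 'show interfaces' and 'debug ppp authentication'.

Added example, not part of the course page. It encodes the decision the course
describes: LCP not open means a physical-link problem, LCP open with no NCPs
points at authentication, and the debug messages then separate "no user
account" from "wrong password". All sample output below is constructed.
"""
import re


def parse_show_interfaces_ppp(text):
    """Return (lcp_open, [open NCP names]) from 'show interfaces' output."""
    lcp_open = re.search(r"^\s*LCP\s+Open\b", text, re.M) is not None
    m = re.search(r"^\s*Open:\s*(.+?)\s*$", text, re.M)
    ncps = [p.strip() for p in m.group(1).split(",")] if m else []
    return lcp_open, ncps


def classify_ppp_auth(debug_lines):
    """Map 'debug ppp authentication' lines to the three conditions the course shows."""
    verdict = "no authentication result seen"
    for line in debug_lines:
        if "Unable to authenticate for peer" in line:
            verdict = "no user account"   # the peer's username entry is missing locally
        elif re.search(r"LOGIN Response from AAA\s*=\s*FAIL", line):
            verdict = "wrong password"    # account exists, secrets do not match
        elif re.search(r"LOGIN Response from AAA\s*=\s*PASS", line):
            verdict = "authenticated"
    return verdict


def triage_ppp_link(show_text, debug_lines=()):
    """Return a short diagnosis following the course's LCP/NCP decision rule."""
    lcp_open, ncps = parse_show_interfaces_ppp(show_text)
    if not lcp_open:
        return "LCP not open: check the physical link, clocking, cable and encapsulation"
    if not ncps:
        return "LCP open, no NCP: authentication suspect (%s)" % classify_ppp_auth(debug_lines)
    return "LCP and NCP open (%s): link is up, look elsewhere" % ", ".join(ncps)


# Constructed samples mirroring the conditions the course illustrates.
SHOW_UP = "Serial0/0/1 is up, line protocol is up\n  Encapsulation PPP\n  LCP Open\n  Open: IPCP, CDPCP\n"
SHOW_NO_NCP = "Serial0/0/1 is up, line protocol is down\n  Encapsulation PPP\n  LCP Open\n"
SHOW_NO_LCP = "Serial0/0/1 is down, line protocol is down\n  Encapsulation PPP\n  LCP Closed\n"
DEBUG_NO_ACCOUNT = ["03:21:43: Se0/0/1 CHAP: Unable to authenticate for peer"]
DEBUG_BAD_PASSWORD = ["03:17:47: Se0/0/1 PPP: Received LOGIN Response from AAA = FAIL"]

if __name__ == "__main__":
    print(triage_ppp_link(SHOW_UP))
    print(triage_ppp_link(SHOW_NO_NCP, DEBUG_NO_ACCOUNT))
    print(triage_ppp_link(SHOW_NO_NCP, DEBUG_BAD_PASSWORD))
    print(triage_ppp_link(SHOW_NO_LCP))
```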

Troubleshoot WAN and PPP connectivity.

9.5 Troubleshooting ACL Issues
9.5.1 Determining if an ACL is the Issue
Page 1: ACLs add a level of complexity to troubleshooting network issues. When networks or hosts become unreachable and ACLs are in use, it is critical to determine if the ACL is the problem. Therefore, it is important to verify basic network connectivity before applying an ACL. Ask the following questions to help to isolate the problem:
• Is an ACL applied to the problem router or interface?
• Has it been applied recently?
• Did the issue exist before the ACL was applied?
• Is the ACL performing as expected?
• Is the problem with all hosts connected to the interface or only specific hosts?
• Is the problem with all protocols being forwarded or only specific protocols?
• Are the networks appearing in the routing table as expected?
One way to determine the answer to several of these questions is to enable logging. Logging shows the effect that ACLs are having on various packets. By default, the number of matches displays with the show access-list command. To display details about packets permitted or denied, add the log keyword to the end of ACL statements.

9.5.1 - Determining if an ACL is the Issue
The diagram depicts the output when examining an ACL on a network.
Network Topology
Two hosts with the IP addresses 192.168.1.2 and 192.168.1.3 are on the 192.168.1.0/24 network. A switch is connected to the R1 FA0/0. This interface has an ACL applied (ACL 123 inbound). Router, R1, S0/0/0 is connected to the S0/0/0 of router, R2, with a network address of 172.20.1.1/30. The R2 FA0/0 is connected to another switch with a network address of 192.168.2.0/24. A server is connected to the switch with an IP address of 192.168.2.2. The configuration commands for placing the ACL are listed below.
Output
R1(config)# access-list 123 deny tcp host 192.168.1.2 host 192.168.2.2 eq 23 log

R1(config)# access-list 123 permit IP 192.168.1.0 0.0.0.255 any log
R1(config)# access-list 123 deny IP any any log
R1(config)# int FA0/0
R1(config-if)# IP access-group 123 in
ACL Console Logging
R1#
*Sep 12:34:35:54.067: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1141) -> 192.168.2.2(23), 1 packet
*Sep 12:34:35:54.067: %SEC-6-IPACCESSLOGP: list 123 permitted icmp 192.168.1.3 -> 192.168.2.2 (8/0), 1 packet

Page 2: A number of commands help to determine if ACLs are configured and applied correctly. To display all ACLs configured on the router, whether applied to an interface or not, use the following command: show access-lists. To clear the number of matches for each ACL statement, use: clear access-list counters. To display the source and destination IP address for each packet received or sent by any interface on the router, use: debug ip packet. The debug ip packet command shows packets whose source or destination is a router interface. This command includes packets that are denied by an ACL at the interface. Examples of traffic that create a debug message include:
• RIP updates to or from a router interface

• Telnet from an external source to an external destination blocked by an ACL on the interface
If the packets are simply passing through and the ACL does not block a packet from this IP address, no debug message is generated.

9.5.1 - Determining if an ACL is the Issue
The diagram depicts the output when examining an ACL on a network.
Network Topology
Two hosts are connected to a switch. The two hosts have the IP addresses 192.168.1.2 and 192.168.1.3, and are part of the 192.168.1.0/24 network. The switch is connected to the router, R1, FA0/0. This interface has an ACL applied (ACL 123 inbound). R1 S0/0/0 is connected to the S0/0/0 of router, R2, with a network address of 172.20.1.1/30. R2 FA0/0 is connected to another switch on the 192.168.2.0/24 network. A server is connected to the switch with an IP address of 192.168.2.2.
Output
R1# show running-config
IP address 192.168.1.1 255.255.255.0
IP access-group 123 in
[output omitted]
access-list 123 deny tcp host 192.168.1.2 host 192.168.2.2 eq telnet
access-list 123 permit IP 192.168.1.0 0.0.0.255 any
R1# debug IP packet
*Sep 19 ...omitted... IP: s=192.168.1.2 (FastEthernet0/0), d=192.168.2.2, len 48, access denied
R1# show IP interface
Outgoing access list is not set
Inbound access list is 123
R1# show access-lists
Extended IP access list 123
10 deny tcp host 192.168.1.2 host 192.168.2.2 eq telnet (9 matches)
20 permit IP 192.168.1.0 0.0.0.255 any (24 matches)
30 deny IP any any (3 matches)

Page 3: 9.5.1 - Determining if an ACL is the Issue
The diagram depicts an activity in which you must analyze the network topology and router command output. Indicate whether the statements regarding ACLs and their effects are True or False. The following commands are used: R1# show running-config, R1# debug IP packet, R1# show IP interface, and R1# show access-lists.
Network Topology
The diagram depicts two hosts connected to a switch. The two hosts have the IP addresses 192.168.1.2 and 192.168.1.3, and are part of the 192.168.1.0/24 network. The switch is connected to the router, R1, via FA0/0. This interface has an ACL applied (ACL 123 inbound). R1 S0/0/0 is connected to router, R2, with a network address of 172.20.1.1/30. R2 FA0/0 is connected to another switch on the 192.168.2.0/24 network. A server is connected to the switch with an IP address of 192.168.2.2.

Scenario 1
The following is the router output for the command show running-config.
R1# show running-config
Building Configuration...
(**output omitted**)
hostname R1
interface FastEthernet0/0
description LAN gateway for 192.168.1.0 net
IP address 192.168.1.1 255.255.255.0
IP access-group 123 in
duplex auto
speed auto
interface FastEthernet0/1
no IP address
shutdown
duplex auto
speed auto
interface Serial0/0/0
description WAN link to R2
IP address 172.20.1.1 255.255.255.252
no fair-queue
interface Serial0/0/1
no IP address
shutdown
router rip
version 2
passive-interface FastEthernet0/0
network 172.20.0.0
network 192.168.1.0
no auto-summary
access-list 123 permit tcp host 192.168.1.2 any eq telnet
access-list 123 permit tcp host 192.168.1.2 any range ftp-data ftp
access-list 123 deny tcp any any eq telnet
access-list 123 deny tcp any any range ftp-data ftp
access-list 123 permit IP 192.168.1.0 0.0.0.255 any
access-list 123 deny IP any any
Determine if the statements below are True or False.
One. This router is configured with a standard ACL.
Two. This ACL is applied to FA0/0 inbound.
Three. Host 192.168.1.2 is permitted to transfer files to and from any FTP server.
Four. If a telnet packet from 192.168.1.5 enters FA0/0 it will be permitted.
Five. If an HTTP packet from a host on network 192.168.1.0 is received on FA0/0 inbound it will be permitted.
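Scenario 1's ACL 123 worked through in code, as an added example that is not part of the course: a first-match evaluator for the IOS extended ACL syntax used on this page, with per-line counters in the style of show access-lists and the implicit deny at the end. The packets it evaluates, the class and the function names are constructed assumptions.

```python
"""First-match evaluator for the IOS extended ACL shown in Scenario 1.

Added example, not from the course page. It parses the access-list 123 lines
as written on the page, evaluates constructed packets in order, keeps per-line
match counters the way 'show access-lists' reports them, and ends with the
implicit deny. Only the syntax used on this page is supported.
"""
import ipaddress

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens):
    """Consume 'any', 'host A', or 'A WILDCARD'; return (address_int, wildcard_int)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _ports(tokens):
    """Consume an optional 'eq P' or 'range LO HI'; return (lo, hi) or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = _port(tokens.pop(0))
        return p, p
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return _port(tokens.pop(0)), _port(tokens.pop(0))
    return None


def _matches(addr, spec):
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


class ExtendedACL:
    def __init__(self, lines):
        self.entries = []
        for line in lines:
            tokens = line.split()
            if tokens[:1] != ["access-list"]:
                continue
            action, proto, rest = tokens[2], tokens[3].lower(), tokens[4:]
            src, sport = _addr(rest), _ports(rest)
            dst, dport = _addr(rest), _ports(rest)
            self.entries.append({"text": " ".join(tokens[2:]), "action": action,
                                 "proto": proto, "src": src, "sport": sport,
                                 "dst": dst, "dport": dport, "matches": 0})

    def evaluate(self, src, dst, proto="ip", sport=0, dport=0):
        """Return (action, entry text); the first matching line wins."""
        for e in self.entries:
            if e["proto"] != "ip" and e["proto"] != proto:
                continue
            if not (_matches(src, e["src"]) and _matches(dst, e["dst"])):
                continue
            if e["sport"] and not e["sport"][0] <= sport <= e["sport"][1]:
                continue
            if e["dport"] and not e["dport"][0] <= dport <= e["dport"][1]:
                continue
            e["matches"] += 1
            return e["action"], e["text"]
        return "deny", "implicit deny ip any any"

    def show(self):
        """Counters in the style of 'show access-lists'."""
        return [e["text"] + (" (%d matches)" % e["matches"] if e["matches"] else "")
                for e in self.entries]


# The six statements of ACL 123 as Scenario 1 lists them.
ACL_123 = [
    "access-list 123 permit tcp host 192.168.1.2 any eq telnet",
    "access-list 123 permit tcp host 192.168.1.2 any range ftp-data ftp",
    "access-list 123 deny tcp any any eq telnet",
    "access-list 123 deny tcp any any range ftp-data ftp",
    "access-list 123 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 123 deny ip any any",
]


def scenario_1():
    """Evaluate constructed packets behind statements Three, Four and Five."""
    acl = ExtendedACL(ACL_123)
    return {
        "admin_ftp": acl.evaluate("192.168.1.2", "192.168.2.2", "tcp", 1025, 21)[0],
        "host5_telnet": acl.evaluate("192.168.1.5", "192.168.2.2", "tcp", 1026, 23)[0],
        "lan_http": acl.evaluate("192.168.1.3", "192.168.2.2", "tcp", 1027, 80)[0],
        "host3_ftp": acl.evaluate("192.168.1.3", "192.168.2.5", "tcp", 1028, 21)[0],
        "show": acl.show(),
    }


if __name__ == "__main__":
    for key, value in scenario_1().items():
        print(key, value)
```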

Scenario 2
The following is the router output for the command show access-list.
R1# show access-list
Extended IP access-list 123
permit tcp host 192.168.1.2 any eq telnet (24 matches)
permit tcp host 192.168.1.2 any range ftp-data ftp
deny tcp any any eq telnet (8 matches)
deny tcp any any range ftp-data ftp (12 matches)
permit IP 192.168.1.0 0.0.0.255 any (250 matches)
deny IP any any (22 matches)
Determine if the statements below are True or False.
One. This router ACL allows an administrator PC (192.168.1.2) to Telnet and FTP to any location.
Two. The administrator has been using FTP extensively.
Three. PCs other than 192.168.1.2 on the 192.168.1.0 network have attempted to telnet to other networks.
Four. Most hosts have used IP protocols other than FTP and Telnet (e.g. HTTP) to connect to other networks.
Five. This ACL prevents transferring a file using FTP from PC 192.168.1.3 to PC 192.168.2.5.

Scenario 3
The following is the router output for the command debug IP packet.
R1# debug IP packet
IP packet debugging is on
R1#
*Sep 19 17:09:25.555: IP: s=192.168.1.3 (FastEthernet0/0), d=192.168.2.9 (Serial0/0/0), len 48, access denied
*Sep 19 17:09:26.555: IP: s=192.168.1.3 (FastEthernet0/0), d=192.168.2.9 (Serial0/0/0), len 48, access denied
*Sep 19 17:11:34.555: IP: s=172.20.1.1 (local), d=224.0.0.9 (Serial0/0/0), len 52, sending broadcast/multicast
*Sep 19 17:11:45.119: IP: s=172.20.1.2 (Serial0/0/0), d=224.0.0.9, len 52, rcvd 2
*Sep 19 17:11:45.555: IP: tableid=0, s=192.168.2.5 (Serial0/0/0), d=192.168.1.3 (FastEthernet0/0), routed via FIB
*Sep 19 17:11:45.555: IP: tableid=0, s=192.168.1.3 (FastEthernet0/0), d=192.168.2.5 (Serial0/0/0), routed via FIB
Determine if the statements below are True or False.
One. Packets from host 192.168.1.3 to 192.168.2.9 are being blocked by the ACL on this router.
Two. This router is running only the EIGRP routing protocol.
Three. The IP address of the S0/0/0 interface on this router is 172.20.1.1.
Four. Routing updates to multicast addresses (224.0.0.9) have been permitted by this router and ACL.
Five. All packets from host 192.168.1.3 may be permitted by this router and ACL depending on the protocol they are using.

Page 4: Packet Tracer Activity - Troubleshoot ACL issues using show and debug commands.

Click the Packet Tracer icon to begin.
9.5.1 - Determining if an ACL is the Issue
Link to Packet Tracer Exploration: Troubleshooting ACL Issues
Troubleshoot ACL issues using show and debug commands.

9.5.2 ACL Configuration and Placement Issues
Page 1: Issues such as slow performance and unreachable network resources result from an incorrectly configured ACL. In some cases, the ACL may permit or deny the intended traffic but can also have unintended effects on other traffic. If it appears that the ACL is the problem, there are several issues to check. The implicit deny may be having unintended effects on other traffic. If so, use an explicit deny ip any any log command so that packets that do not match any of the previous ACL statements can be monitored. Use logging to determine if the ACL is optimized or working as expected. If the ACL statements are not in the most efficient order to permit the highest volume traffic early in the ACL, check the logging results to determine a more efficient order.

9.5.2 - ACL Configuration and Placement
The diagram depicts output when using the following commands: R1# show IP route, R1# debug IP rip, R2# show IP route, R2# debug IP rip, R2# (console logging on), R2# show access-lists, and R2# show IP interface s0/0/0. Only sections of each command are shown below. All other output from the commands is omitted. Complete outputs may be seen in the Hands-on Labs or Packet Tracer Activities.
Network Topology
Two hosts are directly connected to a switch. The two hosts have the IP addresses 192.168.1.2 and 192.168.1.3, and are part of the 192.168.1.0/24 network. The switch is connected to the router, R1. R1 S0/0/0 is connected to router, R2, S0/0/0, and both are part of the 172.20.1.0/30 network. An ACL (123) has been placed on the serial interface S0/0/0 inbound on R2. R2 FA0/0 is connected to another switch, 192.168.2.0/24. A server is connected to the switch with an IP address of 192.168.2.2.
R1# show IP route
R 192.168.2.0/24 [120/1] via 172.20.1.2, 00:00:06, Serial0/0/0
R1# debug IP rip
*Sep 19 21:12:59.622: RIP: received v2 update from 172.20.1.2 on Serial0/0/0

20. therefore.168.9 via Serial0/0/0 (172.1) R2 # show IP route (No output is highlighted here for this command.) R2 # (console logging on) *Sep 19 20:21:28.2. The routers along the potential path never see the denied packets. it is also important to apply the ACL to the right router or interface. Packets destined for networks other than the one being blocked are unaffected.0. and in the appropriate direction.) R2 # show access-lists 20 deny any (matches) R2 # show IP interface s0/0/0 Outgoing access list is not set Inbound access list is 1 Page 2: In addition to determining whether the ACL is correctly configured.0 /24 via 0.9 R2 # debug IP rip (No output is highlighted here for this command.0.0. Placing a Standard ACL close to the source may unintentionally block traffic to networks that should be allowed.1 -> 224.0.20.1. place them as close to the destination as possible. This is a waste of valuable bandwidth.0. which helps to conserve bandwidth. Standard ACLs filter only on the source IP address.139: %SEC-6 IP ACCESS LOG N P: list 1 denied 0 172. Using an Extended ACL resolves both of these issues. in 1 hops *Sep 19 21:12:59622: RIP: sending v2 update to 224. .0. A correctly configured ACL that is incorrectly applied is one of the most common errors when creating ACLs.1.*Sep 19 21:12:59622: 192.0. Placing the ACL close to the destination unfortunately allows traffic to flow across one or more network segments prior to being denied.

9.5.2 - ACL Configuration and Placement
This diagram compares the use of a standard ACL with an extended ACL to prevent network 192.168.1.0 traffic from entering the 192.168.4.0 network. Traffic should be allowed to reach all other networks.
Network Topology
The diagram depicts four routers, R1, R2, R3, and R4, connected by serial links to each other. On R1 there is an extended ACL placed on FA0/0, which connects network 192.168.1.0/24 to R1. Router R3 connects to both R1 and R4. Router R4 has its FastEthernet FA0/0 OUT in use and connected to network 192.168.4.0/24. There is a Standard ACL placed between the 192.168.4.0/24 network and the interface.
The Standard ACL information is as follows:
Standard ACL
Place closest to the destination
Denies 192.168.1.0 traffic to 192.168.4.0
Wastes bandwidth
ACL commands
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 permit any
The extended ACL information appears as follows:
Extended ACL
Place closest to source
Denies traffic from 192.168.1.0 network from reaching 192.168.4.0
Allows it to reach other networks and saves bandwidth
ACL commands
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip any any
Network Topology Continued
R2 is connected to network 192.168.2.0/24 and is also connected to R4. R3 is connected to network 192.168.3.0/24.

Page 3: Packet Tracer Activity - Troubleshoot the placement and direction of an ACL. Click the Packet Tracer icon to begin.
9.5.2 - ACL Configuration and Placement
Link to Packet Tracer Exploration: Troubleshooting ACL Placement

Troubleshoot the placement and direction of an ACL.

Page 4: Lab Activity - Troubleshoot ACL configuration and placement issues. Click the lab icon to begin.
9.5.2 - ACL Configuration and Placement
Link to Hands-on Lab: Troubleshooting ACL Configuration and Placement
Troubleshoot ACL configuration and placement issues.

9.6 Chapter Summary
9.6.1 Summary
Page 1: 9.6.1 - Summary
Diagram 1, Image
The diagram depicts a hierarchical network design.
Diagram 1 text
Adherence to the three-layer hierarchical network design model assists in troubleshooting efforts. When troubleshooting a network, determine the scope of the problem, and isolate the issue to a specific failure domain. Network monitoring tools include: network utilities, packet sniffing tools, and SNMP monitoring tools. SNMP enables monitoring the performance of individual devices on the network using agents and a MIB. The business continuity plan details the security policy and disaster recovery plan. Backups of the configuration files, spare devices, or backup sites enable quick restoration of connectivity.
Diagram 2, Image
The diagram depicts two rack mounted switches and RJ-45 connections.
Diagram 2 text
The most common problems with switches occur at the Physical Layer.

Visually checking LEDs and cable connections assists in troubleshooting Physical Layer problems. Check the VTP revision information and mode before enabling a switch to join the network. Ensure all devices sharing VLAN information have the same VTP domain name. Ensure there are two VTP servers in one domain to provide backup. The root bridge should be centrally located within the network. Change the priority value on a switch to force the selection of the root bridge.
Diagram 3, Image
The diagram depicts a simple two router network and various output.
Diagram 3 text
Many tools exist for troubleshooting routing issues, including IOS show commands, debug commands and TCP/IP utilities. Use debug commands to isolate problems, not to monitor normal network operation. Problems with RIP v1 include lack of VLSM support and intermixing RIP v1 and RIP v2 devices. Common issues with EIGRP include: mismatched AS numbers, incorrect wildcard mask, and autosummarization issues with discontiguous subnets. The majority of OSPF problems relate to the formation of adjacencies and the synchronization of the link-state databases.
Diagram 4, Image
The diagram depicts the show controllers command from a DCE and a DTE end of two connecting routers.
Diagram 4 text
The most common physical layer WAN problems are not specifying a clock rate on the link or using the wrong type of cable. Ensure that the encapsulation is the same on both sides of the serial link. If an IP address is used, both ends of the link must be on the same network or subnet. SLARP assigns an IP address to the end point of a serial link if the other end is already configured. When troubleshooting PPP connectivity, verify that the LCP has been opened, authentication has passed, and NCP has completed. On both ends of the link, verify that a user account exists for the remote device and that the password is correct. By default, the username used during the authentication process is the name of the remote router. Both the username and the password are case sensitive. For enhanced security, use mutual authentication.
Diagram 5, Image
The diagram depicts a network with an ACL applied.
Diagram 5 text
ACLs can create complications in troubleshooting network issues. Always verify basic network connectivity before applying an ACL. Enable logging to determine the effect that ACLs have on traffic. Standard ACLs filter only on one source IP address, so they are normally placed as close to the destination as possible. An Extended ACL filters on source and destination as well as protocols and port numbers. Placing an extended ACL close to a source can deny traffic before it passes through the router and before it traverses the WAN link. An ACL needs to be applied to the correct router and interface and in the correct direction.

An ACL placed on the wrong interface or in the wrong direction can block traffic that should not be blocked, or permit traffic that should not be permitted.

9.6.2 Critical Thinking
Page 1: 9.6.2 - Critical Thinking
Critical Thinking
Answer the following questions based on the exhibit.
Exhibit
Network Topology
There are two routers, R2 and R3. There are two switches, S1 and S2. R2 has S1 attached (network: 10.4.3.0/24). S1 has one host attached (Host IP: 10.4.3.63/24). R2 is connected to R3 via a serial link (network: 192.168.10.0/30). R3 has S2 attached (network: 10.4.10.0/24). S2 has one host attached (Host IP: 10.4.10.75/24). There is a screen capture of the output of R2, which appears as follows:
hostname R2
[output omitted]
interface FA0/0
IP address 10.4.3.1 255.255.255.0
interface s0/0
IP address 192.168.10.1 255.255.255.252
!
router rip
network 192.168.10.0
network 10.0.0.0
[output omitted]
One. Which route advertisements does R3 receive from R2?
a. 10.0.0.0/8
b. 10.4.3.0/24
c. 10.4.3.0/24 and 10.4.10.0/24
d. 10.0.0.0/8 and 10.4.10.0/24
Two. If host 10.4.10.75 attempts to ping host 10.4.3.63, what will the results be?
a. All packets will reach the destination and network applications will have connectivity.
b. All packets will reach the destination but network applications will not have connectivity.
c. Some packets will be dropped.
d. All packets will be dropped.
Three. What must an administrator do on R3 to ensure that update packets are sent with subnet mask information?
a. Add the command: R3(config-router)# version 2
b. Add the command: R3(config-router)# no auto-summary
c. Change the network statement on Router 3: R3(config)# network 10.4.10.0
d. Add the command: R2(config-router)# no version 2
e. Add the command: R3(config)# IP route 0.0.0.0 0.0.0.0 s0/0

Four. R1 and R3 are configured with the commands:
version 2
no auto-summary
Which two statements are true? (Choose two.)
a. A ping command will fail between host 10.4.10.75 and host 10.4.3.63.
b. A ping command will be successful between host 10.4.10.75 and host 10.4.3.63.
c. R2 is able to receive RIP v1 and RIP v2 update packets.
d. R2 is able to send and receive RIP v1 and RIP v2 update packets.

9.7 Chapter Quiz
9.7.1 Quiz
Page 1: Take the chapter quiz to check your knowledge. Click the quiz icon to begin.
9.7.1 - Quiz
Chapter 9 Quiz: Troubleshooting an Enterprise Network
1. Based on the network topology and router output described below, which two statements describe what will occur while testing the network? (Choose two.) All IP addresses have been correctly configured and all interfaces are up.
Network Topology
In this topology, router RTA is connected via its S0/0 to router RTB's S0/0 port on the network 192.168.20.0/24. RTA is connected to two switches on the following networks: 192.168.30.0/24 and 192.168.7.0/24. RTB is connected to two switches on the following networks: 192.168.50.0/24 and 192.168.80.0/24.
The following output is displayed from RTA's configuration:
hostname RTA
!
router rip
network 192.168.20.0
network 192.168.30.0
network 192.168.7.0
The following output is displayed from RTB's configuration:
hostname RTB
!
router rip
network 192.168.20.0
network 192.168.50.0
network 192.168.80.0
A. RTA and RTB are able to ping each other's serial interfaces.
B. RTA and RTB do not learn any routes from each other through the RIP process.
C.

RTA and RTB will have three entries in the route table found via RIP.
D. RTA has all five of the networks listed in the routing table.
E. RTB has all five of the networks listed in the routing table.

2. Answer this question based on the network topology and router output below. The network administrator configured the ACL to deny the LAN access to a web server with known viruses. However, the users can still reach this server. What could be the cause of the problem?
Network Topology
A switch on network 192.168.5.0/24 is connected to the Fa0/0 of router RTA. RTA is connected via its Fa0/1 to another switch which connects to a server with the address 172.16.1.5/24.
RTA's ACLs are shown as follows:
RTA(config)# access-list 100 deny ip 192.168.5.0 0.0.0.255 host 172.16.1.5
RTA(config)# access-list 100 permit ip any any
RTA(config)# interface fa0/0
RTA(config-if)# ip access-group 100 out
A. The access list should be applied inbound on the interface instead of outbound.
B. The access list has the source address and destination address reversed.
C. The access list should be a standard access list instead of an extended one.
D. The access list should specifically deny TCP port 80.

3. Which utility is able to detect and monitor different types of traffic on a network and trigger an alarm when an excessive amount of a specified packet type is seen?
A. ping
B. SNMP
C. tracert
D. packet sniffer

4. Answer this question based on the switch output below. An administrator has been adding new VLANs to Sw-2 and notices that the new information is not recognized by Sw-3. Given the output of the show vtp status command, what is the reason why information is not shared in this VTP domain?
Sw-1#show vtp status
VTP Version: 2
Configuration Revision: 247
Maximum VLANs supported locally: 1005
Number of existing VLANs: 40
VTP Operating Mode: Client
VTP Domain Name: Lab_Network
VTP Pruning Mode: Enabled
VTP V2 Mode: Disabled
VTP Traps Generation: Disabled
MD5 digest: 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 10.10.12.1 at 8-12-08 12:04:42
Sw-2#show vtp status
VTP Version: 2
Configuration Revision: 247
Maximum VLANs supported locally: 1005
Number of existing VLANs: 40
VTP Operating Mode: Server
VTP Domain Name: Lab_Network
VTP Pruning Mode: Enabled
VTP V2 Mode: Disabled
VTP Traps Generation: Disabled

MD5 digest: 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 10.10.12.1 at 8-12-08 12:08:52
Sw-3#show vtp status
VTP Version: 2
Configuration Revision: 247
Maximum VLANs supported locally: 1005
Number of existing VLANs: 25
VTP Operating Mode: Transparent
VTP Domain Name: Lab_Network
VTP Pruning Mode: Enabled
VTP V2 Mode: Disabled
VTP Traps Generation: Disabled
MD5 digest: 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 10.10.12.1 at 8-12-08 13:34:49
A. The VTP domain is not the same between the switches.
B. VTP version 2 has been disabled.
C. VTP traps have been disabled.
D. Sw-3 is configured for transparent mode.

5. Answer this question based on the router output below. Two neighboring routers are not able to establish connectivity. Based on the output of the debug ppp authentication command, which statement is true?
03:17:47: Se0/1 PPP: Authorization NOT required
03:17:47: Se0/1 CHAP: O CHALLENGE id 15 len 28 from "R1"
03:17:47: Se0/1 CHAP: I CHALLENGE id 17 len 27 from "R2"
03:17:47: Se0/1 CHAP: Using hostname from configured hostname
03:17:47: Se0/1 CHAP: Using password from AAA
03:17:47: Se0/1 CHAP: O RESPONSE id 17 len 28 from "R1"
03:17:47: Se0/1 CHAP: I RESPONSE id 15 len 27 from "R2"
03:17:47: Se0/1 PPP: Sent CHAP LOGIN Request to AAA
03:17:47: Se0/1 PPP: Received LOGIN Response from AAA=FAIL
03:17:47: Se0/1 CHAP: O FAILURE id 15 len 26 msg is "Authentication failure"
E. only one side required authentication
F. the remote location is configured with PAP authentication instead of CHAP
G. an incorrect hash string is received from the remote router
H. the authentication methods are incompatible

6. Answer this question based on the network topology and the switch output below. The ACME Company implements VLANs across its network infrastructure to further control the network traffic. The network administrator issued the show vlan command on SW2 to verify the VLAN configuration. Which statement is true?
Network Topology
Router RTA is connected to switch SW2. SW2 is connected to switches SW1 and SW3. Engineering is VLAN 10, Support is VLAN 20, and Sales is VLAN 30.
SW2# show vlan
VLAN  Name         Status   Ports
1     default      active   Fa0/3, Fa0/4, Fa0/21, Fa0/22, Fa0/23, Fa0/24
10    Engineering  active   Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9
20    Support      active   Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15
30    Sales        active   Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20
A. RTA can connect to any port in VLAN 1 to route between different VLANs.
B. Traffic in each VLAN will not be seen in other VLANs.
C. The status "active" indicates there are 22 devices currently connected to SW2.

7. What is one way to limit the size of a failure domain?
A. implement a classless routing protocol
B. create redundant paths wherever possible
C. […]
D. ensure devices are hot-swappable

8. Answer this question based on the network topology below. The server was just added to the network and no hosts are able to connect to it. What could be the problem?
Network Topology
Router RTA is connected via Fa0/0 to a switch. The switch is connected to a host with the IP address 192.168.199.99/27 and a server with the IP address 192.168.199.127/27.
A. The network is not subnetted correctly.
B. The IP address assigned to the server is the network address for this subnetwork.
C. The IP address assigned to the server is the broadcast address for this subnetwork.

9. To answer this question, refer to the router output below. Why is neighboring router 192.168.102.137 […]?
Neighbor ID      Pri  State         Dead Time  Address          Interface
172.16.48.15     1    Full/DR       0:00:31    172.16.48.15     Ethernet0
172.16.48.1      1    Full/BDR      0:00:33    172.16.48.1      Ethernet0
172.16.48.11     1    Full/DROTHER  0:00:33    172.16.48.11     Ethernet0
192.168.102.137  1    Full/-        0:00:33    192.168.102.2    Serial0/1
A. The network command is misconfigured on the neighboring router.
B. The network command is misconfigured on the local router.
C. It is participating in OSPF over a point-to-point interface.
D. OSPF authentication has been enabled on the local router but not on the neighboring router.

10. Answer this question based on the network topology below. Which two commands can the technician use to verify that the ACL is incorrectly configured?
Network Topology
RTB is connected via Fa0/0 to a switch. The switch is connected to two hosts on the 10.10.1.0/24 network with the following IP addresses: […]. A host with the IP address 192.168.1.34/27 is also shown.
A. show protocols
B. show ip interface
C. show ip route
D. show access-lists
(Choose two.A technician is troubleshooting a loss of connectivity and suspects that and incorrectly configured ACL is the cause. C.10.50/27 and 192.backup configuration files D. RTA has a serial connection port S0/0 to RTB port S0/0.137 not a DROTHER? Neighbor IDPriStateDead TimeAddressInterface 172. D.All ports will be participating in V LAN1.show running-config C.The IP address of the server should be dynamic instead of static.200Ethernet0 192.Since V LAN 1 is the management V LAN. 9.168.40.

All contents copyright © 2007-2008 Cisco Systems, Inc. Translated by the Cisco Networking Academy.
