

SUBNETTING
You think subnetting is a beast? You think you have to be a superbrain to understand it? You are wrong! Here is the step-by-step course. After reading it and some self-training, you should be able to solve subnetting questions in the CCNA exam without any problems, in a snap. Relax!

What is a subnet mask?

With subnet masks, we can divide an IP address into a network part and a host part. A given IP network can be divided into smaller parts. Each of these smaller parts is called a "subnet".

If we for example have the network

192.168.10.0 255.255.255.0

we have here ONE Class C network, with 253 usable IPs for client PCs. The usable IP range of this network is 192.168.10.1 - 192.168.10.254. The very last IP of each subnet is called the broadcast address. This address is in that example 192.168.10.255 and it is NOT usable for host PCs.

If we want to divide this network into two parts, we must use subnetting. With subnet mask 255.255.255.128 we would divide the network into two parts:

192.168.10.1 - 192.168.10.127
192.168.10.128 - 192.168.10.255

So in this example, BEFORE we had one big network. By changing the subnet mask we divided it into two smaller networks.

First, with subnet mask 255.255.255.0 we had THIS network:

192.168.10.0   >>> This is the "network IP", which is NOT usable for host PCs
192.168.10.1
192.168.10.2
192.168.10.3
192.168.10.4
192.168.10.5
...
192.168.10.253
192.168.10.254
192.168.10.255 >>> This is the broadcast IP, which is NOT usable for host PCs

Now with subnet mask 255.255.255.128 we have THESE two networks:

First subnet:
192.168.10.0   >>> This is the "network IP", which is NOT usable for host PCs
192.168.10.1
192.168.10.2
192.168.10.3
192.168.10.4
192.168.10.5
...
192.168.10.125
192.168.10.126
192.168.10.127 >>> This is the broadcast IP, which is NOT usable for host PCs

Second subnet:
192.168.10.128 >>> This is the "network IP", which is NOT usable for host PCs
192.168.10.129
192.168.10.130
192.168.10.131
192.168.10.132
192.168.10.133
...
192.168.10.253
192.168.10.254
192.168.10.255 >>> This is the broadcast IP, which is NOT usable for host PCs

The subnet mask defines how big the subnet is. That means: how many client PCs will have a place in that subnetwork.

A subnet mask of 255.255.255.0 means in binary

11111111.11111111.11111111.00000000

So, what do we see? 4 blocks, divided with a ".". Each of these blocks is also called an "octet", because each block has 8 bits.

To be able to do subnet calculation, we first must understand binary calculation. Let's take the first block. The first "1" stands for 128. The second "1" stands for 64. The third "1" stands for 32. The fourth "1" stands for 16. The fifth "1" stands for 8. And so on. That means:

11111111 = 255
11110000 = 240
11100000 = 224

If we see something like "/24", that means that 24 bits are set to "1", counted from the left side.

Examples:
/16 = 255.255.0.0   = 11111111.11111111.00000000.00000000
/20 = 255.255.240.0 = 11111111.11111111.11110000.00000000

If we would take a subnet mask of 255.255.255.255, that would be

128+64+32+16+8+4+2+1 . 128+64+32+16+8+4+2+1 . 128+64+32+16+8+4+2+1 . 128+64+32+16+8+4+2+1

and in binary it would be 11111111.11111111.11111111.11111111

Calculation of a subnet mask big enough for a specified number of hosts

If they ask "create a subnet with minimum 10 host IPs", then:

1. Calculate a power of two that is at least 10.
   2^3 = 8. That is not enough.
   2^4 = 16. That is higher than 10. Good.
2. Now set the LAST 4 bits of your subnet mask to 0.
   11111111.11111111.11111111.11110000
   That is in decimal 255.255.255.240

With THIS subnet mask, you have at least 10 host IPs in the subnet, without wasting too many IP addresses.

------------------------------------------------------------
Other example

If they ask "create a subnet with minimum 70 host IPs":

1. Calculate a power of 2 that is at least 70.
   2^6 = 64. Not enough.
   2^7 = 128. That's higher than 70. Good.
2. Set the LAST 7 bits of your subnet mask to 0.
   11111111.11111111.11111111.10000000
   That is in decimal 255.255.255.128

You have a subnet mask with more than 70 host IPs.

Look here for some step-by-step examples of how to calculate subnets:
http://www.sadikhov.com/forum/index.php?showtopic=44874

------------------------------------------------------------
Calculation of the broadcast IP of a subnet

When they ask: "There is subnet 172.16.64.0/20. What is the BROADCAST ADDRESS of that subnet, dude?"

1. Step: /20 means 255.255.240.0
2. Step: Now analyze the subnet octet to find out the "network jumps".
   240 means 11110000
   The LAST of the 1s is under decimal 16 (128/64/32/16/8/4/2/1). That is our "network jump".
3. Step: Write down the network jumps:
   172.16.64.0  - 172.16.79.255
   +16
   172.16.80.0  - 172.16.95.255
   +16
   172.16.96.0  - 172.16.111.255
   +16
   172.16.112.0 - 172.16.127.255

Because the NEXT subnet in the example is 172.16.80.0, the broadcast must be 172.16.79.255, because THAT is the IP BEFORE the next subnet starts = the broadcast address.

------------------------------------------------------------
Other example of broadcast IP calculation:

If it would be 172.16.64.0/26, same procedure:
/26 means 255.255.255.192
192 is binary 11000000
The LAST 1 stands under the 64. That is in this example our "net jump".

172.16.64.0   - 172.16.64.63  <<< in this example THIS (.63) is the broadcast address of the first subnet
172.16.64.64  - 172.16.64.127
172.16.64.128 - 172.16.64.191

------------------------------------------------------------
Calculating the first and last possible IP for a host

You have network 192.168.20.32/27. The very first IP is reserved for the default gateway! What is the first and last valid IP for a host PC?

1. Step: /27 is 255.255.255.224
2. Step: 224 means 11100000. The LAST 1 is under the 32. That is our "network jump" in this example (128/64/32/16/8/4/2/1).

Valid IPs in that subnet: 192.168.20.33 - 192.168.20.62
(192.168.20.63 is NOT usable; this is the very last IP and so the BROADCAST IP.)
192.168.20.64 <<< this is the network IP of the NEXT subnet!

So, because the very first IP is reserved for the default gateway, our first host PC IP would be 192.168.20.34. The very last host PC IP would be 192.168.20.62.

###################################################################
Here are some examples of real exam questions, and step-by-step solutions:

Given that you have a class B IP address network range, which of the subnet masks below will allow for 100 subnets with 500 usable host addresses per subnet?
A. 255.255.0.0
B. 255.255.224.0
C. 255.255.254.0
D. 255.255.255.0
E. 255.255.255.224

Solution: Always the same game, like in the 5-minute course. Power of 2 that is at least 500?
2^7 = 128
2^8 = 256
2^9 = 512 >> voila!
Now set the last 9 bits of your subnet mask to "0":
11111111.11111111.11111110.00000000
That is in decimal 255.255.254.0

=====================================================================
If a host on a network has the address 172.16.45.14/30, what is the address of the subnetwork to which this host belongs?
A. 172.16.45.0
B. 172.16.45.4
C. 172.16.45.8
D. 172.16.45.12
E. 172.16.45.18

Solution: 172.16.45.14/30
/30 means 11111111.11111111.11111111.11111100
The last of the ones stands under the "4". That is our increment or network jump.
172.16.45.0  - 172.16.45.3
172.16.45.4  - 172.16.45.7
172.16.45.8  - 172.16.45.11
172.16.45.12 - 172.16.45.15
172.16.45.16 - 172.16.45.19
As we see, the IP is in the range 172.16.45.12 - 172.16.45.15. So the network address is 172.16.45.12.

=================================================
QUESTION NO: 9
Which two of the addresses below are available for host addresses on the subnet 192.168.15.19/28? (Select two answer choices)
A. 192.168.15.17
B. 192.168.15.14
C. 192.168.15.29
D. 192.168.15.16
E. 192.168.15.31
F. None of the above

Solution: /28 means 11111111.11111111.11111111.11110000
The last 1 stands under the 16. This is the increment or network jump.
192.168.15.0  - 192.168.15.15
192.168.15.16 - 192.168.15.31
192.168.15.32 - 192.168.15.47
Only A and C are IPs in the right range. E is also in the right range, but it is not usable for hosts, because it is the broadcast address. So the answer is A and C.

################################################################
------------------------------------------------------------
Calculation of wildcard masks (needed for access lists and OSPF configuration)

You have network 192.168.32.0/28. Only THIS network should be denied access to a network or server.

1. Step: calculate the wildcard mask
   /28 means 255.255.255.240
   In binary this is 11111111.11111111.11111111.11110000
   For the wildcard mask only the ZEROS are interesting: 11110000
   Add up all the fields that are set to zero (128/64/32/16/8/4/2/1): 8+4+2+1 = 15
   So the wildcard mask will be 0.0.0.15

The access list will be:

access-list 1 deny 192.168.32.0 0.0.0.15
access-list 1 permit any

Now we have to bind that access list to a router interface. In the example, this is e0:

interface e0
 ip access-group 1 out (or in!)
 exit

------------------------------------------------------------
PS. It's good to write the powers of 2 on a BIG paper:
2^2 = 4
2^3 = 8
2^4 = 16
2^5 = 32
2^6 = 64
2^7 = 128
2^8 = 256
2^9 = 512
2^10 = 1024
2^11 = 2048
2^12 = 4096
And write on that paper the numbers 128 192 224 240 248 252 254, because these are the numbers you will always need when calculating subnets. Burn them into your mind! Hang the paper in front of your eyes to never forget them. Then you will be able to calculate subnets in your head in half a second!

Isn't life easy?

Wildcard Mask

For some people, subnet calculation is real horror. After some time of learning and training, they find out that subnetting is very easy. Then these people come in touch with the "Wildcard Mask Tragedy". WHAT IS THIS? Well, did we say subnetting is easy? Wildcard mask calculation is EASIER!

Let's say we have network 100.0.0.0 with subnet mask 255.255.255.240. We want to create an ACL for this network. This WHOLE network should be denied something. For the ACL, we need the proper wildcard mask for that subnet.

The subnet mask is in binary 11111111.11111111.11111111.11110000 = 255.255.255.240
For wildcard masks, only the ZEROS are interesting. So make a simple addition (watch the last octet!): 8+4+2+1 = 15
So the wildcard mask will be 0.0.0.15

------------------------------------------------
Other example

We have network 100.0.0.0 with subnet mask 255.255.248.0
255.255.248.0 = 11111111.11111111.11111000.00000000
Zeros: 4+2+1 . 128+64+32+16+8+4+2+1
That is wildcard mask 0.0.7.255
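The "network jump" arithmetic from the subnetting, broadcast, host-range and wildcard sections above, as an added example that is not part of the original course text. The sample addresses are the ones the text works through; the only place the code goes beyond the text is prefix_for_hosts, which subtracts the network and broadcast addresses instead of using the bare power-of-two shortcut.

```python
# Added example: a small subnet calculator for the CCNA-style questions above.
# prefix -> mask -> wildcard, network/broadcast of an address, usable host
# range, and the smallest mask that fits a required number of hosts.

def mask_from_prefix(prefix: int) -> int:
    """32-bit subnet mask for /prefix: the first `prefix` bits are set to 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def to_dotted(value: int) -> str:
    """Render a 32-bit integer as dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_int(dotted: str) -> int:
    """Parse dotted decimal into a 32-bit integer, validating every octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def wildcard(prefix: int) -> str:
    """Wildcard mask = the inverted subnet mask (only the ZERO bits count)."""
    return to_dotted(~mask_from_prefix(prefix) & 0xFFFFFFFF)

def block_size(prefix: int) -> int:
    """The 'network jump' in the octet where the mask ends: 16 for /20, 64 for /26."""
    host_bits = 32 - prefix
    return 2 ** (host_bits % 8)

def subnet_info(address: str, prefix: int) -> dict:
    """Network, broadcast and usable host range of the subnet containing `address`."""
    mask = mask_from_prefix(prefix)
    network = to_int(address) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    info = {
        "mask": to_dotted(mask),
        "wildcard": wildcard(prefix),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
    }
    if prefix <= 30:
        # /31 and /32 have no separate network and broadcast address;
        # the course text only ever uses prefixes up to /30.
        info["first_host"] = to_dotted(network + 1)
        info["last_host"] = to_dotted(broadcast - 1)
        info["usable_hosts"] = broadcast - network - 1
    return info

def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix whose host part holds at least `hosts` usable addresses.
    Two addresses per subnet (network and broadcast) are not usable, hence the -2."""
    if hosts < 1:
        raise ValueError("need at least one host")
    host_bits = 2
    while 2 ** host_bits - 2 < hosts:
        host_bits += 1
        if host_bits > 30:
            raise ValueError("too many hosts for a single IPv4 subnet")
    return 32 - host_bits

if __name__ == "__main__":
    for addr, pfx in (("172.16.64.0", 20), ("192.168.20.32", 27), ("192.168.15.19", 28)):
        print(f"{addr}/{pfx}: jump {block_size(pfx)}", subnet_info(addr, pfx))
    for hosts in (10, 70, 500):
        p = prefix_for_hosts(hosts)
        print(f"{hosts} hosts -> /{p} = {to_dotted(mask_from_prefix(p))}")
```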

ROUTING
As a candidate for CCNA certification, one of the main topics is ROUTING. What is routing? What is the difference between routing and switching? Questions over questions! Here the OSI model (or TCP/IP, which is a "little" OSI model) comes into the game.

Switches only work at Layer 2 (data link layer). They don't need an IP address to do their job. Switches are only interested in MAC addresses. They learn the MAC addresses of connected PCs and write them into their MAC table. Switches can only be used to connect devices which are in the same subnet. If we want to bring traffic from one subnet to another subnet, we need a router between the subnets.

The router holds a routing table. In the routing table are entries which say over which of the router's ports a packet with a specific destination IP address has to be sent.

Read the following sentences slowly, and then read them again:
Routing protocols are used to route a routed protocol.
Routed protocols are IP or IPX.
Routing protocols are used by routers to select the best path to a destination.
Routing protocols are used to send routing information to other routers.

There are three different "types" of routing protocols:

1. Distance Vector Routing: RIP1, RIP2 and IGRP
- Advantage of RIP: RIP is simple to configure and works on all routers (compatibility).
- Disadvantage: no VLSM support, higher bandwidth waste, the metric is very simple and unintelligent.
- RIP1 and IGRP do not support VLSM (Variable Length Subnet Mask) and so do not send subnet mask information via route updates.
- Sends the entire routing table to directly connected neighbours.
- RIP uses "hop counts" as metric (for best path selection). A hop is a router in the path. If there are 5 routers on the path to a destination, and 3 routers on another path, the second route will be chosen, because it has fewer hops to the destination. The maximum hop count is 15 in RIP.
- IGRP uses "cost" as metric. The best path is selected depending on bandwidth and delay.
- The variance and traffic-share commands can be used for load balancing on IGRP.
- IGRP maximum hop count is 255.
- IGRP is proprietary; it can only be used between Cisco routers.

2. Hybrid Routing: EIGRP
- Rapid convergence
- Reduces bandwidth usage for routing updates
- Supports multiple network layer protocols (AppleTalk, IPX, IP)
- Supports VLSM
- EIGRP uses the same metrics as IGRP: delay, bandwidth, reliability and load. By default, only delay and bandwidth.
- Only EIGRP routers of the same autonomous system exchange routing updates.
- Maximum hop count is 255.
- EIGRP is proprietary, only usable between Cisco routers.

EIGRP tables:
1. Neighbour table
- Lists adjacent routers, comparable to the adjacencies database used by OSPF
- Only lists information about directly connected neighbours
2. Topology table
- Here are all route entries for all destinations that the router has learned
- Contains "feasible successors". These are backup routes, used if the "successor route" (which is the primary route) fails.
3. Routing table
- The best route from the topology table becomes the "successor route" or "primary route" and is chosen to forward traffic to destinations.

The "successor" is placed in the topology table, and also in the routing table!!! Feasible successors (backup routes) are only saved in the topology table. (ICND book page 3-101)
The selection of which feasible successor will become the new successor, if the successor fails, is done with DUAL (Diffusing Update Algorithm).

3. Link State Routing: OSPF and IS-IS
- OSPF: hierarchical system. One or more "areas" are connected to a "backbone area", which is area 0.
- Routers send link-state information to all other routers of their area.
- The link states are information about bandwidth and status of the router interfaces.
- Based on the LSAs, all routers build a topology database, which is a "model" of the entire area.
- The Dijkstra algorithm calculates the shortest path from the information in the topology database and creates the routing table.
- OSPF: hop count unlimited
- Used in huge networks
- Supports VLSM
- OSPF: usable area numbers go from <0-4294967295>

VLSM support
IGRP and RIP v1 do NOT support variable length subnet masks. That means no subnet mask information is sent to other routers via route updates. This is also called "classful" routing. RIP v2, EIGRP, OSPF and IS-IS support VLSM.

Administrative Distance
On a router, more than one routing protocol can run at the same time. The router has to decide which of the configured protocols it will believe more. That decision is made with the administrative distance. The lower the AD is, the more this route will be preferred for the selection of the best path to the destination.
0   Directly connected interface
1   Static route
90  EIGRP
100 IGRP
110 OSPF
120 RIP

How to configure...

1. RIP
router rip
 network 132.43.54.0
 network 145.65.76.0
The network command defines the networks hosted by THIS router, depending on the IP of the router interfaces. Networks of the other RIP routers will be learned by RIP updates.

2. IGRP
router igrp 33
 network 134.43.54.0
 network 143.56.76.0
The 33 is the number of the autonomous system. Only IGRP routers from the same AS exchange routing updates.

3. EIGRP
router eigrp 33
 network 172.16.0.0
 network 10.0.0.0

4. OSPF
router ospf 1
 network 132.43.56.0 0.0.0.255 area 0
 network 145.54.34.6 0.0.63.255 area 0
The 1 is the process number, which is only locally significant. If there is more than one area, each representing a "part" of the hierarchy, all areas must be connected to the backbone area.

5. Static route
ip route 143.45.5.0 255.255.255.0 154.43.45.4 << this is the IP of the NEXT-hop router interface over which the network 143.45... is reachable
or
ip route 143.45.5.0 255.255.255.0 s0 << this is the LOCAL router interface over which the network 143... is reachable

6. Default route or gateway of last resort
ip route 0.0.0.0 0.0.0.0 143.45.65.6 <<< remote IP of the next-hop router interface
or
ip route 0.0.0.0 0.0.0.0 s0 <<< local interface s0 on that router
Means: route all packets for which there are NO routes in the routing table over THIS interface.

Troubleshooting:
To see in real time what a routing protocol is doing, enter the command debug ip ospf
To see the entries in the routing table, use the command show ip route
Check all active routing protocols with the command show ip protocols

Route Summarization
RIPv1 and IGRP: these protocols do auto-summary to the classful network, which means if you try to add a network of 10.1.1.1 it will auto-summarize to 10.0.0.0. You can't turn off this auto-summary in RIPv1 and IGRP. You can turn it off on RIPv2 and EIGRP. OSPF and IS-IS do not auto-summarize.

Note: Classful routing protocols (RIPv1 and IGRP) automatically summarize routes on the classful network boundary and do not support summarization on any other bit boundaries. Classless routing protocols support summarization on any bit boundary.

Route Summarization Calculation example

Suppose you have these networks attached to your router, like different LANs:
172.16.12.0/24
172.16.13.0/24
172.16.14.0/24
172.16.15.0/24

1) First step: convert everything to binary
10101100.00010000.00001100.00000000 --> 172.16.12.0
10101100.00010000.00001101.00000000 --> 172.16.13.0
10101100.00010000.00001110.00000000 --> 172.16.14.0
10101100.00010000.00001111.00000000 --> 172.16.15.0

2) Second step: locate the bits up to which all the bits are equal. What do I mean by this?
10101100.00010000.00001100.00000000 --> 172.16.12.0
10101100.00010000.00001101.00000000 --> 172.16.13.0
10101100.00010000.00001110.00000000 --> 172.16.14.0
10101100.00010000.00001111.00000000 --> 172.16.15.0
^^^^^^^^ ^^^^^^^^ ^^^^^^                <-- the equal bits
As you can see, all the bits are equal up to the 6th bit of the 3rd octet (the equal bits are marked above). Now that you have found this, we go to step 3.

3) Third step: count those bits; the subnet mask length will be the number of common bits. You get the summary route number by doing an AND operation like this:
10101100.00010000.00001100.00000000 --> 172.16.12.0
10101100.00010000.00001101.00000000 --> 172.16.13.0
10101100.00010000.00001110.00000000 --> 172.16.14.0
10101100.00010000.00001111.00000000 --> 172.16.15.0
-----------------------------------
10101100.00010000.00001100.00000000
And there you go: 172.16.12.0 if you convert that number to decimal. So in simple words, the masked portion is the summarized address, so the answer is 172.16.12.0/22.

Well, I think this is all you need to know about summarizing. If anyone finds any mistake in my explanation they are welcome, but I'm pretty sure it's like this.
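The three summarization steps above in code, as an added example (not from the original post). It generalizes the text's single instance: inputs carry their own prefix length, the summary never becomes longer than the shortest input prefix, and a second function reports how much address space a summary advertises beyond what the input networks actually cover (assuming the inputs do not overlap).

```python
# Added example: compute a summary route from a list of CIDR networks,
# following the steps in the text: binary, count common leading bits, AND.

def to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary(value: int) -> str:
    """Dotted binary, the way step 1 in the text writes it."""
    return ".".join(f"{(value >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))

def mask_bits(prefix: int) -> int:
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF if prefix else 0

def parse_cidr(cidr: str) -> tuple:
    """'172.16.12.0/24' -> (address as int, prefix length); bare address = /32."""
    addr, _, plen = cidr.partition("/")
    prefix = int(plen) if plen else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {cidr}")
    return to_int(addr), prefix

def common_prefix_length(addresses: list) -> int:
    """Step 2: number of leading bits on which all addresses agree."""
    first = addresses[0]
    for bit in range(32):
        shift = 31 - bit
        if any(((a >> shift) & 1) != ((first >> shift) & 1) for a in addresses):
            return bit
    return 32

def summarize(cidrs: list) -> str:
    """Step 3: AND the networks with the common mask and attach the bit count.
    The summary cannot be more specific than the least specific input."""
    if not cidrs:
        raise ValueError("nothing to summarize")
    parsed = [parse_cidr(c) for c in cidrs]
    networks = [addr & mask_bits(plen) for addr, plen in parsed]
    bits = min(common_prefix_length(networks), min(plen for _, plen in parsed))
    return f"{to_dotted(networks[0] & mask_bits(bits))}/{bits}"

def overclaimed_addresses(cidrs: list) -> int:
    """Addresses the summary advertises that no input network contains.
    Assumes the inputs do not overlap each other (true for distinct LANs)."""
    _, summary_bits = parse_cidr(summarize(cidrs))
    covered_by_inputs = sum(2 ** (32 - plen) for _, plen in map(parse_cidr, cidrs))
    return 2 ** (32 - summary_bits) - covered_by_inputs

if __name__ == "__main__":
    lans = ["172.16.12.0/24", "172.16.13.0/24", "172.16.14.0/24", "172.16.15.0/24"]
    for c in lans:
        print(to_binary(parse_cidr(c)[0]), "-->", c)
    print("summary:", summarize(lans), "overclaimed:", overclaimed_addresses(lans))
```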

EIGRP
Here is a short tutorial on EIGRP for the CCNA. You can use it to revise; it covers most of the stuff on the exam.

********* EIGRP *********
Advantages
1. Fast convergence
2. Loop-free topology
3. VLSM support
4. Multicast updates
5. Multiple routed protocols

******** IGRP vs. EIGRP *****
Similarities
1. Load balancing across 6 paths (min 4 paths)
2. Similar metric structure
3. Automatic redistribution occurs when the same AS number is used for EIGRP and IGRP

Differences
   IGRP                                   EIGRP
1. Classful                               Classless
2. Metric = 10^7/BW                       Metric = 10^7/BW * 256
   Delay = delay/10                       Delay = delay/10 * 256
   24-bit metric for BW and delay         32-bit metric
3. Max hop count = 255                    Max hop count = 224, default = 100
4. No difference between internal         Outside routes are redistributed and
   and external routes                    tagged as external routes
5. AD = 100                               AD = 90 for internal EIGRP, 170 for external EIGRP

********** Metric *******
k1 for bandwidth = 1
k2 for load = 0
k3 for delay = 1
k4 and k5 for reliability = 0
metric = BW + delay

************* EIGRP terminology **************
1. Neighbor table
Each EIGRP router maintains a neighbor table that lists adjacent routers. This table is comparable to the adjacency database used by OSPF. There is a neighbor table for each protocol that EIGRP supports.
2. Topology table
Every EIGRP router maintains a topology table for each configured network protocol. This table includes route entries for all destinations that the router has learned. All learned routes to a destination are maintained in the topology table.
3. Routing table
EIGRP chooses the best routes to a destination from the topology table and places these routes in the routing table. Each EIGRP router maintains a routing table for each network protocol.
4. Successor
A successor is a route selected as the primary route to use to reach a destination. Successors are the entries kept in the routing table. Multiple successors for a destination can be retained in the routing table.

5. Feasible successor
A feasible successor is a backup route. These routes are selected at the same time the successors are identified, but are kept in the topology table. Multiple feasible successors for a destination can be retained in the topology table.

*************** EIGRP neighbor adjacency ***********
EIGRP routers establish adjacencies with neighbor routers by using small hello packets. Hellos are sent every 5 seconds by default. K values must be the same between neighbors. An EIGRP router assumes that, as long as it is receiving hello packets from known neighbors, those neighbors (and their routes) remain viable.
Hold time tells the router how long it should consider the neighbor alive if it has not received any EIGRP packets (hello, EIGRP updates, etc.). Hold time is normally three times the configured hello interval. Both the hello and hold time intervals are configurable on a per-interface basis, and do not have to match the neighbor's.
EIGRP routers exchange routing information the same way as other distance vector routing protocols, but do not send periodic updates. EIGRP updates are only sent when a network is added to or removed from the topology database, when the successor for a given network changes, or when the locally used metric is updated. (later)
EIGRP, like any other distance-vector routing protocol, uses split horizon.
By forming adjacencies, EIGRP routers do the following:
- Dynamically learn of new routes that join their network
- Identify routers that become either unreachable or inoperable
- Rediscover routers that had previously been unreachable

A neighbor meets the feasibility condition (FC) if the distance reported by the neighbor is smaller than or equal to the current feasible distance (FD) of this router.

*********** If the successor fails ****************
Feasible successor exists: If the current successor route fails, the feasible successor becomes the current successor, i.e. the current route. Routing of packets continues with little delay.
No feasible successor exists: This may be because the reported distance is greater than the feasible distance. Before this route can be installed, it must be placed in the active state and recomputed. (later) Routing of packets continues, but with more of a delay.

If a feasible successor does not exist:
1. The router flags the route as active.
2. The router looks for an alternate path by sending out a query packet to all neighbors to learn if they have a path to the given destination. The query packets are multicast out every interface except the one on which the dead link was learned, adhering to the split horizon rule.
4. When the querying router receives replies, it reacts based on the answer in the reply:
- If the reply included a successor or feasible successor, the information is put into its topology table, and the querying router waits until all replies are received. It then recalculates the topology table and adds the successor(s) to the routing table. The route returns to a passive state in the topology table and routing can continue.
- If none of the replies includes a successor or feasible successor, the querying router removes the active route from its topology table and routing table.
If a neighbor router to which a query is sent does not reply within the active time of 180 seconds, EIGRP tears down the neighbor relationship with the offending router and puts routes learned from that router into an active state.

*************** EIGRP packet types ************
1. Hello
2. Ack
3. Update
4. Query
5. Reply

******** Config EIGRP ***********
Router(config)#router eigrp autonomous-system-number
This value must match on all routers within the internetwork.
Router(config-router)#network network-number
The network command configures only connected networks.
Router(config-if)#bandwidth kilobits
When configuring serial links using EIGRP, it is important to configure the bandwidth setting on the interface. If the bandwidth setting is not changed for these interfaces, EIGRP assumes the default bandwidth on the link instead of the true bandwidth.
EIGRP automatically summarizes routes at the classful boundary, the boundary where the network address ends as defined by class-based addressing. In the presence of discontiguous subnetworks, automatic summarization must be disabled for routing to work properly. To turn off auto-summarization, use the following command:
Router(config-router)#no auto-summary
Manual summary per interface:
Router(config-if)#ip summary-address eigrp autonomous-system-number ip-address mask administrative-distance
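The metric formula from the IGRP vs. EIGRP table and the feasibility condition from the "If the successor fails" section, as an added example that is not part of the tutorial. The neighbor set (R2, R3, R4 with their reported distances and link costs) is constructed for illustration; the feasibility test uses the strict "reported distance < FD" form that Cisco's DUAL documentation gives, slightly tighter than the "smaller than or equal" wording above.

```python
# Added example: EIGRP composite metric (default K values) and DUAL's choice of
# successor / feasible successors, plus what happens when the successor is lost.

def eigrp_metric(min_bandwidth_kbps: int, total_delay_us: int) -> int:
    """Metric with the default K values (k1 = k3 = 1, k2 = k4 = k5 = 0):
        metric = 256 * (10^7 / min bandwidth in kbps + sum of delay in us / 10)
    IOS truncates both divisions to integers, which is reproduced here."""
    if min_bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    return 256 * (10_000_000 // min_bandwidth_kbps + total_delay_us // 10)

def dual_select(neighbors: dict) -> dict:
    """neighbors maps a neighbor name to (reported_distance, link_cost):
    reported_distance = the neighbor's own metric to the destination,
    link_cost = metric of the link from this router to that neighbor.
    Returns the successor, the feasible distance (FD) and the backups."""
    if not neighbors:
        raise ValueError("no neighbor advertises the destination")
    totals = {name: rd + cost for name, (rd, cost) in neighbors.items()}
    successor = min(totals, key=totals.get)
    fd = totals[successor]
    # Feasibility condition: the neighbor's reported distance must be below our
    # FD, which guarantees its path cannot come back through this router (no loop).
    feasible = sorted(name for name, (rd, _) in neighbors.items()
                      if name != successor and rd < fd)
    rejected = sorted(name for name in neighbors
                      if name != successor and name not in feasible)
    return {"successor": successor, "fd": fd,
            "feasible_successors": feasible, "not_feasible": rejected}

def successor_failed(neighbors: dict, failed: str) -> tuple:
    """What DUAL does when a neighbor's route is lost: if it was the successor and
    a feasible successor exists, promote the best one (route stays passive);
    with no feasible successor the route goes active and queries are sent."""
    current = dual_select(neighbors)
    if failed != current["successor"]:
        return ("passive", current["successor"])  # losing a backup changes nothing
    backups = {n: v for n, v in neighbors.items() if n in current["feasible_successors"]}
    if backups:
        return ("passive", dual_select(backups)["successor"])
    return ("active", None)

if __name__ == "__main__":
    # Constructed neighbors: R4 has a finite path but its reported distance (40)
    # is not below the FD (30), so it is not a feasible successor.
    neighbors = {"R2": (20, 10), "R3": (25, 10), "R4": (40, 5)}
    print(dual_select(neighbors))
    print("R2 lost:", successor_failed(neighbors, "R2"))
    print("T1 link metric:", eigrp_metric(1544, 20000))
```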

************ EIGRP show and debug commands *********************
1. show ip protocols: shows metrics; maximum hop count (default 100); metric variance (1); AS number; whether auto-summarization is in effect; interfaces participating in EIGRP; and AD
2. show ip route: EIGRP routes are marked with D; AD/metric; neighbor and interface on which the update was received
3. show ip eigrp neighbor: shows the AS number and, per neighbor:
   Address: the neighbor's address
   Interface: local interface on which updates are being received
   Hello: time left until the next hello
   SRTT: time to send a request and receive the update
   RTO: time to wait before retransmitting
   Q count: number of hellos for which a reply is awaited
   Seq: sequence number of the packet sent
4. show ip eigrp topology: shows if learnt routes are in active or passive state; the number of successor and feasible successor routes for a particular network; the feasible distance and the reported (advertised) distance of each route
5. show ip eigrp traffic: shows the number of hellos, acks, replies, updates and queries sent and received
6. debug ip eigrp: shows all updates sent and received

ACCESS LISTS

Access Lists (ACL) knowledge needed for the Cisco CCNA exam ... just a fast overview

With access lists, you can filter traffic on your Cisco router. It filters only traffic coming into or going through your router. It does not filter traffic which originates from the router. It's a kind of "firewall" feature. You can permit or deny traffic from or to a network or host, and can filter on specific ports. It's usable for "basic" security. For complex firewall settings, better use a "real" firewall, because too much filtering can make the device slower: each packet has to be checked, and the more rules are configured, the more the CPU of the router has to work.

There are two kinds of access lists on Cisco routers:
1. Standard ACLs
- Numbered from 1-99 (and some higher ranges)
- Filter ONLY on SOURCE IP
- Needed to permit or deny a single source IP or source network access to another network or host
2. Extended ACLs
- Numbered from 100-199 (and some higher ranges)
- Filter on source IP and protocols and ports/applications
- Needed to filter only traffic from a specified host or network with specified protocols and ports

ACLs can be identified by numbers or by names. For named ACLs, see this link for more information:

http://www.cisco.com/univercd/cc/td/doc/product/l3sw/4908g_l3/ios_12/10w518e/config/acl_cnfg.htm#63407

Handling of access lists

1. Configure some statements.

Example 1: Deny HTTP and Telnet access from a network to a host
access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 80
access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 23
access-list 100 permit ip any any

Example 2: Deny complete IP access from a network
access-list 1 deny 143.43.43.0 0.0.0.255
access-list 1 permit any

Example 3: Deny ping from a network to a host
access-list 101 deny icmp 132.43.4.0 0.0.0.255 host 145.52.54.9
access-list 101 permit ip any any

2. ALL the statements build ONE access list. Bind the ACL to an interface with the command "ip access-group <acl-number> <in or out>":

interface e0
 ip access-group 101 in

Rules

1. "Last" deny statement of every ACL
At the end of EVERY access list there is an invisible "access-list deny ip any any" statement. That's why we have to use the "access-list <nr> permit ip any any" statement at the end of OUR ACL.

2. From first to last
When filtering packets, the router checks the statements of the ACL from the first to the last. When a statement is found to be true, the following statements are not checked anymore.
Example:
access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 80
access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 23
access-list 100 permit ip any any
If a host with IP 143.43.43.6/24 would try to access the web server 132.32.32.4, it would be denied because of the first statement. The second and third statements would not be checked in that case. If the same host would try to access the Telnet port of the web server, then the first statement would be checked. Because it is NOT port 80 which the host wants to reach, the second statement would be checked. The second statement denies Telnet, and the host would not access the web server via Telnet.

3. Placement of ACLs
Put standard ACLs close to the destination host or network which has to be protected.
Put extended ACLs close to the source hosts or network from where the traffic originates.

4. You can put ONE ACL per interface, per protocol, per direction
You can't bind more than one ACL to an interface per direction (incoming or outgoing).

5. Single statements of an ACL can NOT be deleted
If you have to change or delete a single statement, you have to delete the whole ACL and write a new one. Only in named access lists is it possible to change or delete single statements of the ACL.

6. Different terms for different usage
There are different terms which can confuse:
access-group  Used to bind an access list to an interface
access-class  Used to deny or permit Telnet access to a router vty line

7. Syntax of an extended ACL
access-list <number> <permit or deny> <protocol> <source> <wildcard> <destination> <wildcard> eq <portnumber or application>

8. Syntax of a standard ACL
access-list <number> <permit or deny> <source> <wildcard>
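The first-match rule and the invisible final deny, as an added example that is not part of the original overview: a small parser for the numbered standard and extended syntax of rules 7 and 8, replaying the rule-2 packets (HTTP and Telnet from 143.43.43.6 to 132.32.32.4) against access-list 100. The packets and the short port-name table are constructed for this example.

```python
# Added example: evaluate packets against a Cisco-style numbered ACL,
# top to bottom, first match wins, implicit "deny ip any any" at the end.

ACL_100 = """
access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 80
access-list 100 deny tcp 143.43.43.0 0.0.0.255 132.32.32.4 0.0.0.0 eq 23
access-list 100 permit ip any any
"""

PROTOCOLS = ("ip", "tcp", "udp", "icmp")
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}
ANY = (0, 0xFFFFFFFF)          # address 0.0.0.0 with wildcard 255.255.255.255

def to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def parse_target(tokens: list, i: int) -> tuple:
    """One address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'.
    Returns ((address, wildcard), index of the next token)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (to_int(tokens[i + 1]), 0), i + 2
    return (to_int(tokens[i]), to_int(tokens[i + 1])), i + 2

def parse_acl(text: str) -> list:
    """Parse 'access-list <n> <permit|deny> ...' lines in the order written."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"unrecognised ACL line: {line}")
        if t[3] in PROTOCOLS:                 # extended syntax (rule 7)
            proto = t[3]
            src, i = parse_target(t, 4)
            dst, i = parse_target(t, i)
        else:                                 # standard syntax (rule 8): source only
            proto = "ip"
            src, i = parse_target(t, 3)
            dst = ANY
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append({"number": t[1], "action": t[2], "proto": proto,
                        "src": src, "dst": dst, "dport": port})
    return entries

def matches(address: int, spec: tuple) -> bool:
    """Wildcard match: only the bits where the wildcard is 0 have to be equal."""
    net, wc = spec
    care = ~wc & 0xFFFFFFFF
    return (address & care) == (net & care)

def evaluate(acl: list, proto: str, src_ip: str, dst_ip: str, dst_port=None) -> tuple:
    """Return (action, 1-based index of the matching line) or ('deny', None)
    when no line matched, which is the invisible deny at the end of every ACL."""
    src, dst = to_int(src_ip), to_int(dst_ip)
    for index, e in enumerate(acl, start=1):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not matches(src, e["src"]) or not matches(dst, e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != dst_port:
            continue
        return e["action"], index           # first match wins; later lines are never seen
    return "deny", None

if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    for port in (80, 23, 443):              # constructed packets from the rule-2 host
        print(f"143.43.43.6 -> 132.32.32.4:{port}", evaluate(acl, "tcp", "143.43.43.6", "132.32.32.4", port))
```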

NAT
To have a public IP-Address costs money. To have a whole public subnet, costs more money. So companys with little money but clever admins can use a technic, which helps them to use less public IP-Addresses, but make it possible for lots of clients to connect to the Internet. This technic is called NAT or Network Address Translation. As the name says, an Network Address (IP-Address) is been translated to another address. Mostly, a private IP-Address (172.16.X.X or 196.168.X.X) is translated in a public IP which the company

19
gets from an ISP and pays for the public IP or IPs. There are some terms which must be understanded before going deeper in that material. Its necessary for CCNA Certification to differ between them. Inside local address A private IP Address, not useable in the Internet. Inside global address A public IP address in the inside network. Outside local address A IP on the outside of the network, as its seen by an inside host. Not necessarily public address. Outside global address A IP address in the outside network, which is a public address. There are three forms of NAT Static NAT ONE private IP is translated to ONE public IP. Allways the same private IP is mapped to the same public IP. Dynamic NAT A private IP is mapped to a public IP, which is from a pool of public IPs. It must not allways be the same privat IP, which is mapped to a specific public IP. This is selected dynamically. Overloading Many private IPs are mapped to one public IP. This is also known as PAT (Port Address Translation). Its a Form of dynamic NAT. A private IP establishes a connection, for example is source port 2353. The pakets come to the router. The router translates the IP to a public IP. The router writes the Information about source IP and source Port into its NAT Table. When the answer Pakets arrive from Internet the router again checks its NAT Table and translates the pakets back to the private IP from where the requesting pakets did origin, depending on the port entry in NAT Table. 
Configuration commands

Static NAT:

    router(config)#ip nat inside source static local-ip global-ip
    router(config)#interface fa0/4
    router(config-if)#ip nat inside          <<< interface on the inside network
    router(config-if)#exit
    router(config)#interface s0
    router(config-if)#ip nat outside         >>> interface on the outside network

Dynamic NAT:

    router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
    router(config)#access-list acl-number permit source-IP [source-wildcard]
    router(config)#ip nat inside source list acl-number pool name
    router(config)#interface fa0/4
    router(config-if)#ip nat inside
    router(config-if)#exit
    router(config)#interface s0
    router(config-if)#ip nat outside

Overloading:

    router(config)#access-list acl-number permit source-IP source-wildcard
    router(config)#ip nat inside source list acl-number interface interface overload
    router(config)#interface fa0/4
    router(config-if)#ip nat inside
    router(config-if)#exit
    router(config)#interface s0
    router(config-if)#ip nat outside

You had to bring this one up, didn't you! This whole inside/outside stuff turns you upside down. Cisco also has a little "dynamic NAT Flash animation" and an explanation of the process on their web site, "How NAT works": h**p://www.cisco.com/warp/public/556/nat-cisco.shtml

DHCP
DHCP is needed everywhere a device has to get an IP address automatically to be able to communicate with other devices.

How can the client find a DHCP server?

When a PC boots up and has no static IP address set, it will "look up" an IP address. The PC will try to discover a DHCP server on the local subnet (DHCPDISCOVER) via a broadcast message. Which broadcast IP address will the PC use for that? 192.168.255.255? NOT AT ALL! The PC at that moment DOES NOT KNOW which network or subnetwork is in use on the local network, so the PC also cannot know what the broadcast IP of that network is! So the PC sends out DHCP Discover packets via broadcast to the address 255.255.255.255 (carried in a frame to the broadcast MAC FF-FF-FF-FF-FF-FF). That broadcast will reach ALL devices in the local network. If there is a DHCP server on the local network, it may answer with a DHCP Offer and offer a free and valid IP address to the client. But the DHCP server can do much more - it will offer the whole network configuration to the client if configured, including DNS server IPs, WINS server IPs, DHCP lease time, default gateway and (if configured and needed) also several other options, depending on the goal and need.

DHCP is very powerful; you can also use vendor classes and/or user classes to configure some special attributes needed for any purpose. With user classes you can give a command on a client PC, and according to that command the DHCP server will provide a "special configuration" to all clients which have this command set, as they send special request attributes to the DHCP server in the DHCP Discover packets.

Which ports does DHCP use?

The DHCP server "listens" on port UDP 67. The DHCP client receives DHCP offers on port UDP 68. So the source port of the DHCP Discover is UDP 68 (client) and the destination port is UDP 67 (DHCP server listener port). The DHCP server answers the Discover with source port UDP 67 (DHCP server) and destination port UDP 68 (client).

Which DHCP messages exist?

DHCPDISCOVER: The client sends DHCP Discover packets into the local subnet to ask ANYONE on the local subnet for an IP address.
DHCPOFFER: The DHCP server "offers" an IP and some other options to requesting clients.
DHCPREQUEST: The client, after it has received a valid IP address from a DHCP server, sends a DHCP Request as broadcast to the local subnet to "inform" any other existing DHCP servers that it has an IP and does not need another one. That DHCP Request contains the IP of the DHCP server which provided the IP to the client. These other DHCP servers will withdraw any offers they might have made to the client.
DHCPACKNOWLEDGEMENT: Finally, the DHCP server which provided the IP to the client will provide some additional information to the client, if configured, for example the lease time etc.

What if there is more than one DHCP server in the local network?

But what if there is ANOTHER DHCP server in the local net? How does our client know the RIGHT and legitimate DHCP server? Well - the client will take ANY DHCP offer it gets! So if you have 3 DHCP servers in your local LAN, the FIRST DHCP server (or the fastest...) will be the one which gives an IP address to the client. So "illegal" DHCP servers can seriously disturb a network! To prevent "illegal" DHCP servers from disturbing the network, there are several techniques:

1. configure DHCP Snooping on the switches to allow DHCP offers ONLY on configured and allowed uplink ports, or
2. use DHCP classes (user class or vendor class) so that only DHCP offers which fit the class and configuration will be accepted by the client, or
3. if you find a user who provides illegal DHCP services, nail him on a cross so that the other users are warned...

What if the DHCP server is located on another subnetwork?

Oops! As clients use broadcasts to get an IP from the DHCP server, and broadcasts are normally NOT forwarded by routers, how can the client get an IP from the DHCP server?
Well, that's what "DHCP Relay Agents" are designed for. A DHCP Relay Agent is a device on the local subnet which "collects" DHCP Discover broadcasts and encapsulates them in a unicast message which can be forwarded to the DHCP server in another subnet. We can also use so-called "ip helpers" on Cisco devices; that is the same function as a DHCP relay agent.

What if the DHCP server is unreachable?

Well, all the clients which got an IP address from the DHCP server while it WAS still reachable will still be able to communicate with other devices. When HALF of the DHCP lease time is over, a client contacts the DHCP server again to renew the lease. If the DHCP server is not reachable, the client holds the given IP till the lease time is over. When the DHCP lease time on the client expires - then it's FINITO! The client loses its IP configuration.

Windows PCs have a feature called APIPA (Automatic Private IP Addressing). When a Windows client cannot get an IP from a DHCP server, the OS provides the client with an IP from the Microsoft IP range 169.254.X.X. The Windows clients on the network "negotiate" with each other so that no other PC on the local subnet gets the same IP from this 169.254 range. So the Windows clients will still be able to communicate - but only with other clients in the local subnet which also got an IP from the 169.254 range automatically.

How to configure redundant DHCP service on the LAN?

Nothing easier than this! Install and configure your DHCP server. When it's ready, just duplicate the DHCP server. You only have to "split" the DHCP scope ranges so that both DHCP servers cannot offer the SAME IP address to different clients, otherwise you will get IP conflicts! So, the first DHCP server could provide the IP range 192.168.1.1 - 192.168.127.254 and the second DHCP server could provide the IP range 192.168.128.1 - 192.168.255.254 to the clients (for example...).
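The Discover/Offer/Request/Acknowledgement exchange and the DHCP snooping defence described above, as an added example that is not part of the original notes: a rogue server on an access port answers first, and only the "offers ONLY on trusted uplink ports" rule stops the client from binding to it. The message-type values and UDP ports are the real DHCP ones; the switch port names, addresses and the rogue server are constructed sample data.

```python
"""DHCP DORA exchange with a DHCP-snooping style filter (added example,
not from the original notes). Message-type values and the UDP ports are
the real DHCP ones; the switch port names, addresses and the rogue server
are constructed sample data."""
from dataclasses import dataclass
from typing import Set

# DHCP option 53 message-type values
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_PORT, CLIENT_PORT = 67, 68          # UDP ports used by DHCP
LIMITED_BROADCAST = "255.255.255.255"      # the client does not know its subnet yet


@dataclass
class DhcpMsg:
    msg_type: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ingress_port: str      # switch port on which the frame arrived
    server_id: str = ""    # option 54: which server is offering / was chosen


def snooping_allows(msg: DhcpMsg, trusted: Set[str]) -> bool:
    """Decide whether a DHCP-snooping switch forwards the message.
    Server-originated messages are accepted only on trusted (uplink) ports,
    which implements 'DHCP offers ONLY on configured and allowed uplink ports'."""
    if msg.msg_type in (OFFER, ACK, NAK):
        return (msg.ingress_port in trusted
                and msg.src_port == SERVER_PORT and msg.dst_port == CLIENT_PORT)
    if msg.msg_type in (DISCOVER, REQUEST):
        return msg.src_port == CLIENT_PORT and msg.dst_port == SERVER_PORT
    return False


def run_exchange(trusted: Set[str]) -> dict:
    """Run a DORA exchange where a rogue server on access port fa0/7 answers
    faster than the legitimate server behind uplink gi0/1. Returns the server
    the client ends up bound to, and how many offers reached it."""
    client_port = "fa0/5"
    discover = DhcpMsg(DISCOVER, "0.0.0.0", LIMITED_BROADCAST,
                       CLIENT_PORT, SERVER_PORT, client_port)
    if not snooping_allows(discover, trusted):
        return {"bound_to": None, "offers_seen": 0}
    offers = [
        # the rogue answers first: "the FIRST DHCP (or the fastest..) wins"
        DhcpMsg(OFFER, "192.168.1.66", LIMITED_BROADCAST, SERVER_PORT, CLIENT_PORT,
                "fa0/7", server_id="192.168.1.66"),
        DhcpMsg(OFFER, "192.168.1.1", LIMITED_BROADCAST, SERVER_PORT, CLIENT_PORT,
                "gi0/1", server_id="192.168.1.1"),
    ]
    seen = [o for o in offers if snooping_allows(o, trusted)]
    if not seen:
        return {"bound_to": None, "offers_seen": 0}
    chosen = seen[0]                       # the client takes the first offer it gets
    # REQUEST is broadcast so the other servers can withdraw their offers
    request = DhcpMsg(REQUEST, "0.0.0.0", LIMITED_BROADCAST, CLIENT_PORT, SERVER_PORT,
                      client_port, server_id=chosen.server_id)
    ack = DhcpMsg(ACK, chosen.src_ip, LIMITED_BROADCAST, SERVER_PORT, CLIENT_PORT,
                  chosen.ingress_port, server_id=chosen.server_id)
    bound = snooping_allows(request, trusted) and snooping_allows(ack, trusted)
    return {"bound_to": chosen.server_id if bound else None, "offers_seen": len(seen)}
```

Calling `run_exchange` with every port trusted models a switch without snooping, where the rogue wins; with only the uplink trusted the client binds to the legitimate server.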

VLANS
VLANs are used to break the limits of a "normal" network. VLANs are virtual subnets or broadcast domains. Normally, you have a router in the middle, and some switches are connected to the router interfaces. Each of these switches is ONE broadcast domain or subnet. With VLAN technology, you can assign each of the switch ports to be in another broadcast domain or subnet. So you can put ports in one broadcast domain logically, for logical reasons and not because of physical reasons. So people in different buildings can be in ONE broadcast domain or subnet, regardless of the physical layout of the network.

To be able to send packets from one VLAN to another, there MUST be routing between them. On Cisco routers, you do this by creating subinterfaces and binding a different VLAN to each subinterface. Another way to do it is to give the VLANs IP addresses and route between them. The logical IP address of the subinterface or the VLAN is the default gateway for the clients whose PC is connected to a switch port which is configured as an access port and bound to one of these VLANs or subnets.

Creating VLANs and bringing Layer 3 into the game...

Create some VLANs (with the "vlan database" command, or on newer switches with the "vlan xy" command):

    vlan database
    vlan 2 name stuff

or, if there is no "vlan database":

    vlan 2 name stuff
    vlan 3 name testnet
    vlan 4 name office

To create a subinterface on a router interface, use the command:

    interface FastEthernet0/1.1
    ip address 154.55.1.1 255.255.255.0
    no shutdown
    interface FastEthernet0/1.2
    ip address 154.55.2.1 255.255.255.0
    no shutdown
    interface FastEthernet0/1.3
    ip address 154.55.3.1 255.255.255.0
    no shutdown

To bind a specific VLAN to a specific subinterface, use the command:

    interface FastEthernet0/1.1
    encapsulation dot1q 1
    interface FastEthernet0/1.2
    encapsulation dot1q 2
    interface FastEthernet0/1.3
    encapsulation dot1q 3

The command "encapsulation dot1q" means that 802.1Q tagging will be used. Instead of 802.1Q you could also use ISL, if you only use Cisco devices. ISL is a Cisco-proprietary protocol and cannot be used on most other vendors' network devices. 802.1Q is a standard which is supported by most other vendors' network devices. Some older Cisco devices only support ISL. They are not usable in a multi-vendor network if network-wide VLANs are needed.

To make it possible for packets from one VLAN to reach another VLAN, configure some routes. But normally they will be created automatically, because - hey, this is a router! For the router, if IP routing is enabled, the VLANs with IP addresses are like virtual interfaces, and the routes are automatically added to the routing table.

    ip route 154.55.1.0 255.255.255.0 FastEthernet0/1.1
    ip route 154.55.2.0 255.255.255.0 FastEthernet0/1.2
    ip route 154.55.3.0 255.255.255.0 FastEthernet0/1.3

To configure a switch port to be in a specific VLAN, use the command:

    interface fa0/24
    switchport mode access
    switchport access vlan 3

So each PC which is connected to switch port 24 will automatically be in VLAN 3. In our example, the PC which is connected to that port must have an IP from the subnet 154.55.3.0/24, and the gateway of the PC will be 154.55.3.1. Though a normal PC cannot understand VLANs, it can communicate over that port. The reason is simple - on an access port, the "VLAN ID" tag is removed from each packet which passes the interface.

There is also another way to configure routing between VLANs. You can give a VLAN an IP address and use a routing protocol, in the example RIP, to route between different VLANs.
    Router#configure terminal
    Router(config)#ip routing
    Router(config)#router rip
    Router(config-router)#network 10.0.0.0
    Router(config-router)#network 20.0.0.0
    Router(config-router)#interface vlan 10
    Router(config-if)#ip address 10.1.1.1 255.0.0.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#interface vlan 20
    Router(config-if)#ip address 20.1.1.1 255.0.0.0
    Router(config-if)#no shutdown
    Router(config-if)#exit

So for VLAN 10, the default gateway for the clients in this VLAN will be 10.1.1.1. For VLAN 20, the default gateway is 20.1.1.1. With RIP routing in the example, packets from VLAN 10 will be able to get to VLAN 20, and back.

What is tagging?

To make a network device able to tell apart the packets which belong to different VLANs, there must be "tagging". If you use only ONE VLAN, you don't need tagging, because there is nothing you have to tell apart. When you start to create and use more than one VLAN, you have to decide which VLANs' packets should be tagged. Tagging is nothing else but putting an extra tag into each of the packets. This tag contains the "VLAN ID". It's like "marking" the packets with colours: VLAN 2 could be green, VLAN 3 could be red and so on.

What is a trunk?

To make it possible for network devices to bring VLAN packets from one device to another, the uplink ports between the devices must be configured as "trunk ports". Between the devices, a "trunk" must be established. Use these commands to configure a trunk port and define the native VLAN on that port:

    interface fa0/1
    switchport mode trunk
    switchport trunk encapsulation dot1q     (or isl)
    switchport trunk native vlan 1

You can imagine a trunk as a "bridge" which can carry the packets of multiple VLANs to another device. It is important that on each end of the trunk the same VLAN is configured as the native VLAN. The native VLAN (or default VLAN) is the VLAN whose packets are NOT tagged. All other VLANs MUST be tagged, or the devices will not be able to tell them apart. You don't have to enter a special command to select which VLAN has to be tagged. You can only select which VLAN's packets will NOT be tagged.
You do this by using the command

    switchport trunk native vlan 1

That means the packets from VLAN 1 which pass this interface will NOT contain a VLAN ID. All packets from the other VLANs used on that device will be tagged automatically. On the path over multiple switches and routers, the packets can be encapsulated (tagged) or decapsulated on each uplink. But each side of an uplink must be configured with the same native VLAN. In addition, you can give some options in the trunk configuration, for example some negotiation, so that the port automatically becomes a trunk port depending on the settings of the uplink device's port.

VLANs are used to increase the number of broadcast domains, independent of the physical layout. Trunks are used to transport packets with different VLAN IDs over uplinks between network devices.

VLAN is NOT an encryption method! With a sniffer in promiscuous mode, the packets CAN be sniffed, and the data is not encrypted, even if they have a VLAN tag.

What is VTP?

With VTP (Virtual Trunking Protocol) we can make the management of VLAN creation and deletion easier. VLANs are created on ONE switch (the VTP server) and this switch advertises the VLANs to all other switches which are in "VTP client" mode. So the VLANs have to be created and deleted on only one device, and the other switches synchronize automatically.

Now that we know how to create VLANs, let's see what VTP can do for us. We have 4 switches. They are connected over uplink ports. The uplinks are all configured as trunk ports.

Switch 1:
    vtp mode server
    vtp domain goodfood
    vtp pruning

Switch 2:
    vtp mode transparent
    vtp domain goodfood

Switch 3:
    vtp mode client
    vtp domain goodfood

Switch 4:
    vtp mode client
    vtp domain betterfood

We create VLANs on Switch 1, which is in VTP server mode. The VLAN information is advertised to Switch 2, which is in VTP transparent mode. Switch 2 does not learn the VLANs which were created on Switch 1, but it forwards the VLAN information to Switch 3, which is in VTP client mode. Switch 3 now has the same VLANs as Switch 1, though we did not create them on it. But the VLANs will not be learned by Switch 4, because it has another VTP domain name.
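The tagging, access-port untagging and native-VLAN behaviour described in the tagging and trunk sections above, as an added example that is not part of the original notes: it builds real 802.1Q tags on a byte-level Ethernet frame and shows what happens when the two ends of a trunk disagree on the native VLAN. The frame layout and the 0x8100 TPID are the real 802.1Q values; the MAC addresses, port names and VLAN numbers are constructed.

```python
"""802.1Q tagging on access and trunk ports (added example, not from the
notes). The frame layout and the 0x8100 TPID are the real 802.1Q values;
the MAC addresses, port names and VLAN numbers are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100


@dataclass(frozen=True)
class Port:
    name: str
    mode: str    # "access" or "trunk"
    vlan: int    # access VLAN on an access port, native VLAN on a trunk


def build_frame(dst: str, src: str, ethertype: int = 0x0800,
                payload: bytes = b"constructed payload") -> bytes:
    """Untagged Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


def tag(frame: bytes, vid: int) -> bytes:
    """Insert the 4-byte 802.1Q tag after the two 6-byte MAC addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range")
    tci = vid & 0x0FFF                    # PCP 0, DEI 0, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def vlan_of(frame: bytes) -> Optional[int]:
    """VLAN ID carried in the tag, or None for an untagged frame."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def untag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame


def ingress(port: Port, frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Classify a received frame: (vlan, untagged frame), or None if dropped."""
    vid = vlan_of(frame)
    if port.mode == "access":
        # an access port expects untagged frames and puts them in its access VLAN
        return (port.vlan, frame) if vid is None else None
    # a trunk reads the tag; an untagged frame belongs to the native VLAN
    return (port.vlan, frame) if vid is None else (vid, untag(frame))


def egress(port: Port, vlan: int, frame: bytes) -> Optional[bytes]:
    """Send a frame belonging to `vlan` out of `port` (untagged input)."""
    if port.mode == "access":
        return frame if vlan == port.vlan else None   # tag removed; other VLANs never leave here
    return frame if vlan == port.vlan else tag(frame, vlan)  # native VLAN leaves untagged


def native_mismatch_demo() -> Tuple[int, int]:
    """Why both trunk ends need the same native VLAN: the untagged frame that
    VLAN 1 sends from switch A lands in VLAN 2 if switch B's native VLAN is 2."""
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55")
    wire = egress(Port("SwA fa0/1", "trunk", 1), 1, f)
    good = ingress(Port("SwB fa0/1", "trunk", 1), wire)
    bad = ingress(Port("SwB fa0/1", "trunk", 2), wire)
    return good[0], bad[0]
```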

COLLISION DOMAIN VERSUS BROADCAST DOMAIN


STP
And here is one on STP; it covers most of the stuff.

STP
1. Main function: to remove switching loops and the broadcast storms caused by them (e.g. due to ARP requests)
2. 802.1D

BPDU
1. Bridge Protocol Data Unit
2. Used to share STP information
3. Multicast on the LAN
4. Used to learn the topology
5. If loops are found, the switch will disable them
6. Sent every 2 secs
7. Contains the bridge ID: 2-byte priority + 6-byte MAC address
8. Default priority 32768. Can vary from 0-65535
9. The BPDU sent initially contains the following:
   -- Root bridge ID. Initially every switch thinks it is the root
   -- Cost to reach the root. Initially this will be zero. Cost from 0-65535
   -- Sender's bridge ID
10. Bridges save a copy of only the best BPDU seen on every port.
11. When making this evaluation, it considers all of the BPDUs received on the port, as well as the BPDU that would be sent on that port.
12. As every BPDU arrives, it is checked against this four-step sequence to see if it is more attractive (lower in value) than the existing BPDU saved for that port.
13. Only the lowest-value BPDU is saved.
14. Bridges send configuration BPDUs until a more attractive BPDU is received.

STP process

STP convergence:
Step 1 - Elect one root bridge
Step 2 - Elect root ports
Step 3 - Elect designated ports

Step 1. Electing the root bridge
1. Each bridge sends a BPDU claiming itself to be root, with cost 0 and its own bridge ID
2. The BPDU message used to identify the root, its BID and cost is called the Hello BPDU
3. If a root hears a BPDU with a lower BID (either priority or MAC) than itself, it stops advertising itself and starts forwarding the Hello BPDUs of that switch
4. Different roots and STP instances for each VLAN
5. You can modify the path cost by modifying the cost of a port: Switch(config-if)# spanning-tree cost value

Four-step decision sequence
Step 1 - Lowest BID
Step 2 - Lowest path cost to root bridge
Step 3 - Lowest sender BID
Step 4 - Lowest port ID

Step 2. Electing root ports
1. Elect root port: the port with the lowest cost to reach the root bridge.
2. Port cost value is the inverse of bandwidth
3. Port cost values: 10 Mbps - 100, 100 Mbps - 19, 1 Gbps - 4, 10 Gbps - 2
4. A port also has a priority assigned. Default is 32. Lower priority preferred
5. Path cost is calculated as follows: the root advertises a BPDU with cost 0. When another bridge receives it, it increments the cost by the cost of the port on which the BPDU enters the bridge.
6. It advertises an updated BPDU with its cost added
7. Remember that path costs are incremented as a BPDU comes into a port, not when a BPDU is advertised out of a port

Steps to choose the root port
1. Choose the path with the lowest accumulated path cost to the root if there is a choice between two or more paths to reach the root.
2. If there is a tie between port priorities, choose the neighboring switch (that your switch would go through to reach the root) with the lowest switch ID value.

3. If you have multiple paths and they all go through the same neighboring switch, choose the port with the lowest priority value.
4. If the priority values are the same between the ports, choose the physically lowest-numbered port on the switch (on a 1900, that would be Ethernet 0/1).

Step 3. Elect designated ports
Besides each switch having a root port, each segment also has a single port that it uses to reach the root. This port is called a designated port.
1. The connected switch on the segment with the lowest accumulated path cost to the root bridge will be used.
2. If there is a tie in accumulated path costs between two switches, then the switch with the lowest switch ID will be chosen.
3. If it happens that it is the same switch, but with two separate connections to the LAN segment, the switch port with the lowest priority is chosen.
4. If there is still a tie (the priorities of the ports on this switch are the same), then the physically lowest-numbered port on the switch is chosen.
5. Every active port on the root switch is a designated port.

Port states in STP
Blocking, Listening, Learning, Forwarding, Disabled

Blocking
Ports will go into blocking under the following conditions:
1. During election of the root switch
2. If a BPDU with a better cost is heard on a port than the current existing one being used
3. If it is not a root or designated port
A port remains in the blocking state for 20 secs, called the max age. It listens for BPDUs but does not process any user data.

Listening
After 20 secs of being in the blocking state, the port transitions to the listening state. In the listening state the port listens to BPDUs to learn the new topology but does not process user traffic. This lasts for 15 secs, called the forward delay time.

Learning
In this state user data is not forwarded, but MAC addresses are learned from any traffic that is seen. The learning state lasts for 15 seconds and is also called the forward delay. BPDUs are still processed.

Forwarding
1. Ports process BPDUs
2. Learn MAC addresses
3. Forward user traffic

Disabled
Port not participating in STP

Total time for STP to converge is 20+15+15 = 50 secs

Step 1. Elect root bridge: Check the priority first. Since priorities are not given, the default priority is assumed. Hence the lowest MAC address will become the root bridge, that is Switch C. All ports on Switch C will be designated ports, hence forwarding.

Step 2. Elect root ports
For Switch A the root port will be the port connecting to Switch D, since it has the lowest path cost to the root, that is 8 (4+4).
For Switch B: direct connection to Switch C with path cost 4.
For Switch D: direct connection to Switch C.

Step 3. Designated ports
For the LAN segment between Switch A and Switch B: the Switch B port will be the designated port since its port on the LAN has the lowest path cost to the root, i.e. 4, as compared to Switch A, i.e. 19. Hence the Switch A port will be blocking.
Switch B - Switch D: both ports of Switch D and Switch B have the same path cost 4. But Switch D has the lower MAC, hence its port will be the designated port with path cost 4. The Switch B port will be blocking.
Switch A - Switch C: the Switch C port will be the designated port, hence the Switch A port is blocking.

RSTP - Rapid Spanning Tree Protocol
1. 802.1w spec
2. Additional port roles:
   -- alternate port
   -- backup port
3. New port state "discarding" instead of blocking
4. Faster convergence

RSTP link types
1. Point-to-point: between 2 switches. Improves convergence on full duplex
2. Shared link type: typically when a hub is connected to a switch and the PCs are connected to the hub. RSTP does not do anything for such links
3. Edge type: when a PC is connected to a switch port directly; placed in the forwarding state from blocking immediately

Port states
1. Listening
2. Learning
3. Forwarding
4. Discarding
5. Disabled

RSTP process
1. Does not wait for max age secs. Instead it considers the root dead if no information is received for 3 times the hello time
2. Similar to the Cisco BackboneFast feature, it accepts inferior BPDUs.
3. If the link between Switch A and Switch B fails, then Switch B gets inferior BPDUs. Within three times the hello interval it informs Switch C to set the root port.
4. Edge ports are transitioned to forwarding from discarding, similar to PortFast
5. RSTP removes the need for the listening state and reduces the time required for the learning state by actively discovering the network's new state.
6. STP passively waits on new BPDUs, and reacts to them, during the listening and learning states.
7. With RSTP, the switches negotiate with neighboring switches.
8. When ports that can be transitioned immediately to the forwarding state are discovered, they are transitioned immediately.

Optional STP features
1. EtherChannel: allows from 2 to a maximum of 8 links between 2 switches to be viewed as a single logical interface. STP does not have to reconverge if one of them goes down.
2. EtherChannel config: interface subcommand channel-group <channel-group no> mode <auto|on|desirable>
3. Show commands: show etherchannel <group no> <brief|detail|port|port-channel|summary>. Displays the logical interface as a port channel, e.g. Po1 for channel group 1
4. PortFast: access port transitioned to forwarding immediately

Spanning tree configuration
1. (config)#spanning-tree vlan <id> root: changes the switch to root for that VLAN. Sets its priority to the current root's priority minus 100, or 24,576
2. (config)#spanning-tree vlan <id> priority <value>: changes the priority of the switch for this VLAN from the default 32768 to the value specified
3. (config-if)#spanning-tree cost <value>: sets the value of the port cost

Show commands
1. show spanning-tree: shows details of STP including port states
2. show spanning-tree vlan <no>: shows STP details for that VLAN
3. show spanning-tree <interface> <value>: shows details for a particular port
4. debug spanning-tree: provides information on STP messages
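The three election steps and the four-step decision sequence above, run as an added example that is not part of the original notes: the root is the lowest BID, root path cost is added on the port where the BPDU enters, root ports and designated ports are chosen with the tie-breakers listed, and every other port blocks. The port-cost table is the one given above; the bridge MACs, port numbers and link speeds are constructed so that the result reproduces the Switch A-D walk-through (C is root, A reaches it through D at cost 8, A-B and A-C are 100 Mbps links).

```python
"""Classic 802.1D election on a small topology (added example, not from the
notes). Port costs are the table above; the bridge MACs, port numbers and
link speeds are constructed to reproduce the Switch A-D example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # Mbps -> 802.1D port cost
BID = Tuple[int, str]                                # (priority, MAC): lower wins


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    mbps: int


def run_stp(bridges: Dict[str, BID], links: List[Link]) -> dict:
    """Return the root, every bridge's root path cost and each port's role."""
    root = min(bridges, key=lambda n: bridges[n])            # step 1: lowest BID
    adj: Dict[str, List[Tuple[int, int, str, int]]] = {n: [] for n in bridges}
    for l in links:                                          # (own port, cost, neighbor, its port)
        adj[l.a].append((l.a_port, PORT_COST[l.mbps], l.b, l.b_port))
        adj[l.b].append((l.b_port, PORT_COST[l.mbps], l.a, l.a_port))
    # root path cost: the cost is added on the port where the BPDU enters
    rpc: Dict[str, float] = {n: (0 if n == root else float("inf")) for n in bridges}
    changed = True
    while changed:                                           # relax until no better BPDU shows up
        changed = False
        for n in bridges:
            for _, cost, nb, _ in adj[n]:
                if rpc[nb] + cost < rpc[n]:
                    rpc[n], changed = rpc[nb] + cost, True
    roles: Dict[Tuple[str, int], str] = {}
    for n in bridges:                                        # step 2: root ports
        if n == root:
            continue
        # tie-break: lowest cost, then neighbor BID, then neighbor port, then own port
        own, *_ = min(adj[n], key=lambda p: (rpc[p[2]] + p[1], bridges[p[2]], p[3], p[0]))
        roles[(n, own)] = "root"
    for l in links:                                          # step 3: designated ports
        ends = [(rpc[l.a], bridges[l.a], l.a_port, l.a), (rpc[l.b], bridges[l.b], l.b_port, l.b)]
        _, _, port, name = min(ends)                         # lowest rpc, then BID, then port
        roles.setdefault((name, port), "designated")
    for n in bridges:                                        # everything else blocks
        for port, *_ in adj[n]:
            roles.setdefault((n, port), "blocking")
    return {"root": root, "rpc": rpc, "roles": roles}


# constructed topology: C has the lowest MAC, all priorities default (32768)
BRIDGES: Dict[str, BID] = {
    "A": (32768, "00:00:00:00:00:04"), "B": (32768, "00:00:00:00:00:03"),
    "C": (32768, "00:00:00:00:00:01"), "D": (32768, "00:00:00:00:00:02"),
}
LINKS = [
    Link("C", 1, "D", 1, 1000), Link("C", 2, "B", 1, 1000), Link("C", 3, "A", 3, 100),
    Link("D", 2, "A", 1, 1000), Link("D", 3, "B", 3, 1000), Link("A", 2, "B", 2, 100),
]
```

Lowering a bridge's priority in `BRIDGES` (the effect of `spanning-tree vlan <id> priority`) moves the root and changes every role, which is the quickest way to see why an unexpected BPDU with a better BID is worth alerting on.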

PORT-SECURITY
A switch learns MAC addresses on its ports. If a PC or whatever is connected to a switch port, the MAC address of the PC's network card is saved by the switch in its MAC table. If another device is connected to the same port, its MAC is learned too, and the MAC of the first device stays in the MAC table till an aging time expires. If we want only ONE MAC address to be allowed on a specific switch port, we can use a feature called "port-security". With port-security, we can bind a specific MAC of a specific PC to that switch port, or a defined number of MAC addresses which will be allowed to use that switch port. So if another PC connects to that port whose MAC is not bound to that switch port, the port can go secure-down and the "foreign" PC cannot communicate with the LAN. With port-security, we could also prevent the use of hubs or other switches on a switch port, which can be very useful to prevent users from experimenting with perhaps unallowed enlargement of their access ports to the LAN.

To enable port security, use the following commands:

    switch(config)#interface fa0/1
    switch(config-if)#switchport port-security

Now we can configure WHICH MAC will be bound to that switch port:

    switch(config-if)#switchport port-security mac-address 00e3.d2e1.eeaf

We can configure how many MACs will be allowed on that port at most:

    switch(config-if)#switchport port-security maximum 5

We can configure what should happen if a violation of the port-security rule occurs:

    switch(config-if)#switchport port-security violation [ protect | restrict | shutdown ]

When configuring port security violation modes, note the following information:

protect - Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
restrict - Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value, and causes the SecurityViolation counter to increment.
shutdown - Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

Configure the secure MAC address aging time on the port. There are two aging modes - absolute and inactivity. The default is absolute.

    switch(config-if)#switchport port-security aging time 10

The aging time range is 1 to 1440 minutes (default is 0).
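The port-security behaviour and the three violation modes described above, as an added example that is not part of the original notes: one switch port with a maximum, a static MAC and dynamic learning, run against the same frame sequence in protect, restrict and shutdown mode. The port name and the foreign MACs are constructed; the static MAC is the one used in the notes.

```python
"""Port-security behaviour of one switch port (added example, not from the
notes). Violation modes follow the descriptions above; the port name and
MAC addresses are constructed (the static one is the notes' example MAC)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # switchport port-security maximum <n>
    violation: str = "shutdown"       # protect | restrict | shutdown
    secure_macs: Set[str] = field(default_factory=set)
    violation_count: int = 0          # the SecurityViolation counter
    err_disabled: bool = False
    traps: List[str] = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("maximum secure MAC count already reached")
        self.secure_macs.add(mac.lower())

    def frame_in(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is forwarded."""
        mac = src_mac.lower()
        if self.err_disabled:
            return False                        # nothing passes an err-disabled port
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)           # dynamic learning up to the maximum
            return True
        # violation: unknown source MAC while the secure table is full
        if self.violation == "protect":
            return False                        # drop silently, no counter
        if self.violation == "restrict":
            self.violation_count += 1           # drop and count the violation
            return False
        self.err_disabled = True                # shutdown: err-disable the port
        self.violation_count += 1
        self.traps.append(f"SNMP trap: port-security violation on {self.name} by {mac}")
        return False


def demo() -> Dict[str, dict]:
    """Same frame sequence against each violation mode: allowed MAC, foreign
    MAC, allowed MAC again. Shows that only 'shutdown' cuts off the legitimate
    host as well."""
    allowed, foreign = "00e3.d2e1.eeaf", "0011.2233.4455"
    results = {}
    for mode in ("protect", "restrict", "shutdown"):
        p = SecurePort("fa0/1", maximum=1, violation=mode)
        p.add_static(allowed)
        forwarded = [p.frame_in(allowed), p.frame_in(foreign), p.frame_in(allowed)]
        results[mode] = {"forwarded": forwarded, "violations": p.violation_count,
                         "err_disabled": p.err_disabled, "traps": len(p.traps)}
    return results
```

A hub behind the port shows up as a third source MAC on a port with `maximum 2`, which is exactly the violation the notes describe.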

BOOTING UP THE ROUTER


Cisco routers can boot Cisco IOS software from:
1. Flash memory
2. TFTP server
3. ROM (not a full Cisco IOS)

Normally it is booted from Flash. But if that fails, the router tries to load the IOS from a TFTP server. If this also fails, it boots a "small" IOS which is in ROM.

Default boot sequence for Cisco IOS software (figure: img89.imageshack.us/my.php?image=routerboot3wi.jpg):
1. NVRAM (check config-register)
2. FLASH (load IOS)
3. TFTP (boot IOS from TFTP if FLASH fails)
4. ROM (if TFTP fails, load "mini" IOS from ROM)

Booting up the router and locating the Cisco IOS:
1. POST (power on self test)
2. Bootstrap code executed
3. Check the configuration register value (NVRAM), which can be modified using the config-register command:
   0 = ROM Monitor mode
   1 = ROM IOS
   2 - 15 = startup-config in NVRAM
4. Startup-config file: check for boot system commands (NVRAM)
   If there are boot system commands in the startup-config:
   a. Run the boot system commands in the order they appear in the startup-config to locate the IOS
   b. [If the boot system commands fail, use the default fallback sequence to locate the IOS (Flash, TFTP, ROM)?]
   If there are no boot system commands in the startup-config, use the default fallback sequence for locating the IOS:
   a. Flash (sequential)
   b. TFTP server (netboot)
   c. ROM (partial IOS), or keep retrying TFTP depending upon the router model
5. If the IOS is loaded but there is no startup-config file, the router will use the default fallback sequence for locating the IOS and then enter setup mode (the setup dialogue).
6. If no IOS can be loaded, the router will get the partial IOS version from ROM

Default (normal) boot sequence: Power on router - router does POST - bootstrap starts the IOS load - check the configuration register to see what mode the router should boot up in (usually 0x2102 to read the startup-config in NVRAM, or 0x2142 to start in "setup mode") - check the startup-config file in NVRAM for boot system commands - load the IOS from Flash.

Boot system commands:

    Router(config)# boot system flash IOS-filename                       - boot from FLASH memory
    Router(config)# boot system tftp IOS-filename tftp-server-ip-address - boot from a TFTP server
    Router(config)# boot system rom                                      - boot from system ROM

Configuration register

With the "configuration register", we can configure what the router will do at the next reboot. To see the actual setting of your router's configuration register, use the command:

    router#show version

To change the configuration register, use the following command in global config mode:

    Router(config)#config-register 0x2142

For the CCNA exam, you need to know two configuration register settings. These are:
0x2102 is the factory-default configuration register value.
0x2142 boots from flash without using the NVRAM contents - good for password recovery.

When the config register is set to 0x2142, the router will start in setup mode, where you can select some options interactively. The "normal" config register is 0x2102.

PRIVATE AND PUBLIC IP ADDRESSES


For your company or home network, you could theoretically use ANY IP range you want. The problem is: if you give your own network an IP range which is public, and you have to route to the Internet, there will be a problem, because someone else already has the range that you use in your network. Routing problems will occur. So private IP address ranges were defined which can be used for private networks.

Public IPs can be resolved and routed across the Internet from one point to another. Unlike public IPs, private IP addresses are not valid on the Internet. Three ranges of private IP addresses have been selected for the three network classes:

For Class A networks: 10.0.0.0 - 10.255.255.255 (10/8 prefix). For big networks that require a huge pool of 16 million private IP addresses.
For Class B networks: 172.16.0.0 - 172.31.255.255 (172.16/12 prefix). For medium-sized networks that require 65000 private IP addresses.
For Class C networks: 192.168.0.0 - 192.168.255.255 (192.168/16 prefix). Commonly used IP range on smaller networks for easier addressing of 254 IP addresses. Not necessarily a smaller network, but a network managed in smaller blocks.

"Special Cases"

Besides these, there is Microsoft's 169.254.0.0 range of default IP addresses that are allocated to systems when they are unable to obtain an address from a DHCP server. The sense of this so-called "Automatic Private IP Addressing" is that the hosts in a local subnet can still communicate with each other, though they did not get a DHCP IP. The clients negotiate with each other which PC will get which IP from the range 169.254.0.0, so that no IP address conflict occurs.

Also the network 127.0.0.0 to 127.255.255.255 is reserved for "loopback" purposes. IP datagrams sent by a host to a 127.x.x.x loopback address are not passed down to the data link layer for transmission. Instead, they loop back to the source device at the IP level. In essence, this represents a short-circuiting of the normal protocol stack; data is sent by a device's layer three IP implementation and then immediately received by it.

CABLING BETWEEN DEVICES

TFTP SERVER FOR BACKUP AND RESTORE


Knowledge of the TFTP service is important for real life, and also for the CCNA exam.

What is it?

TFTP = Trivial File Transfer Protocol. It is a very simple transfer protocol and uses UDP. It is used by Cisco devices to back up and restore config files (startup-config) and also IOS images to or from a TFTP server.

What do we need to use it?

We need a TFTP server. This service could run on a Linux machine, or also on a Windows machine. To be able to save files to the TFTP server, the file must already EXIST on the TFTP server! For example, if I want to save my startup-config, I must first create a file with the exact name of the file. So on Linux machines, I simply create an "empty" file in the right directory (with "touch"), and I must configure the rights of the file (with "chmod") so that it is allowed to save the file and read the file over the network. chmod 777 would mean that EVERYONE can read and change the file. So it can make sense to use the "hosts.allow" file in "/etc/hosts.allow" to configure which devices (IP addresses) will be allowed to write to or read the created file.

    linux-tftp#cd backups
    linux-tftp:/backups#cd startup-configs
    linux-tftp:/backups/startup-configs#touch <name_of_file>
    linux-tftp:/backups/startup-configs#chmod 777 <name_of_file>

Now that we created the file on the Linux TFTP server and configured the rights of the file, we can save a startup-config from a router or switch. Use this command:

    router#copy startup-config tftp://linux-tftp.blah.com/backups/startup-configs/<name_of_file>

Aliases can also be used; they are shortcuts for long commands. Have a look at "show run" to see which aliases are configured on your system. Normally there should be an alias "wr", which is "copy run start", and an alias "wn", which makes a backup of the startup-config to a TFTP server. With aliases you don't have to type long commands every time you want to save your config or IOS to the TFTP server.

If we have to restore the file from the TFTP server to the network device, use the command:

  router#copy tftp://linux-tftp.blah.com/backups/startup-configs/<name_of_file> startup-config

If we want to upgrade, for example, a WLAN access point, we can use the command:

  accesspoint#download-sw /reload /overwrite tftp://linux-tftp.blah.com/ios/<name_of_ios.ja(4).blah.tar>

The IOS image will be downloaded and installed, and the old IOS will be overwritten.
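As an added example (not from these notes), the same pre-create-then-restrict step in Python, with an audit of the backup directory that reports config files still left world-readable or world-writable; the directory and file names are constructed for the demo:

```python
import os
import stat
import tempfile

# Added example, not from the original notes. A TFTP server only accepts an
# upload into a file that already exists, so the notes pre-create it with
# "touch" and open it up with "chmod 777". A startup-config carries enable
# and line passwords, so a world-readable backup file exposes them to every
# local user on the TFTP host. This helper pre-creates the target with a
# tighter mode, and the audit reports backups that are still too open.
# Directory and file names below are constructed for the demo.

def prepare_tftp_target(directory, name, mode=0o660):
    """Pre-create the upload target (like 'touch') and set its permissions.

    The default 0o660 lets the owner and the TFTP daemon's group read and
    write, and nobody else read the file. Returns the full path.
    """
    path = os.path.join(directory, name)
    # "a" creates the file if missing and never truncates an existing backup
    with open(path, "a"):
        pass
    os.chmod(path, mode)
    return path

def file_exposure(path):
    """Findings for one file: a set drawn from {'world-readable', 'world-writable'}."""
    mode = os.stat(path).st_mode
    findings = set()
    if mode & stat.S_IROTH:
        findings.add("world-readable")
    if mode & stat.S_IWOTH:
        findings.add("world-writable")
    return findings

def audit_tftp_dir(directory):
    """Map each regular file in the backup directory to its findings (empty set = ok)."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            report[name] = file_exposure(path)
    return report

def demo():
    """One target created the way the notes do (777) next to one with the tighter default."""
    with tempfile.TemporaryDirectory() as backups:
        prepare_tftp_target(backups, "router1-startup-config", mode=0o777)  # as in the notes
        prepare_tftp_target(backups, "router2-startup-config")              # hardened default
        return audit_tftp_dir(backups)

if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'OK' if not findings else ', '.join(sorted(findings))}")
```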

FRAME RELAY
Frame Relay is a packet-switched WAN technology for transporting data across connection-oriented virtual circuits using Public Data Networks (PDN). It is a high-performance alternative to the overly reliable / slow X.25 WAN protocol. It has no error recovery but has smart flow control (FECN/BECN). It can support up to a T3 line (44.736 Mbps).

In 1984 Frame Relay started to be developed. Frame Relay delivers variable-size data frames to multiple WAN sites. Multi-access is the most obvious difference between Frame Relay and leased lines. Leased lines are used as the access links of Frame Relay.

In 1990 the FRAME RELAY CONSORTIUM was created by the following four companies (AKA the "Gang of Four"):
1 CISCO
2 STRATACOM
3 NORTEL
4 DEC
This consortium started working to standardize Frame Relay. Later ANSI and ITU-T also liked the idea.

DTE --> Data Terminating Equipment
DCE --> Data Circuit Terminating Equipment

NOTE: A router operates on Layer 3 and a switch operates on Layer 2. When, in a Frame Relay network, a router is working as a Frame Relay switch, it is operating on Layer 2.

LMI
Some LMI type is required between DTE and DCE (switch). LMI autosense is enabled in IOS 11.2 and greater. 1 LMI exists per serial interface.

DLCI (Data Link Connection Identifier)
In the header there is a single DLCI field. There is no source or destination field like LAN addresses.

LOCAL DLCI vs. GLOBAL DLCI
A practical way to identify between a global and a local DLCI is: if two virtual circuits terminate at a DTE and a single DLCI is shown, it is most probably a GLOBAL DLCI. If one DLCI is shown per VC, then it is depicting a LOCAL DLCI.

The FRAME RELAY header (address field) consists of 2 bytes.
  6 bits of the first byte are called the high-order bits.
  4 bits of the second byte are called the low-order bits.
  The DLCI number consists of the 6 + 4 high- and low-order bits.
  7th bit is CR (Committed Rate) -- first byte
  8th bit is EA -- first byte
  5th bit is FECN (Forward Explicit Congestion Notification) -- second byte
  6th bit is BECN (Backward Explicit Congestion Notification) -- second byte
  7th bit is Discard Eligibility (DE) -- second byte
  8th bit is EA -- second byte

Please note that FECN/BECN is always set by the (DCE) Frame Relay switch, and Discard Eligibility is set by the sending router.
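The header layout above, as an added example that is not part of the original notes: a Python encoder/decoder for the 2-byte address field, using the bit numbering of the notes (bit 1 = most significant bit of each byte) and constructed sample values (DLCI 100):

```python
from dataclasses import dataclass

# Added example, not from the original notes: pack and unpack the 2-byte
# Frame Relay address field described above. Bit numbering follows the
# notes (bit 1 = most significant bit of each byte):
#   byte 1: DLCI high-order bits (1-6), C/R (7), EA (8)
#   byte 2: DLCI low-order bits (1-4), FECN (5), BECN (6), DE (7), EA (8)
# The sample frames at the bottom are constructed, not captured.

@dataclass(frozen=True)
class FrAddress:
    dlci: int       # 10-bit circuit identifier, 0..1023
    cr: int = 0     # C/R bit in the first byte
    fecn: int = 0   # set by the DCE switch: congestion in the frame's direction
    becn: int = 0   # set by the DCE switch: congestion in the reverse direction
    de: int = 0     # set by the sending router: frame may be discarded first

def encode_address(addr):
    """Return the 2-byte header. EA is 0 in byte 1 (more follows) and 1 in byte 2 (last)."""
    if not 0 <= addr.dlci <= 0x3FF:
        raise ValueError("DLCI must fit in 10 bits")
    high6 = (addr.dlci >> 4) & 0x3F          # bits 1-6 of byte 1
    low4 = addr.dlci & 0x0F                  # bits 1-4 of byte 2
    byte1 = (high6 << 2) | (addr.cr << 1) | 0
    byte2 = (low4 << 4) | (addr.fecn << 3) | (addr.becn << 2) | (addr.de << 1) | 1
    return bytes([byte1, byte2])

def decode_address(raw):
    """Parse the first two bytes of a frame; reject an EA pattern that is not 0 then 1."""
    if len(raw) < 2:
        raise ValueError("address field needs 2 bytes")
    b1, b2 = raw[0], raw[1]
    if (b1 & 1) != 0 or (b2 & 1) != 1:
        raise ValueError("malformed EA bits (expected 0 in byte 1, 1 in byte 2)")
    dlci = ((b1 >> 2) << 4) | (b2 >> 4)
    return FrAddress(dlci=dlci, cr=(b1 >> 1) & 1, fecn=(b2 >> 3) & 1,
                     becn=(b2 >> 2) & 1, de=(b2 >> 1) & 1)

def who_set_what(raw):
    """Attribute each flag to the party the notes say sets it (switch vs. sending router)."""
    a = decode_address(raw)
    notes = []
    if a.fecn:
        notes.append("FECN set by the Frame Relay switch (DCE)")
    if a.becn:
        notes.append("BECN set by the Frame Relay switch (DCE)")
    if a.de:
        notes.append("DE set by the sending router (DTE)")
    return a.dlci, notes

# Constructed samples: DLCI 100 with no flags, and the same VC with BECN + DE.
PLAIN_DLCI_100 = encode_address(FrAddress(dlci=100))
CONGESTED_DLCI_100 = encode_address(FrAddress(dlci=100, becn=1, de=1))

if __name__ == "__main__":
    print(PLAIN_DLCI_100.hex(), CONGESTED_DLCI_100.hex())
    print(who_set_what(CONGESTED_DLCI_100))
```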

Broadcasts are not supported over a Frame Relay network, so this is done in 2 steps:
1. IOS sends copies of the broadcast across each VC you instruct.
2. The router places these broadcasts in different queues than the ordinary user traffic.

  TYPE OF CONFIGURATION            SPLIT HORIZON IS
  No subinterfaces, P2P            Enabled
  No subinterfaces, multipoint     Disabled
  Subinterfaces, P2P               Enabled
  Subinterfaces, multipoint        Disabled

  (config-if)#ip split-horizon
  (config-if)#no ip split-horizon

Address mapping:
1 Static configured mapping
2 Dynamic mapping

Dynamic mapping uses a process called INVERSE ARP: each router announces its layer 3 address + DLCI to its adjacent routers. INVERSE ARP is enabled by default in 11.2 and greater versions unless point-to-point subinterfaces are used.

PART 2???
h**p://www.delmar.edu/Courses/ITSC1391/Sem4/6FrameRelay.htm
h**p://dl.njfiw.gov.cn/books/cisco/CCNP%20PPT/Bcran/BCR1011A.PPT
to help clear up any frame-relay split-horizon questions


pretty good FR ppt: www.mdh.se/netcenter/ct3560/vt-2003/forelas/Cisco_6_%203.ppt

happy trails

ISDN
                 SWITCHED NETWORKS
                 /               \
     PACKET SWITCHING       CIRCUIT SWITCHING
           |                       |
      FRAME RELAY                ISDN

Advantages of circuit switching:
- Once the circuit has been set up, communication is fast and without error.
- It is highly reliable.

Disadvantages:
- Involves a lot of overhead during channel setup.
- Wastes a lot of bandwidth, especially in speech, where a user is sometimes listening and not talking.
- Channel setup may take longer.

CIRCUIT switching establishes fixed-bandwidth circuits/channels between nodes before the users can communicate, and those circuits cannot be reused until the circuit is released. Network resources are dedicated/static until the transfer of the entire message. Even after the delivery of the message, the release of the circuit depends on the will of the involved hosts (sender and receiver). The message follows the same path.

ISDN
Integrated Services Digital Network is a set of communication protocols, developed by telcos to digitalize their services to carry VOICE, VIDEO and DATA. Analog services are called PLAIN OLD TELEPHONE SERVICE (POTS). ISDN is a set of protocols which covers 3 OSI layers: NETWORK, DATA LINK and PHYSICAL. It is a low-cost, reliable and high-speed link, and runs on both COPPER and FIBER media. It is a circuit-switched network. B channels are circuit switched and D channels are packet switched. ... ?? Is it true?

ADVANTAGES
1- 5+ times faster than a 28.8 kbps analog modem.
2- Use multiple devices on the same phone line, like video, voice, fax, video conference etc.
3- Drops from 2 B channels to 1 when an incoming call is detected.
4- Dynamic allocation.

DISADVANTAGES
1- Central office or service provider should be within a 5-mile radius.
2- Difficult setup.

ITU-T defines standards which are important for the exam (difficult for the candidate to digest):

  SERIES  OSI  EXAMPLE  DESCRIPTION
  E       -    E-163    Packet Switch Telephone Network; it is an international telephone numbering system
  E       -    E-164    ISDN numbering standard
  I       -    I-100    Concepts, structures, terminology
  I       -    I-200    Service aspects
  I       -    I-300    Network aspects
  I       -    I-400    User Network Interface (UNI)
  I       1    I-430    Defines connectors, encoding, frames, reference points
  I       1    I-431    Defines connectors, encoding, frames, reference points

  I       -    I-411    ISDN REFERENCE POINTS (important detail follows below)
  Q       2    Q-921    Signaling, switching at the data link layer, LAPD (Link Access Procedure Dedicated)
  Q       3    Q-931    Works on the network layer in ISDN

TOOL TO REMEMBER: focus on the 2nd digit in the Q series; it matches the layer, e.g. Q921 = Layer 2 standard and Q931 = Layer 3 standard.

SERVICES
2 services are supported on ISDN:
BRI (BASIC RATE INTERFACE)
PRI (PRIMARY RATE INTERFACE)

BRI = B & D channels; it is also known as 2B+D. B channels are also called CLEAR CHANNELS because they are clear to send data. Data is transferred in the B channels, and signals (call setup etc.) are the responsibility of the D channel. D makes it possible to connect relatively much faster. D is called the OUT OF BAND channel because it only carries signalling (everything else is OUT).
  B channel: 64 kbps each
  D channel: 16 kbps
  B ......... 128 kbps (64*2)
  D .......... 16 kbps
  ----------------------
  ............ 144 kbps
  plus frame overhead = 144 + 48 kbps (frame overhead)
  so the total bandwidth of the BRI channel is 192 kbps.

ANY ROUTER WITH A SERIAL INTERFACE CAN BE CONNECTED TO A BRI WITH A TERMINAL ADAPTER (TA).

???????? Question: is the following statement true? ??????????????????????????????
The D CHANNEL operates on LAPD, and LAPD depends on HDLC.

PRI
It is also known as 23B+D (for T1) and 30B+D (for E1). B channels are also called CLEAR CHANNELS because they are clear to send data.
  B channel: 64 kbps each
  D channel: 64 kbps -- different than BRI (16 kbps)
Transfer rate:
  T1 .... 1.544 Mbps ..... 23 B channels ..... USA and Japan
  E1 .... 2.048 Mbps ..... 30 B channels ..... rest of the world
In E1 the sequence of channels is: channels 1-15 are B, the 16th channel is D, then 15 more B channels. PRI uses a DSU/CSU for the T1/E1 connection.


Terminals / Functional Groups
These are the PHYSICAL DEVICES involved in ISDN connectivity.

TERMINAL EQUIPMENT 2 (functional group)
TE2 is old technology (like ordinary phone sets working on analog) that does not support the ISDN series, so it needs a conversion device named TERMINAL ADAPTOR. (Think of something like a modem.)

TERMINAL EQUIPMENT 1 (functional group)
TE1 is ISDN-ready devices that do not need any conversion device like terminal adaptors.

TERMINAL ADAPTOR (functional group)
Takes the analog data from TERMINAL EQUIPMENT 2 and makes it ISDN READY. Converts EIA/TIA-232, V.35 etc. into a BRI signal.

Network Termination 2 (functional group)
NT2 is the point (device) at which all ISDN lines at the customer premises are aggregated and switched using the customer's switch device, a Private Branch Exchange (PBX). They are very rare in usage, so most documents do not even discuss them.

Network Termination 1 (functional group)
NT1 is a LOCAL LOOP TERMINATOR. It converts BRI signals into the form used by the ISDN DIGITAL LINE. It can be in the customer premises or in the TELCO (different in Europe and the USA).

REFERENCE POINTS (I-411 STANDARD)
Reference points are used to characterise the interfaces between ISDN devices. (Reference points are logical.)

  RP   Location (functional groups)   Description
  R    Between TE2 and TA             between a NON-ISDN DEVICE and the TERMINAL ADAPTOR
  S    Between TE1/TA and NT2         ISDN-READY device to network terminator
  T    Between NT2 and NT1
  U    Between NT1 and the ISDN network

Note: electrically, S and T are the same, so some devices are labeled as S/T. They are identical, so in most cases we do not see the S reference point and our networks work properly.
TOOL TO REMEMBER
  R ---- not ISDN-ready, old device --> R = REGULAR
  S ---- ISDN-ready devices ---------> S = SPECIAL
  T ---------------------------------> T = TERMINATION POINT
  U ---- if it is in the customer premises, the customer provides power to the NT1, so --> U = UNPOWERED

Functional groups + reference points altogether:

          R            S              T              U
  TE2 --------> TA ----------> NT2 ----------> NT1 ----------> TELCO

                       S              T              U
  TE1 ----------------------> NT2 ----------> NT1 ----------> TELCO

ALSO TRY TO DRAW THE FUNCTIONAL GROUPS AND REFERENCE POINTS ON PAPER SO THAT YOU CAN VISUALISE THEM PROPERLY.

If you have a BRI interface in your router, it is an NT1, so U is labeled on the interface.

No BRI interface but a serial interface (TE2): use an external TA. If you must supply the NT1 (in the US), make sure the router has a U interface; otherwise purchase an NT1.

SPID
Many books give it many names, like SERVICE PROFILE ID, SERVICE PROVIDER ID, PSEUDO PASSWORD ID etc. It is a numerical string of 14 characters assigned by the TELCO to EACH B CHANNEL on an ISDN link.

GENERIC FORMAT OF A SPID
  NUMBER OF DIGITS   NAME                  RANGE
  10                 Digit form            -
  02                 Sharing Terminal ID   01-32
  02                 Terminal ID           01-08

SWITCH TYPE
There are different switch types around the globe (no standard), and unfortunately Cisco supports them, so CCNA does too. The switch type and SPID are communicated by the telco to the customer, and they can be configured in global or interface mode.
  Router(config)#isdn switch-type <type>
Example:
  Router(config)#isdn switch-type basic-ni1

  Switch type value   Description
  basic-5ess          AT&T in USA
  basic-dms100        NorTel USA
  basic-ni1           National ISDN-1, North America
  basic-ts013         Australia
  basic-net3          net3 & net5 are used in UK and Europe
  basic-nit           Japan

Note: missed topics are DDR, ISDN S-bus.

References
CBT Nuggets CD 4 Version 2.1.0 (I got the version info from the CBT Nuggets help)
ICND ------------------------------------ Cisco Press 640-507 by Steve McQuerry
Cisco CCNA Exam Certification Guide ----- Cisco Press 640-507 by Wendell Odom

COMMAND SUMMARY
IP ROUTING
#sh ip route - To view the IP routing table created on a Cisco router.

-Static Routing-
Routers are manually configured for networks that are not directly connected, to be able to route to all networks via the next-hop interface.
Example - Let 192.168.30.0/24 be a network not directly connected, and let 192.168.20.2 be the next-hop interface.
  (config)#ip route 192.168.30.0 255.255.255.0 192.168.20.2
-To remove the static route:
  (config)#no ip route 192.168.30.0 255.255.255.0 192.168.20.2

-Default Routing-
Used on stub networks only, to send packets whose remote destination network is not in the routing table to the next-hop router.

(Assume IP 192.168.40.1 is not in the routing table.)
-First remove the static route:
  (config)#no ip route 192.168.30.0 255.255.255.0 192.168.40.1
  (config)#ip route 0.0.0.0 0.0.0.0 192.168.40.1

-RIP-
A distance-vector routing protocol that passes complete routing table contents to neighbouring routers.
Example - Let 192.168.10.0 & 192.168.20.0 be the directly connected networks of a router's interfaces, and 192.168.30.0 be not directly connected.
-First delete all static routes:
  (config)#no ip route 192.168.30.0 255.255.255.0 192.168.20.2
  (config)#router rip
  (config-router)#network 192.168.10.0
  (config-router)#network 192.168.20.0
  (config-router)#^z
  #
-Verifying RIP
1. sh ip route
2. debug ip rip
-Holding Down RIP Propagation- To stop sending RIP updates but still allow their receipt, say for s0/0 on network 192.168.10.0:
  (config)#router rip
  (config-router)#network 192.168.10.0
  (config-router)#passive-interface serial 0/0

-IGRP-
Also a distance-vector routing protocol.
Example - Let 192.168.10.0 & 192.168.20.0 be the directly connected networks of a router's interfaces, with an autonomous system number of 10, and 192.168.30.0 be not directly connected.
  (config)#router igrp 10
  (config-router)#network 192.168.10.0
  (config-router)#network 192.168.20.0
  (config-router)#^z
  #
-Verifying IGRP
1. sh ip route
2. sh protocols - Displays routed protocols and their interfaces
3. sh ip protocols - Displays the routing protocols configured
4. debug ip igrp events - Displays a summary of the IGRP routing information running on the network
5. debug ip igrp transactions - Displays the messages requested from neighbour routers
-Turning off all possible debugging
  #un all

-EIGRP-
Uses classless routing, which means subnet mask information is sent with the routing protocol updates.
Example - Let 192.168.10.0 & 192.168.20.0 be the directly connected networks of a router's interfaces, with an autonomous system number of 20, and 192.168.30.0 be not directly connected.
  (config)#router eigrp 20
  (config-router)#network 192.168.10.0
  (config-router)#network 192.168.20.0
  (config-router)#^z

-To stop EIGRP from working on an interface (no sending, no receipt):
  (config)#router eigrp 20
  (config-router)#passive-interface serial 0/0
-To enable EIGRP on discontiguous networks (two different subnetworks of a classful network connected by another, different classful subnetwork):
Example - Let 172.16.0.0 & 10.0.0.0 be directly connected to a router, which connects to another remote subnetwork of 192.168.10.0. Then to enable EIGRP we use:
  (config)#router eigrp 100
  (config-router)#network 172.16.0.0
  (config-router)#network 10.0.0.0
  (config-router)#no auto-summary
N.B. - The no auto-summary command should be enabled on the routers that enclose such networks.
-Verifying EIGRP
1. sh ip route - Shows the entire routing table
2. sh ip route eigrp - Shows only the EIGRP entries in the routing table
3. sh ip eigrp neighbors - Shows all EIGRP neighbours
4. sh ip eigrp topology - Shows the entries in the EIGRP topology table

-OSPF- A link-state routing protocol.
Example - Let 10.0.0.0 be the network directly connected to the router upon which OSPF is to be enabled, with an OSPF process ID of 1 and area 0:
  (config)#router ospf 1
  (config-router)#network 10.0.0.0 0.255.255.255 area 0
-Loopback Interface- Configured to be used as the router's RID to advertise the routes and elect the DR and BDR.
Example - Let the loopback interface be configured with IP 172.16.10.1:
  (config)#int loopback 0
  (config-if)#ip address 172.16.10.1 255.255.255.0
  (config-if)#no shut
  (config-if)#^z
-Verifying OSPF Configuration
1. sho ip ospf - Used to display all OSPF information
2. sho ip ospf database - Indicates the number of links and the neighboring router ID
3. sho ip ospf interface - Displays all OSPF interface-related info
4. sho ip ospf neighbor - Summarizes OSPF info about neighbours
5. sho ip protocols - Overview of all currently running protocols
-Verifying Loopback and RID
1. sho running-config - To verify the loopback address
2. sho ip ospf database - Verifies the new RID of each router
3. sho ip ospf interface - Verifies the new RID of each router

-Initial configuration of a 1900 switch with IP 172.16.10.16
  >en
  #config t
  (config)#enable password level 1 kennifeh
  (config)#enable password level 15 kennifeh1
  (config)#enable secret kennifeh2  (when enabled, no need for the enable password)
  (config)#hostname kenn1900
  (config)#ip address 172.16.10.16 255.255.255.0
  (config)#ip default-gateway 172.16.10.1

  (config)#int f0/1
  (config-if)#description Finance_vlan  (no spaces allowed on the 1900)
  (config-if)#int f0/26
  (config-if)#description Trunk_to_Building
  (config-if)#exit
  (config)#

-Initial configuration of a 2950 switch with IP 172.16.10.17 255.255.255.0
  >en
  #config t
  (config)#hostname kenn2950
  (config)#enable password kenn
  (config)#enable secret kenn1  (the enable and enable secret passwords must be different)
  (config)#line vty 0 15
  (config-line)#login
  (config-line)#password telnet
  (config-line)#line con 0
  (config-line)#login
  (config-line)#password console
  (config-line)#exit
  (config)#int vlan 1
  (config-if)#ip address 172.16.10.17 255.255.255.0
  (config-if)#no shut
  (config-if)#int f0/1
  (config-if)#description sales printer  (spaces allowed)
  (config-if)#int f0/12
  (config-if)#description connection to backbone
  (config-if)#exit
  (config)#ip default-gateway 172.16.10.1
  (config)#

-Erasing the Switch Configuration, 1900
  #delete nvram
  yes
-Erasing the Switch Configuration, 2950
  #erase startup-config
  Enter

-Configuring VLANs, 1900
  >en
  #config t
  (config)#vlan 2 name Cisco
  (config)#vlan 3 name Microsoft
  (config)#vlan 4 name Comptia
  (config)#exit
Verify with the command sh run.

-Configuring VLANs for the 2950
  >en
  #vlan database
  (vlan)#vlan 2 name Cisco
  (vlan)#vlan 3 name Microsoft

  (vlan)#vlan 4 name Comptia
  (vlan)#apply
  (vlan)#^c
Verify with the command sh vlan brief.

-Assigning Switch Ports to VLANs, 1900
  (config)#int e0/2
  (config-if)#vlan-membership static 2
  (config-if)#int e0/3
  (config-if)#vlan-membership static 3
  (config-if)#exit
Verify with sh vlan.

-Assigning Switch Ports to VLANs, 2950
  (config)#int f0/2
  (config-if)#switchport access vlan 2
  (config-if)#int f0/3
  (config-if)#switchport access vlan 3
  (config-if)#int f0/4
  (config-if)#switchport access vlan 4
  (config-if)#
Verify with sh vlan brief.

-Configuring Trunk Ports, 1900
  (config)#int f0/26
  (config-if)#trunk on
-Configuring Trunk Ports for the 2950
  (config)#int f0/12
  (config-if)#switchport mode trunk
  (config-if)#^z
  #
-To disable trunking use: switchport mode access
-To verify trunking use: sh running-config

-Configuring Inter-VLAN Routing for a 1900 connecting to a 2600
  (config)#int f0/0.1
  (config-if)#encapsulation isl <vlan number>
-Configuring Inter-VLAN Routing for a 2950 connecting to a 2600
  (config)#int f0/0.1
  (config-if)#encapsulation dot1q <vlan number>

-Configuring VTP for the 1900
  (config)#vtp server
  (config)#vtp domain kenn
  (config)#vtp password kenn
-Configuring VTP for the 2950

  (config)#vtp mode server
  (config)#vtp domain routersim
  (config)#^z
Verify with sh vtp status.

-Checking the Current Configuration Register Value
  show version  or  show ver
-Changing the Configuration Register
  (config)#config-register 0x101  (the default is 0x2102)
  (config)#^z

-Recovering Passwords
1. Interrupt the router boot sequence: Ctrl+Break key (Windows won't perform the break key; only 95/98 will).
2. Change the configuration register:
  - for the 2600 series router: rommon>confreg 0x2142
  - for the 2500: type 0 after a break and enter the command o/r 0x2142
3. Reload the router and enter privileged mode:
  - for the 2600: type reset
  - for the 2500: type I
4. View and change the configuration:
  - copy run start
5. Reset the configuration register and reload the router:
  - config t
  - config-register 0x2102
  - copy run start  (to save)

-Backing up and Restoring the Cisco IOS
1. Verifying flash memory - ensuring flash memory has enough room:
  router#sh flash
2. Backing up the Cisco IOS - first verify server connectivity by:
  Router#ping 192.168.0.120
  then:
  router#copy flash tftp
3. Restoring or upgrading the Cisco router IOS:
  router#copy tftp flash  [confirm][ENTER] ?[ENTER]

-Backing up and Restoring the Cisco Configuration
1. Backing up the Cisco router configuration:
  copy running-config tftp
2. Verifying the current configuration:
  sh run

3. Copying the current configuration to NVRAM:
  copy run start
4. Copying the current configuration to a TFTP server:
  copy run tftp
5. Restoring the Cisco router configuration:
  copy tftp run
6. Erasing the configuration:
  erase startup-config

-Setting CDP Timers and Holdtime
  Router#config t
  Router(config)#cdp timer 90
  Router(config)#cdp holdtime 240
  Router(config)#^z
-To turn off CDP completely: no cdp run
-Gathering Neighbour Information
  kenn2509#sh cdp nei  - delivers information about directly connected devices
  OR
  kenn2509#sh cdp neighbor detail
  Also: sh cdp entry
-Gathering Interface Traffic Information
  kenn2509#sh cdp traffic
-Gathering Port and Interface Information
  kenn2509#sh cdp interface
-To turn off CDP on a router, use no cdp enable, then ^z
-Using Telnet
  kenn2509#telnet 172.16.10.2
-Telnetting into multiple devices simultaneously
  kenn2509#telnet 172.16.10.2
  then, 2501B> {Ctrl+Shift+6, then x}
-Checking Telnet connections
  kenn2509#sh sessions  - connections from your router to remote devices
-Checking Telnet users
  kenn2509#sh user
-Closing Telnet sessions
  1900switch>exit
  OR
  kenn2509#disconnect 1  (number of the active session)
-Resolving Hostnames
  kenn2509#config t
  kenn2509(config)#ip host 2501B 172.16.10.2
  kenn2509(config)#ip host 1900switch 192.168.0.148
  kenn2509(config)#^z
-To remove a hostname from the table, use:
  RouterA(config)#no ip host routerB

-Using DNS to resolve names
  #config t
  (config)#ip domain-lookup  (usually turned on by default)
  (config)#ip name-server 192.168.0.70  (IP of an assumed DNS server)
  (config)#ip domain-name kenn.com  (appends the domain name to a host name)
  (config)#^z
-Checking Network Connectivity: use the ping command
  #ping kenn2509
-Using the Traceroute command
  #trace 2501B
-Creating Standard Access Lists (1-99 or 1300-1999)
  (config)#access-list 10 deny 172.16.30.2  (using this IP as a test)
-Controlling vty (Telnet) sessions
  (config)#access-list 50 permit 172.16.30.2
  (config)#line vty 0 4
  (config-line)#access-class 50 in
-Creating Extended Access Lists (100-199 or 2000-2699)
  (config)#access-list 110 deny tcp any host 172.16.30.2 eq 23 log
  (config)#access-list 110 permit ip any any
  (config)#int f0/0
  (config-if)#ip access-group 110 in
  (config-if)#ip access-group 110 out
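As an added example (not part of the original notes), a Python evaluator for the standard and extended access-list lines above, showing the top-down first-match rule and the implicit deny at the end of every list; the list numbers, keywords and IPs are the ones from the commands above, and the packets it is run against are constructed:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not from the original notes: a small evaluator for the
# numbered standard and extended access-list lines shown above. It follows
# the IOS rules the notes rely on: entries are tested top-down, the first
# match wins, and anything not matched hits the implicit "deny any" at the
# end of every list. The packets below are constructed, not captured.

def ip2int(dotted):
    return int(ipaddress.IPv4Address(dotted))

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: int
    src_wc: int                  # wildcard: a 1 bit means "don't care"
    dst: int
    dst_wc: int
    dport: Optional[int] = None
    log: bool = False

def _parse_addr(t, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' | bare 'A.B.C.D' (standard list)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return ip2int(t[i + 1]), 0, i + 2
    addr = ip2int(t[i])
    if i + 1 < len(t) and t[i + 1].count(".") == 3:
        return addr, ip2int(t[i + 1]), i + 2
    return addr, 0, i + 1

def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line into (list number, Entry)."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source only
        src, src_wc, _ = _parse_addr(t, 3)
        return number, Entry(action, "ip", src, src_wc, 0, 0xFFFFFFFF)
    if 100 <= number <= 199 or 2000 <= number <= 2699:     # extended
        proto = t[3]
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, i = _parse_addr(t, i)
        dport, log = None, False
        while i < len(t):
            if t[i] == "eq":
                dport, i = int(t[i + 1]), i + 2
            elif t[i] == "log":
                log, i = True, i + 1
            else:
                raise ValueError(f"unsupported keyword: {t[i]}")
        return number, Entry(action, proto, src, src_wc, dst, dst_wc, dport, log)
    raise ValueError(f"list number {number} is not standard or extended")

def parse_acls(lines):
    """Group entries by list number, keeping the order they were entered."""
    acls = {}
    for line in lines:
        number, entry = parse_entry(line)
        acls.setdefault(number, []).append(entry)
    return acls

def _addr_match(addr, base, wildcard):
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(entries, pkt):
    """Return (action, matched entry or None, logged). No match -> implicit deny."""
    src, dst = ip2int(pkt.src), ip2int(pkt.dst)
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_addr_match(src, e.src, e.src_wc) and _addr_match(dst, e.dst, e.dst_wc)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e, e.log
    return "deny", None, False

# The three access-list lines from the command summary above.
ACLS = parse_acls([
    "access-list 10 deny 172.16.30.2",
    "access-list 110 deny tcp any host 172.16.30.2 eq 23 log",
    "access-list 110 permit ip any any",
])

if __name__ == "__main__":
    telnet = Packet("10.1.1.5", "172.16.30.2", "tcp", 23)
    print(evaluate(ACLS[110], telnet)[0], "telnet to 172.16.30.2 (logged)")
    # list 10 has no permit line, so even hosts other than 172.16.30.2 are denied
    print(evaluate(ACLS[10], Packet("172.16.30.3", "10.1.1.5"))[0], "by implicit deny")
```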

QUICK NOTES
IP ROUTING
- Typically, in a large network, a combination of both static and dynamic routing is used.
- A packet can also be dropped on the RETURN trip. Example -- if you ping a host and it doesn't answer, that doesn't necessarily mean the forward path is broken.
- Static Routing -- an entry is added to the routing table of each router, for each remote network.
- Static Routing Advantages -- no overhead on the router CPU, no bandwidth usage between routers, security. Primarily used in small networks (< 10 routers).
- Static Routing Disadvantages -- time-consuming, therefore not appropriate for large networks (100 routers, for example).
- Static Routing Syntax -- "ip route [destination_network] [mask] [next_hop or exit_interface] [administrative_distance] [permanent]"
- Static Routing Example -- "ip route 172.16.20.0 255.255.255.0 172.16.10.2". Display the current routing table -- "sh ip route".
- Default Routing -- can only be used on stub networks (only one exit port out of the network).
- Before setting up a default route, remove any static routing entries -- "no ip route 172.16.20.0 255.255.255.0 172.16.10.2".
- Set up a default route -- "ip route 0.0.0.0 0.0.0.0 172.16.10.2". Verify the changes -- "sh ip route" -- the default route shows as "S*".
- ALWAYS remember to use "ip subnet-zero" and "ip classless" -- both are enabled by default in Cisco IOS 12.x.
- Dynamic Routing -- happens automatically, but uses CPU and network resources.
- Dynamic Routing Protocols within a network:
  - RIP -- Routing Information Protocol.
  - IGRP -- Interior Gateway Routing Protocol -- Cisco proprietary.
  - EIGRP -- Enhanced Interior Gateway Routing Protocol -- Cisco proprietary.
  - OSPF -- Open Shortest Path First -- non-proprietary.
- Dynamic Routing Protocols across networks:
  - IGP -- Interior Gateway Protocol -- routing between routers in the same Autonomous System (AS).

  - EGP -- Exterior Gateway Protocol -- routing between different Autonomous Systems. BGP (Border Gateway Protocol) is an example of an EGP.
- Administrative Distance -- a number from 0 to 255, where 0 is most reliable and 255 is blocked.
- If two advertised routes for the same network have the same AD, the router makes a decision by looking at hop count or bandwidth.
- AD values:
  - 0 -- Connected interface.
  - 1 -- Static route.
  - 90 -- EIGRP.
  - 100 -- IGRP.
  - 110 -- OSPF.
  - 120 -- RIP.
  - 170 -- External EIGRP.
  - 255 -- Unknown -- this one will never be used.
- Routing Protocol Types:
  - Distance Vector -- distance is measured in hops. Examples -- RIP, IGRP.
  - Link State -- also called Shortest Path First -- 3 tables per router -- 1 for directly attached neighbors, 1 for network topology, and 1 for routing. Example -- OSPF.
  - Hybrid -- these use a combination of both methods -- EIGRP.
- Distance Vector Routing Protocols -- they use "routing by rumor" -- exchange of routing tables. RIP looks at ADs first, then at hop count. If everything is equal, it performs round-robin load balancing over up to 6 equal-cost links.
- Pinhole Congestion -- with RIP routing, if a 56K link has fewer hops than a T1 link, the 56K link will be used -- this is bad, and happens because hop count is the only metric used with RIP routing.
- Slow Convergence is another problem of RIP. While the routers are converging (synchronizing their routing tables), no data is passed.
- RIP Routing table fields -- network number, exit interface, and hop count.
- Routing loops are also a common problem in RIP. They result from the slow convergence of RIP.
- Maximum Hop Count -- RIP has this set to 15. After that, a packet is dropped. Maximum Hop Count is a good feature to decrease the severe effects of routing loops.
- Split Horizon -- information cannot be sent back in the direction from which it was received. This method is able to prevent routing loops.
- Route Poisoning -- when a network becomes unreachable, the first directly attached router places a "16" entry (unreachable) for this network in its routing table, and then advertises it to all other routers. They reply with a "poison reverse" (acknowledgement).
- Holddowns -- these prevent regular update messages from a flapping network, router, or interface. Thus, the flow of information continues.
- Holddown behavior:
  - Holddowns have a timer. When it expires, the link is reinstated.
  - If another update is received with a better metric, the link is reinstated. If the metric is the same, nothing happens.
  - If a flush timer removes the bad route from the routing table (if it happens to expire -- coincidence), the link is reinstated.
- RIP is a true distance-vector routing protocol. It sends the complete routing table to all active interfaces every 30 seconds.
- RIP Version 1 uses only classful routing. RIP Version 2 provides prefix routing (classless routing) -- no subnet mask is sent with the updates.
- RIP Timers:
  - Route update timer -- how often to send out updates -- default is 30 seconds.
  - Route invalid timer -- when there are no updates for a specific route over a time period (default is 90 seconds), the route is advertised as invalid.
  - Route flush timer -- how long after a route becomes invalid before it is removed from the routing table -- default is 240 seconds.
- Configure RIP routing -- make sure there are no static routes, as they take precedence. Then -- "config t", "router rip", "network 172.16.0.0" -- "network" tells the router which network to advertise.
- RIP is configured with classful routing network addresses -- ALL subnet masks must be the same on all devices on the network.
- "sh ip route" displays something like this -- "R 172.16.50.0 [120/3] via 172.16.10.2, FastEthernet0/0" -- "[120/3]" is the AD and the hop count.
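As an added example (not from the original notes) covering the AD table above, the "same AD, then hop count" rule, the "S*" default route and the "[120/3]" line format: the route-selection and lookup logic in Python, run on a constructed routing table.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example, not from the original notes: the two decisions the notes
# describe, (1) which of several learned routes to the same prefix the router
# installs (lowest AD, then lowest metric) and (2) which installed route a
# packet uses (longest prefix match, with the "S*" 0.0.0.0/0 default last),
# plus a parser for a "sh ip route" line such as
#   R 172.16.50.0 [120/3] via 172.16.10.2, FastEthernet0/0
# The routing table used in the demo is constructed.

AD = {"connected": 0, "static": 1, "eigrp": 90, "igrp": 100, "ospf": 110,
      "rip": 120, "eigrp-external": 170, "unknown": 255}
CODE_TO_SOURCE = {"C": "connected", "S": "static", "S*": "static", "D": "eigrp",
                  "I": "igrp", "O": "ospf", "R": "rip"}

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    source: str      # key into AD
    metric: int      # hop count for RIP, composite metric for IGRP/EIGRP, cost for OSPF
    next_hop: str

def route(network, source, metric, next_hop):
    """Convenience constructor taking the network as a string."""
    return Route(ipaddress.ip_network(network), source, metric, next_hop)

def best_route(candidates):
    """Lowest AD wins; equal ADs fall back to the metric. AD 255 is never installed."""
    usable = [r for r in candidates if AD[r.source] < 255]
    if not usable:
        return None
    return min(usable, key=lambda r: (AD[r.source], r.metric))

def lookup(table, destination):
    """Longest-prefix match over the installed routes, or None if nothing matches."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in table if dst in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None

ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>\S+),\s+(?P<intf>\S+)$")

def parse_route_line(line):
    """Split a 'sh ip route' entry into its fields and check the AD against the code."""
    m = ROUTE_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a learned-route line: {line!r}")
    source = CODE_TO_SOURCE[m["code"]]
    ad = int(m["ad"])
    if ad != AD[source]:
        raise ValueError(f"code {m['code']} implies AD {AD[source]}, line shows {ad}")
    return {"source": source, "network": m["net"], "prefixlen": m["plen"],
            "ad": ad, "metric": int(m["metric"]), "via": m["via"], "interface": m["intf"]}

def demo():
    """Constructed candidates for 172.16.50.0/24 and a small installed table."""
    learned = [route("172.16.50.0/24", "rip", 1, "172.16.10.2"),    # 1 hop, but AD 120
               route("172.16.50.0/24", "ospf", 74, "172.16.11.2"),  # AD 110 beats RIP
               route("172.16.50.0/24", "rip", 3, "172.16.12.2")]
    installed = [best_route(learned),
                 route("0.0.0.0/0", "static", 0, "172.16.10.2")]   # the S* default
    return installed, lookup(installed, "172.16.50.7"), lookup(installed, "192.168.99.1")

if __name__ == "__main__":
    installed, specific, fallback = demo()
    print("installed:", installed[0].source, "via", installed[0].next_hop)
    print("172.16.50.7 ->", specific.next_hop, "| 192.168.99.1 ->", fallback.next_hop, "(S* default)")
    print(parse_route_line("R 172.16.50.0 [120/3] via 172.16.10.2, FastEthernet0/0"))
```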
- Blocking RIP advertisements after a certain point of the network -- "config t", "router rip", "network 172.16.0.0", "passive-interface serial 0" -- serial 0 will stop advertising, but will still receive updates.
- IGRP -- Cisco proprietary, maximum hop count of 255 with a default of 100, helpful in larger networks. IGRP uses bandwidth and delay of the line as metrics -- this combination is called a composite metric.
- IGRP can also use other metrics, but they are not used by default -- reliability, load, and MTU.

- IGRP Timers:
  - Update timer -- how frequently routing-update messages should be sent -- default is 90 seconds.
  - Invalid timer -- how long a router should wait before declaring a route invalid -- default is 3 x update timer.
  - Holddown timer -- specifies the holddown period -- default is 3 x update timer + 10 seconds.
  - Flush timer -- how long before a route is flushed from the routing table -- default is 7 x update timer.
- Configure IGRP -- "config t", "router igrp 10", "network 172.16.0.0" -- "10" is the Autonomous System (AS). All routers must be in the same AS in order to communicate.
- You must ALWAYS use a classful network number when configuring IGRP. Example -- if you type "172.16.10.0", the router will change it to "172.16.0.0". Still, DO NOT type anything like this.
- IGRP can load balance over up to 6 unequal links (while with RIP, they must be equal). The "variance" command controls the load balancing between the best and the worst metric.
- If both RIP and IGRP are enabled on a router, it will always use IGRP, as IGRP has higher precedence. Therefore, when using IGRP, disable RIP in order to spare resources.
- Commands to troubleshoot routing:
  - "show ip route" -- displays the routing table.
  - "show protocols" -- displays hardware information and link status.
  - "show ip protocols" -- lots of routing information, including various parameters.
  - "debug ip rip" -- sends debugging messages to the console. Can be redirected to the terminal via "terminal monitor". Disable with "undebug all".
  - "debug ip igrp events" -- debug summary of IGRP. Disable with "undebug" or "undebug all".
  - "debug ip igrp transactions" -- full debug of IGRP. Again, disable with "undebug all".

LAYER 2 SWITCHING
- Switching breaks up a large collision domain into smaller ones. Switches operate at the Data Link Layer via the use of MAC addresses.
- Spanning Tree Protocol -- eliminates loops in a Layer-2 switched network.
- Collapsed backbone (pre-switch design) -- all hosts needed to go via the backbone to reach any network services.
- Switches use ASICs (Application Specific Integrated Circuits) to build and maintain their filter tables.
- Switches are faster than routers because they only look at MAC addresses. There is no modification to the data packet.
- Bridges are software based, while switches are hardware based. Bridges can only have one Spanning Tree instance per bridge; switches can have many. Bridges can only have up to 16 ports.
- Important Layer-2 switch functions:
  - Address learning -- the source MAC address of each received frame is placed in a forward/filter table.
  - Forward/filter decisions -- after the destination MAC address is found in the table, a packet is sent through the appropriate exit interface.
  - Loop avoidance -- with the help of STP (Spanning Tree Protocol).
- If no loop avoidance scheme is in place, broadcast storms are possible.
- Thrashing -- when a switch is so busy updating the MAC table that it fails to forward a frame.
- Spanning Tree Protocol -- DEC (now known as Compaq) created the original version of STP. Later, IEEE introduced 802.1d, which is what all Cisco switches use. 802.1d is not compatible with the DEC version.
- STP uses the spanning-tree algorithm (STA) to create a topology database, and then find and destroy redundant links.
- Spanning Tree terms:
  - Spanning Tree Protocol -- a bridge protocol that uses the STA to find redundant links and create a topology database.
  - Root Bridge -- this is the bridge with the lowest Bridge ID -- all decisions are made from the perspective of this bridge.
  - Bridge Protocol Data Unit (BPDU) -- switches exchange control information in BPDUs.
  - Bridge ID -- 8 bytes long -- a combination of the bridge priority (32768 by default on all switches) and the base MAC address. The lowest Bridge ID becomes the root bridge.
  - Non-root Bridge.
  - Root port -- a link directly connected to the root bridge, or the shortest path to the root bridge. If there is more than 1 port, bandwidth is checked. The lowest cost port becomes the root port.
  - Designated port -- a forwarding port (can be a root port too) -- if a bridge has 2 ports and it is not a root bridge, one of the ports is root, and the other is designated (forwarding).
  - Port Cost -- determined by the bandwidth of a link.
  - Non-designated port -- can be blocking or forwarding.
  - Forwarding port.
  - Blocked port -- a port that will not forward frames in order to prevent loops.
- BPDUs are sent every 2 seconds.
- Calculating STP cost -- new and original values:
  - 10Gbps -- new cost 2, originally 1.
  - 1Gbps -- new cost 4, originally 1.
  - 100Mbps -- new cost 19, originally 10.
  - 10Mbps -- new cost 100, originally 100.
  - The 1900 series switches still use the original cost specifications.
- Spanning Tree Port States:
  - Blocking -- a blocked port does not forward frames. It just listens to BPDUs.
  - Listening -- the port listens to BPDUs.
  - Learning -- the port learns MAC addresses and builds a filter table, but does not forward frames.
  - Forwarding -- the port sends and receives all data.
- Switch ports are most often in either blocking or forwarding state, unless a change to the network has just been made.
- Convergence -- the time it takes for a port to switch from blocking to forwarding mode, or vice versa -- usually 50 seconds. No data is forwarded during this time. It is NOT recommended to change the default STP timers.
- A root bridge ALWAYS has every port in forwarding mode.
- Switching Modes:
  - Cut-Through -- the switch looks up the destination MAC address in the MAC filter table and starts forwarding the frame immediately -- before the whole frame has arrived -- 13 bytes into the frame. This method is fastest, but has no error checking.
  - FragmentFree (Modified Cut-Through) -- the switch reads 64 bytes from the frame (waits for the collision window to pass) and then forwards the frame. This is the default method for 1900 series switches. The first 64 bytes is where almost all errors happen.
  - Store-and-Forward -- a complete frame is received, and a CRC is run (an invalid CRC is either < 64 bytes, or > 1518 bytes). This is the slowest method, but with the most error checking. Catalyst 5000 switches use this method, and the setting CANNOT be modified.

Managing a Cisco Internetwork

- Cisco Router Components -- Bootstrap, POST, ROM Monitor (all in ROM); Mini-IOS (RXBOOT, or bootloader), RAM, ROM, Flash, NVRAM, Configuration register.
- Cisco Router Boot Sequence -- POST; Bootstrap loads the IOS; the IOS loads a configuration ("startup-config", if present in NVRAM).
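Going back to the Spanning Tree notes above (Bridge ID = priority + base MAC, lowest wins; root port = lowest cost path to the root using the "new" 802.1d costs), here is an added example that is not part of the original notes. Switch names, priorities, MAC addresses and the three-switch topology are constructed.

```python
import heapq

# 802.1d link cost by speed in Mb/s: the "new" values listed in the notes above.
PORT_COST = {10000: 2, 1000: 4, 100: 19, 10: 100}

# Constructed topology: (switch A, port on A, switch B, port on B, speed in Mb/s).
LINKS = [
    ("SW1", "Gi0/1", "SW3", "Gi0/1", 1000),
    ("SW1", "Fa0/1", "SW2", "Fa0/1", 100),
    ("SW2", "Fa0/2", "SW3", "Fa0/2", 100),
]

# Constructed bridge priorities and base MAC addresses (SW3 has been given a
# lower priority on purpose, the way an administrator pins the root bridge).
BRIDGES = {
    "SW1": (32768, "00:11:22:33:44:55"),
    "SW2": (32768, "00:11:22:33:44:01"),
    "SW3": (4096, "00:11:22:33:44:99"),
}

def bridge_id(bridges, name):
    """Comparable Bridge ID: the 2-byte priority first, then the 6-byte MAC."""
    priority, mac = bridges[name]
    return (priority, int(mac.replace(":", ""), 16))

def elect_root(bridges):
    """The bridge with the lowest Bridge ID becomes the root bridge."""
    return min(bridges, key=lambda n: bridge_id(bridges, n))

def neighbors(switch, links=LINKS):
    """Yield (local port, neighbor, link cost) for every link on `switch`."""
    for a, pa, b, pb, speed in links:
        if a == switch:
            yield pa, b, PORT_COST[speed]
        elif b == switch:
            yield pb, a, PORT_COST[speed]

def root_path_cost(root, links=LINKS):
    """Dijkstra from the root: lowest total link cost from every bridge to the root."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for _port, nxt, cost in neighbors(node, links):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return dist

def root_port(switch, bridges=BRIDGES, links=LINKS):
    """(port, cost) of the root port: the port whose neighbor gives the lowest
    cost to the root; ties go to the neighbor with the lowest Bridge ID."""
    root = elect_root(bridges)
    if switch == root:
        return None  # the root has no root port; every port on it forwards
    dist = root_path_cost(root, links)
    port, nbr, cost = min(
        neighbors(switch, links),
        key=lambda p: (dist[p[1]] + p[2], bridge_id(bridges, p[1])),
    )
    return port, dist[nbr] + cost

if __name__ == "__main__":
    print("root bridge:", elect_root(BRIDGES))
    for sw in BRIDGES:
        print(sw, "root port:", root_port(sw))
```

If all three switches kept the default priority 32768, SW2 would win the election purely on its lower MAC address, which is why the notes say to set the priority deliberately.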
- Configuration register -- 16 bits, read 15-0 from left to right. Default is 0x2102 = 0010 0001 0000 0010 -- load IOS from flash and look for "startup-config".
- Configuration register common values in bits (and hex):
  - 0-3 -- 0x0000-0x000F -- Boot field, as follows:
    - 00 -- ROM monitor mode -- register = 2100. You must manually boot the router with the "b" command.
    - 01 -- Boot image from ROM -- register = 2101.
    - 02-F -- Specifies a default boot filename.
  - 6 -- 0x0040 -- ignore NVRAM contents.
  - 7 -- 0x0080 -- OEM bit enabled.
  - 8 -- 0x0100 -- Break disabled.
  - 10 -- 0x0400 -- IP broadcast with all zeros.
  - 11-12 -- 0x0800-0x1000 -- console line speed.
  - 13 -- 0x2000 -- Boot default ROM software if network boot fails.
  - 14 -- 0x4000 -- IP broadcasts do not have net numbers.
  - 15 -- 0x8000 -- Enable diagnostic messages and ignore NVM contents.
- "sh version" shows the current value of the configuration register.
- Change the config register (run this from "config t" mode) -- "config-register 0x0101" -- Boot into ROM mode and then show the current config register value.
- Recovering Passwords:
  - Perform a "break" while the router boots -- you should see "rommon 1 >".
  - "confreg 0x2142" -- turns on bit 6 -- ignore NVRAM contents. Note: On a Cisco 2500 router, type "o" after the break, then "o/r 0x2142". ! To boot from a different file, use "boot system <ios_name>", or "boot system tftp <ios_name> <ip_address>".
  - Reboot the router -- "reset" ("I" on a 2500 -- meaning "initialize").
  - Fix the password and reboot -- "copy start run", "config t", "enable secret <new_pass>", "config-register 0x2102", Ctrl-Z, "copy run start", "reload".
- Back up and Restore the Cisco IOS:
  - Check the flash and the TFTP server -- "sh flash", "ping 192.168.1.4".
  - Back up the IOS image -- "copy flash tftp".
  - Restore or Upgrade the Cisco Router IOS -- "copy tftp flash" (you may be asked to erase existing flash data). You can also erase it manually with "erase flash:".
- Set up a Cisco router to be a TFTP server -- "config t", "tftp-server flash:".
- Back up or Restore the Cisco Configuration -- "copy run tftp", "copy tftp run". Erase the startup config -- "erase start".
- Cisco Discovery Protocol (CDP) -- collects hardware and protocol information about neighbor devices. "sh cdp" shows CDP values:
  - CDP timer -- how often CDP packets are transmitted to all active interfaces (default 60 seconds) -- "config t", "cdp timer 90".
  - CDP holdtime -- how long to hold packets received from neighbor devices (default 180 seconds) -- "config t", "cdp holdtime 240".
- "sh cdp nei" (or "show cdp neighbor") shows CDP information ONLY about directly connected devices. "sh cdp neighbor detail" = "sh cdp entry *" -- BOTH display extended information ("sh cdp entry *" does NOT work on a 1900 switch).
- "sh cdp traffic" shows a CDP traffic summary. "sh cdp interface" shows interface CDP information.
- CDP is enabled by default. Disable globally -- "no cdp run". To disable per interface -- "config t", "int s0", "no cdp enable".
- "telnet 192.168.2.100" = "192.168.2.100" -- "telnet" can be skipped, it is assumed.
- Connect via telnet to several routers simultaneously -- "telnet 192.168.1.100", "Ctrl-Shift-6 then x" (suspend), "telnet 192.168.2.100".
- "sh sessions" shows telnet connections from your router to another device. "sh users" shows telnet sessions into your router.
- "disconnect <ID>" disconnects a session. "clear line <ID>" disconnects a telnet session into your router.
- Use a host table to resolve addresses -- "config t", "ip host myrouter 192.168.1.100". Then you can telnet via "telnet myrouter", or just "myrouter". Remove with "no ip host myrouter".
- Using a DNS server for name resolution -- "config t", "ip domain-lookup", "ip name-server 192.168.1.4", "ip domain-name mydomain.com".
- "sh hosts" displays the host table, or DNS information, if set up.
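The configuration register bits listed above, decoded in code. This is an added example and not part of the original notes; the "Configuration register is 0x...." line is the format IOS "show version" prints, and the sample output is constructed. The point for an operator is detection: a router that still reports 0x2142 after a password recovery is booting without its startup-config and should be put back to 0x2102.

```python
import re

BOOT_FIELD = {
    0x0: "ROM monitor mode (manual boot with 'b')",
    0x1: "boot image from ROM",
}

# Single-bit settings from the notes: bit number -> meaning.
FLAG_BITS = {
    6: "ignore NVRAM contents",
    7: "OEM bit enabled",
    8: "Break disabled",
    10: "IP broadcast with all zeros",
    13: "boot default ROM software if network boot fails",
    14: "IP broadcasts do not have net numbers",
    15: "enable diagnostic messages and ignore NVM contents",
}

def decode_config_register(value):
    """Describe a register value such as 0x2102 field by field."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("the configuration register is 16 bits wide")
    boot = value & 0xF                               # bits 0-3
    return {
        "boot_field": boot,
        "boot": BOOT_FIELD.get(boot, "default boot filename (IOS from flash)"),
        "console_speed_bits": (value >> 11) & 0x3,   # bits 11-12
        "flags": [text for bit, text in FLAG_BITS.items() if value & (1 << bit)],
    }

def ignores_startup_config(value):
    """True when bit 6 (0x0040) is set: the router boots without startup-config."""
    return bool(value & 0x0040)

def register_from_show_version(output):
    """Pull the register out of a 'Configuration register is 0x....' line; None if absent."""
    match = re.search(r"Configuration register is (0x[0-9A-Fa-f]{1,4})", output)
    return int(match.group(1), 16) if match else None

# Constructed sample of the last line of "show version" on a recovered router.
SAMPLE_SHOW_VERSION = "Configuration register is 0x2142"

if __name__ == "__main__":
    value = register_from_show_version(SAMPLE_SHOW_VERSION)
    print(hex(value), decode_config_register(value))
    if ignores_startup_config(value):
        print("startup-config is being ignored: set config-register 0x2102 and reload")
```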
- "ping" and "traceroute" can be used from user mode and enable mode, but not from config mode.
- If you try to run traceroute with IPX or AppleTalk, you will get an error. Those two are not supported yet.

VLANS

- Flat network -- when a broadcast reaches all segments of a network (in a Layer-2 switched network). If a router is present, a broadcast is confined to the originating segment.
- VLANs -- logically grouped switch ports. Without a router, there can be no communication between VLANs.
- VLAN basic features:
  - A VLAN can group several broadcast domains into multiple logical subnets.
  - Network adds, moves, and changes are achieved by configuring a port into the appropriate VLAN.
  - A group of users needing high security can be put into a separate VLAN.
  - VLANs can be considered independent from their physical or geographic location.
- Broadcast Control -- broadcast-intensive applications can be placed in a separate VLAN, so they don't put a load on the rest of the network.
- Security -- Administrators have full control over every switch port. In addition, switches can be configured to notify a management station of any unauthorized access.
- Flexibility and Scalability -- Users can be added to a specific VLAN, regardless of their physical location. Also, a VLAN can be split into more VLANs, if necessary.
- VLAN 1 is an administrative VLAN. Cisco recommends you use it for administrative purposes only. So, usable VLANs start from 2.
- Static VLANs -- Each switch port is statically assigned to a particular VLAN, and this relationship never changes. This is usually how VLANs are set up. Monitoring is easy.
- Dynamic VLANs -- All MAC addresses are initially entered into a centralized VLAN management application. Then, when a host is plugged into a switch, VLAN association happens automatically.
- VLAN Management Policy Server (VMPS) -- contains the VMPS database maps, containing MAC addresses and their association with VLANs.
- Types of VLAN links:
  - Access links -- Each switch port has a single native VLAN (access link). Whatever machine is connected to this port is unaware of the network design. It can ONLY communicate with machines on the same VLAN.
  - Trunk links -- 100Mbps (FastE) or 1000Mbps (GigE). They can carry multiple VLANs (1 to 1005). Switches are "trunked" together via the trunk links. A server can be attached to a trunk link in order to be a direct member of 2 or more VLANs.
- Switch fabric -- a group of switches sharing the same VLAN information.
- Frame tagging -- each frame is assigned a tag, called a "VLAN ID" or a "color". When the frame reaches the destination port, the switch removes this ID, thus making the process transparent to the connected machines.
- VLAN Identification Methods:
  - Inter-Switch Link (ISL) -- proprietary to Cisco switches, used for FastE or GigE links only. ISL routing can be used on a switch port, router interfaces, or server interface cards.
  - IEEE 802.1q -- a standard method that inserts a field into the frame to identify the VLAN. IEEE 802.1q must be used if you are trunking between a Cisco switch and a different brand of switch.
  - LAN emulation (LANE) -- used to communicate multiple VLANs over ATM.
  - 802.10 (FDDI) -- proprietary to Cisco devices -- used for sending VLAN information over FDDI.
- 80/20 rule -- 80 percent of the data traffic should stay on the local segment, while 20 percent or less can cross a segmentation device.
- A trunked server can be on multiple VLANs simultaneously, so there is no need for a router to access this server.
- Inter-Switch Link (ISL) Protocol -- provides low-latency, full wire-speed performance, in contrast to FastE, which uses either half- or full-duplex mode:
  - When using ISL, the original frame is encapsulated with a new 26-byte ISL header, plus a 4-byte frame check sequence (FCS) field. Only ISL-aware devices can read the frame, which can be as large as 1522 bytes (larger than the max 1518 byte frame on an Ethernet segment).
  - ISL NICs are used in trunked servers. This eliminates the need for a router.
  - ISL VLAN information is added to a frame only if the frame is forwarded out a port configured as a trunk link. This information is removed when the frame reaches an access link.
- VLAN Trunk Protocol (VTP) -- allows centralized VLAN management. An administrator can add, delete, and rename VLANs. VTP is NOT Cisco proprietary. Features:
  - Consistent VLAN configuration across all switches in the network.
  - VLANs can be trunked over mixed networks, like Ethernet to ATM LANE or FDDI.
  - Accurate tracking and monitoring of VLANs.
  - Dynamic reporting of added VLANs to all switches.
  - Plug-and-Play VLAN adding.
- A VTP server uses a VTP domain. A switch can only be in one VTP domain.
- A VTP domain can be used if you have more than one switch. However, if all your switches are using a single VLAN, there is no need for VTP.
- VTP transparent mode -- switches forward VTP information through trunk ports, but do NOT accept information updates, or update their VTP databases.
- Passwords can be set up with VTP to prevent unauthorized adding of switches to a VTP domain, but this can be time-consuming.
- Switches detect VLAN information within a VTP advertisement, and then listen on their trunk ports for additional updates.
- VTP updates include a VLAN ID, 802.10 SAID fields, or LANE information.
- VTP updates are sent out as revision numbers that are the notification plus 1. Any time a switch sees a higher revision number, it knows the received information is more current, and the switch will overwrite its current database.
- VTP Modes of Operation:
  - Server -- default for all Catalyst switches -- the switch can update VTP information and push it to the whole VTP domain. At least one server is needed per VTP domain.
  - Client -- receives information from a VTP server. None of the ports on a client switch can be added to a VLAN without information from the VTP server, which notifies the switch of the new VLAN. ! Hint -- if you want a switch to become a server, make it a client first. After it receives all VLAN information, change it to a server.
  - Transparent -- switches in transparent mode do not participate in the VTP domain, but they still forward VTP advertisements. They can add and delete VLANs, but those VLANs are unique per switch, they don't propagate in the VTP domain.
- Server and Transparent configuration is saved in NVRAM, while client configuration is not saved in NVRAM.
- VTP Pruning -- only send broadcast, multicast, and unicast information to trunk links that absolutely need this information. VTP Pruning preserves bandwidth:
  - If switch A does not have any ports configured for VLAN 5, and a broadcast is sent throughout VLAN 5, that broadcast will not pass the trunk port of switch A.
  - By enabling pruning on a VTP server, you enable it for the entire domain. By default, VLANs 2-1005 are pruning-eligible. VLAN 1 cannot prune, as it is the administrative VLAN.
- Routing between VLANs -- there are several possibilities:
  - A router that has an interface for each VLAN.
  - A router that supports ISL routing and has at least a FastE interface -- the least expensive one is the 2600 series. 1600, 1700, and 2500 series do not support ISL routing.
  - A Route Switch Module (RSM) for a 5000 series switch. The RSM can support up to 1005 VLANs and runs on the backplane of the switch.
  - "Router-on-a-stick" -- a router connecting all VLANs together, allowing for inter-VLAN communication using only one router interface.
- All ports on a switch are members of VLAN 1 by default.
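The VTP behaviour described above (domain membership, the optional password, the revision number rule "higher revision overwrites the local database", and the three modes) as an added simulation. This is not code from the notes or from Cisco; the switch names, VLANs and password are constructed, and using an MD5 hash of the domain password as the advertisement digest is a simplification assumed here. It shows why the notes recommend a VTP password: without it, any server in the domain with a higher revision number replaces every other switch's VLAN database.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict          # VLAN ID -> name
    digest: str          # hash of the domain password (simplified model)

@dataclass
class Switch:
    name: str
    mode: str            # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

def digest(password):
    """Constructed stand-in for the VTP password digest."""
    return hashlib.md5(password.encode()).hexdigest()

def advertise(sw):
    """The summary a switch sends out of its trunk ports."""
    return Advertisement(sw.domain, sw.revision, dict(sw.vlans), digest(sw.password))

def add_vlan(sw, vid, name):
    """Servers create VLANs for the domain; transparent switches create local-only
    VLANs; clients cannot create VLANs at all, they wait for the server."""
    if sw.mode == "client":
        raise PermissionError(f"{sw.name}: clients cannot create VLANs")
    sw.vlans[vid] = name
    if sw.mode == "server":
        sw.revision += 1     # every change on a server bumps the revision number

def receive(sw, adv):
    """Apply an advertisement the way the notes describe; return what happened."""
    if sw.mode == "transparent":
        return "forwarded"                      # passed on, never applied
    if adv.domain != sw.domain:
        return "ignored: wrong domain"
    if adv.digest != digest(sw.password):
        return "ignored: password mismatch"
    if adv.revision > sw.revision:
        sw.vlans, sw.revision = dict(adv.vlans), adv.revision
        return "overwritten"                    # higher revision wins
    return "ignored: not newer"

if __name__ == "__main__":
    server = Switch("SW-A", "server", "lab", "s3cret")
    add_vlan(server, 10, "users")
    add_vlan(server, 20, "servers")
    client = Switch("SW-B", "client", "lab", "s3cret")
    print(receive(client, advertise(server)), client.vlans)
    # A switch that was once a server elsewhere: stale database, revision 50.
    stale = Switch("SW-X", "server", "lab", "wrong-password", revision=50)
    print(receive(client, advertise(stale)), client.vlans)
```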

IP ROUTING

- Typically, in a large network, a combination of both static and dynamic routing is used.
- A packet can also be dropped on the RETURN trip. Example -- if you ping a host and it doesn't answer, that doesn't necessarily mean the forward path is broken.
- Static Routing -- an entry is added to the routing table of each router, for each remote network.
- Static Routing Advantages -- no overhead on the router CPU, no bandwidth usage between routers, security. Primarily used in small networks (< 10 routers).
- Static Routing Disadvantages -- Time-consuming, therefore not appropriate for large networks (100 routers for example).
- Static Routing Syntax -- "ip route [destination_network] [mask] [next_hop or exit_interface] [administrative_distance] [permanent]"
- Static Routing Example -- "ip route 172.16.20.0 255.255.255.0 172.16.10.2". Display the current routing table -- "sh ip route".
- Default Routing -- can only be used on stub networks (only one exit port out of the network).
- Before setting up a default route, remove any static routing entries -- "no ip route 172.16.20.0 255.255.255.0 172.16.10.2".
- Set up a default route -- "ip route 0.0.0.0 0.0.0.0 172.16.10.2". Verify the changes -- "sh ip route" -- the default route shows as "S*".
- ALWAYS remember to use "ip subnet-zero" and "ip classless" -- both are enabled by default in Cisco IOS 12.x.
- Dynamic Routing -- happens automatically, but uses CPU and network resources.
- Dynamic Routing Protocols within a network:
  - RIP -- Routing Information Protocol.
  - IGRP -- Interior Gateway Routing Protocol -- Cisco proprietary.
  - EIGRP -- Enhanced Interior Gateway Routing Protocol -- Cisco proprietary.
  - OSPF -- Open Shortest Path First -- non-proprietary.
- Dynamic Routing Protocols across networks:
  - IGP -- Interior Gateway Protocol -- routing between routers in the same Autonomous System (AS).
  - EGP -- Exterior Gateway Protocol -- routing between different Autonomous Systems. BGP (Border Gateway Protocol) is an example of an EGP.
- Administrative Distance -- a number from 0 to 255, where 0 is most reliable, 255 is blocked.
- If two advertised routes for the same network have the same ADs, the router makes a decision by looking at hop count or bandwidth.
- AD values:
  - 0 -- Connected interface.
  - 1 -- Static route.
  - 90 -- EIGRP.
  - 100 -- IGRP.
  - 110 -- OSPF.
  - 120 -- RIP.
  - 170 -- External EIGRP.
  - 255 -- Unknown -- this one will never be used.
- Routing Protocol Types:
  - Distance Vector -- distance is measured in hops. Examples -- RIP, IGRP.
  - Link State -- also called Shortest Path First -- 3 tables per router -- 1 for directly attached neighbors, 1 for network topology, and 1 for routing. Examples -- OSPF.
  - Hybrid -- these use a combination of both methods -- EIGRP.
- Distance Vector Routing Protocols -- they use "routing by rumor" -- exchange of routing tables. RIP looks at ADs first, then at hop count. If everything is equal, it performs round-robin load balancing for up to 6 equal cost links.
- Pinhole Congestion -- with RIP routing, if a 56K link has fewer hops than a T1 link, the 56K link will be used -- this is bad, and happens because hop count is the only metric used with RIP routing.
- Slow Convergence is another problem of RIP. While the routers are converging (synchronizing their routing tables), no data is passed.
- RIP Routing table fields -- network number, exit interface, and hop count.
- Routing loops are also a common problem in RIP. They result from the slow convergence of RIP.
- Maximum Hop Count -- RIP has this set to 15. After that, a packet is dropped. Maximum Hop Count is a good feature to decrease the severe effects of routing loops.
- Split Horizon -- information cannot be sent back in the direction from which it was received. This method is able to prevent routing loops.
- Route Poisoning -- when a network becomes unreachable, the first directly attached router places a "16" entry (unreachable) for this network in its routing table, and then advertises it to all other routers. They reply with a "poison reverse" (acknowledgement).
- Holddowns -- these prevent regular update messages from a flapping network, router, or interface. Thus, the flow of information continues.
- Holddown behavior:
  - Holddowns have a timer. When it expires, the link is reinstated.
  - If another update is received, with a better metric, the link is reinstated. If the metric is the same, nothing happens.
  - If a flush timer removes the bad route from the routing table (if it happens to expire -- coincidence), the link is reinstated.
- RIP is a true distance-vector routing protocol. It sends the complete routing table to all active interfaces every 30 seconds.
- RIP Version 1 uses only classful routing. RIP Version 2 provides prefix routing (classless routing) -- no subnet mask is sent with the updates.
- RIP Timers:
  - Route update timer -- how often to send out updates -- default is 30 seconds.
  - Route invalid timer -- when there are no updates for a specific route over a time period (default is 90 seconds), the route is advertised as invalid.
  - Route flush timer -- how long after a route becomes invalid before it is removed from the routing table -- default is 240 seconds.
- Configure RIP routing -- Make sure there are no static routes, as they take precedence. Then -- "config t", "router rip", "network 172.16.0.0" -- "network" tells the router which network to advertise.
- RIP is configured with classful routing network addresses -- ALL subnet masks must be the same on all devices on the network.
- "sh ip route" displays something like this -- "R 172.16.50.0 [120/3] via 172.16.10.2, FastEthernet0/0" -- "[120/3]" is the AD and the hop count.
- Blocking RIP advertisements after a certain point of the network -- "config t", "router rip", "network 172.16.0.0", "passive-interface serial 0" -- serial 0 will stop advertising, but will still receive updates.
- IGRP -- Cisco proprietary, maximum hop count of 255 with default of 100, helpful in larger networks.
- IGRP uses bandwidth and delay of the line as metrics -- this combination is called a composite metric.
- IGRP can also use other metrics, but they are not used by default -- reliability, load, and MTU.
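The RIP behaviour described above (full-table updates, hop count with 16 meaning unreachable, route poisoning, and split horizon with poison reverse) as an added simulation that is not part of the original notes. The three-router chain A - B - C and its networks are constructed; the simulation counts how many update rounds it takes to re-converge after a network fails, with and without split horizon, which is the routing-loop and "counting to infinity" problem the notes mention.

```python
INFINITY = 16   # RIP "unreachable" metric: the maximum hop count is 15

class Router:
    def __init__(self, name, connected):
        self.name = name
        # routing table: network -> (hop count, next-hop router name or None)
        self.table = {net: (0, None) for net in connected}
        self.neighbors = {}        # neighbor name -> Router

def link(a, b):
    """Directly connect two routers (the link subnet itself is not modelled)."""
    a.neighbors[b.name] = b
    b.neighbors[a.name] = a

def update_for(router, neighbor, split_horizon=True):
    """The full table `router` sends to `neighbor`. With split horizon, routes
    learned from that neighbor are sent back poisoned (metric 16, poison reverse)."""
    update = {}
    for net, (metric, via) in router.table.items():
        update[net] = INFINITY if split_horizon and via == neighbor.name else metric
    return update

def receive_update(router, sender, update):
    """Distance-vector step: take a route if it is new or better, or if it comes
    from the current next hop (so a poisoned route replaces the stale one)."""
    changed = False
    for net, advertised in update.items():
        metric = min(advertised + 1, INFINITY)
        cur_metric, cur_via = router.table.get(net, (INFINITY, None))
        if metric < cur_metric or (cur_via == sender.name and metric != cur_metric):
            router.table[net] = (metric, sender.name)
            changed = True
    return changed

def converge(routers, split_horizon=True, max_rounds=30):
    """One round = every router sends its table to every neighbor. Returns the
    number of rounds until no table changes (or max_rounds)."""
    for rnd in range(1, max_rounds + 1):
        pending = [(r, n, update_for(r, n, split_horizon))
                   for r in routers for n in r.neighbors.values()]
        changed = False
        for sender, receiver, upd in pending:
            changed |= receive_update(receiver, sender, upd)
        if not changed:
            return rnd
    return max_rounds

def fail_network(router, net):
    """Route poisoning: the directly attached router marks `net` unreachable."""
    router.table[net] = (INFINITY, None)

def chain():
    """Constructed topology A - B - C, each router with one LAN behind it."""
    a = Router("A", ["10.0.1.0/24"])
    b = Router("B", ["10.0.2.0/24"])
    c = Router("C", ["10.0.3.0/24"])
    link(a, b)
    link(b, c)
    return [a, b, c]

def rounds_after_failure(split_horizon):
    """Converge, fail 10.0.1.0/24 behind A, and count rounds to re-converge."""
    routers = chain()
    converge(routers, split_horizon)
    fail_network(routers[0], "10.0.1.0/24")
    return converge(routers, split_horizon), routers

if __name__ == "__main__":
    for sh in (True, False):
        rounds, routers = rounds_after_failure(sh)
        print("split horizon" if sh else "no split horizon", "->", rounds, "rounds")
        for r in routers:
            print("  ", r.name, r.table["10.0.1.0/24"])
```

Without split horizon, B and C keep re-learning the dead network from each other and the hop count climbs one step per round until it reaches 16; with split horizon and poison reverse the poisoned route settles in three rounds.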
Subnetting

  Prefix  Mask  Binary
  /24     0     0000 0000
  /25     128   1000 0000
  /26     192   1100 0000
  /27     224   1110 0000
  /28     240   1111 0000
  /29     248   1111 1000
  /30     252   1111 1100
  /31     254   1111 1110
  /32     255   1111 1111

  Networks:Hosts
  1:256  2:128  4:64  8:32  16:16  32:8  64:4  128:2  256:1
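The table above derived from the prefix length rather than memorised, plus the network / broadcast / usable-range calculation the subnetting walkthrough at the start of this document does by hand for 192.168.10.0 with mask 255.255.255.128. This is an added example, not from the original notes; it uses Python's standard ipaddress module and the addresses in the calls are the ones from the walkthrough.

```python
import ipaddress

def last_octet_mask(prefix):
    """Mask value of the last octet for /24../32, e.g. /26 -> 192."""
    if not 24 <= prefix <= 32:
        raise ValueError("this table covers /24 to /32 only")
    host_bits = 32 - prefix
    return (0xFF << host_bits) & 0xFF

def table_row(prefix):
    """(prefix, last-octet mask, binary, subnets per /24, addresses per subnet)."""
    mask = last_octet_mask(prefix)
    bits = f"{mask:08b}"
    subnets = 2 ** (prefix - 24)          # each borrowed bit doubles the subnets
    return prefix, mask, bits[:4] + " " + bits[4:], subnets, 256 // subnets

def subnet_info(addr_with_prefix):
    """Network, mask, broadcast and usable host range for e.g. '192.168.10.130/25'.
    A /31 or /32 has no separate network/broadcast address, so every address counts."""
    net = ipaddress.ip_interface(addr_with_prefix).network
    size = net.num_addresses
    if size > 2:
        first, last, usable = net[1], net[-2], size - 2
    else:
        first, last, usable = net[0], net[-1], size
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "usable": usable,
    }

def same_subnet(a, b, prefix):
    """Two hosts can reach each other without a router only if the network
    part of their addresses is identical under the given mask."""
    net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
    return net_a == net_b

if __name__ == "__main__":
    for p in range(24, 33):
        print("/%d  %3d  %s  %3d:%d" % table_row(p))
    print(subnet_info("192.168.10.130/25"))
    print(same_subnet("192.168.10.100", "192.168.10.200", 25))
```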
