
INTRODUCTION

In this infrastructure there are 3 routers, 4 layer-2 switches, 2 layer-3
switches, 1 server, 13 computers and some automation devices such as a
wind detector, a wind turbine, a fan and a blower.

Each group of 3 computers is connected to one layer-2 switch, and another
3 computers are connected to a second layer-2 switch. These computers are
connected to FastEthernet interfaces on the switch with straight-through
cables.

The layer-3 switch is connected to the layer-2 switch with a copper
cross-over cable on FastEthernet interfaces, and the layer-3 switch is
also connected to the router with a straight-through cable. On that link
the layer-3 switch uses FastEthernet and the router uses GigabitEthernet.

Router 0 is connected to Router 1 with a copper cross-over cable on
GigabitEthernet interfaces, and Router 1 is connected to the third router
as well as to the server on which all the information is stored.

The second router is connected to the third; from there the other office
of the same company begins, and its network is also different. The third
router is connected to a core switch, the core switch is connected to a
layer-2 switch, and that switch is connected to the computers.

There is only one server for the two offices; all data is stored on that
server, and it can be accessed only with authentication.

In this infrastructure I have applied the following topics and their
configuration:

- Static Routing
- VLAN concept
- Inter-VLAN concept
- DHCP (Dynamic Host Configuration Protocol)
- ACL (Access Control List)
- EtherChannel
- Default Routing
- OSPF (Open Shortest Path First)
- EIGRP (Enhanced Interior Gateway Routing Protocol)
- Redistribution
- Port Security
- Telnet
- SSH
- Privilege level

Static Routing
Static routing is a method of routing in which the path that traffic will
take is configured manually on the router rather than learned from a
routing protocol.

Static routing is a form of routing that occurs when a router uses a
manually configured routing entry rather than information learned from
dynamic routing traffic.[1] In many cases, static routes are manually
configured by a network administrator by adding entries to a routing
table, though this may not always be the case. Unlike dynamic routing,
static routes are fixed and do not change if the network is changed or
reconfigured. Static routing and dynamic routing are not mutually
exclusive. Both are usually used together on a router to maximise
routing efficiency and to provide a backup in the event that dynamic
routing information fails to be exchanged. Static routing can also be
used in stub networks, or to provide a gateway of last resort.

Configuration

Router>enable
Router#configure terminal
Router(config)#ip route 192.168.10.0 255.255.255.0 100.100.100.1

The destination must be the network address for the given mask (IOS
rejects a host address here with "%Inconsistent address and mask"). This
means that any packet for the 192.168.10.0 network with that subnet mask
is forwarded directly to the next hop given in the command. This is how
we give the route.

VLAN
VLAN stands for virtual local area network. A VLAN is used to divide the
broadcast domain of a switch through configuration. The VLAN concept is
used, for example, when there are 5 departments and 10 users, with each
department having 2 users.

Without VLANs each department would use its own switch for
communication, so 5 departments would need 5 switches. The cost would be
very high, and if one switch failed another would have to be bought. This
would be very expensive for the company, and any architect who reviewed
your office would reject such an infrastructure.

So rather than using 5 switches we use 1 switch and break it into 5
VLANs. We create 5 VLANs, such as VLAN 10, VLAN 20, VLAN 30, VLAN 40 and
VLAN 50, and configure them with the vlan command on the switch. In my
scenario there are 2 VLANs, so the configuration is given below:

vlan 10
vlan 20
exit

These commands look like this on the switch:

Switch>enable
Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#vlan 20
Switch(config-vlan)#exit

These are the commands to create VLANs.

There can be 4096 VLAN IDs, and VLAN 1 is the default VLAN.

This is how we create VLANs, but we also have to put the switch
interfaces into the different VLANs.

Configuration for assigning switch interfaces (ports) to VLANs:

Switch>enable
Switch#configure terminal
Switch(config)#interface fastethernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface fastethernet 0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit

If there are many ports, a range of them can be configured at once:

Switch(config)#interface range fastethernet 0/1 - 5
A VLAN allows several networks to work virtually as one LAN. One of the
most beneficial elements of a VLAN is that it reduces latency in the
network, which saves network resources and increases network efficiency.
In addition, VLANs are created to provide segmentation and to assist
with issues such as security, network management and scalability.

Traffic patterns can also easily be controlled by using VLANs.

The key benefits of implementing VLANs include:

- Allowing network administrators to apply additional security to
network communication
- Making expansion and relocation of a network or a network device
easier
- Providing flexibility, because administrators can configure from a
centralized environment while the devices may be located in different
geographical locations
- Decreasing the latency and traffic load on the network and the
network devices, offering increased performance

VLANs also have some disadvantages and limitations, as listed below:

- High risk of virus issues, because one infected system may spread a
virus through the whole logical network
- Equipment limitations in very large networks, because additional
routers might be needed to control the workload
- More effective at controlling latency than a WAN, but less efficient
than a LAN

Intervlan
The layer-2 switch is connected to the layer-3 switch.

By default, different VLANs cannot communicate with each other. If we
want them to communicate we use a layer-3 device, either a router or a
layer-3 switch. The inter-VLAN concept is used to allow communication
between different VLANs.

I have also created VLAN 10 and VLAN 20 on the layer-3 switch. After
creating the VLANs we have to create a trunk port on both switches.

We define inter-VLAN routing as the process of forwarding network
traffic from one VLAN to another VLAN using a router or layer-3 device.

In the previous pages we learned how to configure VLANs on a network
switch. To allow devices connected to the various VLANs to communicate
with each other, you need to connect a router. As we have learned, each
VLAN is a unique broadcast domain, so computers on separate VLANs are,
by default, not able to communicate. There is a way to permit these
computers to communicate; it is called inter-VLAN routing.

One of the ways to carry out inter-VLAN routing is by connecting a
router to the switch infrastructure. VLANs are associated with unique
IP subnets on the network. This subnet configuration enables the
routing process in a multi-VLAN environment. When using a router to
facilitate inter-VLAN routing, the router interfaces can be connected
to separate VLANs. Devices on those VLANs communicate with each other
via the router.

Trunk port commands on the layer-3 switch:

Switch>enable
Switch#configure terminal
Switch(config)#interface fastethernet 0/1
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk

Trunk port commands on the layer-2 switch (a layer-2 access switch
normally supports only 802.1Q, so no encapsulation command is needed
and the port is put straight into trunk mode):

Switch>enable
Switch#configure terminal
Switch(config)#interface fastethernet 0/1
Switch(config-if)#switchport mode trunk

Next I assigned an IP address to the interface of the layer-3 switch,
because a layer-3 switch works at the internet layer and forwards based
on IP addresses.

The layer-3 switch is connected to Router 0 with a straight-through
cable, and we have to configure the router with the following commands.

Router 0 configuration:

Router>enable
Router#configure terminal
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit

Because the router has 2 interfaces, we have to configure the other IP
address as well.

Router>enable
Router#configure terminal
Router(config)#interface gigabitethernet 0/2
Router(config-if)#ip address 100.100.100.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit

This router is connected to another router, Router 1, which is
configured as follows.

Router 1 configuration:

Router>enable
Router#configure terminal
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip address 100.100.100.2 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit

Configuration of the other interface of this router:

Router>enable
Router#configure terminal
Router(config)#interface gigabitethernet 0/2
Router(config-if)#ip address 200.200.200.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit

This router is connected to the server. The server needs no
configuration other than its IP address, which is 200.200.200.2. After
that, the computers are given their IP addresses and gateway, and a
static route is configured so that any packet for any network is
forwarded to 192.168.1.1, the IP address of Router 0. Router 0 in turn
has an ip route that forwards any network of any subnet mask to
100.100.100.2, the IP address of Router 1. Router 1 also has an ip
route that forwards any network of any subnet mask to 200.200.200.2,
the server's IP address. In this way the users can access the server
and communication takes place.

DHCP
DHCP stands for Dynamic Host Configuration Protocol. I have applied DHCP
on the layer-3 switch; DHCP can be applied either on a router or on a
layer-3 switch.

IP addressing can be done either manually or with DHCP, which assigns IP
addresses automatically. DHCP is an application-layer (layer-7) protocol
that runs over UDP (User Datagram Protocol) at the transport layer. It
uses port 67 for the DHCP server and port 68 for the DHCP client.

The Dynamic Host Configuration Protocol (DHCP) is a network management
protocol used on UDP/IP networks whereby a DHCP server dynamically
assigns an IP address and other network configuration parameters to
each device on a network so they can communicate with other IP
networks.[1] A DHCP server enables computers to request IP addresses and
networking parameters automatically from the Internet service provider
(ISP), reducing the need for a network administrator or a user to
manually assign IP addresses to all network devices.[1] In the absence
of a DHCP server, a computer or other device on the network needs to be
manually assigned an IP address, or to assign itself an APIPA address,
which will not enable it to communicate outside its local subnet.

DHCP Configuration:

Each subnet needs its own pool, because a second network statement in
the same pool replaces the first one. Pool names are arbitrary; DEF is
chosen here for the second pool. In practice the gateway addresses
should also be kept out of the pools with ip dhcp excluded-address.

Switch>enable
Switch#configure terminal
Switch(config)#ip dhcp pool ABC
Switch(dhcp-config)#network 192.168.10.0 255.255.255.0
Switch(dhcp-config)#default-router 192.168.10.1
Switch(dhcp-config)#dns-server 8.8.8.8
Switch(dhcp-config)#exit
Switch(config)#ip dhcp pool DEF
Switch(dhcp-config)#network 192.168.20.0 255.255.255.0
Switch(dhcp-config)#default-router 192.168.20.1
Switch(dhcp-config)#dns-server 8.8.8.8

ACL
ACL stands for Access Control List. I have applied an ACL on the router
for the computer 192.168.10.2.

The ACL is applied to deny a host or computer so that it cannot access
the server. I have applied it to only 1 PC, but an ACL can also be
applied to a whole network, in which case any IP address of that network
is denied and no PC can access the server. Because I have applied it to
only 1 PC, every PC except that one is allowed to access the server.

Network ACLs. A network access control list (ACL) is an optional layer
of security for your VPC that acts as a firewall for controlling traffic
in and out of one or more subnets. You might set up network ACLs with
rules similar to your security groups in order to add an additional
layer of security to your VPC.

An access list (ACL) is a set of rules defined for controlling network
traffic and reducing network attacks. ACLs are used to filter traffic
based on the set of rules defined for the incoming or outgoing traffic
of the network.

ACL features:

1. The rules are matched in order, i.e. matching starts with the first
line, then the 2nd, then the 3rd and so on.
2. A packet is compared only until it matches a rule. Once a rule is
matched, no further comparison takes place and that rule's action is
performed.
3. There is an implicit deny at the end of every ACL, i.e. if no rule
matches, the packet is discarded.

Once the access list is built, it should be applied inbound or outbound
on an interface:
- Inbound access lists: when an access list is applied to the inbound
packets of an interface, the packets are first processed according to
the access list and then routed to the outbound interface.
- Outbound access lists: when an access list is applied to the outbound
packets of an interface, the packets are first routed and then
processed at the outbound interface.

Types of ACL:

There are two main types of access list:

1. Standard access list: these are access lists that match on the
source IP address only. They permit or deny the entire protocol suite
and do not distinguish between IP traffic types such as TCP, UDP or
HTTPS. By using the numbers 1-99 or 1300-1999, the router understands
it as a standard ACL and the specified address as the source IP
address.

2. Extended access list: these are ACLs that use both the source and
destination IP address. In this type of ACL we can also specify which
IP traffic (protocol and port) should be allowed or denied. They use
the ranges 100-199 and 2000-2699.

ACL Configuration:

Router>enable
Router#configure terminal
Router(config)#access-list 1 deny host 192.168.10.2
Router(config)#access-list 1 permit any
Router(config)#interface gigabitethernet 0/1
Router(config-if)#ip access-group 1 in
Router(config-if)#exit

The list is applied inbound on the LAN-facing interface (the one with
192.168.10.1), so packets from 192.168.10.2 are dropped as they enter
the router, before they are routed towards the server. Applied outbound
on that same interface the list would only see traffic leaving towards
the LAN, which never has 192.168.10.2 as its source, and the PC would
not be blocked.

A standard ACL can also be written in named form. Note that the first
entry of this one denies the whole 192.0.0.0/8 range, so it would block
every PC in the office if it were applied instead of access-list 1:

Router(config)#ip access-list standard deny
Router(config-std-nacl)#deny 192.0.0.0 0.255.255.255
Router(config-std-nacl)#deny host 192.168.10.2
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit
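The following Python model is an added example and not part of the
report; it is not Cisco code. It parses the report's own standard ACL
lines, evaluates them the way the ACL features above describe (first
match wins, implicit deny at the end) and shows why the direction in
which the list is bound matters. The packet and interface names
(gig0/1, gig0/2) are constructed from the Router 0 configuration above.

```python
import ipaddress

# Constructed copy of the report's access-list 1 in IOS syntax.
ACL_1_LINES = [
    "access-list 1 deny host 192.168.10.2",
    "access-list 1 permit any",
]


def wildcard_to_prefixlen(wildcard):
    """IOS wildcard masks are inverted netmasks: 0 bits must match, 1 bits
    are ignored. Only contiguous masks are accepted by this model."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return 32 - w.bit_length()


def parse_standard_acl(lines):
    """Parse numbered ('access-list 1 deny host X') or named ('deny X')
    standard ACL lines into an ordered list of (action, network)."""
    entries = []
    for line in lines:
        parts = line.split()
        if parts[0] == "access-list":
            parts = parts[2:]            # drop 'access-list <number>'
        action, operand = parts[0], parts[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line}")
        if operand[0] == "any":
            network = ipaddress.ip_network("0.0.0.0/0")
        elif operand[0] == "host":
            network = ipaddress.ip_network(operand[1] + "/32")
        else:
            # 'deny 192.0.0.0 0.255.255.255'; a bare address means one host
            prefixlen = wildcard_to_prefixlen(operand[1]) if len(operand) > 1 else 32
            network = ipaddress.ip_network(f"{operand[0]}/{prefixlen}", strict=False)
        entries.append((action, network))
    return entries


def evaluate(entries, source_ip):
    """First match wins; if nothing matches, the implicit deny applies."""
    addr = ipaddress.ip_address(source_ip)
    for action, network in entries:
        if addr in network:
            return action
    return "deny"


def is_forwarded(entries, packet, acl_interface, direction):
    """Apply a standard ACL bound to acl_interface in direction 'in' or
    'out' to a packet described as {'src', 'in_if', 'out_if'}. Packets that
    never cross the ACL's interface in that direction are not inspected."""
    inspected = (direction == "in" and packet["in_if"] == acl_interface) or \
                (direction == "out" and packet["out_if"] == acl_interface)
    if not inspected:
        return True
    return evaluate(entries, packet["src"]) == "permit"


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_1_LINES)
    # Constructed packet: the blocked PC sending towards the server.
    pc_to_server = {"src": "192.168.10.2", "in_if": "gig0/1", "out_if": "gig0/2"}
    print("ACL 1 in on gig0/1  ->", is_forwarded(acl, pc_to_server, "gig0/1", "in"))
    print("ACL 1 out on gig0/1 ->", is_forwarded(acl, pc_to_server, "gig0/1", "out"))
    print("ACL 1 out on gig0/2 ->", is_forwarded(acl, pc_to_server, "gig0/2", "out"))
```

Swapping the two lines of the list (permit any first) lets the PC
through, which is the ordering rule from feature 2 above; an empty list
denies everything, which is the implicit deny from feature 3.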
Ethernet channel or EtherChannel

I have also applied EtherChannel in my infrastructure. It is a very
important feature for any network, because with it we can bundle 2 or
more links, up to 8 links. It combines all the links into one logical
link. Suppose 1 link has a speed of 100 Mbps; then 2 links combined
into one logical link can carry traffic at up to 200 Mbps, which means
increased bandwidth. Its main advantage is that if 1 link fails, the
other link is still used for forwarding the traffic.

There are 2 modes of EtherChannel:

1) Manual: here we have to statically or manually set the ports to ON on
both sides.
2) Dynamic: here there are 2 protocols:
PAgP - Port Aggregation Protocol
LACP - Link Aggregation Control Protocol

PAgP is Cisco proprietary, which means there must be a Cisco device on
both sides, and it has 2 modes in which the sides negotiate:
DESIRABLE and AUTO.
DESIRABLE means the port initiates the negotiation messages and also
replies to them.
AUTO means the port does not initiate; it only replies to the messages.

LACP is not Cisco proprietary, so the devices may or may not be Cisco,
and it also has 2 modes:
ACTIVE and PASSIVE.
ACTIVE means the port initiates the negotiation messages and also
replies to them.
PASSIVE means the port does not initiate; it only replies to the
messages.

EtherChannel is a port link aggregation technology or port-channel
architecture used primarily on Cisco switches. It allows grouping of
several physical Ethernet links to create one logical Ethernet link for
the purpose of providing fault-tolerance and high-speed links between
switches, routers and servers.

EtherChannel Configuration (all member ports are configured together):

Switch>enable
Switch#configure terminal
Switch(config)#interface range fastethernet 0/1 - 2
Switch(config-if-range)#channel-group 1 mode desirable

After these commands we have to make the port-channel a trunk so that
communication occurs. The layer-3 switch and the layer-2 switch have
different commands for making a trunk.

...

DEFAULT ROUTING
In computer networking, the default route is a setting on a computer
that defines the packet forwarding rule to use when no specific route
can be determined for a given Internet Protocol (IP) destination
address. It means that we set a default route on the router or switch so
that traffic for any IP address with any subnet mask goes to the ISP, or
to any destination address the client wants to give.

COMMAND:
Router(config)#ip route 0.0.0.0 0.0.0.0 100.100.100.1
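The following Python model is an added example, not part of the report
and not router code. It shows how the static routes from the Static
Routing section and the default route above fit together in one routing
table: the router picks the most specific matching route, so the
0.0.0.0/0 entry is used only for destinations nothing else covers. The
table is constructed from the Router 0 addressing in the report; the
interface labels and the static route towards the server LAN are
assumptions for the example.

```python
import ipaddress

# Constructed routing table modelled on Router 0 in the report: the two
# directly connected networks, a static route towards the server LAN and
# the default route (gateway of last resort). Entries are (prefix, next hop).
ROUTER0_ROUTES = [
    ("192.168.10.0/24", "connected gig0/1"),
    ("100.0.0.0/8", "connected gig0/2"),
    ("200.200.200.0/24", "100.100.100.2"),   # static route towards the server LAN
    ("0.0.0.0/0", "100.100.100.2"),          # default route: everything else
]


def route_is_consistent(destination, mask):
    """Mirror IOS's '%Inconsistent address and mask' check: the destination
    of an ip route must be the network address for the given mask."""
    try:
        ipaddress.ip_network(f"{destination}/{mask}", strict=True)
        return True
    except ValueError:
        return False


def build_table(routes):
    """Turn (prefix, next hop) strings into parsed network objects."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]


def lookup(table, destination):
    """Longest-prefix match, as a router does: the most specific matching
    route wins, so the /0 default route is used only when nothing more
    specific matches. Returns the next hop, or None if there is no route."""
    addr = ipaddress.ip_address(destination)
    best = None
    for network, next_hop in table:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop)
    return None if best is None else best[1]


def without_default(routes):
    """The same table with the default route removed, to show what happens
    to traffic for unknown networks without a gateway of last resort."""
    return [r for r in routes if r[0] != "0.0.0.0/0"]


if __name__ == "__main__":
    table = build_table(ROUTER0_ROUTES)
    for dst in ("192.168.10.2", "200.200.200.2", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
    no_default = build_table(without_default(ROUTER0_ROUTES))
    print("8.8.8.8 with no default route ->", lookup(no_default, "8.8.8.8"))
```

The order of the entries does not matter for the lookup; only the prefix
length does. route_is_consistent shows why the static route must name
192.168.10.0 rather than 192.168.10.1 as its destination.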

OSPF (Open Shortest Path First):

Open Shortest Path First (OSPF) is a routing protocol for Internet
Protocol (IP) networks. It uses a link state routing (LSR) algorithm and
falls into the group of interior gateway protocols (IGPs), operating
within a single autonomous system (AS). It is a layer-3 (network layer)
protocol, its AD value is 110, and it is an open standard routing
protocol.

Routers connect networks using the Internet Protocol (IP), and OSPF
(Open Shortest Path First) is a router protocol used to find the best
path for packets as they pass through a set of connected networks. OSPF
is designated by the Internet Engineering Task Force (IETF) as one of
several Interior Gateway Protocols (IGPs), that is, protocols aimed at
traffic moving around within a larger autonomous system network such as
a single enterprise's network, which may in turn be made up of many
separate local area networks linked through routers.

OSPF neighbourship parameters:

- Area number/ID
- Router ID
- Hello timer
- Dead timer

OSPF states:

- Down
- Init
- Two-way
- Ex-start
- Exchange
- Loading
- Full

OSPF messages:

- Database description (DBD)
- Link state request (LSR)
- Link state update (LSU)
- Link state acknowledgement (LSAck)
OSPF terms:

1. Router ID: it is the highest active IP address present on the
router. First, the highest loopback address is considered. If no
loopback is configured, then the highest active IP address on an
interface of the router is considered.

2. Router priority: an 8-bit value assigned to a router running OSPF,
used to elect the DR and BDR in a broadcast network.

3. Designated Router (DR): it is elected to minimise the number of
adjacencies formed. The DR distributes the LSAs to all the other
routers. The DR is elected in a broadcast network, and all the other
routers share their DBDs with it. In a broadcast network a router
requests an update from the DR, and the DR responds to that request
with an update.

4. Backup Designated Router (BDR): the BDR is the backup to the DR in a
broadcast network. When the DR goes down, the BDR becomes the DR and
performs its functions.

DR and BDR election: the DR and BDR election takes place in a broadcast
or multi-access network. The criteria for the election are:
1. The router with the highest router priority is declared the DR.
2. If there is a tie in router priority, then the highest router ID is
considered. First, the highest loopback address is considered. If no
loopback is configured, then the highest active IP address on an
interface of the router is considered.
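The following Python model is an added example and not part of the
report. It applies the two rules just listed, router ID selection and
the priority/router-ID election, to a constructed set of routers on the
report's 192.168.60.0/24 segment; the router names, loopbacks and
priorities are assumptions for the example. It also encodes the rule,
not stated in the report, that a priority of 0 makes a router
ineligible.

```python
import ipaddress

# Constructed routers on one broadcast segment (the report's 192.168.60.0/24
# link). 'interfaces' lists the active interface addresses, 'loopbacks' the
# loopback addresses, 'priority' the OSPF interface priority (default 1).
ROUTERS = [
    {"name": "R1", "priority": 1, "loopbacks": ["10.1.1.1"], "interfaces": ["192.168.60.1"]},
    {"name": "R2", "priority": 1, "loopbacks": [], "interfaces": ["192.168.60.2", "192.168.50.2"]},
    {"name": "R3", "priority": 200, "loopbacks": [], "interfaces": ["192.168.60.3"]},
]


def _as_int(address):
    """Compare addresses numerically, not as strings."""
    return int(ipaddress.IPv4Address(address))


def router_id(router):
    """Highest loopback address wins; with no loopback, the highest active
    interface address is used. (An explicit 'router-id' command, which the
    report does not use, would override both.)"""
    candidates = router["loopbacks"] or router["interfaces"]
    return max(candidates, key=_as_int)


def elect_dr_bdr(routers):
    """Elect (DR, BDR) on a multi-access segment: highest priority first,
    highest router ID as the tie-breaker. Priority 0 means a router never
    becomes DR or BDR. Returns router names, or None where there are not
    enough candidates."""
    eligible = [r for r in routers if r["priority"] > 0]
    ranked = sorted(eligible,
                    key=lambda r: (r["priority"], _as_int(router_id(r))),
                    reverse=True)
    dr = ranked[0]["name"] if len(ranked) > 0 else None
    bdr = ranked[1]["name"] if len(ranked) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    for r in ROUTERS:
        print(r["name"], "router ID", router_id(r))
    print("DR, BDR =", elect_dr_bdr(ROUTERS))
```

Note that R1's loopback 10.1.1.1 is used as its router ID even though it
is numerically lower than R2's interface address, so R1 loses the
tie-break to R2. The model computes the result from scratch; a real
election is not pre-emptive, so a router that joins an already elected
segment with a higher priority does not displace the existing DR.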

OSPF states: a device running OSPF goes through the following states:

1. Down: in this state no hello packet has been received on the
interface.
Note: the Down state does not mean that the interface is physically
down. Here it means that the OSPF adjacency process has not started
yet.

2. INIT: in this state a hello packet has been received from the other
router.

3. 2WAY: in the 2WAY state both routers have received hello packets
from each other. Bidirectional connectivity has been established.

Note: between the 2WAY state and the Ex-start state, the DR and BDR
election takes place.

4. Ex-start: in this state empty (NULL) DBDs are exchanged and the
master/slave election takes place. The router with the higher router ID
becomes the master and the other becomes the slave. This election
decides which router sends its DBD first (only routers that have formed
a neighbourship take part in this election).

5. Exchange: in this state the actual DBDs are exchanged.

6. Loading: in this state LSRs, LSUs and LSAcks (Link State
Acknowledgements) are exchanged.

Important: when a router receives a DBD from another router, it
compares it with its own DBD. If the received DBD is more up to date
than its own, the router sends an LSR to the other router stating which
links it needs. The other router replies with an LSU containing the
updates that are needed. In return, the router replies with a Link State
Acknowledgement.

7. Full: in this state all the information is synchronised. OSPF routing
can begin only after the Full state.

OSPF Configuration:

Router 1 configuration:

Router>enable
Router#configure terminal
Router(config)#router ospf 1
Router(config-router)#network 192.168.60.0 0.0.0.255 area 0
Router(config-router)#network 192.168.50.0 0.0.0.255 area 0
Router(config-router)#exit

EIGRP (Enhanced Interior Gateway Routing Protocol):

Enhanced Interior Gateway Routing Protocol (EIGRP) is an advanced
distance-vector routing protocol that is used on a computer network for
automating routing decisions and configuration. The protocol was
designed by Cisco Systems as a proprietary protocol, available only on
Cisco routers.

EIGRP (Enhanced Interior Gateway Routing Protocol) is a network protocol
that lets routers exchange information more efficiently than with
earlier network protocols. EIGRP evolved from IGRP (Interior Gateway
Routing Protocol), and routers using either EIGRP or IGRP can
interoperate because the metric (the criteria used for selecting a
route) used with one protocol can be translated into the metrics of the
other protocol. EIGRP can be used not only for Internet Protocol (IP)
networks but also for AppleTalk and Novell NetWare networks.

Using EIGRP, a router keeps a copy of its neighbours' routing tables. If
it cannot find a route to a destination in one of these tables, it
queries its neighbours for a route, and they in turn query their
neighbours until a route is found. When a routing table entry changes in
one of the routers, it notifies its neighbours of the change only (some
earlier protocols require sending the entire table). To keep all routers
aware of the state of their neighbours, each router sends out a periodic
"hello" packet. A router from which no "hello" packet has been received
in a certain period of time is assumed to be inoperative.

EIGRP uses the Diffusing Update Algorithm (DUAL) to determine the most
efficient (least-cost) route to a destination. A DUAL finite state
machine contains the decision information used by the algorithm to
determine the least-cost route (which considers distance and whether a
destination path is loop-free).

- Open standard
- Network layer protocol
- AD value 90 (internal), 170 (external)

EIGRP is a classless, distance-vector protocol that uses the concept of
an AS to describe a set of contiguous routers that run the same routing
protocol and share routing information. It also includes the subnet
mask in its route updates.

EIGRP has a default maximum hop count of 100, with a maximum of 255.
EIGRP does not rely on hop count the way RIP does.

PARAMETERS FOR NEIGHBOURSHIP:
- AS number
- K-values
- Hello or ACK

TIMERS IN EIGRP:
- Hello: 5 seconds
- Hold down: 15 seconds

EIGRP Messages:

- Hello
- Update
- Acknowledgement
- Query
- Reply

EIGRP COMMAND

Router(config)#router eigrp 1
Router(config-router)#network 192.168.10.0
Router(config-router)#network 192.168.20.0
Router(config-router)#exit
REDISTRIBUTION
Often, using a single routing protocol in an organisation is preferred,
but there are some conditions in which we have to use multi-protocol
routing. These conditions include multiple administrators running
multiple protocols, company mergers, or the use of multi-vendor devices.
Therefore we have to advertise a route learned through one routing
protocol, or by other means (such as a static route or a directly
connected route), into a different routing protocol. This process is
called redistribution. Redistribution is used in large organisations
where multiple routing protocols are used in different networks. It
basically combines the two routing protocols when they are used on a
single router or switch.

REDISTRIBUTION COMMAND

Router(config)#router eigrp 1
Router(config-router)#redistribute ospf 1 metric 1 1 1 1 1
Router(config-router)#exit
Router(config)#router ospf 1
Router(config-router)#redistribute eigrp 1 subnets tag 1
Router(config-router)#exit
Router(config)#router ospf 1
Router(config-router)#redistribute static subnets tag 1
Router(config-router)#exit
Router(config)#router eigrp 1
Router(config-router)#redistribute static metric 1 1 1 1 1
Router(config-router)#exit

PORT SECURITY
An attacker's task is comparatively easy once they can enter the network
they want to attack. Ethernet LANs are very vulnerable to attack because
switch ports are open for use by default. Various attacks such as DoS
attacks at layer 2 and address spoofing can take place. If the
administrator has control over the network, then the network is
obviously safer. To take total control over the switch ports, the user
can use the feature called port security.
Port security helps secure the network by preventing unknown devices
from forwarding packets. When a link goes down, all dynamically locked
addresses are freed. The port security feature offers the following
benefits:
- You can limit the number of MAC addresses on a given port. Packets
that have a matching MAC address (secure packets) are forwarded; all
other packets (unsecure packets) are restricted.

Port security:

Switches learn MAC addresses when frames are forwarded through a switch
port. By using port security, the user can limit the number of MAC
addresses that can be learned on a port, set static MAC addresses, and
set penalties for that port if it is used by an unauthorised user. The
user can choose between the restrict, shutdown and protect
port-security violation modes.
Let's discuss these violation modes:

- protect:
This mode drops packets with unknown source MAC addresses until you
remove enough secure MAC addresses to drop below the maximum value.

- restrict:
This mode performs the same function as protect, i.e. it drops packets
until enough secure MAC addresses are removed to drop below the maximum
value. In addition, it generates a log message, increments the violation
counter and sends an SNMP trap.

- shutdown:
This mode is mostly preferred over the other modes, as it shuts down the
port immediately if unauthorised access occurs. It also generates a log
message, increments the violation counter and sends an SNMP trap. The
port remains in the shutdown (err-disabled) state until the
administrator issues the "no shutdown" command.

- sticky:
This is not a violation mode. With the sticky command the user gets
static MAC address security without typing the exact MAC address. For
example, if the user sets a maximum of 2, then the first 2 MAC
addresses learned on that port are placed in the running-configuration.
After the 2nd learned MAC address, if a 3rd user wants to access the
port, the appropriate action is taken according to the violation mode
applied.
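The following Python model is an added example and not part of the
report; it is not switch code. It plays the three violation modes and
the sticky option described above against a constructed sequence of
frames (two allowed hosts, then an unknown third one) on a port with a
maximum of 2, and shows which frames are forwarded, what each mode
logs, and what survives a link-down. The MAC addresses are constructed
sample values.

```python
class SecurePort:
    """Model of one switchport with port security enabled (constructed
    example, not switch code). violation is 'protect', 'restrict' or
    'shutdown'; sticky saves learned addresses to the running-config."""

    def __init__(self, maximum=1, violation="shutdown", sticky=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode: {violation}")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure_macs = []        # addresses currently allowed on the port
        self.sticky_macs = []        # the subset written to running-config
        self.violation_count = 0
        self.events = []             # log messages / SNMP traps that would be sent
        self.err_disabled = False

    def receive(self, src_mac):
        """Handle one incoming frame. Returns 'forwarded', 'dropped' or
        'err-disabled' (the port was shut down, either now or earlier)."""
        if self.err_disabled:
            return "err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)     # learned dynamically, below the limit
            if self.sticky:
                self.sticky_macs.append(src_mac)
            return "forwarded"
        # Limit reached and the source is unknown: this is a violation.
        if self.violation == "protect":
            return "dropped"                     # silent: no log, no counter, no trap
        self.violation_count += 1
        self.events.append(f"PORT_SECURITY violation from {src_mac} (log + SNMP trap)")
        if self.violation == "restrict":
            return "dropped"
        self.err_disabled = True                 # shutdown mode: port goes err-disabled
        return "err-disabled"

    def link_down(self):
        """On link down, dynamically locked addresses are freed; sticky ones
        survive because they are part of the configuration."""
        self.secure_macs = list(self.sticky_macs)

    def no_shutdown(self):
        """Administrator recovers an err-disabled port."""
        self.err_disabled = False

    def running_config(self):
        """The lines port security would add to the running-config."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}" for m in self.sticky_macs]
        return lines


# Constructed sample frames: two legitimate hosts, an unknown third host,
# then the first host again.
FRAMES = ("0001.0001.0001", "0002.0002.0002", "0003.0003.0003", "0001.0001.0001")


def demo(violation, sticky=True):
    """Run FRAMES through a port with maximum 2 in the given violation mode.
    Returns the port (for inspecting counters, events and config) and the
    per-frame results."""
    port = SecurePort(maximum=2, violation=violation, sticky=sticky)
    return port, [port.receive(mac) for mac in FRAMES]


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        port, results = demo(mode)
        print(mode, results, "violations:", port.violation_count, port.events)
```

In protect and restrict mode the legitimate first host keeps working
after the violation; only in shutdown mode does the whole port stop
until no shutdown is issued, which is the trade-off between the modes.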

TELNET

Telnet is a protocol that allows you to connect to remote computers
(called hosts) over a TCP/IP network (such as the internet). Using
telnet client software on your computer, you can make a connection to a
telnet server (that is, the remote host).

Telnet is a user command and an underlying TCP/IP protocol for
accessing remote computers. Through Telnet, an administrator or another
user can access someone else's computer remotely. On the Web, the HTTP
and FTP protocols allow you to request specific files from remote
computers, but not to actually be logged on as a user of that computer.
With Telnet, you log on as a regular user with whatever privileges you
may have been granted to the specific application and data on that
computer.
- The main task of the internet is to provide services to users. For
example, users want to run different application programs at the remote
site and transfer the result to the local site. This requires a
client-server program such as FTP or SMTP, but it would not be practical
to create a specific program for each demand.
- The better solution is to provide a general client-server program
that lets the user access any application program on a remote
computer, i.e. a program that allows a user to log on to a remote
computer. A popular client-server program, Telnet, is used to meet such
demands. Telnet is an abbreviation for Terminal Network.
- Telnet provides a connection to the remote computer in such a way
that a local terminal appears to be at the remote side.

There are two types of login:

Local Login

- When a user logs into a local computer, it is known as local login.
- When the workstation runs a terminal emulator, the keystrokes entered
by the user are accepted by the terminal driver. The terminal driver
then passes these characters to the operating system, which in turn
invokes the desired application program.
- However, the operating system gives special meaning to certain
characters. For example, in UNIX some combinations of characters have
special meanings, such as the control character with "z", which means
suspend. Such situations do not create any problem, as the terminal
driver knows the meaning of such characters, but they can cause
problems in remote login.
Remote login

o When the user wants to access an application program on


a remote computer, then the user must perform remote
login.

How remote login occurs

At the local site
The user sends the keystrokes to the terminal driver, and the
characters are then sent to the TELNET client. The TELNET
client in turn transforms the characters into a universal
character set known as network virtual terminal (NVT) characters
and delivers them to the local TCP/IP stack.

At the remote site
The commands in NVT form are transmitted to the TCP/IP stack at
the remote machine. Here, the characters are delivered to the
operating system and then passed to the TELNET server. The
TELNET server transforms the characters into a form that can be
understood by the remote computer. However, the characters
cannot be passed directly to the operating system, because the
remote operating system expects characters from a terminal
driver, not from the TELNET server. Therefore it requires a
piece of software that accepts the characters from the TELNET
server and presents them as if they came from a terminal. The
operating system then passes these characters to the appropriate
application program.

Network Virtual Terminal (NVT)

o The network virtual terminal is an interface that defines
how data and commands are sent across the network.
o In today's world, systems are heterogeneous. For
example, the end-of-file token accepted by the operating
system is Ctrl+Z on a DOS system, while on a UNIX
system it is Ctrl+D.
o TELNET solves this issue by defining a universal interface
known as the network virtual terminal (NVT).
o The TELNET client translates the characters that come
from the local terminal into NVT form and then delivers
them to the network. The Telnet server then translates
the data from NVT form into a form that can be
understood by the remote computer.
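The NVT translation described above, as an added example that is not part of the original report: a small Python encoder and decoder using the Telnet command codes from RFC 854 (and the EOF and SUSP codes from RFC 1184). The client side maps local control keys to NVT control functions so the server never needs to know whether the client's system uses Ctrl+Z or Ctrl+D; which local keys map to which NVT command is an assumption chosen to mirror the point made above, not a fixed rule of the protocol.

```python
"""Constructed example: Telnet NVT encoding and decoding (not from the report).
Command codes are from RFC 854; EOF and SUSP are from RFC 1184."""

IAC, SE, NOP, SB = 255, 240, 241, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254
IP, EOF, SUSP = 244, 236, 237

# Option-negotiation commands carry one option byte after the command.
NEGOTIATE = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
# Plain two-byte commands (IAC <cmd>) that the decoder names.
SIMPLE = {IP: "IP", EOF: "EOF", SUSP: "SUSP", NOP: "NOP"}

# Assumed mapping of local control keys to universal NVT control functions.
LOCAL_CONTROL_KEYS = {
    "\x03": IP,    # Ctrl+C -> Interrupt Process
    "\x04": EOF,   # Ctrl+D -> End of File (UNIX convention)
    "\x1a": SUSP,  # Ctrl+Z -> Suspend (DOS uses it as EOF; NVT makes it explicit)
}


def to_nvt(keystrokes: str) -> bytes:
    """Encode typed characters into NVT ASCII: 7-bit characters only,
    end of line as CR LF, a bare carriage return as CR NUL, and the
    local control keys as IAC <command> sequences."""
    out = bytearray()
    for ch in keystrokes:
        if ch in LOCAL_CONTROL_KEYS:
            out += bytes([IAC, LOCAL_CONTROL_KEYS[ch]])
        elif ch == "\n":
            out += b"\r\n"
        elif ch == "\r":
            out += b"\r\x00"
        elif ord(ch) < 128:
            out.append(ord(ch))
        else:
            raise ValueError(f"{ch!r} is not representable in 7-bit NVT ASCII")
    return bytes(out)


def from_nvt(data: bytes):
    """Split an NVT byte stream into (text, commands). Commands come back as
    (name, option_or_None) tuples; a subnegotiation (IAC SB ... IAC SE) is
    reported by its option byte and skipped; IAC IAC is a literal 0xFF byte."""
    text = bytearray()
    commands = []
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            # CR LF is end of line; CR NUL is a bare carriage return.
            if b == 0x0D and i + 1 < len(data) and data[i + 1] in (0x0A, 0x00):
                text.append(0x0A if data[i + 1] == 0x0A else 0x0D)
                i += 2
            else:
                text.append(b)
                i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated IAC sequence")
        cmd = data[i + 1]
        if cmd == IAC:
            text.append(IAC)
            i += 2
        elif cmd in NEGOTIATE:
            if i + 2 >= len(data):
                raise ValueError("truncated option negotiation")
            commands.append((NEGOTIATE[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                raise ValueError("unterminated subnegotiation")
            commands.append(("SB", data[i + 2]))
            i = end + 2
        else:
            commands.append((SIMPLE.get(cmd, f"CMD{cmd}"), None))
            i += 2
    return text.decode("latin-1"), commands


if __name__ == "__main__":
    wire = to_nvt("show privilege\n\x04")
    print(wire)
    # A server "DO TERMINAL-TYPE" (option 24) request in front of the text.
    print(from_nvt(b"\xff\xfd\x18" + wire))
```

Because the encoder rejects anything outside 7-bit ASCII, a client that wants to send 8-bit data has to negotiate the BINARY option first; the decoder already tolerates such data and the doubled IAC that binary mode requires.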

TELNET COMMAND

Router(config)# line vty 0 4            ! or any range of vty lines
Router(config-line)# password cisco     ! or any password; it is only checked with "login", not with "login local"
Router(config-line)# login local        ! authenticate against the local username database
Router(config-line)# exit
Router(config)# enable secret cisco     ! or any password

You can also create usernames for "login local", like:

Router(config)# username ccna password ccnp
Router(config)# username ccnp password ccie

From a PC:

PC> telnet <ip address of router/gateway>

SSH

Secure Shell (SSH) is a cryptographic network protocol for
operating network services securely over an unsecured network.[1]

The SSH protocol (also referred to as Secure Shell) is a
method for secure remote login from one computer to another.
It provides several alternative options for strong authentication,
and it protects the security and integrity of the communications with
strong encryption. It is a secure alternative to the non-protected
login protocols (such as telnet, rlogin) and insecure file transfer
methods (such as FTP).

Typical applications include remote command-line login and remote
command execution, but any network service can be secured with
SSH. SSH provides a secure channel over an unsecured network in
a client–server architecture, connecting an SSH client application
with an SSH server.[2] The protocol specification distinguishes
between two major versions, referred to as SSH-1 and SSH-2. The
standard TCP port for SSH is 22. SSH is generally used to access Unix-
like operating systems, but it can also be used on Microsoft
Windows. Windows 10 uses OpenSSH as its default SSH client.[3]

SSH was designed as a replacement for Telnet and
for unsecured remote shell protocols such as the Berkeley rlogin, rsh,
and rexec protocols. Those protocols send information,
notably passwords, in plaintext, rendering them susceptible to
interception and disclosure using packet
analysis.[4] The encryption used by SSH is intended to provide
confidentiality and integrity of data over an unsecured network, such
as the Internet, although files leaked by Edward Snowden indicate
that the National Security Agency can sometimes decrypt SSH,
allowing them to read the contents of SSH sessions.[5]

SSH COMMAND

Router(config)# hostname ISP                   ! or any hostname
ISP(config)# ip domain-name amit.com
ISP(config)# crypto key generate rsa
How many bits in the modulus [512]: 512        ! 512 as in the original; SSH version 2 requires at least 768 bits, and 2048 is the usual choice
ISP(config)# username orange password red
ISP(config)# username blue password black
ISP(config)# line vty 0 15
ISP(config-line)# transport input ssh          ! "transport input telnet ssh" or "transport input all" would also accept cleartext Telnet
ISP(config-line)# login local
ISP(config-line)# exit

ISP(config)# enable secret Cisco

How to take the remote session:

PC> ssh -l <username> <ip address of router/gateway>
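As an added example that is not the report's own configuration, the following Python script audits a command script like the Telnet and SSH ones above for the settings that matter most: RSA key size, cleartext Telnet on the vty lines, reversible username passwords, and whether SSH version 2 is pinned. The two configurations inside it are constructed samples (the weak one mirrors the choices shown above, the hardened one corrects them); the 2048-bit minimum is an assumed local policy, and the script expects the real-IOS one-line form "crypto key generate rsa modulus N" rather than the interactive prompt.

```python
"""Constructed example: audit an IOS remote-access command script
(not from the report). Checks follow documented IOS behaviour."""

import re
from typing import List, Tuple

MIN_RSA_BITS = 2048  # assumed local policy; IOS SSHv2 itself refuses keys shorter than 768 bits

Finding = Tuple[int, str]  # (line number in the script, 0 for script-wide; message)


def audit_ios_script(script: str) -> List[Finding]:
    """Return findings for weak remote-access settings in a command script."""
    findings: List[Finding] = []
    vty_blocks = []          # [(start_line, [(line_no, command), ...]), ...]
    current = None           # the vty block being collected, if any
    saw_ssh_v2 = False
    rsa_seen = False

    for n, raw in enumerate(script.splitlines(), start=1):
        line = raw.strip().lower()
        if not line or line.startswith("!"):
            continue
        if line.startswith("line vty"):
            current = (n, [])
            vty_blocks.append(current)
            continue
        if current is not None:
            if line in ("exit", "end"):
                current = None
            else:
                current[1].append((n, line))
            continue
        # Global configuration commands.
        m = re.match(r"crypto key generate rsa(?:\s+general-keys)?(?:\s+modulus\s+(\d+))?$", line)
        if m:
            rsa_seen = True
            if m.group(1) is None:
                findings.append((n, "RSA modulus not given on the command line; it would be prompted interactively"))
            elif int(m.group(1)) < MIN_RSA_BITS:
                findings.append((n, f"RSA modulus {m.group(1)} is below {MIN_RSA_BITS} bits"))
            continue
        if line == "ip ssh version 2":
            saw_ssh_v2 = True
            continue
        if re.match(r"username \S+ password ", line):
            findings.append((n, "username stored with 'password' (reversible); use 'secret'"))
            continue
        if line.startswith("enable password"):
            findings.append((n, "'enable password' is reversible; use 'enable secret'"))
            continue

    for start, lines in vty_blocks:
        cmds = [c for _, c in lines]
        for n, c in lines:
            if c.startswith("transport input"):
                allowed = set(c.split()[2:])
                if "all" in allowed or "telnet" in allowed:
                    findings.append((n, "vty accepts cleartext Telnet; use 'transport input ssh'"))
        if not any(c.startswith("transport input") for c in cmds):
            findings.append((start, "no explicit 'transport input' on vty lines; the default depends on the IOS version"))
        if "login local" not in cmds:
            findings.append((start, "vty lines do not use 'login local'; no per-user accounts"))
    if rsa_seen and not saw_ssh_v2:
        findings.append((0, "'ip ssh version 2' not set; SSH version 1 may be negotiated"))
    return findings


# Constructed sample mirroring the permissive choices shown in the text.
WEAK_SCRIPT = """
hostname ISP
ip domain-name amit.com
crypto key generate rsa modulus 512
username orange password red
username blue password black
line vty 0 15
 transport input telnet ssh
 login local
 exit
enable secret Cisco
"""

# Constructed sample with each weakness corrected.
HARDENED_SCRIPT = """
hostname ISP
ip domain-name amit.com
crypto key generate rsa modulus 2048
ip ssh version 2
username orange secret red
username blue secret black
line vty 0 15
 transport input ssh
 login local
 exit
enable secret Cisco
"""

if __name__ == "__main__":
    for name, script in (("weak", WEAK_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(name, audit_ios_script(script))
```

The script audits the commands as typed rather than the running configuration, because the RSA modulus never appears in "show running-config" (it is visible only through "show crypto key mypubkey rsa").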

PRIVILEGE LEVEL

Cisco Internetwork Operating System (IOS) currently has 16
privilege levels that range from 0 through 15. Users have
access to limited commands at lower privilege levels compared
to higher privilege levels. To illustrate this, think of being on a
mountain: when you're at the bottom (level 0) you see very
little around you. As soon as you make your way to the top of
the mountain (level 15), you see a whole lot more, having
access to commands assigned to level 15 and below. The
command "show privilege" lets a user determine what
privilege level they are currently assigned; here are two
examples:

Router>
Router>show privilege
Current privilege level is 1
Router>

Once we type "enable", we are assigned a higher privilege
level. (By default, this level is 15; we can also use the
command "enable 15" to specifically elevate our privilege level
to 15.)

Router>enable 15
Router#
Router#show privilege
Current privilege level is 15

 Level 15: Full access to all commands, such as the "reload"
command, and the ability to make configuration changes.
 Level 1: Read-only, and access to limited commands, such as the
"ping" command.

Now comes the fun part: we can create the "middle ground" by
defining arbitrary roles through customization of privilege levels 2
through 14. For this example, we'll enable privilege level 2, then
reassign both the "ping" and "reload" commands.

 Level 2: Read-only, and the ability to use "ping" to test connectivity
and "reload" to restart the router.

Router>
Router>enable 15
Router#
Router#configure terminal
Router(config)#enable secret level 2 0 cisco123!
(This enables level 2 with the password cisco123!; the "0" means
the secret is typed in cleartext.)
Router(config)#

Now, let's take the "ping" and "reload" commands and reassign
them to level 2:

Router(config)#privilege exec level 2 ping
Router(config)#privilege exec level 2 reload

After applying the changes, users must have a minimum privilege
level of 2 to execute "ping" and "reload". Let's check the
results:

Router>
Router>show privilege
Current privilege level is 1
Router>ping
Translating "ping"
Translating "ping"
Translating "ping"
% Unknown command or computer name, or unable to find computer address
(Failure: the "ping" command is unavailable. We've essentially
changed the privilege level required for this command to work.)

Router>

With the use of the "enable 2" command, we elevate our privilege
level specifically to level 2:

Router>
Router>show privilege
Current privilege level is 1
Router>enable 2
Password: (enter the password "cisco123!")
Router#
(Notice the command prompt has changed from ">" to "#";
however, let's check the privilege level to confirm we were indeed
assigned privilege level 2.)

Router#show privilege
Current privilege level is 2
Router#ping
Protocol [ip]:
(Success: again we are able to use the "ping" command.)

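The level check walked through above, as an added example that is not from the report: a simplified Python model of IOS privilege levels. A command runs only when the user's current level is at least the level assigned to that command; "privilege exec level N <cmd>" reassigns a command, and "enable N" works only against a secret configured for that level. The command table and the "enable" handling are assumptions covering just the commands used above; real IOS has a much larger table and also re-levels the parent keywords of multi-word commands.

```python
"""Constructed example: a simplified model of IOS privilege levels
(not from the report)."""

from typing import Dict, List

UNKNOWN = "% Unknown command or computer name, or unable to find computer address"


class PrivilegeModel:
    def __init__(self) -> None:
        # Assumed default levels for the commands used in the text.
        self.command_level: Dict[str, int] = {
            "show privilege": 1,
            "ping": 1,
            "reload": 15,
            "configure terminal": 15,
        }
        self.enable_secret: Dict[int, str] = {}  # level -> secret (plaintext here; IOS stores a hash)
        self.level = 1                            # user EXEC mode after login

    # ---- configuration-mode commands ----------------------------------
    def configure(self, line: str) -> None:
        """Accept the two configuration commands the text uses."""
        parts = line.split()
        if parts[:3] == ["privilege", "exec", "level"]:
            # Reassigning a command changes who can run it in both directions:
            # moving "ping" up to 2 takes it away from level 1, and moving
            # "reload" down to 2 hands a level-2 user the ability to restart the router.
            self.command_level[" ".join(parts[4:])] = int(parts[3])
        elif parts[:2] == ["enable", "secret"]:
            # enable secret [level N] [0] <secret>; "0" marks a cleartext secret
            level, rest = 15, parts[2:]
            if rest and rest[0] == "level":
                level, rest = int(rest[1]), rest[2:]
            if rest and rest[0] == "0":
                rest = rest[1:]
            self.enable_secret[level] = " ".join(rest)
        else:
            raise ValueError(f"unsupported configuration command: {line}")

    # ---- EXEC-mode commands -------------------------------------------
    def enable(self, level: int, secret: str) -> bool:
        """'enable N': succeeds only if a secret exists for N and matches."""
        if self.enable_secret.get(level) != secret:
            return False
        self.level = level
        return True

    def run(self, command: str) -> str:
        """Dispatch an EXEC command. Unknown commands and commands above the
        current level produce the same message, exactly as IOS does, so a
        low-level user cannot even tell that the command exists."""
        required = self.command_level.get(command)
        if required is None or required > self.level:
            return UNKNOWN
        if command == "show privilege":
            return f"Current privilege level is {self.level}"
        return f"{command}: ok"

    def commands_available(self, level: int) -> List[str]:
        """Everything a user at the given level may run (level 15 sees all)."""
        return sorted(c for c, req in self.command_level.items() if req <= level)


if __name__ == "__main__":
    model = PrivilegeModel()
    model.configure("enable secret level 2 0 cisco123!")
    model.configure("privilege exec level 2 ping")
    model.configure("privilege exec level 2 reload")
    print(model.run("ping"))                 # level 1: unknown command
    print(model.enable(2, "cisco123!"))      # True
    print(model.run("show privilege"), model.run("ping"), model.run("reload"))
    print(model.commands_available(1), model.commands_available(2))
```

Running the model with the exact commands from the text reproduces the session above: "ping" fails at level 1, and after "enable 2" both "ping" and "reload" work while "configure terminal" still does not.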
AIM

In my architecture there are two offices of a company at different
locations, and my aim is to provide communication between these
devices. It must be possible to ping from one to another, or from any
device such as a computer to the server.
I have made some policies according to the client, like:

 VLAN
 INTERVLAN ROUTING
 STATIC ROUTING
 DEFAULT ROUTING
 OSPF
 EIGRP
 REDISTRIBUTION
 ACL AND DHCP
 ETHERCHANNEL
 PORT SECURITY
 TELNET
 SSH
 PRIVILEGE LEVEL