Chapter 1
Internetworking OSI
History:
When networks first came into being, computers could typically
communicate only with computers from the same manufacturer.
For example, companies ran either a complete DECnet solution or
an IBM solution—not both together. In the late 1970s, the
Open Systems Interconnection (OSI) reference model
was created by the International Organization for
Standardization (ISO) to break this barrier.
The OSI model is the primary architectural model for networks.
Reference model:
_A reference model is a conceptual blueprint of how
communications should take place. The primary purpose of all
such models, especially the OSI model, is to allow different
vendors’ networks to interoperate.
_It divides the network communication process into smaller and
simpler components, thus aiding component development,
design, and troubleshooting.
_It allows multiple-vendor development through standardization
of network components.
_It encourages industry standardization by defining what
functions occur at each layer of the model.
_It allows various types of network hardware and software to
communicate.
_It prevents changes in one layer from affecting other layers, so
it does not hamper development.
The upper layers:
1. Application • Provides a user interface
2. Presentation • Presents data; handles processing such as
encryption
3. Session • Keeps different applications’ data separate
The lower layers:
4. Transport
5. Network
6. Data Link
7. Physical
_The OSI has seven different layers, divided into two groups.
The top three layers define how the applications within the end
stations will communicate with each other and with users. The
bottom four layers define how data is transmitted end-to-end.
Figure: Layer Function Diagram
The Application Layer:
The Application layer of the OSI model marks the spot where
users actually communicate with the computer; examples are
HTML, FTP, etc. The Application layer is also responsible for
identifying and establishing the availability of the intended
communication partner, and for determining whether sufficient
resources for the intended communication exist.
The Presentation Layer:
The Presentation layer gets its name from its purpose. It
presents data to the Application layer and is responsible for data
translation and code formatting. This layer is essentially a
translator and provides coding and conversion functions (for
example, EBCDIC to ASCII) as well as image format conversion
such as PICT or TIFF to JPEG.
The Session Layer:
The Session layer is responsible for setting up, managing, and
then tearing down sessions between Presentation layer entities.
This layer also provides dialogue control between devices, or
nodes. The following are some examples of Session layer
protocols and interfaces (according to Cisco):
Network File System (NFS): Developed by Sun Microsystems and
used with TCP/IP and Unix workstations to allow transparent
access to remote resources.
Structured Query Language (SQL): Developed by IBM to provide
users with a simpler way to define their information
requirements on both local and remote systems.
Remote Procedure Call (RPC): A broad client/server redirection
tool used for disparate service environments. Its procedures are
created on clients and performed on servers.
X Window: Widely used by intelligent terminals for
communicating with remote Unix computers, allowing them to
operate as though they were locally attached monitors.
AppleTalk Session Protocol (ASP): Another client/server
mechanism, which both establishes and maintains sessions
between AppleTalk client and server machines.
Digital Network Architecture Session Control Protocol
(DNA SCP): A DECnet Session layer protocol.
The Transport Layer:
The Transport layer segments and reassembles data into a data
stream. Services located in the Transport layer both segment and
reassemble data from upper-layer applications and unite it onto
the same data stream. They provide end-to-end data transport
services and can establish a logical connection between the
sending host and destination host on an internetwork.
The term “reliable networking” can be used at the Transport
layer. It means that acknowledgments, sequencing, and flow
control will be used. Data integrity is ensured at the Transport
layer by maintaining flow control and by allowing users to
request reliable data transport between systems. Flow control
prevents a sending host on one side of the connection from
overflowing the buffers in the receiving host.
_ The segments delivered are acknowledged back to the sender
upon their reception.
_ Any segments not acknowledged are retransmitted.
_ Segments are sequenced back into their proper order upon
arrival at their destination.
_ A manageable data flow is maintained in order to avoid
congestion, overloading, and data loss.

Connection-Oriented Communication:
In reliable transport operation, a device that wants to transmit
sets up a connection-oriented communication with a remote
device by creating a session. The transmitting device first
establishes a connection-oriented session with its peer system,
which is called a call setup, or a three-way handshake, as
illustrated in the diagram below. Data is then transferred; when
finished, a call termination takes place to tear down the virtual
circuit.
Flow Control:
Three types of flow control are buffering, windowing &
congestion avoidance:
+ Buffering: If a device receives packets too quickly for it to
handle, it can store them in a memory section called a buffer
and process them later.
+ Windowing: A window is the quantity of data segments that
the transmitting device is allowed to send without receiving an
acknowledgment for them. For example: with a window size of
1, the sending device sends 1 segment and the receiving device
must reply with 1 ACK before the sending device can send the
next segment. This “waiting” takes some time. By increasing the
window size to 3, the sending device will send up to 3 segments
before waiting for an ACK, which helps reduce the waiting time.
+ Congestion avoidance: Lower-priority traffic can be discarded
when the network is overloaded, to minimize delays.
In fundamental, reliable, connection-oriented data transfer,
datagrams are delivered to the receiving host in exactly the same
sequence they’re transmitted, and the transmission fails if this
order is breached. If any data segments are lost, duplicated, or
damaged along the way, the transfer fails. This problem is
solved by having the receiving host acknowledge that it has
received each and every data segment.

_ A virtual circuit is set up (e.g., a three-way handshake).
_ It uses sequencing.
_ It uses acknowledgments.
_ It uses flow control.
Window: The quantity of data segments (measured in bytes) that
the transmitting machine is allowed to send without receiving an
acknowledgment for them is called a window. Windows are used
to control the amount of outstanding, unacknowledged data
segments.
Acknowledgments
Reliable data delivery ensures the integrity of a stream of data
sent from one machine to the other through a fully functional
data link. It guarantees that the data won’t be duplicated or lost.
This is achieved through something called positive
acknowledgment with retransmission—a technique
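The window and acknowledgment mechanism described above, as a runnable simulation added here (example code, not from the original text): a sender works through a queue of segments with a fixed window, the receiver acknowledges what arrives, unacknowledged segments are retransmitted, and the receiver re-sequences by segment number. The lossy link, payloads and window sizes are constructed inputs.

```python
# Added example, not part of the original text: a simulated sender/receiver
# pair using positive acknowledgment with retransmission and a fixed window.
# The link drops a constructed set of segment numbers on their first try so
# that the retransmission and re-sequencing paths are exercised; all names
# here are ours, not from any real TCP implementation.
from collections import deque
from dataclasses import dataclass


@dataclass
class Stats:
    transmissions: int = 0   # segments put on the wire, including resends
    acks: int = 0            # acknowledgments returned by the receiver
    rounds: int = 0          # one round = send a window, then wait for ACKs


def lossy_link(drop_first_time):
    """Return a delivery function that loses each listed segment once."""
    dropped = set()

    def deliver(seq):
        if seq in drop_first_time and seq not in dropped:
            dropped.add(seq)
            return False     # lost on the wire: no ACK will come back
        return True
    return deliver


def reliable_transfer(segments, window, deliver):
    """Send `segments` with at most `window` unacknowledged at a time.
    Returns (payloads handed up in order, Stats)."""
    stats = Stats()
    received = {}                              # seq -> payload at receiver
    pending = deque(range(len(segments)))      # segments still owed an ACK
    while pending:
        stats.rounds += 1
        in_flight = [pending.popleft()
                     for _ in range(min(window, len(pending)))]
        for seq in in_flight:                  # send up to `window` segments
            stats.transmissions += 1
            if deliver(seq):
                received[seq] = segments[seq]  # receiver ACKs what arrived
                stats.acks += 1
        # unacknowledged segments go back to the front of the queue
        lost = [seq for seq in in_flight if seq not in received]
        pending.extendleft(reversed(lost))
    # the receiver re-sequences by segment number before handing data up
    ordered = [received[seq] for seq in sorted(received)]
    return ordered, stats


def compare_windows(segments, drops, sizes=(1, 3)):
    """Rounds needed per window size over the same lossy link."""
    return {w: reliable_transfer(segments, w, lossy_link(drops))[1].rounds
            for w in sizes}


if __name__ == "__main__":
    sample = [f"segment-{i}" for i in range(5)]      # constructed payloads
    data, st = reliable_transfer(sample, 3, lossy_link({1, 3}))
    print(data, st)
    print(compare_windows(sample, {1, 3}))            # {1: 7, 3: 3}
```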
The Network Layer:
The Network layer (also called layer 3) manages device
addressing, tracks the location of devices on the network, and
determines the best way to move data, which means that the
Network layer must transport traffic between devices that aren’t
locally attached.
A routing table entry holds the following:
Network addresses: Protocol-specific network addresses. A
router must maintain a routing table for individual routing
protocols because each routing protocol keeps track of a
network with a different addressing scheme.
Interface: The exit interface a packet will take when destined
for a specific network.
Metric: The distance to the remote network. Hop count, cost, and
bandwidth are used as metrics.
Here are some points about routers that you should really
commit to memory:
_Routers, by default, will not forward any broadcast or multicast
packets.
_Routers use the logical address in a Network layer header to
determine the next hop router to forward the packet to.
_Routers can use access lists, created by an administrator, to
control security on the types of packets that are allowed to enter
or exit an interface.
_Routers can provide layer 2 bridging functions if needed and
can simultaneously route through the same interface.
_Layer 3 devices (routers in this case) provide connections
between virtual LANs (VLANs).
_Routers can provide quality of service (QoS) for specific types
of network traffic.
The Data Link Layer:
The Data Link layer provides the physical transmission of the
data and handles error notification, network topology, and flow
control. This means that the Data Link layer will ensure that
messages are delivered to the proper device on a LAN using
hardware addresses, and translates messages from the Network
layer into bits for the Physical layer to transmit. The Data Link
layer formats the message into pieces, each called a data frame,
and adds a customized header containing the hardware
destination and source address.
Media Access Control (MAC), 802.3: Defines how packets are
placed on the media. Contention media access is “first come/first
served” access where everyone shares the same bandwidth—
hence the name. Physical addressing is defined here, as well as
logical topologies. What’s a logical topology?
It’s the signal path through a physical topology. Line discipline,
error notification (not correction), ordered delivery of frames
and optional flow control can also be used at this sublayer.
Logical Link Control (LLC), 802.2: Responsible for identifying
Network layer protocols and then encapsulating them. An LLC
header tells the Data Link layer what to do with a packet once a
frame is received. It works like this: A host will receive a
frame and look in the LLC header to find out where the packet
is destined for—say, the IP protocol at the Network layer. The
LLC can also provide flow control and sequencing of control
bits.
Switches and Bridges at the Data Link Layer:
Layer 2 switching is considered hardware-based bridging
because it uses specialized hardware called an
application-specific integrated circuit (ASIC). ASICs can run up
to gigabit speeds with very low latency rates.
Latency is the time measured from when a frame enters a port
to the time it exits a port.
Bridges and switches read each frame as it passes through the
network. The layer 2 device then puts the source hardware
address in a filter table and keeps track of which port the frame
was received on. This information (logged in the bridge’s or
switch’s filter table) is what helps the machine determine the
location of the specific sending device. Figure 1.12 shows a
switch in an internetwork.
Collision domain and broadcast domain
Definition: Broadcast is a type of network communication
where an Ethernet frame sent from one computer is delivered to
all the devices in a LAN. Broadcast means "deliver a copy to all
devices". Networks need broadcasts to function. A router breaks
up (divides) broadcast domains. Each interface (network or
subnetwork) of the router is a broadcast domain.
A collision domain is the set of LAN interfaces whose frames
could collide with each other, but not with frames sent by any
other devices in the network. A collision happens when two
computers want to use the bandwidth at the same time. The
CSMA/CD algorithm deals with the issue of collisions, and hubs
and switches differ in how they operate, creating either a single
collision domain (hubs) or many collision domains (switches).
A switch has multiple collision domains, because each port of a
switch is a collision domain.
Generally speaking, in simple terms, a collision domain is a set
of network interface cards (NICs) for which a frame sent by one
NIC could result in a collision with a frame sent by any other
NIC in the same collision domain.
Only one device in the collision domain may transmit at any one
time, and the other devices in the domain listen to the network in
order to avoid data collisions. Because only one device may be
transmitting at any one time, total network bandwidth is shared
among all devices. Collisions also decrease network efficiency
on a collision domain; if two devices transmit simultaneously, a
collision occurs, and both devices must retransmit at a later time.
Modern wired networks use a network switch to eliminate
collisions. By connecting each device directly to a port on the
switch, either each port on a switch becomes its own collision
domain (in the case of half duplex links) or the possibility of
collisions is eliminated entirely in the case of full duplex links.
For example, you might have ten PCs with 10/100 Ethernet
NICs. If you connect all ten PCs to ten different ports on a single
100-Mbps hub, you have one collision domain, and the PCs in
that collision domain share the 100 Mbps of bandwidth.
The real estate business is all about location, location,
location, and it’s the same way for both layer 2 and layer 3
devices. Though both need to be able to negotiate the network,
it’s crucial to remember that they’re concerned with very
different parts of it. Primarily, layer 3 machines (such as routers)
need to locate specific networks, whereas layer 2 machines
(switches and bridges) need to eventually locate specific
devices. So, networks are to routers as individual devices are to
switches and bridges. And routing tables that “map” the
internetwork are for routers, as filter tables that “map”
individual devices are for switches and bridges.
After a filter table is built on the layer 2 device, it will only
forward frames to the segment where the destination hardware
address is located. If the destination device is on the same
segment as the frame, the layer 2 device will block the frame
from going to any other segments. If the destination is on a
different segment, the frame can only be transmitted to that
segment. This is called Transparent Bridging.
When a switch interface receives a frame with a destination
hardware address that isn’t found in the device’s filter table, it
will forward the frame to all connected segments. If the
unknown device that was sent the “mystery frame” replies to
this forwarding action, the switch updates its filter table
regarding that device’s location. But in the event the destination
address of the transmitting frame is a broadcast address, the
switch will forward all broadcasts to every connected segment
by default.
All devices that the broadcast is forwarded to are considered to
be in the same broadcast domain. This can be a problem; layer 2
devices propagate layer 2 broadcast storms that choke
performance, and the only way to stop a broadcast storm from
propagating through an internetwork is with a layer 3 device—a
router.
The biggest benefit of using switches instead of hubs in your
internetwork is that each switch port is actually its own collision
domain. (Conversely, a hub creates one large collision domain.)
But even armed with a switch, you still can’t break up broadcast
domains. Neither switches nor bridges will do that. They’ll
typically simply forward all broadcasts instead.
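The filter-table behaviour described above (learning source addresses, forwarding known unicasts out one port, flooding unknown unicasts and broadcasts, and filtering same-segment traffic), as an added Python model that is not part of the original text; the port numbers, MAC addresses and scenario are constructed.

```python
# Added example, not part of the original text: a minimal layer 2 switch that
# learns source hardware addresses into a filter table, forwards a known
# unicast out one port, floods unknown unicasts and broadcasts out every
# other port, and drops a frame whose destination is on the port it arrived
# on (transparent bridging). The MAC addresses and scenario are constructed;
# 00:00:5e:00:53:xx is the documentation range, not a real vendor's block.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}          # filter table: hardware address -> port
        self.log = []            # (in_port, src, dst, decision, out_ports)

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of ports it is sent out of."""
        self.table[src] = in_port            # learn where the sender lives
        if dst == BROADCAST or dst not in self.table:
            out = [p for p in self.ports if p != in_port]   # flood
            decision = "broadcast" if dst == BROADCAST else "unknown-flood"
        elif self.table[dst] == in_port:
            out = []                         # same segment: filter it
            decision = "filtered"
        else:
            out = [self.table[dst]]          # known unicast: one port only
            decision = "forwarded"
        self.log.append((in_port, src, dst, decision, out))
        return out


def run_scenario():
    """PC A on port 1, PC B on port 3, PCs C and D behind a hub on port 2.
    Returns the list of decisions the switch made, in order."""
    a, b = "00:00:5e:00:53:01", "00:00:5e:00:53:02"      # constructed MACs
    c, d = "00:00:5e:00:53:03", "00:00:5e:00:53:04"
    sw = Switch([1, 2, 3, 4])
    sw.receive(1, a, b)          # B unknown yet: flooded to 2, 3, 4
    sw.receive(3, b, a)          # A is known on port 1: sent only there
    sw.receive(1, a, b)          # B now known on port 3: sent only there
    sw.receive(2, c, d)          # D unknown: flooded; C learned on port 2
    sw.receive(2, d, c)          # C and D share the hub segment: filtered
    sw.receive(1, a, BROADCAST)  # broadcasts always flood
    return [entry[3] for entry in sw.log]


if __name__ == "__main__":
    print(run_scenario())
```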
The Physical Layer:
Finally arriving at the bottom, we find that the Physical layer
does two things: It sends bits and receives bits. Bits come only
in values of 1 or 0—a Morse code with numerical values. The
Physical layer communicates directly with the various types of
actual communication media.
Hub: A hub is really a multiple-port repeater.
Repeater: A repeater receives a digital signal and reamplifies or
regenerates that signal, and then forwards the digital signal out
all active ports without looking at any data.
Note: A hub works at layer 1 because it cannot read the headers,
that is, the addresses carried by frames and packets, so it simply
repeats everything into the network; all of its ports therefore
share a single broadcast domain and a single collision domain.
A switch works at layer 2 because it can read the frames, that is,
it can read the addresses, and passes a frame only to the machine
that requires it. It therefore works node to node without
disturbing the whole network, which means a switch has a single
broadcast domain and multiple collision domains as it works node
to node in a LAN.
Routers are layer 3 devices which break up broadcast domains
to create multiple networks and to provide internetwork
connectivity.
Case Study:
Note: An example of broadcasting is a DHCP request from a
client PC. The client is asking for an IP address, but the client
does not know how to reach the DHCP server. So the client
sends a DHCP Discover packet to EVERY PC in the local subnet
(broadcast), but only the DHCP server will answer the request.
Another simple example: if we have the LAN segment
192.168.100.0/24, then all IP addresses in the range
192.168.100.0/24 are in the same broadcast domain.
Collision Domain on Switch:
Each connection from a single PC to a layer 2 switch is ONE
collision domain. For example, if 2 PCs are connected with
separate cables to a switch, we have 2 collision domains. If this
switch is connected to another switch or a router, we have one
collision domain more (3 collision domains in total). Please refer
to figure 1.1.1.
Figure: Collision Domain on Switch

Collision Domain on Hub:
If 2 devices are connected to a hub, this is ONE collision
domain. Each device that is connected to a layer 1 device
(repeater, hub) will reside in ONE single collision domain. If a
hub or repeater is connected to a switch on the LAN, the number
of collision domains on the LAN remains the same; the hub or
repeater just extends the collision domain of the switch port it is
connected to. Please refer to figure 1.1.2.
Figure: Collision Domain on Hub


Broadcast Domain:
A broadcast domain is a logical division of a computer network,
in which all nodes can reach each other by broadcast at the data
link layer.
A broadcast domain can be within the same LAN segment or it
can be bridged to other LAN segments.
No matter how many hosts or devices are connected together, if
they are connected with a repeater, hub, switch or bridge, all
these devices are in ONE Broadcast domain (assuming a single
VLAN). A Router is used to separate Broadcast-Domains (we
could also call them Subnets - or call them VLANs). So, if a
router stands between all these devices, we have TWO broadcast
domains. Please refer to the figure.
Figure: Broadcast Domain
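The domain-counting rules from the sections above applied to a constructed topology, as an added example that is not from the original text; it also shows how the count changes when a switch is swapped for a hub. Device names, the topology and the single-VLAN assumption are ours.

```python
# Added example, not part of the original text: count collision and
# broadcast domains in a constructed topology with the rules above. A hub or
# repeater (layer 1) joins all the cables on it into one collision domain; a
# switch (layer 2) ends a collision domain at each port but joins its cables
# into one broadcast domain (single VLAN assumed); a router (layer 3) ends
# both; a host only terminates its own cable. Device names are made up.
from collections import defaultdict


class Topology:
    KINDS = ("hub", "switch", "router", "host")

    def __init__(self):
        self.kind = {}       # device name -> one of KINDS
        self.links = []      # (device_a, device_b): one cable per entry

    def add(self, name, kind):
        if kind not in self.KINDS:
            raise ValueError(f"unknown device kind {kind!r}")
        self.kind[name] = kind

    def connect(self, a, b):
        if a not in self.kind or b not in self.kind:
            raise KeyError("connect devices after adding them")
        self.links.append((a, b))

    def _count(self, joining):
        """Union-find over cables: two cables are in one domain when they
        meet at a device whose kind is in `joining`."""
        parent = list(range(len(self.links)))

        def find(i):
            while parent[i] != i:
                parent[i] = parent[parent[i]]
                i = parent[i]
            return i

        cables_at = defaultdict(list)
        for idx, (a, b) in enumerate(self.links):
            cables_at[a].append(idx)
            cables_at[b].append(idx)
        for dev, idxs in cables_at.items():
            if self.kind[dev] in joining:
                for idx in idxs[1:]:
                    parent[find(idx)] = find(idxs[0])
        return len({find(i) for i in range(len(self.links))})

    def collision_domains(self):
        return self._count({"hub"})

    def broadcast_domains(self):
        return self._count({"hub", "switch"})


def example_topology(s1_kind="switch"):
    """Router R1 with two interfaces: one to S1 (PC1, PC2 and a hub H1
    carrying PC3, PC4), the other to switch S2 (PC5, PC6)."""
    t = Topology()
    t.add("R1", "router")
    t.add("S1", s1_kind)
    t.add("S2", "switch")
    t.add("H1", "hub")
    for pc in ("PC1", "PC2", "PC3", "PC4", "PC5", "PC6"):
        t.add(pc, "host")
    for a, b in [("R1", "S1"), ("S1", "PC1"), ("S1", "PC2"), ("S1", "H1"),
                 ("H1", "PC3"), ("H1", "PC4"),
                 ("R1", "S2"), ("S2", "PC5"), ("S2", "PC6")]:
        t.connect(a, b)
    return t


if __name__ == "__main__":
    t = example_topology()
    print(t.collision_domains(), t.broadcast_domains())      # 7 2
    h = example_topology(s1_kind="hub")                       # S1 as a hub
    print(h.collision_domains(), h.broadcast_domains())      # 4 2
```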


Question: Which of the following statements describe the
network shown in the graphic? (Choose two)
Answer: 2 broadcast domains and 7 collision domains in the
network.
Question: How many broadcast domains are shown in the
graphic, assuming only the default VLAN is configured on the
switches?
Answer: One broadcast domain in the network.
Question: Refer to the exhibit. How many broadcast and
collision domains exist in the topology?
Answer: 5 broadcast domains and 10 collision domains.


Ethernet Networking
Ethernet is a contention media access method that allows all
hosts on a network to share the same bandwidth of a link.
Ethernet is popular because it’s readily scalable, meaning that
it’s comparatively easy to integrate new technologies, such as
Fast Ethernet and Gigabit Ethernet, into an existing network
infrastructure.
Ethernet networking uses Carrier Sense Multiple Access with
Collision Detection (CSMA/CD), a protocol that helps devices
share the bandwidth evenly without having two devices transmit
at the same time on the network medium. CSMA/CD was
created to overcome the problem of those collisions that occur
when packets are transmitted simultaneously from different
nodes. When a host wants to transmit over the network, it first
checks for the presence of a digital signal on the wire. If all is
clear (no other host is transmitting), the host will then proceed
with its transmission. But it doesn’t stop there. The transmitting
host constantly monitors the wire to make sure no other hosts
begin transmitting. If the host detects another signal on the wire,
it sends out an extended jam signal that causes all nodes on the
segment to stop sending data (think busy signal). The nodes
respond to that jam signal by waiting a while before attempting
to transmit again. Backoff algorithms determine when the
colliding stations can retransmit. If collisions keep occurring
after 15 tries, the nodes attempting to transmit will then time
out. When a collision occurs on an Ethernet LAN:
_ A jam signal informs all devices that a collision occurred.
_ The collision invokes a random backoff algorithm.
_ Each device on the Ethernet segment stops transmitting for a
short time until the timers expire.
The effects of having a CSMA/CD network sustaining heavy
collisions include:
_ Delay
_ Low throughput
_ Congestion
Backoff on an 802.3 network is the retransmission delay that’s
enforced when a collision occurs. When a collision occurs, a
host will resume transmission after the forced time delay has
expired.
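CSMA/CD with backoff as described above, in an added slot-time simulation that is not part of the original text; the station count, the random source and the one-slot frame are constructed assumptions.

```python
# Added example, not part of the original text: a slot-time simulation of
# CSMA/CD with truncated binary exponential backoff. Every station that is
# ready in a slot transmits; two or more ready stations collide, send the jam
# signal and each waits a random 0..2^min(n,10)-1 slots after its n-th
# collision; a station gives up after 16 attempts, i.e. 15 retries. A frame
# occupies one slot here, which is a simplification. The station count and
# random source are constructed inputs.
import random

MAX_ATTEMPTS = 16    # the 16th consecutive collision makes a station give up
BACKOFF_CAP = 10     # the backoff exponent stops growing after 10 collisions


def backoff_slots(collisions, rng):
    """Slots to wait after `collisions` consecutive collisions (0 if none)."""
    return rng.randrange(2 ** min(collisions, BACKOFF_CAP))


def simulate(n_stations, rng=None):
    """Run until every station has sent its frame or timed out.
    Returns the slots used, per-station collision counts, and how many
    stations delivered or timed out."""
    rng = rng or random.Random(1)
    ready_at = [0] * n_stations        # all stations want the wire at once
    collisions = [0] * n_stations
    sent = [False] * n_stations
    timed_out = [False] * n_stations
    slot = 0
    while not all(s or t for s, t in zip(sent, timed_out)):
        # carrier sense: a station transmits once its backoff has expired
        ready = [i for i in range(n_stations)
                 if not sent[i] and not timed_out[i] and ready_at[i] <= slot]
        if len(ready) == 1:
            sent[ready[0]] = True      # the wire was free: frame delivered
        else:
            for i in ready:            # collision detected: jam, back off
                collisions[i] += 1
                if collisions[i] >= MAX_ATTEMPTS:
                    timed_out[i] = True
                else:
                    ready_at[i] = slot + 1 + backoff_slots(collisions[i], rng)
        slot += 1
    return {"slots": slot, "collisions": collisions,
            "delivered": sum(sent), "timed_out": sum(timed_out)}


class AlwaysZero:
    """Random source that never backs off: models a segment so congested
    that the stations keep colliding until they all time out."""
    def randrange(self, n):
        return 0


if __name__ == "__main__":
    print(simulate(4))
    print(simulate(3, AlwaysZero()))   # every station times out after 16 tries
```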
Half- and Full-Duplex Ethernet:
Half-duplex Ethernet is defined in the original 802.3 Ethernet;
Cisco says it uses only one wire pair with a digital signal
running in both directions on the wire. It also uses the
CSMA/CD protocol to help prevent collisions and to permit
retransmitting if a collision does occur. If a hub is attached to a
switch, it must operate in half-duplex mode because the end
stations must be able to detect collisions. Half-duplex Ethernet
—typically 10BaseT—is only about 30 to 40 percent efficient as
Cisco sees it, because a large 10BaseT network will usually only
give you 3 to 4 Mbps at most. Full-duplex Ethernet, by contrast,
uses two pairs of wires instead of the one wire pair used by half
duplex.
And full duplex uses a point-to-point connection between the
transmitter of the transmitting device and the receiver of the
receiving device. This means that with full-duplex data transfer,
you get a faster data transfer compared to half duplex. And
because the transmitted data is sent on a different set of wires
than the received data, no collisions will occur. Full-duplex
Ethernet requires a point-to-point connection when only two
nodes are present. You can run full duplex with just about any
device except a hub.
Ethernet at the Data Link Layer:
Ethernet at the Data Link layer is responsible for Ethernet
addressing, commonly referred to as hardware addressing or
MAC addressing. Ethernet is also responsible for framing
packets received from the Network layer and preparing them for
transmission on the local network through the Ethernet
contention media access method. There are four different types
of Ethernet frames available:
_ Ethernet_II
_ IEEE 802.3
_ IEEE 802.2
_ SNAP
I’ll go over all four of the available Ethernet frames in the
upcoming sections.
Ethernet Addressing:
Here’s where we get into how Ethernet addressing works. It uses
the Media Access Control (MAC) address burned into each and
every Ethernet Network Interface Card (NIC). The MAC, or
hardware address, is a 48-bit (6-byte) address written in a
hexadecimal format. Figure 1.14 shows the 48-bit MAC
addresses and how the bits are divided.
Figure: Ethernet addressing using MAC addresses. The first 24
bits are the Organizationally Unique Identifier (OUI), assigned
by the IEEE, and include the I/G and G/L bits; the last 24 bits
are vendor assigned.
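Decoding the MAC address fields from the figure above, as an added example that is not from the original text; the sample addresses are constructed except for the real IPv4 multicast OUI and the all-ones broadcast address noted in the code.

```python
# Added example, not part of the original text: decode the fields of a
# 48-bit MAC address as laid out in the figure above: the 24-bit OUI assigned
# by the IEEE, the vendor-assigned 24 bits, the I/G bit (individual or group
# address) and the G/L bit (globally or locally administered). Those two
# flags are the two lowest-order bits of the first byte. Sample addresses
# are constructed (00:00:5e:00:53:xx is the documentation range), except
# that 01:00:5e is the real IPv4 multicast OUI and all-ones is the real
# broadcast address.
def parse_mac(text):
    """Return the fields of a MAC written as aa:bb:cc:dd:ee:ff or with dashes."""
    try:
        octets = bytes(int(p, 16) for p in text.replace("-", ":").split(":"))
    except ValueError:
        raise ValueError(f"malformed MAC address {text!r}") from None
    if len(octets) != 6:
        raise ValueError("a MAC address has exactly 6 bytes")
    first = octets[0]
    group = bool(first & 0x01)      # I/G: 1 = group (multicast or broadcast)
    local = bool(first & 0x02)      # G/L: 1 = locally administered
    if octets == b"\xff" * 6:
        kind = "broadcast"
    elif group:
        kind = "multicast"
    else:
        kind = "unicast"
    return {
        "oui": octets[:3].hex(":"),              # first 24 bits
        "vendor_assigned": octets[3:].hex(":"),  # last 24 bits
        "kind": kind,
        "locally_administered": local,
    }


def router_forwards(mac):
    """Routers do not forward broadcast or multicast frames by default."""
    return parse_mac(mac)["kind"] == "unicast"


if __name__ == "__main__":
    for sample in ("00:00:5e:00:53:01", "01:00:5e:00:00:fb",
                   "ff:ff:ff:ff:ff:ff", "02:00:00:aa:bb:cc"):
        print(sample, parse_mac(sample), router_forwards(sample))
```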

Ethernet standard 802.3:
10BaseT (10 Mbps) and 100BaseTX: a maximum distance of 100
meters to the desktop, using RJ45 connectors.
Ethernet Cabling:
Straight-through cable: switch to router, switch to computer.
Crossover cable: router to router, router to computer.
Rolled cable: for console purposes, from a PC to a switch or
router.
Wireshark: a software tool to analyze network traffic.
Data Encapsulation:
When a host transmits data across a network to another device,
the data goes through encapsulation: it is wrapped with protocol
information at each layer of the OSI model. Each layer
communicates only with its peer layer on the receiving device.
To communicate and exchange information, each layer uses
Protocol Data Units (PDUs).
These hold the control information attached to the data at each
layer of the model. They are usually attached to the header in
front of the data field but can also be in the trailer, or end, of it.

At a transmitting device, the data encapsulation method works
like this:
1. User information is converted to data for transmission on the
network.
2. Data is converted to segments and a reliable connection is set
up between the transmitting and receiving hosts.
3. Segments are converted to packets or datagrams, and a logical
address is placed in the header so each packet can be routed
through an internetwork.
4. Packets or datagrams are converted to frames for transmission
on the local network. Hardware (Ethernet) addresses are used to
uniquely identify hosts on a local network segment.
5. Frames are converted to bits, and a digital encoding and
clocking scheme is used.
To explain this in more detail, the figure below shows the layer
addressing at each stage.
Figure: layer addressing at each encapsulation stage (Physical
layer bits: 1011011100011110000)
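The five encapsulation steps carried out on one piece of data, as an added example that is not from the original text: it builds the segment, packet, frame and bits with the real Ethernet II, IPv4 and TCP header layouts, then strips them again on the receiving side. Addresses, ports and payload are constructed, and the TCP checksum is left at zero to keep the block short.

```python
# Added example, not part of the original text: build the PDUs of the five
# encapsulation steps above for one piece of user data (segment, packet,
# frame, bits), then strip them again on the receiving side. The Ethernet II,
# IPv4 and TCP header layouts used are the real ones and the IPv4 header
# checksum is computed and verified; the TCP checksum is left at zero for
# brevity, which a real stack would not do. Addresses and data are constructed.
import struct


def ip_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(o) for o in text.split("."))


def encapsulate(data, src_ip, dst_ip, src_port, dst_port, src_mac, dst_mac):
    """Transmitting side. Returns the PDU produced at each layer."""
    # Step 2, Transport: 20-byte TCP header + data = segment (flags PSH|ACK)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, 0x18, 65535, 0, 0)
    segment = tcp + data
    # Step 3, Network: 20-byte IPv4 header with logical addresses = packet
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234,
                      0x4000, 64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    packet = hdr + segment
    # Step 4, Data Link: Ethernet II header with hardware addresses = frame
    frame = (mac_bytes(dst_mac) + mac_bytes(src_mac)
             + struct.pack("!H", 0x0800) + packet)
    # Step 5, Physical: the frame as a string of bits
    bits = "".join(format(b, "08b") for b in frame)
    return {"segment": segment, "packet": packet, "frame": frame, "bits": bits}


def decapsulate(bits):
    """Receiving side: bits -> frame -> packet -> segment -> data."""
    frame = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("frame does not carry an IPv4 packet")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:       # a valid header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    protocol = packet[9]
    segment = packet[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
            "src_ip": ".".join(str(b) for b in packet[12:16]),
            "dst_ip": ".".join(str(b) for b in packet[16:20]),
            "protocol": protocol, "src_port": src_port,
            "dst_port": dst_port, "data": segment[data_offset:]}


if __name__ == "__main__":
    pdus = encapsulate(b"hello", "192.168.100.10", "192.168.100.1", 40000, 80,
                       "00:00:5e:00:53:01", "00:00:5e:00:53:02")
    for name in ("segment", "packet", "frame", "bits"):
        print(name, len(pdus[name]))
    print(decapsulate(pdus["bits"]))
```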
The Cisco Three-Layer Hierarchical Model
The following are the three layers and their typical functions:
_ The core layer: Backbone
_ The distribution layer: Routing
_ The access layer: Switching
The model simplifies the task of building a reliable, scalable,
and less expensive hierarchical internetwork because, rather than
focusing on packet construction, it focuses on the three
functional areas, or layers, of your network:
Core layer: This layer is considered the backbone of the
network and includes the high-end switches and high-speed
cables such as fiber cables. This layer of the network does not
route traffic at the LAN. In addition, no packet manipulation is
done by devices in this layer. Rather, this layer is concerned
with speed and ensures reliable delivery of packets.
 Cisco switches such as 7000, 7200, 7500, and 12000 (for
WAN use)
 Catalyst switches such as 6000, 5000, and 4000 (for LAN
use)
 T-1 and E-1 lines, Frame Relay connections, ATM
networks, Switched Multimegabit Data Service (SMDS)
Distribution layer: This layer includes LAN-based routers and
layer 3 switches. This layer ensures that packets are properly
routed between subnets and VLANs in your enterprise. This
layer is also called the Workgroup layer.
Examples of Cisco-specific distribution layer equipment include
2600,4000, 4500 series routers. The distribution layer is
responsible for routing. It also provides policy-based network
connectivity, including:
 Packet filtering (firewalling): Processes packets and
regulates the transmission of packets based on its source and
destination information to create network borders.
 QoS: The router or layer 3 switches can read packets and
prioritize delivery, based on policies you set.
 Access Layer Aggregation Point: The layer serves as the
aggregation point for the desktop layer switches.
 Control Broadcast and Multicast: The layer serves as the
boundary for broadcast and multicast domains.
 Application Gateways: The layer allows you to create
protocol gateways to and from different network
architectures.
 The distribution layer also performs queuing and provides
packet manipulation of the network traffic.
Access layer: This layer includes hubs and switches. This layer
is also called the desktop layer because it focuses on
connecting client nodes, such as workstations to the network.
This layer ensures that packets are delivered to end user
computers. This figure displays the three layers of the Cisco
hierarchical model. When you implement these layers, each
layer might comprise more than two devices or a single device
might function across multiple layers.
Examples of devices (switches) at this layer are Switch 2960,
2970, etc.
At the access layer, you can:
 Enable MAC address filtering: It is possible to program a
switch to allow only certain systems to access the connected
LANs.
 Create separate collision domains: A switch can create
separate collision domains for each connected node to
improve performance.
 Share bandwidth: You can allow the same network
connection to handle all data.
 Handle switch bandwidth: You can move data from one
network to another to perform load balancing.
The benefits of the Cisco hierarchical model include:
 High Performance: You can design high performance
networks, where only certain layers are susceptible to
congestion.
 Efficient management & troubleshooting: Allows you to
efficiently organize network management and isolate causes
of network trouble.
 Policy creation: You can easily create policies and specify
filters and rules.
 Scalability: You can grow the network easily by dividing
your network into functional areas.
 Behavior prediction: When planning or managing a
network, the model allows you to determine what will happen to
the network when new stresses are placed on it.
End of Chapter 1
_____________________________
After mid
Chapter 2
Internet Protocols
The Process/Application Layer Protocols:
In this section, I’ll describe the different applications and
services typically used in IP networks.
The different protocols and applications covered in this section
include the following:
_Telnet
_FTP
_TFTP
_NFS
_SMTP
_LPD
_X Window
_SNMP
_DNS
_DHCP/BootP
 Telnet
Telnet is the chameleon of protocols—its specialty is terminal
emulation. It allows a user on a remote client machine, called
the Telnet client, to access the resources of another machine, the
Telnet server.
 File Transfer Protocol (FTP)
File Transfer Protocol (FTP) is the protocol that actually lets us
transfer files, and it can accomplish this between any two
machines using it. But FTP isn’t just a protocol; it’s also a
program. Operating as a protocol, FTP is used by applications.
 Trivial File Transfer Protocol (TFTP)
Trivial File Transfer Protocol (TFTP) is a simplified version of
FTP that allows files to be transferred from one computer to
another over a network, usually without the use of client
authentication (for example, username and password). It uses
UDP.
 Network File System (NFS)
Network File System (NFS) is a jewel of a protocol specializing
in file sharing. It allows two different types of file systems to
interoperate. A typical example is a virtualized environment
where files on a Windows or Unix system are used by both
systems.
 Simple Mail Transfer Protocol (SMTP)
Simple Mail Transfer Protocol (SMTP), answering our
ubiquitous call to e-mail, uses a spooled, or queued, method of
mail delivery. Once a message has been sent to a destination, the
message is spooled to a device—usually a disk. The server
software at the destination posts a vigil, regularly checking this
queue for messages. When it detects them, it proceeds to deliver
them to their destination. SMTP is used to send mail; POP3 is
used to receive mail.
 Line Printer Daemon (LPD)
The Line Printer Daemon (LPD) protocol is designed for printer
sharing. The LPD, along with the LPR (Line Printer) program,
allows print jobs to be spooled and sent to the network’s printers
using TCP/IP.
 X Window
Designed for client-server operations, X Window defines a
protocol for writing client/server applications based on a
graphical user interface (GUI). The idea is to allow a program
called a client, to run on one computer and have it display things
through a window server on another computer.
 Simple Network Management Protocol (SNMP)
The Simple Network Management Protocol (SNMP) is an
application layer protocol that facilitates the exchange of
management information between network devices. It is part of
the Transmission Control Protocol/Internet Protocol (TCP/IP)
protocol suite. SNMP enables network administrators to manage
network performance, find and solve network problems, and
plan for network growth.
_This protocol can also stand as a watchdog over the network,
quickly notifying managers of any sudden turn of events. These
network watchdogs are called agents, and when aberrations
occur, agents send an alert called a trap to the management
station.
Building a working network is important, but monitoring its
health is just as important. Luckily, we have tools that make an
administrator's life easier, and SNMP is one of them. SNMP is
present in most networks regardless of their size, and
understanding how SNMP works is what we will learn in this
tutorial.
Understand SNMP
SNMP consists of 3 items:
+ SNMP Manager (sometimes called Network Management
System – NMS): software that runs on the network administrator's
device (in most cases, a computer) to monitor the network.
+ SNMP Agent: software that runs on the network devices we
want to monitor (router, switch, server…)
+ Management Information Base (MIB): is the collection of
managed objects. This component makes sure that the data
exchange between the manager and the agent remains
structured. In other words, MIB contains a set of questions that
the SNMP Manager can ask the Agent (and the Agent can
understand them). MIB is commonly shared between the Agent
and Manager.
For example, in the topology above you want to monitor a
router, a server and a Multilayer Switch. You can run an SNMP
Agent on all of them. Then on a PC you install SNMP Manager
software to receive monitoring information. SNMP is the
protocol running between the Manager and Agent. SNMP
communication between Manager and Agent takes place in the
form of messages. The monitoring process must be done via a
MIB, which is a standardized database containing
parameters/objects that describe these networking devices (like
IP addresses, interfaces, CPU utilization, …). Therefore, the
monitoring process becomes the process of GETting and SETting
information in the MIB.
SNMP Versions
SNMP has multiple versions but there are three main versions:
+ SNMP version 1
+ SNMP version 2c
+ SNMP version 3
SNMPv1 is the original version and is now obsolete, so it should
not be used in our network. SNMPv2c updated the original
protocol and offered some enhancements. One noticeable
enhancement is the introduction of INFORM and GETBULK
messages, which will be explained later in this tutorial.
Neither SNMPv1 nor SNMPv2c focused much on security; they
provide access control based on a community string only. A
community string is really just a clear-text password (without
encryption). Any data sent in clear text over a network is
vulnerable to packet sniffing and interception. There are two
types of community strings in SNMPv2c:
+ Read-only (RO): gives read-only access to the MIB objects,
which is safer and preferable to the other method.
+ Read-write (RW): gives read and write access to the MIB
objects. This method allows the SNMP Manager to change the
configuration of the managed router/switch, so be careful with
this type.
The community string defined on the SNMP Manager must
match one of the community strings on the Agents in order for
the Manager to access the Agents.
SNMPv3 provides significant enhancements to address the
security weaknesses existing in the earlier versions. The concept
of community string does not exist in this version. SNMPv3
provides a far more secure communication using entities, users
and groups. This is achieved by implementing three new major
features:
+ Message integrity: ensuring that a packet has not been
modified in transit.
+ Authentication: by using password hashing (based on the
HMAC-MD5 or HMAC-SHA algorithms) to ensure the message
is from a valid source on the network.
+ Privacy (Encryption): by using encryption (56-bit DES
encryption, for example) to encrypt the contents of a packet.
Note: Although SNMPv3 offers better security, SNMPv2c is
still more common. Cisco has supported SNMPv3 in their
routers since IOS version 12.0.3T.
In the next part we will learn the SNMP messages used in each
version.
SNMP Messages
SNMP Messages are used to communicate between the SNMP
Manager and Agents. SNMPv1 supports five basic SNMP
messages:
+ SNMP GET
+ SNMP GET-NEXT
+ SNMP GET-RESPONSE
+ SNMP SET
+ SNMP TRAP
In general, the GET messages are sent by the SNMP Manager to
retrieve information from the SNMP Agents while the SET
messages are used by the SNMP Manager to modify or assign
the value to the SNMP Agents.
Note: GET-NEXT retrieves the value of the next object in the
MIB. The GET-RESPONSE message is used by the SNMP
Agents to reply to GET and GET-NEXT messages.
Unlike GET or SET messages, TRAP messages are initiated
from the SNMP Agents to inform the SNMP Manager on the
occurrence of an event. For example, suppose you want to be
alerted when the CPU usage of your server goes above 80%.
It would be very annoying if the administrator had to
actively use GET messages to check the CPU usage from time
to time. In this case, the TRAP message is very suitable for
that purpose because the administrator is informed by the Agent
only when that event occurs. The figure below shows the
direction of SNMP messages:
From SNMPv2c, two new messages were added: INFORM and
GETBULK.
INFORM: A disadvantage of the TRAP message is that it is
unreliable. SNMP communicates via UDP, so when an SNMP
Agent sends a TRAP message to the SNMP Manager it cannot
know whether its message arrived at the SNMP Manager. To
address this problem, a new type of message, called INFORM,
was introduced in SNMPv2c. With an INFORM message, the
SNMP Manager acknowledges that the message has been
received at its end with an SNMP response protocol data unit
(PDU). If the sender never receives a response, the INFORM
can be sent again. Thus, informs are more likely to reach their
intended destination.
GETBULK: The GETBULK operation efficiently retrieves large
blocks of data, such as multiple rows in a table. GETBULK fills
a response message with as much of the requested data as will
fit.
Note: There are no new message types in SNMPv3 compared to
SNMPv2c.
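The message types and community-string rules above, as an added simulation that is not part of the original tutorial: an in-memory SNMPv2c agent serving GET, GET-NEXT, GETBULK and SET (RW community required), plus a manager that only acknowledges INFORMs, so a lost TRAP disappears silently while a lost INFORM is retried. The OIDs are standard MIB-II ones, but the values and the community strings "public-ro" and "secret-rw" are constructed for the example.

```python
"""Simulated SNMPv2c agent and manager (added example, not from the page or
from any SNMP library). It models the message types the tutorial lists over an
in-memory MIB: GET, GET-NEXT, GETBULK, SET (needs the RW community), TRAP
(sent once, unacknowledged) and INFORM (acknowledged, retried). OIDs, values
and community strings are constructed sample data; no packets are sent.
"""
from typing import Dict, List, Tuple


def oid_key(oid: str) -> Tuple[int, ...]:
    """Dotted OID -> tuple of ints so OIDs sort in MIB (lexicographic) order."""
    return tuple(int(part) for part in oid.split("."))


class Agent:
    def __init__(self, mib: Dict[str, object], ro_community: str, rw_community: str):
        self.mib = dict(mib)
        self.ro, self.rw = ro_community, rw_community
        self.oids = sorted(self.mib, key=oid_key)

    def _authorized(self, community: str, write: bool) -> bool:
        """Community string = clear-text password; RW grants read as well."""
        if community == self.rw:
            return True
        return not write and community == self.ro

    def get(self, community, oid):
        if not self._authorized(community, False):
            return ("noAuth", None)
        if oid not in self.mib:
            return ("noSuchObject", None)
        return ("noError", self.mib[oid])

    def get_next(self, community, oid):
        """Return the first object whose OID sorts after `oid` (walks a table)."""
        if not self._authorized(community, False):
            return ("noAuth", None, None)
        for candidate in self.oids:
            if oid_key(candidate) > oid_key(oid):
                return ("noError", candidate, self.mib[candidate])
        return ("endOfMibView", None, None)

    def get_bulk(self, community, oid, max_repetitions):
        """GETBULK: up to max_repetitions successive objects in one response."""
        if not self._authorized(community, False):
            return ("noAuth", [])
        rows, current = [], oid
        for _ in range(max_repetitions):
            status, next_oid, value = self.get_next(community, current)
            if status != "noError":
                break
            rows.append((next_oid, value))
            current = next_oid
        return ("noError", rows)

    def set(self, community, oid, value):
        """SET changes device state, so only the RW community may use it."""
        if not self._authorized(community, True):
            return "noAuth"
        if oid not in self.mib:
            return "noSuchObject"
        self.mib[oid] = value
        return "noError"


class Manager:
    """Receives notifications; only INFORMs are answered with a response PDU."""
    def __init__(self):
        self.received: List[Tuple[str, str]] = []

    def deliver(self, kind: str, oid: str) -> bool:
        self.received.append((kind, oid))
        return kind == "inform"


def send_notification(kind, oid, manager, drop_first_n, max_tries=3):
    """Send a TRAP or INFORM over a UDP path that loses the first `drop_first_n`
    packets. A TRAP is sent once and the agent never learns whether it arrived;
    an INFORM is retried until the response PDU comes back.
    Returns (delivered, attempts)."""
    tries = 1 if kind == "trap" else max_tries
    for attempt in range(1, tries + 1):
        if attempt <= drop_first_n:
            continue                       # lost in transit
        acked = manager.deliver(kind, oid)
        if kind == "trap" or acked:
            return (True, attempt)
    return (False, tries)


# Constructed sample MIB: standard OIDs (sysUpTime, sysName, ifOperStatus), invented values.
SAMPLE_MIB = {
    "1.3.6.1.2.1.1.3.0": 123456,          # sysUpTime.0
    "1.3.6.1.2.1.1.5.0": "edge-router",   # sysName.0
    "1.3.6.1.2.1.2.2.1.8.1": 1,           # ifOperStatus.1 = up
    "1.3.6.1.2.1.2.2.1.8.2": 2,           # ifOperStatus.2 = down
}
```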
SNMP Configuration
In the last part we will go through a simple SNMP configuration
so that you can have a closer look at how SNMP works.
SNMPv2c is still more popular than SNMPv3 so we will
configure SNMPv2c.
1. Configure a community string
Router(config)#snmp-server community 9tut ro
In this case our community string is named “9tut”. The ro stands
for read-only access.
2. Configure the IP address of a host receiver (SNMP
Manager) for SNMPv2c TRAPs or INFORMs
Router(config)#snmp-server host 10.10.10.12 version 2c
TRAPCOMM
“TRAPCOMM” is the community string for TRAP.
3. Enable the SNMP Traps
Router(config)#snmp-server enable traps
If we don’t want to enable all trap messages we can specify
which traps we want to be notified about. For example, if you
only want to receive traps about link up/down notifications then
use this command instead:
Router(config)#snmp-server enable traps link cisco
Of course, we have to configure an SNMP Manager on a
computer with these community strings so that they can
communicate.
Domain Name Service (DNS)
Domain Name Service (DNS) resolves hostnames—specifically,
Internet names, such as www.routersim.com. You don’t have to
use DNS; you can just type in the IP address of any device you
want to communicate with. An IP address identifies hosts on a
network and the Internet as well. DNS is used to resolve a fully
qualified domain name (FQDN), for example, www.lammle.com
or todd.lammle.com. An FQDN is a hierarchy that can logically
locate a system based on its domain identifier.
Dynamic Host Configuration Protocol (DHCP)/BootP
(Bootstrap Protocol)
In an IP environment, before a computer can communicate with
another one, each needs its own IP address. There are two ways
of configuring an IP address on a device:
+ Statically assign an IP address. This means we manually type
an IP address for this computer
+ Use a protocol so that the computer can obtain its IP address
automatically (dynamically).
The most popular protocol nowadays for this task is called
Dynamic Host Configuration Protocol (DHCP) and we will learn
about it in this tutorial.
A big advantage of using DHCP is the ability to join a network
without knowing details about it. For example, you go to a
coffee shop and, with DHCP enabled on your computer, you can
go online without doing anything. The next day you go online at
your school and you don’t have to configure anything either,
even though the networks of the coffee shop and your school are
different (for example, the network of the coffee shop is
192.168.1.0/24 while that of your school is 10.0.0.0/8). Really
nice, right? Without DHCP, you have to ask someone who
knows about the networks at your location and then manually
choose an IP address in that range. In a bad situation, your
chosen IP can be the same as someone else’s who is also using
that network, and an address conflict may occur. So how can
DHCP obtain a suitable IP address for you automatically? Let’s
find out.

How DHCP works
1. When a client boots up for the first time (or tries to join a
new network), it needs to obtain an IP address to communicate.
So, it first transmits a DHCPDISCOVER message on its local
subnet. Because the client has no way of knowing the subnet to
which it belongs, the DHCPDISCOVER is an all-subnets
broadcast (destination IP address of 255.255.255.255, which is a
layer 3 broadcast address) and a destination MAC address of
FF-FF-FF-FF-FF-FF (which is a layer 2 broadcast address). The
client does not have a configured IP address, so the source IP
address of 0.0.0.0 is used. The purpose of the DHCPDISCOVER
message is to find a DHCP Server (a server that can assign IP
addresses).

2. After receiving the discover message, the DHCP Server will
dynamically pick an unassigned IP address from its IP pool and
broadcast a DHCPOFFER message to the client (*). The
DHCPOFFER message could contain other information such as
subnet mask, default gateway, IP address lease time, and domain
name server (DNS).
(*) Note: In fact, the DHCPOFFER is a layer 3 broadcast
message (the IP destination is 255.255.255.255) but a layer 2
unicast message (the MAC destination is the MAC of the DHCP
Client, not FF-FF-FF-FF-FF-FF). So, some books may say it is a
broadcast message while others say it is a unicast message.
3. If the client accepts the offer, it then broadcasts
a DHCPREQUEST message saying it will take this IP address.
It is called a request message because the client might decline
the offer by requesting another IP address. Notice that the
DHCPREQUEST message is still a broadcast message because
the DHCP client has still not received an acknowledged IP.
Also, a DHCP Client can receive DHCPOFFER messages from
other DHCP Servers, so sending a broadcast DHCPREQUEST
message is also a way to inform them that their offers have been
rejected.

4. When the DHCP Server receives the DHCPREQUEST
message from the client, the DHCP Server accepts the request
by sending the client a unicast DHCPACKNOWLEDGEMENT
message (DHCPACK).
In conclusion there are four messages sent between the DHCP
Client and DHCP Server: DHCPDISCOVER, DHCPOFFER,
DHCPREQUEST and DHCPACKNOWLEDGEMENT. This
process is often abbreviated as DORA (for Discover, Offer,
Request, Acknowledgement).
After receiving DHCPACKNOWLEDGEMENT, the IP address
is leased to the DHCP Client. A client will usually keep the
same address by periodically contacting the DHCP server to
renew the lease before the lease expires.
If the DHCP Server is not on the same subnet as the DHCP
Client, we need to configure the router on the DHCP client side
to act as a DHCP Relay Agent so that it can forward DHCP
messages between the DHCP Client and DHCP Server. To make
a router a DHCP Relay Agent, simply put the “ip helper-address
<IP-address-of-DHCP-Server>” command under the interface
that receives the DHCP messages from the DHCP Client.
As we know, a router does not forward broadcast packets (it
drops them instead), so DHCP messages like DHCPDISCOVER
would be dropped. But with the “ip helper-address …”
command, the router will accept that broadcast message,
convert it into a unicast packet and forward it to the DHCP
Server. The destination IP address of the unicast packet is taken
from the “ip helper-address …” command.
When a DHCP address conflict occurs
During the IP assignment process, the DHCP Server uses ping to
test the availability of an IP before issuing it to the client. If no
one replies then the DHCP Server believes that IP has not been
allocated and it can safely assign that IP to a client. If someone
answers the ping, the DHCP Server records a conflict, the
address is then removed from the DHCP pool and it will not be
assigned to a client until the administrator resolves the conflict
manually.
Configure a DHCP Server on Cisco router
Instead of using a separate computer/server as a DHCP Server,
we can save the cost and configure a Cisco router (even a Layer
3 Cisco switch) to work as a DHCP Server. The following
example configuration will complete this task:
Configuration and description:

Router(config)#ip dhcp pool CLIENTS
    Create a DHCP Pool named CLIENTS
Router(dhcp-config)#network 10.1.1.0 /24
    Specifies the subnet and mask of the DHCP address pool
Router(dhcp-config)#default-router 10.1.1.1
    Set the default gateway of the DHCP Clients
Router(dhcp-config)#dns-server 10.1.1.1
    Configure a Domain Name Server (DNS)
Router(dhcp-config)#domain-name 9tut.com
    Configure a domain-name
Router(dhcp-config)#lease 0 12
    Duration of the lease (the time during which a client computer
    can use an assigned IP address). The syntax is
    “lease {days [hours] [minutes] | infinite}”. In this case the
    lease is 12 hours. The default is a one-day lease. Before the
    lease expires, the client typically needs to renew its address
    lease assignment with the server
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 10.1.1.1 10.1.1.10
    The IP range that a DHCP Server should not assign to DHCP
    Clients. Notice this command is configured under global
    configuration mode
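The DORA exchange, address-conflict handling and the router configuration above, as an added simulation that is not part of the tutorial or of Cisco IOS: a DHCP server object built from the page's pool (10.1.1.0/24, excluded 10.1.1.1 to 10.1.1.10, default router and DNS 10.1.1.1, domain 9tut.com, lease 0 12) hands out addresses to a client. The client MAC addresses and the `in_use` set that stands in for the server's ping probe are constructed for the example.

```python
"""Simulated DHCP DORA exchange against a router-style address pool (added
example, not from the page or from Cisco). Mirrors the tutorial's
configuration: pool 10.1.1.0/24, excluded 10.1.1.1-10.1.1.10, default router
and DNS 10.1.1.1, domain 9tut.com, lease "0 12" (12 hours). The server's ping
probe before assignment is modelled by a caller-supplied `in_use` set.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST_IP = "255.255.255.255"      # layer 3 broadcast used by DISCOVER/REQUEST/OFFER
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"   # layer 2 broadcast used by the client
UNCONFIGURED_IP = "0.0.0.0"           # client source address before it has a lease


def lease_seconds(days: int, hours: int = 0, minutes: int = 0) -> int:
    """Cisco 'lease days [hours] [minutes]' to seconds; 'lease 0 12' -> 43200."""
    return ((days * 24 + hours) * 60 + minutes) * 60


@dataclass
class DhcpServer:
    network: ipaddress.IPv4Network
    default_router: str
    dns_server: str
    domain_name: str
    lease: int
    excluded: Set[str] = field(default_factory=set)
    in_use: Set[str] = field(default_factory=set)     # hosts that would answer a ping
    bindings: Dict[str, str] = field(default_factory=dict)   # client MAC -> offered IP
    conflicts: Set[str] = field(default_factory=set)  # removed from the pool until an admin clears them

    def exclude_range(self, first: str, last: str) -> None:
        """Equivalent of 'ip dhcp excluded-address first last'."""
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        for n in range(lo, hi + 1):
            self.excluded.add(str(ipaddress.IPv4Address(n)))

    def _next_free(self) -> Optional[str]:
        taken = self.excluded | self.conflicts | set(self.bindings.values())
        for host in self.network.hosts():
            ip = str(host)
            if ip in taken:
                continue
            if ip in self.in_use:            # ping answered: record conflict, skip it
                self.conflicts.add(ip)
                continue
            return ip
        return None

    def handle(self, msg: dict) -> Optional[dict]:
        if msg["type"] == "DHCPDISCOVER":
            ip = self._next_free()
            if ip is None:
                return None                  # pool exhausted: no offer
            self.bindings[msg["client_mac"]] = ip
            return {"type": "DHCPOFFER", "dst_ip": BROADCAST_IP,     # L3 broadcast,
                    "dst_mac": msg["client_mac"], "yiaddr": ip,      # L2 unicast
                    "subnet_mask": str(self.network.netmask),
                    "router": self.default_router, "dns": self.dns_server,
                    "domain": self.domain_name, "lease": self.lease}
        if msg["type"] == "DHCPREQUEST":
            if self.bindings.get(msg["client_mac"]) != msg["requested_ip"]:
                return None                  # not our offer (client chose another server)
            return {"type": "DHCPACK", "dst_ip": msg["requested_ip"],   # unicast ACK
                    "dst_mac": msg["client_mac"], "yiaddr": msg["requested_ip"],
                    "lease": self.lease}
        return None


def dora(server: DhcpServer, client_mac: str) -> List[dict]:
    """Run Discover / Offer / Request / Ack for one client; return the transcript."""
    discover = {"type": "DHCPDISCOVER", "src_ip": UNCONFIGURED_IP,
                "dst_ip": BROADCAST_IP, "dst_mac": BROADCAST_MAC,
                "client_mac": client_mac}
    offer = server.handle(discover)
    if offer is None:
        return [discover]
    request = {"type": "DHCPREQUEST", "src_ip": UNCONFIGURED_IP,
               "dst_ip": BROADCAST_IP, "dst_mac": BROADCAST_MAC,   # still broadcast
               "client_mac": client_mac, "requested_ip": offer["yiaddr"]}
    ack = server.handle(request)
    return [discover, offer, request, ack]


def build_page_server() -> DhcpServer:
    """The server described by the tutorial's configuration table."""
    server = DhcpServer(ipaddress.IPv4Network("10.1.1.0/24"), "10.1.1.1", "10.1.1.1",
                        "9tut.com", lease_seconds(0, 12))
    server.exclude_range("10.1.1.1", "10.1.1.10")
    return server
```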

Transmission Control Protocol (TCP)
Transmission Control Protocol (TCP) takes large blocks of
information from an application and breaks them into segments.
It numbers and sequences each segment so that the destination’s
TCP protocol can put the segments back into the order the
application intended. After these segments are sent, TCP (on the
transmitting host) waits for an acknowledgment of the receiving
end’s TCP virtual circuit session, retransmitting those that aren’t
acknowledged.
TCP provides full-duplex, acknowledged, and flow-controlled
service to upper-layer protocols. It moves data in a continuous,
unstructured byte stream in which bytes are identified by
sequence numbers. TCP can support numerous simultaneous
upper-layer conversations. The TCP packet format is shown in
Figure 7-6.
The fields of the TCP packet are described here:
• Source port and destination port—Identify the points
(sockets) at which upper-layer source and destination
processes receive TCP services.
• Sequence number—Usually specifies the number assigned
to the first byte of data in the current message. Under certain
circumstances, it can also be used to identify an initial
sequence number to be used in the upcoming transmission.
• Acknowledgment number—Contains the sequence number
of the next byte of data that the sender of the packet expects
to receive.
• Data offset—Indicates the number of 32-bit words in the
TCP header.
• Reserved—Is reserved for future use.
• Flags—Carries a variety of control information.
• Window—Specifies the size of the sender’s receive window
(buffer space available for incoming data).
• Checksum—Provides information used to determine whether
the header was damaged in transit.
• Urgent pointer—Points to the first urgent data byte in the
packet.
• Options—Specifies various TCP options.
• Data—Contains upper-layer information.
UDP
UDP is a much simpler protocol than TCP and is useful in
situations in which the reliability mechanisms of TCP are not
necessary. The UDP header has only four fields: Source Port,
Destination Port, Length, and UDP Checksum. The Source and
Destination Port fields serve the same functions as they do in the
TCP header. The Length field specifies the length of the UDP
header and data, and the UDP Checksum field allows packet
integrity checking. The UDP checksum is optional.
Upper-Layer Protocols
The Internet Protocol suite includes many upper-layer protocols
representing a wide variety of applications, including network
management, file transfer, distributed file services, terminal
emulation, and electronic mail. Table 7-1 maps the best-known
Internet upper-layer protocols to the applications that they
support.

Table 7-1 Internet Protocol/Application Mapping (with Common
Port Numbers)

Application: WWW browser
Protocols: HTTP (TCP port 80)
The Hypertext Transfer Protocol (HTTP) is used by Web browsers
and servers to transfer the files that make up web pages.

Application: File transfer
Protocols: FTP (TCP ports 20 and 21)
The File Transfer Protocol (FTP) provides a way to move files
between computer systems.

Application: Terminal emulation
Protocols: Telnet (TCP port 23)
Telnet allows virtual terminal emulation. The Telnet protocol
provides terminal emulation services over a reliable TCP stream.
The Telnet protocol also specifies how a client and server should
negotiate the use of certain features and options.

Application: Electronic mail
Protocols: SMTP (TCP port 25), POP3 (TCP port 110), IMAP4
(TCP port 143)
The Simple Mail Transfer Protocol (SMTP) is used to transfer
electronic mail between mail servers, and is used by mail clients
to send mail. Mail clients do not generally use SMTP to receive
mail. Instead, they use either the Post Office Protocol version 3
(POP3) or the Internet Message Access Protocol (IMAP); this
will be discussed in greater detail later in this chapter.

Application: Network management
Protocols: SNMP (UDP port 161)
The Simple Network Management Protocol (SNMP) is a network
management protocol used for reporting anomalous network
conditions and setting network threshold values.

Application: Distributed file services
Protocols: NFS, XDR, RPC (UDP port 111), X Windows (UDP
ports 6000-6063)
X Windows is a popular protocol that permits intelligent
terminals to communicate with remote computers as if they were
directly attached. Network file system (NFS), external data
representation (XDR), and remote-procedure call (RPC) combine
to allow transparent access to remote network resources.

These and other network applications use the services of TCP/IP
and other lower-layer Internet protocols to provide users with
basic network service.
Comparison of TCP and UDP
In most cases we want reliability in web access, email
communication, file uploading… as we don’t expect a few
corrupted packets to destroy our whole work. With TCP, these
corrupted packets will be resent or repaired to make sure
everything is correct. Yes, TCP is really nice for ensuring your
work is accurate!
But at a price…
To guarantee the sent segments are free of error, TCP adds some
bits for tracking and checking purposes so that the other end can
verify and ask for missing pieces of segments. As a result, the
segments become larger and consume more bandwidth and CPU
resources to process.
Although UDP cannot guarantee everything is accurate like TCP,
UDP is faster than TCP because it does not require additional
bits for tracking and checking purposes. So which tasks need
speed? Video (streaming) and audio are ideal for this because
they are considered real-time applications. Suppose you are
talking to your friend: surely you want your voice to reach your
friend without any delay. It would be very weird if your friend
could only hear your voice after a few seconds.
Note: Segment is the name of the data packet at the Transport
layer
TCP can also slow down the transmission if it sees the path to
the destination is too crowded. You don’t want TCP to slow
down your voice in traffic-jam hours either. For example, when
you say “Hello, how are you?”, your friend at the other end may
hear “Hellooooo…… hooooooooow arrrrrrrre yyyyyoou”. What
an awful conversation!
Losing a few packets for voice or video is acceptable. For
example, if you say the word “Hello” in one second, an IP
phone generates about 25 to 100 packets (just an estimation, it
depends on the codec and sampling frequency) so your friend
can still understand what you say even if a few packets are
missing. Moreover, retransmitting the missing packets is not
useful as voice and video are real-time applications and the
receiving end cannot wait for the missing segments to be resent.
So now we have some basic understanding of TCP and UDP. In
the next part we will learn more about TCP. Let’s start with how
TCP sets up and terminates a connection.
TCP three-way handshake (to start the communication)
Suppose host A wants to start communicating with host B using
TCP. Before they can send real data, a three-way handshake
must be established first. Let’s see how this process takes place:
1. First host A will send a SYN message (a TCP segment with
the SYN flag set to 1; SYN is short for SYNchronize) to indicate
it wants to set up a connection with host B. This message
includes a sequence (SEQ) number for tracking purposes. This
sequence number can be any 32-bit number (range from 0 to
2^32) so we use “x” to represent it.
2. After receiving the SYN message from host A, host B replies
with a SYN-ACK message (some books may call it a “SYN/ACK”
or “SYN, ACK” message; ACK is short for ACKnowledge).
This message includes a SYN sequence number and an ACK
number:
+ The SYN sequence number (let’s call it “y”) is a random
number and does not have any relationship with Host A’s SYN
SEQ number.
+ The ACK number is the next number after Host A’s SYN
sequence number, so we represent it with “x+1”. It means “I
received your part. Now send me the next part (x + 1)”.
The SYN-ACK message indicates host B accepts talking to host
A (via the ACK part) and asks if host A still wants to talk to it
as well (via the SYN part).
3. After Host A receives the SYN-ACK message from host B, it
sends an ACK message with ACK number “y+1” to host B.
This confirms host A still wants to talk to host B.
If you are still unclear about this process, let’s assign x = 1 and
y = 50:
In this process, three messages need to be sent, so we often call
it a “three-way handshake”.
Nice, now you really understand TCP three-way handshake,
right? Host A can start sending real traffic to host B after the
three-way handshake process.
TCP also does nearly the same thing when one end wants to
terminate the connection with TCP four-way termination
process.
TCP four-way termination (to end the communication)
Suppose Host A wants to end the connection to host B. Host A
will send a FIN message (a TCP segment with the FIN flag set to
1); FIN is short for FINISH. The purpose of the FIN message is
to enable TCP to gracefully terminate an established connection.
Host A then enters a state called the FIN-WAIT state. In the
FIN-WAIT state, Host A continues to receive TCP segments
from Host B and process the segments already in the queue, but
Host A will not send any additional data.
Host B will confirm it has received the FIN message with an
ACK (with sequence x+1). From this point, Host B will no
longer accept data from Host A. Host B can continue sending
data to Host A. If Host B does not have any more data to send, it
will also terminate the connection by sending a FIN message.
Host A will then ACK that segment and terminate the
connection.
TCP requires establishing and terminating the connection before
and after exchanging real traffic, so it is called a connection-
oriented protocol. UDP does not support these features, so it is
called a connectionless protocol.
More formally, these terms can be defined as follows:
+ Connection-oriented protocol: requires a logical connection
to be established between the two processes before data is
exchanged
+ Connectionless protocol: allows data to be exchanged without
setting up a link between processes
In conclusion, TCP requires the establishment (via three-way
handshake) and termination (via four-way termination) of a
connection.
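The three-way handshake and four-way termination above, as an added simulation that is not part of the tutorial: each host is a small TCP state machine, started with the page's x = 1 and y = 50. Because the SYN consumes one sequence number, the FIN exchange continues from seq 2; the state names follow the TCP specification.

```python
"""TCP connection setup and teardown as two endpoint state machines (added
example, not from the page). Only the flags, SEQ and ACK fields are modelled
and no data is exchanged, so each SYN and FIN occupies exactly one sequence
number, as in real TCP. Initial sequence numbers are the tutorial's x = 1
and y = 50.
"""
from typing import List, Optional, Tuple


class Endpoint:
    def __init__(self, name: str, isn: int):
        self.name, self.state = name, "CLOSED"
        self.snd_nxt = isn          # next sequence number we will send
        self.rcv_nxt = None         # next sequence number we expect from the peer

    def _segment(self, flags: Tuple[str, ...]) -> dict:
        seg = {"from": self.name, "flags": flags, "seq": self.snd_nxt,
               "ack": self.rcv_nxt if "ACK" in flags else None}
        if "SYN" in flags or "FIN" in flags:
            self.snd_nxt += 1       # SYN and FIN each consume one sequence number
        return seg

    def listen(self) -> None:
        self.state = "LISTEN"

    def open(self) -> dict:
        """Active open: send SYN (seq x) and enter SYN-SENT."""
        self.state = "SYN-SENT"
        return self._segment(("SYN",))

    def close(self) -> dict:
        """Active close from ESTABLISHED: send FIN and enter FIN-WAIT-1."""
        self.state = "FIN-WAIT-1"
        return self._segment(("FIN", "ACK"))

    def close_passive(self) -> dict:
        """CLOSE-WAIT side has no more data: send its own FIN, enter LAST-ACK."""
        self.state = "LAST-ACK"
        return self._segment(("FIN", "ACK"))

    def receive(self, seg: dict) -> Optional[dict]:
        """Apply one incoming segment; return the reply segment, if any."""
        flags = set(seg["flags"])
        if "SYN" in flags or "FIN" in flags:
            self.rcv_nxt = seg["seq"] + 1          # acknowledge the peer's SYN/FIN
        acks_us = "ACK" in flags and seg["ack"] == self.snd_nxt
        if self.state == "LISTEN" and flags == {"SYN"}:
            self.state = "SYN-RECEIVED"
            return self._segment(("SYN", "ACK"))   # seq y, ack x+1
        if self.state == "SYN-SENT" and flags == {"SYN", "ACK"} and acks_us:
            self.state = "ESTABLISHED"
            return self._segment(("ACK",))         # ack y+1
        if self.state == "SYN-RECEIVED" and acks_us:
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED" and "FIN" in flags:
            self.state = "CLOSE-WAIT"              # peer stopped sending; we may still send
            return self._segment(("ACK",))
        if self.state == "FIN-WAIT-1" and acks_us:
            self.state = "FIN-WAIT-2"
            return None
        if self.state == "FIN-WAIT-2" and "FIN" in flags:
            self.state = "TIME-WAIT"
            return self._segment(("ACK",))
        if self.state == "LAST-ACK" and acks_us:
            self.state = "CLOSED"
            return None
        return None


def exchange(sender: Endpoint, receiver: Endpoint, seg: Optional[dict]) -> List[dict]:
    """Deliver segments back and forth until one side has nothing to send."""
    log: List[dict] = []
    while seg is not None:
        log.append(seg)
        seg = receiver.receive(seg)
        sender, receiver = receiver, sender
    return log


def three_way_handshake(a: Endpoint, b: Endpoint) -> List[dict]:
    b.listen()
    return exchange(a, b, a.open())


def four_way_termination(a: Endpoint, b: Endpoint) -> List[dict]:
    first_half = exchange(a, b, a.close())                  # FIN from A, ACK from B
    return first_half + exchange(b, a, b.close_passive())   # FIN from B, ACK from A
```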
TCP Features
Some popular TCP features we will learn here are: Multiplexing
using port numbers, Flow control using windowing, and
Reliability (Error Detection and Error recovery)
Multiplexing using port numbers
Suppose you are using a laptop for web browsing, email
communication and FTP uploading at the same time. All of
them require TCP while your laptop only has one IP address
(with one network card), so how does your laptop know which
packets received from the Internet are meant for which
application?
The question above is solved with port numbers. Each
application will use a different available port number to
communicate with the outside world. For example, your laptop
can choose port 50000 for web browsing, port 50001 for email
communication and port 50002 for FTP uploading.
Notice that your laptop can choose any available source port but
it must use pre-defined destination ports for well-known
services. Port numbers are defined in three ranges:
+ Well-known port numbers (0 through 1023): assigned to key
or core services that systems offer
+ Registered port numbers (1024 through 49151): assigned to
industry applications and processes (for example, 1433 is
assigned to the Microsoft SQL Server process)
+ Dynamic port numbers (49152 through 65535): used as
temporary ports for specific communications. Our laptop can
use these ports for communication
The table below lists TCP ports for well-known services:

TCP Service   Description                            Port
FTP           File Transfer Protocol                 20, 21
SSH           Secure shell                           22
Telnet        Terminal network                       23
SMTP          Simple Mail Transfer Protocol          25
DNS           Domain Name Server                     53
HTTP          Hyper Text Transfer Protocol           80
NTP           Network Time Protocol                  123
HTTPS         Hyper Text Transfer Protocol Secure    443

Note: There are some other well-known ports that are not listed
here. The well-known ports are assigned by the Internet
Assigned Numbers Authority (IANA) in the range of 0 to 1023.
Multiplexing relies on a concept called a socket. A socket
consists of three things:
+ An IP address
+ A transport protocol
+ A port number
So, suppose the IP address on our laptop is 123.1.1.1 and it
uses TCP to access a web server with port 50000; we may write
the socket as (123.1.1.1, TCP, 50000). For the web server
application running on the Web Server with IP 200.1.1.1 the
socket should be (200.1.1.1, TCP, 80) as the web server uses the
well-known port 80 for HTTP.
The socket on each computer is unique, so the connection
between two sockets on two computers identifies a unique
connection between them. Therefore, you can use multiple
applications on the same computer at the same time. Each
application will use a unique source port so they cannot interfere
with each other. We have only mentioned source ports, but
notice the TCP header requires both a source port and a
destination port. That means if our laptop wants to connect to a
Web Server it must include the destination port in the TCP
header as well. The destination port for the Web Server in this
case is 80. When the Web Server replies to our laptop, it uses
the laptop’s source port as its destination port (50000 in this
case).
Note: Both TCP and UDP use multiplexing with port numbers
for their services.
Flow-control using windowing
In the TCP header there is a field called “Window” which plays
an important role in TCP transmission. A “Window” specifies
the number of segments the sender can forward without
receiving an acknowledgment. It is the key to transferring data
and controlling flow efficiently. Let’s see how it works!
After the TCP connection has been established, both the client
and server use this Window field to tell the other how many
bytes of data it is willing to receive at one time before sending
an acknowledgement to the sender. The larger the window size
number (in bytes), the greater the amount of data that the host
can transmit. For example, with a Window size of 1 (byte),
every byte must be acknowledged before sending the next one.
But waiting for an ACK after each segment would be very
inefficient. So, TCP tries to increase the Window size to 3
(bytes), which means three bytes can be received before sending
the acknowledgement.
As you can see, the bigger the Window size, the fewer ACKs
need to be sent and the more efficient the transmission is. So,
the receiver will try to increase the Window size after each
successful transmission so that the sender can send more. But
the Window size cannot increase forever: TCP stops increasing
the Window size when the receiver does not send an ACK
(within a specific time period) or when the Window size reaches
its maximum value. If congestion occurs on the link then TCP
may decrease the Window size.
The window size is variable during the lifetime of a connection,
so we often refer to it as a “sliding window”.
If the sender does not receive the ACK in time, it knows that the
segments should be resent and that the transmission rate should
be slowed down. Suppose Host A did not receive the expected
ACK 7; then it knows segments 4, 5, 6 should be resent.

Reliability (Error Detection and Error recovery)
This is the most important feature of TCP. TCP must recover
from data that is damaged, lost or duplicated during the
transmission. But please grasp the difference between error
detection and error recovery first:
+ Error detection: the detection of errors during the
transmission. Error detection does not repair corrupted data, it
just detects it
+ Error recovery: the detection of errors and repairing them
To achieve error detection, TCP adds some extra bits to the data,
called a checksum. A TCP sender computes the checksum value
based on the contents of the TCP header and data fields. This
16-bit value is compared with the value the receiver generates
using the same computation. If the values match, the receiver
can believe that the segment arrived intact. If the values do not
match, the receiver indicates an error occurred and the segment
is discarded; whether a notification is sent depends on how the
TCP stack is implemented on the receiver’s operating system.
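Parsing the TCP and UDP header fields listed earlier in this chapter and verifying the checksum described here, as an added example that is not code from the page. The sample segments are built with the page's laptop and web-server addresses and ports (123.1.1.1:50000 and 200.1.1.1:80) and the manager address 10.10.10.12 from the SNMP configuration; `build_tcp`, `build_udp` and `corrupt` are helpers of this example, and IPv4 is assumed so the checksum also covers a pseudo-header.

```python
"""Parse TCP/UDP headers and verify the 16-bit checksum used for error
detection (added example, not from the page). Sample segments are constructed
here; IPv4 is assumed, so the checksum covers a pseudo-header (source IP,
destination IP, protocol, length) plus the transport header and data.
"""
import ipaddress
import struct
from typing import Dict, List

TCP, UDP = 6, 17
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5 of the flags field


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                      # odd length is padded for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, proto: int, length: int) -> bytes:
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, proto, length))


def parse_tcp(segment: bytes) -> Dict[str, object]:
    """Decode the fixed 20-byte TCP header, then options and data by data offset."""
    (sport, dport, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4        # data offset is counted in 32-bit words
    flags: List[str] = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    kind = ("SYN-ACK" if "SYN" in flags and "ACK" in flags
            else "SYN" if "SYN" in flags else "ACK" if "ACK" in flags else "other")
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "data_offset": header_len, "flags": flags, "kind": kind,
            "window": window, "checksum": checksum, "urgent_pointer": urgent,
            "options": segment[20:header_len], "data": segment[header_len:]}


def parse_udp(datagram: bytes) -> Dict[str, object]:
    """UDP has only four header fields; a zero checksum means 'not computed'."""
    sport, dport, length, checksum = struct.unpack("!HHHH", datagram[:8])
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum": checksum, "data": datagram[8:length]}


def verify_checksum(src_ip: str, dst_ip: str, proto: int, segment: bytes) -> bool:
    """An undamaged segment plus pseudo-header sums to all ones, i.e. complements to 0."""
    if proto == UDP and struct.unpack("!H", segment[6:8])[0] == 0:
        return True                           # optional UDP checksum was not computed
    return internet_checksum(pseudo_header(src_ip, dst_ip, proto, len(segment)) + segment) == 0


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window, data=b""):
    """Build a TCP segment (no options) with a correct checksum; used for sample input."""
    flag_bits = sum(1 << TCP_FLAG_NAMES.index(f) for f in flags)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flag_bits, window, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, TCP, len(header) + len(data)) + header + data)
    return header[:16] + struct.pack("!H", csum) + header[18:] + data


def build_udp(src_ip, dst_ip, sport, dport, data):
    """Build a UDP datagram with its checksum (0 is reserved, so 0 becomes 0xFFFF)."""
    length = 8 + len(data)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, UDP, length) + header + data) or 0xFFFF
    return header[:6] + struct.pack("!H", csum) + data


def corrupt(segment: bytes, index: int) -> bytes:
    """Flip one bit: a segment damaged in transit that the receiver must discard."""
    damaged = bytearray(segment)
    damaged[index] ^= 0x01
    return bytes(damaged)


# Constructed samples: the page's laptop (123.1.1.1, port 50000) and web server (200.1.1.1, port 80).
LAPTOP_IP, SERVER_IP = "123.1.1.1", "200.1.1.1"
SAMPLE_SYN = build_tcp(LAPTOP_IP, SERVER_IP, 50000, 80, seq=1, ack=0, flags=["SYN"], window=65535)
SAMPLE_SYN_ACK = build_tcp(SERVER_IP, LAPTOP_IP, 80, 50000, seq=50, ack=2, flags=["SYN", "ACK"], window=65535)
# Constructed UDP sample to the SNMP manager address from the page, on SNMP's UDP port 161.
SAMPLE_UDP = build_udp(LAPTOP_IP, "10.10.10.12", 50001, 161, b"constructed payload")
```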
To achieve error recovery, TCP uses the Sequence number (at
the sender’s side) and Acknowledgement fields (at the receiver’s
side) in the TCP header. These two fields are also used to find
out lost, duplicated segments. Let’s see an example.
In the transmission below, host A sends three segments 1, 2, 3 to
host B. Segment 2 was lost while segment 3 arrived at Host B.
Then Host B replied with an ACK 2, implying that it is
expecting segment 2 next. Host A can re-send another segment 2
to recover the lost segment. If Host B receives that segment it
will ask for segment 4 (because it already has segment 3).
Error recovery
You may ask “what will happen if the ACK 2 sent from Host B
is also lost?” In fact, after sending each segment Host A sets a
retransmission timer, just in case the ACK is lost (or all the
sent segments are lost; Host B would not send an ACK in this
case because it did not receive anything). If this timer expires,
Host A will send all the segments again.
Note: UDP does support error detection (via checksum) but it
does not support error recovery. If UDP finds a corrupted
segment, it simply drops it.
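The windowing, lost-segment and lost-ACK scenarios above, as an added simulation that is not part of the tutorial: a sender with a fixed window and a retransmission timer, and a receiver that answers every segment with a cumulative ACK, run over a channel whose losses are constructed. One repeated ACK triggers a resend here, where real TCP waits for three duplicate ACKs.

```python
"""Sliding-window sender with cumulative ACKs and a retransmission timer over a
lossy channel (added example, not from the page). Scenario 1 reproduces the
tutorial's figure: segments 1, 2, 3 are sent, segment 2 is lost, the receiver
answers ACK 2 and, once 2 is resent, asks for 4. Scenario 2 loses the ACKs, so
the timer expires and the whole window (4, 5, 6) is resent, as in the "ACK 7"
example. Segment numbers stand in for byte sequence numbers; the loss sets are
constructed and apply to the first transmission of each segment or ACK number.
Simplification: one repeated ACK triggers a resend (real TCP waits for three).
"""
from typing import Dict, List, Set


class Receiver:
    """Delivers in-order data, buffers out-of-order segments, ACKs next expected."""
    def __init__(self):
        self.expected = 1
        self.buffered: Set[int] = set()
        self.delivered: List[int] = []

    def receive(self, seg: int) -> int:
        if seg == self.expected:
            self.delivered.append(seg)
            self.expected += 1
            while self.expected in self.buffered:       # drain what arrived early
                self.buffered.remove(self.expected)
                self.delivered.append(self.expected)
                self.expected += 1
        elif seg > self.expected:
            self.buffered.add(seg)                       # keep it, still ask for the gap
        return self.expected                             # cumulative ACK number


class Sender:
    def __init__(self, total: int, window: int):
        self.total, self.window = total, window
        self.base = 1             # oldest unacknowledged segment
        self.next_seq = 1         # next new segment to send
        self.events: List[str] = []

    def send_window(self) -> List[int]:
        """Send as many new segments as the window allows without an ACK."""
        sent = []
        while self.next_seq <= self.total and self.next_seq < self.base + self.window:
            sent.append(self.next_seq)
            self.next_seq += 1
        return sent

    def on_ack(self, ack: int) -> List[int]:
        """Slide the window; an ACK that repeats base means base was lost."""
        if ack > self.base or self.base > self.total:
            self.base = max(self.base, ack)
            return []
        self.events.append(f"ACK {ack} repeats base -> resend {self.base}")
        return [self.base]

    def on_timeout(self) -> List[int]:
        """Retransmission timer fired: resend everything from base."""
        self.next_seq = self.base
        resend = self.send_window()
        self.events.append(f"timer expired -> resend {resend}")
        return resend


def simulate(total: int, window: int, lost_segments: Set[int], lost_acks: Set[int]) -> Dict[str, object]:
    sender, receiver = Sender(total, window), Receiver()
    dropped_segs: Set[int] = set()
    dropped_acks: Set[int] = set()
    trace: List[str] = []
    in_flight = sender.send_window()
    for _ in range(50):                                   # safety bound on rounds
        if sender.base > total:
            break
        if not in_flight:                                 # nothing in flight: timer fires
            in_flight = sender.on_timeout()
        acks_received: List[int] = []
        for seg in in_flight:
            if seg in lost_segments and seg not in dropped_segs:
                dropped_segs.add(seg)
                trace.append(f"seg {seg} lost")
                continue
            ack = receiver.receive(seg)
            trace.append(f"seg {seg} -> ACK {ack}")
            if ack in lost_acks and ack not in dropped_acks:
                dropped_acks.add(ack)
                trace.append(f"ACK {ack} lost")
                continue
            acks_received.append(ack)
        in_flight = []
        for ack in acks_received:
            in_flight += sender.on_ack(ack)
        in_flight += sender.send_window()                 # refill the window after sliding
        if not acks_received:
            in_flight = sender.on_timeout()               # no ACK at all: timer expires
    return {"trace": trace, "delivered": receiver.delivered, "events": sender.events}
```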
Let’s sum up everything we have learned about TCP and UDP so
far.
Same:
+ Both TCP and UDP operate at the Transport Layer
+ Both TCP and UDP use Multiplexing via port numbers
Difference:

TCP                                        UDP
Reliable                                   Unreliable
Connection-oriented                        Connectionless
Segment retransmission and flow control    No retransmission or windowing
through windowing
Segment sequence                           No sequencing
Acknowledge segment                        No acknowledgement
Start and end the communication by         No action is required before and
three-way handshake and four-way           after sending real data
termination

Finally, we show the TCP and UDP headers in detail for your
reference. There are some fields which are out of the scope of
this tutorial.

TCP Header
(20 bytes)
Note the flag fields (between the “Reserved” and “Window Size”
fields). If the SYN bit is set, it is a SYN message. If the ACK bit
is set, it is an ACK message. If both the SYN and ACK bits are
set, it is a SYN-ACK message.
And this is the UDP header:
UDP Header
(8 bytes)

For more details about TCP please visit the Cisco site:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/xe-3s/iap-xe-3s-book/iap-tcp.html

Internet Protocol (IP):


Internet Protocol (IP) essentially is the Internet layer. The other
protocols found here merely exist to support it. IP holds the big
picture and could be said to “see all,” in that it’s aware of all the
interconnected networks. It can do this because all the machines
on the network have a software, or logical, address called an IP
address, which I’ll cover more thoroughly later in this chapter.
_IP looks at each packet’s address. Then, using a routing table, it
decides where a packet is to be sent next, choosing the best path.
_The protocols of the Network Access layer at the bottom of the
DoD model don’t possess IP’s enlightened scope of the entire
network; they deal only with physical links (local networks).
_Identifying devices on networks requires answering these two
questions: Which network is it on? And what is its ID on that
network? The first answer is the software address, or logical
address (the correct street). The second answer is the hardware
address (the correct mailbox).
_IP receives segments from the Host-to-Host layer and
fragments them into datagrams (packets) if necessary. IP then
reassembles datagrams back into segments on the receiving side.


Each datagram is assigned the IP address of the sender and of
the recipient. Each router (layer 3 device) that receives a
datagram makes routing decisions based on the packet’s
destination IP address.
Figure 2.6 shows an IP header. This will give you an idea of
what the IP protocol has to go through every time user data is
sent from the upper layers and is to be sent to a remote network.
The following fields make up the IP header:
Version IP version number.
Header Length Header length (HLEN) in 32-bit words.
ToS with IP Precedence Bits Type of Service tells how the
datagram should be handled. The first 3 bits are the priority bits.
Total length Length of the packet including header and data.
Identifier Unique IP-packet value.
Flags Specifies whether fragmentation should occur.
Frag offset Provides fragmentation and reassembly if the packet
is too large to put in a frame. It also allows different maximum
transmission units (MTUs) on the Internet.
TTL The time to live (TTL) is set into a packet when it is
originally generated. If it doesn’t get to where it wants to go
before the TTL expires, boom—it’s gone. This stops IP packets
from continuously circling the network looking for a home.
Protocol Protocol number of the upper-layer protocol (6 for TCP,
17 for UDP). Also supports Network layer protocols.
Header checksum Cyclic redundancy check (CRC) on header
only.
Source IP address 32-bit IP address of sending station.
Destination IP address 32-bit IP address of the station this
packet is destined for.
IP options Used for network testing, debugging, security, and
more.
Data After the IP option field will be the upper-layer data.
Internet Control Message Protocol (ICMP) ICMP works at
the Network layer and is used by IP for many different
services. ICMP is a management protocol and messaging service
provider for IP. Its messages are carried as IP datagrams.
ICMP performs a number of tasks within an IP internetwork, the
principal of which is reporting routing failures back to the
source of a datagram. In addition, ICMP provides helpful
messages such as the following:
• Echo and reply messages to test node reachability across an
internetwork
• Redirect messages to stimulate more efficient routing
• Time exceeded messages to inform sources that a datagram
has exceeded its allocated time to exist within the
internetwork
• Router advertisement and router solicitation messages to
determine the addresses of routers on directly attached
subnetworks
Example: ICMP echo request and reply diagram.
The following are some common events and messages that
ICMP relates to:
Destination Unreachable If a router can’t send an IP datagram
any further, it uses ICMP to send a message back to the sender,
advising it of the situation. For example, if a router receives
a packet destined for a network that the router doesn’t know
about, it will send an ICMP Destination Unreachable message
back to the sending station.
Buffer Full If a router’s memory buffer for receiving incoming
datagrams is full, it will use ICMP to send out this message until
the congestion finishes.
Hops Each IP datagram is allotted a certain number of routers,
called hops, to pass through.
If it reaches its limit of hops before arriving at its destination,
the last router to receive that datagram deletes it. The
executioner router then uses ICMP to send an obituary message,
informing the sending machine of the demise of its datagram.
In short, a hop count of 15 is the maximum in the RIP protocol;
beyond that, the router sends back an ICMP message reporting
that the destination is unreachable.
Ping Ping (Packet Internet Groper) uses ICMP echo messages to
check the physical and logical connectivity of machines on an
internetwork.
Example: ping <hostname, domain or IP address> checks the
availability of that host.
Traceroute: Using ICMP timeouts, traceroute is used to
discover the path a packet takes as it passes an internetwork or
network(s).
ICMP messages are sent in several situations: for example, when
a datagram cannot reach its destination, when the gateway does
not have the buffering capacity to forward a datagram, and when
the gateway can direct the host to send traffic on a shorter route.
The Internet Protocol is not designed to be absolutely reliable.
The purpose of these control messages is to provide feedback
about problems in the communication environment, not to make
IP reliable. There are still no guarantees that a datagram will be
delivered or a control message will be returned. Some datagrams
may still be undelivered without any report of their loss. The
higher-level protocols that use IP must implement their own
reliability procedures if reliable communication is required. The
ICMP messages typically report errors in the processing of
datagrams. To avoid the infinite regress of messages about
messages, no ICMP messages are sent about ICMP messages.
IP implementations are required to support this protocol. ICMP
is considered an integral part of IP, although it is architecturally
layered upon IP. ICMP provides error reporting, flow control
and first-hop gateway redirection.

MAC header | IP header | ICMP header | Data :::

ICMP header:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |     Code      |     ICMP header checksum      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Data :::                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type. 8 bits.
Specifies the format of the ICMP message.

Type    Description                               References
0       Echo reply.                               RFC 792
1       Unassigned.
2       Unassigned.
3       Destination unreachable.                  RFC 792
4       Source quench.                            RFC 792
5       Redirect.                                 RFC 792
6       Alternate host address.
7       Unassigned.
8       Echo request.                             RFC 792
9       Router advertisement.                     RFC 1256
10      Router solicitation.                      RFC 1256
11      Time exceeded.                            RFC 792
12      Parameter problem.                        RFC 792
13      Timestamp request.                        RFC 792
14      Timestamp reply.                          RFC 792
15      Information request. Obsolete.            RFC 792
16      Information reply. Obsolete.              RFC 792
17      Address mask request.                     RFC 950
18      Address mask reply.                       RFC 950
19      Reserved (for security).
20-29   Reserved (for robustness experiment).
30      Traceroute.                               RFC 1393
31      Conversion error.                         RFC 1475
32      Mobile Host Redirect.
33      IPv6 Where-Are-You.
34      IPv6 I-Am-Here.
35      Mobile Registration Request.
36      Mobile Registration Reply.
37      Domain Name request.                      RFC 1788
38      Domain Name reply.                        RFC 1788
39      SKIP Algorithm Discovery Protocol.
40      Photuris, Security failures.              RFC 2521
41      Experimental mobility protocols.          RFC 4065
42-255  Reserved.
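An added example (not from the original notes) that decodes the IP header fields listed earlier and the ICMP Type/Code/checksum header above. It verifies both checksums with the RFC 791/RFC 1071 one's-complement sum that IP and ICMP use; the packet bytes, addresses (192.168.1.101 to 192.168.1.1) and identifiers are constructed for the example.

```python
"""Parsing an IPv4 header and the ICMP message it carries, with checksum checks.

Added example, not from the original notes. The packet bytes are constructed
inline (an echo request from 192.168.1.101 to 192.168.1.1). The checksum is the
RFC 791 / RFC 1071 one's-complement sum over 16-bit words used by IP and ICMP.
"""

import struct

# Subset of the ICMP type table above, enough to name the common messages.
ICMP_TYPES = {0: "Echo reply", 3: "Destination unreachable", 4: "Source quench",
              5: "Redirect", 8: "Echo request", 9: "Router advertisement",
              10: "Router solicitation", 11: "Time exceeded", 12: "Parameter problem",
              13: "Timestamp request", 14: "Timestamp reply",
              17: "Address mask request", 18: "Address mask reply", 30: "Traceroute"}
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}     # values of the IP Protocol field
IP_ID = 0x1C46                                    # constructed Identification value


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of all 16-bit words, carries folded back, inverted.
    Verifying: the sum over a header that includes its own checksum gives 0."""
    if len(data) % 2:
        data += b"\x00"                           # pad an odd trailing byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                            # fold carries out of 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed 20-byte header fields listed above (options are skipped)."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                    # header length is in 32-bit words
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "flags": flags_frag >> 13,                # 3-bit field: 010 = DF, 001 = MF
        "frag_offset": (flags_frag & 0x1FFF) * 8, # offset is in 8-byte units
        "ttl": ttl,
        "protocol_number": proto,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum_ok": internet_checksum(packet[:ihl]) == 0,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "payload": packet[ihl:total_len],
    }


def parse_icmp(message: bytes) -> dict:
    """Type, code and checksum; the ICMP checksum covers the whole message."""
    icmp_type, code, _csum = struct.unpack("!BBH", message[:4])
    return {
        "type": icmp_type,
        "name": ICMP_TYPES.get(icmp_type, "Unassigned/other"),
        "code": code,
        "checksum_ok": internet_checksum(message) == 0,
        "rest": message[4:],                      # identifier, sequence, data for echo
    }


def build_echo_request(src: str, dst: str, ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed sample: IPv4 header (DF set, TTL 64) + ICMP echo request."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), IP_ID,
                      0x4000, 64, 1, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


SAMPLE = build_echo_request("192.168.1.101", "192.168.1.1", 0x1234, 1, b"ping")

if __name__ == "__main__":
    ip = parse_ipv4(SAMPLE)
    print(ip)
    print(parse_icmp(ip["payload"]))
```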

Address Resolution Protocol (ARP)


Address Resolution Protocol (ARP) finds the hardware address
of a host from a known IP address. Here’s how it works: When
IP has a datagram to send, it must inform a Network Access
protocol, such as Ethernet or Token Ring, of the destination’s
hardware address on the local network. (It has already been
informed by upper-layer protocols of the destination’s IP
address.) If IP doesn’t find the destination host’s hardware
address in the ARP cache, it uses ARP to find this information.
As IP’s detective, ARP interrogates the local network by
sending out a broadcast asking the machine with the specified IP
address to reply with its hardware address. So basically, ARP
translates the software (IP) address into a hardware address, for
example the destination machine’s Ethernet board address, and
from it deduces its whereabouts on the LAN by broadcasting for
this address.
Figure: ARP
Reverse Address Resolution Protocol (RARP)
When an IP machine happens to be a diskless machine, it has no
way of initially knowing its IP address. But it does know its
MAC address. Reverse Address Resolution Protocol (RARP)
discovers the identity of the IP address for diskless machines by
sending out a packet that includes its MAC address and a
request for the IP address assigned to that MAC address. A
designated machine, called a RARP server, responds with the
answer, and the identity crisis is over.
RARP uses the information it does know about the machine’s
MAC address to learn its IP address and complete the machine’s
ID portrait.

Proxy Address Resolution Protocol (Proxy ARP)


On a network, your hosts can’t have more than one default
gateway configured. Think about this. What if the default-
gateway (router) happens to go down? The host won’t just start
sending to another router automatically—you’ve got to
reconfigure that host. But Proxy ARP can actually help
machines on a subnet reach remote subnets without configuring
routing or even a default gateway.
Binary to Decimal and Hexadecimal Conversion
Before we continue discussing the TCP/IP protocol stack and IP
addressing, it’s really important for you to truly understand the
differences between binary, decimal, and hexadecimal numbers,
and how to convert one format into the other. So, we’ll start
with binary numbering. It’s pretty simple, really. The digits used
are limited to either a 1 (one) or a 0 (zero), with each digit being
called one bit (short for binary digit). Typically, you count either
4 or 8 bits together, with these being referred to as a nibble or a
byte, respectively.
What interests us in binary numbering is the value represented in
a decimal format—the typical decimal format being the base 10
number scheme that we’ve all used since kindergarten. The
binary numbers are placed in a value spot: starting at the right
and moving left, with each spot having double the value of the
previous spot. Table 2.4 shows the decimal values of each bit
location in a nibble and a byte. Remember, a nibble is 4 bits and
a byte is 8 bits.
Let me clarify things. If we have a 1 placed in each spot of our
nibble, we would then add up
8 + 4 + 2 + 1, to give us a maximum value of 15. Another
example for our nibble values would
be 1010, which means that the 8 bits and the 2 bits are turned on,
which equals a decimal value of 10. If we have a nibble binary
value of 0110, then our decimal value would be 6, because the 4
and 2 bits are turned on. But the byte values can add up to a
value that’s significantly higher than 15. This is how: If we
counted every bit as a one (1), then the byte binary value would
look like this (remember, 8 bits equal a byte): 11111111
We would then count up every bit spot because each is turned on.
It would look like this:
128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255
which demonstrates the maximum value of a byte.
There are plenty of other decimal values that a binary number
can equal. Let’s work through a few examples:
10010110
Which bits are on? The 128, 16, 4, and 2 bits are on, so we’ll
just add them up: 128 + 16 + 4 + 2 = 150.
01101100
Which bits are on? The 64, 32, 8, and 4 bits are on, so we just
need to add them up: 64 + 32 + 8 + 4 = 108.
11101000
Which bits are on? The 128, 64, 32 and 8 bits are on, so just add
the values up: 128 + 64 + 32 + 8 = 232.
Table 2.5 is a table you should memorize before braving the
subnetting section in Chapter 3.
TABLE 2.5 Binary to Decimal Memorization Chart
Binary Value Decimal Value
10000000 128
11000000 192
11100000 224
11110000 240
11111000 248
11111100 252
11111110 254
11111111 255

Hexadecimal Value Binary Value Decimal Value
0 0000 0
1 0001 1
2 0010 2
3 0011 3
4 0100 4
5 0101 5
6 0110 6
7 0111 7
8 1000 8
9 1001 9
A 1010 10
B 1011 11
C 1100 12
D 1101 13
E 1110 14
F 1111 15
Example conversion, binary to hexadecimal: 10110101 = B5
IP Addressing
One of the most important topics in any discussion of TCP/IP is
IP addressing. An IP address is a numeric identifier assigned to
each machine on an IP network. It designates the specific
location of a device on the network.
An IP address is a software address, not a hardware address—
the latter is hard-coded on a Network Interface Card (NIC) and
used for finding hosts on a local network.
IP Terminology
Throughout this chapter you’ll learn several important terms
vital to your understanding of the Internet Protocol. Here are a
few to get you started:
Bit A bit is one digit, either a 1 or a 0.
Byte A byte is 7 or 8 bits, depending on whether parity is used.
For the rest of this chapter, always assume a byte is 8 bits.
Octet An octet, made up of 8 bits, is just an ordinary 8-bit
binary number. In this chapter, the terms byte and octet are
completely interchangeable.
Network address This is the designation used in routing to send
packets to a remote network—for example, 10.0.0.0,
172.16.0.0, and 192.168.10.0.
Broadcast address The address used by applications and hosts
to send information to all nodes on a network is called the
broadcast address. Examples include 255.255.255.255, which is
all networks, all nodes; 172.16.255.255, which is all subnets and
hosts on network 172.16.0.0; and 10.255.255.255, which
broadcasts to all subnets and hosts on network 10.0.0.0.
The Hierarchical IP Addressing Scheme
An IP address consists of 32 bits of information. These bits are
divided into four sections, referred to as octets or bytes, each
containing 1 byte (8 bits). You can represent an IP address using
either of the following methods:
_ Dotted-decimal, as in 172.16.30.56
_ Binary, as in 10101100.00010000.00011110.00111000
Network Addressing
The network address (which can also be called the network
number) uniquely identifies each network. Every machine on the
same network shares that network address as part of its IP
address. In the IP address 172.16.30.56, for example, 172.16 is
the network address.
The node address is assigned to, and uniquely identifies, each
machine on a network. This part of the address must be unique
because it identifies a particular machine—an individual—as
opposed to a network, which is a group. This number can also be
referred to as a host address. In the sample IP address
172.16.30.56, the 30.56 is the node address.
Network Address Range: Class A
The designers of the IP address scheme said that the first bit of
the first byte in a Class A network address must always be off,
or 0. This means a Class A address must be between 0 and 127,
inclusive.
0xxxxxxx
If we turn the other 7 bits all off and then turn them all on, we’ll
find the Class A range of network addresses:
00000000 = 0
01111111 = 127
So, a Class A network is defined in the first octet between 0 and
127, and it can’t be less or more. (yes, I know 0 and 127 are not
valid in a class A network—I’ll talk about illegal addresses in a
minute.)
Network Address Range: Class B
In a Class B network, the RFCs state that the first bit of the first
byte must always be turned on, but the second bit must always
be turned off. If you turn the other 6 bits all off and then all on,
you will find the range for a Class B network:
10000000 = 128
10111111 = 191
As you can see, a Class B network is defined when the first byte
is configured from 128 to 191.
Network Address Range: Class C
For Class C networks, the RFCs define the first 2 bits of the first
octet as always turned on, but the third bit can never be on.
Following the same process as the previous classes, convert
from binary to decimal to find the range. Here’s the range for a
Class C network:
11000000 = 192
11011111 = 223
So, if you see an IP address that starts at 192 and goes to 223,
you’ll know it is a Class C IP address.
Network Address Ranges: Classes D and E
The addresses between 224 and 255 are reserved for Class D
and E networks. Class D (224–239) is used for multicast
addresses and Class E (240–255) for scientific purposes, but I’m
not going into these types of addresses in this book (and you
don’t need to know them).
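The place-value method and the class ranges above, as an added Python example (not from the original notes); the sample addresses it prints are the ones used in this chapter.

```python
"""Binary, decimal and hexadecimal conversion of IPv4 octets, and the classful
ranges derived from the leading bits of the first octet.

Added example, not from the original notes; it applies the place-value method
above to whole dotted-decimal addresses.
"""

PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)   # value of each bit position in a byte
HEX_DIGITS = "0123456789ABCDEF"


def binary_to_decimal(bits: str) -> int:
    """Add up the place values of the bits that are on: 10010110 -> 128+16+4+2."""
    bits = bits.replace(" ", "")
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"expected 8 binary digits, got {bits!r}")
    return sum(value for bit, value in zip(bits, PLACE_VALUES) if bit == "1")


def decimal_to_binary(value: int) -> str:
    """Walk the place values from 128 down; a bit is on when the value still fits."""
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of range: {value}")
    bits = []
    for place in PLACE_VALUES:
        if value >= place:
            bits.append("1")
            value -= place
        else:
            bits.append("0")
    return "".join(bits)


def binary_to_hex(bits: str) -> str:
    """Each nibble becomes one hex digit: 1011 0101 -> B5."""
    bits = bits.replace(" ", "")
    if len(bits) != 8:
        raise ValueError(f"expected 8 binary digits, got {bits!r}")
    high, low = bits[:4], bits[4:]
    return "".join(HEX_DIGITS[binary_to_decimal(nibble.rjust(8, "0"))]
                   for nibble in (high, low))


def ip_to_binary(address: str) -> str:
    """172.16.30.56 -> 10101100.00010000.00011110.00111000"""
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal address: {address}")
    return ".".join(decimal_to_binary(o) for o in octets)


def binary_to_ip(binary: str) -> str:
    """The reverse: dotted binary back to dotted decimal."""
    return ".".join(str(binary_to_decimal(o)) for o in binary.split("."))


# Leading bits of the first octet fix the class (the ranges above):
# 0 -> A (0-127), 10 -> B (128-191), 110 -> C (192-223),
# 1110 -> D (224-239, multicast), 1111 -> E (240-255, reserved).
CLASS_PREFIXES = (("0", "A"), ("10", "B"), ("110", "C"), ("1110", "D"), ("1111", "E"))


def ip_class(address: str) -> str:
    first_octet_bits = ip_to_binary(address).split(".")[0]
    for prefix, cls in CLASS_PREFIXES:
        if first_octet_bits.startswith(prefix):
            return cls
    raise AssertionError("unreachable: every bit pattern matches one prefix")


if __name__ == "__main__":
    for addr in ("10.0.0.9", "172.16.30.56", "192.168.10.32", "224.0.0.9"):
        print(addr, ip_to_binary(addr), "class", ip_class(addr))
```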
Network Addresses: Special Purpose
Some IP addresses are reserved for special purposes, so network
administrators can’t ever assign these addresses to nodes. Table
2.7 lists the members of this exclusive little club and the reasons
why they’re included in it.
TABLE 2.7 Reserved IP Addresses
Address                            Function
Network address of all 0s          Interpreted to mean “this network or segment.”
Network address of all 1s          Interpreted to mean “all networks.”
Network 127.0.0.1                  Reserved for loopback tests. Designates the local node and allows that node to send a test packet to itself without generating network traffic.
Node address of all 0s             Interpreted to mean “network address” or any host on the specified network.
Node address of all 1s             Interpreted to mean “all nodes” on the specified network; for example, 128.2.255.255 means “all nodes” on network 128.2 (Class B address).
Entire IP address set to all 0s    Used by Cisco routers to designate the default route. Could also mean “any network.”
Entire IP address set to all 1s    (Same as 255.255.255.255.) Broadcast to all nodes on the current network; sometimes called an “all 1s broadcast” or limited broadcast.
Class A Addresses
In a Class A network address, the first byte is assigned to the
network address, and the three remaining bytes are used for the
node addresses. The Class A format is:
network.node.node.node
For example, in the IP address 49.22.102.70, the 49 is the
network address, and 22.102.70 is the node address. Every
machine on this particular network would have the distinctive
network address of 49. Class A network addresses are one byte
long, with the first bit of that byte reserved and the 7 remaining
bits available for manipulation (addressing). As a result, the
maximum number of Class A networks that can be created is
128. Why? Because each of the 7 bit positions can be either a 0
or a 1, thus 2^7 or 128. To complicate matters further, the
network address of all 0s (0000 0000) is reserved to designate
the default route (see Table 2.7 in the previous section).
_Additionally, the address 127, which is reserved for
diagnostics, can’t be used either, which means that you can
really only use the numbers 1 to 126 to designate Class A
network addresses. This means the actual number of usable
Class A network addresses is 128 minus 2, or 126.
_Each Class A address has three bytes (24 bit positions) for the
node address of a machine.
This means there are 2^24, or 16,777,216, unique combinations
and, therefore, precisely that many possible unique node
addresses for each Class A network. Because node addresses
with the two patterns of all 0s and all 1s are reserved, the actual
maximum usable number of nodes for a Class A network is 2^24
minus 2, which equals 16,777,214. Either way, that’s a huge
number of hosts on a network segment!
Private IP Addresses
The people who created the IP addressing scheme also created
what we call private IP addresses. These addresses can be used
on a private network, but they’re not routable through the
Internet. This is designed for the purpose of creating a measure
of well-needed security, but it also conveniently saves valuable
IP address space. To translate private IP addresses to public IP
addresses (Internet addresses), we use Network Address
Translation (NAT), which we discuss later.
Address Class Reserved address space
Class A 10.0.0.0 through 10.255.255.255
Class B 172.16.0.0 through 172.31.255.255
Class C 192.168.0.0 through 192.168.255.255
Broadcast Addresses
Even though I’ve referred to broadcast addresses throughout
Chapters 1 and 2, I really haven’t gone into their different terms
and uses. Here are the four different types I’d like to define:
Layer 2 broadcasts These are sent to all nodes on a LAN.
Broadcasts (layer 3) These are sent to all nodes on the network.
Unicast These are sent to a single destination host.
Multicast These are packets sent from a single source, and
transmitted to many devices on different networks.
First, understand that layer 2 broadcasts are also known as
hardware broadcasts—they only go out on a LAN, and they
usually don’t go past the LAN boundary (router) unless they
become a unicast packet (discussed in a minute). The typical
hardware address is 6 bytes (48 bits) and looks something like
0c.43.a4.f3.12.c2. The broadcast would be all 1s in binary and
all Fs in hexadecimal, as in FF.FF.FF.FF.FF.FF.
Network Address Translation NAT Tutorial
To go to the Internet, we need to get a public IP address, and it is
unique all over the world. If each host in the world required a
unique public IP address, we would have run out of IP addresses
years ago. But by using Network Address Translation (NAT) we
can save tons of IP addresses for later use. We can understand
NAT like this:
“NAT allows a host that does not have a valid registered IP
address to communicate with other hosts through the Internet.”
For example, your computer is assigned a private IP address of
10.0.0.9 and of course this address can not be routed on the
internet but you can still access the internet. This is because your
router (or modem) translates this address into a public IP
address, 123.12.23.1 for example, before routing your data into
the internet.

Of course, when your router receives a reply packet destined for
123.12.23.1 it will convert it back to your private IP 10.0.0.9
before sending that packet to you.
Maybe you will ask “hey, I don’t see any difference of using
NAT to save tons of IP addresses because you still need a public
IP address for each host to access the Internet and it doesn’t save
you anything, why you need to use NAT?”
Ok, you are right :), in the above example we don’t see its
usefulness but you now understand the fundamental of NAT!
Let’s take another example!
Suppose your company has 500 employees but your Internet
Service Provider (ISP) only gives you 50 public IP addresses. It
means that you can only allow 50 hosts to access the internet at
the same time. Here NAT comes to save your life!
One thing you should notice is that in real life, not all of your
employees use the Internet at the same time. Say, maybe 50 of
them use the Internet to read the newspaper in the morning; 50
others use the Internet at noon to check mail… By using NAT,
you can dynamically assign these 50 public IP addresses to those
who really need them at that time. This is called dynamic NAT.
But the above NAT solution does not solve our problem
completely, because on some days there can be more than 50
people surfing the web in the morning. In this case, only the first
50 people can access the Internet; the others must wait their turn.
Another problem is that, in fact, your ISP gives you far fewer IP
addresses than 50, because each public IP is very precious now.
To solve the two problems above, another feature of NAT can
be used: NAT Overload, sometimes called Port Address
Translation (PAT).
PAT permits multiple devices on a local area network (LAN) to
be mapped to a single public IP address with different port
numbers; hence the name port address translation. When using
PAT, the router maintains unique source port numbers on the
inside global IP address to distinguish between translations. In
the example below, each host is assigned the same public IP
address 123.1.1.1 but with different port numbers (from 1000 to
1002).
Note: Cisco uses the term inside local for the private IP
addresses and inside global for the public IP addresses
substituted by the router. The outside host’s IP address can also
be changed with NAT. The outside global address represents the
outside host with a public IP address that can be used for routing
in the public Internet. The last term, outside local address, is the
private address of an external device as it is referred to by
devices on its own local network. You can think of the outside
local address as the inside local address of the external device at
the other end of the Internet.
Maybe you will ask how many ports we can use for each IP.
Well, because the port number field has 16 bits, PAT can
support about 2^16 ports, which is more than 64,000 connections
using one public IP address.
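A small PAT translation-table simulation as an added example (not from the original notes, and not Cisco IOS behaviour): the inside global address 123.1.1.1 and ports 1000 to 1002 follow the text; the outside server 203.0.113.10:80 and the inside 10.x.x.x hosts are constructed.

```python
"""Simulation of a NAT overload (PAT) translation table.

Added example, not from the original notes. All addresses are constructed:
inside hosts use private 10.x.x.x addresses, the single inside global address
is 123.1.1.1 as in the text, and the outside server is 203.0.113.10:80.
"""


class PatRouter:
    """Many inside local address:port pairs share one inside global address;
    the router tells translations apart by the source port it assigns."""

    def __init__(self, inside_global: str, first_port: int = 1000, last_port: int = 65535):
        self.inside_global = inside_global
        self.free_ports = list(range(first_port, last_port + 1))
        self.outbound = {}   # (proto, inside_local, inside_port, outside, outside_port) -> global port
        self.inbound = {}    # (proto, global port, outside, outside_port) -> outbound key

    def translate_out(self, proto, inside_local, inside_port, outside, outside_port):
        """Packet leaving the LAN. Returns the rewritten (src, sport, dst, dport),
        or None when no port is free and the router has to drop the packet."""
        key = (proto, inside_local, inside_port, outside, outside_port)
        port = self.outbound.get(key)
        if port is None:                          # new flow: allocate a global port
            if not self.free_ports:
                return None
            port = self.free_ports.pop(0)
            self.outbound[key] = port
            self.inbound[(proto, port, outside, outside_port)] = key
        return (self.inside_global, port, outside, outside_port)

    def translate_in(self, proto, outside, outside_port, global_port):
        """Reply arriving from the Internet at inside_global:global_port.
        Returns (inside_local, inside_port), or None when no translation
        matches: that packet cannot be delivered, which is why PAT hides the
        inside hosts from unsolicited outside traffic."""
        key = self.inbound.get((proto, global_port, outside, outside_port))
        if key is None:
            return None
        _, inside_local, inside_port, _, _ = key
        return (inside_local, inside_port)

    def close(self, proto, inside_local, inside_port, outside, outside_port):
        """Flow finished: return the global port to the pool."""
        key = (proto, inside_local, inside_port, outside, outside_port)
        port = self.outbound.pop(key, None)
        if port is not None:
            del self.inbound[(proto, port, outside, outside_port)]
            self.free_ports.append(port)
        return port

    def active_translations(self) -> int:
        return len(self.outbound)


def demo():
    """Three inside hosts reach the same web server through one public address;
    the pool is deliberately limited to ports 1000-1002 as in the text."""
    router = PatRouter("123.1.1.1", first_port=1000, last_port=1002)
    server = ("203.0.113.10", 80)
    results = [router.translate_out("tcp", host, 4000, *server)
               for host in ("10.0.0.9", "10.0.0.10", "10.0.0.11")]
    fourth = router.translate_out("tcp", "10.0.0.12", 4000, *server)    # pool exhausted
    reply = router.translate_in("tcp", server[0], server[1], 1001)      # answer for 10.0.0.10
    unsolicited = router.translate_in("tcp", "198.51.100.7", 443, 1003)  # no table entry
    return results, fourth, reply, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```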
Now you have learned the most useful features of NAT, but let’s
summarize all of them:
There are two types of NAT translation: dynamic and static.
Static NAT: Designed to allow one-to-one mapping between
local and global addresses. This flavor requires you to have one
real Internet IP address for every host on your network.
Dynamic NAT: Designed to map an unregistered IP address to
a registered IP address from a pool of registered IP addresses.
You don’t have to statically configure your router to map an
inside to an outside address as in static NAT, but you do have to
have enough real IP addresses for everyone who wants to send
packets through the Internet. With dynamic NAT, you can
configure the NAT router with more IP addresses in the inside
local address list than in the inside global address pool. As hosts
send traffic, the router allocates registered public IP addresses
from the inside global pool until all are allocated. If all the public
IP addresses are already allocated, the router discards the packet
that requires a public IP address.
PAT (NAT Overloading): is also a kind of dynamic NAT that
maps multiple private IP addresses to a single public IP address
(many-to-one) by using different ports. Static NAT and
Dynamic NAT both require a one-to-one mapping from the
inside local to the inside global address. By using PAT, you can
have thousands of users connect to the Internet using only one
real global IP address. PAT is the technology that helps us not
run out of public IP address on the Internet. This is the most
popular type of NAT.
Besides, NAT gives you the option to advertise only a single
address for your entire network to the outside world. Doing this
effectively hides the internal network from the public world,
giving you some additional security for your network.
NAT terms:
* Inside local address – The IP address assigned to a host on
the inside network. The address is usually not an IP address
assigned by the Internet Network Information Center (InterNIC)
or service provider. This address is likely to be an RFC 1918
private address. 
* Inside global address – A legitimate IP address assigned by
the InterNIC or service provider that represents one or more
inside local IP addresses to the outside world. 
* Outside local address – The IP address of an outside host as
it is known to the hosts on the inside network. 
* Outside global address – The IP address assigned to a host
on the outside network. The owner of the host assigns this
address.
Subnetting Basics
In Chapter 2, you learned how to define and find the valid host
ranges used in a Class A, Class B, and Class C network address
by turning the host bits all off and then all on. This is very good,
but here’s the catch: You were only defining one network. What
happens if you wanted to take one network address and create
six networks from it? You would have to do something called
subnetting, because that’s what allows you to take one larger
network and break it into a bunch of smaller networks. There are
loads of reasons in favor of subnetting. Some of the benefits
include:
Reduced network traffic
We all appreciate less traffic of any kind. Networks are no
different. Without trusty routers, packet traffic could grind the
entire network down to a near standstill. With routers, most
traffic will stay on the local network; only packets destined for
other networks will pass through the router. Routers create
broadcast domains. The more broadcast domains you create, the
smaller the broadcast domains and the less network traffic on
each network segment.
Optimized network performance
This is a result of reduced network traffic.
Simplified management
It’s easier to identify and isolate network problems in a group of
smaller connected networks than within one gigantic network.
Facilitated spanning of large geographical distances
Because WAN links are considerably slower and more
expensive than LAN links, a single large network that spans
long distances can create problems in every area listed above.
Connecting multiple smaller networks makes the system more
efficient.
How to Create Subnets
To create subnetworks, you take bits from the host portion of the
IP address and reserve them to define the subnet address. This
means fewer bits for hosts, so the more subnets, the fewer bits
available for defining hosts.
Subnet Masks
For the subnet address scheme to work, every machine on the
network must know which part of the host address will be used
as the subnet address. This is accomplished by assigning a
subnet mask to each machine. A subnet mask is a 32-bit value
that allows the recipient of IP packets to distinguish the network
ID portion of the IP address from the host ID portion of the IP
address.
The network administrator creates a 32-bit subnet mask
composed of 1s and 0s. The 1s in the subnet mask represent the
positions that refer to the network or subnet addresses.
Class   Format                          Default Subnet Mask
A       network.node.node.node          255.0.0.0
B       network.network.node.node       255.255.0.0
C       network.network.network.node    255.255.255.0
Classless Inter-Domain Routing (CIDR)
Another term you need to familiarize yourself with is Classless
Inter-Domain Routing (CIDR).
It’s basically the method that ISPs (Internet Service Providers)
use to allocate an amount of addresses to a company, a home—a
customer. They provide addresses in a certain block size,
something I’ll be going into in greater detail later in this chapter.
When you receive a block of addresses from an ISP, what you
get will look something like this: 192.168.10.32/28. This is
telling you what your subnet mask is. The slash notation (/)
means how many bits are turned on (1s). Obviously, the
maximum could only be /32 because a byte is 8 bits and there
are four bytes in an IP address (4 × 8 = 32). But keep in mind
that the largest subnet mask available (regardless of the class of
address) can only be a /30 because you’ve got to keep at least 2
bits for host bits.
Subnet Mask        CIDR Value
255.0.0.0          /8
255.128.0.0        /9
255.192.0.0        /10
255.224.0.0        /11
255.240.0.0        /12
255.248.0.0        /13
255.252.0.0        /14
255.254.0.0        /15
255.255.0.0        /16
255.255.128.0      /17
255.255.192.0      /18
255.255.224.0      /19
255.255.240.0      /20
255.255.248.0      /21
255.255.252.0      /22
255.255.254.0      /23
255.255.255.0      /24
255.255.255.128    /25
255.255.255.192    /26
255.255.255.224    /27
255.255.255.240    /28
255.255.255.248    /29
255.255.255.252    /30
For subnetting, one must be familiar with the binary and decimal
number systems.
Binary system:
It is based on two digits (0, 1), e.g. 179 = 1011 0011.
How it works:
(10110011) base 2, with the place value of each bit:
1    0    1    1    0    0    1    1
2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Working on the place values (mapping), we add the bits that are
on to get the decimal number 179:
2^7 + 2^5 + 2^4 + 2^1 + 2^0
= (2*2*2*2*2*2*2) + (2*2*2*2*2) + (2*2*2*2) + (2*1) + 1
= 128 + 32 + 16 + 2 + 1 = 179
Decimal system:
It is based on 10 digits (0, 1, 2, 3, 4, 5, 6, 7, 8, 9) with base 10.
0     0     0     0     0     0     1     7     9
10^8  10^7  10^6  10^5  10^4  10^3  10^2  10^1  10^0
(1*100) + (7*10) + (9*1) = 100 + 70 + 9 = 179
We need the binary number scheme for subnetting:
2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
128  64   32   16   8    4    2    1
If the bits in all place values are ON, we get 255 after adding
them.
Let's take another example of binary and decimal:
234 base 10 = 11101010 base 2
43 base 10 = 00101011 base 2
IP addresses & binary
An IP address is 32 bits: 4 octets, and each octet is 8 bits.
For example, the IP address 192.168.1.101 in decimal is
11000000.10101000.00000001.01100101 in binary.
Network address:
By ANDing the IP address and the net mask we get the network address.
For example, the IP address is 192.168.1.101 and the subnet mask is /24,
which means 255.255.255.0.
Let's do the Boolean algebra AND operation:
11000000 10101000 00000001 01100101   (192.168.1.101)
11111111 11111111 11111111 00000000   (255.255.255.0)
-------------------------------------------------------
11000000 10101000 00000001 00000000   (192.168.1.0)
192.168.1.0 is the network address.
Note: it is the router's job to AND the IP address with the
subnet mask to find the network address.
Subnetting – The quick & easy way
One important thing we should notice is that a valid subnet mask
must have all bit “1”s and “0”s successive, in which the “1” bits
must be on the left and the “0” bits must be on the right.
Therefore, we only have 8 situations:
Table 2 – lists all valid subnet masks
This is a very important table to do subnetting quickly! Please take
some time to learn it by heart. Make sure you remember the
right-most bit “1” position (the least significant bit 1, shown
in red in the above table) and their equivalent decimal values.
In most cases, this table is used to quickly convert a number
from decimal to binary value without any calculation. For
example, you can quickly convert the 4th octet of the subnet
mask 255.255.255.248 to 11111000. Or if you are given a
subnet of /29 you will know it equals 255.255.255.248 (by
thinking “/24 is the default subnet mask of class C, so /29 will
have the right-most bit “1” at the 5th position”).
Try to practice with these questions:
+ “/28” in binary form?
+ “255.255.224.0” in binary form?
+ “255.192.0.0” in slash notation form?
+ “/26” in binary form?
+ “255.128.0.0” in binary form?
+ “248.0.0.0” in slash notation form?
(Please try to solve them by yourself before reading the solution)
Answers:
+ /28 -> 1111 1111.1111 1111.1111 1111.1111 0000
+ 255.255.224.0 -> 1111 1111.1111 1111.1110 0000.0000 0000
+ 255.192.0.0 -> /10
+ /26 -> 1111 1111.1111 1111.1111 1111.1100 0000
+ 255.128.0.0 -> 1111 1111.1000 0000.0000 0000.0000 0000
+ 248.0.0.0 -> /5
How to find out the increment number?
The increment is the heart of subnetting; if you can find out the
increment, you can find all the information to solve a subnetting
question. So, it is usually the first thing you must find out in a
subnetting question.
The increment number is the number specifying how “big” your
subnets are. Let’s take an example of the increment number! Do
you remember the subnets in “Exercise 3” in the previous part?
By changing bits in the Network part, we found out 4 subnets:
+ First subnet: 198.23.16.0/30 (the 4th octet is 00000000)
+ Second subnet: 198.23.16.4/30 (the 4th octet is 00000100)
+ Third subnet: 198.23.16.8/30 (the 4th octet is 00001000)
+ Fourth subnet: 198.23.16.12/30 (the 4th octet is 00001100)
In this case the increment is 4 (in the 4th octet) because the
“difference” between two successive subnets is 4 (from 0 -> 4;
from 4 -> 8; from 8 -> 12)
There are 2 popular ways to find out the increment number:
1) Use the formula:
Increment = 256 – x
In which “x” is the first octet (counting from the left) which is
smaller than 255 in a subnet mask. For example:
+ In a subnet mask of 255.224.0.0 -> x = 224
+ In a subnet mask of /29 -> x = 248 (because /29 =
255.255.255.248)
+ In a subnet mask of 1111 1111.1111 1100.0000 0000.0000
0000 -> x = 252
In the case you see a subnet mask of 255.255.255.255 (which is
very rare in CCNA), x = 255
Note: Also remember which octet “x” belongs to because we
have to add the increment to that octet.
Now let’s solve Exercise 3 again by using this formula:
Exercise 3 once again (with the formula 256 – x):
Your company has just been assigned the network
198.23.16.0/28. How many subnets and hosts-per-subnet can
you create with a subnet mask of 255.255.255.252?
The subnet mask is 255.255.255.252 -> x = 252 (x belongs to the
4th octet). Therefore, the Increment = 256 – 252 = 4
The initial network 198.23.16.0/28 is also the first subnet, so:
+ The first subnet: 198.23.16.0/30
+ The second subnet: 198.23.16.4/30 because the increment is 4,
so we add it to the network address to get the next network
address (0 + 4 = 4)
+ The third subnet: 198.23.16.8/30 (4 + 4 = 8)
+ The fourth subnet: 198.23.16.12/30 (8 + 4 = 12)
Note: We know there are only 4 subnets because we borrow 2
bits.
2) Learn by heart the decimal value of the rightmost bit “1”
in the subnet mask:
Another way to find the increment value is to write “x” in
binary: 11110000. Consider the rightmost bit “1”; the decimal
value of this bit is the increment value. In this case it equals
16.
The table below summarizes the decimal values of bit “1”
depending on its position. To use this method, you should learn
this table by heart:
Table 3 – How to find out the increment based on the “least-significant” (rightmost) bit 1
Now let’s solve Exercise 3 again by using this method:
Exercise 3 once again (with the “decimal value of the rightmost
bit 1” method):
Your company has just been assigned the network
198.23.16.0/28. How many subnets and hosts-per-subnet can
you create with a subnet mask of 255.255.255.252?
First use Table 2 to convert 252 to 1111 1100. The decimal
value of the rightmost bit “1” is 4 (according to Table 3) -> The
Increment is 4.
After finding out the increment we can deduce the 4 subnets it
creates.
The initial network 198.23.16.0/28 is also the first subnet, so:
+ The first subnet: 198.23.16.0/30
+ The second subnet: 198.23.16.4/30 because the increment is 4,
so we add it to the network address to get the next network
address (0 + 4 = 4)
+ The third subnet: 198.23.16.8/30 (4 + 4 = 8)
+ The fourth subnet: 198.23.16.12/30 (8 + 4 = 12)
Note: We should only choose one method to use and try to
practice, practice & practice more with it. Practice until you can
solve any subnetting question within 20 seconds!
Maybe you will ask why 256 can help you find the increment. In
fact, by using the formula Increment = 256 – x you are trying to
separate the rightmost bit “1” from the other bits:
256 – x = 255 – x + 1
In which “255 – x” will convert all “0” bits to “1”s and all
“1” bits to “0”s, while the “+1” part will make our result have only
one bit “1” left. For example, if x = 240 then:
255 – 240 = 15 (11110000 -> 00001111), and 15 + 1 = 16 (00010000)
So, in fact we can say the two above methods are the same!
Subnetting Class C Addresses
There are many different ways to subnet a network. The right
way is the way that works best for you. First, I’ll show you how
to use the binary method, and then we’ll look at an easier way to
do the same thing. In a Class C address, only 8 bits are available
for defining the hosts. Remember that subnet bits start at the left
and go to the right, without skipping bits. This means that the
only Class C subnet masks can be the following:
Binary     Decimal   CIDR
---------------------------------------------------------
10000000 = 128       /25
11000000 = 192       /26
11100000 = 224       /27
11110000 = 240       /28
11111000 = 248       /29
11111100 = 252       /30
We can’t use a /31 or /32 because we have to have at least 2 host
bits for assigning IP addresses to hosts.
Example 1: 192.168.3.55/24
255.255.255.0 is given in the exam question.
Question: To which network does this host IP address belong?
Solution: convert the IP address and subnet mask into binary
numbers first.
192      . 168      . 3        . 55
11000000 . 10101000 . 00000011 . 00110111
255      . 255      . 255      . 0
11111111 . 11111111 . 11111111 . 00000000
-----------------------------------------
After the logical AND operation:
11000000 . 10101000 . 00000011 . 00000000
Equal to decimal:
192      . 168      . 3        . 0
Example 2. To which network does the given IP address belong?
192.168.3.55/28
255.255.255.240
11000000.10101000.00000011.00110111
11111111.11111111.11111111.11110000
After the logical AND operation:
----------------------------------------------------
11000000.10101000.00000011.00110000
192.168.3.48
Answer.
The rightmost “1” bit of the subnet mask indicates the
magic number, which we will discuss later on.
Example 3:
Given IP address = 192.168.1.55
                    N   N   N   H
Note: N = Network, H = Host,
subnet mask = 255.255.255.192 (/26)
Solution: we know the default subnet mask of a classful C address
is 255.255.255.0, so we borrow two subnet bits from the host
portion. 192 or /26 = 11000000; here the two 1s in the octet of
interest (the last octet of the subnet mask) are the borrowed bits.
So, the question is: is the above IP address a usable host, a network
address, or something else? We answer it below.
Subnets = 2^(subnet bits) = 2^2 = 4, the total number of subnetworks.
How many hosts per network?
2^(host bits), the six remaining 0 bits:
= 2*2*2*2*2*2 = 64 addresses per network.
The important thing here is the magic number. The rightmost 1 in
the subnet mask octet 192 = 11000000 sits in the 7th place (counting
from the right), so we find the decimal value of the 7th place of
the binary system for this octet:
1    1    0    0    0    0    0    0
128  64   32   16   8    4    2    1
So, the magic number (MN) is 64, and our subnetworks start from 0
and go up by increments of 64 for 4 subnetworks, as listed below.
Subnetwork 1: 192.168.1.0     usable/valid hosts: 192.168.1.1 - 192.168.1.62
Subnetwork 2: 192.168.1.64    usable/valid hosts: 192.168.1.65 - 192.168.1.126
Subnetwork 3: 192.168.1.128   usable/valid hosts: 192.168.1.129 - 192.168.1.190
Subnetwork 4: 192.168.1.192   usable/valid hosts: 192.168.1.193 - 192.168.1.254
As 192 + 64 = 256 and 256 - 1 = 255 is the broadcast in the last
octet of subnetwork 4, we find the broadcasts of the first 3
subnetworks in the same fashion, as listed below.
Broadcast addresses:
Subnetwork 1 = 192.168.1.63
Subnetwork 2 = 192.168.1.127
Subnetwork 3 = 192.168.1.191
Subnetwork 4 = 192.168.1.255
Conclusion: we conclude from the above subnetworks that IP
address 192.168.1.55 is a valid host address in the 1st network,
192.168.1.0
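The AND operation, the increment and the subnet listing above, written out as an added Python example (not code from this chapter). It follows the chapter's own method (mask as 32 bits, network = IP AND mask, increment taken from the first mask octet below 255, subnets produced by adding the increment) and also covers the class A and class B cases later in the chapter; the function names are mine.

```python
"""Subnet arithmetic the way this chapter does it: the mask as 32 bits, the
network address as IP AND mask, the increment (magic number) from the first
mask octet below 255, and subnets enumerated by adding that increment.
Added example for the chapter's worked problems, not code from the original."""


def prefix_to_mask(prefix):
    """/n -> 32-bit mask with the n leftmost bits set (e.g. /28 -> 255.255.255.240)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def ip_to_int(dotted):
    """Dotted decimal -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted):
    """Dotted decimal -> dotted binary (192.168.1.101 -> 11000000.10101000.00000001.01100101)."""
    return ".".join(format(int(o), "08b") for o in dotted.split("."))


def mask_to_prefix(mask):
    """255.255.224.0 -> 19; a mask whose 1s are not all on the left is rejected."""
    value = ip_to_int(mask)
    prefix = bin(value).count("1")
    if prefix_to_mask(prefix) != value:
        raise ValueError(f"{mask} is not a valid subnet mask (1s must be contiguous)")
    return prefix


def increment(prefix):
    """Return (octet index 0-3, increment) for a prefix, computed both ways the
    chapter gives: 256 - x, and the decimal value of the rightmost 1 bit of x,
    where x is the first mask octet (from the left) smaller than 255."""
    octets = [(prefix_to_mask(prefix) >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    for idx, x in enumerate(octets):
        if x < 255:
            if x == 0:                    # whole octet is host bits: step by 1 one octet to the left
                return max(idx - 1, 0), 1
            by_formula = 256 - x
            by_rightmost_one = x & -x     # two's-complement trick isolates the lowest set bit
            assert by_formula == by_rightmost_one  # the two methods are the same
            return idx, by_formula
    return 3, 1                           # /32: every octet is 255, a single address


def classify(dotted, prefix):
    """Network, broadcast and host range of dotted/prefix, plus whether the
    given address is the network address, the broadcast address or a host."""
    if prefix > 30:
        raise ValueError("the chapter keeps at least 2 host bits, so /30 is the longest mask")
    mask = prefix_to_mask(prefix)
    ip = ip_to_int(dotted)
    network = ip & mask                            # the AND a router performs
    broadcast = network | (~mask & 0xFFFFFFFF)     # host bits all 1
    role = "network" if ip == network else "broadcast" if ip == broadcast else "host"
    return {
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
        "usable_hosts": 2 ** (32 - prefix) - 2,
        "role": role,
    }


def subnets(network, base_prefix, new_prefix):
    """All subnets of network/base_prefix when re-masked to /new_prefix, in order
    (Exercise 3: 198.23.16.0/28 with 255.255.255.252 gives four /30s, 4 apart)."""
    if not base_prefix <= new_prefix <= 30:
        raise ValueError("new prefix must be between the base prefix and /30")
    base = ip_to_int(network) & prefix_to_mask(base_prefix)
    step = 2 ** (32 - new_prefix)                  # the increment, as a count of addresses
    return [f"{int_to_ip(base + i * step)}/{new_prefix}"
            for i in range(2 ** (new_prefix - base_prefix))]


if __name__ == "__main__":
    print(to_binary("192.168.1.101"))
    print(increment(28), subnets("198.23.16.0", 28, 30))
    for addr, pfx in (("192.168.1.55", 26), ("192.168.2.47", 28), ("110.8.67.101", 15)):
        print(addr, f"/{pfx}", classify(addr, pfx))
```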
Practice Example #3: 255.255.255.240 (/28), another
method for subnetting.
Let’s practice on another one:
192.168.10.0 = Network address
255.255.255.240 = Subnet mask
_ Subnets? 240 is 11110000 in binary. 2^4 = 16.
_ Hosts? 4 host bits, or 2^4 – 2 = 14.
_ Valid subnets? 256 – 240 = 16. Start at 0. 0 + 16 = 16. 16 + 16
= 32. 32 + 16 = 48. 48 + 16 = 64. 64 + 16 = 80. 80 + 16 = 96.
96 + 16 = 112. 112 + 16 = 128. 128 + 16 = 144. 144 + 16 = 160.
160 + 16 = 176. 176 + 16 = 192. 192 + 16 = 208. 208 + 16 = 224.
224 + 16 = 240.
_ Broadcast address for each subnet?
_ Valid hosts?
To answer questions 4 and 5, check out the following table. It
gives you the subnets, valid hosts, and broadcast addresses for
each subnet. First, find the address of each subnet using the
block size (increment). Second, find the broadcast address of
each subnet increment (it’s always the number right before the
next valid subnet), then just fill in the host addresses. The
following table shows the available subnets, hosts, and broadcast
addresses provided from a Class C 255.255.255.240 mask.
Cisco has figured out that most people cannot count in sixteens
and therefore have a hard time finding valid subnets, hosts, and
broadcast addresses with the Class C 255.255.255.240 mask.
You’d be wise to study this mask.
Practice Example #4: 255.255.255.248 (/29)
Let’s keep practicing:
192.168.10.0 = Network address
255.255.255.248 = Subnet mask
_ Subnets? 248 in binary = 11111000. 2^5 = 32.
_ Hosts? 2^3 – 2 = 6.
_ Valid subnets? 256 – 248 = 8, so the subnets are 0, 8, 16, 24, 32,
40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, 128, 136, 144, 152,
160, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240, and 248.
_ Broadcast address for each subnet?
_ Valid hosts?
Subnets, first and last hosts, and broadcast addresses for the Class C
255.255.255.240 (/28) mask (the table referred to in Practice Example #3):
Subnet      0    16   32   48   64   80   96   112  128  144  160  176  192  208  224  240
First host  1    17   33   49   65   81   97   113  129  145  161  177  193  209  225  241
Last host   14   30   46   62   78   94   110  126  142  158  174  190  206  222  238  254
Broadcast   15   31   47   63   79   95   111  127  143  159  175  191  207  223  239  255
Scenario based Question 1
Q. The Admin network has 44 users and the teacher network has 123
users. Which CIDR slash-notation subnet mask is appropriate to
accommodate the users?
a. /24
b. /25
c. /27
d. /26
Answer
b.
Explanation: /24 supports 255 hosts, /25 accommodates 128 hosts,
/26 supports 64 hosts and /27 accommodates 32 hosts. Option b is
the closest fit, as the magic number is 128 and the usable hosts are 126.
Q. Which one is a usable host address?
a. 192.168.2.224/28
b. 192.168.2.47/28
c. 192.168.2.160/28
d. 192.168.2.192/28
Answer: none of the above.
Explanation: /28 = 255.255.255.240
In binary: 11111111.11111111.11111111.11110000
The octet of interest is the 4th, 240 (11110000):
1    1    1    1    0    0    0    0
128  64   32   16   8    4    2    1
The magic number here is 16.
Subnets = 2*2*2*2 = 16
Hosts = 2*2*2*2 = 16 addresses per subnet
Subnets:
1. 192.168.2.0      9. 192.168.2.128
2. 192.168.2.16    10. 192.168.2.144
3. 192.168.2.32    11. 192.168.2.160
4. 192.168.2.48    12. 192.168.2.176
5. 192.168.2.64    13. 192.168.2.192
6. 192.168.2.80    14. 192.168.2.208
7. 192.168.2.96    15. 192.168.2.224
8. 192.168.2.112   16. 192.168.2.240
Valid hosts per network, and broadcast:
Subnetwork 1 (192.168.2.0):   192.168.2.1 - 192.168.2.14    broadcast 192.168.2.15
Subnetwork 2 (192.168.2.16):  192.168.2.17 - 192.168.2.30   broadcast 192.168.2.31
Subnetwork 3 (192.168.2.32):  192.168.2.33 - 192.168.2.46   broadcast 192.168.2.47
and so on.
.224 is a network address, .47 is a broadcast address, .160 is a
network address and .192 is also a network address, so we cannot
assign any of them to a host.
Q. Given the network address 192.224.10.0/29, find the first usable
host in the fifth subnet.
Solution: The octet of interest is the 4th for classful C subnetting; the
subnet mask is 255.255.255.248.
In binary: 11111111.11111111.11111111.11111000
Magic number = 8
Subnet bits = 5 bits
Host bits = 3 bits
Increment value for the next subnet = 8, 8 + 8 = 16, and so on
Total number of subnets = 2^(subnet bits) = 2*2*2*2*2 = 32
Total hosts per subnet = 2*2*2 = 8
Subnets:
1. 192.224.10.0
2. 192.224.10.8
3. 192.224.10.16
4. 192.224.10.24
5. 192.224.10.32
6. 192.224.10.40
Valid hosts:
For subnetwork 1. 192.224.10.1 - 192.224.10.6
2. 192.224.10.9 - 192.224.10.14
3. 192.224.10.17 - 192.224.10.22
4. 192.224.10.25 - 192.224.10.30
5. 192.224.10.33 - 192.224.10.38
Answer: in the 5th subnet the first usable host address is
192.224.10.33
Subnetting Class B Addresses
Before we dive into this, let’s look at all the possible Class B
subnet masks first. Notice that we have a lot more possible
subnet masks than we do with a Class C network address:
255.255.128.0 (/17)    255.255.255.0 (/24)
255.255.192.0 (/18)    255.255.255.128 (/25)
255.255.224.0 (/19)    255.255.255.192 (/26)
255.255.240.0 (/20)    255.255.255.224 (/27)
255.255.248.0 (/21)    255.255.255.240 (/28)
255.255.252.0 (/22)    255.255.255.248 (/29)
255.255.254.0 (/23)    255.255.255.252 (/30)
We know the Class B network address has 16 bits available for
host addressing. This means we can use up to 14 bits for
subnetting (because we have to leave at least 2 bits for host
addressing).
Example: 196.16.144.99/23
Question: Is the above IP address a host, network or broadcast
address?
Subnet mask 255.255.254.0
The octet of interest for subnetting is the 3rd (.254)
Subnet mask in binary =
11111111.11111111.11111110.00000000
Magic number = 2, subnet bits = 1111111 = 7 bits, host bits (off
bits) = 9 bits.
Number of subnets = 2*2*2*2*2*2*2 = 128
Hosts = 2*2*2*2*2*2*2*2*2 = 512 addresses per network
Subnetworks:
1. 196.16.0.0
2. 196.16.2.0
3. 196.16.4.0
4. 196.16.6.0
5. 196.16.8.0
6. 196.16.10.0
The 3rd octet goes up by increments of 2 (even numbers) through
196.16.144.0 and so on.
Valid hosts:
1. 196.16.0.1 - 196.16.1.254, broadcast address 196.16.1.255
2. 196.16.2.1 - 196.16.3.254, broadcast address 196.16.3.255
3. 196.16.4.1 - 196.16.5.254, broadcast address 196.16.5.255
and so on. In between, one subnet is 196.16.144.0; its valid
hosts are 196.16.144.1 - 196.16.145.254, and its broadcast address
is 196.16.145.255.
Concluding remarks: hence 196.16.144.99 is a valid host.
Practice Example #2: 255.255.240.0 (/20), 10.0.0.0 IP,
another method
255.255.240.0 gives us 12 bits of subnetting and leaves us 12
bits for host addressing.
_ Subnets? 2^12 = 4096.
_ Hosts? 2^12 – 2 = 4094.
_ Valid subnets? 256 – 240 = 16. The subnets in the second
octet are a block size of 1 and the subnets in the third octet are 0,
16, 32, etc.
_ Broadcast address for each subnet?
_ Valid hosts?
The following table shows some examples of the host ranges—
the first three and the last subnets:
Subnet      10.0.0.0      10.0.16.0     10.0.32.0     …   10.255.240.0
First host  10.0.0.1      10.0.16.1     10.0.32.1     …   10.255.240.1
Last host   10.0.15.254   10.0.31.254   10.0.47.254   …   10.255.255.254
Broadcast   10.0.15.255   10.0.31.255   10.0.47.255   …   10.255.255.255
Subnetting Class A Addresses
Class A subnetting is not performed any differently from
Classes B and C, but there are 24 bits to play with instead of the
16 in a Class B address and the 8 in a Class C address.
Let’s start by listing all the Class A subnets:
255.128.0.0 (/9) 255.255.240.0 (/20)
255.192.0.0 (/10) 255.255.248.0 (/21)
255.224.0.0 (/11) 255.255.252.0 (/22)
255.240.0.0 (/12) 255.255.254.0 (/23)
255.248.0.0 (/13) 255.255.255.0 (/24)
255.252.0.0 (/14) 255.255.255.128 (/25)
255.254.0.0 (/15) 255.255.255.192 (/26)
255.255.0.0 (/16) 255.255.255.224 (/27)
255.255.128.0 (/17) 255.255.255.240 (/28)
255.255.192.0 (/18) 255.255.255.248 (/29)
255.255.224.0 (/19) 255.255.255.252 (/30)
Question: Is the IP address 110.8.67.101/15 a host, network or
broadcast address?
Subnet mask 255.254.0.0
Solution:
Let's start with the subnet mask /15 =
11111111.11111110.00000000.00000000
Magic number = 2
Octet of interest in the subnet mask = 2nd (.254)
Number of subnet bits = 7 bits
Number of host bits = 17 bits
Increment value for the next subnet = 2, 2 + 2 = 4, and so on.
Subnets = 2*2*2*2*2*2*2 = 128
Hosts per subnet = 2^17 = 131072
Subnets:
1. 110.0.0.0
2. 110.2.0.0
3. 110.4.0.0
4. 110.6.0.0
5. 110.8.0.0
6. 110.10.0.0
7. 110.12.0.0 and so on
Valid hosts:
for subnet
1. 110.0.0.1 - 110.1.255.254
2. 110.2.0.1 - 110.3.255.254
3. 110.4.0.1 - 110.5.255.254
4. 110.6.0.1 - 110.7.255.254
5. 110.8.0.1 - 110.9.255.254
So, 110.8.67.101 is a valid host address on subnet 110.8.0.0 (5th
subnet).
------------------------------------------------------------------------------
Variable Length Subnet Mas ks (VLSMs)
Creating many networks from a single network using subnet masks
of different lengths on different types of network designs is
called VLSM networking. Two terms are used with VLSM:
classful and classless.
Classful addressing assumes that all interfaces within the classful
address space have the same subnet mask. This is called classful
routing, and RIP and IGRP are both considered classful routing protocols.
Classless routing protocols, however, do support the
advertisement of subnet information. Therefore, you can use
VLSM with routing protocols such as RIPv2, EIGRP, or OSPF.
_ (EIGRP and OSPF) will be discussed later.
In short, all subnets will use the same subnet mask in classful
addressing, whereas classless subnets will use different sizes of
subnets to save addresses.
In a real-life scenario, some subnets may require a large number of
host addresses while others may require only a few addresses.
Example:
A company has three departments connected with WAN links.
• The Development department has 74 computers.
• The Production department has 52 computers.
• The Administrative department has 28 computers.
• All departments are connected with each other via
WAN links.
• Each WAN link requires two IP addresses.
Steps for VLSM Subnetting
• Find the largest segment: the segment which needs the
largest number of host addresses.
• Do subnetting to fulfil the requirement of the largest
segment.
• Assign the appropriate subnet mask to the largest
segment.
• For the second largest segment, take one of these
newly created subnets and apply a different, more
appropriate, subnet mask to it.
• Assign the appropriate subnet mask to the second
largest segment.
• Repeat this process until the last network.
VLSM Example
Now you know the steps of VLSM subnetting. Let's understand
it with the above example. Our company requires 6 subnets and 160
hosts.
Step 1: Order all segments according to the host requirement
(largest to smallest).
Subnet   Segment          Hosts
1        Development      74
2        Production       52
3        Administrative   28
4        Wan link 1       2
5        Wan link 2       2
6        Wan link 3       2
Step 2: Do subnetting for the largest segment. Our largest segment
needs 74 host addresses. /25 provides us two subnets with 126
hosts in each subnet.
192.168.1.0/25
Subnet              Subnet 1        Subnet 2
Network ID          192.168.1.0     192.168.1.128
First host address  192.168.1.1     192.168.1.129
Last host address   192.168.1.126   192.168.1.254
Broadcast ID        192.168.1.127   192.168.1.255
Step 3: Assign a subnet mask to the largest segment. As you can
see in the above table, subnet 1 fulfils our largest segment
requirement. Assign it to our segment.
Segment        Development
Requirement    74
CIDR           /25
Subnet mask    255.255.255.128
Network ID     192.168.1.0
First host     192.168.1.1
Last host      192.168.1.126
Broadcast ID   192.168.1.127
Step 4: Do subnetting for the second largest segment from the next
available subnet. The next segment requires 52 host addresses.
Subnetting of /25 has given us two subnets with 126 hosts in
each; from those we have assigned the first subnet to the development
segment. The second subnet is available, so we subnet
it. /26 provides us 4 subnets with 62 hosts in each subnet.
192.168.1.0/26
Subnet          Subnet 1   Subnet 2   Subnet 3   Subnet 4
Network ID      0          64         128        192
First address   1          65         129        193
Last address    62         126        190        254
Broadcast ID    63         127        191        255
We cannot use subnet 1 and subnet 2 (addresses from 0 to 127) as
they are already assigned to the development department. We can
assign subnet 3 to our production department.
Segment        Production
Requirement    52
CIDR           /26
Subnet mask    255.255.255.192
Network ID     192.168.1.128
First host     192.168.1.129
Last host      192.168.1.190
Broadcast ID   192.168.1.191
Step 5: Our next segment requires 28 hosts. From the above
subnetting we have subnet 3 and subnet 4 available. Do
subnetting for the requirement of 28 hosts.
192.168.1.0/27
Subnet        Sub 1   Sub 2   Sub 3   Sub 4   Sub 5   Sub 6   Sub 7   Sub 8
Net ID        0       32      64      96      128     160     192     224
First host    1       33      65      97      129     161     193     225
Last host     30      62      94      126     158     190     222     254
Broadcast ID  31      63      95      127     159     191     223     255
Subnets 1 to 6 (addresses from 0 to 191) are already occupied by
previous segments. We can assign subnet 7 to this segment.
Segment        Administrative
Requirement    28
CIDR           /27
Subnet mask    255.255.255.224
Network ID     192.168.1.192
First host     192.168.1.193
Last host      192.168.1.222
Broadcast ID   192.168.1.223
Step 6: Our last three segments require 2 hosts per subnet. Do
subnetting for these. 192.168.1.0/30. Valid subnets are:
0, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40, 44, 48, 52, 56, 60, 64, 68, 72, 76, 80, 84,
88, 92, 96, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144, 148,
152, 156, 160, 164, 168, 172, 176, 180, 184, 188, 192, 196, 200, 204, 208,
212, 216, 220, 224, 228, 232, 236, 240, 244, 248, 252
From these subnets, subnet 1 to subnet 56 (network addresses from 0
to 220) are already assigned to previous segments. We can use
224, 228, and 232 for the WAN links.
Subnet         Subnet 57   Subnet 58   Subnet 59
Network ID     224         228         232
First host     225         229         233
Last host      226         230         234
Broadcast ID   227         231         235
Assign these subnets to the WAN links.
Segments       Wan Link 1        Wan Link 2        Wan Link 3
Requirement    2                 2                 2
CIDR           /30               /30               /30
Subnet mask    255.255.255.252   255.255.255.252   255.255.255.252
Network ID     192.168.1.224     192.168.1.228     192.168.1.232
First host     192.168.1.225     192.168.1.229     192.168.1.233
Last host      192.168.1.226     192.168.1.230     192.168.1.234
Broadcast ID   192.168.1.227     192.168.1.231     192.168.1.235
We have assigned IP addresses to all segments, and still we have 20
addresses available. This is the magic of VLSM.
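The six steps above as an added Python example (not the chapter's code): the allocator orders the segments by host count, picks the smallest mask whose usable hosts cover each one, and carves each subnet from the lowest unused address, reproducing the chapter's 192.168.1.0/24 plan and its 20 leftover addresses. The standard-library `ipaddress` module does the mask arithmetic; the segment list is the chapter's scenario, the function names are mine.

```python
"""VLSM allocation as in the chapter's walkthrough: order the segments by host
count, give each the smallest subnet whose usable hosts cover it, and carve it
from the lowest free address of the parent block (each subnet starts on a
multiple of its own size, i.e. on the chapter's increment). Added example, not
the chapter's own code; the segment names and host counts are the chapter's."""
import ipaddress

# The chapter's scenario: three departments plus three point-to-point WAN links.
SEGMENTS = {
    "Development": 74,
    "Production": 52,
    "Administrative": 28,
    "WAN link 1": 2,
    "WAN link 2": 2,
    "WAN link 3": 2,
}


def prefix_for_hosts(hosts):
    """Smallest /n with 2^(32-n) - 2 usable hosts >= hosts (at least 2 host bits kept)."""
    if hosts < 1:
        raise ValueError("a segment needs at least one host")
    host_bits = 2
    while 2 ** host_bits - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def allocate(parent, segments):
    """Return one row per segment (largest first) with its CIDR, mask, network,
    host range and broadcast, or raise ValueError when the block runs out."""
    block = ipaddress.ip_network(parent, strict=True)
    end = int(block.broadcast_address) + 1        # first address beyond the block
    cursor = int(block.network_address)           # lowest address not yet assigned
    plan = []
    # sorted() is stable, so equal-sized segments keep their listed order.
    for name, hosts in sorted(segments.items(), key=lambda kv: kv[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        start = -(-cursor // size) * size         # round up to the next multiple of size
        if start + size > end:
            raise ValueError(f"{parent} cannot fit {name} ({hosts} hosts, /{prefix})")
        net = ipaddress.ip_network((start, prefix))
        plan.append({
            "segment": name,
            "requirement": hosts,
            "cidr": f"/{prefix}",
            "mask": str(net.netmask),
            "network": str(net.network_address),
            "first_host": str(net.network_address + 1),
            "last_host": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address),
        })
        cursor = start + size
    return plan


def addresses_left(parent, plan):
    """Addresses of the parent block not consumed by any subnet in the plan."""
    block = ipaddress.ip_network(parent, strict=True)
    used = sum(2 ** (32 - int(row["cidr"][1:])) for row in plan)
    return block.num_addresses - used


if __name__ == "__main__":
    rows = allocate("192.168.1.0/24", SEGMENTS)
    for row in rows:
        print(f'{row["segment"]:<15} {row["cidr"]:<4} {row["network"]:<15} '
              f'{row["first_host"]:<15} {row["last_host"]:<15} {row["broadcast"]}')
    print("addresses left:", addresses_left("192.168.1.0/24", rows))
```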
End chapter 2
___________________________________________________

Chapter 3 Switching Technologies

Topics to be covered:

• 3.1 Describe layer-2 switching
• 3.2 Describe address learning in layer-2 switches
• 3.3 Understand when a layer-2 switch will forward or
filter a frame
• 3.4 Describe network loop problems in layer-2 switched
networks
• 3.5 Describe the Spanning-Tree Protocol
• 3.6 List the LAN switch types and describe how they
work with layer-2 switches
• 3.7 Configure and verify initial switch configuration
including remote access management
- hostname
- mgmt ip address
- ip default-gateway
- local user and password
- enable secret password
- console and VTY logins
- exec-timeout
- service password encryption
- copy run start
• 3.8 Describe how VLANs create logically separate
networks and the need for routing between them
- Explain network segmentation and basic traffic management
concepts
- Configure and verify VLANs
- Configure and verify trunking on Cisco switches
- dtp (topic)
- auto-negotiation
• 3.9 Identify enhanced switching technologies
- RSTP
- PVSTP
- Etherchannels
- Configure and verify PVSTP operation
- Describe root bridge election
- Spanning tree mode
Definition:
Layer-2 switching is hardware based, which means it uses the
MAC address from the host’s NIC cards to filter the network.
Switches use Application-Specific Integrated Circuits (ASICs)
to build and maintain filter tables. It is OK to think of a layer-2
switch as a multiport bridge. Layer-2 switches are fast because
they do not look at the Network layer header information,
looking instead at the frame’s hardware addresses before
deciding to either forward the frame or drop it.
Layer-2 switching provides the following:
• Hardware-based bridging (MAC)
• Wire speed
• Low latency
• Low cost
Limitations of L2 Switching
Layer-2 switches (bridges) cannot break up broadcast domains,
which can cause performance issues and limit the size of your
network. Broadcasts and multicasts, along with the slow
convergence of spanning tree, can cause major problems as the
network grows. Because of these problems, layer-2 switches
cannot completely replace routers (layer-3 devices) in the
internetwork.
Bridging versus LAN Switching
Layer-2 switches are really just bridges with more ports.
However, there are some important differences you should be
aware of:
• Bridges are software based, while switches are hardware
based because they use an ASIC chip to help make
filtering decisions.
• Bridges can only have one spanning-tree instance per
bridge, while switches can have many. (We cover spanning
tree later in this chapter.)
• Bridges can only have up to 16 ports, whereas a switch can
have hundreds.
Three Switch Functions at Layer 2
There are three distinct functions of layer-2 switching:
Address learning
Layer-2 switches and bridges remember the source hardware
address of each frame received on an interface and enter this
information into a MAC database.
Forward/filter decisions
When a frame is received on an interface, the switch looks at the
destination hardware address and finds the exit interface in the
MAC database.
Loop avoidance
If multiple connections between switches are created for
redundancy, network loops can occur. The Spanning-Tree
Protocol (STP) is used to stop network loops and allow
redundancy.
Address Learning
When a switch is powered on, the switch's CAM table (MAC table) is
empty. Observe the following:
1. The switch places the source MAC address of the sender, and the
interface the frame came in on, in its MAC table.
2. The switch will flood the frame out all interfaces in the network.
3. Only the receiver who replies with a frame will be entered by the
switch in the CAM table, and a point-to-point connection between
sender and receiver will be established. The CAM table then holds
the source and destination MAC addresses of both of them along
with the interface details, as shown in the figure below.
1. Host 1 sends a frame to Host 3. Host 1’s MAC address is
0000.8c01.1111; Host 3’s MAC address is 0000.8c01.2222.
2. The switch receives the frame on the E0/1 interface (interface
addressing is covered in Appendix B) and places the source
address in the MAC address table.
3. Since the destination address is not in the MAC database, the
frame is forwarded out all interfaces.
4. Host 3 receives the frame and responds to Host 1. The switch
receives this frame on interface E0/3 and places the source
hardware address in the MAC database.
5. Host 1 and Host 3 can now make a point-to-point connection
and only the two devices will receive the frames. Hosts 2 and 4
will not see the frames.
If the two devices do not communicate to the switch again
within a certain amount of time, the switch will flush the entries
from the database to keep it as current as possible.
Forward/Filter Decisions
When a frame arrives at a switch interface, the switch checks whether
the destination MAC address exists in the table; if it does, the frame
is forwarded only to that destination's interface. The switch will
not send the frame to all interfaces except the destination. This
preserves bandwidth and is also known as frame filtering.
Note: If the destination hardware address is not listed in the
MAC database, then the frame is broadcast out all active
interfaces except the interface the frame was received on. If a
device answers the broadcast, the MAC database is updated with
the device location (interface).
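The learning and forward/filter behaviour described above, as an added Python simulation (not the chapter's code). It replays the Host 1 / Host 3 walkthrough on a constructed four-port switch with an assumed 300-second aging time, and shows that an unknown destination is flooded, a known destination gets a single egress port, and a destination learned on the ingress port is filtered.

```python
"""Address learning and forward/filter decisions of a layer-2 switch, simulated
on the chapter's Host 1 / Host 3 walkthrough. Added example, not the chapter's
code; the MAC addresses and E0/x interfaces are the chapter's, the four-port
switch, the timestamps and the 300 s aging time are constructed."""

BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac):
    """True for multicast and broadcast: the I/G bit (lowest bit of the first byte) is 1."""
    return int(mac.replace(".", "")[:2], 16) & 1 == 1


class Switch:
    def __init__(self, ports, aging_seconds=300):
        self.ports = list(ports)
        self.aging = aging_seconds
        self.cam = {}                      # MAC -> (port learned on, time last seen)

    def _flush_stale(self, now):
        """Entries not refreshed within the aging time are removed."""
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen > self.aging]:
            del self.cam[mac]

    def receive(self, in_port, src, dst, now=0):
        """Learn src on in_port, then return the ports the frame is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"no such port: {in_port}")
        self._flush_stale(now)
        self.cam[src] = (in_port, now)     # address learning: source MAC -> ingress port
        all_but_ingress = [p for p in self.ports if p != in_port]
        if is_group_address(dst):
            return all_but_ingress         # broadcast/multicast: out every other port
        known = self.cam.get(dst)
        if known is None:
            return all_but_ingress         # unknown unicast: flooded like a broadcast
        out_port = known[0]
        if out_port == in_port:
            return []                      # filtered: destination is on the ingress segment
        return [out_port]                  # forward only to the port the destination lives on


def walkthrough():
    """The chapter's five steps plus what happens once the entries have aged out."""
    sw = Switch(["E0/1", "E0/2", "E0/3", "E0/4"], aging_seconds=300)
    host1, host3 = "0000.8c01.1111", "0000.8c01.2222"
    decisions = [
        sw.receive("E0/1", host1, host3, now=0),    # Host 3 unknown: flood E0/2, E0/3, E0/4
        sw.receive("E0/3", host3, host1, now=1),    # reply: Host 3 learned, Host 1 known -> E0/1
        sw.receive("E0/1", host1, host3, now=2),    # point-to-point: E0/3 only
        sw.receive("E0/1", host1, host3, now=400),  # both entries aged out: flooded again
    ]
    return decisions, dict(sw.cam)


if __name__ == "__main__":
    for step, ports in enumerate(walkthrough()[0], 1):
        print(f"frame {step} sent out of: {ports}")
```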
Broadcast and Multicast Frames
Broadcast and multicast frames do not have a destination
hardware address specified. The source address will always be
the hardware address of the device transmitting the frame, and
the destination address will either be all 1s (broadcast), or
the network or subnet address specified with the host address all
1s (multicast).
For example:
Broadcast
11111111.11111111.11111111.11111111 255.255.255.255
Multicast
10101100.00010000.11111111.11111111 172.16.255.255
Frames are sent only to the specific network 172.16.
Loop Avoidance
Redundant links (multiple links) built between switch devices
cause loops. As a result, a switch broadcasts frames (a broadcast
storm) to the other switch device, gets confused, and can't
distinguish the location of a host MAC address. This phenomenon
is called thrashing the MAC table.
The advantage of redundant links is failover: if one link goes
down, then the other link takes up the responsibility of the failed
link. But at the same time, a loop occurs.
How to avoid loops in a redundant topology
To provide for fault tolerance, many networks implement
redundant paths between devices using multiple switches.
However, providing redundant paths between segments causes
packets to be passed between the redundant paths endlessly.
This condition is known as a bridging loop.
(Note: the terms bridge and switch are used interchangeably when
discussing STP.)
121

To prevent bridging loops, the IEEE 802.1d committee defined a


standard called the spanning tree algorithm (STA), or spanning
tree protocol (STP). Spanning-Tree Protocol is a link
management protocol that provides path redundancy while
preventing undesirable loops in the network. For an Ethernet
network to function properly, only one active path can exist
between two stations.
Let’s see a situation when there is no loop-avoidance process in
operation. Suppose you have two switches connected with
redundant links. One switch connected to PC A and the other
switch connected to PC B.
Now PC A wants to talk to PC B. It sends a broadcast, say an Address Resolution Protocol (ARP) request, to find out the location of PC B; the green arrow in the figure shows the broadcast frame sent by PC A.
When switch A receives a broadcast frame, it forwards that frame out of all ports except the port on which it received the request -> SwA forwards the ARP frame out of its fa0/0 and fa0/1 ports.

Suppose SwB receives the broadcast frame on fa0/0 first; it will then forward that frame to the two other links (fa0/1 and fa0/5 of SwB).
The other broadcast frame from SwA arrives on fa0/1 of SwB, so SwB forwards it to fa0/0 and fa0/5.

As you can see, SwA has sent 2 broadcast frames out of its fa0/0 and fa0/1; SwB receives each of them, creates 2 copies and sends one of them back to SwA (the other is sent to PC B). When SwA receives these broadcast frames it again floods them to its other interfaces, and this keeps going forever until you shut down the network. This phenomenon is called a broadcast storm.
A broadcast storm consumes the entire bandwidth and denies bandwidth to normal network traffic. A broadcast storm is a serious network problem and can shut down an entire network in seconds.
Other problems:
Multiple frame transmission: Multiple copies of unicast frames may be delivered to destination stations. Many protocols expect to receive only a single copy of each transmission, and multiple copies of the same frame can cause unrecoverable errors. In the above example, if the first frame is not an ARP broadcast but a unicast, and SwA and SwB have not yet learned the destination in that frame, then they flood the frame on all ports except the originating port. The same phenomenon occurs and PC B receives more than one copy of that frame.
MAC Database Instability: MAC database instability results when multiple copies of a frame arrive on different ports of a switch. We can see it in the above example too, when the two ports on SwB (fa0/0 and fa0/1) receive the same frame.
Now you have learned about the problems that occur when there is no loop-avoidance mechanism running on the network. All of these problems can be solved with the Spanning Tree Protocol (STP).
STP prevents loops by blocking one of the switch ports. For example, by blocking port fa0/0 of SwA, no data traffic is sent on this link and the loop in the network is eliminated.

But how does STP decide which port should be blocked? The whole process is more complex than what is shown above. We will learn it in the next part.
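The two-switch scenario above, as an added example that is not part of the original text: a small Python simulation of frame flooding over two parallel links. The topology is constructed (PC-A on SwA fa0/5, PC-B on SwB fa0/5, links fa0/0<->fa0/0 and fa0/1<->fa0/1); it counts the frames in flight per round, the copies PC-B receives, and the port on which SwB learns PC-A's MAC address, first with no port blocked and then with SwA fa0/0 in the blocking state.

```python
"""Frame flooding on two switches joined by two parallel links.

Constructed topology for this example (not from the original text):
  PC-A -- SwA fa0/5      SwA fa0/0 <-> SwB fa0/0
  PC-B -- SwB fa0/5      SwA fa0/1 <-> SwB fa0/1
"""

# Inter-switch links, keyed both ways: (switch, port) -> (peer switch, peer port)
LINKS = {
    ("SwA", "fa0/0"): ("SwB", "fa0/0"),
    ("SwB", "fa0/0"): ("SwA", "fa0/0"),
    ("SwA", "fa0/1"): ("SwB", "fa0/1"),
    ("SwB", "fa0/1"): ("SwA", "fa0/1"),
}
# Access ports with a host attached.
HOSTS = {("SwA", "fa0/5"): "PC-A", ("SwB", "fa0/5"): "PC-B"}
PORTS = {"SwA": ["fa0/0", "fa0/1", "fa0/5"], "SwB": ["fa0/0", "fa0/1", "fa0/5"]}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def flood(blocked=frozenset(), max_rounds=6):
    """Inject one broadcast from PC-A and forward it round by round.

    blocked: set of (switch, port) pairs that STP holds in the blocking
             state; a blocking port neither accepts nor sends data frames.
    Returns (frames in flight per round, copies delivered to PC-B,
             the ports on which SwB learned PC-A's MAC, in order of change).
    """
    mac_table = {"SwA": {}, "SwB": {}}   # switch -> {source MAC: port}
    learned_on_swb = []
    delivered_to_pcb = 0
    per_round = []
    # A frame in flight is (switch, ingress port, source MAC, destination MAC).
    inflight = [("SwA", "fa0/5", "PC-A", BROADCAST)]

    for _ in range(max_rounds):
        if not inflight:
            break                        # the flood has died out
        per_round.append(len(inflight))
        next_round = []
        for sw, ingress, src, dst in inflight:
            if (sw, ingress) in blocked:
                continue                 # discarded by the blocking port
            # Learning: the source MAC is (re)associated with the ingress port.
            # On a looped topology this association flaps between ports.
            if sw == "SwB" and mac_table[sw].get(src) != ingress:
                learned_on_swb.append(ingress)
            mac_table[sw][src] = ingress
            # Forwarding: a known unicast goes out one port; a broadcast (or
            # unknown unicast) is flooded out of every other non-blocked port.
            known = mac_table[sw].get(dst)
            egress = [known] if known else PORTS[sw]
            for port in egress:
                if port == ingress or (sw, port) in blocked:
                    continue
                if (sw, port) in HOSTS:
                    if HOSTS[(sw, port)] == "PC-B":
                        delivered_to_pcb += 1
                else:
                    peer_sw, peer_port = LINKS[(sw, port)]
                    next_round.append((peer_sw, peer_port, src, dst))
        inflight = next_round
    return per_round, delivered_to_pcb, learned_on_swb


if __name__ == "__main__":
    print("no port blocked:   ", flood())
    print("SwA fa0/0 blocked: ", flood(blocked={("SwA", "fa0/0")}))
```

With no port blocked the frame count never drops to zero, PC-B keeps receiving copies, and SwB's entry for PC-A flaps between fa0/0 and fa0/1; blocking SwA fa0/0 ends the flood after three rounds with a single delivery.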
How Spanning Tree Protocol (STP) works
STP must perform three steps to provide a loop-free network topology:
1. Elect one root bridge: one RB/network
2. Select one designated port on each network segment: one DP/segment
3. Select one root port per non-root bridge: one RP/NRB
Now let’s have a closer look from the beginning, when you have
just turned on the switches…
BPDU: the 4 fields of interest

Field      Root Bridge ID   Cost   Sender Bridge ID   Port ID
Example    32768-A          19     32768-A            Fa0/1-128

Switch cost formula = 10^9 / Bandwidth (in bps).
The root bridge is the BPDU factory, and a root port always accepts the best BPDU arriving on the port, distinguishing superior from inferior BPDUs originally sent by the root bridge.
1. Elects one root bridge
A fun thing is that when turned on, each switch claims itself as
the root bridge immediately and starts sending out multicast
frames called Bridge Protocol Data Units (BPDUs), which are
used to exchange STP information between switches.

A BPDU contains many fields, but there are 4 most important fields for STP to operate correctly:
* The Bridge ID of the Root Bridge and the Bridge ID of the Transmitting Bridge:
In the initial stage, each switch claims itself as a root bridge so
the bridge ID of the root bridge and the bridge ID of the
transmitting bridge are the same.
The Bridge ID is composed of the bridge priority value (0-
65535, 2 bytes) and the bridge MAC address (6 bytes).
Bridge ID = Bridge Priority + MAC Address
For example:
+ The bridge priority of SwA is 32768 and its MAC address is
0000.0000.9999 -> the bridge ID of SwA is
32768:0000.0000.9999
+ The bridge priority of SwB is 32768 and its MAC address is
0000.0000.1111 -> the bridge ID of SwB is
32768:0000.0000.1111
The root bridge is the bridge with the lowest bridge ID.
To compare two bridge IDs, the priority is compared first. If two bridges have equal priority, then the MAC addresses are compared. In the above example, both SwA and SwB have the same bridge priority (32768), so they will compare their MAC addresses. Because SwB has the lower MAC address, it will become the root bridge.
On the root bridge, all ports are designated ports. Designated ports are in the forwarding state and can send and receive traffic.
Note: The default bridge priority value is 32768. An administrator can decide which bridge will become the root bridge by lowering the priority value (thus lowering the Bridge ID). For example, we can lower SwA’s bridge priority to 28672 (smaller than 32768) to make it the root bridge. But notice that the bridge priority number can be changed only in steps of 4096.
In conclusion, STP decides which switch will become the root bridge by comparing the Bridge ID in the BPDUs. The bridge priorities are compared first; if they are equal then the MAC addresses are used. Because each switch has a unique MAC address, exactly one root bridge will always be elected.
* The cost to reach the root from this bridge (Root Path
Cost): This value is set to 0 at the beginning of STP root bridge
election process since all bridges claim to be the root. The cost
range is 0-65535.
Link Speed   Cost (Revised IEEE Specification)   Cost (Previous IEEE Specification)
10 Gbps      2                                   1
1 Gbps       4                                   1
100 Mbps     19                                  10
10 Mbps      100                                 100

The root path cost is used to elect the root port; we will discuss it in the next part.
* The Port ID: the transmitting switch port ID, discussed later.
2. Select one root port per nonroot bridge
The root port is the port that is closest to the root bridge, which means it is the port that receives the lowest-cost BPDU from the root.
Every non-root bridge must have a root port. All root ports are placed in the forwarding state.
In the example below, if we suppose the upper link (between the two fa0/0 interfaces) is a 10Mbps link and the lower link (between the two fa0/1 interfaces) is a 100Mbps link, then fa0/1 of SwA will become the root port as it has a lower cost than fa0/0 (cost 19 < cost 100).
3. Select one designated port on each network segment
STP selects one designated port per segment to forward traffic. Other switch ports on the segment typically become nondesignated ports and are blocked. Therefore, interface fa0/0 of SwA will become a nondesignated port (blocking state). In the blocking state a port cannot send data traffic, but it can still receive BPDUs.

 
Now the network reaches a state called convergence.
Convergence in STP occurs when all ports on bridges and
switches have transitioned to either forwarding or blocking
states. No data is forwarded until convergence is complete so the
time for convergence when network topology changes is very
important. Fast convergence is very desirable in large networks.
The normal convergence time is 50 seconds for 802.1D STP
(which is rather slow) but the timers can be adjusted.
Example
Total segments in the given network = 5
Cost of every link = 4
Step 1
One RB/whole network
Suppose Switch A is the root bridge (RB) as it has the lowest MAC address/priority, and the others will be non-root bridges (NRB). The ports of the RB will always be designated ports. BPDUs originate from this root bridge (sometimes called the BPDU factory). Here the best BPDUs are from A--->B and A--->E.
Step 2
One DP/segment (BPDU written as Root Bridge ID / Cost / Sender Bridge ID / Port ID)
Segment 1 (A---B):
  A------>B   A/0/A/1   (best & DP)
  B------>A   A/16/B/1  (bad)
Segment 2 (B---C):
  B------>C   A/4/B/1   (best & DP)
  C------>B   A/12/C/3  (bad)
Segment 3 (A---E):
  A------>E   A/0/A/2   (best & DP)
  E------>A   A/16/E/2  (bad)
Segment 4 (C---D):
  C------>D   A/8/C/2   (best & DP)
  D------>C   A/8/D/2   (bad)
Segment 5 (E---D):
  E------>D   A/4/E/1   (best & DP)
  D------>E   A/12/D/1  (bad)
Step 3
One RP/NRB (evaluated as BPDUs enter and leave a switch). The RP is the port that accepts the best BPDU.
Switch A: generates the BPDUs
Switch B: receives two BPDUs, A/4/A/1 (from A) and A/16/C/3 (from C)
Switch E: A/4/A/2 (from A), A/16/D/1 (from D)
Switch C: A/8/B/3 (from B), A/12/D/2 (from D)
Switch D: A/12/C/2 (from C), A/8/E/1 (from E)
The port of D on the D---C segment is the blocking port, as it is neither DP nor RP, and it will be placed in the blocking state once the STP election converges.
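The three steps above, as an added example that is not part of the original text: a Python implementation of root bridge election, root port selection and designated port selection using the BPDU tie-break order (root path cost, then sender Bridge ID, then port ID). The MAC addresses of switches A to E and the integer port numbers are constructed assumptions; the block also reproduces the earlier SwA/SwB case with two links of different cost.

```python
"""802.1D role computation: root bridge, root ports, designated and blocked ports."""
import heapq
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID = priority (compared first) + MAC address (tie-break)."""
    priority: int
    mac: str        # dotted hex as printed by IOS, e.g. "0000.0000.1111"


def make_bridge_id(priority, mac):
    """Build a Bridge ID, enforcing the 4096-step priority rule described above."""
    if not 0 <= priority <= 65535 or priority % 4096:
        raise ValueError("bridge priority must be 0-65535 in steps of 4096")
    return BridgeId(priority, mac.lower())


def stp_roles(bridges, segments):
    """Compute STP port roles for point-to-point segments.

    bridges:  {name: BridgeId}
    segments: [(bridge_a, port_a, bridge_b, port_b, cost), ...]  (port ids are ints)
    Returns (root bridge name, {(bridge, port): "DP" | "RP" | "BLK"}).
    """
    # Step 1: the root bridge is the one with the lowest Bridge ID.
    root = min(bridges, key=lambda name: bridges[name])

    # Neighbours per bridge: (local port, neighbour, neighbour port, link cost).
    adjacent = {name: [] for name in bridges}
    for a, pa, b, pb, cost in segments:
        adjacent[a].append((pa, b, pb, cost))
        adjacent[b].append((pb, a, pa, cost))

    # Step 2 (root ports): a received BPDU is ranked by
    # (root path cost, sender Bridge ID, sender port ID, receiving port ID);
    # Dijkstra over that key yields each bridge's best BPDU, hence its root port.
    root_path_cost = {}
    root_port = {}
    tie = count()
    heap = [((0, bridges[root], 0, 0), next(tie), root, None)]
    while heap:
        key, _, name, via = heapq.heappop(heap)
        if name in root_path_cost:
            continue                         # a better BPDU was already accepted
        root_path_cost[name] = key[0]
        root_port[name] = via
        for local_port, nb, nb_port, cost in adjacent[name]:
            if nb not in root_path_cost:
                bpdu = (key[0] + cost, bridges[name], local_port, nb_port)
                heapq.heappush(heap, (bpdu, next(tie), nb, (nb, nb_port)))

    # Step 3 (designated ports): on each segment the side advertising the
    # better BPDU (lower cost, then lower Bridge ID, then lower port ID) forwards.
    roles = {}
    for a, pa, b, pb, _cost in segments:
        side_a = ((root_path_cost[a], bridges[a], pa), (a, pa))
        side_b = ((root_path_cost[b], bridges[b], pb), (b, pb))
        (_, designated), (_, other) = sorted([side_a, side_b])
        roles[designated] = "DP"
        # The losing side is either that bridge's root port or it is blocked
        # (non-designated), which is what breaks the loop.
        roles[other] = "RP" if root_port[other[0]] == other else "BLK"
    return root, roles


# The five-switch example from the text; MACs are constructed so that A < B < C < D < E.
FIVE_SWITCHES = {name: make_bridge_id(32768, f"0000.0000.000{i}")
                 for i, name in enumerate("ABCDE", start=1)}
FIVE_SEGMENTS = [            # (bridge, port, bridge, port, cost); every link costs 4
    ("A", 1, "B", 1, 4),     # segment 1
    ("B", 2, "C", 1, 4),     # segment 2
    ("A", 2, "E", 1, 4),     # segment 3
    ("C", 2, "D", 2, 4),     # segment 4
    ("E", 2, "D", 1, 4),     # segment 5
]

# SwA/SwB joined by two parallel links: fa0/0 at 10 Mbps (cost 100), fa0/1 at 100 Mbps (cost 19).
TWO_SWITCHES = {"SwA": make_bridge_id(32768, "0000.0000.9999"),
                "SwB": make_bridge_id(32768, "0000.0000.1111")}
TWO_SEGMENTS = [("SwA", 0, "SwB", 0, 100),
                ("SwA", 1, "SwB", 1, 19)]

if __name__ == "__main__":
    for bridges, segments in ((FIVE_SWITCHES, FIVE_SEGMENTS), (TWO_SWITCHES, TWO_SEGMENTS)):
        root, roles = stp_roles(bridges, segments)
        print("root bridge:", root)
        for (name, port), role in sorted(roles.items()):
            print(f"  {name} port {port}: {role}")
```

For the five-switch topology the result is root A, with D's port toward C the only blocked port; for SwA/SwB the root is SwB and SwA blocks fa0/0, matching the text.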
STP switch port states
When STP is enabled, every switch in the network goes through
the blocking state and the transitory states of listening and
learning. The ports then stabilize to the forwarding or blocking
state.
* Blocking – no user data is sent or received, but the port may go into forwarding mode if the other links in use fail and the spanning tree algorithm determines that the port may transition to the forwarding state. BPDUs are still received in the blocking state, but the port discards frames and does not learn MAC addresses.
* Listening – The switch processes BPDUs and awaits possible new information that would cause it to return to the blocking state; it discards frames and does not learn MAC addresses.
* Learning – receives and transmits BPDUs and learns MAC addresses but does not yet forward frames.
* Forwarding – receives and sends data, normal operation, learns MAC addresses, receives and transmits BPDUs.
Below is a quick summary of STP states:

State        Can forward data?   Learn MAC?   Timer                    Transitory or Stable State?
Blocking     No                  No           Max Age (20 sec)         Stable
Listening    No                  No           Forward Delay (15 sec)   Transitory
Learning     No                  Yes          Forward Delay (15 sec)   Transitory
Forwarding   Yes                 Yes          -                        Stable

* Max Age – How long any bridge should wait, after it stops hearing hellos, before trying to change the STP topology. Usually this is a multiple of the hello time; the default is 20 seconds.
* Forward Delay – Delay that affects the time involved when an interface changes from the blocking state to the forwarding state. A port stays in the listening state and then in the learning state for the number of seconds defined by the forward delay. This timer is covered in more depth shortly.
The spanning tree algorithm provides the following benefits:
* Eliminates bridging loops
* Provides redundant paths between devices
* Enables dynamic role configuration
* Recovers automatically from a topology change or device
failure
* Identifies the optimal path between any two network devices
Now let’s take an example using the same network as above but
we suppose that the bottom 100Mbps connection is broken.

When the lower link is broken, SwA must wait for Max Age
seconds before it begins to transition fa0/0 interface from
blocking to listening state. In listening state, it must wait for the
Forward Delay seconds to move to the Learning state. Next it
continues waiting for more Forward Delay seconds. If no BPDU
is received, it is then placed in forwarding state. These three
waiting periods of (by default) 20, 15, and 15 seconds create
STP’s relatively slow convergence.
Now let’s consider how BPDUs are sent when there are 3 switches in the network. Cisco has a good Flash animation to demonstrate it, so please watch it at http://www.cisco.com/image/gif/paws/10556/spanning_tree1.swf
How STP performs when a link fails
Suppose we have a topology with three switches as shown
below:

In this topology SwA is elected the root bridge and the link between SwB and SwC is blocked. When STP has converged, the port roles are as shown above.
Now suppose the link between SwA and SwB goes down; let us see how STP will perform.

1. First, P1 on SwB immediately goes down and SwB declares its link to SwA as down.
2. SwB considers its link to SwC (which is being blocked) as an alternate link to the root port. SwB starts to transition P2 from the blocking state to the listening state -> learning state -> forwarding state. Each of these stages lasts 15 seconds by default. Therefore, port P2 on SwB will be held without forwarding for 30 seconds before the network converges again. This downtime of the network is rather long (although we can tune the timers down to a 14 second downtime) and the users can feel it.
Rapid Spanning Tree Protocol (RSTP)
One big disadvantage of STP is its slow convergence, which matters greatly in a switched network. To overcome this problem, in 2001 the IEEE, with document 802.1w, introduced an evolution of the Spanning Tree Protocol: Rapid Spanning Tree Protocol (RSTP), which significantly reduces the convergence time after a topology change occurs in the network. While STP can take 30 to 50 seconds to transition from the blocking state to the forwarding state, RSTP is typically able to respond within less than 10 seconds of a physical link failure.
RSTP adds an alternate port and a backup port compared to STP. These ports are allowed to immediately enter the forwarding state rather than passively wait for the network to converge.
RSTP bridge port roles:
* Root port – A forwarding port that is the closest to the root
bridge in terms of path cost
* Designated port – A forwarding port for every LAN segment
* Alternate port – A best alternate path to the root bridge. This path is different from the one through the root port. The alternate port moves to the forwarding state if there is a failure on the designated port for the segment.
* Backup port – A backup/redundant path to a segment where another bridge port already connects. The backup port applies only when a single switch has two links to the same segment (collision domain). To have two links to the same collision domain, the switch must be attached to a hub.
* Disabled port – Not strictly part of STP; a network administrator can manually disable a port.
Now let’s see an example of three switches below:

Suppose all the switches have the same bridge priority so the
switch with lowest MAC address will become root bridge ->
Sw1 is the root bridge and therefore all of its ports will be
Designated ports (forwarding).
Two ports fa0/0 on Sw2 & Sw3 are closest to the root bridge (in
terms of path cost) so they will become root ports.
On the segment between Sw2 and Sw3, because Sw2 has a lower MAC than Sw3, it will advertise the better BPDU on this segment -> fa0/1 of Sw2 will be the Designated port and fa0/1 of Sw3 will be the Alternate port.
Now for the two ports connecting to the hub, we know that there
will have only one Designated port for each segment (notice that
the two ports fa0/2 & fa0/3 of Sw2 are on the same segment as
they are connected to a hub). The other port will be Backup port
according to the definition of Backup port above. But how does
Sw2 select its Designated and Backup port? The decision
process involves the following parameters inside the BPDU:
* Lowest path cost to the Root
* Lowest Sender Bridge ID (BID)
* Lowest Port ID
Well, both fa0/2 & fa0/3 of Sw2 have the same “path cost to the root” and “sender bridge ID”, so the third parameter, “lowest port ID”, will be used. Because fa0/2 has the lower port ID of the two, Sw2 will select fa0/2 as its Designated port (and fa0/3 becomes the Backup port).
 
Note: Alternate Port and Backup Port are in the discarding state.
RSTP Port States:
There are only three port states left in RSTP that correspond to
the three possible operational states. The 802.1D disabled,
blocking, and listening states are merged into the 802.1w
discarding state.
* Discarding – the port does not forward frames, process
received frames, or learn MAC addresses – but it does listen for
BPDUs (like the STP blocking state)
* Learning – receives and transmits BPDUs and learns MAC
addresses but does not yet forward frames (same as STP).
* Forwarding – receives and sends data, normal operation,
learns MAC address, receives and transmits BPDUs (same as
STP).
STP State (802.1d)   RSTP State (802.1w)
Blocking             Discarding
Listening            Discarding
Learning             Learning
Forwarding           Forwarding
Disabled             Discarding
Although the learning state is also used in RSTP, it only lasts a short time compared to STP. RSTP converges with all ports either in the forwarding state or in the discarding state.
RSTP Quick Summary:
RSTP provides faster convergence than 802.1D STP when
topology changes occur.
* RSTP defines three port states: discarding, learning, and
forwarding.
* RSTP defines five port roles: root, designated, alternate,
backup, and disabled.
Note: RSTP is backward compatible with legacy STP 802.1D. If an RSTP-enabled port receives a (legacy) 802.1d BPDU, it will automatically configure itself to behave like a legacy port. It then sends and receives 802.1d BPDUs only.
LAN Switch Types:
Store and forward: the complete data frame is received into the switch’s buffer, a CRC is run, and then the destination address is looked up in the MAC filter table.
Cut-through: the switch only waits for the destination hardware address to be received and then looks up the destination address in the MAC filter table.
FragmentFree: the default for the Catalyst 1900 switch; it is sometimes referred to as modified cut-through. It checks the first 64 bytes of a frame for fragmentation (because of possible collisions) before forwarding the frame.
EtherChannel
Reference:
http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml

* EtherChannel allows multiple physical Ethernet links to combine into one logical channel, which allows the links in the channel to share the traffic load, as well as providing redundancy in the event that one or more links in the channel fail.
* You can use EtherChannel to interconnect LAN switches, routers, servers, and clients via unshielded twisted pair (UTP) wiring or single-mode and multimode fiber.
EtherChannel Negotiation Protocols
* PAgP (Cisco Proprietary)
* LACP (IEEE 802.3ad)
Note: A maximum of 8 Fast Ethernet or 8 Gigabit Ethernet ports can be grouped together when forming an EtherChannel. There are three mechanisms you can choose to configure EtherChannel:
* Port Aggregation Protocol (PAgP)
* Link Aggregation Control Protocol (LACP)
* Static (“On”)
EtherChannel Modes in Switches:

Mode        Negotiation Protocol   Explanation
on          None                   Enables EtherChannel unconditionally. Recommended if the workstation/server does not support any negotiation protocol.
off         None                   Disables EtherChannel unconditionally.
active      LACP                   Initiates negotiation by sending LACP packets. Recommended if the workstation/server supports LACP.
passive     LACP                   If the remote end sends LACP packets, negotiation will start.
desirable   PAgP                   Initiates negotiation by sending PAgP packets. Recommended if the workstation/server supports PAgP.
auto        PAgP                   If the remote end sends PAgP packets, negotiation will start.

Example
Let’s take an example to see the benefits of this technology:
Suppose your company has two switches connecting with each
other via a FastEthernet link (100Mbps):

Your company is growing and you need to transfer more than 100 Mbps between these switches. If you simply connect more links between the two switches it will not work, because Spanning-tree protocol (STP) will block the redundant links to prevent a loop:
To extend the capacity of the link you have two ways:
* Buy two 1000Mbps (1Gbps) interfaces
* Use EtherChannel technology to bundle the existing links into a bigger link
The first solution is expensive, with new hardware installed on the two switches. By using EtherChannel you only need some more unused ports on your switches:
Example: EtherChannel on Catalyst switches

EtherChannel bundles the physical links into one logical link with the combined bandwidth, and it is awesome! STP sees this link as a single link, so STP will not block any of the member links! EtherChannel also does load balancing among the links in the channel automatically. If a link within the EtherChannel bundle fails, traffic previously carried over the failed link is carried over the remaining links within the EtherChannel. If one of the links in the channel fails but at least one of the links is up, the logical link (EtherChannel link) remains up. EtherChannel also works well for router connections:

When an EtherChannel is created, a logical interface is created on the switches or routers representing that EtherChannel. You can configure this logical interface in the way you want. For example, assign access/trunk mode on switches, or assign an IP address to the logical interface on routers…
Note: A maximum of 8 Fast Ethernet (1600 Mbps) or 8 Gigabit Ethernet ports (16 Gbps) can be grouped together when forming an EtherChannel.
LACP is the IEEE Standard (IEEE 802.3ad) and is the most
common dynamic ether-channel protocol, whereas PAgP is a
Cisco proprietary protocol and works only between supported
vendors and Cisco devices. All ports in an EtherChannel must
use the same protocol; you cannot run two protocols on two
ends. In other words, PAgP and LACP are not compatible so
both ends of a channel must use the same protocol.
The static (or “on”) mode bundles the links unconditionally and no negotiation protocol is used. In this mode, neither PAgP nor LACP packets are sent or received.
Port Aggregation Protocol (PAgP)
PAgP dynamically negotiates the formation of a channel. There
are two PAgP modes:

Auto        Responds to PAgP messages but does not aggressively negotiate a PAgP EtherChannel. A channel is formed only if the port on the other end is set to Desirable. This is the default mode.
Desirable   Port actively negotiates channeling status with the interface on the other end of the link. A channel is formed if the other side is Auto or Desirable.


The table below lists whether an EtherChannel will be formed or not for PAgP:

PAgP        Desirable   Auto
Desirable   Yes         Yes
Auto        Yes         No

Link Aggregation Control Protocol (LACP)
LACP also dynamically negotiates the formation of a channel. There are two LACP modes:

Passive   Responds to LACP messages but does not aggressively negotiate a LACP EtherChannel. A channel is formed only if the other end is set to Active.
Active    Port actively negotiates channeling with the interface on the other end of the link. A channel is formed if the other side is Passive or Active.

The table below lists whether an EtherChannel will be formed or not for LACP:

LACP      Active   Passive
Active    Yes      Yes
Passive   Yes      No
In general, Auto mode in PAgP is the same as Passive mode in LACP, and Desirable mode is the same as Active mode: Auto = Passive, Desirable = Active.
Static (“On”)
In this mode, no negotiation is needed. The interfaces become members of the EtherChannel immediately. When using this mode make sure the other end uses this mode too, because the switches will not check whether the port parameters match. Otherwise the EtherChannel would not come up and may cause some trouble (like a loop…).
Note: All interfaces in an EtherChannel must be configured identically to form an EtherChannel. Specific settings that must be identical include:
* Speed settings
* Duplex settings
* STP settings
* VLAN membership (for access ports)
* Native VLAN (for trunk ports)
* Allowed VLANs (for trunk ports)
* Trunking encapsulation (ISL or 802.1Q, for trunk ports)
Configuring Layer 2 EtherChannels
You configure Layer 2 EtherChannels by assigning ports to a
channel group with the channel-group interface configuration
command. This command automatically creates the port-channel
logical interface.
If you enabled PAgP on a port in the auto or desirable mode,
you must reconfigure it for either the on mode or the LACP
mode before adding this port to a cross-stack EtherChannel.
PAgP does not support cross-stack EtherChannels.
This example shows how to configure an EtherChannel on a
single switch in the stack. It assigns two ports as static-access
ports in VLAN 10 to channel 5 with the PAgP mode desirable:
Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode desirable non-silent
Switch(config-if-range)# end
This example shows how to configure an EtherChannel on a single switch in the stack. It assigns two ports as static-access ports in VLAN 10 to channel 5 with the LACP mode active:
Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# end
This example shows how to configure a cross-stack
EtherChannel. It uses LACP passive mode and assigns two ports
on stack member 2 and one port on stack member 3 as static-
access ports in VLAN 10 to channel 5:
Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/4 -5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode active
Switch(config-if-range)# exit
Switch(config)# interface gigabitethernet3/0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# channel-group 5 mode active
Switch(config-if)# exit
Configuring Layer 3 EtherChannels
To configure Layer 3 EtherChannels, you create the port-
channel logical interface and then put the Ethernet ports into the
port-channel as described in the next two sections.

Note: Layer 3 EtherChannels are not supported on switches running the LAN base feature set.

Creating Port-Channel Logical Interfaces
When configuring Layer 3 EtherChannels, you should first manually create the port-channel logical interface by using the interface port-channel global configuration command. Then you put the logical interface into the channel group by using the channel-group interface configuration command.
Note: To move an IP address from a physical port to an EtherChannel, you must delete the IP address from the physical port before configuring it on the port-channel interface.
Example: In this example, we will create an EtherChannel via LACP between SwA & SwB with the topology shown below:

SwA Configuration
//Assign EtherChannel group 1 to fa0/0 and fa0/1 and set Active mode on them
SwA(config)#interface range fa0/0 - 1
SwA(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
//Next configure the representing port-channel interface as trunk
SwA(config)#interface port-channel 1
SwA(config-if)#switchport trunk encapsulation dot1q
SwA(config-if)#switchport mode trunk

SwB Configuration
//Assign EtherChannel group 2 to fa0/5 and fa0/6 and set Passive mode on them
SwB(config)#interface range fa0/5 - 6
SwB(config-if-range)#channel-group 2 mode passive
Creating a port-channel interface Port-channel 2
//Next configure the representing port-channel interface as trunk
SwB(config)#interface port-channel 2
SwB(config-if)#switchport trunk encapsulation dot1q
SwB(config-if)#switchport mode trunk
That is all the configuration for the EtherChannel to work well
on both switches. We can verify with the “show etherchannel
<port-channel number> port-channel” or “show etherchannel
summary” command.
SwA# show etherchannel 1 port-channel
Port-channels in the group:
----------------------------
Port-channel: Po1
Age of the Port-channel   = 0d:00h:02m:37s
Logical slot/port   = 2/1            Number of ports = 2
GC                  = 0x00010001     HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            = LACP
Port security       = Disabled

Ports in the Port-channel:

Index   Load   Port    EC state          No of bits
------+------+------+------------------+-----------
  0     00     Fa0/0   Active               0
  0     00     Fa0/1   Active               0

Time since last port bundled:    0d:00h:02m:27s    Fa0/1

The “show etherchannel number port-channel” command can be used to display information about a specific port channel (in this case port-channel 1). From the output above, we can see that Port-channel 1 consists of Fa0/0 & Fa0/1 and that they are in the Active state.
SwA# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/0(P)    Fa0/1(P)
The “show etherchannel summary” command can be used to simply display one line of information per port-channel. In this case we learn from the last line that Group 1 uses LACP. This is a Layer 2 EtherChannel (symbolized by “SU”, in which “S” means “Layer2” and “U” means this port-channel is in use, i.e. up).
EtherChannel Load-Balancing
EtherChannel load-balances traffic among the port members of the same channel. Load balancing between member interfaces is based on:
+ Source MAC address
+ Destination MAC address
+ Source IP address
+ Destination IP address
+ Combination of Source and Destination MAC address
+ Combination of Source and Destination IP address
Note: Some old switch/router platforms do not support all the load-balancing methods above. To configure the load-distribution method, use the command port-channel load-balance under global configuration mode. For example, to load-balance based on the destination MAC use the command:
Router(config)#port-channel load-balance dst-mac

End of Chapter 3

_________________________________________________

Chapter 4
Introduction to the Cisco IOS
_This chapter will cover the following topics:
_Understanding and configuring the Cisco Internetwork Operating System (IOS)
_Connecting to a router
_Bringing up a router
_Logging into a router
_Understanding the router prompts
_Understanding the CLI prompts
_Performing editing and help features
_Gathering basic routing information
_Setting administrative functions
_Setting hostnames
_Setting banners
_Setting passwords
_Setting interface descriptions
_Performing interface configurations
_Viewing, saving, and erasing configurations
_Verifying routing configurations

Cisco IOS
The IOS is what runs Cisco routers as well as some Cisco switches, and it’s what allows you to configure the devices, including switches (2960, 2950, etc.), routers (2800, 7200, etc.) as well as firewalls such as the 5400 series.
Some of the important things that the Cisco router IOS software
is responsible for include
_Carrying network protocols and functions
_Connecting high-speed traffic between devices
_Adding security to control access and stop unauthorized
network use
_Providing scalability for ease of network growth and
redundancy
_Supplying network reliability for connecting to network
resources
You can access the Cisco IOS through the console port of a router, from a modem into the auxiliary (or Aux) port, or even through Telnet. Access to the IOS command line is called an EXEC session.
Connecting to a Cisco Router
There are different ways to do this, but most often, the first place you would connect to is the console port. The console port is usually an RJ-45 (8-pin modular) connection located at the back of the router—by default, there’s no password set.
Bringing Up a Router or Switch
When you first bring up a Cisco router, it will run a power-on
self-test (POST). If it passes, it will then look for and load the
Cisco IOS from flash memory—if an IOS file is present. (Just in
case you don’t know, flash memory is an electronically erasable
programmable read-only memory— an EEPROM.) After that,
the IOS loads and looks for a valid configuration—the startup-
config— that’s stored by default in nonvolatile RAM, or
NVRAM.
Types of memory
Generally, Cisco routers (and switches) contain four types of
memory:
Read-Only Memory (ROM): ROM stores the router's bootstrap
program, the ROM Monitor (ROMmon) and the power-on
diagnostic test programs (POST). On some platforms it also holds
a limited fallback image (the mini-IOS) used when no image can
be loaded from flash.
Flash Memory: Generally referred to simply as "flash", the IOS
images are held here. Flash is erasable and reprogrammable
ROM. Flash memory content is retained by the router on reload.
Random-Access Memory (RAM): Stores operational
information such as routing tables and the running configuration
file. RAM contents are lost when the router is powered down or
reloaded.
Non-volatile RAM (NVRAM): NVRAM holds the router's
startup configuration file. NVRAM contents are not lost when
the router is powered down or reloaded.
Some comparisons to help you remember more easily:
+ RAM is volatile memory, so its contents are lost on reload,
whereas NVRAM and Flash contents are not.
+ NVRAM holds the startup configuration file, whereas RAM
holds the running configuration file.
+ ROM contains a bootstrap program called ROM Monitor (or
ROMmon). When a router is powered on, the bootstrap runs a
hardware diagnostic called POST (Power-On Self Test).
Router boot process
The following details the router boot process:
1. The router is powered on.
2. The router first runs the Power-On Self Test (POST).
3. The bootstrap checks the Configuration Register value to
decide where to load the IOS from. By default (the default value
of the Configuration Register is 0x2102) the router first looks
for "boot system" commands in the startup-config file. If it
finds these commands, it runs them in the order they appear in
the startup-config to locate the IOS. If not, the IOS image is
loaded from Flash. If no IOS is found in Flash, the bootstrap can
try to load the IOS from a TFTP server or from ROM (the
mini-IOS).
4. After the IOS is found, it is loaded into RAM.
5. The IOS attempts to load the configuration file (startup-
config) from NVRAM into RAM. If the startup-config is not
found in NVRAM, the IOS attempts to load a configuration file
from TFTP. If no TFTP server responds, the router enters Setup
Mode (Initial Configuration Mode).
Note that the configuration register also controls whether the
startup-config is read at all: the value 0x2142 tells the router to
ignore NVRAM at boot, which is how password recovery works
and why a production device showing 0x2142 in show version
deserves a closer look.
This is the process you see on the console when the router is
powered on (the original shows the boot output as a screenshot).
In short, when powered on the router needs to:
1. Run POST to check the hardware
2. Search for a valid IOS (the operating system of the router)
3. Search for a configuration file (all the configurations applied
to this router)
Finding out how much RAM, NVRAM and Flash a router has
From the boot output we can also learn the router's model and the
size of its RAM, Flash and NVRAM memories:
Note: The "show version" command also gives us this
information. All of the above information is straightforward
except the RAM figure. On some router series the RAM
information is displayed as two numbers (in this case
60416K/5120K). The first number is the amount of DRAM
available to the processor, while the second (5120K) is the
amount of DRAM set aside as packet memory, which is used for
buffering packets. The total installed RAM is the sum of the two.
So, from the output above we can learn:
Amount of RAM: 60416 + 5120 = 65536KB / 1024 = 64MB
Amount of NVRAM: 239KB
Amount of Flash: 62720KB
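As an added example (this script is not part of the original page or of any Cisco tool), here is a Python parser that reads the same figures out of show version text, sums the two RAM numbers the way the calculation above does, and also interprets the configuration register, which a reviewer should check alongside the memory sizes. The sample output is constructed for the example, modelled on the line formats quoted above; the register bit meanings (boot field in bits 0-3, 0x0040 = ignore NVRAM, 0x0100 = Break disabled) are the standard Cisco definitions.

```python
import re

# Constructed sample modelled on the lines quoted in the text; not a capture
# from a real device.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T1
...
Cisco 2811 (revision 53.51) with 60416K/5120K bytes of memory.
Processor board ID FTX0000A0AA
2 FastEthernet interfaces
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2142 (will be 0x2102 at next reload)
"""


def parse_show_version(text):
    """Extract model, memory sizes (KB) and the configuration register from show version."""
    info = {}
    m = re.search(r"^(Cisco \S+) .*?with (\d+)K(?:/(\d+)K)? bytes of memory", text, re.M)
    if m:
        info["model"] = m.group(1)
        processor_kb = int(m.group(2))
        packet_kb = int(m.group(3) or 0)           # second figure: DRAM reserved as packet memory
        info["packet_memory_kb"] = packet_kb
        info["ram_kb"] = processor_kb + packet_kb  # installed RAM is the sum of the two figures
        info["ram_mb"] = info["ram_kb"] // 1024
    m = re.search(r"^(\d+)K bytes of non-volatile configuration memory", text, re.M)
    if m:
        info["nvram_kb"] = int(m.group(1))
    m = re.search(r"^(\d+)K bytes of .*[Ff]lash", text, re.M)
    if m:
        info["flash_kb"] = int(m.group(1))
    m = re.search(r"^Configuration register is (0x[0-9A-Fa-f]+)"
                  r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?", text, re.M)
    if m:
        info["config_register"] = int(m.group(1), 16)
        info["next_config_register"] = int(m.group(2), 16) if m.group(2) else info["config_register"]
    return info


def config_register_findings(register):
    """Return short tags for register settings that change how the box boots or loads its config."""
    findings = []
    boot_field = register & 0x000F
    if boot_field == 0x0:
        findings.append("boot-rommon")              # stops in ROM Monitor instead of loading IOS
    elif boot_field == 0x1:
        findings.append("boot-rom-image")           # boots the fallback mini-IOS from ROM
    if register & 0x0040:
        findings.append("ignore-startup-config")    # NVRAM skipped at boot: the password-recovery setting
    if not register & 0x0100:
        findings.append("break-enabled")            # Break key drops to ROMmon even after boot
    return findings
```

Run against the sample, the parser returns 64 MB of RAM (60416 + 5120 KB), 239 KB of NVRAM and 62720 KB of flash, and flags the current register 0x2142 as ignoring the startup configuration while noting that 0x2102 takes effect at the next reload.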
After booting, the router lets us type commands, but each mode
allows only a specific set of commands. So, in this tutorial we
will learn about the Command Line Interface (CLI) and the
different modes in a Cisco router/switch.
Below is a list of the common modes in a Cisco switch/router:
Router>                  User mode
Router#                  Privileged mode
Router(config)#          Configuration mode
Router(config-if)#       Interface level (within configuration mode)
Router(config-router)#   Routing engine level (within configuration mode)
Router(config-line)#     Line level (vty, tty, async) within configuration mode
Now let's discuss each mode in more detail.
User mode (Unprivileged mode)
In most cases this is the mode you see on the screen after
connecting to the device. This mode provides limited access to
the router. You are given a set of nondestructive commands that
allow examination of certain router configuration parameters
(mostly to view statistics). You cannot, however, make any
changes to the router configuration.
Privileged mode
Also known as Enabled mode, this mode allows greater
examination of the router and provides a more robust command
set than User mode (show running-config, copy, reload, debug
and so on). Global Configuration mode is entered from here, so
this is the mode from which you can edit the configuration of the
router. Entry is protected by the enable secret (or enable
password), which is why that password matters more than any
line password.
Configuration mode
Also called the Global Configuration mode, this mode is entered
from the Privileged mode and supplies the complete command
set for configuring the router. In this mode you can access
interface level, routing engine level, line level…
Interface level
In some books this level is also referred to as "interface
configuration mode" or "interface mode". It is a level inside
Configuration mode, so you can see the "configuration" part in
its prompt (config-if). This level is entered by naming a specific
interface in Configuration mode. For example:
Router(config)#interface fa0/0
Router(config-if)#
Notice that the prompt does not tell you which interface is being
configured, so be careful at this level while you are configuring!
This lack of information makes it easy to configure the wrong
interface.
Routing engine level
This is the level where we configure dynamic routing protocols
(RIP, OSPF, EIGRP…). You will learn about them later in
CCNA.
Line level
At this level we configure the Telnet/SSH (vty), Console and
AUX port parameters. Notice that the prompt (config-line) is
used for all "lines" on the router, so you must be careful about
which line you are configuring!
Note: The "line" here can be a physical Console port or a virtual
connection such as a Telnet or SSH session (a vty line).
For example, entering line level for the five virtual terminal
lines from Configuration mode:
Router(config)#line vty 0 4
Router(config-line)#
Learning about modes is not difficult and you will get familiar
with them while configuring routers & switches. Just pay a little
attention to them each time you practice and surely you can
grasp them easily.
Note: By default the enable secret is stored as a salted hash (type
5 MD5 on older releases, the stronger type 8 or 9 on newer ones),
while the enable password is stored in clear text. If both are
configured, the enable secret is the one checked. Unless you must
support a very old IOS image, set only the enable secret.
Hostname and Interface IP Address
Router(config)#hostname Comnetss
Comnetss(config)#interface fa0/1
Comnetss(config-if)#ip address 192.168.10.1 255.255.255.0
(IP address with subnet mask on the interface. Note that the
command is entered at interface level, not at the (config)#
prompt, and that a router interface stays administratively down
until you enter no shutdown on it.)
(The show ip interface brief command in privileged mode lists
all interfaces of the device with their addresses and status.)
Descriptions
Setting descriptions on an interface is helpful to the
administrator and, like the hostname, only locally significant.
The description command is a helpful one because you can, for
instance, use it to keep track of circuit numbers.
Here’s an example:
Atlanta(config)#int e0
Atlanta(config-if) #description Sales Lan
Atlanta(config-if) #int s0
Atlanta(config-if) #desc Wan to Miami circuit:6fdda4321
You can view the description of an interface either with the
show running-config command or the show interface command:
Atlanta#sh run
("sh run" is the abbreviation of show running-config, which
displays the running configuration.)
Configure Passwords on the Line
To specify a password on a line, use the password command in
line configuration mode. To enable password checking at login,
use the login command in line configuration mode.
Configuration Procedure
In this example, a password is configured for all users
attempting to use the console.
First, here is an example of setting the enable passwords:
Router(config)#enable secret todd
Router(config)#enable password todd
The enable password you have chosen is the same as your
enable secret. This is not recommended. Re-enter the
enable password.
(When both are configured the router checks the enable secret,
so the enable password is dead weight that still ends up in the
configuration in a recoverable form. Set only the enable secret.)
1. From the privileged EXEC (or "enable") prompt, enter
configuration mode and then switch to line configuration mode
using the following commands. Notice that the prompt changes
to reflect the current mode.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#line con 0
router(config-line)#
2. Configure the password, and enable password checking at
login.
router(config-line)#password letmein
router(config-line)#login
3. Exit configuration mode.
router(config-line)#end
router#
%SYS-5-CONFIG_I: Configured from console by console
Note: Do not save configuration changes to line con 0 until
your ability to log in has been verified.
Note: Under the line console configuration, login is a required
configuration command to enable password checking at login.
Console authentication requires both the password and
the login commands to work; a password without login is never
checked.
Verify the Configuration
Examine the configuration of the router to verify that the
commands have been properly entered. show running-config
displays the current configuration of the router:
router#show running-config
Building configuration...
...
!--- Lines omitted for brevity
!
line con 0
 password letmein
 login
line 1 8
line aux 0
line vty 0 4
!
end
To test the configuration, log off the console and log in again,
using the configured password to access the router:
router#exit
router con0 is now available
Press RETURN to get started.
User Access Verification
Password:
!--- Password entered here is not displayed by the router
router>
Note: Before performing this test, ensure that you have an
alternate connection into the router, such as Telnet or dial-in,
in case there is a problem logging back into the router.
Troubleshoot Login Failure
If you cannot log back into the router and you have not saved
the configuration, reloading the router will eliminate any
configuration changes you have made.
If the configuration changes were saved and you cannot login to
the router, you will have to perform a password recovery.
See Password Recovery Procedures to find instructions for your
particular platform.
Configure Local User-Specific Passwords
To establish a username-based authentication system, use
the username command in global configuration mode. To
enable password checking at login, use the login local command
in line configuration mode.
Configuration Procedure
In this example, passwords are configured for users attempting
to connect to the router on the VTY lines using Telnet.
1. From the privileged EXEC (or "enable") prompt, enter
configuration mode and enter username/password
combinations, one for each user for whom you want to allow
access to the router:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#username russ password montecito
router(config)#username cindy password belgium
router(config)#username mike password rottweiler
2. Switch to line configuration mode, using the following
commands. Notice that the prompt changes to reflect the
current mode.
router(config)#line vty 0 4
router(config-line)#
3. Configure password checking at login.
router(config-line)#login local
4. Exit configuration mode.
router(config-line)#end
router#
%SYS-5-CONFIG_I: Configured from console by console
Note: In order to disable auto Telnet when you type a name on
the CLI, configure no logging preferred on the line that is
used. While transport preferred none provides the same
output, it also disables auto Telnet for the defined hosts that are
configured with the ip host command. This is unlike the no
logging preferred command, which stops it for undefined
hosts and lets it work for the defined ones.
Verify the Configuration
Examine the configuration of the router to verify that the
commands have been properly entered. show running-config
displays the current configuration of the router:
router#show running-config
Building configuration...
!
!--- Lines omitted for brevity
!
username russ password 0 montecito
username cindy password 0 belgium
username mike password 0 rottweiler
!
!--- Lines omitted for brevity
!
line con 0
line 1 8
line aux 0
line vty 0 4
 login local
!
end
Note the 0 after password: type 0 means the password is stored
in clear text, readable by anyone who can view or obtain the
configuration. Use username name secret password instead,
which stores a hash.
To test this configuration, a Telnet connection must be made to
the router. This can be done by connecting from a different
host on the network, but you can also test from the router itself
by telnetting to the IP address of any interface on the router
that is in an up/up state as seen in the output of the show
interfaces command.
Here is a sample output if the address of interface ethernet
0 were 10.1.1.1:
router#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Username: mike
Password:
!--- Password entered here is not displayed by the router
Encrypting Your Passwords
Because only the enable secret password is hashed by default,
the user-mode (line) and enable passwords are stored in clear
text unless you turn on password encryption.
To encrypt them, use the service password-encryption
command. Here is an example:
Router#config t
Enter configuration commands, one per line. End with
CNTL/Z.
Router(config)#service password-encryption
Router(config)#enable password todd
Router(config)#line vty 0 197
Router(config-line)#login
Router(config-line)#password todd2
Router(config-line)#line con 0
Router(config-line)#login
Router(config-line)#password todd1
Router(config-line)#line aux 0
Router(config-line)#login
Router(config-line)#password todd
Router(config-line)#exit
Router(config)#no service password-encryption
Router(config)#^Z (Control Z)
Turning the service off again at the end does not decrypt the
passwords that were already stored; they stay in their encrypted
form, and only passwords set from then on are stored in clear
text.
Be clear about what this buys you: service password-encryption
produces "type 7" strings, which are a simple reversible encoding
(the algorithm and its key are public), not a hash. It stops
shoulder-surfing of show running-config and nothing more.
Anyone who obtains a saved configuration can recover every type
7 password in seconds. Store credentials that matter as hashes
(enable secret, username name secret) and treat configuration
backups as sensitive.
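The following Python script is an added example, not code from the original page: it audits a running-config for the weaknesses described above and demonstrates why service password-encryption is not protection. The sample configuration is constructed for the example (the secret 5 hashes are placeholders), the type 7 key is the publicly documented one, and the rule that a vty line without transport input is treated as permitting Telnet is an assumption of the script.

```python
import re

# Key used by IOS "type 7" (service password-encryption) obfuscation. It is
# public knowledge, which is the whole point of this example.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Reverse a type 7 string: two-digit seed, then one hex byte per character,
    each XORed with the key character at (seed + position)."""
    seed = int(encoded[:2])
    chars = []
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        chars.append(chr(byte ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])))
    return "".join(chars)


def type7_encode(plain, seed=8):
    """Forward direction; used here only to build the constructed sample config."""
    body = "".join(
        f"{ord(c) ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]):02X}"
        for i, c in enumerate(plain)
    )
    return f"{seed:02d}{body}"


# Constructed running-config in the shape of the examples in the text. The
# "secret 5" hashes are placeholders, not real digests.
SAMPLE_CONFIG = f"""\
hostname Comnetss
service password-encryption
enable secret 5 $1$salt$placeholder-not-a-real-hash
enable password 7 {type7_encode("todd", 8)}
username russ password 7 {type7_encode("montecito", 3)}
username cindy secret 5 $1$salt$placeholder-not-a-real-hash
line con 0
 password 7 {type7_encode("letmein", 12)}
 login
line aux 0
 password 7 {type7_encode("todd", 8)}
line vty 0 4
 password 7 {type7_encode("todd2", 4)}
 login local
 transport input telnet ssh
end
"""

CRED = r"(?:(0|7) )?(\S+)"   # optional type number followed by the stored value


def _recover(kind, value):
    """Type 7 is decoded; type 0 (or no type) is already clear text."""
    return type7_decode(value) if kind == "7" else value


def audit_config(config):
    """Walk a running-config and return (code, line_no, detail) findings."""
    findings = []
    blocks = []      # (line name, start line, [(line_no, text), ...])
    current = None
    for no, raw in enumerate(config.splitlines(), 1):
        text = raw.strip()
        if raw.startswith(" "):               # indented: belongs to the open "line" block
            if current is not None:
                current[2].append((no, text))
            continue
        current = None
        if m := re.match(rf"enable password {CRED}", text):
            findings.append(("enable-password-reversible", no, _recover(m.group(1), m.group(2))))
        if m := re.match(rf"username (\S+) password {CRED}", text):
            findings.append(("username-password-reversible", no,
                             f"{m.group(1)}:{_recover(m.group(2), m.group(3))}"))
        if m := re.match(r"line (.+)", text):
            current = (m.group(1), no, [])
            blocks.append(current)

    for name, start, body in blocks:
        has_password = has_login = False
        transport = "telnet ssh"   # assumption: no "transport input" is treated as permissive
        for no, text in body:
            if m := re.match(rf"password {CRED}", text):
                has_password = True
                if m.group(1) == "7":
                    findings.append(("line-password-reversible", no, f"{name}:{type7_decode(m.group(2))}"))
            if text.startswith("login"):
                has_login = True
            if m := re.match(r"transport input (.+)", text):
                transport = m.group(1)
        if has_password and not has_login:
            findings.append(("line-password-not-checked", start, name))   # password set but never asked for
        if name.startswith("vty") and ("telnet" in transport or transport == "all"):
            findings.append(("vty-allows-telnet", start, name))           # clear-text logins possible
    return findings
```

Against the sample, the audit recovers "todd", "montecito" and every line password from their type 7 form, reports the aux line whose password is never checked because login is missing, and flags the vty lines for still accepting Telnet. The well-known test vector 7 0822455D0A16 decodes to "cisco".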
Banners
A banner is more than just a little cool: one very good reason
for having a banner is to give anyone who attempts to telnet
or dial into your internetwork a security notice. The text should
state that the system is for authorized use only and that activity
may be monitored; avoid words like "Welcome", since a banner
that invites access weakens a later claim that the access was
unauthorized. The motd banner is shown to everyone who
connects, before any login prompt.
Router(config)#banner ?
  LINE      c banner-text c, where 'c' is a delimiting character
  exec      Set EXEC process creation banner
  incoming  Set incoming terminal line banner
  login     Set login banner
  motd      Set Message of the Day banner
Router(config)#banner motd #
Enter TEXT message. End with the character '#'.
Viewing, Saving, and Erasing Configurations
If you run through setup mode, you will be asked if you want to
use the configuration you just created.
If you say Yes, it copies the configuration running in DRAM
(known as the running-config) into NVRAM and names the file
startup-config. You can manually save the file from DRAM to
NVRAM with the copy running-config startup-config command
(the shortcut copy run start also works):
Atlanta#copy run start
Useful Commands
Router command history
Up arrow: recalls the previous command entered
Down arrow: moves forward again to the more recent command
show history: shows the last 10 commands entered by default
show terminal: shows terminal configuration and the history
buffer size
erase startup-config: deletes the startup configuration from
NVRAM (the running configuration is untouched until reload)
reload: restarts the router/switch
show version (sh version): shows basic configuration of the
system hardware as well as the software version, uptime and the
configuration register

End of chapter 4
____________________________________________
CHAPTER 5 IP Routing
This chapter covers the following topics:
 Configure and verify routing configuration for a static or
default route given specific routing requirements.
 Static vs. dynamic
 Link state vs. distance vector
 Next hop
 IP routing table
 Passive interfaces (how they work)
 Administrative distance
 Split horizon
 Metric
 Resolve network loops in distance-vector routing
protocols
 Configure and verify RIP, IGRP, EIGRP, RIPv2, OSPF and
BGP routing
 Configure and verify OSPF
 Benefit of single-area OSPF
 Configure OSPFv2
 Configure OSPFv3
 Router ID
 Passive interface
 Discuss multi-area OSPF
 Understand LSA types and purpose
IP routing
IP routing is the process of moving packets from one network to
another network and delivering the packets to hosts. Routing is
used for taking a packet from one device and sending it through
the network to another device on a different network. Routers
route traffic to all the networks in your internetwork. To be able
to route packets, a router must know, at a minimum, the
following:
1. Destination address
2. Neighbor routers from which it can learn about remote
networks
3. Possible routes to all remote networks
4. The best route to each remote network
5. How to maintain and verify routing information
The IP Routing Process
The figure describes step by step what happens when Host A
wants to communicate with Host B on a different network.
1. From a command prompt, the user types ping 172.16.20.2. A
packet is generated on the Host A machine using the IP and
ICMP Network layer protocols.
2. IP compares the destination address with Host A's own
address and subnet mask and finds that 172.16.20.2 is on a
remote network, not the local one. The packet must therefore be
sent to the default gateway (the router), so the hardware address
that IP asks ARP for is the router's, not Host B's.
3. For Host A to send the packet to the router, it must know the
hardware address of the router's interface located on the local
network. Remember that the Network layer hands the packet
and the destination hardware address to the Data Link layer for
framing and transmitting on the local network. To get the
hardware address, the host looks in a location in memory called
the ARP cache.
4. If the IP address has not already been resolved to a hardware
address and is not in the ARP cache, the host sends an ARP
broadcast looking for the hardware address of IP address
172.16.10.1. This is why the first ping usually times out, and the
other four are successful. After the address is cached, no
timeouts usually occur.
5. The router replies with the hardware address of its Ethernet
interface connected to Host A. After getting the hardware address
of the router interface, the host sends the packet out on the local
network (where the host connects to E0).
6. The Data Link layer creates a frame, which encapsulates the
packet with the control information needed to transmit on the
local network. This includes the source and destination hardware
addresses and the type field specifying the Network layer
protocol (it is a type field since IP uses an Ethernet_II frame by
default). The figure below shows the frame that will be
generated by the Data Link layer and sent out on the local
media.
In the figure, all of the information needed to communicate with
the router is shown: the source and destination hardware
addresses, the source and destination IP addresses, and finally
the data and the frame's CRC inside the Frame Check Sequence
(FCS) field.
7. The Data Link layer of Host A hands the frame to the Physical
layer, which encodes the 1s and 0s into a digital signal and
transmits this out on the local physical network.
8. The signal is picked up by the router's Ethernet 0 interface,
and the interface synchronizes on the digital signal preamble and
extracts the frame. The router's interface, after rebuilding the
frame, runs a CRC over it and compares the result with the FCS
field at the end of the frame to make sure the frame was not
corrupted in transit.
9. The destination hardware address is checked. Since this will
be a match, the type field in the frame is checked to see
what the router should do with the data packet. IP is, of course,
in the type field, and the router hands the packet to the IP
protocol running on the router. The frame is discarded, and the
original packet that was generated by Host A now sits in the
router's buffer.
10. IP looks at the packet's destination IP address to determine
whether the packet is for the router itself. Since the destination
IP address is 172.16.20.2, the router determines from the routing
table that 172.16.20.0 is a directly connected network on
interface Ethernet 1.
11. The router places the packet in the buffer of interface
Ethernet 1. The router needs to create a frame to send the packet
to the destination host. First, the router looks in its ARP cache
to determine whether the hardware address has already been
resolved from a prior communication. If it is not in the ARP
cache, the router sends an ARP broadcast out Ethernet 1 to find
the hardware address of 172.16.20.2.
12. Host B responds with the hardware address of its network
interface card in an ARP reply. The router's Ethernet 1
interface now has everything it needs to send the packet to the
final destination. The figure below shows the frame that was
generated and sent out on the physical network.

13. Host B receives the frame and runs a CRC. If that checks
out, it discards the frame and hands the packet to IP. IP then
checks the destination IP address. Since the IP destination
address matches the IP configuration of Host B, it looks in the
protocol field of the packet to determine what the purpose of the
packet is.
14. Since the packet is an ICMP echo request, Host B generates
a new ICMP echo-reply packet with a source IP address of
Host B and a destination IP address of Host A. The process
starts all over again, except that it goes in the opposite direction.
However, the hardware address of each device along the path is
already known, so each device only needs to look in its ARP
cache to determine the hardware address of the next interface.
Note: If you had a much larger network, the process would be
the same, with the packet simply going through more hops
before it finds the destination host.
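As an added example (not part of the original text), the following Python model walks through steps 2 to 6 for Host A: the subnet-mask comparison that decides whether the destination is local or behind the gateway, the ARP cache lookup, the ARP broadcast on a miss, and the Ethernet_II header that results. Addresses follow the figure (Host A on 172.16.10.0/24, router E0 at 172.16.10.1); the MAC addresses and the LAN dictionary that stands in for the wire are constructed for the example.

```python
import ipaddress


class Host:
    """Model of the sending host's decision in steps 2-6: local or remote
    destination, ARP cache lookup, ARP request, then framing."""

    def __init__(self, ip, prefixlen, mac, gateway):
        self.iface = ipaddress.IPv4Interface(f"{ip}/{prefixlen}")
        self.mac = mac
        self.gateway = ipaddress.IPv4Address(gateway)
        self.arp_cache = {}        # IPv4Address -> hardware address
        self.arp_requests = []     # every ARP broadcast the host had to send

    def next_hop(self, dst_ip):
        """Step 2: a destination outside our own subnet is reached via the gateway."""
        dst = ipaddress.IPv4Address(dst_ip)
        return dst if dst in self.iface.network else self.gateway

    def build_frame(self, dst_ip, wire):
        """Steps 3-6. `wire` stands in for the LAN: a dict of IP -> MAC of the
        stations that would answer an ARP request. Returns the Ethernet_II
        header fields the Data Link layer puts around the IP packet."""
        hop = self.next_hop(dst_ip)
        if hop not in self.arp_cache:                  # step 3: ARP cache miss
            self.arp_requests.append(str(hop))         # step 4: broadcast "who has <hop>?"
            if hop not in wire:
                return None                            # nobody answered; nothing can be framed
            self.arp_cache[hop] = wire[hop]            # step 5: cache the reply
        return {                                       # step 6: frame header
            "dst_mac": self.arp_cache[hop],            # router's MAC for remote destinations
            "src_mac": self.mac,
            "type": 0x0800,                            # Ethernet_II type field for IP
            "src_ip": str(self.iface.ip),
            "dst_ip": str(ipaddress.IPv4Address(dst_ip)),  # unchanged: still Host B's address
        }


# Constructed topology from the text: Host A and the router's E0 share
# 172.16.10.0/24; Host B sits on 172.16.20.0/24 behind the router.
ROUTER_E0_MAC = "00:00:0c:11:11:11"
LAN = {
    ipaddress.IPv4Address("172.16.10.1"): ROUTER_E0_MAC,        # router E0
    ipaddress.IPv4Address("172.16.10.5"): "00:00:0c:55:55:55",  # another local host
}


def host_a():
    return Host("172.16.10.2", 24, "00:00:0c:aa:aa:aa", gateway="172.16.10.1")
```

The first frame to 172.16.20.2 carries the router's MAC as destination but Host B's IP address, and costs one ARP broadcast; a second packet to the same gateway is framed straight from the cache, which is the behaviour behind the "first ping times out" observation. A local destination is resolved directly, and a destination nobody answers for cannot be framed at all.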
Types of Routing
If you understand the different routing types, you will be able to
decide what fits best in your business requirements. The different
types of routing you will learn about in this chapter include the
following:
 Static routing
 Default routing
 Dynamic routing
Static Routing: is the process of an administrator manually
adding routes in each router's routing table.
Static routing has the following benefits:
 No overhead on the router CPU
 No bandwidth usage between routers
 Security (because the administrator only allows routing to
certain networks)
Static routing has the following disadvantages:
 The administrator must really understand the internetwork
and how each router is connected to configure the routes
correctly.
 If one network is added to the internetwork, the
administrator must add a route to it on all routers.
 It is not feasible in large networks because it would be a
full-time job.
The command used to add a static route to a routing table is:
Syntax: ip route [destination_network] [mask] [next_hop_address
or exit_interface] [administrative_distance] [permanent]

Example

Boston Router (configures static routes using the next-hop
address):
Boston(config)#ip route 172.16.30.0 255.255.255.0 172.16.20.2
Boston(config)#ip route 172.16.40.0 255.255.255.0 172.16.20.2
Boston(config)#ip route 172.16.50.0 255.255.255.0 172.16.20.2
Boston(config)#exit
Boston#copy run start

Buffalo Router (configures static routes using the exit interface):
Buffalo>en
Buffalo#config t
Buffalo(config)#ip route 172.16.10.0 255.255.255.0 s1
Buffalo(config)#ip route 172.16.50.0 255.255.255.0 s0
Buffalo(config)#exit
Buffalo#copy run start

exit interface: used in place of the next-hop address if desired.
Use it only on point-to-point links such as a serial WAN link. On
a multi-access (broadcast) interface such as Ethernet the router
has no next-hop address to ARP for, so it must ARP for every
destination and rely on the neighbour's proxy ARP; that is
fragile and generates needless ARP traffic, so give a next-hop
address instead.

Bangor Router (configures a default route):
Bangor>en
Bangor#config t
Bangor(config)#ip route 0.0.0.0 0.0.0.0 s1
Bangor(config)#exit
Bangor#copy run start

Default Routing
Default routing is used to send packets whose destination
network is not in the routing table to a next-hop router. You can
only use default routing on stub networks, which means networks
that have only one exit port out of the network.
Verification
Bangor#sh ip route
The S in the routing table entries means that the network is a
static entry.
The [1/0] shows the administrative distance and the metric of
the route: 1 is the default administrative distance of a static
route and 0 is its metric (a static route has no hop count; the
second number is not "hops").
Dynamic Routing
Dynamic routing is the process of using protocols to find and
update routing tables on routers. This is easier than static or
default routing, but you pay for it with router CPU cycles and
bandwidth on the network links. A routing protocol defines the
set of rules a router uses when it communicates with neighbor
routers.
Examples of routing protocols are RIPv1, RIPv2, IGRP, EIGRP
and OSPF.
Administrative Distances
Administrative distance is the first criterion that a router uses to
determine which routing protocol to believe if two protocols
provide route information for the same destination.
Administrative distance is a measure of the trustworthiness of
the source of the routing information. Administrative distance
has only local significance and is not advertised in routing
updates.
It is an integer from 0 to 255; 0 is best and 255 worst.
This table lists the default administrative distance values of the
protocols that Cisco supports:

Route Source                                        Default Distance
Connected interface                                  0
Static route                                         1
Enhanced Interior Gateway Routing Protocol (EIGRP)
  summary route                                      5
External Border Gateway Protocol (BGP)              20
Internal EIGRP                                      90
IGRP                                               100
OSPF                                               110
Intermediate System-to-Intermediate System (IS-IS) 115
Routing Information Protocol (RIP)                 120
Exterior Gateway Protocol (EGP)                    140
On Demand Routing (ODR)                            160
External EIGRP                                     170
Internal BGP                                       200
Unknown*                                           255

* If the administrative distance is 255, the router does not
believe the source of that route and does not install the route in
the routing table.
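As an added example (not from the original text), the following Python implementation shows how the administrative distances above decide which candidate route gets installed, and how longest-prefix match then picks the route for a destination. The table is built from the Boston router's routes in the static routing example; the default route added to it and the OSPF/RIP offers used to exercise the selection are assumptions of the example, not configuration from the text.

```python
import ipaddress
from dataclasses import dataclass

# Default administrative distances from the table above.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp-summary": 5, "ebgp": 20, "eigrp": 90,
    "igrp": 100, "ospf": 110, "isis": 115, "rip": 120, "egp": 140, "odr": 160,
    "eigrp-external": 170, "ibgp": 200, "unknown": 255,
}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str
    ad: int
    metric: int
    next_hop: str   # next-hop address, or exit interface name


class RoutingTable:
    """Keeps every candidate each source has offered per prefix; the installed
    route is the candidate with the lowest AD, then the lowest metric."""

    def __init__(self):
        self._candidates = {}

    def offer(self, prefix, source, next_hop, metric=0, ad=None):
        """A source offers a route. Returns True if it becomes the installed route."""
        net = ipaddress.IPv4Network(prefix, strict=False)
        if ad is None:
            ad = ADMIN_DISTANCE[source]
        if ad >= ADMIN_DISTANCE["unknown"]:
            return False                 # AD 255: the source is not believed, never installed
        route = Route(net, source, ad, metric, next_hop)
        self.withdraw(prefix, source)    # a newer offer from the same source replaces the old one
        self._candidates.setdefault(net, []).append(route)
        return self.best(net) == route

    def withdraw(self, prefix, source):
        """The source no longer has the route; a remaining candidate takes over."""
        net = ipaddress.IPv4Network(prefix, strict=False)
        remaining = [r for r in self._candidates.get(net, []) if r.source != source]
        if remaining:
            self._candidates[net] = remaining
        else:
            self._candidates.pop(net, None)

    def best(self, net):
        cands = self._candidates.get(net)
        return min(cands, key=lambda r: (r.ad, r.metric)) if cands else None

    def installed(self):
        return [self.best(net) for net in self._candidates]

    def lookup(self, address):
        """Forwarding decision: longest prefix match among installed routes."""
        addr = ipaddress.IPv4Address(address)
        matches = [r for r in self.installed() if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def boston_table():
    """The Boston router from the example: two connected networks, three static
    routes via 172.16.20.2 and, as an assumption for the example, a default route."""
    rt = RoutingTable()
    rt.offer("172.16.10.0/24", "connected", "e0")
    rt.offer("172.16.20.0/24", "connected", "s0")
    for net in ("172.16.30.0/24", "172.16.40.0/24", "172.16.50.0/24"):
        rt.offer(net, "static", "172.16.20.2")
    rt.offer("0.0.0.0/0", "static", "s1")
    return rt
```

A RIP advertisement for 172.16.30.0/24 is never installed while the static route exists (AD 120 against 1), an offer with AD 255 is dropped outright, and a static route configured with an AD above OSPF's 110 (a "floating static") sits idle until the OSPF route disappears. Where two sources share an AD, the lower metric wins.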
Routing Protocols
There are three classes of routing protocols:
Distance vector: distance-vector routing protocols use the
distance to a remote network to find the best path. Each time a
packet goes through a router, it is called a hop. The route with
the least number of hops to the network is determined to be the
best route. The vector is the direction to the remote network.
Examples of distance-vector routing protocols are RIP and IGRP.
Link state: typically called shortest path first; the routers each
create three separate tables:
1. Neighbor table
2. Topology table
3. Routing table
Link-state routers know more about the internetwork than any
distance-vector routing protocol. An example of an IP routing
protocol that is completely link state is OSPF.
Hybrid: uses aspects of distance vector and link state, for
example EIGRP (Cisco now describes it as an advanced
distance-vector protocol).
Routing Loops
Distance-vector routing protocols keep track of any changes to
the internetwork by broadcasting periodic routing updates out all
active interfaces. This broadcast includes the complete routing
table. This works fine, although it takes up CPU time and
link bandwidth. However, if a network outage happens,
problems can occur. The slow convergence of distance-vector
routing protocols can cause inconsistent routing tables and
routing loops.
Routing loops can occur because not every router is updated at
close to the same time. We will discuss routing loop prevention
methods later in this chapter.
Routing Information Protocol (RIP)
Routing Information Protocol (RIP) is a distance-vector routing
protocol. RIP sends the complete routing table out to all active
interfaces every 30 seconds. RIP only uses hop count (the
number of routers) to determine the best way to a remote
network.
Note: RIP v1 is a classful routing protocol but RIP v2 is a
classless routing protocol.
Classful routing protocols do not include the subnet mask with
the network address in routing updates, which can cause
problems with discontiguous subnets or networks that use
Variable-Length Subnet Masking (VLSM). Fortunately, RIPv2
is a classless routing protocol so subnet masks are included in
the routing updates, making RIPv2 more compatible with
modern routing environments.
Distance vector protocols advertise routing information by
sending messages, called routing updates, out the interfaces on a
router
RIP Operation
A big problem with distance-vector routing protocols is the
routing loop. Let's take a look at how a routing loop occurs.
Here we have routers A, B and C. Notice that at the beginning
(when a routing protocol is not turned on) there are only directly
connected networks in the routing tables of these routers. For
example, in the routing table of router A, network 1.0.0.0 is
already known because it is directly connected through interface
E0 and the metric (of a directly connected network) is 0 (these 3
parameters are shown in the routing tables below).
Also, B knows networks 2.0.0.0 & 3.0.0.0 with a metric of 0.
Also C knows networks 3.0.0.0 & 4.0.0.0 with a metric of 0.
Now we turn on RIP on these routers (we will discuss the
configuration later. In the rest of this article, we will call
network 1.0.0.0 network 1, 2.0.0.0 network 2 and so on).
RIP sends an update every 30 seconds, so after 30 seconds A
sends a copy of its routing table to B. B already knew about
network 2 but now B learns about network 1 as well. Notice the
metric we have here for directly connected networks: since we
are using RIP, the metric is hop count. Remember that a hop
count (or a hop) is how many routers a packet has to go
through to reach the destination. For example, from router A,
networks 1 & 2 (which are directly connected) are 0 hops away;
router B has now learned about network 1 from A via its E0
interface, so the metric will be 1 hop.
Each router receives a routing table from its direct neighbor. For
example, Router B receives information from Router A about
networks 1 and 2. It then adds a distance-vector metric (such as
the number of hops), increasing the distance vector of these
routes by 1.
B also exchanges its routing table with A, telling A about
networks 2 and 3.
B then passes its routing table to its other neighbor, Router C.
C also sends its update to B, and B sends it on to A.
Now the network is converged.
Now let's assume network 4 goes down suddenly.
When network 4 fails, Router C detects the failure and stops
routing packets out its E1 interface. However, Routers A and B
have not yet received notification of the failure. Router A still
believes it can reach 4.0.0.0 through Router B. The routing
table of Router A still reflects a path to network 4.0.0.0 with a
distance of 2, and router B has a path with a distance of 1.
There will be no problem if C sends an update earlier than B and
informs it that the network is currently down, but if B sends its
update first, C will see that B has a path to network 4 with a
metric of 1, so it updates its routing table, thinking "if B can get
to network 4 in 1 hop then I can get to network 4 in 2 hops",
which of course is totally wrong.
The problem does not stop here. In turn, C sends an update to B
and informs it that it can reach network 4 in 2 hops. B learns this
and thinks "if C can reach network 4 in 2 hops then I can reach
it in 3 hops".
This same process occurs as B and C keep sending each other
updates, and the metric increases toward infinity, so this
phenomenon is called "counting to infinity".
Routing Loops Prevention Methods
Below list some methods to prevent this phenomenon:
SPLIT HORIZON:
A router never sends information about a route back in same
direction which is original information came, routers keep track
of where the information about a route came from. Means when
router A sends update to router B about any failure network,
router B does not send any update for same network to router A
in same direction.
ROUTE POISONING:
Router consider route advertised with an infinitive metric to
have failed (metric=16) instead of marking it down. For
example, when network 4 goes down, router C starts route
188

poisoning by advertising the metric (hop count) of this network


as 16, which indicates an unreachable network. When router B
receives this advertising, it continues advertising this network
with a metric of 16.
POISON REVERSE:
The poison reverse rule overrides the split horizon rule. For
example, if router B receives a route poisoning of network 4
from router C, then router B will send an update back to router C
(which breaks the split horizon rule) with the same poisoned hop
count of 16. This ensures that all the routers in the domain receive
the poisoned route update.
Notice that every router performs poison reverse when learning
about a downed network. In the above example, router A also
performs poison reverse when learning about the downed
network from B.
HOLD DOWN TIMERS:
After hearing a route poisoning, a router starts a hold-down timer
for that route. If it gets an update with a better metric than the
originally recorded metric within the hold-down timer period,
the hold-down timer is removed and data can be sent to that
network. Also, within the hold-down period, if an update is
received from a different router than the one who performed
route poisoning with an equal or poorer metric, that update is
ignored. During the hold-down period, the “downed” route
appears as “possibly down” in the routing table.
For example, in the above topology, when B receives a route
poisoning update from C, it marks network 4 as “possibly
down” in its routing table and starts the hold-down timer for
network 4. In this period, if it receives an update from C
informing it that network 4 has recovered, then B will accept that
information, remove the hold-down timer and allow data to go
to that network. But if B receives an update from A informing
that it can reach the network in 1 (or more) hops, that update will be
ignored and the hold-down timer keeps counting.
Note: The default hold-down timer value is 180 seconds.
TRIGGERED UPDATE:
When any route fails in the network, the router does not wait for the
next periodic update; instead it sends an immediate update listing
the poisoned route.
COUNTING TO INFINITY:
The maximum hop count is 15; beyond that the network is considered
unreachable.
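To see counting to infinity and the effect of split horizon and poison reverse side by side, here is a small simulation added to this section; it is not part of the original text. It models the A - B - C topology above with network 4 attached to C, using the distance-vector rule that a metric received from the current next hop is always accepted and any other metric only if it is better. The router names, the single destination “net4” and the round-based update timing are constructed for the example.

```python
"""Distance-vector update simulation for the A - B - C example above.

Constructed model (not from the original text): three routers in a line,
network 4 attached to router C, and C has just lost its link to network 4.
Each round every router advertises its table to its neighbours and the
receivers apply the distance-vector rule: a metric from the current next hop
is always accepted, any other metric only if it is better.
"""

INFINITY = 16          # RIP: 16 hops means unreachable
NEIGHBORS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}


def initial_tables():
    # (metric, next_hop) for network 4 right after C detects the failure:
    # A and B still hold the converged entries, C has no route any more.
    return {
        "A": {"net4": (2, "B")},
        "B": {"net4": (1, "C")},
        "C": {"net4": (INFINITY, None)},
    }


def advertisement(table, neighbor, mode):
    """Routes a router sends to one neighbour under the chosen loop-prevention mode."""
    adv = {}
    for dest, (metric, next_hop) in table.items():
        if next_hop == neighbor:
            if mode == "split_horizon":
                continue                      # never send a route back where it came from
            if mode == "poison_reverse":
                adv[dest] = INFINITY          # send it back, but poisoned
                continue
        adv[dest] = metric
    return adv


def simulate(mode="none", max_rounds=50):
    """Run update rounds until no table changes; report rounds and the peak finite metric."""
    tables = initial_tables()
    peak = max(m for t in tables.values() for m, _ in t.values() if m < INFINITY)
    rounds = 0
    for _ in range(max_rounds):
        # every advertisement is built from the tables as they were at the start of the round
        messages = [(r, n, advertisement(tables[r], n, mode))
                    for r in tables for n in NEIGHBORS[r]]
        changed = False
        for sender, receiver, adv in messages:
            for dest, adv_metric in adv.items():
                new_metric = min(adv_metric + 1, INFINITY)
                cur_metric, cur_hop = tables[receiver].get(dest, (INFINITY, None))
                if cur_hop == sender or new_metric < cur_metric:
                    new_hop = sender if new_metric < INFINITY else None
                    if (new_metric, new_hop) != (cur_metric, cur_hop):
                        tables[receiver][dest] = (new_metric, new_hop)
                        changed = True
                        if new_metric < INFINITY:
                            peak = max(peak, new_metric)
        if not changed:
            break
        rounds += 1
    return {"rounds": rounds, "peak_metric": peak, "tables": tables}


if __name__ == "__main__":
    for mode in ("none", "split_horizon", "poison_reverse"):
        r = simulate(mode)
        print(f"{mode:15s} rounds until converged: {r['rounds']:2d}, "
              f"highest hop count advertised: {r['peak_metric']}")
```

Without loop prevention the hop count bounces between B and its neighbours, growing by one each time, until it reaches 16; that takes 15 rounds here. With split horizon or poison reverse no router ever re-learns network 4 from a neighbour that learned it from them, so the network converges on “unreachable” after two rounds.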
RIP Timers
RIP uses several timers to regulate its operation. These timers
are described below:
Update timer: how often the router sends updates. The default
update timer is 30 seconds.
Invalid timer (also called Expire timer): how much time may pass
since the last valid update before a route becomes invalid and is
placed into holddown. The default invalid timer is 180 seconds.
Holddown timer: if RIP receives an update with a hop count
higher (poorer) than the hop count recorded in the routing table,
RIP does not “believe” that update. The default holddown timer is
180 seconds.
Flush timer: how much time may pass since the last valid update
until RIP deletes that route from its routing table. The default flush
timer is 240 seconds.
Configuring RIP
Router(config)#router rip                   Enter router RIP configuration mode.
Router(config-router)#network <address>     Identify the networks that will participate in the
                                            routing protocol. Notice that you identify networks,
                                            not interfaces.
NOTE: You need to advertise only the classful network
number, not a subnet:
Router(config-router)#network 172.16.0.0   not   Router(config-router)#network 172.16.10.0
If you advertise a subnet, you will not receive an error message,
because the router will automatically convert the subnet to the
classful network address.
Key points:
• RIP uses hop counts to calculate optimal routes (a hop is a router).
• RIP routing is limited to 15 hops to any location (16 hops indicates
  the network is unreachable).
• RIP uses split horizon with poison reverse to prevent the
  count-to-infinity problem.
• RIP uses only classful routing (but RIPv2 is classless and supports
  VLSM), so it uses full address classes, not subnets.
• RIP broadcasts updates to the entire network.
• RIP can maintain up to six multiple paths to each network, but only
  if the cost is the same.
• RIP supports load balancing over same-cost paths.
• The update interval default is 30 seconds, the invalid timer default
  is 180 seconds, the holddown timer default is 180 seconds, and the
  flush timer default is 240 seconds.
passive-interface
This command prevents RIP update broadcasts from being sent
out a defined interface, but that same interface
can still receive RIP updates.
You may not want your RIP network advertised everywhere on
your LAN and WAN. For instance, there is no advantage to
advertising your RIP network to the Internet. There are a few
different ways to stop unwanted RIP updates from propagating
across your LANs and WANs. The easiest way to do this is
through the passive-interface command.
For example:
RouterA(config-router)#passive-interface serial 0
The above command will stop RIP updates from being
propagated out serial interface 0, but serial interface 0 can still
receive RIP updates.
RIPv2
As mentioned earlier, RIPv2 is a classless routing protocol, so subnet
masks are included in the routing updates, making RIPv2 more
compatible with modern routing environments. The other
characteristic of RIPv2 is manual route summarization. The
configuration is almost the same as for RIPv1, except that we add one
extra command in router configuration mode to run RIP version 2 on
Cisco routers:
Router(config-router)#version 2
Interior Gateway Routing Protocol (IGRP)
Interior Gateway Routing Protocol (IGRP) is a Cisco
proprietary distance-vector routing protocol. This means that all
your routers must be Cisco routers to use IGRP in your network.
Cisco created this routing protocol to overcome the problems
associated with RIP.
Features
• Maximum hop count of 255, with a default of 100.
• Uses a different metric from RIP.
• Uses the bandwidth and delay of the line by default as the metric
  for determining the best route to an internetwork.
• Reliability, load, and Maximum Transmission Unit (MTU)
  can also be used, although they are not used by default.
• The default update timer is 90 seconds for sending update
  messages to other IGRP routers.
• The holddown timer is 10 seconds.

Configuring IGRP Routing
The command used to configure IGRP is the same as the one
used to configure RIP routing, with one important difference:
you use an autonomous system (AS) number.
• All routers within an autonomous system must use the
  same AS number, or they will not exchange
  routing information.
• The AS number can be any number from 1 to 65535. A
  router can be a member of as many ASs as you need it to be.
• IGRP uses classful routing, which means that subnet mask
  information is not sent with the routing protocol updates.
We will run IGRP on all Cisco routers. The internetwork
diagram, along with the interfaces’ IP addresses, is shown in the
topology and tables. All the basic configuration of IP addresses on
the interfaces has already been done.
ON RA
RouterA#conf ter
RouterA(config)#router igrp 10
RouterA(config-router)#network 1.0.0.0
RouterA(config-router)#network 2.0.0.0
RouterA(config-router)#^Z

ON RB
RouterB#conf ter
RouterB(config)#router igrp 10
RouterB(config-router)#network 2.0.0.0
RouterB(config-router)#network 3.0.0.0
RouterB(config-router)#^Z

ON RC
RouterC#conf ter
RouterC(config)#router igrp 10
RouterC(config-router)#network 3.0.0.0
RouterC(config-router)#network 4.0.0.0
RouterC(config-router)#^Z
Verification
RouterA#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M –
[output cut]
U - per-user static route, o - ODR
Gateway of last resort is not set
I 3.0.0.0 [100/160350] via 2.0.0.2, 00:00:49, E0
C 1.0.0.0 is directly connected, E0
C 2.0.0.0 is directly connected, E1
Do the same check on Router B and Router C.
EIGRP Routing Protocol
In the past, Enhanced Interior Gateway Routing Protocol
(EIGRP) was a Cisco-proprietary routing protocol, but in
March 2013 Cisco opened up EIGRP as an open standard in order
to help companies operate in a multi-vendor environment.
EIGRP is a classless routing protocol, meaning that it sends the
subnet mask of its interfaces in routing updates, which use a
complex metric based on bandwidth and delay.
• EIGRP is referred to as a hybrid routing protocol because
  it has the characteristics of both distance-vector and link-
  state protocols, but now Cisco refers to it as an advanced
  distance vector protocol.
• Notice: the term “hybrid” is misleading because EIGRP is
  not a hybrid between distance vector and link-state routing
  protocols. It is a distance vector routing protocol with
  enhanced features.
• EIGRP is a powerful routing protocol and it really
  stands out from its ancestor IGRP. The main features are
  listed below:
• Supports VLSM and discontiguous networks.
• Uses the Reliable Transport Protocol (RTP) for delivery and
  reception of EIGRP packets.
• Uses the Diffusing Update Algorithm (DUAL) for best path
  selection, guaranteeing loop-free paths and backup paths
  throughout the routing domain.
• Discovers neighboring devices using periodic Hello messages and
  monitors connection status with its neighbors.
• Exchanges the full routing table at startup and sends partial*
  triggered updates thereafter (not full updates like
  distance-vector protocols), and the triggered updates are
  only sent to routers that need the information.
• This behavior is different from link-state protocols, in
  which an update will be sent to all the link-state routers
  within that area.
• For example, EIGRP will send updates when a new link
  comes up or a link becomes unavailable.
• Supports multiple protocols: EIGRP can exchange routes
  for IPv4, IPv6, AppleTalk and IPX/SPX networks.
• Load balancing: EIGRP supports unequal metric load
  balancing, which allows administrators to better distribute
  traffic flow in their networks.
* Notice: The term “partial” means that the update only includes
information about the route changes.
EIGRP uses metrics composed of bandwidth, delay, reliability,
and load. By default, EIGRP uses only bandwidth and delay.
EIGRP uses five types of packets to communicate:
Hello: used to identify neighbors. They are sent as periodic
multicasts.
Update: used to advertise routes, only sent as multicasts when
something has changed.
Ack: acknowledges receipt of an update. In fact, an Ack is a Hello
packet without data. It is always unicast and uses UDP.
Query: used to find alternate paths when all paths to a
destination have failed.
Reply: sent in response to query packets to instruct the
originator not to recompute the route because feasible successors
exist. Reply packets are always unicast to the originator of the
query.
EIGRP sends every Query and Reply message using RTP, so
every message is acknowledged using an EIGRP ACK message.
EIGRP Route Discovery
Suppose that our network has 2 routers and they are configured
to use EIGRP. Let’s see what will happen when they are turned
on.
Firstly, the router will try to establish a neighbor relationship
by sending “Hello” packets to others running EIGRP. The
destination IP address is 224.0.0.10, which is the multicast
address of EIGRP. In this way, other routers running EIGRP
will receive and process these multicast packets. These packets
are sent over TCP.

After hearing “Hello” from R1, R2 will respond with another
“Hello” packet.

R2 will also send its routing table to R1 in “Update” packets.
Remember that R2 will send its complete routing table the
first time.

R1 confirms that it has received the Update packet with an “ACK”
message.
R1 will also send all of its routing table to R2 the first time, and
R2 sends a message saying it has received R1’s routing table.
Now both R1 & R2 have learned all the paths of the neighbor and
the network is converged. But there are some things you
should know:
• After the network has converged, “Hello” messages will still be
  sent to indicate that the neighbor is still alive.
• When something in the network changes, routers will only send
  partial updates to routers which need that information.
• Hellos are sent as periodic multicasts and are not
  acknowledged directly.
• The first hellos are used to build a list of neighbors;
  thereafter, hellos indicate that the neighbor is still alive.
• To become a neighbor, the following conditions must be
  met:
  1. The router must hear a Hello packet from a neighbor.
  2. The EIGRP autonomous system must be the same.
  3. K-values must be the same.
EIGRP builds and maintains three tables:
1. Neighbor table: lists directly connected routers running
   EIGRP with which this router has an adjacency.
2. Topology table: lists all routes learned from each EIGRP
   neighbor.
3. Routing table: lists all best routes from the EIGRP topology
   table and other routing processes.
Configuring EIGRP
Router(config)#router eigrp 1                 Syntax: router eigrp <AS number>
                                              Turn on the EIGRP process.
                                              1 is the Autonomous System (AS) number. It can be
                                              from 1 to 65535.
                                              All routers in the same network must use the same
                                              AS number.
Router(config-router)#network 192.168.1.0     The router will turn on the EIGRP 1 process on all
                                              the interfaces belonging to the 192.168.1.0/24
                                              network.

Feasible Distance (FD) and Advertised Distance (AD)
In the next part, we will define these terms and take an example
to make them clear.
1. Advertised distance (AD): the cost from the neighbor to the
destination.
2. Feasible distance (FD): the sum of the AD plus the cost
between the local router and the next-hop router (FD = AD + cost
between local router and next-hop router).
3. Successor: the primary route used to reach a destination. The
successor route is kept in the routing table. Notice that the
successor is the best route to that destination.
4. Feasible successor: the backup route. To be a feasible
successor, the route must have an AD less than the FD of the
current successor route, i.e. AD(route) < FD(successor).
These terms may be a bit confusing, so below is an
example to make them clear.
Suppose you are in NEVADA and want to go to IOWA. From
NEVADA you need to find the best path (smallest cost) to
IOWA.
In this topology, suppose routers A & B are exchanging their
routing tables for the first time. Router B says “Hey, the best
metric (cost) from me to IOWA is 50 and the metric from you to
IOWA is 90” and advertises it to router A. Router A considers
the first metric (50) as the Advertised distance. The second
metric (90), which is from NEVADA to IOWA (through
IDAHO), is called the Feasible distance.
NEVADA also receives the cost of the path NEVADA ->
OKLAHOMA -> IOWA advertised by router C, with an
Advertised distance of 70 and a Feasible distance of 130.
All of these routes are placed in the topology table of router A:
Route                          Advertised distance   Feasible distance
NEVADA -> IDAHO -> IOWA        50                    90
NEVADA -> OKLAHOMA -> IOWA     70                    130
Router A will select the route to IOWA via IDAHO as it has the
lowest Feasible distance and put it into the routing table.
The last thing we need to consider is whether the route NEVADA ->
OKLAHOMA -> IOWA will be considered as a feasible
successor. To achieve this, it must satisfy the feasibility
condition:
Note: “To qualify as a feasible successor, a router must have
an AD < FD of the current successor route”
Maybe you will ask “why do we need this feasibility condition?”
Well, the answer is that it guarantees a loop-free path to the
destination; in other words, the path must not loop back through
the current successor.
If the route via the successor becomes invalid (because of a
topology change) or if a neighbor changes the metric, DUAL
checks for feasible successors to the destination route. If one is
found, DUAL uses it, avoiding the need to recompute the route,
as the re-computation can be processor-intensive. If no suitable
feasible successor exists, a re-computation must occur to
determine the new successor.
EIGRP calls these alternative, immediately usable, loop-free
routes feasible successor routes, because they can feasibly be
used as a new successor route when the current successor route
fails. The next-hop router of such a route is called the feasible
successor.
In this case, the route NEVADA -> OKLAHOMA -> IOWA has
an AD (70) less than the FD of the successor route (90), so it
becomes the feasible successor route.
Of course, in some cases the feasibility condition will wrongly
drop loop-free paths. For example, if the metric between
OKLAHOMA and IOWA is greater than 90 then the route
NEVADA -> OKLAHOMA -> IOWA will not be considered as
a feasible successor route although it is loop-free. But this
condition is necessary because it guarantees that the feasible
successor routes are loop-free.
Notice that the feasible successors are placed in the topology
table, not in the routing table.
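The successor and feasible-successor selection described above, written as a small Python function; this is an added example, not part of the original text. The topology table entries are the NEVADA -> IOWA values from the example (next hop, AD, FD). The second table, where the OKLAHOMA -> IOWA metric has been raised so that its AD becomes 95, is constructed to show the case where the feasibility condition drops the backup even though the path is loop-free.

```python
"""DUAL successor / feasible-successor selection for one destination.

Added example, not from the original text. Each candidate is a tuple
(next_hop, advertised_distance, feasible_distance) as it would sit in the
EIGRP topology table. IOWA_TABLE holds the NEVADA -> IOWA values from the
text; IOWA_TABLE_NO_BACKUP is a constructed variant that fails the check.
"""


def select_routes(candidates):
    """Return (successor, feasible_successors, rejected) for one destination.

    successor: the candidate with the lowest FD (installed in the routing table).
    feasible successors: every other candidate whose AD is strictly less than
    the successor's FD (the feasibility condition); kept in the topology table.
    rejected: candidates that fail the condition; even if loop-free they are
    not usable as backups without a DUAL recomputation.
    """
    if not candidates:
        raise ValueError("no paths to destination")
    successor = min(candidates, key=lambda c: c[2])
    successor_fd = successor[2]
    feasible, rejected = [], []
    for cand in candidates:
        if cand is successor:
            continue
        (feasible if cand[1] < successor_fd else rejected).append(cand)
    return successor, feasible, rejected


def route_on_successor_loss(candidates):
    """What DUAL does when the successor disappears: switch to the best
    feasible successor immediately if one exists, otherwise a recomputation
    (query to the neighbours) is needed."""
    _, feasible, _ = select_routes(candidates)
    if feasible:
        return ("feasible_successor", min(feasible, key=lambda c: c[2]))
    return ("recompute", None)


# Topology table of router A (NEVADA) for the IOWA network, from the text
IOWA_TABLE = [
    ("IDAHO", 50, 90),       # successor: lowest FD
    ("OKLAHOMA", 70, 130),   # AD 70 < 90 -> feasible successor
]

# Constructed variant: OKLAHOMA -> IOWA link metric raised so the AD becomes 95
IOWA_TABLE_NO_BACKUP = [
    ("IDAHO", 50, 90),
    ("OKLAHOMA", 95, 155),   # AD 95 >= 90 -> fails the feasibility condition
]

if __name__ == "__main__":
    for table in (IOWA_TABLE, IOWA_TABLE_NO_BACKUP):
        s, fs, rej = select_routes(table)
        print("successor:", s, "| feasible successors:", fs, "| rejected:", rej)
        print("on successor loss:", route_on_successor_loss(table))
```

In the first table the OKLAHOMA path is kept as a feasible successor and takes over the moment the IDAHO path fails; in the second table the same path is dropped by the condition, and losing the successor forces a recomputation.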
Now router A has 3 complete tables as follows (we only
consider the route to the IOWA network).

First, we build the EIGRP network topology in GNS3/Packet
Tracer; the configuration is almost the same as we did for RIP.
Diagram EIGRP
This lab consists of 5 routers and we need to configure EIGRP
among them. It is done when we can successfully ping among
R2, R3, R4 & R5 and the routing tables of these routers show
that they are running EIGRP (with the letter “D”).
IOS used in this tutorial: c2600-bin-mz.123-6f.bin (with a
minimum of 64 MB RAM), but you can use another IOS.
First, the IP addresses of the routers:
R1:
Interface   IP address
s0/0        192.168.30.12/28
s0/1        192.168.30.18/28
s0/2        192.168.30.35/28
f0/0        192.168.60.10/28
R2:
s0/0        192.168.30.13/28
R3:
f0/0        192.168.60.13/28
R4:
s0/0        192.168.30.20/28
R5:
s0/0        192.168.30.40/28
Some important points about EIGRP:
• All routers must use the same Autonomous System (AS)
  number to recognize each other. In this case the chosen AS
  is 100.
• The major networks in this lab are 192.168.30.0 &
  192.168.60.0, so there will be discontiguous networks ->
  we need to use the “no auto-summary” command.
Now let’s begin the lab!
Step 1 – Configuring IP addresses on the routers
On R1:
R1#config t
R1(config)#int s0/0
R1(config-if)#ip address 192.168.30.12 255.255.255.240
R1(config-if)#no shut
R1(config-if)#int s0/1
R1(config-if)#ip address 192.168.30.18 255.255.255.240
R1(config-if)#no shut
R1(config-if)#int s0/2
R1(config-if)#ip address 192.168.30.35 255.255.255.240
R1(config-if)#no shut
R1(config-if)#int f0/0
R1(config-if)#ip address 192.168.60.10 255.255.255.240
R1(config-if)#no shut
On R2:
R2#config t
R2(config)#int s0/0
R2(config-if)#ip address 192.168.30.13 255.255.255.240
R2(config-if)#no shut
On R3:
R3#config t
R3(config)#int f0/0
R3(config-if)#ip address 192.168.60.13 255.255.255.240
R3(config-if)#no shut
On R4:
R4#config t
R4(config)#int s0/0
R4(config-if)#ip address 192.168.30.20 255.255.255.240
R4(config-if)#no shut
On R5:
R5#config t
R5(config)#int s0/0
R5(config-if)#ip address 192.168.30.40 255.255.255.240
R5(config-if)#no shut
Now all the interfaces are up. We should check the interfaces on
R1 to confirm this with the “show ip int brief” command.
Notice that both the “Status” and “Protocol” of the connected
interfaces are up.
We can see all the neighbors of R1 with the “show cdp
neighbors” command on R1:

At this time, we can ping between two directly connected
interfaces. For example, a ping from s0/0 of R1 to s0/0 of R2
(192.168.30.13) will be successful.

But a ping between two far-away interfaces is not successful. For
example, a ping from R2 to s0/0 of R4 (192.168.30.20) will be
unsuccessful.
If we use “show ip route” on these routers we will only see
directly connected links.
Step 2 – Enable EIGRP on all the routers
On R1
R1(config)#router eigrp 100
R1(config-router)#network 192.168.30.0
R1(config-router)#network 192.168.60.0
R1(config-router)#no auto-summary
On R2
R2(config)#router eigrp 100
R2(config-router)#network 192.168.30.0
R2(config-router)#no auto-summary
On R3
R3(config)#router eigrp 100
R3(config-router)#network 192.168.60.0
R3(config-router)#no auto-summary
On R4
R4(config)#router eigrp 100
R4(config-router)#network 192.168.30.0
R4(config-router)#no auto-summary
On R5
R5(config)#router eigrp 100
R5(config-router)#network 192.168.30.0
R5(config-router)#no auto-summary
After typing the above commands, we will see that the neighbor
adjacencies on these routers are up. For example, on R1 we will
see:

Now the EIGRP process is up and we can ping from anywhere.
For example, a ping from R2 to s0/0 of R4 (192.168.30.20) will
be successful now.

By checking the routing tables of R2, R3, R4 & R5 we can
confirm that EIGRP has been implemented successfully. For
example, using the “show ip route” command on R5 we see:

Notice that the routes to 192.168.30.16 & 192.168.60.0 are
marked with the letter “D”, meaning they were learned via EIGRP.
Maybe you are wondering “why is the letter “D” used for
EIGRP, not “E”?” Well, the answer is that the letter “E” has been
“stolen” for EGP – an external routing protocol – but it is not
popular nowadays :)
We can check the neighbor relationships on these routers with
the “show ip eigrp neighbors” command. Below is an example
from R1:

To see the topology tables of these routers, use the “show ip eigrp
topology” command. Below is the output from R4:

The letter “P” in the left margin of each route entry stands for
“Passive”. Passive state indicates that the route is in silent mode,
implying that the route is known to be good and that no
activities are taking place with respect to the route. Each entry also
shows two numbers, for example “2172416/28160” in the first
entry: 2172416 is the FD (the metric of this route to the
destination) and 28160 is the AD.
Q: How do we calculate the EIGRP metric?
EIGRP Metric Calculation
The “show ip protocols” command is used to see the EIGRP metric
weight values K1, K2, K3, K4 and K5, as shown in the picture below
as an example.

Note: By default, K1 = K3 = 1 and K2 = K4 = K5 = 0, which means
that the default values use only the bandwidth (BW) & delay
parameters while the others are ignored. The metric formula is then
reduced as follows.
So, let’s look at the metric calculation:
EIGRP Metric = 256*((K1*BW) + (K2*BW)/(256-Load) + (K3*Delay) + (K5/(Reliability + K4)))
K1 part: 1*BW = BW
K2 part: (0*BW)/(256-Load) = 0/anything = 0
K3 part: 1*Delay = Delay
K4 & K5 part: 0/(Reliability+0) = 0/anything = 0
Metric = 256*(BW + 0 + Delay + 0)
Reduced formula for the EIGRP Metric value = 256*(BW + Delay)
Example
We will discuss the three tables of the EIGRP protocol, the neighbor
table, topology table and routing table, in the example below.

Neighbor Table
Check the neighbor table of Router0 with the “show ip eigrp
neighbors” command.
Let’s analyze these columns:
• H: lists the neighbors in the order they were learned by this router.
• Address: the IP address of the neighbor.
• Interface: the interface of the local router on which this
  Hello packet was received.
• Hold (sec): the amount of time left before the neighbor is
  considered to be in “down” status.
• Uptime: amount of time since the adjacency was
  established.
• SRTT (Smooth Round Trip Timer): the average time in
  milliseconds between the transmission of a packet to a
  neighbor and the receipt of an acknowledgement.
• RTO (Retransmission Timeout): if a multicast has failed,
  then a unicast is sent to that particular router; the RTO is
  the time in milliseconds that the router waits for an
  acknowledgement of that unicast.
• Queue count (Q Cnt): shows the number of queued EIGRP
  packets. It is usually 0.
• Sequence Number (Seq Num): the sequence number of the
  last update EIGRP packet received. Each update message is
  given a sequence number, and the received ACK should
  have the same sequence number. The next update message
  to that neighbor will use Seq Num + 1.
In practice we only care about 4 columns: Address, Interface, Hold &
Uptime.

Notice that you can see the line “IP-EIGRP neighbors for process
100”. “Process 100” here means “AS 100”.
Topology Table
We will analyze the EIGRP topology with the “show ip eigrp
topology” command. The output of Router0 is shown below.

Each route shows the number of successors it has. For
example, the networks 192.168.2.0, 192.168.1.0, 192.168.3.0 &
192.168.4.0 have only 1 successor (and no feasible successor).
Only network 192.168.5.0 has 2 successors.
We notice that there are 2 numbers inside the brackets
(30720/28160). The first one is the metric from Router0 to the
destination, the second is the AD of this route, advertised by the
neighbor. For example, the third route entry has:

To change the K values, use the “metric weights tos k1 k2 k3 k4
k5” command in EIGRP router configuration mode.
EIGRP uses the slowest bandwidth of the outgoing
interfaces along the route to calculate the metric. In this case we
need to find out the bandwidth of Fa0/0 of Router0 & Fa0/1 of
Router1, as the destination network is 192.168.3.0/24.

Find the bandwidth
We can find the bandwidth of each interface with the “show
interfaces” command. Below is the output of “show interfaces fa0/0”
on Router0.

All the interfaces in this topology have a bandwidth of
100,000 Kbps, so we will get the same result on interface Fa0/1
of Router1 -> the slowest bandwidth here is 100,000 Kbps.
Now we can calculate the first portion of the formula:

Notice that if the result is not an integer, then the result will be
rounded down. For example, 10,000,000 divided by 1024 (the
speed of T1) equals 9765.625. The result will be rounded down
to 9765.
Find the delay
EIGRP also uses the delay of the outgoing interfaces, and it can
also be found with “show interfaces”; the delay lies next to
the bandwidth value (for example, DLY 100 usec). In this case,
the delay value of both Fa0/0 of Router0 & Fa0/1 of Router1 is
100 usec (microseconds), so the sum of delay is 100 + 100 = 200
usec. The second portion of the formula is:

Note: “usec” here means microsecond (which is 1/1000 of a
millisecond).
Get the metric
Now just sum up the two portions of the formula and multiply by
256 to get the result:

The result is 30720 and it matches the value shown in the
topology table for the route to 192.168.3.0/24.

Using the formula above, we can easily calculate the AD of that
route (with slowest bandwidth = 100,000 Kbps; sum of delay =
10):
AD = (100 + 10) * 256 = 28160
This metric matches the second parameter of the above
route.
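The calculation above, carried through in Python as an added example (not part of the original text). Bandwidth is in Kbps and delay in microseconds, as printed by “show interfaces”; the K values default to the ones shown by “show ip protocols”. Integer division is used so the rounding-down rule described above applies at each step. The last check assumes that the serial links in the earlier five-router lab had Cisco’s default serial interface values of 1544 Kbps and 20000 usec; under that assumption the formula reproduces the 2172416 FD seen in the R4 topology table.

```python
"""EIGRP composite metric, worked as code.

Added example, not from the original text. Bandwidth is in Kbps, delay in
microseconds, as read from "show interfaces". With the default K values the
result reduces to 256 * (10^7 / slowest_bandwidth + sum_of_delay / 10), with
integer division (rounding down) at each step, which is how the 30720 and
28160 above arise.
"""

DEFAULT_K = (1, 0, 1, 0, 0)          # K1..K5 as shown by "show ip protocols"


def scaled_bandwidth(bandwidths_kbps):
    """10^7 divided by the slowest link on the path, rounded down."""
    return 10_000_000 // min(bandwidths_kbps)


def scaled_delay(delays_usec):
    """Sum of interface delays in tens of microseconds, rounded down."""
    return sum(delays_usec) // 10


def eigrp_metric(bandwidths_kbps, delays_usec, k=DEFAULT_K, load=1, reliability=255):
    """Composite metric for a path.

    k: (K1, K2, K3, K4, K5). load is 1..255 (1 = idle), reliability 1..255
    (255 = fully reliable). When K5 is zero the reliability term is left out,
    as in Cisco's documented formula; with the defaults only the page's reduced
    formula 256 * (BW + delay) remains.
    """
    k1, k2, k3, k4, k5 = k
    bw = scaled_bandwidth(bandwidths_kbps)
    delay = scaled_delay(delays_usec)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = (metric * k5) // (reliability + k4)
    return 256 * metric


def topology_entry(local_bw_kbps, local_delay_usec, neighbor_bws, neighbor_delays):
    """(FD, AD) pair as printed in "show ip eigrp topology": the AD is the
    neighbour's own metric to the destination, the FD adds the link towards
    that neighbour."""
    ad = eigrp_metric(neighbor_bws, neighbor_delays)
    fd = eigrp_metric([local_bw_kbps, *neighbor_bws], [local_delay_usec, *neighbor_delays])
    return fd, ad


if __name__ == "__main__":
    # Router0 Fa0/0 and Router1 Fa0/1 towards 192.168.3.0/24: 100,000 Kbps, 100 usec each
    print(topology_entry(100_000, 100, [100_000], [100]))   # (30720, 28160)
    # Assumed default serial values (1544 Kbps, 20000 usec) in front of a FastEthernet hop
    print(eigrp_metric([1544, 100_000], [20_000, 100]))     # 2172416
```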
Note: The output of the “show ip eigrp topology” command shows
only feasible successors, while the output of “show ip eigrp
topology all-links” shows all neighbors, whether feasible
successors or not.
EIGRP Routing table
The last table we will discuss is the routing table. This is the
most used table to check the operation of EIGRP. Here is the
output of the show ip route command on Router0:

The routing table has two parameters [90/30720]; the first
one is the administrative distance of EIGRP. EIGRP has a
default administrative distance of 90 for internal routes and it is
often the most preferred routing protocol because it has the
lowest administrative distance.
Administrative distance is the measure used by Cisco routers
to select the best path when there are two or more different
routes to the same destination from two different routing
protocols.
Below are the administrative distances of the most popular
routing protocols used nowadays. Notice that the smaller, the
better.

So, if a network is running two routing protocols at the same time,
for example EIGRP and OSPF, which routing protocol will the
router choose? Well, the answer is EIGRP, as it has a lower
Administrative Distance than OSPF (90 < 110).
The second parameter, as you can guess, is the metric of that
route, as we discussed above.
“no auto-summary” with EIGRP
One of the features of EIGRP is “support for VLSM and
discontiguous networks”. Discontiguous networks are networks
that have subnets of a major network separated by a different
major network. Below is an example of discontiguous networks
where subnets 10.10.1.0/24 and 10.10.2.0/24 are separated by a
2.0.0.0/8 network.

Now let’s see what will happen when we turn on EIGRP on both
of the routers. To turn on EIGRP you will use these commands:
R1(config)#router eigrp 1
R1(config-router)#network 2.0.0.0
R1(config-router)#network 10.10.1.0 (or network 10.0.0.0)
R2(config)#router eigrp 1
R2(config-router)#network 2.0.0.0
R2(config-router)#network 10.10.2.0 (or network 10.0.0.0)
You can try to use the more specific “network 10.10.1.0” instead
of “network 10.0.0.0”, hoping that EIGRP will understand it is a
sub-network. But if we check the configuration with the “show
running-config” command we will notice that EIGRP has auto-
summarized our network.
R1#show running-config

-> Network 10.10.1.0 has been summarized to network 10.0.0.0
because the router knows that the 10.x.x.x network belongs to class A.
The same thing happens for R2. Now we should check the
routing table of R1 with the “show ip route” command.
R1#show ip route

From the output above we learn that R1 only knows about the
directly connected 10.10.1.0/24 network but it doesn’t have any
information about the far-away 10.10.2.0/24 network, and a ping
to 10.10.2.1 cannot be successful (but notice that we can ping
that directly connected network, 10.10.1.2, for example).
So, we can conclude that if a router receives the same route as
the one it is advertising, then it will not learn that route. In the
above example, the “collision” occurs because both of the
routers summarize into network 10.0.0.0/8 and advertise it to
the other router. The neighboring router realizes that it is also
advertising this network, so it drops this network information.
Now if we use the “no auto-summary” command on both routers
then the problem will surely be solved, but first let’s try to use
that command only on the R1 router.
R1(config)#router eigrp 1
R1(config-router)#no auto-summary
R1#show ip route

-> Nothing changes!

R2#show ip route

-> R2 has just learned about the new “10.10.1.0/24” network
which is advertised from R1, so R2 can ping this network.

In conclusion, when we enable “no auto-summary” on R1,
R1 will advertise its networks with their subnet masks so R2 can
learn them correctly.
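The auto-summary behaviour explained above, modelled in Python as an added example that is not part of the original text. The two routers, their connected networks and the shared 2.0.0.0/8 link are the ones from the figure. The model covers only what each router advertises when a connected network crosses a major-network boundary and which received prefixes it refuses because it generates the same summary itself; it is not a full EIGRP exchange.

```python
"""Classful auto-summary at a major-network boundary, modelled in Python.

Added example, not from the original text. It reproduces the discontiguous
network case above: R1 holds 10.10.1.0/24, R2 holds 10.10.2.0/24, and they
share the 2.0.0.0/8 link. With auto-summary both advertise 10.0.0.0/8 and
each discards the other's summary because it generates that same summary
itself; with "no auto-summary" the exact /24 is advertised instead.
"""
import ipaddress


def classful_network(prefix):
    """Major (class A/B/C) network that contains an IPv4 prefix, as a string."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        length = 8          # class A
    elif first_octet < 192:
        length = 16         # class B
    elif first_octet < 224:
        length = 24         # class C
    else:
        raise ValueError(f"{prefix} is not a class A/B/C address")
    return str(ipaddress.ip_network(f"{net.network_address}/{length}", strict=False))


class Router:
    def __init__(self, name, connected, auto_summary=True):
        self.name = name
        self.connected = [str(ipaddress.ip_network(c, strict=False)) for c in connected]
        self.auto_summary = auto_summary      # EIGRP default: auto-summary on

    def summaries(self, link):
        """Summary routes this router itself generates when sending over 'link'."""
        if not self.auto_summary:
            return set()
        return {classful_network(c) for c in self.connected
                if c != link and classful_network(c) != classful_network(link)}

    def advertise(self, link):
        """Prefixes sent out of the interface on 'link' (the link itself is not
        advertised back onto itself)."""
        out = set()
        for c in self.connected:
            if c == link:
                continue
            summary = classful_network(c)
            if self.auto_summary and summary != classful_network(link):
                out.add(summary)      # crosses a major-network boundary: summarize
            else:
                out.add(c)            # same major network or auto-summary off: exact prefix
        return out

    def learn(self, link, received):
        """Prefixes installed from a neighbour's advertisement over 'link':
        anything this router already owns or summarizes itself is dropped."""
        own = set(self.connected) | self.summaries(link)
        return {p for p in received if p not in own}


def exchange(r1, r2, link):
    """What each side learns from the other across a shared link."""
    link = str(ipaddress.ip_network(link, strict=False))
    return {r1.name: r1.learn(link, r2.advertise(link)),
            r2.name: r2.learn(link, r1.advertise(link))}


if __name__ == "__main__":
    R1 = Router("R1", ["10.10.1.0/24", "2.0.0.0/8"])
    R2 = Router("R2", ["10.10.2.0/24", "2.0.0.0/8"])
    print("both auto-summary:    ", exchange(R1, R2, "2.0.0.0/8"))
    R1.auto_summary = False
    print("no auto-summary on R1:", exchange(R1, R2, "2.0.0.0/8"))
```

With auto-summary on both sides neither router learns anything about the other’s 10.10.x.0/24 subnet, which is the “collision” described above; once R1 stops summarizing, R2 receives and installs 10.10.1.0/24.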
Open Shortest Path First (OSPF)
Open Shortest Path First (OSPF) is an open standard routing
protocol that’s been implemented by a wide variety of network
vendors, including Cisco. It is a public (non-
proprietary) routing protocol, while its biggest rival, EIGRP, is a
Cisco proprietary protocol so other vendors can’t use it (edit:
EIGRP has become a public routing protocol since 2013).
OSPF is a complex link-state routing protocol. Link-state
routing protocols generate routing updates only when a change
occurs in the network topology. When a change in a network link
occurs, the device that identifies the change builds a link-state
advertisement (LSA) concerning that link and sends it to all
neighboring devices using the special multicast address 224.0.0.5.
We will discuss LSAs in detail later on. Each device in the
domain will receive the changes, update its link-state database
(LSDB), and forward the LSA to all neighboring devices.
OSPF is supposed to be designed in a hierarchical fashion,
which basically means that you can separate the larger
internetwork into smaller internetworks called areas. This is the
best design for OSPF.
The reasons for creating OSPF in a hierarchical design include:
• It consists of areas (segments) and autonomous systems (AS).
• To decrease routing overhead.
• To speed up convergence.
• To confine network instability to single areas of the
  network.
• This does not make configuring OSPF easier, but more
  elaborate and difficult.
Key Points:
• OSPF allows for better load balancing.
• Has unlimited hop count.
• Updates of OSPF are triggered and incremental.
• Allows multi-vendor deployment (open standard).
• OSPF routers use LSAs (Link State Advertisements) to
  describe their link state. The LSDB stores all LSAs.
• A router uses a Router LSA to describe its interface IP
  addresses.
• Minimizes routing update traffic.
• Allows scalability.
• After OSPF is started on a router, it creates an LSDB that
  contains one entry: this router’s Router LSA.
• Is a public (non-proprietary) routing protocol.
• Is the only link-state routing protocol.
• Works by using the Dijkstra algorithm.
• OSPF uses multicasting within areas.
• Administrative distance value is 110.
• After the initialization of OSPF routing, it only
  sends updates on routing table sections when
  changes occur; it does not send the entire routing table.
• Information about its neighbors (local connectivity) is sent
  to the entire network using multicasting.
• Routing information is shared through Link-state updates
  (LSAs).
• HELLO messages are used to maintain adjacent neighbors.
  By default, OSPF routers send Hello packets every 10
  seconds on multiaccess and point-to-point segments and
  every 30 seconds on non-broadcast multiaccess (NBMA)
  segments (like Frame Relay, X.25, ATM).
• Is a classless routing protocol because it does not assume
  the default subnet masks are used. It sends the subnet mask
  in the routing update.
• Supports VLSM/CIDR and manual route summarization
  (route summarization is used by OSPF for reducing routing
  table size).
• Uses COST as a metric, which Cisco defines as the
  inverse of the bandwidth:
  cost = 100,000,000 / bandwidth in bps, i.e. 10^8 / bandwidth
  (the reference bandwidth is 10^8 bps); the lower the bandwidth,
  the higher the cost.
• Uses AREAs to subdivide large networks, providing a
  hierarchical structure and limiting the multicast LSAs to
  routers of the same area. Area 0 is called the backbone
  area and all other areas connect directly to it. All OSPF
  networks must have a backbone area.
• Only supports IP, but that’s not bad as we are all using IP,
  right? :)
• Area Border Routers (ABR) are any routers that have one
  interface in one area and another interface in another area.
• Wildcard masks are commonly used with OSPF routers
  to specify the network size or subnet; they are also used for
  ACLs, especially on Cisco routers.
OSPF Diagram
There are five routers in the OSPF network. Router A has two interfaces, both in area 0. Routers B and C each have two interfaces: one interface of each router is in area 0 and the other is in area 1. Router D has one interface, which is in area 1. Router E has one interface, which is in area 2.
Example 2
For example, when R1 wants to find out whether it has any neighbor running OSPF, it sends a Hello message to the multicast address 224.0.0.5. This is the multicast address for all OSPF routers, and all routers running OSPF will process this message.

Configuration of OSPF Protocol
OSPF basic configuration is very simple. As with the other routing protocols covered so far (RIP, EIGRP), first you need to enable OSPF on a router. This is done with the router ospf PROCESS-ID global configuration command. Next, you need to define on which interfaces OSPF will run and which networks will be advertised. This is done with the network IP_ADDRESS WILDCARD_MASK area AREA_ID command in OSPF configuration mode.
SUMMARY STEPS
1. enable
2. configure terminal
3. router ospf process-id
4. network ip-address wildcard-mask area area-id
5. end
NOTE – the OSPF process number doesn't have to be the same on all routers in order to establish a neighbor relationship, but the Area ID has to be the same on all neighboring routers in order for the routers to become neighbors.
Let's get started with the basic OSPF configuration.
First, we need to enable OSPF on both routers. Then we need to define which network will be advertised into OSPF. This can be done with the following sequence of commands on both routers:
The network commands entered on both routers include the subnets directly connected to both routers. We can verify that the routers have become neighbors by typing the show ip ospf neighbor command on either router:
To verify that the routing updates were exchanged, we can use the show ip route command. All routes marked with the character "O" are OSPF routes. For example, here is the output of the command on R1:
You can see that R1 has learned about the network 192.168.0.0/24 through OSPF.
Configuring OSPF 2
Although basic OSPF configuration can be very simple, OSPF provides many extra features that can get really complex. In this example, we will configure a multiarea OSPF network and some other OSPF features.
Consider the following multiarea OSPF network.
In this example we have two OSPF areas, area 0 and area 1. As you can see from the network topology depicted above, routers R1 and R3 are in area 0 and area 1, respectively. Router R2 connects to both areas, which makes it an ABR (Area Border Router). Our goal is to advertise the subnets directly connected to R1 and R3. To do that, the following configuration on R1 will be used:
NOTE – we have used the router-id 1.1.1.1 command to manually specify the router ID of this router. The OSPF process will use that RID (router-id) when communicating with other OSPF neighbors.
Because R1 connects only to R2, we only need to establish a neighbor relationship with R2 and advertise the directly connected subnet into OSPF.
The configuration of R3 looks similar, but with one difference, namely the area number. R3 is in area 1.
What about R2? Well, because R2 is an ABR, we need to establish a neighbor relationship with both R1 and R3. To do that, we need to specify a different area ID for each neighbor relationship: 0 for R1 and 1 for R3. We can do that using the following sequence of commands:
Now R2 should have a neighbor relationship with both R1 and R3. We can verify that by using the show ip ospf neighbor command:
To verify that the directly connected subnets are really advertised into the other area, we can use the show ip route ospf command on both R1 and R3:
The characters O IA in front of the routes indicate that these routes reside in different areas.
NOTE – since they reside in different areas, R1 and R3 will never establish a neighbor relationship.
If an OSPF router receives an OSPF Hello packet that satisfies all of its requirements, it will establish an adjacency with the router that sent the Hello packet. In this example, if R1 meets R2's requirements, meaning it has the same Hello interval, Dead interval and AREA number, R2 will add R1 to its neighbor table.
• Hello interval: indicates how often the router sends Hello packets. By default, OSPF routers send Hello packets every 10 seconds on multiaccess and point-to-point segments and every 30 seconds on non-broadcast multiaccess (NBMA) segments (like Frame Relay, X.25, ATM).
• Dead interval: the number of seconds this router should wait between receiving Hello packets from a neighbor before declaring the adjacency to that neighbor down.
• AREA number: the area the interface belongs to.
Now R1 and R2 are neighbors, but they don't exchange LSAs immediately. Instead, they send Database Description (DD or DBD) packets, which contain an abbreviated list of the sending router's link-state database.
The neighbors also determine who will be the master and who will be the slave. The router with the higher router-id becomes master and initiates the database exchange. The receiver acknowledges a received DD packet by sending an identical DD packet back to the sender. Each DD packet has a sequence number, and only the master can increment sequence numbers.
R1 or R2 can send a Link-State Request to get any missing LSA from its neighbor.
R2 sends back an LSAck packet to acknowledge the packet.
OSPF does not use TCP for transmissions; it runs directly over IP (protocol number 89) and provides its own reliability with the LSAck packets.

Shortest Path First Algorithm
OSPF uses a shortest path first algorithm in order to build and calculate the shortest path to all known destinations. The shortest path is calculated with the use of the Dijkstra algorithm. The algorithm by itself is quite complicated. This is a very high-level, simplified way of looking at the various steps of the algorithm:
1. Upon initialization or due to any change in routing information, a router generates a link-state advertisement. This advertisement represents the collection of all link-states on that router.
2. All routers exchange link-states by means of flooding. Each router that receives a link-state update stores a copy in its link-state database and then propagates the update to other routers.
3. After the database of each router is completed, the router calculates a Shortest Path Tree to all destinations. The router uses the Dijkstra algorithm in order to calculate the shortest path tree. The destinations, the associated cost and the next hop to reach those destinations form the IP routing table.
4. In case no changes in the OSPF network occur, such as the cost of a link or a network being added or deleted, OSPF should be very quiet. Any changes that occur are communicated through link-state packets, and the Dijkstra algorithm is rerun in order to find the shortest path.
The algorithm places each router at the root of a tree and calculates the shortest path to each destination based on the cumulative cost required to reach that destination. Each router will have its own view of the topology even though all the routers will build a shortest path tree using the same link-state database.
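As an added example (not part of this textbook), the following Python script computes Cisco-style interface costs from bandwidth, as in the cost formula given under the key points, and then runs Dijkstra from one router over a small constructed topology to produce the (destination, cost, next hop) entries the routing table is built from. The router names, link bandwidths and the 10^8 bps reference bandwidth default are assumptions made for the illustration.

```python
# Added example (not from the textbook): OSPF interface cost and an SPF run.
# Topology, bandwidths and router names below are constructed for illustration.
import heapq
from typing import Dict, List, Optional, Tuple

REFERENCE_BANDWIDTH_BPS = 100_000_000  # 10^8 bps, the Cisco default reference bandwidth


def ospf_cost(bandwidth_bps: int, reference_bps: int = REFERENCE_BANDWIDTH_BPS) -> int:
    """Cost = reference bandwidth / interface bandwidth, truncated to an integer
    and never below 1. With the default reference, every link of 100 Mbps or
    faster gets cost 1, so Gigabit and FastEthernet become indistinguishable
    unless the reference bandwidth is raised on all routers."""
    return max(1, reference_bps // bandwidth_bps)


# Constructed link-state database: (router, neighbor, bandwidth in bps).
# Links are treated as symmetric here; real Router LSAs describe each direction.
LINKS: List[Tuple[str, str, int]] = [
    ("R1", "R2", 100_000_000),  # FastEthernet   -> cost 1
    ("R1", "R3", 1_544_000),    # T1 serial      -> cost 64
    ("R2", "R3", 10_000_000),   # Ethernet       -> cost 10
    ("R3", "R4", 1_544_000),    # T1 serial      -> cost 64
    ("R2", "R4", 64_000),       # 64 kbps serial -> cost 1562
]


def build_graph(links: List[Tuple[str, str, int]]) -> Dict[str, Dict[str, int]]:
    """Turn the LSDB into an adjacency map {router: {neighbor: cost}}."""
    graph: Dict[str, Dict[str, int]] = {}
    for a, b, bandwidth in links:
        cost = ospf_cost(bandwidth)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph: Dict[str, Dict[str, int]], root: str) -> Dict[str, Tuple[int, str]]:
    """Dijkstra with the calling router at the root of the tree.
    Returns {destination: (cumulative cost, next hop)}, which is what the
    routing table is built from. Equal-cost paths keep the first one found."""
    best: Dict[str, int] = {root: 0}
    settled: Dict[str, Tuple[int, Optional[str]]] = {}
    # heap entries: (cost so far, node, first hop on the path from root)
    heap: List[Tuple[int, str, Optional[str]]] = [(0, root, None)]
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in settled:
            continue  # a cheaper path settled this node earlier
        settled[node] = (cost, first_hop)
        for neighbor, link_cost in graph[node].items():
            candidate = cost + link_cost
            if neighbor not in settled and candidate < best.get(neighbor, float("inf")):
                best[neighbor] = candidate
                hop = neighbor if node == root else first_hop
                heapq.heappush(heap, (candidate, neighbor, hop))
    settled.pop(root)
    return {dst: (cost, hop) for dst, (cost, hop) in settled.items() if hop is not None}


if __name__ == "__main__":
    for dst, (cost, hop) in sorted(spf(build_graph(LINKS), "R1").items()):
        print(f"R1 -> {dst}: cost {cost} via {hop}")
```

Raising the reference bandwidth consistently on all routers is what keeps 100 Mbps and 10 Gbps links distinguishable; ospf_cost() shows the floor of 1 that otherwise hides the difference. Note that from R1 the T1 link to R3 is never used: going through R2 costs 11 instead of 64.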
Wild Card Mask (WCM)
The wildcard mask is derived by subtracting each octet of the subnet mask from 255. To get a wildcard mask for a given range of IP addresses, we take the first IP address and subtract it from the ending IP address. It is important to note that the WCM for a single IP address is zero (0.0.0.0).
Example:
Starting IP address: 192.168.10.0
Ending IP address: 192.168.10.255
11000000.10101000.00001010.00000000
11000000.10101000.00001010.11111111
-------------------------------------------------------
00000000.00000000.00000000.11111111
-------------------------------------------------------
0.0.0.255
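As an added example (not part of the textbook), the following Python code performs the wildcard arithmetic above in both forms (from a subnet mask and from a start/end range), checks whether an address is covered by a base/wildcard pair the way the network command and ACLs match, and builds the network ... area ... statement described in the configuration section. The function names and sample addresses are constructed for this illustration.

```python
# Added example (not from the textbook): wildcard-mask arithmetic and the
# matching rule behind the OSPF "network" command and ACLs.
import ipaddress
from typing import List, Tuple


def wildcard_from_mask(subnet_mask: str) -> str:
    """Subtract each octet of the subnet mask from 255."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def wildcard_from_range(start: str, end: str) -> str:
    """Textbook method: end address minus start address. This only yields a
    usable wildcard when the range is an aligned block (a power-of-two size
    starting on a multiple of that size), so the function checks that first."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    size = last - first + 1
    if size <= 0 or size & (size - 1) or first % size:
        raise ValueError(f"{start}-{end} is not an aligned block; no single wildcard describes it")
    return str(ipaddress.IPv4Address(last - first))


def matches(address: str, base: str, wildcard: str) -> bool:
    """Cisco matching rule: wildcard bit 0 = must match, bit 1 = don't care.
    The OSPF network command enables OSPF on every interface whose address
    matches; an ACL entry matches packets the same way."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def network_statement(interface_prefix: str, area: int) -> str:
    """Build the 'network ... area ...' line for the subnet of an interface,
    given the interface address with its prefix length (e.g. 10.0.1.5/24)."""
    net = ipaddress.IPv4Interface(interface_prefix).network
    return f"network {net.network_address} {net.hostmask} area {area}"


def interfaces_enabled(statements: List[Tuple[str, str]], interfaces: List[str]) -> List[str]:
    """Which interface addresses a list of (base, wildcard) network statements
    would place into OSPF. Overly wide wildcards are a common way to enable
    OSPF, and therefore Hellos, on interfaces that were never meant to run it."""
    return [ip for ip in interfaces if any(matches(ip, base, wc) for base, wc in statements)]
```

The range form raises an error for ranges that are not aligned blocks, since no single wildcard mask can describe them. interfaces_enabled() is worth running against a planned configuration: a wildcard such as 0.255.255.255 starts OSPF on every interface in 10.0.0.0/8, including any that face segments where no neighbor is expected.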

Drawbacks
• OSPF consumes processor resources to a large extent.
• More memory is used by OSPF to maintain the multiple copies of routing information, as compared to other routing protocols.
• Whenever a link state changes, OSPF has to inform the other routers, every time.
The following are important OSPF terms to familiarize yourself with before you proceed:
Link: A link is a network or router interface assigned to any given network. When an interface is added to the OSPF process, it's considered by OSPF to be a link. This link, or interface, will have state information associated with it (up or down) as well as one or more IP addresses.
Router ID: The Router ID (RID) is an IP address used to identify the router. If there is no loopback address configured as a virtual address, then the highest IP address among the physical interfaces of the router is used as its Router ID; otherwise the highest loopback address is used. The RID is locally significant and is chosen once per OSPF process: every OSPF process needs its own identification.
Election criteria for the ROUTER ID, in short:
1) Highest configured IP address of a logical (loopback) interface.
2) Highest configured IP address of a physical interface.
3) Hard-coded Router ID.
(A hard-coded router-id, when configured, takes precedence over the interface-derived choices.)
Example Configuration:
RouterA(config)#router ospf 1
RouterA(config-router)#router-id 1.0.0.1 (hard-coded router-id)
RouterA(config-router)#exit
Neighbors: Neighbors are two or more routers that have an interface on a common network, such as two routers connected on a point-to-point serial link.
Adjacency: An adjacency is a relationship between two OSPF routers that permits the direct exchange of route updates. OSPF is really picky about sharing routing information, unlike EIGRP, which directly shares routes with all of its neighbors. Instead, OSPF directly shares routes only with neighbors that have also established adjacencies. And not all neighbors will become adjacent; this depends upon both the type of network and the configuration of the routers.
Hello protocol: The OSPF Hello protocol provides dynamic neighbor discovery and maintains neighbor relationships. Hello packets and Link State Advertisements (LSAs) build and maintain the topological database. Hello packets are addressed to 224.0.0.5 and 224.0.0.6.

OSPF Tables
1. Neighborship Table: The neighborship database is a list of all OSPF routers for which Hello packets have been seen. A variety of details, including the Router ID and state, are maintained for each router in the neighborship database.
2. Topology/Database Table: The topology database contains information from all of the Link State Advertisement packets that have been received for an area. The router uses the information from the topology database as input into the Dijkstra algorithm, which computes the shortest path to every network.
3. Routing Table: Also known as the forwarding database, it is generated when the SPF algorithm is run on the topology database. The routing table for each router is unique. It also contains the list of exchanged LSDB entries.

There are five types of OSPF Link-State Packets (LSPs).
• Hello: used to establish and maintain adjacency with other OSPF routers. Hellos are also used to elect the Designated Router (DR) and Backup Designated Router (BDR) on multiaccess networks (like Ethernet or Frame Relay). We will discuss DR, BDR and DR-Others later on.
• Database Description (DBD or DD): contains an abbreviated list of the sending router's link-state database and is used by receiving routers to check against the local link-state database.
• Link-State Request (LSR): used by receiving routers to request more information about any entry in the DBD.
• Link-State Update (LSU): used to reply to LSRs as well as to announce new information. LSUs contain seven different types of Link-State Advertisements (LSAs).
• Link-State Acknowledgement (LSAck): sent to confirm receipt of an LSU message.
Types of Routers in the OSPF Process
1. Backbone Router (BR)
A router that has all of its interfaces in area zero (area 0). Area 0 is called the backbone area and all other areas connect directly to it. All OSPF networks must have a backbone area 0. In this area 0, a backbone router passes routing information to all other routers.
2. Internal Router (IR): a router with all of its interfaces in one particular area.
3. Area Border Router (ABR)
A router that has interfaces in area 0 as well as in another area (area 1, area 2, etc.). It connects one or more other areas to the backbone area 0. It keeps multiple copies of the link-state database in memory, one per attached area, to know which router is connected to which area. An ABR is always a backbone router too.
4. Autonomous System Border Router (ASBR)
A router that connects to more than one autonomous system and exchanges routing information with the routers of the other AS. Simply put, the router which connects two or more different routing domains (e.g. OSPF and RIP) is called an Autonomous System Border Router (ASBR).
OSPF uses the concept of areas. An area is a logical grouping of contiguous networks and routers. All routers in the same area have the same topology table, but they don't know about routers in the other areas. The main benefits of creating areas are that the size of the topology table and the routing table on a router is reduced, less time is required to run the SPF (Shortest Path First) algorithm, and routing updates are also reduced.
NOTE – in OSPF, manual route summarization is possible only on ABRs and ASBRs.
To better understand the concept of areas, consider the following example.
All routers are running OSPF. Routers R1 and R2 are inside the backbone area (area 0). Router R3 is an ABR, because it has interfaces in two areas, namely area 0 and area 1. Routers R4 and R5 are in area 1, whereas router R6 is an ASBR, because it connects the OSPF network to another routing system or domain (an EIGRP domain in this case). If one of R1's directly connected links goes down, R1 will send the routing updates only to R2 and R3, because all routing updates are kept locally inside area 0. R3 will then advertise summary addresses to its neighboring areas; here routers R5 and R6 are in area 1.
NOTE – the role of an ABR is to advertise address summaries to neighboring areas. The role of an ASBR is to connect an OSPF routing domain to another external network (e.g. the Internet, an EIGRP network…).
LSA, LSU and LSR
The LSAs (Link-State Advertisements) are the basic means of communication for OSPF routers to exchange topology information. Each LSA contains routing and topology information describing a part of an OSPF network. When two neighbors decide to exchange routes, they send each other a list of all LSAs in their respective topology databases. Each router then checks its topology database and sends a Link State Request (LSR) message requesting all LSAs not found in its topology table. The other router responds with a Link State Update (LSU) that contains all LSAs requested by its neighbor.
The concept is explained in the following example:
After configuring OSPF on both routers, the routers exchange LSAs to describe their respective topology databases. Router R1 sends an LSA header for its directly connected network 10.0.1.0/24. Router R2 checks its topology database and determines that it doesn't have information about that network. Router R2 then sends a Link State Request message requesting further information about that network. Router R1 responds with a Link State Update which contains information about subnet 10.0.1.0/24 (next hop address, cost…).
OSPF Neighbor State Reference:
The fact that routers are neighbors is not sufficient to guarantee
an exchange of link-state updates; they must form adjacencies to
exchange link-state updates. Adjacency is an advanced form of
neighborship formed by routers that are willing to exchange
routing information after negotiating parameters of such an
exchange. Routers reach a FULL state of adjacency when they
have synchronized views on a link-state database.
Interface type plays a major role in how the adjacencies are
formed. For example, neighbors on point-to-point links always
try to become adjacent, while routers attached to broadcast
media such as Ethernet can choose to become adjacent only with
a subset of neighboring routers on the interface.
Once a router decides to form an adjacency with a neighbor, it
starts by exchanging a full copy of its link-state database. The
neighbor, in turn, exchanges a full copy of its link-state database
with the router. After passing through several neighbor states,
the routers become fully adjacent.
Neighbor states
• Down: no Hello has been exchanged between the routers.
• Attempt: the router has sent its own Hello, but has not received one from the neighboring router (this state exists on NBMA networks only).
• Init: the router sees Hello packets from the neighbor, but two-way communication has not been established, for example because neighbor properties mismatch or the neighbor's Hello does not list this router's RID.
• 2-Way: the neighbor relationship has been established. The 2-way state indicates that the router has seen its own Router ID in the Neighbor field of the neighbor's Hello packet. In this state the DR/BDR election begins, after the exchange of Router IDs (via Hello packets) between the routers using the multicast address 224.0.0.5.
• Exstart: "Who will begin the communication first?" The negotiation of the Database Description (DD) sequence starts between the routers and, as a result, a master/slave election takes place. OSPF neighbors that are in Exstart or Exchange state are trying to exchange DBD packets. The router and its neighbor form a master and slave relationship. The adjacency should continue past this state. If it does not, there is a problem with the DBD exchange, such as a maximum transmission unit (MTU) mismatch or the receipt of an unexpected DBD sequence number. The router with the higher Router ID becomes master and the neighbor with the lower Router ID becomes slave.
• Exchange: In this state, the router sends DD packets to the neighbor; the DD packets describe the whole link-state database. Every sequence number in a DD packet corresponds to routing table entries.
• Loading: the router sends Link State Requests (LSRs) to neighbors that are in Loading state. Link State Updates (LSUs) with the requested information are exchanged between the router and its neighbor routers, followed by Link State Acknowledgements (LSAck). At this step, the database table is completed.
• Full: For best path calculation, SPF runs at this final stage. After this, full adjacency is complete and the neighbor's routing table is complete.
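The DBD/LSR/LSU exchange described above (master/slave negotiation by Router ID, Link State Requests for missing or stale LSAs, Link State Updates and acknowledgements) and the walk through the neighbor states, as an added Python example that is not part of the textbook. Router names, LSA identifiers, sequence numbers and the LSA contents are constructed; real DBD packets also carry a per-packet sequence number controlled by the master, which this model leaves out.

```python
# Added example (not from the textbook): two neighbors synchronising their
# link-state databases through the ExStart/Exchange/Loading states.
import ipaddress
from typing import Dict, List, Tuple

# An LSDB entry: lsa_id -> (sequence number, content). OSPF LSA sequence
# numbers start at 0x80000001 and a higher number is the newer instance.
Lsdb = Dict[str, Tuple[int, str]]


class Neighbor:
    def __init__(self, name: str, router_id: str, lsdb: Lsdb):
        self.name = name
        self.router_id = router_id
        self.lsdb: Lsdb = dict(lsdb)
        self.state = "DOWN"

    def dbd(self) -> Dict[str, int]:
        """Database Description: only LSA headers (id and sequence), no bodies."""
        return {lsa_id: seq for lsa_id, (seq, _) in self.lsdb.items()}

    def lsr(self, neighbor_dbd: Dict[str, int]) -> List[str]:
        """Link-State Request: every LSA the neighbor lists that we either do not
        have at all or hold an older instance of."""
        return sorted(lsa_id for lsa_id, seq in neighbor_dbd.items()
                      if lsa_id not in self.lsdb or self.lsdb[lsa_id][0] < seq)

    def lsu(self, requested: List[str]) -> Lsdb:
        """Link-State Update answering an LSR with the full LSAs."""
        return {lsa_id: self.lsdb[lsa_id] for lsa_id in requested}

    def install(self, update: Lsdb) -> List[str]:
        """Install received LSAs and return the LSAck (the ids acknowledged)."""
        self.lsdb.update(update)
        return sorted(update)


def synchronize(r1: Neighbor, r2: Neighbor) -> List[str]:
    """Drive two neighbors from 2-WAY to FULL and return a trace of the exchange."""
    trace: List[str] = []
    r1.state = r2.state = "2WAY"
    # ExStart: the higher Router ID becomes master and controls DBD sequencing
    master, slave = sorted((r1, r2), key=lambda r: ipaddress.IPv4Address(r.router_id), reverse=True)
    r1.state = r2.state = "EXSTART"
    trace.append(f"ExStart: {master.name} is master, {slave.name} is slave")
    # Exchange: DBD packets in both directions; each side notes what it lacks
    r1.state = r2.state = "EXCHANGE"
    wanted_by_slave = slave.lsr(master.dbd())
    wanted_by_master = master.lsr(slave.dbd())
    # Loading: LSRs are answered with LSUs and acknowledged with LSAcks
    r1.state = r2.state = "LOADING"
    for requester, responder, wanted in ((slave, master, wanted_by_slave),
                                         (master, slave, wanted_by_master)):
        if wanted:
            trace.append(f"{requester.name} -> {responder.name} LSR {wanted}")
            acked = requester.install(responder.lsu(wanted))
            trace.append(f"{responder.name} -> {requester.name} LSU {wanted}; {requester.name} LSAck {acked}")
    # Full: both databases are now identical and SPF can run on either router
    r1.state = r2.state = "FULL"
    return trace


# Constructed starting point: R2 still holds an older instance of R1's Router LSA.
R1 = Neighbor("R1", "1.1.1.1", {"router-1.1.1.1": (0x80000002, "links 10.0.1.0/24, 10.0.12.0/24")})
R2 = Neighbor("R2", "2.2.2.2", {"router-2.2.2.2": (0x80000001, "links 10.0.2.0/24, 10.0.12.0/24"),
                                 "router-1.1.1.1": (0x80000001, "stale instance")})

if __name__ == "__main__":
    for line in synchronize(R1, R2):
        print(line)
```

The comparison in lsr() is what makes the protocol self-healing: a stale instance is requested just like a missing one, so after FULL both routers hold the same, newest copy of every LSA.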
Reasons for Neighbor Adjacency Problems
• OSPF is not configured on one of the routers.
• OSPF is not enabled on an interface where it is needed.
• OSPF HELLO or Dead timer interval values are mismatched.
• ip ospf network-type mismatch on the adjoining interfaces.
• MTU mismatch between neighboring interfaces.
• OSPF area-type is stub on one neighbor, but the adjoining neighbor in the same area is not configured for stub.
• OSPF neighbors have duplicate Router IDs.
• OSPF is configured on the secondary network of the neighbor, but not on the primary network. This is an illegal configuration which prevents OSPF from being enabled on the interface.
• OSPF HELLOs are not processed due to a lack of resources, such as high CPU utilization or not enough memory.
• An underlying lower-layer problem prevents OSPF HELLOs from being received.

Commands for diagnosing problems are:
1. sh ip ospf neighbor
2. sh ip ospf
3. sh ip ospf interface
4. sh ip ospf database
5. sh ip route (to check the routing table)

DR/BDR and DR-Others Election
In a multi-access segment (Ethernet LAN etc.), a DR/BDR election takes place to elect which router is the Designated Router (DR), which is the Backup Designated Router (BDR) and which are DR-Others. Each non-DR, non-BDR router exchanges routing information only with the DR and BDR, instead of exchanging updates with every router on the network segment. The DR then distributes topology information to every other router inside the same area. This greatly reduces OSPF traffic.
To send routing information to a DR or BDR, the multicast address 224.0.0.6 is used. The DR sends routing updates to the multicast address 224.0.0.5. If the DR fails, the BDR takes over its role of redistributing routing information.
Every router on a network segment establishes a full neighbor relationship with the DR and BDR. Non-DR and non-BDR routers establish only a two-way neighbor relationship between themselves.
The priority plays an important role in this election; by default Cisco routers have the same priority number, "1". The router with the higher priority becomes DR, and the other routers with comparatively lower priorities become BDR and DR-Others. If routers have the same priority, the Router ID is the tie breaker: the router with the highest Router ID becomes DR, and the same election criteria are applied to the other neighboring routers for electing the BDR and DR-Others.
Of course we can change which router becomes the DR/BDR by playing with the priority. Let's say we want to make R1 the DR by raising its priority:
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ospf priority 200
• A priority of 0 means the router will never be elected as DR or BDR.
• You need to use R1# clear ip ospf process before this change takes effect.
Verification command: R1#show ip ospf neighbor
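Router ID selection (the election criteria listed under the OSPF terms) and the priority-then-Router-ID election on a multi-access segment, as an added Python example that is not part of the textbook. Router names, addresses and priorities are constructed; the model assumes all routers come up together, so it does not show the non-preemptive behaviour of a live segment, which is exactly why the textbook's clear ip ospf process step is needed before a priority change takes effect.

```python
# Added example (not from the textbook): Router ID selection and a DR/BDR
# election on one multi-access segment. Routers and addresses are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Router:
    name: str
    physical: List[str]                      # addresses of up physical interfaces
    loopbacks: List[str] = field(default_factory=list)
    configured_rid: Optional[str] = None     # set with the router-id command
    priority: int = 1                        # ip ospf priority, Cisco default 1


def elect_router_id(router: Router) -> str:
    """Precedence: router-id command, then highest loopback address, then
    highest physical interface address."""
    if router.configured_rid:
        return router.configured_rid
    pool = router.loopbacks or router.physical
    if not pool:
        raise ValueError(f"{router.name}: no IPv4 address available for a router ID")
    return str(max(ipaddress.IPv4Address(a) for a in pool))


def elect_dr_bdr(segment: List[Router]) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Highest priority wins, ties broken by the highest Router ID. Priority 0
    means the router never becomes DR or BDR. Returns (DR, BDR, DROTHERs).
    Assumes a simultaneous start: no router already holds the DR role."""
    def rank(r: Router):
        return (r.priority, ipaddress.IPv4Address(elect_router_id(r)))

    eligible = sorted((r for r in segment if r.priority > 0), key=rank, reverse=True)
    dr = eligible[0].name if eligible else None
    bdr = eligible[1].name if len(eligible) > 1 else None
    others = [r.name for r in segment if r.name not in (dr, bdr)]
    return dr, bdr, others


# Constructed segment: R1 and R2 have loopbacks, R3 has the highest priority,
# R4 is configured with priority 0 (never DR/BDR).
SEGMENT = [
    Router("R1", physical=["10.0.0.1"], loopbacks=["1.1.1.1"]),
    Router("R2", physical=["10.0.0.2"], loopbacks=["2.2.2.2"]),
    Router("R3", physical=["10.0.0.3"], priority=200),
    Router("R4", physical=["10.0.0.4"], priority=0),
]

if __name__ == "__main__":
    print(elect_dr_bdr(SEGMENT))  # ('R3', 'R2', ['R1', 'R4'])
```

Note that a loopback wins over a physical address even when it is numerically lower (1.0.0.1 beats 192.168.1.1), which is why hard-coding the router-id is the predictable choice: duplicate or accidental Router IDs show up later as the adjacency problem listed above.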
Note: no DR, BDR and DR-Other election takes place on point-to-point interface connections (serial links).
OSPF Network Types
There are four network types in OSPF.
1. Broadcast Network
This specifies an OSPF broadcast multi-access network. Broadcast (multi-access) networks such as Ethernet allow multiple devices to connect to (or access) the same network, as well as provide a broadcast ability in which a single packet is delivered to all nodes on the network. In OSPF, a DR and a BDR must be elected for each broadcast multi-access network.
2. Non-Broadcast
Non-Broadcast Multi-Access (NBMA) networks are types such as Frame Relay, X.25, and Asynchronous Transfer Mode (ATM). These networks allow for multi-access, but have no broadcast ability like Ethernet. So, NBMA networks require special OSPF configuration to function properly, and neighbor relationships must be defined.
3. Point-to-Multipoint
Point-to-multipoint refers to a type of network topology consisting of a series of connections between a single interface on one router and multiple destination routers. All of the interfaces on all of the routers sharing the point-to-multipoint connection belong to the same network. No DR/BDR election takes place.
4. Point-to-Point
Point-to-point refers to a type of network topology consisting of a direct connection between two routers that provides a single communication path. The point-to-point connection can be physical, as in a serial cable directly connecting two routers, or it can be logical, as in two routers that are thousands of miles apart yet connected by a circuit in a Frame Relay network. No DR/BDR election takes place.
OSPF Peering Issues
1) mismatch area
2) mismatch subnet
3) mismatch area type
4) mismatch timers
5) mismatch authentication
6) same router id
7) mismatch mtu
8) mismatch area stub type
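A troubleshooting check that compares two neighboring interfaces against the Hello requirements listed earlier (timers, area, area type, subnet, authentication, Router ID) and the DBD-stage MTU check, and reports the neighbor state the adjacency would be stuck in; it covers the peering issues listed above and most of the reasons in the adjacency-problem list. This is an added Python example, not part of the textbook; the OspfInterface fields and the sample interfaces are constructed.

```python
# Added example (not from the textbook): compare two neighboring OSPF interfaces
# and predict the neighbor state the pair will be stuck in.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class OspfInterface:
    router_id: str
    address: str                      # address/prefix on the interface, e.g. "10.0.12.1/24"
    area: int
    area_type: str = "standard"       # standard | stub | nssa
    network_type: str = "broadcast"   # broadcast | non-broadcast | point-to-point | point-to-multipoint
    hello: int = 10
    dead: int = 40
    mtu: int = 1500
    auth: str = "none"                # none | simple | md5
    auth_key: str = ""


def check_adjacency(a: OspfInterface, b: OspfInterface) -> Tuple[str, List[str]]:
    """Return (expected neighbor state, list of problems).
    Hello-level mismatches mean the Hello is discarded, so no neighbor appears
    at all (DOWN). An MTU mismatch only surfaces once DBD packets are exchanged,
    which is why that neighbor sticks in EXSTART/EXCHANGE."""
    problems: List[str] = []
    if a.router_id == b.router_id:
        problems.append("duplicate Router ID")
    if a.area != b.area:
        problems.append(f"area mismatch ({a.area} vs {b.area})")
    if a.area_type != b.area_type:
        problems.append(f"area type mismatch ({a.area_type} vs {b.area_type})")
    if (a.hello, a.dead) != (b.hello, b.dead):
        problems.append(f"timer mismatch (hello/dead {a.hello}/{a.dead} vs {b.hello}/{b.dead})")
    if (a.auth, a.auth_key) != (b.auth, b.auth_key):
        problems.append("authentication mismatch (type or key)")
    # The network mask in the Hello is only checked on multi-access segments;
    # point-to-point links accept a neighbor on a different subnet.
    if "point-to-point" not in (a.network_type, b.network_type):
        net_a = ipaddress.ip_interface(a.address).network
        net_b = ipaddress.ip_interface(b.address).network
        if net_a != net_b:
            problems.append(f"subnet mismatch on a multi-access segment ({net_a} vs {net_b})")
    if problems:
        return "DOWN", problems
    if a.mtu != b.mtu:
        return "EXSTART", [f"MTU mismatch ({a.mtu} vs {b.mtu}); DBD exchange fails"]
    if a.network_type !=  b.network_type:
        return "FULL", [f"network type mismatch ({a.network_type} vs {b.network_type}); "
                        "adjacency forms but the learned routes are not installed"]
    return "FULL", []


# Constructed pair: R1 and R2 on a common Ethernet segment in area 0 with MD5.
R1_F0 = OspfInterface("1.1.1.1", "10.0.12.1/24", area=0, auth="md5", auth_key="K3y")
R2_F0 = OspfInterface("2.2.2.2", "10.0.12.2/24", area=0, auth="md5", auth_key="K3y")

if __name__ == "__main__":
    print(check_adjacency(R1_F0, R2_F0))  # ('FULL', [])
```

Authentication is compared by type and key here; on a real router a key mismatch looks exactly like a missing neighbor, which is why it belongs on the check list next to timers and area rather than being diagnosed last. The secondary-address case from the adjacency-problem list is not modelled.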
Link State Advertisements(LSA)
OSPF uses "Link State Advertisements" (LSAs) to provide
information about links and link-costs to neighboring OSPF
speakers and basically a means of communication in OSPF for
ipv4. OSPF defines multiple LSAs, which all serve a different
purpose.
LSA Type | Who Generates the LSA? | What is Accomplished?
Type 1 - Router LSA
  Who generates: every router in every area (e.g. the routers of A0 in A0, of A1 in A1, of A20 in A20).
  What is accomplished: how routers advertise their connected interfaces. Every router in the same area sends updates to each other.
Type 2 - Network LSA
  Who generates: DRs on all non-point-to-point (multi-access switched LAN, broadcast) networks.
  What is accomplished: the DR collects all the Type 1 LSAs and sends out a single Type 2 representing all of the routers on the link. This is used to build the Shortest Path Tree.
Type 3 - Network Summary LSA
  Who generates: Area Border Routers (ABRs).
  What is accomplished: ABRs send a single LSA representing all of the Type 1 and Type 2 LSAs in an area. This reduces the number of LSAs on the routers in other areas. The ABR sends this LSA3 summary from one area to the other areas in the OSPF network.
Type 4 - ASBR Summary LSA
  Who generates: ABRs connected to an area where external routes (Type 5) are originated.
  What is accomplished: Type 4 LSAs are sent to other areas to build the Shortest Path Tree to an ASBR. Generated by the ABR so that other routers know who the ASBR is.
Type 5 - AS External LSA
  Who generates: routers (ASBRs) with the redistribute command that are not in an NSSA area.
  What is accomplished: this represents any external routes redistributed into OSPF.
Type 7 - NSSA External LSA
  Who generates: routers with the redistribute command that are in an NSSA area.
  What is accomplished: Type 5 LSAs are not allowed in stub areas. Type 7 LSAs allow external information to pass through NSSA areas.

LSA1
• An internal router generates LSA1.
• One Router LSA (type 1) for every router in an area, including the list of directly attached links. Each link is identified by the IP prefix assigned to the link and the link type.
• LSA 1 floods within its area only; it does not cross the ABR.
• Identified by the router ID of the originating router.
• Shows as "O" in the routing table.
LSA2
• This LSA occurs in broadcast networks.
• One Network LSA (type 2) for each transit broadcast or multi-access network in an area.
• Advertised by the DR of the transit network (DR -> others).
• Floods within its area only; does not cross the ABR.
• Technically LSA 2 shows as "O" in the output of "sh ip route ospf".
LSA3
• Type 3 LSAs are used to flood network information to areas outside the originating area (inter-area), sending updates from one area to another area (O IA routes in the routing table output).
• Describes the network number and mask of a link.
• Contains the network ID and subnet mask.
• Regenerated by subsequent ABRs to flood throughout the AS (Autonomous System).
• By default routes are not summarized and there is one type 3 LSA for every subnet.
• Is listed with "O IA" in the routing table.
LSA4
• An ABR floods the information about the ASBR where the redistributed routes (LSA 5) are originated.
• The ABR sends this LSA information across all the subsequent routers of all areas.
• The ABR supplies the next-hop address to reach the ASBR so that routers can import the external routes of the ASBR.
• The ASBR summary link advertisement informs the rest of the OSPF domain how to get to the ASBR. The link-state ID includes the router ID of the described ASBR.
• This LSA tells other routers where the ASBR is.
• "O IA" represents LSA4 in the routing table.
LSA5
• External (type 5) LSAs are used to advertise networks from other ASes (such as EIGRP, RIP etc.).
• LSA 5s are advertised and owned by the originating ASBR.
• LSA 5 floods across the whole AS.
• The advertising router ID (ASBR) is unchanged throughout the autonomous system.
• A Type 4 LSA is needed to find the ASBR.
• By default routes are not summarized.
• LSA 5 routes are shown with O E1/O E2 in the routing table output.
LSA6 (MOSPF)
Multicast OSPF LSA: used in multicast routing; Cisco routers do not support it.
Multicast LSA6 is used in PIM, MPLS TE, MPLS BGP etc.
LSA7
• Is used in the special area type Not-So-Stubby Area (NSSA) for external routes from ASBRs.
• The NSSA does not receive information about external LSAs from the ABR, but sends information for redistribution.
• The ABR translates the external routes to LSA type 5 to propagate them throughout all the subsequent ABRs and the network.
LSA 8 & 9
• Used in OSPFv3 for link-local addresses and intra-area prefixes.
LSA 10, 11
Generic LSAs, also called opaque LSAs, which allow future extensions of OSPF.
Verification commands: R#sh ip route, R#sh ip ospf database, R#sh ip ospf database router

OSPF Special Area Types
The characteristics assigned to an area control the type of route information that it receives.
The possible area types are:
1. Standard Area
This default area accepts link updates, route summaries and external routes.
2. Backbone Area (Transit Area)
The backbone area is the central entity to which all other areas connect.
• The backbone area is labeled area 0.
• All other areas connect to this area to exchange and route information.
• The OSPF backbone includes all the properties of a standard OSPF area.
3. STUB AREA
• This area does not accept information about routes external to the autonomous system (AS), such as routes from non-OSPF sources.
• External LSAs are stopped.
• A default route is advertised into the stub area by the ABR.
• If routers need to route to networks outside the AS, they use a default route, noted as 0.0.0.0 (O*IA).
• A stub area cannot contain autonomous system boundary routers (ASBRs) (except that the area border routers [ABRs] may also be ASBRs).
• Its database contains only internal (intra-area) routes, inter-area routes and a default route.
• In the routing table output, routes are shown as "O", "O IA" and O*IA.
Using Stub Areas
• Configuring a stub area reduces the size of the LSDB inside an area, resulting in reduced memory requirements for routers in that area.
• External network LSAs (type 5), such as those redistributed from other routing protocols into OSPF, are not permitted to flood into a stub area.
• Routing from these areas to the outside is based on a default route (0.0.0.0). If a packet is addressed to a network that is not in the routing table of an internal router, the router automatically forwards the packet to the ABR that sends the 0.0.0.0 LSA.
• Forwarding the packet to the ABR allows routers within the stub to reduce the size of their routing tables, because a single default route replaces many external routes.
• A stub area is typically created when a hub-and-spoke topology is used, with the spoke being the stub area, such as a branch office.
• In this case the branch office does not need to know about every network at the headquarters site, because it can use a default route to reach those networks.

4. TOTALLY STUBBY AREA

 This area does not accept external AS routes or summary routes from other areas inside the AS.
 The totally stubby configuration prevents the ABR from sending summary LSAs into the area. Instead, the ABR advertises a default route.
 If a router inside the area needs to send a packet to a network outside the area, it uses the default route.
 Totally stubby areas cannot contain ASBRs (except that the ABRs may also be ASBRs).
 It is a Cisco-proprietary enhancement; the routing table of an internal router contains only routes for its own area (shown as O) and the default route (shown as O*IA).
 The totally stubby area technique further reduces the number of routes in the routing table.
 A totally stubby area is a stub area that additionally blocks the summary LSAs (type 3 and type 4, the inter-area routes) from entering the area, on top of the external type 5 LSAs that a stub area already blocks.
 A totally stubby area recognizes only intra-area routes and the default route 0.0.0.0.
 The ABRs inject the default summary LSA (0.0.0.0) into the totally stubby area.
 Each router picks the closest ABR as its gateway to everything outside the area.
 Totally stubby areas minimize routing information further than stub areas and increase the stability and scalability of OSPF internetworks.
 Using totally stubby areas is typically a better solution than using stub areas, as long as the ABR is a Cisco router.

In the example of a totally stubby area above, R2 is advertised with a lower cost to make it the preferred ABR. Router R3 requires the area 1 stub command, but the no-summary keyword is not required on it: only ABRs use no-summary, to keep summary LSAs from being propagated into the area. Remember that all routers in a stub or totally stubby area must be configured as stub; an OSPF adjacency will not form between a stub and a non-stub router, because the stub flag carried in the Hello packet options must match on both neighbors.
Characteristics of Stub and Totally Stubby Areas
 There is a single ABR, or, if there is more than one ABR, suboptimal routing paths to other areas or external autonomous systems are acceptable.
 All routers in the area are configured as stub routers.
 There is no ASBR in the area.
 The area is not area 0.
 No virtual links (a link to a backbone router from a router in another area) go through the area.
NOT-SO-STUBBY AREA (NSSA)
 This area type defines a special LSA, type 7. An NSSA offers benefits similar to those of a stub or totally stubby area.
 However, NSSAs allow ASBRs, which a stub area does not.
 An NSSA ASBR generates type 7 LSAs, and the NSSA ABR translates them into type 5 LSAs, which are propagated into the rest of the OSPF domain. Otherwise the NSSA keeps the stub area features: external type 5 LSAs originated by ASBRs in other areas are not flooded into it.
 A plain NSSA does not automatically receive a default route from the ABR; the ABR must be told to originate one (see the default-information-originate option below).
 Type 7 routes appear in the routing table as O N2 or O N1 (N means NSSA).
 N1 means that the metric is calculated like external type 1; N2 means that it is calculated like external type 2. The default is O N2.
 The database of an NSSA router contains internal routes, the redistributed routes and, optionally, a default route.
In the example above, router R1 is the ASBR that is redistributing RIP routes into area 1, the NSSA. Router R2 is the NSSA ABR. It converts the type 7 LSAs into type 5 for advertisement into the backbone, area 0. Router R2 is also configured to summarize the type 5 LSAs that originate from the RIP network: the 172.16.0.0 subnets are summarized to 172.16.0.0/16 and advertised into area 0. To make router R2 (the NSSA ABR) generate an O*N2 default route (O*N2 0.0.0.0/0) into the NSSA, use the default-information-originate option of the area area-id nssa command on router R2.
TOTALLY NSSA
Its database contains the routes of its own area, the redistributed routes and a default route. The NSSA totally stubby configuration is a Cisco-proprietary feature, like the totally stubby area feature.
The following is an example NSSA totally stubby configuration. The ABR (R2) uses the area 1 nssa no-summary command. This works exactly like the totally stubby technique: a single default route replaces both the inbound external (type 5) and the summary (type 3 and 4) LSAs into the area. Because no-summary is configured, the NSSA ABR (R2) automatically generates the O*N2 default route into the NSSA area, so the default-information-originate option is not required. All other routers in the NSSA require only the area 1 nssa command.
The table below differentiates between the OSPF area types by the LSAs they allow and block.

Area type          Allowed LSAs    Blocked LSAs   Command                                              Default route generated
1. Stub            1, 2, 3         4, 5           area X stub on every router in the area              O*IA 0.0.0.0 (automatic)
2. Totally stubby  1, 2            3, 4, 5        area X stub on every router, plus the no-summary     O*IA 0.0.0.0 (automatic)
                                                  keyword on the ABR only
3. NSSA            1, 2, 3, 7      4, 5           area X nssa on every router; type 7 LSAs are         O*N2 0.0.0.0/0 (only with
                                                  converted to type 5 at the NSSA ABR and can          default-information-originate
                                                  traverse the rest of the domain                      on the ABR)
4. NSSA totally    1, 2, 7         3, 4, 5        area X nssa on every router, plus no-summary on      O*N2 0.0.0.0/0 (automatic)
   stubby                                         the ABR; type 7 LSAs are converted to type 5 at
                                                  the NSSA ABR
Reference:
http://www.cisco.com/E-Learning/bulk/public/ccnp/QLM_Configuring_OSPF_Special_Area_Types_BSCI/player.html

CHAPTER : Virtual LANs (VLANs)

This chapter includes the following topics.
 Virtual LANs (VLANs)
 Types of Switch Ports
 VLAN Trunking: ISL and 802.1Q
 VLAN Trunking Protocol (VTP)
 Inter-VLAN Routing
 VLAN Configuration
 Inter-VLAN Routing Configuration
 VTP Troubleshooting
 Voice VLAN Configuration
VLAN
 A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch.
 By creating VLANs you create smaller broadcast domains within a switch, by assigning different ports of the switch to different subnetworks.
 Frames broadcast onto the network are only switched between ports in the same VLAN.
 You are no longer confined to creating workgroups by physical location. VLANs can be organized by location, function, department, or even the application or protocol used, regardless of where the resources or users are located.
 All devices in a VLAN are members of the same broadcast domain and receive all broadcasts sent in it.
 Routers, Layer 3 switches, or route switch modules (RSMs) must be used in conjunction with switches to provide connections between VLANs; these Layer 3 devices stop broadcasts from propagating through the entire internetwork.
 Any port can belong to a VLAN, and unicast, broadcast, and multicast frames are forwarded and flooded only to end stations in that VLAN.
 Each VLAN is a logical network. Packets destined for stations that do not belong to the VLAN must be forwarded through a router.
 VLANs allow you to break a switched environment into multiple broadcast domains.
 A VLAN = a broadcast domain = an IP subnet.
There are many benefits to using VLANs in an organization, some of which include the following:
 Increased performance: by reducing the size of the broadcast domain, network devices run more efficiently.
 Improved manageability: dividing the network into logical groups of users, applications, or servers lets you understand and manage the network better.
 Physical topology independence: VLANs let you group users regardless of their physical location in the campus network. If departments grow or relocate to a new area of the network, you simply change the VLAN on their new ports without making any physical changes.
 Increased security: a VLAN boundary marks the end of a logical subnet. To reach other subnets (VLANs), traffic must pass through a routed (Layer 3) device, and any time traffic passes through a router you have the opportunity to apply filtering (such as access lists) and other security measures. This separation is only as strong as the switch port configuration: every host port should be an access port in the intended VLAN, and only the trunk links between switches and routers should carry multiple VLANs.

Example
Let’s take an example to understand the benefits of VLAN.
Suppose you are working in a big company with many
departments, some of them are SALES and TECHNICAL
departments. You are tasked to separate these departments so
that each of them can only access specific resources in the
company.
This task is really easy, you think. To complete this task, you
just need to use different networks for these departments and use
access-list to allow/deny that network to a specific resource. For
example, you assign network 192.168.1.0/24 for SALES and
192.168.2.0/24 for TECH. At the “Company router” you apply
an access-list to filter traffic from these networks. Below is the
topology of your network without VLANs:

Everything looks good and you implement this design in your company. But after one month you receive many complaints from both your colleagues and your leaders.

 First, your department leaders need access to additional private resources which ordinary employees are not allowed to reach.
 Second, the company has just recruited some new SALES employees, but the SALES room is full, so they have to sit on the 1st floor (in the TECH area). They want to reach SALES resources, but they can only reach TECH resources because they are connected to the TECH switch.
To solve the first problem you might create a new, more privileged network for your leaders. But each leader sits on a different floor, so you would need to cable all of them back to one switch: what a mess!
The second problem is more difficult than the first one. You might have to create another network in the TECH area and apply the same policy as the SALES department to these hosts: another mess in management!
VLANs solve all these problems. A VLAN groups users according to their function rather than their physical location. This means you can use the same network for hosts on different floors (and of course they can communicate with each other).

In this design:
 you can logically create a new network with additional permissions for your leaders (the LEADER network) by adding another VLAN.
 employees can sit anywhere and still reach the resources of their department, provided that you allow them to.
 computers in the same department can communicate with each other although they are on different floors.
If these departments expand in the future you can still use the same network on any other floor. For example, if SALES needs 40 more employees, you can use the 4th floor for this expansion without changing the current network.
Wait a minute: maybe you noticed something strange in the design above. How can two computers connected to two different switches communicate? If one computer sends a broadcast, will it be flooded to other departments, since a switch doesn't break up broadcast domains?
The answer is "Yes, they can!", and it is the beauty of VLANs. Hosts in the same VLAN can communicate normally even when they are connected to two or more different switches. This makes management much simpler.
Layer 2 switches only break up collision domains, but VLANs can be used to break up broadcast domains. So if a computer in SALES broadcasts, only computers in SALES receive that frame.
So we don't need a router, right? The answer is "we still need a router" to let different VLANs communicate with each other. Without a router, the computers within each VLAN can communicate with each other but not with any computer in another VLAN. For example, we need a router to transfer a file from LEADER to TECH. This is called "inter-VLAN routing".
VLAN Trunking
VLANs are not a Cisco-only technology. Just about all managed switch vendors support VLANs. For VLANs to operate in a mixed-vendor environment, a common trunking or "tagging" language must exist between them. This language is IEEE 802.1Q. Vendors design their switches to recognize and understand the 802.1Q tag, which is what allows us to trunk between switches in any environment.
When you use VLANs in a network with multiple interconnected switches, you need VLAN trunking between the switches. With VLAN trunking, the switches tag each frame sent between switches so that the receiving switch knows which VLAN the frame belongs to. The tag carries a VLAN ID, a number that identifies the VLAN.

Notice that the tag is only added and removed by the switches when frames are sent out on trunk links. Hosts don't know about this tag, because it is added on the first switch and removed on the last switch. The picture below describes the process for a frame sent from PC A to PC B.
Note: a trunk link does not belong to a specific VLAN; it is a conduit for VLANs between switches and routers.
To allow inter-VLAN routing you also need to configure trunking on the link between the router and the switch.
Therefore, in our example we need to configure three links as "trunk".

Cisco switches support two different trunking protocols:
1. Inter-Switch Link (ISL)
Cisco created ISL before the IEEE standardized a trunking protocol. Because ISL is Cisco proprietary, it can be used only between two Cisco switches.
2. IEEE 802.1Q
802.1Q is what is normally used in practice. 802.1Q encapsulation has a concept called the native VLAN, created for backward compatibility with old devices that don't support VLANs. The native VLAN works as follows:
 A frame belonging to the native VLAN is not tagged when sent out on a trunk link.
 A frame received untagged on a trunk link is assigned to the native VLAN.
Because both ends of a trunk apply these rules independently, the native VLAN must be the same on both ends; otherwise untagged frames from one switch's native VLAN are delivered into a different VLAN on the other switch.

If a member of VLAN_GRAY sends a broadcast, it goes to all VLAN_GRAY ports on both switches. The same holds true for VLAN_WHITE. To accommodate this, the connection between the switches must carry traffic for multiple VLANs. This type of port is known as a trunk port.
Trunk ports are often called tagged ports, because the switches send frames to each other with a VLAN "tag" in place. The diagram above illustrates the following process:
1. HostA (in VLAN_GRAY) wants to send data to HostD (also in VLAN_GRAY). HostA transmits the frame to SwitchA.
2. SwitchA receives the frame and knows that HostD is reachable through port FastEthernet 0/24 (because HostD's MAC address has been learned on that port). Because FastEthernet 0/24 is configured as a trunk port, SwitchA inserts the VLAN_GRAY tag into the Ethernet header (between the source MAC address and the EtherType field, not into the IP header) and sends the frame to SwitchB.
3. SwitchB processes the VLAN_GRAY tag because its FastEthernet 0/24 port is configured as a trunk. Before sending the frame to HostD, it removes the VLAN_GRAY tag from the header.
4. The untagged frame is sent to HostD.
Example

So if an old switch doesn't support VLANs, it can still "understand" an untagged native-VLAN frame and keep forwarding it (without dropping it).
Every port belongs to at least one VLAN. If a switch receives untagged frames on a trunk port, they are assumed to be part of the native VLAN. By default, VLAN 1 is both the default VLAN and the native VLAN, but the native VLAN can be changed per trunk port by configuration.
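The tagging steps and the native-VLAN rule described above, as an added example that is not part of the original text: a small Python model of 802.1Q tag insertion and removal, and of how each end of a trunk classifies what it receives. The tag layout is the real one (TPID 0x8100, then a 16-bit TCI holding the 3-bit 802.1p priority, the DEI bit and the 12-bit VLAN ID); the TrunkPort class, its allowed-VLAN set and the sample MAC addresses are assumptions made for the example.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
VLAN_MIN, VLAN_MAX = 1, 4094


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame as a host sends it (FCS omitted)."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert the 4-byte 802.1Q tag between the source MAC and the EtherType.
    TCI = 3-bit PCP (802.1p CoS) | 1-bit DEI | 12-bit VID."""
    if not VLAN_MIN <= vid <= VLAN_MAX:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def priority_tag_frame(frame, pcp):
    """802.1p priority-only tag: VID 0 means 'no VLAN, just a priority'."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp & 0x7) << 13) + frame[12:]


def parse_frame(frame):
    """Return dst, src, the tag fields (or None), inner EtherType and payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "tag": None, "ethertype": ethertype, "payload": frame[14:]}
    tci, inner = struct.unpack("!HH", frame[14:18])
    tag = {"vid": tci & 0x0FFF, "pcp": tci >> 13, "dei": (tci >> 12) & 1}
    return {"dst": dst, "src": src, "tag": tag, "ethertype": inner, "payload": frame[18:]}


def untag_frame(frame):
    """Strip the tag before the frame goes out an access port to a host."""
    if parse_frame(frame)["tag"] is None:
        return frame
    return frame[:12] + frame[16:]


class TrunkPort:
    """Tagging behaviour of one end of an 802.1Q trunk (model, not IOS)."""

    def __init__(self, native_vlan=1, allowed=None):
        self.native_vlan = native_vlan
        # allowed = VLANs that may cross this trunk (pruned VLANs are absent)
        self.allowed = set(allowed) if allowed else set(range(VLAN_MIN, VLAN_MAX + 1))

    def send(self, frame, vlan):
        """Frame learned on an access port in `vlan`, going out the trunk.
        Native-VLAN frames leave untagged; everything else is tagged."""
        if vlan not in self.allowed:
            return None                         # not carried on this trunk
        if vlan == self.native_vlan:
            return frame
        return tag_frame(frame, vlan)

    def receive(self, frame):
        """Frame arriving on the trunk -> (vlan, frame ready for an access port),
        or None when the receiving switch drops it."""
        tag = parse_frame(frame)["tag"]
        if tag is None or tag["vid"] == 0:      # untagged, or priority-only tag
            return self.native_vlan, untag_frame(frame)
        if tag["vid"] not in self.allowed:
            return None
        return tag["vid"], untag_frame(frame)


def trunk_transit(frame, vlan, a, b):
    """A frame enters switch A in `vlan`, crosses the trunk A->B and is
    classified by switch B. Returns the VLAN B assigns, or None if dropped."""
    on_wire = a.send(frame, vlan)
    if on_wire is None:
        return None
    result = b.receive(on_wire)
    return None if result is None else result[0]


# Constructed sample: HostA -> HostD in VLAN_GRAY (VLAN 10), 20-byte dummy payload
HOST_A, HOST_D = "00:11:22:33:44:01", "00:11:22:33:44:04"
SAMPLE = build_frame(HOST_D, HOST_A, ETHERTYPE_IPV4, b"\x45\x00" + b"\x00" * 18)

if __name__ == "__main__":
    a, b = TrunkPort(native_vlan=1), TrunkPort(native_vlan=1)
    print("VLAN 10 frame classified by SwitchB as VLAN", trunk_transit(SAMPLE, 10, a, b))
    print("Native VLAN 1 frame with a mismatched far end (native 99) lands in VLAN",
          trunk_transit(SAMPLE, 1, a, TrunkPort(native_vlan=99)))
```

The last line of the demo is the native-VLAN mismatch case: switch A sends its VLAN 1 frame untagged, and switch B, whose native VLAN is 99, files it under VLAN 99 with no tag ever having been on the wire to say otherwise.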
VLAN Configuration
Creating VLANs
1st_Floor_Switch#configure terminal
1st_Floor_Switch(config)#vlan 2
1st_Floor_Switch(config-vlan)#name SALES
1st_Floor_Switch(config-vlan)#vlan 3
1st_Floor_Switch(config-vlan)#name TECH
1st_Floor_Switch(config-vlan)#vlan 10
1st_Floor_Switch(config-vlan)#name LEADER
Notice that we don't need to exit VLAN configuration mode to create another VLAN.
We use the same configuration on 3rd_Floor_Switch and Main_Sw.
Set VLAN Membership
Assign a VLAN to each host port. The port must be an access port, so that the host never sees tags and the port cannot be negotiated into a trunk:
1st_Floor_Switch(config)#interface f0/1
1st_Floor_Switch(config-if)#switchport mode access
1st_Floor_Switch(config-if)#switchport access vlan 2
1st_Floor_Switch(config-if)#interface f0/2
1st_Floor_Switch(config-if)#switchport mode access
1st_Floor_Switch(config-if)#switchport access vlan 3
Notice that a port connecting to a host must be configured as an access port.
Create Trunk Ports:
On 2950 and 2960 switches: these switches support only 802.1Q encapsulation, so to turn trunking on we simply use this command:
Main_Sw(config-if)#switchport mode trunk
On 3550 and 3560 switches: there are two encapsulation types on the 3550 and 3560, 802.1Q and ISL, but three encapsulation settings: dot1q, isl and negotiate. The default is negotiate. This setting signals between the trunk ports to choose an encapsulation; ISL is preferred over 802.1Q, so we have to set "dot1q" explicitly if we want to use the standard. The encapsulation must be set before the port can be placed in trunk mode:
Main_Sw(config-if)#switchport trunk encapsulation dot1q
Main_Sw(config-if)#switchport mode trunk
In fact, if you use VLAN Trunking Protocol (VTP), you only need to configure the VLANs on Main_Sw, set Main_Sw to "server" mode and the two other switches to "client" mode.
VLAN Summary
 VLANs are used to create logical broadcast domains and Layer 3 segments in a given network.
 A VLAN is considered a logical segment because the traffic it carries may traverse multiple physical network segments.
 Cisco switches support two different trunking protocols, Inter-Switch Link (ISL) and IEEE 802.1Q. In 802.1Q, native VLAN frames are untagged.
The benefits of VLANs:
 Segment networks into multiple smaller broadcast domains without Layer 3 network devices such as routers. VLANs make switched Ethernet networks more bandwidth-efficient through this segmentation of broadcast domains.
 Group users together according to function rather than physical location. In a traditional network, users in a given work area are on the same network segment regardless of their job description or department. With VLANs, you could have one salesperson in each work area of the building sitting next to engineers, yet on a separate logical network segment.
 Reconfigure ports logically without unplugging and moving wires. If a user takes his or her computer to a new work area, no cables need to be swapped on the switch; just access the switch and change the VLAN assignments of the old and new ports. VLANs thus simplify adding, moving, and deleting users on the network. They also improve network security by avoiding the cabling mishaps that can arise when users are moved in traditional Ethernet networks.

Creating, Deleting, and Modifying VLANs

VLANs are numbered from 1 to 4094. All configured ports belong to the default VLAN when you first bring up the switch. The default VLAN (VLAN 1) uses only default values, and you cannot create, delete, or suspend activity in the default VLAN.
You create a VLAN by assigning a number to it; you can delete VLANs as well as move them from the active operational state to the suspended operational state. If you attempt to create a VLAN with an existing VLAN ID, the switch enters the VLAN submode but does not create the VLAN again.
Newly created VLANs remain unused until ports are assigned to them. All ports are assigned to VLAN 1 by default.
Depending on the range of the VLAN, you can configure the following parameters for VLANs (except the default VLAN):
 VLAN name
 Shutdown or not shutdown
When you delete a VLAN, the ports associated with that VLAN are shut down and no traffic flows. However, the system retains the VLAN-to-port mapping for that VLAN, and when you re-enable or recreate the VLAN, the system automatically reinstates all the original ports in that VLAN.
Verifying VLAN Configuration
To display VLAN configuration information, use one of these commands:

Command                                                           Purpose
switch# show running-config vlan [vlan_id | vlan_range]           Displays VLAN configuration information.
switch# show vlan [brief | id [vlan_id | vlan_range]              Displays selected configuration information
        | name name | summary]                                    for the defined VLAN(s).

The following example shows all VLANs defined in the range 1-21:
switch# show running-config vlan 1-21
The following example shows the VLANs created on the switch and their status:
switch# show vlan
The following example shows the details of VLAN 13, including its member ports:
switch# show vlan id 13
The following example shows the VLAN settings summary:
switch# show vlan summary
Output:
Number of existing VLANs          : 2
Number of existing VTP VLANs      : 2
Number of existing extended VLANs : 0
VLAN Trunking Protocol (VTP)
"VTP allows a network manager to configure a switch so that it will propagate VLAN configurations to other switches in the network."
VTP minimizes misconfigurations and configuration inconsistencies that can cause problems, such as duplicate VLAN names or incorrect VLAN-type specifications. VTP simplifies management of the VLAN database across multiple switches.
VTP is a Cisco-proprietary protocol and is available on most Cisco switches.
Why do we need VTP?
To answer this question, let's discuss a real and popular network topology.
Suppose you are working in a medium-sized company in a 5-floor office. You assigned each floor to a switch for easy management, and of course the ports on each switch can be assigned to different VLANs. For example, your bosses can sit on any floor and still reach the Manage VLAN (VLAN 7). Your technical colleagues can sit anywhere and reach the Technical VLAN (VLAN 4). This is the best design, because each person's permissions are not limited by physical location.

Now let's discuss VTP's role in this topology. Suppose VTP is not running on these switches. One day your boss decides to add a new department, the Support Department, and you are tasked to add a new SUPPORT VLAN for it. How will you do that? Without VTP you have to go to each switch and create the new VLAN.
Fortunately your office only has 5 floors, so you can finish this task in a few hours. But imagine a bigger company with a 100-floor office and several VLANs to add every month: adding a new VLAN like this would be a daunting task. Luckily, Cisco created a method that lets you sit at the "Main Sw", add your new VLANs, and have the other switches learn about them automatically. That is what VTP does for you.
How VTP Works
To make switches exchange their VLAN information with each other, they need to be configured in the same VTP domain. Only switches belonging to the same domain share their VLAN information. When a change is made to the VLAN database, it is propagated to all switches via VTP advertisements.
To maintain domain consistency, only one switch should be allowed to create, delete or modify VLANs. This switch is like the "master" of the whole VTP domain, and it operates in Server mode. This is also the default mode.
Other switches only receive and forward updates from the "server" switch. They operate in Client mode. Switches in this mode cannot create, delete or modify VLANs.
In some cases the network manager doesn't want a switch to learn VTP information from other switches. He can set it to Transparent mode. In this mode a switch maintains its own VLAN database and never learns any VTP information from other switches (not even from the switch in VTP server mode). However, it still forwards VTP advertisements from the server to other switches (without reading them). A transparent switch can add, delete and modify VLANs locally.

Returning to the example above, we can configure any switch as the "server", but for convenience the "Main Sw" should be given this function, and it should be placed in a safe location.
As said above, VTP advertisements bring VLAN information to all the switches in a VTP domain. Each VTP advertisement carries a configuration revision number. This number is used to determine whether the VTP advertisement is more recent than the database the switch currently holds. Each time you make a VLAN change on the server, the configuration revision is incremented by one, so a higher revision number means a newer VTP advertisement.
For example, the first time the Main Sw sends a VTP advertisement, its revision number is 1. When you add a new VLAN to the Main Sw, it sends a VTP advertisement with revision number 2. The client switches first receive the advertisement with revision number 1, which is higher than their current revision number (0), so they update their VLAN database. Next they receive the advertisement with revision number 2, compare it with their current revision number (1), and update their VLAN database again.
One important thing you must know: when a switch receives a VTP advertisement with a higher revision number, it deletes its whole VLAN database and copies the information from the newer advertisement into it. A switch does not compare its own VLAN database with the received advertisement to find and update only the differences! This applies to switches in server mode as well, so a switch that joins the domain with a higher revision number (for example a reused switch whose revision was never reset) will have its database copied to every other switch in the domain. The usual precautions are a VTP password on the domain and resetting a switch's revision number (by changing its VTP domain name or setting it to transparent mode) before connecting it.
Note: VTP advertisements are sent as multicast frames on the trunk links, and all neighbors in that domain receive them.
The "show vtp status" command
The most important command to view the status of VTP on Cisco switches, which every CCNA learner must grasp, is "show vtp status". Let's look at the fields in its output:

 VTP Version: the VTP version the switch is running. By default the switch runs version 1 but can be set to version 2. Within a domain the two VTP versions are not interoperable, so make sure to configure the same VTP version on every switch in a domain.
 Configuration Revision: the current revision number on this switch.
 Maximum VLANs Supported Locally: the maximum number of VLANs supported locally.
 Number of Existing VLANs: the number of existing VLANs.
 VTP Operating Mode: server, client, or transparent.
 VTP Domain Name: the name that identifies the administrative domain for the switch.
 By default, a switch operates in VTP server mode with a NULL (blank) domain name and no password configured (the password is not listed in the output).
 VTP Pruning Mode: whether pruning is enabled or disabled. VTP pruning is discussed later.
 VTP V2 Mode: whether VTP version 2 mode is enabled. VTP version 2 is disabled by default.
 VTP Traps Generation: whether VTP traps are sent to a network management station.
 MD5 Digest: a 16-byte checksum of the VTP configuration.
 Configuration Last Modified: date and time of the last configuration modification, and the IP address of the switch that caused the configuration change to the database.
VTP Pruning
To understand what VTP pruning is, let's see an example:

When PC A sends a broadcast frame on VLAN 10, it travels across all trunk links in the VTP domain. The Server switch, Sw2 and Sw3 all receive the broadcast frame from PC A. But only Sw3 has a user on VLAN 10, so it is a waste of bandwidth on Sw2. Moreover, that broadcast traffic also consumes processor time on Sw2. The link between the Server switch and Sw2 does not need to carry any VLAN 10 traffic, so it can be "pruned".
VTP pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN. In the example above, the Server switch doesn't send the broadcast frame to Sw2 because Sw2 doesn't have ports in VLAN 10.
When a switch has a port associated with a VLAN, it sends an advertisement to its neighbors to inform them that it has active ports in that VLAN. For example, Sw3 sends an advertisement to the Server switch to inform it that it has an active port in VLAN 10. Sw2 has not advertised VLAN 10, so the Server switch prunes VLAN 10 on the trunk to Sw2.
You only need to enable pruning on one VTP server switch in the domain; the setting is propagated to the rest of the domain.
VTP Configuration
On the server switch:
Main_Sw(config)#vtp version 2
Main_Sw(config)#vtp domain 9tut
Main_Sw(config)#vtp mode server
Main_Sw(config)#vtp password keepitsecret
On the client switches:
Client(config)#vtp version 2
Client(config)#vtp domain 9tut
Client(config)#vtp password keepitsecret
Client(config)#vtp mode client
Notice: before configuring VTP, make sure the links between your switches are trunk links. A trunk will not form automatically between two 2960 or 3560 switches, because ports on these switches are set to dynamic auto by default, and if both sides are dynamic auto the link remains in access mode. To configure a trunk between these ports, use these commands:
Client(config)#interface fa0/1 (or the interface on the link you want to be a trunk)
Client(config-if)#switchport mode trunk
These commands need to be entered on only one of the two switches to form the trunk, because the dynamic auto port on the other side negotiates trunking with it.
Below is a summary of important notes about VTP:
 Whenever a change occurs in the VLAN database, the VTP server increments its configuration revision number and then advertises the new revision throughout the VTP domain via VTP advertisements.
 VTP operates in one of three modes: server, transparent, or client.
VTP modes:
* Server: the default mode. When you make a change to the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP messages are transmitted out of all the trunk connections. In server mode we can create, modify and delete VLANs.
* Client: cannot make changes to the VLAN configuration; however, a VTP client can send the VLANs currently listed in its database to other VTP switches. A VTP client also forwards VTP advertisements (but cannot originate changes).
* Transparent: when you make a change to the VLAN configuration in this mode, the change affects only the local switch and does not propagate to other switches in the VTP domain. A VTP transparent switch does forward the VTP advertisements it receives within the domain.
VTP pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN.
Configuration Revision Number

The revision number is the most important piece of the VTP advertisement. The figure below shows an example of how a revision number is used in an advertisement.

The figure shows a configuration revision number "N". As the database is modified, the VTP server increments the revision number by 1. The VTP server then advertises the database with the new configuration revision number.
When a switch receives an advertisement that has a higher revision number, it overwrites the database in NVRAM with the database being advertised.
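The revision-number rule stated here and in the "How VTP Works" section above, as an added example that is not part of the original text: a simplified Python model of a VTP domain in which advertisements carry the domain name, the revision number, the VLAN list and a digest that depends on the domain password. Server and client switches replace their whole database when a newer revision with a valid digest arrives; transparent switches only relay. The advertisement format and digest are assumptions that stand in for the real protocol (which hashes more fields and has version checks); the switch names and VLANs follow the configuration above.

```python
import hashlib
import json


class VtpSwitch:
    """Simplified model of one switch's VTP state (assumption: the real
    advertisement format, version handling and digest are more involved)."""

    def __init__(self, name, domain, mode="server", password=""):
        if mode not in ("server", "client", "transparent"):
            raise ValueError("mode must be server, client or transparent")
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.revision = 0
        self.vlans = {1: "default"}          # VLAN 1 always exists
        self.neighbors = []                  # switches on the far end of trunk links
        self.log = []

    def _digest(self, vlans):
        # VTP hashes the VLAN database together with the domain password, so a
        # switch that does not know the password cannot produce an accepted digest.
        material = json.dumps([self.domain, self.password, sorted(vlans.items())])
        return hashlib.md5(material.encode()).hexdigest()

    def add_vlan(self, vid, name):
        """Local change to the VLAN database; clients are not allowed to make one."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "transparent":
            return                           # local only, nothing is advertised
        self.revision += 1                   # every change bumps the revision
        self.advertise()

    def advertise(self):
        adv = {"domain": self.domain, "revision": self.revision, "from": self.name,
               "vlans": dict(self.vlans), "digest": self._digest(self.vlans)}
        for n in self.neighbors:
            n.receive(adv, sender=self)

    def receive(self, adv, sender):
        if adv["domain"] != self.domain:
            return                           # another domain: ignored
        if self.mode == "transparent":
            self._forward(adv, sender)       # relayed to the other trunks, never applied
            return
        if adv["digest"] != self._digest(adv["vlans"]):
            self.log.append(f"rejected advertisement from {adv['from']}: digest mismatch")
            return
        if adv["revision"] <= self.revision:
            return                           # not newer than what we already hold
        # A higher revision wins outright: the whole database is replaced, not
        # merged. Servers obey this rule too, which is why a switch joining with a
        # stale but higher revision can wipe the VLANs of the entire domain.
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        self.log.append(f"database replaced from {adv['from']} at revision {adv['revision']}")
        self._forward(adv, sender)

    def _forward(self, adv, sender):
        for n in self.neighbors:
            if n is not sender:
                n.receive(adv, sender=self)


def link(a, b):
    """Trunk link between two switches (the topology modelled here is a tree)."""
    a.neighbors.append(b)
    b.neighbors.append(a)


def build_domain(password="keepitsecret"):
    """Main_Sw as server with two client switches, as in the configuration above."""
    main = VtpSwitch("Main_Sw", "9tut", "server", password)
    first = VtpSwitch("1st_Floor_Switch", "9tut", "client", password)
    third = VtpSwitch("3rd_Floor_Switch", "9tut", "client", password)
    link(main, first)
    link(main, third)
    return main, first, third


def scenario_stale_switch(password="keepitsecret"):
    """A reused client switch whose revision was never reset joins the domain
    with the right domain name and password but an almost empty database."""
    main, first, third = build_domain(password)
    for vid, name in ((2, "SALES"), (3, "TECH"), (10, "LEADER")):
        main.add_vlan(vid, name)
    stale = VtpSwitch("Stale_Sw", "9tut", "client", password)
    stale.revision = 50                      # left over from its previous domain
    link(main, stale)
    stale.advertise()                        # sent when the trunk comes up
    return main, first, third, stale


if __name__ == "__main__":
    main, first, third, stale = scenario_stale_switch()
    print("Main_Sw VLANs after the stale switch joined:", main.vlans, "revision", main.revision)
```

Running the stale-switch scenario shows the server and both clients left with only VLAN 1 at revision 50; with a wrong password the advertisement is rejected at the digest check and nothing changes, which is the point of configuring vtp password on every switch.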

Configuring Inter-VLAN Routing

By default, only hosts that are members of the same VLAN can communicate. To allow inter-VLAN communication you need a router or a Layer 3 switch.
 To support ISL or 802.1Q routing on a Fast Ethernet interface, the router's interface is divided into logical interfaces, one for each VLAN. These are called subinterfaces.
 Note that no trunk forms between a 1900 and a 2950 switch by default, because the 1900 switch only supports ISL trunking and the 2950 switch only supports 802.1Q trunking, and these two trunking methods aren't compatible.
 Cisco doesn't support ISL on the 2950 switch, which is odd, since ISL is a Cisco-proprietary frame-tagging method!
Let's look at the example of inter-VLAN routing below.
Diagram: Inter-VLAN routing

IP addresses, subnet masks and gateways for all hosts:
HostA: 192.168.1.66, 255.255.255.192, default gateway 192.168.1.65 (VLAN 1)
HostB: 192.168.1.67, 255.255.255.192, default gateway 192.168.1.65 (VLAN 1)
HostC: 192.168.1.130, 255.255.255.224, default gateway 192.168.1.129 (VLAN 2)

Remember the following points for the router connected to the switch:
1. The router is connected to the switch using subinterfaces.
2. The switch port connecting to the router is a trunk port.
3. The switch ports connecting to the clients and the hub are access ports, not trunk ports.
4. When you create a trunk link, all VLANs are allowed to pass data by default.

Configuration

Switch configuration, after creating VLAN 2 as we learned already (VLAN 1 exists by default). On a 3550 the trunk encapsulation must be set before the port is put in trunk mode:

3550(config)#interface fa0/1
3550(config-if)#switchport trunk encapsulation dot1q
3550(config-if)#switchport mode trunk
3550(config-if)#interface fa0/2
3550(config-if)#switchport mode access
3550(config-if)#switchport access vlan 1
3550(config-if)#interface fa0/3
3550(config-if)#switchport mode access
3550(config-if)#switchport access vlan 1
3550(config-if)#interface fa0/4
3550(config-if)#switchport mode access
3550(config-if)#switchport access vlan 2

Router configuration (one subinterface per VLAN; the subinterface number is arbitrary, the VLAN ID in the encapsulation command is what the router matches on; VLAN 1 is the native VLAN of the trunk, so its frames arrive untagged and the subinterface is marked native):

Router(config)#interface fastethernet 0/1
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#interface f0/1.1
Router(config-subif)#encapsulation dot1q 1 native
Router(config-subif)#ip address 192.168.1.65 255.255.255.192
Router(config-subif)#interface f0/1.2
Router(config-subif)#encapsulation dot1q 2
Router(config-subif)#ip address 192.168.1.129 255.255.255.224

Voice VLAN
It is a common and recommended practice to separate voice and data traffic by using VLANs. The switch built into a Cisco IP phone has much of the same hardware that exists inside a full Cisco switch.

The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. When the switch is connected to a Cisco 7960 IP phone, the phone sends voice traffic with the Layer 3 IP precedence and Layer 2 class of service (CoS) values both set to 5 by default. Because the sound quality of an IP phone call can deteriorate if the data is sent unevenly, the switch supports quality of service (QoS) based on IEEE 802.1p CoS. QoS uses classification and scheduling to send network traffic from the switch in a predictable manner.
Beginning in privileged EXEC mode, follow these steps to


configure voice traffic on a port:
  Command Purpose
Step 1: configure terminal
Purpose: Enter global configuration mode.

Step 2: interface interface-id
Purpose: Specify the interface connected to the phone, and enter interface configuration mode.

Step 3: mls qos trust cos
Purpose: Configure the interface to classify incoming traffic packets by using the packet CoS value. For untagged packets, the port default CoS value is used.
Note: Before configuring the port trust state, you must first globally enable QoS by using the mls qos global configuration command.

Step 4: switchport voice {detect cisco-phone [full-duplex] | vlan {vlan-id | dot1p | none | untagged}}
Purpose: Configure how the Cisco IP Phone carries voice traffic:
• detect—Configure the interface to detect and recognize a Cisco IP phone.
• cisco-phone—When you initially implement the switchport voice detect command, this is the only allowed option. The default is no switchport voice detect cisco-phone [full-duplex].
• full-duplex—(Optional) Configure the switch to only accept a full-duplex Cisco IP phone.
• vlan-id—Configure the phone to forward all voice traffic through the specified VLAN. By default, the Cisco IP Phone forwards the voice traffic with an IEEE 802.1Q priority of 5. Valid VLAN IDs are 1 to 4094.
• dot1p—Configure the phone to use IEEE 802.1p priority tagging for voice traffic and to use the default native VLAN (VLAN 0) to carry all traffic. By default, the Cisco IP Phone forwards the voice traffic with an IEEE 802.1p priority of 5.
• none—Allow the phone to use its own configuration to send untagged voice traffic.
• untagged—Configure the phone to send untagged voice traffic.

Step 5: end
Purpose: Return to privileged EXEC mode.

Step 6: show interfaces interface-id switchport
Purpose: Verify your voice VLAN entries.
or: show running-config interface interface-id
Purpose: Verify your QoS and voice VLAN entries.

Step 7: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
This example shows how to configure a port connected to a
Cisco IP Phone to use the CoS value to classify incoming traffic,
to use IEEE 802.1p priority tagging for voice traffic, and to use
the default native VLAN (VLAN 0) to carry all traffic:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mls qos trust cos
Switch(config-if)# switchport voice vlan dot1p
Switch(config-if)# end
Chapter – IP Services
This chapter covers the following topics.
 High Availability – VRRP, HSRP, GLBP
 Cisco IOS NetFlow
High Availability (HA)
These technologies provide network redundancy and fault tolerance: reliable network devices and redundant hardware components with automatic failover. HA provides an alternative path for resources (e.g. software, hardware, servers) to make sure they are available at all times in the network if a failover occurs on the main link. In other words, if the primary gateway (the router link to the hosts) for the hosts in a network goes down, then the alternative secondary link of another router should automatically become available so that devices can access the resources without disruption.
Advantages of HA

• Productivity, Cost and Savings

An enterprise requires its network to be highly available to ensure that its mission-critical applications are available. Increased availability translates into higher productivity, and perhaps higher revenues and cost savings. Reliability implies that the system performs its specified task correctly; availability, on the other hand, means that the system is ready for immediate use.
Today's networks need to be available 24 hours a day, 365 days a year. To meet that objective, 99.999 or 99.9999 percent availability is expected. Each availability rate translates into an amount of downtime in days, hours, and minutes; the two highest rates, namely 99.999 percent and 99.9999 percent availability, represent highly available networks.
Why we need HA
Most companies in the world have a connection to the Internet. The picture below shows the simplest topology of such a company:

To make the above topology work we need to:

• Configure IP addresses on the two interfaces of the Router. Suppose the IP address of the Fa0/0 interface (the interface connecting to the switch) is 192.168.1.1.

• Assign the IP addresses, default gateways and DNS servers on all PCs. In this case we have to set the default gateways to the Fa0/0 interface (with the IP address 192.168.1.1) of the router. This can be done manually or automatically via DHCP.

After some time, your boss wants to implement some redundancy so that even if the Router fails, all PCs can still access the Internet without any manual configuration at that time. So we need one more router connected to the Internet, as in the topology below:

But now we have a problem: there is only one default gateway on each host, so if Router1 is down and we want to access the Internet via Router2, we have to change the default gateway (to 192.168.1.2). Also, when Router1 comes back we have to manually change it back to the IP address of Router1. And no one can access the Internet while the default gateway is being changed. HSRP can solve all these problems!
 In STP we learnt how to manipulate the election of root bridges
and load balance across redundant links.
Virtual Router, Virtual IP address and MAC Address
In addition to Layer 1 and Layer 2 redundancy, a high-availability network might also implement Layer 3 redundancy by sharing the default gateway responsibility across multiple devices. Through the use of a virtual IP address, two Layer 3 devices (routers) can share the default gateway responsibility, and the router that owns such a virtual IP address and MAC address is called a "Virtual Router".
HSRP Background
One way to achieve near-100 percent network uptime is to use
HSRP, which provides network redundancy for IP networks,
ensuring that user traffic immediately and transparently recovers
from first hop failures in network edge devices or access
circuits.
By sharing an IP address and a MAC (Layer 2) address, two or
more routers can act as a single "virtual" router. The members of
the virtual router group continually exchange status messages.
This way, one router can assume the routing responsibility of
another, should it go out of commission for either planned or
unplanned reasons. Hosts continue to forward IP packets to a
consistent IP and MAC address, and the changeover of devices
doing the routing is transparent.
Proxy Address Resolution Protocol

The ARP request from a host is sent to the virtual router, which was configured as the default gateway on the workstation, to learn the MAC address of the virtual router.
Behind the virtual router, the active router first answers with the MAC address of the virtual router; secondly, if the active router is down, the standby router in that group is responsible for giving the MAC address of the virtual router to the hosts in that network.
HSRP working
 Using HSRP, a set of routers works in concert to present
the illusion of a single virtual router to the hosts on the
LAN.
 This set is known as an HSRP group or a standby group.
 A single router elected from the group is responsible for
forwarding the packets that hosts send to the virtual router.
This router is known as the Active router.
 Another router is elected as the Standby router. In the event
that the Active router fails, the Standby assumes the packet-
forwarding duties of the Active router.
 Although an arbitrary number of routers may run HSRP,
only the Active router forwards the packets sent to the
virtual router.
 To minimize network traffic, only the Active and Standby
routers send periodic HSRP messages once the protocol has
completed the election process.
 If the Active router fails, the Standby router takes over as
the Active router. If the Standby router fails or becomes the Active router, then another router is elected as the Standby router.
Standby group routers
 On a particular LAN, multiple hot standby groups may
coexist and overlap. Each standby group emulates a single
virtual router. The individual routers may participate in
multiple groups. In this case, the router maintains separate
state and timers for each group.
 Each standby group has a single, well-known MAC
address, as well as an IP address.
HSRP Addressing
In most cases when you configure routers to be part of an HSRP
group, they listen for the HSRP MAC address for that group as
well as their own burned-in MAC address. The exception is
routers whose Ethernet controllers only recognize a single MAC
address (for example, the Lance controller on the Cisco 2500
and Cisco 4500 routers). These routers use the HSRP MAC
address when they are the Active router, and their burned-in
address when they are not.
HSRP uses the following MAC address on all media except
Token Ring:
0000.0c07.ac** (where ** is the HSRP group number)
Token Ring interfaces use functional addresses for the HSRP
MAC address. Functional addresses are the only general
multicast mechanism available. There are a limited number of
Token Ring functional addresses available and many of them are
reserved for other functions. You can use the following three
addresses with HSRP:
c000.0001.0000 (group 0)
c000.0002.0000 (group 1)
c000.0004.0000 (group 2)
Example
With HSRP, the two routers, Router1 and Router2 in this case, will be seen as only one router. HSRP uses a virtual MAC and IP address for the two routers to present a single default gateway to the hosts. For example, the virtual IP address is 192.168.1.254 and the virtual MAC is 0000.0c07.AC0A. All the hosts will point their default gateway to this IP address.

One router, through the election process, is designated as the active router while the other router is designated as the standby router. Both the active and standby router listen, but only the active router proceeds and forwards packets. The standby router is the backup when the active router fails; it monitors the periodic hellos sent by the active router (multicast to 224.0.0.2, UDP port 1985) to detect a failure of the active router.

When a failure on the active router is detected, the standby router assumes the role of the forwarding router. Because the new forwarding router uses the same (virtual) IP and MAC addresses, the hosts see no disruption in communication. A new standby router is also elected at that time (if there are more than two routers in the HSRP group).
Note: All routers in an HSRP group send hello packets. By default, the hello timer is set to 3 seconds and the dead timer is set to 10 seconds. It means that a hello packet is sent between the HSRP standby group devices every 3 seconds, and the standby device becomes active when a hello packet has not been received for 10 seconds.

Note: The virtual MAC address of HSRP version 1 is 0000.0C07.ACxx, where xx is the HSRP group number in hexadecimal on the respective interface. For example, HSRP group 10 uses the HSRP virtual MAC address 0000.0C07.AC0A. HSRP version 2 uses a virtual MAC address of 0000.0C9F.FXXX (XXX: HSRP group in hexadecimal). But please notice that the virtual MAC address can be configured manually.
HSRP version 1 hello packets are sent to multicast address 224.0.0.2 while HSRP version 2 hello packets are sent to multicast address 224.0.0.102. Currently HSRPv1 is the default version when running HSRP on Cisco devices.
HSRP configuration
Let's look at the example of HSRP configuration in the network scenario below, which is available at the networktut.com site.

IOS used: c3640-jk9s-mz.124-16.bin

Tasks in this lab:
• Configure IP addresses as shown and run EIGRP on R2, R3, R4
• Configure HSRP: R2 is the Active HSRP router while R3 is the Standby HSRP router
• Track the route to 4.4.4.4: traffic should go to R3 once the route to 4.4.4.4 is lost on R2 or the metric to R4's loopback interface increases.
IP Address and EIGRP Configuration

R1 (configured as a host)
no ip routing
ip default-gateway 123.123.123.254 //This is the virtual IP of HSRP group
interface FastEthernet0/0
ip address 123.123.123.1 255.255.255.0
no shutdown

R2
interface FastEthernet0/0
ip address 123.123.123.2 255.255.255.0
no shutdown
!
interface FastEthernet1/0
ip address 24.24.24.2 255.255.255.0
no shutdown
!
router eigrp 1
network 24.0.0.0
network 123.0.0.0

R3
interface FastEthernet0/0
ip address 123.123.123.3 255.255.255.0
no shutdown
!
interface FastEthernet1/0
ip address 34.34.34.3 255.255.255.0
no shutdown
!
router eigrp 1
network 34.0.0.0
network 123.0.0.0

R4
interface Loopback0
ip address 4.4.4.4 255.255.255.0
!
interface FastEthernet0/0
ip address 24.24.24.4 255.255.255.0
no shutdown
!
interface FastEthernet1/0
ip address 34.34.34.4 255.255.255.0
no shutdown
!
router eigrp 1
network 4.0.0.0
network 24.0.0.0
network 34.0.0.0

HSRP Configuration

R2
interface FastEthernet0/0
standby 10 ip 123.123.123.254
standby 10 priority 200
standby 10 preempt

R3
interface FastEthernet0/0
standby 10 ip 123.123.123.254
standby 10 priority 150
standby 10 preempt
Note: The virtual IP address of the HSRP group must be in the same subnet as the IP address on this interface (Fa0/0).
After entering the above commands we will see R2 take the Active state after going from Speak to Standby:
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby
*Mar 1 00:10:22.487: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active
*Mar 1 00:10:22.871: %SYS-5-CONFIG_I: Configured from console by console
The “show standby” command on R2 confirms its state:

Now R2 is in HSRP Active state with virtual MAC address 0000.0c07.ac0a. Notice that the last two digits of the MAC address (0a) are the HSRP group number in hexadecimal form (0a in hex = 10 in decimal).
The “show standby” command on R3 reveals it is in Standby state:

Now we will see what happens if we turn off interface Fa0/0 on R2:
R2(config)#interface fa0/0
R2(config-if)#shutdown
As we can see, the HSRP state of R2 went back to Init while the HSRP state of R3 moved to Active.
HSRP Tracking IP Route
In this part, instead of tracking an interface going up or down, we can track whether the metric of a route to a destination changes. In particular we will try to track the route to the loopback interface of R4 (4.4.4.4). First we should check the routing table of R2:
We learn that the metric to the loopback interface of R4 (4.4.4.4) is 156160 and that it is summarized to the 4.0.0.0/8 prefix because EIGRP summarizes routes by default.
Now add IP route tracking to R2:
R2(config)#track 1 ip route 4.0.0.0 255.0.0.0 metric threshold
R2(config-track)#threshold metric up 61 down 62
and on interface fa0/0 add these commands to apply the track:
R2(config)#interface fa0/0
R2(config-if)#standby 10 track 1 decrement 60
The command track ip route metric threshold is used to track the metric change of a route. For example, in this case the second command threshold metric up 61 down 62 specifies the low and high thresholds.
up: Specifies the up threshold. The state is up if the scaled metric for that route is less than or equal to the up threshold. The default up threshold is 254.
down: Specifies the down threshold. The state is down if the scaled metric for that route is greater than or equal to the down threshold. The default down threshold is 255.
Then, how do we know the up value should be 61 and the down value should be 62? This is because EIGRP routes are scaled by a factor of 2560, so if we divide the EIGRP metric (156160 in this case) by 2560 we get 61 (156160 / 2560 = 61). 2560 is the default metric resolution value for EIGRP and can be modified by the track resolution command (for example: track resolution ip route eigrp 400). The table below lists the metric resolution for popular routing protocols.

Routing protocol: Metric resolution
Static: 10
EIGRP: 2560
OSPF: 1
RIP: scaled directly to the range from 0 to 255, because its maximum metric is less than 255

In this case, if the scaled metric for the route to 4.0.0.0/8 in the routing table is less than or equal to 61 then the state is up. If it is greater than or equal to 62, the state is down. We can verify if the track is working correctly with the show track command.
When the state is Down, R2's priority will be reduced by 60: 200 – 60 = 140, which is less than the priority of R3 (150) -> R3 will take over the Active state from R2.

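The chain just described (routing-table metric, metric resolution, up/down thresholds, priority decrement, election) is easy to get wrong by one unit when planning thresholds. The following is an added example, not the book's own code: it models the track object and the HSRP priority decrement with the lab's numbers (156160, 2560, up 61 / down 62, priority 200 minus 60 versus 150). The resolution table is the book's; the function names and the router dictionary are constructed for this example, and the tie-break on highest interface IP is standard HSRP behaviour.

```python
# Added example (not from the book): model the "track ... metric threshold"
# object and the HSRP priority decrement it drives, using the book's numbers.
import ipaddress

# Metric resolution per protocol, from the book's table.
RESOLUTION = {"static": 10, "eigrp": 2560, "ospf": 1}


def scaled_metric(metric, protocol):
    """Scale a routing-table metric into the 0-255 range the track object compares."""
    proto = protocol.lower()
    if proto == "rip":
        if not 0 <= metric <= 255:
            raise ValueError("RIP metric is already in the 0-255 range")
        return metric            # RIP is mapped directly
    return metric // RESOLUTION[proto]


def track_state(metric, protocol, up=254, down=255, previous="up"):
    """Up if scaled metric <= up, down if >= down; between the two thresholds
    the previous state is kept (hysteresis). A missing route (None) is down."""
    if metric is None:
        return "down"
    scaled = scaled_metric(metric, protocol)
    if scaled <= up:
        return "up"
    if scaled >= down:
        return "down"
    return previous


def hsrp_active(routers, track_states):
    """Apply track decrements, then elect the highest effective priority
    (ties broken by the highest interface IP, as HSRP does).
    routers: {name: {"ip": str, "priority": int, "track": (track_id, decrement)}}
    track_states: {track_id: "up" | "down"}"""
    effective = {}
    for name, cfg in routers.items():
        prio = cfg["priority"]
        track_id, decrement = cfg.get("track", (None, 0))
        if track_id is not None and track_states.get(track_id) == "down":
            prio -= decrement
        effective[name] = prio
    winner = max(routers, key=lambda n: (effective[n],
                                          int(ipaddress.IPv4Address(routers[n]["ip"]))))
    return winner, effective


# Constructed from the lab: R2 priority 200 tracks object 1 with decrement 60,
# R3 priority 150 with no tracking.
ROUTERS = {
    "R2": {"ip": "123.123.123.2", "priority": 200, "track": (1, 60)},
    "R3": {"ip": "123.123.123.3", "priority": 150},
}

if __name__ == "__main__":
    for metric in (156160, 160000, None):
        state = track_state(metric, "eigrp", up=61, down=62)
        print(f"metric {metric}: track 1 is {state}, election:",
              hsrp_active(ROUTERS, {1: state}))
```

With the route present at metric 156160 the scaled value is exactly 61, the track is up and R2 stays active; once the route disappears (or its scaled metric reaches 62) the decrement takes R2 to 140 and R3 wins with 150. A gap between the up and down thresholds keeps a route that hovers around the boundary from flapping the track.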
A very important note we wish to mention here is: the route for tracking should be exactly the same as displayed in the routing table, or the track would go down because no route is found. For example, if we try tracking the more specific route 4.4.4.0/24 or 4.4.4.4/24, the track would go down because EIGRP summarizes routes by default before advertising them into another major network. Let's try this!
R2(config)#no track 1 ip route 4.0.0.0 255.0.0.0 metric threshold
R2(config)#track 1 ip route 4.4.4.0 255.255.255.0 metric threshold
R2(config-track)#threshold metric up 61 down 62
Now check if the track is working or not:

The track on R2 goes down, so R2's priority is reduced by 60, which causes R3 to take the Active state.
In this case, if we wish to bring up the track of the route to 4.4.4.0/24 we just need to use the “no auto-summary” command on R4, which causes R4 to advertise the more specific route 4.4.4.0/24.
R4(config)#router eigrp 1
R4(config-router)#no auto-summary
Now R4 advertises the detailed 4.4.4.0/24 network and it matches our tracking process, so the track will go up.
HSRP States
HSRP consists of 6 states:
• Initial: HSRP is not running.
• Learn: The router does not know the virtual IP address and is waiting to hear from the active router.
• Listen: The router knows the IP and MAC of the virtual router, but it is not the active or standby router.
• Speak: The router sends periodic HSRP hellos and participates in the election of the active router.
• Standby: The router monitors hellos from the active router and assumes responsibility if the active router fails.
• Active: The router forwards packets on behalf of the virtual router.
Please notice that not all routers in an HSRP group go through all the states above. In an HSRP group, only one router reaches the active state and one router reaches the standby state. Other routers will stop at the listen state.
Now let's take an example of a router passing through these states. Suppose there are 2 routers A and B in the network; router A is turned on first. It enters the initial state. Then it moves to the listen state, in which it tries to hear whether there are already active or standby routers for this group. After learning that no one has taken the active or standby state, it decides to take part in the election by moving to the speak state. Now it starts sending hello messages containing its priority. These messages are sent to the multicast address 224.0.0.2 (which can be heard by all members in that group). When it does not hear a hello message with a higher priority, it assumes the role of active router and moves to the active state. In this state, it continues sending out periodic hello messages.
Now router B is turned on. It also goes through the initial and listen states. In the listen state, it learns that router A is already the active router and no other router is taking the standby role, so it enters the speak state to compete for the standby role -> it promotes itself to standby router.

Suppose router A is in the active state while router B is in the standby state. If router B does not hear hello messages from router A within the hold time (10 seconds by default), router B goes into the speak state to announce its priority to all HSRP members and compete for the active state. But if at some time it receives a message from the active router that has a lower priority than its own priority (because the administrator changed the priority on either router), it can take over the active role by sending out a hello packet with parameters indicating it wants to take over as the active router. This is called a coup hello message.
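Because every HSRP decision above (hello, coup, who is active, which virtual MAC answers ARP) is driven by fields in a 20-byte UDP message to 224.0.0.2 port 1985, a defender who captures that traffic can check it against the documented design. The following is an added example, not the book's own code: it decodes HSRP version 1 messages using the field layout from RFC 2281 (version, opcode, state, hello time, hold time, priority, group, reserved, 8 bytes of authentication data, virtual IP), derives the virtual MAC for a group number as described in the notes above, and audits a constructed sample capture from the R2/R3 lab against the planned routers and priorities. The sample packets, the expected-router table and the function names are constructed for this example.

```python
# Added example (not from the book): decode HSRP version 1 messages as they
# appear in a packet capture, derive the virtual MAC from the group number,
# and audit the messages seen on a segment against the documented routers.
import struct
import ipaddress

HSRP_V1_MCAST = "224.0.0.2"   # destination of HSRPv1 hellos (from the text)
HSRP_UDP_PORT = 1985
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}

# RFC 2281 layout: version, opcode, state, hellotime, holdtime, priority,
# group, reserved (1 byte each), 8-byte auth data, 4-byte virtual IP = 20 bytes.
_HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")


def build_hsrp_v1(opcode, state, priority, group, virtual_ip,
                  hello=3, hold=10, auth=b"cisco"):
    """Encode one HSRPv1 message (used here only to construct sample captures)."""
    return _HSRP_V1.pack(0, opcode, state, hello, hold, priority, group, 0,
                         auth.ljust(8, b"\x00"),
                         ipaddress.IPv4Address(virtual_ip).packed)


def parse_hsrp_v1(data):
    """Decode a 20-byte HSRPv1 message into a dict of its fields."""
    if len(data) < _HSRP_V1.size:
        raise ValueError("truncated HSRP message")
    (ver, op, state, hello, hold, prio, group,
     _reserved, auth, vip) = _HSRP_V1.unpack(data[:_HSRP_V1.size])
    if ver != 0:
        raise ValueError(f"not an HSRPv1 message (version byte {ver})")
    return {
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hello": hello, "hold": hold, "priority": prio, "group": group,
        "auth": auth.rstrip(b"\x00").decode("ascii", errors="replace"),
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }


def virtual_mac(group, version=1):
    """0000.0c07.acXX for HSRPv1 (group 0-255), 0000.0c9f.fXXX for HSRPv2 (0-4095)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if not 0 <= group <= 4095:
        raise ValueError("HSRPv2 group must be 0-4095")
    return f"0000.0c9f.f{group:03x}"


def audit_hsrp(packets, expected_routers, expected_vip):
    """Flag messages that do not match the documented group: unknown senders,
    a different virtual IP, or a priority that differs from the plan.
    packets: list of (source_ip, raw_bytes); expected_routers: {ip: priority}."""
    alerts = []
    for src, raw in packets:
        msg = parse_hsrp_v1(raw)
        if src not in expected_routers:
            alerts.append(f"{src}: {msg['opcode']} with priority {msg['priority']} "
                          f"from a router not in the plan")
        elif msg["virtual_ip"] != expected_vip:
            alerts.append(f"{src}: advertises virtual IP {msg['virtual_ip']}, "
                          f"expected {expected_vip}")
        elif msg["priority"] != expected_routers[src]:
            alerts.append(f"{src}: priority {msg['priority']} differs from "
                          f"documented {expected_routers[src]}")
    return alerts


# Constructed sample "capture" based on the lab: R2 active (200), R3 standby
# (150), plus a coup message from an address that is not part of the lab.
VIP = "123.123.123.254"
EXPECTED_ROUTERS = {"123.123.123.2": 200, "123.123.123.3": 150}
SAMPLE_PACKETS = [
    ("123.123.123.2", build_hsrp_v1(0, 16, 200, 10, VIP)),
    ("123.123.123.3", build_hsrp_v1(0, 8, 150, 10, VIP)),
    ("123.123.123.99", build_hsrp_v1(1, 4, 255, 10, VIP)),
]

if __name__ == "__main__":
    for src, raw in SAMPLE_PACKETS:
        print(src, parse_hsrp_v1(raw))
    print("virtual MAC for group 10:", virtual_mac(10))
    for alert in audit_hsrp(SAMPLE_PACKETS, EXPECTED_ROUTERS, VIP):
        print("ALERT:", alert)
```

The audit is deliberately driven by a table of what the network should look like (which interfaces belong to the group and with which priority), so a coup or hello from any other address, or a documented router suddenly claiming a different priority, stands out in the capture. The same check can be run against the 224.0.0.102 traffic of HSRP version 2 once its different message layout is parsed.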
Quick summarization:
• HSRP is Cisco proprietary and allows several routers or multilayer switches to appear as a single gateway IP address.
• HSRP has 5 states: Initial, listen, speak, standby and active.
• HSRP allows multiple routers to share a virtual IP and MAC address so that the end-user hosts do not realize when a failure occurs.
• The active (or Master) router uses the virtual IP and MAC addresses.
• Standby routers listen for Hellos from the Active router. A hello packet is sent every 3 seconds by default. The hold time (dead interval) is 10 seconds.
• Virtual MAC of 0000.0C07.ACxx, where xx is the hexadecimal number of the HSRP group. The group numbers of HSRP version 1 range from 0 to 255.
• HSRP does support group number 0 (we did check it and in fact, it is the default group number if you don't enter a group number in the configuration), so HSRP version 1 supports up to 256 group numbers. HSRP version 2 supports 4096 group numbers.
Virtual Router Redundancy Protocol (VRRP)
VRRP allows for transparent failover at the first-hop IP router by configuring a group of routers to share a virtual IP address. VRRP selects a master router in that group to handle all packets for the virtual IP address. The remaining routers are in standby and take over if the master router fails.
• Unlike HSRP, a Cisco proprietary protocol, VRRP is an IEEE standard for router redundancy.
• In HSRP there is one active router and other backup routers, but in VRRP there is only one active router (the master router) and the other routers in the VRRP group are backup routers.
• In a VRRP group, for redundancy, the real IP address of the master router can be used as the shared address among the other VRRP router members.
• The master router has the highest priority value, which is manually configured on it; if not, change the default priority of 100 to a higher value in order to make it the master router, and use lower priorities for the other backup routers.
• VRRP is used in most Ethernet-type networks as well as in VPN and MPLS.
• The valid priority range for a virtual router is from 1 to 254 (1 is the lowest priority and 254 is the highest). The default priority value for backups is 100.

How does VRRP work

A LAN client can determine which router should be the first hop to a particular remote destination by using a dynamic process or static configuration. Examples of dynamic router discovery are as follows:
• Proxy ARP—The client uses Address Resolution Protocol (ARP) to get the destination it wants to reach, and a router responds to the ARP request with its own MAC address.
• Routing protocol—The client listens to dynamic routing protocol updates (for example, from Routing Information Protocol [RIP]) and forms its own routing table.
• ICMP Router Discovery Protocol (IRDP) client—The client runs an Internet Control Message Protocol (ICMP) router discovery client.
The disadvantage of dynamic discovery protocols is that they incur some configuration and processing overhead on the LAN client. Also, if a router fails, the process of switching to another router can be slow.

An alternative to dynamic discovery protocols is to statically configure a default router on the client. Although this approach simplifies client configuration and processing, it creates a single point of failure. If the default gateway fails, the LAN client is limited to communicating only on the local IP network segment and is cut off from the rest of the network.

VRRP can solve the static configuration problem by enabling a group of routers (a VRRP group) to share a single virtual IP address. You can then configure the LAN clients with the virtual IP address as their default gateway.
The figure below shows a basic VRRP topology. In this example, Routers A, B, and C form a VRRP group. The IP address of the group is the same address that was configured for the Ethernet interface of Router A (10.0.0.1).

Figure: Basic VRRP Topology

VRRP Configuration
SUMMARY STEPS
1. configure terminal
2. interface interface-type slot/port
3. vrrp number
4. shutdown
5. priority level [forwarding-threshold lower lower-value upper upper-value]
6. no shutdown
7. (Optional) show vrrp
8. (Optional) copy running-config startup-config
We have already taken care of the basic configuration (interface IP addresses, the default gateway on the host, and EIGRP on all routers to avoid any connectivity issue).
ON RA
RA(config)#interface fa 0/0 //interface towards host1
RA(config-if)#vrrp 1 ip 10.0.0.1
RA(config-if)#vrrp 1 priority 200
RA(config-if)#vrrp 1 preempt
ON RB
RB(config)#interface fa 0/0
RB(config-if)#vrrp 1 ip 10.0.0.1
RB(config-if)#vrrp 1 priority 100 //optional
RB(config-if)#vrrp 1 preempt
ON RC
RC(config)#interface fa 0/0
RC(config-if)#vrrp 1 ip 10.0.0.1
RC(config-if)#vrrp 1 preempt

Verification commands
R#sh vrrp all
R#sh vrrp brief

Because the virtual IP address uses the IP address of the physical Ethernet interface of Router A, Router A is the master (also known as the IP address owner). As the master, Router A owns the virtual IP address of the VRRP group and forwards packets sent to this IP address. Clients 1 through 3 are configured with the default gateway IP address of 10.0.0.1. Routers B and C function as backups. If the master fails, the backup router with the highest priority becomes the master and takes over the virtual IP address to provide uninterrupted service for the LAN hosts. When Router A recovers, it becomes the master again.

VRRP Benefits
The benefits of VRRP are as follows:
• Unlike HSRP, a Cisco proprietary protocol, VRRP is an IEEE standard for router redundancy.
• In HSRP there is one active router and other backup routers, but in VRRP there is only one active router (the master router) and the other routers in the VRRP group are backup routers.
• Redundancy—Enables you to configure multiple routers as the default gateway router, which reduces the possibility of a single point of failure in a network.
• Load sharing—Allows traffic to and from LAN clients to be shared by multiple routers. The traffic load is shared more equitably among available routers.
• Multiple VRRP groups—Supports up to 255 VRRP groups on a router physical interface if the platform supports multiple MAC addresses. Multiple VRRP groups enable you to implement redundancy and load sharing in your LAN topology.
• Multiple IP addresses—Allows you to manage multiple IP addresses, including secondary IP addresses. If you have multiple subnets configured on an Ethernet interface, you can configure VRRP on each subnet.
• Preemption—Enables you to preempt a backup router that has taken over for a failing master with a higher priority backup router that has become available.
• Advertisement protocol—Uses a dedicated Internet Assigned Numbers Authority (IANA) standard multicast address (224.0.0.18) for VRRP advertisements. This addressing scheme minimizes the number of routers that must service the multicasts and allows test equipment to accurately identify VRRP packets on a segment. IANA has assigned the IP protocol number 112 to VRRP.
• VRRP tracking—Ensures that the best VRRP router is the master for the group by altering VRRP priorities based on interface states.
Multiple VRRP Groups
You can configure up to 255 VRRP groups on a physical interface. The number of VRRP groups that a router interface can support depends on the following factors:
• Router processing capability
• Router memory capability
In a topology where multiple VRRP groups are configured on a router interface, the interface can act as a master for one VRRP group and as a backup for one or more other VRRP groups. The figure below shows a LAN topology in which VRRP is configured so that Routers A and B share the traffic to and from clients 1 through 4. Routers A and B act as backups to each other if either router fails.
Figure: Load Sharing and Redundancy VRRP Topology

This topology contains two virtual IP addresses for two VRRP groups that overlap. For VRRP group 1, Router A is the owner of IP address 10.0.0.1 and is the master. Router B is the backup to Router A. Clients 1 and 2 are configured with the default gateway IP address of 10.0.0.1.
For VRRP group 2, Router B is the owner of IP address 10.0.0.2 and is the master. Router A is the backup to Router B. Clients 3 and 4 are configured with the default gateway IP address of 10.0.0.2.

Gateway Load Balancing Protocol (GLBP)

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/guide/l3_cli_nxos/l3_glbp.html
• GLBP provides automatic gateway backup for IP hosts configured with a single default gateway on an IEEE 802.3 LAN.
• Multiple routers on the LAN combine to offer a single virtual first-hop IP gateway while sharing the IP packet forwarding load. Other routers on the LAN might act as redundant GLBP gateways that become active if any of the existing forwarding gateways fail.
• GLBP performs a similar function to the Hot Standby Redundancy Protocol (HSRP) and the Virtual Router Redundancy Protocol (VRRP). HSRP and VRRP allow multiple routers to participate in a virtual group configured with a virtual IP address.
• These protocols elect one member as the active router to forward packets to the virtual IP address for the group. The other routers in the group are redundant until the active router fails.
• GLBP performs an additional load balancing function that the other protocols do not provide.
• GLBP load balances over multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses.
• GLBP shares the forwarding load among all routers in a GLBP group instead of allowing a single router to handle the whole load while the other routers remain idle.
• You configure each host with the same virtual IP address, and all routers in the virtual group participate in forwarding packets. GLBP members communicate with each other using periodic hello messages.
• On switches, GLBP is supported only on the Cisco 4500 and 6500 series.

GLBP Active Virtual Gateway

• GLBP prioritizes gateways to elect an active virtual gateway (AVG). If multiple gateways have the same priority, the gateway with the highest real IP address becomes the AVG.
• The AVG assigns a virtual MAC address to each member of the GLBP group. Each member is the active virtual forwarder (AVF) for its assigned virtual MAC address, forwarding packets sent to its assigned virtual MAC address.
• The AVG also answers Address Resolution Protocol (ARP) requests for the virtual IP address. Load sharing is achieved when the AVG replies to the ARP requests with different virtual MAC addresses.
Note: Packets received on a routed port destined for the GLBP virtual IP address terminate on the local router, regardless of whether that router is the active GLBP router or a redundant GLBP router. This termination includes ping and Telnet traffic. Packets received on a Layer 2 (VLAN) interface destined for the GLBP virtual IP address terminate on the active router.

GLBP Virtual MAC Address Assignment

• The AVG assigns the virtual MAC addresses to each member of the group. The group members request a virtual MAC address after they discover the AVG through hello messages.
• The AVG assigns the next MAC address based on the load-balancing algorithm selected (see GLBP Load Balancing and Tracking).
• A gateway that is assigned a virtual MAC address by the AVG is the primary virtual forwarder. The other members of the GLBP group that learn the virtual MAC addresses from hello messages are secondary virtual forwarders.
GLBP Virtual Gateway Redundancy
 GLBP provides virtual gateway redundancy. A member in a group can be in the active, standby, or listen state.
 GLBP uses a priority algorithm to elect one gateway as the AVG and another gateway as the standby virtual gateway. The remaining gateways go into the listen state. You can configure the GLBP priority on each gateway. If the GLBP priority is identical on multiple gateways, GLBP uses the gateway with the highest IP address as the AVG.
 If an AVG fails, the standby virtual gateway assumes responsibility for the virtual IP address. GLBP elects a new standby virtual gateway from the gateways in the listen state.

GLBP Virtual Forwarder Redundancy
 GLBP provides virtual forwarder redundancy. Virtual forwarder redundancy is similar to virtual gateway redundancy, with an active virtual forwarder (AVF). If the AVF fails, a secondary virtual forwarder in the listen state assumes responsibility for the virtual MAC address.
 This secondary virtual forwarder is also a primary virtual forwarder for a different virtual MAC address.
 GLBP migrates hosts away from the old virtual MAC address of the failed AVF using the following two timers:
 Redirect timer: specifies the interval during which the AVG continues to redirect hosts to the old virtual MAC address. When the redirect time expires, the AVG stops using the old virtual MAC address in ARP replies, although the secondary virtual forwarder continues to forward packets that were sent to the old virtual MAC address.
 Secondary hold timer: specifies the interval during which the virtual MAC address is valid. When the secondary hold time expires, GLBP removes the virtual MAC address from all gateways in the GLBP group and load balances the traffic over the remaining AVFs. The expired virtual MAC address becomes eligible for reassignment by the AVG.

GLBP uses hello messages to communicate the current state of the timers. In the figure below, router A is the AVG for a GLBP group and is responsible for the virtual IP address 192.0.2.1. Router A is also an AVF for the virtual MAC address 0007.b400.0101. Router B is a member of the same GLBP group and is designated as the AVF for the virtual MAC address 0007.b400.0102. Client 1 has a default gateway IP address of 192.0.2.1, the virtual IP address, and a gateway MAC address of 0007.b400.0101 that points to router A. Client 2 shares the same default gateway IP address but receives the gateway MAC address 0007.b400.0102 because router B is sharing the traffic load with router A.
Figure: GLBP Topology
If router A becomes unavailable, client 1 does not lose access to the WAN because router B assumes responsibility for forwarding packets sent to the virtual MAC address of router A and for responding to packets sent to its own virtual MAC address. Router B also assumes the role of the AVG for the entire GLBP group. Communication for the GLBP members continues despite the failure of a router in the GLBP group.

GLBP Authentication
GLBP has three authentication types:
 MD5 authentication
 Plain text authentication
 No authentication
MD5 authentication provides greater security than plain text authentication. MD5 authentication allows each GLBP group member to use a secret key to generate a keyed MD5 hash that is part of the outgoing packet. At the receiving end, a keyed hash of the incoming packet is generated. If the hash within the incoming packet does not match the generated hash, the packet is ignored. The key for the MD5 hash can either be given directly in the configuration using a key string or supplied indirectly through a key chain.
You can also choose to use a simple password in plain text to
authenticate GLBP packets, or choose no authentication for
GLBP.
GLBP rejects packets in any of the following cases:
 The authentication schemes differ on the router and in the
incoming packet.
 MD5 digests differ on the router and in the incoming packet.
 Text authentication strings differ on the router and in the
incoming packet.
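The receiver-side checks above, as an added Python model (not the original text's code and not the GLBP packet format; the hello body, the key and the tampered field are constructed). It shows when each of the three rejection rules fires and what plain text authentication does and does not protect.

```python
import hashlib
import hmac

# Constructed, simplified model of GLBP hello authentication.  It is not
# the GLBP wire format: the hello body is an arbitrary byte string and the
# authentication field is carried alongside it.


def auth_field(body: bytes, scheme: str, secret: str) -> bytes:
    """What the sender puts in the authentication field for each scheme."""
    if scheme == "none":
        return b""
    if scheme == "text":
        return secret.encode()                 # password travels in the clear
    if scheme == "md5":
        # keyed MD5: digest of the packet body with the secret key appended
        return hashlib.md5(body + secret.encode()).digest()
    raise ValueError(f"unknown authentication scheme {scheme!r}")


def build_hello(body: bytes, scheme: str, secret: str) -> dict:
    return {"scheme": scheme, "body": body, "auth": auth_field(body, scheme, secret)}


def receive_hello(pkt: dict, scheme: str, secret: str):
    """Receiver-side check implementing the three rejection rules.
    Returns (accepted, reason)."""
    if pkt["scheme"] != scheme:
        return False, "authentication schemes differ"
    expected = auth_field(pkt["body"], scheme, secret)
    # compare_digest does not leak where the comparison stopped matching
    if scheme == "md5" and not hmac.compare_digest(pkt["auth"], expected):
        return False, "MD5 digests differ"
    if scheme == "text" and not hmac.compare_digest(pkt["auth"], expected):
        return False, "text authentication strings differ"
    return True, "accepted"


def secret_visible_on_wire(pkt: dict, secret: str) -> bool:
    """True if someone capturing this hello could read the key itself."""
    return secret.encode() in pkt["body"] + pkt["auth"]


def tampered(pkt: dict) -> dict:
    """Same authentication field, altered body (a changed priority value)."""
    return {**pkt, "body": pkt["body"].replace(b"priority 100", b"priority 255")}


if __name__ == "__main__":
    body = b"GLBP hello group 1 vip 10.1.1.250 priority 100"   # constructed
    for scheme in ("none", "text", "md5"):
        pkt = build_hello(body, scheme, "s3cret")
        print(scheme, receive_hello(pkt, scheme, "s3cret"),
              "tampered:", receive_hello(tampered(pkt), scheme, "s3cret"),
              "key visible:", secret_visible_on_wire(pkt, "s3cret"))
```

Only the keyed hash detects a modified body; a plain text string checks that the sender knew the password but gives no integrity protection.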
GLBP Load Balancing and Tracking
You can configure the following load-balancing methods for
GLBP:
 Round-robin—GLBP cycles through the virtual MAC
addresses sent in ARP replies, load balancing the traffic
across all the AVFs.
 Weighted—AVG uses the advertised weight for an AVF to
decide the load directed to the AVF. A higher weight means
that the AVG directs more traffic to the AVF.
 Host dependent—GLBP uses the MAC address of the host to
determine which virtual MAC address to direct the host to
use. This algorithm guarantees that a host gets the same
virtual MAC address if the number of virtual forwarders does
not change.
The default for IPv4 networks is round-robin. You can disable all load balancing for GLBP on an interface. If you do not configure load balancing, the AVG handles all traffic for the hosts while the other GLBP group members are in standby or listen mode.

You can configure GLBP to track an interface or routes and enable the secondary virtual forwarder to take over if a tracked link goes down. GLBP tracking uses weighted load balancing to determine whether a GLBP group member acts as an AVF. You must configure the initial weighting values and optional thresholds to enable or disable this group member as an AVF. You can also configure the interface to track and the value by which the interface's weighting is reduced if the interface goes down. When the GLBP group weighting drops below the lower threshold, the member is no longer an AVF and a secondary virtual forwarder takes over. When the weighting rises above the upper threshold, the member can resume its role as an AVF. The figure below shows an example of GLBP tracking and weighting.

Figure: GLBP Object Tracking and Weighting
In the figure above, the Ethernet 1/2 interface on router 1 is the gateway for host 1 (the AVF for virtual MAC address vMAC1), while Ethernet 2/2 on router 2 acts as a secondary virtual forwarder for host 1. Ethernet 1/2 tracks Ethernet 3/1, which is the network connection for router 1. If Ethernet 3/1 goes down, the weighting for Ethernet 1/2 drops to 90. Ethernet 2/2 on router 2 preempts Ethernet 1/2 and takes over as AVF because it has the default weighting of 100 and is configured to preempt the AVF.
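To make the AVG election, the three ARP-reply load-balancing methods and the tracking thresholds concrete, here is an added Python simulation (not Cisco code and not the GLBP protocol itself). The router names, addresses, priorities, weights, the tracking decrement and the 85/95 thresholds are constructed values; the weighted scheduler is one way to realise "higher weight, more traffic", not necessarily Cisco's exact algorithm.

```python
from dataclasses import dataclass
from typing import List, Optional


def ip_key(ip: str):
    """Numeric form so that 192.0.2.10 sorts above 192.0.2.9."""
    return tuple(int(o) for o in ip.split("."))


@dataclass
class Gateway:
    name: str
    ip: str                # real interface address, the AVG tie-breaker
    vmac: str              # virtual MAC assigned to this member by the AVG
    priority: int = 100
    weight: int = 100      # advertised weighting (IOS default 100)
    lower: int = 85        # assumed lower threshold (constructed value)
    upper: int = 95        # assumed upper threshold (constructed value)
    is_avf: bool = True
    credit: int = 0        # running credit used by the weighted scheduler

    def apply_tracking(self, decrement: int, link_up: bool) -> bool:
        """A tracked object changed state: adjust the weighting and
        re-evaluate whether this member may keep acting as an AVF."""
        self.weight += decrement if link_up else -decrement
        if self.weight < self.lower:
            self.is_avf = False       # a secondary VF takes over its vMAC
        elif self.weight > self.upper:
            self.is_avf = True        # may resume the AVF role
        return self.is_avf


class ActiveVirtualGateway:
    """Models AVG election and the vMAC the AVG chooses for ARP replies."""

    def __init__(self, members: List[Gateway], method: Optional[str] = "round-robin"):
        self.members = sorted(members, key=lambda g: g.name)
        self.method = method
        self._rr = 0
        # highest priority wins; ties go to the highest real IP address
        self.avg = max(members, key=lambda g: (g.priority, ip_key(g.ip)))

    def active_forwarders(self) -> List[Gateway]:
        return [g for g in self.members if g.is_avf]

    def arp_reply(self, host_mac: str) -> str:
        """Virtual MAC the AVG answers with when a host ARPs for the VIP."""
        avfs = self.active_forwarders()
        if not avfs:
            raise RuntimeError("no active virtual forwarder available")
        if self.method is None:
            # load balancing disabled: the AVG hands out only its own vMAC
            return self.avg.vmac
        if self.method == "round-robin":
            g = avfs[self._rr % len(avfs)]
            self._rr += 1
            return g.vmac
        if self.method == "weighted":
            # smooth weighted round-robin: replies in proportion to weight
            total = sum(g.weight for g in avfs)
            for g in avfs:
                g.credit += g.weight
            g = max(avfs, key=lambda x: x.credit)
            g.credit -= total
            return g.vmac
        if self.method == "host-dependent":
            # same host MAC -> same vMAC while the number of AVFs is stable
            idx = int(host_mac.replace(".", ""), 16) % len(avfs)
            return avfs[idx].vmac
        raise ValueError(f"unknown load-balancing method {self.method!r}")


def build_group(method: Optional[str] = "round-robin", weight_a: int = 100) -> ActiveVirtualGateway:
    """Constructed two-router group like the figure in the text:
    router A (priority 200) and router B (defaults)."""
    a = Gateway("A", "192.0.2.2", "0007.b400.0101", priority=200, weight=weight_a)
    b = Gateway("B", "192.0.2.3", "0007.b400.0102")
    return ActiveVirtualGateway([a, b], method)


if __name__ == "__main__":
    group = build_group("round-robin")
    print("AVG:", group.avg.name)
    print("client 1 ->", group.arp_reply("0000.0c12.3456"))   # 0007.b400.0101
    print("client 2 ->", group.arp_reply("0000.0c12.3457"))   # 0007.b400.0102
    router_a = group.members[0]
    router_a.apply_tracking(decrement=20, link_up=False)      # weighting 100 -> 80
    print("after tracked link fails ->", group.arp_reply("0000.0c12.3458"))
```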
GLBP Configuration
Assume that basic configuration is already done and that EIGRP or another routing protocol is running on all routers.

R(config)#interface fa 0/0
R(config-if)#glbp 1 ip 10.1.1.250 // the virtual IP must not be the real IP address of the AVG interface; it can be any unused address in the subnet
R(config-if)#glbp 1 priority 200
R(config-if)#glbp 1 preempt
R(config-if)#glbp 1 timers [msec] hellotime [msec] holdtime
R(config-if)#glbp 1 weighting 200 // set the weighting of this AVF according to the share of traffic you want it to carry

Verification command
R#show glbp brief

NetFlow
One of the most important tasks of a network administrator is to monitor the health of our networks: learn how our bandwidth is being used, what applications are consuming it, when it needs an upgrade... Although monitoring protocols like SNMP and SPAN (port mirroring) can help us answer some of these questions, they are not enough to give us an insightful view of our networks. Luckily we have another amazing tool: NetFlow!
"NetFlow is a network analysis protocol that gives the ability to collect detailed information about network traffic as it flows through a router interface. NetFlow helps network administrators answer the questions of who (users), what (application), when (time of day), where (source and destination IP addresses) and how network traffic is flowing."
Let's take an example! In the topology below, when traffic from Network 1, 2, 3... passes through the interfaces of a NetFlow-enabled device, relevant information is captured and stored in the NetFlow cache. NetFlow collects IP traffic information as records and sends them to a NetFlow collector for traffic flow analysis.

NetFlow components
 NetFlow Monitor: a component applied to an interface that collects information about flows. Flow monitors consist of a record and a cache. You add the record to the flow monitor after the flow monitor is created. In the topology above, we can apply NetFlow Monitors to the s0/0, Fa0/0 and Fa0/1 interfaces of the router to collect traffic information for these interfaces.
 NetFlow Exporter: aggregates packets into flows, stores IP flow information in its NetFlow cache and exports it in the form of flow records to the NetFlow collector.
 NetFlow Collector: collects the flow records sent from the NetFlow exporters, parsing and storing the flows. Usually a collector is separate software running on a network server. NetFlow records are exported to a NetFlow collector using User Datagram Protocol (UDP).
 NetFlow Sampler: used to reduce the number of packets that are selected for analysis. It is applied to a NetFlow Monitor to reduce the overhead, because the number of packets that the flow monitor must analyze is reduced. But notice that the accuracy of the information stored in the flow monitor's cache is reduced correspondingly.
Note: The term “flows” here should be understood as
“unidirectional streams of related packets”
The most important component of NetFlow is the NetFlow
Exporter (and its NetFlow cache) so we will discuss more about
it.
How NetFlow Exporter works
When packets arrive at the NetFlow Exporter, each of them is inspected for one or more IP packet attributes. These attributes are used to determine whether the packet is unique or similar to other packets. If it is similar, it is classified as belonging to the same flow.
There are seven key IP packet attributes that NetFlow can use to classify packets into separate flows:
 IP source address
 IP destination address
 Source port
 Destination port
 Layer 3 protocol type
 Class of Service (or Type of Service, ToS) byte
 Input (router or switch) interface
Other attributes can also be used; they are called non-key attributes and include timestamps, packet and byte counters, TCP flag information...
After inspecting these attributes, the NetFlow Exporter condenses them into flow records and saves them in a database called the NetFlow cache. These flow records can also be exported to a NetFlow Collector.
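As an added example (not code from the original text or from Cisco), the following Python models the exporter cache just described: each packet is keyed on the seven key fields, the non-key counters are updated, and records leave the cache when the active or inactive timer expires. The packet trace is constructed, and the timeouts are assumptions (60 s active, matching the "ip flow-cache timeout active 1" used later in the text, and 15 s inactive).

```python
from dataclasses import dataclass
from typing import Dict, List, NamedTuple


class FlowKey(NamedTuple):
    """The seven key fields NetFlow uses to tell flows apart."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int      # layer-3 protocol number: 1 ICMP, 6 TCP, 17 UDP
    tos: int           # ToS / class-of-service byte
    in_iface: str      # input interface


@dataclass
class FlowRecord:
    key: FlowKey
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0
    tcp_flags: int = 0     # OR of the TCP flags seen (a non-key field)


class NetFlowCache:
    """Simplified exporter cache: classify packets into unidirectional
    flows, update the non-key counters, export records on timeout.
    Timeout values are assumptions, not read from any device."""

    def __init__(self, active_timeout: float = 60.0, inactive_timeout: float = 15.0):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.flows: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[FlowRecord] = []

    def observe(self, pkt: dict, now: float) -> FlowKey:
        """Inspect one packet; create or update the flow it belongs to."""
        key = FlowKey(pkt["src"], pkt["dst"], pkt.get("sport", 0),
                      pkt.get("dport", 0), pkt["proto"], pkt.get("tos", 0),
                      pkt["iface"])
        rec = self.flows.get(key)
        if rec is None:
            rec = self.flows[key] = FlowRecord(key, first_seen=now)
        rec.packets += 1
        rec.bytes += pkt["len"]
        rec.last_seen = now
        rec.tcp_flags |= pkt.get("flags", 0)
        return key

    def age(self, now: float) -> int:
        """Move flows whose active or inactive timer has expired from the
        cache to the export queue; returns how many were exported."""
        expired = [k for k, r in self.flows.items()
                   if now - r.first_seen >= self.active_timeout
                   or now - r.last_seen >= self.inactive_timeout]
        for k in expired:
            self.exported.append(self.flows.pop(k))
        return len(expired)

    def top_talkers(self, n: int = 3) -> List[FlowRecord]:
        """Cached flows ordered by bytes, the view 'show ip flow top-talkers' gives."""
        return sorted(self.flows.values(), key=lambda r: r.bytes, reverse=True)[:n]


# Constructed trace: (time, src, dst, proto, sport, dport, length, tcp flags, input interface)
SAMPLE_TRACE = [
    (0.0, "10.1.1.10", "10.1.2.20", 6, 51000, 443, 60, 0x02, "Fa0/0"),   # SYN
    (0.1, "10.1.2.20", "10.1.1.10", 6, 443, 51000, 60, 0x12, "Fa0/1"),   # SYN/ACK
    (0.2, "10.1.1.10", "10.1.2.20", 6, 51000, 443, 1500, 0x18, "Fa0/0"),
    (0.3, "10.1.1.10", "10.1.2.20", 6, 51000, 443, 1500, 0x18, "Fa0/0"),
    (5.0, "10.1.1.11", "10.1.2.20", 1, 0, 0, 84, 0, "Fa0/0"),            # ICMP echo
    (20.0, "10.1.2.20", "10.1.1.10", 6, 443, 51000, 1500, 0x18, "Fa0/1"),
]


def load_sample(cache: NetFlowCache) -> NetFlowCache:
    """Feed the constructed trace through the cache."""
    for t, src, dst, proto, sport, dport, length, flags, iface in SAMPLE_TRACE:
        cache.observe({"src": src, "dst": dst, "proto": proto, "sport": sport,
                       "dport": dport, "len": length, "flags": flags,
                       "iface": iface}, t)
    return cache


if __name__ == "__main__":
    c = load_sample(NetFlowCache())
    for r in c.top_talkers():
        k = r.key
        print(f"{k.in_iface:6} {k.src_ip:12} -> {k.dst_ip:12} proto {k.protocol:2} "
              f"{k.src_port:5}->{k.dst_port:5} pkts {r.packets} bytes {r.bytes}")
    print("records exported after 25 s:", c.age(25.0))
```

Note that the two directions of the TCP connection become two separate flows, which is what "unidirectional streams of related packets" means in practice.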
How to view NetFlow data
There are two main methods to view NetFlow data:
 Command Line Interface (CLI): because the NetFlow cache is part of the NetFlow Exporter, we can view this cache directly via the command-line interface (CLI), which is very useful for troubleshooting, with the "show ip cache flow" command. An example output of this command is shown below:
(Figure: example output of show ip cache flow)
 A NetFlow reporting tool: there are many tools that can collect NetFlow packets sent to the NetFlow Collector and display a comprehensive view. Below is an example of what SolarWinds NetFlow Traffic Analyzer can analyze.

NetFlow versions
Version 1: the original format supported in the initial NetFlow releases.
Versions 2, 3 and 4 were not released.
Version 5: an enhancement that adds Border Gateway Protocol (BGP) autonomous system information, flow sequence numbers and a few additional fields. This is the standard and most common NetFlow version. It supports IPv4 only.
Version 6: similar to version 7.
Version 7: Cisco-specific version for Catalyst 5000 series switches, not compatible with Cisco routers.
Version 8: a choice of aggregation schemes in order to reduce resource usage.
Version 9: supports a template-based flow-record format and is known as Flexible NetFlow technology. NetFlow version 9 includes a template to describe what is being exported. It supports an extensible export format to make supporting new fields easier. It also supports additional fields and technologies such as MPLS, IPv6, IPSec, NBAR protocols, Multicast, VLAN ID...
In general, the two most important NetFlow versions are Version 5 and Version 9, and we will learn how to configure them.
Note: NetFlow version 5 only supports monitoring inbound statistics using the "ip flow ingress" command, while NetFlow v9 also allows monitoring traffic leaving each interface via the "ip flow egress" command.

Configure NetFlow
NetFlow version 5 and version 9 are commonly used nowadays, so this part shows how to configure NetFlow in versions 5 and 9. We show only the minimum configuration needed to make NetFlow work well.
Configure NetFlow version 5
The following configuration enables NetFlow version 5 on the Fa0/1 interface and exports to a NetFlow collector at 10.1.1.1 on UDP port 2055.

Router(config)#interface fa0/1
Router(config-if)#ip route-cache flow
Router(config-if)#exit
Router(config)#ip flow-export destination 10.1.1.1 2055
Router(config)#ip flow-export source fa0/2
//NetFlow will use the address of Fa0/2 as the source IP address for the UDP datagrams sent to the NetFlow Collector
Router(config)#ip flow-export version 5
Router(config)#ip flow-cache timeout active 1 //export flow records every minute
Note:
+ NetFlow version 5 can inspect inbound traffic only.
+ We can use either the command “ip route-cache flow” or “ip
flow ingress” in this case. The former will enable flows on the
physical interface and all sub-interfaces associated with it while
the latter can be used on sub-interfaces and will enable flows on
sub-interfaces only.
+ The last command “ip flow-cache timeout active 1” is
necessary for NetFlow to work well. If you leave it at the default
of 30 minutes your traffic reports will have spikes.
Configure NetFlow version 9
To configure NetFlow version 9 (Flexible NetFlow), we need to
configure three components:
1. Flow Record
2. Flow Exporter
3. Flow Monitor
The following configuration enables NetFlow version 9 on the Fa0/1 interface and exports to a NetFlow collector at 10.1.1.1 on UDP port 2055.
1. Configure the Flow Record:
Router(config)# flow record TUT_Record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
2. Configure the Exporter:
Router(config)# flow exporter TUT_Exporter
Router(config-flow-exporter)# destination 10.1.1.1
Router(config-flow-exporter)# transport udp 2055 //the UDP port the collector listens on; without it the exporter does not use 2055
3. Configure the Flow Monitor:
Router(config)# flow monitor TUT_Monitor
Router(config-flow-monitor)# record TUT_Record //Must match the Flow Record name above
Router(config-flow-monitor)# exporter TUT_Exporter //Must match the Exporter name above
4. Apply to an interface:
Router(config)#interface fa0/1
Router(config-if)#ip flow monitor TUT_Monitor input //Monitor the traffic received on this interface
Small note: CEF should be enabled on the NetFlow Exporter router when running NetFlow. CEF decides through which interface traffic exits the router. Any NetFlow Collector calculates the OUT traffic for an interface based on the Destination Interface value present in the NetFlow packets exported from the NetFlow Exporter. If CEF is disabled on this router, the exported NetFlow packets will have "Destination interface" set to "null", which leads the NetFlow Collector to show no OUT traffic for the interfaces.
Verification
After finishing configuration, we may need some commands to
verify and troubleshoot our NetFlow configuration. Some
popular commands used to check the NetFlow operation are
listed below:
+ show ip cache flow: displays a summary of the NetFlow accounting statistics. The output of this command has been shown above.
+ show ip flow export: displays the status and statistics for NetFlow accounting data export, including the main cache and all other enabled caches.
Router# show ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 10.1.1.1 (2055)
Exporting using source interface FastEthernet0/2
Version 5 flow records
39676332 flows exported in 1440719 udp datagrams
0 flows failed due to lack of export packet
153 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
+ “show ip flow interface”: displays the NetFlow accounting configuration on interfaces
R2# show ip flow interface
FastEthernet0/0
ip route-cache flow
+ show ip flow top-talkers: shows which end devices on your network are taking up the most bandwidth
Router# show ip flow top-talkers
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Et0/1 191.168.1.1 Local 192.168.1.254 01 0000 0000 4800
Et0/2 191.168.1.2 Local 192.168.1.254 01 0000 0000 4800
Et0/3 191.168.1.3 Local 192.168.1.254 01 0000 0000 3400

CHAPTER – Access Lists


This chapter includes the following topics:
 Introduction to Access Lists
 Standard Access Lists
 Extended Access Lists
 Access Lists -Remote Access, Switch Port, Modifying &
Helpful Hints
 Cisco Configuration Professional Initial Setup and
Access List Lab

 Access lists are essentially lists of conditions that control access. They're powerful tools that control access both to and from network segments.
 They can filter unwanted packets and be used to implement security policies.
 Access control lists (ACLs) provide a means to filter packets by allowing a user to permit or deny IP packets from crossing specified interfaces.
 To use ACLs, the system administrator must first configure ACLs and then apply them to specific interfaces.
 The IP and IPX access lists work similarly: they're both packet filters that packets are compared with, categorized by, and acted upon. Once the lists are built, they can be applied to either inbound or outbound traffic on any interface.

There are a few important rules a packet follows when it's being compared with an access list:
 It's always compared with each line of the access list in sequential order, i.e., it'll always start with line 1, then go to line 2, then line 3, and so on.
 It's compared with lines of the access list only until a match is made. Once the packet matches a line of the access list, it's acted upon, and no further comparisons take place.
 There is an implicit "deny" at the end of each access list. This means that if a packet doesn't match any line in the access list, it'll be discarded.
Each of these rules has some powerful implications when filtering IP and IPX packets with access lists.

There are 3 popular types of ACL:
 Standard ACL
 Extended ACL
 Named ACL
Standard access lists
These use only the source IP address in an IP packet to filter the network. This basically permits or denies an entire suite of protocols. IPX standard access lists can filter on both source and destination IPX address.

Extended access lists
These check for both source and destination IP address, the protocol field in the Network layer header, and the port number in the Transport layer header. IPX extended access lists use source and destination IPX addresses, Network layer protocol fields, and socket numbers in the Transport layer header.

Once you create an access list, you apply it to an interface as either an inbound or an outbound list.
Define In, Out, Inbound, Outbound, Source, and Destination
The router uses the terms in, out, source, and destination as
references. Traffic on the router can be compared to traffic on
the highway. If you were a law enforcement officer in
Pennsylvania and wanted to stop a truck going from Maryland to
New York, the source of the truck is Maryland and the
destination of the truck is New York. The roadblock could be
applied at the Pennsylvania–New York border (out) or the
Maryland–Pennsylvania border (in).
When you refer to a router, these terms have these meanings.
 Out: traffic that has already been through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.
 In: traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router.
 Inbound: if the access list is inbound, when the router receives a packet, the Cisco IOS software checks the criteria statements of the access list for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.
 Outbound: if the access list is outbound, after the software receives and routes a packet to the outbound interface, the software checks the criteria statements of the access list for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

Named access lists
Technically there really are only two types, since named access lists are either standard or extended and not actually a new type. I'm just distinguishing them because they're created and referred to differently than standard and extended access lists. But they're functionally the same.

Rules for configuring ACL
There are also some access list guidelines that should be followed when creating and implementing access lists on a router:
 You can only assign one access list per interface, per protocol, per direction. This means that if you are creating IP access lists, you can only have one inbound access list and one outbound access list per interface.
 Organize your access lists so that the more specific tests are at the top of the access list.
 Any time a new line is added to the access list, it will be placed at the bottom of the list.
 You cannot remove one line from a numbered access list. If you try to do this, you will remove the entire list. It is best to copy the access list to a text editor before trying to edit the list. The only exception is when using named access lists.
 Unless your access list ends with a permit any command, all packets will be discarded if they do not meet any of the list's tests. Every list should have at least one permit statement, or you might as well shut the interface down.
 Create access lists and then apply them to an interface. An access-group applied to an interface that references a list which does not exist will not filter any traffic.
 Access lists are designed to filter traffic going through the router. They will not filter traffic originated by the router.
 Place IP standard access lists as close to the destination as possible.
 Place IP extended access lists as close to the source as possible.
Inverse Masks or Wildcard Mask
 Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied.
 Masks used to configure IP addresses on interfaces start with 255 and have the large values on the left side, for example, IP address 209.165.202.129 with a 255.255.255.224 mask. Masks for IP ACLs are the reverse, for example, mask 0.0.0.255.
 This is sometimes called an inverse mask or a wildcard mask.
 When the value of the mask is broken down into binary (0s and 1s), the result determines which address bits are to be considered in processing the traffic.
 A "0" indicates that the address bit must be considered (exact match); a "1" in the mask is a "don't care". The table below further explains the concept.
Mask Example
network address (traffic that is to be processed): 10.1.1.0
mask: 0.0.0.255
network address (binary): 00001010.00000001.00000001.00000000
mask (binary): 00000000.00000000.00000000.11111111

Based on the binary mask, you can see that the first three sets
(octets) must match the given binary network address exactly
(00001010.00000001.00000001).
The last octet is a "don't care" (.11111111). Therefore, all traffic that begins with 10.1.1. matches, since the last octet is "don't care". With this mask, network addresses 10.1.1.1 through 10.1.1.255 (10.1.1.x) are processed.
Subtract the normal mask from 255.255.255.255 in order to
determine the ACL inverse mask. In this example, the inverse
mask is determined for network address 172.16.1.0 with a
normal mask of 255.255.255.0.
 255.255.255.255 - 255.255.255.0 (normal mask) =
0.0.0.255 (inverse mask) in ACL
Note these ACL equivalents.
 The source/source-wildcard of 0.0.0.0/255.255.255.255
means "any".
 The source/wildcard of 10.1.1.2/0.0.0.0 is the same as "host
10.1.1.2".
ACL Summarization
Note: Subnet masks can also be represented in fixed-length (prefix) notation. For example, 192.168.10.0/24 represents 192.168.10.0 255.255.255.0.
This list describes how to summarize a range of networks into a
single network for ACL optimization. Consider these networks.
192.168.32.0/24
192.168.33.0/24
192.168.34.0/24
192.168.35.0/24
192.168.36.0/24
192.168.37.0/24
192.168.38.0/24
192.168.39.0/24
The first two octets and the last octet are the same for each network. The table below explains how to summarize these into a single network.
The octet of interest is the third octet, and for the networks above it can be written as in the table, according to the bit position and the value of each bit.
Decimal 128 64 32 16 8 4 2 1
32 0 0 1 0 0 0 0 0
33 0 0 1 0 0 0 0 1
34 0 0 1 0 0 0 1 0
35 0 0 1 0 0 0 1 1
36 0 0 1 0 0 1 0 0
37 0 0 1 0 0 1 0 1
38 0 0 1 0 0 1 1 0
39 0 0 1 0 0 1 1 1
M M M M M D D D
(M = bit that matches in every network, D = bit that differs)
Since the first five bits match, the previous eight networks can be summarized into one network (192.168.32.0/21 or 192.168.32.0 255.255.248.0). All eight possible combinations of the three low-order bits are relevant for the network ranges in question. Subtracting 255.255.248.0 (normal mask) from 255.255.255.255 yields the wildcard mask 0.0.7.255. This command defines a standard ACL that permits this network (a standard access list takes no protocol keyword, so "ip" is not part of its syntax):
access-list 1 permit 192.168.32.0 0.0.7.255
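The mask arithmetic and summarization above, as an added Python example (not from the original text): it computes the inverse mask, checks an address against a network/wildcard pair the way an ACL does, and summarizes the eight networks from the table. It goes one step beyond the text by flagging when a summary also covers addresses that were not in the list, which in an ACL means permitting or denying more than intended.

```python
import ipaddress
from typing import Iterable, Tuple


def wildcard_mask(netmask: str) -> str:
    """Inverse mask: 255.255.255.255 minus the normal mask, per octet."""
    return ".".join(str(255 - int(octet)) for octet in netmask.split("."))


def acl_matches(address: str, network: str, wildcard: str) -> bool:
    """Wildcard comparison as an IOS ACL performs it: a 0 bit in the
    wildcard must match exactly, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (address, network, wildcard))
    return (a | w) == (n | w)


def summarize(networks: Iterable[str]) -> Tuple[str, str, str, bool]:
    """Return (network, netmask, wildcard, exact) for the single prefix
    covering every network given.  'exact' is False when the summary also
    covers addresses outside the input list."""
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    prefix = 32
    # shorten the prefix until lo and hi agree on every remaining bit
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    summary = ipaddress.ip_network((lo >> (32 - prefix) << (32 - prefix), prefix))
    exact = summary.num_addresses == sum(n.num_addresses for n in nets)
    netmask = str(summary.netmask)
    return str(summary.network_address), netmask, wildcard_mask(netmask), exact


def acl_entry(number: int, action: str, networks: Iterable[str]) -> str:
    """Standard access-list line covering the summarized networks."""
    net, _, wc, _ = summarize(networks)
    return f"access-list {number} {action} {net} {wc}"


# The eight networks from the table in the text
EIGHT_NETWORKS = [f"192.168.{n}.0/24" for n in range(32, 40)]


if __name__ == "__main__":
    print(summarize(EIGHT_NETWORKS))        # ('192.168.32.0', '255.255.248.0', '0.0.7.255', True)
    print(acl_entry(1, "permit", EIGHT_NETWORKS))
    # with only seven of the networks the same summary over-matches
    print(summarize(EIGHT_NETWORKS[:7]))
    print(acl_matches("192.168.39.77", "192.168.32.0", "0.0.7.255"))   # True
```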

Configuration of ACL

Standard ACL
Standard IP access lists filter the network by using the source IP address in an IP packet. You create a standard IP access list by using the access list numbers 1-99.

Configuration Syntax
access-list access-list-number {permit | deny} source {source-mask}
Apply ACL to an interface
ip access-group access-list-number {in | out}
Example of Standard IP Access List Configuration:
In this example we will define a standard access list that only allows network 10.0.0.0/8 to access the server (located on the Fa0/1 interface).
Define which source is allowed to pass:

Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255

(There is always an implicit deny of all other traffic at the end of each ACL, so we don't need to define the forbidden traffic.)

Apply this ACL to an interface:

Router(config)#interface Fa0/1
Router(config-if)#ip access-group 1 out

ACL 1 is applied to permit only packets from 10.0.0.0/8 to go out of the Fa0/1 interface while denying all other traffic. So can we apply this ACL to another interface, Fa0/2 for example? We can, but we shouldn't, because users could still reach the server from another interface (s0, for example). This is why a standard access list should be applied close to the destination.

Controlling VTY (Telnet) Access
You will have a difficult time trying to stop users from telnetting into a router, because any active port on a router is fair game for VTY access. However, you can use a standard IP access list to control access by placing the access list on the VTY lines themselves.
To perform this function:
 Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.
 Apply the access list to the VTY lines with the access-class command.
Here is an example of allowing only host 172.16.10.3 to telnet into a router:

RouterA(config)#access-list 50 permit 172.16.10.3
RouterA(config)#line vty 0 4
RouterA(config-line)#access-class 50 in

Because of the implied deny any at the end of the list, the access list stops any host except 172.16.10.3 from telnetting into the router.

Extended ACL
Extended IP access lists allow you to choose your IP source and destination address as well as the protocol and port number, which identify the upper-layer protocol or application. By using extended IP access lists, you can effectively allow users access to a physical LAN and stop them from using certain services.
Extended IP lists (100-199) check both source and destination addresses, specific UDP/TCP/IP protocols, and destination ports.
Configuration Syntax
access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]
Example of Extended IP Access List
In this example we will create an extended ACL that denies FTP traffic from network 10.0.0.0/8 but allows other traffic to go through.
Note: FTP uses TCP on ports 20 and 21.
Define which protocol, source, destination and port are denied:
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
Router(config)#access-list 101 permit ip any any
Please note: any = 0.0.0.0 255.255.255.255
Apply this ACL to an interface:
Router(config)#interface Fa0/1
Router(config-if)#ip access-group 101 out
Notice that we have to explicitly allow other traffic (access-list 101 permit ip any any), as there is an implicit "deny all" at the end of each ACL.
As we can see, the destination of the above access list is "187.100.1.6 0.0.0.0", which specifies a single host. We can use "host 187.100.1.6" instead.
In summary, below are the number ranges of standard and extended access lists:
Access list type: Range
Standard: 1-99, 1300-1999
Extended: 100-199, 2000-2699

Example#2
Extended ACL
Let's deny access to a server on the finance-department LAN (172.16.10.0) for both Telnet and FTP services on server 172.16.10.5. All other services on the LAN are acceptable for the sales and marketing departments to access.
The Telnet port number is 23.
The following access list should be created:

Acme#config t
Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 21
Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 23
Acme(config)#access-list 110 permit ip any any
Acme(config)#interface E0
Acme(config-if)#ip access-group 110 out

After the list is created, it needs to be applied to the Ethernet 0 port. This is because the other three interfaces on the router need access to the LAN. However, if this list were created only to block Sales, then we would have wanted to put this list closest to the source, on Ethernet interface 2.
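To see the sequential-match and implicit-deny rules at work on the access lists from the examples above, here is an added Python evaluator (not the original text's code and not IOS). It parses the numbered standard and extended access-list lines shown in this chapter, evaluates constructed packets top-down, and keeps the per-entry hit counters that show ip access-lists reports on a router.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "www": 80}  # IOS names (subset)
PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}         # None = any IP protocol
ANY = ("0.0.0.0", "255.255.255.255")

def _addr_spec(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _wc_match(addr: str, spec: Tuple[str, str]) -> bool:
    """Wildcard compare: bits set in the wildcard are 'don't care'."""
    net, wc = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(addr)) | wc) == (net | wc)

@dataclass
class Entry:
    action: str                 # 'permit' or 'deny'
    protocol: Optional[int]
    src: Tuple[str, str]
    dst: Tuple[str, str]
    dport: Optional[int]
    text: str
    hits: int = 0               # per-entry counter, as 'show ip access-lists' reports

    def matches(self, pkt: dict) -> bool:
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if not (_wc_match(pkt["src"], self.src) and _wc_match(pkt["dst"], self.dst)):
            return False
        return self.dport is None or pkt.get("dport") == self.dport

@dataclass
class AccessList:
    number: int
    entries: List[Entry] = field(default_factory=list)
    implicit_deny_hits: int = 0

    def evaluate(self, pkt: dict) -> str:
        """Top-down, first match wins; no match falls to the implicit deny."""
        for e in self.entries:
            if e.matches(pkt):
                e.hits += 1
                return e.action
        self.implicit_deny_hits += 1
        return "deny"

def parse_acls(config: str) -> Dict[int, AccessList]:
    """Parse numbered standard/extended access-list lines (prompts allowed)."""
    acls: Dict[int, AccessList] = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[-1].strip()        # drop 'Router(config)#'
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        number, action = int(tok[1]), tok[2]
        if 1 <= number <= 99 or 1300 <= number <= 1999:
            # standard list: source only; a bare address means one host
            if tok[3] in ("any", "host") or len(tok) > 4:
                src, _ = _addr_spec(tok, 3)
            else:
                src = (tok[3], "0.0.0.0")
            entry = Entry(action, None, src, ANY, None, line)
        else:
            # extended: protocol, source, destination, optional 'eq port'
            src, i = _addr_spec(tok, 4)
            dst, i = _addr_spec(tok, i)
            dport = None
            if i < len(tok) and tok[i] == "eq":
                dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            entry = Entry(action, PROTOCOLS[tok[3]], src, dst, dport, line)
        acls.setdefault(number, AccessList(number)).entries.append(entry)
    return acls

def hit_report(acls: Dict[int, AccessList]) -> List[str]:
    """Entries with match counts, in the spirit of 'show ip access-lists'."""
    out = []
    for acl in acls.values():
        out += [f"{e.text} ({e.hits} matches)" for e in acl.entries]
        out.append(f"access-list {acl.number} implicit deny ({acl.implicit_deny_hits} matches)")
    return out

# Constructed configuration assembled from the lists discussed in this chapter
EXAMPLE_CONFIG = """
Router(config)#access-list 1 permit 10.0.0.0 0.255.255.255
RouterA(config)#access-list 50 permit 172.16.10.3
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 21
Router(config)#access-list 101 deny tcp 10.0.0.0 0.255.255.255 187.100.1.6 0.0.0.0 eq 20
Router(config)#access-list 101 permit ip any any
Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 21
Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 23
Acme(config)#access-list 110 permit ip any any
"""
```

A packet dict carries src, dst, proto and optionally dport; for example acls[110].evaluate({"src": "172.16.40.2", "dst": "172.16.10.5", "proto": 6, "dport": 23}) returns "deny".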

Named IP Access List
This allows standard and extended ACLs to be given names instead of numbers.
Named IP Access List Configuration Syntax
ip access-list {standard | extended} {name | number}
Example of Named IP Access List
This is an example of the use of a named ACL to block all traffic except the Telnet connection from host 10.0.0.1 to host 187.100.1.6.
Define the ACL:

Router(config)#ip access-list extended in_to_out
Router(config-ext-nacl)#permit tcp host 10.0.0.1 host 187.100.1.6 eq telnet

(Notice that we can use 'telnet' instead of port 23, and that a named list is built in its own configuration sub-mode, one entry per line.)

Apply this ACL to an interface:

Router(config)#interface Fa0/0
Router(config-if)#ip access-group in_to_out in

Where to place access lists?
Standard IP access lists should be placed close to the destination. Extended IP access lists should be placed close to the source.
How many access lists can be used?
You can have one access list per protocol, per direction and per interface. For example, you cannot have two access lists in the inbound direction of the Fa0/0 interface. However, you can have one inbound and one outbound access list applied on Fa0/0.

Some additional examples:
 Block TCP packets on port 30 from any source to any destination:
Router(config)#access-list 101 deny tcp any any eq 30
 Permit any IP packets from network 192.23.130.128 with subnet mask 255.255.255.248 to any network:
Router(config)#access-list 101 permit ip 192.23.130.128 0.0.0.7 any
Apply the access control list to an interface:
Router(config)#interface fastEthernet0/0
Router(config-if)#ip access-group 101 in

Troubleshoot ACL

How do I remove an ACL from an interface?

Go into configuration mode and enter no in front of the access-group command, as shown in this example, in order to remove an ACL from an interface.
interface <interface>
no ip access-group <acl-number> in|out

What do I do when too much traffic is denied?

If too much traffic is denied, study the logic of your list or try to define and apply an additional, broader list. The show ip access-lists command provides a packet count that shows which ACL entry is hit.
The log keyword at the end of an individual ACL entry logs the ACL number and whether the packet was permitted or denied, in addition to port-specific information.
Note: The log-input keyword exists in Cisco IOS Software
Release 11.2 and later, and in certain Cisco IOS Software
Release 11.1 based software created specifically for the service
provider market. Older software does not support this keyword.
Use of this keyword includes the input interface and source
MAC address where applicable.
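As an added example (not part of the course notes), here is a small Python parser for the syslog messages that the log and log-input keywords produce for TCP/UDP entries (the %SEC-6-IPACCESSLOGP message: list number, permitted/denied, protocol, source(port), optional input interface and source MAC from log-input, destination(port) and a packet count; IOS logs the first matching packet and then periodic summaries, which is why a count can be greater than one). The log lines below are constructed samples in that format, with RFC 5737 documentation addresses; the summary groups denied packets per list and source and flags a source that was denied towards several different destination ports, which is a useful first triage view when a list is denying more than expected.

```python
import re
from collections import defaultdict

# %SEC-6-IPACCESSLOGP message as produced for tcp/udp entries; the
# "(interface mac)" group is only present when the entry uses log-input.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
Mar  1 00:01:12.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(40211) -> 198.51.100.5(23), 1 packet
Mar  1 00:01:13.220: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(40212) -> 198.51.100.5(22), 1 packet
Mar  1 00:01:15.900: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(40213) -> 198.51.100.5(3389), 1 packet
Mar  1 00:02:01.004: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.77(51000) -> 198.51.100.5(80), 1 packet
Mar  1 00:06:12.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(40214) -> 198.51.100.5(23), 12 packets
Mar  1 00:06:30.330: %SEC-6-IPACCESSLOGP: list 110 denied udp 192.0.2.55(5353) (Ethernet0 0000.0c12.3456) -> 10.1.1.9(161), 1 packet
"""


def parse_lines(text):
    """Return one dict per recognised ACL log line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        r = m.groupdict()
        r["sport"], r["dport"], r["count"] = int(r["sport"]), int(r["dport"]), int(r["count"])
        records.append(r)
    return records


def summarize_denies(records):
    """Group denied packets by (list, source): total packets and the set of destination ports."""
    summary = defaultdict(lambda: {"packets": 0, "dports": set()})
    for r in records:
        if r["action"] != "denied":
            continue
        s = summary[(r["acl"], r["src"])]
        s["packets"] += r["count"]
        s["dports"].add(r["dport"])
    return dict(summary)


def flag_sources(summary, min_ports=3):
    """Sources denied towards at least min_ports distinct destination ports."""
    return sorted(key for key, v in summary.items() if len(v["dports"]) >= min_ports)


if __name__ == "__main__":
    summary = summarize_denies(parse_lines(SAMPLE_LOG))
    for (acl, src), v in sorted(summary.items()):
        print(f"list {acl} src {src}: {v['packets']} packets denied, ports {sorted(v['dports'])}")
    print("sources to review:", flag_sources(summary))
```

Permitted packets are parsed but deliberately left out of the denied summary, so a list that is "too strict" shows up as a few sources with large counts, while a source probing many ports shows up in flag_sources regardless of its packet count.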

Monitoring IP Access Lists

It is important to be able to verify the configuration on a router. The following commands can be used to verify the configuration:

show access-list: Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.

show access-list 110: Shows only the parameters for access list 110. This command does not show you the interface the list is set on.

show ip access-list: Shows only the IP access lists configured on the router.

show ip interface: Shows which interfaces have access lists set.

show running-config: Shows the access lists and which interfaces have access lists set.

End of Chapter

Chapter – Network Address Translation (NAT)


This chapter covers the following topics
 Introduction to NAT
 Static NAT Configuration & Verification
 Dynamic NAT Configuration
 NAT Overloading or Port Address Translation (PAT)
 NAT Troubleshooting
 NAT Configuration with Cisco Configuration Professional
NAT
 Translating your private inside addresses to a global outside address is called NAT (“natting”).
 NAT allows a host that does not have a valid registered IP address to communicate with other hosts through the Internet.
 The main idea is to conserve Internet global address space, but it also increases network security by hiding internal IP addresses from external networks.
 Using Network Address Translation (NAT) we can save tons of IP addresses for later use.
 In NAT terminology, the "inside network" is the set of networks that are subject to translation. The "outside network" refers to all other addresses, usually those located on the Internet.
 A significant advantage of NAT is that it can be configured without requiring any changes to hosts or routers other than to those few routers on which NAT will be configured.
 NAT enables private IP internetworks that use nonregistered IP addresses to connect to the Internet. NAT operates on a device, usually one connecting two networks, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded onto another network.
 NAT is also used at the enterprise edge to allow internal users access to the Internet and to allow Internet access to internal devices such as mail servers.
 NAT operates on a Cisco router, generally one connecting just two networks together, and translates your private (inside local) addresses within the internal network into public (inside global) addresses before any packets are forwarded to another network.
 This functionality gives you the option to configure NAT so that it advertises only a single address for your entire network to the outside world. Doing this effectively hides the internal network from the outside world, giving you some much-needed additional security.

NAT Terminology: Inside and Outside Addresses

Inside local address: An IP address that is assigned to a host on the inside network. The address is probably not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.
Inside global address: A legitimate IP address (assigned by the NIC or service provider) that represents one or more inside local IP addresses to the outside world.
Outside local address: The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from the address space that is routable on the inside.
Outside global address: The IP address assigned to a host on the outside network by the owner of the host. The address is allocated from a globally routable address or network space.

The following process describes the inside source address translation, as shown in the figure above:
1. The user at host 10.1.1.1 opens a connection to Host B in the outside network.
2. The first packet that the device (router) receives from host 10.1.1.1 causes the device to check its Network Address Translation (NAT) table. Based on the NAT configuration, the following scenarios are possible:
 If a static translation entry is configured, the device goes to Step 3.
 If no translation entry exists, the device determines that the source address (SA) 10.1.1.1 must be translated dynamically, selects a legal, global address from the dynamic address pool, and creates a translation entry in the NAT table. This type of translation entry is called a simple entry.
3. The device replaces the inside local source address of host 10.1.1.1 with the global address of the translation entry and forwards the packet.
4. Host B receives the packet and responds to host 10.1.1.1 by using the inside global IP destination address (DA) 203.0.113.2.
5. When the device receives the packet with the inside global IP address, it performs a NAT table lookup by using the inside global address as a key. It then translates the address to the inside local address of host 10.1.1.1 and forwards the packet to host 10.1.1.1.
Host 10.1.1.1 receives the packet and continues the conversation. The device performs Steps 2 to 5 for each packet that it receives.

There are different flavors of NAT:

Static NAT: Designed to allow one-to-one mapping between local and global addresses. This flavor requires you to have one real Internet IP address for every host on your network.

Dynamic NAT: Designed to map an unregistered IP address to a registered IP address from a pool of registered IP addresses. You don’t have to statically configure your router to map an inside address to an outside address as in static NAT, but you do have to have enough real IP addresses for everyone who wants to send packets to and from the Internet.

Overloading: This is the most popular type of NAT configuration. Overloading is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different ports. Therefore, it’s also known as port address translation (PAT). By using PAT (NAT Overload), you can have thousands of users connect to the Internet using only one real global IP address. Pretty slick! NAT Overload is the reason we have not run out of valid IP addresses on the Internet.
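The following is an added example, not code from the course notes or from Cisco IOS: a Python simulation of the NAT table behaviour described in Steps 2 to 5 above, for each of the three flavors. It uses the page's host 10.1.1.1 and inside global 203.0.113.2, with the other addresses being constructed sample values from the RFC 5737 documentation ranges. The PAT port allocation is simplified (ports are handed out sequentially from 1024; a real router tries to keep the original source port when it is free). Two failure modes that the text implies are made explicit: a dynamic pool that runs out, and an unsolicited packet from the outside that matches no translation entry and is therefore dropped, which is the "hides the internal network" property mentioned earlier.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """NAT table keyed by inside local (address, port) <-> inside global (address, port).
    For static and dynamic NAT the port is None (address-only translation);
    for overload (PAT) the port is part of the key."""

    def __init__(self, mode: str, pool=(), static=None):
        assert mode in ("static", "dynamic", "overload")
        self.mode = mode
        self.pool = list(pool)            # inside global addresses still free
        self.table = {}                   # inside local key -> inside global key
        self.reverse = {}                 # inside global key -> inside local key
        self.next_port = 1024             # simplified PAT port allocation (assumption)
        for local, glob in (static or {}).items():
            # Static entries exist before any traffic flows, so inbound works first.
            self.table[(local, None)] = (glob, None)
            self.reverse[(glob, None)] = (local, None)

    def _key(self, addr: str, port: int) -> Tuple[str, Optional[int]]:
        return (addr, port) if self.mode == "overload" else (addr, None)

    def _allocate(self, sport: int):
        """Step 2: pick an inside global address (and port for PAT) for a new flow."""
        if self.mode == "static":
            return None                   # no static entry: nothing to allocate
        if self.mode == "dynamic":
            return (self.pool.pop(0), None) if self.pool else None   # None = pool exhausted
        gport, self.next_port = self.next_port, self.next_port + 1
        return (self.pool[0], gport)      # one global address, many ports

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: Steps 2 and 3."""
        key = self._key(pkt.src, pkt.sport)
        if key not in self.table:
            glob = self._allocate(pkt.sport)
            if glob is None:
                # static: no rule matches, forwarded untranslated;
                # dynamic: pool exhausted, the router drops the packet.
                return pkt if self.mode == "static" else None
            self.table[key] = glob
            self.reverse[glob] = key
        g_addr, g_port = self.table[key]
        return Packet(g_addr, g_port if g_port is not None else pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: Step 5, lookup keyed on the inside global address (and port)."""
        key = (pkt.dst, pkt.dport) if self.mode == "overload" else (pkt.dst, None)
        if key not in self.reverse:
            return None                   # no translation entry: unsolicited packet dropped
        l_addr, l_port = self.reverse[key]
        return Packet(pkt.src, pkt.sport, l_addr, l_port if l_port is not None else pkt.dport)


def demo():
    results = {}
    # Static NAT: 10.10.10.1 is always reachable from outside as 203.0.113.10.
    s = NatRouter("static", static={"10.10.10.1": "203.0.113.10"})
    r = s.inbound(Packet("198.51.100.7", 40000, "203.0.113.10", 25))
    results["static_inbound"] = (r.dst, r.dport)
    # Dynamic NAT: a two-address pool serves two hosts; the third gets nothing.
    d = NatRouter("dynamic", pool=["203.0.113.1", "203.0.113.2"])
    outs = [d.outbound(Packet(f"10.1.1.{i}", 5000 + i, "198.51.100.7", 80)) for i in (1, 2, 3)]
    results["dynamic_srcs"] = [p.src if p else None for p in outs]
    # PAT: many hosts share 203.0.113.2, told apart by the translated source port.
    o = NatRouter("overload", pool=["203.0.113.2"])
    a = o.outbound(Packet("10.1.1.1", 5000, "198.51.100.7", 80))
    b = o.outbound(Packet("10.1.1.2", 5000, "198.51.100.7", 80))
    results["pat"] = [(a.src, a.sport), (b.src, b.sport)]
    back = o.inbound(Packet("198.51.100.7", 80, "203.0.113.2", 1025))
    results["pat_reply"] = (back.dst, back.dport)
    results["unsolicited"] = o.inbound(Packet("198.51.100.9", 4444, "203.0.113.2", 2000))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```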

Configuring Static Translation of Inside Source Addresses

Configure static translation of inside source addresses to allow one-to-one mapping between an inside local address and an inside global address. Static translation is useful when a host on the inside must be accessible by a fixed address from the outside.
On Device (Router)
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat inside source static local-ip global-ip
4. interface type number
5. ip address ip-address mask [secondary]
6. ip nat inside
7. exit
8. interface type number
9. ip address ip-address mask [secondary]
10. ip nat outside
11. end

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: ip nat inside source static local-ip global-ip
Purpose: Establishes static translation between an inside local address and an inside global address.
Example:
Device(config)# ip nat inside source static 10.10.10.1 172.16.131.1

Step 4: interface type number
Purpose: Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 1

Step 5: ip address ip-address mask [secondary]
Purpose: Sets a primary IP address for an interface.
Example:
Device(config-if)# ip address 10.114.11.39 255.255.255.0

Step 6: ip nat inside
Purpose: Connects the interface to the inside network, which is subject to NAT.
Example:
Device(config-if)# ip nat inside

Step 7: exit
Purpose: Exits interface configuration mode and returns to global configuration mode.
Example:
Device(config-if)# exit

Step 8: interface type number
Purpose: Specifies a different interface and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet 0/0/0

Step 9: ip address ip-address mask [secondary]
Purpose: Sets a primary IP address for an interface.
Example:
Device(config-if)# ip address 172.31.232.182 255.255.255.240

Step 10: ip nat outside
Purpose: Connects the interface to the outside network.
Example:
Device(config-if)# ip nat outside

Step 11: end
Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Example:
Device(config-if)# end

Configuring Dynamic Translation of Inside Source Addresses

Dynamic translation establishes a mapping between an inside local address and a pool of global addresses. Dynamic translation is useful when multiple users on a private network need to access the Internet. The dynamically configured pool IP address may be used as needed and is released for use by other users when access to the Internet is no longer required.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
4. access-list access-list-number permit source [source-wildcard]
5. ip nat inside source list access-list-number pool name
6. interface type number
7. ip address ip-address mask
8. ip nat inside
9. exit
10. interface type number
11. ip address ip-address mask
12. ip nat outside
13. end

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Purpose: Defines a pool of global addresses to be allocated as needed.
Example:
Device(config)# ip nat pool net-208 172.16.233.208 172.16.233.223 prefix-length 28

Step 4: access-list access-list-number permit source [source-wildcard]
Purpose: Defines a standard access list permitting those addresses that are to be translated.
Example:
Device(config)# access-list 1 permit 192.168.34.0 0.0.0.255

Step 5: ip nat inside source list access-list-number pool name
Purpose: Establishes dynamic source translation, specifying the access list defined in Step 4.
Example:
Device(config)# ip nat inside source list 1 pool net-208

Step 6: interface type number
Purpose: Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 1

Step 7: ip address ip-address mask
Purpose: Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 10.114.11.39 255.255.255.0

Step 8: ip nat inside
Purpose: Connects the interface to the inside network, which is subject to NAT.
Example:
Device(config-if)# ip nat inside

Step 9: exit
Purpose: Exits interface configuration mode and returns to global configuration mode.
Example:
Device(config-if)# exit

Step 10: interface type number
Purpose: Specifies an interface and enters interface configuration mode.
Example:
Device(config)# interface ethernet 0

Step 11: ip address ip-address mask
Purpose: Sets a primary IP address for the interface.
Example:
Device(config-if)# ip address 172.16.232.182 255.255.255.240

Step 12: ip nat outside
Purpose: Connects the interface to the outside network.
Example:
Device(config-if)# ip nat outside

Step 13: end
Purpose: Exits interface configuration mode and returns to privileged EXEC mode.
Example:
Device(config-if)# end

Configure PAT (NAT Overload)

 Configure a standard access list to define what internal traffic will be translated
 Link the access list to the interface to be used for PAT
 Define interfaces as either inside or outside

NAT Overloading configuration commands on Router R2:

Router2(config)#ip nat pool mypool 125.125.125.1 125.125.125.5 netmask 255.255.255.0
Router2(config)#access-list 2 permit 192.168.10.0 0.0.0.255
Router2(config)#ip nat inside source list 2 pool mypool overload
OR
Router2(config)#ip nat inside source list 2 interface gi 1/0 overload
Router2(config)#interface gi 1/0
Router2(config-if)#ip nat outside
Router2(config-if)#interface gi 2/0
Router2(config-if)#ip nat inside

Troubleshooting NAT Commands
R2#show ip nat translations
If for any reason you want to clear the NAT translations (for example, before removing the NAT configuration), issue this command on router R2, which holds the NAT configuration:
R2#clear ip nat translation forced

End of Chapter

Chapter – Wide Area Networks


 Introduction to Wide-Area Networks
 Point-to-Point WANs: Layer 1
 Point-to-Point WANs: Layer 2
 PPP Concepts
 PPP Configuration
 Other WAN Technologies
 Troubleshooting Serial Links
 Frame Relay
 LMI and Encapsulation Types
 Frame Relay Congestion Control
 Frame Relay Encapsulation
 Frame Relay Addressing
 Frame-Relay Topology Approaches
 Frame Relay Configuration
WAN
 A WAN is a data communications network that covers a relatively broad geographic area and that often uses transmission facilities provided by common carriers, such as telephone companies. WAN technologies generally function at the lower three layers of the OSI reference model: the physical layer, the data link layer, and the network layer.
 The following articles provide information about the various protocols and technologies used in WAN environments:
 Frame Relay
 High-Speed Serial Interface
 Integrated Services Digital Network
 Point-to-Point Protocol (PPP)
 Switched Multimegabit Data Service
 Synchronous Data Link Control and Derivatives
 X.25
 Digital Subscriber Line (DSL)
 Cisco IOS can support many different WAN protocols that help you extend your LANs to other LANs at remote sites. Connecting company sites together so information can be exchanged is imperative in this economy.
 Service providers allow you to lease or share connections that the service provider already has installed, which can save money and time.
 WAN services help connect networks over a broad geographic distance, from a few to thousands of kilometers. LANs are used inside buildings such as a home, an office or an Internet Service Provider (ISP); WANs are often used to connect them together. By the way, the Internet is the largest WAN nowadays.
 Because of the long-distance connection, individuals usually do not own a WAN (unlike a LAN, which they often do own). They do not have the right to bury a long cable between buildings either. Therefore they hire available network service providers, such as ISPs, cable or telephone companies, in their cities instead. This greatly reduces the connection cost.
 Although we often think about serial connections over copper cables when talking about WANs, nowadays fiber optic cables play an important role in both LAN and WAN connections. Great bandwidth, great distance, very little signal loss, high speed, security and thinness are very big advantages in transmission, so they are used more and more in networking.

Defining WAN Terms

Before you order a WAN service type, it is important to understand the terms that the service providers use.

Customer premises equipment (CPE)
Equipment that is owned by the subscriber and located at the subscriber’s premises.

Demarcation (demarc)
The last point of responsibility of the service provider, usually an RJ-45 jack located close to the CPE. The CPE at this point would be a CSU/DSU or ISDN interface that plugs into the demarc.

Local loop
Connects the demarc to the closest switching office, called a central office.

Central office (CO/POP)
Connects the customers to the provider’s switching network. A CO is sometimes referred to as a point of presence (POP).

Toll network
Trunk lines inside a WAN provider’s network. It is a collection of switches and facilities.
WAN Connection Types
The figure below shows the different WAN connection types that can be used to connect your LANs together over a DCE network.

The following list explains the WAN connection types:

Leased lines
Typically referred to as a point-to-point or dedicated connection. It is a pre-established WAN communications path from the CPE, through the DCE switch, to the CPE of the remote site, allowing DTE networks to communicate at any time with no setup procedures before transmitting data. It uses synchronous serial lines up to 45Mbps.

Circuit switching
Sets up a line like a phone call. No data can transfer before the end-to-end connection is established. Uses dial-up modems and ISDN. It is used for low-bandwidth data transfers.

Packet switching
A WAN switching method that allows you to share bandwidth with other companies to save money. Think of packet-switching networks as a party line. As long as you are not constantly transmitting data and are instead using bursty data transfers, packet switching can save you a lot of money. However, if you have constant data transfers, then you will need to get a leased line. Frame Relay and X.25 are packet-switching technologies. Speeds can range from 56Kbps to 2.048Mbps.

WAN Terminology
 Router: a device that provides internetworking and WAN access interfaces that connect to the provider network.
 Data Terminal Equipment (DTE): typically, the DTE is the router (at the customer side).
 Data Communications Equipment (DCE): provides a clocking signal used to synchronize data transmission between DCE and DTE devices.
 Customer Premise Equipment (CPE): devices located at the customer side. CPE is often owned by the customer or hired from the WAN provider. In the picture below, the router, LAN switch and two computers in the house are classified as CPE.
 Demarcation Point: the physical point where the public network ends and the private network of a customer begins.
 Local loop: a cable that connects the CPE to the nearest exchange or Central Office (CO)/POP of the service provider. In other words, it is the physical link from the demarcation point to the edge of the service provider’s network.
 CSU/DSU: short for Channel Service Unit/Data Service Unit, used on digital lines such as T1, T3 or E1. A CSU/DSU provides the clocking signal to the customer equipment interface and terminates the channelized transport media of a leased line. In effect, the CSU/DSU converts one digital format to another digital format, so it terminates a digital local loop. You will rarely see a separate CSU/DSU nowadays because most T1 or E1 interfaces on current routers integrate CSU/DSU capabilities.
 Modem: short for Modulator/Demodulator, a modem is a hardware device that allows a computer to send and receive information over telephone lines by converting digital data into the analog signal used on phone lines, and vice versa. A modem terminates an analog local loop.

WAN Protocols
We will define the most prominent WAN protocols used today. These are Frame Relay, ISDN, LAPB, HDLC, and PPP. We use HDLC and PPP on leased lines, whereas Frame Relay is used on packet-switching technologies.

High-Level Data Link Control (HDLC)

 A point-to-point protocol; it is the default WAN protocol for Cisco routers and is used on leased lines.
 A connection-oriented protocol at the Data Link layer.
 HDLC is the default encapsulation used by Cisco routers over synchronous serial links.
 Cisco’s HDLC is proprietary: it won’t communicate with any other vendor’s HDLC implementation.
 HDLC was not intended to encapsulate multiple Network layer protocols across the same link. The HDLC header carries no identification of the type of protocol being carried inside the HDLC encapsulation.
HDLC Configuration
Components Used
The information in this document is based on the software and hardware versions below.
 All Cisco IOS® Software Releases
 WAN DCE cable
 WAN DTE cable
This document uses the network setup shown in the diagram below.

The default serial encapsulation on Cisco routers is Cisco HDLC, so it does not need to be explicitly configured on the router. As a result, the encapsulation type is not displayed in the configuration. With a back-to-back serial connection, the router connected to the DCE end of the cable provides the clock signal for the serial link.

The clockrate command in interface configuration mode enables the router at the DCE end of the cable (Prasit, in this example) to provide the clock signal for the serial link.
This document uses the configurations shown below.

Prasit
interface Serial0
 ip address 5.0.2.1 255.255.255.0
 clockrate 64000
 no cdp enable

Spicey
interface Serial1
 ip address 5.0.2.2 255.255.255.0
 no cdp enable

Verify
 show controllers
 ping
 show interfaces
The output shown below results when these commands are issued on the devices used in this sample configuration. The show controllers command shows that the physical layer is working and what type of cable is connected. In the output below, Prasit is connected at the DCE end and Spicey at the DTE end.
PPP
The Point-to-Point Protocol (PPP) provides a standard (non-proprietary) method for transporting multi-protocol datagrams over point-to-point links. PPP is comprised of three main components:
 A method for encapsulating multi-protocol datagrams.
 A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.
 A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols.
 LCP uses echo requests and responses to monitor the continuing availability of the link.
 PPP uses keepalives to monitor the link state, as described in the “Keepalive Timer” section.
PPP supports the following authentication protocols, which require a remote device to prove its identity before allowing data traffic to flow over a connection:
 Challenge Handshake Authentication Protocol (CHAP): CHAP authentication sends a challenge message to the remote device. The remote device encrypts the challenge value with a shared secret and returns the encrypted value and its name to the local router in a response message. The local router attempts to match the remote device’s name with an associated secret stored in the local username or remote security server database; it uses the stored secret to encrypt the original challenge and verify that the encrypted values match.
 Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): MS-CHAP is the Microsoft version of CHAP. Like the standard version of CHAP, MS-CHAP is used for PPP authentication; in this case, authentication occurs between a personal computer using Microsoft Windows and a Cisco router or access server acting as a network access server.
 Password Authentication Protocol (PAP): PAP authentication requires the remote device to send a name and a password, which are checked against a matching entry in the local username database or in the remote security server database.
Use the ppp authentication command in interface configuration mode to enable CHAP, MS-CHAP, and PAP on a serial interface.
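As an added example (not code from the course notes or from any Cisco implementation), the CHAP exchange described above in Python, following RFC 1994: the authenticator (local router) sends a Challenge with an Identifier and a fresh random value; the peer returns a Response whose value is MD5(Identifier || secret || Challenge) together with its name; the authenticator looks the name up in its username database (the role of "username RouterB password cisco" on the router), recomputes the value and answers Success or Failure. RFC 1994 specifies a one-way MD5 hash rather than encryption, so the secret never crosses the link. For contrast, pap_authenticate_request builds the RFC 1334 PAP message, which carries the password itself. Router names, secrets and the challenge sizes are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # RFC 1994 CHAP packet codes


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 2: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The local router: holds the username database and issues challenges."""

    def __init__(self, name: str, user_db: dict):
        self.name = name
        self.user_db = {user: pw.encode() for user, pw in user_db.items()}
        self.identifier = 0
        self.outstanding = None          # (identifier, challenge) awaiting a Response

    def challenge(self, challenge_bytes: Optional[bytes] = None) -> dict:
        self.identifier = (self.identifier + 1) & 0xFF
        value = challenge_bytes or secrets.token_bytes(16)   # fresh and unpredictable each time
        self.outstanding = (self.identifier, value)
        return {"code": CHALLENGE, "id": self.identifier, "value": value, "name": self.name}

    def verify(self, resp: dict) -> dict:
        if self.outstanding is None:
            return {"code": FAILURE, "id": resp["id"]}
        ident, value = self.outstanding
        secret = self.user_db.get(resp["name"])             # name -> secret lookup
        if resp["id"] != ident or secret is None:
            return {"code": FAILURE, "id": resp["id"]}
        expected = chap_response_value(ident, secret, value)
        ok = hmac.compare_digest(expected, resp["value"])   # constant-time comparison
        self.outstanding = None                              # a challenge is single-use
        return {"code": SUCCESS if ok else FAILURE, "id": ident}


class Peer:
    """The remote router proving its identity."""

    def __init__(self, name: str, secret: str):
        self.name, self.secret = name, secret.encode()

    def respond(self, chal: dict) -> dict:
        value = chap_response_value(chal["id"], self.secret, chal["value"])
        return {"code": RESPONSE, "id": chal["id"], "value": value, "name": self.name}


def run_exchange(local_secret: str, remote_secret: str) -> int:
    """Full Challenge/Response/Success-or-Failure round trip; returns the final code."""
    auth = Authenticator("RouterA", {"RouterB": local_secret})
    peer = Peer("RouterB", remote_secret)
    return auth.verify(peer.respond(auth.challenge()))["code"]


def stale_response_rejected() -> int:
    """A Response computed for an earlier challenge is useless against a new one."""
    auth = Authenticator("RouterA", {"RouterB": "cisco"})
    peer = Peer("RouterB", "cisco")
    old = peer.respond(auth.challenge())   # valid for challenge #1 only
    auth.challenge()                        # the link re-authenticates with challenge #2
    return auth.verify(old)["code"]


def pap_authenticate_request(peer_id: str, password: str, identifier: int = 1) -> bytes:
    """RFC 1334 PAP Authenticate-Request: the password travels in the clear."""
    pid, pw = peer_id.encode(), password.encode()
    length = 4 + 1 + len(pid) + 1 + len(pw)
    return struct.pack("!BBH", 1, identifier, length) + bytes([len(pid)]) + pid + bytes([len(pw)]) + pw


if __name__ == "__main__":
    print("matching secrets:", run_exchange("cisco", "cisco"))      # 3 = Success
    print("mismatched secrets:", run_exchange("cisco", "wrong"))    # 4 = Failure
    print("stale response:", stale_response_rejected())              # 4 = Failure
```

This is also why the course text stresses that the password must be identical on both routers and that the username is the remote router's hostname: the authenticator selects the secret by the name in the Response, so a wrong name or a mismatched secret both end in Failure.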
Multilink Point-to-Point Protocol (MLPPP) is supported on the Cisco 800M Series ISR serial interface. MLPPP provides a method for combining multiple physical links into one logical link.

Configuring PPP on Cisco Routers

Configuring PPP encapsulation on an interface is a fairly straightforward process. To configure it, follow these router commands:

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int s0
Router(config-if)#encapsulation ppp
Router(config-if)#^Z
Router#

Of course, PPP encapsulation must be enabled on both interfaces connected to a serial line to work, and there are several additional configuration options available by using the help command.

Configuring PPP Authentication

After you configure your serial interface to support PPP encapsulation, you can then configure authentication using PPP between routers. First set the hostname of the router if it is not already set. Then set the username and password for the remote router connecting to your router.

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname RouterA
RouterA(config)#username todd password cisco

When using the username command, remember that the username is the hostname of the remote router connecting to your router. It is case-sensitive. Also, the password on both routers must be the same. It is a plain-text password and can be seen with a show run command. You can configure the password to be encrypted by using the command service password-encryption before you set the username and password. You must have a username and password configured for each remote system you are going to connect to. The remote routers must also be configured with usernames and passwords.
After you set the hostname, usernames, and passwords, choose the authentication type, either CHAP or PAP.

RouterA#config t
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#int s0
RouterA(config-if)#ppp authentication chap pap
RouterA(config-if)#^Z

If both methods are configured on one line, as shown in the preceding configuration example, then only the first method is used during link negotiation. If the first method fails, then the second method will be used.

Verifying PPP Encapsulation

RouterA#show int s0
Serial0 is up, line protocol is up
WAN Packet Switching

A big advantage of packet switching over leased-line services is that we can connect many routers to the packet-switching service using a single serial link on each router. Each router can then communicate with all other routers. A popular type of packet-switching service that you need to grasp in CCNA is Frame Relay. Asynchronous Transfer Mode (ATM) is another type of packet-switching service, but it is out of CCNA scope and we will not discuss it here.
Frame Relay
 A digital packet-switched service that can run only across synchronous digital connections. Because digital connections have very few errors, it does not perform any error correction or flow control.
 However, Frame Relay detects errors and drops bad frames. It is up to a higher-layer protocol, such as TCP, to resend the dropped information.
 Its purpose is to allow users to communicate between two DTE devices through DCE devices.
 It operates at the Physical and Data Link layers of the OSI reference model and was originally designed for use across Integrated Services Digital Network (ISDN) interfaces. But today, Frame Relay is used over a variety of other network interfaces.
 Let’s take a simple example. Suppose you are working in a big company and your company has just expanded to two new locations. The main site is connected to two branch offices, named Branch 1 & Branch 2, and your boss wants these two branches to be able to communicate with the main site. The simplest solution is to connect them directly (called a leased line) as shown below:


 To connect to these two branches, the main site router, HeadQuarter, requires two serial interfaces, which a router can provide. But what happens when the company expands to 10 branches, or 50 branches? For each point-to-point line, HeadQuarter needs a separate physical serial interface (and maybe a separate CSU/DSU if it is not integrated into the WAN card). As you can imagine, it will need many routers with many interfaces and lots of rack space for the routers and CSU/DSUs. Maybe we should use another solution for this problem? Luckily, Frame Relay can do it!
 By using Frame Relay we only need one serial interface at the HeadQuarter to connect to all branches. This is also true when we expand to 10 or 50 branches. Moreover, the cost is much lower than using leased lines.


 Frame Relay is a high-performance WAN protocol that operates at the physical and data link layers of the OSI reference model. It offers lower-cost data transfer when compared to typical point-to-point applications, by using virtual connections within the Frame Relay network and by combining those connections into a single physical connection at each location. Frame Relay providers use a Frame Relay switch to route the data on each virtual circuit to the appropriate destination.
 These Frame Relay terms may be difficult to understand at first, so we will explain them in more detail in this article.
 In general, the routers are considered DTE, and the Frame Relay switches are DCE (DCE is also called data circuit-terminating equipment). The purpose of DCE equipment is to provide clocking and switching services in a network. In our example, HeadQuarter, Branch 1 & Branch 2 are DTEs while the Frame Relay switches are DCEs.

Virtual Circuit

 The logical connection through the Frame Relay network between two DTEs is called a virtual circuit (VC). The term “virtual” here means that the two DTEs are not connected directly but through a network. For example, the HeadQuarter & Branch 1 (or Branch 2) can communicate with each other as if they were directly connected, but in fact they are connected through a Frame Relay network with many Frame Relay switches between them.

There are two types of VCs:

1. Switched virtual circuits (SVCs): temporary connections that are only used when there is sporadic data transfer between DTE devices across the Frame Relay network. An SVC is set up dynamically when needed. SVC connections require call setup and termination for each connection.
2. Permanent virtual circuits (PVCs): a predefined VC. A PVC can be equated to a leased line in concept.

Nowadays most service providers offer PVC service only, to save the additional costs of signaling and billing procedures.

DLCI
 Although the above picture shows two VCs from the HeadQuarter, do you remember that the HeadQuarter has only one serial interface? So how can it know which branch it should send the frame to?
 Frame Relay uses data-link connection identifiers (DLCIs) to build up logical circuits. The identifiers have local meaning only, which means that their values are unique per router, but not necessarily across other routers. For example, there is only one DLCI of 23 representing the connection from HeadQuarter to Branch 1 and only one DLCI of 51 from HeadQuarter to Branch 2. Branch 1 can use the same DLCI of 23 to represent the connection from it to HeadQuarter. Of course it can use other DLCIs as well, because DLCIs are only locally significant.
 By including a DLCI number in the Frame Relay header, HeadQuarter can communicate with both Branch 1 and Branch 2 over the same physical circuit.
 DLCI values typically are assigned by the Frame Relay service provider (for example, the telephone company). In Frame Relay, DLCI is a 10-bit field.
 Before a DLCI can be used to route traffic, it must be associated with the IP address of its remote router. For example, suppose that:
 HeadQuarter’s IP address is 9.9.9.9
 Branch 1’s IP address is 1.1.1.1
 Branch 2’s IP address is 2.2.2.2
 Then the HeadQuarter will need to map Branch 1’s IP address to DLCI 23 and Branch 2’s IP address to DLCI 51. After that it can encapsulate data inside a Frame Relay frame with the appropriate DLCI number and send it to the destination. The mapping of DLCIs to Layer 3 addresses can be handled manually or dynamically.
 * Manually (static): the administrator can statically assign a DLCI to the remote IP address with the following statement:
 Router(config-if)#frame-relay map protocol protocol-address dlci [broadcast]
 For example, HeadQuarter can assign DLCIs 23 & 51 to Branch 1 & Branch 2 with these commands:
 HeadQuarter(config-if)#frame-relay map ip 1.1.1.1 23 broadcast
 HeadQuarter(config-if)#frame-relay map ip 2.2.2.2 51 broadcast
 We should use the “broadcast” keyword here because by default split horizon will prevent routing updates from being sent back out the same interface on which they were received. For example, if Branch 1 sends an update to HeadQuarter, HeadQuarter can’t send that update to Branch 2 because both are received and sent on the same interface. By using the “broadcast” keyword, we are telling the HeadQuarter to send a copy of any broadcast or multicast packet received on that interface to the virtual circuit specified by the DLCI value in the “frame-relay map” statement. In fact the copied packet is sent via unicast (not broadcast), so sometimes it is called “pseudo-broadcast”.
 Note: the “frame-relay interface-dlci” command can be used to statically assign (bind) a DLCI number to a physical interface.
 Note: in fact, we need to run a routing protocol (like OSPF, EIGRP or RIP…) to make the different networks see each other.
 * Dynamic: the router can send an Inverse ARP Request to the other end of the PVC for its Layer 3 address. In short, Inverse ARP will attempt to learn its neighboring devices’ IP addresses and automatically create a dynamic map table. By default, physical interfaces have Inverse ARP enabled.
 We will take an example of how Inverse ARP works with the topology above. At the beginning, no router is configured with static mapping and HeadQuarter has not learned the IP addresses of Branch 1 & 2 yet. It only has 2 DLCI values on its s0/0 interface (23 & 51). Now it needs to find out which routers are attached to these DLCIs, so it sends an Inverse ARP Request on the s0/0 interface. Notice that the router sends an Inverse ARP Request out on every DLCI associated with the interface.

 In the Inverse ARP Request, HeadQuarter also includes its IP 9.9.9.9. When Branch 1 & 2 receive this request, they send back an Inverse ARP Reply with their own IP addresses.
 Now all the routers have a pair of DLCI & IP address of the router at the other end, so data can be forwarded to the right destination.
 In this example you can see that each router has a DLCI first (Layer 2) and it needs to find out the IP address (Layer 3). This process is the opposite of the ARP process (ARP translates a Layer 3 address to a Layer 2 address), so it is called Inverse ARP.
 After the Inverse ARP process completes, we can use “show frame-relay map” to check. The word “dynamic” in the output indicates the mapping was learned through Inverse ARP (the output below is not related to the above topology):

 By default, routers send Inverse ARP messages on all active DLCIs every 60 seconds.
 Another thing you should notice is that when you supply a static map (via the “frame-relay map” command), Inverse ARP is automatically disabled for the specified protocol on the specified DLCI.
LMI
Local Management Interface (LMI) is a signaling standard protocol used between your router (DTE) and the first Frame Relay switch. The LMI is responsible for managing the connection and maintaining the status of your PVC.

LMI includes:
 A keepalive mechanism, which verifies that data is flowing
 A multicast mechanism, which provides the network server (router) with its local DLCI.
 A status mechanism, which provides PVC statuses on the DLCIs known to the switch
In our example, when HeadQuarter is configured with Frame Relay, it sends an LMI Status Inquiry message to the DCE. The response from the DCE might be a small Hello message or a full status report about the PVCs in use containing details of all the VCs configured (DLCI 23 & 51). By default, LMI messages are sent out every 10 seconds.
The four possible PVC states are as follows:
Active state: Indicates that the connection is active and that routers can exchange data.
Inactive state: Indicates that the local connection to the Frame Relay switch is working, but the remote router connection to the Frame Relay switch is not working.
Deleted state: Indicates that no LMI is being received from the Frame Relay switch, or that there is no service between the customer router and Frame Relay switch.
Static state: the Local Management Interface (LMI) mechanism on the interface is disabled (by using the “no keepalive” command). This status is rarely seen so it is ignored in some books.
We can use “show frame-relay lmi” to display LMI statistics of Frame Relay on enabled interfaces of the router. The output shows the LMI type used by the Frame Relay interface and the counters for the LMI status exchange sequence, including errors such as LMI timeouts.

Cisco routers support the following three LMI types:
* Cisco: LMI type defined jointly by Cisco, StrataCom, Northern Telecom (Nortel), and Digital Equipment Corporation
* ANSI: ANSI T1.617 Annex D
* Q.933A: ITU-T Q.933 Annex A
Notice that the three types of LMI are not compatible with each other, so the LMI type must match between the provider Frame Relay switch and the customer DTE device.
From Cisco IOS Release 11.2, the router attempts to automatically detect the type of LMI used by the provider switch.
Note: LMI is required for Inverse ARP to function, because the router needs to know that the PVC is up before sending out an Inverse ARP Request.
You have now learned most of what the CCNA covers about Frame Relay; some other Frame Relay characteristics you should know are mentioned below.
Other Frame Relay Characteristics:
 LMI: Cisco IOS automatically senses the LMI type by default, and this feature is referred to as LMI autosense. If you manually configure the LMI using the frame-relay lmi-type command, LMI autosense is silently disabled.
 IARP: Cisco IOS automatically discovers the next-hop IP address associated with a DLCI or VC using Inverse Address Resolution Protocol (IARP). You can also create a mapping between a DLCI and next-hop IP address manually using the frame-relay map ip command.
 Encapsulation: Cisco IOS uses Cisco encapsulation for Frame Relay, and if you are using only Cisco routers, this default setting works fine without any additional configuration.
 Frame Relay provides no error recovery mechanism. It only provides CRC error detection.
 Unlike with LANs, you cannot send a data link layer broadcast over Frame Relay. Therefore, Frame Relay networks are called nonbroadcast multiaccess (NBMA) networks.
 Depending on the bandwidth needed for each virtual connection, the customer can order a circuit with a guaranteed amount of bandwidth. This amount is the Committed Information Rate (CIR). CIR defines how much bandwidth the customer is “guaranteed” during normal network operation. Any data transmitted above this purchased rate (CIR) is available for discard by the network if the network doesn’t have available bandwidth.
 If the Frame Relay switch begins to experience congestion, it sends the upstream site (toward the source) a Backward Explicit Congestion Notification (BECN) and the downstream site (toward the destination) a Forward Explicit Congestion Notification (FECN).

There are two Frame Relay encapsulation types: the Cisco encapsulation and the IETF Frame Relay encapsulation, which is in conformance with RFC 1490 and RFC 2427. The former is often used to connect two Cisco routers while the latter is used to connect a Cisco router to a non-Cisco router.
Frame Relay does not define the way the data is transmitted within the service provider’s network once the traffic reaches the provider’s switch. So the providers can use Frame Relay, ATM or PPP… inside their networks.
Layer 2 Encapsulation Protocols
Besides Frame Relay there are other Layer 2 Encapsulation
Protocols that you can implement instead:
X.25/Link Access Procedure, Balanced (LAPB): Defines
connections between DTE and DCE for remote terminal access.
LAPB is a data link layer protocol specified by X.25.
Asynchronous Transfer Mode (ATM): International standard
for cell relay using fixed-length (53-byte) cells for multiple
service types. Fixed-length cells allow hardware processing,
which greatly reduces transit delays. ATM takes advantage of
high-speed transmission media such as E3, T3, and Synchronous
Optical Network (SONET).
www.cisco.com/c/en/us/support/docs/wan/frame-relay/16563-12.html

Configuring Basic Frame Relay

Once you have reliable connections to the local Frame Relay switch at both ends of the permanent virtual circuit (PVC), then it is time to start planning the Frame Relay configuration. In this first example, the Local Management Interface (LMI) type defaults to "cisco" LMI on Spicey. An interface is by default a "multipoint" interface, so frame-relay inverse-arp is on (for point-to-point, there is no Inverse ARP). IP split horizon checking is disabled by default for Frame Relay encapsulation, so routing updates come in and out the same interface. The routers learn the data-link connection identifiers (DLCIs) they need to use from the Frame Relay switch via LMI updates. The routers then Inverse ARP for the remote IP address and create a mapping of local DLCIs and their associated remote IP addresses.
Network Diagram

Configurations
 Router --->Spicey
 Router --->Prasit
Spicey

Spicey#show running-config
Building configuration...

Current configuration : 1705 bytes
!
version 12.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spicey
!
!
!
interface Ethernet0
 ip address 124.124.124.1 255.255.255.0
!
interface Serial0
 ip address 3.1.3.1 255.255.255.0
 encapsulation frame-relay
 frame-relay interface-dlci 140
!
!
router rip
 network 3.0.0.0
 network 124.0.0.0
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 login
!
end
Prasit

Prasit#show running-config
Building configuration...

Current configuration : 1499 bytes
!
version 12.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Prasit
!
!
!
interface Ethernet0
 ip address 123.123.123.1 255.255.255.0
!
!
interface Serial1
 ip address 3.1.3.2 255.255.255.0
 encapsulation frame-relay
 frame-relay interface-dlci 150
!
!
router rip
 network 3.0.0.0
 network 123.0.0.0
!
!
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 login
!
end
debug and show Commands
Before issuing debug commands, please see Important
Information on Debug Commands.
 show frame-relay map
 show frame-relay pvc
 show frame-relay lmi
 ping <device name>
 show ip route
Spicey
Spicey#show frame-relay map

Here is your step-by-step guide to configuring Frame Relay:

 The first step should always be to configure the physical interface to use Frame Relay encapsulation using the command encapsulation frame-relay in interface configuration mode.
 Configure an IP address on the interface or sub-interface using the good old ip address command.
 Optionally, configure the LMI type of each physical interface using the frame-relay lmi-type command.
 Optionally, change the default Frame Relay encapsulation using the command encapsulation frame-relay ietf. If you use the command on the interface (or sub-interface), it will change the encapsulation for all VCs on the interface (or sub-interface). If you want to change the encapsulation only for a specific VC, you should use the ietf keyword with the command frame-relay interface-dlci (point-to-point sub-interfaces) or frame-relay map.
 The default is to use Inverse ARP (IARP) to map the DLCI to the IP address of the next-hop router. However, you can also configure static mapping using the frame-relay map ip ip-address dlci broadcast command.
 There are two ways to associate one DLCI with a point-to-point sub-interface or multiple DLCIs with a multipoint interface. The first involves using the frame-relay interface-dlci dlci sub-interface command. The second involves using the frame-relay map ip ip-address dlci broadcast sub-interface command.

Hub and Spoke

It is also known as One Subnet per VC.
The configuration example, built on GNS3 using a frame switch and 7200 series routers, involves one subnet per virtual circuit as shown in the figure below. It is a special case of partial mesh topology. We are going to use point-to-point sub-interfaces, and DLCIs assigned manually to sub-interfaces. Even though the router can learn DLCIs through LMI messages, those DLCIs will all be assigned to the physical interface by default, rather than to a point-to-point sub-interface. However, Inverse ARP is still used to map remote IP addresses to DLCIs.

R1

interface Serial1/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
!
interface Serial1/0.200 point-to-point
 ip address 10.10.10.1 255.255.255.0
 frame-relay interface-dlci 100
!
interface Serial1/0.400 point-to-point
 ip address 30.30.30.1 255.255.255.0
 frame-relay interface-dlci 110
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.0 0.0.0.255 area 0
 network 30.30.30.0 0.0.0.255 area 0

R2
interface Serial1/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
!
interface Serial1/0.200 point-to-point
 ip address 10.10.10.2 255.255.255.0
 frame-relay interface-dlci 200
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.0 0.0.0.255 area 0

R3
interface Serial1/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
!
interface Serial1/0.100 point-to-point
 ip address 30.30.30.2 255.255.255.0
 frame-relay interface-dlci 150
!
router ospf 1
 log-adjacency-changes
 network 30.30.30.0 0.0.0.255 area 0
!
Verification
R1#sh frame-relay map
Serial1/0.200 (up): point-to-point dlci, dlci 100(0x64,0x1840), broadcast
          status defined, active
Serial1/0.400 (up): point-to-point dlci, dlci 110(0x6E,0x18E0), broadcast
          status defined, active
R2#sh frame-relay map
Serial1/0.200 (up): point-to-point dlci, dlci 200(0xC8,0x3080), broadcast
          status defined, active
R2#sh frame-relay pvc

PVC Statistics for interface Serial1/0 (Frame Relay DTE)

              Active     Inactive      Deleted       Static
  Local          1            0            0            0
  Switched       0            0            0            0
  Unused         0            0            0            0

DLCI = 200, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.200

  input pkts 278           output pkts 176          in bytes 79832
  out bytes 20214          dropped pkts 0           in pkts dropped 0
  out pkts dropped 0                out bytes dropped 0
  in FECN pkts 0           in BECN pkts 0           out FECN pkts 0
  out BECN pkts 0          in DE pkts 0             out DE pkts 0
  out bcast pkts 141       out bcast bytes 16574
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  pvc create time 05:56:12, last time pvc status changed 05:55:12
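The DLCI, FECN, BECN and DE values that this chapter describes all travel in the two-byte address field at the start of every Frame Relay frame. The following Python encoder/decoder is an added example, not code from the original text or from Cisco; its bit layout is the Q.922 two-byte address used by RFC 2427 encapsulation, and cisco_display() reproduces the hex pair such as (0x64,0x1840) that show frame-relay map prints above. All frames it processes are constructed inline.

```python
"""Encode and decode the two-byte Frame Relay address field that carries
the 10-bit DLCI and the FECN, BECN and DE congestion bits.

Constructed example; not code from the original text or from Cisco.
Bit layout (Q.922 two-byte address, as used by RFC 2427 encapsulation):
  byte 0: DLCI high 6 bits (bits 7..2), C/R (bit 1), EA = 0 (bit 0)
  byte 1: DLCI low 4 bits (bits 7..4), FECN (bit 3), BECN (bit 2),
          DE (bit 1), EA = 1 (bit 0, marks the last address byte)
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class FrAddress:
    dlci: int           # data-link connection identifier, 0..1023
    fecn: bool = False  # forward explicit congestion notification
    becn: bool = False  # backward explicit congestion notification
    de: bool = False    # discard eligible (traffic sent above the CIR)
    cr: bool = False    # command/response bit, not used by Frame Relay


def encode_address(addr: FrAddress) -> bytes:
    """Pack the fields into the two address bytes of a frame."""
    if not 0 <= addr.dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((addr.dlci >> 4) & 0x3F) << 2 | (int(addr.cr) << 1)  # EA0 = 0
    b1 = ((addr.dlci & 0x0F) << 4 | (int(addr.fecn) << 3) | (int(addr.becn) << 2)
          | (int(addr.de) << 1) | 1)                                 # EA1 = 1
    return bytes((b0, b1))


def decode_address(frame: bytes) -> FrAddress:
    """Unpack the first two bytes of a frame; reject other address sizes."""
    if len(frame) < 2:
        raise ValueError("frame too short for a two-byte address field")
    b0, b1 = frame[0], frame[1]
    if b0 & 1 or not b1 & 1:
        raise ValueError("EA bits do not describe a two-byte address field")
    return FrAddress(
        dlci=((b0 >> 2) << 4) | (b1 >> 4),
        fecn=bool(b1 & 0x08),
        becn=bool(b1 & 0x04),
        de=bool(b1 & 0x02),
        cr=bool(b0 & 0x02),
    )


def cisco_display(dlci: int) -> str:
    """The '(0x64,0x1840)' pair printed by show frame-relay map: the DLCI
    in hex, then the address field with the C/R and EA bits cleared."""
    hi = ((dlci >> 4) & 0x3F) << 2
    lo = (dlci & 0x0F) << 4
    return f"(0x{dlci:X},0x{hi:02X}{lo:02X})"


def congestion_summary(frames: list[bytes]) -> dict[str, int]:
    """Count FECN/BECN/DE-marked frames per DLCI, the way the counters in
    show frame-relay pvc summarise them; input is constructed, no I/O."""
    counts: dict[str, int] = {}
    for raw in frames:
        hdr = decode_address(raw)
        for name, flag in (("FECN", hdr.fecn), ("BECN", hdr.becn), ("DE", hdr.de)):
            if flag:
                key = f"dlci {hdr.dlci} {name}"
                counts[key] = counts.get(key, 0) + 1
    return counts
```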

Note: For full mesh and spoke-to-spoke Frame Relay, please go to the reference provided in the beginning of this article.

End of chapter


Chapter – IPv6
 IPv6 Introduction
 IPv6 Address Configuration
 OSPF Version 3
 EIGRP for IPv6
 Summary

IPV6

 An IPv6 address consists of 8 sets of 16-bit hexadecimal values separated by colons (:), totaling 128 bits in length.
 For example: 2001:0db8:1234:5678:9abc:def0:1234:5678
 Leading zeros can be omitted, and consecutive zeros in contiguous blocks can be represented by a double colon (::). Double colons can appear only once in the address.
 For example: 2001:0db8:0000:130F:0000:0000:087C:140B can be abbreviated as 2001:0db8:0:130F::87C:140B. As with the IPv4 Classless Inter-Domain Routing (CIDR) network prefix representation (such as 10.1.1.0/24), an IPv6 network prefix is represented the same way: 2001:db8:12::/64
 The Internet has been growing extremely fast, so the IPv4 addresses are quickly approaching complete depletion. Although many organizations already use Network Address Translators (NATs) to map multiple private address spaces to a single public IP address, they have to face other problems from NAT (the use of the same private address, security…). Moreover, many devices other than PCs & laptops are requiring an IP address to go to the Internet. To solve these problems in the long term, a new version of the IP protocol – version 6 (IPv6) – was created and developed.
 IPv6 was created by the Internet Engineering Task Force (IETF), a standards body, as a replacement to IPv4 in 1998. So what happened with IPv5? IP Version 5 was defined for experimental reasons and never was deployed.
 While IPv4 uses 32 bits to address the IP (provides approximately 2^32 = 4,294,967,296 unique addresses – but in fact about 3.7 billion addresses are assignable because the IPv4 addressing system separates the addresses into classes and reserves addresses for multicasting, testing, and other specific uses), IPv6 uses up to 128 bits, which provides 2^128 addresses or approximately 3.4 * 10^38 addresses. Well, maybe we should say it is extremely extremely extremely huge :)

IPv6 Address Types

Address Type: Description
Unicast: One to One (Global, Link local, Site local). An address destined for a single interface.
Multicast: One to Many. An address for a set of interfaces; delivered to a group of interfaces identified by that address. Replaces IPv4 “broadcast”.
Anycast: One to Nearest (allocated from Unicast). Delivered to the closest interface as determined by the IGP.

 A single interface may be assigned multiple IPv6 addresses of any type (unicast, anycast, multicast)
 IPv6 address format
Format:
x:x:x:x:x:x:x:x – where each x is a 16-bit hexadecimal field, represented by four hexadecimal digits.
An example of IPv6: 2001:0000:5723:0000:0000:D14E:DBCA:0764
 There are:
8 groups of 4 hexadecimal digits.
Each group represents 16 bits (4 hex digits * 4 bits)
The separator is “:”
Hex digits are not case sensitive, so “DBCA” is the same as “dbca” or “DBca”…
 An IPv6 (128-bit) address contains two parts:
1. The first 64 bits are known as the prefix. The prefix includes the network and subnet address. Because addresses are allocated based on physical location, the prefix also includes global routing information. The 64-bit prefix is often referred to as the global routing prefix.
2. The last 64 bits are the interface ID. This is the unique address assigned to an interface.
Note: Addresses are assigned to interfaces (network connections), not to the host. Each interface can have more than one IPv6 address.

Rules for abbreviating IPv6 Addresses:

1. Leading zeros in a field are optional: 2001:0DA8:E800:0000:0260:3EFF:FE47:0001 can be written as 2001:DA8:E800:0:260:3EFF:FE47:1
2. Successive fields of 0 are represented as ::, but only once in an address: 2001:0DA8:E800:0000:0000:0000:0000:0001 -> 2001:DA8:E800::1
3. Other examples:
– FF02:0:0:0:0:0:0:1 => FF02::1
– 3FFE:0501:0008:0000:0260:97FF:FE40:EFAB = 3FFE:501:8:0:260:97FF:FE40:EFAB = 3FFE:501:8::260:97FF:FE40:EFAB
– 0:0:0:0:0:0:0:1 => ::1
– 0:0:0:0:0:0:0:0 => ::

IPv6 Addressing In Use

 IPv6 uses the “/” notation to denote how many bits in the IPv6 address represent the subnet.
 The full syntax of IPv6 is ipv6-address/prefix-length, where
 ipv6-address is the 128-bit IPv6 address
 /prefix-length is a decimal value representing how many of the leftmost contiguous bits of the address comprise the prefix.
 Let’s analyze an example: 2001:C:7:ABCD::1/64 is really 2001:000C:0007:ABCD:0000:0000:0000:0001/64
+ The first 64 bits, 2001:000C:0007:ABCD, are the address prefix
+ The last 64 bits, 0000:0000:0000:0001, are the interface ID
+ /64 is the prefix length (/64 is well-known and also the prefix length in most cases)
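As an added example (not from the original text), the following Python applies the abbreviation rules above in both directions and splits an address into its prefix and interface ID. abbreviate() produces the RFC 5952 canonical form, in which a lone zero field is kept as 0 and only the longest run of two or more zero fields becomes ::, so it yields 2001:DA8:E800:0:260:3EFF:FE47:1 and not the :: variant of the 3FFE example, which expand() still accepts as input.

```python
"""Expand and abbreviate IPv6 addresses following the rules in this chapter.

Constructed example; not code from the original text. abbreviate() follows
the RFC 5952 canonical form: leading zeros are dropped and only the longest
run of two or more zero fields (the first one on a tie) becomes "::".
"""
from __future__ import annotations

import re

HEX_FIELD = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand(addr: str) -> list[int]:
    """Return the eight 16-bit fields of addr, enforcing the '::' rules."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field")
        parts = left + ["0"] * missing + right
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 fields, got {len(parts)}")
    for p in parts:
        if not HEX_FIELD.match(p):
            raise ValueError(f"bad 16-bit field {p!r}")
    return [int(p, 16) for p in parts]


def full_form(addr: str) -> str:
    """2001:C:7:ABCD::1 -> 2001:000C:0007:ABCD:0000:0000:0000:0001"""
    return ":".join(f"{f:04X}" for f in expand(addr))


def abbreviate(addr: str) -> str:
    """Shortest form: drop leading zeros, collapse the longest zero run."""
    fields = expand(addr)
    best_start, best_len = -1, 1  # a single zero field is not collapsed
    i = 0
    while i < 8:
        if fields[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexes = [f"{f:X}" for f in fields]
    if best_start < 0:
        return ":".join(hexes)
    head = ":".join(hexes[:best_start])
    tail = ":".join(hexes[best_start + best_len:])
    return f"{head}::{tail}"


def split_prefix(addr_with_len: str) -> tuple[str, int]:
    """'2001:C:7:ABCD::1/64' -> ('2001:C:7:ABCD::/64', 1): the network
    prefix with the host bits zeroed, and the interface ID as an integer."""
    addr, _, plen_text = addr_with_len.partition("/")
    plen = int(plen_text) if plen_text else 128
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    value = 0
    for f in expand(addr):
        value = (value << 16) | f
    host_mask = (1 << (128 - plen)) - 1
    network = value & ~host_mask
    net_fields = ":".join(f"{(network >> s) & 0xFFFF:X}" for s in range(112, -1, -16))
    return f"{abbreviate(net_fields)}/{plen}", value & host_mask
```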

IPv6 Address Scopes

Address types have well-defined destination scopes:

Link-local address:
+ only used for communications within the local subnetwork (automatic address configuration, neighbor discovery, router discovery, and by many routing protocols). It is only valid on the current subnet.
+ routers do not forward packets with link-local addresses.
+ allocated with the FE80::/64 prefix -> can be easily recognized by the prefix FE80. Some books indicate the range of link-local addresses is FE80::/10, meaning the first 10 bits are fixed and a link-local address can begin with FE80, FE90, FEA0 and FEB0, but in fact the next 54 bits are all 0s, so you will only see the prefix FE80 for link-local addresses.
+ same as 169.254.x.x in IPv4, it is assigned when a DHCP server is unavailable and no static addresses have been assigned
+ is usually created dynamically using a link-local prefix of FE80::/10 and a 64-bit interface identifier (based on the 48-bit MAC address).

Global unicast address:
+ unicast packets sent through the public Internet
+ globally unique throughout the Internet
+ starts with a 2000::/3 prefix (this means any address beginning with 2 or 3). But in the future global unicast addresses might not have this limitation

Site-local address:
+ allows devices in the same organization, or site, to exchange data.
+ starts with the prefix FEC0::/10. They are analogous to IPv4’s private address classes.
+ Maybe you will be surprised, because site-local addresses are no longer supported (deprecated) by RFC 3879, so maybe you will not see them in the future. Using them would also mean that NAT would be required and addresses would again not be end-to-end.

All nodes must have at least one link-local address, although each interface can have multiple addresses.
Special IPv6 Addresses

Reserved Multicast Address: Description
FF02::1: All nodes on a link (link-local scope).
FF02::2: All routers on a link
FF02::5: OSPFv3 All SPF routers
FF02::6: OSPFv3 All DR routers
FF02::9: All Routing Information Protocol (RIP) routers on a link
FF02::A: EIGRP routers
FF02::1:FFxx:xxxx: All solicited-node multicast addresses, used for host auto-configuration and neighbor discovery (similar to ARP in IPv4). The xx:xxxx is the far right 24 bits of the corresponding unicast or anycast address of the node
FF05::101: All Network Time Protocol (NTP) servers
Configuring IPv6 Addressing and Enabling IPv6 Routing

Perform this task to assign IPv6 addresses to individual device interfaces and enable IPv6 traffic forwarding globally on the device. By default, IPv6 addresses are not configured and IPv6 routing is disabled. Multiple IPv6 link-local addresses on an interface are not supported.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. Do one of the following:
 ipv6 address ipv6-prefix/prefix-length eui-64
 ipv6 address ipv6-address/prefix-length link-local
 ipv6 enable
5. exit
6. ipv6 unicast-routing

DETAILED STEPS

Step 1: enable
 Example: Device> enable
 Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
 Example: Device# configure terminal
 Purpose: Enters global configuration mode.

Step 3: interface type number
 Example: Device(config)# interface gigabitethernet 0/0/0
 Purpose: Specifies an interface type and number, and places the device in interface configuration mode.

Step 4: Do one of the following:
  ipv6 address ipv6-prefix/prefix-length eui-64
  ipv6 address ipv6-address/prefix-length link-local
  ipv6 enable
 Examples:
 Device(config-if)# ipv6 address 2001:DB8:0:1::/64 eui-64
 Device(config-if)# ipv6 address FE80::260:3EFF:FE11:6770 link-local
 Device(config-if)# ipv6 enable
 Purpose: Specifies an IPv6 network assigned to the interface and enables IPv6 processing on the interface; or specifies an IPv6 address assigned to the interface and enables IPv6 processing on the interface; or automatically configures an IPv6 link-local address on the interface while also enabling the interface for IPv6 processing. The link-local address can be used only to communicate with nodes on the same link.
  Specifying the ipv6 address eui-64 command configures global IPv6 addresses with an interface identifier (ID) in the low-order 64 bits of the IPv6 address. Only the 64-bit network prefix for the address needs to be specified; the last 64 bits are automatically computed from the interface ID.
  Specifying the ipv6 address link-local command configures a link-local address on the interface that is used instead of the link-local address that is automatically configured when IPv6 is enabled on the interface.

Step 5: exit
 Example: Device(config-if)# exit
 Purpose: Exits interface configuration mode, and returns the device to global configuration mode.

Step 6: ipv6 unicast-routing
 Example: Device(config)# ipv6 unicast-routing
 Purpose: Enables the forwarding of IPv6 unicast datagrams.
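As an added example (not from the original text or from Cisco IOS), the following Python derives what the eui-64 keyword and the automatic link-local address compute from a 48-bit MAC, and the FF02::1:FFxx:xxxx solicited-node group from the Special IPv6 Addresses table above. The MAC 00:60:3E:11:67:70 is a constructed input, chosen because it produces the FE80::260:3EFF:FE11:6770 address used in Step 4.

```python
"""Derive the addresses this chapter describes from a 48-bit MAC address:
the modified EUI-64 interface ID (what the eui-64 keyword computes), the
FE80::/64 link-local address, a global address under a /64 prefix, and the
FF02::1:FFxx:xxxx solicited-node multicast group.

Constructed example; not code from the original text or from Cisco IOS.
"""
from __future__ import annotations

import ipaddress
import re

# Accepts 00:60:3e:11:67:70, 00-60-3e-11-67-70 and Cisco's 0060.3e11.6770
MAC_RE = re.compile(r"^" + r"([0-9a-fA-F]{2})[:.-]?" * 5 + r"([0-9a-fA-F]{2})$")


def mac_to_eui64(mac: str) -> bytes:
    """RFC 4291 Appendix A: insert FF:FE in the middle of the MAC and flip
    the universal/local bit (bit 1 of the first octet). Returns 8 bytes."""
    m = MAC_RE.match(mac)
    if not m:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes(int(h, 16) for h in m.groups())
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def interface_id_text(mac: str) -> str:
    """Interface ID as four hex fields, e.g. 0260:3eff:fe11:6770."""
    eui = mac_to_eui64(mac)
    return ":".join(f"{int.from_bytes(eui[i:i + 2], 'big'):04x}" for i in range(0, 8, 2))


def link_local(mac: str) -> ipaddress.IPv6Address:
    """The automatic link-local address: FE80::/64 plus the EUI-64 ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + mac_to_eui64(mac))


def global_eui64(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """What 'ipv6 address <prefix>/64 eui-64' produces: the /64 network
    prefix in the high 64 bits and the EUI-64 ID in the low 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("eui-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64(mac))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast
    or anycast address (RFC 4291 section 2.7.1)."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    # ff02:0000:0000:0000:0000:0001:ff00:0000 with the low 3 bytes filled in
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)
```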
 

OSPFv3 Routing

OSPFv3 uses link-local IPv6 addresses for neighbor discovery and other features. The router ID and area ID are 32-bit numbers with no relationship to IPv6 addresses. The OSPFv3 adjacencies are formed over link-local IPv6 communications. It runs per-link rather than per-subnet.
Steps
 Complete the OSPFv3 network strategy and planning for your IPv6 network. For example, you must decide whether multiple areas are required.
 Enable IPv6 unicast routing.
 Enable IPv6 on the interface.

SUMMARY STEPS
1. configure terminal
2. interface interface-type slot/port
3. ipv6 address ipv6-prefix/length
4. ipv6 router ospfv3 instance-tag area area-id [secondaries none]
5. (Optional) show ipv6 ospfv3 instance-tag interface interface-type slot/port
6. (Optional) copy running-config startup-config

Example
Let's see an example of OSPFv3 configured on GNS3.
Figure 14.1

R1
interface Loopback0
 no ip address
 ipv6 address 2002:1:1::1/128
 ipv6 enable
 ipv6 ospf 1 area 0
!
interface Serial1/0
 no ip address
 ipv6 address FE80::2 link-local
 ipv6 enable
 ipv6 ospf 1 area 0
 clock rate 64000
!
ipv6 router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
end

R2
interface Loopback0
 no ip address
 ipv6 address 2002:2:2::2/128
 ipv6 enable
 ipv6 ospf 1 area 0
!
interface Serial1/0
 no ip address
 ipv6 address FE80::1 link-local
 ipv6 enable
 ipv6 ospf 1 area 0
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/1
 no ip address
 ipv6 address FE80::3 link-local
 ipv6 ospf 1 area 0
 serial restart-delay 0
 clock rate 64000
!
!
ipv6 router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
!

R3
interface Loopback0
 no ip address
 ipv6 address 2002:3:3::3/128
 ipv6 enable
 ipv6 ospf 1 area 0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 no ip address
 ipv6 address FE80::4 link-local
 ipv6 enable
 ipv6 ospf 1 area 0
 serial restart-delay 0
!
ipv6 router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
Verification

R1#sh ipv route

IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - Neighbor Discovery
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
LC  2002:1:1::1/128 [0/0]
     via Loopback0, receive
O   2002:2:2::2/128 [110/64]
     via FE80::1, Serial1/0
O   2002:3:3::3/128 [110/128]
     via FE80::1, Serial1/0
L   FF00::/8 [0/0]
     via Null0, receive

EIGRP for IPv6

Restrictions
The configuration of EIGRP for IPv6 has some restrictions, which are:
 The interfaces can be directly configured with EIGRP for IPv6, without the use of a global IPv6 address. There is no network statement in EIGRP for IPv6.
 The router ID needs to be configured for an EIGRPv6 protocol instance before it can run.
 EIGRP for IPv6 has a shutdown feature. Ensure that the routing process is in "no shut" mode in order to run the protocol.
NOTE: the example and diagram 14.1 above are used to configure EIGRP for IPv6.
R1
interface Loopback0
 no ip address
 ipv6 address 2002:1:1::1/128
 ipv6 enable
 ipv6 eigrp 1
!
interface Serial1/0
 no ip address
 ipv6 address 2003:1:1::1/64
 ipv6 enable
 ipv6 eigrp 1
 serial restart-delay 0
 clock rate 64000
!
ipv6 router eigrp 1
 eigrp router-id 1.1.1.1
 no shutdown

R2
interface Loopback0
 no ip address
 ipv6 address 2002:2:2::2/128
 ipv6 enable
 ipv6 eigrp 1
!
interface Serial1/0
 no ip address
 ipv6 address 2003:1:1::2/64
 ipv6 enable
 ipv6 eigrp 1
!
interface Serial1/1
 no ip address
 ipv6 address 2005:1:1::3/64
 ipv6 enable
 ipv6 eigrp 1
!
ipv6 router eigrp 1
 eigrp router-id 2.2.2.2
 no shutdown
!
end

R3
interface Loopback0
 no ip address
 ipv6 address 2002:3:3::3/128
 ipv6 enable
 ipv6 eigrp 1
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 no ip address
 ipv6 address 2005:1:1::4/64
 ipv6 enable
 ipv6 eigrp 1
 serial restart-delay 0
 clock rate 64000
!
ipv6 router eigrp 1
 eigrp router-id 3.3.3.3
 no shutdown
!
end
RIP for IPv6 (RIPng)
 IPv6 RIP functions the same and offers the same benefits as RIP in IPv4. RIP enhancements for IPv6, detailed in RFC 2080, include support for IPv6 addresses and prefixes, and the use of the all-RIP-devices multicast group address FF02::9 as the destination address for RIP update messages.
 RIP for IPv6 is also commonly referred to as RIPng.
 In the Cisco software implementation of IPv6 RIP, each IPv6 RIP process maintains a local routing table, referred to as a Routing Information Database (RIB). The IPv6 RIP RIB contains a set of best-cost IPv6 RIP routes learned from all its neighboring networking devices. If IPv6 RIP learns the same route from two different neighbors, but with different costs, it will store only the lowest cost route in the local RIB.
Configuration
Using diagram and topology 14.1

R1
interface Loopback0
 no ip address
 ipv6 address 2002:1:1::1/128
 ipv6 enable
 ipv6 rip comnetss enable
!
interface Serial1/0
 no ip address
 ipv6 address 2003:1:1::1/64
 ipv6 enable
 ipv6 rip comnetss enable
 serial restart-delay 0
 clock rate 64000
!
ipv6 router rip comnetss
!
end

R2
interface Loopback0
 no ip address
 ipv6 address 2002:2:2::2/128
 ipv6 enable
 ipv6 rip comnetss enable
!
interface Serial1/0
 no ip address
 ipv6 address 2003:1:1::2/64
 ipv6 enable
 ipv6 rip comnetss enable
 serial restart-delay 0
 clock rate 64000
!
interface Serial1/1
 no ip address
 ipv6 address 2005:1:1::3/64
 ipv6 enable
 ipv6 rip comnetss enable
 serial restart-delay 0
 clock rate 64000
!
!
ipv6 router rip comnetss
end

R3
interface Loopback0
 no ip address
 ipv6 address 2002:3:3::3/128
 ipv6 enable
 ipv6 rip comnetss enable
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 no ip address
 ipv6 address 2005:1:1::4/64
 ipv6 enable
 ipv6 rip comnetss enable
 serial restart-delay 0
 clock rate 64000
!
ipv6 router rip comnetss
!
end

Verification

R1#sh ipv route
IPv6 Routing Table - default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
ND - Neighbor Discovery
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
LC 2002:1:1::1/128 [0/0]
via Loopback0, receive
R 2002:2:2::2/128 [120/2]
via FE80::C801:35FF:FEDC:0, Serial1/0
R 2002:3:3::3/128 [120/3]
via FE80::C801:35FF:FEDC:0, Serial1/0
C 2003:1:1::/64 [0/0]
via Serial1/0, directly connected
L 2003:1:1::1/128 [0/0]
via Serial1/0, receive
R 2005:1:1::/64 [120/2]
via FE80::C801:35FF:FEDC:0, Serial1/0
L FF00::/8 [0/0]
via Null0, receive

R1#sh ipv rip database
RIP process "comnetss", local RIB
2002:2:2::2/128, metric 2, installed
Serial1/0/FE80::C801:35FF:FEDC:0, expires in 160 secs
2002:3:3::3/128, metric 3, installed
Serial1/0/FE80::C801:35FF:FEDC:0, expires in 160 secs
2003:1:1::/64, metric 2
Serial1/0/FE80::C801:35FF:FEDC:0, expires in 160 secs
2005:1:1::/64, metric 2, installed
Serial1/0/FE80::C801:35FF:FEDC:0, expires in 160 secs

End of chapter

Chapter 12 – Virtual Private Networks


 VPN Concepts
 Types of VPN
 Encryption
 IPsec VPNs
 SSL VPNs & Tunneling Protocols
 GRE Tunnels
 VPN Summary

Background information
 Many companies have facilities spread out across the country, or even around the world. But there is one thing that all companies need: a way to maintain fast, secure, and reliable communications wherever their offices are located.
 Until recently, reliable communication has meant the use of leased lines to maintain a wide-area network (WAN). Leased lines, ranging from Integrated Services Digital Network (ISDN, which runs at 144 Kbps) to Optical Carrier-3 (OC3, which runs at 155 Mbps) fiber, provide a company with a way to expand its private network beyond its immediate geographic area.
 A WAN has obvious advantages over a public network like the Internet when it comes to reliability, performance, and security; but maintaining a WAN, particularly when using leased lines, can become quite expensive (the cost often rises as the distance between the offices increases).
 Additionally, leased lines are not a viable solution for organizations where part of the work force is highly mobile (as is the case with the marketing staff) and might frequently need to connect to the corporate network remotely and access sensitive data.
 As the popularity of the Internet has grown, businesses have turned to it as a means of extending their own networks. First came intranets, which are sites designed for use only by company employees. Now, many companies create their own Virtual Private Networks (VPNs) to accommodate the needs of remote employees and distant offices.
 A typical VPN might have a main local-area network (LAN) at the corporate headquarters of a company, other LANs at remote offices or facilities, and individual users that connect from out in the field.
Virtual Private Network (VPN)
A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection, such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.
Types of VPN
There are two common types of VPNs.
 Remote-Access—Also called a Virtual Private Dial-up Network (VPDN), this is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large remote-access VPN provides some form of Internet dial-up account to its users using an Internet service provider (ISP). The telecommuters can then dial a 1-800 number to reach the Internet and use their VPN client software to access the corporate network.
 A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.
 Site-to-Site—Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Each site needs only a local connection to the same public network, thereby saving money on long private leased lines.
 Site-to-site VPNs can be further categorized into intranets or extranets. A site-to-site VPN built between offices of the same company is said to be an intranet VPN, while a VPN built to connect the company to its partner or customer is referred to as an extranet VPN.
 For site-to-site VPNs, the encapsulating protocol is usually IPsec or Generic Routing Encapsulation (GRE). GRE includes information on what type of packet you are encapsulating and information about the connection between the client and server.

VPN Technologies
A well-designed VPN uses several methods in order to keep your connection and data secure.
 Data Confidentiality—This is perhaps the most important service provided by any VPN implementation. Since your private data travels over a public network, data confidentiality is vital and is attained by encrypting the data into a form that only the intended peer can decode and no one else.
Most VPNs use one of these protocols to provide encryption.
1. IPsec (Internet Protocol Security)—IPsec is a network layer security protocol.
 It is an Internet Engineering Task Force (IETF) standard.
 IPsec is a framework of open standards to ensure private, secure communications over IP networks through the use of cryptographic security services.
 It has become the most common network layer security control, typically used to create a virtual private network (VPN).
 For remote-access VPN users, some form of third-party software package provides the connection and encryption on the user's PC. IPsec supports either 56-bit (single DES) or 168-bit (triple-DES) encryption.
 Services provided by IPsec:
– Authentication: to verify the sources of IP packets
– Anti-replay: to prevent replaying of old packets
– Data integrity / data encryption: to protect the integrity and/or confidentiality of packets
– Access control: prevention of unauthorized use of a resource
 It supports authentication and encryption of traffic.
 It consists of three protocols:
i. Authentication Header (AH): authenticates the origin of the IP packet and ensures its integrity.
– Detects message replays using a sliding window; a 32-bit sequence number is used to counter replay attacks.
– Uses integrity check algorithms.
ii. Encapsulating Security Payload (ESP): encrypts and/or authenticates IP packets. Unlike AH, ESP also provides data confidentiality. It uses symmetric-key encryption algorithms such as DES, Triple-DES, AES, etc. to encrypt packets.
iii. Internet Key Exchange (IKE): establishes the secret keys for the sender and the receiver.
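The sliding-window replay check that the AH item above describes (ESP applies the same 32-bit sequence-number check), as an added Python example that is not part of the course text or of any vendor's implementation. The window size of 64 and the sample sequence numbers are constructed for illustration.

```python
"""IPsec anti-replay sliding window: the 32-bit sequence-number check that AH
(and ESP) receivers apply to every packet of an inbound security association.

Added example, not from the course text or any vendor implementation.
The window size (64, a common default) and the sample sequence numbers
are constructed for illustration.
"""


class AntiReplayWindow:
    """Receiver-side replay protection for one inbound SA.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has already been received.
    """
    MAX_SEQ = 0xFFFFFFFF  # 32-bit sequence number field

    def __init__(self, size=64):
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.rejected = 0  # counter a monitoring system would export

    def check_and_update(self, seq):
        """Return True and record seq if the packet is fresh, otherwise False.

        Call this only after the packet's integrity check has passed: updating
        the window on an unauthenticated packet would let a forger poison it.
        """
        if seq == 0 or seq > self.MAX_SEQ:
            self.rejected += 1
            return False  # 0 is never a valid sequence number
        if seq > self.top:
            shift = seq - self.top
            # slide the window forward; bits that fall off the left edge are forgotten
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        behind = self.top - seq
        if behind >= self.size:
            self.rejected += 1
            return False  # older than the window: cannot be verified, drop
        if self.bitmap & (1 << behind):
            self.rejected += 1
            return False  # already seen: replay
        self.bitmap |= 1 << behind
        return True

    def needs_rekey(self):
        """The counter must never wrap; a new SA is required before that."""
        return self.top == self.MAX_SEQ


def evaluate(seqs, size=64):
    """Run a constructed sequence of packet numbers through one window."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    sample = [1, 2, 3, 2, 100, 37, 36, 1]
    for seq, ok in zip(sample, evaluate(sample)):
        print(f"seq {seq:3d}: {'accept' if ok else 'drop'}")
```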
IPsec Architecture:
 IPsec provides security in three situations: host-to-host, host-to-gateway and gateway-to-gateway.
 IPsec operates in two modes:
i. Transport mode (for end-to-end)
ii. Tunnel mode (for VPN)
Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload.
 Security association (SA): An SA is a relationship between two or more entities that describes how the entities will use security services to communicate securely. Related structures:
– Security parameter index (SPI)
– Security policy database (SPD)
– SA database (SAD)

2. PPTP/MPPE—PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend, and ECI Telematics. PPTP supports multi-protocol VPNs, with 40-bit and 128-bit encryption using a protocol called Microsoft Point-to-Point Encryption (MPPE). It is important to note that PPTP by itself does not provide data encryption.
3. L2TP/IPsec—Commonly called L2TP over IPsec
o For remote-access VPNs, tunneling normally takes place using Point-to-Point Protocol (PPP). Part of the TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the network between the host computer and a remote system. PPP tunneling will use one of PPTP, L2TP or Cisco's Layer 2 Forwarding (L2F).
o This provides the security of the IPsec protocol over the tunneling of Layer 2 Tunneling Protocol (L2TP).
o L2TP is the product of a partnership between the members of the PPTP Forum, Cisco, and the Internet Engineering Task Force (IETF).
o Primarily used for remote-access VPNs with Windows 2000 operating systems, since Windows 2000 provides a native IPsec and L2TP client.
o Internet Service Providers can also provide L2TP connections for dial-in users, and then encrypt that traffic with IPsec between their access point and the remote office network server.

 Data Integrity—While it is important that your data is encrypted over a public network, it is just as important to verify that it has not been changed while in transit.
o For example, IPsec has a mechanism to ensure that the encrypted portion of the packet, or the entire header and data portion of the packet, has not been tampered with. If tampering is detected, the packet is dropped. Data integrity can also involve authenticating the remote peer.
 Data Origin Authentication—It is extremely important to verify the identity of the source of the data that is sent. This is necessary to guard against a number of attacks that depend on spoofing the identity of the sender.
 Anti-Replay—This is the ability to detect and reject replayed packets, and it helps prevent spoofing.
 Data Tunneling/Traffic Flow Confidentiality—Tunneling is the process of encapsulating an entire packet within another packet and sending it over a network. Data tunneling is helpful in cases where it is desirable to hide the identity of the device originating the traffic. For example, a single device that uses IPsec encapsulates traffic that belongs to a number of hosts behind it and adds its own header on top of the existing packets. By encrypting the original packet and header (and routing the packet based on the additional layer 3 header added on top), the tunneling device effectively hides the actual source of the packet. Only the trusted peer is able to determine the true source, after it strips away the additional
All the encryption protocols listed here also use tunneling as a means to transfer the encrypted data across the public network. It is important to realize that tunneling, by itself, does not provide data security. The original packet is merely encapsulated inside another protocol and might still be visible with a packet-capture device if not encrypted. It is mentioned here, however, since it is an integral part of how VPNs function.
Tunneling requires three different protocols.
o Passenger protocol—The original data (IPX, NetBEUI, IP) that is carried.
o Encapsulating protocol—The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the original data.
o Carrier protocol—The protocol used by the network over which the information is traveling.
The original packet (passenger protocol) is encapsulated inside the encapsulating protocol, which is then put inside the carrier protocol's header (usually IP) for transmission over the public network. Note that the encapsulating protocol also quite often carries out the encryption of the data. Protocols such as IPX and NetBEUI, which would normally not be transferred across the Internet, can safely and securely be
 AAA—Authentication, authorization, and accounting is used for more secure access in a remote-access VPN environment. Without user authentication, anyone who sits at a laptop/PC with pre-configured VPN client software can establish a secure connection into the remote network. With user authentication, however, a valid username and password also have to be entered before the connection is completed. Usernames and passwords can be stored on the VPN termination device itself, or on an external AAA server, which can provide authentication against numerous other databases such as Windows NT, Novell, LDAP, and so on.
When a request to establish a tunnel comes in from a dial-up client, the VPN device prompts for a username and password. This can then be authenticated locally or sent to the external AAA server, which checks:
o Who you are (Authentication)
o What you are allowed to do (Authorization)
o What you actually do (Accounting)
The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.
A number of protocols exist that can be used to build a VPN solution. All of these protocols provide some subset of the services listed in this document. The choice of a protocol depends on the desired set of services.
For example, an organization might be comfortable with the data being transferred in clear text but extremely concerned about maintaining its integrity, while another organization might find maintaining data confidentiality absolutely essential. Their choice of protocols might thus be different. For more information on the protocols available and their relative strengths
Example IPsec: Site-to-site Configuration between Two Cisco Routers
Reference:
http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html
 IPsec by itself does not support multicast/broadcast traffic. The solution to this problem is a GRE VPN (GRE over IPsec).
Summary steps: There are five steps to configure an IPsec VPN.
1. IPsec phase 1: configure the ISAKMP policy
2. IPsec phase 2: configure the IPsec transform set
3. Extended ACL to select the interesting VPN traffic to encrypt
4. Create the crypto map (sequence)
5. Apply the crypto map to the outgoing interface of the router.

In this section, you are presented with the information to configure the features described in this document.
Network Diagram
This document uses this network setup:
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet.
Configurations
This document uses these configurations:
 Router A
 Router B
Router A

RouterA#show running-config
Building configuration...

Current configuration : 1132 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R9
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the L2L tunnels.
crypto isakmp policy 10
hash md5
authentication pre-share
!--- Specify the pre-shared key and the remote peer address
!--- to match for the L2L tunnel.
crypto isakmp key vpnuser address 10.0.0.2
!
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
!--- Create the actual crypto map: the peer IP address, the transform
!--- set, and an access control list (ACL) for the split tunneling.
crypto map mymap 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set myset
match address 100
!
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
half-duplex
!
!--- Apply the crypto map on the outside interface.
interface Serial2/0
ip address 172.16.1.1 255.255.255.0
crypto map mymap
!
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
!--- Create an ACL for the traffic to
!--- be encrypted. In this example,
!--- the traffic from 10.1.1.0/24 to 172.16.2.0/24
!--- is encrypted. The traffic which does not match
!--- is unencrypted for the Internet.
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
Router B

RouterB#show running-config
Building configuration...

Current configuration : 835 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
ip subnet-zero
!
!--- Create an ISAKMP policy for Phase 1
!--- negotiations for the L2L tunnels.
crypto isakmp policy 10
hash md5
authentication pre-share
!--- Specify the pre-shared key and the remote peer address
!--- to match for the L2L tunnel.
crypto isakmp key vpnuser address 172.16.1.1
!
!--- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
!--- Create the actual crypto map: the peer IP address, the transform
!--- set, and an ACL for the split tunneling.
crypto map mymap 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set myset
match address 100
!
interface Ethernet0
ip address 172.16.2.1 255.255.255.0
!
!--- Apply the crypto map on the outside interface.
interface Ethernet1
ip address 10.0.0.2 255.255.255.0
crypto map mymap
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
!
!--- Create an ACL for the traffic to
!--- be encrypted. In this example,
!--- the traffic from 172.16.2.0/24 to 10.1.1.0/24
!--- is encrypted. The traffic which does not match
!--- is unencrypted for the Internet.
access-list 100 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
!
end
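A configuration audit for the five-step site-to-site setup above, as an added Python example (not Cisco tooling and not part of the course). It parses the crypto statements out of IOS running-config text, reports the algorithm choices in the Router A / Router B listings that are weak by current standards (single DES, MD5, and the DES that IOS assumes when an ISAKMP policy names no encryption), and checks that the two peers' crypto ACLs mirror each other and that each crypto map peer matches its pre-shared-key address. The config excerpts at the bottom are constructed from the two listings.

```python
"""Audit helper for the site-to-site IPsec configuration above.

Added example (not Cisco tooling, not part of the course): it pulls the crypto
statements out of IOS running-config text, flags algorithm choices that are weak
by current standards, and checks that the two peers agree with each other.
The excerpts at the bottom are constructed from the Router A / Router B listings.
"""
import re

# algorithms still seen in older IOS examples that should no longer be used
WEAK = {"des": "56-bit DES", "3des": "168-bit 3DES", "md5": "MD5",
        "esp-des": "56-bit DES", "esp-3des": "168-bit 3DES", "esp-md5-hmac": "HMAC-MD5"}
ISAKMP_SUB = {"encryption", "hash", "authentication", "group", "lifetime"}

def parse_crypto(config):
    """Collect ISAKMP policy, pre-shared-key peer, transform set, crypto map and ACLs."""
    info = {"isakmp": {}, "key_peer": None, "transform": [], "peer": None,
            "acl": None, "acl_lines": []}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        word = line.split()[0]
        if section == "isakmp" and word in ISAKMP_SUB:
            key, value = line.split(None, 1)
            info["isakmp"][key] = value
            continue
        if section == "map" and word in ("set", "match"):
            if line.startswith("set peer "):
                info["peer"] = line.split()[2]
            elif line.startswith("match address "):
                info["acl"] = line.split()[2]
            continue
        section = None  # any other statement ends the sub-mode
        if line.startswith("crypto isakmp policy "):
            section = "isakmp"
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", line):
            section = "map"
        elif (m := re.match(r"crypto isakmp key \S+ address (\S+)", line)):
            info["key_peer"] = m.group(1)
        elif (m := re.match(r"crypto ipsec transform-set \S+ (.+)", line)):
            info["transform"] = m.group(1).split()
        elif (m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)$", line)):
            info["acl_lines"].append((m.group(1), m.group(2), m.group(3)))
    return info

def audit(config):
    """Return (parsed info, findings) for one router."""
    info, findings = parse_crypto(config), []
    policy = info["isakmp"]
    enc = policy.get("encryption", "des")  # IOS falls back to DES when none is set
    if enc in WEAK:
        findings.append(f"ISAKMP encryption {WEAK[enc]} is weak; use aes 256")
    if policy.get("hash", "sha") in WEAK:
        findings.append("ISAKMP hash MD5 is weak; use sha256 or stronger")
    for alg in info["transform"]:
        if alg in WEAK:
            findings.append(f"transform set uses {WEAK[alg]}; prefer esp-aes 256 esp-sha256-hmac")
    if info["peer"] != info["key_peer"]:
        findings.append("crypto map peer and isakmp key address differ; Phase 1 cannot succeed")
    return info, findings

def acls_mirror(a, b):
    """Each peer's crypto ACL must be the mirror image of the other's."""
    la = sorted((s, d) for n, s, d in a["acl_lines"] if n == a["acl"])
    lb = sorted((d, s) for n, s, d in b["acl_lines"] if n == b["acl"])
    return bool(la) and la == lb

ROUTER_A = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key vpnuser address 10.0.0.2
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set myset
 match address 100
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
"""
ROUTER_B = ROUTER_A.replace("10.0.0.2", "172.16.1.1").replace(
    "10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255", "172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255")
```

Running `audit(ROUTER_A)` yields four findings for the listing above (default DES and MD5 in the ISAKMP policy, DES and HMAC-MD5 in the transform set), and `acls_mirror` confirms that access-list 100 on the two routers is symmetric.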

Verify
This section provides information you can use to confirm your configuration is working properly.
 show crypto ipsec sa - Shows the settings used by current Security Associations (SAs).
RouterA#show crypto ipsec sa

Generic Routing Encapsulation (GRE Tunneling)

Ref:
http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html
Introduction
This document illustrates a basic Cisco IOS® Firewall configuration with Network Address Translation (NAT). This configuration allows traffic to be initiated from inside the 10.1.1.x and 172.16.1.x networks to the Internet and NATed along the way. A generic routing encapsulation (GRE) tunnel is added to tunnel IP and IPX traffic between two private networks. When a packet arrives at the outbound interface of the router and it is sent down the tunnel, it is first encapsulated using GRE and then encrypted with IPsec. In other words, any traffic permitted to enter the GRE tunnel is also encrypted by IPsec.
Note: GRE can be configured on Cisco IOS security routers and Catalyst 6500/7600 devices in hub-and-spoke, point-to-point, and full mesh VPN topologies.
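The passenger / encapsulating / carrier layering from the VPN Technologies section and the GRE encapsulation step described in this introduction, as an added Python example that is not part of the course text or of the Cisco document. GRE (RFC 2784) is the encapsulating protocol and IPv4 is both passenger and carrier; the carrier addresses are the daphne/fred tunnel endpoints from the configuration below, and the passenger packet and payload are constructed. The last function shows the page's caveat: without IPsec, a capture on the carrier network still reveals the passenger's own addresses.

```python
"""Tunnelling as passenger / encapsulating / carrier protocol, with GRE
(RFC 2784) as the encapsulating protocol and IPv4 as both passenger and carrier.

Added example, not part of the course text. The carrier addresses are the
daphne/fred tunnel endpoints from the configuration below; the passenger
packet and its payload are constructed.
"""
import ipaddress
import struct

IPPROTO_GRE = 47         # carrier IPv4 protocol number for GRE
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 passenger
GRE_CSUM_FLAG = 0x8000   # C bit: a checksum/reserved word follows the header


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(passenger, carrier_src, carrier_dst):
    """Wrap a passenger packet: carrier IPv4 header | GRE header | passenger."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S bits, version 0
    return ipv4_packet(carrier_src, carrier_dst, IPPROTO_GRE, gre + passenger)


def gre_decapsulate(packet):
    """Strip the carrier and GRE headers; return (carrier_src, carrier_dst, passenger)."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 carrier packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not GRE, or carrier header checksum is bad")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007 or proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE version or passenger protocol")
    gre_len = 8 if flags & GRE_CSUM_FLAG else 4
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[ihl + gre_len:]


def passenger_addresses_on_the_wire(packet):
    """What a capture on the carrier network reveals when GRE is used without
    IPsec: the passenger's own source and destination, in clear text."""
    _, _, inner = gre_decapsulate(packet)
    return str(ipaddress.IPv4Address(inner[12:16])), str(ipaddress.IPv4Address(inner[16:20]))


def daphne_to_fred():
    """A host behind daphne (10.0.0.0/24) sending to a host behind fred (172.16.1.0/24)."""
    passenger = ipv4_packet("10.0.0.5", "172.16.1.7", IPPROTO_UDP, b"constructed payload")
    return gre_encapsulate(passenger, "192.168.1.1", "192.168.2.2")


if __name__ == "__main__":
    wire = daphne_to_fred()
    print("carrier:", gre_decapsulate(wire)[:2], "passenger:", passenger_addresses_on_the_wire(wire))
```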
Advantages of IPsec Tunneling with GRE
The main advantages of IPsec tunneling with GRE are the following:
 GRE uses a static IP interface or a dynamic routing protocol (EIGRP, OSPF, etc.) by which every IPsec peer knows the status of every other peer at all times.
 GRE provides higher resiliency than IKE keepalive.
 Spoke-to-spoke connectivity is supported when you use GRE.
 GRE supports multicast and broadcast transmissions.

Components Used
The information in this document is based on these software and hardware versions:
 Cisco IOS Software Release 12.2(21a) and 12.3(5a)
 Cisco 3725 and 3640
Background Information
The tips in this section help you to implement the configuration:
 Implement NAT on both routers to test the Internet connectivity.
 Add GRE to the configuration and test. Non-encrypted traffic should flow between the private networks.
 Add IPsec to the configuration and test. The traffic between the private networks should be encrypted.
 Add the Cisco IOS Firewall to the external interfaces, the outbound inspect list and inbound access list, and test.
 If you use a Cisco IOS Software release earlier than 12.1.4, you need to permit IP traffic between 172.16.1.x and 10.0.0.0 in access list 103.
Network Diagram
This document uses this network setup.

Configurations
This document uses these configurations.
 Daphne Configuration
 Fred Configuration

Daphne Configuration

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname daphne
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$r2sh$XKZR118vcId11ZGzhbz5C/
!
no aaa new-model
ip subnet-zero
!
!--- This is the Cisco IOS Firewall configuration and what to inspect.
!--- This is applied outbound on the external interface.
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw ftp
ip inspect name myfw realaudio
ip inspect name myfw smtp
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw tftp
ip inspect name myfw rcmd
ip inspect name myfw http
ip telnet source-interface FastEthernet0/0
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!--- This is the IPsec configuration.
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ciscokey address 192.168.2.2
!
crypto ipsec transform-set to_fred esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer 192.168.2.2
set transform-set to_fred
match address 101
!
!--- This is one end of the GRE tunnel.
!
interface Tunnel0
ip address 192.168.3.1 255.255.255.0
!--- Associate the tunnel with the physical interface.
tunnel source FastEthernet0/1
tunnel destination 192.168.2.2
!
!--- This is the internal network.
interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.0
ip nat inside
speed 100
full-duplex
!
!--- This is the external interface and one end of the GRE tunnel.
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip access-group 103 in
ip nat outside
ip inspect myfw out
speed 100
full-duplex
crypto map myvpn
!
!--- Define the NAT pool.
ip nat pool ourpool 192.168.1.10 192.168.1.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool ourpool overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!--- Force the private network traffic into the tunnel.
ip route 172.16.1.0 255.255.255.0 192.168.3.2
ip http server
no ip http secure-server
!
!--- All traffic that enters the GRE tunnel is encrypted by IPsec.
!--- Other ACE statements are not necessary.
access-list 101 permit gre host 192.168.1.1 host 192.168.2.2
!--- Access list for security reasons. Allow
!--- IPsec and GRE traffic between the private networks.
access-list 103 permit gre host 192.168.2.2 host 192.168.1.1
access-list 103 permit esp host 192.168.2.2 host 192.168.1.1
access-list 103 permit udp host 192.168.2.2 eq isakmp host 192.168.1.1
access-list 103 deny ip any any log
!--- See the Background Information section if you use
!--- a Cisco IOS Software release earlier than 12.1.4 for access list 103.
access-list 175 deny ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 175 permit ip 10.0.0.0 0.0.0.255 any
!--- Use the access list in the route-map to address what to NAT.
route-map nonat permit 10
match ip address 175
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password ww
login
!
end

Fred Configuration

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname fred
!
enable secret 5 $1$AtxD$MycLGaJvF/tAIFXkikCes1
!
ip subnet-zero
!
ip telnet source-interface FastEthernet0/0
!
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw ftp
ip inspect name myfw realaudio
ip inspect name myfw smtp
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw tftp
ip inspect name myfw rcmd
ip inspect name myfw http
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ciscokey address 192.168.1.1
!
crypto ipsec transform-set to_daphne esp-des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set to_daphne
match address 101
!
call rsvp-sync
!
interface Tunnel0
ip address 192.168.3.2 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 192.168.1.1
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
ip nat inside
speed 100
full-duplex
!
interface Serial0/0
no ip address
clockrate 2000000
!
interface FastEthernet0/1
ip address 192.168.2.2 255.255.255.0
ip access-group 103 in
ip nat outside
ip inspect myfw out
speed 100
full-duplex
crypto map myvpn
!
!--- Output is suppressed.
!
ip nat pool ourpool 192.168.2.10 192.168.2.20 netmask 255.255.255.0
ip nat inside source route-map nonat pool ourpool overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 10.0.0.0 255.255.255.0 192.168.3.1
ip http server
!
access-list 101 permit gre host 192.168.2.2 host 192.168.1.1
access-list 103 permit gre host 192.168.1.1 host 192.168.2.2
access-list 103 permit udp host 192.168.1.1 eq isakmp host 192.168.2.2
access-list 103 permit esp host 192.168.1.1 host 192.168.2.2
access-list 175 deny ip 172.16.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 175 permit ip 172.16.1.0 0.0.0.255 any
route-map nonat permit 10
match ip address 175
!
dial-peer cor custom
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password ww
login
!
end
Verify
Use this section to confirm that your configuration works properly.
Try to ping a host in the remote subnet (10.0.0.x) from a host in the 172.16.1.x network in order to check the VPN configuration. This traffic should go through the GRE tunnel and be encrypted.
Use the show crypto ipsec sa command to verify that the IPsec tunnel is up. First check that the SPI numbers are different from 0. You should also see an increase in the pkts encrypt and pkts decrypt counters.
 show crypto ipsec sa—Verifies that the IPsec tunnel is up.
 show access-lists 103—Verifies that the Cisco IOS Firewall configuration works correctly.
 show ip nat translations—Verifies that NAT works properly.
Note: Please note also that I have not configured any security protection on the GRE tunnel. If you want, you can configure IPsec on top of GRE in order to encrypt all data passing through the GRE tunnel.
Example 2:
Another good example of GRE tunneling is available at the link below.
http://www.slideshare.net/NetworksTraining/configuring-gre-tunnel-through-a-cisco-asa-firewall

End of chapter
Chapter------Network Security
 Network Security
 Cisco Firewalls
 Layer 2 Security
 AAA Security Services
 Secure Device Management
 Secure Communications
