


INT506: Network Administration

Homework Title/No: 4 Course Code: INT-506

Course Instructor: Anshu chopra Course Tutor(if applicable):

Date of Allotment: 2-4-2011 Date of submission: 22-4-11

Student’s Roll No: 45 Section No: C27T1

Declaration :

I declare that this assignment is my individual work. I have not copied from any other
student’s work or from any other source except where due acknowledgement is made
explicitly in the text, nor has any part been written for me by another person.

Student’s Signature : Amrit

Evaluator’s comments :


Marks obtained :______________________ out of _________________________

Part A

Q1. Show with the help of an example, how VLAN helps in adding extra functionalities
to any network.

Ans.1 A virtual local area network (virtual LAN or VLAN) is a group of hosts with a
common set of requirements that communicate as if they were attached to the same broadcast
domain, regardless of their physical location. A VLAN has the same attributes as a physical
local area network (LAN), but it allows end stations to be grouped together even if they
are not connected to the same network switch. VLAN membership is configured in software
instead of by physically relocating devices or cables.

Example: one 24-port switch serves a floor shared by accounting and engineering staff.
Ports 1-12 are placed in VLAN 10 (accounting) and ports 13-24 in VLAN 20 (engineering). A
broadcast or ARP request from an accounting PC is flooded only to the other VLAN 10 ports;
the engineering PCs never see it, and the two groups can reach each other only through a
router (or Layer 3 switch), where an access list can control what is allowed to cross. When
an accountant moves to a desk cabled to port 15, the administrator changes that one port to
VLAN 10 instead of re-cabling. The VLAN therefore adds segmentation, broadcast containment
and a policy enforcement point that a flat LAN does not have.

To replicate the functions of a VLAN physically, it would be necessary to install a separate,
parallel collection of network cables and equipment kept apart from the primary network.
Unlike physically separate networks, however, VLANs share bandwidth: two VLANs carried over
a single one-gigabit trunk can both suffer reduced throughput and congestion. A VLAN-aware
switch implements the behaviour by assigning each access port to a VLAN, tagging frames
(IEEE 802.1Q) when they enter a trunk, looking up the MAC table per VLAN to switch or flood
frames, and removing the tag when a frame leaves on an access port.
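As an added worked example (not part of the original assignment), the following Python model shows the switch behaviour just described: access ports Fa0/1 and Fa0/3 in VLAN 10, Fa0/2 in VLAN 20, and a trunk Gi0/1 carrying both. Port names, MAC addresses and VLAN numbers are made up for the illustration.

```python
"""Toy VLAN-aware switch (added example, not from the assignment): an access port tags
untagged frames with its VLAN on ingress, a trunk port carries 802.1Q-tagged frames for
several VLANs, the MAC table is learned per VLAN, and a frame is flooded only to ports
in its own VLAN, so two VLANs on one switch never see each other's traffic."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    dst: str
    src: str
    vlan: Optional[int] = None        # None = untagged; otherwise the 802.1Q VID


@dataclass
class Port:
    name: str
    mode: str                         # "access" or "trunk"
    vlan: int = 1                     # access VLAN (PVID) for access ports
    allowed: frozenset = frozenset()  # VLANs allowed on a trunk


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}           # (vlan, mac) -> port name

    @staticmethod
    def ingress_vlan(port, frame):
        """Classify an arriving frame into a VLAN, or None if it must be dropped."""
        if port.mode == "access":
            return port.vlan if frame.vlan is None else None   # tagged on access: dropped here
        return frame.vlan if frame.vlan in port.allowed else None

    @staticmethod
    def carries(port, vlan):
        return port.vlan == vlan if port.mode == "access" else vlan in port.allowed

    @staticmethod
    def egress(port, vlan, frame):
        """Untag when leaving on an access port; keep the tag on a trunk."""
        return Frame(frame.dst, frame.src, None if port.mode == "access" else vlan)

    def forward(self, in_name, frame):
        """Return {out_port_name: frame_as_transmitted} for one received frame."""
        in_port = self.ports[in_name]
        vlan = self.ingress_vlan(in_port, frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame.src)] = in_name          # learn the source per VLAN
        known = self.mac_table.get((vlan, frame.dst))
        if known == in_name:
            return {}                                          # destination is behind the same port
        targets = [known] if known else [n for n in self.ports if n != in_name]
        return {n: self.egress(self.ports[n], vlan, frame)
                for n in targets if self.carries(self.ports[n], vlan)}


def demo():
    sw = Switch([
        Port("Fa0/1", "access", vlan=10),
        Port("Fa0/2", "access", vlan=20),
        Port("Fa0/3", "access", vlan=10),
        Port("Gi0/1", "trunk", allowed=frozenset({10, 20})),
    ])
    a, b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"             # constructed MAC addresses
    flood = sw.forward("Fa0/1", Frame(dst=b, src=a))            # unknown dst: flood within VLAN 10
    reply = sw.forward("Gi0/1", Frame(dst=a, src=b, vlan=10))   # tagged reply over the trunk
    bad = sw.forward("Gi0/1", Frame(dst=a, src=b, vlan=30))     # VLAN 30 not allowed: dropped
    return flood, reply, bad
```

Running demo() shows the frame from Fa0/1 flooded only to Fa0/3 (untagged) and Gi0/1 (tagged with VID 10), never to the VLAN 20 port; the reply learned over the trunk is switched to Fa0/1 alone; and a frame arriving on the trunk with a VLAN that is not allowed is dropped rather than classified.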

Q2. Quote the benefits of a Dynamic VLAN in contrast to a Static VLAN. How is the
Dynamic VLAN configured?

Ans.2 Static versus Dynamic VLAN

In a static VLAN the administrator assigns each switch port to a VLAN by hand, and whatever
host is plugged into that port lands in that VLAN. In a dynamic VLAN the hardware (MAC)
addresses of all hosts are placed in a database, and the switch queries it whenever a host is
plugged in, so the port is put into the VLAN associated with that host.

Benefits over a static VLAN:

• A host keeps its VLAN wherever it is plugged in, so moves need no per-port changes.
• Membership is managed centrally in one database rather than port by port on every switch.
• A host whose MAC address is not in the database can be refused a VLAN, which gives some
control over unknown devices.

Configuration (Cisco): the MAC-to-VLAN database is loaded on a VLAN Membership Policy Server
(VMPS); each switch is pointed at that server (vmps server <address>), and the ports that
should be assigned automatically are configured as dynamic access ports (switchport access
vlan dynamic). Note that the assignment trusts the source MAC address, which a host can
change at will, so a dynamic VLAN is an administrative convenience rather than an
authentication control.

Q3. Write about the VTP and the various modes of operation of VTP

Ans.3 VLAN Trunking Protocol (VTP) is a Cisco proprietary Layer 2 messaging protocol
that manages the addition, deletion and renaming of VLANs on a network-wide basis. It
reduces administration in a switched network: when a new VLAN is configured on one VTP
server, the VLAN is distributed to all switches in the VTP domain over trunk links, so the
same VLAN does not have to be configured everywhere by hand.

VTP operates in one of three modes:

• Server – In this VTP mode you can create, remove and modify VLANs. You can also set
other configuration options such as the VTP version and turn VTP pruning on or off for the
entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the
same VTP domain and synchronize their VLAN configuration with other switches based on
messages received over trunk links. Server is the default mode. The VLAN information is
stored in the switch's VLAN database and is not lost after a reboot.
• Client – VTP clients behave the same way as VTP servers, but you cannot create, change
or delete VLANs on the local device. Remember that even in client mode a switch stores the
last known VTP information, including the configuration revision number, and does not start
with a clean slate when it powers up. Because every switch in a domain accepts the
advertisement carrying the highest revision number, a reused switch that still holds the
domain name and a higher revision can replace the VLAN database of the whole domain when it
is connected to a trunk.
• Transparent – When you set the VTP mode to transparent, the switch does not participate
in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not
synchronize its VLAN configuration based on received messages. VLANs can be created, changed
or deleted locally in transparent mode. In VTP version 2, transparent switches do forward
the VTP messages they receive out of their trunk ports.
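The revision-number behaviour is easier to see in a small model. The following Python code is an added example, not part of the assignment and not Cisco software; the domain name CORP, the switch names and the stale revision number 7 are invented for the scenario, and VTP version 2 is assumed for the transparent switch.

```python
"""Simplified model of VTP synchronisation (added example, not from the assignment):
a switch in server or client mode adopts an advertised VLAN database whenever the
advertisement carries a higher configuration revision number than its own, while a
transparent switch keeps its own database and (VTPv2) only relays advertisements.
The scenario shows why a client does not start with a clean slate: a switch that kept
a stale, higher revision number overwrites the whole domain when it is plugged in."""
from dataclasses import dataclass, field


@dataclass
class Advert:
    domain: str
    revision: int
    vlans: dict


@dataclass
class VtpSwitch:
    name: str
    mode: str                               # "server", "client" or "transparent"
    domain: str
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def configure_vlan(self, vid, vname):
        """Local VLAN change: allowed on servers and transparent switches only."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLANs cannot be changed in client mode")
        self.vlans[vid] = vname
        if self.mode == "server":
            self.revision += 1              # every server-side change bumps the revision

    def advertise(self):
        """Servers and clients advertise; transparent switches never originate."""
        if self.mode == "transparent":
            return None
        return Advert(self.domain, self.revision, dict(self.vlans))

    def receive(self, adv, version=2):
        """Return 'adopted', 'ignored' or 'relayed' for an advertisement heard on a trunk."""
        if self.mode == "transparent":
            return "relayed" if version == 2 else "ignored"
        if adv.domain != self.domain or adv.revision <= self.revision:
            return "ignored"
        self.vlans, self.revision = dict(adv.vlans), adv.revision
        return "adopted"


def propagate(switches, source):
    """One round of advertisement from `source` to every other switch in the list."""
    adv = source.advertise()
    return {s.name: s.receive(adv) for s in switches if s is not source and adv}


def demo():
    s1 = VtpSwitch("S1", "server", "CORP")
    c1 = VtpSwitch("C1", "client", "CORP")
    t1 = VtpSwitch("T1", "transparent", "CORP")
    s1.configure_vlan(10, "users")
    s1.configure_vlan(20, "servers")                     # S1 is now at revision 2
    first = propagate([s1, c1, t1], s1)                  # C1 adopts VLANs 10/20, T1 relays
    # Constructed scenario: a spare lab switch still in domain CORP, last seen at
    # revision 7 with only VLAN 99, is set to client mode and plugged into a trunk.
    stale = VtpSwitch("Lab", "client", "CORP", revision=7, vlans={1: "default", 99: "lab"})
    second = propagate([s1, c1, t1, stale], stale)       # everyone adopts revision 7
    return first, second, sorted(s1.vlans), sorted(c1.vlans), sorted(t1.vlans)
```

After the second round the server and the client have lost VLANs 10 and 20 and carry only the lab switch's VLAN 99, even though the newcomer is a client and cannot create VLANs itself; only the transparent switch still has its own database. Resetting the revision number (for example by changing the domain name and back, or setting transparent mode) before connecting a reused switch is the practical countermeasure.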

Part B

Q4. Discuss the use of frame relay switch .

Ans.4 In a Cisco lab the frame relay switch is not a switch at all; it is a Cisco router.
Almost any Cisco router can serve as the frame switch, but it needs several serial
interfaces to be effective in this role, one for each router it connects.

The frame relay switch plays the role of the frame relay provider in the lab. In essence,
you have a one-switch frame relay cloud, which gives you the opportunity to practice frame
relay scenarios without access to a real carrier network.

Q5. Mention the various types of access list and when should an inbound access list be
applied and when should we use outbound? Quote Examples

Ans.5 Basically there are two major types of access lists.

Standard access list

It provides basic filtering on the router: a standard IP access list matches only on the
source address of a packet. If you just want to stop selected hosts or networks and there
is no further complexity, a standard access list is enough.

Extended access list

It allows filtering on several parameters: an extended IP access list can match on source
address, destination address, protocol type and port numbers. If you need to block specific
activities of specific hosts, you use an extended access list.

Access lists are also identified numerically, and the number tells the router which type
the list is: 1 to 99 (and 1300 to 1999) are standard IP access lists, 100 to 199 (and 2000
to 2699) are extended IP access lists. Whatever the type, the entries are processed top down,
the first matching entry decides, and every list ends with an implicit deny.

Inbound ACLs
Inbound means inbound TO THE INTERFACE of the router. The router checks the packet against
the entries top down to decide whether it should be dropped or forwarded. Some processing
clearly takes place here, but no routing lookup is spent on packets that are dropped.
You use an inbound ACL to filter packets as they enter the network at this device. A good
example is the WAN edge to the Internet, where you want to block traffic that should never
arrive from outside (packets with private source address ranges, loopback addresses and
other illegal or unexpected source IP addresses) and filter by protocol, for example
blocking the ICMP echo (ping) probes that would-be attackers use to map your network.

Outbound ACLs
These are OUTBOUND from the router interface, leaving this network area. As far as I am
aware they do not process packets originating on that router (such as routing updates, where
you would need an inbound ACL on the destination to deny/permit). Packets that come into
that router and then attempt to leave through the interface with the ACL applied outbound
are inspected and either permitted or denied. A simple example is to deny users access to
file sharing sites or messaging services by blocking the relevant port numbers outbound
while permitting everything else.
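To make the standard/extended distinction and the inbound/outbound discussion concrete, here is an added Python example (not part of the original assignment) that parses numbered access-list lines in Cisco syntax and evaluates constructed packets against them. The list numbers, addresses and ports are made up: 101 and 102 follow the web-browsing policy worked through in Q6, 110 is an inbound anti-spoofing list of the kind described above, and 10 is a standard list that blocks one host.

```python
"""Toy evaluator for numbered Cisco-style access lists (added example, not the
assignment's own configuration). Standard lists (1-99) filter on source only, extended
lists (100-199) on protocol, source, destination and port; entries are tested top down,
the first match wins, and anything unmatched hits the implicit deny at the end of the
list. 'established' is modelled as IOS defines it: TCP with the ACK or RST bit set."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"               # "tcp", "udp", "icmp" or "ip"
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN", "ACK"}


def addr_match(addr: str, spec: str) -> bool:
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (address plus wildcard mask)."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    base, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = 0xFFFFFFFF ^ wild        # wildcard bit 0 = must match, 1 = don't care
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dport: int | None = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (addr_match(p.src, self.src) and addr_match(p.dst, self.dst)):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.flags & {"ACK", "RST"}):
            return False
        return True


def _take_addr(tok):
    return ("any", tok[1:]) if tok[0] == "any" else (" ".join(tok[:2]), tok[2:])


def parse(lines):
    """Group 'access-list N ...' lines into {N: [Entry, ...]}, keeping their order."""
    acls = {}
    for line in lines:
        tok = line.split()
        num, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= num <= 99:                      # standard: source address only
            src, _ = _take_addr(rest)
            e = Entry(action, "ip", src, "any")
        elif 100 <= num <= 199:                 # extended: proto src dst [eq port] [established]
            proto, rest = rest[0], rest[1:]
            src, rest = _take_addr(rest)
            dst, rest = _take_addr(rest)
            e = Entry(action, proto, src, dst,
                      dport=int(rest[rest.index("eq") + 1]) if "eq" in rest else None,
                      established="established" in rest)
        else:
            raise ValueError(f"unsupported list number {num}")
        acls.setdefault(num, []).append(e)
    return acls


def evaluate(acl, p: Packet) -> str:
    for e in acl:                   # top down, first match wins
        if e.matches(p):
            return e.action
    return "deny"                   # implicit deny at the end of every list


# Constructed lists: 101 applied outbound (web only), 102 inbound (replies only),
# 110 inbound anti-spoofing at the WAN edge, 10 a standard list blocking one host.
RULES = parse([
    "access-list 101 permit tcp any any eq 80",
    "access-list 102 permit tcp any any established",
    "access-list 110 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 110 permit ip any any",
    "access-list 10 deny host 192.168.1.50",
    "access-list 10 permit any",
])


def demo():
    """Verdicts for constructed packets (192.168.1.0/24 inside, TEST-NET addresses outside)."""
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    inside, web, attacker = "192.168.1.10", "198.51.100.5", "203.0.113.7"
    return {
        "web out":       evaluate(RULES[101], Packet(inside, web, "tcp", 80, syn)),
        "ftp out":       evaluate(RULES[101], Packet(inside, web, "tcp", 21, syn)),
        "web reply in":  evaluate(RULES[102], Packet(web, inside, "tcp", 40000, synack)),
        "new ssh in":    evaluate(RULES[102], Packet(attacker, inside, "tcp", 22, syn)),
        "forged ack in": evaluate(RULES[102], Packet(attacker, inside, "tcp", 22, ack)),
        "spoofed src":   evaluate(RULES[110], Packet("10.9.8.7", inside)),
        "std blocked":   evaluate(RULES[10], Packet("192.168.1.50", "192.168.1.1")),
    }
```

Note what the established entry in list 102 actually checks: only that the segment is TCP with ACK or RST set. The forged ACK-only segment to port 22 is permitted, because a stateless access list cannot know whether a connection exists; that is the gap a stateful inspection feature or a firewall closes. Also, a web-only outbound list like 101 blocks DNS (UDP port 53), so browsing works only if name resolution stays inside the network or a matching permit is added.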

Q6. Take a suitable scenario and illustrate the concept of extended Access List.

Ans.6 Extended IP Access Lists

Extended ACLs allow you to permit or deny traffic from specific source IP addresses to a
specific destination IP address and port. They also let you specify the type of traffic,
such as ICMP, TCP or UDP. Needless to say, they are very granular and allow you to be very
specific. If you intend to build a packet-filtering firewall on the router to protect your
network, it is an extended ACL that you will need to create.

Typically you allow outgoing traffic and only the incoming traffic that was initiated from
inside. In other words, you want your users to be able to connect to web servers on the
Internet for browsing, but you do not want anyone on the Internet to be able to connect to
your machines. This requires two ACLs. One limits the users on the company network to web
browsing only (so it blocks outgoing FTP, e-mail, Kazaa, Napster, online gaming, etc.). The
other access list only allows incoming traffic from the Internet that belongs to a
connection initiated from a machine on the inside. This is called an established connection.
Let's see what the access lists look like for starters

internal network:

access-list 101 - Applied to traffic leaving the office (outgoing)

access-list 102 - Applied to traffic entering the office (incoming)

ACL 101
access-list 101 permit tcp any any eq 80

ACL 102
access-list 102 permit tcp any any established

ACL 101

As you can see, ACL 101 permits TCP traffic from any source address on the network to any
destination address, with the limitation that the destination port must be 80 (the
well-known port for HTTP); everything else is dropped by the implicit deny at the end of the
list. This is still only half of the solution. With this list alone you have limited your
users to nothing more on the Internet than browsing from website to website, but you have
taken no action on the incoming traffic. The Internet still has full access to all your IPs
and all your ports. This leaves you vulnerable.
ACL 102
Since you only want your users to be able to browse the Internet, you must block all
incoming traffic except for the established connections in which the websites are replying
to a computer on your network. Doing this is impossible unless you use the 'established'