Cisco Certified Network Associate (CCNA) Exam Code No: 640-802

Chapters: Routing Protocol, Static Routing, Default Routing, Dynamic Routing, RIP, RIPv2, IGRP, EIGRP, OSPF, Frame-Relay, Managing Traffic with Access-list, NAT and PAT, PAP and CHAP, Switch, VPN, Layers, IP Addresses, Wireless

Routing Basics

What is Routing?
• The term "routing" is used for taking a packet from one device and sending it through the network to another device on a different network.
• Routers don't really care about hosts; they only care about networks and the best path to each network. Routers route traffic to all the networks in your internetwork.

To be able to route packets, a router must know, at a minimum, the following:
• Destination address
• Neighbor routers from which it can learn about remote networks
• Possible routes to all remote networks
• The best route to each remote network
• How to maintain and verify routing information

Routing Example:

Figure (routing example; only the diagram labels survive): router interfaces F0/0 192.168.10.1 and F0/0 192.168.20.1, hosts 192.168.10.2 and 192.168.20.2, and a link labelled Internet.

Routing is taking place from Host_A to Host_B through the Lab_A Router. To be able to route, the router must know how to get into the network 172.16.20.0.

ROUTING TYPES
1. Static Routing
2. Default Routing
3. Dynamic Routing

1. Static Routing
Static routing occurs when you manually add routes in each router's routing table. By default, static routes have an Administrative Distance (AD) of 1.

Features
• There is no overhead on the router CPU.
• There is no bandwidth usage between routers.
• It adds security, because the administrator can choose to allow routing access to certain networks only.

Configuration of Static Routing
  Router(config)#ip route Destination_network Mask Next-Hop_Address
  (or)
  Router(config)#ip route Destination_network Mask Exit_interface

ip route: The command used to create the static route.
destination_network: The network you're placing in the routing table.
mask: The subnet mask being used on the network.
next-hop_address: The address of the next-hop router.
exit_interface: You can use it in place of the next-hop address.
administrative_distance: By default, static routes have an administrative distance of 1.

Figure (static routing topology): three routers connected over serial links (S0/0, S0/1) with a FastEthernet LAN (F0/0) at each end; each serial link has a DTE end and a DCE end.

DTE - Data Terminal Equipment
DCE - Data Communication Equipment

2. Default Routing
Default routing is used to send packets with a remote destination network not in the routing table to the next-hop router.

We can only use default routing on stub networks: those with only one exit path out of the network.

Configuration of Default Routing
  Router(config)#ip route 0.0.0.0 0.0.0.0 Next-Hop_Address
  Router(config)#ip route 0.0.0.0 0.0.0.0 Exit_interface
  Router(config)#ip default-network ?

3. Dynamic Routing
Dynamic routing is when protocols are used to find networks and update the routing tables on routers. A routing protocol defines the set of rules used by a router when it communicates routing information between neighbor routers. There are two types of routing protocols used in internetworks:
• Interior Gateway Protocols (IGPs): IGPs are used to exchange routing information with routers in the same Autonomous System (AS) number.
• Exterior Gateway Protocols (EGPs): EGPs are used to communicate between different Autonomous Systems.

Autonomous System
An autonomous system is a collection of networks under a common administrative domain, which basically means that all routers sharing the same routing table information are in the same AS.

Routing Protocol Basics
• Administrative Distances
• Routing Protocols
• Routing Loops

Administrative Distances
The Administrative Distance (AD) is used to rate the trustworthiness of routing information received on a router from a neighbor router. An Administrative Distance is an integer from 0 to 255, where 0 is the most trusted and 255 means no traffic will be passed via this route. If a router receives two updates listing the same remote network, the first thing the router checks is the AD. If one of the advertised routes has a lower AD than the other, then the route with the lowest AD will be placed in the routing table. If both advertised routes to the same network have the same AD, then routing protocol metrics (such as hop count or bandwidth of the lines) will be used to find the best path to the remote network. The advertised route with the lowest metric will be placed in the routing table.

But if both advertised routes have the same AD as well as the same metrics, then the routing protocol will load-balance to the remote network.

Default Administrative Distances
Route Source          Default AD
Connected interface   0
Static route          1
EIGRP                 90
IGRP                  100
OSPF                  110
RIP                   120
External EIGRP        170
Unknown               255 (this route will never be used)

Routing Protocols
There are three classes of routing protocol:
• Distance vector protocol
• Link state protocol
• Hybrid protocol

Distance vector protocol
The distance-vector protocols find the best path to a remote network by judging distance. Each time a packet goes through a router, that's called a hop. The route with the least number of hops to the network is determined to be the best route. The vector indicates the direction to the remote network. They send the entire routing table to directly connected neighbors. Ex: RIP, IGRP.

Link state protocol
Also called shortest-path-first protocols, the routers each create three separate tables. One keeps track of directly attached neighbors, one determines the topology of the entire internetwork, and one is used as the routing table. Link state routers know more about the internetwork than any distance-vector routing protocol. Link state protocols send updates containing the state of their own links to all other routers on the network. Ex: OSPF.

Hybrid protocol
Hybrid protocols use aspects of both distance-vector and link state protocols.

Ex: EIGRP

Distance-vector Routing Protocols
• The distance-vector routing algorithm passes complete routing table contents to neighboring routers.
• A router receiving an update from a neighbor router believes the information about remote networks without actually finding out for itself.
• It's possible to have a network that has multiple links to the same remote network, and if that's the case, the administrative distance is checked first. If the AD is the same, the protocol will have to use other metrics to determine the best path to use to that remote network.
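The selection rule described above (lowest AD first, then lowest metric, and equal-cost routes load-balanced), written out as an added example. This is not code from the CCNA guide; the route sources and default ADs are the guide's table, and the advertised routes fed to it are constructed samples.

```python
# Added example (not from the CCNA guide): how a router chooses between several
# advertised routes to the same destination. Lowest administrative distance wins,
# ties are broken by metric, and routes that still tie are all installed
# (load balancing). An AD of 255 is never installed.

DEFAULT_AD = {
    "connected": 0,
    "static": 1,
    "eigrp": 90,
    "igrp": 100,
    "ospf": 110,
    "rip": 120,
    "external eigrp": 170,
    "unknown": 255,   # "this route will never be used"
}


def select_routes(candidates):
    """Pick the route(s) installed for one destination.

    candidates: list of (source, metric, next_hop).
    Returns a list of (source, metric, next_hop); more than one entry means
    equal-cost load balancing. Metrics are only comparable between routes
    learned by the same protocol, which is the normal case after the AD
    comparison because each protocol has its own default AD.
    """
    usable = [c for c in candidates if DEFAULT_AD[c[0]] < 255]
    if not usable:
        return []
    best_ad = min(DEFAULT_AD[src] for src, _, _ in usable)
    same_ad = [c for c in usable if DEFAULT_AD[c[0]] == best_ad]
    best_metric = min(metric for _, metric, _ in same_ad)
    return [c for c in same_ad if c[1] == best_metric]


def build_routing_table(advertisements):
    """advertisements: list of (destination, source, metric, next_hop) from
    every source; returns {destination: [installed routes]}."""
    by_dest = {}
    for dest, src, metric, hop in advertisements:
        by_dest.setdefault(dest, []).append((src, metric, hop))
    return {dest: select_routes(cands) for dest, cands in by_dest.items()}


if __name__ == "__main__":
    # constructed sample: three sources advertise 172.16.20.0, two RIP
    # neighbours tie for 10.0.0.0, and one route comes from an unknown source
    adverts = [
        ("172.16.20.0/24", "rip", 3, "192.168.10.2"),
        ("172.16.20.0/24", "ospf", 74, "192.168.20.2"),
        ("172.16.20.0/24", "static", 0, "192.168.20.2"),
        ("10.0.0.0/8", "rip", 2, "20.0.0.2"),
        ("10.0.0.0/8", "rip", 2, "30.0.0.2"),
        ("10.0.0.0/8", "rip", 4, "40.0.0.2"),
        ("50.0.0.0/8", "unknown", 1, "20.0.0.2"),
    ]
    for dest, routes in build_routing_table(adverts).items():
        print(dest, "->", routes or "no usable route")
```

Running the block installs the static route for 172.16.20.0 (AD 1 beats RIP's 120 and OSPF's 110 regardless of metric), keeps both metric-2 RIP routes for 10.0.0.0, and installs nothing for 50.0.0.0.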

Figure: a converged network (diagram not reproduced).

Routing Loops
Distance-vector routing protocols keep track of any changes to the internetwork by broadcasting periodic routing updates out all active interfaces. This broadcast includes the complete routing table. Routing loops can occur because every router isn't updated simultaneously.

Routing Loops Example

Figure (routing loop example): Routers A, B, C, D and E; Networks 3, 4 and 5; Network 5 is attached to Router E.

The interface to Network 5 fails. All routers know about Network 5 from Router E. Router A, in its tables, has a path to Network 5 through Router B. When Network 5 fails, Router E tells Router C. This causes Router C to stop routing to Network 5 through Router E. But Routers A, B, and D don't know about Network 5 yet, so they keep sending out update information. Router C will eventually send out its update and cause B to stop routing to Network 5, but Routers A and D are still not updated. To them, it appears that Network 5 is still available through Router B with a metric of 3.

The problem occurs when Router A sends out its regular 30-second "Hello, I'm still here, these are the links I know about" message, which includes the ability to reach Network 5. Now Routers B and D receive the wonderful news that Network 5 can be reached from Router A, so Routers B and D then send out the information that Network 5 is available. Any packet destined for Network 5 will go to Router A, to Router B, and then back to Router A. This is a routing loop.

Loop Avoidance

Maximum Hop Count
RIP permits a hop count of up to 15, so anything that requires 16 hops is deemed unreachable. Thus, the maximum hop count will control how long it takes for a routing table entry to become invalid.

Split Horizon
This reduces incorrect routing information and routing overhead in a distance-vector network by enforcing the rule that routing information cannot be sent back in the direction from which it was received.

Route Poisoning
When Network 5 goes down, Router E initiates route poisoning by advertising Network 5 as 16, or unreachable. When Router C receives a route poisoning from Router E, it sends an update, called a poison reverse, back to Router E. This ensures all routers on the segment have received the poisoned route information.

Router Configuration Modes
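The loop-avoidance mechanisms above can be watched in a small simulation. This added example is not from the CCNA guide: it models RIP-style distance-vector updates between Router E (which owns Network 5) and its neighbor Router C, fails Network 5, and counts how many update rounds it takes for the tables to settle with and without split horizon (implemented here as poison reverse, as the guide describes). The two-router topology, the metric convention (directly connected = 0, the receiver adds 1) and the synchronous rounds are simplifications assumed for the illustration.

```python
# Added example (not from the CCNA guide): count-to-infinity with and without
# split horizon / poison reverse, using the guide's Router E, Router C and
# Network 5. Topology and metric convention are simplified assumptions.

INFINITY = 16      # RIP: 16 hops means unreachable (maximum hop count 15)
MAX_ROUNDS = 100   # safety cap so a wrong update rule can never spin forever


class Router:
    def __init__(self, name, connected):
        self.name = name
        self.neighbors = []
        # table: network -> (metric, next_hop); next_hop None = directly connected
        self.table = {net: (0, None) for net in connected}

    def advertise(self, neighbor, split_horizon):
        """Build the periodic update sent to one neighbor."""
        adv = {}
        for net, (metric, hop) in self.table.items():
            if split_horizon and hop == neighbor:
                # poison reverse: a route learned from this neighbor is sent
                # back to it as unreachable, never as a usable path
                adv[net] = INFINITY
            else:
                adv[net] = metric
        return adv

    def receive(self, neighbor, adv):
        """Apply a neighbor's update; return True if the table changed."""
        changed = False
        for net, adv_metric in adv.items():
            new = min(adv_metric + 1, INFINITY)
            cur_metric, cur_hop = self.table.get(net, (INFINITY, None))
            if cur_hop == neighbor:
                entry = (new, neighbor)   # update from current next hop is always taken, even if worse
            elif new < cur_metric:
                entry = (new, neighbor)   # a better path than the one installed
            else:
                continue
            if entry != (cur_metric, cur_hop):
                self.table[net] = entry
                changed = True
        return changed


def link(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)


def converge(routers, split_horizon):
    """Run synchronous update rounds until no table changes; return the round count."""
    for rounds in range(1, MAX_ROUNDS + 1):
        # every router builds its updates from the tables as they were before the round
        pending = [(r, n, r.advertise(n.name, split_horizon))
                   for r in routers for n in r.neighbors]
        changed = False
        for sender, receiver, adv in pending:
            if receiver.receive(sender.name, adv):
                changed = True
        if not changed:
            return rounds
    return MAX_ROUNDS


def simulate_network5_failure(split_horizon):
    """Return (rounds to re-converge after Network 5 fails, Router C's final metric)."""
    router_e = Router("RouterE", ["Network5"])
    router_c = Router("RouterC", [])
    link(router_e, router_c)
    routers = [router_e, router_c]
    converge(routers, split_horizon)
    # the interface to Network 5 fails: Router E poisons the route (metric 16)
    router_e.table["Network5"] = (INFINITY, None)
    rounds = converge(routers, split_horizon)
    return rounds, router_c.table["Network5"][0]


if __name__ == "__main__":
    for sh in (False, True):
        rounds, metric = simulate_network5_failure(sh)
        print(f"split horizon={sh}: converged after {rounds} rounds, Router C metric {metric}")
```

Without split horizon, Router C keeps re-advertising Network 5 to Router E, which re-installs it via C, and the metric climbs by one each exchange until it hits 16 (16 rounds here); with poison reverse the bad news is accepted in the first round and the second round confirms nothing changed. The maximum hop count is what bounds the first case at all.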
• User mode (or) console mode           - Router>            (user logon mode)
• Privilege mode                        - Router#
• Global configuration mode             - Router(config)#
• Specific configuration mode           - Router(config-if)# (for example, interface mode)

Password set to console mode
  Router>enable
  Router#configure terminal
  Router(config)#line console 0
  Router(config-line)#password *****
  Router(config-line)#login

Password set to privilege mode
Text password (enable password; stored in clear text in the configuration)
  Router>enable
  Router#configure terminal
  Router(config)#enable password *****
Secret password (enable secret; stored as a hash and used in preference to the enable password)
  Router>enable
  Router#configure terminal
  Router(config)#enable secret *****

Password set to auxiliary port
  Router>enable
  Router#configure terminal
  Router(config)#line aux 0
  Router(config-line)#password *****
  Router(config-line)#login

Password set to VTY (Virtual Teletype, TELNET)
  Router>enable
  Router#configure terminal
  Router(config)#line vty 0 4            (some routers support vty 0 15)
  Router(config-line)#password *****
  Router(config-line)#login

Configure IP address on a LAN port
  Router>enable
  Router#configure terminal
  Router(config)#interface FastEthernet 0/0
  Router(config-if)#ip address ***.***.***.*** ***.***.***.***
  Router(config-if)#no shutdown

Static Routing Configuration LAB

Figure (lab topology, reconstructed from the diagram labels): 1700A F0/0 10.0.0.1, S0/0 20.0.0.1 --- S3/0 20.0.0.2 3600A F0/0 30.0.0.1, S3/1 40.0.0.1 --- S0/0 40.0.0.2 1700B F0/0 50.0.0.1

1700A
  Router>enable
  Router#configure terminal
  Router(config)#hostname 1700A
  1700A(config)#interface FastEthernet 0/0
  1700A(config-if)#ip address 10.0.0.1 255.0.0.0
  1700A(config-if)#no shutdown
  1700A(config-if)#interface Serial 0/0
  1700A(config-if)#ip address 20.0.0.1 255.0.0.0
  1700A(config-if)#no shutdown
  1700A(config-if)#^Z                                    (Ctrl+Z returns to privilege mode)
  1700A#show ip route
  1700A#show ip interface brief
  1700A#configure terminal
  1700A(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.2    (or exit interface: ip route 30.0.0.0 255.0.0.0 Serial 0/0)
  1700A(config)#ip route 40.0.0.0 255.0.0.0 20.0.0.2    (or exit interface Serial 0/0)
  1700A(config)#ip route 50.0.0.0 255.0.0.0 20.0.0.2    (or exit interface Serial 0/0)
  1700A(config)#exit
  1700A#show ip interface brief
  1700A#show ip protocols

3600A
  Router>enable
  Router#configure terminal
  Router(config)#hostname 3600A
  3600A(config)#interface Serial 3/0
  3600A(config-if)#ip address 20.0.0.2 255.0.0.0
  3600A(config-if)#no shutdown
  3600A(config-if)#do show controllers Serial 3/0        (to see whether this end is DCE or DTE; clock rate is set on the DCE end)
  3600A(config-if)#clock rate 64000
  3600A(config-if)#interface FastEthernet 0/0
  3600A(config-if)#ip address 30.0.0.1 255.0.0.0
  3600A(config-if)#no shutdown
  3600A(config-if)#interface Serial 3/1
  3600A(config-if)#ip address 40.0.0.1 255.0.0.0
  3600A(config-if)#no shutdown
  3600A(config-if)#clock rate 64000
  3600A(config-if)#^Z
  3600A#show ip route
  3600A#show ip interface brief
  3600A#configure terminal
  3600A(config)#ip route 10.0.0.0 255.0.0.0 20.0.0.1    (next hop is 1700A's S0/0; or exit interface Serial 3/0)
  3600A(config)#ip route 50.0.0.0 255.0.0.0 40.0.0.2    (next hop is 1700B's S0/0; or exit interface Serial 3/1)
  3600A(config)#exit
  3600A#show ip interface brief
  3600A#show ip protocols

1700B
  Router>enable
  Router#configure terminal
  Router(config)#hostname 1700B
  1700B(config)#interface FastEthernet 0/0
  1700B(config-if)#ip address 50.0.0.1 255.0.0.0
  1700B(config-if)#no shutdown
  1700B(config-if)#interface Serial 0/0
  1700B(config-if)#ip address 40.0.0.2 255.0.0.0
  1700B(config-if)#no shutdown
  1700B(config-if)#^Z
  1700B#show ip route
  1700B#show ip interface brief
  1700B#configure terminal
  1700B(config)#ip route 10.0.0.0 255.0.0.0 40.0.0.1    (or exit interface Serial 0/0)
  1700B(config)#ip route 20.0.0.0 255.0.0.0 40.0.0.1    (or exit interface Serial 0/0)
  1700B(config)#ip route 30.0.0.0 255.0.0.0 40.0.0.1    (or exit interface Serial 0/0)
  1700B(config)#exit
  1700B#show ip interface brief
  1700B#show ip route
  1700B#show ip protocols
  1700B#ping 10.0.0.1

Default Routing Configuration LAB

Figure (lab topology, reconstructed from the diagram labels): 1700A F0/0 10.0.0.1, S0/0 20.0.0.1 --- S3/0 20.0.0.2 3600A S3/1 30.0.0.1 --- S0/0 30.0.0.2 1700B F0/0 40.0.0.1

1700A
  Router>enable
  Router#configure terminal
  Router(config)#hostname 1700A
  1700A(config)#interface FastEthernet 0/0
  1700A(config-if)#ip address 10.0.0.1 255.0.0.0
  1700A(config-if)#no shutdown
  1700A(config-if)#interface Serial 0/0
  1700A(config-if)#ip address 20.0.0.1 255.0.0.0
  1700A(config-if)#no shutdown
  1700A(config-if)#^Z
  1700A#show ip route
  1700A#show ip interface brief
  1700A#configure terminal
  1700A(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.2
     or  1700A(config)#ip route 0.0.0.0 0.0.0.0 Serial 0/0
     or  1700A(config)#ip default-network 20.0.0.0
  1700A(config)#exit
  1700A#show ip interface brief
  1700A#show ip protocols

3600A
  Router>enable
  Router#configure terminal
  Router(config)#hostname 3600A
  3600A(config)#interface Serial 3/0
  3600A(config-if)#ip address 20.0.0.2 255.0.0.0
  3600A(config-if)#no shutdown
  3600A(config-if)#do show controllers Serial 3/0        (to see whether this end is DCE or DTE)
  3600A(config-if)#clock rate 64000
  3600A(config-if)#interface Serial 3/1
  3600A(config-if)#ip address 30.0.0.1 255.0.0.0
  3600A(config-if)#no shutdown
  3600A(config-if)#clock rate 64000
  3600A(config-if)#^Z
  3600A#show ip route
  3600A#show ip interface brief
  3600A#configure terminal
  3600A(config)#ip route 0.0.0.0 0.0.0.0 30.0.0.2
     or  3600A(config)#ip route 0.0.0.0 0.0.0.0 Serial 3/1
     or  3600A(config)#ip default-network 30.0.0.0
  3600A(config)#ip route 10.0.0.0 255.0.0.0 20.0.0.1    (static route back toward 1700A; or exit interface Serial 3/0)
  3600A(config)#exit
  3600A#show ip interface brief
  3600A#show ip protocols

1700B
  Router>enable
  Router#configure terminal
  Router(config)#hostname 1700B
  1700B(config)#interface FastEthernet 0/0
  1700B(config-if)#ip address 40.0.0.1 255.0.0.0
  1700B(config-if)#no shutdown
  1700B(config-if)#interface Serial 0/0
  1700B(config-if)#ip address 30.0.0.2 255.0.0.0
  1700B(config-if)#no shutdown
  1700B(config-if)#^Z
  1700B#show ip route
  1700B#show ip interface brief
  1700B#configure terminal
  1700B(config)#ip route 0.0.0.0 0.0.0.0 30.0.0.1
     or  1700B(config)#ip route 0.0.0.0 0.0.0.0 Serial 0/0
     or  1700B(config)#ip default-network 30.0.0.0
  1700B(config)#exit
  1700B#show ip interface brief
  1700B#show ip route
  1700B#show ip protocols
  1700B#ping 10.0.0.1

Routing Information Protocol (RIP)
• Routing Information Protocol is a true distance-vector routing protocol.
• It sends the complete routing table out to all active interfaces every 30 seconds.
• RIP only uses hop count to determine the best way to a remote network, but it has a maximum allowable hop count of 15 by default, meaning that 16 is deemed unreachable.
• RIP version 1 uses only classful routing, which means that all devices in the network must use the same subnet mask.
• RIP version 2 provides something called prefix routing, and does send subnet mask information with the route updates. This is called classless routing.

RIP Timers
RIP uses the following timers to regulate its performance.

Route update timer: The route update timer sets the interval (30 seconds) between periodic routing updates, in which the router sends a complete copy of its routing table out to all neighbors.

Route invalid timer: A route invalid timer determines the length of time that must elapse (180 seconds) before a router determines that a route has become invalid. It will come to this conclusion if it hasn't heard any updates about a particular route for that period. When that happens, the router will send out updates to all its neighbors letting them know that the route is invalid.

Hold-down timer: This sets the amount of time during which routing information is suppressed. Routers will enter into the hold-down state when an update packet is received that indicates the route is unreachable. This continues until an update packet is received with a better metric or until the hold-down timer expires. The default is 180 seconds.

Route flush timer: The route flush timer sets the time between a route becoming invalid and its removal from the routing table (240 seconds). Before it's removed from the table, the router notifies its neighbors of that route's impending demise. The value of the route invalid timer must be less than that of the route flush timer.
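To make the interaction of these four timers concrete, here is an added example (not from the CCNA guide) that models one learned RIP route: the update, invalid and flush timers age the route out when its neighbor goes quiet, and the hold-down timer suppresses equal-or-worse news after a poisoned update until a better metric arrives or the timer expires. The RipRoute class, the timestamps and the sequence of updates are constructed for the illustration.

```python
# Added example (not from the CCNA guide): a model of the guide's four RIP
# timers acting on one learned route. Times are seconds from an arbitrary
# start; the route and the neighbour's updates are constructed samples.
from dataclasses import dataclass

INFINITY = 16   # RIP: metric 16 means unreachable


@dataclass
class RipTimers:
    update: int = 30      # interval between full-table updates
    invalid: int = 180    # no update for this long -> route becomes invalid
    holddown: int = 180   # suppression period after an unreachable update
    flush: int = 240      # invalid route is removed from the table after this long

    def validate(self):
        # the guide's rule: the invalid timer must be less than the flush timer
        if not self.update < self.invalid < self.flush:
            raise ValueError("RIP timers must satisfy update < invalid < flush")
        return True


class RipRoute:
    """One route learned from a single neighbour."""

    def __init__(self, metric, now, timers=None):
        self.metric = metric
        self.last_update = now       # refreshed by every usable update for the route
        self.holddown_until = None   # set when the neighbour poisons the route
        self.timers = timers or RipTimers()

    def in_holddown(self, now):
        return self.holddown_until is not None and now < self.holddown_until

    def state(self, now):
        age = now - self.last_update
        if age >= self.timers.flush:
            return "flushed"     # removed from the routing table
        if age >= self.timers.invalid:
            return "invalid"     # still in the table, advertised as unreachable
        if self.in_holddown(now):
            return "holddown"
        return "valid"

    def receive(self, metric, now):
        """Apply an update from the route's neighbour; return True if accepted."""
        if self.in_holddown(now) and metric >= self.metric:
            return False         # hold-down: equal or worse news is suppressed
        if metric >= INFINITY:
            # route poisoning received: keep the old metric, start hold-down, and
            # do not refresh last_update, so the route ages out unless something better arrives
            self.holddown_until = now + self.timers.holddown
            return True
        # an update from the current next hop is taken even when the metric gets worse;
        # a better metric also ends an active hold-down early
        self.metric = metric
        self.last_update = now
        self.holddown_until = None
        return True


if __name__ == "__main__":
    route = RipRoute(metric=2, now=0)
    for t, m in [(30, 2), (60, 2), (90, INFINITY), (120, 2), (180, 1)]:
        accepted = route.receive(m, t)
        print(f"t={t:3d}s metric {m:2d} accepted={accepted} state={route.state(t)}")
    quiet = RipRoute(metric=2, now=0)
    for t in (179, 180, 240):
        print(f"quiet route at t={t}: {quiet.state(t)}")
```

The first route is poisoned at t=90 and enters hold-down until t=270: the metric-2 update at t=120 is ignored, while the metric-1 update at t=180 is better and ends the hold-down. The second route never hears from its neighbour again and goes valid, invalid at 180 s, then flushed at 240 s, which is why the invalid timer must stay below the flush timer.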

RIP (Routing Information Protocol) Configuration LAB

Figure (RIP lab topology, reconstructed from the diagram labels): 1700A F0/0 10.0.0.1, S0/0 20.0.0.1, S0/1 30.0.0.1, S1/0 40.0.0.1; 3600A S3/0 20.0.0.2, S3/1 50.0.0.1; 3600B S1/0 30.0.0.2, S1/1 60.0.0.1; 3600C S0/0 40.0.0.2, S0/1 70.0.0.1; 1700B S0/0 50.0.0.2, S1/0 60.0.0.2, S1/1 70.0.0.2, F0/0 80.0.0.1. 1700A has a serial link to each 3600, and each 3600 has a serial link to 1700B.

1700A
  Router>enable
  Router#configure terminal
  Router(config)#hostname 1700A
  1700A(config)#interface FastEthernet 0/0
  1700A(config-if)#ip address 10.0.0.1 255.0.0.0
  1700A(config-if)#no shutdown
  1700A(config-if)#interface Serial 0/0
  1700A(config-if)#ip address 20.0.0.1 255.0.0.0
  1700A(config-if)#no shutdown
  1700A(config-if)#interface Serial 0/1
  1700A(config-if)#ip address 30.0.0.1 255.0.0.0
  1700A(config-if)#no shutdown
  1700A(config-if)#interface Serial 1/0
  1700A(config-if)#ip address 40.0.0.1 255.0.0.0
  1700A(config-if)#no shutdown
  1700A(config-if)#^Z
  1700A#show ip route
  1700A#show ip interface brief
  1700A#configure terminal
  1700A(config)#router rip
  1700A(config-router)#network 10.0.0.0
  1700A(config-router)#network 20.0.0.0
  1700A(config-router)#network 30.0.0.0
  1700A(config-router)#network 40.0.0.0
  1700A(config-router)#^Z
  1700A#show ip route
  1700A#show ip interface brief
  1700A#show ip protocols

3600A
  Router>enable
  Router#configure terminal
  Router(config)#hostname 3600A
  3600A(config)#interface Serial 3/0
  3600A(config-if)#ip address 20.0.0.2 255.0.0.0
  3600A(config-if)#no shutdown
  3600A(config-if)#clock rate 64000
  3600A(config-if)#interface Serial 3/1
  3600A(config-if)#ip address 50.0.0.1 255.0.0.0
  3600A(config-if)#no shutdown
  3600A(config-if)#clock rate 64000
  3600A(config-if)#exit
  3600A(config)#router rip
  3600A(config-router)#network 20.0.0.0
  3600A(config-router)#network 50.0.0.0
  3600A(config-router)#^Z
  3600A#show ip route
  3600A#show ip interface brief
  3600A#show ip protocols

3600B
  Router>enable
  Router#configure terminal
  Router(config)#hostname 3600B
  3600B(config)#interface Serial 1/0
  3600B(config-if)#ip address 30.0.0.2 255.0.0.0
  3600B(config-if)#no shutdown
  3600B(config-if)#clock rate 64000
  3600B(config-if)#interface Serial 1/1
  3600B(config-if)#ip address 60.0.0.1 255.0.0.0
  3600B(config-if)#no shutdown
  3600B(config-if)#clock rate 64000
  3600B(config-if)#exit
  3600B(config)#router rip
  3600B(config-router)#network 30.0.0.0
  3600B(config-router)#network 60.0.0.0
  3600B(config-router)#^Z
  3600B#show ip route
  3600B#show ip interface brief
  3600B#show ip protocols

3600C
  Router>enable
  Router#configure terminal
  Router(config)#hostname 3600C
  3600C(config)#interface Serial 0/0
  3600C(config-if)#ip address 40.0.0.2 255.0.0.0
  3600C(config-if)#no shutdown
  3600C(config-if)#clock rate 64000
  3600C(config-if)#interface Serial 0/1
  3600C(config-if)#ip address 70.0.0.1 255.0.0.0
  3600C(config-if)#no shutdown
  3600C(config-if)#clock rate 64000
  3600C(config-if)#exit
  3600C(config)#router rip
  3600C(config-router)#network 40.0.0.0
  3600C(config-router)#network 70.0.0.0
  3600C(config-router)#^Z
  3600C#show ip route
  3600C#show ip interface brief

1700B
  Router>enable
  Router#configure terminal
  Router(config)#hostname 1700B
  1700B(config)#interface FastEthernet 0/0
  1700B(config-if)#ip address 80.0.0.1 255.0.0.0
  1700B(config-if)#no shutdown
  1700B(config-if)#interface Serial 0/0
  1700B(config-if)#ip address 50.0.0.2 255.0.0.0
  1700B(config-if)#no shutdown
  1700B(config-if)#interface Serial 1/0
  1700B(config-if)#ip address 60.0.0.2 255.0.0.0
  1700B(config-if)#no shutdown
  1700B(config-if)#interface Serial 1/1
  1700B(config-if)#ip address 70.0.0.2 255.0.0.0
  1700B(config-if)#no shutdown
  1700B(config-if)#^Z
  1700B#show ip route
  1700B#show ip interface brief
  1700B#show ip protocols
  1700B#configure terminal
  1700B(config)#router rip
  1700B(config-router)#network 50.0.0.0
  1700B(config-router)#network 60.0.0.0
  1700B(config-router)#network 70.0.0.0
  1700B(config-router)#network 80.0.0.0
  1700B(config-router)#^Z
  1700B#show ip interface brief
  1700B#show ip protocols

Routing Information Protocol version 2
• Both RIPv1 and RIPv2 are distance-vector protocols, which means that each router running RIP sends its complete routing table out all active interfaces at periodic time intervals.
• The timers and loop-avoidance schemes are the same in both RIP versions.
• Both RIPv1 and RIPv2 are configured as classful addressing (but RIPv2 is considered classless because subnet information is sent with each route update).
• Both have the same administrative distance (120).
• RIP is an open standard; you can use RIP with any brand of router.
• Algorithm: Bellman-Ford.
• Multicast address (RIPv2): 224.0.0.9.

RIP Version 1                              RIP Version 2
Distance vector                            Distance vector
Maximum hop count of 15                    Maximum hop count of 15
Classful                                   Classless
No support for VLSM                        Supports VLSM
No support for discontiguous networks      Supports discontiguous networks

RIP Version 2 (Routing Information Protocol) Configuration LAB

Figure (lab topology, reconstructed from the diagram labels): 1700A F0/0 192.168.1.17 (hosts 192.168.1.17 - 22), S0/0 192.168.1.5 --- S3/0 192.168.1.6 3600A S3/1 192.168.1.9 --- S0/0 192.168.1.10 1700B F0/0 192.168.1.33 (hosts 192.168.1.33 - 46)

RIPv2 supports classless IP addressing.

Question: IP address block 192.168.1.0/24
  1700A F0/0                          needs 6 IP addresses
  WAN serial connection (S0/0 & S3/0) needs 2 IP addresses
  WAN serial connection (S3/1 & S0/0) needs 2 IP addresses
  1700B F0/0                          needs 14 IP addresses

Answer: IP addresses from 192.168.1.0/24 (host-octet bit weights: 128 64 32 16 8 4 2 1)

Need 2 IP addresses: borrowing 2 bits, 2^2 = 4 - 2 = 2 usable (mask 255.255.255.252)
  Network ID       192.168.1.4     192.168.1.8
  First host ID    192.168.1.5     192.168.1.9
  Last host ID     192.168.1.6     192.168.1.10
  Broadcast ID     192.168.1.7     192.168.1.11

Need 6 IP addresses: borrowing 3 bits, 2^3 = 8 - 2 = 6 usable (mask 255.255.255.248)
                   already in use  so we use
  Network ID       192.168.1.8     192.168.1.16
  First host ID    192.168.1.9     192.168.1.17
  Last host ID     192.168.1.14    192.168.1.22
  Broadcast ID     192.168.1.15    192.168.1.23

Need 14 IP addresses: borrowing 4 bits, 2^4 = 16 - 2 = 14 usable (mask 255.255.255.240)
                   already in use  so we use
  Network ID       192.168.1.16    192.168.1.32
  First host ID    192.168.1.17    192.168.1.33
  Last host ID     192.168.1.30    192.168.1.46
  Broadcast ID     192.168.1.31    192.168.1.47
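The VLSM allocation worked out above can be reproduced mechanically. This is an added example, not code from the CCNA guide: a first-fit allocator over 192.168.1.0/24 that sizes each subnet from its host requirement, skips any aligned block that overlaps one already assigned (the guide's "already in use" step), and reports the same network, first host, last host and broadcast addresses. It assumes the guide's order of assignment (the two WAN links, then 1700A's LAN, then 1700B's LAN) and reserves 192.168.1.0/30 so that the first link lands on 192.168.1.4 as in the guide, which does not say why it starts there; those two choices are assumptions of this example.

```python
# Added example (not from the CCNA guide): first-fit VLSM allocation that
# reproduces the guide's worked answer. Assignment order and the reserved
# 192.168.1.0/30 are assumptions made to match the guide's table.
import ipaddress


def prefix_for(hosts):
    """Smallest prefix length whose usable host count (2^bits - 2) covers `hosts`."""
    bits = 2                      # a /30 is the smallest block with two usable hosts
    while 2 ** bits - 2 < hosts:
        bits += 1
    return 32 - bits


def allocate_vlsm(base, requirements, reserved=()):
    """First-fit VLSM allocation in the order the requirements are listed.

    requirements: list of (name, hosts_needed); reserved: blocks that may not
    be used. Returns one dict per requirement with the fields the guide tabulates.
    """
    base = ipaddress.ip_network(base)
    taken = [ipaddress.ip_network(r) for r in reserved]
    plan = []
    for name, hosts in requirements:
        prefix = prefix_for(hosts)
        for cand in base.subnets(new_prefix=prefix):
            if any(cand.overlaps(t) for t in taken):
                continue          # "already in use": move on to the next aligned block
            taken.append(cand)
            plan.append({
                "name": name,
                "network": str(cand),
                "mask": str(cand.netmask),
                "first_host": str(cand.network_address + 1),
                "last_host": str(cand.broadcast_address - 1),
                "broadcast": str(cand.broadcast_address),
                "usable": cand.num_addresses - 2,
            })
            break
        else:
            raise ValueError(f"no free /{prefix} block left for {name}")
    return plan


# the guide's requirements, in the order it assigns them (constructed input)
LAB_REQUIREMENTS = [
    ("WAN S0/0 - S3/0", 2),
    ("WAN S3/1 - S0/0", 2),
    ("1700A F0/0", 6),
    ("1700B F0/0", 14),
]


def lab_plan():
    return allocate_vlsm("192.168.1.0/24", LAB_REQUIREMENTS, reserved=["192.168.1.0/30"])


if __name__ == "__main__":
    for entry in lab_plan():
        print(f"{entry['name']:16s} {entry['network']:18s} mask {entry['mask']:15s} "
              f"hosts {entry['first_host']} - {entry['last_host']}  broadcast {entry['broadcast']}")
```

Note how the /29 for 1700A cannot start at 192.168.1.8 even though that address is free as a /29 boundary, because the second /30 already occupies 192.168.1.8 - 11; the allocator therefore lands on 192.168.1.16/29, and the /28 for 1700B, blocked by that /29, lands on 192.168.1.32/28.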

1700A
  Router>enable
  Router#configure terminal
  Router(config)#hostname 1700A
  1700A(config)#interface FastEthernet 0/0
  1700A(config-if)#ip address 192.168.1.17 255.255.255.248
  1700A(config-if)#no shutdown
  1700A(config-if)#interface Serial 0/0
  1700A(config-if)#ip address 192.168.1.5 255.255.255.252
  1700A(config-if)#no shutdown
  1700A(config-if)#^Z
  1700A#show ip route
  1700A#show ip interface brief
  1700A#configure terminal
  1700A(config)#router rip
  1700A(config-router)#version 2
  1700A(config-router)#network 192.168.1.4      (IOS stores a network statement as its classful network, here 192.168.1.0)
  1700A(config-router)#network 192.168.1.16
  1700A(config-router)#^Z
  1700A#show ip interface brief
  1700A#show ip protocols

3600A
  Router>enable
  Router#configure terminal
  Router(config)#hostname 3600A
  3600A(config)#interface Serial 3/0
  3600A(config-if)#ip address 192.168.1.6 255.255.255.252
  3600A(config-if)#no shutdown
  3600A(config-if)#clock rate 64000
  3600A(config-if)#interface Serial 3/1
  3600A(config-if)#ip address 192.168.1.9 255.255.255.252
  3600A(config-if)#no shutdown
  3600A(config-if)#clock rate 64000
  3600A(config-if)#^Z
  3600A#show ip route
  3600A#show ip interface brief
  3600A#configure terminal
  3600A(config)#router rip
  3600A(config-router)#version 2
  3600A(config-router)#network 192.168.1.4
  3600A(config-router)#network 192.168.1.8
  3600A(config-router)#^Z
  3600A#show ip interface brief
  3600A#show ip protocols

1700B
  Router>enable
  Router#configure terminal
  Router(config)#hostname 1700B
  1700B(config)#interface FastEthernet 0/0
  1700B(config-if)#ip address 192.168.1.33 255.255.255.240
  1700B(config-if)#no shutdown
  1700B(config-if)#interface Serial 0/0
  1700B(config-if)#ip address 192.168.1.10 255.255.255.252
  1700B(config-if)#no shutdown
  1700B(config-if)#^Z
  1700B#show ip route
  1700B#show ip interface brief
  1700B#configure terminal
  1700B(config)#router rip
  1700B(config-router)#version 2
  1700B(config-router)#network 192.168.1.8
  1700B(config-router)#network 192.168.1.32
  1700B(config-router)#^Z
  1700B#show ip interface brief
  1700B#show ip route
  1700B#show ip protocols
  1700B#ping 192.168.1.17

To change the update time, invalid time, hold-down time and flush time from their defaults, use the following command:
  Router>enable
  Router#configure terminal
  Router(config)#router rip
  Router(config-router)#timers basic <update> <invalid> <holddown> <flush>

RIP V1 & RIP V2 Configuration (Routing Information Protocol Version 1 & Version 2) LAB

Figure (lab topology, reconstructed from the diagram labels): RIP V1 side: 1700A F0/0 10.0.0.1, S0/0 20.0.0.1 --- S3/0 20.0.0.2 3600A S3/1 30.0.0.1 --- RIP V2 side: S0/0 30.0.0.2 1700B F0/0 40.0.0.1

1700A
  Router>enable
  Router#configure terminal
  Router(config)#hostname 1700A
  1700A(config)#interface FastEthernet 0/0
  1700A(config-if)#ip address 10.0.0.1 255.0.0.0
  1700A(config-if)#no shutdown
  1700A(config-if)#interface Serial 0/0
  1700A(config-if)#ip address 20.0.0.1 255.0.0.0
  1700A(config-if)#no shutdown
  1700A(config-if)#^Z
  1700A#show ip route
  1700A#show ip interface brief
  1700A#configure terminal
  1700A(config)#router rip
  1700A(config-router)#network 10.0.0.0
  1700A(config-router)#network 20.0.0.0
  1700A(config-router)#^Z
  1700A#show ip interface brief
  1700A#show ip protocols

3600A
  Router>enable
  Router#configure terminal
  Router(config)#hostname 3600A
  3600A(config)#interface Serial 3/0
  3600A(config-if)#ip address 20.0.0.2 255.0.0.0
  3600A(config-if)#no shutdown
  3600A(config-if)#clock rate 64000
  3600A(config-if)#interface Serial 3/1
  3600A(config-if)#ip address 30.0.0.1 255.0.0.0
  3600A(config-if)#no shutdown
  3600A(config-if)#clock rate 64000
  3600A(config-if)#^Z
  3600A#show ip route
  3600A#show ip interface brief
  3600A#configure terminal
  3600A(config)#router rip
  3600A(config-router)#network 20.0.0.0
  3600A(config-router)#version 2
  3600A(config-router)#network 30.0.0.0
  3600A(config-router)#^Z
  3600A#show ip interface brief
  3600A#show ip protocols

1700B
  Router>enable
  Router#configure terminal
  Router(config)#hostname 1700B
  1700B(config)#interface FastEthernet 0/0
  1700B(config-if)#ip address 40.0.0.1 255.0.0.0
  1700B(config-if)#no shutdown
  1700B(config-if)#interface Serial 0/0
  1700B(config-if)#ip address 30.0.0.2 255.0.0.0
  1700B(config-if)#no shutdown
  1700B(config-if)#^Z
  1700B#show ip route
  1700B#show ip interface brief
  1700B#configure terminal
  1700B(config)#router rip
  1700B(config-router)#version 2
  1700B(config-router)#network 30.0.0.0
  1700B(config-router)#network 40.0.0.0
  1700B(config-router)#^Z
  1700B#show ip interface brief
  1700B#show ip route
  1700B#show ip protocols
  1700B#ping 10.0.0.1

Another way to configure RIPv2 is per interface: on the interface facing the RIPv1 router (the link to 1700A's Serial 0/0), the RIP version is set with interface configuration commands while the rest of the process runs version 2:
  3600A(config)#interface Serial 3/0
  3600A(config-if)#ip rip receive version 1
  3600A(config-if)#ip rip send version 1

Interior Gateway Routing Protocol (IGRP)
• Interior Gateway Routing Protocol (IGRP) is a Cisco-proprietary distance-vector routing protocol.
• To use IGRP, all your routers must be Cisco routers.
• IGRP has a maximum hop count of 255 with a default of 100.
• IGRP uses bandwidth and delay of the line by default as a metric for determining the best route to an internetwork.
• Reliability, load, and maximum transmission unit (M unit (MTU) can also be used, although they are not used by default.

Note: The main difference between RIP and IGRP configuration is that when you configure IGRP, you supply the autonomous system number. All routers must use the same number in order to share routing table information.

IGRP                                                         RIP
Can be used in large internetworks                           Works best in smaller networks
Uses an autonomous system number for activation              Does not use autonomous system numbers
Gives a full route table update every 90 seconds             Gives a full route table update every 30 seconds
Has an administrative distance of 100                        Has an administrative distance of 120
Uses bandwidth and delay of the line as metric (lowest       Uses only hop count to determine the best path to a
composite metric), with a maximum hop count of 255           remote network, with 15 hops being the maximum

IGRP Timers
To control performance, IGRP includes the following timers with default settings:
Update timers: These specify how frequently routing-update messages should be sent. The default is 90 seconds.
Invalid timers: These specify how long a router should wait before declaring a route invalid if it doesn't receive a specific update about it. The default is three times the update period.
Holddown timers: These specify the holddown period. The default is three times the update timer period plus 10 seconds.
Flush timers: These indicate how much time should pass before a route should be flushed from the routing table. The default is seven times the routing update period. If the update timer is 90 seconds by default, then 7 × 90 = 630 seconds elapse before a route will be flushed from the route table.

IGRP (Interior Gateway Routing Protocol) Configuration LAB
Figure (lab topology, reconstructed from the diagram labels): 1700A F0/0 10.0.0.1, S0/0 20.0.0.1 --- S3/0 20.0.0.2 3600A S3/1 30.0.0.1 --- S0/0 30.0.0.2 1700B F0/0 40.0.0.1

1700A
  Router>enable
  Router#configure terminal
  Router(config)#hostname 1700A
  1700A(config)#interface FastEthernet 0/0
  1700A(config-if)#ip address 10.0.0.1 255.0.0.0
  1700A(config-if)#no shutdown
  1700A(config-if)#interface Serial 0/0
  1700A(config-if)#ip address 20.0.0.1 255.0.0.0
  1700A(config-if)#no shutdown
  1700A(config-if)#exit
  1700A(config)#router igrp 100                 (100 is the autonomous system number)
  1700A(config-router)#network 10.0.0.0
  1700A(config-router)#network 20.0.0.0
  1700A(config-router)#^Z
  1700A#show ip interface brief
  1700A#show ip protocols

3600A
  Router>enable
  Router#configure terminal
  Router(config)#hostname 3600A
  3600A(config)#interface Serial 3/0
  3600A(config-if)#ip address 20.0.0.2 255.0.0.0
  3600A(config-if)#no shutdown
  3600A(config-if)#clock rate 64000
  3600A(config-if)#interface Serial 3/1
  3600A(config-if)#ip address 30.0.0.1 255.0.0.0
  3600A(config-if)#no shutdown
  3600A(config-if)#clock rate 64000
  3600A(config-if)#exit
  3600A(config)#router igrp 100                 (autonomous system number)
  3600A(config-router)#network 20.0.0.0
  3600A(config-router)#network 30.0.0.0
  3600A(config-router)#^Z
  3600A#show ip interface brief
  3600A#show ip protocols

1700B
  Router>enable
  Router#configure terminal
  Router(config)#hostname 1700B
  1700B(config)#interface FastEthernet 0/0
  1700B(config-if)#ip address 40.0.0.1 255.0.0.0
  1700B(config-if)#no shutdown
  1700B(config-if)#interface Serial 0/0
  1700B(config-if)#ip address 30.0.0.2 255.0.0.0
  1700B(config-if)#no shutdown
  1700B(config-if)#exit
  1700B(config)#router igrp 100                 (autonomous system number)
  1700B(config-router)#network 30.0.0.0         (1700B's own connected networks are advertised)
  1700B(config-router)#network 40.0.0.0
  1700B(config-router)#^Z
  1700B#show ip interface brief
  1700B#show ip route
  1700B#show ip protocols
  1700B#ping 10.0.0.1

EIGRP (Enhanced Interior Gateway Routing Protocol) o Enhanced IGRP (EIGRP) is a classless, enhanced distance-vector protocol that gives us a real edge over IGRP. o Like IGRP, EIGRP uses the concept of an autonomous system to describe the set of contiguous routers that run the same routing protocol and share routing information. o But unlike IGRP, EIGRP includes the subnet mask in its route updates o The advertisement of subnet information allows us to use VLSM and summarization when designing our networks. o EIGRP is sometimes referred to as a hybrid routing protocol because ithas characteristics of both distance-vector and link-state protocols. o It sends traditional distance-vector updates containing information about networks plus the cost of reaching them from the perspective of the adverting router o EIGRP has a maximum hop count of 255. Powerful features that make EIGRP a real standout from IGRP
     

Support for IP, IPX, and AppleTalk via protocol-dependent modules Considered classless (same as RIPv2 and OSP Support for VLSM/CIDR Support for summaries and discontiguous networks Efficient neighbor discovery Communication via Reliable Transport Protocol (RTP) Best path selection via Diffusing Update Algorithm (DUAL)

Note: Cisco calls EIGRP a distance vector routing protocol, or sometimes an advanced distance vector or even a hybrid routing protocol.
• EIGRP supports different Network layer protocols through the use of protocol-dependent modules (PDMs).
• Each EIGRP PDM will maintain a separate series of tables containing the routing information that applies to a specific protocol.
• It means that there will be IP/EIGRP tables, IPX/EIGRP tables, and AppleTalk/EIGRP tables.
Neighbor Discovery
Before EIGRP routers are willing to exchange routes with each other, they must become neighbors. There are three conditions that must be met for neighborship establishment:
 Hello or ACK received
 AS numbers match
 Identical metrics (K values)

To maintain the neighborship relationship, EIGRP routers must also continue receiving Hellos from their neighbors. EIGRP routers that belong to different autonomous systems (ASes) don’t automatically share routing information and they don’t become neighbors. The only time EIGRP advertises its entire routing table is when it discovers a new neighbor and forms an adjacency with it through the exchange of Hello packets. When this happens, both neighbors advertise their entire routing tables to one another. After each has learned its neighbor’s routes, only changes to the routing table are propagated from then on.
EIGRP maintains three tables containing information about the internetworks.
Neighbor Table: Records information about routers with whom neighborship relationships have been formed.
Topology Table: Stores the route advertisements about every route in the internetwork received from each neighbor.
Routing Table: Stores the routes that are currently used to make routing decisions.
EIGRP IP Routing Tables (figure):
IP EIGRP Neighbors Table (Next-Hop Router, Interface): list of directly connected routers running EIGRP with which this router has an adjacency.
IP EIGRP Topology Table (Destination 1: FD and AD via each neighbor): list of all routes learned from each EIGRP neighbor.
IP Routing Table (Destination, Best Route): list of all best routes from the EIGRP topology table and other routing processes.

Feasible distance
This is the best metric along all paths to a remote network, including the metric to the neighbor that is advertising that remote network. This is the route that you will find in the routing table, because it is considered the best path. The metric of a feasible distance is the metric reported by the neighbor (called reported distance), plus the metric to the neighbor reporting the route.
Reported distance (Advertised Distance)
This is the metric of a remote network, as reported by a neighbor. It is also the routing table metric of the neighbor.
Neighbor table
Each router keeps state information about adjacent neighbors. When a newly discovered neighbor is learned, the address and interface of the neighbor are recorded, and this information is held in the neighbor table, stored in RAM. There is one neighbor table for each protocol-dependent module.
Topology table
The topology table is populated by the PDMs and acted upon by the Diffusing Update Algorithm (DUAL). It contains all destinations advertised by neighboring routers, holding each destination address and a list of neighbors that have advertised the destination. For each neighbor, the advertised metric is recorded, which comes only from the neighbor’s routing table. If the neighbor is advertising this destination, it must be using the route to forward packets.
Feasible successor
A destination entry is moved from the topology table to the routing table when there is a feasible successor. A feasible successor is a path whose reported distance is less than the feasible distance, and it is considered a backup route. EIGRP will keep up to six feasible successors in the topology table. Only the one with the best metric (the successor) is placed in the routing table.
Successor
A successor route is the best route to a remote network. A successor route is used by EIGRP to forward traffic to a destination and is stored in the routing table. It is backed up by a feasible successor route that is stored in the topology table, if one is available.
• A feasible successor is a backup route and is stored in the topology table.
• A successor route is stored in the topology table and also placed in the routing table.
Reliable Transport Protocol (RTP)

o EIGRP uses a proprietary protocol, called Reliable Transport Protocol (RTP), to manage the communication of messages between EIGRP-speaking routers.
o EIGRP sends updates via multicast traffic; it uses the Class D address 224.0.0.10.
o If EIGRP doesn’t get a reply from a neighbor, it will switch to using unicasts to resend the same data.
o If it still doesn’t get a reply after 16 unicast attempts, the neighbor is declared dead.
o This process is referred to as reliable multicast.
Diffusing Update Algorithm (DUAL)
EIGRP uses the Diffusing Update Algorithm (DUAL) for selecting and maintaining the best path to each remote network. This algorithm allows for the following:
o Backup route determination if one is available
o Support of Variable-Length Subnet Masks (VLSMs)
o Dynamic route recoveries
o Queries for an alternate route if no route can be found
DUAL provides EIGRP with possibly the fastest route convergence time among all protocols.
EIGRP Metrics
Another really sweet thing about EIGRP is that unlike many other protocols that use a single factor to compare routes and select the best possible path, EIGRP can use a combination of four (MTU is carried in the updates as well, but it is not used in the metric calculation):
 Bandwidth
 Delay
 Load
 Reliability
 MTU
Like IGRP, EIGRP uses only bandwidth and delay of the line to determine the best path to a remote network by default.
Maximum Paths and Hop Count
By default, EIGRP (and IGRP) can provide unequal cost load balancing of up to four links. However, you can have EIGRP actually load balance across up to six links. EIGRP (and IGRP) has a maximum hop count of 100, but it can be set up to 255.
If you need to stop EIGRP from working on a specific interface, such as an Ethernet interface or a serial connection to the Internet, configure it with the passive-interface interface command.
By using the no auto-summary command, EIGRP will advertise all the subnets between the two routers. If the networks were larger, you could then provide manual summarization on these same boundaries.

EIGRP (Enhanced Interior Gateway Routing Protocol) Configuration LAB
(Topology figure; links and addresses recovered from the diagram and the configurations below)
1700A: F0/0 10.0.0.1; S0/0 20.0.0.1 (512 kbps) to 3600A S3/0 20.0.0.2; S0/1 30.0.0.1 (256 kbps) to 3600B S1/0 30.0.0.2; S1/0 40.0.0.1 (128 kbps) to 3600C S0/0 40.0.0.2
3600A: S3/1 50.0.0.1 (128 kbps) to 1700B S0/0 50.0.0.2
3600B: S1/1 60.0.0.1 (256 kbps) to 1700B S1/0 60.0.0.2
3600C: S0/1 70.0.0.1 (512 kbps) to 1700B S1/1 70.0.0.2
1700B: F0/0 80.0.0.1
1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#bandwidth 512
1700A(config-if)#interface Serial 0/1
1700A(config-if)#ip address 30.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#bandwidth 256
1700A(config-if)#interface S1/0
1700A(config-if)#ip address 40.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#bandwidth 128
1700A(config-if)#exit
1700A(config)#router eigrp 500 (autonomous system number: 1 – 65535)
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#network 30.0.0.0
1700A(config-router)#network 40.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip interface brief
1700A#show ip eigrp topology
1700A#show ip eigrp neighbors
If we want to make the FastEthernet port passive (no EIGRP Hellos and no adjacency on it), type the following commands:
1700A(config)#router eigrp 500
1700A(config-router)#passive-interface F0/0 (enable)
1700A(config-router)#no passive-interface F0/0 (disable)

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface S3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#bandwidth 512
3600A(config-if)#interface S3/1
3600A(config-if)#ip address 50.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#bandwidth 128
3600A(config-if)#exit
3600A(config)#router eigrp 500
3600A(config-router)#network 20.0.0.0
3600A(config-router)#network 50.0.0.0
3600A(config-router)#^Z
3600A#show ip route
3600A#show ip interface brief
3600A#show ip eigrp topology
3600A#show ip eigrp neighbors

3600B
Router>enable
Router#configure terminal
Router(config)#hostname 3600B
3600B(config)#interface S1/0
3600B(config-if)#ip address 30.0.0.2 255.0.0.0
3600B(config-if)#no shutdown
3600B(config-if)#clock rate 64000
3600B(config-if)#bandwidth 256
3600B(config-if)#interface S1/1
3600B(config-if)#ip address 60.0.0.1 255.0.0.0
3600B(config-if)#no shutdown
3600B(config-if)#clock rate 64000
3600B(config-if)#bandwidth 256
3600B(config-if)#exit
3600B(config)#router eigrp 500
3600B(config-router)#network 30.0.0.0
3600B(config-router)#network 60.0.0.0
3600B(config-router)#^Z
3600B#show ip route
3600B#show ip interface brief
3600B#show ip eigrp topology
3600B#show ip eigrp neighbors

3600C
Router>enable
Router#configure terminal
Router(config)#hostname 3600C
3600C(config)#interface S0/0
3600C(config-if)#ip address 40.0.0.2 255.0.0.0
3600C(config-if)#no shutdown
3600C(config-if)#clock rate 64000
3600C(config-if)#bandwidth 128
3600C(config-if)#interface S0/1
3600C(config-if)#ip address 70.0.0.1 255.0.0.0
3600C(config-if)#no shutdown
3600C(config-if)#clock rate 64000
3600C(config-if)#bandwidth 512
3600C(config-if)#exit
3600C(config)#router eigrp 500
3600C(config-router)#network 40.0.0.0
3600C(config-router)#network 70.0.0.0
3600C(config-router)#^Z
3600C#show ip route
3600C#show ip interface brief
3600C#show ip eigrp topology
3600C#show ip eigrp neighbors

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 80.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface S0/0
1700B(config-if)#ip address 50.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#bandwidth 128
1700B(config-if)#interface S1/0
1700B(config-if)#ip address 60.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#bandwidth 256
1700B(config-if)#interface S1/1
1700B(config-if)#ip address 70.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#bandwidth 512
1700B(config-if)#exit
1700B(config)#router eigrp 500
1700B(config-router)#network 50.0.0.0
1700B(config-router)#network 60.0.0.0
1700B(config-router)#network 70.0.0.0
1700B(config-router)#network 80.0.0.0
1700B(config-router)#^Z
1700B#show ip interface brief
1700B#show ip eigrp topology
1700B#show ip eigrp neighbors

EIGRP Summarization Configuration LAB
(Topology figure) 1700A: F0/0 10.0.0.1, S0/0 20.0.0.1. Second router (labelled 3600 A in the figure, configured as 1700B below): S0/1 20.0.0.2, F0/0 30.0.0.1, Loopback 0 – 8 addressed 172.168.4.1, 172.168.5.1, 172.168.6.1, 172.168.7.1, 172.168.8.1, 172.168.9.1, 172.168.10.1, 172.168.11.1, 172.168.12.1

1700A
Router>en
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router eigrp 500
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip interface brief
1700A#show ip eigrp topology
1700A#show ip eigrp neighbors

1700B
Router>en
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface S0/1
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
(the loopbacks use /24 masks; with 255.255.0.0 all nine would overlap inside 172.168.0.0/16 and IOS would reject every address after the first)
1700B(config-if)#interface Loopback 0
1700B(config-if)#ip address 172.168.4.1 255.255.255.0
1700B(config-if)#interface Loopback 1
1700B(config-if)#ip address 172.168.5.1 255.255.255.0
1700B(config-if)#interface Loopback 2
1700B(config-if)#ip address 172.168.6.1 255.255.255.0
1700B(config-if)#interface Loopback 3
1700B(config-if)#ip address 172.168.7.1 255.255.255.0
1700B(config-if)#interface Loopback 4
1700B(config-if)#ip address 172.168.8.1 255.255.255.0
1700B(config-if)#interface Loopback 5
1700B(config-if)#ip address 172.168.9.1 255.255.255.0
1700B(config-if)#interface Loopback 6
1700B(config-if)#ip address 172.168.10.1 255.255.255.0
1700B(config-if)#interface Loopback 7
1700B(config-if)#ip address 172.168.11.1 255.255.255.0
1700B(config-if)#interface Loopback 8
1700B(config-if)#ip address 172.168.12.1 255.255.255.0
1700B(config-if)#exit
1700B(config)#router eigrp 500
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#network 172.168.4.1
1700B(config-router)#network 172.168.5.1
1700B(config-router)#network 172.168.6.1
1700B(config-router)#network 172.168.7.1
1700B(config-router)#network 172.168.8.1
1700B(config-router)#network 172.168.9.1
1700B(config-router)#network 172.168.10.1
1700B(config-router)#network 172.168.11.1
1700B(config-router)#network 172.168.12.1
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip interface brief
1700B#show ip eigrp topology
1700B#show ip eigrp neighbors

Manual summarization
1700B(config)#router eigrp 500
1700B(config-router)#no auto-summary
To summarize manually, configure the following command on the interface towards the neighbor (the summary replaces the individual networks it covers, which keeps the neighbor's routing table small):
1700B(config)#interface S0/1
1700B(config-if)#ip summary-address eigrp 500 172.168.4.0 255.255.252.0
(this /22 summary covers 172.168.4.0 – 172.168.7.255, i.e. Loopback 0 – 3 only; Loopback 4 – 8 are still advertised as individual /24 networks)

EIGRP Load Balancing Configuration LAB (Unequal Cost Path)
(Topology figure) 1700A: F0/0 10.0.0.1; S0/0 20.0.0.1 (768 kbps) to 3600A S3/0 20.0.0.2; S0/1 30.0.0.1 (512 kbps) to 3600A S3/1 30.0.0.2; S1/0 40.0.0.1 (256 kbps) to 3600A S3/2 40.0.0.2. 3600A: F0/0 50.0.0.1. The bandwidth command sets the bandwidth of each serial link; the serial interfaces keep the IOS default delay of 20000 (microseconds).

1700A
Router>en
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#bandwidth 768
1700A(config-if)#interface S0/1
1700A(config-if)#ip address 30.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#bandwidth 512
1700A(config-if)#interface S1/0
1700A(config-if)#ip address 40.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#bandwidth 256
1700A(config-if)#exit
1700A(config)#router eigrp 500
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#network 30.0.0.0
1700A(config-router)#network 40.0.0.0

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface S3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#bandwidth 768
3600A(config-if)#interface S3/1
3600A(config-if)#ip address 30.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#bandwidth 512
3600A(config-if)#interface S3/2
3600A(config-if)#ip address 40.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#bandwidth 256
3600A(config-if)#interface FastEthernet 0/0 (the 50.0.0.0 LAN shown in the figure, missing from the original listing)
3600A(config-if)#ip address 50.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#exit
3600A(config)#router eigrp 500
3600A(config-router)#network 20.0.0.0
3600A(config-router)#network 30.0.0.0
3600A(config-router)#network 40.0.0.0
3600A(config-router)#network 50.0.0.0

Load Balancing Command
The variance command turns on unequal-cost load balancing. A feasible successor is added to the routing table for load balancing when its metric is within the variance multiplier times the feasible distance of the successor (e.g. FD*3 for variance 3).
1700A(config-router)#variance *** [* = the multiplier] (enable)
1700A(config-router)#no variance (disable)
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip interface brief
1700A#show ip eigrp topology
1700A#show ip eigrp neighbors
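The feasible distance, reported distance and feasible successor rules from the EIGRP section above, and the variance rule from this lab, worked through on the lab topology in Python. This is an added example, not part of the original notes; it assumes the default K values (bandwidth and delay only), the IOS default serial delay of 20000 microseconds, and one constructed extra neighbour (HypotheticalR) that does not exist in the lab.

```python
"""EIGRP metric, DUAL successor selection and variance, worked on the
unequal-cost load-balancing lab (1700A reaching 50.0.0.0/8 behind 3600A).
Added example, not part of the original notes."""
from dataclasses import dataclass


def eigrp_metric(min_bw_kbps: int, total_delay_usec: int) -> int:
    """Composite metric with the default K values (K1 = K3 = 1, others 0):
    256 * (10^7 / slowest link in kbps + sum of delays / 10).
    IOS truncates both terms to integers before scaling by 256."""
    return 256 * (10_000_000 // min_bw_kbps + total_delay_usec // 10)


@dataclass(frozen=True)
class Advertisement:
    """One route to the destination as learned from one neighbour.
    adv_bw/adv_delay is the vector metric the neighbour reports (its slowest
    link and summed delay to the destination); link_bw/link_delay describe
    our own interface towards that neighbour."""
    via: str          # our outgoing interface
    neighbor: str
    adv_bw: int       # kbps
    adv_delay: int    # microseconds
    link_bw: int      # kbps, as set with the bandwidth command
    link_delay: int   # microseconds

    @property
    def reported_distance(self) -> int:
        # RD: the neighbour's own metric to the destination
        return eigrp_metric(self.adv_bw, self.adv_delay)

    @property
    def local_metric(self) -> int:
        # Our metric through this neighbour: extend the vector by our link.
        # ("RD plus the cost to the neighbour" is a simplification: the
        # bandwidth term is a minimum, not a sum, so IOS carries the vector.)
        return eigrp_metric(min(self.adv_bw, self.link_bw),
                            self.adv_delay + self.link_delay)


def dual_select(routes):
    """Return (successor, feasible distance, feasible successors).
    The successor has the lowest local metric; that metric is the FD.
    A feasible successor is any other route whose RD < FD (the feasibility
    condition), which guarantees the neighbour is not routing back through us."""
    successor = min(routes, key=lambda r: r.local_metric)
    fd = successor.local_metric
    feasible = [r for r in routes
                if r is not successor and r.reported_distance < fd]
    return successor, fd, feasible


def load_balance_paths(routes, variance: int):
    """Paths installed with 'variance N': the successor plus every feasible
    successor whose local metric <= N * FD. variance 1 means equal cost only."""
    successor, fd, feasible = dual_select(routes)
    return [successor] + [r for r in feasible if r.local_metric <= variance * fd]


# Constructed from the lab above: 3600A reaches 50.0.0.0/8 on its FastEthernet
# (100000 kbps, 100 usec) and advertises that vector over all three serial
# links; the serial interfaces keep the IOS default delay of 20000 usec.
LAB_ROUTES = [
    Advertisement("S0/0", "3600A", 100_000, 100, 768, 20_000),
    Advertisement("S0/1", "3600A", 100_000, 100, 512, 20_000),
    Advertisement("S1/0", "3600A", 100_000, 100, 256, 20_000),
]
# Hypothetical neighbour (not in the lab) that learned the route back through
# 1700A's S0/0 path: its RD is above our FD, so DUAL must not use it even
# though a large variance would otherwise admit it.
LOOPED_ROUTE = Advertisement("S1/1", "HypotheticalR", 768, 40_100, 1_544, 20_000)


if __name__ == "__main__":
    routes = LAB_ROUTES + [LOOPED_ROUTE]
    successor, fd, feasible = dual_select(routes)
    print(f"successor via {successor.via}, FD = {fd}")
    for r in routes:
        ok = "yes" if (r is successor or r in feasible) else "no"
        print(f"  via {r.via:5} RD={r.reported_distance:9} "
              f"metric={r.local_metric:9} feasible={ok}")
    for v in (1, 2, 3):
        print(f"variance {v}: {[r.via for r in load_balance_paths(routes, v)]}")
```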

OSPF (Open Shortest Path First)
Open Shortest Path First (OSPF) is an open standards routing protocol that’s been implemented by a wide variety of network vendors, including Cisco. It works by using the Dijkstra algorithm. First, a shortest path tree is constructed, and then the routing table is populated with the resulting best paths. OSPF converges quickly, although perhaps not as quickly as EIGRP, and it supports multiple, equal-cost routes to the same destination. But unlike EIGRP, it only supports IP routing. OSPF provides the following features:
 Consists of areas and autonomous systems
 Minimizes routing update traffic
 Allows scalability
 Supports VLSM/CIDR
 Has unlimited hop count
 Allows multi-vendor deployment (open standard)

Note: OSPF is the first link-state routing protocol that most people are introduced to.
OSPF and RIP comparison
Characteristic          OSPF                  RIPv2                 RIPv1
Type of protocol        Link-state            Distance-vector       Distance-vector
Classless support       Yes                   Yes                   No
VLSM support            Yes                   Yes                   No
Auto summarization      No                    Yes                   Yes
Manual summarization    Yes                   No                    No
Discontiguous           Yes                   Yes                   No
Route propagation       Multicast on change   Periodic multicast    Periodic multicast
Path metric             Bandwidth             Hops                  Hops
Hop count limit         None                  15                    15
Convergence             Fast                  Slow                  Slow
Peer authentication     Yes                   Yes                   No
Hierarchical network    Yes (using areas)     Yes                   No
Updates                 Triggered             Route table updates   Route table updates
Route computation       Dijkstra              Bellman-Ford          Bellman-Ford

OSPF is supposed to be designed in a hierarchical fashion, which basically means that you can separate the larger internetwork into smaller internetworks called areas. This is the best design for OSPF. The reasons for creating OSPF in a hierarchical design include:
• To decrease routing overhead
• To speed up convergence
• To confine network instability to single areas of the network
Each router in the network connects to the backbone called area 0, or the backbone area. OSPF must have an area 0, and all routers should connect to this area if at all possible. Routers that connect other areas to the backbone within an AS are called Area Border Routers (ABRs); at least one interface of an ABR must be in area 0. OSPF runs inside an autonomous system, but can also connect multiple autonomous systems together. The router that connects these ASes together is called an Autonomous System Boundary Router (ASBR).
OSPF Terminology
Link: A link is a network or router interface assigned to any given network. When an interface is added to the OSPF process, it’s considered by OSPF to be a link.
Router ID: The Router ID (RID) is an IP address used to identify the router. Cisco chooses the Router ID by using the highest IP address of all configured loopback interfaces. If no loopback interfaces are configured with addresses, OSPF will choose the highest IP address of all active physical interfaces.
Neighbors: Neighbors are two or more routers that have an interface on a common network, such as two routers connected on a point-to-point serial link.
Adjacency: An adjacency is a relationship between two OSPF routers that permits the direct exchange of route updates. OSPF is really picky about sharing routing information, unlike EIGRP, which directly shares routes with all of its neighbors. Instead, OSPF directly shares routes only with neighbors that have also established adjacencies. And not all neighbors will become adjacent; this depends upon both the type of network and the configuration of the routers.
Hello protocol: The OSPF Hello protocol provides dynamic neighbor discovery and maintains neighbor relationships. Hello packets and Link State Advertisements (LSAs) build and maintain the topological database. Hello packets are addressed to 224.0.0.5.
Neighborship database: The neighborship database is a list of all OSPF routers for which Hello packets have been seen. A variety of details, including the Router ID and state, are maintained on each router in the neighborship database.
Topology database: The topology database contains information from all of the Link State Advertisement packets that have been received for an area. The router uses the information from the topology database as input into the Dijkstra algorithm that computes the shortest path to every network. LSA packets are used to update and maintain the topology database.
Link State Advertisement: A Link State Advertisement (LSA) is an OSPF data packet containing link-state and routing information that’s shared among OSPF routers. There are different types of LSA packets. An OSPF router will exchange LSA packets only with routers to which it has established adjacencies.
Designated router: A designated router (DR) is elected whenever OSPF routers are connected to the same multi-access network. A prime example is an Ethernet LAN.
Backup designated router: A backup designated router (BDR) is a hot standby for the DR on multi-access links. The BDR receives all routing updates from OSPF adjacent routers, but doesn’t flood LSA updates.
OSPF areas: An OSPF area is a grouping of contiguous networks and routers. All routers in the same area share a common Area ID.
Broadcast (multi-access): Broadcast (multi-access) networks such as Ethernet allow multiple devices to connect to (or access) the same network, as well as provide a broadcast ability in which a single packet is delivered to all nodes on the network. In OSPF, a DR and a BDR must be elected for each broadcast multi-access network.
Non-broadcast multi-access: Non-Broadcast Multi-Access (NBMA) networks are types such as Frame Relay, X.25, and Asynchronous Transfer Mode (ATM). These networks allow for multi-access, but have no broadcast ability like Ethernet. So, NBMA networks require special OSPF configuration to function properly and neighbor relationships must be defined.
Point-to-point: Point-to-point refers to a type of network topology consisting of a direct connection between two routers that provides a single communication path. The point-to-point connection can be physical, as in a serial cable directly connecting two routers, or it can be logical.
Point-to-multipoint: Point-to-multipoint refers to a type of network topology consisting of a series of connections between a single interface on one router and multiple destination routers. All of the interfaces on all of the routers sharing the point-to-multipoint connection belong to the same network. As with point-to-point, no DRs or BDRs are needed.
SPF Tree Calculation
Within an area, each router calculates the best/shortest path to every network in that same area. This calculation is based upon the information collected in the topology database and an algorithm called shortest path first (SPF). OSPF uses a metric referred to as cost. A cost is associated with every outgoing interface included in an SPF tree. The cost of the entire path is the sum of costs of the outgoing interfaces along the path. Cisco uses a simple equation of 10^8 / bandwidth. The bandwidth is the configured bandwidth for the interface. Using this rule, a 100Mbps Fast Ethernet interface would have a default OSPF cost of 1 and a 10Mbps Ethernet interface would have a cost of 10. An interface set with a bandwidth of 64,000 bps (64 kbps) would have a default cost of 1563.
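The cost rule and the SPF calculation described above, carried out in Python on a small constructed five-router topology (two T1 serial links plus FastEthernet links, so that the cheapest path is not the direct one and two paths tie). This is an added example, not part of the original notes; the router names, links and networks are made up for illustration and the cost function uses Cisco's default 10^8 reference bandwidth with integer truncation.

```python
"""OSPF interface cost and SPF (Dijkstra) route computation.
Added example, not part of the original notes; the five-router topology
below is constructed for illustration."""
import heapq
from collections import defaultdict

REFERENCE_BW_BPS = 100_000_000  # Cisco default reference bandwidth, 10^8


def ospf_cost(bandwidth_kbps: int) -> int:
    """Cisco default cost = 10^8 / interface bandwidth (the bandwidth command
    is in kbps). IOS truncates to an integer and never goes below 1."""
    return max(1, REFERENCE_BW_BPS // (bandwidth_kbps * 1000))


def spf_tree(links, root):
    """Dijkstra over router-to-router links.
    links: (router_a, router_b, bandwidth_kbps), same bandwidth on both ends.
    Returns (cost_to_router, next_hops_to_router); next_hops keeps every
    neighbour that lies on an equal-cost shortest path, which is what lets
    OSPF install multiple equal-cost routes."""
    adj = defaultdict(list)
    for a, b, bw in links:
        cost = ospf_cost(bw)
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist = {root: 0}
    next_hops = {root: set()}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in adj[u]:
            nd = d + cost
            hops = {v} if u == root else next_hops[u]
            if v not in dist or nd < dist[v]:
                dist[v] = nd
                next_hops[v] = set(hops)
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                next_hops[v] |= hops
    return dist, next_hops


def routing_table(links, stubs, root):
    """Cost to a network = cost to the router it hangs off + the cost of that
    router's outgoing interface onto the network.
    stubs: (router, network, interface_bandwidth_kbps).
    Returns {network: (cost, set_of_next_hops)}; 'connected' for local ones."""
    dist, next_hops = spf_tree(links, root)
    table = {}
    for router, network, bw in stubs:
        if router not in dist:
            continue  # unreachable from root
        cost = dist[router] + ospf_cost(bw)
        hops = {"connected"} if router == root else next_hops[router]
        if network not in table or cost < table[network][0]:
            table[network] = (cost, set(hops))
        elif cost == table[network][0]:
            table[network][1].update(hops)
    return table


# Constructed topology: R1-R2 and R2-R4 are T1 serial links (1544 kbps,
# cost 64); every other link is FastEthernet (100000 kbps, cost 1).
LINKS = [
    ("R1", "R2", 1_544), ("R2", "R4", 1_544),
    ("R1", "R3", 100_000), ("R3", "R4", 100_000),
    ("R1", "R5", 100_000), ("R5", "R4", 100_000),
]
STUBS = [
    ("R1", "10.0.0.0/8", 100_000),  # R1's own LAN
    ("R2", "30.0.0.0/8", 10_000),   # 10 Mbps Ethernet behind R2
    ("R4", "40.0.0.0/8", 100_000),  # LAN behind R4, reachable two ways
]


if __name__ == "__main__":
    for network, (cost, hops) in sorted(routing_table(LINKS, STUBS, "R1").items()):
        print(f"O {network:12} cost {cost:4} via {sorted(hops)}")
```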

OSPF (Open Shortest Path First) Single Area Configuration LAB
(Topology figure) 1700A: F0/0 10.0.0.1, S0/0 20.0.0.1 – 3600A: S3/0 20.0.0.2, S3/1 30.0.0.1 – 1700B: S0/0 30.0.0.2, F0/0 40.0.0.1

1700A
Router>en
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router ospf 1 (process ID 1 - 65535)
1700A(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 20.0.0.0 0.255.255.255 area 0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip ospf interface
1700A#show ip ospf neighbor
1700A#show ip ospf database

3600A
Router>en
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface S3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#interface S3/1
3600A(config-if)#ip address 30.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#exit
3600A(config)#router ospf 2 (process ID 1 - 65535)
3600A(config-router)#network 20.0.0.0 0.255.255.255 area 0
3600A(config-router)#network 30.0.0.0 0.255.255.255 area 0
3600A(config-router)#^Z
3600A#show ip route
3600A#show ip ospf interface
3600A#show ip ospf neighbor
3600A#show ip ospf database

1700B
Router>en
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 40.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface S0/0
1700B(config-if)#ip address 30.0.0.2 255.0.0.0 (30.0.0.2 as in the figure; 30.0.0.1 is already 3600A's S3/1)
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router ospf 1 (process ID 1 - 65535)
1700B(config-router)#network 30.0.0.0 0.255.255.255 area 0
1700B(config-router)#network 40.0.0.0 0.255.255.255 area 0
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip ospf interface
1700B#show ip ospf neighbor
1700B#show ip ospf database

OSPF (Open Shortest Path First) Broadcast Area Configuration LAB
(Topology figure) Three routers on one switch: 1700A F0/0 10.0.0.1, Loopback 20.0.0.1; 1700B F0/0 10.0.0.2, Loopback 30.0.0.1; 1700C F0/0 10.0.0.3, Loopback 40.0.0.1

Configure OSPF on a broadcast network in the following steps:
Step 1: Switch off the switch.
Step 2: Configure the routers.
Step 3: Switch on the switch.
Why switch off the switch? When the switch is powered on only after the router configuration is finished, all routers see each other at the same time and run the election process together. The router that wins the election becomes the Designated Router (DR) and the runner-up becomes the Backup Designated Router (BDR). To change the default priority, use the following command (priority 0 - 255):
Router>en
Router#configure terminal
Router(config)#interface <interface>
Router(config-if)#ip ospf priority 1
or
Router(config-if)#ip ospf priority 2
or
Router(config-if)#ip ospf priority 3
Hello Interval Configuration
Router>en
Router#configure terminal
Router(config)#interface S0/0
Router(config-if)#ip ospf hello-interval <seconds>
Router(config-if)#ip ospf dead-interval <seconds> (by default the dead interval is 4 times the hello interval)
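The Router ID rule from the terminology section and the DR/BDR election for this lab, modelled in Python. This is an added example, not part of the original notes; it assumes what the three steps above arrange for, namely that all routers on the segment come up at the same time (so no DR already exists and the election is a straight ranking), that priority 0 makes a router ineligible, and that equal priorities are broken by the higher Router ID.

```python
"""OSPF Router ID selection and DR/BDR election for the broadcast lab above.
Added example, not part of the original notes."""
from ipaddress import IPv4Address


def router_id(loopbacks, physical):
    """Cisco RID rule from the terminology section: highest IP address of
    all configured loopbacks; if there are none, highest address of all
    active physical interfaces."""
    candidates = loopbacks or physical
    if not candidates:
        raise ValueError("no addressed interface, OSPF cannot start")
    return str(max(IPv4Address(a) for a in candidates))


def elect_dr_bdr(routers):
    """routers: {name: {"priority": int, "loopbacks": [...], "physical": [...]}}
    for every router on one multi-access segment.
    Assumes all routers come up simultaneously (the reason the lab powers the
    switch on only after the routers are configured), so no DR already exists
    and the election is a straight ranking:
      - priority 0 means the router never becomes DR or BDR,
      - highest priority wins, ties broken by the highest Router ID,
      - the winner is DR, the runner-up is BDR."""
    ranked = sorted(
        ((cfg["priority"],
          IPv4Address(router_id(cfg["loopbacks"], cfg["physical"])),
          name)
         for name, cfg in routers.items() if cfg["priority"] > 0),
        reverse=True,
    )
    dr = ranked[0][2] if ranked else None
    bdr = ranked[1][2] if len(ranked) > 1 else None
    return dr, bdr


def with_priority(routers, name, priority):
    """Copy of the segment with 'ip ospf priority <n>' applied to one router."""
    changed = {n: dict(cfg) for n, cfg in routers.items()}
    changed[name]["priority"] = priority
    return changed


# The broadcast lab: three routers on one switch, default priority 1.
LAB_SEGMENT = {
    "1700A": {"priority": 1, "loopbacks": ["20.0.0.1"], "physical": ["10.0.0.1"]},
    "1700B": {"priority": 1, "loopbacks": ["30.0.0.1"], "physical": ["10.0.0.2"]},
    "1700C": {"priority": 1, "loopbacks": ["40.0.0.1"], "physical": ["10.0.0.3"]},
}


if __name__ == "__main__":
    print("default priorities:", elect_dr_bdr(LAB_SEGMENT))
    print("1700A priority 3:  ", elect_dr_bdr(with_priority(LAB_SEGMENT, "1700A", 3)))
    print("1700C priority 0:  ", elect_dr_bdr(with_priority(LAB_SEGMENT, "1700C", 0)))
```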

1700A
Router>en
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Loopback 0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#exit
1700A(config)#router ospf 1 (process ID 1 - 65535)
1700A(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 20.0.0.1 0.255.255.255 area 0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip ospf interface
1700A#show ip ospf neighbor
1700A#show ip ospf database

1700B
Router>en
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 10.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Loopback 0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#exit
1700B(config)#router ospf 1 (process ID 1 - 65535)
1700B(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700B(config-router)#network 30.0.0.1 0.255.255.255 area 0
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip ospf interface
1700B#show ip ospf neighbor
1700B#show ip ospf database

1700C
Router>en
Router#configure terminal
Router(config)#hostname 1700C
1700C(config)#interface FastEthernet 0/0
1700C(config-if)#ip address 10.0.0.3 255.0.0.0
1700C(config-if)#no shutdown
1700C(config-if)#interface Loopback 0
1700C(config-if)#ip address 40.0.0.1 255.0.0.0
1700C(config-if)#exit
1700C(config)#router ospf 1 (process ID 1 - 65535)
1700C(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700C(config-router)#network 40.0.0.1 0.255.255.255 area 0
1700C(config-router)#^Z
1700C#show ip route
1700C#show ip ospf interface
1700C#show ip ospf neighbor
1700C#show ip ospf database

OSPF (Open Shortest Path First) – Multi Area Configuration LAB

Area 0

10.0.0.1 F0/0

20.0.0.1 S0/0 1700 A Loopback 1.1.1.1.

20.0.0.2 S3/0

30.0.0.1 S3/1

Area Border Router 30.0.0.2

Area 1

Area Border Router 40.0.0.2 S0/0 50.0.0.1

Area 2

40.0.0.1

50.0.0.2 S0/0

60.0.0.1

3600 A Loopback 2.2.2.2

S1/0 3600 B S1/1 Loopback 3.3.3.3

S1/0 3600 C Loopback 4.4.4.4

F0/ 1700 B 0 Loopback 5.5.5.5

Virtual Link

1700A Router>en Router#configuration terminal Router(config)#hostname 1700A 1700A(config)#interface Fast Ethernet 0/0 1700A(config-if)#ip address 10.0.0.1 255.0.0.0 1700A(config-if)#no shutdown 1700A(config-if)#interface S0/0 1700A(config-if)#ip address 20.0.0.1 255.0.0.0 1700A(config-if)#no shutdown 1700A(config-if)#interface loop back 0 1700A(config-if)#ip address 1.1.1.1 255.255.255.255 1700A(config-if)#control Z 1700A# show ip interface brief 1700A#configuration terminal 1700A(config)#router OSPF 1

1700A(config-router)#network 10.0.0.0 0.255.255.255 area 0 1700A(config-router)#network 20.0.0.0 0.255.255.255 area 0 1700A(config-router)#network 1.1.1.1 0.0.0.0 area 0 1700A(config-router)#control Z 1700A#show ip route 1700A#show ip OSPF interface 1700A#show ip OSPF neighbors 1700A#show ip OSPF database 3600A Router>en Router#configuration terminal Router(config)#hostname 3600A 3600A(config)#interface S3/0 3600A(config-if)#ip address 20.0.0.2 255.0.0.0 3600A(config-if)#no shutdown 3600A(config-if)#clock rate 64000 3600A(config-if)#interface S3/1 3600A(config-if)#ip address 30.0.0.1 255.0.0.0 3600A(config-if)#no shutdown 3600A(config-if)#interface loop back 3600A(config-if)#ip address 2.2.2.2 255.255.255.255 3600A(config-if)#exit 3600A(config)#router OSPF 2 3600A(config-router)#network 20.0.0.0 0.255.255.255 area 0 3600A(config-router)#network 30.0.0.0 0.255.255.255 area 0 3600A(config-router)#network 2.2.2.2 0.0.0.0 area 0 3600A(config-router)#control Z 3600A#show ip route 3600A#show ip OSPF interface 3600A#show ip OSPF neighbors 3600A#show ip OSPF database 3600B Router>en Router#configuration terminal Router(config)#hostname 3600B 3600B(config)#interface S1/0 3600B(config-if)#ip address 30.0.0.2 255.0.0.0 3600B(config-if)#no shutdown 3600B(config-if)#clock rate 64000 3600B(config-if)#interface S1/1 3600B(config-if)#ip address 40.0.0.1 255.0.0.0 3600B(config-if)#no shutdown 3600B(config-if)#interface loop back 3600B(config-if)#ip address 3.3.3.3 255.255.255.255

3600B(config-if)#exit 3600B(config)#router OSPF 3 3600B(config-router)#network 30.0.0.0 0.255.255.255 area 0 3600B(config-router)#network 40.0.0.0 0.255.255.255 area 1 3600B(config-router)#network 3.3.3.3 0.0.0.0 area 1 3600B(config-router)#control Z 3600B#show ip route 3600B#show ip OSPF interface 3600B#show ip OSPF neighbors 3600B#show ip OSPF database To create Virtual link collect update information between all routers on different areas network to type following command 3600B(config)#router OSPF 3 3600B(config-router)#area virtual-link 3600B(config-router)#loopback 4.4.4.4 3600C Router>en Router#configuration terminal Router(config)#hostname 3600C 3600C(config)#interface S0/0 3600C(config-if)#ip address 40.0.0.2 255.0.0.0 3600C(config-if)#no shutdown 3600C(config-if)#clock rate 64000 3600C(config-if)#interface S1/0 3600C(config-if)#ip address 50.0.0.1 255.0.0.0 3600C(config-if)#no shutdown 3600C(config-if)#interface loop back 3600C(config-if)#ip address 4.4.4.4 255.255.255.255 3600C(config-if)#exit 3600C(config)#router OSPF 4 3600C(config-router)#network 40.0.0.0 0.255.255.255 area 1 3600C(config-router)#network 50.0.0.0 0.255.255.255 area 2 3600C(config-router)#network 4.4.4.4 0.0.0.0 area 2 3600C#show ip route 3600C#show ip OSPF interface 3600C#show ip OSPF neighbors 3600C#show ip OSPF database 1700B Router>en Router#configuration terminal Router(config)#hostname 1700B 1700A(config)#interface S0/0 1700B(config-if)#ip address 50.0.0.2 255.0.0.0 1700B(config-if)#no shutdown

1700B(config-if)#interface FastEthernet 0/0
1700B(config-if)#ip address 60.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface loopback 0
1700B(config-if)#ip address 5.5.5.5 255.255.255.255
1700B(config-if)#exit
1700B(config)#router ospf 5
1700B(config-router)#network 50.0.0.0 0.255.255.255 area 2
1700B(config-router)#network 60.0.0.0 0.255.255.255 area 2
1700B(config-router)#network 5.5.5.5 0.0.0.0 area 2
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip ospf interface
1700B#show ip ospf neighbor
1700B#show ip ospf database

WAN Technologies: Frame-Relay

Frame-Relay Overview
• Frame Relay is an ITU-T and ANSI standard that defines the process for sending data over a public data network.
• Connections are made by virtual circuits; the service is connection-oriented.
• The core aspects of Frame Relay function at the lower two layers of the OSI reference model.

Frame-Relay and the OSI Reference Model
  Network layer and above: IP, IPX, AppleTalk, etc. (carried unchanged)
  Data-link layer:         Frame Relay
  Physical layer:          EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA/TIA-530

Selecting a Frame Relay Topology
• Frame Relay lets you interconnect remote sites in a variety of topologies: star (hub and spoke), full mesh and partial mesh.
• Frame Relay default: nonbroadcast multiaccess (NBMA). One physical interface reaches many remote routers, but there is no Layer 2 broadcast, so anything that relies on broadcast (RIP updates, OSPF hellos) has to be replicated on every virtual circuit.

Reachability Issues with Routing Updates
• Problem: broadcast traffic must be replicated for each active connection, and the split-horizon rule prevents routing updates received on one interface from being forwarded out the same interface. On a hub with several spokes on one physical interface, the spokes therefore never learn each other's routes.
• Split horizon can cause problems in NBMA environments; subinterfaces resolve them.
• Solution: a single physical interface simulates multiple logical interfaces (one subinterface per VC), so split horizon is applied per subinterface and the hub can re-advertise a spoke's routes to the other spokes.

Frame Relay Address Mapping
• Use LMI to get the locally significant DLCI from the Frame Relay switch.
• Use Inverse ARP to map the local DLCI to the remote router's network-layer address.
• A Frame Relay connection requires that, on a VC, the local DLCI be mapped to a destination network-layer address such as an IP address, either dynamically (Inverse ARP) or statically (a frame-relay map statement).

Frame Relay Signaling (LMI)
• LMI is the signaling standard between the router and the Frame Relay switch; it manages the connection and maintains status between the two devices.
• Cisco supports three LMI standards: Cisco, ANSI T1.617 Annex D, ITU-T Q.933 Annex A.

How Service Providers Map Frame Relay DLCIs (enterprise view)
• Service providers map Frame Relay DLCIs so that DLCIs with local significance appear at each end of a Frame Relay connection. The DLCI your router uses for a VC is independent of the DLCI the far-end router uses for the same VC.

Frame Relay Terms
Access rate: the maximum speed at which the Frame Relay interface can transmit (the physical port speed).
Committed Information Rate (CIR): the bandwidth the provider guarantees to carry on a virtual circuit. Traffic above the CIR (a burst) can be sent up to the access rate, but it is not guaranteed.
Virtual circuits: Frame Relay operates using virtual circuits. There are two types:
  Permanent (PVC): the telco creates the mappings inside their gear, and as long as you pay the bill they remain in place.
  Switched (SVC): the virtual circuit is established when data needs to be transmitted and torn down when the transfer is complete.
Data Link Connection Identifiers (DLCIs)
• Frame Relay PVCs are identified to DTE end devices using DLCIs. A DLCI is locally significant: it names the VC on this access link only, and the far end of the same VC usually has a different DLCI.
• Inverse ARP (IARP) is used to map a known DLCI to the remote router's IP address.

Local Management Interface (LMI)
o LMI is a signaling standard used between your router and the first Frame Relay switch (the local access link only, not end to end).
o Keepalives: the router and the switch exchange keepalives to verify that the access link and the switch are alive; the switch also reports the status of every DLCI configured on the link.
o Three standard LMI signaling formats: Cisco, ANSI, ITU-T (Q.933A). Both ends of the access link must use the same type; IOS can autosense it, or it is set with frame-relay lmi-type.

Frame Relay Congestion Control
Three bits in the Frame Relay header are used for congestion control:
Discard Eligibility (DE): when you burst (transmit beyond the CIR of a PVC), the frames exceeding the CIR are eligible to be discarded if the provider's network is congested at the time. To make that possible the excess frames are marked with the DE bit.
Forward Explicit Congestion Notification (FECN): when the Frame Relay network recognizes congestion in the cloud, the switch sets the FECN bit to 1 in the frame header. This tells the destination DTE that the path the frame just traversed is congested.
Backward Explicit Congestion Notification (BECN): when the switch detects congestion, it sets the BECN bit in frames travelling back toward the source router. This tells the sender that the traffic it is transmitting is meeting congestion ahead, so it should slow down.
These bits are advisory: a DTE may ignore FECN and BECN, and the provider's policing decides what is actually dropped. DE only settles which of your frames are dropped first when that happens.
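To make the header bits and the switch behaviour concrete, here is an added example (mine, not Cisco code and not part of the CCNA course material) that decodes and builds the two-byte Frame Relay address field, rewrites the DLCI the way the switch in the labs below does, and sets the FECN, BECN and DE bits. The switching table mirrors the shape of the lab's frame-relay route statements; the table and the function names are my own assumptions.

```python
"""Frame Relay Q.922 address field: parse, build, switch and mark congestion bits.

Added example for these notes; not Cisco code. Assumes the default two-byte
address field (EA bits 0 then 1) and a constructed switching table shaped like
the 'frame-relay route' statements in the lab configurations below.
"""
from dataclasses import dataclass, replace
from typing import Dict, Tuple


@dataclass(frozen=True)
class FrHeader:
    dlci: int      # 10-bit Data Link Connection Identifier (locally significant)
    cr: bool       # command/response bit (not used by Frame Relay itself)
    fecn: bool     # Forward Explicit Congestion Notification
    becn: bool     # Backward Explicit Congestion Notification
    de: bool       # Discard Eligibility


def parse_fr_header(frame: bytes) -> FrHeader:
    """Decode the first two bytes of a frame.

    Byte 0: DLCI bits 9..4 | C/R | EA=0     Byte 1: DLCI bits 3..0 | FECN | BECN | DE | EA=1
    """
    if len(frame) < 2:
        raise ValueError("frame shorter than a 2-byte address field")
    b0, b1 = frame[0], frame[1]
    if (b0 & 0x01) != 0 or (b1 & 0x01) != 1:
        raise ValueError("EA bits are not 0,1: not a 2-byte address field")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return FrHeader(dlci=dlci, cr=bool(b0 & 0x02), fecn=bool(b1 & 0x08),
                    becn=bool(b1 & 0x04), de=bool(b1 & 0x02))


def build_fr_header(h: FrHeader) -> bytes:
    """Inverse of parse_fr_header; DLCI 100 with no flags encodes as 18 41."""
    if not 0 <= h.dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((h.dlci >> 4) << 2) | (int(h.cr) << 1)                 # EA bit = 0
    b1 = (((h.dlci & 0x0F) << 4) | (int(h.fecn) << 3) | (int(h.becn) << 2)
          | (int(h.de) << 1) | 0x01)                              # EA bit = 1
    return bytes([b0, b1])


# Constructed switching table in the shape of the lab's 'frame-relay route' lines:
# (ingress interface, ingress DLCI) -> (egress interface, egress DLCI)
SWITCH_ROUTES: Dict[Tuple[str, int], Tuple[str, int]] = {
    ("s3/0", 100): ("s3/1", 101), ("s3/1", 101): ("s3/0", 100),
    ("s3/0", 200): ("s3/2", 201), ("s3/2", 201): ("s3/0", 200),
    ("s3/0", 300): ("s3/3", 301), ("s3/3", 301): ("s3/0", 300),
}


def switch_frame(in_if: str, frame: bytes,
                 routes: Dict[Tuple[str, int], Tuple[str, int]] = SWITCH_ROUTES,
                 congested: bool = False) -> Tuple[str, bytes]:
    """Do what the Frame Relay switch (3600A in the labs) does with one frame.

    The DLCI is rewritten from the route table (DLCIs are locally significant,
    so 100 on the hub side becomes 101 on the spoke side). If the egress path is
    congested the switch sets FECN on this frame so the receiver learns about
    it; the BECN for the sender rides on frames going the other way
    (mark_becn_reverse). A frame whose DLCI has no PVC is dropped.
    """
    hdr = parse_fr_header(frame)
    try:
        out_if, out_dlci = routes[(in_if, hdr.dlci)]
    except KeyError:
        raise LookupError(f"no PVC for DLCI {hdr.dlci} on {in_if}: frame dropped")
    new_hdr = replace(hdr, dlci=out_dlci, fecn=hdr.fecn or congested)
    return out_if, build_fr_header(new_hdr) + frame[2:]


def mark_becn_reverse(frame: bytes) -> bytes:
    """Set BECN on a frame heading back toward a sender whose path is congested."""
    return build_fr_header(replace(parse_fr_header(frame), becn=True)) + frame[2:]


def mark_discard_eligible(frame: bytes) -> bytes:
    """What the ingress switch does to frames that burst above the CIR."""
    return build_fr_header(replace(parse_fr_header(frame), de=True)) + frame[2:]
```

The EA check matters: a frame whose first byte has the EA bit set is a 3- or 4-byte address field (or garbage), and decoding it as two bytes would yield a wrong DLCI; rejecting it is the safe behaviour for anything that later acts on the DLCI.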

Frame-Relay Point-to-Point over OSPF Configuration LAB

Topology (3600A acts as the Frame Relay switch; the other four routers are DTEs):
  1700A  F0/0 10.0.0.1/8 (LAN)
         S0/0 to switch S3/0, encapsulation frame-relay, three point-to-point subinterfaces:
           S0/0.100  DLCI 100  20.0.0.1/8  -> 3600B
           S0/0.200  DLCI 200  30.0.0.1/8  -> 3600C
           S0/0.300  DLCI 300  40.0.0.1/8  -> 1700B
  3600B  S1/0 to switch S3/1, DLCI 101, 20.0.0.2/8; Loopback0 50.0.0.1/8
  3600C  S0/0 to switch S3/2, DLCI 201, 30.0.0.2/8; Loopback0 60.0.0.1/8
  1700B  S0/0 to switch S3/3, DLCI 301, 40.0.0.2/8; Loopback0 70.0.0.1/8
  3600A  Frame Relay switch: S3/0 DLCI 100 <-> S3/1 DLCI 101, S3/0 DLCI 200 <-> S3/2 DLCI 201, S3/0 DLCI 300 <-> S3/3 DLCI 301
(The original diagram labels the spoke-side DLCIs 101, 102 and 103; the switch configuration below uses 101, 201 and 301, and the switch configuration is what counts.)

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0
1700A(config-if)#encapsulation frame-relay
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0.100 point-to-point
1700A(config-subif)#ip address 20.0.0.1 255.0.0.0
1700A(config-subif)#frame-relay interface-dlci 100
1700A(config-subif)#no shutdown
1700A(config-subif)#interface S0/0.200 point-to-point
1700A(config-subif)#ip address 30.0.0.1 255.0.0.0
1700A(config-subif)#frame-relay interface-dlci 200
1700A(config-subif)#no shutdown
1700A(config-subif)#interface S0/0.300 point-to-point
1700A(config-subif)#ip address 40.0.0.1 255.0.0.0
1700A(config-subif)#frame-relay interface-dlci 300
1700A(config-subif)#no shutdown
1700A(config-subif)#^Z
1700A#show ip interface brief
1700A#configure terminal
1700A(config)#router ospf 1
1700A(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 20.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 30.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 40.0.0.0 0.255.255.255 area 0
1700A(config-router)#^Z
1700A#show ip route
1700A#show frame-relay map
(The physical S0/0 carries no IP address; the encapsulation goes on the physical interface and the address and DLCI go on each subinterface. The physical interface still needs no shutdown or the subinterfaces stay down.)

LMI Configuration
The LMI type must match what the switch speaks. Pick one of the three, or leave it unset and let IOS autosense it:
1700A#configure terminal
1700A(config)#interface S0/0
1700A(config-if)#frame-relay lmi-type cisco
  or
1700A(config-if)#frame-relay lmi-type ansi
  or
1700A(config-if)#frame-relay lmi-type q933a
1700A(config-if)#^Z
1700A#show ip route
1700A#show frame-relay map
1700A#show frame-relay pvc
1700A#show frame-relay lmi

3600B
Router>enable
Router#configure terminal
Router(config)#hostname 3600B
3600B(config)#interface Loopback 0
3600B(config-if)#ip address 50.0.0.1 255.0.0.0
3600B(config-if)#interface S1/0
3600B(config-if)#encapsulation frame-relay
3600B(config-if)#ip address 20.0.0.2 255.0.0.0
3600B(config-if)#ip ospf network point-to-point
3600B(config-if)#no shutdown
3600B(config-if)#^Z
3600B#show ip route
3600B#configure terminal
3600B(config)#router ospf 1
3600B(config-router)#network 20.0.0.0 0.255.255.255 area 0
3600B(config-router)#network 50.0.0.0 0.255.255.255 area 0
3600B(config-router)#^Z
3600B#show frame-relay map
LMI type on S1/0: the same three choices as on 1700A.
3600B#show ip route
3600B#show frame-relay map
3600B#show frame-relay pvc
3600B#show frame-relay lmi
(Why ip ospf network point-to-point on the spokes: the spoke uses its physical Frame Relay interface, whose default OSPF network type is nonbroadcast (hello 30 s, DR election). The hub's point-to-point subinterfaces use the point-to-point type (hello 10 s). With mismatched types and timers the adjacency never forms, so the spoke is set to point-to-point to match the hub.)

3600C
Router>enable
Router#configure terminal
Router(config)#hostname 3600C
3600C(config)#interface Loopback 0
3600C(config-if)#ip address 60.0.0.1 255.0.0.0
3600C(config-if)#interface S0/0
3600C(config-if)#encapsulation frame-relay
3600C(config-if)#ip address 30.0.0.2 255.0.0.0
3600C(config-if)#ip ospf network point-to-point
3600C(config-if)#no shutdown
3600C(config-if)#exit
3600C(config)#router ospf 1
3600C(config-router)#network 30.0.0.0 0.255.255.255 area 0
3600C(config-router)#network 60.0.0.0 0.255.255.255 area 0
3600C(config-router)#^Z
3600C#show frame-relay map
LMI type on S0/0: the same three choices as on 1700A.
3600C#show ip route
3600C#show frame-relay map
3600C#show frame-relay pvc
3600C#show frame-relay lmi

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface loopback 0
1700B(config-if)#ip address 70.0.0.1 255.0.0.0
1700B(config-if)#interface S0/0
1700B(config-if)#encapsulation frame-relay
1700B(config-if)#ip address 40.0.0.2 255.0.0.0
1700B(config-if)#ip ospf network point-to-point
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router ospf 1
1700B(config-router)#network 40.0.0.0 0.255.255.255 area 0
1700B(config-router)#network 70.0.0.0 0.255.255.255 area 0
1700B(config-router)#^Z
1700B#show frame-relay map
LMI type on S0/0: the same three choices as on 1700A.
1700B#show ip route
1700B#show frame-relay map
1700B#show frame-relay pvc
1700B#show frame-relay lmi

3600A (Frame Relay switch)
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#frame-relay switching
3600A(config)#interface Serial3/0
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay lmi-type cisco
3600A(config-if)#frame-relay route 100 interface Serial3/1 101
3600A(config-if)#frame-relay route 200 interface Serial3/2 201
3600A(config-if)#frame-relay route 300 interface Serial3/3 301
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#interface Serial3/1
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay lmi-type cisco
3600A(config-if)#frame-relay route 101 interface Serial3/0 100
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#interface Serial3/2
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay lmi-type cisco
3600A(config-if)#frame-relay route 201 interface Serial3/0 200
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#interface Serial3/3
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay lmi-type cisco
3600A(config-if)#frame-relay route 301 interface Serial3/0 300
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#^Z
3600A#show frame-relay lmi
3600A#show frame-relay route
3600A#show frame-relay pvc
3600A#show frame-relay map
(Each PVC needs a route statement in both directions: the entry on S3/0 sends DLCI 100 out S3/1 as 101, and the entry on S3/1 sends 101 back out S3/0 as 100. show frame-relay route lists them with their status.)

Frame-Relay Point-to-Multipoint over OSPF Configuration LAB

Topology (3600A again acts as the Frame Relay switch with the same DLCI routing as the previous lab; this time the hub uses one physical interface and one subnet, 20.0.0.0/8, for all three PVCs):
  1700A  F0/0 10.0.0.1/8 (LAN); S0/0 20.0.0.1/8 with DLCIs 100, 200, 300 to switch S3/0
  3600B  S1/0 20.0.0.2/8, DLCI 101 (switch S3/1); Loopback0 30.0.0.1/8
  3600C  S1/0 20.0.0.3/8, DLCI 201 (switch S3/2); Loopback0 40.0.0.1/8
  1700B  S0/0 20.0.0.4/8, DLCI 301 (switch S3/3); Loopback0 50.0.0.1/8 (its configuration is not shown on this page)

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface f0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface s0/0
1700A(config-if)#encapsulation frame-relay
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#ip ospf network point-to-multipoint
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router ospf 1
1700A(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 20.0.0.0 0.255.255.255 area 0
1700A(config-router)#^Z
1700A#show ip ospf neighbor
1700A#show ip ospf database
1700A#show frame-relay map
(With no subinterfaces, hub and spokes learn each other's addresses through Inverse ARP; the dynamic maps it creates carry the broadcast flag OSPF needs. The spokes have no PVC to each other, but the point-to-multipoint network type advertises every neighbour as a /32 host route through the hub, so spoke-to-spoke traffic is relayed by 1700A without static frame-relay map statements. If Inverse ARP is turned off, static maps with the broadcast keyword are required on every router.)

3600B
Router>enable
Router#configure terminal
Router(config)#hostname 3600B
3600B(config)#interface loopback 0
3600B(config-if)#ip address 30.0.0.1 255.0.0.0
3600B(config-if)#interface s1/0
3600B(config-if)#encapsulation frame-relay
3600B(config-if)#ip address 20.0.0.2 255.0.0.0
3600B(config-if)#ip ospf network point-to-multipoint
3600B(config-if)#no shutdown
3600B(config-if)#exit
3600B(config)#router ospf 1
3600B(config-router)#network 20.0.0.0 0.255.255.255 area 0
3600B(config-router)#network 30.0.0.0 0.255.255.255 area 0
3600B(config-router)#^Z
3600B#show ip route
3600B#show frame-relay map
3600B#show frame-relay pvc

3600C
Router>enable
Router#configure terminal
Router(config)#hostname 3600C
3600C(config)#interface loopback 0
3600C(config-if)#ip address 40.0.0.1 255.0.0.0
3600C(config-if)#interface s1/0
3600C(config-if)#encapsulation frame-relay
3600C(config-if)#ip address 20.0.0.3 255.0.0.0
3600C(config-if)#ip ospf network point-to-multipoint
3600C(config-if)#no shutdown
3600C(config-if)#exit
3600C(config)#router ospf 1
3600C(config-router)#network 20.0.0.0 0.255.255.255 area 0
3600C(config-router)#network 40.0.0.0 0.255.255.255 area 0
3600C(config-router)#^Z
3600C#show ip route
3600C#show frame-relay map
3600C#show frame-relay pvc

3600A (Frame Relay switch)
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#frame-relay switching
3600A(config)#interface s3/0
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay route 100 interface s3/1 101
3600A(config-if)#frame-relay route 200 interface s3/2 201
3600A(config-if)#frame-relay route 300 interface s3/3 301
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#interface s3/1
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay route 101 interface s3/0 100
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#interface s3/2
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay route 201 interface s3/0 200
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#interface s3/3
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay route 301 interface s3/0 300
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#^Z
3600A#show frame-relay route
3600A#show frame-relay map
3600A#show frame-relay pvc
(The return routes on s3/1, s3/2 and s3/3 must point back to s3/0, not to the interface they sit on; the spoke interfaces also need no shutdown, which the original omitted.)

Managing Traffic with Access Lists

An access list is essentially a list of conditions that categorize packets. Access lists are useful when you need control over network traffic:
• Manage IP traffic as network access grows.
• Filter packets as they pass through the router.

There are a few important rules that a packet follows when it is compared with an access list:
• It is always compared with each line of the access list in sequential order: it starts with the first line, then line 2, then line 3, and so on.
• It is compared with lines of the access list only until a match is made. Once the packet matches the condition on a line, the packet is acted upon (permitted or denied) and no further comparisons take place.
• There is an implicit deny at the end of every access list: if a packet does not match any line, it is discarded.

Two main types of access lists
1. Standard access lists use only the source IP address of an IP packet as the condition test. All decisions are made on the source address, so a standard list permits or denies the entire protocol suite from that source; it cannot single out Telnet or HTTP.
2. Extended access lists can evaluate many of the other fields in the Layer 3 and Layer 4 headers of an IP packet: source and destination IP addresses, the protocol field in the Network layer header, and the port numbers in the Transport layer header. This lets extended lists make much more granular decisions when controlling traffic.
Named access lists are not a third type: a named list is either standard or extended. They are created and referred to by name instead of number but are functionally the same. One practical difference: individual lines can be removed from a named list, which numbered lists in classic IOS do not allow.

Access List Configuration Guidelines
 Access list numbers indicate which protocol is filtered.
 One access list per interface, per protocol, per direction is allowed.
 The order of access list statements controls testing: place the most specific (and most restrictive) statements at the top of the list. A broad permit placed first shadows every deny below it.
 There is an implicit deny any statement as the last access list test. Every list needs at least one permit statement, or it blocks all traffic.
 Create access lists before applying them to interfaces. Applying a number that has no entries permits everything, and on older IOS deleting a list that is still applied to an interface denies everything; remove the ip access-group first.
 Any time a new entry is added to a numbered access list, it is placed at the bottom of the list.
 Access lists filter traffic going through the router; they do not apply to traffic originating from the router itself.
 You cannot remove one line from a numbered access list. If you try, you remove the entire list; named access lists allow per-line removal.

Inbound access lists: when an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Denied packets are discarded before the routing process is invoked, so they cost no routing work.
Outbound access lists: when an access list is applied to outbound packets on an interface, the packets are routed to the outbound interface first and then processed through the access list before being queued.

Access-list types are differentiated by number range:
1-99        IP standard access list
100-199     IP extended access list
200-299     Protocol type-code access list
300-399     DECnet access list
600-699     AppleTalk access list
700-799     48-bit MAC address access list
800-899     IPX standard access list
900-999     IPX extended access list
1000-1099   IPX SAP access list
1100-1199   Extended 48-bit MAC address access list
1200-1299   IPX summary address access list
1300-1999   IP standard access list (expanded range)
2000-2699   IP extended access list (expanded range)

Well-Known Port Numbers
In TCP/IP and UDP networks, a port is an endpoint of a logical connection and the way a client program specifies a particular server program on a host. Some ports are preassigned by IANA (Internet Assigned Numbers Authority); these are the well-known ports (0-1023). They were originally listed in RFC 1700, which is now obsolete; the current list is the IANA Service Name and Transport Protocol Port Number Registry. Port numbers range from 0 to 65535. Most entries below are TCP; SNMP (161), TFTP (69) and DHCPv6 (546/547) are UDP.

Port   Service
1      TCP Port Service Multiplexer (TCPMUX)
5      Remote Job Entry
7      ECHO
9      DISCARD
13     DAYTIME
18     MSP (Message Send Protocol)
19     CHARGEN (character generator)
20     FTP (File Transfer Protocol) - data
21     FTP (File Transfer Protocol) - control
22     SSH (Secure Shell)
23     TELNET
25     SMTP (Simple Mail Transfer Protocol)
29     MSG ICP
37     TIME
42     Host Name Server
43     WHOIS (nickname)
49     Login Host Protocol / TACACS
53     DNS (Domain Name System)
69     TFTP (Trivial File Transfer Protocol)
70     Gopher
79     Finger
80     HTTP (Hypertext Transfer Protocol)
101    NIC Host Name Server
103    X.400 Standard
109    POP2 (Post Office Protocol version 2)
110    POP3 (Post Office Protocol version 3)
111    Sun Remote Procedure Call (sunrpc)
113    Ident / Auth
115    SFTP (Simple File Transfer Protocol, not SSH file transfer)
118    SQL Services
119    NNTP (Network News Transfer Protocol)
137    NetBIOS Name Service
138    NetBIOS Datagram Service
139    NetBIOS Session Service
143    IMAP (Internet Message Access Protocol)
150    SQL-NET
156    SQL Server
161    SNMP (Simple Network Management Protocol)
179    BGP (Border Gateway Protocol)
190    GACP (Gateway Access Control Protocol)
194    IRC (Internet Relay Chat)
197    DLS (Directory Location Service)
389    LDAP (Lightweight Directory Access Protocol)
396    Novell NetWare over IP
443    HTTPS (HTTP over TLS)
444    SNPP (Simple Network Paging Protocol)
445    Microsoft-DS (SMB over TCP)
448    Apple QuickTime
512    EXEC (rexec)
513    LOGIN (rlogin)
514    RCMD (rsh, remote command); UDP 514 is syslog
515    LPD printer service
540    UUCP (Unix-to-Unix Copy Program)
543    KLOGIN (Kerberos login)
544    KSHELL (Kerberos shell)
546    DHCPv6 client
547    DHCPv6 server
563    SNEWS (NNTP over TLS)
569    MSN
1080   SOCKS

Telnet (23), FTP (20/21), TFTP (69), HTTP (80) and the r-services (512-514) send credentials or data in cleartext; these are the ports extended access lists most often block on the way in, with SSH (22) and HTTPS (443) as the replacements.

Standard access lists Configuration LAB

Topology:
  LAN 10.0.0.0/8: hosts 10.0.0.2 and 10.0.0.3 on a switch, gateway 1700A F0/0 10.0.0.1
  1700A S0/0 20.0.0.1 <-> 1700B S0/0 20.0.0.2 (serial link, RIP)
  LAN 30.0.0.0/8: hosts 30.0.0.2 and 30.0.0.3 on a switch, gateway 1700B F0/0 30.0.0.1
Task: block Telnet access to 1700A from 30.0.0.3; permit all other sources.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#enable secret 123
1700A(config)#line vty 0 4
1700A(config-line)#password 123
1700A(config-line)#login
1700A(config-line)#exit
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip interface brief
1700A#show ip protocols
(enable secret is a global command, not a line command; the original placed it under line vty. "123" is a lab value only: the vty password is stored in cleartext in the running configuration unless service password-encryption is set, and Telnet itself carries it in cleartext across the link. For anything beyond a lab use a long secret, a local user with login local, and SSH instead of Telnet.)

Standard access list on 1700A (standard lists use numbers 1-99):
1700A(config)#access-list 10 deny 30.0.0.3 0.0.0.0      (wildcard 0.0.0.0 means this one host only; host 30.0.0.3 is equivalent)
1700A(config)#access-list 10 permit any                  (without this line the implicit deny would lock every address out of the vty lines)
1700A(config)#line vty 0 4
1700A(config-line)#access-class 10 in                    (apply to incoming sessions on all vty lines)
1700A(config-line)#^Z
1700A#show ip access-lists
To lift the restriction: no access-class 10 in under line vty 0 4.
access-class on the vty lines restricts who may open a management session no matter which interface the packets arrive on, which is why management-plane filtering belongs here rather than in a per-interface access list.

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router rip
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip interface brief
1700B#show ip protocols

Extended access lists Configuration LAB

Topology (same addressing as the standard-list lab; the labels show the direction an access list on each interface would filter):
  1700A F0/0 10.0.0.1 (outbound toward the 10.0.0.0 LAN), S0/0 20.0.0.1 (inbound from the WAN)
  1700B S0/0 20.0.0.2 (outbound toward the WAN), F0/0 30.0.0.1 (inbound from the 30.0.0.0 LAN)
  LAN 10.0.0.0/8: hosts 10.0.0.2 and 10.0.0.3; LAN 30.0.0.0/8: hosts 30.0.0.2 and 30.0.0.3
Task: block FTP traffic from 30.0.0.2 to 10.0.0.2; permit everything else.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip interface brief
1700A#show ip protocols

Extended access list on 1700A (extended lists use numbers 100-199):
1700A(config)#access-list 100 deny tcp 30.0.0.2 0.0.0.0 10.0.0.2 0.0.0.0 eq 21
   30.0.0.2 0.0.0.0  source, exactly this host (host 30.0.0.2 is the same thing)
   10.0.0.2 0.0.0.0  destination, exactly this host
   eq 21             destination port equal to 21 (FTP control)
1700A(config)#access-list 100 permit ip any any
   every other packet, from any source to any destination, is permitted; without it the implicit deny would block all traffic leaving F0/0, including RIP
1700A(config)#interface F0/0
1700A(config-if)#ip access-group 100 out        (filter packets as they leave F0/0 toward the 10.0.0.0 LAN)
1700A(config-if)#^Z
1700A#show ip access-lists
Two caveats. First, eq 21 matches only the FTP control connection; that is enough to stop a session from being set up, but the data connection uses port 20 (active mode) or a high port chosen by the server (passive mode), so rules that try to "block FTP" by port numbers alone are never complete. Second, placement: an extended list is best applied as close to the source as possible (inbound on 1700B's F0/0, or at least inbound on 1700A's S0/0), so the denied traffic is dropped before it crosses the serial link. Applying it outbound on F0/0 works but carries the unwanted traffic over the WAN first.

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router rip
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip interface brief
1700B#show ip protocols
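The matching rules above (top-down, first match, implicit deny, wildcard masks) are easy to get wrong when a list grows. Here is an added example, my own and not from the CCNA course or Cisco, that evaluates IOS-style numbered standard and extended lists against constructed packets. It is written to accept the same text you would type after access-list N, so the entries from the standard-list lab and from the FTP/HTTP labs can be checked before they are applied to a router; the packet model and all function names are my own assumptions.

```python
"""IOS-style numbered IP access-list evaluator.

Added example for these notes; not Cisco code. Models what the text describes:
top-down first-match evaluation with an implicit deny at the end; standard
lists (1-99, 1300-1999) testing only the source; extended lists (100-199,
2000-2699) testing protocol, source, destination and an 'eq <port>' or ICMP
message qualifier; wildcard masks with the 'host' and 'any' shorthands.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Qualifier = Union[int, str, None]   # TCP/UDP destination port, ICMP message name, or None


@dataclass(frozen=True)
class Packet:               # constructed test packets, not captured traffic
    src: str
    dst: str
    proto: str = "ip"       # "tcp", "udp", "icmp" or "ip" for anything else
    qualifier: Qualifier = None   # e.g. 80 for tcp, "echo" for icmp


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, 0 = must match (the inverse of a subnet mask)."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _parse_addr(tok: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' | bare 'A' at tok[i]; return base, wildcard, next index."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit() and "." in tok[i + 1]:
        return tok[i], tok[i + 1], i + 2
    return tok[i], "0.0.0.0", i + 1          # a bare address means that single host


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: str
    swc: str
    dst: str
    dwc: str
    qualifier: Qualifier


class AccessList:
    def __init__(self, number: int):
        self.number = number
        self.standard = 1 <= number <= 99 or 1300 <= number <= 1999
        if not (self.standard or 100 <= number <= 199 or 2000 <= number <= 2699):
            raise ValueError(f"{number} is not an IP access-list number")
        self.entries: List[Entry] = []

    def add(self, line: str) -> None:
        """Append the text that follows 'access-list N' in IOS; new lines always go to the bottom."""
        tok = line.split()
        action = tok[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r}")
        if self.standard:                     # standard list: source only, every protocol
            src, swc, _ = _parse_addr(tok, 1)
            self.entries.append(Entry(action, "ip", src, swc, "0.0.0.0", "255.255.255.255", None))
            return
        proto = tok[1]
        src, swc, i = _parse_addr(tok, 2)
        dst, dwc, i = _parse_addr(tok, i)
        qual: Qualifier = None
        if i < len(tok):                      # 'eq 80' for tcp/udp, or an ICMP name such as 'echo'
            qual = int(tok[i + 1]) if tok[i] == "eq" else tok[i]
        self.entries.append(Entry(action, proto, src, swc, dst, dwc, qual))

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, index of the matching line); index None means the implicit deny matched."""
        for idx, e in enumerate(self.entries):
            if e.proto != "ip" and e.proto != pkt.proto:
                continue
            if not wildcard_match(pkt.src, e.src, e.swc) or not wildcard_match(pkt.dst, e.dst, e.dwc):
                continue
            if e.qualifier is not None and e.qualifier != pkt.qualifier:
                continue
            return e.action, idx              # first match wins; no further lines are tested
        return "deny", None                   # implicit deny any at the end of every list


def lab_access_lists() -> Tuple[AccessList, AccessList]:
    """The standard list from the Telnet lab and the extended list from the FTP/HTTP LAB-2 on this page."""
    acl10 = AccessList(10)
    acl10.add("deny 30.0.0.3 0.0.0.0")
    acl10.add("permit any")
    acl100 = AccessList(100)
    acl100.add("deny tcp host 30.0.0.3 10.0.0.0 0.255.255.255 eq 80")
    acl100.add("deny tcp host 30.0.0.4 host 10.0.0.2 eq 21")
    acl100.add("deny tcp host 30.0.0.4 host 10.0.0.2 eq 80")
    acl100.add("permit ip any any")
    return acl10, acl100
```

The evaluator returns which line matched as well as the verdict, which is the same information show ip access-lists gives through its per-line match counters; a deny line whose counter never moves usually means an earlier line is shadowing it.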

Extended access lists Configuration LAB - 2

Topology (same addressing and direction labels as the previous lab; hosts 10.0.0.2, 10.0.0.3 on the 1700A LAN and 30.0.0.2, 30.0.0.3, 30.0.0.4 on the 1700B LAN).
Tasks:
  Block HTTP traffic from 30.0.0.3 to the 10.0.0.0 network.
  Block FTP and HTTP traffic from 30.0.0.4 to 10.0.0.2.
  Block ICMP echo (ping) from 10.0.0.2 to the 30.0.0.0 network (filtered on 1700B).
  Permit everything else.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip interface brief
1700A#show ip protocols
1700A#configure terminal
1700A(config)#access-list 100 deny tcp host 30.0.0.3 10.0.0.0 0.255.255.255 eq 80
   (30.0.0.3 0.0.0.0 in place of host 30.0.0.3 is the same match)
1700A(config)#access-list 100 deny tcp host 30.0.0.4 host 10.0.0.2 eq 21
1700A(config)#access-list 100 deny tcp host 30.0.0.4 host 10.0.0.2 eq 80
1700A(config)#access-list 100 permit ip any any
Apply the list in one of the two places, not both:
1700A(config)#interface S0/0
1700A(config-if)#ip access-group 100 in         (inbound on the WAN interface: dropped on arrival, closest to the source)
   or
1700A(config)#interface F0/0
1700A(config-if)#ip access-group 100 out        (outbound on the LAN interface: dropped after routing, just before delivery)
1700A(config-if)#^Z
1700A#show ip access-lists

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router rip
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip interface brief
1700B#show ip protocols
1700B#configure terminal
1700B(config)#access-list 199 deny icmp 10.0.0.2 0.0.0.0 30.0.0.0 0.255.255.255 echo
1700B(config)#access-list 199 permit ip any any

1700B(config)#interface S0/0
1700B(config-if)#ip access-group 199 in
1700B(config-if)#^Z
1700B#show ip access-lists
(The deny matches only ICMP echo requests; echo replies and other ICMP types from 10.0.0.2 still pass, and permit ip any any keeps the RIP updates, UDP port 520, flowing across S0/0.)

Network Address Translation (NAT)
NAT is used when an end user's network has only a few public addresses available for reaching the global Internet. The router keeps a table that maps 'inside local' addresses (the private addresses used on the LAN) to 'inside global' addresses (the legal, routable IP addresses). The mapping can be done statically or from a dynamic pool of available legal addresses. There are several ways to implement NAT:
Static address translation: a one-to-one mapping between an inside local address and an inside global address.
Dynamic source address translation: individual addresses from a pool of global addresses are mapped to local addresses on demand.
(The original illustrates NAT operation with a diagram that is not reproduced here.)

For both static and dynamic NAT the process is:
1. An inside station connects to an outside station.
2. When the first packet arrives from the inside station, the router checks the NAT table.
3. If no static match is found, the router translates the inside address to an outside address taken from the available pool by replacing the source address. The resulting mapping is saved as a 'simple entry' (one inside address to one outside address).
4. The outside station receives the packet and replies to the outside address given by the NAT table.
5. The router looks up its table of inside-to-outside mappings and forwards the reply to the station with the inside address.
6. The rest of the conversation uses the NAT table entry.

Address Overloading (PAT)
Sometimes called Port Address Translation (PAT), this is where every client shares the same outside IP address but uses a different port. A good example is access to a web server: users on the private 10.0.0.0 network have their individual addresses translated to one legal IP address with separate source port numbers between 1024 and 65535. They can all hold separate conversations with a web server that has one address and destination port 80 (HTTP). The same applies when one user has several sessions with the same web server: the different port numbers distinguish the sessions. The process is:
1. An inside station connects to an outside station.
2. When the first packet arrives from the inside station, the router checks the NAT table.
3. If no static match is found, the router translates the inside address to the shared outside address and the source port to a free port, and saves the mapping as an 'extended entry' (address plus port). If other inside addresses connect to outside stations, the same IP address is used but a different port distinguishes each conversation.
4. The outside station receives the packet and replies to the outside address and port given by the NAT table.
5. The router looks up its table of inside-to-outside address and port mappings and forwards the reply to the station with the inside address.
6. The rest of the conversation uses the NAT table entry.
NAT hides inside addresses, and with PAT an unsolicited packet from outside is dropped simply because no table entry exists for it. That is a side effect, not a firewall: a static entry or a port forward makes the inside host reachable on the mapped address and port from the whole outside world, so it still needs an access list in front of it.
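The two procedures above, and the three labs that follow, differ only in what goes into the translation table and when a packet gets no entry. Here is an added example, my own and not from the CCNA course or Cisco, that models the table: static one-to-one NAT, dynamic NAT from a pool (including what happens when the pool runs out), PAT on one overload address, and a static TCP port forward. It uses the addresses of the labs on this page; the traffic, the class and its method names are my own assumptions.

```python
"""NAT translation-table model: static, dynamic pool, PAT overload, port forward.

Added example for these notes; not Cisco code. It follows the process
described in the text (static match first, then a 'simple entry' from the
pool, then an 'extended entry' keyed by port) and uses the lab addresses;
the packets are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]                  # (IP address, TCP/UDP port)
Translation = Tuple[Endpoint, Endpoint]     # (src, dst) after rewriting


@dataclass
class NatRouter:
    inside_list: str                        # the 'access-list 1 permit' subnet, e.g. "10.0.0.64/26"
    static: Dict[str, str] = field(default_factory=dict)       # inside local -> inside global
    pool: List[str] = field(default_factory=list)             # 'ip nat pool' addresses
    overload_ip: Optional[str] = None                         # interface address used with 'overload'
    forwards: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # (global ip, port) -> (local ip, port)
    simple: Dict[str, str] = field(default_factory=dict)      # dynamic one-to-one entries
    extended: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # (global ip, gport) -> (local ip, lport)
    next_port: int = 1024

    def configure_pool(self, first: str, last: str) -> None:
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.pool = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]

    def _allocate_port(self) -> int:
        for _ in range(65535 - 1024):
            port = self.next_port
            self.next_port = 1024 if port == 65535 else port + 1
            if (self.overload_ip, port) not in self.extended:
                return port
        raise RuntimeError("PAT port space exhausted")

    def outbound(self, src: Endpoint, dst: Endpoint) -> Optional[Translation]:
        """Inside -> outside. Returns the rewritten (src, dst), or None when the packet is dropped."""
        ip, port = src
        if ip in self.static:                                  # static match is checked first
            return (self.static[ip], port), dst
        if ipaddress.IPv4Address(ip) not in ipaddress.IPv4Network(self.inside_list):
            return None                                        # not selected by the access-list: no translation
        if self.pool:                                          # dynamic NAT: one global address per inside host
            if ip not in self.simple:
                free = [g for g in self.pool if g not in self.simple.values()]
                if not free:
                    return None                                # pool exhausted: a new host gets nothing
                self.simple[ip] = free[0]
            return (self.simple[ip], port), dst
        if self.overload_ip:                                   # PAT: one global address, many ports
            for glob, local in self.extended.items():
                if local == src:
                    return glob, dst                           # an existing session keeps its port
            gport = self._allocate_port()
            self.extended[(self.overload_ip, gport)] = src
            return (self.overload_ip, gport), dst
        return None

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Translation]:
        """Outside -> inside. Only traffic with a table entry or a static forward gets through."""
        if dst in self.forwards:
            return src, self.forwards[dst]
        for table in (self.static, self.simple):
            for local, glob in table.items():
                if glob == dst[0]:
                    return src, (local, dst[1])                # one-to-one: every port of the host is reachable
        if dst in self.extended:
            return src, self.extended[dst]
        return None                                            # unsolicited packet to the PAT address: dropped
```

The inbound path is where the security difference shows: a one-to-one entry (static or dynamic) forwards any destination port to the inside host, while the PAT address only answers for ports that an inside host opened first, plus whatever port forwards you add.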

Static NAT Configuration LAB

Topology:
  LAN 10.0.0.0/8: hosts 10.0.0.2 and 10.0.0.3 on a switch, gateway 1700A F0/0 10.0.0.1
  1700A S0/0 20.0.0.1 <-> 1700B S0/0 20.0.0.2 (1700B stands in for the ISP)
  LAN 30.0.0.0/8: SERVER 30.0.0.2 behind 1700B F0/0 30.0.0.1
Task: translate inside host 10.0.0.2 one-to-one to 20.0.0.1.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.2         (default route toward the ISP side)
1700A(config)#exit
1700A#show ip route
1700A#show ip interface brief
1700A#configure terminal
1700A(config)#ip nat inside source static 10.0.0.2 20.0.0.1   (inside local 10.0.0.2 appears outside as inside global 20.0.0.1)
1700A(config)#interface F0/0
1700A(config-if)#ip nat inside
1700A(config-if)#interface S0/0
1700A(config-if)#ip nat outside
1700A(config-if)#^Z
1700A#debug ip nat                  (prints every translation as it is made; turn it off with undebug all, the output is expensive on a busy router)
1700A#show ip nat translations
1700A#show ip nat statistics
(The lab reuses 1700A's own S0/0 address as the inside global address. In a real deployment the inside global address is a spare public address: a one-to-one mapping to the interface address hands everything that arrives for 20.0.0.1, including Telnet to the router itself, to 10.0.0.2.)

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown

Dynamic NAT Configuration LAB

Topology:
  LAN 10.0.0.64/26 (major network 10.0.0.0/8): hosts 10.0.0.65, 10.0.0.66, ... on a switch behind 1700A F0/0
    (F0/0 needs a host address from 10.0.0.65-10.0.0.126; the original diagram's 10.0.0.64 is the subnet address and IOS will not accept it)
  1700A S0/0 20.0.0.1 <-> ISP router 1700B S0/0 20.0.0.2
  ISP LAN 30.0.0.0/8: SERVERs at 30.0.0.2 behind 1700B F0/0 30.0.0.1
  ISP-provided public block 200.200.200.0/24, of which 200.200.200.8/29 is used for the NAT pool

Inside addressing: major network 10.0.0.0/8, 62 host addresses needed.
  2^6 - 2 = 62, so 6 host bits and 26 network bits; subnet mask 255.255.255.192 (/26)
  Subnet (NID)   10.0.0.64
  First host     10.0.0.65
  Last host      10.0.0.126
  Broadcast      10.0.0.127
ISP-provided block: 200.200.200.0/24, 6 public addresses needed for the pool.
  2^3 - 2 = 6, so 3 host bits; subnet mask 255.255.255.248 (/29)
  Subnet (NID)   200.200.200.8
  First host     200.200.200.9
  Last host      200.200.200.14
  Broadcast      200.200.200.15

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.126 255.255.255.192     (last usable host of the /26; any address in 10.0.0.65-126 not used by a host will do)
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.2
1700A(config)#exit
1700A#show ip route
1700A#show ip interface brief
1700A#configure terminal
1700A(config)#access-list 1 permit 10.0.0.64 0.0.0.63                   (which inside addresses may be translated; wildcard 0.0.0.63 covers the /26)
1700A(config)#ip nat pool CCNA 200.200.200.9 200.200.200.14 netmask 255.255.255.248
1700A(config)#ip nat inside source list 1 pool CCNA
1700A(config)#interface F0/0
1700A(config-if)#ip nat inside
1700A(config-if)#interface S0/0
1700A(config-if)#ip nat outside
1700A(config-if)#^Z
1700A#debug ip nat
1700A#show ip nat translations
(The pool holds six addresses for up to 62 hosts. The seventh host that tries to go outside at the same time gets no translation and its packets are dropped until an existing entry times out; that is the limitation overloading removes in the next lab.)

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#ip route 200.200.200.0 255.255.255.0 20.0.0.1   (return route: the ISP must send the pool addresses back to 1700A)
1700B(config)#exit
1700B#show ip route

PAT (Port Address Translation) Configuration LAB

Topology: 1700A has F0/0 10.0.0.1 (hosts 10.0.0.2 and 10.0.0.3 behind a switch) and S0/0 20.0.0.1; 1700B (the ISP) has S0/0 20.0.0.2 and F0/0 30.0.0.1 with a server at 30.0.0.2.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.2
1700A(config)#access-list 1 permit 10.0.0.0 0.255.255.255
1700A(config)#ip nat inside source list 1 interface Serial 0/0 overload
1700A(config)#interface F0/0
1700A(config-if)#ip nat inside
1700A(config-if)#interface S0/0
1700A(config-if)#ip nat outside
1700A(config-if)#end
1700A#show ip nat translations

Why PAT is configured: the LAN uses private (RFC 1918) addresses, which are not routed on the public Internet. With the `overload` keyword every inside host is translated to the single public address of Serial 0/0 and the sessions are told apart by source port, so one address serves the whole LAN.

For hosts on a remote (public) network to reach a server on the inside, port forwarding is configured with static entries:
1700A(config)#ip nat inside source static tcp 10.0.0.2 21 20.0.0.1 21 extendable
1700A(config)#ip nat inside source static tcp 10.0.0.2 80 20.0.0.1 80 extendable
10.0.0.2 - the inside host being published
20.0.0.1 - the public address (Serial 0/0) on which it is reached
21 - FTP control port
80 - HTTP port
extendable - allows several static translations to share the same outside address (here two ports of 20.0.0.1) and further ones to be added later
How to check: from a machine on a remote network, open ftp://20.0.0.1/ (then download a file) and http://20.0.0.1/shalom.html
Each of these lines exposes one port of 10.0.0.2 to everyone who can reach 20.0.0.1. NAT is not a firewall: an inbound access-list on Serial 0/0 that restricts who may reach ports 21 and 80 belongs with the port forwards, and FTP sends its credentials in clear text, so it should not be published this way on a real network.

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
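A model of the three translation styles configured on 1700A in the NAT labs above (a static port forward, a dynamic pool selected by an access-list, and PAT overload), so that the translation table and its failure modes can be exercised on constructed packets. This is an added example and not the notes' own material: the class, its method names and the packet type are invented here; the addresses and ports are the labs'. It ignores the outside peer's address in a PAT entry (which real IOS extended entries record) and does not model translation timeouts or the FTP ALG.

```python
import ipaddress
from dataclasses import dataclass, replace

# Added example, not from the course notes: the static, dynamic and PAT
# translations of the 1700A labs modelled in a few dozen lines. Names of the
# class and methods are this example's own; addresses and ports are the labs'.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class NatRouter:
    def __init__(self, outside_ip, inside_acl, pool=(), overload=False):
        self.outside_ip = outside_ip
        # access-list 1 permit 10.0.0.64 0.0.0.63  ->  10.0.0.64/26
        self.inside_acl = ipaddress.ip_network(inside_acl)
        self.pool = list(pool)      # ip nat pool ... (addresses still free)
        self.overload = overload    # ip nat inside source list 1 interface S0/0 overload
        self.static = {}            # (proto, outside port) -> (inside ip, inside port)
        self.dynamic = {}           # inside ip -> pool address
        self.pat = {}               # (proto, inside ip, sport) -> outside port
        self.pat_back = {}          # (proto, outside port) -> (inside ip, sport)
        self.next_port = 1024

    def port_forward(self, proto, inside_ip, inside_port, outside_port):
        """ip nat inside source static tcp 10.0.0.2 80 20.0.0.1 80 extendable"""
        self.static[(proto, outside_port)] = (inside_ip, inside_port)

    def _alloc_port(self, wanted):
        used = {port for _, port in self.pat_back} | {port for _, port in self.static}
        if wanted not in used:
            return wanted           # the original source port is kept when it is free
        while self.next_port in used:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """Inside -> outside. Returns the translated packet, the packet unchanged
        if the ACL does not select it, or None if it has to be dropped."""
        if ipaddress.ip_address(pkt.src) not in self.inside_acl:
            return pkt              # not matched by the ACL: forwarded untranslated
        if self.overload:
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.pat:
                port = self._alloc_port(pkt.sport)
                self.pat[key] = port
                self.pat_back[(pkt.proto, port)] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.outside_ip, sport=self.pat[key])
        if pkt.src not in self.dynamic:
            if not self.pool:
                return None         # pool exhausted: the packet is dropped
            self.dynamic[pkt.src] = self.pool.pop(0)
        return replace(pkt, src=self.dynamic[pkt.src])

    def inbound(self, pkt):
        """Outside -> inside. Only a static port forward or an existing entry
        admits the packet; anything else is dropped (None)."""
        if pkt.dst == self.outside_ip and (pkt.proto, pkt.dport) in self.static:
            ip, port = self.static[(pkt.proto, pkt.dport)]
            return replace(pkt, dst=ip, dport=port)
        if pkt.dst == self.outside_ip and (pkt.proto, pkt.dport) in self.pat_back:
            ip, port = self.pat_back[(pkt.proto, pkt.dport)]
            return replace(pkt, dst=ip, dport=port)
        for inside_ip, pool_ip in self.dynamic.items():
            if pkt.dst == pool_ip:  # a dynamic entry is bidirectional while it lives
                return replace(pkt, dst=inside_ip)
        return None

if __name__ == "__main__":
    pat = NatRouter("20.0.0.1", "10.0.0.0/8", overload=True)
    pat.port_forward("tcp", "10.0.0.2", 80, 80)
    print(pat.outbound(Packet("10.0.0.3", 1025, "30.0.0.2", 80)))
    print(pat.inbound(Packet("30.0.0.2", 50000, "20.0.0.1", 80)))   # reaches 10.0.0.2:80
    print(pat.inbound(Packet("30.0.0.2", 50000, "20.0.0.1", 22)))   # None: dropped
```

Running the dynamic lab through the model with the six-address pool shows the seventh host being dropped, and the PAT lab shows why the `overload` form has no such limit: the second host that happens to use source port 1025 simply gets another outside port. The only inbound packets that reach the LAN are replies to entries created from the inside and the two published ports, which is exactly as much "security" as NAT provides.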

High-Level Data-Link Control (HDLC)
 The High-Level Data-Link Control (HDLC) protocol is a popular ISO-standard, bit-oriented Data Link layer protocol.
 It specifies an encapsulation method for data on synchronous serial data links using frame characters and checksums.
 HDLC is a point-to-point protocol used on leased lines. No authentication can be used with HDLC.
 HDLC is the default encapsulation used by Cisco routers over synchronous serial links.
 Cisco's HDLC is proprietary: it won't communicate with any other vendor's HDLC implementation.
 Each vendor has a different way for the HDLC protocol to encapsulate multiple Network layer protocols (Cisco HDLC carries a proprietary type field in the frame for this).
(Figure: Cisco HDLC frame format)

Point-to-Point Protocol (PPP)
o Point-to-Point Protocol (PPP) is a Data Link layer protocol that can be used over either asynchronous serial (dial-up) or synchronous serial (ISDN) media.
o It uses the LCP (Link Control Protocol) to build and maintain data-link connections.
o Network Control Protocol (NCP) is used to allow multiple Network layer protocols (routed protocols) to be used on a point-to-point connection.
o The basic purpose of PPP is to transport Layer 3 packets across a Data Link layer point-to-point link.

PPP contains four main components:
 EIA/TIA-232-C, V.24, V.35, and ISDN - Physical layer international standards for serial communication.
 HDLC - A method for encapsulating datagrams over serial links.
 LCP - A method of establishing, configuring, maintaining, and terminating the point-to-point connection.
 NCP - A method of establishing and configuring different Network layer protocols. NCP is designed to allow the simultaneous use of multiple Network layer protocols. Examples are IPCP (Internet Protocol Control Protocol) and IPXCP (Internetwork Packet Exchange Control Protocol).

(Figure: PPP protocol stack compared to the OSI reference model)
 It is important to understand that the PPP protocol stack is specified at the Physical and Data Link layers only.
 NCP is used to allow communication of multiple Network layer protocols by encapsulating the protocols across a PPP data link.

Link Control Protocol (LCP) configuration options
Link Control Protocol (LCP) offers different PPP encapsulation options, including the following:
Authentication - This option tells the calling side of the link to send information that can identify the user. The two methods are PAP and CHAP.
Compression - This is used to increase the throughput of PPP connections by compressing the data or payload prior to transmission. PPP decompresses the data frame on the receiving end.
Error detection - PPP uses the Quality and Magic Number options to ensure a reliable, loop-free data link.
Multilink - Starting in IOS version 11.1, multilink is supported on PPP links with Cisco routers. This option allows several separate physical paths to appear as one logical path at Layer 3. For example, two T1s running multilink PPP would appear as a single 3 Mbps path to a Layer 3 routing protocol.
PPP callback - PPP can be configured to call back after successful authentication. With callback enabled, a calling router (client) will contact a remote router (server) and authenticate as described above. Both routers must be configured for the callback feature. Once authentication is completed, the remote router terminates the connection and then re-initiates a connection to the calling router.

(Figure: PPP session establishment over a dial-up or circuit-switched network)
PPP Session Establishment
1. Link establishment phase
2. Authentication phase (optional)
3. Network layer protocol phase

Link-establishment phase
LCP packets are sent by each PPP device to configure and test the link. These packets contain a field called the Configuration Option that allows each device to see the size of the data, compression, and authentication. If no Configuration Option field is present, then the default configurations are used.

Authentication phase
If required, either CHAP or PAP can be used to authenticate a link. Authentication takes place before Network layer protocol information is read. Link-quality determination may occur at the same time.

Network layer protocol phase
PPP uses the Network Control Protocol (NCP) to allow multiple Network layer protocols to be encapsulated and sent over a PPP data link. Each Network layer protocol (e.g. IP, IPX, AppleTalk, which are routed protocols) establishes a service with NCP.

PPP Authentication Methods
There are two methods of authentication that can be used with PPP links:
1. Password Authentication Protocol (PAP)
2. Challenge Handshake Authentication Protocol (CHAP)

Password Authentication Protocol (PAP)
The Password Authentication Protocol (PAP) is the less secure of the two methods. Passwords are sent in clear text, and PAP is only performed upon the initial link establishment. When the PPP link is first established, the remote node sends the originating router its username and password, repeating the request until authentication is acknowledged. Anyone who can see the link (a tap, a mirrored port, a compromised provider device) can read the credentials straight out of the Authenticate-Request and replay them later; the 13-byte AUTH-REQ in the PAP lab debug output below carries "ccsp" and "123" as plain bytes. Use PAP only where the link is physically protected and the peer cannot do CHAP.

Challenge Handshake Authentication Protocol (CHAP)
The Challenge Handshake Authentication Protocol (CHAP) is used at the initial startup of a link and at periodic checkups on the link to make sure the router is still communicating with the same host. After PPP finishes its initial link-establishment phase, the local router sends a challenge request to the remote device. The remote device replies with a value calculated over the challenge and the shared secret with a one-way hash function, MD5 (RFC 1994: the hash covers the packet identifier, the secret and the random challenge). The local router computes the same hash and checks that the values match. If they don't match, the link is immediately terminated.
The secret itself never crosses the link, and because every challenge is fresh a captured response cannot be replayed. Two caveats remain. Both routers must be able to recover the secret in clear text to compute the hash, so it has to be configured with `username ... password` (not the one-way `username ... secret`) and is readable in the running configuration. And an eavesdropper who captures one challenge/response pair can test candidate secrets offline, so a secret like the "123" used in the labs below falls to a dictionary attack immediately; the protection is only as good as the secret.
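The PAP and CHAP messages described above, built with the Python standard library so the difference can be seen on the wire and checked. This is an added example and not part of the course notes: the packet formats follow RFC 1334 (PAP) and RFC 1994 (CHAP); the function names are this example's own; the hostnames 1700A/1700B, the usernames and the secret "123" are taken from the labs. The 26-byte length of the CHAP Challenge in the lab debug output ("O CHALLENGE id 57 len 26") is what the 4-byte header, 1-byte value size, 16-byte challenge and 5-byte name "1700A" add up to.

```python
import hashlib
import hmac
import os

# Added example, not from the course notes: PAP Authenticate-Request (RFC 1334)
# and the CHAP Challenge/Response exchange (RFC 1994) built by hand. Function
# names are this example's own; names and the secret come from the labs.

CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2

def pap_authenticate_request(peer_id, password):
    """PAP Authenticate-Request data: Peer-ID-Length, Peer-ID, Passwd-Length,
    Password. The password travels exactly as typed."""
    pid, pw = peer_id.encode(), password.encode()
    return bytes([len(pid)]) + pid + bytes([len(pw)]) + pw

def chap_response_value(identifier, secret, challenge):
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_packet(code, identifier, value, name):
    """Challenge or Response: Code, Identifier, Length(2), Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body

def parse_chap(packet):
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet) or code not in (CHAP_CHALLENGE, CHAP_RESPONSE):
        raise ValueError("malformed CHAP packet")
    size = packet[4]
    value = packet[5:5 + size]
    if len(value) != size:
        raise ValueError("truncated challenge/response value")
    return code, identifier, value, packet[5 + size:]

def authenticator_challenge(name):
    """What the authenticator sends first: a fresh random challenge and identifier."""
    return chap_packet(CHAP_CHALLENGE, os.urandom(1)[0], os.urandom(16), name)

def peer_respond(challenge_packet, secret, name):
    code, identifier, challenge, _ = parse_chap(challenge_packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a Challenge")
    value = chap_response_value(identifier, secret, challenge)
    return chap_packet(CHAP_RESPONSE, identifier, value, name)

def authenticator_verify(challenge_packet, response_packet, secrets):
    """secrets maps the peer's Name (its hostname, the `username` entry) to its
    secret. The identifier must match the outstanding challenge."""
    _, cid, challenge, _ = parse_chap(challenge_packet)
    code, rid, value, name = parse_chap(response_packet)
    if code != CHAP_RESPONSE or rid != cid or name not in secrets:
        return False
    expected = chap_response_value(cid, secrets[name], challenge)
    return hmac.compare_digest(expected, value)

def offline_guess(challenge_packet, response_packet, wordlist):
    """What an eavesdropper with one captured pair can do: try secrets offline."""
    _, cid, challenge, _ = parse_chap(challenge_packet)
    _, _, value, _ = parse_chap(response_packet)
    for guess in wordlist:
        if chap_response_value(cid, guess, challenge) == value:
            return guess
    return None

if __name__ == "__main__":
    print("PAP on the wire:", pap_authenticate_request("CCSP", "123"))
    chal = authenticator_challenge(b"1700A")
    resp = peer_respond(chal, b"123", b"1700B")
    print("CHAP challenge length:", len(chal), "verified:",
          authenticator_verify(chal, resp, {b"1700B": b"123"}))
    print("offline guess:", offline_guess(chal, resp, [b"cisco", b"123"]))
```

`offline_guess` is the reason the shared secret, not the protocol, is the weak point of CHAP: the sniffer never needs to talk to either router. In the labs both sides also challenge each other (the debug shows an outgoing and an incoming CHALLENGE), which is the same exchange run once in each direction with the roles swapped.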

PAP (Password Authentication Protocol) Configuration LAB

Topology: 1700A F0/0 10.0.0.1 and S0/0 20.0.0.1 (PPP encapsulation with PAP authentication) <-> 1700B (the ISP) S0/0 20.0.0.2 and F0/0 30.0.0.1.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#username CCNA password 123   (the username and password the peer will send)
1700A(config)#interface Serial 0/0
1700A(config-if)#encapsulation ppp
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#ppp authentication pap
1700A(config-if)#ppp pap sent-username CCSP password 123   (the username and password this router sends)
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip protocols
1700A#show ip interface brief

Each router's `sent-username` must match a `username` entry on the other router: 1700A sends CCSP, which 1700B has configured; 1700B sends CCNA, which 1700A has configured. Bouncing the serial interface (shutdown, no shutdown) forces a new PPP negotiation so that both directions of the PAP exchange appear on the console.

1700A#debug ppp authentication
1700A#config t
1700A(config)#interface S0/0
1700A(config-if)#shutdown
1700A(config-if)#no shutdown
1700A(config-if)#end
1700A#
*Mar 5 01:05:07.671: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 5 01:05:07.671: Se0/0 PPP: Using default call direction
*Mar 5 01:05:07.671: Se0/0 PPP: Treating connection as a dedicated line
*Mar 5 01:05:07.671: Se0/0 PPP: Session handle[31000006] Session id[6]
*Mar 5 01:05:07.671: Se0/0 PPP: Authorization required
*Mar 5 01:05:07.679: Se0/0 PAP: Using hostname from interface PAP
*Mar 5 01:05:07.679: Se0/0 PAP: Using password from interface PAP
*Mar 5 01:05:07.679: Se0/0 PAP: O AUTH-REQ id 3 len 13 from "ccsp"
*Mar 5 01:05:07.683: Se0/0 PAP: I AUTH-REQ id 3 len 13 from "ccna"
*Mar 5 01:05:07.683: Se0/0 PAP: Authenticating peer ccna
*Mar 5 01:05:07.687: Se0/0 PPP: Sent PAP LOGIN Request
*Mar 5 01:05:07.687: Se0/0 PPP: Received LOGIN Response PASS
*Mar 5 01:05:07.691: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 5 01:05:07.691: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 5 01:05:07.691: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 5 01:05:07.691: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 5 01:05:07.695: Se0/0 PAP: O AUTH-ACK id 3 len 5
*Mar 5 01:05:07.695: Se0/0 PAP: I AUTH-ACK id 3 len 5
*Mar 5 01:05:07.699: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 5 01:05:07.699: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 5 01:05:07.703: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 5 01:05:07.747: %SYS-5-CONFIG_I: Configured from console by console
*Mar 5 01:05:08.701: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up

The "O AUTH-REQ" line is this router sending its own credentials ("ccsp"), and "I AUTH-REQ ... Authenticating peer ccna" is the peer's request being checked against the local `username` entry; the two AUTH-ACK lines show both directions succeeding.

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#username CCSP password 123   (the username and password the peer will send)
1700B(config)#interface Serial 0/0
1700B(config-if)#encapsulation ppp
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#ppp authentication pap
1700B(config-if)#ppp pap sent-username CCNA password 123   (the username and password this router sends)
1700B(config-if)#exit
1700B(config)#router rip
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#^Z
1700B#show ip route
1700B#debug ppp authentication
1700B#
changed state to down
*Mar 1 13:00:31.301: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 13:00:31.301: Se0/0 PPP: Using default call direction
*Mar 1 13:00:31.301: Se0/0 PPP: Treating connection as a dedicated line
*Mar 1 13:00:31.301: Se0/0 PPP: Session handle[AA000004] Session id[3]
*Mar 1 13:00:31.301: Se0/0 PPP: Authorization required
*Mar 1 13:00:31.313: Se0/0 PAP: Using hostname from interface PAP
*Mar 1 13:00:31.313: Se0/0 PAP: Using password from interface PAP
*Mar 1 13:00:31.313: Se0/0 PAP: O AUTH-REQ id 3 len 13 from "ccna"
*Mar 1 13:00:31.317: Se0/0 PAP: I AUTH-REQ id 3 len 13 from "ccsp"
*Mar 1 13:00:31.317: Se0/0 PAP: Authenticating peer ccsp
*Mar 1 13:00:31.321: Se0/0 PPP: Sent PAP LOGIN Request
*Mar 1 13:00:31.321: Se0/0 PPP: Received LOGIN Response PASS
*Mar 1 13:00:31.321: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 1 13:00:31.325: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 13:00:31.325: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 13:00:31.325: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 13:00:31.329: Se0/0 PAP: O AUTH-ACK id 3 len 5
*Mar 1 13:00:31.329: Se0/0 PAP: I AUTH-ACK id 3 len 5
*Mar 1 13:00:31.329: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 13:00:31.333: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 13:00:31.333: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 13:00:32.331: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up

CHAP (Challenge Handshake Authentication Protocol) Configuration LAB

Topology: 1700A F0/0 10.0.0.1 and S0/0 20.0.0.1 (PPP encapsulation with CHAP authentication) <-> 1700B (the ISP) S0/0 20.0.0.2 and F0/0 30.0.0.1.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#username 1700B password 123   (the peer's hostname and the shared secret)
1700A(config)#interface Serial 0/0
1700A(config-if)#encapsulation ppp
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#ppp authentication chap
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip protocols
1700A#show ip interface brief

With CHAP and no `ppp chap hostname` configured, each router identifies itself by its own hostname, so the `username` entry on each side must be the other router's hostname and the password (the shared secret) must be identical on both. Because the hash is computed from the stored secret, the secret must be kept with `username ... password`; `username ... secret` cannot be used for CHAP.

1700A#debug ppp authentication
1700A#config t
1700A(config)#interface S0/0
1700A(config-if)#shutdown
1700A(config-if)#no shutdown
1700A(config-if)#
*Mar 5 14:53:43.225: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
*Mar 5 14:53:44.227: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
*Mar 5 14:53:46.326: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 5 14:53:46.326: Se0/0 PPP: Using default call direction
*Mar 5 14:53:46.326: Se0/0 PPP: Treating connection as a dedicated line
*Mar 5 14:53:46.326: Se0/0 PPP: Session handle[D700003B] Session id[61]
*Mar 5 14:53:46.326: Se0/0 PPP: Authorization required
*Mar 5 14:53:46.338: Se0/0 CHAP: O CHALLENGE id 57 len 26 from "1700A"
*Mar 5 14:53:46.342: Se0/0 CHAP: I CHALLENGE id 57 len 26 from "1700B"
*Mar 5 14:53:46.346: Se0/0 CHAP: Using hostname from unknown source
*Mar 5 14:53:46.346: Se0/0 CHAP: Using password from AAA
*Mar 5 14:53:46.346: Se0/0 CHAP: O RESPONSE id 57 len 26 from "1700A"
*Mar 5 14:53:46.350: Se0/0 CHAP: I RESPONSE id 57 len 26 from "1700B"
*Mar 5 14:53:46.354: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 5 14:53:46.354: Se0/0 PPP: Received LOGIN Response PASS
*Mar 5 14:53:46.358: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 5 14:53:46.358: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 5 14:53:46.358: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 5 14:53:46.362: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 5 14:53:46.362: Se0/0 CHAP: O SUCCESS id 57 len 4
*Mar 5 14:53:46.366: Se0/0 CHAP: I SUCCESS id 57 len 4
*Mar 5 14:53:46.366: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 5 14:53:46.370: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 5 14:53:46.370: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 5 14:53:47.368: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up

Unlike the PAP debug, no password appears here: each side sends a CHALLENGE, answers the other's challenge with a RESPONSE (the MD5 value), and reports SUCCESS when the peer's response matches.

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#username 1700A password 123   (the peer's hostname and the shared secret)
1700B(config)#interface Serial 0/0
1700B(config-if)#encapsulation ppp
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#ppp authentication chap
1700B(config-if)#exit
1700B(config)#router rip
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip protocols
1700B#show ip interface brief
1700B#debug ppp authentication
1700B#config t
1700B(config)#interface S0/0
1700B(config-if)#shutdown
1700B(config-if)#no shutdown
1700B#
*Mar 2 00:23:21.542: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
*Mar 2 00:23:22.544: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
*Mar 2 00:23:24.643: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 2 00:23:24.643: Se0/0 PPP: Using default call direction
*Mar 2 00:23:24.643: Se0/0 PPP: Treating connection as a dedicated line
*Mar 2 00:23:24.643: Se0/0 PPP: Session handle[6D00003E] Session id[61]
*Mar 2 00:23:24.643: Se0/0 PPP: Authorization required
*Mar 2 00:23:24.651: Se0/0 CHAP: O CHALLENGE id 57 len 26 from "1700B"
*Mar 2 00:23:24.655: Se0/0 CHAP: I CHALLENGE id 57 len 26 from "1700A"
*Mar 2 00:23:24.659: Se0/0 CHAP: Using hostname from unknown source
*Mar 2 00:23:24.659: Se0/0 CHAP: Using password from AAA
*Mar 2 00:23:24.659: Se0/0 CHAP: O RESPONSE id 57 len 26 from "1700B"
*Mar 2 00:23:24.667: Se0/0 CHAP: I RESPONSE id 57 len 26 from "1700A"
*Mar 2 00:23:24.667: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 2 00:23:24.671: Se0/0 PPP: Received LOGIN Response PASS
*Mar 2 00:23:24.671: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 2 00:23:24.675: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 2 00:23:24.675: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 2 00:23:24.675: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 2 00:23:24.679: Se0/0 CHAP: O SUCCESS id 57 len 4
*Mar 2 00:23:24.679: Se0/0 CHAP: I SUCCESS id 57 len 4
*Mar 2 00:23:24.679: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 2 00:23:24.683: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 2 00:23:24.683: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 2 00:23:25.681: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up

Redistribution of EIGRP and OSPF Configuration LAB

Topology: 1700A F0/0 10.0.0.1 and S0/0 20.0.0.1 <-> 3600A S3/0 20.0.0.2 and S3/1 30.0.0.1 <-> 1700B S0/0 30.0.0.2 and F0/0 40.0.0.1. EIGRP runs between 1700A and 3600A, OSPF between 3600A and 1700B; 3600A redistributes between the two.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router eigrp 100
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip protocols
1700A#show ip interface brief

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface S3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#interface S3/1
3600A(config-if)#ip address 30.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#exit
3600A(config)#router eigrp 100
3600A(config-router)#network 20.0.0.0
3600A(config-router)#router ospf 1
3600A(config-router)#network 30.0.0.0 0.255.255.255 area 0
3600A(config-router)#exit
3600A(config)#router eigrp 100
3600A(config-router)#redistribute ospf 1 metric 1 1 0 1 1   (EIGRP seed metric: bandwidth, delay, reliability, load, MTU)
3600A(config-router)#router ospf 1
3600A(config-router)#redistribute eigrp 100 metric 1 subnets   (without subnets only classful networks are redistributed into OSPF)
3600A(config-router)#^Z
3600A#show ip route
3600A#show ip interface brief
3600A#show ip protocols

Mutual redistribution without a filter copies every prefix one domain learns into the other, including a bogus or spoofed one injected by an unauthenticated neighbour. On a production network attach a `distribute-list` or `route-map` to each `redistribute` statement so that only the intended prefixes cross, and enable neighbour authentication on both protocols.

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 40.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 30.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router ospf 1
1700B(config-router)#network 30.0.0.0 0.255.255.255 area 0
1700B(config-router)#network 40.0.0.0 0.255.255.255 area 0

Redistribution of RIP and EIGRP Configuration LAB

Topology: 1700A F0/0 10.0.0.1 and S0/0 20.0.0.1 <-> 3600A S3/0 20.0.0.2 and S3/1 30.0.0.1 <-> 1700B S0/0 30.0.0.2 and F0/0 40.0.0.1. RIP runs between 1700A and 3600A, EIGRP between 3600A and 1700B; 3600A redistributes between the two.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip protocols
1700A#show ip interface brief

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface S3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#interface S3/1
3600A(config-if)#ip address 30.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#exit
3600A(config)#router rip
3600A(config-router)#network 20.0.0.0
3600A(config-router)#router eigrp 100
3600A(config-router)#network 30.0.0.0
3600A(config-router)#exit
3600A(config)#router rip
3600A(config-router)#redistribute eigrp 100 metric 1   (RIP's metric is a hop count; redistributed routes enter RIP as 1 hop)
3600A(config-router)#router eigrp 100
3600A(config-router)#redistribute rip metric 1 1 0 1 1   (EIGRP seed metric: bandwidth, delay, reliability, load, MTU)
3600A(config-router)#^Z
3600A#show ip route
3600A#show ip interface brief
3600A#show ip protocols

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 40.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 30.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router eigrp 100
1700B(config-router)#network 30.0.0.0
1700B(config-router)#network 40.0.0.0

Redistribution of RIP and OSPF Configuration LAB

Topology: 1700A F0/0 10.0.0.1 and S0/0 20.0.0.1 <-> 3600A S3/0 20.0.0.2 and S3/1 30.0.0.1 <-> 1700B S0/0 30.0.0.2 and F0/0 40.0.0.1. RIP runs between 1700A and 3600A, OSPF between 3600A and 1700B; 3600A redistributes between the two.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip protocols
1700A#show ip interface brief

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface S3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#interface S3/1
3600A(config-if)#ip address 30.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#exit
3600A(config)#router rip
3600A(config-router)#network 20.0.0.0
3600A(config-router)#router ospf 1
3600A(config-router)#network 30.0.0.0 0.255.255.255 area 0
3600A(config-router)#exit
3600A(config)#router rip
3600A(config-router)#redistribute ospf 1 metric 1   (RIP's metric is a hop count; redistributed routes enter RIP as 1 hop)
3600A(config-router)#router ospf 1
3600A(config-router)#redistribute rip metric 1 subnets   (without subnets only classful networks are redistributed into OSPF)
3600A(config-router)#^Z
3600A#show ip route
3600A#show ip interface brief
3600A#show ip protocols

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 40.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 30.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router ospf 1
1700B(config-router)#network 30.0.0.0 0.255.255.255 area 0
1700B(config-router)#network 40.0.0.0 0.255.255.255 area 0

Fundamentals of Switching

SWITCH

LAN Segmentation
In a collision domain, a frame sent by a device can collide with a frame sent by another device in the same collision domain. Moreover, a device can hear the frames destined for any device in the same collision domain. In a broadcast domain, a broadcast frame sent by a device can be received by all other devices in the same broadcast domain. A LAN segment or an Ethernet network segment consists of the devices connected with a coaxial cable or a hub. The devices are in the same collision domain.

Ethernet congestion problem
The Ethernet congestion problem occurs when too many devices are connected to the same Ethernet network segment, so that high bandwidth utilization increases the probability of collisions and degrades network performance.

LAN segmentation
LAN segmentation solves the congestion problem by breaking the network into separate segments or collision domains using bridges, switches or routers (but not hubs or repeaters). LAN segmentation reduces the number of collisions in the network and increases the total bandwidth of the network (e.g. 10 Mbps for one segment, 20 Mbps for two segments, 30 Mbps for three segments, and so on).

80/20 rule
The 80/20 rule should be used when designing how to segment a network: 80% or more of the data traffic should stay on the local network segment while 20% or less should cross network segments.

Layer 2 Switching
• Layer 2 switching is hardware based, which means it uses the MAC address from the host NIC to filter the network traffic.
• A Layer 2 switch can be considered a multiport bridge.
• Layer 2 switches are fast because they do not look at the Network layer header information; they look at the frame's hardware address before deciding either to forward the frame or to drop it.

Layer 2 switching provides the following:
• Hardware-based bridging
• Wire speed
• Low latency
• Low cost

Limitations of Layer 2 Switching
With a bridge, the connected networks are still one large broadcast domain. A Layer 2 switch cannot break up the broadcast domain; this causes performance issues that limit the size of your network. For this reason alone the switch cannot completely replace routers in the internetwork.

Bridging vs. LAN Switching
Layer 2 switches are just bridges with more ports; however, there are some important differences. Bridges are software based, while switches are hardware based because they use ASIC (Application Specific Integrated Circuit) chips that help make filtering decisions.

LAN Switching
• Address learning - learning the MAC addresses of the connected devices to build the bridge table.
• Forward and filter decision - forwarding and filtering frames based on the bridge table entries and the bridge logic.
• Loop avoidance - avoiding network loops by using the Spanning Tree Protocol.
A bridge or switch maintains a forwarding table (also known as the bridge table or MAC address table) which maps destination physical addresses to the interfaces or ports on which frames to those addresses are forwarded. A bridge or switch builds the bridge table by learning the MAC addresses of the connected devices. When a bridge is first powered on, the bridge table is empty. The bridge listens to the incoming frames and examines the source MAC addresses of the frames. For example, if a frame with a particular source MAC address is received on a particular interface, and the bridge does not have an entry in its table for that MAC address, an entry is created associating the MAC address with the interface. The default aging time for an entry in a bridge table is 300 seconds (5 minutes): an entry is removed from the bridge table if the bridge has not heard from the host concerned for 5 minutes.

ADDRESS LEARNING
(Figure: how switches learn addresses)

Examining the Forward/Filter Process
A bridge or switch forwards or filters a frame based on the following logic:
1. If the destination MAC address of the frame is the broadcast address (FFFF.FFFF.FFFF) or a multicast address, the frame is forwarded out all interfaces except the interface on which it was received.
2. If the destination MAC address is a unicast address and there is no associated entry in the bridge table, the frame is forwarded out all interfaces except the interface on which it was received (unknown unicast flooding).
3. If there is an entry for the destination MAC address in the bridge table, and the associated interface is not the interface on which the frame was received, the frame is forwarded out that interface only.
4. Otherwise, the frame is dropped (filtered): the destination is on the same segment the frame came from.

Broadcast and Multicast Frames
• A broadcast or multicast frame is not addressed to a single station. The source address is always the hardware address of the device transmitting the frame; the destination address is all 1s (FFFF.FFFF.FFFF) for a broadcast, or a group address for a multicast (IPv4 multicast frames use 0100.5Exx.xxxx).
• At Layer 3, 255.255.255.255 is the limited broadcast, delivered to every host on the local segment and not forwarded by routers. An address with the network or subnet part set and the host bits all 1s, e.g. 172.16.255.255, is a directed broadcast to every host on that network; it is a broadcast, not a multicast. IPv4 multicast uses the class D range 224.0.0.0 to 239.255.255.255 and reaches only the hosts that joined the group.
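A learning bridge that applies the four forward/filter rules above, together with the 300-second aging timer from the previous section and a bounded MAC table. This is an added example and not part of the course notes; the class name, the port numbers and the MAC addresses are constructed for the demonstration. The `capacity` parameter is there to show the failure mode a practitioner cares about: once the table is full, addresses are no longer learned and rule 2 floods every frame to them, which is what a MAC-flooding attack relies on and what `switchport port-security` is for.

```python
# Added example, not from the course notes: a learning bridge implementing the
# forward/filter rules above with aging and a bounded MAC (CAM) table.
# Port numbers and MAC addresses in the usage below are made up.

BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_group_address(mac):
    """Broadcast and multicast MACs have the I/G bit (low bit of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1

class LearningSwitch:
    def __init__(self, ports, aging=300, capacity=8192):
        self.ports = list(ports)
        self.aging = aging          # seconds an idle entry survives (default 300)
        self.capacity = capacity    # size of the MAC table
        self.table = {}             # mac -> (port, time last seen)

    def _expire(self, now):
        for mac, (port, seen) in list(self.table.items()):
            if now - seen >= self.aging:
                del self.table[mac]

    def receive(self, in_port, src, dst, now):
        """Process one frame; return the ports it is sent out of ([] = filtered)."""
        self._expire(now)
        # address learning: tie the source MAC to the ingress port unless the table is full
        if src in self.table or len(self.table) < self.capacity:
            self.table[src] = (in_port, now)
        others = [p for p in self.ports if p != in_port]
        if is_group_address(dst):       # rule 1: broadcast/multicast -> flood
            return others
        if dst not in self.table:       # rule 2: unknown unicast -> flood
            return others
        out_port = self.table[dst][0]
        if out_port != in_port:         # rule 3: known, on another port -> forward there only
            return [out_port]
        return []                       # rule 4: same segment -> filter

if __name__ == "__main__":
    sw = LearningSwitch(ports=[1, 2, 3])
    A, B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    print(sw.receive(1, A, B, now=0))    # B unknown: flooded to [2, 3]
    print(sw.receive(2, B, A, now=1))    # A known on port 1: [1]
    print(sw.receive(1, A, B, now=2))    # B known on port 2: [2]
    print(sw.receive(1, A, B, now=302))  # B aged out after 300 s: flooded again
```

The flooding that results from an unknown or expired entry is also why a switch offers no confidentiality between ports: a host that prevents its victim from being learned (by filling the table with bogus source addresses) sees a copy of every frame destined to it.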

There are three switching methods:

Store-and-forward switching
The entire frame is received and the CRC is computed and verified before the frame is forwarded. If the frame is too short (less than 64 bytes including the CRC), too long (more than 1518 bytes including the CRC), or has a CRC error, it is discarded. It has the lowest error rate but the longest switching latency. However, on a high-speed network (e.g. Fast Ethernet or Gigabit Ethernet) the latency is not significant. It is the most commonly used switching method and is supported by most switches.

Cut-through switching (also known as Fast Forward switching)
A frame is forwarded as soon as the destination MAC address in the header has been received (the first 6 bytes following the preamble). It has the highest error rate (because a frame is forwarded without verifying the CRC and without confirming that there was no collision) but the shortest switching latency.

Fragment-free switching (modified cut-through switching)
A frame is forwarded after the first 64 bytes of the frame have been received. Since a collision can be detected within the first 64 bytes of a frame, fragment-free switching can detect a frame corrupted by a collision and drop it. Therefore, fragment-free switching provides better error checking than cut-through switching. Its error rate is above store-and-forward and below cut-through; its latency is shorter than store-and-forward and longer than cut-through.

NOTE: Bridges only support store-and-forward switching. Most new switch models also use store-and-forward switching. However, Cisco 1900 switches use fragment-free switching by default.

Redundant Topology Overview
– Redundant topology eliminates single points of failure.
– Redundant topology causes broadcast storms, multiple frame copies, and MAC address table instability problems.

Broadcast Storms
• Host X sends a broadcast.
• Switches continue to propagate broadcast traffic over and over.

Multiple Frame Copies
• Host X sends a unicast frame to router Y.
• MAC address of router Y has not been learned by either switch yet.
• Router Y will receive two copies of the same frame.

MAC Database Instability
• Host X sends a unicast frame to router Y.
• MAC address of router Y has not been learned by either switch.
• Switches A and B learn the MAC address of host X on port 0.
• The frame to router Y is flooded.
• Switches A and B incorrectly learn the MAC address of host X on port 1.

Spanning-Tree Protocol Overview Spanning-Tree Protocol

Provides a loop-free redundant network topology by placing certain ports in the blocking state.

Spanning Tree Protocol Basics
 Spanning Tree Protocol or STP (IEEE 802.1d) is used to solve the looping problem. It runs on bridges and switches in a network. It implements a Spanning Tree Algorithm (STA), which calculates a loop-free topology for the network.
 STP ensures that there is only one active path between any two network segments by blocking the redundant paths. A redundant path is used only when the corresponding active path fails. It is not used for load-balancing.
 Because STP solves the looping problem by blocking one or more links in a network, the frames traveling between some source/destination devices may not be able to use the shortest physical path.
 Bridges exchange STP information using messages called Bridge Protocol Data Units (BPDUs) through Layer 2 multicast.

A port of a bridge running STP can be in one of the following states (for each state: handling of BPDUs / learning of MAC addresses / handling of frames):

Disabled (administratively down)
  Does not receive BPDUs / Does not learn addresses / Discards frames received

Blocking (default state when a bridge is powered on)
  Receives BPDUs / Does not learn addresses / Discards frames received

Listening (a blocking port goes through this state before entering the learning state)
  Receives and forwards BPDUs / Does not learn addresses / Discards frames received

Learning (a listening port goes through this state before entering the forwarding state)
  Receives and forwards BPDUs / Learns addresses / Discards frames received

Forwarding (all ports in the forwarding state belong to the current spanning tree)
  Receives and forwards BPDUs / Learns addresses / Receives and forwards frames

By default, the transition from the blocking state to the listening state takes 20 seconds (MaxAge time), from the listening state to the learning state takes 15 seconds (Forward Delay time), and from the learning state to the forwarding state takes another 15 seconds (Forward Delay time). The whole process takes 50 seconds.

Spanning-Tree Operation
• One root bridge per network
• One root port per nonroot bridge
• One designated port per segment
• Nondesignated ports

A spanning tree consists of a root bridge, which is like the root of a living tree. There is only one root bridge in the whole switched network. There is a single path from the root bridge (root) to each network segment (leaf). The paths form the spanning tree of the network. The bridges place the interfaces on the spanning tree in the forwarding state, and the interfaces not on the spanning tree in the blocking state.

Each bridge has an 8-byte Bridge ID, which is the concatenation of the priority (2 bytes) and the MAC address (6 bytes) of the bridge. The default priority of a device is 32,768. The bridge with the lowest bridge ID is elected as the root bridge.

The root path cost of a bridge (i.e. the cost of the path from the bridge to the root bridge) is the accumulated cost of the links along the root path. The cost of a link is determined by its bandwidth. The following default costs are used for different types of links:

Link Speed    New IEEE Cost    Original IEEE Cost
10 Gbps       2                1
1 Gbps        4                1
100 Mbps      19               10
10 Mbps       100              100

In a spanning tree, the ports of a non-root bridge can be classified as follows:

Root port
The root port of a bridge is the port that is the closest to the root bridge in terms of path cost. The path cost can be calculated based on the information stored in the BPDUs sent by the root bridge.

Designated port
For each physical network segment, the bridge with the lowest cost to the root bridge is elected as the designated bridge of that segment. If two or more bridges have the same cost to the root bridge, the bridge with the lowest bridge ID is elected. The designated bridge puts the port connected to that segment in the forwarding state. This port is known as a designated port. For those segments that are directly connected to the root bridge, the root bridge is their designated bridge.

Spanning-Tree Protocol Root Bridge Selection

• BPDU = Bridge Protocol Data Unit (default = sent every two seconds)
• Root bridge = bridge with the lowest bridge ID
• Bridge ID = bridge priority & MAC address
• In the example, which switch has the lowest bridge ID?

Spanning-Tree Example

BPDU & STP Logic
There are two types of BPDUs. They are:
 Configuration BPDU
 Topology Change Notification (TCN) BPDU

The root bridge sends a Configuration BPDU (or Hello BPDU) out each interface periodically (every 2 seconds, by default). Each bridge forwards the BPDU to the other bridges downstream after updating several fields in the BPDU, including the cost from this bridge to the root bridge. As long as such BPDUs are received periodically, a bridge knows that the path to the root bridge is still working. Otherwise, it needs to update its spanning tree. A Configuration BPDU is 35 bytes long and contains the following information:
 Protocol ID (2 bytes) and Version (1 byte).
 Message type (1 byte): Configuration BPDU or TCN BPDU.
 Flags (1 byte): contains a topology change (TC) bit and a topology change acknowledgement (TCA) bit.
 Root bridge ID (8 bytes): bridge ID of the root bridge.
 Root path cost (4 bytes): cost of the path from the sender bridge (the bridge forwarding the BPDU) to the root bridge.
 Sender bridge ID (8 bytes).
 Port ID (2 bytes) of the port forwarding the BPDU.
 Message Age (2 bytes) in 1/256 second: the time elapsed since the root bridge sent the original BPDU that this BPDU is based on.
 Hello time (2 bytes) in 1/256 second: the interval at which the root bridge sends BPDUs. The default Hello interval is 2 seconds.
 MaxAge time (2 bytes) in 1/256 second: if a new BPDU is not received before the MaxAge timer expires, the BPDU information is considered invalid and the bridge will try to update the STP topology. In other words, it is the time required for a port (on the alternate path) to transit from the blocking state to the listening state. The default MaxAge is 20 seconds.
 Forward Delay time (2 bytes) in 1/256 second: the time for a port to move from the listening state to the learning state. It is also the time for a port to move from the learning state to the forwarding state. The default Forward Delay is 15 seconds.

TCN BPDU: A Topology Change Notification (TCN) BPDU is sent out when a bridge detects that a port in the forwarding state is going down or a port is moving to the forwarding state (e.g. the port is enabled by the administrator). The bridge sends TCN BPDUs out of its root port towards the root bridge at every Hello interval until it is acknowledged. A TCN BPDU is only 4 bytes long, consisting of the protocol ID, version and message type fields. It carries virtually no information.

When a non-root bridge receives a TCN BPDU, it forwards the BPDU upstream towards the root bridge. It also sets the TCA bit in the next Configuration BPDU going downstream. That Configuration BPDU notifies the downstream bridge that the TCN BPDU has been received, so that it can stop sending TCN BPDUs.

When the root bridge receives a TCN BPDU, it sends out a Configuration BPDU with the TCA bit set, just like a non-root bridge. In addition, the TC bit of the BPDU is also set to notify all the bridges in the network that there is a topology change. The TC bit is set by the root bridge for a certain period of time (MaxAge + Forward Delay). When a bridge receives a BPDU with the TC bit set, it shortens the aging time of its bridge table entries from the default of 300 seconds to the Forward Delay time. Therefore the entries time out quickly and the bridge learns the topology of the new spanning tree.
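The 35-byte Configuration BPDU layout above, together with the election rules given earlier (lowest bridge ID wins the root election; a non-root bridge picks as root port the port with the lowest accumulated root path cost using the IEEE link costs, with sender bridge ID and port ID as tie-breakers), can be exercised in code. This is an added Python example, not part of the original notes; the bridge MAC addresses, port numbers and link speeds are constructed sample values.

```python
import struct
from typing import Dict, NamedTuple, Tuple

# Default IEEE 802.1D port costs per link speed (Mbps), from the cost table
# in the notes. The "new" column is what current switches use.
NEW_IEEE_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}
ORIGINAL_IEEE_COST = {10_000: 1, 1_000: 1, 100: 10, 10: 100}

# Configuration BPDU: proto(2) ver(1) type(1) flags(1) root id(8) root path
# cost(4) sender id(8) port id(2) msg age(2) max age(2) hello(2) fwd delay(2)
# = 35 bytes, big-endian, timers in units of 1/256 s.
_BPDU_FMT = "!HBBB8sI8sHHHHH"
CONFIG_BPDU, TCN_BPDU = 0x00, 0x80
FLAG_TC, FLAG_TCA = 0x01, 0x80


class ConfigBPDU(NamedTuple):
    root_id: int
    root_path_cost: int
    sender_id: int
    port_id: int
    message_age: float   # seconds
    max_age: float
    hello_time: float
    forward_delay: float
    tc: bool
    tca: bool


def bridge_id(priority: int, mac: str) -> int:
    """8-byte Bridge ID = 2-byte priority || 6-byte MAC; the lowest value wins."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def build_config_bpdu(root_id: int, root_path_cost: int, sender_id: int,
                      port_id: int, *, message_age: float = 0.0,
                      max_age: float = 20.0, hello: float = 2.0,
                      forward_delay: float = 15.0, tc: bool = False,
                      tca: bool = False) -> bytes:
    """Serialise a Configuration BPDU carrying the default 802.1D timers."""
    flags = (FLAG_TC if tc else 0) | (FLAG_TCA if tca else 0)
    return struct.pack(_BPDU_FMT, 0, 0, CONFIG_BPDU, flags,
                       root_id.to_bytes(8, "big"), root_path_cost,
                       sender_id.to_bytes(8, "big"), port_id,
                       int(message_age * 256), int(max_age * 256),
                       int(hello * 256), int(forward_delay * 256))


def parse_config_bpdu(raw: bytes) -> ConfigBPDU:
    """Decode a 35-byte Configuration BPDU; a 4-byte TCN BPDU is rejected."""
    if len(raw) < struct.calcsize(_BPDU_FMT):
        raise ValueError("too short for a Configuration BPDU (a TCN BPDU is 4 bytes)")
    (_proto, _ver, mtype, flags, root, cost, sender, port,
     age, max_age, hello, fwd) = struct.unpack(_BPDU_FMT, raw[:35])
    if mtype != CONFIG_BPDU:
        raise ValueError(f"unexpected message type 0x{mtype:02x}")
    return ConfigBPDU(int.from_bytes(root, "big"), cost,
                      int.from_bytes(sender, "big"), port,
                      age / 256, max_age / 256, hello / 256, fwd / 256,
                      bool(flags & FLAG_TC), bool(flags & FLAG_TCA))


def bpdu_rank(bpdu: ConfigBPDU, ingress_cost: int) -> Tuple[int, int, int, int]:
    """STP preference order, lowest wins: root ID, root path cost as seen by
    the receiver (sender's cost + cost of the link it arrived on), sender
    bridge ID, sender port ID."""
    return (bpdu.root_id, bpdu.root_path_cost + ingress_cost,
            bpdu.sender_id, bpdu.port_id)


def choose_root_port(received: Dict[str, Tuple[bytes, int]],
                     costs: Dict[int, int] = NEW_IEEE_COST) -> Tuple[str, int, int]:
    """received maps a local port to (raw BPDU heard on it, link speed in Mbps).
    Returns (root port, elected root bridge ID, this bridge's root path cost)."""
    best = None
    for port, (raw, speed) in received.items():
        key = bpdu_rank(parse_config_bpdu(raw), costs[speed])
        if best is None or key < best[0]:
            best = (key, port)
    if best is None:
        raise ValueError("no BPDUs received")
    (root, cost, _sender, _port_id), port = best
    return port, root, cost
```

Note that the 1 Gbps link does not automatically win: with a cost of 19 already accumulated by the sender on F0/2, the direct 100 Mbps path to the root is cheaper.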

VLAN Operation Overview
A Virtual LAN (VLAN) is a broadcast domain created based on functional, security, or other requirements, instead of the physical locations of the devices, on a switch or across switches. With VLANs, a switch can group different interfaces into different broadcast domains. Without VLANs, all interfaces of a switch are in the same broadcast domain; switches connected to each other are also in the same broadcast domain, unless there is a router in between. Different ports of a switch can be assigned to different VLANs. A VLAN can also span multiple switches.

The advantages of implementing VLANs are:
• It can group devices based on requirements other than their physical locations.
• It breaks up broadcast domains and increases network throughput.
• It provides better security by separating devices into different VLANs.
• Since each VLAN is a separate broadcast domain, devices in different VLANs cannot hear or respond to each other's broadcast traffic.
• Inter-VLAN communication can be controlled by configuring access control lists on the router or Layer 3 switch connecting the VLANs.

VLANs can be configured using one of the following two methods:

Static VLAN
Assigning VLANs to switch ports based on the port numbers. It is easier to set up and manage.

Dynamic VLAN
Assigning VLANs to switch ports based on the MAC addresses of the devices connected to the ports. A VLAN management application is used to set up a database of MAC addresses and to configure the switches to assign VLANs to the switch ports dynamically based on the MAC addresses of the connected devices. The application used by Cisco switches is called VLAN Management Policy Server (VMPS).

Cisco switches support a separate instance of spanning tree and a separate bridge table for each VLAN.

A VLAN = A Broadcast Domain = Logical Network (Subnet)

VLAN Operation

• Each logical VLAN is like a separate physical bridge.
• VLANs can span across multiple switches.
• Trunks carry traffic for multiple VLANs.
• Trunks use special encapsulation to distinguish between different VLANs.

VLAN Membership Modes

VLAN Trunking
There are two different types of links in a switched network:

Access link
A link that is part of only one VLAN. Therefore, a port connecting to an access link can be a member of only one VLAN.

Trunk link
A 100 Mbps or 1000 Mbps point-to-point link that connects switches or routers and carries frames of different VLANs. Therefore, a port connecting to a trunk link can be a member of multiple VLANs. All VLANs are configured on a trunk link by default.

VLAN Trunking, by making use of frame tagging, allows traffic from different VLANs to be transmitted through the same Ethernet link (trunk link) across switches. VLAN Trunking identifies the VLAN from which a frame is sent by tagging the frame with the source VLAN ID (12 bits long). This feature is known as frame tagging or frame identification. With frame tagging, a switch knows which ports it should forward a broadcast frame to (the ports that have the same VLAN ID as the source VLAN ID). It also knows which bridge table it should use for forwarding a unicast frame (since a separate bridge table is used for each VLAN). A frame tag is added when a frame is forwarded out to a trunk link, and is removed when the frame is forwarded out to an access link. Therefore, any device attached to an access link is unaware of its VLAN membership.

Cisco switches support two trunking protocols:

Inter-Switch Link (ISL)
• It is a Cisco proprietary VLAN trunking protocol and can only be used between Cisco switches or switches supporting ISL.
• It encapsulates a frame with an ISL header and trailer.
• An ISL header is 26 bytes long and contains the 12-bit VLAN ID, the MAC addresses of the sending and the receiving switch, and some other information.
• An ISL trailer is 4 bytes long and contains the CRC of the frame.
• It supports a separate instance of spanning tree for each VLAN by using a Cisco proprietary feature called Per-VLAN Spanning Tree (PVST+). Different instances of spanning tree allow the STP parameters of different VLANs to be configured independently. For example, we can break a network loop by blocking different links for different VLANs instead of blocking the same link for all VLANs, so that the available bandwidth can be used more efficiently.

IEEE 802.1Q
• It is the IEEE standard trunking protocol.
• It inserts a 4-byte header into the middle of the original Ethernet header. The 802.1Q header contains the 12-bit VLAN ID and some other information.

Ethernet frame without 802.1Q header:
Destination address (6 bytes) | Source address (6 bytes) | Type (2 bytes) | Data (46-1500 bytes) | FCS (4 bytes)

Ethernet frame with 802.1Q header:
Destination address (6 bytes) | Source address (6 bytes) | 802.1Q header (4 bytes) | Type (2 bytes) | Data (46-1500 bytes) | FCS (4 bytes)

• Recalculation of the FCS is required after the insertion of the 802.1Q header, as the original header has been changed.
• It did not originally support a separate instance of spanning tree for each VLAN. However, Cisco switches can use PVST+ with 802.1Q to support this feature. IEEE has also defined a new specification called 802.1s, which can be used with 802.1Q to support multiple instances of spanning tree.
• It defines one VLAN as the native VLAN. It does not insert an 802.1Q header into the frames sent from the native VLAN over a trunk link. The default native VLAN is VLAN 1. Since 802.1Q is defined as a type of Ethernet frame, it does not require that every device on a link understands 802.1Q. By defining a trunk port as a member of the native VLAN, any Ethernet device (even one that does not understand 802.1Q) connected to the trunk port can read frames for the native VLAN. Both sides of a trunk link must agree on which VLAN is used as the native VLAN. Otherwise, the trunk will not operate properly.
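The two frame layouts and the native-VLAN rule above can be reproduced in code: a switch inserts the 4-byte 802.1Q header after the source address and recomputes the FCS when sending out a trunk, leaves native-VLAN frames untagged, and removes the tag again (recomputing the FCS once more) when sending out an access port. This is an added Python example, not code from the original notes; the MAC addresses and payload are constructed, and 0x8100 is the standard tag EtherType (not named in the notes).

```python
import struct
import zlib
from typing import Tuple

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag (standard value)
NATIVE_VLAN = 1       # default native VLAN on a trunk, as stated in the notes


def ethernet_fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over dst..data, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, data: bytes) -> bytes:
    """Untagged frame: dst(6) src(6) type(2) data(46-1500) FCS(4)."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if not 46 <= len(data) <= 1500:
        raise ValueError("data must be 46-1500 bytes (pad short payloads)")
    body = dst + src + struct.pack("!H", ethertype) + data
    return body + ethernet_fcs(body)


def tag_for_trunk(frame: bytes, vlan_id: int, native_vlan: int = NATIVE_VLAN) -> bytes:
    """What a switch does when forwarding out a trunk: insert the 4-byte 802.1Q
    header between the source address and the Type field and recompute the
    FCS. Frames belonging to the native VLAN are sent untagged."""
    if not 1 <= vlan_id <= 4094:          # 12-bit VID; 0 and 4095 are reserved
        raise ValueError("VLAN ID out of range")
    if vlan_id == native_vlan:
        return frame
    body = frame[:-4]
    tag = struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)   # PCP=0, DEI=0, VID
    new_body = body[:12] + tag + body[12:]
    return new_body + ethernet_fcs(new_body)


def untag_for_access(frame: bytes, native_vlan: int = NATIVE_VLAN) -> Tuple[int, bytes]:
    """What a switch does when forwarding out an access port: verify the FCS,
    read the VLAN ID from the tag (an untagged frame belongs to the native
    VLAN), then strip the tag and recompute the FCS so the attached host never
    sees its VLAN membership."""
    body, fcs = frame[:-4], frame[-4:]
    if ethernet_fcs(body) != fcs:
        raise ValueError("FCS mismatch: frame corrupted, discard")
    (ethertype,) = struct.unpack("!H", body[12:14])
    if ethertype != TPID_8021Q:
        return native_vlan, frame
    (tci,) = struct.unpack("!H", body[14:16])
    new_body = body[:12] + body[16:]
    return tci & 0x0FFF, new_body + ethernet_fcs(new_body)


# Constructed sample: a minimum-size broadcast frame from a host in VLAN 3.
SAMPLE_FRAME = build_frame(bytes.fromhex("ffffffffffff"),
                           bytes.fromhex("00000caaaaaa"), 0x0806, b"\x00" * 46)
```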

Figures (not reproduced): 802.1Q Trunking; Importance of Native VLANs; 802.1Q Frame; Per-VLAN Spanning Tree; ISL Tagging; ISL Encapsulation.

VTP Protocol Features
o A messaging system that advertises VLAN configuration information
o Maintains VLAN configuration consistency throughout a common administrative domain
o Sends advertisements on trunk ports only

VTP Modes

Server
• Creates VLANs
• Modifies VLANs
• Deletes VLANs
• Sends/forwards advertisements
• Synchronizes
• Saved in NVRAM

Client
• Forwards advertisements
• Synchronizes
• Not saved in NVRAM

Transparent
• Creates VLANs
• Modifies VLANs
• Deletes VLANs
• Forwards advertisements
• Does not synchronize
• Saved in NVRAM

VTP Operation
• VTP advertisements are sent as multicast frames.
• VTP servers and clients are synchronized to the latest revision number.
• VTP advertisements are sent every 5 minutes or when there is a change.

VTP Pruning
• Increases available bandwidth by reducing unnecessary flooded traffic
• Example: Station A sends a broadcast, and the broadcast is flooded only toward any switch with ports assigned to the red VLAN

Switch Inter VLAN(Virtual Local Area Network) Configuration LAB

Topology (figure): router 1700A (S0/0 to the Internet, F0/0 trunk to switch 3550 F0/1); 3550 F0/2 connects to switch 3560; access ports F0/3-F0/6 on the switches serve hosts in VLAN 1, VLAN 2 and VLAN 3.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#no ip address
1700A(config-if)#interface F0/0.1 (sub-interface creation)
1700A(config-subif)#encapsulation dot1Q 1 native (encapsulation type; VLAN 1 is the trunk's untagged native VLAN, so the sub-interface must be marked native)
1700A(config-subif)#ip address 192.168.10.17 255.255.255.240
1700A(config-subif)#no shutdown
1700A(config-subif)#interface F0/0.2
1700A(config-subif)#encapsulation dot1Q 2
1700A(config-subif)#ip address 192.168.10.33 255.255.255.240
1700A(config-subif)#no shutdown
1700A(config-subif)#interface F0/0.3
1700A(config-subif)#encapsulation dot1Q 3
1700A(config-subif)#ip address 192.168.10.49 255.255.255.240

1700A(config-subif)#no shutdown
1700A(config-subif)#^Z
1700A#show ip route

3550 Switch
Switch>en
Switch#config t
Switch(config)#hostname 3550
3550(config)#interface vlan 1
3550(config-if)#ip address 192.168.10.1 255.255.255.0
3550(config-if)#no shutdown
3550(config-if)#exit
3550(config)#ip default-gateway 192.168.10.17
3550(config)#interface F0/1
3550(config-if)#description connection to 1700A
3550(config-if)#interface F0/2
3550(config-if)#description connection to 3560
3550(config-if)#exit
3550(config)#interface F0/1 (towards the router)
3550(config-if)#switchport trunk encapsulation dot1q
3550(config-if)#switchport mode trunk
3550(config-if)#interface F0/2 (towards the other switch)
3550(config-if)#switchport trunk encapsulation dot1q
3550(config-if)#switchport mode trunk
3550(config-if)#exit
3550(config)#vtp mode server
3550(config)#vtp domain CCSP
3550(config)#^Z
3550#show interface trunk
3550#config t
3550(config)#vlan 3
3550(config-vlan)#name sales
3550(config-vlan)#^Z
3550#show vlan
3550#config t
3550(config)#interface F0/5
3550(config-if)#switchport mode access
3550(config-if)#switchport access vlan 3
3550(config-if)#interface F0/6
3550(config-if)#switchport mode access
3550(config-if)#switchport access vlan 3
3550(config-if)#^Z
3550#show vlan
3550#show interface trunk

3560 Switch
Switch>en
Switch#config t
Switch(config)#hostname 3560
3560(config)#interface F0/2
3560(config-if)#description connection to 3550
3560(config-if)#exit
3560(config)#interface vlan 1
3560(config-if)#ip address 192.168.10.2 255.255.255.0
3560(config-if)#no shutdown
3560(config-if)#exit
3560(config)#ip default-gateway 192.168.10.17
3560(config)#interface F0/1
3560(config-if)#switchport trunk encapsulation dot1q
3560(config-if)#switchport mode trunk
3560(config-if)#exit
3560(config)#vtp mode client
3560(config)#vtp domain CCSP
3560(config)#^Z
3560#show interface trunk
3560#show vtp status
3560#config t
3560(config)#vlan 2 (note: a switch in VTP client mode cannot create VLANs; VLAN 2 has to exist on the VTP server for this to take effect)
3560(config-vlan)#name production
3560(config-vlan)#^Z
3560#show vlan
3560#config t
3560(config)#interface F0/2
3560(config-if)#switchport mode access
3560(config-if)#switchport access vlan 2
3560(config-if)#interface F0/3
3560(config-if)#switchport mode access
3560(config-if)#switchport access vlan 2
3560(config-if)#^Z
3560#show spanning-tree
3560#show interface trunk
3560#show vtp status
3560#show vlan

Virtual Private Networks (VPN)
A virtual private network (VPN) allows the creation of private networks across the Internet, enabling privacy and tunneling of non-TCP/IP protocols. VPNs are used to give remote users and disjointed networks connectivity over a public medium like the Internet instead of using more expensive permanent means.

What is a VPN?
VPN is a generic term that describes any combination of technologies that can be used to secure a connection through an otherwise unsecured or untrusted network.

Types of VPNs
Types of VPNs are named based upon the role they play in a business. There are three different categories of VPNs:

Remote access VPNs
Remote access VPNs allow remote users like telecommuters to securely access the corporate network wherever and whenever they need to.

Site-to-site VPNs
Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive WAN connections like Frame Relay.

Extranet VPNs
Extranet VPNs allow an organization's suppliers, partners, and customers to be connected to the corporate network in a limited way for business-to-business (B2B) communications.

VPN Components: Security

Keys
• Secret code that the encryption algorithm uses to create a unique version of the cipher-text
• 8-bit keys = 256 combinations, or two to the eighth power
• 16-bit keys = 65,536 combinations, or two to the 16th power
• 56-bit keys = 72,057,594,037,927,900 combinations, or two to the 56th power
• 168-bit keys …

Remote Access Virtual Private Network (figure): mobile users reach the corporate network (Sales, Finance, IT Management, and public servers for e-mail, World Wide Web and file transfer) through the Internet and an Internet gateway.

Remote Access VPN Features
o Remote Access VPNs provide communications between a corporate network and remote and/or mobile employees.
o Strong authentication is critical to verify remote and mobile users' identities as accurately and efficiently as possible.
o Remote Access VPNs require centralized management.
o Remote Access VPNs require a high degree of scalability to handle the vast number of remote users accessing the VPN.

Intranet Virtual Private Network (figure): a remote site connects over the Internet, through an Internet gateway, to the corporate network (Sales, Finance, IT Management, and public servers for e-mail, World Wide Web and file transfer).


Extranet Virtual Private Network (figure): partners and customers connect over the Internet, through an Internet gateway, to the corporate network (Sales, Finance, IT Management, and public servers for e-mail, World Wide Web and file transfer).

Extranet VPN Features
o Extranet VPNs are between a company and its strategic partners, customers and suppliers.
o Extranet VPNs require an open, standards-based solution to ensure interoperability. The accepted standard for Internet-based VPNs is the Internet Protocol Security (IPSec) standard.
o Extranet VPNs use traffic control to eliminate bottlenecks at network access points and guarantee swift delivery of and rapid response times for critical data.

Four of the most common tunneling protocols in use:

Layer 2 Forwarding (L2F)
Layer 2 Forwarding (L2F) is a Cisco-proprietary tunneling protocol, and it was their first tunneling protocol created for virtual private dial-up networks (VPDNs). A VPDN allows a device to use a dial-up connection to create a secure connection to a corporate network. L2F was later replaced by L2TP, which is backward compatible with L2F.

Point-to-Point Tunneling Protocol (PPTP)
Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to allow the secure transfer of data from remote networks to the corporate network.

Layer 2 Tunneling Protocol (L2TP)
Layer 2 Tunneling Protocol (L2TP) was created by Cisco and Microsoft to replace L2F and PPTP. L2TP merged the capabilities of both L2F and PPTP into one tunneling protocol.

Generic Routing Encapsulation (GRE)
Generic Routing Encapsulation (GRE) is another Cisco-proprietary tunneling protocol. It forms virtual point-to-point links, allowing a variety of protocols to be encapsulated in IP tunnels.

Introduction of Cisco IOS IPsec
 IPSec is an industry-wide standard suite of protocols and algorithms that allows for secure data transmission over an IP-based network. It functions at Layer 3, the network layer of the OSI model.
 IPSec can't be used to encrypt non-IP traffic. This means that if you run into a situation where you have to encrypt non-IP traffic, you'll need to create a GRE tunnel for it and then use IPSec to encrypt that tunnel.

IPSec Transforms
An IPSec transform specifies a single security protocol with its corresponding security algorithm; without these transforms, IPSec wouldn't be able to give us its glory. It's very important to understand the security protocols and the supporting encryption and hashing algorithms that IPSec relies upon.

Security Protocols
The two primary security protocols used by IPSec are:
 Authentication Header (AH)
 Encapsulating Security Payload (ESP)

Authentication Header (AH)
The AH protocol provides authentication for the data and the IP header of a packet using a one-way hash for packet authentication.

Working mechanism: The sender generates a one-way hash; then the receiver generates the same one-way hash. If the packet has changed in any way, it won't be authenticated and will be dropped. So basically, IPSec relies upon AH to guarantee authenticity. AH checks the entire packet, but it doesn't offer any encryption services.

Encapsulating Security Payload (ESP)
ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic-flow confidentiality by defeating traffic flow analysis.

Four components of ESP:

Confidentiality: Confidentiality is provided through the use of symmetric encryption algorithms like DES or 3DES. Confidentiality can be selected separately from all other services, but the confidentiality selected must be the same on all endpoints of your VPN.

Data origin authentication and connectionless integrity: Data origin authentication and connectionless integrity are joint services offered as an option in conjunction with the likewise optional confidentiality.

Anti-replay service: You can only use the anti-replay service if data origin authentication is selected. Anti-replay election is based upon the receiver, meaning the service is effective only if the receiver checks the sequence number. In case you were wondering, a replay attack is when a hacker grabs a copy of an authenticated packet and later transmits it to the intended destination. When the duplicate, authenticated IP packet gets to the destination, it can disrupt services and cause other ugly stuff. The Sequence Number field is designed to foil this type of attack.

Traffic flow confidentiality: For traffic flow confidentiality to work, you have to have tunnel mode selected. And it's most effective if it's implemented at a security gateway where tons of traffic amasses, a situation that can mask the true source-destination patterns from the bad guys trying to breach your network's security.
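The receiver-side check that makes the anti-replay service effective can be shown in a few lines: the receiver tracks the highest sequence number accepted plus a sliding-window bitmap of recently seen numbers, rejects duplicates and packets that fall behind the window, and advances the window only after the packet has authenticated (so a forged packet with a high sequence number cannot push the window forward). This is an added Python example, not part of the original text; the 64-packet window and the sample arrival sequence are constructed values.

```python
from typing import List, Tuple


class AntiReplayWindow:
    """Receiver-side ESP anti-replay state: the highest sequence number
    accepted so far plus a bitmap of which of the previous `size` sequence
    numbers have already been accepted."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("window must be at least 32 packets")
        self.size = size
        self.highest = 0      # sequence numbers start at 1, so 0 = nothing seen yet
        self.bitmap = 0       # bit k set => sequence (highest - k) was accepted

    def check(self, seq: int) -> bool:
        """Pre-authentication test: is this sequence number new and inside the
        window? Deliberately read-only, because an unauthenticated packet must
        not be allowed to move the window."""
        if seq == 0:
            return False
        if seq > self.highest:
            return True
        lag = self.highest - seq
        if lag >= self.size:
            return False                       # behind the window: too old
        return not (self.bitmap >> lag) & 1    # already accepted -> replay

    def update(self, seq: int) -> None:
        """Post-authentication update, called only after the ICV verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def process_packets(packets: List[Tuple[int, bool]], size: int = 64) -> List[int]:
    """packets: (sequence number, did the ICV verify?) for each received ESP
    packet, in arrival order. Returns the sequence numbers that were accepted."""
    window = AntiReplayWindow(size)
    accepted = []
    for seq, icv_ok in packets:
        if not window.check(seq):
            continue                  # replay or too old: drop before decrypting
        if not icv_ok:
            continue                  # bad ICV: drop without moving the window
        window.update(seq)
        accepted.append(seq)
    return accepted


# Constructed arrival order: reordering (5 before 4), a replay of 2 and of 4,
# a large jump to 70, then 3 arriving too far behind the 64-packet window.
SAMPLE_ARRIVALS = [(1, True), (2, True), (3, True), (2, True), (5, True),
                   (4, True), (4, True), (70, True), (3, True)]
```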

Virtual Private Network (VPN) Site-to-Site Configuration LAB
Topology (figure): 1700A (F0/0 10.0.0.1, S0/0 20.0.0.1) and 1700B (S0/0 20.0.0.2, F0/0 30.0.0.1) connect across the Internet; hosts 10.0.0.3 and 10.0.0.4 sit behind a switch on 1700A's LAN. A third router, 1700C, also appears in the diagram.

1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#interface S0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#crypto isakmp enable (ISAKMP: Internet Security Association and Key Management Protocol)
1700A(config)#crypto isakmp policy 10 (policy number 1-10000; these parameters must match the peer's)
1700A(config-isakmp)#authentication pre-share
1700A(config-isakmp)#encryption 3des
1700A(config-isakmp)#hash sha (hash algorithm for integrity)
1700A(config-isakmp)#group 5 (Diffie-Hellman group)
1700A(config-isakmp)#exit
1700A(config)#crypto isakmp key CISCO address 20.0.0.2 (pre-shared key and the peer's address)
1700A(config)#crypto ipsec transform-set 20 esp-3des esp-sha-hmac ah-sha-hmac
1700A(config-crypto-trans)#exit
1700A(config)#access-list 100 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255 (traffic to be protected)
1700A(config)#crypto map AAA 10 ipsec-isakmp (10 – crypto map sequence number)
1700A(config-crypto-map)#match address 100
1700A(config-crypto-map)#set peer 20.0.0.2 (destination address)
1700A(config-crypto-map)#set transform-set 20 (20 – transform-set name)
1700A(config-crypto-map)#set pfs group5 (perfect forward secrecy)
1700A(config-crypto-map)#exit
1700A(config)#interface S0/0
1700A(config-if)#crypto map AAA (apply the crypto map on the interface facing the peer)
1700A(config-if)#^Z
1700A#show ip route
1700A#config t
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#ping 30.0.0.1
1700A#show crypto isakmp sa
1700A#show crypto ipsec sa

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (30.0.0.0/255.0.0.0/0/0)
current_peer 20.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0

local crypto endpt.: 20.0.0.1, remote crypto endpt.: 20.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0xBFD33C73(3218291827)

inbound esp sas:
 spi: 0x9357B85B(2471999579)
 transform: esp-3des esp-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 2001, flow_id: 1, crypto map: aaa
 sa timing: remaining key lifetime (k/sec): (4507657/3454)
 IV size: 8 bytes
 replay detection support: Y
 Status: ACTIVE

inbound ah sas:
 spi: 0x8EEC094D(2397833549)
 transform: ah-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 2001, flow_id: 1, crypto map: aaa
 sa timing: remaining key lifetime (k/sec): (4507657/3450)
 replay detection support: Y
 Status: ACTIVE

inbound pcp sas:

outbound esp sas:
 spi: 0xBFD33C73(3218291827)
 transform: esp-3des esp-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 2002, flow_id: 2, crypto map: aaa
 sa timing: remaining key lifetime (k/sec): (4507657/3450)
 IV size: 8 bytes
 replay detection support: Y
 Status: ACTIVE

outbound ah sas:
 spi: 0x232953F4(589911028)
 transform: ah-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 2002, flow_id: 2, crypto map: aaa
 sa timing: remaining key lifetime (k/sec): (4507657/3448)
 replay detection support: Y
 Status: ACTIVE

outbound pcp sas:

1700B
Router>en
Router#config t
Router(config)#hostname 1700B
1700B(config)#interface F0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#interface S0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#crypto isakmp enable (ISAKMP: Internet Security Association and Key Management Protocol)
1700B(config)#crypto isakmp policy 10 (policy number 1-10000; these parameters must match the peer's)
1700B(config-isakmp)#authentication pre-share
1700B(config-isakmp)#encryption 3des
1700B(config-isakmp)#hash sha (hash algorithm for integrity)
1700B(config-isakmp)#group 5 (Diffie-Hellman group)
1700B(config-isakmp)#exit
1700B(config)#crypto isakmp key CISCO address 20.0.0.1 (same pre-shared key, the peer's address)
1700B(config)#crypto ipsec transform-set 20 esp-3des esp-sha-hmac ah-sha-hmac
1700B(config-crypto-trans)#exit
1700B(config)#access-list 100 permit ip 30.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 (mirror image of 1700A's ACL)
1700B(config)#crypto map AAA 10 ipsec-isakmp (10 – crypto map sequence number)
1700B(config-crypto-map)#match address 100
1700B(config-crypto-map)#set peer 20.0.0.1 (destination address)
1700B(config-crypto-map)#set transform-set 20 (20 – transform-set name)
1700B(config-crypto-map)#set pfs group5 (perfect forward secrecy)
1700B(config-crypto-map)#exit

1700B(config)#interface S0/0
1700B(config-if)#crypto map AAA (apply the crypto map on the interface facing the peer)
1700B(config-if)#^Z
1700B#show ip route
1700B#config t
1700B(config)#router rip
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#^Z
1700B#ping 10.0.0.1
1700B#show crypto isakmp sa
1700B#show crypto ipsec sa

1700B#show crypto ipsec sa
interface: Serial0/0
Crypto map tag: aaa, local addr 20.0.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (30.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer 20.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 20.0.0.2, remote crypto endpt.: 20.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x9357B85B(2471999579)

inbound esp sas:
 spi: 0xBFD33C73(3218291827)
 transform: esp-3des esp-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 2001, flow_id: 1, crypto map: aaa
 sa timing: remaining key lifetime (k/sec): (4433696/1900)
 IV size: 8 bytes
 replay detection support: Y
 Status: ACTIVE

inbound ah sas:
 spi: 0x232953F4(589911028)
 transform: ah-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 2001, flow_id: 1, crypto map: aaa
 sa timing: remaining key lifetime (k/sec): (4433696/1897)
 replay detection support: Y
 Status: ACTIVE

inbound pcp sas:

outbound esp sas:
 spi: 0x9357B85B(2471999579)
 transform: esp-3des esp-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 2002, flow_id: 2, crypto map: aaa
 sa timing: remaining key lifetime (k/sec): (4433696/1897)
 IV size: 8 bytes
 replay detection support: Y
 Status: ACTIVE

outbound ah sas:
 spi: 0x8EEC094D(2397833549)
 transform: ah-sha-hmac ,
 in use settings ={Tunnel, }
 conn id: 2002, flow_id: 2, crypto map: aaa
 sa timing: remaining key lifetime (k/sec): (4433696/1894)
 replay detection support: Y
 Status: ACTIVE

outbound pcp sas:

VPN Configuration with SDM (Security Device Manager)

Topology: 1700A (S0/0 20.0.0.1 toward the Internet, F0/0 10.0.0.1) and 1700B (S0/0 20.0.0.2, F0/0 30.0.0.1); hosts 10.0.0.3 and 10.0.0.4 are behind 1700A via a switch, host 30.0.0.2 is behind 1700B.

Step 1 - Install the Java Runtime Environment, version 5 or later, on the local machine.
Step 2 - Install SDM (Security Device Manager) and prepare each router with a privilege-15 user, privilege-15 vty lines and the HTTP/HTTPS server that SDM connects to:

1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#username CCNA privilege 15 password 123     (full administrative account used by SDM; 123 is a lab value only)
1700A(config)#line vty 0 4
1700A(config-line)#privilege level 15
1700A(config-line)#exit
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#ip http server
1700A(config)#ip http secure-server                       (SDM talks HTTP/HTTPS to the router; prefer the HTTPS listener, since HTTP sends the login in cleartext)
1700A(config)#ip http authentication local

1700B
Router>en
Router#config t
Router(config)#hostname 1700B
1700B(config)#username CCSP privilege 15 password 123
1700B(config)#line vty 0 4
1700B(config-line)#privilege level 15
1700B(config-line)#exit
1700B(config)#interface F0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#ip http server
1700B(config)#ip http secure-server
1700B(config)#ip http authentication local

IPv6 with GRE (Generic Routing Encapsulation) Tunnel Configuration LAB

Topology: 1700A (S0/0 20.0.0.1 toward the Internet, F0/0 10.0.0.1, tunnel 0 fec0::1:1/112) and 1700B (S0/0 20.0.0.2, F0/0 30.0.0.1, tunnel 0 fec0::1:2/112); the GRE tunnel runs between the two S0/0 public addresses, hosts 10.0.0.3 and 10.0.0.4 sit behind 1700A via a switch.

1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#ipv6 unicast-routing
1700A(config)#ipv6 cef                                       (Cisco Express Forwarding)
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#interface S0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#^Z
1700A#show ip route
1700A#config t
1700A(config)#router eigrp 100                               (autonomous system number 1 - 65535)
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#exit
1700A(config)#interface tunnel 0
1700A(config-if)#tunnel source S0/0
1700A(config-if)#tunnel destination 20.0.0.2                 (peer's public IP)
1700A(config-if)#ipv6 address fec0::1:1/112
1700A(config-if)#ipv6 ospf 1 area 0
1700A(config-if)#exit
1700A(config)#crypto isakmp enable                           (Internet Security Association and Key Management Protocol)
1700A(config)#crypto isakmp policy 10                        (policy number 1 - 10000)
1700A(config-isakmp)#authentication pre-share
1700A(config-isakmp)#encryption 3des
1700A(config-isakmp)#hash sha                                (SHA-1 hash for integrity checking)
1700A(config-isakmp)#group 5                                 (Diffie-Hellman group for the key exchange)
1700A(config-isakmp)#exit
1700A(config)#crypto isakmp key CISCO address 20.0.0.2       (pre-shared key for this peer)
1700A(config)#crypto ipsec transform-set 20 esp-3des esp-sha-hmac ah-sha-hmac
1700A(config-crypto-trans)#exit
1700A(config)#access-list 100 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255
1700A(config)#crypto map AAA 10 ipsec-isakmp                 (10 - sequence number of the crypto map entry)
1700A(config-crypto-map)#match address 100
1700A(config-crypto-map)#set peer 20.0.0.2                   (destination address)
1700A(config-crypto-map)#set transform-set 20                (20 - transform-set name)
1700A(config-crypto-map)#set pfs group 5                     (Perfect Forward Secrecy, optional)
1700A(config-crypto-map)#exit
1700A(config)#interface S0/0
1700A(config-if)#crypto map AAA                              (apply the crypto map on the interface where encryption should start)
1700A(config-if)#^Z
1700A#ping 30.0.0.1
1700A#ping fec0::1:2
1700A#show crypto isakmp sa
1700A#show crypto ipsec sa

1700B
Router>en
Router#config t
Router(config)#hostname 1700B
1700B(config)#ipv6 unicast-routing
1700B(config)#ipv6 cef                                       (Cisco Express Forwarding)
1700B(config)#interface F0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#interface S0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#^Z
1700B#show ip route
1700B#config t
1700B(config)#router eigrp 100                               (autonomous system number 1 - 65535)
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#exit
1700B(config)#interface tunnel 0
1700B(config-if)#tunnel source S0/0
1700B(config-if)#tunnel destination 20.0.0.1                 (peer's public IP)
1700B(config-if)#ipv6 address fec0::1:2/112
1700B(config-if)#ipv6 ospf 1 area 0
1700B(config-if)#exit
1700B(config)#crypto isakmp enable
1700B(config)#crypto isakmp policy 10
1700B(config-isakmp)#authentication pre-share
1700B(config-isakmp)#encryption 3des
1700B(config-isakmp)#hash sha
1700B(config-isakmp)#group 5
1700B(config-isakmp)#exit
1700B(config)#crypto isakmp key CISCO address 20.0.0.1
1700B(config)#crypto ipsec transform-set 20 esp-3des esp-sha-hmac ah-sha-hmac
1700B(config-crypto-trans)#exit
1700B(config)#access-list 100 permit ip 30.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
1700B(config)#crypto map AAA 10 ipsec-isakmp
1700B(config-crypto-map)#match address 100
1700B(config-crypto-map)#set peer 20.0.0.1
1700B(config-crypto-map)#set transform-set 20
1700B(config-crypto-map)#set pfs group 5
1700B(config-crypto-map)#exit
1700B(config)#interface S0/0
1700B(config-if)#crypto map AAA
1700B(config-if)#^Z
1700B#show ip route
1700B#ping 10.0.0.1
1700B#ping fec0::1:1
1700B#show crypto isakmp sa
1700B#show crypto ipsec sa

Caveat: access-list 100 selects only IPv4 traffic between 10.0.0.0/8 and 30.0.0.0/8. The GRE tunnel packets that carry the IPv6 traffic are IP protocol 47 from 20.0.0.1 to 20.0.0.2, which this ACL does not match, so the IPv6 pings in this lab cross the Internet in cleartext. To protect the tunnel, the crypto ACL has to match the GRE traffic itself (for example access-list 100 permit gre host 20.0.0.1 host 20.0.0.2 on 1700A, mirrored on 1700B); the counters in show crypto ipsec sa will then rise with each IPv6 ping. The ISAKMP policy settings used here (3DES, SHA-1, DH group 5, a short pre-shared key) are lab values that are no longer recommended in production.

CISCO IOS (Internetwork Operating System)

Memory components: DRAM (running-config, routing tables), NVRAM (startup-config), FLASH (IOS image)

Capacity of components, 1760 series: NVRAM - 32 KB, DRAM - 64 MB, FLASH - 32 MB

Router modes and configuration register values
Normal mode - 0x2102: boot the IOS image from flash and load the startup-config from NVRAM
RX Boot mode - 0x2101: boot the limited helper image from ROM (used to restore an IOS image into flash)
Ignore NVRAM - 0x2142: boot the IOS normally but skip the startup-config (set from the ROM monitor during password recovery; the ROM monitor itself corresponds to boot field 0, i.e. 0x2100)

Boot sequence: the router loads the IOS image from flash. If NVRAM holds no startup-config, it offers the initial configuration (setup) dialog; if a running-config was previously saved as the startup-config, the router loads that configuration without prompting.

IOS Back-up and Restore Configuration

Topology: 1700A (S0/0 20.0.0.1 toward the Internet, F0/0 10.0.0.1) with a switch to the backup TFTP server 10.0.0.3 and host 10.0.0.4.

IOS Back-up command
Install a TFTP server on the local machine (for example the SolarWinds TFTP server, a third-party tool).
1700A#show flash
1700A#copy flash: tftp:
Source filename: xxxxxxxxxx
Address or name of remote host: 10.0.0.3
Destination filename: xxxxxxxxxx                  (same as the source file name)
TFTP has no authentication and no encryption, so run the server only while the copy is in progress and only on a trusted LAN segment.

Configuration Back-up command
1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip interface brief
1700A#copy running-config startup-config
1700A#copy startup-config tftp:
Address or name of remote host: 10.0.0.3
Destination filename: AAAA
The backed-up startup-config contains every password and pre-shared key in the configuration, so protect the copy on the TFTP server accordingly.

Erase startup configuration command
1700A#erase startup-config

Restore IOS command
If the IOS image in flash has been erased, the router can no longer boot from flash. Change the register to RX Boot mode (0x2101), which boots the limited helper image from ROM; that image supports TFTP, so the IOS image can be copied back into flash:
Router>en
Router#config t
Router(config)#config-register 0x2101
Router(config)#exit
Router#reload
(wait a few seconds for the reload)
Router(config)#interface F0/0
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#^Z
Router#ping 10.0.0.3
Router#copy tftp: flash:
Address or name of remote host: 10.0.0.3
Source filename: xxxxxxxxxx
Destination filename: xxxxxxxxxx                  (same name)
Erase flash before copying? yes

Configuration restore command
Router#copy tftp: startup-config
Address or name of remote host: 10.0.0.3
Source filename: AAAA

Return to normal mode
Router(config)#config-register 0x2102
Router(config)#exit
Router#reload

Password Recovery Configuration
Set a console password first, so there is something to recover:
Router>en
Router#config t
Router(config)#line console 0
Router(config-line)#password 123
Router(config-line)#login

Password recovery steps
Switch the router off and on again, and press Ctrl+Break during the first seconds of the boot to reach the ROM monitor.
rommon 1 > confreg 0x2142                       (ignore NVRAM on the next boot, so the startup-config and its passwords are skipped)
rommon 2 > reset
Would you like to enter the initial configuration dialog? [yes/no]: no
Router>en                                       (no password is asked, because no configuration was loaded)
Router#show running-config                      (empty apart from defaults)
Router#show startup-config                      (the saved configuration, including the console password, is readable here)
Router#show version                             (the last line shows the register value 0x2142)
Router#config t
Router(config)#config-register 0x2102           (return to normal mode for the next boot)
Router(config)#exit
Router#reload
System configuration has been modified. Save? [yes/no]: no    (the original startup-config stays in NVRAM; its password is now known)
Note that the line password is readable in cleartext because neither service password-encryption nor a secret was used, and that anyone with console access and the ability to power-cycle the router can perform these steps: physical security of the console port is the real protection, and no service password-recovery disables this procedure at the cost of making a lost password unrecoverable.
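The register values used in the IOS section above and in these recovery steps differ only in single bits. The following is an added example, not part of the original notes: it decodes a configuration register into the boot fields Cisco documents (boot field in bits 0-3, ignore-NVRAM in bit 6, break-disable in bit 8, ROM fallback in bit 13) and derives the `confreg` value for recovery from whatever register is currently set; the function and field names are my own.

```python
"""Decode a Cisco configuration-register value into the boot behaviour it selects, and
derive the value used in the password-recovery steps above.

Added example, not part of the original notes. Bit meanings follow Cisco's documented
16-bit register layout; the function and field names are mine.
"""


def decode_confreg(value):
    """Return the fields of a 16-bit configuration register."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & 0x000F
    if boot_field == 0x0:
        boot = "rommon"      # stay at the ROM monitor prompt
    elif boot_field == 0x1:
        boot = "rxboot"      # boot the limited helper image from ROM (IOS restore lab)
    else:
        boot = "flash"       # normal: boot per 'boot system' commands, default first image in flash
    return {
        "boot": boot,
        "ignore_nvram": bool(value & 0x0040),    # bit 6: skip startup-config at boot
        "break_disabled": bool(value & 0x0100),  # bit 8: Break is ignored once IOS is up
        "rom_fallback": bool(value & 0x2000),    # bit 13: fall back to ROM if a network boot fails
    }


def password_recovery_plan(current):
    """The rommon 'confreg' value that keeps every other bit but ignores NVRAM, and the value to restore afterwards."""
    recovery = current | 0x0040
    return {"set_in_rommon": f"confreg 0x{recovery:04X}",
            "restore": f"config-register 0x{current:04X}"}


if __name__ == "__main__":
    for reg in (0x2102, 0x2101, 0x2142):
        print(f"0x{reg:04X}", decode_confreg(reg))
    print(password_recovery_plan(0x2102))
```

Deriving the recovery value from the current register, rather than typing 0x2142 from memory, matters on routers whose register is not the default 0x2102 (a different console speed, for instance): setting 0x2142 there would silently change those other bits too.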

Secure Shell

Topology: 1700A is the SSH server (S0/0 20.0.0.1 toward the Internet, F0/0 10.0.0.1); the SSH clients 10.0.0.3 and 10.0.0.4 are on the LAN.

1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#ip domain-name CCNA.COM                           (host name and domain name must be set before the RSA key is generated)
1700A(config)#crypto key generate rsa usage-keys modulus 1024
1700A(config)#ip ssh version 2                                  (refuse SSH version 1)
1700A(config)#username CCSP password 123
1700A(config)#line vty 0 4
1700A(config-line)#login local
1700A(config-line)#transport input ssh                          (without this line the vty lines still accept telnet)
1700A(config-line)#exit
1700A(config)#enable secret 123
Client software: PuTTY as the SSH client; Wireshark on the client can be used to confirm that the session payload is encrypted, unlike a telnet session, whose passwords are visible in the capture.
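The SSH lab above and the IPsec VPN lab earlier on this page both leave settings that a reviewer would flag (telnet still reachable on the vty lines, a reversible user password, HTTP for SDM, 3DES/SHA-1/DH group 5 in the ISAKMP policy). The following is an added example, not part of the original notes: a small audit that parses IOS configuration text and reports those settings. The two sample configurations are constructed from the lab commands on this page; the hardened values (AES-256, SHA-256, DH group 14, `username ... secret`, `ip http secure-server`) assume an IOS release that supports them.

```python
"""Audit an IOS configuration for the remote-access and IPsec weaknesses visible in
the SSH lab above and the VPN lab earlier on this page.

Added example, not part of the original notes. Both sample configs are constructed
from the lab commands on this page; the hardened values assume an IOS release that
supports them.
"""
import re

LAB_CONFIG = """\
hostname 1700A
ip domain-name CCNA.COM
username CCSP password 0 123
ip http server
ip http authentication local
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 5
crypto isakmp key CISCO address 20.0.0.2
crypto ipsec transform-set 20 esp-3des esp-sha-hmac ah-sha-hmac
line vty 0 4
 login local
"""

HARDENED_CONFIG = """\
hostname 1700A
ip domain-name CCNA.COM
username CCSP secret 123
ip http secure-server
ip http authentication local
ip ssh version 2
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha256
 group 14
crypto isakmp key CISCO address 20.0.0.2
crypto ipsec transform-set 20 esp-aes 256 esp-sha256-hmac
line vty 0 4
 login local
 transport input ssh
"""

LEGACY_ISAKMP = {"encryption des": "DES", "encryption 3des": "3DES", "hash md5": "MD5",
                 "hash sha": "SHA-1", "group 1": "DH group 1", "group 2": "DH group 2",
                 "group 5": "DH group 5"}
LEGACY_TRANSFORM = re.compile(r"\b(esp-des|esp-3des|esp-md5-hmac|esp-sha-hmac|ah-md5-hmac|ah-sha-hmac)\b")


def parse_blocks(config):
    """Split a config into (header, sub-lines) sections; IOS indents sub-mode lines with a space."""
    blocks, header, body = [], "", []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            blocks.append((header, body))
            header, body = raw.strip(), []
    blocks.append((header, body))
    return blocks


def audit(config):
    """Return a list of findings; an empty list means none of the known weak settings were found."""
    findings = []
    blocks = parse_blocks(config)
    top = {h for h, _ in blocks}
    for header, body in blocks:
        if header.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{header}: no 'transport input ssh', so telnet (cleartext) is still accepted")
            if "login local" not in body and not any(b.startswith("login authentication") for b in body):
                findings.append(f"{header}: no local or AAA login configured")
        elif header.startswith("crypto isakmp policy"):
            for cmd, name in LEGACY_ISAKMP.items():
                if cmd in body:
                    findings.append(f"{header}: {name} is legacy")
            if "authentication pre-share" in body:
                findings.append(f"{header}: pre-shared key authentication; keep the key long and random")
        elif re.match(r"username \S+ (privilege \d+ )?password ", header):
            findings.append(f"{header.split(' password')[0]}: reversible password, use 'username ... secret'")
        elif header.startswith("crypto ipsec transform-set") and LEGACY_TRANSFORM.search(header):
            findings.append(f"{header}: legacy transform")
    if "ip http server" in top and "ip http secure-server" not in top:
        findings.append("ip http server without ip http secure-server: SDM logins go over cleartext HTTP")
    if any(h.startswith("line vty") for h in top) and "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set: SSH version 1 can still be negotiated")
    if any(h.startswith("enable password") for h in top) and not any(h.startswith("enable secret") for h in top):
        findings.append("enable password without enable secret")
    return findings


if __name__ == "__main__":
    for name, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg):
            print(" -", finding)
```

Run it against a `show running-config` capture; the pre-shared-key finding stays even in the hardened config on purpose, since the key itself is still in the file and the file is what the backup labs copy across the network.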

Configuration Back-up
Topology: 1700A (S0/0 20.0.0.1 toward the Internet, F0/0 10.0.0.1) and 1700B (S0/0 20.0.0.2, F0/0 30.0.0.1); the local backup FTP server 10.0.0.3 and host 10.0.0.4 are behind 1700A via a switch, the remote backup FTP server 30.0.0.2 is behind 1700B.

1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#ip ftp username Administrator
1700A(config)#ip ftp password 1700
1700A(config)#archive
1700A(config-archive)#path ftp://10.0.0.3/Cisco backup/rip    (local FTP server; "rip" is just the archive file name, IOS appends a sequence number)
1700A(config-archive)#path ftp://30.0.0.2/Cisco backup/rip    (remote FTP server; only one path is active, the second path command replaces the first)
1700A(config-archive)#write-memory                            (archive a copy automatically whenever the running-config is saved)
1700A(config-archive)#^Z
1700A#copy running-config startup-config                      (saving now triggers the archive copy to the FTP server)
1700A#show archive
FTP carries the user name, the password and the configuration itself in cleartext, so the archive to 30.0.0.2 crosses the WAN unprotected; restrict the FTP account to the archive directory and avoid this across untrusted links.

SYSLOG Server Configuration

Topology: 1700A (S0/0 20.0.0.1 toward the Internet, F0/0 10.0.0.1) and 1700B (S0/0 20.0.0.2, F0/0 30.0.0.1); hosts 10.0.0.3 and 10.0.0.4 are behind 1700A via a switch, the syslog server 30.0.0.2 is behind 1700B.

1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#logging 30.0.0.2                          (syslog server)
1700A(config)#logging trap notifications                (send severity 0 to 5; informational and debugging messages stay in the local buffer)
1700A(config)#logging source-interface F0/0
1700A(config)#archive
1700A(config-archive)#log config
1700A(config-archive-log-cfg)#logging enable            (log every configuration command with the user and line that entered it)
1700A(config-archive-log-cfg)#hidekeys                  (passwords and keys are masked in the logged commands before they reach the syslog server)
1700A(config-archive-log-cfg)#notify syslog             (send the configuration-change entries to the syslog server)
1700A(config-archive-log-cfg)#^Z
1700A#show logging
1700A#show archive log config all
Syslog over UDP/514 is neither authenticated nor encrypted, so the messages can be read or spoofed on the path to 30.0.0.2; hidekeys at least keeps secrets out of them.
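The trap level and the hidekeys option decide what actually leaves the router. The following is an added example, not part of the original notes: it parses constructed log lines in the IOS `%FACILITY-SEVERITY-MNEMONIC` format, applies the `logging trap` cut-off, computes the PRI value of the resulting syslog datagram, and models what hidekeys removes from a configuration-change entry. The masking function is my own model of the behaviour, not IOS code.

```python
"""Decide which IOS messages a 'logging trap <level>' setting forwards to the syslog server,
and what the 'hidekeys' option hides from configuration-change entries.

Added example, not part of the original notes. The log lines are constructed in the IOS
%FACILITY-SEVERITY-MNEMONIC format; the masking function is a model of hidekeys, not IOS code.
"""
import re

LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
          "notifications", "informational", "debugging"]          # severity 0..7

MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")
SECRET_RE = re.compile(r"\b(password|secret|key)(\s+\d)?\s+\S+")

SAMPLE_LOG = [  # constructed sample lines
    "*Mar  1 00:05:12.003: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down",
    "*Mar  1 00:05:20.551: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.4] [localport: 22]",
    "*Mar  1 00:05:30.007: %SYS-5-CONFIG_I: Configured from console by CCSP on vty0 (10.0.0.3)",
    "*Mar  1 00:05:31.100: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 30.0.0.2 started - CLI initiated",
    "*Mar  1 00:05:40.200: %PARSER-7-DEBUGLINE: debug output (constructed)",
]


def parse_message(line):
    """Split one log line into facility, severity, mnemonic and text, or None if it is not in IOS format."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None


def forwarded(lines, trap_level="notifications"):
    """Messages whose severity is numerically <= the trap level are sent; the rest stay in the local buffer."""
    limit = LEVELS.index(trap_level)
    sent = []
    for line in lines:
        msg = parse_message(line)
        if msg and int(msg["sev"]) <= limit:
            sent.append(f"{msg['facility']}-{msg['sev']}-{msg['mnemonic']}")
    return sent


def syslog_pri(severity, facility=23):
    """PRI field of the UDP/514 datagram: facility*8 + severity (IOS defaults to local7 = 23)."""
    return facility * 8 + severity


def mask_secrets(command):
    """Model of what 'hidekeys' does to a logged configuration command: the value after password/secret/key is replaced."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2) or ''} *****", command)


if __name__ == "__main__":
    print("sent at 'logging trap notifications':", forwarded(SAMPLE_LOG))
    print("PRI for a severity-5 message:", syslog_pri(5))
    print(mask_secrets("username CCSP password 123"))
    print(mask_secrets("crypto isakmp key CISCO address 20.0.0.2"))
```

A login failure (severity 4) is forwarded, a successful configuration (%SYS-5-CONFIG_I) is forwarded, but the informational note that logging itself started is not, which is worth knowing when a detection rule on the syslog server expects it.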

IPV6 Routing Configuration

Topology (three routers in a triangle; the fec0::/10 site-local range used here is deprecated and is fine only for a lab):
1700A: F0/0 10.0.0.1 and fec0::1:1/112, S0/0 fec0::10:1/112 (to 1700B), S0/1 fec0::11:1/112 (to 1700C)
1700B: F0/0 20.0.0.1 and fec0::2:1/112, S0/0 fec0::10:2/112 (to 1700A), S0/1 fec0::12:1/112 (to 1700C)
1700C: F0/0 30.0.0.1 and fec0::3:1/112, S0/0 fec0::12:2/112 (to 1700B), S0/1 fec0::11:2/112 (to 1700A)

1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#ipv6 unicast-routing
1700A(config)#ipv6 cef                                   (Cisco Express Forwarding)
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#ipv6 address fec0::1:1/112
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0
1700A(config-if)#ipv6 address fec0::10:1/112
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/1
1700A(config-if)#ipv6 address fec0::11:1/112
1700A(config-if)#no shutdown
1700A(config-if)#^Z
1700A#show ip route
1700A#config t
1700A(config)#router ospf 1                              (process ID 1 - 65535, OSPFv2 for IPv4)
1700A(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700A(config-router)#exit
1700A(config)#interface F0/0
1700A(config-if)#ipv6 ospf 1 area 0                      (OSPFv3 is enabled per interface, not with network statements)
1700A(config-if)#interface S0/0
1700A(config-if)#ipv6 ospf 1 area 0
1700A(config-if)#interface S0/1
1700A(config-if)#ipv6 ospf 1 area 0
1700A(config-if)#^Z
1700A#show ip route
1700A#show ipv6 route

1700B
Router>en
Router#config t
Router(config)#hostname 1700B
1700B(config)#ipv6 unicast-routing
1700B(config)#ipv6 cef
1700B(config)#interface F0/0
1700B(config-if)#ip address 20.0.0.1 255.0.0.0
1700B(config-if)#ipv6 address fec0::2:1/112
1700B(config-if)#no shutdown
1700B(config-if)#interface S0/0
1700B(config-if)#ipv6 address fec0::10:2/112
1700B(config-if)#no shutdown
1700B(config-if)#interface S0/1
1700B(config-if)#ipv6 address fec0::12:1/112
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router ospf 1
1700B(config-router)#network 20.0.0.0 0.255.255.255 area 0
1700B(config-router)#exit
1700B(config)#interface F0/0
1700B(config-if)#ipv6 ospf 1 area 0
1700B(config-if)#interface S0/0
1700B(config-if)#ipv6 ospf 1 area 0
1700B(config-if)#interface S0/1
1700B(config-if)#ipv6 ospf 1 area 0
1700B(config-if)#^Z
1700B#show ip route
1700B#show ipv6 route

1700C
Router>en
Router#config t
Router(config)#hostname 1700C
1700C(config)#ipv6 unicast-routing
1700C(config)#ipv6 cef
1700C(config)#interface F0/0
1700C(config-if)#ip address 30.0.0.1 255.0.0.0
1700C(config-if)#ipv6 address fec0::3:1/112
1700C(config-if)#no shutdown
1700C(config-if)#interface S0/0
1700C(config-if)#ipv6 address fec0::12:2/112
1700C(config-if)#no shutdown
1700C(config-if)#interface S0/1
1700C(config-if)#ipv6 address fec0::11:2/112
1700C(config-if)#no shutdown
1700C(config-if)#exit
1700C(config)#router ospf 1
1700C(config-router)#network 30.0.0.0 0.255.255.255 area 0
1700C(config-router)#exit
1700C(config)#interface F0/0
1700C(config-if)#ipv6 ospf 1 area 0
1700C(config-if)#interface S0/0
1700C(config-if)#ipv6 ospf 1 area 0
1700C(config-if)#interface S0/1
1700C(config-if)#ipv6 ospf 1 area 0
1700C(config-if)#^Z
1700C#show ip route
1700C#show ipv6 route
Each router still has an IPv4 address on F0/0, which OSPFv3 uses to derive its 32-bit router ID; on a router with no IPv4 address the ID must be set under ipv6 router ospf 1 with router-id.

Dynamic Host Configuration Protocol Configuration LAB
Topology: 1700A is the DHCP server (F0/0 10.0.0.1, S0/0 20.0.0.1) with clients 10.0.0.2 and 10.0.0.3 on its LAN switch; 1700B is the DHCP relay (S0/0 20.0.0.2, F0/0 30.0.0.1) with the server host 30.0.0.2 on its LAN switch. The relayed request crosses the 20.0.0.0 link as a unicast packet.

Routers do not forward broadcasts, so a DHCP request from a client on the 30.0.0.0 LAN never reaches the server on 1700A by itself. The relay (ip helper-address on 1700B's F0/0) picks up the broadcast and forwards it to the server as a unicast packet, with the giaddr field set to the relay interface address 30.0.0.1; the server uses that address to select the 30.0.0.0 pool and unicasts the reply back to the relay, which delivers it on the LAN.

1700A (DHCP server)
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip interface brief
1700A#config t
1700A(config)#service dhcp
1700A(config)#ip dhcp excluded-address 10.0.0.2 10.0.0.10         (addresses never handed out; global command, not part of the pool)
1700A(config)#ip dhcp pool ccna                                    (any name)
1700A(dhcp-config)#network 10.0.0.0 255.0.0.0
1700A(dhcp-config)#default-router 10.0.0.1
1700A(dhcp-config)#dns-server xxx.xxx.xxx.xxx
1700A(dhcp-config)#netbios-name-server xxx.xxx.xxx.xxx             (WINS server for NetBIOS name resolution)
1700A(dhcp-config)#exit
1700A(config)#ip dhcp excluded-address 30.0.0.2 30.0.0.10
1700A(config)#ip dhcp pool ccna2                                   (a second pool needs a different name; re-entering "ccna" would overwrite the first pool)
1700A(dhcp-config)#network 30.0.0.0 255.0.0.0
1700A(dhcp-config)#default-router 30.0.0.1
1700A(dhcp-config)#dns-server xxx.xxx.xxx.xxx
1700A(dhcp-config)#netbios-name-server xxx.xxx.xxx.xxx
1700A(dhcp-config)#^Z
1700A#show ip dhcp database
1700A#show ip dhcp binding

1700B (DHCP relay)
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router rip
1700B(config-router)#network 30.0.0.0
1700B(config-router)#network 20.0.0.0
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip interface brief
1700B#config t
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip helper-address 20.0.0.1                        (relay DHCP broadcasts received on this interface as unicast to the server)
The relay must sit on the interface the clients are attached to, and the server needs a route back to 30.0.0.0 (RIP provides it here). ip helper-address also forwards other UDP broadcasts by default (TFTP, DNS, TIME, NetBIOS and TACACS among them), so restrict it with no ip forward-protocol udp for the ports that are not needed.
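How the server side of this relay works is easiest to see in code. The following is an added example, not part of the original notes: a model of the pool selection a DHCP server performs when a request arrives (match giaddr when it is set, otherwise the address of the receiving interface, as in RFC 2131), with the two pools configured on 1700A above and the excluded ranges honoured. The second pool is named ccna2 here because pool names must be unique; the allocator is a simplified model, not IOS code.

```python
"""How the DHCP server on 1700A picks a pool for a relayed request, and why the relay
on 1700B must sit on the 30.0.0.0 interface.

Added example, not part of the original notes. The pool table mirrors the two pools
configured on 1700A above; selection follows the relay-agent rule of RFC 2131. The
allocator is a simplified model, not IOS code.
"""
import ipaddress

POOLS = {
    "ccna":  {"network": ipaddress.ip_network("10.0.0.0/8"), "router": "10.0.0.1",
              "excluded": ("10.0.0.2", "10.0.0.10")},
    "ccna2": {"network": ipaddress.ip_network("30.0.0.0/8"), "router": "30.0.0.1",
              "excluded": ("30.0.0.2", "30.0.0.10")},
}


def select_pool(giaddr, receiving_interface_ip, pools=POOLS):
    """giaddr is 0.0.0.0 for a client on a directly connected LAN, the relay's interface address otherwise."""
    key = ipaddress.ip_address(receiving_interface_ip if giaddr == "0.0.0.0" else giaddr)
    for name, pool in pools.items():
        if key in pool["network"]:
            return name
    return None


def is_reserved(addr, pool):
    """The excluded range and the default router are never handed out."""
    lo, hi = (ipaddress.ip_address(x) for x in pool["excluded"])
    a = ipaddress.ip_address(str(addr))
    return lo <= a <= hi or a == ipaddress.ip_address(pool["router"])


def first_free(pool, leased):
    """Lowest usable address that is neither reserved nor already leased."""
    for host in pool["network"].hosts():
        if not is_reserved(host, pool) and str(host) not in leased:
            return str(host)
    return None


def handle_discover(giaddr, receiving_interface_ip, leased):
    """Return the offer the server would build, or None when no pool covers the request."""
    name = select_pool(giaddr, receiving_interface_ip)
    if name is None:
        return None
    pool = POOLS[name]
    # A relayed offer is unicast back to the relay (server port 67), which delivers it on its LAN;
    # a local client has no address yet, so the offer is broadcast to client port 68.
    reply_to = ("255.255.255.255", 68) if giaddr == "0.0.0.0" else (giaddr, 67)
    return {"pool": name, "yiaddr": first_free(pool, leased),
            "router": pool["router"], "reply_to": reply_to}


if __name__ == "__main__":
    print(handle_discover("30.0.0.1", "10.0.0.1", leased=set()))          # relayed by 1700B
    print(handle_discover("0.0.0.0", "10.0.0.1", leased={"10.0.0.11"}))   # local client on 1700A's LAN
```

A request relayed from an interface whose address falls in no pool (the 20.0.0.0 link, for instance) gets no offer at all, which is the first thing to check when relayed clients receive nothing.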

CISCO DEFINITIONS
ADSP - AppleTalk Data Stream Protocol
AEP - AppleTalk Echo Protocol
AFP - AppleTalk Filing Protocol
APPN - Advanced Peer-to-Peer Networking
ABR - Area Border Router
ARIS - Aggregate Route-Based IP Switching
ARLL - Advanced Run-Length Limited
ARP - Address Resolution Protocol
ASP - AppleTalk Session Protocol
ATM - Asynchronous Transfer Mode
BGP - Border Gateway Protocol
BOOTP - Bootstrap Protocol
BPDU - Bridge Protocol Data Unit
CIDR - Classless Inter-Domain Routing
CIR - Committed Information Rate
CPE - Customer Premises Equipment
DARPA - Defense Advanced Research Projects Agency
DEMARC - Demarcation point
DHCP - Dynamic Host Configuration Protocol
DSAP - Destination Service Access Point
EIA/TIA - Electronic Industries Alliance / Telecommunications Industry Association
EGP - Exterior Gateway Protocol
EBGP - External Border Gateway Protocol
EIGRP - Enhanced Interior Gateway Routing Protocol
FCS - Frame Check Sequence
FDM - Frequency-Division Multiplexing
FTP - File Transfer Protocol
GPS - Global Positioning System
HDLC - High-level Data Link Control
HTTP - Hypertext Transfer Protocol
HTTPS - Hypertext Transfer Protocol Secure
ICMP - Internet Control Message Protocol
ICS - Internet Connection Sharing
IGMP - Internet Group Management Protocol
IGRP - Interior Gateway Routing Protocol
IMAP4 - Internet Message Access Protocol, version 4
INARP - Inverse ARP
IOS - Internetwork Operating System
ISDN - Integrated Services Digital Network
IP - Internet Protocol
LCP - Link Control Protocol
LDAP - Lightweight Directory Access Protocol
LMI - Local Management Interface
LPD - Line Printer Daemon
LPR - Line Printer Remote
MMDS - Multichannel Multipoint Distribution Service
NBP - Name Binding Protocol
NCP - NetWare Core Protocol
NDS - NetWare Directory Services
NNTP - Network News Transfer Protocol
NTP - Network Time Protocol
NVRAM - Non-volatile RAM
OSPF - Open Shortest Path First
OUI - Organizationally Unique Identifier
PAP - Password Authentication Protocol (PPP; also AppleTalk Printer Access Protocol)
POP - Post Office Protocol (also Point of Presence)
PPP - Point-to-Point Protocol
PPPoA - Point-to-Point Protocol over ATM
PPPoE - Point-to-Point Protocol over Ethernet
PPTP - Point-to-Point Tunneling Protocol
PVC - Permanent Virtual Circuit
Proxy ARP - Proxy Address Resolution Protocol
RAID - Redundant Array of Inexpensive (Independent) Disks
RARP - Reverse Address Resolution Protocol
RAS - Remote Access Service (Windows)
RDP - Remote Desktop Protocol
RIP - Routing Information Protocol
RTMP - Routing Table Maintenance Protocol
SAP - Service Advertising Protocol
SCP - Secure Copy Protocol
SFTP - SSH File Transfer Protocol
SLIP - Serial Line Internet Protocol
SMB - Server Message Block
STP - Spanning Tree Protocol
SMTP - Simple Mail Transfer Protocol
SNAP - Sub-Network Access Protocol
SNMP - Simple Network Management Protocol
SSAP - Source Service Access Point
SSH - Secure Shell
SVC - Switched Virtual Circuit
TDM - Time-Division Multiplexing
TELNET - terminal emulation protocol for remote login (cleartext)
TFTP - Trivial File Transfer Protocol
UDP - User Datagram Protocol
VLAN - Virtual LAN
VLSM - Variable Length Subnet Masking
WLAN - Wireless LAN
ZIP - Zone Information Protocol
IETF - Internet Engineering Task Force
VPN - Virtual Private Network
NAS - Network Access Server
LNS - L2TP Network Server
ISAKMP - Internet Security Association and Key Management Protocol
L2TP - Layer 2 Tunneling Protocol
L2TPv3 - Layer 2 Tunneling Protocol version 3
MPLS - Multiprotocol Label Switching
L2F - Layer 2 Forwarding
VPDN - Virtual Private Dial-up Network

Sella
