© 2003, Cisco Systems, Inc. All rights reserved.


Data Networks
Sharing data through the use of floppy disks is not an efficient or cost-effective manner in which to operate businesses. Businesses needed a solution that would successfully address the following three problems:
• How to avoid duplication of equipment and resources
• How to communicate efficiently
• How to set up and manage a network
Businesses realized that networking technology could increase productivity while saving money.

Networking Devices
Equipment that connects directly to a network segment is referred to as a device. These devices are broken up into two classifications:
• end-user devices
• network devices
End-user devices include computers, printers, scanners, and other devices that provide services directly to the user. Network devices include all the devices that connect the end-user devices together to allow them to communicate.

Network Interface Card
A network interface card (NIC) is a printed circuit board that provides network communication capabilities to and from a personal computer. It is also called a LAN adapter.


Networking Device Icons


Repeater
A repeater is a network device used to regenerate a signal. Repeaters regenerate analog or digital signals distorted by transmission loss due to attenuation. A repeater does not perform intelligent routing.


Hub
Hubs concentrate connections. In other words, they take a group of hosts and allow the network to see them as a single unit. This is done passively, without any other effect on the data transmission. Active hubs not only concentrate hosts, but they also regenerate signals.

Bridge
Bridges convert network transmission data formats as well as perform basic data transmission management. Bridges, as the name implies, provide connections between LANs. Not only do bridges connect LANs, but they also perform a check on the data to determine whether it should cross the bridge or not. This makes each part of the network more efficient.

Workgroup Switch
Workgroup switches add more intelligence to data transfer management. Switches can determine whether data should remain on a LAN or not, and they can transfer the data to the connection that needs that data.

Router
Routers have all capabilities of the previous devices. Routers can regenerate signals, concentrate multiple connections, convert data transmission formats, and manage data transfers. They can also connect to a WAN, which allows them to connect LANs that are separated by great distances.


“The Cloud”
The cloud is used in diagrams to represent where the connection to the internet is. It also represents all of the devices on the internet.


Network Topologies
Network topology defines the structure of the network. One part of the topology definition is the physical topology, which is the actual layout of the wire or media. The other part is the logical topology, which defines how the media is accessed by the hosts for sending data.

Physical Topologies

Bus Topology
A bus topology uses a single backbone cable that is terminated at both ends. All the hosts connect directly to this backbone.

Ring Topology
A ring topology connects one host to the next and the last host to the first. This creates a physical ring of cable.

Star Topology
A star topology connects all cables to a central point of concentration.

Extended Star Topology
An extended star topology links individual stars together by connecting the hubs and/or switches. This topology can extend the scope and coverage of the network.

Hierarchical Topology
A hierarchical topology is similar to an extended star.

Mesh Topology
A mesh topology is implemented to provide as much protection as possible from interruption of service. Each host has its own connections to all other hosts. Although the Internet has multiple paths to any one location, it does not adopt the full mesh topology.

LANs, MANs, & WANs
One early solution was the creation of local-area network (LAN) standards which provided an open set of guidelines for creating network hardware and software, making equipment from different companies compatible. What was needed was a way for information to move efficiently and quickly, not only within a company, but also from one business to another. The solution was the creation of metropolitan-area networks (MANs) and wide-area networks (WANs).

Examples of Data Networks

LANs

Wireless LAN Organizations and Standards
As in cabled networks, IEEE is the prime issuer of standards for wireless networks. The standards have been created within the framework of the regulations created by the Federal Communications Commission (FCC). A key technology contained within the 802.11 standard is Direct Sequence Spread Spectrum (DSSS).

Cellular Topology for Wireless

WANs

SANs
A SAN is a dedicated, high-performance network used to move data between servers and storage resources. Because it is a separate, dedicated network, it avoids any traffic conflict between clients and servers.

Virtual Private Network
A VPN is a private network that is constructed within a public network infrastructure such as the global Internet. Using VPN, a telecommuter can access the network of the company headquarters through the Internet by building a secure tunnel between the telecommuter's PC and a VPN router in the headquarters.

Bandwidth

Measuring Bandwidth


Why do we need the OSI Model?
To address the problem of networks increasing in size and in number, the International Organization for Standardization (ISO) researched many network schemes and recognized that there was a need to create a network model that would help network builders implement networks that could communicate and work together, and therefore released the OSI reference model in 1984.

Don't Get Confused
ISO - International Organization for Standardization
OSI - Open System Interconnection
IOS - Internetwork Operating System
The ISO created the OSI to make the IOS more efficient. To avoid confusion, some people say “International Standard Organization.” The “ISO” acronym is correct as shown.

The OSI Reference Model
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
The OSI Model will be used throughout your entire networking career! Memorize it!

Layer 7 - The Application Layer
This layer deals with networking applications. Examples:
• Email
• Web browsers
PDU - User Data

Layer 6 - The Presentation Layer
This layer is responsible for presenting the data in the required format, which may include:
• Encryption
• Compression
PDU - Formatted Data

Layer 5 - The Session Layer
This layer establishes, manages, and terminates sessions between two communicating hosts. Example:
• Client software (used for logging in)
PDU - Formatted Data

Layer 4 - The Transport Layer
This layer breaks up the data from the sending host and then reassembles it in the receiver. It is also used to ensure reliable data transport across the network.
PDU - Segments

Layer 3 - The Network Layer
Sometimes referred to as the “Cisco Layer”. Makes “Best Path Determination” decisions based on logical addresses (usually IP addresses).
PDU - Packets

Layer 2 - The Data Link Layer
This layer provides reliable transit of data across a physical link. Makes decisions based on physical addresses (usually MAC addresses).
PDU - Frames

Layer 1 - The Physical Layer
This is the physical media through which the data, represented as electronic signals, is sent from the source host to the destination host. Examples:
• CAT5 (what we have)
• Coaxial (like cable TV)
• Fiber optic
PDU - Bits

OSI Model Analogy: Application Layer - Source Host
After riding your new bicycle a few times in New York, you decide that you want to give it to a friend who lives in Munich, Germany.

OSI Model Analogy: Presentation Layer - Source Host
Make sure you have the proper directions to disassemble and reassemble the bicycle.

OSI Model Analogy: Session Layer - Source Host
Call your friend and make sure you have his correct address.

OSI Model Analogy: Transport Layer - Source Host
Disassemble the bicycle and put different pieces in different boxes. The boxes are labeled “1 of 3”, “2 of 3”, and “3 of 3”.

OSI Model Analogy: Network Layer - Source Host
Put your friend's complete mailing address (and yours) on each box. Since the packages are too big for your mailbox (and since you don't have enough stamps) you determine that you need to go to the post office.

OSI Model Analogy: Data Link Layer - Source Host
New York post office takes possession of the boxes.

OSI Model Analogy: Physical Layer - Media
The boxes are flown from USA to Germany.

OSI Model Analogy: Data Link Layer - Destination
Munich post office receives your boxes.

OSI Model Analogy: Network Layer - Destination
Upon examining the destination address, Munich post office determines that your boxes should be delivered to your written home address.

OSI Model Analogy: Transport Layer - Destination
Your friend calls you and tells you he got all 3 boxes and he is having another friend named BOB reassemble the bicycle.

OSI Model Analogy: Session Layer - Destination
Your friend hangs up because he is done talking to you.

OSI Model Analogy: Presentation Layer - Destination
BOB is finished and “presents” the bicycle to your friend. Another way to say it is that your friend is finally getting his “present”.

OSI Model Analogy: Application Layer - Destination
Your friend enjoys riding his new bicycle in Munich.

Host Layers
These layers only exist in the source and destination host computers.

Media Layers
These layers manage the information out in the LAN or WAN between the source and destination hosts.

The OSI Layers Communications

Encapsulation Process

Data Flow Through a Network


LAN Physical Layer
Various symbols are used to represent media types. Networking media are considered Layer 1, or physical layer, components of LANs. The function of media is to carry a flow of information through a LAN. Each media has advantages and disadvantages. Some of the advantage or disadvantage comparisons concern:
• Cable length
• Cost
• Ease of installation
• Susceptibility to interference
Coaxial cable, optical fiber, and even free space can carry network signals. However, the principal medium that will be studied is Category 5 unshielded twisted-pair cable (Cat 5 UTP).

Unshielded Twisted Pair (UTP) Cable

UTP Implementation
EIA/TIA specifies an RJ-45 connector for UTP cable. The RJ-45 transparent end connector shows eight colored wires. Four of the wires carry the voltage and are considered “tip” (T1 through T4). The other four wires are grounded and are called “ring” (R1 through R4). The wires in the first pair in a cable or a connector are designated as T1 & R1.

Connection Media
The registered jack (RJ-45) connector and jack are the most common. In some cases the type of connector on a network interface card (NIC) does not match the media that it needs to connect to. The attachment unit interface (AUI) connector allows different media to connect when used with the appropriate transceiver. A transceiver is an adapter that converts one type of connection to another.

Ethernet Standards
The Ethernet standard specifies that each of the pins on an RJ-45 connector has a particular purpose. A NIC transmits signals on pins 1 & 2, and it receives signals on pins 3 & 6.

Remember…
A straight-thru cable has T568B on both ends. A crossover (or cross-connect) cable has T568B on one end and T568A on the other. A console cable has T568B on one end and reverse T568B on the other, which is why it is also called a rollover cable.


Straight-Thru or Crossover
Use straight-through cables for the following cabling:
• Switch to router
• Switch to PC or server
• Hub to PC or server
Use crossover cables for the following cabling:
• Switch to switch
• Switch to hub
• Hub to hub
• Router to router
• PC to PC
• Router to PC

Sources of Noise on Copper Media
Noise is any electrical energy on the transmission cable that makes it difficult for a receiver to interpret the data sent from the transmitter. TIA/EIA-568-B certification of a cable now requires testing for a variety of types of noise. Twisted-pair cable is designed to take advantage of the effects of crosstalk in order to minimize noise. In twisted-pair cable, a pair of wires is used to transmit one signal. The wire pair is twisted so that each wire experiences similar crosstalk. Because a noise signal on one wire will appear identically on the other wire, this noise can be easily detected and filtered at the receiver. Twisting one pair of wires in a cable also helps to reduce crosstalk of data or noise signals from adjacent wires.


Shielded Twisted Pair (STP) Cable


Coaxial Cable


Fiber Optic Cable


Fiber Optic Connectors
Connectors are attached to the fiber ends so that the fibers can be connected to the ports on the transmitter and receiver. The type of connector most commonly used with multimode fiber is the Subscriber Connector (SC connector). On single-mode fiber, the Straight Tip (ST) connector is frequently used.


Fiber Optic Patch Panels
Fiber patch panels are similar to the patch panels used with copper cable.


Cable Specifications
10BASE-T: The T stands for twisted pair.
10BASE5: The 5 represents the fact that a signal can travel for approximately 500 meters. 10BASE5 is often referred to as Thicknet.
10BASE2: The 2 represents the fact that a signal can travel for approximately 200 meters. 10BASE2 is often referred to as Thinnet.
All 3 of these specifications refer to the speed of transmission at 10 Mbps and a type of transmission that is baseband, or digitally interpreted. Thinnet and Thicknet are actually types of networks, while 10BASE2 & 10BASE5 are the types of cabling used in these networks.

Ethernet Media Connector Requirements


LAN Physical Layer Implementation


Ethernet in the Campus


WAN Physical Layer

WAN Serial Connection Options

Serial Implementation of DTE & DCE
When connecting directly to a service provider, or to a device such as a CSU/DSU that will perform signal clocking, the router is a DTE and needs a DTE serial cable. This is typically the case for routers.

Back-to-Back Serial Connection
When performing a back-to-back router scenario in a test environment, one of the routers will be a DTE and the other will be a DCE.

Repeater
A repeater is a network device used to regenerate a signal. Repeaters regenerate analog or digital signals distorted by transmission loss due to attenuation. A repeater is a Physical Layer device.

The 4 Repeater Rule
The Four Repeater Rule for 10-Mbps Ethernet should be used as a standard when extending LAN segments. This rule states that no more than four repeaters can be used between hosts on a LAN. This rule is used to limit latency added to frame travel by each repeater.

Hub
Hubs concentrate connections. In other words, they take a group of hosts and allow the network to see them as a single unit. A hub is a physical layer device.

Network Interface Card
The function of a NIC is to connect a host device to the network medium. A NIC is a printed circuit board that fits into the expansion slot on the motherboard or peripheral device of a computer. The NIC is also referred to as a network adapter. NICs are considered Data Link Layer devices because each NIC carries a unique code called a MAC address.

MAC Address
A MAC address is 48 bits in length and expressed as twelve hexadecimal digits. MAC addresses are sometimes referred to as burned-in addresses (BIA) because they are burned into read-only memory (ROM) and are copied into random-access memory (RAM) when the NIC initializes.

Bridge
Bridges are Data Link layer devices. Connected host addresses are learned and stored on a MAC address table. Each bridge port has a unique MAC address.

Bridges

Bridging Graphic

Switch
Switches are Data Link layer devices. Connected host MAC addresses are learned and stored on a MAC address table. Each switch port has a unique MAC address.

Switching Modes
cut-through: A switch starts to transfer the frame as soon as the destination MAC address is received, and switching begins before the entire data field and checksum are read. No error checking is available. Must use synchronous switching.
store-and-forward: At the other extreme, the switch can receive the entire frame before sending it out the destination port. This gives the switch software an opportunity to verify the Frame Check Sequence (FCS) to ensure that the frame was reliably received before sending it to the destination. Must be used with asynchronous switching.
fragment-free: A compromise between the cut-through and store-and-forward modes. Fragment-free reads the first 64 bytes, which includes the frame header.
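The three modes run against a good frame, a frame corrupted in transit and a collision fragment, as an added simulation that is not from the deck (the frame layout, the CRC-32 used as FCS and the MAC values are constructed):

```python
import zlib

MIN_FRAME = 64   # shortest legal Ethernet frame; anything shorter is a collision fragment (runt)
HEADER = 14      # destination MAC (6) + source MAC (6) + type (2)


def build_frame(dst: bytes, src: bytes, payload: bytes, corrupt: bool = False) -> bytes:
    """Constructed frame: header + payload + 4-byte FCS (CRC-32 over everything before it).
    With corrupt=True one payload bit is flipped after the FCS was computed, which is
    what line noise does to a frame in transit."""
    body = dst + src + b"\x08\x00" + payload
    fcs = zlib.crc32(body).to_bytes(4, "little")
    if corrupt:
        body = body[:HEADER] + bytes([body[HEADER] ^ 0x01]) + body[HEADER + 1:]
    return body + fcs


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC-32 over the frame body and compare with the trailing FCS."""
    body, fcs = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "little") == fcs


def forward(mode: str, frame: bytes):
    """Return (decision, bytes examined before the decision) for one switching mode."""
    if mode == "cut-through":
        # forwards once the 6-byte destination MAC is in; nothing else is checked
        return "forward", 6
    if mode == "fragment-free":
        # reads the first 64 bytes: a collision fragment is shorter and is dropped,
        # but a bad FCS at the end of a full-size frame is never seen
        decision = "forward" if len(frame) >= MIN_FRAME else "drop"
        return decision, min(len(frame), MIN_FRAME)
    if mode == "store-and-forward":
        # whole frame buffered, FCS verified, then forwarded
        decision = "forward" if len(frame) >= MIN_FRAME and fcs_ok(frame) else "drop"
        return decision, len(frame)
    raise ValueError(f"unknown switching mode {mode!r}")


def compare_modes():
    """Decision of each mode for each constructed frame."""
    dst = bytes.fromhex("080020021545")   # MAC taken from the deck's ARP slide
    src = bytes.fromhex("08002002aa01")   # constructed
    frames = {
        "good": build_frame(dst, src, b"A" * 100),                   # 118 bytes, valid FCS
        "bad_fcs": build_frame(dst, src, b"A" * 100, corrupt=True),  # 118 bytes, bit flipped
        "runt": build_frame(dst, src, b"A" * 10),                    # 28 bytes: collision fragment
    }
    modes = ("cut-through", "fragment-free", "store-and-forward")
    return {name: {m: forward(m, f)[0] for m in modes} for name, f in frames.items()}


if __name__ == "__main__":
    for name, decisions in compare_modes().items():
        print(name, decisions)
```

Only store-and-forward stops the corrupted frame; fragment-free catches the runt but passes the bad FCS on, which is the latency-versus-checking trade-off the slide describes.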

Full Duplex
Another capability emerges when only two nodes are connected. In a network that uses twisted-pair cabling, one pair is used to carry the transmitted signal from one node to the other node. A separate pair is used for the return or received signal. It is possible for signals to pass through both pairs simultaneously. The capability of communication in both directions at once is known as full duplex.

Switches – MAC Tables

Switches – Parallel Communication

Microsegmentation
A switch is simply a bridge with many ports. When only one node is connected to a switch port, the collision domain on the shared media contains only two nodes. These small physical segments are called microsegments. The two nodes in this small segment, or collision domain, consist of the switch port and the host connected to it.

Peer-to-Peer Network
In a peer-to-peer network, networked computers act as equal partners, or peers. As peers, each computer can take on the client function or the server function. At one time, computer A may make a request for a file from computer B, which responds by serving the file to computer A. Computer A functions as client, while B functions as the server. At a later time, computers A and B can reverse roles. In a peer-to-peer network, individual users control their own resources. Peer-to-peer networks are relatively easy to install and operate. As networks grow, peer-to-peer relationships become increasingly difficult to coordinate.

Client/Server Network
In a client/server arrangement, network services are located on a dedicated computer called a server. The server responds to the requests of clients. The server is a central computer that is continuously available to respond to requests from clients for file, print, application, and other services. Most network operating systems adopt the form of a client/server relationship.


Why Another Model?
Although the OSI reference model is universally recognized, the historical and technical open standard of the Internet is Transmission Control Protocol / Internet Protocol (TCP/IP). The U.S. Department of Defense (DoD) created the TCP/IP reference model because it wanted a network that could survive any conditions, even a nuclear war. The TCP/IP reference model and the TCP/IP protocol stack make data communication possible between any two computers, anywhere in the world, at nearly the speed of light.

Don't Confuse the Models
OSI: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical
TCP/IP: Application, Transport, Internet, Network Access

2 Models Side-By-Side
OSI Application, Presentation, Session (7-5) - TCP/IP Application
OSI Transport (4) - TCP/IP Transport
OSI Network (3) - TCP/IP Internet
OSI Data Link, Physical (2-1) - TCP/IP Network Access

The Application Layer
The application layer of the TCP/IP model handles high-level protocols, issues of representation, encoding, and dialog control.

The Transport Layer
The transport layer provides transport services from the source host to the destination host. It constitutes a logical connection between these endpoints of the network. Transport protocols segment and reassemble upper-layer applications into the same data stream between endpoints. The transport layer data stream provides end-to-end transport services.

The Internet Layer
The purpose of the Internet layer is to select the best path through the network for packets to travel. The main protocol that functions at this layer is the Internet Protocol (IP). Best path determination and packet switching occur at this layer.

The Network Access Layer
The network access layer is also called the host-to-network layer. It is the layer that is concerned with all of the issues that an IP packet requires to actually make a physical link to the network media. It includes LAN and WAN details, and all the details contained in the OSI physical and data-link layers. NOTE: ARP & RARP work at both the Internet and Network Access Layers.

Comparing TCP/IP & OSI Models
NOTE: The TCP/IP transport layer using UDP does not always guarantee reliable delivery of packets as the transport layer in the OSI model does.

Introduction to the Transport Layer
The primary duties of the transport layer, Layer 4 of the OSI model, are to transport and regulate the flow of information from the source to the destination, reliably and accurately. End-to-end control and reliability are provided by sliding windows, sequencing numbers, and acknowledgments.

More on The Transport Layer
The transport layer provides transport services from the source host to the destination host. It establishes a logical connection between the endpoints of the network. Transport services include the following basic services:
• Segmentation of upper-layer application data
• Establishment of end-to-end operations
• Transport of segments from one end host to another end host
• Flow control provided by sliding windows
• Reliability provided by sequence numbers and acknowledgments

Flow Control
As the transport layer sends data segments, it tries to ensure that data is not lost. A receiving host that is unable to process data as quickly as it arrives could be a cause of data loss. Flow control avoids the problem of a transmitting host overflowing the buffers in the receiving host.

3-Way Handshake
TCP requires connection establishment before data transfer begins. For a connection to be established or initialized, the two hosts must synchronize their Initial Sequence Numbers (ISNs).

Basic Windowing
Data packets must be delivered to the recipient in the same order in which they were transmitted to have a reliable, connection-oriented data transfer. The protocol fails if any data packets are lost, damaged, duplicated, or received in a different order. An easy solution is to have a recipient acknowledge the receipt of each packet before the next packet is sent.

Sliding Window

Sliding Window with Different Window Sizes

TCP Sequence & Acknowledgement
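The basic windowing, sliding window and sequence/acknowledgement slides above, as an added simulation that is not from the deck: a window of 1 acknowledges every segment before the next is sent, a larger window keeps several segments in flight, and a segment lost on the wire is recovered by resending from the first unacknowledged byte (go-back-N is the assumed recovery rule; segment size and sample data are constructed).

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


@dataclass
class Receiver:
    expected: int = 0                                      # next byte the receiver wants
    buffer: bytearray = field(default_factory=bytearray)   # data delivered in order

    def receive(self, seg: Segment) -> int:
        """Accept only the in-order segment; return the cumulative ACK,
        i.e. the sequence number of the next byte expected."""
        if seg.seq == self.expected:
            self.buffer += seg.payload
            self.expected += len(seg.payload)
        # out-of-order or duplicate segments are discarded; the ACK repeats what we hold
        return self.expected


def transfer(data: bytes, window: int, mss: int = 4,
             drop_once: Optional[Set[int]] = None) -> Tuple[bytes, int, int]:
    """Send `data` in segments of `mss` bytes with at most `window` segments outstanding.
    Each round sends one window and then waits for the acknowledgement, so window=1 is
    the "acknowledge each packet before the next" scheme and larger windows slide.
    `drop_once` holds sequence numbers whose first transmission is lost on the wire.
    Returns (bytes delivered to the receiver, rounds used, segments transmitted)."""
    lost = set(drop_once or ())
    rx = Receiver()
    base = 0                 # oldest unacknowledged byte (left edge of the window)
    rounds = sent = 0
    while base < len(data):
        # fill the window starting at the oldest unacknowledged byte
        in_flight, next_seq = [], base
        while next_seq < len(data) and len(in_flight) < window:
            seg = Segment(next_seq, data[next_seq:next_seq + mss])
            in_flight.append(seg)
            next_seq += len(seg.payload)
        ack = base
        for seg in in_flight:
            sent += 1
            if seg.seq in lost:
                lost.discard(seg.seq)   # lost on its first attempt only
                continue
            ack = rx.receive(seg)
        rounds += 1
        # cumulative ACK: everything before `ack` is safe; the window slides to it and
        # anything after is resent next round, which is how the lost segment is recovered
        base = ack
    return bytes(rx.buffer), rounds, sent


if __name__ == "__main__":
    sample = b"0123456789ABCDEF"   # constructed: 16 bytes = 4 segments of 4
    print("window 1       ", transfer(sample, 1))
    print("window 3       ", transfer(sample, 3))
    print("window 3, loss ", transfer(sample, 3, drop_once={4}))
```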

TCP
Transmission Control Protocol (TCP) is a connection-oriented Layer 4 protocol that provides reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack. In a connection-oriented environment, a connection is established between both ends before the transfer of information can begin. TCP supplies a virtual circuit between end-user applications. TCP is responsible for breaking messages into segments, reassembling them at the destination station, resending anything that is not received, and reassembling messages from the segments. The protocols that use TCP include:
• FTP (File Transfer Protocol)
• HTTP (Hypertext Transfer Protocol)
• SMTP (Simple Mail Transfer Protocol)
• Telnet

TCP Segment Format

UDP
User Datagram Protocol (UDP) is the connectionless transport protocol in the TCP/IP protocol stack. UDP is a simple protocol that exchanges datagrams, without acknowledgments or guaranteed delivery. Error processing and retransmission must be handled by higher layer protocols. UDP uses no windowing or acknowledgments so reliability, if needed, is provided by application layer protocols. UDP is designed for applications that do not need to put sequences of segments together. The protocols that use UDP include:
• TFTP (Trivial File Transfer Protocol)
• SNMP (Simple Network Management Protocol)
• DHCP (Dynamic Host Configuration Protocol)
• DNS (Domain Name System)

UDP Segment Format

Well Known Port Numbers
The following port numbers should be memorized. NOTE: The curriculum forgot to mention one of the most important port numbers. Port 80 is used for HTTP or WWW protocols (essentially access to the internet).

URL

SNMP – Managed Network


Base 2 Number System
10110 (binary) = (1 x 2^4 = 16) + (0 x 2^3 = 0) + (1 x 2^2 = 4) + (1 x 2^1 = 2) + (0 x 2^0 = 0) = 22

Converting Decimal to Binary
Convert 201 (decimal) to binary:
201 / 2 = 100 remainder 1
100 / 2 = 50 remainder 0
50 / 2 = 25 remainder 0
25 / 2 = 12 remainder 1
12 / 2 = 6 remainder 0
6 / 2 = 3 remainder 0
3 / 2 = 1 remainder 1
1 / 2 = 0 remainder 1
When the quotient is 0, take all the remainders in reverse order for your answer: 201 (decimal) = 11001001 (binary)


Network and Host Addressing
Using the IP address of the destination network, a router can deliver a packet to the correct network. When the packet arrives at a router connected to the destination network, the router uses the IP address to locate the particular computer connected to that network. Accordingly, every IP address has two parts.

Network Layer Communication Path
A router forwards packets from the originating network to the destination network using the IP protocol. The packets must include an identifier for both the source and destination networks.

Internet Addresses
IP Addressing is a hierarchical structure. An IP address combines two identifiers into one number. This number must be a unique number, because duplicate addresses would make routing impossible. The first part identifies the system's network address. The second part, called the host part, identifies which particular machine it is on the network.

IP Address Classes
IP addresses are divided into classes to define the large, medium, and small networks. Class A addresses are assigned to larger networks. Class B addresses are used for medium-sized networks, & Class C for small networks.

Identifying Address Classes

Address Class Prefixes
To accommodate different size networks and aid in classifying these networks, IP addresses are divided into groups called classes. This is classful addressing.

Network and Host Division
Each complete 32-bit IP address is broken down into a network part and a host part. A bit or bit sequence at the start of each address determines the class of the address. There are 5 IP address classes.

Class A Addresses
The Class A address was designed to support extremely large networks, with more than 16 million host addresses available. Class A IP addresses use only the first octet to indicate the network address. The remaining three octets provide for host addresses.

Class B Addresses
The Class B address was designed to support the needs of moderate to large-sized networks. A Class B IP address uses the first two of the four octets to indicate the network address. The other two octets specify host addresses.

Class C Addresses
The Class C address space is the most commonly used of the original address classes. This address space was intended to support small networks with a maximum of 254 hosts.

Class D Addresses
The Class D address class was created to enable multicasting in an IP address. A multicast address is a unique network address that directs packets with that destination address to predefined groups of IP addresses. Therefore, a single station can simultaneously transmit a single stream of data to multiple recipients.

Class E Addresses
A Class E address has been defined. However, the Internet Engineering Task Force (IETF) reserves these addresses for its own research. Therefore, no Class E addresses have been released for use in the Internet.

IP Address Ranges
The graphic below shows the IP address range of the first octet both in decimal and binary for each IP address class.

IPv4
As early as 1992, the Internet Engineering Task Force (IETF) identified two specific concerns: exhaustion of the remaining, unassigned IPv4 network addresses, and the increase in the size of Internet routing tables. Over the past two decades, numerous extensions to IPv4 have been developed. Two of the more important of these are subnet masks and classless interdomain routing (CIDR).

Finding the Network Address with ANDing
By ANDing the host address of 192.168.10.2 with 255.255.255.0 (its network mask) we obtain the network address of 192.168.10.0.

Network Address

Broadcast Address

Network/Broadcast Addresses at the Binary Level
An IP address that has binary 0s in all host bit positions is reserved for the network address, which identifies the network. An IP address that has binary 1s in all host bit positions is reserved for the broadcast address, which is used to send data to all hosts on the network. Here are some examples:
Class  Network Address  Broadcast Address
A      100.0.0.0        100.255.255.255
B      150.50.0.0       150.50.255.255
C      200.75.100.0     200.75.100.255

Public IP Addresses
Unique addresses are required for each device on a network. No two machines that connect to a public network can have the same IP address because public IP addresses are global and standardized. All machines connected to the Internet agree to conform to the system. Public IP addresses must be obtained from an Internet service provider (ISP) or a registry at some expense. Originally, an organization known as the Internet Network Information Center (InterNIC) handled this procedure. InterNIC no longer exists and has been succeeded by the Internet Assigned Numbers Authority (IANA).

Private IP Addresses
Private IP addresses are another solution to the problem of the impending exhaustion of public IP addresses. As mentioned, public networks require hosts to have unique IP addresses. However, private networks that are not connected to the Internet may use any host addresses, as long as each host within the private network is unique.

Mixing Public and Private IP Addresses
Private IP addresses can be intermixed, as shown in the graphic, with public IP addresses. This will conserve the number of addresses used for internal connections. Connecting a network using private addresses to the Internet requires translation of the private addresses to public addresses. This translation process is referred to as Network Address Translation (NAT).

Introduction to Subnetting
Subnetting a network means to use the subnet mask to divide the network and break a large network up into smaller, more efficient and manageable segments, or subnets. With subnetting, the network is not limited to the default Class A, B, or C network masks and there is more flexibility in the network design. Subnet addresses include the network portion, plus a subnet field and a host field. The ability to decide how to divide the original host portion into the new subnet and host fields provides addressing flexibility for the network administrator.
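The binary conversions, class test, ANDing, network/broadcast addresses and subnetting from the slides above, as added helper functions that are not from the deck; the leading-bit class rules (0, 10, 110, 1110, 1111) and the usable-host count (block size minus the network and broadcast addresses) are standard classful assumptions rather than values shown on the slides.

```python
def to_binary(n: int, width: int = 8) -> str:
    """Repeated division by 2, remainders read back in reverse order (201 -> 11001001)."""
    remainders = []
    while n > 0:
        n, r = divmod(n, 2)
        remainders.append(str(r))
    return "".join(reversed(remainders)).rjust(width, "0")


def from_binary(bits: str) -> int:
    """Weighted sum of the bit positions (10110 -> 16 + 0 + 4 + 2 + 0 = 22)."""
    return sum(int(b) << i for i, b in enumerate(reversed(bits)))


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return int.from_bytes(bytes(octets), "big")


def int_to_ip(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def ip_to_binary(ip: str) -> str:
    """Dotted binary form of the 32-bit address, one 8-bit field per octet."""
    return ".".join(to_binary(int(o)) for o in ip.split("."))


def address_class(ip: str) -> str:
    """Class from the leading bits of the first octet (assumed classful rule)."""
    first = to_binary(int(ip.split(".")[0]))
    for prefix, cls in (("0", "A"), ("10", "B"), ("110", "C"), ("1110", "D")):
        if first.startswith(prefix):
            return cls
    return "E"


# default masks follow the slides: A uses 1 network octet, B uses 2, C uses 3
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def network_address(ip: str, mask: str) -> str:
    """AND the host address with its mask: every host bit becomes 0."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def broadcast_address(ip: str, mask: str) -> str:
    """OR the address with the inverted mask: every host bit becomes 1."""
    return int_to_ip(ip_to_int(ip) | (~ip_to_int(mask) & 0xFFFFFFFF))


def subnets(network: str, mask: str, subnet_bits: int):
    """Borrow `subnet_bits` from the host field to form a subnet field.
    Returns [(subnet address, broadcast address, usable host count), ...]."""
    prefix = bin(ip_to_int(mask)).count("1") + subnet_bits
    if prefix > 30:
        raise ValueError("not enough host bits left for usable host addresses")
    size = 1 << (32 - prefix)          # addresses per subnet
    base = ip_to_int(network)
    return [(int_to_ip(base + i * size), int_to_ip(base + i * size + size - 1), size - 2)
            for i in range(1 << subnet_bits)]


if __name__ == "__main__":
    host = "192.168.10.2"
    print(host, "=", ip_to_binary(host), "class", address_class(host))
    print("network  ", network_address(host, "255.255.255.0"))
    print("broadcast", broadcast_address(host, "255.255.255.0"))
    for sub, bcast, hosts in subnets("192.168.10.0", "255.255.255.0", 2):
        print(f"{sub:16} {bcast:16} {hosts} hosts")
```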

The 32-Bit Binary IP Address

Numbers That Show Up In Subnet Masks (Memorize Them!)

Addressing with Subnetworks

Obtaining an Internet Address

Static Assignment of an IP Address
Static assignment works best on small networks. The administrator manually assigns and tracks IP addresses for each computer, printer, or server on the intranet. Network printers, application servers, and routers should be assigned static IP addresses.

ARP (Address Resolution Protocol)
Host A broadcasts an ARP Request to all hosts: "What is the hardware address for IP address 128.10.0.4?" Host B, which has IP address 128.10.0.4 and hardware address 080020021545, answers with an ARP Reply carrying that hardware address.
Fig. 32 How does ARP work? (TI1332EU02TI_0004 The Network Layer, 47)

The ARP command
Fig. 33 The ARP command (TI1332EU02TI_0004 The Network Layer, 47)

Proxy-ARP concept
1 Network = 1 Broadcast Domain: A broadcasts an ARP request; host B would reply.
2 Networks = 2 Broadcast Domains: A and B are separated by a router; A broadcasts an ARP request, and no one would reply, because the router does not forward the broadcast.
Fig. 34 Proxy-ARP concept (TI1332EU02TI_0004 The Network Layer, 49)

Proxy ARP: A broadcasts a message to all: "If your IP address matches B then please tell me your Ethernet address." Router R, which knows the destination network, answers on behalf of B: "I take care to forward IP packets to B. Yes, let me give you my Ethernet address."

RARP
Reverse Address Resolution Protocol (RARP) associates a known MAC address with an IP address. A network device, such as a diskless workstation, might know its MAC address but not its IP address. RARP allows the device to make a request to learn its IP address. Devices using RARP require that a RARP server be present on the network to answer RARP requests.

BootP
The bootstrap protocol (BOOTP) operates in a client-server environment and only requires a single packet exchange to obtain IP information. However, unlike RARP, BOOTP packets can include the IP address, as well as the address of a router, the address of a server, and vendor-specific information. One problem with BOOTP, however, is that it was not designed to provide dynamic address assignment. With BOOTP, a network administrator creates a configuration file that specifies the parameters for each device. The administrator must add hosts and maintain the BOOTP database. Even though the addresses are dynamically assigned, there is still a one to one relationship between the number of IP addresses and the number of hosts. This means that for every host on the network there must be a BOOTP profile with an IP address assignment in it. No two profiles can have the same IP address.

DHCP
Dynamic host configuration protocol (DHCP) is the successor to BOOTP. Unlike BOOTP, DHCP allows a host to obtain an IP address dynamically without the network administrator having to set up an individual profile for each device. All that is required when using DHCP is a defined range of IP addresses on a DHCP server. As hosts come online, they contact the DHCP server and request an address. The DHCP server chooses an address and leases it to that host. With DHCP, the entire network configuration of a computer can be obtained in one message. This includes all of the data supplied by the BOOTP message, plus a leased IP address and a subnet mask. The major advantage that DHCP has over BOOTP is that it allows users to be mobile.


Introduction to Routers
A router is a special type of computer. It has the same basic components as a standard desktop PC. However, routers are designed to perform some very specific functions. Just as computers need operating systems to run software applications, routers need the Internetwork Operating System software (IOS) to run configuration files. These configuration files contain the instructions and parameters that control the flow of traffic in and out of the routers. The many parts of a router are shown below:

RAM
Random Access Memory, also called dynamic RAM (DRAM). RAM has the following characteristics and functions:
• Stores routing tables
• Holds ARP cache
• Holds fast-switching cache
• Performs packet buffering (shared RAM)
• Maintains packet-hold queues
• Provides temporary memory for the configuration file of the router while the router is powered on
• Loses content when router is powered down or restarted

NVRAM
Non-Volatile RAM. NVRAM has the following characteristics and functions:
• Provides storage for the startup configuration file
• Retains content when router is powered down or restarted

Flash
Flash memory has the following characteristics and functions:
• Holds the operating system image (IOS)
• Allows software to be updated without removing and replacing chips on the processor
• Retains content when router is powered down or restarted
• Can store multiple versions of IOS software
• Is a type of electronically erasable, programmable ROM (EEPROM)

ROM
Read-Only Memory. ROM has the following characteristics and functions:
• Maintains instructions for power-on self test (POST) diagnostics
• Stores bootstrap program and basic operating system software
• Requires replacing pluggable chips on the motherboard for software upgrades

Interfaces
Interfaces have the following characteristics and functions:
• Connect router to network for frame entry and exit
• Can be on the motherboard or on a separate module
Types of interfaces:
• Ethernet
• Fast Ethernet
• Serial
• Token ring
• ISDN BRI
• Loopback
• Console
• Aux

Internal Components of a 2600 Router

External Components of a 2600 Router

External Connections

Fixed Interfaces
When cabling routers for serial connectivity, the routers will either have fixed or modular ports. The type of port being used will affect the syntax used later to configure each interface. Interfaces on routers with fixed serial ports are labeled for port type and port number.

Modular Serial Port Interfaces
Interfaces on routers with modular serial ports are labeled for port type, slot, and port number. The slot is the location of the module. To configure a port on a modular card, it is necessary to specify the interface using the syntax "port type slot number/port number". Use the label "serial 0/1" when the interface is serial, the slot number where the module is installed is slot 0, and the port that is being referenced is port 1.

Routers & DSL Connections
The Cisco 827 ADSL router has one asymmetric digital subscriber line (ADSL) interface. To connect a router for DSL service, use a phone cable with RJ-11 connectors. DSL works over standard telephone lines using pins 3 and 4 on a standard RJ-11 connector.

Computer/Terminal Console Connection

Modem Connection to Console/Aux Port

HyperTerminal Session Properties

Establishing a HyperTerminal Session
Take the following steps to connect a terminal to the console port on the router: First, connect the terminal using the RJ-45 to RJ-45 rollover cable and an RJ-45 to DB-9 or RJ-45 to DB-25 adapter. Then, configure the terminal or PC terminal emulation software for 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control.

Cisco IOS
Cisco technology is built around the Cisco Internetwork Operating System (IOS), which is the software that controls the routing and switching functions of internetworking devices. A solid understanding of the IOS is essential for a network administrator.

The Purpose of Cisco IOS
As with a computer, a router or switch cannot function without an operating system. Without an operating system, the hardware does not have any capabilities. Cisco calls its operating system the Cisco Internetwork Operating System or Cisco IOS. It is the embedded software architecture in all of the Cisco routers and is also the operating system of the Catalyst switches. The Cisco IOS provides the following network services:
• Basic routing and switching functions
• Reliable and secure access to networked resources
• Network scalability

Router Command Line Interface

Setup Mode
Setup is not intended as the mode for entering complex protocol features in the router. The purpose of the setup mode is to permit the administrator to install a minimal configuration for a router that is unable to locate a configuration from another source. In the setup mode, default answers appear in square brackets [ ] following the question. Press the Enter key to use these defaults. During the setup process, Ctrl-C can be pressed at any time to terminate the process. When setup is terminated using Ctrl-C, all interfaces will be administratively shutdown. When the configuration process is completed in setup mode, the following options will be displayed:
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.
Enter your selection [2]:

Operation of Cisco IOS Software
The Cisco IOS devices have three distinct operating environments or modes:
• ROM monitor
• Boot ROM
• Cisco IOS
The startup process of the router normally loads into RAM and executes one of these operating environments. The configuration register setting can be used by the system administrator to control the default start up mode for the router. To see the IOS image and version that is running, use the show version command, which also indicates the configuration register setting.

IOS File System Overview

Initial Startup of Cisco Routers
A router initializes by loading the bootstrap, the operating system, and a configuration file. If the router cannot find a configuration file, it enters setup mode. Upon completion of the setup mode a backup copy of the configuration file may be saved to nonvolatile RAM (NVRAM). The goal of the startup routines for Cisco IOS software is to start the router operations. To do this, the startup routines must accomplish the following:
• Make sure that the router hardware is tested and functional.
• Find and load the Cisco IOS software.
• Find and apply the startup configuration file or enter the setup mode.
When a Cisco router powers up, it performs a power-on self test (POST). During this self test, the router executes diagnostics from ROM on all hardware modules.

After the POST…
After the POST, the following events occur as the router initializes:
Step 1 The generic bootstrap loader in ROM executes. A bootstrap is a simple set of instructions that tests hardware and initializes the IOS for operation.
Step 2 The IOS can be found in several places. The boot field of the configuration register determines the location to be used in loading the IOS. If the boot field indicates a flash or network load, boot system commands in the configuration file indicate the exact name and location of the image.
Step 3 The operating system image is loaded.
Step 4 The configuration file saved in NVRAM is loaded into main memory and executed one line at a time. The configuration commands start routing processes, supply addresses for interfaces, and define other operating characteristics of the router.
Step 5 If no valid configuration file exists in NVRAM, the operating system searches for an available TFTP server. If no TFTP server is found, the setup dialog is initiated.

Steps in Router Initialization

Router LED Indicators
Cisco routers use LED indicators to provide status information. Depending upon the Cisco router model, the LED indicators will vary. An interface LED indicates the activity of the corresponding interface. If an LED is off when the interface is active and the interface is correctly connected, a problem may be indicated. If an interface is extremely busy, its LED will always be on. The green OK LED to the right of the AUX port will be on after the system initializes correctly.

Enhanced Cisco IOS Commands

The show version Command
The show version command displays information about the Cisco IOS software version that is currently running on the router. This includes the configuration register and the boot field settings. The following information is available from the show version command:
• IOS version and descriptive information
• Bootstrap ROM version
• Boot ROM version
• Router up time
• Last restart method
• System image file and location
• Router platform
• Configuration register setting
Use the show version command to identify router IOS image and boot source. To find out the amount of flash memory, issue the show flash command.

Checking File System Information with show version command


Router User Interface Modes
The Cisco command-line interface (CLI) uses a hierarchical structure. This structure requires entry into different modes to accomplish particular tasks. Each configuration mode is indicated with a distinctive prompt and allows only commands that are appropriate for that mode. As a security feature the Cisco IOS software separates sessions into two access levels, user EXEC mode and privileged EXEC mode. The privileged EXEC mode is also known as enable mode.

Overview of Router Modes

Router Modes

User Mode Commands

Privileged Mode Commands
NOTE: There are many more commands available in privileged mode.

Specific Configuration Modes

CLI Command Modes
All command-line interface (CLI) configuration changes to a Cisco router are made from the global configuration mode. Other more specific modes are entered depending upon the configuration change that is required. Global configuration mode commands are used in a router to apply configuration statements that affect the system as a whole. The following command moves the router into global configuration mode:
Router#configure terminal (or config t)
Router(config)#
When specific configuration modes are entered, the router prompt changes to indicate the current configuration mode. Typing exit from one of these specific configuration modes will return the router to global configuration mode. Pressing Ctrl-Z returns the router all the way back to privileged EXEC mode.

Configuring a Router’s Name
A router should be given a unique name as one of the first configuration tasks. This task is accomplished in global configuration mode using the following commands:
Router(config)#hostname Tokyo
Tokyo(config)#
As soon as the Enter key is pressed, the prompt changes from the default host name (Router) to the newly configured host name (which is Tokyo in the example above).

Setting the Clock with Help

Message Of The Day (MOTD)
A message-of-the-day (MOTD) banner can be displayed on all connected terminals. Enter global configuration mode by using the command config t. Enter the command banner motd # The message of the day goes here #. Save changes by issuing the command copy run start. Because the banner is shown before any login, it should carry the organisation's authorised-use notice and should not reveal the router model, software version or role.

Configuring a Console Password
Passwords restrict access to routers. Passwords are also used to control access to privileged EXEC mode so that only authorized users may make changes to the configuration file. Passwords should always be configured for virtual terminal lines and the console line. The following commands are used to set an optional but recommended password on the console line:
Router(config)#line console 0
Router(config-line)#password <password>
Router(config-line)#login
Note that the line password command stores the password in the configuration in cleartext, where anyone who can read the running configuration (show run) or a saved backup will see it; service password-encryption only obscures it with a reversible encoding. Protect privileged EXEC mode with enable secret, which stores a hash, rather than enable password.

Configuring a Modem Password
If configuring a router via a modem you are most likely connected to the aux port. The method for configuring the aux port is very similar to configuring the console port.
Router(config)#line aux 0
Router(config-line)#password <password>
Router(config-line)#login

Configuring Interfaces
An interface needs an IP Address and a Subnet Mask to be configured. All interfaces are "shutdown" by default. The DCE end of a serial interface needs a clock rate.
Router#config t
Router(config)#interface serial 0/1
Router(config-if)#ip address 200.100.100.25 255.255.255.240
Router(config-if)#clock rate 56000 (required for serial DCE only)
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#int f0/0
Router(config-if)#ip address 150.50.50.75 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Router#
On older routers, Serial 0/1 would be just Serial 1 and f0/0 would be e0. s = serial, e = Ethernet, f = fast Ethernet.

Configuring a Telnet Password
A password must be set on one or more of the virtual terminal (VTY) lines for users to gain remote access to the router using Telnet. Typically Cisco routers support five VTY lines numbered 0 through 4. The following commands are used to set the same password on all of the VTY lines:
Router(config)#line vty 0 4
Router(config-line)#password <password>
Router(config-line)#login
Telnet carries this password, and the whole session, in cleartext across the network. Where the IOS image supports it, use SSH instead and restrict the VTY lines to it with transport input ssh in line configuration mode.

Examining the show Commands
There are many show commands that can be used to examine the contents of files in the router and for troubleshooting. In both privileged EXEC and user EXEC modes, the command show ? provides a list of available show commands. The list is considerably longer in privileged EXEC mode than it is in user EXEC mode.
show interfaces – Displays all the statistics for all the interfaces on the router.
show int s0/1 – Displays statistics for interface Serial 0/1
show controllers serial – Displays information specific to the interface hardware
show clock – Shows the time set in the router
show hosts – Displays a cached list of host names and addresses
show users – Displays all users who are connected to the router
show history – Displays a history of commands that have been entered
show flash – Displays info about flash memory and what IOS files are stored there
show version – Displays info about the router and the IOS that is running in RAM
show ARP – Displays the ARP table of the router
show start – Displays the saved configuration located in NVRAM
show run – Displays the configuration currently running in RAM
show protocol – Displays the global and interface specific status of any configured Layer 3 protocols

The copy run tftp Command

The copy tftp run Command


Ethernet Overview
Ethernet is now the dominant LAN technology in the world. Ethernet is not one technology but a family of LAN technologies. Ethernet specifications support different media, bandwidths, and other Layer 1 and 2 variations. However, the basic frame format and addressing scheme is the same for all varieties of Ethernet. All LANs must deal with the basic issue of how individual stations (nodes) are named, and Ethernet is no exception.

Ethernet and the OSI Model
Ethernet operates in two areas of the OSI model: the lower half of the data link layer, known as the MAC sublayer, and the physical layer.

Ethernet Technologies Mapped to the OSI Model

Layer 2 Framing
Framing is the Layer 2 encapsulation process. A frame is the Layer 2 protocol data unit. The frame format diagram shows different groupings of bits (fields) that perform other functions.

Ethernet and IEEE Frame Formats are Very Similar

Three Common Layer 2 Technologies
Ethernet: uses CSMA/CD; logical bus topology (information flow is on a linear bus) and physical star or extended star (wired as a star).
Token Ring: logical ring topology (information flow is controlled in a ring) and a physical star topology (in other words, it is wired as a star).
FDDI: logical ring topology (information flow is controlled in a ring) and physical dual-ring topology (wired as a dual-ring).

Collision Domains
To move data between one Ethernet station and another, the data often passes through a repeater. All other stations in the same collision domain see traffic that passes through a repeater. A collision domain is then a shared resource. Problems originating in one part of the collision domain will usually impact the entire collision domain.

CSMA/CD Graphic

Backoff
After a collision occurs and all stations allow the cable to become idle (each waits the full interframe spacing), the stations that collided must wait an additional and potentially progressively longer period of time before attempting to retransmit the collided frame. The waiting period is intentionally designed to be random so that two stations do not delay for the same amount of time before retransmitting, which would result in more collisions.


Hierarchical Addressing Using Variable-Length Subnet Masks

Prefix Length and Network Mask
Range of Addresses: 192.168.1.64 through 192.168.1.79
• Have the first 28 bits in common, which is represented by a /28 prefix length
• 28 bits in common can also be represented in dotted decimal as 255.255.255.240
IP Address: 11000000.10101000.00000001.0100xxxx
Network Mask: 11111111.11111111.11111111.11110000
Fourth octet: 64 = 01000000, 65 = 01000001, 66 = 01000010, 67 = 01000011, 68 = 01000100, 69 = 01000101, 70 = 01000110, 71 = 01000111, 72 = 01001000, 73 = 01001001, 74 = 01001010, 75 = 01001011, 76 = 01001100, 77 = 01001101, 78 = 01001110, 79 = 01001111
Binary ones in the network mask represent network bits in the accompanying IP address; binary zeros represent host bits. In the IP network number that accompanies the network mask, when the host bits of the IP network number are:
• All binary zeros, that address is the bottom of the address range
• All binary ones, that address is the top of the address range

Implementing VLSM

Range Of Addresses for VLSM

Breakdown Address Space for Largest Subnet

Breakdown Address Space for Ethernets at Remote Sites

Address Space for Serial Subnets

Calculating VLSM: Binary
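The VLSM procedure of the preceding slides (carve the largest subnet first, then the remote-site Ethernets, then the /30 serial subnets) as a small allocator. This is an added example and not the course's own worked figure; the parent block 192.168.1.0/24 and the four requests (an HQ LAN, a branch LAN and two serial links) are constructed inputs chosen to mirror that procedure.

```python
"""VLSM address plan calculator.

Added example, not part of the course slides: given a parent block and the host
count each subnet must carry, it assigns each subnet the smallest mask that
fits, largest subnets first, the way the course's VLSM worked example proceeds.
The topology (an HQ LAN, a branch LAN and two point-to-point serial links) and
the 192.168.1.0/24 block are constructed inputs.
"""
import ipaddress


def prefix_for_hosts(hosts):
    """Smallest subnet (longest prefix) whose usable hosts (2^h - 2) >= hosts."""
    for prefix in range(30, -1, -1):          # /30 is the smallest with 2 usable hosts
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("no IPv4 subnet can hold %d hosts" % hosts)


def allocate_vlsm(parent_cidr, requests):
    """requests: [(name, hosts_needed), ...]. Returns [(name, cidr, usable_hosts), ...].

    Largest request first keeps every subnet aligned on its own block size,
    so no address space is wasted on alignment padding."""
    parent = ipaddress.ip_network(parent_cidr)
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    plan = []
    for name, hosts in sorted(requests, key=lambda r: r[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        cursor = (cursor + size - 1) // size * size   # align up to the block size
        if cursor + size > end:
            raise ValueError("%s: address space in %s exhausted" % (name, parent_cidr))
        net = ipaddress.ip_network("%s/%d" % (ipaddress.IPv4Address(cursor), prefix))
        plan.append((name, str(net), size - 2))
        cursor += size
    return plan


def check_plan(plan):
    """Sanity check a finished plan: no two allocated subnets may overlap."""
    nets = [ipaddress.ip_network(cidr) for _, cidr, _ in plan]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False
    return True


if __name__ == "__main__":
    requests = [("HQ LAN", 50), ("Branch LAN", 20), ("Serial 1", 2), ("Serial 2", 2)]
    for row in allocate_vlsm("192.168.1.0/24", requests):
        print("%-10s %-18s %d usable hosts" % row)
```

Running it yields 192.168.1.0/26 for the 50-host LAN, 192.168.1.64/27 for the 20-host LAN and 192.168.1.96/30 and 192.168.1.100/30 for the serial links, leaving 192.168.1.104 onwards free; a request that cannot fit raises instead of silently overlapping an earlier subnet.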

Route Summarization and Classless Interdomain Routing

What Is Route Summarization?

Summarizing Within an Octet

Summarizing Addresses in a VLSM-Designed Network

Classless Interdomain Routing
– CIDR is a mechanism developed to alleviate exhaustion of addresses and reduce routing table size.
– Block addresses can be summarized into single entries without regard to the classful boundary of the network number.
– Summarized blocks are installed in routing tables.

What Is CIDR?
• Addresses are the same as in the route summarization figure, except that Class B network 172 has been replaced by Class C network 192.

CIDR Example
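The summarization rule of the last few slides (find the bits all the addresses share, and advertise one prefix of that length) in code, as an added example rather than the course's own figure. The input prefixes are constructed; the second function is the check a practitioner wants before installing a summary, because a single summary can also cover address space that is not behind the advertising router.

```python
"""Route summarization / CIDR supernet calculator.

Added example, not from the course: computes the single summary prefix that
covers a list of networks (the longest run of bits they have in common) and,
because a single summary may also cover address space you do not own,
reports that overcoverage and compares with the exact aggregation the
standard library produces. Input prefixes are constructed for the example.
"""
import ipaddress


def summarize(cidrs):
    """Smallest single CIDR block covering every network in `cidrs`."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    low = min(int(n.network_address) for n in nets)
    high = max(int(n.broadcast_address) for n in nets)
    # Any bit that differs between the lowest and highest address cannot be a
    # network bit, so the common prefix ends where the XOR's top set bit sits.
    prefix = 32 - (low ^ high).bit_length()
    return ipaddress.ip_network("%s/%d" % (ipaddress.IPv4Address(low), prefix),
                                strict=False)


def overcoverage(cidrs):
    """Number of addresses inside summarize(cidrs) that belong to none of the
    inputs (inputs are assumed not to overlap one another)."""
    summary = summarize(cidrs)
    covered = sum(ipaddress.ip_network(c).num_addresses for c in cidrs)
    return summary.num_addresses - covered


def exact_aggregate(cidrs):
    """Aggregation that never overcovers: adjacent blocks are merged into
    larger ones, but gaps are preserved, so the result may be several prefixes."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    contiguous = ["172.16.8.0/24", "172.16.9.0/24", "172.16.10.0/24", "172.16.11.0/24"]
    gapped = ["192.168.1.0/24", "192.168.2.0/24"]
    for group in (contiguous, gapped):
        print(group, "->", summarize(group), "overcovers", overcoverage(group),
              "exact:", exact_aggregate(group))
```

Four consecutive /24s starting on a /22 boundary summarize losslessly to 172.16.8.0/22, whereas 192.168.1.0/24 and 192.168.2.0/24 can only be covered by 192.168.0.0/22, which also claims 192.168.0.0/24 and 192.168.3.0/24. Advertising that summary would attract traffic for address space the router cannot deliver, which is the design point the route-summarization slides make about choosing block boundaries.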


Anatomy of an IP Packet
IP packets consist of the data from upper layers plus an IP header. The IP header consists of the following:

Introducing Routing
Routing is the process that a router uses to forward packets toward the destination network. A router makes decisions based upon the destination IP address of a packet. All devices along the way use the destination IP address to point the packet in the correct direction so that the packet eventually arrives at its destination. In order to make the correct decisions, routers must learn the direction to remote networks.

Configuring Static Routes by Specifying Outgoing Interfaces

Configuring Static Routes by Specifying Next-Hop Addresses

Administrative Distance
The administrative distance is an optional parameter that gives a measure of the reliability of the route. The default administrative distance when using a next-hop address is 1, while the default administrative distance when using the outgoing interface is 0. The range of an AD is 0-255, where smaller numbers are more desirable. You can statically assign an AD as follows:
Router(config)#ip route 172.16.4.0 255.255.255.0 172.16.3.1 130
Sometimes static routes are used for backup purposes. A static route can be configured on a router that will only be used when the dynamically learned route has failed. To use a static route in this manner, simply set the administrative distance higher than that of the dynamic routing protocol being used.

0.0.0.0.0.0 0.0.0.0.0 0.Configuring Default Routes Default routes are used to route packets with destinations that do not match any of the other routes in the routing table.0 [next-hop-address | outgoing interface] This is sometimes referred to as a “Quad-Zero” route.0.16. Example using next hop address: Router(config)#ip route 0.4.0 s0/0 240 .1 Example using the exit interface: Router(config)#ip route 0.0.0.0.0 0.0 172. A default route is actually a special static route that uses this format: ip route 0.

Verifying Static Route Configuration
After static routes are configured it is important to verify that they are present in the routing table and that routing is working as expected. The command show running-config is used to view the active configuration in RAM to verify that the static route was entered correctly. The show ip route command is used to make sure that the static route is present in the routing table.

Troubleshooting Static Route Configuration

Path Determination Graphic

Routing Protocol
Figure: several routers and switches with more than one possible path between them. What is an optimal route?

Routing Protocols
Routing protocols include the following: processes for sharing route information, which allow routers to communicate with other routers to update and maintain the routing tables. Examples of routing protocols that support the IP routed protocol are: RIP, IGRP, OSPF, BGP, and EIGRP.

Routing Protocols

Routed Protocols
Protocols used at the network layer that transfer data from one host to another across a router are called routed or routable protocols. The Internet Protocol (IP) and Novell's Internetwork Packet Exchange (IPX) are examples of routed protocols. Routers use routing protocols to exchange routing tables and share routing information. In other words, routing protocols enable routers to route routed protocols.

Routed Protocols

Autonomous System
An Autonomous System (AS) is a group of IP networks which has a single and clearly defined external routing policy. Exterior Gateway Protocols (EGP) are used for routing between Autonomous Systems; Interior Gateway Protocols (IGP) are used for routing decisions within an Autonomous System. The figure shows three systems, AS 1000, AS 2000 and AS 3000, each running an IGP internally and an EGP between them.
Fig. 48 IGP and EGP (TI1332EU02TI_0004 The Network Layer, 67)

Figure: Interior Gateway Protocol (IGP) inside AS 1000, AS 2000 and AS 3000; Exterior Gateway Protocol (EGP) on the links between the autonomous systems.
Fig. 49 The use of IGP and EGP protocols (TI1332EU02TI_0004 The Network Layer, 67)

IGP and EGP
An autonomous system is a network or set of networks under common administrative control, such as the cisco.com domain.

Categories of Routing Protocols
Most routing algorithms can be classified into one of two categories:
• distance vector
• link-state
The distance vector routing approach determines the direction (vector) and distance to any link in the internetwork. The link-state approach, also called shortest path first, recreates the exact topology of the entire internetwork.

Distance Vector Routing Concepts

Distance Vector Routing (DVR)
Figure: Routers A, B, C and D connected in a chain, with routing information flowing from router to router one hop at a time. A routing table contains the addresses of destinations and the distance of the way to this destination, for example: Destination 192.16.1.0, Distance 1; Destination 192.16.5.0, Distance 1; Destination 192.16.7.0, Distance 2.

Routing Tables Graphic

Distance Vector Topology Changes

Router Metric Components

Distance Vector Routing (DVR)
Figure: the routing tables of Router A, Router B, Router C and Router D after the first exchange of updates, for the networks 192.16.1.0 through 192.16.7.0. Each entry lists the destination network, the distance in hops (0 or 1 at this stage), and how the route was learned: L = locally connected, or the letter of the neighbouring router (A, B, C or D) that advertised it.

Distance Vector Routing (DVR)
Figure: the same four routing tables after further exchanges. Routes two and three hops away now appear, each marked with the neighbour (A, B, C or D) it was learned from, until every router holds an entry for all of 192.16.1.0 through 192.16.7.0.
Fig. 53 Distribution of routing information with distance vector routing protocol (cont.) (TI1332EU02TI_0004 The Network Layer, 71)

RIPv1
Distance Vector Routing Protocol, classful. Distribution of routing tables via broadcast to adjacent routers. Only one kind of metric: number of hops. Connections with different bandwidth cannot be weighted. Routing loops can occur, giving bad convergence in case of a failure. Count to infinity problem (infinity = 16). Maximum network size is limited by the number of hops.
Fig. 59 Properties of RIPv1 (TI1332EU02TI_0004 The Network Layer, 81)

RIP Characteristics

RIP-1 permits only a Single Subnet Mask
Figure: Router A has Port 1 on a /24 subnet of the classful network 130.24.0.0 and Port 2 on another network. Behind Port 1 lie the subnets 130.24.13.0/24, 130.24.14.0/24, 130.24.25.0/24 and 130.24.36.0/24. Because RIP-1 updates carry no subnet mask, Router A can announce them out Port 2 only as the single classful network 130.24.0.0.
Fig. 60 RIP-1 permits only a single subnet mask (TI1332EU02TI_0004 The Network Layer, 83)

Router Configuration
The router command starts a routing process. The network command is required because it enables the routing process to determine which interfaces participate in the sending and receiving of routing updates. An example of a routing configuration is:
GAD(config)#router rip
GAD(config-router)#network 172.16.0.0
The network numbers are based on the network class addresses, not subnet addresses or individual host addresses.

Configuring RIP Example

Verifying RIP Configuration

The debug ip rip Command
Most of the RIP configuration errors involve an incorrect network statement, discontiguous subnets, or split horizons. One highly effective command for finding RIP update issues is the debug ip rip command. The debug ip rip command displays RIP routing updates as they are sent and received. Debugging costs CPU time and console bandwidth on a busy router, so turn it off again with no debug ip rip (or undebug all) as soon as the updates have been inspected.

Problem: Routing Loops
Routing loops can occur when inconsistent routing tables are not updated due to slow convergence in a changing network.

Problem: Counting to Infinity

Solution: Define a Maximum

Solution: Split Horizon

Route Poisoning
Route poisoning is used by various distance vector protocols in order to overcome large routing loops and offer explicit information when a subnet or network is not accessible. This is usually accomplished by setting the hop count to one more than the maximum.

Triggered Updates
New routing tables are sent to neighboring routers on a regular basis. For example, RIP updates occur every 30 seconds. However, a triggered update is sent immediately in response to some change in the routing table. The router that detects a topology change immediately sends an update message to adjacent routers that, in turn, generate triggered updates notifying their adjacent neighbors of the change. When a route fails, an update is sent immediately rather than waiting on the update timer to expire. Triggered updates, used in conjunction with route poisoning, ensure that all routers know of failed routes before any holddown timers can expire.

Triggered Updates Graphic

Solution: Holddown Timers

IGRP
Interior Gateway Routing Protocol (IGRP) is a proprietary protocol developed by Cisco. Some of the IGRP key design characteristics emphasize the following:
• It is a distance vector routing protocol.
• Bandwidth, load, delay and reliability are used to create a composite metric.
• Routing updates are broadcast every 90 seconds.

it lacks support for variable length subnet masks (VLSM). Cisco has 276 built upon IGRP's legacy of success with Enhanced IGRP. Rather than develop an IGRP version 2 to correct this problem. such as: • Holddowns • Split horizons • Poison reverse updates Holddowns Holddowns are used to prevent regular update messages from inappropriately reinstating a route that may not be up. Split horizons Split horizons are derived from the premise that it is usually not useful to send information about a route back in the direction from which it came.IGRP Stability Features IGRP has a number of features that are designed to enhance its stability. Poison reverse updates Split horizons prevent routing loops between adjacent routers. but poison reverse updates are necessary to defeat larger routing loops. Today. IGRP is showing its age. .

Configuring IGRP 277

Routing Metrics Graphics 278

Link State Concepts 279

Link State Topology Changes 280

Link State Routing (LSR)
(Figure: four routers, Router 1 to Router 4, flood link state packets such as "My links to R2 and R4 are up" and "My links to R1 and R3 are up"; after a failure a router reports "my link to R4 is down" or "My link to R2 is down". Each router runs SPF on the received LSPs to build its routing table.)
LSP: link state packet. SPF: shortest path first.
281

Link State Concerns 282

Link State Routing (LSR)
(Figure: five routers A to E with link costs A-B 2, A-C 1, B-D 4, C-D 2, C-E 4 and D-E 1, and the SPF tree each router builds from the database.)
Link State Database (neighbor-cost pairs advertised by each router):
Router A: B-2, C-1
Router B: A-2, D-4
Router C: A-1, D-2, E-4
Router D: C-2, B-4, E-1
Router E: C-4, D-1
283

Link State Routing Features
Link-state algorithms are also known as Dijkstra's algorithm or as SPF (shortest path first) algorithms. Link-state routing algorithms maintain a complex database of topology information. The distance vector algorithms are also known as Bellman-Ford algorithms. They have nonspecific information about distant networks and no knowledge of distant routers. A link-state routing algorithm maintains full knowledge of distant routers and how they interconnect. Link-state routing uses:
• Link-state advertisements (LSAs) – A link-state advertisement (LSA) is a small packet of routing information that is sent between routers.
• Topological database – A topological database is a collection of information gathered from LSAs.
• SPF algorithm – The shortest path first (SPF) algorithm is a calculation performed on the database resulting in the SPF tree.
• Routing tables – A list of the known paths and interfaces.
284

Link State Routing 285

Comparing Routing Methods 286

OSPF (Open Shortest Path First) Protocol 287

OSPF is a Link-State Routing Protocol
– Link-state (LS) routers recognize much more information about the network than their distance-vector counterparts. Consequently, LS routers tend to make more accurate decisions.
– Link-state routers keep track of the following:
• Their neighbours
• All routers within the same area
• Best paths toward a destination
288

Link-State Data Structures
– Neighbor table:
• Also known as the adjacency database (list of recognized neighbors)
– Topology table:
• Typically referred to as LSDB (routers and links in the area or network)
• All routers within an area have an identical LSDB
– Routing table:
• Commonly named a forwarding database (list of best paths to destinations)
289

OSPF vs. RIP
RIP is limited to 15 hops, it converges slowly, and it sometimes chooses slow routes because it ignores critical factors such as bandwidth in route determination. OSPF overcomes these limitations and proves to be a robust and scalable routing protocol suitable for the networks of today.
290

OSPF Terminology
The next several slides explain various OSPF terms, one per slide.
291

OSPF Term: Link 292

OSPF Term: Link State 293

OSPF Term: Area 294

OSPF Term: Link Cost 295

OSPF Term: Forwarding Database 296

OSPF Term: Adjacencies Database 297

OSPF Terms: DR & BDR 298

Link-State Data Structure: Network Hierarchy
• Link-state routing requires a hierarchical network structure that is enforced by OSPF.
• This two-level hierarchy consists of the following:
• Transit area (backbone or area 0)
• Regular areas (nonbackbone areas)
299

OSPF Areas 300

Area Terminology 301

LS Data Structures: Adjacency Database
– Routers discover neighbors by exchanging hello packets.
– Routers declare neighbors to be up after checking certain parameters or options in the hello packet.
– Point-to-point WAN links:
• Both neighbors become fully adjacent.
– LAN links:
• Neighbors form an adjacency with the DR and BDR.
• Maintain two-way state with the other routers (DROTHERs).
– Routing updates and topology information are only passed between adjacent routers.
302

OSPF Adjacencies
Routers build logical adjacencies between each other using the Hello Protocol. Once an adjacency is formed:
• LS database packets are exchanged to synchronize each other's LS databases.
• LSAs are flooded reliably throughout the area or network using these adjacencies.
303

Link State Routing Graphic 304

Open Shortest Path First Calculation
• Routers find the best paths to destinations by applying Dijkstra's SPF algorithm to the link-state database as follows:
– Every router in an area has the identical link-state database.
– Each router in the area places itself into the root of the tree that is built.
– The best path is calculated with respect to the lowest total cost of links to a specific destination.
– Best routes are put into the forwarding database.
305
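The SPF calculation just described, run over the link-state database of slide 283 (router names and link costs are the ones on that slide); this is an added example, not code from the deck or from Cisco. The consistency check lsdb_inconsistencies is this example's own: it flags a link that only one end advertises, which in a converged area (identical LSDB everywhere) points at an LSA that has not been flooded or a link one side sees as down.

```python
# Added example: Dijkstra's SPF over the link-state database of slide 283.
# Router names and link costs come from that slide; the code is not Cisco's.
import heapq

# Link-state database: each router's advertisement lists (neighbor, link cost).
LSDB = {
    "A": [("B", 2), ("C", 1)],
    "B": [("A", 2), ("D", 4)],
    "C": [("A", 1), ("D", 2), ("E", 4)],
    "D": [("C", 2), ("B", 4), ("E", 1)],
    "E": [("C", 4), ("D", 1)],
}


def lsdb_inconsistencies(lsdb):
    """Links one router advertises that the far end does not report with the same cost."""
    problems = []
    for rtr, links in lsdb.items():
        for nbr, cost in links:
            back = dict(lsdb.get(nbr, []))
            if back.get(rtr) != cost:
                problems.append((rtr, nbr, cost, back.get(rtr)))
    return problems


def spf(lsdb, root):
    """Shortest-path tree with `root` at the root: {dest: (total cost, path list)}."""
    dist = {root: 0}
    prev = {}
    heap = [(0, root)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue  # a stale heap entry for a node already settled with a lower cost
        done.add(node)
        for nbr, link_cost in lsdb.get(node, []):
            new_cost = cost + link_cost
            if new_cost < dist.get(nbr, float("inf")):
                dist[nbr] = new_cost
                prev[nbr] = node
                heapq.heappush(heap, (new_cost, nbr))
    tree = {}
    for dest, cost in dist.items():
        path = [dest]
        while path[-1] != root:
            path.append(prev[path[-1]])
        tree[dest] = (cost, path[::-1])
    return tree


def forwarding_table(lsdb, root):
    """What the slide calls the forwarding database: {dest: (cost, next hop)}."""
    return {dest: (cost, path[1])
            for dest, (cost, path) in spf(lsdb, root).items() if dest != root}


if __name__ == "__main__":
    assert not lsdb_inconsistencies(LSDB)
    for rtr in sorted(LSDB):
        print(rtr, forwarding_table(LSDB, rtr))
```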

OSPF Packet Types 306

OSPF Packet Header Format 307

Neighborship 308

Establishing Bidirectional Communication 309

Establishing Bidirectional Communication (Cont.) 310

Establishing Bidirectional Communication (Cont.) 311

Establishing Bidirectional Communication 312

Discovering the Network Routes 313

Discovering the Network Routes 314

Adding the Link-State Entries 315

Adding the Link-State Entries (Cont.) 316

Adding the Link-State Entries 317

Maintaining Routing Information
• Router A notifies all OSPF DRs on 224.0.0.6
318

Maintaining Routing Information (Cont.)
• Router A notifies all OSPF DRs on 224.0.0.6
• DR notifies others on 224.0.0.5
319

Maintaining Routing Information (Cont.)
• Router A notifies all OSPF DRs on 224.0.0.6
• DR notifies others on 224.0.0.5
320

Maintaining Routing Information
• Router A notifies all OSPF DRs on 224.0.0.6
• DR notifies others on 224.0.0.5
321

Configuring Basic OSPF: Single Area
Router(config)# router ospf process-id
• Turns on one or more OSPF routing processes in the IOS software.
Router(config-router)# network address inverse-mask area [area-id]
• Router OSPF subordinate command that defines the interfaces (by network number) that OSPF will run on. Each network number must be defined to a specific area.
322

Configuring OSPF on Internal Routers of a Single Area 323

Verifying OSPF Operation
Router# show ip protocols
• Verifies the configured IP routing protocol processes, parameters and statistics
Router# show ip route ospf
• Displays all OSPF routes learned by the router
Router# show ip ospf interface
• Displays the OSPF router ID, area ID and adjacency information
324

Verifying OSPF Operation (Cont.)
Router# show ip ospf
• Displays the OSPF router ID, timers, and statistics
Router# show ip ospf neighbor [detail]
• Displays information about the OSPF neighbors, including Designated Router (DR) and Backup Designated Router (BDR) information on broadcast networks
325

The show ip route ospf Command
RouterA# show ip route ospf
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP,
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area,
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP,
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
Gateway of last resort is not set
     10.0.0.0 255.255.255.0 is subnetted, 2 subnets
O       10.2.1.0 [110/10] via 10.64.0.2, 00:00:50, Ethernet0

326

The show ip ospf interface Command
RouterA# show ip ospf interface e0
Ethernet0 is up, line protocol is up
  Internet Address 10.64.0.1/24, Area 0
  Process ID 1, Router ID 10.64.0.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 10.64.0.2, Interface address 10.64.0.2
  Backup Designated router (ID) 10.64.0.1, Interface address 10.64.0.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.64.0.2 (Designated Router)
  Suppress hello for 0 neighbor(s)

327

The show ip ospf neighbor Command
RouterB# show ip ospf neighbor
Neighbor ID     Pri   State      Dead Time   Address      Interface
10.64.1.1        1    FULL/BDR   00:00:31    10.64.1.1    Ethernet0
10.2.1.1         1    FULL/ -    00:00:38    10.2.1.1     Serial0

328

show ip protocol

show ip route

329

show ip ospf neighbor detail

show ip ospf database

330

OSPF Network Types - 1

331

Point-to-Point Links

• Usually a serial interface running either PPP or HDLC
• May also be a point-to-point subinterface running Frame Relay or ATM
• No DR or BDR election required
• OSPF autodetects this interface type
• OSPF packets are sent using multicast 224.0.0.5
332

Multi-access Broadcast Network

• Generally LAN technologies like Ethernet and Token Ring
• DR and BDR selection required
• All neighbor routers form full adjacencies with the DR and BDR only
• Packets to the DR use 224.0.0.6
• Packets from DR to all other routers use 224.0.0.5
333

Electing the DR and BDR

• Hello packets are exchanged via IP multicast.
• The router with the highest OSPF priority is selected as the DR.
• Use the OSPF router ID as the tie breaker.
• The DR election is nonpreemptive.
334

Setting Priority for DR Election
Router(config-if)# ip ospf priority number

• This interface configuration command assigns the OSPF priority to an interface.
• Different interfaces on a router may be assigned different values.
• The default priority is 1. The range is from 0 to 255.
• 0 means the router is a DROTHER; it can't be the DR or BDR.
335
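The election rules of slides 334-335 applied to the router IDs that appear in the debug output on slide 338, as an added example (not Cisco code). The model is a deliberate simplification of OSPF's election: it keeps an existing DR and BDR (non-preemptive), promotes the BDR when the DR disappears, and otherwise picks by priority with the router ID as tie-breaker; the Router class and elect function are this example's own.

```python
# Added example: simplified DR/BDR election following slides 334-335. Not Cisco code and
# not the full RFC 2328 state machine; router IDs are those shown on slide 338.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    router_id: str      # dotted-quad OSPF router ID
    priority: int = 1   # ip ospf priority: default 1, range 0-255, 0 = never DR or BDR

    def key(self):
        # Highest priority wins; the numerically highest router ID is the tie-breaker.
        return (self.priority, int(ipaddress.ip_address(self.router_id)))


def elect(routers, current_dr=None, current_bdr=None):
    """Return (dr, bdr) as router IDs; None where nobody is eligible.

    routers: Router objects currently visible on the segment (two-way state).
    current_dr/current_bdr: IDs already holding the role. The election is
    non-preemptive: they keep it while still present and eligible, and the
    backup steps up if the DR is gone.
    """
    present = {r.router_id: r for r in routers}
    eligible = [r for r in routers if r.priority > 0]
    if not eligible:
        return None, None
    if current_dr in present and present[current_dr].priority > 0:
        dr = present[current_dr]
    elif current_bdr in present and present[current_bdr].priority > 0:
        dr = present[current_bdr]          # the BDR takes over when the DR disappears
    else:
        dr = max(eligible, key=Router.key)
    others = [r for r in eligible if r is not dr]
    if not others:
        return dr.router_id, None
    if (current_bdr in present and present[current_bdr] is not dr
            and present[current_bdr].priority > 0):
        bdr = present[current_bdr]
    else:
        bdr = max(others, key=Router.key)
    return dr.router_id, bdr.router_id


if __name__ == "__main__":
    segment = [Router("192.168.0.10"), Router("192.168.0.11"), Router("192.168.0.12")]
    print(elect(segment))  # all priority 1, so the highest router ID becomes DR
```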

OSPF Network Types - 2

336

Creation of Adjacencies
RouterA# debug ip ospf adj
Point-to-point interfaces coming up: No election
%LINK-3-UPDOWN: Interface Serial1, changed state to up
OSPF: Interface Serial1 going Up
OSPF: Rcv hello from 192.168.0.11 area 0 from Serial1 10.1.1.2
OSPF: End of hello processing
OSPF: Build router LSA for area 0, router ID 192.168.0.10
OSPF: Rcv DBD from 192.168.0.11 on Serial1 seq 0x20C4 opt 0x2 flag 0x7 len 32 state INIT
OSPF: 2 Way Communication to 192.168.0.11 on Serial1, state 2WAY
OSPF: Send DBD to 192.168.0.11 on Serial1 seq 0x167F opt 0x2 flag 0x7 len 32
OSPF: NBR Negotiation Done. We are the SLAVE
OSPF: Send DBD to 192.168.0.11 on Serial1 seq 0x20C4 opt 0x2 flag 0x2 len 72
337

Creation of Adjacencies (Cont.)
RouterA# debug ip ospf adj
Ethernet interface coming up: Election
OSPF: 2 Way Communication to 192.168.0.10 on Ethernet0, state 2WAY
OSPF: end of Wait on interface Ethernet0
OSPF: DR/BDR election on Ethernet0
OSPF: Elect BDR 192.168.0.12
OSPF: Elect DR 192.168.0.12
      DR: 192.168.0.12 (Id)   BDR: 192.168.0.12 (Id)
OSPF: Send DBD to 192.168.0.12 on Ethernet0 seq 0x546 opt 0x2 flag 0x7 len 32
<…>
OSPF: DR/BDR election on Ethernet0
OSPF: Elect BDR 192.168.0.11
OSPF: Elect DR 192.168.0.12
      DR: 192.168.0.12 (Id)   BDR: 192.168.0.11 (Id)
338

339

Overview
Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco-proprietary routing protocol based on Interior Gateway Routing Protocol (IGRP). Unlike IGRP, which is a classful routing protocol, EIGRP supports CIDR and VLSM. Compared to IGRP, EIGRP boasts faster convergence times, improved scalability, and superior handling of routing loops. Furthermore, EIGRP can replace Novell Routing Information Protocol (RIP) and AppleTalk Routing Table Maintenance Protocol (RTMP), serving both IPX and AppleTalk networks with powerful efficiency. EIGRP is often described as a hybrid routing protocol, offering the best of distance vector and link-state algorithms.
340

Comparing EIGRP with IGRP
IGRP and EIGRP are compatible with each other. Enabling dissimilar routing protocols such as OSPF and RIP to share information requires advanced configuration. Redistribution, the sharing of routes, is automatic between IGRP and EIGRP as long as both processes use the same autonomous system (AS) number. EIGRP offers multiprotocol support, but IGRP does not. EIGRP and IGRP use different metric calculations. EIGRP scales the metric of IGRP by a factor of 256. IGRP has a maximum hop count of 255. EIGRP has a maximum hop count limit of 224.
341

EIGRP & IGRP Metric Calculation 342

Comparing EIGRP with IGRP 343

Comparing EIGRP with IGRP 344

EIGRP Concepts & Terminology
EIGRP routers keep route and topology information readily available in RAM, so they can react quickly to changes. Like OSPF, EIGRP saves this information in several tables and databases. EIGRP saves routes that are learned in specific ways. Routes are given a particular status and can be tagged to provide additional useful information. EIGRP maintains three tables:
• Neighbor table
• Topology table
• Routing table
345

Neighbor Table
The neighbor table is the most important table in EIGRP. Each EIGRP router maintains a neighbor table that lists adjacent routers. This table is comparable to the adjacency database used by OSPF. There is a neighbor table for each protocol that EIGRP supports. When a neighbor sends a hello packet, it advertises a hold time. The hold time is the amount of time a router treats a neighbor as reachable and operational. In other words, if a hello packet is not heard within the hold time, then the hold time expires. When the hold time expires, the Diffusing Update Algorithm (DUAL), which is the EIGRP distance vector algorithm, is informed of the topology change and must recalculate the new topology.
346

Topology Table
The topology table is made up of all the EIGRP routing tables in the autonomous system. DUAL takes the information supplied in the neighbor table and the topology table and calculates the lowest cost routes to each destination. The information that the router learns from the DUAL is used to determine the successor route, which is the term used to identify the primary or best route. A copy is also placed in the topology table. Every EIGRP router maintains a topology table for each configured network protocol. All learned routes to a destination are maintained in the topology table. By tracking this information, EIGRP routers can identify and switch to alternate routes quickly.
347

Routing Table
The EIGRP routing table holds the best routes to a destination. This information is retrieved from the topology table. Each EIGRP router maintains a routing table for each network protocol. A successor is a route selected as the primary route to use to reach a destination. DUAL identifies this route from the information contained in the neighbor and topology tables and places it in the routing table. There can be up to four successor routes for any particular route. These can be of equal or unequal cost and are identified as the best loop-free paths to a given destination. A copy of the successor routes is also placed in the topology table. A feasible successor (FS) is a backup route. These routes are identified at the same time the successors are identified, but they are only kept in the topology table. Multiple feasible successors for a destination can be retained in the topology table although it is not mandatory.
348

EIGRP Data Structure
Like OSPF, EIGRP relies on different types of packets to maintain its various tables and establish complex relationships with neighbor routers. The five EIGRP packet types are:
• Hello
• Acknowledgment
• Update
• Query
• Reply
EIGRP relies on hello packets to discover, verify, and rediscover neighbor routers. Rediscovery occurs if EIGRP routers do not receive hellos from each other for a hold time interval but then re-establish communication. EIGRP routers send hellos at a fixed but configurable interval, called the hello interval. The default hello interval depends on the bandwidth of the interface. On IP networks, EIGRP routers send hellos to the multicast IP address 224.0.0.10.
349

Default Hello Intervals and Hold Times for EIGRP 350

EIGRP Algorithm
The sophisticated DUAL algorithm results in the exceptionally fast convergence of EIGRP. Each router constructs a topology table that contains information about how to route to a destination network. Each topology table identifies the following:
• The routing protocol or EIGRP
• The lowest cost of the route, which is called Feasible Distance
• The cost of the route as advertised by the neighboring router, which is called Reported Distance
The Topology heading identifies the preferred primary route, called the successor route (Successor), and, where identified, the backup route, called the feasible successor (FS). Note that it is not necessary to have an identified feasible successor.
351

FS Route Selection Rules 352

DUAL Example 353

Configuring EIGRP 354

Configuring EIGRP Summarization
EIGRP automatically summarizes routes at the classful boundary. This is the boundary where the network address ends, as defined by class-based addressing. This means that even though RTC is connected only to the subnet 2.1.1.0, it will advertise that it is connected to the entire Class A network, 2.0.0.0. In most cases auto summarization is beneficial because it keeps routing tables as compact as possible.
355

Configuring EIGRP no-summary
However, automatic summarization may not be the preferred option in certain instances. To turn off auto-summarization, use the following command:
router(config-router)#no auto-summary
356

Configuring EIGRP Summary Addresses Manually
With EIGRP, a summary address can be manually configured by configuring a prefix network. Manual summary routes are configured on a per-interface basis.
router(config-if)#ip summary-address eigrp autonomous-system-number ip-address mask administrative-distance
EIGRP summary routes have an administrative distance of 5 by default. In the graphic below, RTC can be configured using the commands shown:
RTC(config)#router eigrp 2446
RTC(config-router)#no auto-summary
RTC(config-router)#exit
RTC(config)#interface serial 0/0
RTC(config-if)#ip summary-address eigrp 2446 2.1.0.0 255.255.0.0
357

Verifying the EIGRP Configuration
To verify the EIGRP configuration a number of show and debug commands are available. These commands are shown on the next few slides.
358

show ip eigrp neighbors
show ip eigrp interfaces
359

show ip eigrp topology
show ip eigrp topology [active | pending | successors]
360

show ip eigrp topology all-links
show ip eigrp traffic
361

Administrative Distances 362

Classful and Classless Routing Protocols 363

364

What are ACLs?
ACLs are lists of conditions that are applied to traffic traveling across a router's interface. These lists tell the router what types of packets to accept or deny. Acceptance and denial can be based on specified conditions. ACLs can be created for all routed network protocols, such as Internet Protocol (IP) and Internetwork Packet Exchange (IPX). ACLs can be configured at the router to control access to a network or subnet. Some ACL decision points are source and destination addresses, protocols, and upper-layer port numbers. ACLs must be defined on a per-protocol, per-direction, or per-port basis.
365

Reasons to Create ACLs
The following are some of the primary reasons to create ACLs:
• Limit network traffic and increase network performance.
• Provide traffic flow control.
• Provide a basic level of security for network access.
• Decide which types of traffic are forwarded or blocked at the router interfaces. For example: Permit e-mail traffic to be routed, but block all telnet traffic.
• Allow an administrator to control what areas a client can access on a network.
If ACLs are not configured on the router, all packets passing through the router will be allowed onto all parts of the network.
366

ACLs Filter Traffic Graphic

367

How ACLs Filter Traffic

368

One List per Port, per Destination, per Protocol...

369

How ACLs work.

370

Creating ACLs
ACLs are created in the global configuration mode. There are many different types of ACLs including standard, extended, IPX, AppleTalk, and others. When configuring ACLs on a router, each ACL must be uniquely identified by assigning a number to it. This number identifies the type of access list created and must fall within the specific range of numbers that is valid for that type of list. Since IP is by far the most popular routed protocol, additional ACL numbers have been added to newer router IOSs.
Standard IP: 1300-1999
Extended IP: 2000-2699
371

The access-list command

372

The ip access-group command

{ in | out }

373

ACL Example

374

Basic Rules for ACLs
These basic rules should be followed when creating and applying access lists:
• One access list per protocol per direction.
• Standard IP access lists should be applied closest to the destination.
• Extended IP access lists should be applied closest to the source.
• Use the inbound or outbound interface reference as if looking at the port from inside the router.
• Statements are processed sequentially from the top of the list to the bottom until a match is found; if no match is found then the packet is denied.
• There is an implicit deny at the end of all access lists. This will not appear in the configuration listing.
• Access list entries should filter in the order from specific to general. Specific hosts should be denied first, and groups or general filters should come last.
• Never work with an access list that is actively applied.
• New lines are always added to the end of the access list.
• A no access-list x command will remove the whole list. It is not possible to selectively add and remove lines with numbered ACLs.
• Outbound filters do not affect traffic originating from the local router.
375

Wildcard Mask Examples
Five examples follow that demonstrate how a wildcard mask can be used to permit or deny certain IP addresses, or IP address ranges. While subnet masks start with binary 1s and end with binary 0s, wildcard masks are the reverse, meaning they typically start with binary 0s and end with binary 1s. In the examples that follow Cisco has chosen to represent the binary 1s in the wildcard masks with Xs to focus on the specific bits being shown in each example. You will see that while subnet masks were ANDed with IP addresses, wildcard masks are ORed with IP addresses.
376

Wildcard Mask Example #1 377

Wildcard Mask Example #2 378

Wildcard Mask Example #3 379

Wildcard Mask Example #4 - Even IPs 380

Wildcard Mask Example #5 - Odd IP#s 381

The any and host Keywords 382

Verifying ACLs
There are many show commands that will verify the content and placement of ACLs on the router. The show access-lists command displays the contents of all ACLs on the router. show access-list 1 shows just access-list 1. The show running-config command will also reveal the access lists on a router and the interface assignment information. The show ip interface command displays IP interface information and indicates whether any ACLs are set.
383

Standard ACLs
Standard ACLs check the source address of IP packets that are routed. The comparison will result in either permit or deny access for an entire protocol suite, based on the network, subnet, and host addresses. The standard version of the access-list global configuration command is used to define a standard ACL with a number in the range of 1 to 99 (also from 1300 to 1999 in recent IOS). If there is no wildcard mask, the default mask is used, which is 0.0.0.0. (This only works with Standard ACLs and is the same thing as using host.) The full syntax of the standard ACL command is:
Router(config)#access-list access-list-number {deny | permit} source [source-wildcard] [log]
The no form of this command is used to remove a standard ACL. This is the syntax:
Router(config)#no access-list access-list-number
384

Extended ACLs
Extended ACLs are used more often than standard ACLs because they provide a greater range of control. Extended ACLs check the source and destination packet addresses as well as being able to check for protocols and port numbers. Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000 to 2699 in recent IOS). The syntax for the extended ACL statement can get very long and often will wrap in the terminal window. The wildcards also have the option of using the host or any keywords in the command. At the end of the extended ACL statement, additional precision is gained from a field that specifies the optional Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. Logical operations may be specified, such as equal (eq), not equal (neq), greater than (gt), and less than (lt), that the extended ACL will perform on specific protocols.
385

Extended ACL Syntax 386

Well Known Port Numbers
Don't forget that WWW or HTTP is 80
387

Extended ACL Example
This extended ACL will allow people in network 200.50.100.0 to surf the internet, but not allow any other protocols like email, ftp, etc.
access-list 101 permit tcp 200.50.100.0 0.0.0.255 any eq 80
or
access-list 101 permit tcp 200.50.100.0 0.0.0.255 any eq www
or
access-list 101 permit tcp 200.50.100.0 0.0.0.255 any eq http
NOTE: Just like all Standard ACLs end with an implicit "deny any", all Extended ACLs end with an implicit "deny ip any any" which means deny the entire internet from anywhere to anywhere.
388

ip access-group
The ip access-group command links an existing standard or extended ACL to an interface. Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is:
Router(config-if)#ip access-group access-list-number {in | out}
389

Named ACLs
IP named ACLs were introduced in Cisco IOS Software Release 11.2, allowing standard and extended ACLs to be given names instead of numbers. The advantages that a named access list provides are:
• Intuitively identify an ACL using an alphanumeric name.
• Eliminate the limit of 798 simple and 799 extended ACLs.
• Named ACLs provide the ability to modify ACLs without deleting them completely and then reconfiguring them.
Named ACLs are not compatible with Cisco IOS releases prior to Release 11.2. The same name may not be used for multiple ACLs.
390

Named ACL Example 391

Placing ACLs
The general rule is to put the extended ACLs as close as possible to the source of the traffic denied. Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible. For example, in the graphic a standard ACL should be placed on Fa0/0 of Router D to prevent traffic from Router A.
392

393

Permitting a Single Host
Router(config)# access-list 1 permit 200.50.100.23 0.0.0.0
or
Router(config)# access-list 1 permit host 200.50.100.23
or
Router(config)# access-list 1 permit 200.50.100.23
(The implicit "deny any" ensures that everyone else is denied.)
Router(config)# int e0
Router(config-if)# ip access-group 1 in
or
Router(config-if)# ip access-group 1 out
394

Denying a Single Host
Router(config)# access-list 1 deny 200.50.100.23 0.0.0.0
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
or
Router(config)# access-list 1 deny host 200.50.100.23
Router(config)# access-list 1 permit any
(The implicit "deny any" is still present, but totally irrelevant.)
Router(config)# int e0
Router(config-if)# ip access-group 1 in
or
Router(config-if)# ip access-group 1 out
395

Permitting a Single Network
Class C
Router(config)# access-list 1 permit 200.50.100.0 0.0.0.255
or
Class B
Router(config)# access-list 1 permit 150.75.0.0 0.0.255.255
or
Class A
Router(config)# access-list 1 permit 13.0.0.0 0.255.255.255
(The implicit "deny any" ensures that everyone else is denied.)
Router(config)# int e0
Router(config-if)# ip access-group 1 in
or
Router(config-if)# ip access-group 1 out
396

Denying a Single Network
Class C
Router(config)# access-list 1 deny 200.50.100.0 0.0.0.255
Router(config)# access-list 1 permit any
or
Class B
Router(config)# access-list 1 deny 150.75.0.0 0.0.255.255
Router(config)# access-list 1 permit any
or
Class A
Router(config)# access-list 1 deny 13.0.0.0 0.255.255.255
Router(config)# access-list 1 permit any
(The implicit "deny any" is still present, but totally irrelevant.)
397

50.48 0.100.0.50.50.50.0.50.50.100.15 or subtract 200.48 from 200.0.63 to get 0.50.16-31 2nd Usable Subnet address range it 200.255.32-47 3rd Usable Subnet address range it 200.100.0.0.0.15 398 (The implicit “deny any” ensures that everyone else is denied.0/28 Desired Subnet: 3rd Process: 32-28=4 2^4 = 16 1st Usable Subnet address range it 200.48-63 Subnet Mask is 255.100.100.Permitting a Class C Subnet Network Address/Subnet Mask: 200.240 Inverse Mask is 0.) .15 Router(config)# access-list 1 permit 200.255.100.100.

0.68.0.68.72.64-95 Subnet Mask is 255.64 0.72.72.0/27 Undesired Subnet: 2nd Process: 32-27=5 2^5=32 1st Usable Subnet address range it 192.64 from 192.0.255.31 Router(config)# access-list 1 deny 192.31 or subtract 192.0.) .224 Inverse Mask is 0.31 Router(config)# access-list 1 permit any 399 (The implicit “deny any” is still present.0. but totally irrelevant.72.68.95 to get 0.68.72.255.0.68.Denying a Class C Subnet Network Address/Subnet Mask: 192.72.68.32-63 2nd Usable Subnet address range it 192.

0.255.255.0 Inverse Mask is 0.255 400 (The implicit “deny any” ensures that everyone else is denied.255 or subtract 150.129.0.75.0-255 Subnet Mask is 255.Permitting a Class B Subnet Network Address/Subnet Mask: 150.75.) .129. 129th Usable Subnet address range it 150.255 to get 0.255 Router(config)# access-list 1 permit 150.0.75.129.75.0 from 150.75.0/24 Desired Subnet: 129th Process: Since exactly 8 bits are borrowed the 3rd octet will denote the subnet number.0 0.129.0.0.0.0.

0-160.0-160.0.0/22 Undesired Subnet: 50th Process: 32-22=10 (more than 1 octet) 10-8=2 2^2=4 1st Usable Subnet address range it 160.8.0 0.88.88.0.4.255.0 from 160.255 or subtract 160.255 Router(config)# access-list 1 deny 160.88.0 Inverse Mask is 0.88.3.255 to get 0.255 50 * 4 = 200 50th subnet is 160.0.88.88.203.11.255 2nd Usable Subnet address range it 160.88.0.88.88.252.203.7.0-160.3.255 Subnet Mask is 255.200.Denying a Class B Subnet Network Address/Subnet Mask: 160.3.255 401 Router(config)# access-list 1 permit any .200.88.200.

Permitting a Class A Subnet Network Address/Subnet Mask: 111.0-111.0.0.31.0.0.208.240.255 Subnet Mask is 255.15.) 402 .208.0 from 111.255 13*16=208 13th Usable Subnet address range is 111.223.0.255 Router(config)# access-list 1 permit 111.208.255.223.255 (The implicit “deny any” ensures that everyone else is denied.0-111.255.0 Inverse Mask is 0.255 to get 0.0 0.255.255.15.255 or subtract 111.255.15.0/12 Desired Subnet: 13th Process: 32-12=20 20-16=4 2^4=16 1st Usable Subnet address range is 111.16.255.0.0.

44.255 255th Usable Subnet address range is 40.255 Router(config)# access-list 1 permit any 403 .1.0.1.0-40.1.244.255 300th Usable Subnet address range is 40.0.255.1.1.1.0.1.0 0 0.244.255.0-40.0.255 Router(config)# access-list 1 deny 40.44.0.0.0.Denying a Class A Subnet Network Address/Subnet Mask: 40.0/24 Undesired Subnet: 500th Process: Since exactly 16 bits were borrowed the 2nd and 3rd octet will denote the subnet.255 500th Usable Subnet address range is 40.0.244.0-40.255 256th Usable Subnet address range is 40. 1st Usable Subnet address range is 40.0.1.0.1.0-40.0-40.
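The "Process" steps of slides 398-403 carried out in code, as an added example that is not part of the deck and not Cisco code. It reproduces the deck's numbering, where subnet n is the nth block of the chosen size above the all-zeros subnet (the 3rd /28 of 200.50.100.0 is .48, the 50th /22 of 160.88.0.0 is 160.88.200.0), derives the inverse mask both ways the slides show (complement of the subnet mask, and last address minus first), and emits the access-list line plus the "permit any" a deny needs; the function names are this example's own.

```python
# Added example: nth-subnet and inverse-mask arithmetic from slides 398-403. Not Cisco
# code; the numbering convention (subnet n = n blocks above subnet zero) is the deck's.
import ipaddress


def classful_prefix(address):
    """Prefix length of the classful network an address belongs to (A=/8, B=/16, C=/24)."""
    first_octet = int(address) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{address} is not a class A, B or C address")


def nth_subnet(network, n):
    """The deck's "nth usable subnet" of `network` (e.g. "200.50.100.0/28", n=3)."""
    net = ipaddress.ip_network(network)
    if n < 1:
        raise ValueError("subnet numbers start at 1")
    size = net.num_addresses                     # 2 ** (32 - prefix), e.g. 16 for a /28
    start = int(net.network_address) + n * size  # 3rd /28 -> .48, as on slide 398
    classful = ipaddress.ip_network((int(net.network_address),
                                     classful_prefix(net.network_address)))
    if start + size - 1 > int(classful.broadcast_address):
        raise ValueError(f"subnet {n} lies outside the classful network {classful}")
    return ipaddress.ip_network((start, net.prefixlen))


def wildcard_mask(subnet):
    """Inverse mask: bitwise complement of the subnet mask within 32 bits."""
    return ipaddress.ip_address(0xFFFFFFFF ^ int(subnet.netmask))


def wildcard_by_subtraction(subnet):
    """The deck's cross-check: last address of the subnet minus its first address."""
    return ipaddress.ip_address(int(subnet.broadcast_address) - int(subnet.network_address))


def standard_acl(acl_number, action, network, n):
    """Standard ACL lines permitting or denying the nth subnet, as on slides 398-403.

    A deny must be followed by an explicit 'permit any'; otherwise the implicit deny
    at the end of the list drops everything else as well.
    """
    subnet = nth_subnet(network, n)
    assert wildcard_mask(subnet) == wildcard_by_subtraction(subnet)  # both methods agree
    lines = [f"access-list {acl_number} {action} {subnet.network_address} {wildcard_mask(subnet)}"]
    if action == "deny":
        lines.append(f"access-list {acl_number} permit any")
    return lines


if __name__ == "__main__":
    for network, n, action in [("200.50.100.0/28", 3, "permit"), ("160.88.0.0/22", 50, "deny")]:
        print("\n".join(standard_acl(1, action, network, n)))
```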

404 .

100.100.26 access-list 1 permit host 200.50.98 access-list 1 permit host 200.100.Permit 200.100.50.100.24 access-list 1 permit host 200.50.27 access-list 1 permit host 200.50.24-100 Plan A access-list 1 permit host 200.100 This would get very tedious! 405 .100.50.50.100.50.50.28 : : : : : : : : access-list 1 permit host 200.50.100.100.100.99 access-list 1 permit host 200.25 access-list 1 permit host 200.100.50.96 access-list 1 permit host 200.97 access-list 1 permit host 200.50.

Permit 200.50.100.24-100, Plan B
access-list 1 permit 200.50.100.24 0.0.0.7 (24-31)
access-list 1 permit 200.50.100.32 0.0.0.31 (32-63)
access-list 1 permit 200.50.100.64 0.0.0.31 (64-95)
access-list 1 permit 200.50.100.96 0.0.0.3 (96-99)
access-list 1 permit host 200.50.100.100 (100)
(The implicit "deny any" ensures that everyone else is denied.)
Each statement covers a block of addresses whose start is aligned to the block size, and the wildcard mask is one less than the block size.

Permit 200.50.100.16-127, Plan A
access-list 1 permit 200.50.100.16 0.0.0.15 (16-31)
access-list 1 permit 200.50.100.32 0.0.0.31 (32-63)
access-list 1 permit 200.50.100.64 0.0.0.63 (64-127)
(The implicit "deny any" ensures that everyone else is denied.)

Permit 200.50.100.16-127, Plan B
access-list 1 deny 200.50.100.0 0.0.0.15 (0-15)
access-list 1 permit 200.50.100.0 0.0.0.127 (0-127)
First we make sure that addresses 0-15 are denied. Then we can permit any address in the range 0-127. Since only the first matching statement in an ACL is applied, an address in the range 0-15 will be denied by the first statement before it has a chance to be permitted by the second. (The implicit "deny any" ensures that everyone else is denied.)
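Plan B on both slides above is an instance of a general procedure: split an address range into the fewest aligned blocks, each expressible as one address/wildcard pair, and rely on first-match order for anything the blocks cannot express cleanly. The Python below is an added example for this page, not code from the original slides; it derives the Plan B statements for both ranges, checks that they permit exactly the intended hosts and nothing else in the /24, and evaluates the deny-then-permit ordering of the second Plan B with the first-match rule and the implicit deny. Function names are my own.

```python
import ipaddress


def wildcard_match(ip: str, address: str, wildcard: str) -> bool:
    """IOS comparison: wildcard bits set to 1 are ignored, bits set to 0 must match."""
    i, a, w = (int(ipaddress.IPv4Address(x)) for x in (ip, address, wildcard))
    return (i & ~w) == (a & ~w)


def aligned_blocks(first: str, last: str) -> list:
    """Split the inclusive range first..last into the fewest (address, wildcard) pairs.

    Each block starts at an address aligned to its size, which is what Plan B does by hand.
    """
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    blocks = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned and does not overshoot the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return blocks


def render(blocks, number: int = 1, action: str = "permit") -> list:
    """Turn (address, wildcard) pairs into standard ACL statements; single hosts use the host form."""
    lines = []
    for address, wildcard in blocks:
        if wildcard == "0.0.0.0":
            lines.append(f"access-list {number} {action} host {address}")
        else:
            lines.append(f"access-list {number} {action} {address} {wildcard}")
    return lines


def first_match(rules, ip: str, default: str = "deny") -> str:
    """Evaluate a standard ACL given as (action, address, wildcard) tuples in order.

    The first matching statement wins; the implicit deny applies when none matches.
    """
    for action, address, wildcard in rules:
        if wildcard_match(ip, address, wildcard):
            return action
    return default


def covers_exactly(blocks, first: str, last: str) -> bool:
    """True if the blocks permit every address in first..last and nothing else in that /24."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    rules = [("permit", address, wildcard) for address, wildcard in blocks]
    base = lo & ~0xFF
    for n in range(base, base + 256):
        ip = str(ipaddress.IPv4Address(n))
        if (first_match(rules, ip) == "permit") != (lo <= n <= hi):
            return False
    return True


if __name__ == "__main__":
    for first, last in (("200.50.100.24", "200.50.100.100"), ("200.50.100.16", "200.50.100.127")):
        blocks = aligned_blocks(first, last)
        print("\n".join(render(blocks)), "->", "exact" if covers_exactly(blocks, first, last) else "WRONG")
```

`covers_exactly` is the check worth running before any hand-written wildcard ACL goes live: it enumerates the /24 and catches both gaps and over-permits, which a visual review of wildcard masks easily misses.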

Permit 200.50.100.1, .5, .13, .29, .42, .77
Sometimes a group of addresses has no pattern and the best way to deal with them is individually.
access-list 1 permit host 200.50.100.1
access-list 1 permit host 200.50.100.5
access-list 1 permit host 200.50.100.13
access-list 1 permit host 200.50.100.29
access-list 1 permit host 200.50.100.42
access-list 1 permit host 200.50.100.77
(The implicit "deny any" ensures that everyone else is denied.)


255.255 0.0.0 255.0 0.0.0 0.0.0.50.255 or access-list 101 permit ip 200.255 any Implicit deny ip any any 411 .0.100.255.0.50.Permit Source Network access-list 101 permit ip 200.100.

Deny Source Network
access-list 101 deny ip 200.50.100.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
or
access-list 101 deny ip 200.50.100.0 0.0.0.255 any
access-list 101 permit ip any any
Implicit deny ip any any is present but irrelevant.

Permit Destination Network
access-list 101 permit ip 0.0.0.0 255.255.255.255 200.50.100.0 0.0.0.255
or
access-list 101 permit ip any 200.50.100.0 0.0.0.255
Implicit deny ip any any

Deny Destination Network
access-list 101 deny ip 0.0.0.0 255.255.255.255 200.50.100.0 0.0.0.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
or
access-list 101 deny ip any 200.50.100.0 0.0.0.255
access-list 101 permit ip any any
Implicit deny ip any any is present but irrelevant.

Permit one Source Network to another Destination Network
Assume the only traffic you want is traffic from network 200.50.100.0 to network 150.75.0.0.
access-list 101 permit ip 200.50.100.0 0.0.0.255 150.75.0.0 0.0.255.255
Implicit deny ip any any
To allow 2-way traffic between the networks add this statement:
access-list 101 permit ip 150.75.0.0 0.0.255.255 200.50.100.0 0.0.0.255

Deny one Source Network to another Destination Network
Assume you want to allow all traffic EXCEPT from network 200.50.100.0 to network 150.75.0.0.
access-list 101 deny ip 200.50.100.0 0.0.0.255 150.75.0.0 0.0.255.255
access-list 101 permit ip any any
To deny 2-way traffic between the networks add this statement, placed before the permit so that it can be reached:
access-list 101 deny ip 150.75.0.0 0.0.255.255 200.50.100.0 0.0.0.255

Deny FTP
Assume you do not want anyone FTPing on the network.
access-list 101 deny tcp any any eq 21
access-list 101 permit ip any any
or
access-list 101 deny tcp any any eq ftp
access-list 101 permit ip any any
Port 21 is the FTP control connection; the data connection uses port 20 or a negotiated high port, but without the control connection no transfer can be set up.

Deny Telnet
Assume you do not want anyone telnetting on the network.
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
or
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any

Deny Web Surfing
Assume you do not want anyone surfing the internet.
access-list 101 deny tcp any any eq 80
access-list 101 permit ip any any
or
access-list 101 deny tcp any any eq www
access-list 101 permit ip any any
You can also use http instead of www. Note that this blocks only port 80; HTTPS on port 443 and web servers on other ports are still reachable.

Complicated Example #1
Suppose you have the following conditions:
• No one from network 200.50.100.0 is allowed to FTP anywhere
• Only hosts from network 150.75.0.0 may telnet to network 50.100.0.0
• Subnetwork 100.50.0.0/24 is not allowed to surf the internet
access-list 101 deny tcp 200.50.100.0 0.0.0.255 any eq 21
access-list 101 permit tcp 150.75.0.0 0.0.255.255 50.100.0.0 0.0.255.255 eq 23
access-list 101 deny tcp any any eq 23
access-list 101 deny tcp 100.50.0.0 0.0.0.255 any eq 80
access-list 101 permit ip any any
The telnet permit must come before the telnet deny: only the first matching statement is applied.

100.0.50.0 0.50. You wish to place no restriction on other protocols like web surfing.100. port 25 • User Check Email Protocol: POP3.255 200.0.0.0 0.100.0.50.0.255.255 eq 110 access-list 101 deny tcp any any smtp access-list 101 deny tcp any any pop3 421 access-list 101 permit ip any any .50. ftp.75.0.255 eq 25 access-list 101 permit tcp 150. port 110 This example assumes the your Email server is at addresses 200.50.0.255 200.0. etc.0. You want to permit Email only between your network and network 150.100.0 0.255 150. telnet. • Email server send/receive Protocol: SMTP.0 0.75.0 0.Complicated Example #2 Suppose you are the admin of network 200.0.255 eq 25 access-list 101 permit tcp 200.0.0 0.0.255.75.0.50.0.100.25 access-list 101 permit tcp 200.0.100.

NAT: Network Address Translator
Fig. 3 NAT (TI1332EU02TI_0003 New Address Concepts, 7)

New addressing concepts
Problems with IPv4: shortage of IPv4 addresses. Allocation of the last IPv4 addresses is forecasted for the year 2005. Address classes were replaced by usage of CIDR, but this is not sufficient.
Short term solution: NAT, Network Address Translator.
Long term solution: IPv6 = IPng (IP next generation), which provides an extended address range.
Fig. 2 Address shortage and possible solutions (TI1332EU02TI_0003 New Address Concepts, 5)

NAT: Network Address Translator
NAT translates between local addresses and public ones. Many private hosts share few global addresses.
Private Network: uses a private address range (local addresses). Local addresses may not be used externally.
Public Network: uses public addresses. Public addresses are globally unique.
Fig. 4 How does NAT work? (TI1332EU02TI_0003 New Address Concepts, 9)

Fig. 5 Translation mechanism (TI1332EU02TI_0003 New Address Concepts, 9): addresses in the realm with private addresses that are to be translated are mapped by the NAT router onto a reserved pool of addresses in the realm with public addresses; addresses marked "exclude" on either side are not translated.

A timeout value (default 15 min) instructs NAT how long to keep an association in an idle state before returning the external IP address to the free NAT pool.
Fig. 8 How does NAT know when to return the public IP address to the pool? (TI1332EU02TI_0003 New Address Concepts, 15)

NAT Addressing Terms
• Inside Local ("private address")
– The term "inside" refers to an address used for a host inside an enterprise. It is the actual IP address assigned to a host in the private enterprise network.
• Inside Global ("public address")
– NAT uses an inside global address to represent the inside host as the packet is sent through the outside network, typically the Internet.
– A NAT router changes the source IP address of a packet sent by an inside host from an inside local address to an inside global address as the packet goes from the inside to the outside network.

NAT Addressing Terms
• Outside Global
– The term "outside" refers to an address used for a host outside an enterprise, typically the Internet.
– An outside global address is the actual IP address assigned to a host that resides in the outside network.
• Outside Local
– NAT uses an outside local address to represent the outside host as the packet is sent through the private enterprise network.
– A NAT router changes a packet's destination IP address, sent from an outside global address to an inside host, as the packet goes from the outside to the inside network.

Fig. 7 An example for NAT (TI1332EU02TI_0003 New Address Concepts, 13): Router A performs NAT between LAN Net A (private 10.0.0.0 addresses) and the WAN towards LAN Net B (192.50.20.0). A packet from an inside host leaves Net A with its private 10.x source address and enters the WAN with the source address rewritten to the public address 193.50.47.10; the destination address in Net B is unchanged.

Fig. 11 An example for NAPT (TI1332EU02TI_0003 New Address Concepts, 21), NAT with WAN interface 138.76.29.7: inside host 10.0.0.10 on Net A (10.0.0.0/8) sends SA = 10.0.0.10, DA = 138.76.28.4; the NAT router forwards it as SA = 138.76.29.7, DA = 138.76.28.4. The reply SA = 138.76.28.4, DA = 138.76.29.7 is translated back to DA = 10.0.0.10 before it is delivered on Net A.

Types Of NAT
• There are different types of NAT that can be used, which are
– Static NAT
– Dynamic NAT
– Overloading NAT with PAT (NAPT)

Static NAT
• With static NAT, the NAT router simply configures a one-to-one mapping between the private address and the registered address that is used on its behalf.

Static NAT

Dynamic NAT
• Like static NAT, the NAT router creates a one-to-one mapping between an inside local and inside global address and changes the IP addresses in packets as they exit and enter the inside network.
• However, the mapping of an inside local address to an inside global address happens dynamically.

Dynamic NAT
• Dynamic NAT sets up a pool of possible inside global addresses and defines criteria for the set of inside local IP addresses whose traffic should be translated with NAT.
• The dynamic entry in the NAT table stays in there as long as traffic flows occasionally.
• If a new packet arrives, and it needs a NAT entry, but all the pooled IP addresses are in use, the router simply discards the packet.

PAT: Port Address Translator
Fig. 9 NAPT (TI1332EU02TI_0003 New Address Concepts, 17)

Fig. 11 An example for NAPT (TI1332EU02TI_0003 New Address Concepts, 21), NAPT with WAN interface 138.76.29.7: inside host 10.0.0.10 on Net A (10.0.0.0/8) sends SA = 10.0.0.10, sport = 3017, DA = 138.76.28.4, dport = 23. The NAPT router forwards it as SA = 138.76.29.7, sport = 1024, DA = 138.76.28.4, dport = 23 and records the mapping 10.0.0.10:3017 <-> 138.76.29.7:1024. The reply SA = 138.76.28.4, sport = 23, DA = 138.76.29.7, dport = 1024 is translated back to DA = 10.0.0.10, dport = 3017.

Fig. 10 NAPT (TI1332EU02TI_0003 New Address Concepts, 19): PAT with e.g. a single public IP address. In the private IP network (e.g. SOHO) each connection is identified by its local IP address and local TU (TCP/UDP) port number; on the WAN side it is mapped to the single registered IP address and an assigned TU port number taken from a pool of TU port numbers.
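The timeout, pool exhaustion and port-mapping behaviour of the NAT slides above (the idle timeout that returns an address to the free pool, the packet discarded when the pool is empty, and the 10.0.0.10:3017 to 138.76.29.7:1024 mapping of Fig. 11) can be traced in a small table simulation. The Python below is an added example written for this page, not code from the figure source or from Cisco; the class name, the sequential assignment of TU ports from 1024 and the sample addresses borrowed from the figures are my own choices, and time is passed in as a plain second counter so the timeout can be exercised deterministically.

```python
import itertools
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, Optional[int]]   # (inside local address, local port or None for plain NAT)


class NatRouter:
    """Toy NAT table: dynamic NAT (one global address per inside host) or, with
    overload=True, NAPT/PAT (one global address, one assigned port per flow)."""

    def __init__(self, pool: List[str], overload: bool = False, timeout: int = 15 * 60):
        self.free = list(pool)                  # inside global addresses not in use
        self.overload = overload
        self.timeout = timeout                  # idle seconds before an entry is released
        self.table: Dict[Key, Tuple[str, int]] = {}   # key -> (inside global, global port)
        self.last_seen: Dict[Key, int] = {}
        self.ports = itertools.count(1024)      # assigned TU ports for PAT, as in Fig. 11

    def _expire(self, now: int) -> None:
        """Release entries idle for `timeout` seconds; dynamic NAT returns the address to the pool."""
        for key, seen in list(self.last_seen.items()):
            if now - seen >= self.timeout:
                global_addr, _ = self.table.pop(key)
                del self.last_seen[key]
                if not self.overload:
                    self.free.append(global_addr)

    def _key(self, local: str, port: int) -> Key:
        return (local, port) if self.overload else (local, None)

    def translate_out(self, local: str, sport: int, now: int) -> Optional[Tuple[str, int]]:
        """Inside -> outside: return the rewritten (source address, source port), or None
        when the packet is discarded because the pool is exhausted."""
        self._expire(now)
        key = self._key(local, sport)
        if key not in self.table:
            if self.overload:
                self.table[key] = (self.free[0], next(self.ports))
            elif self.free:
                self.table[key] = (self.free.pop(0), sport)   # address leaves the free pool
            else:
                return None                                   # pool exhausted: discard
        self.last_seen[key] = now
        return self.table[key]

    def translate_in(self, global_addr: str, dport: int, now: int) -> Optional[Tuple[str, int]]:
        """Outside -> inside: return the rewritten (destination address, destination port)
        from an existing entry, or None when there is none and the packet is dropped."""
        self._expire(now)
        for key, (g, gport) in self.table.items():
            if g == global_addr and (not self.overload or gport == dport):
                self.last_seen[key] = now
                local, lport = key
                return local, (lport if self.overload else dport)
        return None                                           # unsolicited inbound traffic


if __name__ == "__main__":
    pat = NatRouter(["138.76.29.7"], overload=True)
    print(pat.translate_out("10.0.0.10", 3017, 0))     # ('138.76.29.7', 1024)
    print(pat.translate_in("138.76.29.7", 1024, 1))    # ('10.0.0.10', 3017)
    print(pat.translate_in("138.76.29.7", 5000, 1))    # None: no entry, dropped
```

The last line is the property that makes NAT behave like a crude stateful filter: an inbound packet is only forwarded when an inside host created the entry first, so the `translate_in` return value of `None` is the correct outcome for unsolicited traffic and not an error.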

Static NAT Configuration
• To form the NAT table (one inside local address mapped to one inside global address):
Router(config)# ip nat inside source static [inside local address] [inside global address]
• Mark the interfaces NAT translates between; packets are only translated when they cross from an inside interface to an outside interface, so both must be marked:
Router(config)# interface [Ethernet x/y]
Router(config-if)# ip nat inside
Router(config)# interface [Serial x/y]
Router(config-if)# ip nat outside
• See Example

Dynamic NAT Configuration
• Specify the pool of inside global addresses:
Router(config)# ip nat pool [NAT Pool Name] [First inside global address] [Last inside global address] netmask [subnet mask]
• Specify the inside addresses to be translated, selected by a standard access list:
Router(config)# access-list [standard Access List number] permit [inside network] [wildcard mask]
Router(config)# ip nat inside source list [standard Access List number] pool [NAT Pool Name]
• Mark the inside and outside interfaces:
Router(config)# interface [Ethernet x/y]
Router(config-if)# ip nat inside
Router(config)# interface [Serial x/y]
Router(config-if)# ip nat outside
• See Example

PAT Configuration
• Specify the PAT pool (with overload a single address is enough):
Router(config)# ip nat pool [NAT Pool Name] [First inside global address] [Last inside global address] netmask [subnet mask]
• Specify the inside addresses to be translated; the overload keyword turns on port translation so many inside hosts share the pool addresses:
Router(config)# ip nat inside source list [standard Access List number] pool [NAT Pool Name] overload
Alternatively, overload the address of the outside interface itself instead of a pool:
Router(config)# ip nat inside source list [standard Access List number] interface [Serial x/y] overload
• Mark the inside and outside interfaces:
Router(config)# interface [Ethernet x/y]
Router(config-if)# ip nat inside
Router(config)# interface [Serial x/y]
Router(config-if)# ip nat outside
• See Example


Ethernet Access with Hubs

Ethernet Access with Bridges

Ethernet Access with Switches

Today's LAN

Full Duplex Transmitting
Full-duplex Ethernet allows the transmission of a packet and the reception of a different packet at the same time. This simultaneous transmission and reception requires the use of two pairs of wires in the cable and a switched connection between each node. This connection is considered point-to-point and is collision free. Shared Ethernet usually can only use 50%-60% of the available 10 Mbps of bandwidth because of collisions and latency. Full-duplex Ethernet offers 100% of the bandwidth in both directions, which produces a potential 20 Mbps throughput. The full-duplex Ethernet switch takes advantage of the two pairs of wires in the cable by creating a direct connection between the transmit (TX) at one end of the circuit and the receive (RX) at the other end.

Why Segment LANs?

Collision Domains

Segmentation with Bridges

Segmentation with Routers

Segmentation with Switches

Basic Operations of a Switch
Switching is a technology that decreases congestion in Ethernet, Token Ring, and FDDI LANs. Switching accomplishes this by reducing traffic and increasing bandwidth. LAN switches are often used to replace shared hubs and are designed to work with existing cable infrastructures. Switching equipment performs the following two basic operations:
• Switching data frames
• Maintaining switching operations

Switching Methods
1. Store-and-Forward
The entire frame is received before any forwarding takes place. Filters are applied before the frame is forwarded. Most reliable, and also most latency, especially when frames are large.
2. Cut-Through
The frame is forwarded through the switch before the entire frame is received. At a minimum the frame destination address must be read before the frame can be forwarded. This mode decreases the latency of the transmission, but also reduces error detection.
3. Fragment-Free
Fragment-free switching filters out collision fragments before forwarding begins. In a properly functioning network, collision fragments must be smaller than 64 bytes. Anything 64 bytes or larger is a valid frame and is usually received without error. Collision fragments are the majority of packet errors.

Frame Transmission Modes

Benefits of Switching

How Switches and Bridges Learn Addresses
Bridges and switches learn in the following ways:
• Reading the source MAC address of each received frame or datagram
• Recording the port on which the MAC address was received
In this way, the bridge or switch learns which addresses belong to the devices connected to each port.

CAM: Content Addressable Memory
CAM is used in switch applications:
• To take out and process the address information from incoming data packets
• To compare the destination address with a table of addresses stored within it
The CAM stores host MAC addresses and associated port numbers. The CAM compares the received destination MAC address against the CAM table contents. If the comparison yields a match, the port is provided, and switching control forwards the packet to the correct port and address.

Shared vs. Dedicated Bandwidth
If a hub is used, bandwidth is shared between all devices connected to the hub. If a switch is used, bandwidth is dedicated. If a workstation or server is directly connected to a switch port, then the full bandwidth of the connection to the switch is available to the connected computer. If a hub is connected to a switch port, bandwidth is shared between all devices on that hub.

Microsegmentation of a Network

Microsegmentation

3 Methods of Communication

Switches & Broadcast Domains
When two switches are connected, the broadcast domain is increased. This happens because all devices in the broadcast domain must receive and process the broadcast frame. The overall result is a reduction in available bandwidth. Routers are Layer 3 devices. Routers do not propagate broadcasts. Routers are used to segment both collision and broadcast domains.

Broadcast Domain

Overview
To design reliable, manageable, and scalable networks, a network designer must realize that each of the major components of a network has distinct design requirements. Good network design will improve performance and also reduce the difficulties associated with network growth and evolution. The design of larger LANs includes identifying the following:
• An access layer that connects end users into the LAN
• A distribution layer that provides policy-based connectivity between end-user LANs
• A core layer that provides the fastest connection between the distribution points
Each of these LAN design layers requires switches that are best suited for specific tasks.

The Access Layer
The access layer is the entry point for user workstations and servers to the network. In a campus LAN the device used at the access layer can be a switch or a hub. Layer 2 switches are used in the access layer. Access layer functions also include MAC layer filtering and microsegmentation.

Access Layer Switches
Access layer switches operate at Layer 2 of the OSI model. The main purpose of an access layer switch is to allow end users into the network. An access layer switch should provide this functionality with low cost and high port density. The following Cisco switches are commonly used at the access layer:
• Catalyst 1900 series
• Catalyst 2820 series
• Catalyst 2950 series
• Catalyst 4000 series
• Catalyst 5000 series

The Distribution Layer
The distribution layer of the network is between the access and core layers. Networks are segmented into broadcast domains by this layer. Policies can be applied and access control lists can filter packets. The distribution layer isolates network problems to the workgroups in which they occur. The distribution layer also prevents these problems from affecting the core layer. Switches in this layer operate at Layer 2 and Layer 3.

Distribution Layer Switches
The distribution layer switch must have high performance. The distribution layer switch is a point at which a broadcast domain is delineated. It combines VLAN traffic and is a focal point for policy decisions about traffic flow. For these reasons distribution layer switches operate at both Layer 2 and Layer 3 of the OSI model. Switches in this layer are referred to as multilayer switches. These multilayer switches combine the functions of a router and a switch in one device. The following Cisco switches are suitable for the distribution layer:
• Catalyst 2926G
• Catalyst 5000 family
• Catalyst 6000 family

The Core Layer
The core layer is a high-speed switching backbone. This layer of the network design should not perform any packet manipulation. Packet manipulation, such as access list filtering, would slow down the process. Providing a core infrastructure with redundant alternate paths gives stability to the network in the event of a single device failure. The core can be designed to use Layer 2 or Layer 3 switching. Asynchronous Transfer Mode (ATM) or Ethernet switches can be used.

Core Layer Switches
The switches in this layer can make use of a number of Layer 2 technologies. Provided that the distance between the core layer switches is not too great, the switches can use Ethernet technology. In a network design, the core layer can be a routed, or Layer 3, core. Core layer switches are designed to provide efficient Layer 3 functionality when needed. Factors such as need, cost, and performance should be considered before a choice is made. The following Cisco switches are suitable for the core layer:
• Catalyst 6500 series
• Catalyst 8500 series
• IGX 8400 series
• Lightstream 1010


Physical Startup of the Catalyst Switch
Switches are dedicated, specialized computers, which contain a CPU, RAM, and an operating system. Switches usually have several ports for the purpose of connecting hosts, as well as specialized ports for the purpose of management. A switch can be managed by connecting to the console port to view and make changes to the configuration. Switches typically have no power switch to turn them on and off. They simply connect or disconnect from a power source. Several switches from the Cisco Catalyst 2950 series are shown in the graphic to the right.

Switch LED Indicators
The front panel of a switch has several lights to help monitor system activity and performance. These lights are called light-emitting diodes (LEDs). The switch has the following LEDs:
• System LED
• Remote Power Supply (RPS) LED
• Port Mode LED
• Port Status LEDs
The System LED shows whether the system is receiving power and functioning correctly. The RPS LED indicates whether or not the remote power supply is in use. The Mode LEDs indicate the current state of the Mode button. The Port Status LEDs have different meanings, depending on the current value of the Mode LED.

Verifying Port LEDs During Switch POST
Once the power cable is connected, the switch initiates a series of tests called the power-on self test (POST). POST runs automatically to verify that the switch functions correctly. The System LED indicates the success or failure of POST.

Connecting a Switch to a Computer

Examining Help in the Switch CLI
The command-line interface (CLI) for Cisco switches is very similar to the CLI for Cisco routers. The help command is issued by entering a question mark (?). When this command is entered at the system prompt, a list of commands available for the current command mode is displayed. The help command is very flexible and essentially functions the same way it does in a router CLI, because it provides applicable keywords or arguments based on a partial command. This form of help is called command syntax help.

Switch Command Modes
Switches have several command modes. The default mode is User EXEC mode, which ends in a greater-than character (>). The commands available in User EXEC mode are limited to those that change terminal settings, perform basic tests, and display system information. The enable command is used to change from User EXEC mode to Privileged EXEC mode, which ends in a pound-sign character (#). The configure command allows other command modes to be accessed.

Show Commands in User-Exec Mode

Setting Switch Hostname
Setting Passwords on Lines


Overview
Redundancy in a network is extremely important because redundancy allows networks to be fault tolerant. Redundant topologies based on switches and bridges are susceptible to broadcast storms, multiple frame transmissions, and MAC address database instability. Therefore network redundancy requires careful planning and monitoring to function properly. The Spanning-Tree Protocol is used in switched networks to create a loop free logical topology from a physical topology that has loops.

Redundant Switched Topologies
Networks with redundant paths and devices allow for more network uptime. In the graphic, if Switch A fails, traffic can still flow from Segment 2 to Segment 1 and to the router through Switch B. If port 1 fails on Switch A then traffic can still flow through port 1 on Switch B. Switches learn the MAC addresses of devices on their ports so that data can be properly forwarded to the destination. Switches will flood frames for unknown destinations until they learn the MAC addresses of the devices. A redundant switched topology may cause broadcast storms, multiple frame copies, and MAC address table instability problems.

Broadcast Storms
Broadcasts and multicasts can cause problems in a switched network. Broadcast and multicast frames are flooded out all ports, except the one on which the frame was received. Multicasts are treated as broadcasts by the switches. In a redundant topology the switches continue to propagate broadcast traffic over and over. This is called a broadcast storm. This will continue until one of the switches is disconnected. The network will appear to be down or extremely slow.

Multiple Frame Transmissions
In a redundant switched network it is possible for an end device to receive multiple frames. Assume that the MAC address of Router Y has been timed out by both switches. Also assume that Host X still has the MAC address of Router Y in its ARP cache and sends a unicast frame to Router Y. The router receives the frame because it is on the same segment as Host X. Switch A does not have the MAC address of Router Y and will therefore flood the frame out its ports. Switch B also does not know which port Router Y is on. Switch B then floods the frame it received, causing Router Y to receive multiple copies of the same frame. This is a cause of unnecessary processing in all devices.

MAC Database Instability
A switch can incorrectly learn that a MAC address is on one port, when it is actually on a different port. In this example the MAC address of Router Y is not in the MAC address table of either switch. Host X sends a frame directed to Router Y. Switches A and B learn the MAC address of Host X on port 0. The frame to Router Y is flooded out port 1 of both switches. Each switch then receives the other switch's flooded copy on its own port 1 and incorrectly learns the MAC address of Host X on port 1. When Router Y sends a frame to Host X, the switches have incorrectly learned that Host X is on port 1 and send the frame out the wrong port.
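To make the learning, flooding and loop behaviour of the last slides concrete, here is an added example that is not part of the original slides. It models a switch with a CAM table (learn the source on the ingress port, forward known unicasts to one port, flood unknown unicasts and broadcasts, never send back out the ingress port) and then replays the Host X to Router Y scenario on two parallel switches: once with the loop intact, which produces duplicate deliveries and a flapping CAM entry, and once with one redundant port left unattached, as STP would block it. Switch, segment and MAC names are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Transparent bridge/switch: learns source MACs per port (the CAM table),
    forwards known unicasts to one port, floods unknown unicasts and broadcasts."""

    def __init__(self, name: str, ports: List[int]):
        self.name = name
        self.ports = list(ports)
        self.cam: Dict[str, int] = {}      # MAC address -> port
        self.moves = 0                     # times a learned MAC changed ports (instability)

    def receive(self, port: int, src: str, dst: str) -> List[int]:
        """Learn `src` on `port`, then return the egress ports for the frame."""
        if src in self.cam and self.cam[src] != port:
            self.moves += 1
        self.cam[src] = port
        if dst != BROADCAST and dst in self.cam:
            out = self.cam[dst]
            return [] if out == port else [out]        # known: forward, or filter if same segment
        return [p for p in self.ports if p != port]    # unknown or broadcast: flood


Segments = Dict[int, List[Tuple[Switch, int]]]         # segment -> attached (switch, port) pairs


def segment_of(segments: Segments, switch: Switch, port: int) -> Optional[int]:
    """Segment a switch port is attached to; None when the port is not attached (blocked)."""
    for seg, members in segments.items():
        if (switch, port) in members:
            return seg
    return None


def simulate(segments: Segments, frames: List[Tuple[int, str, str]], max_steps: int = 50):
    """Deliver frames on shared segments; every switch attached to a segment receives them.

    Returns (copies delivered per segment, True if frames were still circulating at the cap).
    """
    queue = [(seg, src, dst, None) for seg, src, dst in frames]
    delivered = {seg: 0 for seg in segments}
    steps = 0
    while queue and steps < max_steps:
        seg, src, dst, sender = queue.pop(0)
        delivered[seg] += 1
        steps += 1
        for switch, port in segments[seg]:
            if switch is sender:
                continue                              # a switch does not hear its own transmission
            for out_port in switch.receive(port, src, dst):
                out_seg = segment_of(segments, switch, out_port)
                if out_seg is not None:
                    queue.append((out_seg, src, dst, switch))
    return delivered, bool(queue)


def redundant_example(block_b_port_1: bool):
    """Two switches in parallel between Segment 1 (Host X, Router Y) and Segment 2.

    Host X sends one unicast to Router Y before either switch has learned Router Y.
    Returns (deliveries per segment, still circulating, CAM moves on both switches).
    """
    a, b = Switch("A", [0, 1]), Switch("B", [0, 1])
    segments: Segments = {
        1: [(a, 0), (b, 0)],
        2: [(a, 1)] if block_b_port_1 else [(a, 1), (b, 1)],
    }
    delivered, circulating = simulate(segments, [(1, "host-x", "router-y")])
    return delivered, circulating, a.moves + b.moves


if __name__ == "__main__":
    print("with loop:   ", redundant_example(block_b_port_1=False))
    print("port blocked:", redundant_example(block_b_port_1=True))
```

Router Y never answers in this scenario, so with the loop intact the unicast to an unlearned address circulates indefinitely (the simulation stops at `max_steps`); blocking a single redundant port is enough to make the same frame reach each segment exactly once and leave the CAM tables stable.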

Using Bridging Loops for Redundancy

Logical Loop Free Topology Created with STP

NOTE: Don’t confuse Spanning Tree Protocol (STP) with Shielded Twisted Pair (STP). 506 .

Spanning Tree Protocol - 1
Ethernet bridges and switches can implement the IEEE 802.1D Spanning-Tree Protocol and use the spanning-tree algorithm to construct a loop free shortest path network. Shortest path is based on cumulative link costs. Link costs are based on the speed of the link.

Spanning Tree Protocol - 2
The Spanning-Tree Protocol establishes a root node, called the root bridge/switch. The Spanning-Tree Protocol constructs a topology that has one path for reaching every network node. The resulting tree originates from the root bridge/switch. Links that will cause a loop are put into a blocking state, allowing the formation of a loop free logical topology. The Spanning-Tree Protocol requires network devices to exchange messages to detect bridging loops. The message that a switch sends is called a Bridge Protocol Data Unit (BPDU).

Selecting the Root Bridge
The first decision that all switches in the network make is to identify the root bridge. The position of the root bridge in a network will affect the traffic flow. When a switch is turned on, the spanning-tree algorithm is used to identify the root bridge. BPDUs are sent out with the Bridge ID (BID). The BID consists of a bridge priority that defaults to 32768 and the switch base MAC address. When a switch first starts up, it assumes it is the root switch and sends BPDUs. These BPDUs contain the switch MAC address in both the root and sender BID. All bridges see these and decide that the bridge with the smallest BID value will be the root bridge. As a switch receives a BPDU with a lower root BID it replaces that in the BPDUs that are sent out. A network administrator may want to influence the decision by setting the switch priority to a smaller value than the default.

BPDUs
BPDUs contain enough information so that all switches can do the following:
• Select a single switch that will act as the root of the spanning tree
• Calculate the shortest path from itself to the root switch
• Designate one of the switches as the closest one to the root, for each LAN segment. This bridge is called the “designated switch”. The designated switch handles all communication from that LAN towards the root bridge.
• Each non-root switch chooses one of its ports as its root port; this is the interface that gives the best path to the root switch.
• Select ports that are part of the spanning tree, the designated ports. Non-designated ports are blocked.

Spanning Tree Operation
When the network has stabilized, it has converged and there is one spanning tree per network. As a result, for every switched network the following elements exist:
• One root bridge per network
• One root port per non-root bridge
• One designated port per segment
• Unused, non-designated ports
Root ports and designated ports are used for forwarding (F) data traffic. Non-designated ports discard data traffic. Non-designated ports are called blocking (B) or discarding ports.
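As an added illustration (not part of the Cisco slides), the following Python example computes the root bridge, root ports, designated ports and blocked ports for a constructed three-switch loop, using the BID comparison and speed-based link costs described above; switch names, MACs, priorities and speeds are constructed, and the port costs are the classic 802.1D values.

```python
import heapq

# Classic 802.1D port costs by link speed in Mbps (the slides: cost is based on link speed).
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority, mac):
    """BID = 16-bit bridge priority followed by the 48-bit base MAC; the lowest value wins."""
    return (priority << 48) | int(mac.replace(".", ""), 16)


def elect_root(switches):
    """switches: {name: (priority, mac)}. The switch with the smallest BID becomes root."""
    return min(switches, key=lambda n: bridge_id(*switches[n]))


def root_path_costs(root, links):
    """Cumulative cost from the root to every switch (Dijkstra). links: [(a, b, mbps)]."""
    adj = {}
    for a, b, mbps in links:
        adj.setdefault(a, []).append((b, PORT_COST[mbps]))
        adj.setdefault(b, []).append((a, PORT_COST[mbps]))
    cost, heap = {root: 0}, [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for m, w in adj.get(n, []):
            if c + w < cost.get(m, float("inf")):
                cost[m] = c + w
                heapq.heappush(heap, (c + w, m))
    return cost


def spanning_tree(switches, links):
    """Compute the root, the root port per non-root switch, the designated port per
    segment and the ports left in blocking. A port is identified by (switch, segment)."""
    root = elect_root(switches)
    cost = root_path_costs(root, links)
    bid = {n: bridge_id(*switches[n]) for n in switches}

    # Designated port per segment: the attached switch with the lowest root path cost,
    # lowest BID as the tiebreaker.
    designated = {seg: min((a, b), key=lambda n: (cost[n], bid[n]))
                  for seg, (a, b, _) in enumerate(links)}

    # Root port per non-root switch: the port whose neighbour offers the cheapest path
    # to the root (neighbour's cost plus this link's cost), lowest neighbour BID as tiebreak.
    root_port = {}
    for n in switches:
        if n == root:
            continue
        candidates = []
        for seg, (a, b, mbps) in enumerate(links):
            if n in (a, b):
                other = b if a == n else a
                candidates.append((cost[other] + PORT_COST[mbps], bid[other], seg))
        root_port[n] = min(candidates)[2]

    # Everything that is neither a root port nor a designated port is blocked.
    blocked = sorted((n, seg) for seg, (a, b, _) in enumerate(links) for n in (a, b)
                     if designated[seg] != n and root_port.get(n) != seg)
    return {"root": root, "root_port": root_port, "designated": designated, "blocked": blocked}


# Constructed topology: three switches cabled in a triangle, i.e. a bridging loop.
SWITCHES = {
    "SwA": (32768, "0000.0c11.1111"),
    "SwB": (32768, "0000.0c22.2222"),
    "SwC": (4096, "0000.0c33.3333"),    # priority lowered by the administrator
}
LINKS = [("SwA", "SwB", 100), ("SwB", "SwC", 1000), ("SwA", "SwC", 100)]

if __name__ == "__main__":
    print(spanning_tree(SWITCHES, LINKS))
```

Lowering SwC's priority to 4096 makes it the root even though its MAC is the highest, which is the administrator influence the slide describes; the 100 Mbps SwA-SwB link ends up blocked on SwA's side.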

Spanning Tree Port States

Spanning Tree Recalculation
A switched internetwork has converged when all the switch and bridge ports are in either the forwarding or blocked state. Forwarding ports send and receive data traffic and BPDUs. Blocked ports will only receive BPDUs. When the network topology changes, switches and bridges recompute the Spanning Tree and cause a disruption of user traffic. Convergence on a new spanning-tree topology using the IEEE 802.1D standard can take up to 50 seconds. This convergence is made up of the max-age of 20 seconds, plus the listening forward delay of 15 seconds, and the learning forward delay of 15 seconds.

Rapid STP Designations

VLANs
VLAN implementation combines Layer 2 switching and Layer 3 routing technologies to limit both collision domains and broadcast domains. A physical port association is used to implement VLAN assignment. VLANs can also be used to provide security by creating the VLAN groups according to function and by using routers to communicate between VLANs. Communication between VLANs can occur only through the router. This limits the size of the broadcast domains and uses the router to determine whether one VLAN can talk to another VLAN.
NOTE: This is the only way a switch can break up a broadcast domain!

Setting up VLAN Implementation

VLAN Communication

VLAN Membership Modes
• VLAN membership can either be static or dynamic.

Static VLANs
• All users attached to the same switch port must be in the same VLAN.

Configuring VLANs in Global Mode
Switch#configure terminal
Switch(config)#vlan 3
Switch(config-vlan)#name Vlan3
Switch(config-vlan)#exit
Switch(config)#end

Configuring VLANs in VLAN Database Mode
Switch#vlan database
Switch(vlan)#vlan 3
VLAN 3 added:
    Name: VLAN0003
Switch(vlan)#exit
APPLY completed.
Exiting....

Deleting VLANs in Global Mode
Switch#configure terminal
Switch(config)#no vlan 3
Switch(config)#end

Deleting VLANs in VLAN Database Mode
Switch#vlan database
Switch(vlan)#no vlan 3
VLAN 3 deleted:
    Name: VLAN0003
Switch(vlan)#exit
APPLY completed.
Exiting....

Assigning Access Ports to a VLAN
Switch(config)#interface gigabitethernet 1/1
• Enters interface configuration mode
Switch(config-if)#switchport mode access
• Configures the interface as an access port
Switch(config-if)#switchport access vlan 3
• Assigns the access port to a VLAN

Verifying the VLAN Configuration
Switch#show vlan [id | name] [vlan_num | vlan_name]

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/11, Fa0/12
                                                Gi0/1, Gi0/2
2    VLAN0002                         active
51   VLAN0051                         active
52   VLAN0052                         active
…

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
51   enet  100051     1500  -      -      -        -    -        0      0
52   enet  100052     1500  -      -      -        -    -        0      0
…

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Verifying the VLAN Port Configuration
Switch#show running-config interface {fastethernet | gigabitethernet} slot/port
• Displays the running configuration of the interface
Switch#show interfaces [{fastethernet | gigabitethernet} slot/port] switchport
• Displays the switch port configuration of the interface
Switch#show mac-address-table interface interface-id [vlan vlan-id] [ | {begin | exclude | include} expression]
• Displays the MAC address table information for the specified interface in the specified VLAN

Implementing VLAN Trunks

VLAN Trunking

Importance of Native VLANs

ISL Encapsulation
– Performed with ASIC
– Not intrusive to client stations; the client does not see the header
– Effective between switches, and between routers and switches

ISL and Layer 2 Encapsulation

Configuring ISL Trunking
Switch(config)#interface fastethernet 2/1
• Enters interface configuration mode
Switch(config-if)#switchport mode trunk
• Configures the interface as a Layer 2 trunk
Switch(config-if)#switchport trunk encapsulation [isl|dot1q]
• Selects the encapsulation

Verifying ISL Trunking
Switch#show running-config interface {fastethernet | gigabitethernet} slot/port
Switch#show interfaces [fastethernet | gigabitethernet] slot/port [ switchport | trunk ]

Switch#show interfaces fastethernet 2/1 trunk
Port      Mode         Encapsulation  Status        Native VLAN
Fa2/1     desirable    isl            trunking      1

Port      VLANs allowed on trunk
Fa2/1     1-1005

Port      VLANs allowed and active in management domain
Fa2/1     1-2,1002-1005

Port      VLANs in spanning tree forwarding state and not pruned
Fa2/1     1-2,1002-1005

802.1Q Trunking

Configuring 802.1Q Trunking
Switch(config)#interface fastethernet 5/8
Switch(config-if)#shutdown
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport trunk allowed vlan 1,11,15,1002-1005
Switch(config-if)#switchport mode trunk
Switch(config-if)#no shutdown

Verifying 802.1Q Trunking
Switch#show running-config interface {fastethernet | gigabitethernet} slot/port
Switch#show interfaces [fastethernet | gigabitethernet] slot/port [ switchport | trunk ]

Switch#show interfaces gigabitEthernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

Implementing VLAN Trunk Protocol

VTP Protocol Features
– Advertises VLAN configuration information
– Maintains VLAN configuration consistency throughout a common administrative domain
– Sends advertisements on trunk ports only

VTP Modes
Server mode:
• Creates, modifies, and deletes VLANs
• Sends and forwards advertisements
• Synchronizes VLAN configurations
• Saves configuration in NVRAM
Client mode:
• Cannot create, change, or delete VLANs
• Forwards advertisements
• Synchronizes VLAN configurations
• Does not save in NVRAM
Transparent mode:
• Creates, modifies, and deletes VLANs locally only
• Forwards advertisements
• Does not synchronize VLAN configurations
• Saves configuration in NVRAM

VTP Operation
• VTP advertisements are sent as multicast frames.
• VTP servers and clients are synchronized to the latest update, identified by its revision number.
• VTP advertisements are sent every 5 minutes or when there is a change.

VTP Pruning
• Increases available bandwidth by reducing unnecessary flooded traffic
• Example: Station A sends a broadcast, and the broadcast is flooded only toward any switch with ports assigned to the red VLAN.

VTP Configuration Guidelines
– Configure the following:
• VTP domain name
• VTP mode (server mode is the default)
• VTP pruning
• VTP password
– Be cautious when adding a new switch into an existing domain.
– Add all new configurations to a switch in transparent mode and check your configuration well, then convert it to Server mode, to prevent the switch from propagating incorrect VLAN information.
– Add a new switch in Client mode to get the latest up-to-date information from the network, then convert it to Server mode.
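As an added illustration (not from the slides), this Python model of VTP revision-based synchronization shows why the guidelines above matter: a switch joining with a higher revision number replaces the whole domain's VLAN database, while a password mismatch or transparent mode leaves a switch untouched. The domain name Lab_Network is the one used in the slides; the switch names, password, VLANs and revision numbers are constructed, and the digest is a simplified stand-in for the real MD5 digest.

```python
import hashlib


class VtpSwitch:
    """One switch's VTP state: mode, domain, password, VLAN database and revision."""

    def __init__(self, name, mode, domain, password="", vlans=None, revision=0):
        assert mode in ("server", "client", "transparent")
        self.name, self.mode, self.domain, self.password = name, mode, domain, password
        self.vlans = dict(vlans) if vlans else {1: "default"}
        self.revision = revision

    def digest(self):
        """Simplified stand-in for the MD5 digest in 'show vtp status'; the password is
        hashed in, so a receiver with a different password computes a different value."""
        body = f"{self.domain}|{self.revision}|{sorted(self.vlans.items())}|{self.password}"
        return hashlib.md5(body.encode()).hexdigest()

    def add_vlan(self, vid, name):
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1      # only servers bump the domain-wide revision

    def advertisement(self):
        """Summary advertisement a server sends on its trunks (every 5 minutes or on change)."""
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans), "digest": self.digest()}

    def receive(self, adv):
        """Apply an advertisement; return True if the local VLAN database was replaced."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False            # transparent switches forward but never synchronize
        if adv["revision"] <= self.revision:
            return False            # only a higher revision is accepted
        expected = VtpSwitch(self.name, self.mode, adv["domain"], self.password,
                             adv["vlans"], adv["revision"]).digest()
        if expected != adv["digest"]:
            return False            # a real switch counts this as a config digest error
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return True


def sync_domain(sender, receivers):
    """Deliver one advertisement from sender; return the names of switches that synchronized."""
    adv = sender.advertisement()
    return [sw.name for sw in receivers if sw.receive(adv)]


def scenario():
    """Constructed domain: one server, one client, one transparent switch, one client
    with the wrong password, then a newcomer carrying a stale but higher revision."""
    core = VtpSwitch("Core", "server", "Lab_Network", "s3cret", {1: "default", 10: "users"}, 12)
    access = VtpSwitch("Access1", "client", "Lab_Network", "s3cret")
    edge = VtpSwitch("Edge", "transparent", "Lab_Network", "s3cret")
    wrong_pw = VtpSwitch("Access2", "client", "Lab_Network", "oops")
    synced = sync_domain(core, [access, edge, wrong_pw])
    # A switch moved in from another network with the same domain name and password but
    # a stale VLAN database at revision 30: exactly the case the guidelines warn about.
    newcomer = VtpSwitch("New", "server", "Lab_Network", "s3cret", {1: "default"}, 30)
    overwritten = sync_domain(newcomer, [core, access])
    return synced, overwritten, core.vlans


if __name__ == "__main__":
    print(scenario())
```

After the newcomer's advertisement the production server has lost VLAN 10, which is why a new switch should join in client or transparent mode and be checked before it becomes a server.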

Configuring a VTP Server
Switch(config)#vtp server
• Configures VTP server mode
Switch(config)#vtp domain domain-name
• Specifies a domain name
Switch(config)#vtp password password
• Sets a VTP password
Switch(config)#vtp pruning
• Enables VTP pruning in the domain

Configuring a VTP Server (Cont.)
Switch#configure terminal
Switch(config)#vtp server
Setting device to VTP SERVER mode.
Switch(config)#vtp domain Lab_Network
Setting VTP domain name to Lab_Network
Switch(config)#end

Verifying the VTP Configuration
Switch#show vtp status

Switch#show vtp status
VTP Version                     : 2
Configuration Revision          : 247
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 33
VTP Operating Mode              : Client
VTP Domain Name                 : Lab_Network
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 0.0.0.0 at 8-12-99 15:04:49
Switch#

Verifying the VTP Configuration (Cont.)
Switch#show vtp counters

Switch#show vtp counters
VTP statistics:
Summary advertisements received    : 7
Subset advertisements received     : 5
Request advertisements received    : 0
Summary advertisements transmitted : 997
Subset advertisements transmitted  : 13
Request advertisements transmitted : 3
Number of config revision errors   : 0
Number of config digest errors     : 0
Number of V1 summary errors        : 0

VTP pruning statistics:

Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Fa5/8            43071            42766            5

• A growing challenge facing network administrators is determining how to control who can access the organization's internal network—and who can't. For example, can anyone walk into your office, plug in a laptop, and access your network? You might argue that the wall jack has no connection to a switch, but couldn't someone just pull the Ethernet cable from a working PC and connect to the network that way?
• You might think this an unlikely scenario, but it does happen. At my organization, we had salesmen coming in to demo products, hoping to get Internet access, and they would just pull the Ethernet jack off a PC and connect it to their laptop.

• The idea that anyone could just come in and access our network scared me—and the possibility should scare you too. What frightened me the most were the various viruses or worms that their PCs might contain. Remember, not everyone recognizes the importance of effective security measures, and you don't want to trust your network's security to their apathy.
• I turned to switch port security to help solve the problem. Let's look at how you can use Cisco's Port Security feature to protect your organization.

• Understand the basics
• In its most basic form, the Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will disable the port. Most of the time, network administrators configure the switch to send an SNMP trap to their network monitoring solution that the port's disabled for security reasons.

• Of course, implementing any security solution always involves a trade-off—most often, you trade increased security for less convenience. When using port security, you can prevent devices from accessing the network, which increases security.
• However, as you know, there's usually a downside. In this case, it's that the network administrator is the only one who can "unlock" the port, which can cause problems when there are legitimate reasons to change out devices.

Port Security
CISCO# sh mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
All     0008.21d1.f100    STATIC      CPU
All     0100.0ccc.cccc    STATIC      CPU
All     0100.0ccc.cccd    STATIC      CPU
All     0100.0cdd.dddd    STATIC      CPU
1       00b0.d097.5303    DYNAMIC     Fa0/2
1       00b0.d0ca.04f6    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 6

CISCO# sh port-security interface fastEthernet 0/1
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address        : 0000.0000.0000
Security Violation Count   : 0

!!! Configure port Security on Fast Ethernet 0/1.
CISCO(config)# int fastEthernet 0/1
CISCO(config-if)# switchport mode access
CISCO(config-if)# switchport port-security
CISCO(config-if)# switchport port-security maximum 1
CISCO(config-if)# switchport port-security mac-address sticky

CISCO(config-if)# switchport port-security violation shutdown

CISCO# sh port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 00b0.d0ca.04f6
Security Violation Count   : 0

CISCO# sh mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
All     0008.21d1.f100    STATIC      CPU
All     0100.0ccc.cccc    STATIC      CPU
All     0100.0ccc.cccd    STATIC      CPU
All     0100.0cdd.dddd    STATIC      CPU
10      00b0.d0ca.04f6    STATIC      Fa0/1
20      00b0.d097.5303    DYNAMIC     Fa0/2

CISCO# sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Fa0/1              1            1                  0         Shutdown
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

CISCO# sh port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type           Ports    Remaining Age (mins)
----    -----------       ----           -----    --------------------
10      00b0.d0ca.04f6    SecureSticky   Fa0/1
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

CISCO# sh ip interface fastEthernet 0/1
FastEthernet0/1 is up, line protocol is up
Inbound access list is not set

!!! After Changing the PC on Fast 0/1
CISCO# sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Fa0/1              1            1                  1         Shutdown
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

CISCO# sh port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 00b0.d097.5303
Security Violation Count   : 1

CISCO# sh ip interface fastEthernet 0/1
FastEthernet0/1 is down, line protocol is down
Inbound access list is not set

Now when you want to add a new device to the interface, you only have two options: delete one sticky secure MAC address or increase the maximum number of allowed secure MAC addresses.

To delete one sticky secure MAC address:
switch(config-if)#no switchport port-security mac-address sticky 000c.29e9.f24a
To increase the maximum number of allowed secure MAC addresses (the no form of this command resets the maximum to its default instead of raising it):
switch(config-if)#switchport port-security maximum 3
Next, to disable sticky learning:
switch(config-if)#no switchport port-security mac-address sticky
To disable port security:
switch(config-if)#no switchport port-security

As you can see in the example, there are a number of other port security commands that you can configure. Here are some of your options:
• switchport port-security maximum {max # of MAC addresses allowed}: You can use this option to allow more than the default number of MAC addresses, which is one. For example, if you had a 12-port hub connected to this switch port, you would want to allow 12 MAC addresses—one for each device. The maximum number of secure MAC addresses per port is 132.
• switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when the number of MAC addresses on the port has exceeded the maximum. The default is to shut down the port. However, you can also choose to alert the network administrator (i.e., restrict) or only allow traffic from the secure port and drop packets from other MAC addresses (i.e., protect).

• switchport port-security mac-address {MAC address}: You can use this option to manually define the MAC address allowed for this port rather than letting the port dynamically determine the MAC address.
• Of course, you can also configure port security on a range of ports. Here's an example:
Switch# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport port-security
However, you need to be very careful with this option if you enter this command on an uplink port that goes to more than one device. As soon as the second device sends a packet, the entire port will shut down.
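As an added simulation (not from the article or the slides), the Python below models the port-security behaviour described above: secure-address learning up to a maximum, sticky addresses, and the shutdown, restrict and protect violation actions, including what each one reports. The two MACs are the ones from the show output above; the frame sequence and port names are constructed.

```python
from collections import Counter


class SecurePort:
    """Simulates one switch port with port security enabled."""

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        assert violation in ("shutdown", "restrict", "protect")
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        self.secure = {}            # mac -> SecureDynamic | SecureSticky | SecureConfigured
        self.status = "Secure-up"
        self.violations = 0         # 'Security Violation Count' in show port-security
        self.last_source = "0000.0000.0000"
        self.traps = []             # what an SNMP trap / syslog message would report

    def configure_mac(self, mac):
        """switchport port-security mac-address <mac>: a statically defined secure address."""
        self.secure[mac] = "SecureConfigured"

    def receive(self, src_mac):
        """Handle a frame arriving with this source MAC; return 'forward' or 'drop'."""
        if self.status == "Secure-shutdown":
            return "drop"           # err-disabled: only the administrator can re-enable it
        self.last_source = src_mac
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forward"
        # The maximum is reached and an unknown MAC appeared: a security violation.
        if self.violation == "shutdown":
            self.violations += 1
            self.status = "Secure-shutdown"
            self.traps.append(f"{self.name}: port shut down, offending MAC {src_mac}")
        elif self.violation == "restrict":
            self.violations += 1
            self.traps.append(f"{self.name}: frame dropped, offending MAC {src_mac}")
        # protect: drop silently, with no counter increment and no notification
        return "drop"

    def sticky_config_lines(self):
        """Lines that sticky learning writes into the running configuration."""
        return [f"switchport port-security mac-address sticky {mac}"
                for mac, kind in self.secure.items() if kind == "SecureSticky"]


def run(port, frames):
    """Feed a sequence of source MACs through the port; return counts of each decision."""
    return dict(Counter(port.receive(mac) for mac in frames))


# Constructed traffic: the PC on the port sends three frames, a different device is
# plugged in and sends two, then the original PC is reconnected (the scenario above).
FRAMES = ["00b0.d0ca.04f6"] * 3 + ["00b0.d097.5303"] * 2 + ["00b0.d0ca.04f6"]

if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        port = SecurePort("Fa0/1", maximum=1, violation=mode, sticky=True)
        print(mode, run(port, FRAMES), port.status, port.violations, port.traps)
```

With shutdown the original PC is also cut off once the port is err-disabled, which is the convenience cost the article describes; restrict keeps the port up and still counts and reports each violation, while protect drops silently and leaves nothing for monitoring to see.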

View the status of port security
Once you've configured port security and the Ethernet device on that port has sent traffic, the switch will record the MAC address and secure the port using that address. To find out the status of port security on the switch, you can use the show port-security address and show port-security interface commands. Below are examples for each command's output:

Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type           Ports    Remaining Age (mins)
----    -----------       ----           -----    --------------------
1       0004.00d5.285d    SecureDynamic  Fa0/18   -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Switch# show port-security interface fa0/18
Port Security               : Enabled
Port Status                 : Secure-up
Violation Mode              : Shutdown
Aging Time                  : 0 mins
Aging Type                  : Absolute
Secure Static Address Aging : Disabled
Maximum MAC Addresses       : 1
Total MAC Addresses         : 1
Configured MAC Addresses    : 0
Sticky MAC Addresses        : 0
Last Source Address         : 0004.00d5.285d
Security Violation Count    : 0

Contents
• Remote access overview
• WAN Connection Types
• Defining WAN Encapsulation Protocols
• Determining the WAN Type to Use
• OSI Layer-2 Point-to-Point WANs
  – PPP
  – HDLC
  – Frame Relay

Remote Access Overview
• A WAN is a data communications network covering a relatively broad geographical area.
• A network administrator designing a remote network must weigh issues concerning users' needs, such as bandwidth and the cost of the various available technologies.

WAN Connection Types

WAN Connection Types
• Leased lines
  – A pre-established WAN communications path from the CPE, through the DCE switch, to the CPE of the remote site, allowing DTE networks to communicate at any time with no setup procedures before transmitting data.
• Circuit switching
  – Sets up a line like a phone call. No data can transfer before the end-to-end connection is established.

WAN Connection Types
• Packet switching
  – WAN switching method that allows you to share bandwidth with other companies to save money. As long as you are not constantly transmitting data and are instead using bursty data transfers, packet switching can save you a lot of money.
  – However, if you have constant data transfers, then you will need to get a leased line.
  – Frame Relay and X.25 are packet switching technologies.

Defining WAN Encapsulation Protocols
• Each WAN connection uses an encapsulation protocol to encapsulate traffic while it is crossing the WAN link.
• The choice of the encapsulation protocol depends on the underlying WAN technology and the communicating equipment.

Defining WAN Encapsulation Protocols
• Typical WAN encapsulation types include the following:
  – Point-to-Point Protocol (PPP)
  – Serial Line Internet Protocol (SLIP)
  – High-Level Data Link Control Protocol (HDLC)
  – X.25 / Link Access Procedure Balanced (LAPB)
  – Frame Relay
  – Asynchronous Transfer Mode (ATM)

Determining the WAN Type to Use
• Availability – Each type of service may be available only in certain geographical areas.
• Bandwidth – Determining usage over the WAN is important to evaluate the most cost-effective WAN service.
• Cost – Making a compromise between the traffic you need to transfer and the type of service with the available cost that will suit you.

Determining the WAN Type to Use
• Ease of Management – Connection management includes both the initial start-up configuration and the ongoing configuration of normal operation.
• Application Traffic – Traffic may be as small as during a terminal session, or very large packets as during a file transfer.

Max. WAN Speeds for WAN Connections
WAN Type                      Maximum Speed
Asynchronous Dial-Up          56-64 Kbps
X.25                          56-64 Kbps
ISDN – BRI                    128 Kbps
ISDN – PRI                    E1 / T1
Leased Line / Frame Relay     E3 / T3

OSI Layer-2 Point-to-Point WANs
• WAN protocols used on Point-to-Point serial links provide the basic function of data delivery across that one link.
• The two most popular data link protocols used today are Point-to-Point Protocol (PPP) and High-Level Data Link Control (HDLC).

HDLC
• HDLC performs OSI Layer-2 functions.
• It determines when it is appropriate to use the physical medium.
• Determines whether the sent data was received correctly or not (error detection).
• Ensures that the correct recipient receives and processes the data that is sent.

HDLC
• HDLC Frame Format
• The original HDLC didn’t include any Protocol Type field, so every company (including Cisco) added its own field; Cisco's version therefore became a proprietary protocol that can be used only between Cisco routers.

Point-to-Point Protocol (PPP)
• PPP is a standard encapsulation protocol for the transport of different Network Layer protocols (including, but not limited to, IP).
• It has the following main functional components:
  – Link Control Protocol (LCP), which establishes, authenticates, and tests the data link connection.
  – Network Control Protocols (NCPs), which establish and configure different network layer protocols.

Point-to-Point Protocol (PPP)
• PPP discards frames that do not pass the error check.
• PPP is a standard protocol, and so it can be used with all types of routers (not Cisco proprietary).

PPP LCP Features
• Authentication
• Compression
• Multilink PPP
• Error Detection
• Looped Link Detection

PAP Authentication

CHAP Authentication

Compression
• Compression enables higher data throughput across the link.
• Different compression schemes are available:
  – Predictor: checks if the data was already compressed.
  – Stacker: looks at the data stream and only sends each type of data once, with information about where the type occurs; the receiving side then uses this information to reassemble the data stream.
  – MPPC (Microsoft Point-to-Point Compression): allows Cisco routers to compress data with Microsoft clients.

PPP Multilink
• PPP Multilink provides load balancing over dialer interfaces, including ISDN, synchronous, and asynchronous interfaces.
• This can improve throughput and reduce latency between systems by splitting packets and sending fragments over parallel circuits.

Error Detection
• PPP can take down a link based on the value of what is called LQM (Link Quality Monitor), as it gets the ratio of corrupted packets to the total number of sent packets; according to a predetermined value, the link can be brought down if it is thought that its performance is beyond the accepted limits.

Looped Link Detection
• PPP can detect looped links (that are sometimes done by telco companies) using what is called the Magic Number.
• Every router will have a magic number, and if packets were received having the same router’s magic number, then the link is looped.

PPP Configuration Commands
• To enable PPP
  – Router(config-if)#encapsulation ppp
• To configure PAP authentication
  – Router(config-if)#ppp authentication pap
  – Router(config-if)#ppp pap sent-username username password password
• To configure Compression
  –  Router(config-if)#compress [predictor|stack|mppc]

Frame Relay

Frame Relay Components

Frame Relay
• The switch examines the frame sent by the router, which has a header containing an address called the DLCI (Data Link Connection Identifier), and then switches the frame based on the DLCI until it reaches the router on the other side of the network.

Frame Relay
• The logical path between each pair of routers is called a Virtual Circuit (VC).
• Frame Relay networks use permanent virtual circuits (PVCs) or switched virtual circuits (SVCs), but most Frame Relay networks nowadays use permanent virtual circuits (PVCs).
• VCs share the access link and the frame relay network.
• Each VC is committed to a CIR (Committed Information Rate), which is a guarantee by the provider that a particular VC gets at least this much bandwidth.

[Figure: PVC. CPE (PC, controller, router, PBX, video, desktop & LAN) formats packets in frames; network access via an ISDN dial-up connection or a direct connection (V.35, E1, RS232) to a switch port (UNI); PVCs and SVCs across the Frame Relay network.]

LMI and Encapsulation Types
• The LMI is a definition of the messages used between the DTE and the DCE.
• The encapsulation defines the headers used by a DTE to communicate some information to the DTE on the other end of a VC. The endpoint routers (DTEs) do care about the encapsulation; the switch does not care about the encapsulation.
• The switch and its connected router care about using the same LMI.

LMI
• The most important LMI message is the LMI status inquiry message. Status messages perform two key functions:
  – Perform a keepalive function between the DTE and DCE. If the access link has a problem, the absence of keepalive messages implies that the link is down.
  – Signal whether a PVC is active or inactive. Even though each PVC is predefined, its status can change.

LMI
• Three LMI protocol options are available in Cisco IOS software: Cisco, ITU, and ANSI.
• Each LMI option is slightly different and therefore is incompatible with the other two.

LAPF
• A Frame Relay-connected router encapsulates each Layer 3 packet inside a Frame Relay header and trailer before it is sent out an access link.
• The header and trailer are defined by the Link Access Procedure Frame Bearer Services (LAPF) specification.
• The LAPF framing provides error detection with an FCS in the trailer, as well as the DLCI, DE, FECN, and BECN fields in the header.

LAPF
• DTEs use and react to the fields specified by these two types of encapsulation, but Frame Relay switches ignore these fields. Because the frames flow from DTE to DTE, both DTEs must agree to the encapsulation used.
• However, each VC can use a different encapsulation. In the configuration, the encapsulation created by Cisco is called cisco, and the other one is called ietf.

DLCI Addressing Details
• The logical path between a pair of DTEs is called a virtual circuit (VC).
• The data-link connection identifier (DLCI) identifies each individual PVC. The DLCI is the Frame Relay address describing a Virtual Circuit.
• When multiple VCs use the same access link, the Frame Relay switches know how to forward the frames to the correct remote sites.

[Figure: Frame Relay network with routers (R), a bridge (B) and Frame Relay switches joined by virtual circuits, showing the locally significant DLCI values 16, 17, 21 and 32 at the access links.]

DLCI Addressing Details
• The difference between layer-2 addressing and DLCI addressing is mainly because of the fact that the header has a single DLCI field, not both Source and Destination DLCI fields.

Global DLCI Addressing
• Frame Relay DLCIs are locally significant; this means that the addresses need to be unique only on the local access link.
• Global addressing is simply a way of choosing DLCI numbers when planning a Frame Relay network so that working with DLCIs is much easier.
• Because local addressing is a fact, global addressing does not change these rules. Global addressing just makes DLCI assignment more obvious.

Global DLCI Addressing

Global DLCI Addressing
• The final key to global addressing is that the Frame Relay switches actually change the DLCI value before delivering the frame.
• The sender treats the DLCI field as a destination address, using the destination’s global DLCI in the header.
• The receiver thinks of the DLCI field as the source address, because it contains the global DLCI of the frame’s sender.
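As an added model (not from the slides), the following Python code shows the DLCI rewriting the DLCI and global addressing slides describe: each switch holds a PVC table keyed by (ingress port, DLCI), the sender puts the destination's global DLCI in the header, the receiver sees the sender's global DLCI, and a frame with a DLCI that matches no PVC is discarded. Switch names, ports, routers and DLCI values are all constructed.

```python
class FrameRelaySwitch:
    """A Frame Relay switch: a PVC table keyed by (ingress port, DLCI)."""

    def __init__(self, name):
        self.name, self.pvcs = name, {}   # (in_port, in_dlci) -> (out_port, out_dlci)

    def add_pvc(self, port_a, dlci_a, port_b, dlci_b):
        """Provision one PVC segment; each DLCI is significant only on its own link."""
        self.pvcs[(port_a, dlci_a)] = (port_b, dlci_b)
        self.pvcs[(port_b, dlci_b)] = (port_a, dlci_a)

    def switch(self, in_port, dlci):
        """Return (out_port, rewritten DLCI), or None when no PVC matches (frame discarded)."""
        return self.pvcs.get((in_port, dlci))


class FrameRelayNetwork:
    def __init__(self):
        self.switches = {}
        self.links = {}   # (switch, port) -> ("router", name) or (switch, port)

    def attach_router(self, switch, port, router):
        self.links[(switch, port)] = ("router", router)

    def connect_switches(self, sw1, p1, sw2, p2):
        self.links[(sw1, p1)], self.links[(sw2, p2)] = (sw2, p2), (sw1, p1)

    def send(self, router, dlci, max_hops=16):
        """Forward a frame a router places on its access link with the given DLCI.
        Return (receiving router, DLCI it sees) or None if the frame is discarded."""
        entry = [k for k, v in self.links.items() if v == ("router", router)]
        if not entry:
            return None
        sw, port = entry[0]
        for _ in range(max_hops):
            hop = self.switches[sw].switch(port, dlci)
            if hop is None:
                return None                      # unknown DLCI on this link: dropped
            out_port, dlci = hop                 # the switch rewrites the DLCI here
            nxt = self.links.get((sw, out_port))
            if nxt is None:
                return None
            if nxt[0] == "router":
                return nxt[1], dlci
            sw, port = nxt
        return None


# Constructed global addressing plan: every router gets one network-wide DLCI.
GLOBAL = {"A": 40, "B": 41, "C": 42}


def build_demo():
    """Routers A and C on switch S1, router B on switch S2, S1 and S2 joined by a trunk."""
    net = FrameRelayNetwork()
    s1, s2 = FrameRelaySwitch("S1"), FrameRelaySwitch("S2")
    net.switches = {"S1": s1, "S2": s2}
    net.attach_router("S1", 1, "A")
    net.attach_router("S1", 2, "C")
    net.attach_router("S2", 1, "B")
    net.connect_switches("S1", 9, "S2", 9)
    # PVC A<->B spans both switches; DLCI 100 on the S1-S2 trunk is local to that trunk.
    s1.add_pvc(1, GLOBAL["B"], 9, 100)
    s2.add_pvc(9, 100, 1, GLOBAL["A"])
    # PVC A<->C stays within S1.
    s1.add_pvc(1, GLOBAL["C"], 2, GLOBAL["A"])
    return net


if __name__ == "__main__":
    net = build_demo()
    print(net.send("A", GLOBAL["B"]), net.send("B", GLOBAL["A"]), net.send("A", 17))
```

Router A sends to B using B's global DLCI 41 and B receives the frame carrying A's global DLCI 40, yet DLCI 40 on C's link and DLCI 40 on B's link are unrelated entries, which is the local significance the slides describe.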

Layer 3 Addressing
• Cisco’s Frame Relay implementation defines three different options for assigning subnets and IP addresses on Frame Relay interfaces:
  – One subnet containing all Frame Relay DTEs
  – One subnet per VC
  – A hybrid of the first two options

One Subnet Containing All Frame Relay DTEs
• The single-subnet option is typically used when a full mesh of VCs exists.
• In a full mesh, each router has a VC to every other router, meaning that each router can send frames directly to every other router.

One Subnet Containing All Frame Relay DTEs

One Subnet Containing All Frame Relay DTEs

One Subnet Per VC
• The single-subnet-per-VC alternative works better with a partially meshed Frame Relay network.

One Subnet Per VC

Hybrid Terminology
• Point-to-point subinterfaces are used when a single VC is considered to be all that is in the group—for instance, between Routers A and D and between Routers A and E.
• Multipoint subinterfaces are used when more than two routers are considered to be in the same group—for instance, with Routers A, B, and C.

Hybrid Terminology

Hybrid Terminology

Frame Relay Address Mapping
• Mapping creates a correlation between a Layer 3 address (IP address) and its corresponding Layer 2 address (DLCI in Frame Relay).
• It is used so that after the router receives a packet with the intended IP address, it is able to hand it to the right Frame Relay switch (with the appropriate DLCI).

Mapping Methods
• Mapping can be done in either of two ways:
• Dynamic Mapping
  – Using Inverse ARP, which is enabled by default on Cisco routers.
• Static Mapping
  – Using the frame-relay map command, but you should first disable Inverse ARP using the command no frame-relay inverse-arp

Inverse ARP Process

Frame Relay Configuration

Frame Relay Verification

Integrated Services Digital Network (ISDN)

ISDN Protocols

BRI & PRI B and D Channels

LAPD & PPP on D and B Channels

a router with an ISDN interface needs to send and receive signaling messages to and from the local ISDN switch to which it is connected. • LAPD provides the data-link protocol that allows delivery of messages across that D channel to the local switch. 627 . • Essentially.LAPD & PPP on D and B Channels • LAPD is used as a data-link protocol across an ISDN D channel.

• The call setup and teardown messages themselves are defined by the Q.931 protocol.
• So, the local switch can receive a Q.931 call setup request from a router over the LAPD-controlled D channel, and it should react to that Q.931 message by setting up a circuit over the public network.

• An ISDN switch often requires some form of authentication with the device connecting to it.
• Switches use a free-form decimal value, called the service profile identifier (SPID), to perform authentication.
• In short, before any Q.931 call setup messages are accepted, the switch asks for the configured SPID values. If the values match what is configured in the switch, call setup flows are accepted.

PRI Encoding and Framing
• ISDN PRI in North America is based on a digital T1 circuit. T1 circuits use two different encoding schemes—Alternate Mark Inversion (AMI) and Binary 8 with Zero Substitution (B8ZS).
• The two options for framing on T1s are to use either Extended Super Frame (ESF) or the older option—Super Frame (SF). In most cases today, new T1s use ESF.

DDR (Dial-on-Demand Routing)
• You can configure DDR in several ways, including Legacy DDR and DDR dialer profiles.
• The main difference between the two is that Legacy DDR associates dial details with a physical interface, whereas DDR dialer profiles disassociate the dial configuration from a physical interface, allowing a great deal of flexibility.

Legacy DDR Operation
1. Route packets out the interface to be dialed.
2. Determine the subset of the packets that trigger the dialing process.
3. Dial (signal).
4. Determine when the connection is terminated.


DDR Step 1: Routing Packets Out the Interface to Be Dialed
• DDR does not dial until some traffic is directed (routed) out the dial interface. Cisco's design for DDR defines that the router receives some user-generated traffic and, through normal routing processes, decides to route the traffic out the interface to be dialed.
• The router needs to route packets so that they are queued to go out the dial interface.
• The router (SanFrancisco) can receive a packet that must be routed out BRI0; routing the packet out BRI0 triggers the Cisco IOS software, causing the dial to occur.

DDR Step 2: Determining the Interesting Traffic
• Packets that are worthy of causing the device to dial are called interesting packets.
• Two different methods can be used to define interesting packets.
– In the first method, interesting is defined as all packets of one or more Layer 3 protocols.
– The second method allows you to define packets as interesting if they are permitted by an access list.

DDR Step 3: Dialing (Signaling)
• Defining the phone number to be dialed.
• The command is dialer string, where string is the phone number (used when dialing only one site).
• The dialer map command maps the different dialer numbers to the equivalent IP addresses of the routers to be dialed.

Configuring SPIDs
• You might need to configure the Service Profile Identifier (SPID) for one or both B channels, depending on the switch's expectations.
• SPIDs, when used, provide a basic authentication feature.
• When the telco switch has configured SPIDs, it might not allow the BRI line to work unless the router announces the correct SPID values to the switch.
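Below is an added IOS example, not one of the original slides, that ties the four Legacy DDR steps and the SPID configuration together on BRI0 of the SanFrancisco router. The switch type, phone numbers, SPIDs, addresses, CHAP secret and the peer name "LosAngeles" are constructed placeholders.

```cisco
! Added example (not from the original slides). Switch type, numbers,
! SPIDs, addresses and the peer name are constructed placeholders.
isdn switch-type basic-ni
! CHAP credentials for the peer (placeholder secret).
username LosAngeles password 0 REPLACE-WITH-SHARED-SECRET
!
! Step 1: a static route queues traffic for the remote LAN on BRI0.
ip route 192.168.20.0 255.255.255.0 10.1.1.2
!
! Step 2: interesting traffic via an access list. Routing updates are
! excluded so protocol chatter alone can neither bring the line up nor
! keep it up when no user traffic is flowing.
access-list 101 deny   udp any any eq rip
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
interface BRI0
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
 ! Authenticate the peer before any traffic is routed over the call.
 ppp authentication chap
 ! Step 3: map the peer's IP address to the number to dial; "name"
 ! must match the CHAP hostname the peer presents.
 dialer map ip 10.1.1.2 name LosAngeles 5552000
 dialer-group 1
 ! Step 4: drop the call after 120 s without interesting traffic.
 dialer idle-timeout 120
 ! SPIDs the telco switch expects for each B channel (the format is
 ! provider-specific; these values are placeholders).
 isdn spid1 51255510000101 5551000
 isdn spid2 51255510010101 5551001
```

show isdn status reports whether the switch accepted the SPIDs, and show dialer shows which packet last triggered a call, which is how to confirm the access list is doing its job.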

ISDN PRI Configuration
1. Configure the type of ISDN switch to which this router is connected.
2. Configure the T1 or E1 encoding and framing options (controller configuration mode).
3. Configure the T1 or E1 channel range for the DS0 channels used on this PRI (controller configuration mode).
4. Configure any interface settings (for example, PPP encapsulation and IP address) on the interface representing the D channel.

PRI Configuration Commands

ISDN Switch Types

Configuring a T1 or E1 Controller
• Your service provider will tell you what encoding and framing to configure on the router.
• Also, in almost every case, you will use all 24 DS0 channels in the PRI—23 B channels and the D channel.
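The following is an added IOS example, not one of the original slides, walking the four PRI configuration steps on a North American T1 PRI. The switch type, the ESF/B8ZS choice (which the provider dictates), slot numbers, addresses and the peer name "Branch" are constructed placeholders.

```cisco
! Added example (not from the original slides). Switch type, framing,
! line coding, slot numbers and addresses are constructed placeholders.
! Step 1: the ISDN switch type, set globally here.
isdn switch-type primary-ni
!
! Steps 2 and 3: controller settings. ESF framing and B8ZS line coding
! are the common modern choices; all 24 DS0s are used, 23 B + 1 D.
controller T1 1/0
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
! Step 4: interface settings go on the D channel. For a T1 PRI that is
! channel 23 (timeslot 24) of the controller's serial interface.
interface Serial1/0:23
 ip address 10.2.2.1 255.255.255.0
 encapsulation ppp
 dialer map ip 10.2.2.2 name Branch 5553000
 dialer-group 1
 dialer idle-timeout 120
!
dialer-list 1 protocol ip permit
```

show controllers t1 1/0 confirms the framing and line coding match the provider and reports coding violations if they do not; show isdn status should then show Layer 1 ACTIVE and Layer 2 MULTIPLE_FRAME_ESTABLISHED.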

DDR With Dialer Profiles
• Dialer profiles pool the physical interfaces so that the router uses any available B channel on any of the BRIs or PRIs in the pool.
• Dialer profiles configuration moves most of the DDR interface configuration to a virtual interface called a dialer interface.
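As an added example (not one of the original slides), the same kind of dial-out expressed as a dialer profile: two BRIs join a pool and carry only their physical settings, while the Dialer interface owns the addressing and DDR logic. Interface names, numbers, addresses and the peer name "Branch" are constructed placeholders.

```cisco
! Added example (not from the original slides). Names, numbers and
! addresses are constructed placeholders.
! Physical interfaces: no IP address, no dial logic, just pool membership.
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
!
interface BRI1
 no ip address
 encapsulation ppp
 dialer pool-member 1
!
! Virtual dialer interface: this is where the DDR configuration lives.
interface Dialer1
 ip address 10.3.3.1 255.255.255.0
 encapsulation ppp
 ! Use any free B channel on any BRI that belongs to pool 1.
 dialer pool 1
 dialer remote-name Branch
 dialer string 5553000
 dialer-group 1
 dialer idle-timeout 120
!
dialer-list 1 protocol ip permit
```

show dialer shows which physical BRI the profile bound to for the current call, which is how to see the pooling at work.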

Dialer Profiles Configuration


With all my best wishes for you to succeed and distinguish in the CCNA International Exam. Keep in touch.
