Ccna2 Send

Uploaded by Shiva Kris
BASIC NETWORKING

Cisco
> Network devices manufacturing company
> Started in 1984
> Leader in network devices production
> Started by a couple from San Francisco

Cisco Network Academy Program
There are 3 levels in the Cisco Network Academy Program:
> Associate Level - CCNA, CCDA
> Professional Level - CCNP, CCDP, CCSP, CCVP
> Expert Level - CCIE
(Figure: Cisco certification path)

What is the role of CCNA?
> LAN Management - Local Area Network management
> WAN Management - Wide Area Network management

What is a Network?
A group of two or more computers/devices connected together.

What is the purpose of a Network?
To share resources like printers, servers, folders etc.

What is the advantage of a Network?
Easy access to resources, time saving and security.

What are the requirements of a Network?
> Computers with an operating system
> NIC (Network Interface Card) for every computer
> Cables and RJ-45 connectors
> Centralized device (Hub/Switch)
> IP Address (Internet Protocol Address) for every computer

Types of Networks: LAN & WAN
> LAN - Local Area Network
  Network devices connected in a limited geographical area: within a room, within a building, within a campus
  No service provider involved
  Computers are connected to switches
> WAN - Wide Area Network
  Network devices are in distant areas: in different cities, countries
  Service provider involved
  Networks are connected with the help of routers
(Figure: HYD LAN and DELHI LAN connected over a WAN)

What is Network topology?
It is the layout of a network; it defines the physical structure of a network.
> Physical topology - physical structure of a network
> Logical topology - logical behaviour of a network
Topologies:
> Bus topology
> Ring topology
> Mesh topology
> Star topology
> Extended star/tree topology
(Figures: Bus, Ring, Mesh, Star and Extended Star topologies)

NETWORK DEVICES
NIC, Hub, Switch, Router

NIC: Network interface card - gives network services to the computer. Every computer must have a NIC to communicate with other computers.
Hub: Used to group the devices (regenerates the signal). Called a multi-port repeater.
Switch: Used to group the devices (forwards data). Faster than a hub.

NUMBERING SYSTEMS
1. Binary Numbering System: Base 2, digits 0 1
2. Octal Numbering System: Base 8, digits 0 1 2 3 4 5 6 7
3. Decimal Numbering System: Base 10, digits 0 1 2 3 4 5 6 7 8 9
4. Hexadecimal Numbering System: Base 16, digits 0 1 2 3 4 5 6 7 8 9 A B C D E F

CONVERSIONS
Decimal to Binary: 78 = 1001110
Binary to Decimal: 1101011 = 2^6 + 2^5 + 0 + 2^3 + 0 + 2^1 + 2^0 = 64 + 32 + 8 + 2 + 1 = 107

2 power chart:
2^9 = 512 | 2^10 = 1024 | 2^11 = 2048 | 2^12 = 4096 | 2^13 = 8192 | 2^14 = 16384 | 2^15 = 32768 | 2^16 = 65536 | 2^32 = 4294967296

HEXADECIMAL | DECIMAL | BINARY
0 | 0 | 0000
1 | 1 | 0001
2 | 2 | 0010
3 | 3 | 0011
4 | 4 | 0100
5 | 5 | 0101
6 | 6 | 0110
7 | 7 | 0111
8 | 8 | 1000
9 | 9 | 1001
A | 10 | 1010
B | 11 | 1011
C | 12 | 1100
D | 13 | 1101
E | 14 | 1110
F | 15 | 1111

BINARY | DECIMAL
00000000 | 0
10000000 | 128
11000000 | 192
11100000 | 224
11110000 | 240
11111000 | 248
11111100 | 252
11111110 | 254
11111111 | 255

NIC - Addresses
Two addresses are associated with a NIC:
Physical Address | Logical Address
MAC - Media Access Control | IP - Internet Protocol
L2 address | L3 address
Permanent - BIA (burned-in address) | Logical (can be changed)
48 bit | 32 bit
Hexadecimal notation | Dotted decimal notation
Example: 01-5C-D9-6B-03-2E | Example: 192.168.6.1

MAC address 01-5E-7F-20-34-9D in binary:
00000001 01011110 01111111 00100000 00110100 10011101
The first 24 bit group in the MAC address is called the OUI - Organizationally Unique Identifier. The OUI is the manufacturer identification.

Assigning an IP address (Windows):
Double click on the Network icon and follow the steps below.
> Double click on Local Area Connection
> Select Internet Protocol (TCP/IP), then the Properties tab
> Enter IP address and Subnet Mask
> Click OK

How to check the assigned IP address
Open the Command Prompt (Start -> Run -> cmd) and use the following commands:
ipconfig | to check the IP address
ipconfig /all | to check complete IP information
getmac | to check the MAC address
systeminfo | to check complete system information
ping 192.168.6.1 | to check connectivity

CABLES
3 types of Ethernet cable are used in networking:
> Straight through cable
> Cross over cable
> Roll over cable
Straight through and cross over cables are used for data transfer. Rollover cable is used to configure routers / switches / network devices.

Straight through cable:
> Used to connect dissimilar devices
> switch - router, switch - pc, hub - pc
Pin | End A | End B
1 | Orange White | Orange White
2 | Orange | Orange
3 | Green White | Green White
4 | Blue | Blue
5 | Blue White | Blue White
6 | Green | Green
7 | Brown White | Brown White
8 | Brown | Brown

Cross over cable:
> Used to connect similar devices
> switch - switch, router - pc, switch - hub, pc - pc
Pin | End A | End B
1 | Orange White | Green White
2 | Orange | Green
3 | Green White | Orange White
4 | Blue | Brown White
5 | Blue White | Brown
6 | Green | Orange
7 | Brown White | Blue
8 | Brown | Blue White

Roll over cable:
> Used to configure router/switch/network devices
> Switch / router console connectivity
Pin | End A | End B
1 | Orange White | Brown
2 | Orange | Brown White
3 | Green White | Green
4 | Blue | Blue White
5 | Blue White | Blue
6 | Green | Green White
7 | Brown White | Orange
8 | Brown | Orange White
(Figure: Ethernet cable connections)

SYSTEM COMMUNICATION
System communications are basically of 3 types:
> Simplex
> Half duplex
> Full duplex

Simplex:
> Only one device can send the data.
> The other device can only receive the data
> Pager communication
> One way communication only

Half duplex:
> Two way communication is possible, but not at the same time
> At one time only one device can send or receive data
> Communication with a hub (a hub supports only half duplex)
> Collisions happen in half duplex communication
(Figure: two way communication, not at the same time)

Full duplex:
> Two way communication is possible at the same time
> Both devices can send and receive data at one time
> Communication with a switch (a switch supports half duplex & full duplex)
> Collisions do not happen in full duplex communication
(Figure: two way communication at the same time)

Systems communication
> UNICAST: One device - One device
> BROADCAST: One device - All devices
> MULTICAST: One device - Group of devices

Protocol
> A protocol is a standard set of rules
> Operation sequence to carry out a specific task
> Example: DNS, DHCP, HTTP

What is a Port No?
> A port no is a channel of communication
> A system can initiate multiple sessions with a destination computer; a unique number is required to identify each session. This number is the port no.
> Port no is a 16 bit value
> Range is 0 to 65535; the well known ports are at the low end of the range and 49152-65535 at the high end
> The destination port is used to identify the service of the session at the destination computer

Important Port Numbers
Protocol | Expansion | Port No
FTP | File Transfer Protocol | 20/21
SSH | Secure Shell | 22
TELNET | Terminal Network | 23
SMTP | Simple Mail Transfer Protocol | 25
DNS | Domain Name System | 53
DHCP | Dynamic Host Configuration Protocol | 67
TFTP | Trivial File Transfer Protocol | 69
HTTP | Hyper Text Transfer Protocol | 80
POP3 | Post Office Protocol | 110
SNMP | Simple Network Management Protocol | 161
HTTPS | HTTP Secure | 443

Systems Communication
The system sends some control information along with the data. This is the reason data is directly forwarded to the correct destination.
This control information is called header information.
> The system uses an application to send the data
> The system converts the standard format of data to machine format
> The system maintains sessions with destination systems
> The system makes the data into small segments
> The system adds Source port & Destination port
> The system adds Source IP & Destination IP
> The system adds Source MAC & Destination MAC
> The system sends the data through the cable
This complex process can be explained by the OSI layers.

OSI LAYERS
> OSI layers explain the complete network communication process
> It explains how the systems interact with each other
> The OSI layered architecture was designed by ISO & ITU-T
  ISO - International Standards Organization
  ITU-T - International Telecommunication Union - Telecom standard sector
> Application, Presentation and Session layers are called Software Layers
> The Transport layer is called the Heart of OSI
> Network, Data link and Physical layers are called Hardware Layers

7. Application Layer
Functions:
> It provides the user interface
> It gives network services to the user
> Identification of port no depends on the service
Protocols: DNS, DHCP, HTTP, FTP, SMTP, Telnet

6. Presentation Layer
Functions:
> It converts data from standard format to machine format
> Encryption and decryption
> Compression and decompression
Protocols: ASCII, EBCDIC, GIF, TIFF, BMP, JPEG, MPEG, AVI, WAV
ASCII - American Standard Code for Information Interchange
EBCDIC - Extended Binary Coded Decimal Interchange Code
JPEG - Joint Picture Expert Group
TIFF - Tagged Image File Format
GIF - Graphical Image Format
BMP - Bitmap Image
MPEG - Motion Picture Expert Group
AVI - Audio Video Interleave
WAV - Windows audio video

5. Session Layer
Functions:
> It establishes, maintains and terminates a logical session
Protocols:
NFS - Network File System
RPC - Remote Procedure Call

4. Transport Layer
Functions:
> Segmentation
> Adding TCP/UDP header
> Sequencing & reassembling
> Multiplexing & demultiplexing
> Error correction
> Flow control
Protocols:
TCP - Transmission Control Protocol
UDP - User Datagram Protocol

Segmentation:
> It is not possible to handle the whole data as a unit
> TCP typically handles 64KB of data as payload
> The data is divided into smaller segments
> No of segments = Total size / 64KB
> Example: 1MB of data is made into 16 segments

Adding TCP/UDP Header:
> A TCP/UDP header is added to the data fragment
> TCP header size is 20 bytes

Sequencing & Reassembling:
> Segments will be rearranged if they arrive in a different order
> This is done with the help of the sequence number in the TCP header

Multiplexing & Demultiplexing:
> When a system communicates with multiple systems, it sends segments to all systems simultaneously

Error Correction:
> The destination system queries the source for missing segments. The source needs to resend them

Flow Control:
> Speed is adjusted automatically between source and destination computers if one of the computers is slower

TCP & UDP Differences
Transmission Control Protocol | User Datagram Protocol
Connection oriented | Connectionless
Reliable and slow | Unreliable and fast
Eg. Telnet, FTP, HTTP, SMTP | Eg. SNMP, TFTP, DHCP

TCP: 3 WAY HANDSHAKE (figure)
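The transport layer steps described above (segmentation into 64KB pieces, adding a 20 byte TCP header, reassembling by sequence number, and asking for missing segments) are shown here as an added example; this code is not part of the original notes. The port numbers, the 1MB payload and the PSH|ACK flag value are constructed for the demonstration, and the checksum field is left at zero because the example does not build a real IP pseudo-header.

```python
import struct

SEGMENT_SIZE = 64 * 1024            # 64 KB payload per segment, as in the notes
TCP_HEADER_FMT = "!HHIIBBHHH"       # 20-byte TCP header fields, network byte order
TCP_HEADER_LEN = struct.calcsize(TCP_HEADER_FMT)   # == 20


def segment_count(total_size, segment_size=SEGMENT_SIZE):
    """No of segments = total size / 64KB, rounded up (e.g. 1 MB -> 16)."""
    return (total_size + segment_size - 1) // segment_size


def build_segments(payload, src_port, dst_port, initial_seq=0):
    """Segmentation plus adding the TCP header. The sequence number counts payload
    bytes, so the segment starting at byte offset k carries seq = initial_seq + k."""
    segments = []
    for offset in range(0, len(payload), SEGMENT_SIZE):
        chunk = payload[offset:offset + SEGMENT_SIZE]
        header = struct.pack(
            TCP_HEADER_FMT,
            src_port, dst_port,
            (initial_seq + offset) & 0xFFFFFFFF,  # sequence number
            0,                                    # acknowledgement number (unused here)
            5 << 4,                               # data offset: 5 x 32-bit words = 20 bytes
            0x18,                                 # flags PSH|ACK (constructed value)
            65535,                                # window size
            0,                                    # checksum left at zero in this example
            0)                                    # urgent pointer
        segments.append(header + chunk)
    return segments


def parse_header(segment):
    """Read the fields back out of the 20-byte header."""
    f = struct.unpack(TCP_HEADER_FMT, segment[:TCP_HEADER_LEN])
    return {"src_port": f[0], "dst_port": f[1], "seq": f[2], "ack": f[3],
            "header_len": (f[4] >> 4) * 4, "flags": f[5], "window": f[6]}


def reassemble(segments, initial_seq=0):
    """Sequencing & reassembling: order by sequence number, then strip the headers."""
    def rel_seq(seg):
        return (parse_header(seg)["seq"] - initial_seq) & 0xFFFFFFFF
    return b"".join(seg[TCP_HEADER_LEN:] for seg in sorted(segments, key=rel_seq))


def missing_segments(segments, total_size, initial_seq=0):
    """Error correction as the notes describe it: the receiver lists the sequence
    numbers it never received so it can ask the source to resend those segments."""
    expected = {(initial_seq + off) & 0xFFFFFFFF
                for off in range(0, total_size, SEGMENT_SIZE)}
    received = {parse_header(seg)["seq"] for seg in segments}
    return sorted(expected - received)


if __name__ == "__main__":
    data = bytes(range(256)) * 4096            # constructed 1 MB payload
    segs = build_segments(data, 49152, 80)     # constructed ports: client 49152 -> HTTP 80
    print(segment_count(len(data)), "segments; first header:", parse_header(segs[0]))
    print("reassembled from reversed order OK:", reassemble(list(reversed(segs))) == data)
    print("missing after dropping segment 6:", missing_segments(segs[:5] + segs[6:], len(data)))
```

Running the block shows the 16 segments the notes' example predicts for 1MB, that feeding the segments back in reverse order still reproduces the payload, and that the receiver can name exactly which sequence number it never got.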
3. Network Layer
Functions:
> It provides the logical IP addressing scheme
> The IP header is added at the network layer
> It chooses the best path to the destination
> Carries the data in the chosen path
Protocols:
> Routing protocols: find all possible paths and choose the best path
  RIP - Routing Information Protocol
  IGRP - Interior Gateway Routing Protocol
  EIGRP - Enhanced IGRP
  OSPF - Open Shortest Path First
  IS-IS - Intermediate System to Intermediate System
> Routed protocols: carry the data in the chosen path
  IP - Internet Protocol
  IPX - Internet Packet Exchange
  AppleTalk
Adding IP Header: a 20 byte IP header is added to the segment.

2. Data Link Layer
Functions:
> It gives network services to the computer
> It does error detection (no correction) - FCS
> Data link header and trailer are added to the packet
Protocols/sub layers:
> MAC sub layer: Media Access Control
  LAN protocols (LAN connectivity): FDDI, Token Ring, Ethernet
  FDDI - Fiber Distributed Data Interface
> LLC sub layer: Logical Link Control
  WAN protocols (WAN connectivity): HDLC, PPP, Frame Relay, X.25

Differences between HDLC and PPP:
PPP - Point to Point Protocol
> Open standard
> Supports compression
> Supports authentication: PAP - Password Authentication Protocol, CHAP - Challenge Handshake Authentication Protocol

Adding Data Link Header and Trailer:
> A 14 byte data link header is added at the beginning of the packet
> A 4 byte data link trailer is added at the end of the packet (FCS/CRC)
> The data link trailer is used for error checking
> The source computer generates one value by running the CRC algorithm on the data and sends that value in the trailer. The destination computer also runs the CRC and compares its value with the original. The destination system accepts the data if it matches.

1. Physical Layer
Functions:
> It deals with electrical and mechanical properties
> Cables, connectors, voltage levels
> Examples:
  RJ-45, RJ-11 connectors, transceiver, V.35 cables

OSI LAYERS - SUMMARY
Layer | Protocols / PDU
7 Application (upper layers / software layers) | HTTP, SMTP, TFTP, FTP, Telnet, DHCP
6 Presentation | ASCII, EBCDIC, JPEG, BMP, MPEG
5 Session | RPC, NFS
4 Transport (heart of OSI) | TCP, UDP
3 Network (packet / datagram) | RIP, IGRP, EIGRP, OSPF, IS-IS; IP, IPX, AppleTalk, IGMP, ICMP, ARP, RARP
2 Data link (lower layers / hardware layers) | FDDI, Token Ring, Ethernet; HDLC, LLC, X.25, Frame Relay
1 Physical | Cables, connectors

TCP/IP REFERENCE MODEL
> The TCP/IP model is also called the DoD model
> Before 1980 ARPANet was used by the US Department of Defense (DoD)
> After 1980 ARPANet eventually turned into the Internet
> The TCP/IP reference model explains the protocols of the TCP/IP protocol suite
> The OSI reference model explains all protocols
(Figure: OSI reference model beside the TCP/IP reference model)

NETWORK DEVICES AND LAYERS
Device | Function | Layer
Repeater | Regenerates the weakened signal | Layer 1
Hub | Regenerates the signal, flooding (multi port repeater) | Layer 1
Bridge | Filters and forwards the data | Layer 2
Switch | Filters and forwards the data (multi port bridge) | Layer 2
NIC | Gives network services to the system | Layer 2
Router | Communicates between different networks | Layer 3
Brouter | Bridge with Layer 3 function | Layer 3
Multilayer Switch | Switch with Layer 3 function (L3 switch/MLS) | Layer 3
PIX | Firewall (filters the unwanted traffic) | Layer 3
(Figure: Cisco device icons - communication server, laptop, front end processor, voice-enabled router, multilayer switch, ISDN/Frame Relay switch, route/switch processor, network cloud; line styles for Ethernet, serial and switched serial)

IP ADDRESSING AND SUBNETTING

IP Addressing
> An IP address is a 32 bit value
> 00000000.00000000.00000000.00000000 = 0.0.0.0 is the first IP address
> 255.255.255.255 is the last IP address
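Before going on to IP addressing, here is the data link layer framing from the OSI section above as an added example (not code from the original notes): a 14 byte Ethernet header in front of the packet, a 4 byte FCS behind it, the receiver recomputing the CRC to decide whether to accept the frame, and the OUI taken from the first 24 bits of a MAC address. The MAC addresses, EtherType and packet bytes are constructed; the CRC comes from Python's zlib.crc32, which uses the same CRC-32 polynomial as the Ethernet FCS.

```python
import struct
import zlib

ETH_HEADER_LEN = 14   # 6-byte destination MAC + 6-byte source MAC + 2-byte type
FCS_LEN = 4           # CRC-32 trailer


def mac_to_bytes(mac):
    """'01-5E-7F-20-34-9D' -> 6 raw bytes (':' separators are accepted too)."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError("MAC address needs 6 octets: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def oui(mac):
    """Organizationally Unique Identifier: the first 24 bits (3 bytes) of the MAC."""
    return "-".join("%02X" % b for b in mac_to_bytes(mac)[:3])


def build_frame(dst_mac, src_mac, ethertype, packet):
    """Sender side: header + packet, then the CRC of both appended as the FCS."""
    header = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ethertype)
    body = header + packet
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)  # FCS goes on the wire LSB first
    return body + fcs


def check_frame(frame):
    """Receiver side: recompute the CRC over header+packet and compare it with the
    trailer. Returns (accepted, packet). This is detection only: a bad frame is
    dropped, nothing is corrected, exactly as the notes describe for the FCS."""
    if len(frame) < ETH_HEADER_LEN + FCS_LEN:
        return False, b""
    body, trailer = frame[:-FCS_LEN], frame[-FCS_LEN:]
    expected = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    if trailer != expected:
        return False, b""
    return True, body[ETH_HEADER_LEN:]


def flip_bit(data, bit_index):
    """Simulate a transmission error by flipping a single bit."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


if __name__ == "__main__":
    packet = b"constructed IP packet bytes"          # stands in for the 20-byte IP header + segment
    frame = build_frame("01-5E-7F-20-34-9D", "00-1A-2B-3C-4D-5E", 0x0800, packet)
    print("frame length:", len(frame), "(14 header + %d packet + 4 FCS)" % len(packet))
    print("clean frame accepted:", check_frame(frame)[0])
    print("frame with one flipped bit accepted:", check_frame(flip_bit(frame, 100))[0])
    print("OUI of 01-5E-7F-20-34-9D:", oui("01-5E-7F-20-34-9D"))
```

A single flipped bit anywhere in the frame, including inside the FCS itself, makes the recomputed CRC differ from the trailer, so the receiver drops the frame; the example's frame length also shows where the 14 and 4 bytes from the notes sit.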
(Table: sequence of IP addresses from 0.0.0.0 up to 255.255.255.255)

IP addresses from 0.0.0.0 to 255.255.255.255 are classified into 5 classes based on the first octet value:
> Class A: 0-127 (parity bit 0; 00000000 = 0, 01111111 = 127)
> Class B: 128-191 (parity bits 10; 10000000 = 128, 10111111 = 191)
> Class C: 192-223 (parity bits 110; 11000000 = 192, 11011111 = 223)
> Class D: 224-239 (parity bits 1110; 11100000 = 224, 11101111 = 239)
> Class E: 240-255 (parity bits 1111; 11110000 = 240, 11111111 = 255)

Example: 192.168.6.1 (octet 1 . octet 2 . octet 3 . octet 4, 8 bits each)
11000000.10101000.00000110.00000001

Subnet Mask Value
> The subnet mask value defines the properties of an IP address: to which addresses it can communicate and to which it cannot
> The subnet mask value defines the network component and the host component of an IP address
> The IP address uses the subnet mask to find out the boundaries of the network
> The subnet mask value is the driver of the IP address
> Network bits are always represented with 1
> Host bits are always represented with 0

Subnet Mask Structures:
Class A | N.H.H.H | 11111111.00000000.00000000.00000000 | 255.0.0.0
Class B | N.N.H.H | 11111111.11111111.00000000.00000000 | 255.255.0.0
Class C | N.N.N.H | 11111111.11111111.11111111.00000000 | 255.255.255.0

Class A networks: Number of networks: 126; Number of hosts per network: 2 power 24 = 16777216
Class B networks: Number of networks: 16384; Number of hosts per network: 2 power 16 = 65536
Class C networks: Number of networks: 2097152; Number of hosts per network: 2 power 8

What is Network Address?
> The network address is the identification address for all the systems in the network
> Systems with the same network address can communicate with each other
> Systems with different network addresses generally cannot communicate

What is Broadcast Address?
> The broadcast address is used to deliver a broadcast message to all the computers in the network
> Systems with the same network address have the same broadcast address
> All the systems between the network address and the broadcast address form a logical network and communicate with each other
> The network address and the broadcast address are the boundaries of a network. They can't be assigned to computers.

How to find out the Network Address?
> Identify the class of the IP address and the subnet mask structure. Replace the host portion with 0 (or)
> Perform a logical AND operation between the IP address and the subnet mask value

How to find out the Broadcast Address?
> Identify the class of the IP address and the subnet mask structure. Replace the host portion with 255 (or)
> Perform a logical OR operation between the IP address and the inverse subnet mask value

Examples:
10.185.223.19 | N.H.H.H | Network Address = 10.0.0.0 | Broadcast Address = 10.255.255.255
172.20.18.86 | N.N.H.H | Network Address = 172.20.0.0 | Broadcast Address = 172.20.255.255
192.168.6.145 | N.N.N.H | Network Address = 192.168.6.0 | Broadcast Address = 192.168.6.255
(Figure: a class A network - "I am the network address", "we are 16777214 hosts, we can communicate with each other", "I am the broadcast address")

Class | Leading bits | First octet | Structure | Default mask | Networks | Hosts
A | 0 | 0-127 | N.H.H.H | 255.0.0.0 | 126 | 16777214
B | 10 | 128-191 | N.N.H.H | 255.255.0.0 | 16384 | 65534
C | 110 | 192-223 | N.N.N.H | 255.255.255.0 | 2097152 | 254
D | 1110 | 224-239 | Multicasting - video conference
E | 1111 | 240-255 | Reserved by IETF for R&D
(Figure: IP address percentage pie chart, classes A-E)

IP Address Related Organizations:
IANA - Internet Assigned Numbers Authority
ICANN - Internet Corporation for Assigned Names and Numbers

Private IP Addresses:
> IP addresses not routable in the public network
> Used to communicate within a private network
> Internet access is not possible with a private IP address
> Defined in RFC 1918
Class A | 10.0.0.0 /8 | 10.0.0.0 - 10.255.255.255
Class B | 172.16.0.0 /12 | 172.16.0.0 - 172.31.255.255
Class C | 192.168.0.0 /16 | 192.168.0.0 - 192.168.255.255

Special IP Addresses:
> The 0.0.0.0 network is reserved for default routing. Can't be assigned to systems
> The 127.0.0.0 network is reserved for loopback purposes (NIC diagnosis)
> Class D networks are reserved for multicasting. Not for systems
> Class E networks are reserved for research and development. Not for systems

SUBNETTING
What is Subnetting?
Logically breaking the major network into smaller networks - subnets.

Advantage of Subnetting
Reduces wastage of IP addresses (once a network is used, it can't be used again in the same organization).

Subnetting Procedure
Increase the network bits in the subnet mask value from left to right:
11111111.11111111.11111111.00000000 | 255.255.255.0
11111111.11111111.11111111.11000000 | 255.255.255.192
11111111.11111111.11111111.11100000 | 255.255.255.224

Subnetting Formulae:
No of Networks = 2^N, where N = increased network bits
No of Hosts per Network = 2^H - 2, where H = remaining host bits

Example to understand the formulae:
192.168.6.0 subnetting with 3 network bits increased:
11111111.11111111.11111111.11100000 | 255.255.255.224
Subnetting can be done in two ways:
> Based on no of networks
> Based on no of hosts

SUBNETTING CALCULATIONS
Based on No of Networks:
> Identify the required no of subnets
> Refer to the 2 power chart
> Identify the N value
> Increase the bits in the subnet mask value
> Identify the H value
> Find out the new subnet mask value
> Find out the no of subnets and no of hosts
> Subtract the new subnet mask value from 255.255.255.255
> Find out the network address & broadcast address of all subnets

Based on No of Hosts:
> Identify the required no of hosts per subnet
> Refer to the 2 power chart
> Identify the H value
> Increase the bits in the subnet mask value
> Identify the N value
> Find out the new subnet mask value
> Find out the no of subnets and no of hosts
> Subtract the new subnet mask value from 255.255.255.255
> Find out the network address & broadcast address of all subnets

Based on No of Networks - Q1. Divide 192.168.6.0 into 4 subnets
255.255.255.0 -> 11111111.11111111.11111111.11000000 = 255.255.255.192
N = 2, H = 6
No of Networks = 2^2 = 4
No of Hosts per Network = 2^6 - 2 = 62
255.255.255.255 - 255.255.255.192 = 0.0.0.63
Subnet | Network Address | Broadcast Address
Subnet 1 | 192.168.6.0 | 192.168.6.63
Subnet 2 | 192.168.6.64 | 192.168.6.127
Subnet 3 | 192.168.6.128 | 192.168.6.191
Subnet 4 | 192.168.6.192 | 192.168.6.255

Based on No of Networks - Q2. Divide 10.0.0.0 into 100 subnets
255.0.0.0 -> 11111111.11111110.00000000.00000000 = 255.254.0.0
N = 7, H = 17
No of Networks = 2^7 = 128 (use 100)
No of Hosts per Network = 2^17 - 2 = 131070
255.255.255.255 - 255.254.0.0 = 0.1.255.255
Subnet | Network Address | Broadcast Address
Subnet 1 | 10.0.0.0 | 10.1.255.255
Subnet 2 | 10.2.0.0 | 10.3.255.255
Subnet 3 | 10.4.0.0 | 10.5.255.255
... | ... | ...
Subnet 127 | 10.252.0.0 | 10.253.255.255
Subnet 128 | 10.254.0.0 | 10.255.255.255

Based on No of Networks - Q3. Divide 172.16.0.0 into 64 subnets
255.255.0.0 -> 11111111.11111111.11111100.00000000 = 255.255.252.0
N = 6, H = 10
No of Networks = 2^6 = 64
No of Hosts per Network = 2^10 - 2 = 1022
255.255.255.255 - 255.255.252.0 = 0.0.3.255
Subnet | Network Address | Broadcast Address
Subnet 1 | 172.16.0.0 | 172.16.3.255
Subnet 2 | 172.16.4.0 | 172.16.7.255
Subnet 3 | 172.16.8.0 | 172.16.11.255
... | ... | ...
Subnet 63 | 172.16.248.0 | 172.16.251.255
Subnet 64 | 172.16.252.0 | 172.16.255.255

Based on No of Hosts - Q1. Divide 192.168.6.0 into subnets with 28 hosts
255.255.255.0 -> 11111111.11111111.11111111.11100000 = 255.255.255.224
N = 3, H = 5
No of Networks = 2^3 = 8
No of Hosts per Network = 2^5 - 2 = 30
255.255.255.255 - 255.255.255.224 = 0.0.0.31
Subnet | Network Address | Broadcast Address
Subnet 1 | 192.168.6.0 | 192.168.6.31
Subnet 2 | 192.168.6.32 | 192.168.6.63
Subnet 3 | 192.168.6.64 | 192.168.6.95
Subnet 4 | 192.168.6.96 | 192.168.6.127
Subnet 5 | 192.168.6.128 | 192.168.6.159
Subnet 6 | 192.168.6.160 | 192.168.6.191
Subnet 7 | 192.168.6.192 | 192.168.6.223
Subnet 8 | 192.168.6.224 | 192.168.6.255

Based on No of Hosts - Q2. Divide 10.0.0.0 into subnets with 4000 hosts
255.0.0.0 -> 11111111.11111111.11110000.00000000 = 255.255.240.0
N = 12, H = 12
No of Networks = 2^12 = 4096
No of Hosts per Network = 2^12 - 2 = 4094
255.255.255.255 - 255.255.240.0 = 0.0.15.255
Subnet | Network Address | Broadcast Address
Subnet 1 | 10.0.0.0 | 10.0.15.255
Subnet 2 | 10.0.16.0 | 10.0.31.255
Subnet 3 | 10.0.32.0 | 10.0.47.255
Subnet 4 | 10.0.48.0 | 10.0.63.255
... | ... | ...
Subnet 4094 | 10.255.208.0 | 10.255.223.255
Subnet 4095 | 10.255.224.0 | 10.255.239.255
Subnet 4096 | 10.255.240.0 | 10.255.255.255

Based on No of Hosts - Q3. Divide 172.16.0.0 into subnets with 500 hosts
255.255.0.0 -> 11111111.11111111.11111110.00000000 = 255.255.254.0
N = 7, H = 9
No of Networks = 2^7 = 128
No of Hosts per Network = 2^9 - 2 = 510 (use 500)
255.255.255.255 - 255.255.254.0 = 0.0.1.255
Subnet | Network Address | Broadcast Address
Subnet 1 | 172.16.0.0 | 172.16.1.255
Subnet 2 | 172.16.2.0 | 172.16.3.255
Subnet 3 | 172.16.4.0 | 172.16.5.255
Subnet 4 | 172.16.6.0 | 172.16.7.255
... | ... | ...
Subnet 126 | 172.16.250.0 | 172.16.251.255
Subnet 127 | 172.16.252.0 | 172.16.253.255
Subnet 128 | 172.16.254.0 | 172.16.255.255

Subnet Mask Values
Prefix | Binary | Dotted decimal
/0 | 00000000.00000000.00000000.00000000 | 0.0.0.0
/1 | 10000000.00000000.00000000.00000000 | 128.0.0.0
/2 | 11000000.00000000.00000000.00000000 | 192.0.0.0
/3 | 11100000.00000000.00000000.00000000 | 224.0.0.0
/4 | 11110000.00000000.00000000.00000000 | 240.0.0.0
/5 | 11111000.00000000.00000000.00000000 | 248.0.0.0
/6 | 11111100.00000000.00000000.00000000 | 252.0.0.0
/7 | 11111110.00000000.00000000.00000000 | 254.0.0.0
/8 | 11111111.00000000.00000000.00000000 | 255.0.0.0
/9 | 11111111.10000000.00000000.00000000 | 255.128.0.0
/10 | 11111111.11000000.00000000.00000000 | 255.192.0.0
/11 | 11111111.11100000.00000000.00000000 | 255.224.0.0
/12 | 11111111.11110000.00000000.00000000 | 255.240.0.0
/13 | 11111111.11111000.00000000.00000000 | 255.248.0.0
/14 | 11111111.11111100.00000000.00000000 | 255.252.0.0
/15 | 11111111.11111110.00000000.00000000 | 255.254.0.0
/16 | 11111111.11111111.00000000.00000000 | 255.255.0.0
/17 | 11111111.11111111.10000000.00000000 | 255.255.128.0
/18 | 11111111.11111111.11000000.00000000 | 255.255.192.0
/19 | 11111111.11111111.11100000.00000000 | 255.255.224.0
/20 | 11111111.11111111.11110000.00000000 | 255.255.240.0
/21 | 11111111.11111111.11111000.00000000 | 255.255.248.0
/22 | 11111111.11111111.11111100.00000000 | 255.255.252.0
/23 | 11111111.11111111.11111110.00000000 | 255.255.254.0
/24 | 11111111.11111111.11111111.00000000 | 255.255.255.0
/25 | 11111111.11111111.11111111.10000000 | 255.255.255.128
/26 | 11111111.11111111.11111111.11000000 | 255.255.255.192
/27 | 11111111.11111111.11111111.11100000 | 255.255.255.224
/28 | 11111111.11111111.11111111.11110000 | 255.255.255.240
/29 | 11111111.11111111.11111111.11111000 | 255.255.255.248
/30 | 11111111.11111111.11111111.11111100 | 255.255.255.252
/31 | 11111111.11111111.11111111.11111110 | 255.255.255.254
/32 | 11111111.11111111.11111111.11111111 | 255.255.255.255
What is VLSM?
> Variable Length Subnet Mask
> Also called subnetting of subnetting
> Subnetting is used to break the network equally. If these subnets are subnetted again, different subnets may have different subnet mask values, also called variable length subnet masks
> With VLSM the IP addressing scheme is used more efficiently, without wastage
(Figure: 192.168.6.0 subnetted with 255.255.255.192, with some of those subnets split again using 255.255.255.240 and 255.255.255.248)

Subnetting & VLSM comparison:
Subnetting | VLSM
Breaking the network equally | Breaking the network unequally
Subnetting | Subnetting of subnetting
Has the same subnet mask value | Has different subnet mask values
Reduces IP wastage | Reduces IP wastage more effectively

VLSM example: required networks = 6
Branch 1 | 101 hosts
Branch 2 | 26 hosts
Branch 3 | 21 hosts
Branch 1-2 WAN link | 2 hosts
Branch 2-3 WAN link | 2 hosts
Branch 3-1 WAN link | 2 hosts

Branch 1 requires 101 hosts. Divide 192.168.6.0 into subnets based on no of hosts:
Subnet 1 | 192.168.6.0 - 192.168.6.127 | /25 | Branch 1
Subnet 2 | 192.168.6.128 - 192.168.6.255 | /25 | Further division

Branch 2 requires 26 hosts, Branch 3 requires 21 hosts. Divide the subnet again:
Subnet 1 | 192.168.6.128 - 192.168.6.159 | /27 | Branch 2
Subnet 2 | 192.168.6.160 - 192.168.6.191 | /27 | Branch 3
Subnet 3 | 192.168.6.192 - 192.168.6.223 | /27 | Further division
Subnet 4 | 192.168.6.224 - 192.168.6.255 | /27 | Future use

Point to point links require 2 hosts. Divide the subnet again:
Subnet 1 | 192.168.6.192 - 192.168.6.195 | /30 | WAN link
Subnet 2 | 192.168.6.196 - 192.168.6.199 | /30 | WAN link
Subnet 3 | 192.168.6.200 - 192.168.6.203 | /30 | WAN link
Subnet 4 | 192.168.6.204 - 192.168.6.207 | /30 | Future use
Subnet 5 | 192.168.6.208 - 192.168.6.211 | /30 | Future use
Subnet 6 | 192.168.6.212 - 192.168.6.215 | /30 | Future use
Subnet 7 | 192.168.6.216 - 192.168.6.219 | /30 | Future use
Subnet 8 | 192.168.6.220 - 192.168.6.223 | /30 | Future use

Network solution (figure): Branch 1 uses 192.168.6.0 - 192.168.6.127 (/25), Branch 2 uses 192.168.6.128 - 192.168.6.159 (/27), Branch 3 uses 192.168.6.160 - 192.168.6.191 (/27), and the three WAN links use 192.168.6.192 - .195, .196 - .199 and .200 - .203 (/30).
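The subnetting material above (network and broadcast address by AND / OR with the mask, the "based on no of networks" and "based on no of hosts" calculations, and the VLSM allocation for the branch exercise) is carried through here as one added example; this code is not from the original notes. It works on plain 32 bit integers so the AND and OR steps are visible, and the function and parameter names (subnet_plan, vlsm_allocate, block_prefix and so on) are this example's own. The branch requirements are the ones listed in the VLSM example.

```python
def ip_to_int(ip):
    """'192.168.6.145' -> 32-bit integer; rejects malformed input."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/26 -> 0xFFFFFFC0: network bits 1, host bits 0."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def network_address(ip, mask):
    """Notes: logical AND between the IP address and the subnet mask."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def broadcast_address(ip, mask):
    """Notes: logical OR between the IP address and the inverse mask,
    where inverse mask = 255.255.255.255 - subnet mask."""
    inverse = 0xFFFFFFFF - ip_to_int(mask)
    return int_to_ip(ip_to_int(ip) | inverse)


def subnet_plan(network, block_prefix, new_prefix):
    """Lengthen the mask of network/block_prefix to new_prefix and list every
    subnet with its network and broadcast address (the notes' tables)."""
    base = ip_to_int(network) & prefix_to_mask(block_prefix)
    size = 1 << (32 - new_prefix)               # addresses per subnet
    count = 1 << (new_prefix - block_prefix)    # 2^N subnets
    mask = prefix_to_mask(new_prefix)
    return {
        "mask": int_to_ip(mask),
        "inverse_mask": int_to_ip(0xFFFFFFFF - mask),
        "n_bits": new_prefix - block_prefix,
        "h_bits": 32 - new_prefix,
        "networks": count,
        "hosts_per_network": size - 2,          # 2^H - 2
        "subnets": [(int_to_ip(base + i * size), int_to_ip(base + i * size + size - 1))
                    for i in range(count)],
    }


def subnets_by_networks(network, block_prefix, wanted):
    """'Based on No of Networks': smallest N with 2^N >= wanted."""
    n_bits = (wanted - 1).bit_length()
    return subnet_plan(network, block_prefix, block_prefix + n_bits)


def subnets_by_hosts(network, block_prefix, hosts):
    """'Based on No of Hosts': smallest H with 2^H - 2 >= hosts."""
    h_bits = (hosts + 1).bit_length()
    return subnet_plan(network, block_prefix, 32 - h_bits)


def vlsm_allocate(network, block_prefix, requirements):
    """VLSM: serve the largest host requirement first and give each network the
    smallest subnet that fits. Allocating in descending size order keeps every
    subnet aligned to its own block boundary. Returns the allocations as
    (name, network, prefix, broadcast) plus the unused remainder, if any."""
    base = ip_to_int(network) & prefix_to_mask(block_prefix)
    end = base + (1 << (32 - block_prefix))
    cursor, plan = base, []
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        h_bits = (hosts + 1).bit_length()
        size = 1 << h_bits
        if cursor + size > end:
            raise ValueError("address block exhausted before %s" % name)
        plan.append((name, int_to_ip(cursor), 32 - h_bits, int_to_ip(cursor + size - 1)))
        cursor += size
    unused = (int_to_ip(cursor), int_to_ip(end - 1)) if cursor < end else None
    return plan, unused


if __name__ == "__main__":
    print(network_address("10.185.223.19", "255.0.0.0"), broadcast_address("10.185.223.19", "255.0.0.0"))
    plan = subnets_by_networks("192.168.6.0", 24, 4)        # the notes' Q1: 4 subnets
    print(plan["mask"], plan["inverse_mask"], plan["hosts_per_network"], plan["subnets"])
    branches = [("Branch 1", 101), ("Branch 2", 26), ("Branch 3", 21),
                ("Branch 1-2 WAN link", 2), ("Branch 2-3 WAN link", 2), ("Branch 3-1 WAN link", 2)]
    for row in vlsm_allocate("192.168.6.0", 24, branches)[0]:
        print(row)
```

The bit_length trick replaces the 2 power chart lookup: (hosts + 1).bit_length() is the smallest H with 2^H > hosts + 1, which is exactly 2^H - 2 >= hosts, so 28 hosts gives H = 5 and a /27 just as in the notes' worked answer. The VLSM routine reproduces the branch plan from the notes (one /25, two /27, three /30, with 192.168.6.204 - 192.168.6.255 left for future use).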
Supernetting
What is Supernetting?
> This is the reverse procedure of subnetting
> It is used to combine the networks / subnetworks
> To combine the networks, decrease the network bits from right to left
> Generally the supernetting concept is used in router advertisements, called route summarization
> Supernetting calculations are similar to subnetting calculations

ROUTERS
What is a Router?
> Communicates between different networks
> It provides WAN connectivity
> It does routing (selects best paths)
> It works at Layer 3
> It can read the IP header
> It maintains an IP routing table which contains the best paths to destination networks

Types of Routers
> Software routers
  Dual home system with routing enabled
  Windows 2003 Server, Linux server
> Hardware routers
  Hardware device - dedicated routing
  Cisco router
  Vendors: CISCO, DAX, JUNIPER, LINKSYS, NOKIA, D-LINK, ZYXEL, 3COM

Types of Cisco Router:
> Fixed routers
  Fixed no of interfaces
  No hardware upgrade
  Cheaper
> Modular routers
  No of interfaces can be increased
  Hardware upgrade is possible
  Costlier
(Figures: fixed routers)

Internet Structure:
> Internet centers and companies are connected to local ISPs (Internet Service Providers)
> Local ISPs are connected to regional ISPs
> Regional ISPs are connected to national ISPs
> National ISPs are connected to global ISPs
> The data flow rate is low at local ISPs and gradually increases up to the global ISPs
> The devices at global ISPs must be high end devices

Cisco 3-Layer hierarchy
Cisco routers are divided into 3 categories based on hardware capabilities:
> Access Layer
> Distribution Layer
> Core Layer

Access Layer:
> Used for small organizations
> Data transfer speed is low
> Local ISPs
> 1600, 1700, 2500 series routers
> Fixed routers

Distribution Layer:
> Used for medium level organizations
> Data transfer speed is medium
> Regional ISPs, national ISPs
> 2600, 2800, 3600 series routers
> Modular routers

Core Layer:
> Used for medium level organizations
> Data transfer speed is high
> National ISPs, global ISPs
> 6000, 7000, 10000, 12000 series routers
> Modular routers

The 2500 series has the following models: 2501, 2503, 2509, 2511, 2520

Router Ports:
> Interfaces: for data transfer
  LAN interfaces: for LAN connectivity - e0, e1, e2, fa0/0, fa0/1
  WAN interfaces: for WAN connectivity - s0, s1, s2, s3, s0/0, s0/1
> Lines: for router management
  Physical lines: exist on the router - Console 0 (local), Aux 0 (remote)
  Logical lines: do not exist on the router - Vty 0 4 (also called telnet)
(Figure: rear panel of a Cisco 2501)

Router Internal Components - Boot Sequence
POST:
> Power On Self Test
> Hardware checkup
> RAM, CPU, interface diagnosis
ROM:
> Read Only Memory
> Bootstrap loader / Mini IOS
> Finds the location of the complete IOS
Flash:
> Complete IOS image
> May have multiple IOS images
> Router operates with a single IOS
> Eg: c2500-d-l.120-7.bin
NVRAM:
> Non Volatile Random Access Memory
> Permanent configuration
> File name: startup-config
> Router always uses the NVRAM configuration when booting
> Router copies NVRAM into RAM
RAM:
> Random Access Memory
> Temporary configuration
> File name: running-config
> Router copies NVRAM into RAM
> Router always works with the RAM configuration only

If there is no valid IOS, the router uses the bootstrap loader. The prompt would be Router(boot)> or Rommon>.

Router Boot Sequence:
> The router boot sequence depends on the configuration register value
> This value decides whether the router uses the IOS or the bootstrap loader
> This value decides whether the router uses NVRAM or not
> The configuration register value is a 16 bit value

What is the Configuration Register?
> A 16 bit register which is used to define the boot sequence
> Every bit in the register has a specific purpose
> The value 0x2102 indicates the normal boot sequence

What is the Operating System in a Router?
> The router works on IOS
> IOS - Internetwork Operating System
> The router works on a single IOS image file

Router Configuration is Mandatory?
> Configuration is mandatory
> Router works only if it is configured properly
> Don't connect the router without configuration
> Router is not a zero-touch configuration device

How to configure the router?
> Use console 0 to configure the router for the first time
> Connect a rollover cable between console 0 on the router and the COM1 port on the computer/laptop
(Console connection: figure omitted)

Emulation Software:
> One application is required on the laptop/system to access the IOS and configure the router. This software is called emulation software
> Eg: HyperTerminal, PuTTY
> HyperTerminal is the default program in Windows XP

How to open HyperTerminal:
> Start -> Programs -> Accessories -> Communications -> HyperTerminal
  (or)
> Type hypertrm at the Run prompt
(HyperTerminal connection settings: screenshots omitted)
Select Restore Defaults (Cisco router accepts default settings)

Router Modes
> Cisco IOS has different modes
> Every mode has its own functionality
> Cisco IOS is CLI (command line interface) based
> Commands are mode specific

Router Modes - Prompts:
Router>                   User mode
Router#                   Privilege mode
Router(config)#           Global configuration mode
Router(config-if)#        Interface mode
Router(config-line)#      Line mode
Router(config-router)#    Router mode

Router Modes - Navigation
(Figure omitted: user mode -> privilege mode -> global configuration mode, from which interface mode, line mode and router mode are entered)

Router Modes - Functionalities - Commands

1. User mode: Router>
Functions:
> To check the connectivity
> It has limited functionality
Commands:
telnet <ip>        to telnet into a device
ping <ip>          to check connectivity
traceroute <ip>    to trace the path
enable             to enter privilege mode

2. Privilege mode: Router#
Functions:
> View entire configuration
> Backup & recovery
Commands:
show run                    to see temporary configuration
show start                  to see permanent configuration
show int s 0                displays info about interface s 0
show ip route               displays routing table
show version                displays version, config register value
show flash                  displays flash contents / IOS image
show ip protocols           displays configured routing protocols
show ip int brief           displays interface IP information
show controllers serial 0   displays hardware info of s0 - DCE/DTE
reload                      restarts the router
config t                    enters global configuration mode
copy run start / write      save RAM contents to NVRAM

3. Global configuration mode: Router(config)#
Functions:
> To do the entire configuration of the router (globally)
Commands:
no logging console                turns off logging (logging messages)
hostname host1                    changes the hostname
enable password cisco             sets privilege mode password
enable secret cisco               sets secret password for privilege mode
ip routing                        enables routing table
no ip routing                     disables routing table
config-register 0x2102            sets the config register value to 0x2102
ip route                          to configure static route
int s 0 / int s 1 / int e 0       to interface mode
line con 0                        to line mode
router eigrp 23 / router ospf 56  to router mode

4. Interface mode: Router(config-if)#
Functions:
> Configuration of interfaces
Commands:
ip address            to configure ip address for interface
no shutdown           activate the interface
encapsulation hdlc    set L2 encapsulation for WAN ports
clock rate 64000      set clock rate (DCE interfaces)
bandwidth 64          set interface bandwidth

5. Line mode: Router(config-line)#
Functions:
> Authentication of lines
> Configuring console 0, aux 0, vty 0 4
Commands:
password      to configure password for line
login         to set login type

6. Router mode: Router(config-router)#
Functions:
> To configure dynamic routing protocols
Commands:
network        to advertise networks in routing
auto-summary   auto summarize networks

Help:
> Use "?" to get help
> Use "tab" to get the complete command after entering the unique characters of a command
> Use the "no" keyword along with the command for reverse results
> Use "q" or "Ctrl+C" to terminate output

Router & Switch properties
(Figure omitted: switch in LAN / router in LAN)

What is a Default Gateway?
> Entry or exit point of a network
> This is the IP address used to communicate with different networks
> Default gateway is typically the IP address of the router
> Default gateway is not required within the network
> Default gateway must be configured in every computer to communicate with different networks

(DEFAULT GATEWAY figure and Windows TCP/IP properties screenshot omitted: the host's default gateway is the address of the router interface on its LAN)

What is a Routing Table?
> The list of networks that the router knows
> Router can reach only those networks which are present in its routing table
> Routing table contains only the best paths to reach networks
> Routing table includes network address, exit interface, metric

(Figure omitted: "This is my routing table, so I can reach these networks", a router with its list of networks and exit interfaces)

Network design Rules
> All the connected interfaces must be different networks
> All the LANs must be different networks
> LAN and default gateway must be in the same network
> Two directly connected interfaces must be in the same network

(Network design figures omitted)
DCE - DTE
> Data synchronization is required on WAN links (on serial interfaces)
> In real-time scenarios this synchronization is provided by modems connected to the serial interfaces
> Modems generate the clock rate to synchronize the data between WAN ports
(REAL TIME SCENARIO figure omitted: router - modem - modem - router)

> Because there are no modems in practical scenarios, this clock rate needs to be generated by one of the routers in the point-to-point connectivity
> A DCE-DTE cable is used in practical scenarios between routers
> If one router is connected to the DCE end, the second router will be connected to the DTE end (in point-to-point connectivity, one end is DCE, the other end is DTE)
(PRACTICAL SCENARIO figure omitted: router - DCE/DTE cable - router)

DCE - DTE differences:
DCE                                       DTE
Data Communication Equipment              Data Terminating Equipment
Master                                    Slave
Generates clock rate (64000 Hz)           Accepts clock rate
Dial-up, leased line modems, CSU/DSU      PC, Router

Router Initial Configuration
> Router is not a zero-touch configuration device
> It must be configured with proper IP addresses. If not, it won't work

Steps:
1. Hostname change
2. Secure router
3. Configure interfaces
4. View and save
(Lab topology figure omitted)

1. Hostname Change:
Router> enable
Router# config t
Router(config)# hostname CHEN

2. Secure Router:
CHEN(config)# enable password cisco
CHEN(config)# enable secret ccna
CHEN(config)# line con 0
CHEN(config-line)# password cisco
CHEN(config-line)# login
CHEN(config-line)# exit
CHEN(config)# line aux 0
CHEN(config-line)# password cisco
CHEN(config-line)# login
CHEN(config-line)# exit
CHEN(config)# line vty 0 4
CHEN(config-line)# password cisco
CHEN(config-line)# login
CHEN(config-line)# exit
CHEN(config)# service password-encryption
CHEN(config)# exit
3. Configure interfaces:
CHEN(config)# interface s 1
CHEN(config-if)# ip address 17.0.0.2 255.0.0.0
CHEN(config-if)# no shutdown
CHEN(config-if)# bandwidth 64
CHEN(config-if)# clock rate 64000
CHEN(config-if)# encapsulation hdlc
CHEN(config)# interface s 0
CHEN(config-if)# ip address 12.0.0.1 255.0.0.0
CHEN(config-if)# no shutdown
CHEN(config-if)# bandwidth 64
CHEN(config-if)# clock rate 64000
CHEN(config-if)# encapsulation ppp
CHEN(config)# interface e 0
CHEN(config-if)# ip address 172.16.0.100 255.255.0.0
CHEN(config-if)# no shutdown
CHEN(config-if)# exit
CHEN(config)# exit

4. View & Save:
CHEN# show ip int brief
CHEN# show run
CHEN# show ip route
CHEN# show interfaces
CHEN# copy run start
CHEN# write

Routing

What is Routing?
> Communication between two different networks
> Router can communicate with those networks present in its routing table
> By default the routing table maintains connected networks information
> If there is no information in the routing table about a destination network, the router drops all the packets for that destination
> So destination networks must be added to the routing table
> This process is called ROUTING

Router(config)# ip routing      - to enable the routing process
Router(config)# no ip routing   - to disable the routing process
Router# show ip route           - to view the routing table

Routing can be done in two ways
> Static Routing
> Dynamic Routing

Static Routing:
> Manual routing
> Administrative work is more
> It is suitable for small networks
> Suitable for fixed networks
> Administrative distance is 1
> A single change may affect all the router configurations

Dynamic Routing:
> Routing happens dynamically (automatically) by using routing protocols
> Administrative work is less
> It is suitable for large networks
> Suitable for scalable networks
> Administrative distance depends on the routing protocol
> A single change will not affect the remaining routers' configuration
> Destination network information is obtained and updated automatically

Static Routing
(Lab topology figure omitted: routers BANG, CHEN, HYD, DEL connected in a line with their LANs)
Syntax:
Router(config)# ip route <destination network> <subnet mask> <exit interface>
(or)
Router(config)# ip route <destination network> <subnet mask> <next hop IP address>

Exit interface: interface on the home router which forwards the data to the next router
Next hop IP address: interface IP address of the next immediate router towards the destination

Static Routing configuration

Bang:
Bang> enable
Bang# show ip route
Bang# config t
Bang(config)# no ip routing
Bang(config)# ip routing
Bang(config)# ip route 172.16.0.0 255.255.0.0 s 1
Bang(config)# ip route 192.168.6.0 255.255.255.0 s 1
Bang(config)# ip route 192.168.5.0 255.255.255.0 s 1
Bang(config)# exit
Bang# show ip route

Chen:
Chen> enable
Chen# show ip route
Chen# config t
Chen(config)# no ip routing
Chen(config)# ip routing
Chen(config)# ip route 172.17.0.0 255.255.0.0 s 0
Chen(config)# ip route 192.168.6.0 255.255.255.0 s 1
Chen(config)# ip route 192.168.5.0 255.255.255.0 s 1
Chen(config)# exit
Chen# show ip route

Hyd:
Hyd> enable
Hyd# show ip route
Hyd# config t
Hyd(config)# no ip routing
Hyd(config)# ip routing
Hyd(config)# ip route 172.17.0.0 255.255.0.0 s 1
Hyd(config)# ip route 172.16.0.0 255.255.0.0 s 1
Hyd(config)# ip route 192.168.5.0 255.255.255.0 s 0
Hyd(config)# exit
Hyd# show ip route

Del:
Del> enable
Del# show ip route
Del# config t
Del(config)# no ip routing
Del(config)# ip routing
Del(config)# ip route 172.17.0.0 255.255.0.0 s 0
Del(config)# ip route 172.16.0.0 255.255.0.0 s 0
Del(config)# ip route 192.168.6.0 255.255.255.0 s 0
Del(config)# exit
Del# show ip route
Static Default Routing configuration
> It is a form of static routing
> Used when destination information is not available
> Used as the last option
> Configured at "end points" / stub networks (with one exit interface)
> In default routing the destination network address is 0.0.0.0
> Used in Internet configuration

Syntax:
Router(config)# ip route 0.0.0.0 0.0.0.0 <exit interface>

The 0.0.0.0 network with the 0.0.0.0 subnet mask represents all IP addresses from 0.0.0.0 to 255.255.255.255

Bang and Del routers are the end points / stub routers in the LAB network

Bang:
Bang> enable
Bang# show ip route
Bang# config t
Bang(config)# no ip routing
Bang(config)# ip routing
Bang(config)# ip route 0.0.0.0 0.0.0.0 s 1
Bang(config)# exit
Bang# show ip route

Del:
Del> enable
Del# show ip route
Del# config t
Del(config)# no ip routing
Del(config)# ip routing
Del(config)# ip route 0.0.0.0 0.0.0.0 s 0
Del(config)# exit
Del# show ip route

Internet Router Configuration
(Figure omitted: corporate network connected to the Internet router)
Internetrouter> enable
Internetrouter# show ip route
Internetrouter# config t
Internetrouter(config)# no ip routing
Internetrouter(config)# ip routing
Internetrouter(config)# ip route 0.0.0.0 0.0.0.0 s 0
Internetrouter(config)# exit
Internetrouter# show ip route
(Figures omitted: routing table before configuration, routing table after configuration)

Dynamic Routing
> Dynamic routing can be done through dynamic routing protocols
> Dynamic routing protocols choose the best path. They do not carry data
> Routed protocols carry the data in the chosen path
> Dynamic routing protocols are divided into two categories
  o IGP
  o EGP

What is an Autonomous System (AS)?
> Autonomous system is the collection of networks with a single administration
> Collection of networks with common routing policies
> Autonomous system number is a 16-bit value
> Range is 1-65535
(Figure omitted: AS 100)

IGP & EGP protocols:
> IGP category protocols work within an AS
> EGP category protocols work between ASes

Intra-domain routing:
> Routing within an AS
> Possible with IGP protocols

Inter-domain routing:
> Routing between ASes
> Possible with EGP protocols

Routing Protocols
> Distance vector
> Link state
> Path vector

IGP Routing Protocols:
> IGP protocols are used to communicate within an AS
> IGP protocols are divided into 3 categories
  o Distance Vector: RIP, IGRP
  o Link State: OSPF, IS-IS
  o Advanced Distance Vector / Hybrid: RIPv2, EIGRP
> The goal of every routing protocol is the same
> That is to select the best path
> But the selection criteria are different
> Every protocol has distinct characteristics in finding best paths

RIP     Routing Information Protocol                   Distance vector
IGRP    Interior Gateway Routing Protocol              Distance vector
OSPF    Open Shortest Path First                       Link state
IS-IS   Intermediate System to Intermediate System     Link state
EIGRP   Enhanced IGRP                                  Hybrid
RIPv2   RIP version 2                                  Hybrid
What is Administrative Distance (AD)?
> It is the trustworthiness of a protocol
> It is a value given by Cisco that indicates reliability
> It is an 8-bit value
> Range 0-255
> The lesser the AD, the better the routing protocol

Connected           0
Static route        1
RIP                 120
IGRP                100
EIGRP               90
OSPF                110
IS-IS               115
RIPv2               120
EIGRP summary       5
External BGP        20
EGP                 140
ODR                 160
External EIGRP      170
Internal BGP        200
Unknown             255

RIPv1 - Routing Information Protocol (v1)
> AD = 120 (Administrative distance)
> Metric = hop count (15 = max, 16 = invalid)
> Algorithm = Bellman-Ford
> Update timer = 30 sec
> Invalid timer = 180 sec
> Hold down timer = 180 sec
> Flush timer = 240 sec
> Load balancing = 6 equal paths
> Classful routing (subnetting "not" supported)
> Open standard

Syntax:
Router(config)# router rip
Router(config-router)# network <network address>

RIPv1 configuration

Bang:
Bang> enable
Bang# config t
Bang(config)# no ip routing
Bang(config)# ip routing
Bang(config)# router rip
Bang(config-router)# version 1
Bang(config-router)# network 172.17.0.0
Bang(config-router)# network 12.0.0.0
Bang(config-router)# end
Bang# show ip route

Chen:
Chen> enable
Chen# config t
Chen(config)# no ip routing
Chen(config)# ip routing
Chen(config)# router rip
Chen(config-router)# version 1
Chen(config-router)# network 172.16.0.0
Chen(config-router)# network 12.0.0.0
Chen(config-router)# network 11.0.0.0
Ch en(config-router)# end
Chen# show ip route

Hyd:
Hyd> enable
Hyd# config t
Hyd(config)# no ip routing
Hyd(config)# ip routing
Hyd(config)# router rip
Hyd(config-router)# version 1
Hyd(config-router)# network 192.168.6.0
Hyd(config-router)# network 11.0.0.0
Hyd(config-router)# network 10.0.0.0
Hyd(config-router)# end
Hyd# show ip route

Del:
Del> enable
Del# config t
Del(config)# no ip routing
Del(config)# ip routing
Del(config)# router rip
Del(config-router)# version 1
Del(config-router)# network 192.168.5.0
Del(config-router)# network 10.0.0.0
Del(config-router)# end
Del# show ip route
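How a router chooses between the routes it has learned, as an added example (not the course's own code) for the static routing, default routing, administrative distance and RIP hop-count passages above. The routing table is constructed for the Chen router of the lab topology; the next-hop addresses 12.0.0.2 and 11.0.0.1 are assumed, not taken from the notes.

```python
"""Routing table selection: per prefix, the lowest AD wins (then the lowest
metric); forwarding uses the longest prefix match; the 0.0.0.0/0 default
route matches last; no match means the packet is dropped.
Added example for the routing passages above (not from the course notes).
"""
import ipaddress
from dataclasses import dataclass

# Administrative distances as listed in the notes (lower = more trusted).
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}
RIP_INFINITY = 16   # RIP hop count 16 means "unreachable"


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    source: str      # "connected", "static", "rip", ...
    metric: int
    via: str         # exit interface or next-hop IP, as typed in "ip route"


def candidate(network, source, metric, via):
    return Route(ipaddress.ip_network(network), source, metric, via)


def install(candidates):
    """Build the table: keep the best route per prefix (lowest AD, then
    lowest metric). RIP routes at hop count 16 are never installed."""
    table = {}
    for r in candidates:
        if r.source == "rip" and r.metric >= RIP_INFINITY:
            continue
        best = table.get(r.network)
        if best is None or (AD[r.source], r.metric) < (AD[best.source], best.metric):
            table[r.network] = r
    return table


def lookup(table, destination):
    """Longest-prefix match. Returns the Route used, or None (packet dropped)."""
    dst = ipaddress.ip_address(destination)
    matches = [r for net, r in table.items() if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


# Constructed candidates for Chen: connected links, one static route that
# competes with a RIP route to the same prefix, an unreachable RIP route
# and a static default route out of s1.
LEARNED = [
    candidate("172.16.0.0/16", "connected", 0, "e0"),
    candidate("12.0.0.0/8", "connected", 0, "s0"),
    candidate("11.0.0.0/8", "connected", 0, "s1"),
    candidate("172.17.0.0/16", "static", 0, "s0"),
    candidate("172.17.0.0/16", "rip", 1, "12.0.0.2"),    # loses: AD 120 > 1
    candidate("192.168.6.0/24", "rip", 2, "11.0.0.1"),
    candidate("192.168.5.0/24", "rip", 16, "11.0.0.1"),  # hop 16: not installed
    candidate("0.0.0.0/0", "static", 0, "s1"),
]
TABLE = install(LEARNED)

if __name__ == "__main__":
    for dst in ("172.17.0.5", "192.168.6.9", "192.168.5.9", "8.8.8.8"):
        r = lookup(TABLE, dst)
        print(dst, "->", "drop" if r is None else f"{r.network} via {r.via} ({r.source})")
```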
RIPv2 - Routing Information Protocol (v2)
> AD = 120 (Administrative distance)
> Metric = hop count (15 = max, 16 = invalid)
> Algorithm = Bellman-Ford
> Triggered updates
> Multicast updates on 224.0.0.9
> Load balancing = 6 equal paths
> Classless routing (subnetting supported)
> Open standard

Syntax:
Router(config)# router rip
Router(config-router)# version 2
Router(config-router)# network <network address>

RIPv2 configuration

Bang:
Bang> enable
Bang# config t
Bang(config)# no ip routing
Bang(config)# ip routing
Bang(config)# router rip
Bang(config-router)# version 2
Bang(config-router)# network 172.17.0.0
Bang(config-router)# network 12.0.0.0
Bang(config-router)# end
Bang# show ip route

Chen:
Chen> enable
Chen# config t
Chen(config)# no ip routing
Chen(config)# ip routing
Chen(config)# router rip
Chen(config-router)# version 2
Chen(config-router)# network 172.16.0.0
Chen(config-router)# network 12.0.0.0
Chen(config-router)# network 11.0.0.0
Chen(config-router)# end
Chen# show ip route

Hyd:
Hyd> enable
Hyd# config t
Hyd(config)# no ip routing
Hyd(config)# ip routing
Hyd(config)# router rip
Hyd(config-router)# version 2
Hyd(config-router)# network 192.168.6.0
Hyd(config-router)# network 11.0.0.0
Hyd(config-router)# network 10.0.0.0
Hyd(config-router)# end
Hyd# show ip route

Del:
Del> enable
Del# config t
Del(config)# no ip routing
Del(config)# ip routing
Del(config)# router rip
Del(config-router)# version 2
Del(config-router)# network 192.168.5.0
Del(config-router)# network 10.0.0.0
Del(config-router)# end
Del# show ip route

IGRP - Interior Gateway Routing Protocol
> AD = 100
> Metric = 24-bit composite (Bandwidth + Delay + Load + Reliability + MTU)
> Algorithm = Bellman-Ford
> Update timer = 90 sec
> Invalid timer = 270 sec
> Hold down timer = 280 sec
> Flush timer = 630 sec
> Load balancing = 4-6 equal / unequal paths
> Classful routing (subnetting "not" supported)
> Cisco proprietary

Syntax:
Router(config)# router igrp <AS number>
Router(config-router)# network <network address>
(Lab topology figure omitted: BANG, CHEN, HYD, DEL)

IGRP configuration
Configure all routers in the same Autonomous System
IGRP communicates within the AS only

Bang:
Bang> enable
Bang# config t
Bang(config)# no ip routing
Bang(config)# ip routing
Bang(config)# router igrp 87
Bang(config-router)# network 172.17.0.0
Bang(config-router)# network 12.0.0.0
Bang(config-router)# end
Bang# show ip route

Chen:
Chen> enable
Chen# config t
Chen(config)# no ip routing
Chen(config)# ip routing
Chen(config)# router igrp 87
Chen(config-router)# network 172.16.0.0
Chen(config-router)# network 12.0.0.0
Chen(config-router)# network 11.0.0.0
Chen(config-router)# end
Chen# show ip route

Hyd:
Hyd> enable
Hyd# config t
Hyd(config)# no ip routing
Hyd(config)# ip routing
Hyd(config)# router igrp 87
Hyd(config-router)# network 192.168.6.0
Hyd(config-router)# network 11.0.0.0
Hyd(config-router)# network 10.0.0.0
Hyd(config-router)# end
Hyd# show ip route

Del:
Del> enable
Del# config t
Del(config)# no ip routing
Del(config)# ip routing
Del(config)# router igrp 87
Del(config-router)# network 192.168.5.0
Del(config-router)# network 10.0.0.0
Del(config-router)# end
Del# show ip route

EIGRP - Enhanced Interior Gateway Routing Protocol
> AD = 90
> Metric = 32-bit composite (Bandwidth + Delay + Load + Reliability + MTU)
> Algorithm = DUAL (Diffusing Update Algorithm)
> Hello timer = 5 sec
> It sends incremental, triggered updates
> Multicast updates on 224.0.0.10
> Load balancing = 4-6 equal / unequal paths
> It is classless (subnetting supported)
> Cisco proprietary

Syntax:
Router(config)# router eigrp <AS number>
Router(config-router)# network <network address> <wildcard mask>

What is WCM?
> Wild Card Mask
> Inverse of the subnet mask value
> Class A WCM: 0.255.255.255
> Class B WCM: 0.0.255.255
> Class C WCM: 0.0.0.255
(Lab topology figure omitted: BANG, CHEN, HYD, DEL)

EIGRP configuration
Configure all routers in the same Autonomous System
EIGRP communicates within the AS only
Some older IOS versions may not support WCM for EIGRP

Bang:
Bang> enable
Bang# config t
Bang(config)# no ip routing
Bang(config)# ip routing
Bang(config)# router eigrp 145
Bang(config-router)# network 172.17.0.0 0.0.255.255
Bang(config-router)# network 12.0.0.0 0.255.255.255
Bang(config-router)# end
Bang# show ip route

Chen:
Chen> enable
Chen# config t
Chen(config)# no ip routing
Chen(config)# ip routing
Chen(config)# router eigrp 145
Chen(config-router)# network 172.16.0.0 0.0.255.255
Chen(config-router)# network 12.0.0.0 0.255.255.255
Chen(config-router)# network 11.0.0.0 0.255.255.255
Chen(config-router)# end
Chen# show ip route

Hyd:
Hyd> enable
Hyd# config t
Hyd(config)# no ip routing
Hyd(config)# ip routing
Hyd(config)# router eigrp 145
Hyd(config-router)# network 192.168.6.0 0.0.0.255
Hyd(config-router)# network 11.0.0.0 0.255.255.255
Hyd(config-router)# network 10.0.0.0 0.255.255.255
Hyd(config-router)# end
Hyd# show ip route

Del:
Del> enable
Del# config t
Del(config)# no ip routing
Del(config)# ip routing
Del(config)# router eigrp 145
Del(config-router)# network 192.168.5.0 0.0.0.255
Del(config-router)# network 10.0.0.0 0.255.255.255
Del(config-router)# end
Del# show ip route

OSPF - Open Shortest Path First
> AD = 110
> Metric = cost (10^8 / bandwidth in bps)
> Algorithm = Dijkstra or SPF
> Hello timer = 10 sec
> Dead timer = 40 sec
> Flush timer = 30 min
> Multicast updates on 224.0.0.5, 224.0.0.6
> It is classless (subnetting supported)
> Open standard

Syntax:
Router(config)# router ospf <process id>
Router(config-router)# network <network address> <wildcard mask> area <area id>

What is WCM?
> Wild Card Mask
> Inverse of the subnet mask value
> Class A WCM: 0.255.255.255
> Class B WCM: 0.0.255.255
> Class C WCM: 0.0.0.255

What is an Area?
> OSPF maintains link state information of every router to run the SPF algorithm
> Router consumes more resources if more routers are present in the network
> Areas are used to limit the link state database handled by a router
> Area is a logical boundary for OSPF routers
> OSPF routers handle the link state information of all routers belonging to the same area
> Area Border Routers (ABR) route the data between different areas

What is Process id?
> OSPF can be configured as multiple instances on the same router
> Process id is used to identify the instance of OSPF
> It need not be the same on all routers
> Process id is a 16-bit value
> Range: 1-65535

OSPF areas:
> OSPF areas are basically of two types
  o Backbone area
    > Area 0 is called the backbone area
    > Transit area between different areas
  o Non Backbone area
    > Areas other than the backbone area
    > All non-backbone areas must be directly connected to area 0
(Figure omitted: backbone area 0 with non-backbone areas attached to it)

OSPF Router Types:
> Backbone routers
> Internal routers
> ABR
> ASBR

Backbone routers    Routers in the backbone area (area 0)
Internal routers    Routers belonging to the same area (backbone or non-backbone). Backbone routers are internal routers
ABR                 Area Border Router. Router belonging to multiple areas. For an ABR, at least one interface must be in the backbone area
ASBR                Autonomous System Boundary Router. OSPF router that is connected to a non-OSPF network. ASBR is generally placed in area 0
(Figure omitted: OSPF router types)

OSPF area Types:
> Backbone area
> Stub area
> Totally stub area
> NSSA (Not So Stubby Area)

LSA Types:
> LSA - Link State Advertisement
> It contains link state information and the networks available on that link

1    Router LSA
2    Network LSA
3    Summary LSA
4    ASBR summary LSA
5    AS external LSA
6    Multicast OSPF LSA
7    NSSA LSA

OSPF configuration
Configure all routers in a single area (Area 0)
Process id can be different from router to router

Bang:
Bang> enable
Bang# config t
Bang(config)# no ip routing
Bang(config)# ip routing
Bang(config)# router ospf 14
Bang(config-router)# network 172.17.0.0 0.0.255.255 area 0
Bang(config-router)# network 12.0.0.0 0.255.255.255 area 0
Bang(config-router)# end
Bang# show ip route

Chen:
Chen> enable
Chen# config t
Chen(config)# no ip routing
Chen(config)# ip routing
Chen(config)# router ospf 1456
Chen(config-router)# network 172.16.0.0 0.0.255.255 area 0
Chen(config-router)# network 12.0.0.0 0.255.255.255 area 0
Chen(config-router)# network 11.0.0.0 0.255.255.255 area 0
Chen(config-router)# end
Chen# show ip route

Hyd:
Hyd> enable
Hyd# config t
Hyd(config)# no ip routing
Hyd(config)# ip routing
Hyd(config)# router ospf 258
Hyd(config-router)# network 192.168.6.0 0.0.0.255 area 0
Hyd(config-router)# network 11.0.0.0 0.255.255.255 area 0
Hyd(config-router)# network 10.0.0.0 0.255.255.255 area 0
Hyd(config-router)# end
Hyd# show ip route

Del:
Del> enable
Del# config t
Del(config)# no ip routing
Del(config)# ip routing
Del(config)# router ospf 25696
Del(config-router)# network 192.168.5.0 0.0.0.255 area 0
Del(config-router)# network 10.0.0.0 0.255.255.255 area 0
Del(config-router)# end
Del# show ip route
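The wildcard mask and the OSPF network statement worked through in code, as an added example (not the course's own code) for the WCM and OSPF passages above. It uses Chen's OSPF statements from the configuration above; Chen's s1 address 11.0.0.2 and the loopback 192.168.100.1 are assumed, and "first matching statement wins" is a simplification of IOS behaviour.

```python
"""Wildcard masks, which interfaces an OSPF/EIGRP "network" statement
enables, and the OSPF cost formula 10^8 / bandwidth.
Added example for the WCM and OSPF passages above (not from the course notes).
"""
import ipaddress


def wildcard(subnet_mask):
    """WCM is the bit inverse of the subnet mask: 255.255.0.0 -> 0.0.255.255."""
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def matches(network, wcm, interface_ip):
    """A 0 bit in the WCM must match the network; a 1 bit is "don't care"."""
    net = int(ipaddress.IPv4Address(network))
    care = int(ipaddress.IPv4Address(wcm)) ^ 0xFFFFFFFF
    ip = int(ipaddress.IPv4Address(interface_ip))
    return (ip & care) == (net & care)


def enabled_interfaces(statements, interfaces):
    """Map interface name -> area for every interface some statement covers.

    statements: list of (network, wcm, area); interfaces: {name: ip}.
    Assumption: the first matching statement in order is the one applied.
    """
    enabled = {}
    for name, ip in interfaces.items():
        for network, wcm, area in statements:
            if matches(network, wcm, ip):
                enabled[name] = area
                break
    return enabled


def ospf_cost(bandwidth_bps, reference_bps=100_000_000):
    """Cost = 10^8 / bandwidth in bps, integer, never below 1.
    Every link faster than 100 Mbps therefore costs 1 unless the reference
    bandwidth is raised, a common surprise on gigabit networks."""
    return max(1, reference_bps // bandwidth_bps)


# Chen's OSPF statements as configured above (all in area 0).
CHEN_STATEMENTS = [
    ("172.16.0.0", "0.0.255.255", 0),
    ("12.0.0.0", "0.255.255.255", 0),
    ("11.0.0.0", "0.255.255.255", 0),
]
# Constructed interface addresses: e0 and s0 from the notes, s1 and the
# loopback assumed for this example.
CHEN_INTERFACES = {
    "e0": "172.16.0.100",
    "s0": "12.0.0.1",
    "s1": "11.0.0.2",
    "loopback0": "192.168.100.1",   # no statement covers it: stays out of OSPF
}

if __name__ == "__main__":
    print(wildcard("255.255.255.252"))
    print(enabled_interfaces(CHEN_STATEMENTS, CHEN_INTERFACES))
    print(ospf_cost(64_000), ospf_cost(10_000_000), ospf_cost(1_000_000_000))
```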
Comparison of RIP, EIGRP and OSPF:
                    RIP                             EIGRP                                          OSPF
Full name           Routing Information Protocol    Enhanced Interior Gateway Routing Protocol     Open Shortest Path First
Type                Distance vector                 Advanced distance vector                       Link state
AD                  120                             90                                             110
Category            IGP                             IGP                                            IGP
Standard            Open standard                   Cisco                                          Open standard
Maximum hops        15 maximum                      224 default, 255 maximum                       255

Backup & Recovery
> It is always better to take a backup of the router startup-configuration and IOS image periodically
> If something happens to the router/configuration, or if the router is replaced with a new one, it won't take much time to bring the router online (if a backup is already taken)

Requirements for Backup & Recovery:
> A TFTP server is required for backup & recovery operations
> TFTP (Trivial FTP) is used to transfer the files
  o from router to system (backup)
  o from system to router (recovery)
> TFTP server is a small free software
> Install the TFTP server program in the computer/laptop
> Always ensure the TFTP server has connectivity with the router while performing backup and recovery operations

How to take Backup?
Startup-configuration backup:
Router# copy running-config tftp
IOS image backup:
Router# copy flash tftp

How to Recover?
Startup-configuration recovery:
Router# copy tftp startup-config
Flash recovery (or) IOS image upgrade:
Router# copy tftp flash
Router(boot)# copy tftp flash

For backup and recovery operations the router requires some information such as the IOS image name, startup-config name, address of the TFTP server etc. Enter the required information correctly.

Router Password Recovery (2500 series)
> Restart the router (power cycling / force restart)
> Press Ctrl+Break within one minute
> o/r 0x141     - setting config register value to 0x141
> i             - initialize
Router restarts
Router(boot)> enable
Router(boot)# copy start run
Router(boot)# config t
Router(boot)(config)# no enable secret
Router(boot)(config)# no enable password
Router(boot)(config)# line con 0
Router(boot)(config-line)# no password
Router(boot)(config-line)# login
Router(boot)(config-line)# exit
Router(boot)(config)# config-register 0x2102
Router(boot)(config)# exit
Router(boot)# write
Router(boot)# reload
Router restarts
Router> enable
Router#
Some routers display the Rommon> prompt instead of >. Then use these commands:
Rommon> confreg 0x141     (similar to > o/r 0x141)
Rommon> reset             (similar to > i)

Config-register values:
0x2102     normal boot sequence
0x141      bootstrap loader / boot mode

SWITCHES

What is a Hub?
> Layer 1 device
> Dummy device (unintelligent)
> No technology to handle MAC information
> No memory
> It always broadcasts the data
> It gets the data from one port, regenerates the data and sends the data to all ports
> Also called a multi-port repeater

How does a Hub forward the data?
(Figure omitted: hub)
> It gets the data from one port
> It regenerates the same data and floods the data to all ports
> All systems receive the same data, but only one system accepts it
> Hub is shared media
> Hub supports only half-duplex communication
> Hub cannot read the L2 header, L3 header, L4 header

L2 header contains source MAC, destination MAC information
L3 header contains source IP, destination IP information
L4 header contains source port, destination port information

What is CSMA?
Carrier Sense Multiple Access
> First the system looks for the carrier, whether it is free or not
> If the carrier is free it sends the data. If not, it waits for some time
> Multiple systems can access a single carrier with the CSMA mechanism
(Figure omitted: hub ports 1-8 sharing one carrier)
> Multiple ports may sense the free carrier and try to send the data at exactly the same time
> If two ports want to send the data at the same time, the voltage levels from one port mix up with the other port's. Finally the data is collided
> Collision is a situation where the data from one port collides with the data from other ports
(Figure omitted: collision)
> CSMA/CD
  o Carrier sense multiple access - Collision detection
  o The mechanism used to detect collisions
> CSMA/CA
  o Carrier sense multiple access - Collision avoidance
  o The mechanism to avoid collisions (by setting a random timer)
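Decoding the configuration register, as an added example (not the course's own code) for the boot sequence passage and the password recovery procedure above. The bit meanings are the standard Cisco 16-bit register layout; the show version lines are constructed samples, and the audit is the check an operator runs after a recovery to confirm the register went back to 0x2102.

```python
"""Decode the 16-bit configuration register (0x2102 normal, 0x141 boot
mode) and audit a "show version" output after a password recovery.
Added example for the boot sequence and password recovery passages above
(not from the course notes).
"""
import re

BOOT_FIELD_MASK = 0x000F   # bits 0-3: boot field
IGNORE_NVRAM    = 0x0040   # bit 6: ignore startup-config in NVRAM at boot
BREAK_DISABLED  = 0x0100   # bit 8: Break key disabled after boot
ROM_FALLBACK    = 0x2000   # bit 13: fall back to ROM software if netboot fails
NORMAL_BOOT     = 0x2102


def decode(value):
    """Human-readable meaning of a register value."""
    boot = value & BOOT_FIELD_MASK
    if boot == 0:
        boot_desc = "ROM monitor (rommon)"
    elif boot == 1:
        boot_desc = "bootstrap loader / mini IOS in ROM"
    else:
        boot_desc = "complete IOS from flash (boot system commands)"
    return {
        "boot": boot_desc,
        "uses_nvram": not value & IGNORE_NVRAM,
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
    }


def audit(show_version_output):
    """Find 'Configuration register is 0x....' and list what to fix.

    After a password recovery the register must be back at 0x2102, otherwise
    the saved startup-config is ignored and the router boots unconfigured.
    Returns (value, findings); value is None when the line is missing.
    """
    m = re.search(r"Configuration register is 0x([0-9A-Fa-f]+)", show_version_output)
    if not m:
        return None, ["configuration register line not found"]
    value = int(m.group(1), 16)
    info = decode(value)
    findings = []
    if not info["uses_nvram"]:
        findings.append("startup-config is ignored at boot (bit 0x40 set)")
    if value & BOOT_FIELD_MASK < 2:
        findings.append("router will not load the complete IOS from flash")
    if value != NORMAL_BOOT:
        findings.append("register is not 0x2102: set config-register 0x2102 and write")
    return value, findings


# Constructed samples of the last lines of "show version".
SAMPLE_NORMAL = "Configuration register is 0x2102\n"
SAMPLE_AFTER_RECOVERY = "Configuration register is 0x141\n"

if __name__ == "__main__":
    print(decode(0x2102))
    print(decode(0x141))
    print(audit(SAMPLE_AFTER_RECOVERY))
```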
What is a Switch?
> Layer 2 device
> Intelligent device
> It has RAM to handle MAC information
> It maintains a MAT (MAC Address Table) in RAM
> It forwards the data with the help of the MAT
> This is a hardware-based device
> It has specialized hardware called ASICs
> Also called a multi-port bridge (a bridge is a software-based device)

How does a switch forward the data?
(Figure omitted: switch)
> It gets the data from one port
> It reads the source MAC and destination MAC from the L2 header
> Looks into the MAT, finds the outgoing port information
> Then unicasts the data to the outgoing port
> If there is no outgoing port information then it broadcasts the data
> It enters the source MAC and incoming port information in the MAT
> If the MAT already has that entry, it refreshes it
> Switch can work at full duplex or half duplex
> Switch has dedicated circuits between ports (every port has dedicated bandwidth)
> Switch can read the L2 header. It can't read the L3 header, L4 header

L2 header contains source MAC, destination MAC information
L3 header contains source IP, destination IP information
L4 header contains source port, destination port information

What is ASICS?
> Application Specific Integrated Circuits
> ASICS is specialized hardware designed for faster switching
> Switch has dedicated circuits between ports
> Every port has dedicated bandwidth
> Multiple ports can communicate at the same time
> This hardware design is called micro segmentation
(Figure omitted: ports 1-8 with dedicated circuits between them)

What is MAT?
> MAC Address Table
> MAT contains port information, associated MAC information, entry type, vlan membership
> Switch maintains the MAT in CAM (Content Addressable Memory)
> CAM is a part of the switch RAM
> If the switch is rebooted, the MAT becomes blank
> Switch automatically builds the MAT
> MAT entry expires dynamically if that port is idle for 5 minutes

Vlan    Type       MAC Address    Port
(Sample MAC address table omitted: dynamic entries with vlan, MAC address and Fa0/x port columns)
What is a collision domain?
> Collision domain is the bounded area of a collision
> It defines the area that a collision can span

What is a broadcast domain?
> Broadcast domain is the bounded area of a broadcast
> It defines the area that a broadcast can span

Device     Collision domains     Broadcast domains
Switch     No of ports           1 (No of vlans)
Router     No of ports           No of ports

Types of Cisco Switches:
> Fixed Switches
  o Fixed number of interfaces
  o No hardware upgrade
  o Cheaper
> Modular Switches
  o Number of interfaces/modules can be increased
  o Hardware upgrade is possible
  o Costlier

(Fixed Switches: figure omitted)

Cisco 3-Layer hierarchy:
Cisco switches are divided into 3 categories based on hardware capabilities
> Access Layer
> Distribution Layer
> Core Layer

Access Layer:
> Used for small organizations
> Data transfer speed is low
> Local ISPs
> 1900, 2900 series switches
> Fixed switches

Distribution Layer:
> Used for medium level organizations
> Data transfer speed is medium
> Regional ISPs, national ISPs
> 3500, 3700, 4500, 5000, 6000 series switches
> Modular switches

Core Layer:
> Used for medium level organizations
> Data transfer speed is high
> National ISPs, global ISPs
> 6500, 7000, 10000 series switches
> Modular switches

Switch Front and Rear Panels
(Figure omitted)

Switch - Ports:
> Interfaces: for data transfer
  o In switches all the ports are called interfaces
  o fa0/1, fa0/2, fa0/3, fa0/4 and so on
> Lines: for switch management
  o Physical lines: exist on the switch
    Console 0
  o Logical lines: do not exist on the switch
    vty 0 15 (also called telnet)

Port Speeds:
e0           Ethernet              10 Mbps
fa0/1        Fast Ethernet         100 Mbps
gig 0/1      Gigabit Ethernet      1 Gbps
10gig 0/1    10 Gigabit Ethernet   10 Gbps

Port Representation:
> Fixed switches have a single module, indicated with 0
> Modular switches have multiple modules, starting from 1, 2, 3 and so on
fa0/3     Fast Ethernet, module 0, port no 3
gig 2/48  Gigabit Ethernet, module 2, port no 48
- 13 ____PortNo= 48 112 @ rN Swit vvy vyvvy vyvvyy vyy vvyvv internal Components - Boot sequence NYU Power On Self Test Hardware Checkup RAM, CPU, Interfaces diagnosis Read only Memory Bootstrap loader / Mini 10S Finds the location of complete 10S Complete 10S Image May have multiple 105 Images ‘Switch operates with single 10S Eg: C2950-lanbase-mz.122-25.SEE2 Switch maintains vlan information in a separate fite called vian.dat Vlan.dat resides in Flash rnemory Non Volatile Random Access Memory Permanent configuration File name : Startup-config Switch always uses nvram configuration when booting Switch copies NVRAM into RAM Random Access Memory Temporary configuration File name = Running-config ‘Switch copies NVRAM into RAM Switch always works with RAM configuration only 114 wowie VLANs What is VLAN? Virtual Local Area Network It is a logical boundary on the switch All the ports in a vlan can communicate with each other The ports in different vians can not communicate in L2 switch Inter vlan communication is possible in L3 switch vvvvv The ports with same vlan id can communicate even though they belong to different switches v Vlan Range is 1-4005, Vian breaks the broadcast domain in the switch vy What is Default VLAN? By default a vlan exist on the switch with vlan id 1 This vlan 1 is called as default vlan or management vlan By default all the ports belong to vlan 1 in the switch Vlan 4 can’t be created or deleted Generally Vian 1 carries management information like edp, vtp What is management VLAN? > The active vlan to which ip address is assigned and operational > Management vlan carries switch management information > By default vlan 1 is management vlan vyvvy 115 What is Trunking? 
> The link between different switches that can carry the data from various vlans

Switch Port Types:
> Access Port
  o Used to connect a computer
  o Access port understands normal (untagged) Ethernet frames
  o Access port belongs to only one vlan
> Trunk Port
  o Used to connect a switch
  o Trunk port understands tagged Ethernet frames
  o Trunk port can be a member of multiple vlans
  o Trunk port minimum speed is 100 Mbps

What is Frame Tagging?
> Trunk port inserts vlan id information within the frame before sending it through the trunk link
> Trunk port removes vlan id information from the frame before sending it to the system
> Tagging vlan id information onto the original Ethernet frame is called frame tagging or frame encapsulation

Frame Tagging methods:
> Dot1q
> ISL

Differences between dot1q and ISL:
IEEE 802.1Q (dot1q) encapsulation : Open standard : Inserts a 4-byte tag within the frame : Original frame size is 1518 bytes, new frame size is 1522 bytes
ISL (Inter Switch Link) : Cisco proprietary : Encapsulates the Ethernet frame with a new 26-byte header and 4-byte trailer : Original frame size is 1518 bytes, new frame size is 1548 bytes

Dot1q frame tagging - Native VLAN:
> The vlan whose frames are not tagged on the trunk
> By default vlan 1 is the native vlan
> Native vlans must match at both ends of the trunk link, otherwise untagged frames arriving from one side are placed in a different vlan on the other side

Servers at trunk ports:
> The ports from different vlans may need to access common servers
> Servers with a trunk NIC can be connected at trunk ports
> Trunk NIC can understand tagged frames

[Figure: all the systems in vlan 10 communicate with each other; all the systems in vlan 20 communicate with each other]

What is the Operating System in Switches?
> Switch works on IOS
> IOS - Internetwork Operating System
> Switch works on a single IOS image file

Switch Configuration is Mandatory?
> Configuration is not mandatory
> Switch is a zero touch configuration device
> However the switch can be configured to create vlans, security
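The 802.1Q tagging and native-vlan behaviour described above, as an added example (not code from the original course material): it builds a maximum-size Ethernet frame, inserts the 4-byte tag the way a trunk port does on egress, strips it again on ingress, and shows the 1518 to 1522 byte growth. The MAC addresses and payload are constructed sample data; real switches do this in hardware.

```python
import struct
import zlib

ETHERTYPE_8021Q = 0x8100   # TPID that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 (same polynomial as zlib), sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload FCS(4)."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """What an 802.1Q trunk port does on egress: insert a 4-byte tag after the
    source MAC and recompute the FCS. TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    body = frame[:-4]  # drop the old FCS, it is recomputed over the tagged frame
    tci = (priority << 13) | vlan_id
    tagged = body[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + body[12:]
    return tagged + fcs(tagged)


def untag_frame(frame: bytes, native_vlan: int = 1) -> tuple:
    """What a trunk port does on ingress: return (vlan_id, untagged_frame).
    A frame that carries no tag is assigned to the trunk's native vlan."""
    body = frame[:-4]
    if fcs(body) != frame[-4:]:
        raise ValueError("bad FCS")
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_8021Q:
        return native_vlan, frame
    tci = struct.unpack("!H", body[14:16])[0]
    untagged = body[:12] + body[16:]
    return tci & 0x0FFF, untagged + fcs(untagged)


def demo() -> tuple:
    # Constructed sample: a maximum-size IPv4 frame (1500-byte payload)
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    frame = build_frame(dst, src, ETHERTYPE_IPV4, bytes(1500))
    tagged = tag_frame(frame, vlan_id=10)
    vid, restored = untag_frame(tagged)
    return len(frame), len(tagged), vid, restored == frame


if __name__ == "__main__":
    print(demo())  # (1518, 1522, 10, True)
```

Calling untag_frame on an untagged frame with native_vlan=99 returns vlan 99: that is the native-vlan mismatch case, where the two ends of a trunk silently disagree about which vlan untagged traffic belongs to.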
How to configure the switch?
> Use console 0 to configure the switch for the first time
> Connect a rollover cable between console 0 on the switch and the COM1 port on the computer/laptop

Emulation software:
> One application is required on the laptop/system to access IOS and to configure the switch. This software is called terminal emulation software
  Eg: HyperTerminal, PuTTY
> HyperTerminal is the default program in Windows XP

How to access HyperTerminal:
> Start -> Programs -> Accessories -> Communications -> HyperTerminal (or)
> Type hypertrm at the Run prompt
> Give a name for the session

Switch Modes:
> Cisco IOS has different modes
> Every mode has its own functionalities
> Cisco IOS is CLI (command line interface) based
> Commands are mode specific

Switch Modes - Prompts:
User mode : Switch>
Privilege mode : Switch#
Global configuration mode : Switch(config)#
Interface mode : Switch(config-if)#
Line mode : Switch(config-line)#
Vlan mode : Switch(config-vlan)#

Switch Modes - Functionalities - Commands

1. User mode:
Functions:
> To check the connectivity
> It has limited functionality
Commands:
telnet <ip> : to telnet into a device
ping <ip> : to check connectivity
traceroute <ip> : to trace the path
enable : to enter privilege mode

2. Privilege mode:
Functions:
> View entire configuration
> Backup & recovery
Commands:
show run : to see temporary configuration (running-config in RAM)
show start : to see permanent configuration (startup-config in NVRAM)
show int fa 0/1 : displays info about interface fa 0/1
show version : displays version
show flash : displays flash contents / IOS image
show ip int brief : displays interface ip information
reload : restarts the switch
config t : enters global configuration mode
copy run start (or) write : saves RAM contents to NVRAM
show mac-address-table : displays the MAC address table
show vlan : displays vlan information
show int trunk : displays active trunk ports
show interface : displays all interface information
show vtp status : displays vtp information

3. Global configuration mode:
Functions:
> To do entire configuration of the switch (globally)
Commands:
no logging console : turns off logging messages to the console
hostname <hostname> : changes the hostname
enable password cisco : sets the privilege mode password (stored in clear text)
enable secret cisco : sets a hashed secret password for privilege mode; when both are set, the secret is the one checked
int fa 0/1 : to interface mode
int range fa 0/5 - 8 : to interface range mode
line con 0 : to line mode (console)
line vty 0 15 : to line mode (telnet lines)
vlan 10 : to vlan mode (creates a vlan)
vtp mode server : sets vtp mode to server
vtp password <password> : sets the vtp password
vtp domain <name> : sets the vtp domain
spanning-tree mode pvst : sets the spanning-tree mode

4. Interface mode:
Functions:
> Configuration of interfaces (ports)
Commands:
ip address <ip> <mask> : configures an ip address for the vlan interface
no shutdown : activates the interface
speed 100 : sets speed to 100 Mbps
duplex full : sets duplex to full
bandwidth <kbps> : sets the bandwidth value of the port
switchport mode access : configures the switchport as an access port
switchport mode trunk : configures the switchport as a trunk port
switchport access vlan 34 : moves the port to the specified vlan
switchport trunk allowed vlan all : configures the trunk port as a member of all vlans
switchport trunk encapsulation dot1q : sets dot1q encapsulation on the trunk port
spanning-tree portfast : enables portfast on the port

5. Line mode:
Functions:
> Authentication of lines
> Configuring console 0, vty 0 15
Commands:
password <password> : configures the password for the line
login : makes the line ask for that password
logging synchronous : keeps log messages from interrupting typed input

6. Vlan mode:
Functions:
> To configure vlans
Commands:
name <name> : names the vlan
state active : activates the vlan

Switch Initial Configuration
> Switch is a zero-touch configuration device
> However, it can be configured to implement vlans, security, ip address
Steps:
1. Hostname change
2. Secure switch
3. Configure vlans
4. Configure interfaces
5. View and save
1. Hostname Change:
Switch> enable
Switch# config t
Switch(config)# hostname 2950

2. Secure Switch:
2950(config)# enable password cisco
2950(config)# enable secret ccna
2950(config)# line con 0
2950(config-line)# password cisco
2950(config-line)# login
2950(config-line)# exit
2950(config)# line vty 0 15
2950(config-line)# password cisco
2950(config-line)# login
2950(config-line)# exit
2950(config)# service password-encryption
2950(config)# exit
Note: service password-encryption only obscures line and enable passwords with the reversible type 7 scheme; enable secret is stored as a hash and takes precedence over enable password. Telnet itself carries the vty password in clear text, so on images that support SSH, restrict the vty lines with transport input ssh.

3. Configure vlans:
2950(config)# vlan 10
2950(config-vlan)# name mcse
2950(config-vlan)# state active
2950(config-vlan)# exit
2950(config)# vlan 20
2950(config-vlan)# name ccna
2950(config-vlan)# state active
2950(config-vlan)# exit
2950(config)# vlan 30
2950(config-vlan)# name linux
2950(config-vlan)# state active
2950(config-vlan)# exit

4. Configure interfaces:
Access Ports
2950(config)# interface range fa 0/1 - 8
2950(config-if-range)# switchport mode access
2950(config-if-range)# switchport access vlan 10
2950(config-if-range)# no shutdown
2950(config-if-range)# exit
2950(config)# interface range fa 0/9 - 16
2950(config-if-range)# switchport mode access
2950(config-if-range)# switchport access vlan 20
2950(config-if-range)# no shutdown
2950(config-if-range)# exit
2950(config)# interface range fa 0/17 - 24
2950(config-if-range)# switchport mode access
2950(config-if-range)# switchport access vlan 30
2950(config-if-range)# no shutdown
2950(config-if-range)# exit
Trunk Ports
2950(config)# interface gig 0/1
2950(config-if)# switchport mode trunk
2950(config-if)# switchport trunk allowed vlan all
2950(config-if)# switchport trunk encapsulation dot1q
2950(config-if)# no shutdown
2950(config-if)# exit
2950(config)# interface gig 0/2
2950(config-if)# switchport mode trunk
2950(config-if)# switchport trunk allowed vlan all
2950(config-if)# switchport trunk encapsulation dot1q
2950(config-if)# no shutdown
2950(config-if)# exit

Assigning IP address
2950(config)# interface vlan 1
2950(config-if)# ip address 192.168.6.20 255.255.255.0
2950(config-if)# no shutdown
2950(config-if)# exit
2950(config)# exit

5. View & Save:
2950# show ip int brief
2950# show run
2950# show interface
2950# show vlan
2950# show vlan brief
2950# show mac-address-table
2950# show interface trunk
2950# copy run start
2950# write

VTP
> Vlan Trunking Protocol
> In corporate networks, adding a single vlan on all switches by hand consumes time
> VTP carries vlan information from one switch to another switch
> Vlans replicate automatically between switches with VTP
> Vlan replication is bounded by the vtp domain
> All the switches that belong to the same vtp domain synchronize vlan information
> Because the vlan database synchronizes by revision number, a switch joining the domain with a higher revision number overwrites the others; set a vtp password, and use transparent mode where replication is not wanted

VTP Modes:
> Server Mode
> Client Mode
> Transparent Mode
Change the switch to one of these vtp modes as per requirement. Server is the default.
Server : vlan configuration is possible : server is master : vlan replication
Client : vlan configuration is not possible : client follows server : vlan replication
Transparent : vlan configuration is possible : transparent does not follow server : no vlan replication

VTP Modes configuration
Set VTP Domain: 2950(config)# vtp domain <name>
Set VTP Mode: 2950(config)# vtp mode <server|client|transparent>
Set VTP Password: 2950(config)# vtp password <password>
Check VTP information: 2950# show vtp status
Switch Functions
1. Builds MAT
2. Forwarding
3. Filtering
4. Loop avoidance

1. Builds MAT: Switch builds the MAC address table based on L2 header information. The switch enters the source MAC and the receiving port in the MAT.

2. Forwarding: Switch forwards the data if the source MAC and destination MAC appear at different ports in the MAC address table.
[Figure: source and destination on different ports, frame forwarded]

3. Filtering: Switch filters (drops) the data if the source MAC and destination MAC appear at the same port in the MAC address table.
[Figure: source and destination on the same port, frame filtered]

4. Loop avoidance: Switch avoids L2 loops with the help of STP (Spanning Tree Protocol).

What is a Loop in Switches?
> Loops occur if a switch has multiple paths to another switch
> This is the situation where a single frame propagates between switches multiple times, over various paths

What is a Broadcast Storm?
> If a system broadcasts data in a looped network, a single frame reaches all the systems as multiple copies over various paths
> It consumes switch processing cycles and memory
> Finally network performance comes down
> This situation is called a broadcast storm
[Figures: loops; broadcast storm]

How to avoid loops
> Ensure the switches have only one path to reach another switch
> No loops, no broadcast storm

Switches need multiple paths
> Redundancy is required between switches to avoid network outages
> Backup paths are required to achieve 100% network uptime
> At the same time loops must be avoided
> This is done dynamically by the spanning tree protocol (STP)
> STP blocks some ports automatically which are causing loops
[Figure: logical topology with blocked port]

SPANNING TREE PROTOCOL - STP

What is STP?
> Spanning Tree Protocol
> It is used to prevent loops in Layer 2 networks
> It identifies the ports which are causing loops and blocks them
> STP builds a new logical topology by blocking some ports
> If there is a problem with an operational link, STP unblocks blocked ports to provide redundant paths
> If the link comes up again, STP runs again to prevent loops
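The three MAC-table functions above (build MAT, forward, filter) plus the flooding of unknown destinations, as an added example that is not part of the original course material. The port names, MAC addresses and timestamps are constructed sample data; the 300-second aging time is the IOS default.

```python
BROADCAST = "ffff.ffff.ffff"


class Switch:
    """Layer-2 switch model: learn source MACs, forward/filter/flood, age out idle entries."""

    def __init__(self, ports, aging_seconds=300):
        self.ports = list(ports)
        self.aging = aging_seconds
        self.mat = {}  # MAC address -> (port, time last seen)

    def receive(self, in_port, src, dst, now):
        """Process one frame arriving on in_port at time `now`; returns (action, egress_ports)."""
        # entries not refreshed within the aging time are removed
        self.mat = {m: (p, t) for m, (p, t) in self.mat.items() if now - t <= self.aging}
        # 1. Build MAT: the source MAC is learned on the ingress port
        #    (a MAC that reappears on another port simply moves)
        self.mat[src] = (in_port, now)
        entry = self.mat.get(dst)
        if dst == BROADCAST or entry is None:
            # broadcast or unknown unicast: flood out every port except the ingress port
            return "flood", [p for p in self.ports if p != in_port]
        out_port = entry[0]
        if out_port == in_port:
            # 3. Filtering: source and destination sit behind the same port (hub segment)
            return "filter", []
        # 2. Forwarding: destination is known on a different port
        return "forward", [out_port]


def demo():
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    # Constructed hosts: A on Fa0/1, B on Fa0/2, C and D share a hub behind Fa0/3
    A, B, C, D = "aaaa.aaaa.0001", "bbbb.bbbb.0002", "cccc.cccc.0003", "dddd.dddd.0004"
    log = []
    log.append(sw.receive("Fa0/1", A, B, now=0))     # B unknown -> flood
    log.append(sw.receive("Fa0/2", B, A, now=1))     # A already learned -> forward to Fa0/1
    log.append(sw.receive("Fa0/3", C, D, now=2))     # D unknown -> flood
    log.append(sw.receive("Fa0/3", D, C, now=3))     # C is on the same port -> filter
    log.append(sw.receive("Fa0/2", B, A, now=400))   # A's entry aged out -> flood again
    return log


if __name__ == "__main__":
    for action, ports in demo():
        print(action, ports)
```

The last step is the one worth noticing: once an entry ages out the switch floods again, so every host on the other ports sees that frame until the destination talks and is re-learned.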
What is STA?
> Spanning Tree Algorithm
> The sequence of operations used to build the new STP logical topology

STP Port states:
Blocking (20 sec) : receives BPDUs only, no data
Listening (15 sec) : sends/receives BPDUs
Learning (15 sec) : sends/receives BPDUs, learns MACs, builds MAT
Forwarding : sends/receives BPDUs, forwards data

STP Port Cost:
10 Mbps : 100
100 Mbps : 19
1 Gbps : 4
10 Gbps : 2

STP terms:
BPDU : message that contains the switch priority and switch MAC
Root Bridge (RB) : switch with the best BPDU
Non Root Bridge (NRB) : switches other than the RB
Root Port (RP) : port on an NRB that has the best path to the RB
Designated Port (DP) : port in forwarding state
Non Designated Port (NDP) : port in blocking state (BLK)

SPANNING TREE Algorithm
1. Electing Root Bridge
2. Electing Root Port per switch
3. Electing Designated Port per segment (switch to switch)
4. Electing Non Designated Ports

1. Electing Root Bridge:
> All ports on all switches are in blocking state initially
> Every switch treats itself as Root Bridge
> Every switch sends its BPDU to the other switches
> Every switch compares a received BPDU with its own BPDU
> Finally only one switch is elected as Root Bridge
> BPDU contains switch priority and switch MAC address
> Default priority is 32768
> The switch with the lowest priority value becomes the Root Bridge
> If the priority is the same, the switch with the lowest MAC address becomes the Root Bridge
[Figure: two switches with priority 32768; the one with MAC 5555.5555.5555 is RB, the one with MAC 2222.2222.2222 would win instead, since the lower MAC wins]

2. Electing Root Port:
> A switch may have multiple paths to reach the root bridge
> The port with the best (lowest) cost path to the RB is elected as Root Port
> High speed ports have the best cost paths
> Cost is inversely proportional to speed
> Only one Root Port exists per switch
> Root Port goes to forwarding state
> If there is a tie in selecting the Root Port, it prefers the link from the switch with the best BPDU
> If there is still a tie, it looks at Port ID; the port with the lowest port id is preferred
[Figure: 100 Mbps link, cost 19]
3. Electing Designated Ports:
> The port on the segment that has the best cost path to the RB is elected as Designated Port (DP)
> Only one DP exists per segment (switch to switch link)
> DP goes to forwarding state
> All the ports on the Root Bridge are Designated Ports
> If there is a tie in selecting the Designated Port, it prefers the link from the switch with the best BPDU
> If there is still a tie, it looks at Port ID; the port with the lowest port id is preferred
[Figure: 100 Mbps link, cost 19]

4. Electing Non Designated Ports:
> A port that is neither RP nor DP becomes a Non Designated Port
> Non Designated Port goes to blocking state
> NDP is also called a Blocked port (BLK)
> These ports have the chance to become active if an operational link fails
> STP rebuilds the topology if something goes wrong with active links
> STP rebuilds the new topology by activating blocked ports

STP variants:
STP : Spanning Tree : 802.1D : Common Spanning Tree (CST)
RSTP : Rapid Spanning Tree : 802.1w : fast convergence
MSTP : Multiple Spanning Tree : 802.1s : multiple STP instances
PVST+ : Per Vlan STP : Cisco proprietary : one STP instance per vlan
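The four STA steps above carried out in code, as an added example (not part of the original course): root bridge by lowest (priority, MAC), root path costs with the 802.1D port costs, one root port per non-root switch, one designated port per segment, everything else blocked. The three-switch triangle is a constructed topology. The second scenario in the usage note lowers one switch's priority and the whole tree re-forms around it, which is exactly why access ports carry BPDU guard and uplinks root guard in practice.

```python
import heapq

# 802.1D path cost by link speed in Mbps (the course's "100 Mbps = 19")
PATH_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Constructed topology: a triangle of three switches, all 100 Mbps links
SWITCHES = {
    "SW1": {"priority": 32768, "mac": "0000.0000.1111"},
    "SW2": {"priority": 32768, "mac": "0000.0000.2222"},
    "SW3": {"priority": 32768, "mac": "0000.0000.3333"},
}
LINKS = [  # (switch A, port A, switch B, port B, speed in Mbps)
    ("SW1", "Fa0/1", "SW2", "Fa0/1", 100),
    ("SW1", "Fa0/2", "SW3", "Fa0/1", 100),
    ("SW2", "Fa0/2", "SW3", "Fa0/2", 100),
]


def bridge_id(sw):
    """Lower is better: priority first, MAC address as the tie-breaker."""
    return (sw["priority"], sw["mac"])


def port_num(port):
    return int(port.split("/")[-1])


def elect_root(switches):
    return min(switches, key=lambda name: bridge_id(switches[name]))


def root_path_costs(switches, links, root):
    """Dijkstra from the root: best path cost every switch has to the root bridge."""
    adj = {name: [] for name in switches}
    for a, pa, b, pb, mbps in links:
        adj[a].append((b, PATH_COST[mbps]))
        adj[b].append((a, PATH_COST[mbps]))
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > cost[n]:
            continue
        for nb, c in adj[n]:
            if d + c < cost.get(nb, float("inf")):
                cost[nb] = d + c
                heapq.heappush(heap, (d + c, nb))
    return cost


def spanning_tree(switches, links):
    """Returns (root, roles); roles[(switch, port)] is 'root', 'designated' or 'blocked'."""
    root = elect_root(switches)
    rpc = root_path_costs(switches, links, root)
    # Root port per non-root switch: lowest cost to root, then lowest sender bridge ID,
    # then lowest sender port number, then lowest own port number
    best = {}
    for a, pa, b, pb, mbps in links:
        c = PATH_COST[mbps]
        for me, mp, nb, np in ((a, pa, b, pb), (b, pb, a, pa)):
            if me == root:
                continue
            key = (rpc[nb] + c, bridge_id(switches[nb]), port_num(np), port_num(mp))
            if me not in best or key < best[me][0]:
                best[me] = (key, mp)
    root_port = {me: mp for me, (key, mp) in best.items()}
    roles = {}
    for a, pa, b, pb, mbps in links:
        # Designated port per segment: the end with the lowest (cost to root, bridge ID, port)
        ends = sorted([(rpc[a], bridge_id(switches[a]), port_num(pa), a),
                       (rpc[b], bridge_id(switches[b]), port_num(pb), b)])
        winner = ends[0][3]
        for me, mp in ((a, pa), (b, pb)):
            if root_port.get(me) == mp:
                roles[(me, mp)] = "root"
            elif me == winner:
                roles[(me, mp)] = "designated"
            else:
                roles[(me, mp)] = "blocked"
    return root, roles


if __name__ == "__main__":
    root, roles = spanning_tree(SWITCHES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(sw, port, role)
```

With the constructed topology SW1 is root, SW2 and SW3 reach it directly (cost 19), and on the SW2-SW3 segment the tie is broken by bridge ID, so SW2 Fa0/2 is designated and SW3 Fa0/2 is blocked. Setting SW3's priority to 4096 and re-running makes SW3 the root and moves the blocked port to SW2 Fa0/1.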
Switching Methods
1. Store & Forward
2. Cut through
3. Fragment Free (or) Modified cut through

1. Store and Forward:
> The entire frame is buffered
> Runs CRC on the complete frame before forwarding
> Latency is high
> Reliability is high
[Figure: complete data (1518 bytes) is checked before forwarding]

2. Cut through:
> The frame is forwarded as soon as the destination MAC address (first 6 bytes) has arrived
> No CRC on the frame
> Latency is low
> Reliability is low
[Figure: frame is forwarded once the destination MAC arrives, no data checking]

3. Fragment Free (Modified cut through):
> The frame is forwarded once the first 64 bytes have arrived
> CRC runs on the first 64 bytes
> Ethernet collisions do not usually occur after the first 64 bytes
> Latency is medium
> Reliability is medium
[Figure: first 64 bytes are checked before forwarding]

Differences between Switch and Bridge
Bridge : Software based : Relatively slow : No vlans : One STP per bridge : Typically up to 16 ports : Outdated device
Switch : Hardware based (ASICs) : Comparatively fast : Vlans exist : Many STP instances possible : Possibly hundreds of ports : Widely used device

Switch Password Recovery
> Power off the switch
> Power on the switch while pressing the mode button
> Switch: prompt will appear
> Type flash_init (initializes the flash)
> Type load_helper
> Type dir flash: (displays contents of flash)
> Type rename flash:config.text flash:config.old (renames the saved configuration so it is not loaded)
> Type boot (restarts the switch)
> The switch restarts without its configuration and the passwords can be reset
Note: anyone with physical console access can do this, which is why console ports and the wiring closet need physical protection.

ARP & RARP
ARP - Address Resolution Protocol
RARP - Reverse Address Resolution Protocol
> Systems communicate with the help of MAC address and IP address
> Source computer needs the destination computer's MAC address to send the data
> So the source computer broadcasts a request to all computers to learn the destination MAC address
> Only one computer (the owner of that IP) responds and sends the reply
> Source computer maintains destination IP and MAC information in an ARP table locally
> System uses the ARP table contents to communicate with destinations
> An ARP table entry expires if the communication is idle for a long time
> ARP - Address Resolution Protocol: used to find the MAC address for a known IP address
> RARP - Reverse Address Resolution Protocol: used to find the IP for a known MAC
> ARP and RARP requests are broadcast messages
> ARP and RARP replies are unicast messages
[Figure: ARP request broadcast from 192.168.6.2, unicast reply]

CDP
CDP - Cisco Discovery Protocol:
> CDP is a Cisco proprietary data link layer protocol
> CDP discovers directly connected neighbor Cisco devices
> CDP is enabled on Cisco devices by default
> Cisco devices exchange CDP messages to discover neighbors dynamically
> CDP can obtain the following information about a neighbor
  o Name of the device
  o IOS software version
  o Hardware capabilities such as routing, switching
  o Hardware platform, such as 2800 or 2960
  o Layer 3 address of the device
  o The interface on which the CDP update was generated
> CDP advertises all of this in clear text to whatever is plugged into the port, so disable it on interfaces facing untrusted networks (no cdp enable) or globally (no cdp run) where it is not needed

CDP - commands:
IOS(config)# cdp run : enable CDP globally
IOS(config)# no cdp run : disable CDP globally
IOS(config-if)# cdp enable : enable CDP on the interface
IOS# show cdp : status of CDP
IOS# show cdp interface : show CDP on an interface basis
IOS# show cdp neighbors : summary of all Cisco neighbors
IOS# show cdp neighbors detail : complete details of all Cisco neighbors
IOS# show cdp entry <name> : details of a specified neighbor
IOS# show cdp traffic : displays CDP traffic details
These commands are common for switches and routers

ACL (Access Control List)

What is ACL?
> Access Control List
> Security implementation feature
> It is used to filter the network traffic that crosses routers
> An ACL is a list of statements that allows or denies predefined traffic
> With an ACL the router works as a packet filtering firewall
> The router takes filtering decisions based on the L3 header and the L4 header
> L3 header contains source IP, destination IP, protocol number
> L4 header contains source port, destination port numbers

ACL Types:
Basically ACLs are of two types
> Standard ACL
> Extended ACL

Standard - Extended ACL differences:
Standard ACL : takes decisions based on source IP only : implemented close to the destination : ACL creation number 1-99 : works on both directions : works on all services
Extended ACL : takes decisions based on source IP, destination IP, protocol, source port, destination port : implemented close to the source : ACL creation number 100-199 : works on a single direction : can work on a single service

[Figure: example ACL lists such as "deny 172.17.0.1 / deny 172.16.0.5 / permit any" and "deny 192.168.4.0 / permit 172.17.0.0"]

ACL statement order:
> The router checks ACL statements from top to bottom to find a match
> If a match is found, the router does not check further statements
> A "deny any" statement is present as the last statement in every ACL; this is called the implicit deny. So by default a router blocks everything not explicitly permitted by an ACL
> The implicit deny can be overridden by a "permit any" statement
[Figure: list ending in "permit any" overriding the implicit "deny any"]

What is Match?
> Match is a 32 bit value that defines the scope of IP addresses
> It is the same idea as the wildcard mask
> 0 is "must match"; 1 is "ignore"
> It indicates on what range of IP addresses the action should be taken
Examples:
172.16.5.145 0.0.0.0 : 172.16.5.145 only
172.16.5.145 0.0.0.255 : 172.16.5.0 to 172.16.5.255
172.16.5.145 0.0.255.255 : 172.16.0.0 to 172.16.255.255
172.16.5.145 0.255.255.255 : 172.0.0.0 to 172.255.255.255
172.16.5.145 255.255.255.255 : all IP addresses
10.0.0.123 255.255.255.255 : all IP addresses
10.156.128.73 0.255.255.255 : 10.0.0.0 to 10.255.255.255
10.156.128.73 0.0.0.4 : 10.156.128.73 and 10.156.128.77

IP address 10.156.128.73 : 00001010.10011100.10000000.01001001
Match 0.0.0.4 : 00000000.00000000.00000000.00000100
Result 10.156.128.73 : 00001010.10011100.10000000.01001001
Result 10.156.128.77 : 00001010.10011100.10000000.01001101
In the match the 3rd bit (from the right) is "ignore", so that bit of the IP address may be 0 or 1. That results in two IP addresses.
IP addressing and binary operations knowledge is required to understand this concept.

ACL implementation
> First understand the requirement
> Identify source ip, destination ip, protocol, source port, destination port
> Select the type of ACL (Standard / Extended) to implement
> Identify the traffic flow (inbound, outbound)
> Select the router as the filtering point
> Create the ACL on the router and implement the ACL on the appropriate interface

First understand the requirement:
> First understand the need to implement the ACL
> Which traffic should be denied and which traffic should be allowed

Identify source ip, destination ip, protocol, source port, destination port:
> Identify the IP addresses from which to which the traffic should be filtered
> Identify the IP protocol to filter the traffic
  o tcp, udp, ip, eigrp, icmp, ospf
> Identify the TCP/UDP ports that should be filtered
  o http, ftp, dns, smtp, telnet

Select the type of ACL (Standard / Extended):
> Select Standard or Extended ACL, whichever is best suited for the task
> Standard ACL is a subset of Extended ACL
> Extended ACL can be implemented for all types of scenarios

Identify traffic flow (inbound, outbound):
> Inbound: the traffic entering the router
  o It filters the traffic before the packet is routed, so it does not consume router resources on packets that will be dropped
> Outbound: the traffic leaving the router
  o It filters the traffic after the packet is routed, so it consumes router resources
[Figure: inbound vs outbound on a router interface]

Select a router as the filtering point:
> There may be a number of routers in the traffic flow
> Select one of the routers as the best filtering point
> Generally a standard ACL is configured nearer to the destination and an extended ACL nearer to the source

Create the ACL on the router and implement the ACL on the appropriate interface:
> Create the ACL in global configuration mode
> Implement the ACL on one of the interfaces, in interface mode
> A maximum of two ACLs can be applied on one interface
  o One as inbound
  o Second as outbound

Standard ACL
Creation:
Router(config)# access-list <1-99> <permit|deny> <source ip> <match>
Router(config)# access-list <1-99> <permit|deny> any
Implementation:
Router(config)# interface <interface>
Router(config-if)# ip access-group <1-99> <in|out>

Extended ACL
Creation:
Router(config)# access-list <100-199> <permit|deny> <protocol> <source ip> <match> <destination ip> <match> [eq <port>]
Router(config)# access-list <100-199> <permit|deny> <protocol> any any
Implementation:
Router(config)# interface <interface>
Router(config-if)# ip access-group <100-199> <in|out>

Checking ACL:
Router# show access-list
Deleting ACL:
Router(config)# no access-list <number>

Standard ACL Examples
1. Don't allow 172.17.0.1 and 172.16.0.5 to access the Delhi network
Source ip = 172.17.0.1 and 172.16.0.5
Destination ip = 192.168.6.0 network
Standard ACL implementation, Delhi router, e 0 interface
Creation:
Delhi(config)# access-list 35 deny 172.17.0.1 0.0.0.0
Delhi(config)# access-list 35 deny 172.16.0.5 0.0.0.0
Delhi(config)# access-list 35 permit any
Implementation:
Delhi(config)# interface e 0
Delhi(config-if)# ip access-group 35 out
Delhi# show access-list 35

Standard ACL Examples
2. Don't allow 192.168.6.1, 192.168.6.2, 172.17.0.3 to access the Chennai network
Source ip = 192.168.6.1, 192.168.6.2 and 172.17.0.3
Destination ip = 172.16.0.0 network
Standard ACL implementation, Chennai router, e 0 interface
Creation:
Chen(config)# access-list 89 deny 192.168.6.1 0.0.0.0
Chen(config)# access-list 89 deny 192.168.6.2 0.0.0.0
Chen(config)# access-list 89 deny 172.17.0.3 0.0.0.0
Chen(config)# access-list 89 permit any
Implementation:
Chen(config)# interface e 0
Chen(config-if)# ip access-group 89 out
Chen# show access-list 89

Extended ACL Examples
1. Don't allow 192.168.6.4, 172.17.0.2, 172.17.0.3 to access 172.16.0.5
Source ip = 192.168.6.4, 172.17.0.2, 172.17.0.3
Destination ip = 172.16.0.5
Extended ACL implementation, Chennai router, e 0 interface
Creation:
Chen(config)# access-list 167 deny ip 192.168.6.4 0.0.0.0 172.16.0.5 0.0.0.0
Chen(config)# access-list 167 deny ip 172.17.0.2 0.0.0.0 172.16.0.5 0.0.0.0
Chen(config)# access-list 167 deny ip 172.17.0.3 0.0.0.0 172.16.0.5 0.0.0.0
Chen(config)# access-list 167 permit ip any any
Implementation:
Chen(config)# interface e 0
Chen(config-if)# ip access-group 167 out
Chen# show access-list 167
Extended ACL Examples
2. Permit 172.17.0.1, 172.17.0.5, 172.16.0.3 to access web services on 192.168.5.4 and deny web access to that server for everyone else
Source ip = 172.17.0.1, 172.17.0.5 and 172.16.0.3
Destination ip = 192.168.5.4, port 80
Extended ACL implementation, Delhi router, e 0 interface
Creation:
Delhi(config)# access-list 153 permit tcp 172.17.0.1 0.0.0.0 192.168.5.4 0.0.0.0 eq 80
Delhi(config)# access-list 153 permit tcp 172.17.0.5 0.0.0.0 192.168.5.4 0.0.0.0 eq 80
Delhi(config)# access-list 153 permit tcp 172.16.0.3 0.0.0.0 192.168.5.4 0.0.0.0 eq 80
Delhi(config)# access-list 153 deny tcp any 192.168.5.4 0.0.0.0 eq 80
Delhi(config)# access-list 153 permit ip any any
Implementation:
Delhi(config)# interface e 0
Delhi(config-if)# ip access-group 153 out
Delhi# show access-list 153
Note: the deny line matches TCP port 80 only; the final "permit ip any any" still lets every other protocol and port through to the server.

Controlling Telnet Access with ACL
Permit 192.168.5.1, 192.168.5.2 to telnet into the Delhi router
Source ip = 192.168.5.1, 192.168.5.2
Destination = Delhi vty 0 4
Standard ACL implementation, Delhi router, line vty 0 4
Creation:
Delhi(config)# access-list 67 permit 192.168.5.1 0.0.0.0
Delhi(config)# access-list 67 permit 192.168.5.2 0.0.0.0
Delhi(config)# access-list 67 deny any
Implementation:
Delhi(config)# line vty 0 4
Delhi(config-line)# access-class 67 in
Delhi# show access-list 67

Numbered ACL limitations:
> A numbered ACL's statements can't be modified once created (the list has to be removed and re-entered)
> Numbered ACLs have a limited number range for creating ACLs
> To overcome these limitations, Named ACLs were introduced

Named ACL
> Named ACLs overcome the limitations of Numbered ACLs
> Named ACLs can be modified (ACL statement order can be changed)
> Named ACLs have no number limitation (alphanumeric names are unlimited)
> Named ACL names are case sensitive

Named ACL Types:
Named ACLs are also of two types: Standard ACL and Extended ACL
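The wildcard-mask ("match") rule and the top-down, first-match, implicit-deny evaluation described in the ACL sections above, as an added example that is not part of the original course material. It parses the course's own ACL 35 and ACL 153 statements and evaluates constructed packets against them; the non-contiguous 0.0.0.4 case from the match table is enumerated explicitly. Only the access-list forms used on this page (standard source/match, extended protocol/source/destination/eq port, any, host) are parsed.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

# The course's own examples, used here as sample data
ACL_35 = [
    "access-list 35 deny 172.17.0.1 0.0.0.0",
    "access-list 35 deny 172.16.0.5 0.0.0.0",
    "access-list 35 permit any",
]
ACL_153 = [
    "access-list 153 permit tcp 172.17.0.1 0.0.0.0 192.168.5.4 0.0.0.0 eq 80",
    "access-list 153 permit tcp 172.17.0.5 0.0.0.0 192.168.5.4 0.0.0.0 eq 80",
    "access-list 153 permit tcp 172.16.0.3 0.0.0.0 192.168.5.4 0.0.0.0 eq 80",
    "access-list 153 deny tcp any 192.168.5.4 0.0.0.0 eq 80",
    "access-list 153 permit ip any any",
]


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard must match the base address; a 1 bit is ignored."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) ^ ip_int(base)) & care == 0


def wildcard_hosts(base, wildcard):
    """Enumerate every address a base/wildcard pair covers (works for non-contiguous masks)."""
    b, w = ip_int(base), ip_int(wildcard)
    free_bits = [i for i in range(32) if (w >> i) & 1]
    if len(free_bits) > 16:
        raise ValueError("too many addresses to enumerate")
    hosts = []
    for k in range(1 << len(free_bits)):
        v = b & ~w & 0xFFFFFFFF
        for j, bit in enumerate(free_bits):
            if (k >> j) & 1:
                v |= 1 << bit
        hosts.append(str(ipaddress.IPv4Address(v)))
    return hosts


def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' statement into a matching rule."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]

    def take_addr(toks):
        if toks[0] == "any":
            return ANY, toks[1:]
        if toks[0] == "host":
            return (toks[1], "0.0.0.0"), toks[2:]
        return (toks[0], toks[1]), toks[2:]

    if 1 <= number <= 99:  # standard: source address only
        src, rest = take_addr(rest)
        return {"action": action, "proto": "ip", "src": src, "dst": ANY, "dport": None}
    proto, rest = rest[0], rest[1:]  # extended: protocol, source, destination, optional eq port
    src, rest = take_addr(rest)
    dst, rest = take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl, pkt):
    """Top-down first match; returns (action, index). No match means the implicit deny."""
    for i, ace in enumerate(acl):
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
            continue
        return ace["action"], i
    return "deny", None


def packet(src, dst, proto="tcp", dport=80):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


if __name__ == "__main__":
    print(wildcard_hosts("10.156.128.73", "0.0.0.4"))
    acl = [parse_ace(l) for l in ACL_153]
    print(evaluate(acl, packet("172.17.0.2", "192.168.5.4", "udp", 80)))
```

Two things the evaluation makes visible: removing "permit any" from ACL 35 leaves only the implicit deny, so every packet is dropped; and moving "permit ip any any" to the top of ACL 153 matches first and makes the deny line unreachable, which is why statement order matters.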
> Named standard ACL has the same properties as Numbered standard ACL
> Named extended ACL has the same properties as Numbered extended ACL

Differences between Numbered & Named ACL
Numbered ACL : numbers are used (Standard: 1-99, Extended: 100-199) : can't be modified : statement order can't be changed : limited features : types: Standard, Extended
Named ACL : alphanumeric names are used (Standard: ccna, Extended: ccnp23); names are unique and case sensitive : can be modified : statement order can be changed : enhanced features : types: Standard, Extended

Standard Named ACL
Creation:
Router(config)# ip access-list standard <name>
Router(config-std-nacl)# <permit|deny> <source ip> <match>
Router(config-std-nacl)# <permit|deny> any
Implementation:
Router(config)# interface <interface>
Router(config-if)# ip access-group <name> <in|out>

Extended Named ACL
Creation:
Router(config)# ip access-list extended <name>
Router(config-ext-nacl)# <permit|deny> <protocol> <source ip> <match> <destination ip> <match> [eq <port>]
Router(config-ext-nacl)# <permit|deny> <protocol> any any
Implementation:
Router(config)# interface <interface>
Router(config-if)# ip access-group <name> <in|out>

Standard Named ACL Examples
1. Don't allow 172.17.0.1 and 172.16.0.5 to access the Delhi network
Source ip = 172.17.0.1 and 172.16.0.5
Destination ip = 192.168.6.0 network
Standard ACL implementation, Delhi router, e 0 interface
Creation:
Del(config)# ip access-list standard naga
Del(config-std-nacl)# deny 172.17.0.1 0.0.0.0
Del(config-std-nacl)# deny 172.16.0.5 0.0.0.0
Del(config-std-nacl)# permit any
Implementation:
Del(config)# interface e 0
Del(config-if)# ip access-group naga out
Del# show ip access-list

Standard Named ACL Examples
2. Don't allow 192.168.6.1, 192.168.6.2, 172.17.0.3 to access the Chennai network
Source ip = 192.168.6.1, 192.168.6.2 and 172.17.0.3
Destination ip = 172.16.0.0 network
Standard ACL implementation, Chennai router, e 0 interface
Creation:
Chen(config)# ip access-list standard naga
Chen(config-std-nacl)# deny 192.168.6.1 0.0.0.0
Chen(config-std-nacl)# deny 192.168.6.2 0.0.0.0
Chen(config-std-nacl)# deny 172.17.0.3 0.0.0.0
Chen(config-std-nacl)# permit any
Implementation:
Chen(config)# interface e 0
Chen(config-if)# ip access-group naga out
Chen# show ip access-list

Extended Named ACL Examples
1. Don't allow 192.168.6.4, 172.17.0.2, 172.17.0.3 to access 172.16.0.5
Source ip = 192.168.6.4, 172.17.0.2, 172.17.0.3
Destination ip = 172.16.0.5
Extended ACL implementation, Chennai router, e 0 interface
Creation:
Chen(config)# ip access-list extended naga
Chen(config-ext-nacl)# deny ip 192.168.6.4 0.0.0.0 172.16.0.5 0.0.0.0
Chen(config-ext-nacl)# deny ip 172.17.0.2 0.0.0.0 172.16.0.5 0.0.0.0
Chen(config-ext-nacl)# deny ip 172.17.0.3 0.0.0.0 172.16.0.5 0.0.0.0
Chen(config-ext-nacl)# permit ip any any
Implementation:
Chen(config)# interface e 0
Chen(config-if)# ip access-group naga out
Chen# show ip access-list

Extended Named ACL Examples
2. Permit 172.17.0.1, 172.17.0.5, 172.16.0.3 to access web services on 192.168.5.4
Source ip = 172.17.0.1, 172.17.0.5 and 172.16.0.3
Destination ip = 192.168.5.4, port 80
Extended ACL implementation, Delhi router, e 0 interface
Creation:
Delhi(config)# ip access-list extended naga
Delhi(config-ext-nacl)# permit tcp 172.17.0.1 0.0.0.0 192.168.5.4 0.0.0.0 eq 80
Delhi(config-ext-nacl)# permit tcp 172.17.0.5 0.0.0.0 192.168.5.4 0.0.0.0 eq 80
Delhi(config-ext-nacl)# permit tcp 172.16.0.3 0.0.0.0 192.168.5.4 0.0.0.0 eq 80
Delhi(config-ext-nacl)# deny tcp any 192.168.5.4 0.0.0.0 eq 80
Delhi(config-ext-nacl)# permit ip any any
Implementation:
Delhi(config)# interface e 0
Delhi(config-if)# ip access-group naga out
Delhi# show ip access-list

Controlling Telnet Access with Named ACL
Permit 192.168.5.1, 192.168.5.2 to telnet into the Delhi router
Source ip = 192.168.5.1, 192.168.5.2
Destination = Delhi vty 0 4
Standard ACL implementation, Delhi router, line vty 0 4
Creation:
Delhi(config)# ip access-list standard naga
Delhi(config-std-nacl)# permit 192.168.5.1 0.0.0.0
Delhi(config-std-nacl)# permit 192.168.5.2 0.0.0.0
Delhi(config-std-nacl)# deny any
Implementation:
Delhi(config)# line vty 0 4
Delhi(config-line)# access-class naga in
Delhi# show ip access-list

WAN TECHNOLOGIES

What is WAN?
> Wide Area Network
> Communication between LANs which are in distant areas, like different cities, different countries
> The service provider network is the transit area in a WAN
> The customer needs to pay money to the service provider
> The amount depends on the speed of the WAN link
[Figure: HYD LAN connected to DELHI LAN over a service provider network]

WAN Technologies - Types
> Leased lines
> Circuit Switching
> Packet Switching

Leased lines
> A pre-established, private connection from one site to another through a provider's network
> Also called a dedicated circuit or a dedicated connection
> Always a point-to-point connection between two end points
> Used when there is a constant flow of data, or when a dedicated amount of bandwidth is required
> A leased line is a reliable, secured, always up, dedicated connection
> Billing is done on a 24/7 basis
> One router interface is connected to one destination site
> PPP and HDLC are used as WAN protocols
[Figure: branch sites connected by leased lines through the telecom company]

WAN terms:
Telco: telecommunication company; the service provider network
Customer Premises Equipment (CPE):
> Network devices physically located at the customer site
> The customer is typically required to maintain the equipment
> Equipment includes router, CSU/DSU, modems

Local loop:
> The link from the Telco to the customer location
> Also called the "last mile"
> Normally the distance is 5-10 kilometers

Demarcation Point:
> The line between the customer site and the provider network
> Inside the Demarc is the CPE
> Outside the Demarc is the local loop
(Diagram: Branch 2 connected over a leased line through the telecom company)

HDLC & PPP
HDLC and PPP are WAN link encapsulation protocols (LLC)

HDLC:
> High Level Data Link Control
> Cisco proprietary protocol
> Doesn't support authentication
> No data compression

HDLC configuration:
Router(config)# interface s 0
Router(config-if)# encapsulation hdlc

PPP:
> Point to Point Protocol
> Open standard
> Supports authentication
> Data compression
> PPP has three main components
  - Frame format (encapsulation)
  - Link Control Protocol (LCP)
  - Network Control Protocol (NCP)
> LCP and NCP are responsible for establishing, configuring, authenticating and testing the PPP connection

PPP configuration:
Router(config)# interface s 0
Router(config-if)# encapsulation ppp

PPP Authentication
PPP uses two methods to support authentication: PAP and CHAP
PAP - Password Authentication Protocol
CHAP - Challenge Handshake Authentication Protocol

PAP - Password Authentication Protocol
> Simplest but less secure
> Two way handshake process
> Source sends its username and password in clear text to the destination
> Destination compares the username and password with its database
> If it is correct then it sends an accept message, otherwise it sends a reject message
(Diagram: PAP exchange between Bang and Chennai)

PAP server configuration:
Chennai(config)# username <bang> password <12345>
Chennai(config)# int s 0
Chennai(config-if)# encapsulation ppp
Chennai(config-if)# ppp authentication pap

PAP client configuration:
Bang(config)# interface s 1
Bang(config-if)# encapsulation ppp
Bang(config-if)# ppp pap sent-username <bang> password <12345>

CHAP - Challenge Handshake Authentication Protocol
> Three way handshake process and more secure than PAP
> Source sends its username to the destination
> Destination looks up the username/password in its database, generates a challenge value using MD5 and sends that value to the source
> Source uses that challenge to generate a hash value and sends it to the destination
> Destination verifies that hash value and sends an accept or reject message
> The password is never sent on the link, which provides security
(Diagram: CHAP exchange between Bang and Chennai: challenge, hashed response, accept/reject)

CHAP server configuration:
Chennai(config)# username <bang> password <12345>
Chennai(config)# int s 0
Chennai(config-if)# encapsulation ppp
Chennai(config-if)# ppp authentication chap

CHAP client configuration:
Bang(config)# username <chennai> password <12345>
Bang(config)# interface s 1
Bang(config-if)# encapsulation ppp
Bang(config-if)# ppp authentication chap
Bang# debug ppp authentication
(The client needs a username entry for the peer's hostname with the same password, because the CHAP response is computed from the secret stored for the peer that sent the challenge.)

Circuit Switching
> A dial-up connection through a provider's voice-grade network
> Either uses an analog modem or an ISDN connection
> Used when only a slow-speed connection is needed, or when there is not much of a need to transfer a lot of data
> One call establishes a circuit to one destination site
> Establishes logical circuits between source and destination (circuit switching)
> PPP, HDLC, SLIP are the protocols used in circuit switching

ISDN
> Integrated Services Digital Network
> Guaranteed bandwidth
> Digital network (error prone)
> Faster connectivity (2 sec)
> Multiple services are processed simultaneously
> Economical
> Suitable for networks that require a slow-speed connection
> Billing is done based on usage

ISDN channels: ISDN contains two channels
> B-Channel - Bearer channel: carries the data
> D-Channel - Control channel: carries control information / signaling
(Diagram: B channel and D channel)

ISDN interfaces:
> BRI - Basic Rate Interface
> PRI - Primary Rate Interface

BRI bandwidth:
B-channel = 64 kbps
D-channel = 16 kbps
Bandwidth = 2B + 1D = 128 + 16 = 144 kbps

PRI bandwidth:
B-channel = 64 kbps
D-channel = 64 kbps
PRI has two standards globally:
> 23B + 1D: 23 x 64 + 64 kbps, 1.544 Mbps. Called a T1 link. The U.S. follows this standard.
> 30B + 1D: 30 x 64 + 64 kbps, 2.048 Mbps. Called an E1 link. India follows this standard.

Packet Switching - Frame-relay
> Contains all the features of leased lines and ISDN
> VCs reduce the required number of leased lines significantly
> PVC & SVC offer flexibility
> Very economical
> Billing can be done on any basis
> Bandwidth may boost (free)
> Suitable for all scenarios
> Availability is an issue
> No frame-relay technology in India
(Diagram: leased lines compared with frame-relay)

Frame-relay terms:
FRS - Frame Relay Switch
VC - Virtual Circuit (a logical circuit established between FRSs)
PVC - Permanent Virtual Circuit
SVC - Switched/semi Virtual Circuit
DLCI - Data Link Connection Identifier (tag attached to a VC for identification)
CIR - Committed Information Rate (bandwidth committed by the service provider)
LMI - Local Management Interface (keepalive messages)
FECN - Forward Explicit Congestion Notification
BECN - Backward Explicit Congestion Notification
BE - Burst Excessive (boosting bandwidth)

FRS: The switch used at the service provider end in a frame-relay network
VC: Logical connection between two frame relay switches
Permanent Virtual Circuit (PVC): The VC that is always available. Similar to a dedicated line
Switched Virtual Circuit (SVC): The VC that is established when needed. Similar to ISDN
DLCI: It is the identification for a VC. Range is 16-1007. It is a local reference to one end of the VC. The DLCI numbers are assigned by the frame relay service providers.
CIR: The bandwidth committed by the service provider. The maximum allowed bandwidth through the PVC from one end to the other. Each PVC can have a unique CIR.
LMI: Signal that checks the keepalive status: DTE to DCE. Signaling between the router and the frame relay switch. LMI does not travel across the entire PVC from one end to the other.
LMI types: q933a, cisco, ansi
FECN: Forward explicit congestion notification. Message from the FRS to the source if congestion occurs between the FRS and the destination
BECN: Backward explicit congestion notification. Message from the FRS to the destination if congestion occurs between the FRS and the source
BE: Frame-relay boosts the bandwidth of the VC if the network is free.

Frame-relay configuration
(Diagram: 172.17.0.100 - Bang (DLCI 100) - FRAME-RELAY switch - (DLCI 200) Hyd - 192.168.6.100)

End point 1 configuration:
Bang(config)# int s 1
Bang(config-if)# ip address 20.0.0.2 255.0.0.0
Bang(config-if)# no shutdown
Bang(config-if)# encapsulation frame-relay
Bang(config-if)# frame-relay interface-dlci 100
Bang(config-if)# frame-relay lmi-type cisco
Bang(config-if)# exit
Bang(config)# router eigrp 10
Bang(config-router)# network 20.0.0.0
Bang(config-router)# network 172.17.0.0
Bang(config-router)# end

End point 2 configuration:
Hyd(config)# int s 1
Hyd(config-if)# ip address 20.0.0.1 255.0.0.0
Hyd(config-if)# no shutdown
Hyd(config-if)# encapsulation frame-relay
Hyd(config-if)# frame-relay interface-dlci 200
Hyd(config-if)# frame-relay lmi-type cisco
Hyd(config-if)# exit
Hyd(config)# router eigrp 10
Hyd(config-router)# network 20.0.0.0
Hyd(config-router)# network 192.168.6.0
Hyd(config-router)# end

FRS configuration:
Chen(config)# frame-relay switching
Chen(config)# int s 0
Chen(config-if)# no ip address
Chen(config-if)# no shutdown
Chen(config-if)# encapsulation frame-relay
Chen(config-if)# clock rate 64000
Chen(config-if)# bandwidth 64
Chen(config-if)# frame-relay intf-type dce
Chen(config-if)# frame-relay route 100 interface serial 1 200
Chen(config-if)# exit
Chen(config)# int s 1
Chen(config-if)# no ip address
Chen(config-if)# no shutdown
Chen(config-if)# encapsulation frame-relay
Chen(config-if)# clock rate 64000
Chen(config-if)# bandwidth 64
Chen(config-if)# frame-relay intf-type dce
Chen(config-if)# frame-relay route 200 interface serial 0 100
Chen(config-if)# exit
For practice, a router is configured as the FRS.
In a real-time scenario the FRS is a different device.

NAT

What is NAT?
> Network Address Translation
> All the Local Area Networks use the private IP addressing scheme
> Private IP addresses are not routable in the public network
> To access the public network a public IP address is required
> Systems within the LAN communicate with private IP addresses
> These private IP addresses need to be translated into public IP addresses while accessing the public network (internet)
> When the reply comes back, public IP addresses are translated back to private IP addresses before forwarding the data to the system
> Private to public and public to private IP translation is called NAT
> Generally NAT operations are taken care of by the router
(Diagram: NAT operations between the private network and the public network)

NAT terms:
Inside local - An inside device with an assigned private IP address
Inside global - An inside device with a mapped public IP address
Outside local - An outside device with an assigned private IP address
Outside global - An outside device with a mapped public IP address

(Diagram: on the inside network 10.0.0.1 is mapped to 1.1.1.1; on the outside network 192.168.6.1 is mapped to 2.2.2.2)
Inside local: 10.0.0.1
Inside global: 1.1.1.1
Outside local: 192.168.6.1
Outside global: 2.2.2.2
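The translation table described above, including the overload (PAT) behaviour that the notes cover further down, as an added Python model that is not part of the course notes or of Cisco IOS. It uses the page's terms (inside local, inside global, outside global); all addresses and ports are constructed sample values, and the rule for choosing a replacement port is a simplification of what IOS does.

```python
"""Model of the NAT / PAT translation table described in this section.

Added example (not from the course notes or Cisco IOS).  Static NAT maps one
inside local address to one inside global address.  Overload (PAT) maps every
other inside local address to a single inside global address and relies on
the source port to keep the translations apart; when two inside hosts use the
same source port the router re-numbers the second one and remembers the
mapping so the reply can be translated back.  IOS picks the replacement port
itself; here the next unused port is taken, a simplification.  All addresses
and ports below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, inside_global: str, static: Optional[Dict[str, str]] = None):
        self.inside_global = inside_global        # the one public address used for PAT
        self.static = dict(static or {})          # inside local -> inside global, one to one
        # PAT table: (inside global, translated port) -> (inside local, original port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # reverse index so packets of an existing flow reuse their entry
        self.reverse: Dict[Tuple[str, int], int] = {}
        self.next_port = 1024

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source address (and the port, for PAT)."""
        if pkt.src_ip in self.static:
            return Packet(self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        flow = (pkt.src_ip, pkt.src_port)
        if flow not in self.reverse:
            port = self._free_port(pkt.src_port)
            self.table[(self.inside_global, port)] = flow
            self.reverse[flow] = port
        return Packet(self.inside_global, self.reverse[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: map the inside global address back to the inside local one.
        Returns None when no translation exists, i.e. the router has nowhere to send it."""
        for local, public in self.static.items():
            if pkt.dst_ip == public:
                return Packet(pkt.src_ip, pkt.src_port, local, pkt.dst_port)
        entry = self.table.get((pkt.dst_ip, pkt.dst_port))
        if entry is None:
            return None
        local_ip, local_port = entry
        return Packet(pkt.src_ip, pkt.src_port, local_ip, local_port)

    def _free_port(self, wanted: int) -> int:
        """Keep the host's own source port unless another inside host already holds it."""
        if (self.inside_global, wanted) not in self.table:
            return wanted
        while (self.inside_global, self.next_port) in self.table:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port


def demo() -> Dict[str, object]:
    """Walk three PAT hosts and one statically mapped server through the router.
    203.0.113.10 stands for an outside global host (constructed value)."""
    nat = NatRouter(inside_global="1.1.1.1", static={"10.0.0.5": "1.1.1.5"})
    h1 = nat.outbound(Packet("10.0.0.1", 49152, "203.0.113.10", 80))
    h2 = nat.outbound(Packet("10.0.0.2", 50123, "203.0.113.10", 80))
    h18 = nat.outbound(Packet("10.0.0.18", 50123, "203.0.113.10", 443))  # same port as 10.0.0.2
    srv = nat.outbound(Packet("10.0.0.5", 8080, "203.0.113.10", 80))      # static entry
    reply = nat.inbound(Packet("203.0.113.10", 443, h18.src_ip, h18.src_port))
    stray = nat.inbound(Packet("203.0.113.10", 80, "1.1.1.1", 40000))    # never translated out
    return {
        "host1": (h1.src_ip, h1.src_port),
        "host2": (h2.src_ip, h2.src_port),
        "host18": (h18.src_ip, h18.src_port),
        "server": (srv.src_ip, srv.src_port),
        "reply_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "stray": stray,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```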
Types of NAT:
> NAT is basically of two types
  - Static NAT
  - Dynamic NAT

Static NAT:
> In static NAT one private IP address is mapped to one public IP address
> Also called 1 to 1 NAT
> It is not possible to map every private IP to a public IP
> Generally static NAT is used for public servers
(Diagram - STATIC NAT: 10.0.0.1 -> 1.1.1.1, 10.0.0.2 -> 1.1.1.2, 10.0.0.145 -> 1.1.1.3, 10.0.1.36 -> 1.1.1.4, and further hosts up to 1.1.1.6)

Dynamic NAT:
> In dynamic NAT a group of private IP addresses is mapped to a pool of public IP addresses
> NAT happens dynamically on a first come first served basis
> An access-list is created to specify the group of private IP addresses
> A pool is created with the public IP addresses
> The access-list is mapped to the pool
(Diagram - DYNAMIC NAT: 10.0.0.1, 10.0.0.2, 10.0.0.145, 10.0.1.36, 10.0.0.18, 10.0.2.56 mapped to the pool)

What is PAT?
> Port Address Translation
> Overloading of NAT is called PAT
> With PAT multiple systems can access the public network with a single public IP address
> In PAT all the private IP addresses are translated to a single public IP address
> The router uses the source port number as a reference to avoid ambiguity in translations
> If the source port is also the same, it translates that port to a random value and memorizes the mapping in its cache
> When the reply comes back, the public IP address is translated to the private IP address using the source port as reference
> Translated port numbers are changed back to the original value
(Diagram - PAT table: inside hosts 10.0.0.1, 10.0.0.2, 10.0.0.145, 10.0.1.36 and 10.0.0.18 with source ports such as 49152, 50123, 58896 and 49156 are all translated to 1.1.1.1; the source port is kept as the reference and re-numbered only where two hosts use the same port)

Static NAT configuration

Syntax:
IP address mapping:
Router(config)# ip nat inside source static <private ip> <public ip>
Apply NAT on the interfaces:
Router(config)# interface <interface>
Router(config-if)# ip nat inside | outside

Example: NAT 192.168.1.1 to 200.200.200.1
(Diagram: inside hosts 192.168.1.1 ... 192.168.1.12, NAT in the router)

Configuration:
IP address mapping:
Router(config)# ip nat inside source static 192.168.1.1 200.200.200.1
Apply NAT on the interfaces:
Router(config)# interface e 0
Router(config-if)# ip nat inside
Router(config)# interface s 0
Router(config-if)# ip nat outside
Checking NAT results:
Router# show ip nat translations
Router# show ip nat statistics

Dynamic NAT configuration

Syntax:
Create ACL:
Router(config)# access-list <1-99> permit <ip> <wildcard>
Create NAT pool:
Router(config)# ip nat pool <name> <start ip> <end ip> netmask <mask>
Map ACL to NAT pool:
Router(config)# ip nat inside source list <1-99> pool <name>
Apply NAT on the interfaces:
Router(config)# interface <interface>
Router(config-if)# ip nat inside | outside

Example: NAT 192.168.1.10, 192.168.1.11, 192.168.1.12 to a public IP pool dynamically
(Diagram: inside hosts 192.168.1.10 - 192.168.1.12; public IP pool 200.200.200.1 to 200.200.200.6; NAT in the router)

Configuration:
Create ACL:
Router(config)# access-list 73 permit 192.168.1.10 0.0.0.0
Router(config)# access-list 73 permit 192.168.1.11 0.0.0.0
Router(config)# access-list 73 permit 192.168.1.12 0.0.0.0
Create NAT pool:
Router(config)# ip nat pool naga 200.200.200.1 200.200.200.6 netmask 255.255.255.240
Map ACL to NAT pool:
Router(config)# ip nat inside source list 73 pool naga
Apply NAT on the interfaces:
Router(config)# interface e 0
Router(config-if)# ip nat inside
Router(config)# interface s 0
Router(config-if)# ip nat outside

PAT configuration
PAT is dynamic NAT with a single public IP in the pool

Syntax:
Create ACL:
Router(config)# access-list <1-99> permit <ip> <wildcard>
Create NAT pool:
Router(config)# ip nat pool <name> <public ip> <public ip> netmask <mask>
Map ACL to NAT pool:
Router(config)# ip nat inside source list <1-99> pool <name> overload
Apply NAT on the interfaces:
Router(config)# interface <interface>
Router(config-if)# ip nat inside | outside

Example: PAT 192.168.1.10, 192.168.1.11, 192.168.1.12 to public IP 200.200.200.1
(Diagram: inside hosts 192.168.1.10 - 192.168.1.12; NAT in the router)

Configuration:
Create ACL:
Router(config)# access-list 19 permit 192.168.1.10 0.0.0.0
Router(config)# access-list 19 permit 192.168.1.11 0.0.0.0
Router(config)# access-list 19 permit 192.168.1.12 0.0.0.0
Create NAT pool:
Router(config)# ip nat pool naga 200.200.200.1 200.200.200.1 netmask 255.255.255.252
Map ACL to NAT pool:
Router(config)# ip nat inside source list 19 pool naga overload
Apply NAT on the interfaces:
Router(config)# interface e 0
Router(config-if)# ip nat inside
Router(config)# interface s 0
Router(config-if)# ip nat outside

SDM (Security Device Manager)

What is SDM?
> Generally the CLI is used to manage IOS devices
> Cisco also supports a GUI as an alternative management method
> SDM - Security Device Manager is one GUI product to manage IOS devices
> SDM is a web-based application, implemented with Java
> SDM can manage the basic administration and security features
> SDM is installed in the router's flash memory and is remotely accessed from an administrator's desktop using a web browser with Java & SSL (Secure Socket Layer)
> Cisco started supporting SDM in the routers released after June 2003
> Routers manufactured before June 2003 do not support SDM

PC requirements to use SDM:
> Microsoft XP / Vista / 2003 / 2000 Professional
> Firefox 1.0.6 and later / Internet Explorer 5.5 and later / Netscape 7.1, 7.2, 9.0
> JRE (Java Runtime Environment) 1.4.2 (08) minimum
> Screen resolution 1024 x 768 as a minimum

SDM files in router flash:
> SDM is not supported on all IOS routers
> An IOS router that supports SDM includes the following files in flash memory:
  - common.tar
  - es.tar
  - home.shtml
  - home.tar
  - sdmconfig-xxx.cfg
  - sdm.tar
  - xxx.sdf
  - securedesktop-ios-xxx-k9.pkg
  - sslclient-win-xxx.pkg
  - wlanui.tar
  (Use the show flash or dir commands in privilege mode to view these files)

Necessary router configuration to access SDM:
Router(config)# hostname <name>
Router(config)# ip domain-name <domain>
Router(config)# ip http server
Router(config)# ip http secure-server
Router(config)# ip http authentication local
Router(config)# username <name> privilege 15 secret <password>
Router(config)# ip http timeout-policy idle <seconds> life <seconds> requests <number>
Router(config)# line vty 0 15
Router(config-line)# privilege level 15
Router(config-line)# login local
Router(config-line)# transport input ssh

Accessing SDM
Type https://<router ip> in the web browser to access SDM
> 10.10.10.1 is the default IP (https://10.10.10.1)

SDM Home Screen:
Home: Displays the home page - a summary of the router configuration
Configure: To change the configuration of the router
Monitor: Information about the router such as logging and interface statistics
Refresh: Refresh configuration (pulls the running configuration into SDM)
Save: Saves the configuration into NVRAM
Search: Quick search to find a screen. Displays hyperlinks for the results.
Help: Help on how to use SDM to configure the router

SDM Configure Screen - tasks:
Interfaces and connections - Configuration of interfaces and their status
Firewall and ACL - Configure firewall policies and access control lists
VPN - Virtual Private Network configuration. Create, edit, view IPsec site-to-site, remote access and SSL VPN
Security Audit - Router security auditing. Recommendation of which security features should be enabled and disabled.
Routing - Static and dynamic routing configuration
NAT - Configure Network Address Translation
Intrusion Prevention - Configure policies to look for network and host attacks
Quality of Service - QoS prioritizes the important traffic
NAC - Defining the Network Access Control server
Additional Tasks - DHCP settings, user account management, telnet access control, setting up SSH and other management functions

Router monitoring using SDM - Monitor screen:
Overview - Displays an overview of the operation of the router, interface status
Interface status - Displays interface status with real time graphs such as bandwidth
Firewall status - Displays log messages of matches on ACL statements
VPN status - Displays the status of VPN tunnels terminated on the router
Traffic status - Displays traffic statistics if NBAR is enabled (NBAR - Network Based Application Recognition)
NAC status - Displays information about the interaction with the NAC policy server
Logging - Displays log messages stored in the router's RAM
IPS status - Displays the IPS alerts from attacks

IPv6

What is IPv6?
> Internet Protocol version 6 (also called IPng - IP next generation)
> The IPv4 addressing scheme has 4294967296 IP addresses
> IPv4 addresses are not enough for the future with the evolution of the Internet
> IPv6 is introduced as IPv4 addresses are being saturated
> IPv6 is 128 bit, hexadecimal notation

Differences between IPv4 and IPv6
Internet Protocol version 4 | Internet Protocol version 6
32 bit value | 128 bit value
4294967296 IP addresses | 3.4 x 10^38 IP addresses
Dotted decimal notation, e.g. 192.168.6.1 | Hexadecimal notation (string notation), e.g. 2000:58ab:0000:0000:12cd:0011:8901:13f0
Uses unicast, multicast, broadcast | Uses unicast, multicast, anycast
Classified into A B C D E classes | No classification

IPv6 Features:
Very large address space: IPv6 has 3.4 x 10^38 IP addresses. With IPv6 every device in every house can have an IP address
Security: IPSec is built into IPv6.
Two devices can dynamically negotiate security parameters and build a secure tunnel between them with no user intervention
Mobility: With the growth of mobile devices, such as PDAs and smart phones, devices can roam between wireless networks without breaking their connectivity
Streamlined encapsulation: IPv6 encapsulation is simpler than IPv4, providing faster forwarding rates by routers and better routing efficiency. No checksum is included in the IPv6 header
Transition capabilities: Various solutions exist to allow IPv4 and IPv6 to successfully coexist when migrating between the two.

IPv6 addressing scheme:

First IPv6 address:
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000:0000:0000:0000:0000:0000:0000:0000

Last IPv6 address:
1111 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111
1111 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111
FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

IPv6 addressing scheme - simplification:
> A leading zero in a set of numbers can be omitted.
> Successive fields of zeroes are replaced with :: but only once
> If :: is used more than once, it leads to confusion in identifying the sets of zeroes
  (0000:0000:0000:0000:0000:0000:0000:0000 becomes ::)

Types of IPv6 Addresses
> Unicast
  - One to one interface (same as IPv4)
> Multicast
  - One to a group of devices (same as IPv4)
> Anycast
  - One to the nearest interface, where many interfaces can share the same address
No broadcast exists in IPv6
:: is the unspecified address, that is 0000:0000:0000:0000:0000:0000:0000:0000
::1 is the loopback address, that is 0000:0000:0000:0000:0000:0000:0000:0001

Unicast:
> One to one interface communication
Private IPv6 addresses (FE80::/10): IP addresses used for devices that don't need to access a public network
Two kinds of private addresses:
  - Site-local: FEC:: through FEF:: (locally specific in the LAN)
  - Link-local: FE8:: through FEB:: (locally specific on the link)
Global/Public IPv6 addresses (2000::/3): IP addresses used for devices that need to access a public network
IANA has currently assigned only 2000::/3 addresses to the global pool, which is about 1/6th of the available IPv6 addresses

Multicast:
> One to group of devices communication
> FF::/8 is the address range
> The first 8 bits are set to FF
> The next 4 bits are the lifetime of the address: 0 is permanent and 1 is temporary
> The next 4 bits indicate the scope of the multicast address (e.g. 1 is for a node, 2 is for a link, 5 is for the site, 8 is for the organization, and E is global, the internet)
> For example FF02::/16 is a permanent link address; an address with lifetime 1 and scope 5 is a temporary address for a site

Anycast:
> One to the nearest interface
> An anycast address identifies one or more interfaces
> Anycast is a hybrid of unicast and multicast addressing
> A packet is sent to any one member of a group of devices that are configured with the anycast address
> By default packets sent to an anycast address are forwarded to the closest interface
> An anycast address is also known as a one-to-the-nearest address
> Anycast addresses are allocated from the global pool of unicast addresses in IPv6
> It is difficult to distinguish between unicast and anycast as they use a common address space
> Don't assign anycast addresses to hosts
> Anycast addresses can be assigned to routers
> Don't put an anycast address in the source of a packet - only the destination
> Anycast addresses and their uses are still in their infancy and some known problems can occur when using them

IPv6 Address structure - Assignment
> IANA has assigned only 2000::/3 addresses to the global pool. Of these addresses, only 2001::/16 are assigned to the various Internet address registries
> Global unicast addresses are made up of two components
  - Subnet ID (64 bits)
  - Interface ID (EUI-64, 64 bits)
> The Subnet ID contains:
  - The registry (which is responsible for assigning it, such as IANA)
  - The ISP prefix (which ISP is associated with the address)
  - The site prefix (which company is associated with the address)
  - The subnet prefix (subnets within the site)

EUI-64:
> Extended Unique Identifier 64 (EUI-64)
> Ways to assign an address:
  - Static IP (specify all 128 bits manually)
  - Dynamic IP (through a DHCP server)
  - EUI-64 (stateless autoconfiguration)
> IPv6 is auto configurable with EUI-64 as the interface ID
> EUI-64 is obtained by inserting FFFE in the middle of the MAC address of the system to fill 64 bits

Routers with IPv6
Enable IPv6 routing:
Router(config)# ipv6 unicast-routing
Assigning an IPv6 address to an interface:
Router(config)# interface fa 0/1
Router(config-if)# ipv6 address 2001:1cc1:dddd::/64 eui-64

Routing protocols for IPv6:
> RIPng (RIP new generation)
> OSPFv3
> EIGRP for IPv6

IPv4 to IPv6 transitions:
> Dual stacking
> Manual IPv6-over-IPv4 (6to4) tunneling
> Dynamic 6to4 tunneling
> Intra-Site Automatic Tunnel Addressing Protocol tunneling (ISATAP)
> Teredo tunneling
> NAT Proxying and Translation (NAT-PT)

WIRELESS

What is a Wireless Network?
> A network that uses RF (Radio Frequency) technology to communicate between systems, with air as the media
> No cables are required (or) little cabling
> Mobility is possible within a specified area

Wired Network | Wireless Network
Cables are required | Cables are not required
Copper / fiber as the media | Air as the media
Electrical signal transmission | Radio wave transmission
No user mobility | User mobility
Full / half duplex | Half duplex
Switch is the centralized device | Access Point (AP) is the centralized device
IEEE 802.2, 802.3 standards | IEEE 802.11, 802.16 standards
Secured networks | Comparatively low security
Signal distortions are low | Signal distortions are high
(Diagram: wireless clients connected through an ACCESS POINT)

Wireless Technologies:
Basically wireless technologies are of 3 types
1. Narrow band
  - Used in WLAN
  - Limited to a small area, such as a small campus
  - Typically requires a license and operates at a low data rate
  - Only one frequency is used for transmission
  - 900 MHz, 2.4 GHz or 5 GHz
2. Broad band
  - For broader coverage
  - Typically nationwide coverage (Wireless WAN - VSAT)
  - Provides lower data rates than narrowband solutions
  - Personal Communication Services (PCS)
3. Circuit and packet data solutions
  - Based on cellular technologies
  - Provides a lower data rate than narrowband and broadband
  - Cellular phone, 3G implementation
Narrow band wireless technology is used in Wireless LAN

Access Point
> The Access Point is the centralized device
> It is responsible for maintaining the WLAN (Wireless LAN)
> If two systems want to communicate, they must exchange the data through the Access Point
> The Access Point is analogous to a hub (serves a function similar to a hub)

SSID: Service Set Identifier
> Generally the SSID is the MAC address of the AP's wireless card
> The SSID is set in the Access Point & the AP allows only the clients configured with the same SSID
> The SSID is used to group the devices
> Systems that share the same SSID form a group and communicate with each other
> The SSID is similar to a VLAN in switching
> The AP periodically broadcasts signals announcing its SSID to allow new clients

WLAN operations:
> Every client must have a wireless NIC. A client can detect the nearest AP dynamically
> Clients may need to be authenticated to join the wireless network
> The Access Point can transmit or receive data from only one client at a time
> Half duplex communication
> WLAN uses the CSMA/CA mechanism to avoid collisions
  - CSMA/CA: Carrier Sense Multiple Access - Collision Avoidance
  - A device uses RTS (ready to send) and CTS (clear to send) signals to avoid collisions
> Security is low. Anybody with a compatible device can sniff the airwaves and may disturb the communication

Factors that influence WLAN transmission:
> Absorption
  - Walls, ceilings, floors absorb RF waves causing signal loss
> Scattering
  - Rough plaster on walls, carpet on the floor disperse the RF waves causing signal loss
> Reflection
  - Metal, glass objects reflect RF waves causing signal loss

WLAN Standards
> Standards organizations are primarily responsible for implementing WLANs
  - IEEE - Institute of Electrical and Electronic Engineers
  - Wi-Fi Alliance
> WLAN uses IEEE 802.11 standards
> The IEEE 802.11 standard uses the unlicensed frequencies 2.4 GHz, 5 GHz
> 4 basic standards are currently in use: 802.11a, 802.11b, 802.11g, and 802.11n

IEEE 802.11 standards:
                           802.11a     802.11b       802.11g        802.11n
Max data rate              54 Mbps     11 Mbps       54 Mbps        248 Mbps
Typical throughput         23 Mbps     4.3 Mbps      19 Mbps        74 Mbps
Frequency                  5 GHz       2.4 GHz       2.4 GHz        2.4 and/or 5 GHz
Compatibility              None        With 802.11g  With 802.11b   802.11a, b, g
Range indoor-outdoor (m)   35-120      38-140        38-140         70-250
Non-overlapping channels   Up to 23    3             3
Modulation                 OFDM        DSSS          DSSS/OFDM      MIMO
OFDM - Orthogonal Frequency Division Multiplexing
DSSS - Direct Sequence Spread Spectrum
MIMO - Multiple Input Multiple Output

WLAN Authentication
IEEE 802.11 defines only two authentication methods for the AP to authenticate clients
> Open Authentication (no security)
  - Exchanging four hello packets that contain no verification
> Shared key Authentication
  - A static encryption key is used with the Wireless Encryption Protocol

WLAN Security Solutions
A WLAN security solution should provide encryption, authentication and intrusion prevention
> WEP - Wireless Encryption Protocol (1997): static keys, breakable; authentication with pre-shared keys
> 802.1x EAP - Extensible Authentication Protocol (LEAP - Lightweight EAP, PEAP - Protected EAP): dynamic keys, per packet; authentication with usernames, passwords, certificates
> WPA - Wi-Fi Protected Access (2003): 802.1x with EAP authentication and WEP/TKIP for encryption; dynamic keys, per packet; authentication with usernames, passwords, certificates, pre-shared keys
> WPA2 / 802.11i - Wi-Fi Protected Access: 802.1x with EAP authentication and AES encryption; dynamic keys; authentication with usernames, passwords, certificates, pre-shared keys
WLAN Implementation
Two IEEE 802.11 access modes can be used in a WLAN
> Ad hoc mode
  - It is based on the Independent Basic Service Set (IBSS)
  - A client can set up connections directly to other systems without an AP
  - Peer to peer connectivity
> Infrastructure mode
  - It is based on the BSS (Basic Service Set) and ESS (Extended Service Set)
  - A client can set up connections to other systems through an intermediate AP
  - WLAN connectivity (security, scalability)
BSS - systems in a WLAN connected to one AP (limited coverage)
ESS - two or more BSSs interconnected (wide coverage)

WLAN Coverage Areas
> Cell - the coverage area of an Access Point
> An Access Point can cover only a limited area. The cell range depends on the AP's transmitting power
> The radiating power decreases while moving away from the Access Point
> A client nearer to the AP can access network resources more efficiently
> To cover more clients, a WLAN requires multiple APs
(Diagram: CELL)

Two types of coverage areas exist in a WLAN
> BSA - Basic Service Area
  - A single cell
  - Only one AP exists to serve the clients
> ESA - Extended Service Area
  - Multiple BSAs
  - Multiple APs exist to serve the clients
(Diagram: BSA coverage)

Troubleshooting WAN
Troubleshooting network communication
From the Bangalore host, ping all the nodes one by one in the path till the Delhi host
Use ping and traceroute as the basic troubleshooting commands
1. If there is no response from the Bangalore switch
  - Check the physical connectivity to the switch
  - Switch configuration, mac-address-table, vlan configuration
2. If there is no response from the Bangalore router
  - Check the physical connectivity to the Bangalore router LAN interface
  - Router configuration, routing protocols, IP addresses, encapsulation etc.
3. If there is no response from the Chennai router
  - Check the physical WAN connectivity between the Bangalore and Chennai routers
  - Router configuration, routing protocols, IP addresses, encapsulation etc.
4. If there is no response from the Hyderabad router
  - Check the physical WAN connectivity between the Chennai and Hyd routers
  - Router configuration, routing protocols, IP addresses, encapsulation etc.
5. If there is no response from the Delhi router
  - Check the physical WAN connectivity between the Hyd and Delhi routers
  - Router configuration, routing protocols, IP addresses, encapsulation etc.
6. If there is no response from the Delhi switch
  - Check the physical connectivity to the switch
  - Switch configuration, mac-address-table, vlan configuration
In a real-time scenario check the modem status of the WAN connectivity
Contact the service provider in case of WAN link outages

Router commands quick reference
Router(config)# username <name> secret <password> - Creating a user
Router(config-line)# login local - To log in to the router with local users
Router(config)# banner motd # <message> # - Setting the banner of the router
Router(config)# boot system flash <ios file> - Boot using a different IOS in flash
Router(config)# boot system tftp <ios file> <tftp server ip> - Boot from a TFTP server
Router(config)# boot system rom - Boot from ROM
Router(config)# config-register 0x2102 - Normal boot sequence
Router(config)# config-register 0x141 - Boot mode / Rommon mode
Router# show version - Displays IOS version and the configuration register
Router# write erase - Erasing NVRAM / startup-config
Router# erase startup-config - Erasing NVRAM / startup-config
Router# delete flash:<file> - Deletes the specified file in flash memory
Router# clock set <time> <day> <month> <year> - Setting the clock
Router# show clock - Displays the clock
Router# show history - Displays the command history buffer
Router# terminal history size <n> - Set the size of the history buffer
Router# auto secure - Security auditing & configuration
Router# setup - Using the setup utility (alternative configuration way)
Router(config)# interface loopback <n> - Creating a loopback interface (logical interface)
Router(config)# interface s0.1 - Creating a sub interface (logical interface in a physical one)
Router(config-line)# exec-timeout <min> <sec> - Setting the logout time for a line in idle state
Router(config)# ip subnet-zero - Using subnet-zero also (enabled by default)
Router(config)# ip host <name> <ip> - Creating a name for an IP address (static host)
Router# show hosts - Displays static hosts
Router(config)# ip name-server <ip> - Setting DNS server information
Router(config)# no ip domain-lookup - Disable DNS lookups
Router# show users - To see the line users accessing this router
Router# show ip arp - To see the ARP table
Router# cd flash: - Change directory to flash
Router# dir - Displays directories and files
Router# no debug all - To disable all debugging
Router# undebug all - To disable all debugging
Router(config)# service password-encryption - Converts all passwords into secret passwords
Router# clear line <n> - To clear a line user
Router# show sessions - To see telnet sessions initiated from the router
Router# resume <n> - To resume a session
Router# disconnect <n> - To disconnect a session
Router(config)# router rip - Enabling RIP as the routing protocol
Router(config-router)# network <network> - Advertising a network
Router(config-router)# version <1/2> - Setting the version
Router(config-if)# ip rip send version <1/2> - Setting the version to send updates
Router(config-if)# ip rip receive version <1/2> - Setting the version to receive updates
Router# clear ip route * - Clears the IP routing table and rebuilds it
Router# debug ip rip - Turn on debug for RIP
Router(config)# router eigrp <as> - Enabling EIGRP as the routing protocol
Router(config-router)# network <network> - Advertising a network
Router(config-router)# variance <n> - Unequal cost load balancing
Router(config)# key chain <name> - Creating a keychain
Router(config-keychain)# key <number> - Creating a key number in the keychain
Router(config-keychain-key)# key-string <string> - Associate a key value with a key number
Router(config-if)# ip authentication mode eigrp <as> md5 - Enabling EIGRP authentication mode on the interface
Router(config-if)# ip authentication key-chain eigrp <as> <keychain> - Applying the keychain on the interface
Router(config-router)# default-information originate - Making the perimeter router an ASBR
Router(config-router)# maximum-paths <n> - Customize load balancing paths (equal cost paths, max 16)
Router(config-if)# ip ospf cost <cost> - Customizing the OSPF cost
Router# show ip ospf - Overview of the OSPF configuration
Router# show ip ospf interface - OSPF configuration on an interface basis
Router# show ip ospf neighbor - OSPF neighbors list
Router# debug ip ospf adj - Debugging the OSPF adjacency process
Router# debug ip ospf events - Debugging OSPF events on the router
Router# debug ip ospf packets - Debugging OSPF packets on the router (contents of LSAs)
Router(config-if)# ip ospf authentication-key <key> - Enabling neighbor authentication
Router(config-if)# ip ospf authentication message-digest - Set the type of authentication (cleartext/md5)
Router(config-router)# area <id> authentication message-digest - Set authentication for the area

Switch commands quick reference
Switch(config)# username <name> secret <password> - Creating a user
Switch(config-line)# login local - To log in to the switch with local users
Switch(config)# boot system flash <ios file> - Boot using a different IOS in flash
Switch(config)# boot system tftp <ios file> <tftp server ip> - Boot from a TFTP server
Switch(config)# boot system rom - Boot from ROM
Switch# write erase - Erasing NVRAM / startup-config
Switch# erase startup-config - Erasing NVRAM / startup-config
Switch# delete flash:<file> - Deletes the specified file in flash memory
Switch# clock set <time> - Setting the clock
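The IPv6 addressing rules from the IPv6 section (dropping leading zeros in a field, replacing one run of zero fields with :: and no more than one, deriving an EUI-64 interface ID from a MAC address), as an added Python example that is not part of the course notes. The MAC addresses and the 2001:1cc1:dddd::/64 prefix used below are sample values; the U/L bit flip is part of the EUI-64 procedure in RFC 4291 and goes slightly beyond the notes, which mention only the FFFE insertion.

```python
"""IPv6 address helpers for the rules described in the IPv6 section.

Added example, not part of the course notes.  expand() restores the full
8-field form and refuses an address that uses '::' more than once, because
then the number of omitted zero fields cannot be determined.  compress()
produces the shortened form.  eui64_interface_id() splits a 48-bit MAC in
two, inserts FFFE and flips the universal/local bit (RFC 4291).  MAC
addresses used in the tests are constructed sample values.
"""
import re

HEX_FIELD = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand(addr: str) -> str:
    """Full form: eight 4-hex-digit fields, lower case."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %s" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_fields = head.split(":") if head else []
        tail_fields = tail.split(":") if tail else []
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field: %s" % addr)
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = addr.split(":")
    if len(fields) != 8 or not all(HEX_FIELD.match(f) for f in fields):
        raise ValueError("not a valid IPv6 address: %s" % addr)
    return ":".join(f.lower().zfill(4) for f in fields)


def is_valid(addr: str) -> bool:
    """True when expand() accepts the address."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def compress(addr: str) -> str:
    """Shortest form: strip leading zeros and replace the longest run of two or
    more zero fields with '::' exactly once (the first such run wins a tie)."""
    fields = [f.lstrip("0") or "0" for f in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] == "0":
            j = i
            while j < 8 and fields[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(fields)
    head = ":".join(fields[:best_start])
    tail = ":".join(fields[best_start + best_len:])
    return head + "::" + tail


def eui64_interface_id(mac: str) -> str:
    """64-bit interface ID from a 48-bit MAC such as 00:1a:2b:3c:4d:5e:
    first three octets, then FFFE, then the last three octets, with bit 7 of
    the first octet (universal/local) inverted."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits: %s" % mac)
    first = octets[0] ^ 0x02
    eui = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    hexstr = eui.hex()
    return ":".join(hexstr[k:k + 4] for k in range(0, 16, 4))


def eui64_address(prefix: str, mac: str) -> str:
    """Stateless autoconfiguration result: /64 prefix + EUI-64 interface ID."""
    prefix_fields = expand(prefix).split(":")[:4]
    return compress(":".join(prefix_fields) + ":" + eui64_interface_id(mac))


if __name__ == "__main__":
    print(compress("2000:58ab:0000:0000:12cd:0011:8901:13f0"))
    print(eui64_address("2001:1cc1:dddd::", "00:1a:2b:3c:4d:5e"))
```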
