CCNA
Cisco Certified Network Associate
Exam (200-301)
Technology Workbook
www.ipspecialist.net
Document Control
Proposal Name : CCNA (200-301)
Document Version : Version 1
Document Release Date : 10th-March-2020
Reference : 200-301
Copyright © 2018 IPSpecialist LTD.
Registered in England and Wales
Company Registration No: 10883539
Registration Office at: Office 32, 19-21 Crawford Street, London W1H 1PJ,
United Kingdom
www.ipspecialist.net
All rights reserved. No part of this book may be reproduced or transmitted in
any form or by any means, electronic or mechanical, including photocopying,
recording, or by any information storage and retrieval system, without the
written permission from IPSpecialist LTD, except for the inclusion of brief
quotations in a review.
Feedback:
If you have any comments regarding the quality of this book, or would like
us to alter it to better suit your needs, you can contact us through email at
info@ipspecialist.net
Please make sure to include the book’s title and ISBN in your message.
About IPSpecialist
IPSPECIALIST LTD. IS COMMITTED TO EXCELLENCE AND
DEDICATED TO YOUR SUCCESS.
Our philosophy is to treat our customers like family. We want you to
succeed, and we are willing to do everything possible to help you make it
happen. We have the proof to back up our claims. We strive to accelerate
billions of careers with great courses, accessibility, and affordability. We
believe that continuous learning and knowledge evolution are the most
important things to keep re-skilling and up-skilling the world.
Planning and creating a specific goal is where IPSpecialist helps. We can
create a career track that suits your visions as well as develop the
competencies you need to become a professional Network Engineer. We can
also assist you with the execution and evaluation of your proficiency level,
based on the career track you choose, as they are customized to fit your
specific goals.
We help you STAND OUT from the crowd through our detailed IP training
content packages.
Course Features:
❖ Self-Paced Learning
Learn at your own pace and in your own time
❖ Covers Complete Exam Blueprint
Prep-up for the exam with confidence
❖ Case Study Based Learning
Relate the content with real-life scenarios 
❖ Subscriptions that Suit You
Get more and pay less with IPS subscriptions
❖ Career Advisory Services
Let the industry experts plan your career journey
❖ Virtual Labs to Test Your Skills
With IPS vRacks, you can evaluate your exam preparations
❖ Practice Questions
Practice questions to measure your preparation standards
❖ On Request Digital Certification
On request digital certification from IPSpecialist LTD.
About the Authors:
This book has been compiled with the help of multiple professional
engineers. These engineers specialize in different fields e.g., Networking,
Security, Cloud, Big Data, IoT, etc. Each engineer develops content in his/her
own specialized field that is compiled to form a comprehensive certification
guide.
About the Technical Reviewers:
Nouman Ahmed Khan
AWS-Architect, CCDE, CCIEX5 (R&S, SP, Security, DC, Wireless), CISSP,
CISA, CISM, Nouman Ahmed Khan is a Solution Architect working with a
major telecommunication provider in Qatar. He works with enterprises,
mega-projects, and service providers to help them select the best-fit
technology solutions. He also works as a consultant to understand customer
business processes and helps select an appropriate technology strategy to
support business goals. He has more than fourteen years of experience
working in Pakistan/Middle-East & UK. He holds a Bachelor of Engineering
Degree from NED University, Pakistan, and M.Sc. in Computer Networks
from the UK.
Abubakar Saeed
Abubakar Saeed has more than twenty-five years of experience, managing,
consulting, designing, and implementing large-scale technology projects. He
also has extensive experience heading ISP operations, solutions integration,
heading Product Development, Pre-sales, and Solution Design. Emphasizing
on adhering to Project timelines and delivering as per customer expectations,
he always leads the project in the right direction with his innovative ideas and
excellent management skills.
Uzair Ahmed
Uzair Ahmed is a professional technical content writer holding a Bachelor’s
Degree in Computer Science from PAF-KIET University. He has sound
knowledge and industry experience in SIEM implementation, .NET
development, machine learning, Artificial Intelligence, Python and other
programming and development platforms such as React.js, Angular.js and Laravel.
Muhammad Yousuf
Muhammad Yousuf is a professional technical content writer. He is a
Certified Ethical Hacker (CEHv10) and Cisco Certified Network Associate
(CCNA) in Routing and Switching, holding a bachelor’s degree in
Telecommunication Engineering from Sir Syed University of Engineering
and Technology. He has both technical knowledge and sound industry
information, which he uses perfectly in his career.
Afreen Moin
Afreen Moin is a professional Technical Content Developer. She holds a
degree in Bachelor of Engineering in Telecommunications from Dawood
University of Engineering and Technology. She has a great knowledge of
computer networking and attends several training programs. She possesses a
keen interest in research and design related to computers, which reflects in
her career.
Free Resources:
With each workbook purchased, IPSpecialist offers free resources to our
valuable customers.
Once you buy this book you will have to contact us at
support@ipspecialist.net or tweet @ipspecialistnet to get this limited time
offer without any extra charges.
Free Resources Include:
Exam Practice Questions in Quiz Simulation: With 250+ Q/A,
IPSpecialist's Practice Questions is a concise collection of important topics to
keep in mind. The questions are especially prepared following the exam
blueprint to give you a clear understanding of what to expect from the
certification exam. It goes further on to give answers with thorough
explanations. In short, it is a perfect resource that helps you evaluate your
preparation for the exam.
Career Report: This report is a step-by-step guide for a novice who wants to
develop his/her career in the field of computer networks. It answers the
following queries:
What are the current scenarios and future prospects?
Is this industry moving towards saturation or are new opportunities
knocking at the door?
What will the monetary benefits be?
Why get certified?
How to plan and when will I complete the certifications if I start
today?
Is there any career track that I can follow to accomplish
specialization level?
Furthermore, this guide provides a comprehensive career path towards being
a specialist in the field of networking and also highlights the tracks needed to
obtain certification.
 
IPS Personalized Technical Support for Customers: Good customer
service means helping customers efficiently, in a friendly manner. It is
essential to be able to handle issues for customers and do your best to ensure
they are satisfied. Providing good service is one of the most important things
that can set our business apart from the others of its kind.
Great customer service will result in attracting more customers and attaining
maximum customer retention.
IPS is offering personalized TECH support to its customers to provide better
value for money. If you have any queries related to technology and labs you
can simply ask our technical team for assistance via Live Chat or Email.
Our Products
Technology Workbooks
IPSpecialist Technology workbooks are the ideal guides to developing the
hands-on skills necessary to pass the exam. Our workbook covers official
exam blueprint and explains the technology with real life case study based
labs. The content covered in each workbook consists of individually focused
technology topics presented in an easy-to-follow, goal-oriented, step-by-step
approach. Every scenario features detailed breakdowns and thorough
verifications to help you completely understand the task and associated
technology.
We extensively used mind maps in our workbooks to visually explain the
technology. Our workbooks have become a widely used tool to learn and
remember the information effectively.
vRacks
Our highly scalable and innovative virtualized lab platforms let you practice
the IP Specialist Technology Workbook at your own time and your own
place as per your convenience.
Quick Reference Sheets
Our quick reference sheets are a concise bundling of condensed notes of the
complete exam blueprint. It is an ideal and handy document to help you
remember the most important technology concepts related to the certification
exam.
Practice Questions
IP Specialists’ Practice Questions are dedicatedly designed from a
certification exam perspective. The collection of these questions from our
technology workbooks are prepared keeping the exam blueprint in mind
covering not only important but necessary topics as well. It’s an ideal
document to practice and revise your certification.
Content at a glance
Chapter 01: Network Fundamentals
Chapter 02: Network Access
Chapter 03: IP Connectivity
Chapter 04: IP Services
Chapter 05: Security Fundamentals
Chapter 06: Automation and Programmability
Answers:
Acronyms:
References:
About Our Products
Table of Contents
Chapter 01: Network Fundamentals
Technology Brief
Role and Function of Network Components
Routers
L2 and L3 Switches
Next-Generation Firewalls and IPS
Access Points
Controllers (Cisco DNA Center and WLC)
Endpoints
Servers
Characteristics of Network Topology Architectures
2 Tier
3 Tier
Spine-Leaf
WAN
Small Office/Home Office (SOHO)
On-Premises and Cloud
Physical Interface and Cabling Types
Cabling Type and Implementation Requirements
Ethernet Connectivity Recommendations
Single Mode Fiber, Multimode Fiber, Copper
Connections
Concepts of PoE
Identifying Interface and Cable Issues
Collisions
Errors
Duplex
Speed
TCP vs. UDP
TCP and UDP Working
IPv4 Addressing and Subnetting
Advantages of Subnetting
The Need for Private IPv4 Addressing
Case Study
IPv6 Addressing and Prefix
Restrictions for Implementing IPv6 Addressing and Basic Connectivity
IPv6 Address Formats
IPv6 Subnetting
IPv6 Packet Header
IPv6 Addressing and Subnetting
Mind Map
IPv6 Address Types
Global Unicast
Unique Local
Link Local
Anycast
Multicast
Modified EUI 64
IP Parameters for Client OS (Windows, Mac OS, Linux)
Windows
Linux
Mac OS
Wireless Principles
SSID
RF
Encryption
Virtualization Fundamentals
Benefits of Virtualization
Types of Virtualization
Switching Concepts
MAC Learning and Aging
Frame Switching
Frame Flooding
MAC Address Table
Mind Map
Summary
Role and Function of Network Components
Characteristics of Network Topology Architectures
Physical Interface and Cabling Types
Identify Interface and Cable Issues
TCP vs. UDP
IPv4 Addressing and Subnetting
The Need for Private IPv4 Addressing
IPv6 Addressing and Prefix
IPv6 Address Types
Wireless Principles
Virtualization Fundamentals
Switching Concepts
Practice Questions
Chapter 02: Network Access
Technology Brief
VLANs (Normal Range) Spanning Multiple Switches
Access Ports (Data and Voice)
Default VLAN
Connectivity
Interswitch Connectivity
Trunk Ports
802.1Q
Native VLAN
Layer 2 Discovery Protocols (Cisco Discovery Protocol and LLDP)
Cisco Discovery Protocol (CDP)
LLDP (Link Layer Discovery Protocol)
(Layer 2/Layer 3) EtherChannel (LACP)
EtherChannel
Lab 2-01: VLAN, Inter-VLAN, Trunk Port, EtherChannel
Case Study
Topology
Configuration
Verification
Basic Operations of Rapid PVST+ Spanning Tree Protocol
Configuring Rapid PVST+
Root Port, Root Bridge (Primary/Secondary), and other Port Names
Rapid PVST+ Port State
PortFast
Cisco Wireless Architectures vs. AP Modes
Cisco Unified Wireless Network Architecture
AP Modes
Physical Infrastructure Connections of WLAN Components (AP,
WLC, Access/Trunk Ports, and LAG)
Access Points
Wireless LAN Controllers
Access Ports/Trunk Ports
LAG
AP and WLC Management Access Connections (Telnet, SSH, HTTP,
HTTPS, Console, and TACACS+/RADIUS)
Access Point
Wireless Controllers Management Access Connections
Components of a Wireless LAN Access for Client Connectivity using
GUI
Step 1. Configure a RADIUS Server
Step 2. Create a Dynamic Interface
Step 3. Create a New WLAN
Mind Map of Network Access
Summary
VLANs (Normal Range) Spanning Multiple Switches
Interswitch Connectivity
Layer 2 Discovery Protocols (Cisco Discovery Protocol and LLDP)
(Layer 2/Layer 3) EtherChannel (LACP)
Basic Operations of Rapid PVST+ Spanning Tree Protocol
Cisco Wireless Architectures vs. AP Modes
Physical Infrastructure Connections of WLAN Components (AP,
WLC, Access/Trunk Ports, and LAG)
AP and WLC Management Access Connections (Telnet, SSH, HTTP,
HTTPS, Console, and TACACS+/RADIUS)
Components of a Wireless LAN Access for Client Connectivity using
GUI
Practice Questions
Chapter 03: IP Connectivity
Technology Brief
Components of the Routing Table
Routing Protocol Code
Prefix
Network Mask
Next Hop
Administrative Distance
Metric
Gateway of Last Resort
How a Router Makes Forwarding Decision by Default?
Longest Match
Administrative Distance
Routing Protocol Metric
IPv4 and IPv6 Static Routing
IP Addresses
IPv4 Address
IPv6 Address
Difference between IPv4 and IPv6 Addresses
Default Route
Network Route
Host Route
Floating Static
Case Study <IPV4 Static Routing>
Topology Diagram:
Configuration
Verification
Case Study <IPv6 Static Routing>
Topology Diagram
Configuration
Verification
Single Area OSPFv2
Neighbor Adjacency
Point-to-Point
Broadcast (DR/BDR Selection)
Router ID
Purpose of First Hop Redundancy Protocol
Types of Redundancy Protocols
Case Study <OSPF>
Topology Diagram
Configuration
Verification
Mind Map
Summary
Components of the Routing Table
A Router Makes Forwarding Decision by Default
Configure and Verify IPv4 and IPv6 Static Routing
Configure and Verify Single Area OSPFv2
Purpose of First Hop Redundancy Protocol
Practice Question
Chapter 04: IP Services
Technology Brief
Configure and Verify Inside Source NAT using Static and Pools
NAT Inside and Outside Addresses
Types of Network Address Translation (NAT)
Advantages of NAT
Disadvantages of NAT
NTP Operating in a Client and Server Mode
NTP Authentication
Role of DHCP and DNS within the Network
Configuring DHCP
TFTP, DNS, and Gateway Options
The Function of SNMP in Network Operations
SNMPv2:
SNMPv3:
Management Information Base (MIB):
Use of Syslog Features Including Facilities and Levels
Syslog
Syslog Facilities and Features
DHCP Client and Relay
Router/Switch as a DHCP Server
Forwarding Per-Hop Behavior for QoS such as Classification,
Marking, Queuing, Congestion, Policing, Shaping
Classification:
Congestion
Queuing
Shaping
Policing
Differentiated Services
Network Devices for Remote Access using SSH
Capabilities and Functions of TFTP/FTP in the Network
File Transfer Protocol (FTP)
Trivial File Transfer Protocol (TFTP)
Differences between TFTP & FTP
Mind Map
Summary
Configure and Verify Inside Source NAT using Static and Pools
Configure and Verify NTP Operating in a Client and Server Mode
The Role of DHCP and DNS within the Network
The Function of SNMP in Network Operations
Use of Syslog Features
Configure and Verify DHCP Client and Relay
Forwarding Per-hop Behavior for QoS such as Classification,
Marking, Queuing, Congestion, Policing, Shaping
Network Devices for Remote Access using SSH
Capabilities and Functions of TFTP/FTP in the Network
Practice Question
Chapter 05: Security Fundamentals
Technology Brief
Security Concepts
Threats
Vulnerabilities
Exploits
Mitigation Techniques
Security Program Elements
User Awareness
Training
Physical Access Controls
Configure Device Access Control using Local Passwords
Configure Local User-Specific Passwords
Configure AUX Line Password
Security Password Policies Elements
Password Management
Password Complexity
Password Alternatives
Remote Access and Site-to-Site VPNs
VPN
Remote Access VPN
Site-to-Site VPN
Mind Map
Configure and Verify Access Control Lists
Inbound and Outbound ACL
Lab: NAT, DHCP, NTP, Syslog, and SSH
Case Study
Topology Diagram
Configuration
Verification
Layer 2 Security Features
DHCP Snooping
Dynamic ARP Inspection
Port Security
Authentication, Authorization, and Accounting Concepts
AAA Components
Wireless Security Protocols
WPA
WPA2
WPA3
Configure WLAN using WPA2 PSK using GUI
WPA2-PSK Configuration with GUI
Verifying WPA2 PSK
Mind Map
Summary
Security Concepts
Security Program Elements
Configure Device Access Control Using Local Passwords
Security Password Policies Elements
Remote-Access and Site-to-Site VPNs
Configure and Verify Access Control Lists
Layer 2 Security Features
Authentication, Authorization, and Accounting Concepts
Wireless Security Protocols
Configure WLAN using WPA2 PSK using GUI
Practice Question
Chapter 06: Automation and Programmability
Automation Impacts on Network Management
Why do we need to automate our network?
How automation of network can be beneficial?
Why Choose Cisco for Networking
Compare Traditional Networks with Controller-based Networking
Controller-based and Software Defined Architectures
SD- Access Architecture
Underlay
Overlay
Fabric
Separation of Control Plane and Data Plane
Northbound and Southbound APIs
Traditional Campus Device Management vs. Cisco DNA Center
Enabled Device Management
Characteristics of REST-based APIs
CRUD
HTTP Verbs
Capabilities of Configuration Management Mechanisms
Puppet
Chef
Ansible
Interpret JSON Encoded Data
PHP JSON Encode and Decode
Encoding and Decoding
PHP JSON Encode
Mind Map
Summary
Automation Impacts on Network Management
Compare Traditional Networks with Controller-based Networking
Controller-based and Software Defined Architectures
Traditional Campus Device Management vs. Cisco DNA Center
Enabled Device Management
Characteristics of REST-based APIs
Capabilities of Configuration Management Mechanisms
Interpret JSON Encoded Data
Practice Question
Answers:
Chapter 01: Network Fundamentals
Chapter 02: Network Access
Chapter 03: IP Connectivity
Chapter 04: IP Services
Chapter 05: Security Fundamentals
Chapter 06: Automation and Programmability
Acronyms:
References:
About Our Products
About this Workbook
This workbook covers all the information you need to pass the Cisco CCNA
200-301 exam (Latest Exam). The workbook is designed to take a practical
approach of learning with real life examples and case studies.
➢ Covers complete CCNA updated blueprint
➢ Summarized content
➢ Case Study based approach
➢ Ready to practice labs on Virtualized Environment
➢ 100% pass guarantee
➢ Mind maps
Cisco Certifications
Cisco Systems, Inc. specializes in networking and communications products
and services. A leader in global technology, the company is best known for
its business routing and switching products that direct data, voice, and video
traffic across networks worldwide.
Cisco also offers one of the most comprehensive vendor-specific certification
programs in the world, the Cisco Career Certification Program. The program
has six (6) levels, which begin at the Entry level and then advance to the
Associate, Professional, and Expert levels. For some certifications, the
program closes at the Architect level.
Figure 1. Cisco Certifications Skill Matrix
How do Cisco certifications help?
Cisco certifications are a de facto standard in the networking industry, which
help you boost your career in the following ways:
1. Gets your foot in the door by launching your IT career
2. Boosts your confidence level
3. Proves knowledge that helps improve employment opportunities
As for companies, Cisco certifications are a way to:
1. Screen job applicants
2. Validate the technical skills of the candidate
3. Ensure quality, competency, and relevancy
4. Improve organization credibility and customers’ loyalty
5. Meet the requirement in maintaining organization partnership level
with OEMs
6. Helps in Job retention and promotion
Cisco Certification Tracks
Figure 2. Cisco Certifications Track
About the CCNA Exam
➢ Exam Number: 200-301 CCNA
➢ Associated Certifications: CCNA
➢ Duration: 120 minutes
➢ Exam Registration: Pearson VUE
The Cisco Certified Network Associate (CCNA) composite exam (200-301)
is a 120-minute assessment that is associated with the CCNA certification.
This exam tests a candidate's knowledge and skills related to secure network
infrastructure, understanding core security concepts, managing secure access,
VPN encryption, firewalls, intrusion prevention, web and email content
security, and endpoint security.
The following topics are general guidelines for the content likely to be
included on the exam:
➢ Network Fundamentals 20%
➢ Network Access 20%
➢ IP Connectivity 25%
➢ IP Services 10%
➢ Security Fundamentals 15%
➢ Automation and Programmability 10%
The complete list of topics covered in the CCNA 200-301 exam can be
downloaded from here:
https://learningcontent.cisco.com/cln_storage/text/cln/marketing/exam-topics/210-260-iins.pdf
Chapter 01: Network Fundamentals
Technology Brief
In computer networks, the term network refers to the interconnection of
devices such as computers, laptops, IoT devices, servers, routers and much
more. This network of devices is capable of sharing information among its
members and offers different services over the network. The evolution of
computer networks has raised the demand for network engineers who can
install, configure, operate and troubleshoot networks ranging from small
personal area networks to large-scale enterprise networks. Typical
Networking Fundamentals topics include WAN technologies, basic security
and wireless concepts, routing and switching fundamentals, and configuring
simple networks.
In this chapter, we will discuss the role and function of network components,
the characteristics of network topology architectures, the TCP and UDP
network protocols, wireless principles, virtualization fundamentals (virtual
machines), and switching concepts and their categories. This chapter also
examines the limitations of IPv4 and describes how IPv6 resolves these
issues while offering other advantages as well, covering the rationale for
IPv6 and the concerns regarding IPv4 address depletion. It presents a brief
history of both IPv4 and IPv6 addressing and address types, and it also
includes the representation of IPv6 addresses, along with the IPv6 header.
Role and Function of Network Components
A network is a set of interconnected devices sharing resources. A computer
network allows different computers/devices to connect to one another and
share resources. The network architecture consists of numerous devices that
each perform a definite function or set of functions in the network. It is
essential to understand the purpose of each device so that an individual is
familiar with the functionalities of the devices that are used in the network.
In this section, we will cover these devices and their functions.
Network Topology
Network topology describes the relationship between the various elements of
a network. Network topology can be categorized as physical or logical
topology. Physical topology shows the physical network infrastructure,
whereas logical topology shows the logical overview of the network.
Network topology boils down to two basic elements: nodes and links. Nodes
represent any number of possible network devices, such as routers, switches,
servers, phones, cameras, or laptops. The topological structure of a network
consists of nodes and links that are connected physically or logically.
Bus Topology
In the case of bus topology, all devices share a single communication line or
cable. Bus topologies may have issues when multiple hosts send data at the
same time. Therefore, a bus topology either uses CSMA/CD technology or
recognizes one host as the Bus Master to solve this issue. It is one of the
simplest forms of networking, where the failure of a device does not affect
the other devices. On the other hand, a failure of the shared communication
line can make all other devices stop functioning.
Figure 1-01: Bus Topology
Ring Topology
In ring topology, each host machine connects to exactly two other machines,
creating a circular network structure. When one host tries to communicate or
send a message to a host that is not adjacent to it, the data travels through
all intermediate hosts. To connect one more host to the existing structure, the
administrator may need only one extra cable.
Figure 1-02: Ring Topology
Star Topology
The advantage of the star topology is that a central device serves as the
mediator for every station, so the stations are connected to each other only
indirectly, through that central device. The disadvantage is that it is too
costly and is dependent on the hub or central device.
The following figure illustrates the topology used in star topology:
Figure 1-03: Star Topology
Mesh Topology
If you observe the figure, you will see that each computer is interconnected
to every other computer. That is the simplest way to explain mesh. Although
there is some theoretical background we could dig deeper into with mesh,
such as Reed’s law, flooding and routing, it is important for us to know that
the disadvantages of mesh are difficult installation and expensive cabling.
On the other hand, it is good when it comes to providing security, and
privacy and troubleshooting are easy.
The following figure shows mesh topology structure:
Figure 1-04: Mesh Topology
Hybrid Topology
Hybrid topology is a mixture of more than one topology, which may include
mesh topology, star topology, ring topology, etc. The disadvantage of one
topology may be offset by the advantage of the other. Thus, the reason for
building a hybrid topology is to eliminate the shortcomings of the individual
topologies.
Figure 1-05: Hybrid Topology
Routers
Routers are used to connect networks. A router receives a packet and
examines the destination IP address to determine which network the packet
needs to reach, then sends the packet out of the corresponding interface.
Routers are network devices that route information across networks: by
inspecting a packet as it arrives, the router can determine the destination
address of the information; then, by using tables of defined routes, the router
determines the best way for the data to continue its journey. Unlike bridges
and switches, which use the hardware-configured MAC address to determine
the destination of the data, routers use the software-configured network
address to make decisions. This approach makes routers more functional than
bridges or switches, and it also makes them more complex because they have
to work harder to determine where the information should go.
Figure 1-06: Router
Functions
➢ Routers work on the Internet Protocol (IP), specifically on the logical
address, also known as the IP address
➢ Routers perform their actions at Layer 3, i.e., the Network Layer of the
OSI model
➢ They route traffic from one network to the desired destination network
➢ As described, a router is an intelligent device that first finds out which
network the traffic belongs to
➢ After deciding, the router forwards the traffic to the required destination
Applications
➢ Routers provide interfaces for different physical network connections
such as copper cables, optic fiber, or wireless transmission
➢ The Network Administrator can configure the routing table manually as
well as dynamically
➢ Routers learn their routing tables by using static routes and dynamic
routing protocols
➢ Multiple routers are used in interconnected networks
➢ Dynamic exchange of information about destinations is made possible by
dynamic routing protocols; the administrator has to advertise routing paths
manually for static networks
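As an added illustration (not code from the workbook) of the forwarding decision described above, the following Python models a router that picks the outgoing interface for a destination address by longest-prefix match over its routing table, for both IPv4 and IPv6. The prefixes, next hops and interface names are constructed sample values.

```python
import ipaddress

# Constructed sample routing table for a router with four interfaces.
# Each entry: (destination prefix, next-hop address or None when the network
# is directly connected, outgoing interface). All values are hypothetical.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "Gi0/0"),      # default route towards the ISP
    ("10.1.0.0/16", "10.0.0.2", "Gi0/1"),        # summary route via a neighbour
    ("10.1.20.0/24", None, "Gi0/2"),             # directly connected LAN
    ("192.168.1.0/24", None, "Gi0/3"),           # directly connected LAN
    ("2001:db8:1::/48", None, "Gi0/3"),          # directly connected IPv6 LAN
    ("::/0", "2001:db8::1", "Gi0/0"),            # IPv6 default route
]


class Router:
    """Minimal forwarding engine: destination IP in, outgoing interface out."""

    def __init__(self, routes):
        self.table = []
        for prefix, next_hop, iface in routes:
            net = ipaddress.ip_network(prefix)
            nh = ipaddress.ip_address(next_hop) if next_hop else None
            self.table.append((net, nh, iface))

    def lookup(self, dst):
        """Return the most specific (longest prefix) route covering dst, or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh, iface in self.table:
            # An IPv4 address can never match an IPv6 prefix and vice versa.
            if addr.version != net.version or addr not in net:
                continue
            # Among all covering prefixes the longest one wins, so a /24
            # beats a /16, which in turn beats the /0 default route.
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, nh, iface)
        return best

    def forward(self, dst):
        """Decide where a packet for dst goes.

        Returns (interface, address the packet is handed to on that link):
        on a directly connected network the packet is delivered to the
        destination itself, otherwise it goes to the next-hop router.
        Returns None when no route matches, i.e. the router drops the packet.
        """
        route = self.lookup(dst)
        if route is None:
            return None
        net, nh, iface = route
        return iface, str(nh) if nh else str(ipaddress.ip_address(dst))


if __name__ == "__main__":
    r = Router(SAMPLE_ROUTES)
    for dst in ("10.1.20.7", "10.1.5.9", "8.8.8.8", "2001:db8:1::10"):
        print(dst, "->", r.forward(dst))
```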
L2 and L3 Switches
The Open Systems Interconnection (OSI) model is a reference model for
describing and explaining network communications; the terms Layer 2 and
Layer 3 are adopted from it. The OSI model has seven layers: application
layer, presentation layer, session layer, transport layer, network layer, data
link layer and physical layer, among which the network layer is Layer 3 and
the data link layer is Layer 2.
Figure 1-07: OSI Model
Layer 2 switches provide direct data transmission between two devices
within a LAN. A Layer 2 switch’s purpose is to maintain a table of Media
Access Control (MAC) addresses. Data frames are switched by MAC address
individually inside the LAN and are not identified outside it. A Layer 2
switch can allocate VLANs to specific switch ports, and those VLANs in turn
belong to different Layer 3 subnets, so communication with other VLANs or
LANs requires the function of Layer 3.
Figure 1-08: Layer 2 & Layer 3 Switches
Difference between Layer 2 and Layer 3 Switches
The basic difference between Layer 2 and Layer 3 is the routing function.
A Layer 2 switch works only on MAC addresses and does not concern itself
with IP addresses or any items of higher layers. A Layer 3 switch can
perform all the tasks that a Layer 2 switch can. Furthermore, it can do
dynamic routing and static routing. This means a Layer 3 switch has both a
MAC address table and an IP routing table, and handles intra-VLAN
communication as well as packet routing between distinct VLANs. A switch
that adds merely static routing is known as a Layer 2+ or Layer 3 Lite switch.
Other than routing packets, Layer 3 switches similarly include some
functions that need the capability to understand the IP address information of
data that is coming to the switch, such as tagging VLAN traffic depending on
IP addresses instead of manually configuring a port. Layer 3 switches are
more reliable from a security and power perspective.
Which Device Do You Need?
With the emergence of Layer 3 switches, deciding when to use a Layer 2
switch and when to use a Layer 3 switch, whether to choose a Layer 3 switch
or a router for routing, and similar questions are troubling many people.
Which device is the better one according to your needs?
Figure 1-09: Layer 2 Switch, Layer 3 Switch and Router
When choosing between Layer 2 and Layer 3 switches, think about where the
switch will be used. If you have a pure Layer 2 domain, you can simply go
for a Layer 2 switch; if you need to do inter-VLAN routing, then you need a
Layer 3 switch. A pure Layer 2 domain is where the hosts are connected, so a
Layer 2 switch works fine there. This is usually called the access layer in a
network topology. If the switch is required to aggregate multiple access
switches and do inter-VLAN routing, then a Layer 3 switch is needed. This is
known as the distribution layer in a network topology.
Since both the Layer 3 switch and the router have routing functions, which
one is better? Actually, it is less a question of which is better at routing, as
both are useful in particular applications. If you need extensive switching
and inter-VLAN routing, and need no further routing to the Internet Service
Provider (ISP)/WAN, then a Layer 3 switch will serve you well. Otherwise,
you should go for a router with more Layer 3 features.
Functions

Layer 2 Switch:
● Switches filter the MAC addresses of all the connected devices
● Switches operate at the Data Link layer (Layer 2) of the OSI model
● A switch learns the physical address of every device connected to it and then uses the MAC address to control traffic flow
● Switches forward data frames only to the destination address rather than forwarding the data to all the connected ports
● Switches reduce traffic by automatically segmenting the network

Layer 3 Switch:
● Multilayer switches have more advanced functionality: a switch with some router characteristics
● Multilayer switches can be connected to other multilayer switches to provide scalability to the network
● The network can be logically segmented into multiple broadcast domains
● A Layer 3 switch must be capable enough to make a forwarding decision
● Switches must store network flows so that forwarding can occur in hardware

Applications

Layer 2 Switch:
● It connects the departments of one company to one another without being involved in their communication
● Switches can transfer large files within the local area network without affecting the upper-layer traffic flow of the network
● Switches can be used to create virtual local area networks (VLANs) to improve the flexibility of the network
● It is very efficient, as it does not forward data that contains errors
● It avoids collision domains

Layer 3 Switch:
● Multilayer switches are used efficiently in VLAN networks
● Multilayer switches can create VLANs and decide the routes between VLANs
● Multilayer switches can connect to other multilayer switches and basic switches to extend the VLANs throughout the organization
Table 1-01: Layer 2 & Layer 3 Switches
Next-Generation Firewalls and IPS
Firewalls have evolved beyond simple packet filtering and stateful
inspection. Most companies are deploying next-generation firewalls to block
modern threats such as advanced malware and application-layer attacks.
According to Gartner, Inc.’s definition, a next-generation firewall must
include:
● Standard firewall capabilities like stateful inspection
● Integrated intrusion prevention
● Application awareness and control to see and block risky apps
● Upgraded paths to include future information feeds
● Techniques to address evolving security threats
Figure 1-10: Firewall
Traditional Firewall Vs. Next Generation Firewalls
As their names suggest, next generation firewalls are a more advanced
version of the traditional firewall, and they offer the same benefits. Like
regular firewalls, NGFWs use both static and dynamic packet filtering and
VPN support to ensure that all connections between the network, the internet,
and the firewall are valid and secure. Both firewall types should also be able
to translate network and port addresses in order to map IPs.
There are also fundamental differences between traditional firewalls and
next generation firewalls. The most obvious difference between the two is an
NGFW's ability to filter packets based on applications. These firewalls have
extensive control and visibility of the applications that they are able to
identify using analysis and signature matching. They can use whitelists or a
signature-based IPS to distinguish between safe applications and unwanted
ones, which are then identified using SSL decryption. Unlike most traditional
firewalls, NGFWs also include a path through which future updates will be
received.
Importance of Next Generation Firewalls
Installing a firewall is a necessary requirement for any business. In today's
environment, having a next generation firewall is a mandatory part of the
network. Threats to personal devices and larger networks are changing every
day. With the flexibility of an NGFW, it protects devices and companies from
a much broader spectrum of intrusions. Although these firewalls are not the
right solution for every business, security professionals should carefully
consider the benefits that NGFWs can provide, as they have a very large upside.
Firepower announced its Next-Generation Firewall (NGFW) that combines
IPS threat prevention, integrated application control and firewall capabilities
in a high-performance security appliance.
Functions
● NGFWs are able to block malware from entering a network
● They are better equipped to address Advanced Persistent Threats (APTs)
● NGFWs can be a low-cost option for companies looking to improve their basic security, because they can incorporate the work of antivirus, firewalls, and other security applications into one solution
Applications
● Being more intelligent and performing deeper traffic inspection, NGFWs may also be able to perform intrusion detection and prevention. Some next-generation firewalls might include enough IPS functionality that a stand-alone IPS is not needed
● NGFWs can also provide reputation-based filtering to block applications that have a bad reputation. This can possibly check phishing, virus, and other malware sites and applications
● They can identify and filter traffic based upon the specific applications, rather than just opening ports for any and all traffic. This prevents malicious applications and activity from using non-standard ports to evade the firewall
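The port-versus-application distinction is the part worth seeing in code. The following is an added example, not code from this book or from any firewall product: a port-only filter in the style of a traditional firewall placed beside an application-aware filter that identifies the protocol from the first bytes of a flow using three constructed signatures (SSH banner, TLS handshake record header, HTTP request line), applies an application whitelist, and adds a reputation list. The sample flows, the banner string and the bad-reputation address are all made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    payload: bytes      # first bytes the client sent


# --- Traditional firewall: decide on the transport port alone --------------
PORT_ALLOW = {80, 443}


def port_filter(flow):
    """Port-based rule: permit only the standard web ports."""
    return "allow" if flow.dst_port in PORT_ALLOW else "deny"


# --- NGFW: identify the application first, then apply an application policy -
def _is_tls_client_hello(p):
    # TLS record header: content type 0x16 (handshake), version major byte 0x03
    return len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03


def _is_http_request(p):
    return p.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"}


APP_SIGNATURES = (                      # constructed, deliberately small set
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("tls", _is_tls_client_hello),
    ("http", _is_http_request),
)
APP_ALLOW = {"http", "tls"}             # application whitelist
BAD_REPUTATION = {"198.51.100.23"}      # constructed entry (documentation range)


def identify_app(payload):
    for name, matches in APP_SIGNATURES:
        if matches(payload):
            return name
    return "unknown"


def ngfw_filter(flow):
    """Returns (decision, reason); reason is the application name or 'reputation'."""
    if flow.dst_ip in BAD_REPUTATION:
        return "deny", "reputation"
    app = identify_app(flow.payload)
    return ("allow" if app in APP_ALLOW else "deny"), app


# Constructed sample flows
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),              # plain web
    Flow("192.0.2.10", 443, b"SSH-2.0-ConstructedBanner\r\n"),           # SSH on the HTTPS port
    Flow("192.0.2.11", 8080, b"GET /api HTTP/1.1\r\n"),                   # web on a non-standard port
    Flow("198.51.100.23", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xF4])),   # TLS to a bad-reputation host
]


def evaluate(flows):
    """One row per flow: (port-filter decision, NGFW decision, NGFW reason)."""
    return [(port_filter(f),) + ngfw_filter(f) for f in flows]


if __name__ == "__main__":
    for flow, row in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{flow.dst_ip}:{flow.dst_port:<5} port-filter={row[0]:<5} ngfw={row[1]:<5} ({row[2]})")
```

The second and third rows are the point of the text: the port filter passes SSH because it rides on 443 and blocks legitimate web traffic on 8080, while the application-aware filter decides on what the traffic is rather than where it is going. The last row shows reputation filtering taking precedence over application identification.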
Access Points
An access point is a device that offers network connectivity to a large
number of endpoints. A wireless access point typically connects to a wired
router, switch, or WLC to provide wireless connectivity. For example, if you
want to enable Wi-Fi access in your company's reception area but do not have
a router within range, you can install an access point near the front desk and
run an Ethernet cable through the ceiling back to the server room.
Figure 1-11: Access Point
Advantages of Using Wireless Access Points
When you have both employees and guests connecting with their laptops,
mobile phones, and tablets, several devices will be connecting to and
disconnecting from the network. To support these simultaneous connections,
an access point gives you the scalability to connect that number of devices to
your network. But that's only one of the advantages of using these network
enhancers—consider these points:
● Business-grade access points can be installed anywhere you can run an
Ethernet cable. Newer models are also compatible with Power over
Ethernet Plus, or PoE+ (a combination Ethernet and power cord), so
there is no need to run a separate power line or install an outlet near the
access point
● Additional standard features include Captive Portal and Access Control
List (ACL) support, so you can limit guest access without
compromising network security, as well as easily manage users within
your Wi-Fi network
● Selected access points include a Clustering feature—a single point
from which the IT administrator can view, deploy, configure, and
secure a Wi-Fi network as a single entity rather than a series of
separate access point configurations
Controllers (Cisco DNA Center and WLC)
Cisco DNA Center is the foundational controller and analytics platform.
DNA Center is the heart of Cisco’s intent-based network architecture. Cisco
DNA Center offers centralized, intuitive management that makes it fast and
easy to design, provision, and apply policies across your network
environment. The Cisco DNA Center UI provides end-to-end network
visibility and uses network insights to optimize network performance and
deliver the best user and application experience.
The Cisco Wireless Controller (WLC) series devices provide a single
solution to configure, manage and support corporate wireless networks,
regardless of their size and locations. Cisco WLCs have become very popular
during the last decade as companies move from standalone Access
Point (AP) deployment designs to a centralized controller-based design,
reaping the enhanced functionality and redundancy benefits that come with
controller-based designs.
Cisco currently offers a number of different WLC models, each targeted for
different sized networks. As expected, the larger models (WLC 8500, 7500,
5760, etc.) offer more high-speed gigabit network interfaces, high availability
and some advanced features required in large & complex networks, for
example supporting more VLANs and WiFi networks, thousands of AP &
Clients per WLC device, and much more.
Recently, Cisco has begun offering WLC services in higher-end Catalyst
switches by embedding the WLC inside Catalyst switches, e.g., the Catalyst
3850, but also as a virtual image, the 'Virtual WLC', that runs under VMware
ESX/ESXi 4.x/5.x. Finally, Cisco ISR G2 routers of the 2900 & 3900 series
can accept Cisco UCS-E server modules, adding WLC functionality and
supporting up to 200 access points and 3000 clients.
Exam Tip: WLC interfaces, their physical and logical ports, how they
connect to the network and how wireless SSIDs are mapped to VLAN
interfaces are very important topics for the exam.
Endpoints
An endpoint is a remote computing device that communicates back and forth
with a network to which it is connected. Examples of endpoints include:
● Desktops
● Laptops
● Smartphones
● Tablets
● Servers
● Workstations
Endpoints represent key vulnerable points of entry for cybercriminals.
Endpoints are where attackers execute code and exploit vulnerabilities, and
where there are assets to be encrypted, exfiltrated or leveraged. With
organizational workforces becoming more mobile and users connecting to
internal resources from off-premises endpoints all over the world, endpoints
are increasingly susceptible to cyberattacks. Objectives for targeting
endpoints include, but are not limited to:
➢ Taking control of the device and using it in a botnet to execute a DoS attack
➢ Using the endpoint as an entry point into an organization to access
high-value assets and information
For several decades, organizations have relied heavily on antivirus software
as a means to secure endpoints. However, traditional antivirus can no longer
protect against today's modern threats. An advanced endpoint security
solution should prevent known and unknown malware and exploits,
incorporate automation to reduce security team workloads, and protect and
enable users without impacting system performance.
Servers
A server is a computer program or a device that provides functionality for
other programs or devices. A server is a software or hardware device that
accepts and responds to requests made over a network. The device that makes
the request, and receives a response from the server, is called a client. On the
internet, the term "server" commonly refers to the computer system that
receives a request for a web document, and sends the requested information
to the client.
Servers are used to manage network resources. For example, a user may set
up a server to control access to a network, send/receive emails, manage print
jobs, or host a website. They are also proficient at performing intense
calculations. Some servers are committed to a specific task, often referred to
as dedicated. However, many servers today are shared servers that can take
on the responsibility of emails, DNS, FTP, and even multiple websites in the
case of a web server.
Types of Servers
Servers are frequently categorized by their purpose. A few examples of the
types of servers available are:
● A web server is a computer program that serves requested HTML pages or files. In this case, a web browser acts as the client or user
● An application server is a program on a computer in a distributed network that provides the business logic for an application program
● A proxy server is software that acts as an intermediary between an endpoint device, such as a computer, and another server from which a user or client is requesting a service
● A mail server is an application that receives incoming emails from local users (people within the same domain) and remote senders and forwards outgoing emails for delivery
● A virtual server is a program running on a shared server that is configured in such a way that it appears to individual users that they have complete control of a server
● A blade server is a server chassis for housing multiple thin, modular electronic circuit boards, known as server blades. Each blade is a server in its own right, often dedicated to a single application
● A file server is a computer responsible for the central storage and management of data files so that other computers on the same network can access them
● A policy server is a security component of a policy-based network that provides authorization services and facilitates the tracking and control of files
Characteristics of Network Topology Architectures
Network topology is defined as the arrangement of computer systems, or
nodes, that forms a computer network.
There are two types of network topology: physical topology and logical
topology. The physical topology of a network refers to the physical
arrangement of computer nodes based on the configuration of computers,
cables, and other peripherals, whereas the logical topology is the method
used to pass information between workstations.
Both topologies exist in a Local Area Network (LAN). All the nodes in a LAN
are connected to each other through a valid medium; the physical
arrangement, based on the hardware used, shows the physical topology, while
the flow of data through this arrangement shows the logical topology.
The characteristics of network topology architecture are as follows:
2 Tier
The word "tier" usually refers to splitting the two software layers onto two
distinct physical pieces of hardware. Multi-layer programs can be based on
one tier or level, but because of operational preferences, many two-tier
architectures use a computer for the first tier and a server for the second
tier.
A two-tier or two-level architecture is a software architecture in which a
presentation layer, or interface, runs on a client, and a data layer, or data
structure, is stored on a server. Separating these two components into
different locations represents a two-tier architecture.
Figure 1-12: Two-Tier Network Design Model
3 Tier
A three-tier or three-level architecture is a client-server architecture design
in which the functional process logic, data access, computer data storage and
user interface (UI) are developed and maintained as independent modules on
separate platforms. Three-tier architecture is a software design pattern and a
well-established software architecture structure.
Three-tier architecture permits any one of the three tiers to be upgraded or
replaced independently. The user interface is implemented on a desktop PC
and uses a standard graphical user interface (GUI) served by different
modules running on the application server.
The three layers included in a typical three-tier architecture network design
are:
● Core Layer: Provides an optimal channel between sites and high-performance routing. Because of the criticality of the core layer, the design principles of the core should provide a suitable level of resilience that offers the capability to recover rapidly and easily after any network or system failure within the core block
● Distribution Layer: Provides policy-based connectivity and boundary control between the access and core layers
● Access Layer: Provides user/workgroup access to the system or network. The two essential and common hierarchical design architectures of enterprise campus networks are the three-layer and two-layer models
Figure 1-13: Three-Tier Network Design Model
The design model, illustrated in the above figure is usually used in large
enterprise campus systems or networks that are constructed by multiple
functional distribution layer blocks.
The hierarchical network design model breaks the complex level system into
multiple smaller and more manageable networks. Each tier or level in the
hierarchy is focused on a specific set of roles. This design approach offers
network designers a high degree of flexibility to optimize and select the right
network hardware, software, and features to perform specific roles for the
different network layers.
Spine-Leaf
With the increased emphasis on massive data transfers and instantaneous
data travel across the network, the aging three-tier architecture within a data
center is being replaced with the Leaf-Spine architecture. A Leaf-Spine
architecture adapts to the continuously changing requirements of companies
in big data industries with evolving data centers.
Leaf-Spine Network Topology
In Leaf-Spine configurations, all devices are exactly the same number of
segments away from each other, which gives a predictable and consistent
amount of latency, or delay, for travelling data. This is possible only because
of the new topology design, which has two layers: the Leaf layer and the
Spine layer. The Leaf layer consists of access switches that connect to devices
like servers, load balancers, firewalls, and edge routers. The Spine layer
(made up of switches that perform routing) is the backbone of the network,
where every Leaf switch is interconnected with each and every Spine switch.
Figure 1-14: Leaf-Spine Architecture Design
WAN
A Wide Area Network helps organizations expand geographically around the
globe. By using WAN services from service providers, usually called "off-
sourcing" or "outsourcing", organizations only have to focus on their local
connectivity, while the rest of the network is taken care of by the internet
service providers. The following figure shows the basic network topology
seen in Wide Area Networks in use today:
Figure 1-15: WAN Network
WAN Topology Options
There are four types of basic topologies for a WAN design.
Point-to-Point
The connection between two endpoints or nodes is known as Point-to-Point
connection. Typically, point-to-point connection is used when a dedicated
link is required from customer premises to the provider’s network. Point-to-
point communication links usually offer high service quality, if they have
adequate bandwidth. The dedicated capacity removes latency or jitter
between the endpoints.
Figure 1-16: Point-to-Point Topology
Hub and Spoke
In this topology, there is a single hub (central router) that provides access
from remote networks to a core router. You can see below the diagram for
Hub and Spoke.
Figure 1-17: Hub & Spoke Topology
Communication among the networks travels through the core router. The
advantages of a star physical topology are lower cost and easier
administration, but the disadvantages can be significant:
● (HUB) The central router represents a single point of failure
● (HUB) The central router limits the overall performance for access to
centralized resources. It is a single pipe that manages all traffic
intended either for the centralized resources or for the other regional
routers
Full Mesh
In Full Mesh, each routing node on the edge of a given packet-switching
network has a direct path to every other node on the cloud. You can see its
working flow in the following diagram.
Figure 1-18: Full Mesh Topology
This topology provides a high level of redundancy, but its costs are the
highest. In conclusion, a fully meshed topology is really not viable in large
packet-switched networks. Here are some issues you will contend with when
using a fully meshed topology:
● Many virtual circuits are required, one for every connection between
routers, which drives up the cost
● Configuration of this topology is more complex for routers without
multicast support in non-broadcast environments
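The trade-offs described for hub and spoke, full mesh and Leaf-Spine (link count, equal hop count, single point of failure) can be checked on small graphs. The following added example, not code from this book, builds each topology as a set of links and uses a breadth-first search to report the number of links, the distinct hop counts between the endpoints that matter (remote sites, or leaf switches), and which nodes are single points of failure; node names and sizes are constructed for the demonstration.

```python
from collections import deque
from itertools import combinations


def hub_and_spoke(n_spokes):
    """Every remote site has one link to the central router."""
    return {("hub", f"spoke{i}") for i in range(n_spokes)}


def full_mesh(sites):
    """Every site has a direct path to every other site."""
    return set(combinations(sites, 2))


def spine_leaf(n_spines, n_leaves):
    """Every leaf switch is connected to every spine switch."""
    return {(f"spine{s}", f"leaf{l}") for s in range(n_spines) for l in range(n_leaves)}


def adjacency(links, removed=frozenset()):
    """Undirected adjacency map, optionally with some nodes taken out (failed)."""
    adj = {}
    for a, b in links:
        if a in removed or b in removed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def hops(adj, src, dst):
    """Shortest path length in links (BFS); None if dst is unreachable."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return dist[node]
        for nxt in adj.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return None


def all_connected(adj, endpoints):
    return all(hops(adj, a, b) is not None for a, b in combinations(endpoints, 2))


def analyse(links, endpoints):
    """Link count, distinct endpoint-to-endpoint hop counts, and single points of failure."""
    adj = adjacency(links)
    hop_counts = sorted({hops(adj, a, b) for a, b in combinations(endpoints, 2)})
    spof = []
    for node in sorted(adj):
        # A node is a single point of failure if removing it disconnects
        # any pair of the remaining endpoints.
        survivors = [e for e in endpoints if e != node]
        if not all_connected(adjacency(links, {node}), survivors):
            spof.append(node)
    return {"links": len(links), "hops": hop_counts, "single_points_of_failure": spof}


if __name__ == "__main__":
    spokes = [f"spoke{i}" for i in range(4)]
    leaves = [f"leaf{i}" for i in range(4)]
    print("hub and spoke:", analyse(hub_and_spoke(4), spokes))
    print("full mesh:    ", analyse(full_mesh(["A", "B", "C", "D"]), ["A", "B", "C", "D"]))
    print("spine-leaf:   ", analyse(spine_leaf(2, 4), leaves))
```

Hub and spoke needs the fewest links but names the hub as its single point of failure; full mesh has no single point of failure and one-hop paths, at the price of n(n-1)/2 links; Leaf-Spine with two or more spines keeps every leaf-to-leaf path at exactly two hops and survives the loss of any one switch, which is the predictable latency the text describes.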
Figure 1-19: Partially Meshed Topology
Single vs Dual-Homed
On one end of a WAN link, when a single connection is implemented using a
single network interface, it is called a single-homed connection. When an
additional network interface is dedicated to the same WAN link, it is called a
dual-homed connection. This is typically done for purposes of
redundancy. 
This concept is applied to the organization's connection to its ISP in many
cases. Taking this concept a step further, both single-homed and dual-homed
connections can be duplicated, with one set of connections to one ISP and
another set of connections to a different ISP, providing both link redundancy
and ISP redundancy. When this is done with a dual-homed connection to
each ISP, they are called dual-multi-homed connections. If a single-homed
connection is provided for each ISP, it is called dual-single-homed
connection.
WAN Access Connectivity Options
WAN can use a number of different connection types available on the market
today. The figure below shows the different WAN connection types that can
be used to connect your LANs (made up of data terminal equipment, or DTE)
together over the Data Communication Equipment (DCE) network.
Figure 1-20: WAN Access Connect Options
Let's look at the different WAN connectivity options:
Dedicated (Leased Lines): These are usually called point-to-point or
dedicated connections. A leased line is a pre-established WAN
communications path that goes from the CPE through the DCE switch, and
then over to the CPE of the remote site. The CPE enables DTE networks to
communicate at any time with no cumbersome setup procedures to go
through before transmitting data.
Circuit Switched: Whenever you see the term circuit switching, think of a
phone call. The big advantage is cost; Plain Old Telephone Service (POTS)
and ISDN dial-up connections are not flat rate, which is their advantage over
dedicated lines, because you pay only for what you use, and you pay only
when the call is established. No data can be transferred before an end-to-end
connection is established. Circuit switching uses dial-up modems or ISDN
and is used for low-bandwidth data transfers.
Packet Switched: A WAN switching method that allows you to share
bandwidth with other companies to save money, just like an old party line,
where homes shared the same phone number and line to save money. Packet
switching can be thought of as a network that is designed to look like a
leased line, yet charges you less, as circuit switching does. As usual, you get
what you pay for, and there is definitely a serious downside to this
technology.
Small Office/Home Office (SOHO)
A SOHO is generally a remote office or enterprise environment with a small to
medium infrastructure. SOHO users are connected to corporate headquarters
using WAN MPLS or other technology-based services provided by service
providers. Normally, access switches are used to provide connectivity within
a SOHO environment.
Figure 1-21: SOHO Network Topology
On-Premises and Cloud
On-premises system monitoring software has been the standard for quite a
long time. Presently, some organizations are moving to cloud-based network
monitoring and management. Some applications make a lot of sense in the
cloud, like CRM software and marketing automation solutions. Deploying in
the cloud can save your organization money and give you greater
flexibility.
Physical Interface and Cabling Types
Physical interfaces consist of a software driver and a connector into which
you plug network media, such as an Ethernet cable, whereas cabling is the
channel through which data travels from one network device to another.
There are numerous types of cable that are commonly used with LANs. In
some cases, a network will use only one type of cable; other networks will
use multiple types of cable.
The type of cable selected for a network is related to the protocol, the
network's topology, and its size. Understanding the features of the different
types of cables and how they relate to other aspects of a network is essential
for the development of a successful network.
The following sections discuss the categories of cables used in networks
and other related topics.
Cabling Type and Implementation Requirements
Selecting the Appropriate Cabling Type Based on Implementation Requirements
Several types of cables and connectors can be used in a network, depending
on the requirements of the network and the type of Ethernet to be
implemented. These connectors also vary depending on the type of media
that you have installed.
Nowadays, Ethernet is considered the king when it comes to cabling. The
table below shows some forms of Ethernet cabling of which you should be
aware:
Common Name                     Speed       Alternative Name            IEEE Standard   Cable Type, Maximum Length
Ethernet                        10 Mbps     10BASE-T                    IEEE 802.3      Copper, 100 m
Fast Ethernet                   100 Mbps    100BASE-TX                  IEEE 802.3u     Copper, 100 m
Gigabit Ethernet                1000 Mbps   1000BASE-LX, 1000BASE-SX    IEEE 802.3z     Fiber, 550 m (SX), 5 km (LX)
Gigabit Ethernet                1000 Mbps   1000BASE-T                  IEEE 802.3ab    Copper, 100 m
10GigE (10 Gigabit Ethernet)    10 Gbps     10GBASE-SR, 10GBASE-LR      IEEE 802.3ae    Fiber, up to 300 m (SR), up to 25 km (LR)
10GigE (10 Gigabit Ethernet)    10 Gbps     10GBASE-T                   IEEE 802.3an    Copper, 100 m
Table 1-02: Various Cabling Options
Ethernet Connectivity Recommendations
Access Layer
● Ethernet (10 Mbps): Connects users with low to moderate bandwidth requirements
● Fast Ethernet (100 Mbps): Connects users with high-speed requirements or servers with low to moderate usage
● Gigabit Ethernet (1000 Mbps): Connects servers with high usage
● 10 Gigabit Ethernet (10000 Mbps): Not currently recommended at this layer
Distribution Layer
● Ethernet (10 Mbps): Not recommended at this layer
● Fast Ethernet (100 Mbps): Connects routers and switches with moderate usage
● Gigabit Ethernet (1000 Mbps): Interconnects access switches with Fast Ethernet users and is used to connect distribution switches to the core layer
● 10 Gigabit Ethernet (10000 Mbps): Not currently recommended at this layer
Core Layer
● Ethernet (10 Mbps): Not recommended at this layer
● Fast Ethernet (100 Mbps): Not recommended at this layer
● Gigabit Ethernet (1000 Mbps): Interconnects core switches in networks with moderate use
● 10 Gigabit Ethernet (10000 Mbps): Interconnects core switches with high usage
Table 1-03: Cabling Requirements over Different Layers
Straight and Crossover Cables: Making the right choice of cable can be tricky
when troubleshooting. Just imagine: you have already checked the running
configurations, all of which you thought you had programmed accurately,
and then all of a sudden one of the power indicators on the switch is not
lighting up because you used the wrong cable.
Figure 1-22: Ethernet Cable
The wiring scheme of a straight-through cable is the same at both ends, but
in a crossover cable it differs; that is why crossover cables are so named,
because the strands cross over. Notice that pins 1 and 2 cross over with pins
3 and 6 and vice versa, or put another way, the orange pair is swapped with
the green pair.
Let's figure out what type of cable we have to use based on the devices being
connected:
● A crossover cable is used between similar devices
● A straight-through cable is used between dissimilar devices
All of the devices attached to the switch must use a straight-through cable,
except switch to switch and switch to hub.
A crossover cable is used for the devices given below:
● Similar devices
● Switch to Switch
● Router to Router
● Hub to Hub
● Switch to Hub
● PC to PC
● Router to PC
A straight-through cable is used for the devices given below:
● Switch and Hub
● Switch to Router
● Switch to PC
● Switch to Server
● Hub to PC
● Hub to Server
● Router and Hub
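The device lists above follow a single rule: a port that transmits on pins 1 and 2 (PC, router, server; the standard term is MDI) needs the pairs swapped only when it is connected to another port of the same kind, and switch and hub ports (MDI-X) are the other kind. The following added example, not code from this book, encodes that rule and applies the pin swap the text describes (1 with 3, 2 with 6) to a T568B pinout to show that the orange pair lands where the green pair was. The MDI/MDI-X labels are standard terms the book does not use, and the device-to-kind assignment is an assumption built from the book's lists.

```python
# Port kinds, assumed from the book's device lists: MDI ports (PC, router,
# server) transmit on pins 1/2; MDI-X ports (switch, hub) transmit on 3/6.
MDI = {"pc", "router", "server"}
MDI_X = {"switch", "hub"}


def port_kind(device):
    name = device.lower()
    if name in MDI:
        return "mdi"
    if name in MDI_X:
        return "mdi-x"
    raise ValueError(f"unknown device type: {device}")


def cable_for(device_a, device_b):
    """The same port kind on both ends needs the pairs swapped: a crossover cable."""
    return "crossover" if port_kind(device_a) == port_kind(device_b) else "straight-through"


# Near-end pin -> far-end pin. Straight-through is the identity mapping;
# crossover swaps 1<->3 and 2<->6 exactly as the text describes.
STRAIGHT = {pin: pin for pin in range(1, 9)}
CROSSOVER = {**STRAIGHT, 1: 3, 2: 6, 3: 1, 6: 2}

# T568B colour order on the near-end plug (standard values, listed here for reference)
T568B = {1: "white/orange", 2: "orange", 3: "white/green", 4: "blue",
         5: "white/blue", 6: "green", 7: "white/brown", 8: "brown"}


def far_end_colours(near_end, mapping):
    """Colour seen on each far-end pin when the near end is wired as `near_end`."""
    return {mapping[pin]: colour for pin, colour in near_end.items()}


def is_crossover_wiring(near_end, far_end):
    """Recognise a crossover cable by the swapped orange and green pairs."""
    return (far_end[1], far_end[2], far_end[3], far_end[6]) == (
        near_end[3], near_end[6], near_end[1], near_end[2])


if __name__ == "__main__":
    for pair in [("switch", "pc"), ("switch", "hub"), ("router", "pc")]:
        print(pair, "->", cable_for(*pair))
    for pin, colour in sorted(far_end_colours(T568B, CROSSOVER).items()):
        print(f"far-end pin {pin}: {colour}")
```

Running the mapping confirms the wording in the text: on the far end of a crossover cable, pins 1 and 2 carry white/green and green, and pins 3 and 6 carry white/orange and orange. Most modern switch ports auto-detect the pairing (Auto-MDI-X), which is why the wrong cable is usually noticed only on older equipment.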
Single Mode Fiber, Multimode Fiber, Copper
Single Mode Cable
Single mode cable is a single strand (most applications use two fibers) of glass
fiber with a diameter of 8.3 to 10 microns that has one mode of
transmission. Single mode fiber has a relatively narrow diameter through
which only one mode will propagate, typically at 1310 or 1550 nm. This
mode carries higher bandwidth than multimode fiber, but requires a light
source with a narrow spectral width.
Single mode fiber is used in many applications where data is sent at multiple
frequencies (Wave Division Multiplexing, WDM), so only one cable is
needed (single mode on one single fiber).
Single-mode fiber gives you a higher transmission rate and up to 50 times
more distance than multimode, but it also costs more. Single-mode fiber has a
much smaller core than multimode. The small core and single light wave
virtually eliminate any distortion that could result from overlapping light
pulses, providing the least signal attenuation and the highest transmission
speeds of any fiber cable type.
Single-mode optical fiber is an optical fiber in which only the lowest-order
bound mode can propagate at the wavelength of interest, typically 1300 to
1320 nm.
Multimode Cable
Multimode cable has a somewhat bigger diameter, with common diameters in
the 50-to-100 micron range for the light-carrying component (in the US, the
most common size is 62.5 µm). In most applications in which multimode fiber
is used, two fibers are used (WDM is not usually used on multimode fiber).
Multimode fiber gives you high bandwidth at high speeds (10 to 100 Mbps;
Gigabit to 275 m to 2 km) over medium distances. Light waves are dispersed
into numerous paths, or modes, as they travel through the cable's core,
typically at 850 or 1300 nm. Typical multimode fiber core diameters are 50,
62.5, and 100 micrometers. However, in long cable runs (greater than 3000
feet [914.4 meters]), the multiple paths of light can cause signal distortion at
the receiving end, resulting in unclear and incomplete data transmission. So
designers now call for single mode fiber in new applications using Gigabit
and beyond.
Copper Cable
Networks use copper media because it is inexpensive, easy to install, and has
low resistance to electrical current. However, copper media is limited by
distance and signal interference.
Data is transmitted on copper cables as electrical pulses between networks. A
detector in the network interface of a destination device must receive a signal
that can be successfully decoded to match the signal sent. However, the
longer the signal travels, the more it deteriorates in a phenomenon referred to
as signal attenuation. For this reason, all copper media must follow strict
distance limitations as specified by the guiding standards.
Copper Media
In networking, there are three main types of copper media, plus fiber optic
cable, which carries light rather than electrical signals:
Unshielded Twisted-Pair (UTP)
Shielded Twisted-Pair (STP)
Coaxial
Fiber Optic Cable
Unshielded Twisted Pair (UTP) Cable
Twisted pair cabling comes in two varieties: shielded and unshielded.
Unshielded Twisted Pair (UTP) is the most popular and is generally the best
option for school networks.
Figure 1-23: Unshielded Twisted Pair
The quality of UTP may vary from telephone-grade wire to extremely high-speed
cable. A cable has four pairs of wires inside a jacket. Each pair is twisted
with a different number of twists per inch to help eliminate interference from
adjacent pairs and other electrical devices. The EIA/TIA (Electronic
Industries Association/Telecommunications Industry Association) has established
standards for UTP and rates it in categories; the common ones are listed below.
Type           Use
Category 1     Voice only (telephone wire)
Category 2     Data to 4 Mbps (LocalTalk)
Category 3     Data to 10 Mbps (Ethernet)
Category 4     Data to 20 Mbps (16 Mbps Token Ring)
Category 5     Data to 100 Mbps (Fast Ethernet)
Category 5e    Data to 1 Gbps (Gigabit Ethernet)
Category 6     Data to 10 Gbps (10 Gigabit Ethernet to 55 m; Gigabit Ethernet to 100 m)
Table 1-04: Categories of Unshielded Twisted Pair
Unshielded Twisted Pair Connector
The standard connector for unshielded twisted pair cabling is the RJ-45
connector. This is a plastic connector that looks like a large telephone-style
connector. A slot allows the RJ-45 to be inserted only one way. RJ stands for
Registered Jack, implying that the connector follows a standard borrowed
from the telephone industry.
This standard designates which wire goes with each pin inside the connector.
Figure 1-24: RJ-45 Connector
Shielded Twisted Pair (STP) Cable
A disadvantage of UTP is that it may be susceptible to radio and electrical
frequency interference. Shielded Twisted Pair (STP) is suitable for
environments with electrical interference; however, the extra shielding can
make the cables quite bulky. Shielded twisted pair is often used on networks
using Token Ring technology.
Figure 1-25: Shielded Twisted Pair (STP)
Coaxial Cable
Coaxial Cabling has a single copper conductor at its center. A plastic layer
provides
insulation between the center conductor and a braided metal shield. The metal
shield helps to block any outside interference from fluorescent lights, motors,
and other computers.
Figure 1-26: Coaxial Cable
Coaxial Cable Connectors
The most common type of connector used with coaxial cables is the Bayonet
Neill-Concelman (BNC) connector. Different types of adapters are available
for BNC connectors, including a T-connector, barrel connector, and
terminator. Connectors on the cable are the weakest points in any network.
To help avoid problems with your network, always use the BNC connectors
that crimp, rather than screw, onto the cable.
Figure 1-27: BNC Connector
Fiber Optic Cable
Fiber Optic Cabling consists of a center glass core surrounded by several
layers of protective materials. It transmits light rather than electronic signals,
eliminating the problem of electrical interference. This makes it ideal for
certain environments that contain a large amount of electrical interference.
Due to its immunity to the effects of moisture and lightning, it has become the
standard for connecting networks between buildings.
Fiber optic cable has the ability to transmit signals over much longer
distances than coaxial and twisted pair. It also has the capability to carry
information at vastly greater speeds. This capacity broadens communication
possibilities to include services such as video conferencing and interactive
services. The cost of fiber optic cabling is comparable to copper cabling;
however, it is more difficult to install and modify.
Figure 1-28: Fiber Optic Cable
Fiber Optic Cable Connector
The most common connector used with fiber optic cable is a ST (Straight
Tip) connector. It is barrel shaped, similar to a BNC connector. A newer
connector, the SC (Subscriber Connector), is becoming more popular. It has a
squared face and is easier to connect in a confined space.
Specification   Cable Type                 Maximum Length
10BaseT         Unshielded Twisted Pair    100 meters
10Base2         Thin Coaxial               185 meters
10Base5         Thick Coaxial              500 meters
10BaseF         Fiber Optic                2000 meters
Table 1-05: Ethernet Cable Summary
Connections
Point-to-Point:
Computers are connected by communication channels that each connect exactly two computers, with access to the full channel bandwidth
Forms a mesh or point-to-point network
Allows flexibility in communication hardware, packet formats, etc.
Provides security and privacy because the communication channel is not shared
The number of channels grows as the square of the number of computers; for n computers: (n^2 - n)/2
Shared or Broadcast Channel:
All computers are connected to a shared broadcast-based communication channel and share the channel bandwidth
Security issues arise as a result of broadcasting to all computers
Cost effective due to the reduced number of channels and interface hardware components
Concepts of PoE
Power over Ethernet (PoE) is a technology for wired Ethernet Local Area
Networks (LANs) that allows the electrical current necessary for the
operation of each device to be carried by the data cables rather than by power
cords. Doing so minimizes the number of wires that must be strung in order
to install the network. PoE was originally developed in 2003 to support
devices like Wi-Fi Access Points (APs). PoE made AP installations easier
and more flexible, especially on ceilings.
For PoE to work, the electrical current must go into the data cable at the
power-supply end, and come out at the device end, in such a way that the
current is kept separate from the data signal so that neither interferes with the
other. The current enters the cable by means of a component called an
injector. If the device at the other end of the cable is PoE compatible, then
that device will function properly without modification. If the device is not
PoE compatible, then a component called a picker (or tap) must be installed
to remove the current from the cable. This "picked-off" current is routed to
the power jack.
Identifying Interface and Cable Issues
Interface and cable issues can be due to collisions, errors, duplex mismatch or
speed mismatch. The show interface command on a switch displays a large number
of counters that reveal the errors and problems caused by interface and cable
issues.
Example 1-1: The “show interface” Output on a Cisco Switch
Switch#show interface gi 0/1
GigabitEthernet0/1 is up, line protocol is up (connected)
Hardware is iGbE, address is fa16.3eb4.b62b (bia fa16.3eb4.b62b)
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Unknown, Unknown, link type is auto, media type is unknown media type
output flow-control is unsupported, input flow-control is unsupported
Auto-duplex, Auto-speed, link type is auto, media type is unknown
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 32562
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
6783 packets input, 0 bytes, 0 no buffer
Received 14 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
108456 packets output, 7107939 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Switch#
Collisions
A collision is the event Ethernet uses to control access and allocate
shared bandwidth among stations that want to transmit at the same time on
a shared medium. Because the medium is shared, each station must be able to
detect that another station is transmitting at the same time; this is
collision detection. Collision detection is disabled in full-duplex Ethernet,
where each direction has its own dedicated wire pair. Ethernet uses CSMA/CD
(Carrier Sense Multiple Access/Collision Detect) as its medium access method.
Here is a simplified example of Ethernet operation:
Figure 1-29: Collision Architecture
1. Station A wishes to send a frame. First, it checks if the medium is
available (Carrier Sense). If it is not, it waits until the current
sender on the medium has finished.
2. Suppose Station A believes the medium is available and attempts
to send a frame. Because the medium is shared (Multiple Access),
other senders might also attempt to send at the same time. At this
point, Station B tries to send a frame at the same time as Station A.
3. Shortly after, Station A and Station B realize that there is another
device attempting to send a frame (Collision Detect). Each station
waits for a random amount of time before sending again. The time
after the collision is divided into time slots; Station A and Station
B each pick a random slot for attempting a retransmission.
4. Should Station A and Station B attempt to retransmit in the same
slot, they extend the number of slots. Each station then picks a
new slot, thereby decreasing the probability of retransmitting in
the same slot.
Errors
Errors may occur in your network for a wide variety of reasons. For example,
there could be electrical interference somewhere, or there is a bad Network
Interface Card that is not able to frame things correctly for the network.
Remember, the Frame Check Sequence often is the source for catching these
errors. Each time a router forwards a packet on an Ethernet network, it
replaces and rewrites the Layer 2 Ethernet header information, along with a
new FCS.
Duplex
This used to be a big concern in Ethernet LANs. Because some segments ran at
half duplex (hubs), you had to ensure that duplex mismatches did not occur
between full-duplex (switched) areas and half-duplex areas. Today, auto
negotiation to full duplex between devices is common. If an older device is
hard coded to half duplex and you configure the connected LAN device for full
duplex, a duplex mismatch can still result; the same happens when one end is
hard coded and the other auto negotiates, because an auto-negotiating end can
sense the speed of a non-negotiating partner but not its duplex, and so falls
back to half duplex. These mismatches can be difficult to track down, since
some packets typically make it through the connection fine while others are
dropped. The tell-tale pattern is late collisions on the half-duplex side and
CRC errors and runts on the full-duplex side. In networks that operate at half
duplex, Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is
used to arbitrate access to the shared medium.
Speed
Speed is another area where conflict can occur, but it is also becoming a less
common problem as technologies advance. For example, 1 Gigabit per second
interfaces are quite common now and operate with each other seamlessly at
1 Gbps. The issue again is older equipment that might default to a slower
speed, causing a speed mismatch.
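The checks described above (collisions, CRC and frame errors, duplex and speed mismatch, output drops) can be automated against the text of show interface. The script below is an added example written for this page, not part of the original text and not a Cisco tool. SAMPLE_OUTPUT is a constructed excerpt in the same layout as Example 1-1 with non-zero error counters inserted to exercise the checks, and the cause attributed to each counter pattern in diagnose() is the editor's rule of thumb, not a vendor definition.

```python
import re

# Constructed sample (not the page's capture): a port showing the symptoms the
# text describes, namely half duplex, late collisions, CRC errors, runts and drops.
SAMPLE_OUTPUT = """\
FastEthernet0/3 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0011.2233.4455 (bia 0011.2233.4455)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4120
     981234 packets input, 120455100 bytes, 0 no buffer
     Received 1532 broadcasts (0 multicasts)
     18 runts, 0 giants, 0 throttles
     37 input errors, 37 CRC, 0 frame, 0 overrun, 0 ignored
     1204531 packets output, 987654321 bytes, 0 underruns
     0 output errors, 845 collisions, 1 interface resets
     0 babbles, 12 late collision, 0 deferred
"""

# One regex per counter of interest; the capture group is the numeric value.
COUNTER_PATTERNS = {
    "runts": r"(\d+) runts",
    "giants": r"(\d+) giants",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame,",
    "output_drops": r"Total output drops: (\d+)",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
    "interface_resets": r"(\d+) interface resets",
}


def parse_show_interface(text):
    """Pull link state, duplex/speed and the error counters out of show interface text."""
    m = re.search(r"^(\S+) is (.+?), line protocol is (\S+)", text, re.MULTILINE)
    status = {"interface": m.group(1), "link": m.group(2), "protocol": m.group(3)} if m else {}
    m = re.search(r"(Full|Half|Auto)-duplex, ([^,]+)", text)
    duplex = m.group(1).lower() if m else "unknown"
    speed = m.group(2).strip() if m else "unknown"
    counters = {}
    for name, pattern in COUNTER_PATTERNS.items():
        m = re.search(pattern, text)
        counters[name] = int(m.group(1)) if m else 0   # a counter that is absent is treated as zero
    return {"status": status, "duplex": duplex, "speed": speed, "counters": counters}


def diagnose(parsed):
    """Map counter patterns to the cable, duplex and congestion causes the text lists (editor's heuristics)."""
    c, findings = parsed["counters"], []
    if parsed["status"].get("link") not in (None, "up"):
        findings.append("link down: check cable, port and speed settings on both ends")
    if parsed["duplex"] == "half" and c["late_collisions"]:
        findings.append("duplex mismatch: half-duplex side seeing late collisions; far end is probably full-duplex")
    elif c["late_collisions"]:
        findings.append("late collisions: cable run too long or duplex mismatch")
    if c["crc"] or c["frame"]:
        findings.append("CRC/frame errors: bad cable, connector or EMI (on a full-duplex port also a duplex mismatch symptom)")
    if c["runts"] and c["collisions"]:
        findings.append("runts with collisions: collision fragments on a shared or mismatched segment")
    elif c["runts"]:
        findings.append("runts without collisions: faulty NIC or cabling")
    if c["giants"]:
        findings.append("giants: MTU or jumbo-frame mismatch with the neighbor")
    if c["output_drops"]:
        findings.append("output drops: egress congestion (oversubscription or speed mismatch)")
    if c["interface_resets"] > 1:
        findings.append("repeated interface resets: flapping link or failing hardware")
    return findings


if __name__ == "__main__":
    parsed = parse_show_interface(SAMPLE_OUTPUT)
    print(parsed["status"], parsed["duplex"], parsed["speed"])
    print(parsed["counters"])
    for finding in diagnose(parsed):
        print("-", finding)
```

Run the parser on the real output of several ports and compare counters between two snapshots taken a few minutes apart: counters that are still incrementing point at a live fault, while a large but static value may be the history of a cable that was fixed long ago (clear the counters after a repair so that the next reading is meaningful).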
There are some terms used in the above example, so we need to explore these
terms briefly:
Runts: Runts are Ethernet frames that are less than 64 bytes and may be caused
by excessive collisions. Of course, these frames have become more rare as
networks have become nearly collision free.
Giants: Today many technologies are enhancing networks by adding information to
Ethernet frames. This results in Jumbo Frames (Giants). This often indicates
frames of 9216 bytes for Gigabit Ethernet, but technically can refer to
anything over the standard IP MTU (Maximum Transmission Unit) of 1500 bytes,
that is, over 1518 bytes once the 14-byte Ethernet header and the 4-byte FCS
are counted.
Baby Giant Frames: What if your Ethernet frame is just a little larger than the
standard MTU of 1500 bytes? Specifically, what if your frame is 1600 bytes in
size? You have what networkers term a Baby Giant.
Table 1-06: Cable Terminologies
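The Frame Check Sequence mentioned under Errors and the runt/giant/baby-giant size classes in Table 1-06 can both be shown on a constructed frame. The code below is an added example for this page, not from the original text: it builds a minimal Ethernet frame, appends the CRC-32 FCS the way a NIC does, shows that a single flipped bit fails the check, and classifies frames by length. The 64/1518-byte thresholds are the IEEE 802.3 minimum and maximum; the 1600-byte baby-giant cut-off is the informal figure the text uses, adopted here as an assumption.

```python
import zlib

# 64 bytes minimum and 1518 bytes maximum (1500-byte MTU + 14-byte header + 4-byte
# FCS) are the standard limits; 1600 as the baby-giant ceiling is the text's informal
# figure and an assumption of this example.
MIN_FRAME, MAX_STD_FRAME, BABY_GIANT_LIMIT = 64, 1518, 1600

# zlib.crc32 run over a frame that still carries a correct FCS always returns this
# residue, because the Ethernet FCS is CRC-32 sent least-significant byte first.
FCS_RESIDUE = 0x2144DF1C


def ethernet_fcs(frame_body):
    """CRC-32 (IEEE 802.3) over header + payload, in on-the-wire byte order."""
    return (zlib.crc32(frame_body) & 0xFFFFFFFF).to_bytes(4, "little")


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Assemble header + payload, pad to the 60-byte minimum body, then append the FCS."""
    body = dst_mac + src_mac + ethertype.to_bytes(2, "big") + payload
    body = body.ljust(MIN_FRAME - 4, b"\x00")
    return body + ethernet_fcs(body)


def fcs_ok(frame):
    """What a receiving NIC does: recompute the CRC over the whole frame and compare."""
    if len(frame) < 4:
        return False
    return (zlib.crc32(frame) & 0xFFFFFFFF) == FCS_RESIDUE


def classify_frame(frame):
    """Runt / normal / baby giant / giant by total length, FCS included."""
    n = len(frame)
    if n < MIN_FRAME:
        return "runt"
    if n <= MAX_STD_FRAME:
        return "normal"
    if n <= BABY_GIANT_LIMIT:
        return "baby giant"
    return "giant"


def corrupt_bit(frame, byte_index, bit):
    """Simulate one bit flipped in transit (EMI, a bad connector)."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 1 << bit
    return bytes(damaged)


if __name__ == "__main__":
    # Constructed addresses and payload; broadcast destination, arbitrary source MAC.
    frame = build_frame(b"\xff" * 6, bytes.fromhex("001122334455"), 0x0800, b"constructed payload")
    print(len(frame), classify_frame(frame), fcs_ok(frame))
    print("after a 1-bit error:", fcs_ok(corrupt_bit(frame, 20, 3)))
```

A frame that fails this check is dropped by the receiving interface and counted under CRC (and under runts if it is also short), which is why the counters in the show interface output are the first thing to read when a cable is suspect.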
TCP vs. UDP
There are two main transport protocols carried over the Internet Protocol (IP):
TCP, the Transmission Control Protocol, and UDP, the User Datagram Protocol.
TCP is connection oriented; once a connection is established, data can be sent
in both directions. UDP is a simpler, connectionless protocol: messages are
sent as individual datagrams, and, unlike TCP, UDP adds no reliability, flow
control, or error-recovery functions on top of IP. Because of UDP's simplicity,
UDP headers contain fewer bytes and consume less network overhead than TCP.
The following table compares the TCP and UDP protocols:
Parameter: Transmission Control Protocol (TCP) / User Datagram Protocol (UDP)
Connection
TCP: TCP is a connection-oriented protocol.
UDP: UDP is a connectionless protocol.
Function
TCP: As a message makes its way across the internet from one computer to another, the transfer is connection based.
UDP: UDP is also used for message transport, but it is not connection based: one program can send a load of packets to another and that is the end of the relationship.
Usage
TCP: Suited to applications that require high reliability and where transmission time is relatively less critical.
UDP: Suited to applications that need fast, efficient transmission, such as games. UDP's stateless nature is also useful for servers that answer small queries from huge numbers of clients.
Used by other protocols
TCP: HTTP, HTTPS, FTP, SMTP, Telnet
UDP: DNS, DHCP, TFTP, SNMP, RIP, VoIP
Ordering of data packets
TCP: TCP rearranges data packets into the order specified by their sequence numbers.
UDP: UDP has no inherent order, as all packets are independent of each other. If ordering is required, it has to be managed by the application layer.
Speed of transfer
TCP: Slower than UDP.
UDP: Faster, because error recovery is not attempted. It is a "best effort" protocol.
Reliability
TCP: Guarantees that the data transferred arrives intact and in the same order in which it was sent, or the connection is reported as failed.
UDP: There is no guarantee that the messages or packets sent will arrive at all.
Header size
TCP: 20 bytes (up to 60 bytes with options).
UDP: 8 bytes.
Common header fields
TCP: Source port, destination port, checksum.
UDP: Source port, destination port, checksum.
Streaming of data
TCP: Data is read as a byte stream; no distinguishing indications are transmitted to signal message (segment) boundaries.
UDP: Packets are sent individually and are checked for integrity only if they arrive. Packets have definite boundaries, which are honored upon receipt, meaning a read operation at the receiver socket yields an entire message as it was originally sent.
Weight
TCP: Heavyweight. TCP requires three packets to set up a socket connection before any user data can be sent, and it handles reliability and congestion control.
UDP: Lightweight. There is no ordering of messages and no tracking of connections. It is a small transport layer designed on top of IP.
Data flow control
TCP: TCP does flow control (the receiver's advertised window) and congestion control.
UDP: UDP has no flow control.
Error checking
TCP: TCP does error checking and error recovery. Erroneous or missing segments are retransmitted from the source to the destination.
UDP: UDP does error checking but simply discards erroneous packets. Error recovery is not attempted.
Fields
TCP: 1. Source Port 2. Destination Port 3. Sequence Number 4. Acknowledgment Number 5. Data Offset 6. Reserved 7. Control Bits 8. Window 9. Checksum 10. Urgent Pointer 11. Options 12. Padding
UDP: 1. Source Port 2. Destination Port 3. Length 4. Checksum
Acknowledgement
TCP: Acknowledgement segments
UDP: No acknowledgment
Handshake
TCP: SYN, SYN-ACK, ACK
UDP: No handshake (connectionless protocol)
Table 1-07: Comparison of TCP and UDP Protocol
TCP and UDP Working
Figure 1-30: TCP and UDP Working
IPv4 Addressing and Subnetting
In this topic, we are going to explore IPV4 addressing and subnetting. So first
of all, you should know what an IP address is.
IP Address: An IP address is the way a host is identified on a network or, in
simple words, a unique string of numbers separated by full stops that
identifies each computer using the Internet Protocol to communicate over a
network. An example is given below:
192 . 168 . 1 . 4
11000000 10101000 00000001 00000100
One byte = Eight bits
Thirty-Two bits (4*8), or 4 bytes
An IPv4 address is a 32-bit number that we like to represent in dotted
decimal notation. Consider using a conversion chart for the 8 bits that exist in
an octet to help you with the various subnetting exercises you might
encounter in the exam.
A Conversion Chart for IPv4 Addressing and Subnetting Questions
128 64 32 16 8 4 2 1
Table 1-08: Conversion Chart for IPv4 Addressing and Subnetting
Example: To represent 186 we turn ON the bits 128 + 32 + 16 + 8 + 2, giving
10111010. Using the table above, you can easily work out such values.
CIDR (Classless Inter-Domain Routing) notation writes the subnet mask as a
slash followed by a number. That number is the count of ON bits in the mask,
that is, the number of network bits in the address.
An IPv4 address is a 32-bit, 4-octet number, written with its prefix length
as, for example, 192.168.1.1/24.
/24 is the CIDR notation; it says that the first 24 bits identify the network
and the remaining 8 bits identify hosts within it.
Early in the development of TCP/IP, the designers created address classes to
accommodate networks of various sizes. Notice that they did this by fixing the
initial (high-order) bit values of the first octet, as the table below shows.
IP addresses are broken into the two components:
Network Component: Defines network segment of device.
Host Component: Defines the specific device on a particular network
segment
Address Class       High-Order Bits   1st Octet Range in Decimal
A                   0                 0.0.0.0 – 127.255.255.255 (1 – 127)
B                   10                128.0.0.0 – 191.255.255.255 (128 – 191)
C                   110               192.0.0.0 – 223.255.255.255 (192 – 223)
D (Multicast)       1110              224.0.0.0 – 239.255.255.255 (224 – 239)
E (Experimental)    1111              240.0.0.0 – 255.255.255.255 (240 – 255)
Table 1-09: IPv4 Address Range
0.0.0.0 is reserved; it stands for "any" or all IP addresses (as in the
default route 0.0.0.0/0) rather than for a particular host
127.x.x.x is reserved and is used for testing, like a loopback on an
interface. For example: 127.0.0.1
255.255.255.255 is a reserved address and is used for broadcasting purposes
IPV4 Subnetting: Subnetting is the process of dividing a large network into
smaller networks based on the layer 3 IP address. Every computer on a network
has an IP address that represents its location on the network. Two versions of
IP addresses are available, IPv4 and IPv6. In this workbook, we will perform
subnetting on IPv4.
Another critical memorization point here is the default subnet masks for these
address classes. Remember, it is the job of the subnet mask to define what
portion of the 32-bit address represents the network portion versus the host
portion. The table below defines the default masks.
Address Class   Default Mask     Prefix Notation   Mask Bits
A               255.0.0.0        /8                8
B               255.255.0.0      /16               16
C               255.255.255.0    /24               24
Table 1-10: IPV4 Subnetting
Note that subnet masks must use contiguous ON bits (1) followed by contiguous
OFF bits (0). This leaves only the possible values for a subnet mask octet
shown in the table below:
ON Bits Value
11111111 255
11111110 254
11111100 252
11111000 248
11110000 240
11100000 224
11000000 192
10000000 128
0 0
Table 1-11: Subnet Mask Values
Subnet Mask: A subnet mask is a 32-bit value used to distinguish the network
address from the host address within an IP address. A subnet mask is always
used together with an IP address and has only one purpose: to identify which
part of the IP address is the network address and which part is the host
address. For example, how do we find the network part and the host part of the
IP address 192.168.1.4? We need the subnet mask to get that information.
In decimal notation, a subnet mask octet of 255 marks an octet that belongs
entirely to the network address, 0 [Zero] marks an octet that belongs entirely
to the host address, and any other value from Table 1-11 marks an octet that
is split between the two.
In binary notation, an ON bit [1] in the subnet mask marks a network bit and
an OFF bit [0] marks a host bit.
In Decimal Notation
IP address 192.168.1.4
Subnet mask 255.255.255.0
The network address is 192.168.1.0 and the host part is the last octet, 4, so
the host is 192.168.1.4. The binary notation is:
In Binary Notation
IP address 11000000.10101000.00000001.00000100
Subnet mask 11111111.11111111.11111111.00000000
The network part is 11000000.10101000.00000001 and the host part is
00000100.
Advantages of Subnetting
Subnetting breaks a large network into smaller networks, and smaller networks are easier to manage
Subnetting reduces network traffic by confining broadcast traffic (and, on shared media, collisions) to each subnet, which improves overall performance
Subnetting allows you to apply network security policies at the interconnection between subnets
Subnetting allows you to save money by reducing the requirement for IP address ranges
Example Class C Subnetting
192.168.1.4/27
CIDR /27 has subnet mask 255.255.255.224, and 224 is 11100000 in binary. We
used three host bits as network bits.
Default Subnet Mask _ Host_
11111111. 11111111. 11111111. 111 00000
N (We have used three host bits as network bits to extend the default subnet
mask ----- N=3 H=5)
Subnet Mask: 255.255.255.224
N = 3
H = 5
Total subnets (2^N): 2^3 = 8
Block size (256 - subnet mask): 256 - 224 = 32
Valid subnets (count blocks from 0): 0, 32, 64, 96, 128, 160, 192, 224
(0+32=32, 32+32=64, 64+32=96, 96+32=128 and so on)
Total hosts (2^H): 2^5 = 32
Valid hosts per subnet (Total hosts - 2): 32 - 2 = 30
Subnets         Sub 1   Sub 2   Sub 3   Sub 4   Sub 5   Sub 6   Sub 7   Sub 8
Network ID      0       32      64      96      128     160     192     224
First host      1       33      65      97      129     161     193     225
Last host       30      62      94      126     158     190     222     254
Broadcast ID    31      63      95      127     159     191     223     255
Table 1-12: Subnet Mask Status
You can see clearly that 192.168.1.4 belongs to Subnet 1, so by using this
simple method, you can calculate things easily.
Network Id: 192.168.1.0
Valid First Host IP Address: 192.168.1.1
Next: 192.168.1.2
.
Our Host: 192.168.1.4
.
.
Last Host in this Subnet: 192.168.1.30
Broadcast: 192.168.1.31
Example 2: Given the block 172.18.27.0 and a requirement for 123 hosts
172 . 18 . 27 . 0
10101100 00010010 00011011 00000000
Find: Network ID, Broadcast ID, Subnet Mask, 1st usable, last usable, number of
subnets:
Now, how can we fit 123 hosts? For this, we use powers of two. With 2^7 = 128
addresses per block (126 usable once the network and broadcast addresses are
excluded), 123 hosts fit; 2^6 = 64 would be too small.
Default Subnet Mask _ Host_
11111111 . 11111111 . 11111111 . 1 0000000
N (We have used one host bit as a network bit to extend the default
subnet mask ----- N=1 H=7)
Subnet Mask: 255.255.255.128
N = 1
H = 7
Total Subnets (2^N): 2^1 = 2
Block Size (256 - subnet mask): 256 - 128 = 128
Valid Subnets (count blocks from 0): 0, 128 (0 + 128 = 128)
Total Hosts (2^H): 2^7 = 128
Valid Hosts Per Subnet (Total hosts - 2): 128 - 2 = 126
Subnets         Sub 1            Sub 2
Network ID      172.18.27.0      172.18.27.128
First Host      172.18.27.1      172.18.27.129
Next Host       172.18.27.2      172.18.27.130
.               .                .
Last Host       172.18.27.126    172.18.27.254
Broadcast ID    172.18.27.127    172.18.27.255
Table 1-13: Subnet Mask Table
The Need for Private IPv4 Addressing
The designers of IPv4 created private address space to help alleviate the
depletion of IPv4 addresses. This address space is not routable on the public
internet. The address space can be used as needed inside corporations and
would then be translated using Network Address Translation (NAT) to allow
access to and through the public internet.
The use of private addresses and NAT tends to mean that the same address
ranges are used in homes today (typically the 192.168.1.X range). The table
below shows the private address space:
Address Class Range of Private Addresses
A 10.0.0.0 to 10.255.255.255
B 172.16.0.0 to 172.31.255.255
C 192.168.0.0 to 192.168.255.255
Table 1-14: The IPv4 Private Address Ranges
Case Study
A local bank in your city has recently revamped their WAN and LAN
network. The bank has 14 branches in the city connected to Head Office over
frame relay network. All links are point to point (unique subnet). The Head
office has around 400 hosts and each of the branches has 15 to 20 hosts. You
are assigned the task of designing the private network schema for the bank.
Solution
You have decided to use the Class A “10.0.0.0” network segment for the
bank network.
Figure 1-31: IPV4 Addressing and Subnetting
Head Office LAN
Let’s start with HO (Head Office) LAN, which has 400 hosts. You discussed
with your senior and he advised that 400 hosts in a single segment could
create a lot of broadcast traffic. You decided to break the LAN segment into
two subnets.
1. Network: 10.0.0.0 Mask: 255.0.0.0
You only need 200 hosts in each LAN segment.
Use the formula 2^n - 2 to calculate the number of hosts per subnet, where n
is the number of bits in the host portion.
2. No of Hosts: (2^8)-2 = 254
Default Class A Subnet Mask
Decimal   255        0          0          0
Binary    11111111   00000000   00000000   00000000
As n=8, starting from the far left we keep the last 8 bits as "0" and set all
the rest to "1":
New Subnet Mask
Binary    11111111   11111111   11111111   00000000
Decimal   255        255        255        0
LAN Subnet 1
Network Address     10.1.1.0
Subnet Mask         255.255.255.0
Broadcast Address   10.1.1.255
First Host          10.1.1.1
Last Host           10.1.1.254
LAN Subnet 2
Network Address     10.1.2.0
Subnet Mask         255.255.255.0
Broadcast Address   10.1.2.255
First Host          10.1.2.1
Last Host           10.1.2.254
Branches LAN
No of branches: 14
No of hosts in each branch: 15-20
No of Hosts per branch subnet: (2^5)-2 = 30 (a /27, mask 255.255.255.224)
No of Subnets needed: 14
Note: Four subnet bits would give (2^4)-2 = 14 subnets under the old rule that
discards the first and last subnet, which would be just enough for the current
scenario. We should always leave some buffer for future expansion, and within
10.0.0.0/8 there is no shortage: each /24 block holds eight /27 subnets, so
the 14 branches span 10.1.3.0/24 and the first half of 10.1.4.0/24.
We will start from subnet 10.1.3.0/27, which will give us 30 hosts in each
subnet.
Branch   Network Address   Subnet Mask       Broadcast Address   First Host    Last Host
1        10.1.3.0          255.255.255.224   10.1.3.31           10.1.3.1      10.1.3.30
2        10.1.3.32         255.255.255.224   10.1.3.63           10.1.3.33     10.1.3.62
3        10.1.3.64         255.255.255.224   10.1.3.95           10.1.3.65     10.1.3.94
4        10.1.3.96         255.255.255.224   10.1.3.127          10.1.3.97     10.1.3.126
5        10.1.3.128        255.255.255.224   10.1.3.159          10.1.3.129    10.1.3.158
6        10.1.3.160        255.255.255.224   10.1.3.191          10.1.3.161    10.1.3.190
7        10.1.3.192        255.255.255.224   10.1.3.223          10.1.3.193    10.1.3.222
8        10.1.3.224        255.255.255.224   10.1.3.255          10.1.3.225    10.1.3.254
9        10.1.4.0          255.255.255.224   10.1.4.31           10.1.4.1      10.1.4.30
10       10.1.4.32         255.255.255.224   10.1.4.63           10.1.4.33     10.1.4.62
11       10.1.4.64         255.255.255.224   10.1.4.95           10.1.4.65     10.1.4.94
12       10.1.4.96         255.255.255.224   10.1.4.127          10.1.4.97     10.1.4.126
13       10.1.4.128        255.255.255.224   10.1.4.159          10.1.4.129    10.1.4.158
14       10.1.4.160        255.255.255.224   10.1.4.191          10.1.4.161    10.1.4.190
Table 1-15: LAN Branch Status
WAN
As all the links are point to point, there will be 14 subnets in total, each
with 2 hosts.
No of hosts (routers) in each subnet: 2
No of point-to-point segments: 14
No of Hosts per link subnet: (2^2)-2 = 2 (a /30, mask 255.255.255.252)
No of /30 subnets in a /24 block: 2^6 = 64, so all 14 links fit in 10.1.5.0/24
We will start from subnet 10.1.5.0/30, which will give us 2 hosts in each
subnet.
WAN   Network Address   Subnet Mask       Broadcast Address   First Host   Last Host
1     10.1.5.0          255.255.255.252   10.1.5.3            10.1.5.1     10.1.5.2
2     10.1.5.4          255.255.255.252   10.1.5.7            10.1.5.5     10.1.5.6
3     10.1.5.8          255.255.255.252   10.1.5.11           10.1.5.9     10.1.5.10
4     10.1.5.12         255.255.255.252   10.1.5.15           10.1.5.13    10.1.5.14
5     10.1.5.16         255.255.255.252   10.1.5.19           10.1.5.17    10.1.5.18
6     10.1.5.20         255.255.255.252   10.1.5.23           10.1.5.21    10.1.5.22
7     10.1.5.24         255.255.255.252   10.1.5.27           10.1.5.25    10.1.5.26
8     10.1.5.28         255.255.255.252   10.1.5.31           10.1.5.29    10.1.5.30
9     10.1.5.32         255.255.255.252   10.1.5.35           10.1.5.33    10.1.5.34
10    10.1.5.36         255.255.255.252   10.1.5.39           10.1.5.37    10.1.5.38
11    10.1.5.40         255.255.255.252   10.1.5.43           10.1.5.41    10.1.5.42
12    10.1.5.44         255.255.255.252   10.1.5.47           10.1.5.45    10.1.5.46
13    10.1.5.48         255.255.255.252   10.1.5.51           10.1.5.49    10.1.5.50
14    10.1.5.52         255.255.255.252   10.1.5.55           10.1.5.53    10.1.5.54
Table 1-16: WAN Branch Status
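The block-size arithmetic used in the Class C example, in Example 2 and throughout the bank case study is the same calculation each time, so it is worth having it in code where a slip such as a broadcast address one block off cannot creep in. The script below is an added example written for this page, not code from the original text. It goes slightly beyond the text: plan_vlsm() is a general variable-length allocator that sizes each subnet from its host count and packs them largest first so every block starts on its own boundary; the hypothetical name list reproduces the bank scenario (two head-office LANs, 14 branches, 14 point-to-point links), and with start set to 10.1.1.0 the LAN and branch blocks land where the case study put them, while the /30 links follow the last branch instead of starting a fresh /24.

```python
import ipaddress
import math


def prefix_for_hosts(hosts):
    """Smallest prefix whose block holds `hosts` usable addresses (the 2^H - 2 rule, H >= 2)."""
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits


def subnet_info(cidr):
    """Network ID, mask, broadcast and usable host range of the subnet that contains `cidr`."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False accepts a host address such as 192.168.1.4/27
    if net.prefixlen > 30:
        raise ValueError("/31 and /32 have no network/broadcast pair and are out of scope here")
    return {
        "network": str(net),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable": net.num_addresses - 2,
        "block_size": net.num_addresses,
    }


def plan_vlsm(base_cidr, requirements, start=None):
    """Allocate one subnet per (name, hosts) requirement inside base_cidr.
    Largest first, so each block starts on a multiple of its own size and none overlap;
    `start` (an address inside the base) lets the plan begin above reserved space."""
    base = ipaddress.ip_network(base_cidr)
    cursor = int(ipaddress.IPv4Address(start)) if start else int(base.network_address)
    plan = []
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        cursor = -(-cursor // size) * size            # round up to the next block boundary
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(cursor)}/{prefix}")
        if not net.subnet_of(base):
            raise ValueError(f"{base} exhausted while placing {name}")
        plan.append((name, subnet_info(str(net))))
        cursor += size
    return plan


if __name__ == "__main__":
    print(subnet_info("192.168.1.4/27"))               # the Class C example: 192.168.1.0/27, hosts .1 to .30
    print(subnet_info(f"172.18.27.0/{prefix_for_hosts(123)}"))   # Example 2: a /25
    # Hypothetical names for the bank case study (constructed for this example).
    bank = [("HO-LAN-1", 200), ("HO-LAN-2", 200)]
    bank += [(f"Branch-{i}", 20) for i in range(1, 15)]
    bank += [(f"WAN-link-{i}", 2) for i in range(1, 15)]
    for name, info in plan_vlsm("10.1.0.0/16", bank, start="10.1.1.0"):
        print(f"{name:12} {info['network']:18} bcast {info['broadcast']:14} "
              f"hosts {info['first_host']} to {info['last_host']}")
```

Sorting by size is what keeps the plan valid: a /27 placed after a /30 would otherwise start mid-block, and the resulting network ID would not be a multiple of its block size, which is exactly the error to look for when an address plan handed over by someone else "almost" works.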
IPv6 Addressing and Prefix
IPv6, formerly named IPng (next generation), is the latest version of the
Internet Protocol (IP). IP is a packet-based protocol used to exchange data,
voice, and video traffic over digital networks. IPv6 was proposed when it
became clear that the 32-bit addressing scheme of IP version 4 (IPv4) was
inadequate to meet the demands of internet growth. After extensive
discussion, it was decided to base IPng on IP but add a much larger address
space and improvements such as a simplified main header and extension
headers. IPv6 is described initially in RFC 2460, Internet Protocol, Version 6
(IPv6). Specification, issued by the Internet Engineering Task Force (IETF).
Further RFCs describe the architecture and services supported by IPv6.
Internet Protocol version 6 (IPv6) expands the number of network address
bits from 32 bits (in IPv4) to 128 bits, which provides more than enough
globally unique IP addresses for every networked device on the planet. The
unlimited address space provided by IPv6 allows Cisco to deliver more and
newer applications and services with reliability, improved user experience,
and increased security.
Implementing basic IPv6 connectivity in the Cisco software consists of
assigning IPv6 addresses to individual device interfaces. IPv6 traffic
forwarding can be enabled globally, and Cisco Express Forwarding switching
for IPv6 can also be enabled. The user can enhance basic connectivity by
configuring support for AAAA (IPv6 address) record types in the Domain Name
System (DNS) name-to-address and address-to-name lookup processes, and by
managing IPv6 neighbor discovery.
Restrictions for Implementing IPv6 Addressing and Basic Connectivity
IPv6 packets are transparent to Layer 2 LAN switches because the switches
do not examine Layer 3 packet information before forwarding IPv6 frames.
Therefore, IPv6 hosts can be directly attached to Layer 2 LAN switches.
Multiple IPv6 global addresses within the same prefix can be configured on
an interface.
IPv6 Address Formats
IPv6 addresses are represented as a series of 16-bit hexadecimal fields
separated by colons (:) in the format: x:x:x:x:x:x:x:x. Following are two
examples of IPv6 addresses:
2001:DB8:7654:3210:FEDC:BA98:7654:3210
2001:DB8:0:0:8:800:200C:417A
IPv6 addresses commonly contain successive hexadecimal fields of zeros.
Two colons (::) may be used to compress successive hexadecimal fields of
zeros at the beginning, middle, or end of an IPv6 address (the colons
represent successive hexadecimal fields of zeros). The table below lists
compressed IPv6 address formats.
A double colon may be used as part of the ipv6-address argument when
consecutive 16-bit values are denoted as zero. You can configure multiple
IPv6 addresses per interface, but only one link-local address.
Exam Tip
Two colons (::) can be used only once in an IPv6 address to represent the
longest successive hexadecimal fields of zeros. The hexadecimal letters in
IPv6 addresses are not case-sensitive.
IPv6 Address Type   Preferred Format                 Compressed Format
Unicast             2001:0:0:0:DB8:800:200C:417A     2001::DB8:800:200C:417A
Multicast           FF01:0:0:0:0:0:0:101             FF01::101
Loopback            0:0:0:0:0:0:0:1                  ::1
Unspecified         0:0:0:0:0:0:0:0                  ::
Table 1-17: Compressed IPv6 Address Formats
The loopback address listed in the table above may be used by a node to send
an IPv6 packet to itself. The loopback address in IPv6 functions the same as
the loopback address in IPv4 (127.0.0.1).
Exam Tip
The IPv6 unspecified address cannot be assigned to an interface. The
unspecified IPv6 addresses must not be used as destination addresses in
IPv6 packets or the IPv6 routing header.
An IPv6 address prefix, in the format ipv6-prefix/prefix-length, represents a
bit-wise contiguous block of the address space. The ipv6-prefix must be in the
form documented in RFC 2373 (since superseded by RFC 4291): 16-bit values
written in hexadecimal and separated by colons. The prefix length is a decimal
value that indicates how many of the high-order contiguous bits of the address
make up the prefix (the network portion of the address). For example,
2001:DB8:8086:6502::/32 is a valid IPv6 prefix; only its first 32 bits
(2001:DB8) are significant, so the canonical way to write the same prefix is
2001:DB8::/32.
IPv6 Subnetting
Figure 1-32: IPv6 Subnetting
As shown in the figure, the bits of an IPv6 address after the global routing
prefix can be subnetted in more than one way: you can divide them into Site,
Sub-Site and Host (interface ID) bits, or only into Site and Host bits when
very large host counts are needed.
IPv6 Packet Header
The basic IPv4 packet header has 12 fields with a total size of 20 octets (160
bits) (see the figure below). The 12 fields may be followed by an Options
field, which is followed by a data portion that is usually the transport-layer
packet. The variable length of the Options field adds to the total size of the
IPv4 packet header. The shaded fields of the IPv4 packet header shown in the
figure below are not included in the IPv6 packet header.
Figure 1-33: IPv4 Packet Header Format
The basic IPv6 packet header has 8 fields with a total size of 40 octets (320
bits). Fields were removed from the IPv6 header because, in IPv6, intermediate
routers do not fragment packets and the network layer carries no checksum.
Instead, fragmentation in IPv6 is performed only by the source of a packet, and
the data-link and transport-layer checksums are relied upon. In IPv4 the UDP
checksum is optional; in IPv6 the UDP checksum is mandatory, because it is the
only check that covers the addresses and the payload. Additionally, the basic
IPv6 packet header and the extension headers are aligned to 64 bits, which
speeds up the processing of IPv6 packets.
Field                 Description
Version               Same as the Version field in the IPv4 header, except that it carries the value 6 instead of 4
Traffic Class         Similar to the Type of Service field in the IPv4 header; tags the packet with a class used by differentiated services (DiffServ)
Flow Label            New in IPv6; tags packets that belong to the same flow so routers can treat them consistently without inspecting higher layers
Payload Length        Similar to the Total Length field in IPv4, but it counts only what follows the 40-byte fixed header (extension headers plus upper-layer data)
Next Header           Similar to the Protocol field in the IPv4 header; identifies what follows the fixed header, either a transport-layer segment (for example TCP or UDP) or an extension header
Hop Limit             Similar to the Time to Live field in the IPv4 header; the maximum number of routers the packet may pass through. Each router decrements it by one and discards the packet when it reaches zero. Because there is no header checksum in IPv6, the router can decrement the value without recalculating a checksum, which saves processing resources
Source Address        Same as in the IPv4 header, except that it holds a 128-bit source address instead of a 32-bit one
Destination Address   Same as in the IPv4 header, except that it holds a 128-bit destination address instead of a 32-bit one
Table 1-18: IPv6 Header Fields
Following the eight fields of the basic IPv6 packet header come the optional
extension headers and then the data portion of the packet. If present, each
extension header is aligned to 64 bits. There is no fixed number of extension
headers in an IPv6 packet; they form a chain in which each header is identified
by the Next Header field of the header before it. Typically, the final
extension header has a Next Header value of a transport-layer protocol, such
as TCP or UDP.
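The following added example (written for this edition, not code from the book or from Cisco) puts the header layout and the Next Header chain into practice: it builds an IPv6 packet consisting of the 40-byte fixed header, one Destination Options extension header and a UDP datagram, then parses the chain back and checks the UDP checksum over the IPv6 pseudo-header. The addresses and payload are constructed here using the 2001:db8::/32 documentation prefix.

```python
"""Build an IPv6 packet with one extension header, walk the Next Header chain,
and verify the UDP checksum over the IPv6 pseudo-header.
Added example, not code from the book; the packet below is constructed here."""
import struct

# Next Header values (IANA protocol numbers)
HOPOPT, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
TCP, UDP, ICMPV6 = 6, 17, 58
CHAINED = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}   # headers this parser knows how to skip

# Constructed sample addresses (documentation prefix 2001:db8::/32)
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6_header(src, dst, payload_len, next_header, hop_limit=64,
                traffic_class=0, flow_label=0):
    """40-byte fixed header: Version|Traffic Class|Flow Label, Payload Length,
    Next Header, Hop Limit, Source, Destination."""
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit) + src + dst


def dst_options_header(next_header):
    """8-byte Destination Options header holding one PadN(4) option.
    Hdr Ext Len counts 8-octet units beyond the first 8, so it is 0 here."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def ones_complement_sum(data):
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src, dst, udp):
    """Checksum over the IPv6 pseudo-header (src, dst, upper-layer length,
    3 zero bytes, Next Header=17) followed by the UDP datagram."""
    pseudo = src + dst + struct.pack("!IxxxB", len(udp), UDP)
    return ones_complement_sum(pseudo + udp)


def udp_datagram(src, dst, sport, dport, payload):
    """UDP header with the mandatory IPv6 checksum (0 is sent as 0xFFFF, RFC 8200)."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src, dst, header + payload) or 0xFFFF
    return header[:6] + struct.pack("!H", csum) + payload


def parse(packet):
    """Decode the fixed header and follow the extension-header chain."""
    if len(packet) < 40:
        raise ValueError("too short for an IPv6 header")
    first_word, payload_len, nh, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if len(packet) != 40 + payload_len:
        raise ValueError("Payload Length does not match packet size")
    chain, off = [], 40
    while nh in CHAINED:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        chain.append(nh)
        # The Fragment header is always 8 bytes; the others carry Hdr Ext Len.
        ext_len = 8 if nh == FRAGMENT else (packet[off + 1] + 1) * 8
        nh = packet[off]
        off += ext_len
        if off > len(packet):
            raise ValueError("extension header runs past end of packet")
    return {"traffic_class": (first_word >> 20) & 0xFF, "flow_label": first_word & 0xFFFFF,
            "hop_limit": hop_limit, "src": packet[8:24], "dst": packet[24:40],
            "chain": chain, "upper": nh, "upper_offset": off}


def is_well_formed(packet):
    try:
        parse(packet)
        return True
    except ValueError:
        return False


def verify_udp(packet):
    """True when the upper-layer UDP checksum is present and correct."""
    info = parse(packet)
    if info["upper"] != UDP:
        raise ValueError("upper-layer protocol is not UDP")
    udp = packet[info["upper_offset"]:]
    received = struct.unpack("!H", udp[6:8])[0]
    if received == 0:
        return False                       # a zero UDP checksum is invalid over IPv6
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    return (udp_checksum(info["src"], info["dst"], zeroed) or 0xFFFF) == received


def build_sample(payload=b"hello ipv6", hop_limit=64):
    """Fixed header -> Destination Options -> UDP, as one byte string."""
    udp = udp_datagram(SRC, DST, 40000, 53, payload)
    ext = dst_options_header(UDP)
    return ipv6_header(SRC, DST, len(ext) + len(udp), DSTOPTS, hop_limit) + ext + udp
```

Two things worth trying with it: decrementing the Hop Limit byte leaves the UDP checksum valid, which is exactly why routers can forward without recomputing anything; flipping a single payload bit fails verification, because the pseudo-header checksum is the only integrity check the packet carries once the IPv4 header checksum is gone.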
IPv6 Addressing and Subnetting
The IPv6 address format is eight groups of four hex digits, with a colon
separating each group. For example:
2001:1111:A231:0001:2341:9AB3:1001:19C3
Remember, there are two rules for shortening these IPv6 addresses:
Once in the address, you can represent consecutive groups of
0000s with a double colon (::)
As many times as you like in the address, you can eliminate
leading 0s; a group of all zeros (0000) becomes simply 0
Here is an example of applying these rules to make the address
convenient to read and type:
2001:0000:0011:0001:0000:0000:0001:1AB1
2001:0:11:1::1:1AB1
The subnet mask is presented in prefix notation only. For example, an IPv6
address that uses the first 64 bits to represent the network could be shown as:
2001:0:11:1::1:1AB1/64
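The two shortening rules, the compressed formats in Table 1-17 and the prefix notation above are easy to get subtly wrong by hand (which run of zeros to collapse, whether a single 0 may become ::, what the /64 actually masks). The following added example, written for this edition rather than taken from the book, implements expansion, compression and prefix arithmetic explicitly so the rules are visible, and cross-checks its output against Python's ipaddress module, which follows the same RFC 5952 text representation.

```python
"""IPv6 text-format helpers: expand, compress (RFC 5952 style) and prefix math.
Added example, not from the book. Written by hand so the two shortening rules
are visible; ipaddress is used only to cross-check the results."""
import ipaddress


def expand(addr):
    """Parse an IPv6 literal into eight 16-bit integers, honouring '::'."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = [int(x, 16) for x in head.split(":")] if head else []
        tail_parts = [int(x, 16) for x in tail.split(":")] if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field")
        parts = head_parts + [0] * missing + tail_parts
    else:
        parts = [int(x, 16) for x in addr.split(":")]
    if len(parts) != 8 or any(not 0 <= p <= 0xFFFF for p in parts):
        raise ValueError(f"not a valid IPv6 address: {addr!r}")
    return parts


def is_valid(addr):
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def preferred(parts):
    """Eight fields with leading zeros kept (x:x:x:x:x:x:x:x)."""
    return ":".join(f"{p:04x}" for p in parts)


def compress(parts):
    """Rule 2: drop leading zeros in every field. Rule 1: replace the longest
    run of two or more zero fields with '::' (the leftmost run wins a tie)."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if parts[i] == 0:
            j = i
            while j < 8 and parts[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    fields = [f"{p:x}" for p in parts]
    if best_len < 2:                       # a lone zero field stays as '0'
        return ":".join(fields)
    return ":".join(fields[:best_start]) + "::" + ":".join(fields[best_start + best_len:])


def matches_stdlib(addr):
    """Cross-check: our compression equals ipaddress's canonical string."""
    return compress(expand(addr)) == str(ipaddress.IPv6Address(addr))


def to_int(parts):
    value = 0
    for p in parts:
        value = (value << 16) | p
    return value


def from_int(value):
    return [(value >> (112 - 16 * k)) & 0xFFFF for k in range(8)]


def network_prefix(addr, length):
    """Zero the host bits of addr and return the compressed prefix/length."""
    mask = ((1 << length) - 1) << (128 - length)
    return f"{compress(from_int(to_int(expand(addr)) & mask))}/{length}"


def subnets_of(prefix, new_length, count):
    """First `count` subnets when prefix (e.g. a /48) is carved into /new_length."""
    addr, length = prefix.split("/")
    length = int(length)
    if not length < new_length <= 128:
        raise ValueError("new prefix length must be longer than the original")
    base = to_int(expand(addr)) & (((1 << length) - 1) << (128 - length))
    step = 1 << (128 - new_length)
    return [f"{compress(from_int(base + i * step))}/{new_length}" for i in range(count)]
```

Note the two deliberate choices that match RFC 5952: hexadecimal output is lower case (the letters are not case-sensitive on input), and a single zero field is never collapsed to ::, so 2001:0:11:1::1:1AB1 keeps its first lone 0.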
This section of your exam blueprint focuses on the global unicast address
space for IPv6. These function like the public IPv4 addresses that we are
accustomed to. Other types of IPv6 addresses are elaborated upon later in this
chapter.
The Internet Assigned Numbers Authority (IANA) does the management of
the IPv6 address space. IANA assigns blocks of address spaces to regional
registries, who then allocate address spaces to network service providers.
Your organization may request address space from a service provider. For
example, a company may be assigned address space similar to
2001:DB8:6783::/48, and from that block it can create and use subnets.
To simplify subnetting in IPv6, companies often use a /64 mask. Remember,
this means a 64-bit network portion and a 64-bit host portion.
IPv6 Stateless Address Auto Configuration
If you think the ability of an IPv6 device to build its own interface
identifier (modified EUI-64) is impressive, what is even more useful is having
one device assist another in assigning the entire address. This is Stateless
Address Autoconfiguration (SLAAC). Stateless simply means that no device keeps
track of which addresses have been handed out. By contrast, in both IPv4 and
IPv6 you can use a DHCP server in a "stateful" manner: the DHCP server provides
the address information that devices need and tracks the leases in a database,
which involves a fair amount of overhead for the server.
In IPv6 you can instead use SLAAC together with stateless DHCPv6 to give a host
all the information it might need: the IPv6 address, the prefix length, the
default gateway address, and the DNS server address(es).
With SLAAC, the IPv6 device learns the prefix automatically over the local
link from a router advertisement (RA), and then generates the host portion
(the interface ID) itself, either from its MAC address using modified EUI-64
or randomly (privacy extensions). The RA also supplies the default gateway,
which is the router's link-local address. Because a basic RA does not carry
information such as DNS server addresses, SLAAC is often combined with
stateless DHCPv6 (the RA's O flag tells hosts to ask DHCPv6 for "other"
configuration); newer routers can also put DNS servers directly in the RA
(RDNSS option, RFC 8106).
Note
Remember, Cisco routers that support IPv6 are ready for any of the IPv6
interface addressing methods with no special configuration. However, if the
router needs to forward IPv6 packets or run IPv6 routing protocols (such as
OSPFv3 or EIGRP for IPv6), you must enable the ipv6 unicast-routing command
as discussed earlier in this chapter.
What’s wrong with IPv4?
Addressing
Not enough addresses: the current addressing scheme allows for over 2
million networks, but most are Class C, which are too small to be useful,
and most of the Class B networks have already been assigned
Quality of Service
The IPv4 header has no flow-label or QoS mechanism that lets high-bandwidth,
high-reliability applications get better handling
Security
IP packets can be easily snooped from the network
No standard for authentication of the user to a server
No standard for encryption of data in packets (IPsec was later retrofitted
to IPv4 as an optional extension)
Packet Size
Maximum packet size is 2^16 – 1 (65,535) bytes, which may be too small for
newer, faster networks
IPv6 Enhancements
• Expanded address space up to 128 bits
• Improved option mechanism by separating optional headers between
IPv6 header and transport layer header
• Improved speed and simplified router processing
• Dynamic assignment of addresses and auto configuration
• Increased addressing flexibility by anycast (delivered to one of a set of
nodes) and improved scalability of multicast addresses
• Support for resource allocation
– Replaces type of service
– Labeling of packets to particular traffic flow
– Allows special handling, e.g., real time video
Mind Map
Figure 1-34: Mind Map of Network Fundamentals
IPv6 Address Types
IPv6 address types are defined in RFC 4291, IP Version 6 Addressing
Architecture. In this section we take a brief look at the different types of
IPv6 addresses, which are as follows:
Figure 1-35: IPv6 Address Types
Note
IPv6 does not have a broadcast address. Other options exist in IPv6, such as
a solicited-node multicast address and an all-IPv6 devices multicast
address.
Global Unicast
Global Unicast Addresses (GUAs) are globally routable and reachable on the
IPv6 Internet; they are the equivalent of public IPv4 addresses. GUAs are
also known as aggregatable global unicast addresses. A GUA consists of a
global routing prefix, a subnet ID and an interface ID. These addresses are
used on links that aggregate upward, eventually to ISPs (Internet Service
Providers). The first three bits of the addresses currently assigned for
global unicast are 001, so the range is 2000::/3 (2000:: through
3FFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF), normally with a 64-bit interface ID
(for example one derived with modified EUI-64).
Figure 1-36: Aggregatable Global Address
Unique Local
Unique Local Addresses (ULAs, RFC 4193) are similar in concept to the
private-use addresses of RFC 1918 in IPv4: they use the prefix FC00::/7 (in
practice FD00::/8, with a randomly chosen 40-bit global ID) and are not
intended to be routable on the IPv6 Internet. However, unlike RFC 1918
addresses, they are not intended to be statefully translated to a global
unicast address.
Figure 1-37: Unique Local Address
Link Local
As the name makes clear, these addresses only function on the local link.
IPv6 devices generate them automatically in order to perform many automated
functions between neighbours. Link-local addresses use the prefix FE80::/10
(in practice FE80::/64) and are used for Stateless Address Autoconfiguration
and the Neighbor Discovery Protocol; every IPv6 interface has one, whether or
not it has any other address.
Figure 1-38: Link Local Address
Anycast
An IPv6 anycast address is an address that can be assigned to more than one
interface (typically different devices). In other words, multiple devices can
have the same anycast address. A packet sent to an anycast address is routed
to the “nearest” interface having that address, according to the router’s
routing table.
There is no special prefix for an IPv6 anycast address. An IPv6 anycast
address uses the same address range as global unicast addresses. Each
participating device is configured to have the same anycast address. For
example, servers A, B, and C in the below figure could be DHCPv6 servers
with a direct Layer 3 connection into the network. These servers could
advertise the same /128 address using OSPFv3. The router nearest the client
request would then forward packets to the nearest server identified in the
routing table.
Figure 1-39: Anycast Address
Multicast
Just as in an IPv4 environment, multicast traffic is useful in IPv6.
Remember, multicasting means a packet is sent to a group of devices
interested in receiving the information. In IPv6, multicasting completely
replaces the IPv4 approach of broadcasting. If your device wants to reach all
devices on the link, it sends traffic to the IPv6 all-nodes multicast address
FF02::1.
Modified EUI 64
Modified Extended Unique Identifier (EUI-64) is an IPv6 mechanism that lets a
host derive its 64-bit interface ID from its 48-bit MAC address, eliminating
manual configuration or DHCP for the host portion. The MAC is split into its
24-bit OUI and 24-bit NIC halves, the 16-bit value FFFE is inserted between
them, and the Universal/Local bit (the seventh bit of the first byte) is
inverted. Because the interface ID embeds the MAC address, the same identifier
follows the host from network to network, which is why many operating systems
prefer randomly generated interface IDs (privacy extensions, RFC 4941).
Figure 1-40: Modified EUI-64
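The following added example (written for this edition, not code from the book or from Cisco) ties the SLAAC description earlier in the chapter to the modified EUI-64 construction above: it derives the interface ID from a MAC address, builds the link-local address, and then forms a global address from a constructed ICMPv6 Router Advertisement, honouring the RA's M/O flags and the Prefix Information option's A (autonomous) flag. The MAC address and RA bytes are constructed here, and the ICMPv6 checksum field is left at zero and not validated.

```python
"""Modified EUI-64 interface IDs and SLAAC address formation from a Router
Advertisement. Added example, not code from the book: the MAC address and the
RA bytes are constructed here (ICMPv6 checksum left as zero, not validated)."""
import ipaddress
import re
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3


def modified_eui64(mac):
    """48-bit MAC -> 64-bit interface ID: OUI || FF:FE || NIC, with the
    Universal/Local bit (0x02 of the first byte) inverted."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    b = bytes.fromhex(digits)
    eui = bytearray(b[:3] + b"\xff\xfe" + b[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def eui64_to_mac(iid):
    """The mapping is reversible: an EUI-64 address reveals the hardware address."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        raise ValueError("interface ID is not EUI-64 derived")
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b)


def address_from_prefix(prefix, mac):
    """Join a /64 prefix (fe80::/64 or one learned from an RA) with the interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def link_local(mac):
    return address_from_prefix("fe80::/64", mac)


def build_ra(managed, other, prefix, autonomous=True, hop_limit=64, router_lifetime=1800):
    """ICMPv6 Router Advertisement (RFC 4861): 16-byte header plus one
    32-byte Prefix Information option with the L (on-link) and A flags."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    head = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                       router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pio_flags = 0x80 | (0x40 if autonomous else 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pio_flags,
                      2592000, 604800, 0)
    return head + pio + net.network_address.packed


def parse_ra(ra):
    """Extract the M/O flags and every Prefix Information option."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags = ra[5]
    info = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40), "prefixes": []}
    off = 16
    while off + 2 <= len(ra):
        typ, length = ra[off], ra[off + 1] * 8
        if length == 0 or off + length > len(ra):
            raise ValueError("malformed ND option")   # zero-length options are invalid
        if typ == OPT_PREFIX_INFO and length == 32:
            plen, pflags = ra[off + 2], ra[off + 3]
            prefix = ipaddress.IPv6Address(ra[off + 16:off + 32])
            info["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                     "on_link": bool(pflags & 0x80),
                                     "autonomous": bool(pflags & 0x40)})
        off += length
    return info


def slaac_addresses(ra, mac):
    """Addresses a host forms from an RA: only A-flagged /64 prefixes qualify.
    With A clear and M set, the host must use stateful DHCPv6 instead."""
    info = parse_ra(ra)
    return [address_from_prefix(p["prefix"], mac)
            for p in info["prefixes"] if p["autonomous"] and p["prefix"].endswith("/64")]
```

Because any node on the link can send an RA, the parse step above is exactly where a rogue router attack lands: a host that trusts every RA will adopt an attacker's prefix and default gateway. That is the reason switches offer RA Guard and why the source of an RA is always a link-local address.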
IP Parameters for Client OS (Windows, Mac OS, Linux)
An operating system is the backbone of any computer system; without one,
users and applications cannot interact with the hardware. The three main
desktop families are Windows, macOS and Linux. macOS is a graphical operating
system developed by Apple Inc. for its Macintosh computers. Windows was
developed by Microsoft to overcome the limitations of the MS-DOS operating
system. Linux is a UNIX-like open-source operating system that provides full
memory protection and multitasking.
Windows
In order to verify OS Parameters for windows operating system, following
steps are used:
1. Open the Command Prompt and enter the ipconfig command. It
will display the list of all the connections.
Figure 1-41: The “ipconfig” Command
Here, you can see the IP address is 192.168.100.108; we will replace it by
assigning the system a static IP address.
2. Click on "Change adapter settings"; you will see this window, which shows
the network adapters attached to the operating system.
Figure 1-42: Network Connections
3. Right click on “Wi-Fi”. Select “Properties”, you will see this
window:
Figure 1-43: Wi-Fi Properties
4. After selecting Properties, select the "Internet Protocol Version 4
(TCP/IPv4)" option. Then assign the new IP address, subnet mask, default
gateway, preferred DNS server and alternate DNS server.
Figure 1-44: Internet Protocol Version 4 Properties
5. After providing the Static IP address, verify the IP address
parameters by executing the ipconfig command on command
prompt.
Figure 1-45: Command Prompt
Linux
In order to verify OS Parameters for Linux Operating system, follow the
steps which are given below:
1. Open the Terminal and enter the ifconfig command (on current
distributions ifconfig comes from the net-tools package and may be absent;
ip addr shows the same information). It will display the list of all the
interfaces.
Figure 1-46: Kali Linux
Figure 1-47: The “ifconfig” Command
Here, you can see the IP address is 192.168.100.125 with netmask 255.255.255.0
and broadcast 192.168.100.255; we will replace it by assigning the system a
static IP address.
2. Click "Settings", then select "Network". You will see the window that
shows the interfaces connected to the operating system.
Figure 1-48: Kali Linux Setting
Under "Wired", click the settings (gear) button; the next window will appear.
3. Select “IPv4” and provide the new static IP address, netmask,
gateway and DNS server.
Figure 1-49: Wired Connections
4. Select “Manual” and provide the fields.
Figure 1-50: Wired Settings
Mac OS
1. To set up a network connection on macOS, open "System Preferences" and
click "Network".
Figure 1-51: System Preferences
2. A new network window will open; change "Configure IPv4" from "Using
DHCP" to "Manually".
Figure 1-52: Network Settings
3. Provide the appropriate IP address and subnet mask and then click
the “Advanced” button.
Figure 1-53: Ethernet Status
4. Select the DNS tab and then click the “+” button.
Figure 1-54: Ethernet DNS Settings
5. Enter the DNS server address and then click “Ok”.
Figure 1-55: Ethernet DNS Server
6. Now, click the “Apply” button to save the changes.
Figure 1-56: Providing Static IP Address
Wireless Principles
Wireless is a popular networking technology. By using this technology, we
can exchange the information between two or more devices. To establish a
reliable system, there are some challenges that are discussed below:
Non-overlapping Wi-Fi channels
Your router has a channel setting. Most routers leave it set to "Auto", but if
you look through the list there are at least a dozen WLAN channels. So how do
you know which channels are faster than the others? Choosing a suitable Wi-Fi
channel can vastly improve your Wi-Fi coverage and performance, but even when
you find the least congested channel, you should not always select it right
away, because neighbouring networks matter too.
Various frequency bands (2.4 GHz, 3.6 GHz, 4.9 GHz, 5 GHz and 5.9 GHz) each
have their own range of channels. Routers usually use the 2.4 GHz band, which
has 14 channels in total; in practice, regulatory rules mean that 13 or fewer
are usable in most countries (channel 14 is permitted only in Japan, and only
for 802.11b).
There are five combinations of available non-overlapping channels, which are
given below:
Figure 1-57: Wi-Fi Channels
From the diagram above, it can be seen that Wi-Fi channels 1, 6, 11, or 2, 7,
12, or 3, 8, 13 or 4, 9, 14 (if allowed) or 5, 10 (and possibly 14 if allowed)
can be used together as sets.
The 802.11b, g and n amendments use the 2.4 GHz band (802.11a, and 802.11n
when run at 5 GHz, use the 5 GHz band instead). The band runs from roughly
2400 to 2500 MHz and is divided into 14 channels whose centre frequencies are
only 5 MHz apart, while each channel is about 20 MHz (OFDM) or 22 MHz
(802.11b DSSS) wide. A channel therefore overlaps with the three or four
channels on either side of it (see the diagram above), and overlapping
channels interfere with each other, which makes wireless throughput poor. The
most common channels for 2.4 GHz Wi-Fi are 1, 6 and 11, because their centres
are 25 MHz apart and they do not overlap with one another.
Only about 100 MHz is available and the centres are just 5 MHz apart, so the
thirteen channels cannot help but overlap; only a few of them can be used
together without interference.
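Rather than memorising the channel sets in Figure 1-57, you can derive them from the centre frequencies. The following added example (written for this edition, not from the book) computes centre frequencies, tests whether two channels overlap for a given channel width, and enumerates the maximal groups of mutually non-overlapping channels. Channel width is a parameter so the difference between 22 MHz (802.11b) and 20 MHz (802.11g/n) is visible: with 20 MHz channels, four channels can coexist where regulations allow 13.

```python
"""2.4 GHz Wi-Fi channel centres and overlap. Added example, not from the book.
Channel width is a parameter: 22 MHz for 802.11b (DSSS), 20 MHz for g/n (OFDM)."""


def center_mhz(channel):
    """Channels 1-13 are 5 MHz apart starting at 2412 MHz; channel 14 sits at 2484 MHz."""
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)
    if channel == 14:
        return 2484
    raise ValueError(f"no 2.4 GHz channel {channel}")


def overlaps(a, b, width_mhz=22):
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz


def overlapping_channels(channel, width_mhz=22, channels=range(1, 15)):
    """Every other channel whose spectrum overlaps the given one."""
    return [c for c in channels if c != channel and overlaps(channel, c, width_mhz)]


def non_overlapping_sets(channels=range(1, 14), width_mhz=22):
    """Maximal groups of mutually non-overlapping channels, built greedily
    from each starting channel; groups contained in a larger one are dropped."""
    channels = list(channels)
    groups = []
    for start in channels:
        group = [start]
        for c in channels:
            if c > start and all(not overlaps(c, g, width_mhz) for g in group):
                group.append(c)
        if len(group) > 1 and group not in groups:
            groups.append(group)
    return [g for g in groups if not any(set(g) < set(h) for h in groups)]
```

The default call reproduces the figure's sets for channels 1 to 13 with 22 MHz channels; passing range(1, 15) adds channel 14 where it is legal, and width_mhz=20 shows the four-channel plan (1, 5, 9, 13) that 20 MHz OFDM permits.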
SSID
The Service Set Identifier (SSID) is the name that identifies a wireless
network; client devices use it to find the network and maintain an
association with it. The same SSID can be used by multiple access points on a
network or sub-network. SSIDs are case sensitive and can be up to 32 octets
long (usually printable characters, though the standard allows any byte
values).
You may configure up to 16 SSIDs on your access point and assign different
configuration settings to each SSID. All the SSIDs may be active at the same
time; that is, client devices can associate to the access point using any of
the SSIDs. Following are some settings you can assign to each SSID:
VLAN
Client authentication settings
Client authenticated key management settings
AP authentication parameters (used on AP-to-AP links, such as bridges)
Management frame protection settings (Cisco MFP / 802.11w)
Maximum number of client associations using the SSID
RADIUS accounting for traffic using the SSID
Guest mode (whether the SSID string is broadcast in the beacons)
Legacy AP-to-AP authentication method, when using PSK or LEAP security on
AP-to-AP links
Redirection of packets received from client devices
If you want the access point SSID to be visible to all wireless clients,
including clients that do not have a profile for that particular SSID, you can
set up a guest SSID. The access point includes the guest SSID in its beacons.
If guest mode is disabled, the AP still sends beacons for this SSID, but the
SSID string is omitted. Treat a hidden SSID as a convenience rather than a
security control: the name is still sent in the clear in probe requests, probe
responses and association frames, so any passive sniffer within range learns
it as soon as a client connects.
If your access point is configured as a repeater or a non-root bridge, you can
set up credentials on the repeater or non-root bridge side so that the root or
primary AP can authenticate it. You assign an authentication username and
password to the repeater-mode SSID so that the repeater authenticates to your
network like a client device.
If your network uses VLANs, you can assign a VLAN to each SSID, so that client
devices using that SSID are grouped into that VLAN.
RF
RF stands for radio frequency. Radio communication began at the turn of the
20th century, more than 100 years ago, when Marconi built the first successful
and practical radio system. A Radio Frequency (RF) signal is a wireless
electromagnetic signal used as a form of communication: an alternating current
fed to an antenna generates an electromagnetic field that can be used for
wireless broadcasting and/or communications. The field is referred to as an
RF field or a radio wave. Radio waves are a form of electromagnetic radiation
with frequencies that range from 3 kHz to 300 GHz.
Encryption
Because encryption is defined at the interface (VLAN or radio) level of the
access point and can be shared by several SSIDs, it is usually configured
before the SSID and its authentication mechanism. Just as anyone within range
of a radio station can tune to its frequency and listen, any wireless device
within range of an access point can receive the access point's transmissions.
Encrypted communication is therefore the first line of defence against
attackers, and Cisco recommends that you use full encryption on your wireless
network.
The original encryption mechanism described in the 802.11 standard is WEP
(Wired Equivalent Privacy). WEP scrambles the communication between the
access point and client devices to keep it private. WEP keys are statically
defined on both the client and the AP, and both sides use the same key to
encrypt and decrypt radio traffic. WEP keys encrypt both unicast and multicast
messages. Unicast messages are addressed to a single device on the network;
multicast messages are addressed to multiple devices.
Note that WEP has long been broken: its RC4 keystream is keyed by the static
key plus a 24-bit initialisation vector that repeats quickly, and its CRC-32
integrity check is linear, so an attacker who captures enough traffic can
recover the key. Use WPA2 or WPA3; WEP should only appear on a modern network
as something to find and remove.
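To see why a static key with a short IV fails, here is an added example (written for this edition, not code from the book or from Cisco) that models WEP's structure in Python: a 3-byte IV sent in the clear, RC4 keyed with IV||key, and a CRC-32 integrity check value (ICV) appended to the plaintext. The key, IV and frame contents are constructed here, and the IV is deliberately reused. Two frames encrypted under the same IV share a keystream, so the XOR of their ciphertexts equals the XOR of their plaintexts, and knowing one plaintext (a predictable frame such as a DHCP or ARP message) reveals the other. The real 24-bit IV space repeats after at most 16.7 million frames, usually far sooner.

```python
"""Toy WEP-style encryption: RC4 keyed with IV||key, CRC-32 ICV, IV in the clear.
Added example, not from the book; key, IV and frames are constructed here.
RC4 and WEP are obsolete and appear only to demonstrate keystream reuse."""
import zlib


def rc4(key, length):
    """RC4 key-scheduling plus keystream generation (PRGA) for `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key, iv, plaintext):
    """Frame body = IV (3 bytes, clear) || RC4_{IV||key}(plaintext || CRC32(plaintext))."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    data = plaintext + icv
    return iv + xor(data, rc4(iv + key, len(data)))


def wep_decrypt(key, frame):
    """Strip the IV, regenerate the keystream, check the ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def passes_icv(key, frame):
    try:
        wep_decrypt(key, frame)
        return True
    except ValueError:
        return False


def recover_with_known_plaintext(frame_a, known_a, frame_b):
    """Same IV => same keystream. keystream = C_a ^ P_a, so P_b = C_b ^ keystream.
    No key material is needed; only the reused IV and one known plaintext."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ, so the keystreams differ")
    keystream = xor(frame_a[3:3 + len(known_a)], known_a)
    n = min(len(keystream), len(frame_b) - 7)      # skip IV, stop before frame_b's ICV
    return xor(frame_b[3:3 + n], keystream[:n])


def iv_reuse_leaks(frame_a, frame_b, plain_a, plain_b):
    """Check the algebra directly: C_a ^ C_b == P_a ^ P_b over the shared prefix."""
    n = min(len(plain_a), len(plain_b))
    return xor(frame_a[3:3 + n], frame_b[3:3 + n]) == xor(plain_a[:n], plain_b[:n])
```

The ICV does catch a random bit flip, as the test shows, but because CRC-32 is linear an attacker who flips ciphertext bits can adjust the encrypted ICV to match; that is a separate WEP weakness from the keystream reuse demonstrated here.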
Virtualization Fundamentals
A virtual machine is a software emulation of a computer that runs an operating
system and applications. Each virtual machine contains its own virtual, or
software-based, hardware, including a virtual CPU, memory, hard disk and
network interface card.
Virtualization is the process of creating a software-based, or virtual,
representation of something, such as virtual applications, servers, storage
and networks. It is one of the most effective ways to reduce IT expenses while
boosting efficiency and agility for businesses of all sizes.
Benefits of Virtualization
Virtualization can increase IT agility, adaptability and versatility while
making significant cost reductions. Greater workload mobility, increased
performance and availability of resources, and automated operations all make
IT simpler to manage and less costly to own and operate. Additional benefits
include:
Reduced capital and operating expenses
Minimized or eliminated downtime
Increased IT productivity, efficiency, agility and responsiveness
Faster provisioning of applications and resources
Greater business continuity and disaster recovery
Simplified data center management
Availability of a true Software-Defined Data Center
Types of Virtualization
There are three main types of virtualization that are as follows:
Server Virtualization
Server virtualization allows multiple operating systems to run on a single
physical server as highly efficient virtual machines. Key advantages of
server virtualization include:
Greater IT efficiency
Reduced operating expenses
Faster workload deployment
Improved application performance
Higher server availability
Elimination of server sprawl and complexity
Network Virtualization
Network virtualization presents logical networking devices and services such
as logical ports, switches, routers, firewalls, load balancers, VPNs and more
to connected workloads. Network virtualization enables applications to run
on a virtual network as if they were running on a physical network, but with
greater operational advantages and all the hardware independence of
virtualization.
Desktop Virtualization
Deploying desktops as a managed service enables IT organizations to respond
faster to changing workplace needs and emerging opportunities. Virtualized
desktops and applications can also be quickly and easily delivered to branch
offices, outsourced and offshore employees, and mobile workers using iPad and
Android tablets.
Switching Concepts
Layer 2 switches and bridges are faster than routers because they do not
spend time examining Network-layer header information. Instead, they look at
the frame's hardware addresses before deciding whether to forward, flood or
drop the frame. The next sections cover the functions a switch performs and
the components it uses to do so.
MAC Learning and Aging
Learning the MAC addresses of attached devices is the fundamental
responsibility of a switch. The switch transparently observes incoming frames
and records the source MAC address of each frame, together with the port on
which it arrived, in its MAC address table. Based on this information it can
make intelligent frame forwarding (switching) decisions. A device may be
powered off or moved to another port at any time, so the switch must also age
MAC addresses and remove them from the table after they have not been seen
for some time (300 seconds by default on Cisco IOS).
Frame Switching
Along with building a MAC address table (learning MAC-address-to-port
mappings), the switch forwards (switches) frames intelligently from port to
port. Think of this as the opposite of how a Layer 1 hub works. A hub takes in
a frame and always repeats it out of every other port, so in a hub-based
network every port is part of the same collision domain. A switch is smarter
than that: when its MAC address table holds an entry for the destination, it
"filters" the frame from ports where it is not needed and forwards it only to
the port that leads to the destination MAC address.
Frame Flooding
What happens when a frame has a destination address that is not in the MAC
address table? The frame is flooded out of all ports (other than the one on
which it was received). Flooding happens whenever the switch has no entry in
its MAC address table for the frame's destination, and also when the
destination MAC address in the frame is the broadcast address
(FFFF.FFFF.FFFF).
MAC Address Table
The MAC address table is a critical component in the modern switch and acts
as a brain of the switch operation. It contains the MAC address to port
mappings so the switch can work its network magic.
The below example shows how easy it is to examine the MAC address table
of a Cisco switch.
Example: Examining a Real MAC Address Table
Switch#show mac address-table
 Mac Address Table
---------------------------------------------------------------------
Vlan Mac Address Type Ports
---- ----------------- -------- -----
1 e213.5864.ab8f DYNAMIC Gi0/0
1 fa16.3ee3.7d71 DYNAMIC Gi1/0
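The following added example (written for this edition, not code from the book or from Cisco IOS) simulates the behaviour described above in a few dozen lines: a switch that learns source MAC addresses per port, forwards known unicast out a single port (or filters it when it would go back out the ingress port), floods unknown unicast and broadcast, ages entries after 300 seconds, and renders its table in the shape of show mac address-table. The frames and timestamps are constructed; the MAC addresses are the two from the output above. A max_entries parameter models the fact that a real CAM table is finite: once it is full, new addresses are not learned and traffic to them keeps being flooded.

```python
"""Minimal learning switch: learn source MAC -> port, forward known unicast
out one port (or filter it), flood unknown unicast and broadcast, age out
stale entries. Added example, not from the book; frames and times are constructed."""
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"
DEFAULT_AGING_SECONDS = 300               # Cisco IOS default aging time


@dataclass
class Frame:
    src: str
    dst: str
    in_port: str


class Switch:
    def __init__(self, ports, aging_seconds=DEFAULT_AGING_SECONDS, max_entries=None):
        self.ports = list(ports)
        self.aging = aging_seconds
        self.max_entries = max_entries    # real CAM tables are finite
        self.table = {}                   # mac -> (port, last_seen)

    def age(self, now):
        """Drop entries not refreshed within the aging time; return what was removed."""
        stale = [m for m, (_, seen) in self.table.items() if now - seen >= self.aging]
        for m in stale:
            del self.table[m]
        return stale

    def learn(self, mac, port, now):
        """Record (or refresh, or move) the source MAC; never learn the broadcast MAC."""
        if mac == BROADCAST:
            return False
        if mac not in self.table and self.max_entries is not None \
                and len(self.table) >= self.max_entries:
            return False                  # table full: frames to this MAC keep being flooded
        self.table[mac] = (port, now)
        return True

    def handle(self, frame, now):
        """Return the egress ports: [] filtered, [one port] forwarded, several = flooded."""
        self.age(now)
        self.learn(frame.src, frame.in_port, now)
        entry = self.table.get(frame.dst)
        if frame.dst != BROADCAST and entry is not None:
            port, _ = entry
            return [] if port == frame.in_port else [port]
        return [p for p in self.ports if p != frame.in_port]

    def show_mac_address_table(self):
        """Rows in the shape of 'show mac address-table': (mac, type, port)."""
        return [(mac, "DYNAMIC", port) for mac, (port, _) in sorted(self.table.items())]
```

Walk the frames through in order and watch the egress list change from a flood, to a single port, to an empty list when the destination is behind the ingress port, and back to a flood once the entries age out.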
Mind Map
Figure 1-58: Mind Map of Network Fundamentals
Summary
Role and Function of Network Components
Network Fundamentals teaches the building blocks of modern
network design. In this session, we have briefly discussed about
the network components related to their functions and
performance
A Router receives a packet and observes the destination IP
address information to determine what network the packet needs
to reach, then sends the packet out of the corresponding interface
A Layer 2 switch works only on MAC addresses and does not look at IP
addresses or anything at higher layers. A Layer 3 switch can perform all
the tasks that a Layer 2 switch can, and can also route between subnets
Firewalls have evolved beyond simple packet filtering and stateful
inspection. Most companies now deploy next-generation firewalls to block
modern threats such as advanced malware and application-layer attacks
An access point is a device that creates a Wireless Local Area
Network, or WLAN, usually in an office or large building
The Cisco Wireless Controller (WLC) series devices provide a
single solution to configure, manage and support corporate
wireless networks, regardless of their size and locations
An endpoint is a remote computing device that communicates
back and forth with a network to which is it connected such as
desktop, laptop etc.
A server is a computer program or device that provides a service to
another program or device, the client
Characteristics of Network Topology Architectures
Network topology is defined as the physical arrangement of nodes
to form a computer network. There are two types of network
topology: physical topology and logical topology
A two-tier or level architecture is a software architecture in which
a presentation layer or interface keeps running on a client, and a
data layer or data structure gets stored on a server
A three-tier or level architecture is a client-server architecture
design in which the functional procedure logic, information
access, computer information storage and UI (User Interface) are
created and maintained as independent modules on discrete
platforms
A Leaf-Spine architecture is adaptable to the continuously
changing requirements of companies in big data industries with
evolving data centers
Wide-Area Network helps organizations to expand geographically
around the globe. Using WAN services from service providers
usually called “off-sourcing” or “outsourcing”
SOHO is generally a remote office or enterprise environment with
small to medium infrastructure. SOHO users are connected to
corporate headquarter by using WAN MPLS or some other
technology based services provided by service providers
On-premises system monitoring software has been the standard for a long
time. Some organizations are now moving to cloud-based network monitoring
and management
Physical Interface and Cabling Types
Physical interfaces consist of a software driver and a connector
into which you connect network media
The type of cable selected for a network is related to the protocol,
network’s topology, and size
Single-mode fiber is used in many applications where data is sent on
multiple wavelengths (WDM, Wavelength-Division Multiplexing) so only one
cable is needed
Multimode fiber gives you high bandwidth at high speeds (10 to 100 Mbps
over up to 2 km; Gigabit over up to 275 m on 62.5 µm fiber or 550 m on
50 µm fiber) over medium distances
Networks use copper media because it is inexpensive, easy to
install, and has low resistance to electrical current. However,
copper media is limited by distance and signal interference
Computers connected by communication channels that each
connect exactly two computers with access to full channel
bandwidth is known as point-to-point connection whereas, all
computers connected to a shared broadcast-based communication
channel and share the channel bandwidth is known as shared or
broadcast connection
Power over Ethernet (PoE) is a technology for
wired Ethernet local area networks (LANs) that allows the
electrical current necessary for the operation of each device to be
carried by the data cables rather than by power cords. It made AP
installations easier and more flexible, especially on ceilings
Identify Interface and Cable Issues
A collision occurs when two stations on a shared Ethernet medium transmit
at the same time; CSMA/CD is the mechanism Ethernet uses to detect
collisions, back off and share the bandwidth among the stations
Errors may occur in your network for a wide variety of reasons.
For example, there could be electrical interference somewhere, or
there is a bad Network Interface Card that is not able to frame
things correctly for the network
Duplex used to be a big concern in Ethernet LANs. Because you might be
using half-duplex due to having hubs in your network, you need to ensure
that duplex mismatches do not occur between full-duplex (switched) areas
and half-duplex areas
TCP vs. UDP
Two transport protocols carry most Internet Protocol (IP) traffic: TCP
(Transmission Control Protocol) and UDP (User Datagram Protocol)
TCP is connection oriented. Once a connection is established, data can be
sent bidirectionally with reliable, ordered delivery
UDP is a simpler, connectionless protocol. Each message is sent as an
independent datagram
Unlike TCP, UDP adds no reliability, flow-control or error-recovery
functions to IP packets. Because of UDP's simplicity, UDP headers contain
fewer bytes and consume less network overhead than TCP
IPv4 Addressing and Subnetting
In this section, we have explored IPv4 addressing and subnetting. We
have also configured and verified IPv4 address classes and subnet
masks by performing a lab
The Need for Private IPv4 Addressing
The designers of IPv4 created private address space to help
alleviate the depletion of IPv4 addresses
This address space is not routable on the public internet
The address space can be used as needed inside corporations and
would then be translated using Network Address Translation
(NAT) to allow access to and through the public internet
IPv6 Addressing and Prefix
Internet Protocol version 6 (IPv6) expands the number of network
address bits from 32 bits (in IPv4) to 128 bits, which provides
more than enough globally unique IP addresses for every
networked device on the planet
The vastly larger address space provided by IPv6 allows Cisco to
deliver more and newer applications and services with reliability,
improved user experience, and increased security
Implementing basic IPv6 connectivity in the Cisco software
consists of assigning IPv6 addresses to individual device
interfaces. IPv6 traffic forwarding can be enabled globally, and
Cisco Express Forwarding switching for IPv6 can also be enabled
The user can enhance basic connectivity by configuring support for
AAAA (Authentication, Authorization, Accounting, and Auditing) record
types in the Domain Name System (DNS) name-to-address and
address-to-name lookup processes, and by managing IPv6 neighbor
discovery
IPv6 Address Types
Global Unicast Addresses (GUAs) are globally routable and reachable
on the IPv6 Internet; they are the equivalent of public IPv4
addresses
Unique local addresses are similar in concept to the private-use
addresses of IPv4 (RFC 1918) and are not intended to be routable on
the IPv6 Internet
Link-local addresses only function on the local link. IPv6 devices
generate them automatically in order to perform many automated
functions between devices
An IPv6 anycast address is an address that can be assigned to more
than one interface
Multicasting means a packet is sent to a group of devices interested
in receiving the information. In IPv6, multicasting completely
replaces the IPv4 approach of broadcasting
Modified Extended Unique Identifier (EUI-64) is an IPv6 feature that
allows a host to derive its own 64-bit interface identifier. It
eliminates the need for manual configuration or DHCP, a key benefit
over IPv4
Wireless Principles
Your router's settings include a channel setting. Most routers have
the channel set to "Auto", but if you look through the channels,
there are at least a dozen WLAN channels
The SSID is an ASCII string that is used to identify a wireless
network and maintain wireless connectivity. The same SSID can be used
by multiple access points on a network. SSIDs are case sensitive and
can contain up to 32 alphanumeric characters
RF stands for Radio Frequency. It refers to a wireless
electromagnetic signal used as a form of communication
Because encryption is defined at the interface (VLAN or radio) level
of the access point, and can be common to several SSIDs, encryption
is usually configured before the SSID and its authentication
mechanism
Virtualization Fundamentals
A virtual machine is a computer software program that runs an
operating system and applications. Each virtual machine contains
its own virtual, or software-based, hardware, including a virtual
CPU, memory, hard disk, and network interface card
Virtualization is the process of creating a software-based, or
virtual, representation of something, such as virtual applications,
servers, storage and networks. It is the single most effective way
to reduce IT expenses while boosting efficiency and agility for
businesses of all sizes
Virtualization can increase IT agility, adaptability and versatility
while making significant cost reductions. Greater workload mobility,
increased performance and availability of resources, and automated
operations: these benefits of virtualization make IT simpler to
manage and less costly to own and operate
Switching Concepts
Learning the MAC addresses of attached devices is a fundamental
responsibility of a switch. The switch transparently observes
incoming frames and records the source MAC address of each frame in
its MAC address table
Along with building a MAC address table (learning MAC address to
port mappings), the switch also forwards (switches) frames
intelligently from port to port
A frame is flooded out of all ports (other than the port on which
the frame was received) when the switch has no entry for the frame's
destination in its MAC address table
The MAC address table is a critical component of the modern switch
and acts as the brain of the switch operation. It contains the MAC
address to port mappings that let the switch work its network magic
Practice Questions
1. Your system is sending email to the local SMTP server. What type
of IPv4 traffic is most likely, given that these two systems have
communicated seconds ago?
A. Broadcast
B. Multicast
C. Unicast
D. Anycast
2. What does it mean when you see FF:FF:FF:FF:FF:FF as the
destination address in an Ethernet frame?
A. It means the frame is a multicast
B. It means the frame is a unicast
C. It means the frame should be dropped
D. It means the frame is a broadcast
3. Examine the following diagram. What is the most likely reason for
Host A being unable to ping Host B?
A. The subnet masks are incorrect for the link between R1 and R2
B. Host A has an invalid IP address
C. Host B is attempting to use the subnet ID as an IP address
D. The R2 interface to R1 is attempting to use a subnet broadcast IP
address
4. What is the typical network portion of an IPv6 global unicast
address?
A. 32 bits
B. 48 bits
C. 64 bits
D. 128 bits
5. What command do you need in order to enable IPv6 routing
capabilities on a Cisco router?
A. ipv6 unicast-routing
B. ipv6 routing
C. ipv6 routing enable
D. ipv6 unicast-enable
6. What is the default aging time for MAC address entries on a typical
Cisco switch?
A. 60 seconds
B. 120 seconds
C. 300 seconds
D. 1200 seconds
7. Which of the following is defined as the physical or logical
arrangement of a network?
A. Topology
B. Routing
C. Networking
D. None of the above
8. TCP groups a number of bytes together into a packet called?
A. Packet
B. Buffer
C. Segment
D. Stack
9. Which of the following is false with respect to UDP?
A. Connection-oriented
B. Unreliable
C. Transport layer protocol
D. All of the above
10. A ______ is a device that forwards packets between
networks by processing the routing information included in the
packet.
A. Bridge
B. Firewall
C. Router
D. All of the above
11. Which of the following communication channels is shared by all
the machines on the network?
A. Broadcast
B. Unicast
C. Multicast
D. None of the above
12. The header length of an IPv6 datagram is ___________.
A. 10 bytes
B. 25 bytes
C. 30 bytes
D. 40 bytes
 
13. IPv6 does not use the ______ type of address.
A. Broadcast
B. Multicast
C. Anycast
D. None of the above
14. The size of IP address in IPv6 is ____________.
A. 4 bytes
B. 12 bytes
C. 8 bytes
D. 100 bits
15. If the value in protocol field is 17, the transport layer
protocol used is ________.
A. TCP
B. UDP
C. Either TCP or UDP
D. None of the above
16. Which of the following is not applicable for IP?
A. Error Reporting
B. Handle Addressing Conventions
C. Datagram Format
D. Packet Handling
17. Encryption is a technique used to improve which of the following
aspects of a network?
A. Performance
B. Reliability
C. Security
D. Longevity
18. Select one main advantage of UDP.
A. More Overload
B. Reliable
C. Less Overload
D. Fast
19. A computer network that spans a large physical area,
connecting several sites of an organization across cities, countries
and continents is known as __________.
A. LAN
B. MAN
C. WAN
D. PAN
20. Which device reduces the traffic by spontaneous
segmentation of a network?
A. Modem
B. Switch
C. Router
D. Hub
21. On which two layers of the OSI model does the multilayer
switch operate?
A. Layer 1 and Layer 2
B. Layer 1 and Layer 3
C. Layer 2 and Layer 3
D. Layer 1 and Layer 4
22. Which physical device or software defends an internal
network or system from unauthorized access by performing as a
filter?
A. HIDS
B. IPS/IDS
C. Content Filter
D. Firewall
23. Which type of server performs mapping of private IP addresses
into public IP addresses?
A. IPS/IDS Server
B. NAT Translation Server
C. DNS Server
D. Proxy Server
24. Which connector provides communication and controlling
factor in network devices?
A. RJ-11
B. RJ-48C
C. RJ-45
D. DB-9
25. Select the two correct statements about IPv4 and IPv6 addresses.
A. An IPv6 address is 128 bits long, represented in decimal
B. An IPv4 address is 32 bits long, represented in decimal
C. An IPv6 address is 32 bits long, represented in hexadecimal
D. An IPv6 address is 128 bits long, represented in hexadecimal
Chapter 02: Network Access
Technology Brief
This chapter defines network access in general, from both a physical and a
logical perspective. Gaining access to network resources is based on
identification through authentication: proving one's identity, requesting
access, and being granted the requested access. This chapter first describes
the different types of LAN technologies and other related technologies and
protocols. We will briefly discuss the WLAN architecture introduced by
Cisco, where we describe the access mechanism of that WLAN architecture.
VLANs (Normal Range) Spanning Multiple Switches
A Virtual LAN is a switched network that is logically divided by function,
project team, or application, regardless of the physical location of the
users or hosts. VLANs have the same attributes as physical LANs, but you can
group end stations/hosts even if they are not physically situated on the
same LAN segment. Any switch port can belong to a VLAN, and unicast,
multicast, and broadcast packets are forwarded and flooded only to end
points in that VLAN. Every VLAN is considered a logical network, and packets
destined for stations that do not belong to the VLAN must be forwarded via a
router or a switch supporting fallback bridging. VLANs can be created with
ports across the stack, because a VLAN is considered a separate logical
network that contains its own bridge Management Information Base (MIB)
information and can support its own implementation of spanning tree.
VLANs are often associated with IP subnetworks. For example, all the end
stations/hosts in a particular IP subnet belong to the same VLAN. Traffic
between VLANs must be routed. LAN port VLAN membership is assigned manually
on a port-by-port basis.
The switch supports VLANs in VTP client mode, server mode, and
transparent mode.
Cisco IOS Release 12.2SY supports 4096 VLANs in accordance with the IEEE
802.1Q standard. These VLANs are organized into several ranges, and you use
each range slightly differently. Some of these VLANs are propagated to other
switches in the network when you use the VLAN Trunking Protocol (VTP). The
extended-range VLANs are not propagated, so you must configure extended-range
VLANs manually on each network device. VLANs 0 and 4095 are reserved for
system use only; we cannot access these VLANs. The port-channel range is 1
to 6. The VLAN identification is a number from 1 to 4094. VLAN IDs 1002-1005
are reserved for Token Ring and FDDI VLANs.
Figure 2-01: VLAN IDs
The following example demonstrates how to create Ethernet VLAN 2, name
it test2, and add it to the VLAN database:
Switch# configure terminal
Switch(config)# vlan 2
Switch(config-vlan)# name test2
Switch(config-vlan)# end
The following example shows how to configure a port as an access port in
VLAN 2:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 2
Switch(config-if)# end
Configuring Normal-Range VLANs
Normal-range VLANs are VLANs with VLAN IDs 1-1005. If the switch is in VTP
server or VTP transparent mode, you can add, modify, or remove configurations
for VLANs 2 to 1001 in the VLAN database.
You configure VLANs with the vlan global configuration command by entering a
VLAN ID. Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID
to modify that VLAN. You can use the default VLAN configuration or use
multiple commands to configure the VLAN. When you have completed the
configuration, you must exit VLAN configuration mode for the configuration
to take effect. To display the VLAN configuration, enter the show vlan
privileged EXEC command.
The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN
database (vlan.dat file). If the VTP mode is transparent, they are also saved
in the running configuration file of the switch. You can enter the copy
running-config startup-config privileged EXEC command to save the
configuration in the startup configuration file. In a switch stack, the
entire stack uses the same vlan.dat file and running configuration. To
display the VLAN configuration, enter the show vlan privileged EXEC command.
When you save VLAN and VTP information (including extended-range
VLAN configuration information) in the start-up configuration file and
reboot the switch, the switch configuration is selected as follows:
If the VTP mode is transparent in the startup configuration, and the
VLAN database and the VTP domain name from the VLAN database match
those in the startup configuration file, the VLAN database is
ignored (cleared), and the VTP and VLAN configurations in the
startup configuration file are used. The VLAN database revision
number remains unchanged in the VLAN database
In VTP versions 1 and 2, if VTP mode is server, the domain name
and VLAN configuration for only the first 1005 VLANs use the
VLAN database information. VTP version 3 also supports VLANs
1006 to 4094
If the VTP mode or domain name in the start-up configuration does
not match the VLAN database, the VTP mode and domain name and
configuration for the first 1005 VLANs use the VLAN database
information
Access Ports (Data and Voice)
Traffic is both received and sent in native format, without any VLAN
information (tagging) whatsoever. Any frame arriving on an access port
simply belongs to the VLAN assigned to that port.
Data: A data VLAN is a VLAN that is configured to carry user-generated
traffic. A VLAN carrying voice or management traffic would not be part of
a data VLAN. It is common practice to separate voice and management
traffic from data traffic.
Voice: Most switches allow you to add a second VLAN on a switch port for
your voice traffic, called the voice VLAN. The voice VLAN used to be called
the auxiliary VLAN, which allowed it to be overlaid on top of the data VLAN
so that both types of traffic could travel through the same port. Although
it is technically considered a different type of link, it is simply an
access port that can be configured for both a data and a voice VLAN. It
allows you to connect both a phone and a PC to one switch port, each in a
separate VLAN.
 
Default VLAN
Cisco switches always have VLAN 1 as the default VLAN, which is needed for
many protocol communications between switches, such as Spanning Tree
Protocol. All control traffic is carried on VLAN 1. It cannot be disabled
and poses a security risk, as a lot of Cisco services run on the default
VLAN. It is recommended to assign all ports to a VLAN other than the default
VLAN.
Connectivity
End-to-end connectivity is a successful connection between two endpoints,
ports, or nodes. Communication between two endpoints involves a number of
intermediary devices that process or forward the packet toward the
destination. End-to-end connectivity means that these intermediary devices
do not alter the essential data in the packets during communication. Issues
related to end-to-end connectivity include an unavailable remote endpoint,
closed ports on the application server, an incorrect access control list,
and others.
Interswitch Connectivity
Cisco originally created its own way of marking traffic with a VLAN ID for
transport over an interswitch link. It was named Inter-Switch Link (ISL)
and it took an interesting approach: it fully re-encapsulated the frame in
order to add a VLAN marking. 802.1Q takes a different approach. It inserts a
tag value into the existing frame.
Trunk Ports
A trunk port is a port that is allocated to carry traffic for all the VLANs
that are accessible by a specific switch, a process known as trunking. Trunk
ports mark frames with unique identifying tags, either 802.1Q tags or
Inter-Switch Link (ISL) tags, as they move between switches.
Add and Remove VLANs on a Trunk
To add or remove VLANs on a trunk, perform the following steps:
To restrict the traffic that a trunk carries, issue the switchport
trunk allowed vlan remove vlan-list interface configuration command.
This removes specific VLANs from the allowed list
To add a VLAN to the trunk, issue the switchport trunk allowed
vlan add vlan-list command
Note
VLANs 1 and 1002 through 1005 are reserved VLANs and cannot be
removed from any trunk link.
To configure VLANs on a Cisco switch, use the global config vlan command.
In the following example, we demonstrate how to configure the switch so that
a trunk carries three VLANs. Remember that VLAN 1 is the native and
management VLAN by default.
Switch(config)#int eth0/0
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 1,10,20
Switch(config-if)#exit
802.1Q
802.1Q is an IEEE standard trunking protocol that supports Virtual LANs
(VLANs) on an Ethernet network. Cisco switches support both Inter-Switch
Link (ISL) and 802.1Q. The IEEE 802.1Q standard defines the operation of
VLAN bridges that allow the definition, operation and administration of
virtual LAN topologies within a bridged LAN infrastructure.
The concept that lets IEEE 802.1Q perform the above functions is its tag.
802.1Q-compliant switch ports can be configured to transmit tagged or
untagged frames. A tag field containing VLAN information can be inserted
into an Ethernet frame.
802.1Q adds a 4-byte header to the frame indicating the VLAN (Virtual LAN)
membership, as compared to ISL, which encapsulates the frame (adds a header
and a trailer).
Exam Tip
Dot1Q is actually the IEEE standard 802.1Q that is used for trunking
encapsulation. In a switched network, Dot1Q encapsulation on a trunk port
allows the tagged frames of multiple VLANs to be transported.
The following figure illustrates the original and tagged Ethernet frame formats:
Figure 2-02: Ethernet Original and Tagged Frame Format
The following figure represents the sub-fields of the Tag field:
Figure 2-03: Sub-fields of the Tag Field
Field Descriptions:
Tag Protocol Identifier (TPID): A 16-bit field set to the value 0x8100 in
order to identify the frame as an IEEE 802.1Q-tagged frame.
Priority Field: A 3-bit field describing the priority of the packet (8
priority levels).
Canonical Format Indicator (CFI): A 1-bit field indicating whether the frame
may be dropped in case of network congestion.
VLAN Identifier (VID): A 12-bit field specifying the VLAN to which the
frame belongs.
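As an added example (not code from the book), the following Python decodes the tag layout just described from a raw frame and also encodes one, so the field boundaries can be checked against constructed frames. The reserved VID ranges it flags are the ones this chapter lists; the sample frames and function names are assumptions of this example.

```python
"""Decode and encode the IEEE 802.1Q tag of an Ethernet frame.

Added example, not from the book. Field layout as described in the text:
16-bit TPID 0x8100, 3-bit priority, 1-bit CFI, 12-bit VID. The reserved
VID ranges are the ones the chapter lists (0 and 4095 for system use,
1002-1005 for Token Ring/FDDI). Sample frames are constructed in the tests.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100
RESERVED_SYSTEM_VIDS = {0, 4095}
TOKEN_RING_FDDI_VIDS = range(1002, 1006)


@dataclass
class VlanTag:
    priority: int  # 3-bit priority (0-7)
    cfi: int       # 1-bit CFI
    vid: int       # 12-bit VLAN identifier


@dataclass
class Frame:
    dst: str
    src: str
    tag: Optional[VlanTag]   # None for an untagged frame
    ethertype: int
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes) -> Frame:
    """Split dst/src, an optional 802.1Q tag, EtherType and payload."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an untagged Ethernet header")
    dst, src = _mac(raw[0:6]), _mac(raw[6:12])
    (tpid,) = struct.unpack("!H", raw[12:14])
    if tpid != TPID_8021Q:
        # No tag: the 16 bits after the source MAC are the EtherType itself.
        return Frame(dst, src, None, tpid, raw[14:])
    if len(raw) < 18:
        raise ValueError("tagged frame truncated inside the 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", raw[14:18])
    tag = VlanTag(priority=tci >> 13, cfi=(tci >> 12) & 0x1, vid=tci & 0x0FFF)
    return Frame(dst, src, tag, ethertype, raw[18:])


def build_tag(priority: int, cfi: int, vid: int) -> bytes:
    """Inverse of the parser: the 4-byte TPID + TCI inserted after the MACs."""
    if not (0 <= priority <= 7 and cfi in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("tag field out of range")
    return struct.pack("!HH", TPID_8021Q, (priority << 13) | (cfi << 12) | vid)


def vid_status(vid: int) -> str:
    """Classify a VID against the ranges listed in this chapter."""
    if vid in RESERVED_SYSTEM_VIDS:
        return "reserved-system"
    if vid in TOKEN_RING_FDDI_VIDS:
        return "reserved-tokenring-fddi"
    if vid <= 1005:
        return "normal-range"
    return "extended-range"


if __name__ == "__main__":
    # Constructed broadcast ARP frame tagged for VLAN 20 with priority 5.
    sample = (bytes.fromhex("ffffffffffff001122334455") + build_tag(5, 0, 20)
              + bytes.fromhex("0806") + b"\x00\x01")
    frame = parse_frame(sample)
    print(frame.tag, hex(frame.ethertype), vid_status(frame.tag.vid))
```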
Native VLAN
By default, VLAN 1 is referred to as the native VLAN. Usually, in a Cisco
LAN, the switch leaves the native VLAN untagged on 802.1Q trunk ports; VLAN 1
is the only untagged VLAN in the architecture. Cisco introduced this special
VLAN for management traffic, so that this crucial traffic can still flow
between devices even if a link loses its trunking status.
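The recommendation in the Default VLAN section above to move ports off VLAN 1, together with the point here that the native VLAN is untagged by default, can be checked mechanically against a switch configuration. The following is an added example (not Cisco's or the book's code) that audits running-config style text; the interface block layout it assumes is the usual IOS one and the sample configuration is constructed.

```python
"""Audit a Cisco IOS switch configuration for ports left in the default VLAN.

Added example, not from the book or Cisco. It walks running-config style
text (the sample below is constructed) and reports access ports that still
belong to VLAN 1, trunks whose native VLAN is still VLAN 1, and trunks with
no allowed-VLAN list. The block layout assumed is the usual IOS one: an
"interface <name>" line, indented commands, and a "!" terminator.
"""
import re
from typing import Dict, List, Optional

DEFAULT_VLAN = 1  # VLAN 1: default access VLAN and default native VLAN

# Constructed sample in the style of the lab configurations in this chapter.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 switchport access vlan 30
 switchport mode access
!
interface Ethernet0/1
 switchport mode access
!
interface Ethernet0/2
 switchport access vlan 20
 switchport mode access
!
interface Ethernet0/3
 switchport trunk allowed vlan 10,20,30
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode passive
!
interface Ethernet1/0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
interface Ethernet1/1
 shutdown
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [stripped command lines]} per interface block."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.strip() == "!":
            current = None          # end of the block
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks


def _int_after(prefix: str, cmd: str) -> Optional[int]:
    m = re.match(re.escape(prefix) + r" (\d+)$", cmd)
    return int(m.group(1)) if m else None


def audit_default_vlan(config: str) -> List[str]:
    """List findings for ports whose traffic would land in VLAN 1."""
    findings: List[str] = []
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:
            continue                # administratively down: carries nothing
        mode = None
        access_vlan = DEFAULT_VLAN  # IOS default when no access VLAN is set
        native_vlan = DEFAULT_VLAN  # IOS default native VLAN on a trunk
        has_allowed_list = False
        for cmd in cmds:
            m = re.match(r"switchport mode (access|trunk)$", cmd)
            if m:
                mode = m.group(1)
            v = _int_after("switchport access vlan", cmd)
            if v is not None:
                access_vlan = v
            v = _int_after("switchport trunk native vlan", cmd)
            if v is not None:
                native_vlan = v
            if cmd.startswith("switchport trunk allowed vlan "):
                has_allowed_list = True
        if mode == "access" and access_vlan == DEFAULT_VLAN:
            findings.append(f"{name}: access port in default VLAN {DEFAULT_VLAN}")
        if mode == "trunk":
            if native_vlan == DEFAULT_VLAN:
                findings.append(f"{name}: trunk native VLAN is default VLAN {DEFAULT_VLAN}")
            if not has_allowed_list:
                findings.append(f"{name}: trunk allows all VLANs (no allowed list)")
    return findings


if __name__ == "__main__":
    for finding in audit_default_vlan(SAMPLE_CONFIG):
        print(finding)
```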
Layer 2 Discovery Protocols (Cisco Discovery Protocol and
LLDP)
Cisco Discovery Protocol (CDP)
Cisco Discovery Protocol (CDP) is a device discovery protocol that operates
at the data-link layer (Layer 2) on all Cisco-manufactured devices and
permits network management applications to discover neighboring Cisco
devices. By means of CDP, network management applications can learn the
device type and the Simple Network Management Protocol (SNMP) agent address
of neighboring devices running lower-layer, transparent protocols. This
feature enables applications to send SNMP queries to neighboring devices.
CDP runs on all media that support the Subnetwork Access Protocol (SNAP).
Because CDP runs over the data-link layer only, two systems that support
different network-layer protocols can still learn about each other
Every CDP-configured device sends periodic messages to a multicast address,
advertising at least one address at which it can receive SNMP messages. The
advertisements also contain Time to Live (TTL) or hold-time information,
which is the length of time the receiving device holds the CDP information
before discarding it. Every device listens to the messages sent by other
devices to learn about its neighbors.
Figure 2-04: CDP Features
To enable:
Switch(config)# cdp run
Switch(config)# end
To disable:
Switch(config)#no cdp run
Switch(config)# end
LLDP (Link Layer Discovery Protocol)
Cisco Discovery Protocol is a device discovery protocol that runs over Layer
2 (the data link layer) on all Cisco-manufactured devices, such as routers,
bridges, access servers, and switches. CDP permits network management
applications to automatically discover and learn about other Cisco devices
that are connected to the network.
To support non-Cisco devices and allow interoperability between other
devices, the switch supports IEEE 802.1AB LLDP. LLDP is a neighbor discovery
protocol that network devices use to advertise information about themselves
to other devices on the network. This protocol runs over the data-link layer
(Layer 2), which permits two systems running different network layer
protocols to learn about each other. LLDP supports a set of attributes that
it uses to discover neighbor devices. These attributes contain type, length
and value descriptions and are referred to as Type-Length-Values (TLVs).
LLDP-capable devices use TLVs to send and receive information to and from
their neighbors. Details such as configuration information, device identity,
and device capabilities can be advertised by using this protocol.
The switch supports the following simple management TLVs, which are
optional:
Port Description TLV
System Capabilities TLV
Management Address TLV
System Name TLV
System Description TLV
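As an added example (not from the book, Cisco, or the standard's text), the following Python walks the TLVs of an LLDPDU and decodes the optional TLVs listed above. It assumes the IEEE 802.1AB framing (a 16-bit header carrying a 7-bit type and a 9-bit length) and the standard type codes; the sample LLDPDU is constructed in the code.

```python
"""Walk the TLVs of an LLDP data unit (LLDPDU).

Added example, not from the book or from Cisco. Framing assumed from IEEE
802.1AB: a 16-bit TLV header holds a 7-bit type and a 9-bit length; types
1-3 are mandatory and type 0 ends the PDU. The type codes for the optional
TLVs the text lists (4-8) are the standard ones. The sample PDU is constructed.
"""
import struct
from typing import Dict, List, Tuple

TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID",
             3: "Time To Live", 4: "Port Description", 5: "System Name",
             6: "System Description", 7: "System Capabilities",
             8: "Management Address"}
# System Capabilities bitmap (bit -> capability), per 802.1AB.
CAPABILITY_BITS = {0x01: "other", 0x02: "repeater", 0x04: "bridge",
                   0x08: "wlan-ap", 0x10: "router", 0x20: "telephone",
                   0x40: "docsis", 0x80: "station"}


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def split_tlvs(pdu: bytes) -> List[Tuple[int, bytes]]:
    """Return [(type, value), ...] up to and including the End TLV."""
    tlvs: List[Tuple[int, bytes]] = []
    pos = 0
    while pos + 2 <= len(pdu):
        (hdr,) = struct.unpack("!H", pdu[pos:pos + 2])
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = pdu[pos + 2:pos + 2 + length]
        if len(value) != length:  # length field points past the PDU
            raise ValueError(f"TLV type {tlv_type} truncated at offset {pos}")
        tlvs.append((tlv_type, value))
        pos += 2 + length
        if tlv_type == 0:
            return tlvs
    raise ValueError("LLDPDU has no End of LLDPDU TLV")


def decode_lldpdu(pdu: bytes) -> Dict[str, object]:
    """Decode mandatory TLVs and the simple optional ones into a dict."""
    out: Dict[str, object] = {}
    for tlv_type, value in split_tlvs(pdu):
        name = TLV_NAMES.get(tlv_type, f"type-{tlv_type}")
        if tlv_type == 0:
            break
        if tlv_type in (1, 2):  # 1-byte subtype, then the identifier
            if len(value) < 2:
                raise ValueError(f"{name} too short")
            out[name] = (value[0], value[1:])
        elif tlv_type == 3:  # 16-bit TTL in seconds
            if len(value) != 2:
                raise ValueError("TTL must be 2 bytes")
            out[name] = struct.unpack("!H", value)[0]
        elif tlv_type in (4, 5, 6):  # free-text TLVs
            out[name] = value.decode("utf-8", errors="replace")
        elif tlv_type == 7:  # supported bitmap, then enabled bitmap
            if len(value) != 4:
                raise ValueError("System Capabilities must be 4 bytes")
            supported, enabled = struct.unpack("!HH", value)
            out[name] = {
                "supported": [n for b, n in CAPABILITY_BITS.items() if supported & b],
                "enabled": [n for b, n in CAPABILITY_BITS.items() if enabled & b]}
        else:
            out[name] = value  # left raw (e.g. Management Address)
    missing = [TLV_NAMES[t] for t in (1, 2, 3) if TLV_NAMES[t] not in out]
    if missing:
        raise ValueError("mandatory TLV missing: " + ", ".join(missing))
    return out


def is_well_formed(pdu: bytes) -> bool:
    """True when the PDU parses and carries every mandatory TLV."""
    try:
        decode_lldpdu(pdu)
        return True
    except ValueError:
        return False


# Constructed sample: chassis ID subtype 4 (MAC), port ID subtype 5
# (interface name), TTL 120 s, the optional text TLVs, capabilities, End.
SAMPLE_LLDPDU = b"".join([
    build_tlv(1, b"\x04" + bytes.fromhex("0011223344aa")),
    build_tlv(2, b"\x05Gi1/1"),
    build_tlv(3, struct.pack("!H", 120)),
    build_tlv(4, b"uplink to core"),
    build_tlv(5, b"Switch"),
    build_tlv(6, b"constructed sample system description"),
    build_tlv(7, struct.pack("!HH", 0x0014, 0x0004)),
    build_tlv(0, b""),
])
```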
The following example shows how to configure a hold time of 120 seconds, a
reinitialization delay of 2 seconds and an update frequency of 20 seconds:
Switch# configure terminal
Switch(config)# lldp holdtime 120
Switch(config)# lldp reinit 2
Switch(config)# lldp timer 20
Switch(config)# end
The following example shows how to transmit LLDP packets only (without receiving them):
switch# configure terminal
switch(config)# no lldp receive
switch(config)# end
If you want to receive LLDP packets again, do the following:
switch# configure terminal
switch(config)# lldp receive
switch(config)# end
The following example shows how to globally disable LLDP.
Switch# configure terminal
Switch(config)# no lldp run
Switch(config)# end
The following example shows how to globally enable LLDP.
Switch# configure terminal
Switch(config)# lldp run
Switch(config)# end
The following example shows how to enable LLDP on an interface.
Switch# configure terminal
Switch(config)# interface GigabitEthernet 1/1
Switch(config-if)# lldp transmit
Switch(config-if)# lldp receive
Switch(config-if)# end
To monitor and maintain LLDP and LLDP-MED on your device, execute one
or more of the following tasks, beginning in privileged EXEC mode:
show lldp
show lldp entry entry-name
show lldp errors
show lldp interface [interface-id]
show lldp traffic
show lldp neighbors [interface-id] [detail]
(Layer 2/Layer 3) EtherChannel (LACP)
EtherChannel
An EtherChannel consists of Fast Ethernet or Gigabit Ethernet links bundled
into a single logical link as shown in figure below.
Figure 2-05: EtherChannel
An EtherChannel offers full-duplex bandwidth of up to 800 Mb/s (Fast
EtherChannel) or 8 Gb/s (Gigabit EtherChannel) between two switches. An
EtherChannel can consist of up to eight compatibly configured Ethernet ports.
All ports in an EtherChannel must be configured as either Layer 2 or Layer 3
ports. The number of EtherChannels is limited to 48. Layer 3 EtherChannels
are built from routed ports. Routed ports are physical ports that are
configured to be in Layer 3 mode by entering the no switchport interface
configuration command.
Link Aggregation Control Protocol
The Link Aggregation Control Protocol (LACP) is specified in IEEE 802.3ad.
It allows Cisco switches to manage Ethernet channels between switches. LACP
allows the automatic creation of EtherChannels by exchanging LACP packets
between Ethernet ports. By using LACP, the switch learns the status of
partners capable of supporting LACP and the capabilities of each port. It
then dynamically groups similarly configured ports into a single logical
link (channel or aggregate port). Ports are grouped based on hardware,
administrative, and port parameter constraints. For example, LACP groups
the ports with the same speed, duplex mode, native VLAN, VLAN range, and
trunking status and type. While grouping the links into an EtherChannel,
LACP adds the group to the spanning tree as a single switch port.
Mode      Description
Active    Sets a port into an active negotiating state in which the port
          initiates negotiations with other ports by sending LACP packets
Passive   Sets a port into a passive negotiating state in which the port
          responds to LACP packets that it receives, but does not initiate
          LACP packet negotiation. This setting reduces the transmission
          of LACP packets
Table 2-01: LACP Modes
Both the active and the passive LACP mode allow ports to negotiate with
partner ports to form an EtherChannel based on defined criteria such as port
speed and, for Layer 2 EtherChannels, trunking state and VLAN numbers.
Ports can form an EtherChannel while they are in different LACP modes as
long as the modes are compatible.
For example:
A port in the active mode can form an EtherChannel with another
port that is in active or passive mode
A port in the passive mode cannot form an EtherChannel with
another port that is also in passive mode because neither port starts
LACP negotiation
Configuring Layer 2 EtherChannels
This example demonstrates how to configure an EtherChannel on a switch. It
assigns two ports as static-access ports in VLAN 11 to channel 4 with the
LACP mode active:
Switch# configure terminal
Switch(config)# interface range gigabitethernet 2/0/1 -2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 11
Switch(config-if-range)# channel-group 4 mode active
Switch(config-if-range)# end
Configuring Layer 3 EtherChannels
The following example shows how to create the logical port channel 4 and
assign 172.10.10.10 as its IP address:
Switch# configure terminal
Switch(config)# interface port-channel 4
Switch(config-if)# no switchport
Switch(config-if)# ip address 172.10.10.10 255.255.255.0
Switch(config-if)# end
The following example demonstrates how to configure a Layer 3 EtherChannel.
It assigns two ports to channel 4 with the LACP mode active:
Switch# configure terminal
Switch(config)# interface range gigabitethernet2/0/1 -2
Switch(config-if-range)# no ip address
Switch(config-if-range)# no switchport
Switch(config-if-range)# channel-group 4 mode active
Switch(config-if-range)# end
Lab 2-01: VLAN, Inter-VLAN, Trunk Port, EtherChannel
Case Study
Consider a company in which different departments, namely management,
production, and marketing, have to be connected all the time. Therefore, the
company hired a network engineer to deploy a network that provides seamless
connectivity among the departments.
Topology
Figure 2-06: Topology Diagram
Configuration
The network engineer deployed a network to provide connectivity among the
various departments by configuring VLANs, inter-VLAN routing, trunk ports,
and EtherChannel.
To provide seamless connectivity, configure the Hot Standby Router
Protocol (HSRP).
S2
S2>enable
S2#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
//Configuring Etherchannel
S2(config)#interface Port-channel2
S2(config-if)#no shutdown
//Configuring Trunk Port
S2(config-if)#switchport trunk allowed vlan 10,20,30
S2(config-if)#switchport trunk encapsulation dot1q
S2(config-if)#switchport mode trunk
S2(config-if)#exit
//Configuring Etherchannel
S2(config)#interface Port-channel3
S2(config-if)#no shutdown
//Configuring Trunk Port
S2(config-if)#switchport trunk allowed vlan 10,20,30
S2(config-if)#switchport trunk encapsulation dot1q
S2(config-if)#switchport mode trunk
S2(config-if)#exit
//Configuring Vlan 30
S2(config)#interface Ethernet0/0
S2(config-if)#no shutdown
S2(config-if)#switchport access vlan 30
S2(config-if)#switchport mode access
S2(config-if)#exit
S2(config)#interface Ethernet0/1
S2(config-if)#no shutdown
S2(config-if)#switchport access vlan 10
S2(config-if)#switchport mode access
S2(config-if)#exit
S2(config)#interface Ethernet0/2
S2(config-if)#no shutdown
S2(config-if)#switchport access vlan 20
S2(config-if)#switchport mode access
S2(config-if)#exit
//Configuring Trunk Port
S2(config)#interface Ethernet0/3
S2(config-if)#no shutdown
S2(config-if)#switchport trunk allowed vlan 10,20,30
S2(config-if)#switchport trunk encapsulation dot1q
S2(config-if)#switchport mode trunk
//Configuring Etherchannel mode
S2(config-if)#channel-group 2 mode passive
S2(config-if)#exit
//Configuring Trunk Port
S2(config)#interface Ethernet1/0
S2(config-if)#no shutdown
S2(config-if)#switchport trunk allowed vlan 10,20,30
S2(config-if)#switchport trunk encapsulation dot1q
S2(config-if)#switchport mode trunk
//Configuring Etherchannel mode
S2(config-if)#channel-group 3 mode active
S2(config-if)#exit
//Configuring Trunk Port
S2(config)#interface Ethernet1/1
S2(config-if)#no shutdown
S2(config-if)#exit
S2(config)#interface Ethernet1/2
S2(config-if)#no shutdown
S2(config-if)#switchport trunk allowed vlan 10,20,30
S2(config-if)#switchport trunk encapsulation dot1q
S2(config-if)#switchport mode trunk
//Configuring Etherchannel mode
S2(config-if)#channel-group 2 mode passive
//Configuring Trunk Port
S2(config-if)#interface Ethernet1/3
S2(config-if)#no shutdown
S2(config-if)#switchport trunk allowed vlan 10,20,30
S2(config-if)#switchport trunk encapsulation dot1q
S2(config-if)#switchport mode trunk
//Configuring Etherchannel mode
S2(config-if)#channel-group 3 mode active
S2(config-if)#exit
S3
S3>en
S3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
//Configuring Etherchannel
S3(config)#interface Port-channel1
S3(config-if)#no shutdown
//Configuring Trunk Port
S3(config-if)#switchport trunk allowed vlan 10,20,30
S3(config-if)#switchport trunk encapsulation dot1q
S3(config-if)#switchport mode trunk
S3(config-if)#exit
//Configuring Etherchannel
S3(config)#interface Port-channel3
S3(config-if)#no shutdown
//Configuring Trunk Port
S3(config-if)#switchport trunk allowed vlan 10,20,30
S3(config-if)#switchport trunk encapsulation dot1q
S3(config-if)#switchport mode trunk
S3(config-if)#exit
//Configuring Vlan
S3(config)#interface Ethernet0/0
S3(config-if)#no shutdown
S3(config-if)#switchport access vlan 30
S3(config-if)#switchport mode access
S3(config-if)#exit
//Configuring Trunk Port
S3(config)#interface Ethernet0/1
S3(config-if)#no shutdown
S3(config-if)#switchport trunk allowed vlan 10,20,30
S3(config-if)#switchport trunk encapsulation dot1q
S3(config-if)#switchport mode trunk
//Configuring Etherchannel mode
S3(config-if)#channel-group 1 mode active
S3(config-if)#exit
//Configuring Vlan
S3(config)#interface Ethernet0/2
S3(config-if)#no shutdown
S3(config-if)#switchport access vlan 20
S3(config-if)#switchport mode access
S3(config-if)#exit
//Configuring Vlan
S3(config)#interface Ethernet0/3
S3(config-if)#no shutdown
S3(config-if)#switchport access vlan 10
S3(config-if)#switchport mode access
S3(config-if)#exit
//Configuring Trunk Port
S3(config)#interface Ethernet1/0
S3(config-if)#no shutdown
S3(config-if)#switchport trunk allowed vlan 10,20,30
S3(config-if)#switchport trunk encapsulation dot1q
S3(config-if)#switchport mode trunk
S3(config-if)#exit
S3(config)#interface Ethernet1/1
S3(config-if)#no shutdown
S3(config-if)#switchport trunk allowed vlan 10,20,30
S3(config-if)#switchport trunk encapsulation dot1q
S3(config-if)#switchport mode trunk
//Configuring Etherchannel mode
S3(config-if)#channel-group 1 mode active
S3(config-if)#exit
//Configuring Trunk Port
S3(config)#interface Ethernet1/2
S3(config-if)#no shutdown
S3(config-if)#switchport trunk allowed vlan 10,20,30
S3(config-if)#switchport trunk encapsulation dot1q
S3(config-if)#switchport mode trunk
//Configuring Etherchannel mode
S3(config-if)#channel-group 3 mode passive
S3(config-if)#exit
//Configuring Trunk Port
S3(config)#interface Ethernet1/3
S3(config-if)#no shutdown
S3(config-if)#switchport trunk allowed vlan 10,20,30
S3(config-if)#switchport trunk encapsulation dot1q
S3(config-if)#switchport mode trunk
//Configuring Etherchannel mode
S3(config-if)#channel-group 3 mode passive
S3(config-if)#exit
S4
S4>en
S4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
//Configuring Etherchannel
S4(config)#interface port-channel2
S4(config-if)#no shutdown
//Configuring Trunk Port
S4(config-if)#switchport trunk allowed vlan 10,20,30
S4(config-if)#switchport trunk encapsulation dot1q
S4(config-if)#switchport mode trunk
S4(config-if)#exit
//Configuring Etherchannel
S4(config)#interface port-channel1
S4(config-if)#no shutdown
//Configuring Trunk Port
S4(config-if)#switchport trunk allowed vlan 10,20,30
S4(config-if)#switchport trunk encapsulation dot1q
S4(config-if)#switchport mode trunk
S4(config-if)#exit
//Configuring Vlan
S4(config)#interface Ethernet0/0
S4(config-if)#no shutdown
S4(config-if)#switchport access vlan 30
S4(config-if)#switchport mode access
S4(config-if)#exit
S4(config)#interface Ethernet0/1
S4(config-if)#no shutdown
S4(config-if)#switchport access vlan 10
S4(config-if)#switchport mode access
S4(config-if)#exit
S4(config)#interface Ethernet0/2
S4(config-if)#no shutdown
S4(config-if)#switchport access vlan 20
S4(config-if)#switchport mode access
S4(config-if)#exit
//Configuring Trunk Port
S4(config)#interface Ethernet0/3
S4(config-if)#no shutdown
S4(config-if)#switchport trunk allowed vlan 10,20,30
S4(config-if)#switchport trunk encapsulation dot1q
S4(config-if)#switchport mode trunk
//Configuring Etherchannel mode
S4(config-if)#channel-group 2 mode active
S4(config-if)#exit
//Configuring Trunk Port
S4(config)#interface Ethernet1/0
S4(config-if)#no shutdown
S4(config-if)#switchport trunk allowed vlan 10,20,30
S4(config-if)#switchport trunk encapsulation dot1q
S4(config-if)#switchport mode trunk
//Configuring Etherchannel mode
S4(config-if)#channel-group 1 mode passive
S4(config-if)#exit
//Configuring Trunk Port
S4(config)#interface Ethernet1/1
S4(config-if)#no shutdown
S4(config-if)#switchport trunk allowed vlan 10,20,30
S4(config-if)#switchport trunk encapsulation dot1q
S4(config-if)#switchport mode trunk
//Configuring Etherchannel mode
S4(config-if)#channel-group 1 mode passive
S4(config-if)#exit
//Configuring Trunk Port
S4(config)#interface Ethernet1/2
S4(config-if)#no shutdown
S4(config-if)#switchport trunk allowed vlan 10,20,30
S4(config-if)#switchport trunk encapsulation dot1q
S4(config-if)#switchport mode trunk
//Configuring Etherchannel mode
S4(config-if)#channel-group 2 mode active
S4(config-if)#exit
//Configuring Trunk Port
S4(config)#interface Ethernet1/3
S4(config-if)#no shutdown
S4(config-if)#switchport trunk allowed vlan 10,20,30
S4(config-if)#switchport trunk encapsulation dot1q
S4(config-if)#switchport mode trunk
S4(config-if)#exit
HSRP1
HSRP1>en
HSRP1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
HSRP1(config)#interface FastEthernet0/0
HSRP1(config-if)#ip address 100.10.1.2 255.255.255.252
HSRP1(config-if)#duplex half
HSRP1(config-if)#exit
HSRP1(config)#interface Ethernet1/0
HSRP1(config-if)#no ip address
HSRP1(config-if)#shutdown
HSRP1(config-if)#duplex full
HSRP1(config-if)#exit
HSRP1(config)#interface Ethernet1/1
HSRP1(config-if)#no ip address
HSRP1(config-if)#shutdown
HSRP1(config-if)#duplex full
HSRP1(config-if)#exit
HSRP1(config)#interface Ethernet1/2
HSRP1(config-if)#no ip address
HSRP1(config-if)#shutdown
HSRP1(config-if)#duplex full
HSRP1(config-if)#exit
HSRP1(config)#interface Ethernet1/3
HSRP1(config-if)#no ip address
HSRP1(config-if)#duplex full
HSRP1(config-if)#exit
//Configuring HSRP
HSRP1(config)#interface Ethernet1/3.1
HSRP1(config-subif)#encapsulation dot1Q 10
HSRP1(config-subif)#ip address 172.16.1.2 255.255.255.0
HSRP1(config-subif)#standby 0 ip 172.16.1.1
HSRP1(config-subif)#exit
HSRP1(config)#interface Ethernet1/3.2
HSRP1(config-subif)#encapsulation dot1Q 20
HSRP1(config-subif)#ip address 172.16.2.2 255.255.255.0
HSRP1(config-subif)#standby 1 ip 172.16.2.1
HSRP1(config-subif)#exit
HSRP1(config)#interface Ethernet1/3.3
HSRP1(config-subif)#encapsulation dot1Q 30
HSRP1(config-subif)#ip address 172.16.3.2 255.255.255.0
HSRP1(config-subif)#standby 2 ip 172.16.3.1
HSRP1(config-subif)#exit
HSRP1(config)#interface fastEthernet2/0
HSRP1(config-if)#no ip address
HSRP1(config-if)#duplex half
HSRP1(config-if)#exit
//Configuring OSPF
HSRP1(config)#router ospf 1
HSRP1(config-router)#network 100.10.1.0 0.0.0.3 area 0
HSRP1(config-router)#network 172.16.1.0 0.0.0.255 area 1
HSRP1(config-router)#network 172.16.2.0 0.0.0.255 area 1
HSRP1(config-router)#network 172.16.3.0 0.0.0.255 area 1
HSRP1(config-router)#exit
HSRP2
HSRP2>en
HSRP2#config t
Enter configuration commands, one per line. End with CNTL/Z.
HSRP2(config)#interface fastEthernet0/0
HSRP2(config-if)#ip address 200.10.1.2 255.255.255.252
HSRP2(config-if)#duplex half
HSRP2(config-if)#exit
HSRP2(config)#interface Ethernet1/0
HSRP2(config-if)#no ip address
HSRP2(config-if)#duplex half
HSRP2(config-if)#exit
//Configuring HSRP
HSRP2(config)#interface Ethernet1/0.1
HSRP2(config-subif)#encapsulation dot1Q 10
HSRP2(config-subif)#ip address 172.16.1.3 255.255.255.0
HSRP2(config-subif)#standby 0 ip 172.16.1.1
HSRP2(config-subif)#exit
HSRP2(config)#interface Ethernet1/0.2
HSRP2(config-subif)#encapsulation dot1Q 20
HSRP2(config-subif)#ip address 172.16.2.3 255.255.255.0
HSRP2(config-subif)#standby 1 ip 172.16.2.1
HSRP2(config-subif)#exit
HSRP2(config)#interface Ethernet1/0.3
HSRP2(config-subif)#encapsulation dot1Q 30
HSRP2(config-subif)#ip address 172.16.3.3 255.255.255.0
HSRP2(config-subif)#standby 2 ip 172.16.3.1
HSRP2(config-subif)#exit
HSRP2(config)#interface Ethernet1/1
HSRP2(config-if)#no ip address
HSRP2(config-if)#shutdown
HSRP2(config-if)#duplex full
HSRP2(config-if)#exit
HSRP2(config)#interface Ethernet1/2
HSRP2(config-if)#no ip address
HSRP2(config-if)#shutdown
HSRP2(config-if)#duplex full
HSRP2(config-if)#interface Ethernet1/3
HSRP2(config-if)#no ip address
HSRP2(config-if)#shutdown
HSRP2(config-if)#duplex full
HSRP2(config-if)#exit
HSRP2(config)#interface fastEthernet2/0
HSRP2(config-if)#no ip address
HSRP2(config-if)#duplex full
HSRP2(config-if)#exit
//Configuring OSPF
HSRP2(config)#router ospf 1
HSRP2(config-router)# network 172.16.1.0 0.0.0.255 area 1
HSRP2(config-router)# network 172.16.2.0 0.0.0.255 area 1
HSRP2(config-router)# network 172.16.3.0 0.0.0.255 area 1
HSRP2(config-router)# network 200.10.1.0 0.0.0.3 area 0
HSRP2(config-router)#exit
GatewayRouter
Router>en
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname GatewayRouter
GatewayRouter(config)#interface fastEthernet0/0
GatewayRouter(config-if)#ip address 100.10.1.1 255.255.255.252
GatewayRouter(config-if)#duplex auto
GatewayRouter(config-if)#speed auto
GatewayRouter(config-if)#exit
GatewayRouter(config)#interface fastEthernet0/1
GatewayRouter(config-if)#ip address 200.10.1.1 255.255.255.252
GatewayRouter(config-if)#duplex auto
GatewayRouter(config-if)#speed auto
GatewayRouter(config-if)#exit
GatewayRouter(config)#interface fastEthernet1/0
GatewayRouter(config-if)#no ip address
GatewayRouter(config-if)#shutdown
GatewayRouter(config-if)#duplex auto
GatewayRouter(config-if)#speed auto
GatewayRouter(config-if)#exit
GatewayRouter(config)#interface fastEthernet2/0
GatewayRouter(config-if)#no ip address
GatewayRouter(config-if)#shutdown
GatewayRouter(config-if)#duplex auto
GatewayRouter(config-if)#speed auto
GatewayRouter(config-if)#exit
//Configuring OSPF
GatewayRouter(config)#router ospf 1
GatewayRouter(config-router)# router-id 1.1.1.1
GatewayRouter(config-router)# network 100.10.1.0 0.0.0.3 area 0
GatewayRouter(config-router)# network 200.10.1.0 0.0.0.3 area 0
GatewayRouter(config-router)#exit
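Before turning to the show commands, the transcripts above can be cross-checked statically. The Python audit below is an added example, not part of the lab and not a Cisco tool; it parses the Host(config-if)#command transcript format used above and assumes the constructed SAMPLE transcript and the LINKS list (which Port-channels face each other across a cable) defined in the code.

```python
import ipaddress
import re
from collections import defaultdict

PROMPT = re.compile(r"^(?P<host>[\w-]+)\((?P<mode>[\w-]+)\)#\s*(?P<cmd>.*)$")
STANDBY = re.compile(r"^standby (\d+) ip (\S+)$")
TRUNK_KEYS = ("switchport_mode", "allowed_vlans")

def parse_transcript(text):
    """Map host -> interface -> settings; '//' comments, banners and non-interface commands are skipped."""
    devices, current = defaultdict(dict), None
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        parts = m.group("cmd").split() if m else []
        if not parts:
            continue
        host, mode, cmd = m.group("host"), m.group("mode"), " ".join(parts)
        if parts[0] == "interface" and len(parts) == 2:
            current = devices[host].setdefault(parts[1].lower(), {})
        elif current is None or mode not in ("config-if", "config-subif"):
            continue
        elif parts[0] == "exit":
            current = None
        elif parts[0] == "channel-group" and len(parts) == 4:
            current["channel_group"], current["lacp_mode"] = int(parts[1]), parts[3]
        elif cmd.startswith("switchport trunk allowed vlan ") and len(parts) == 5:
            current["allowed_vlans"] = parts[4]
        elif cmd.startswith("switchport mode ") and len(parts) == 3:
            current["switchport_mode"] = parts[2]
        elif cmd.startswith("ip address ") and len(parts) == 4:
            current["ip"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif STANDBY.match(cmd):
            grp, vip = STANDBY.match(cmd).groups()
            current["standby"] = (int(grp), ipaddress.ip_address(vip))
    return devices

def check_etherchannel(devices):
    """Members of one channel-group must carry identical trunk settings or the switch will not bundle them."""
    findings = []
    for host, ifaces in devices.items():
        groups = defaultdict(list)
        for name, cfg in ifaces.items():
            if "channel_group" in cfg:
                groups[cfg["channel_group"]].append(name)
        for grp, members in sorted(groups.items()):
            if len({tuple(ifaces[m].get(k) for k in TRUNK_KEYS) for m in members}) > 1:
                findings.append(f"{host} Po{grp}: members {sorted(members)} differ in trunk settings")
    return findings

def check_lacp_pairs(devices, links):
    """links = ((hostA, Po), (hostB, Po)) per cable; an LACP bundle needs at least one 'active' end."""
    findings = []
    for (ha, ga), (hb, gb) in links:
        modes = {cfg["lacp_mode"] for host, grp in ((ha, ga), (hb, gb))
                 for cfg in devices.get(host, {}).values() if cfg.get("channel_group") == grp}
        if "active" not in modes:
            findings.append(f"{ha} Po{ga} <-> {hb} Po{gb}: modes {sorted(modes)}, LACP will not form")
    return findings

def check_hsrp(devices):
    """Each HSRP group needs one virtual IP on every router, inside the subnet of the announcing subinterface."""
    findings, vips = [], defaultdict(set)
    for host, ifaces in devices.items():
        for name, cfg in ifaces.items():
            if "standby" in cfg:
                grp, vip = cfg["standby"]
                vips[grp].add(vip)
                if "ip" in cfg and vip not in cfg["ip"].network:
                    findings.append(f"{host} {name}: group {grp} VIP {vip} outside {cfg['ip'].network}")
    for grp, addrs in sorted(vips.items()):
        if len(addrs) > 1:
            findings.append(f"HSRP group {grp}: routers disagree on VIP {sorted(map(str, addrs))}")
    return findings

# Constructed transcript with two deliberate faults: S3 Ethernet1/3 lacks 'switchport
# mode trunk', and HSRP1 announces a VLAN 10 address as the VLAN 20 virtual IP.
SAMPLE = """S2(config)#interface Ethernet1/3
S2(config-if)#switchport trunk allowed vlan 10,20,30
S2(config-if)#switchport mode trunk
S2(config-if)#channel-group 3 mode active
S3(config)#interface Ethernet1/2
S3(config-if)#switchport trunk allowed vlan 10,20,30
S3(config-if)#switchport mode trunk
S3(config-if)#channel-group 3 mode passive
S3(config-if)#interface Ethernet1/3
S3(config-if)#switchport trunk allowed vlan 10,20,30
S3(config-if)#channel-group 3 mode passive
HSRP1(config)#interface Ethernet1/3.2
HSRP1(config-subif)#ip address 172.16.2.2 255.255.255.0
HSRP1(config-subif)#standby 1 ip 172.16.1.1
HSRP2(config)#interface Ethernet1/0.2
HSRP2(config-subif)#ip address 172.16.2.3 255.255.255.0
HSRP2(config-subif)#standby 1 ip 172.16.2.1
"""
LINKS = [(("S2", 3), ("S3", 3))]  # constructed: S2 Po3 and S3 Po3 are cabled to each other

def audit(text=SAMPLE, links=LINKS):
    devices = parse_transcript(text)
    return check_etherchannel(devices) + check_lacp_pairs(devices, links) + check_hsrp(devices)
```

Running audit() on the full transcripts of S2, S3, S4, HSRP1 and HSRP2 (with the three LINKS of this topology) is a quick way to catch a mismatched member port or a wrong virtual IP before any ping test.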
Verification
1. Verify the VLANs
S2#show vlan
From the output, we can see that VLAN 10, 20, and 30 are assigned to
department Management, Production, Marketing with respect to their
interfaces.
2. Verify Trunk Ports
S2#show interface Trunk
From the output, we can see that trunk mode is active on Port-channel 2 and 3,
the VLANs are allowed on Po2 and Po3, and the encapsulation is 802.1Q.
3. Verify EtherChannel
S2#show etherchannel
From the output, it is clear that the EtherChannel is enabled among the
switches as Group 2 and Group 3.
4. Verify the EtherChannel Port-channel
S2# show etherchannel port-channel
The output shows the status of Group 2 and Group 3: Group 2 is in passive
mode and Group 3 is in active mode, as required by the network topology.
5. Verify the Connectivity
Ping from the PC1 to PCs of different VLANs
From the ping result, it is clear that the switches of the different VLANs
are connected to each other.
Ping from the VPC to Virtual Interfaces of HSRP
The above ping result shows the connection between the switches and
virtual interfaces of HSRP is established.
Ping from the GatewayRouter to HSRP
The above ping result shows that connectivity between the virtual interfaces
of HSRP and the GatewayRouter is established.
Ping from VPC to GatewayRouter
Basic Operations of Rapid PVST+ Spanning Tree Protocol
Rapid PVST+ is the IEEE 802.1w (RSTP) standard configured on a per-VLAN
basis. A single instance of STP runs on each configured VLAN (unless you
manually disable STP). Each Rapid PVST+ instance on a VLAN has a single root
switch. You can enable and disable STP on a per-VLAN basis when you are
running Rapid PVST+.
Exam Tip
Rapid PVST+ is the default STP mode for the switch.
Rapid PVST+ uses point-to-point links to provide rapid convergence of the
spanning tree. Spanning-tree reconfiguration can occur in less than 1 second
with Rapid PVST+ (in contrast to 50 seconds with the default settings in
802.1D STP).
Exam Tip
Rapid PVST+ supports one STP instance for each VLAN.
STP convergence occurs rapidly with Rapid PVST+. Each designated or root port
in the STP sends out a Bridge Protocol Data Unit (BPDU) every 2 seconds by
default. On a designated or root port in the topology, if hello messages are
missed three consecutive times, or if the maximum age time expires, the port
immediately clears all protocol information in the table. A port considers
that it has lost connectivity to its directly connected neighbor root or
designated port if it misses three BPDUs or if the maximum age time expires.
This rapid aging of the protocol information allows quick failure detection.
The switch automatically checks the Port VLAN ID (PVID).
Rapid PVST+ provides rapid recovery of connectivity following the failure of
a network device, a switch port, or a LAN. It provides rapid convergence for
edge ports, new root ports, and ports connected through point-to-point links.
Configuring Rapid PVST+
Rapid PVST+ applies the 802.1w standard on a per-VLAN basis and is the
default STP configuration in the software.
You enable Rapid PVST+ on a per-VLAN basis. The software maintains a
separate instance of STP for each VLAN (except on those VLANs on which you
disable STP). By default, Rapid PVST+ is enabled on the default VLAN and on
each VLAN that you create.
Enabling Rapid PVST+
Once you enable Rapid PVST+ on the switch, you must enable Rapid PVST+
on the assigned VLANs.
Rapid PVST+ is the default STP mode. You cannot run MST and Rapid
PVST+ simultaneously.
To enable Rapid PVST+ on the switch, perform this task:
switch# configure terminal
switch(config)# spanning-tree mode rapid-pvst
The following example shows how to enable Rapid PVST+ on the switch:
switch# configure terminal
switch(config)# spanning-tree mode rapid-pvst
Root Port, Root Bridge (Primary/Secondary), and other Port Names
Port Roles
Rapid PVST+ provides rapid convergence of the spanning tree by assigning
port roles and learning the active topology. Rapid PVST+ builds upon the
802.1D STP to select the switch with the highest priority (lowest numerical
priority value) as the root bridge.
Rapid PVST+ then assigns one of these port roles to individual ports:
Root Port: Provides the best path (lowest cost) when the switch forwards
packets to the root bridge.
Designated Port: The port through which the designated switch is attached
to the LAN is called the designated port.
Alternate Port: Provides an alternate path toward the root bridge to the path
provided by the existing root port. An alternate port provides an alternative
path to another switch port in the topology.
Backup Port: Acts as a backup for the path provided by a designated port
toward the ports of the spanning tree. A backup port exists only when two
ports are connected in a loopback with a point-to-point link. A backup port
provides another path in the topology to the switch.
Disabled Port: No role within the operation of the spanning tree.
In a stable topology with persistent port roles throughout the network, Rapid
PVST+ ensures that every root port and designated port rapidly transitions to
the forwarding state, because all alternate and backup ports are always in
the blocking state. Designated ports start in the blocking state. The port
state controls the operation of the forwarding and learning processes.
Root Bridge (Primary/Secondary)
The software keeps a separate instance of STP for each active VLAN in
Rapid PVST+. For each VLAN, the switch with the lowest bridge ID
becomes the root bridge for that VLAN.
Configuring the Primary Root Bridge
To configure a VLAN instance to become the root bridge, modify the bridge
priority from the default value (32768) to a considerably lower value.
When you type the spanning-tree vlan vlan_ID root command, the switch
checks the bridge priority of the current root bridges for each VLAN. The
switch sets the bridge priority for the specified VLANs to 24576 if this value
will cause the switch to become the root for the specified VLANs. If any root
bridge for the specified VLANs has a bridge priority lower than 24576, the
switch sets the bridge priority for the specified VLANs to 4096 less than the
lowest bridge priority.
Exam Tip
The spanning-tree vlan vlan_ID root command fails if the value required to
be the root bridge is less than 1.
To configure a switch to become the primary root bridge for a VLAN in
Rapid PVST+, perform these steps:
switch# configure terminal
switch(config)# spanning-tree vlan vlan-range root primary [diameter dia [hello-time hello-time]]
Configures a software switch as the primary root bridge. The vlan-range
value can be 2 through 4094 (except reserved VLAN values). The diameter
default is 7. The hello-time can be from 1 to 10 seconds, and the default
value is 2 seconds.
The following example shows how to configure the switch as the root bridge
for VLAN 5 with a network diameter of 4:
switch# configure terminal
switch(config)# spanning-tree vlan 5 root primary diameter 4
Configuring a Secondary Root Bridge
When you configure a software switch as the secondary root, the STP bridge
priority is modified from the default value (32768) so that the switch is
expected to become the root bridge for the specified VLANs if the primary
root bridge fails (assuming the other switches in the network use the default
bridge priority of 32768). STP sets the bridge priority to 28672.
Enter the diameter keyword to specify the network diameter (that is, the
maximum number of bridge hops between any two end stations in the
network). When you specify the network diameter, the software
automatically selects an optimal hello time, forward delay time, and
maximum age time for a network of that diameter, which can significantly
reduce the STP convergence time. You can enter the hello-time keyword to
override the automatically calculated hello time.
You can configure more than one switch in this manner to have multiple
backup root bridges. Enter the same network diameter and hello time values
that you used when configuring the primary root bridge.
To configure a switch to become the secondary root bridge for a VLAN in
Rapid PVST+, perform these steps:
switch# configure terminal
switch(config)# spanning-tree vlan vlan-range root secondary [diameter dia [hello-time hello-time]]
Configures a software switch as the secondary root bridge. The vlan-range
value can be 2 through 4094 (except reserved VLAN values). The diameter
default is 7. The hello-time can be from 1 to 10 seconds, and the default
value is 2 seconds.
The following example shows how to configure the switch as the secondary
root bridge for VLAN 5 with a network diameter of 4:
switch# configure terminal
switch(config)# spanning-tree vlan 5 root secondary diameter 4
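The arithmetic behind the root primary and root secondary macros described above, as an added example (not Cisco code): bridge_id models the per-VLAN bridge ID with the extended system ID, root_primary_priority follows the 24576-or-4096-below rule including the "less than 1" failure, and plan_roots shows whether the secondary really takes over when the primary fails. The switch names, MAC addresses and priorities in LAB are constructed.

```python
DEFAULT_PRIORITY = 32768    # every switch starts here
PRIMARY_PRIORITY = 24576    # 'root primary' target when that alone wins
SECONDARY_PRIORITY = 28672  # 'root secondary' always sets this
STEP = 4096                 # priorities are multiples of 4096 (4-bit field)


def bridge_id(priority, vlan, mac):
    """Per-VLAN bridge ID as Rapid PVST+ compares it: the 16-bit field is the
    configured priority plus the VLAN number (extended system ID), then the MAC."""
    if priority % STEP or not 0 <= priority <= 61440:
        raise ValueError(f"priority {priority} must be a multiple of {STEP} in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"vlan {vlan} out of range")
    return (priority + vlan, int(mac.replace(".", "").replace(":", ""), 16))


def elect_root(bridges, vlan):
    """bridges: {name: (priority, mac)}; the lowest bridge ID is root for this VLAN."""
    return min(bridges, key=lambda n: bridge_id(bridges[n][0], vlan, bridges[n][1]))


def root_primary_priority(bridges, vlan, me):
    """Priority 'spanning-tree vlan <vlan> root primary' would set on switch `me`:
    24576 if that beats the current root, otherwise 4096 below the current root's
    priority; the command fails when the required value drops below 1."""
    others = {n: b for n, b in bridges.items() if n != me}
    if not others:
        return PRIMARY_PRIORITY
    root_priority = others[elect_root(others, vlan)][0]
    needed = PRIMARY_PRIORITY if root_priority > PRIMARY_PRIORITY else root_priority - STEP
    if needed < 1:
        raise ValueError(f"vlan {vlan}: current root already at {root_priority}, cannot undercut it")
    return needed


def plan_roots(bridges, vlan_range, primary, secondary):
    """Apply both macros for every VLAN in vlan_range and report who wins the
    election, and who would win if the primary disappeared."""
    result = {}
    for vlan in vlan_range:
        plan = dict(bridges)
        plan[primary] = (root_primary_priority(bridges, vlan, primary), bridges[primary][1])
        plan[secondary] = (SECONDARY_PRIORITY, bridges[secondary][1])
        without_primary = {n: b for n, b in plan.items() if n != primary}
        result[vlan] = {
            "primary_priority": plan[primary][0],
            "root": elect_root(plan, vlan),
            "root_if_primary_fails": elect_root(without_primary, vlan),
        }
    return result


# Constructed inventory: S2 and S3 at the default priority, S4 already lowered to 20480.
LAB = {
    "S2": (DEFAULT_PRIORITY, "aabb.cc00.2000"),
    "S3": (DEFAULT_PRIORITY, "aabb.cc00.3000"),
    "S4": (20480, "aabb.cc00.4000"),
}
```

With S4 already below 28672, plan_roots(LAB, [10, 20, 30], "S2", "S3") shows that S3 as secondary would not take over from S2; S4 would, which is exactly the default-priority assumption the text attaches to the secondary macro.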
Rapid PVST+ Port State
Transmission delays occur when protocol information passes through a
switched LAN. As a result, topology changes can take place at different times
and at different places in a switched network. When a LAN port transitions
directly from not participating in the spanning-tree topology to the
forwarding state, it can create temporary data loops. Ports must wait for new
topology information to propagate through the switched LAN before they begin
to forward frames.
Each LAN port on a switch running Rapid PVST+ or MST is in one of the
following four states:
Blocking: The LAN port does not participate in frame forwarding.
Learning: The LAN port prepares to participate in frame forwarding.
Forwarding: The LAN port forwards frames.
Disabled: The LAN port does not participate in STP and is not forwarding
frames.
When you enable Rapid PVST+, every port in the switch, VLAN, and network
goes through the blocking state and the transitory learning state at power
up. If properly configured, each LAN port stabilizes in the forwarding or
blocking state.
Blocking State
A LAN port in the blocking state does not participate in frame forwarding.
A LAN port in the blocking state performs as follows:
Discards frames received from the attached segment
Discards frames switched from another port for forwarding
Does not incorporate the end station location into its address
database
Receives BPDUs and directs them to the system module
Receives, processes, and transmits BPDUs received from the
system module
Receives and responds to network management messages
Forwarding State
A LAN port in the forwarding state forwards frames. The LAN port enters
the forwarding state from the learning state.
A LAN port in the forwarding state performs as follows:
Forwards frames received from the attached segment
Forwards frames switched from another port for forwarding
Incorporates the end station location information into its address
database
Receives BPDUs and directs them to the system module
Processes BPDUs received from the system module
Receives and responds to network management messages
PortFast
PortFast is a spanning-tree feature that moves a port immediately to the
forwarding state as soon as it comes up. This is beneficial for connecting
hosts so that they can start communicating on the VLAN instantly, rather
than waiting on spanning tree. To prevent a PortFast port from accepting
BPDUs that could change the spanning-tree topology, BPDU guard can be
enabled. On receipt of a BPDU, BPDU guard disables a port configured with
PortFast.
PortFast Benefits
We know the great advantage of configuring PortFast: a port configured with
PortFast immediately starts transmitting data in the forwarding state,
bypassing the other spanning-tree states. This is definitely a great feature
to have configured on your downstream ports connecting to your end-user
systems or your servers. There is also another good reason to configure
PortFast on your client edge ports, which is not so commonly known.
Whenever a switch port goes up or down, the switch generates a Topology
Change Notification (TCN) BPDU and sends it toward the root bridge; the root
bridge responds with a Topology Change Acknowledgement (TCA) simply to
acknowledge the TCN. The root bridge then transmits another BPDU with the
Topology Change (TC) bit set to every switch within the spanning-tree
domain. When the other switches receive this TC-marked BPDU, they reduce the
aging time of every entry in the CAM table (also known as the MAC address
table) to 15 seconds, which can cause the switch to rebuild its CAM table as
the entries age out. Depending on the size of your Layer 2 network, this can
waste a lot of resources on your switches. It also causes a lot of
unnecessary traffic overhead, since a set of BPDUs is transmitted with the
TCN, TCA, and TC flags set individually. Also remember that if CAM table
entries start expiring, this causes unnecessary ARP traffic to relearn
information the switch already had. A port configured with PortFast does not
generate a TCN when it goes up or down, which is why enabling it on edge
ports avoids this churn.
Cisco Wireless Architectures vs. AP Modes
Cisco Unified Wireless Network Architecture
The Cisco Unified Wireless Network architecture offers a secure, scalable,
cost-effective wireless LAN solution for business-critical mobility. The
Cisco Unified Wireless Network is the enterprise's only unified wired and
wireless solution that cost-effectively addresses the Wireless LAN (WLAN)
security, deployment, management, and control issues. This powerful indoor
and outdoor solution combines the best elements of wired and wireless
networking to deliver high-performance, manageable, and secure WLANs with a
low cost of ownership.
Figure 2-07: Cisco Unified Wireless Network Architecture in the Enterprise
The inter-linked elements that work together to deliver a unified enterprise-
class wireless solution include:
Client Devices
Access Points (APs)
Network unification through controllers
World-class network management
Mobility Services
Core Components
The Cisco Unified Wireless Network (CUWN) is designed to provide
high-performance, scalable 802.11ac wireless services for service providers
as well as enterprises. A Cisco wireless solution simplifies the deployment
and management of large-scale wireless LANs in centralized or distributed
deployments while providing the best security, user experience, and
services.
The Cisco Unified Wireless Network consists of:
Cisco Wireless LAN Controllers (WLCs)
Cisco Aironet Access Points (APs)
Cisco Prime Infrastructure (PI)
Cisco Mobility Services Engine (MSE)
Cisco Wireless LAN Controllers
Cisco Wireless LAN Controllers are enterprise-class, high-performance
wireless switching platforms that support the 802.11a/n/ac and 802.11b/g/n
protocols. The WLC runs under control of its operating system, which
includes Radio Resource Management (RRM), creating a CUWN solution that can
automatically adjust to real-time changes in the 802.11 RF environment.
Controllers combine high-performance network and security hardware,
resulting in highly reliable 802.11 enterprise networks with exceptional
security.
Cisco 2504 Wireless Controllers
The Cisco 2504 Wireless Controllers enable large-scale wireless functions for
small to medium-sized enterprises and branch offices. They are designed for
802.11n and 802.11ac performance. Cisco 2504 Wireless Controllers are
entry-level controllers that provide real-time communication between Cisco
Aironet access points to simplify the deployment and operation of wireless
networks.
Cisco 5508 Wireless Controllers
Cisco 5508 Wireless Controllers deliver reliable performance, enhanced
flexibility, and minimum service-loss for mission-critical wireless. Interactive
multimedia applications, such as voice and video, can now perform
flawlessly over the wireless network, and clients can conveniently roam
without service interruption. Flexible licensing allows users to easily enable
access point support or premium software features.
Cisco 5520 Wireless Controllers
The Cisco 5520 Series Wireless LAN Controller is a highly scalable,
service-rich, robust, and flexible platform that is ideal for medium to large
enterprise and campus deployments. As part of the Cisco Unified Access
solution, the 5520 is optimized for next-generation wireless networks such as
802.11ac Wave 2.
Cisco Flex 7500 Wireless Controllers
The Cisco Flex 7500 Wireless Controller is available in a model designed to
fulfil the scaling requirements of deploying the FlexConnect solution in
branch networks. FlexConnect is designed to support wireless branch networks
by allowing data to be switched locally within the branch site while the
access points are controlled and managed by a centralized controller. The
Cisco Flex 7500 Series Cloud Controller is intended to deliver a
cost-effective FlexConnect solution on a large scale.
Cisco 8510 Wireless Controllers
The Cisco 8510 Wireless Controller is a highly scalable and flexible platform
that enables mission-critical wireless networking deployments for enterprises
and service providers.
Cisco 8540 Wireless Controller
Optimized for 802.11ac Wave 2 performance, the Cisco 8540 Wireless
Controller is a highly scalable, service-rich, robust, and flexible platform
that enables next-generation wireless network deployment for medium to large
enterprises and campuses.
Cisco Wireless Services Module 2
The Cisco Wireless Services Module 2 (WiSM2) for the Catalyst 6500 Series
switches is ideal for mission-critical wireless networking in medium to large
single-site WLAN environments where an integrated solution is preferred. The
WiSM2 provides lower hardware costs and flexible configuration options.
Virtual Wireless LAN Controller
The Cisco Virtual Wireless Controller allows IT professionals to configure,
manage, and troubleshoot up to 200 access points and 6000 clients. It
supports secure guest access, rogue detection for Payment Card Industry (PCI)
compliance, and in-branch (locally switched) Wi-Fi voice and video.
Cisco Aironet Access Points
Cisco Aironet Series wireless access points can be deployed in a distributed
or centralized network for a branch office, campus, or large enterprise. To
achieve an exceptional end-user experience on the wireless network, these
wireless access points provide a variety of capabilities, including:
Cisco CleanAir Technology: For a self-healing, self-optimizing
network that avoids RF interference
Cisco ClientLink 2.0 or 3.0: To improve reliability and coverage for
clients
Cisco BandSelect: To improve 5 GHz client connections in mixed
client environments
Cisco VideoStream: Leverages multicast to improve multimedia
applications
Indoor 802.11n Access Points
The following outlines the various models of Cisco indoor 802.11n APs and
their capabilities.
| | Cisco Aironet 600 Series | Cisco Aironet 700W Series | Cisco Aironet 1600 Series | Cisco Aironet 2600 Series | Cisco Aironet 3600 Series |
|---|---|---|---|---|---|
| Wi-Fi Standard | 802.11a/b/g/n | 802.11a/b/g/n | 802.11a/b/g/n | 802.11a/b/g/n | 802.11a/b/g/n/ac |
| Number of Radios | Dual (2.4 GHz and 5 GHz) | Dual (2.4 GHz and 5 GHz) | Dual (2.4 GHz and 5 GHz) | Dual (2.4 GHz and 5 GHz) | Tri (2.4 GHz and 5 GHz) |
| Max Data Rate | 300 Mbps | 300 Mbps | 300 Mbps | 450 Mbps | 450 Mbps (802.11n); 1.3 Gbps (802.11ac module) |
| MIMO Radio Design | 2x3 | 2x2 | 3x3 | 3x4 | 802.11n: 4x4; 802.11ac: 3x3 |
| Spatial Streams | 2 | 2 | 2 | 3 | 3 |
| Antennas | Internal | Internal | 1600i: Internal; 1600e: External | 2600i: Internal; 2600e: External | 3600i: Internal; 3600e: External; 3600p: External |
| CleanAir 2.0 | — | — | CleanAir Express | Yes | Yes |
| ClientLink 2.0 | — | — | Yes | Yes | Yes |
| Cisco Innovations | — | BandSelect, VideoStream | BandSelect, VideoStream | BandSelect, VideoStream | BandSelect, VideoStream |
| Modularity | USB* | — | — | — | 802.11ac Wave 1 Module; USC Small Cell Module; Wireless Security Module (WSM) |
| Power | AC | DC, 802.3af PoE, 802.3at PoE+ | DC, 802.3af PoE | DC, 802.3af PoE | DC, 802.3af PoE, 802.3at PoE+, Enhanced PoE, Universal PoE |
| Interfaces | 5x1G Ethernet Ports (RJ-45); 1x1G Ethernet WAN Port (RJ-45) | 1x1G Ethernet Uplink Port (RJ-45); 4x1G Ethernet User Ports (RJ-45) | 1x1G Ethernet Uplink Port (RJ-45) | 1x1G Ethernet Uplink Port (RJ-45) | 1x1G Ethernet Uplink Port (RJ-45) |
Table 2-02: Indoor 802.11n Access Points
Indoor 802.11ac Access Points
The following table outlines the various models of Cisco indoor 802.11ac
APs and their capabilities.
| | Cisco Aironet 1700 Series | Cisco Aironet 1850 Series | Cisco Aironet 2700 Series | Cisco Aironet 3700 Series |
|---|---|---|---|---|
| Wi-Fi Standard | 802.11a/b/g/n/ac (Wave 1) | 802.11a/b/g/n/ac (Wave 2) | 802.11a/b/g/n/ac (Wave 1) | 802.11a/b/g/n/ac (Wave 1) |
| Number of Radios | Dual (2.4 GHz and 5 GHz) | Dual (2.4 GHz and 5 GHz) | Dual (2.4 GHz and 5 GHz) | Dual (2.4 GHz and 5 GHz) |
| Max Data Rate | 867 Mbps | 1.7 Gbps | 1.3 Gbps | 1.3 Gbps |
| MIMO Radio Design | 3x3 | 4x4 | 3x4 | 4x4 |
| Spatial Streams | 2 | 4 (SU-MIMO); 3 (MU-MIMO) | 3 | 3 |
| Antennas | 1700i: Internal | 1850i: Internal; 1850e: External | 2700i: Internal; 2700e: External | 3700i: Internal; 3700e: External; 3700p: External |
| CleanAir 2.0 | CleanAir Express | CleanAir Express | Yes | Yes |
| ClientLink 3.0 | Tx Beamforming | Tx Beamforming | Yes | Yes |
| Cisco Innovations | BandSelect, VideoStream | BandSelect, VideoStream | BandSelect, High Density Experience, VideoStream | BandSelect, StadiumVision, High Density Experience, VideoStream |
| Modularity | — | USB 2.0* | — | 802.11ac Wave 2 Module; USC Small Cell Module; Hyperlocation Module; Wireless Security Module (WSM) |
| Power | DC, 802.3af PoE/PoE+, Enhanced PoE | DC, 802.3af PoE/PoE+, Enhanced PoE | DC, 802.3af PoE/PoE+, Enhanced PoE | DC, 802.3af PoE, 802.3at PoE+, Enhanced PoE, Universal PoE |
| Interfaces | 1x1G Ethernet Uplink Port (RJ-45); 1x1G Ethernet Aux Port (RJ-45) | 1x1G Ethernet Uplink Port (RJ-45) w/ AutoLAG; 1x1G Ethernet AUX Port (RJ-45) w/ AutoLAG | 1x1G Ethernet Uplink Port (RJ-45); 1x1G Ethernet Aux Port (RJ-45) | 1x1G Ethernet Uplink Port (RJ-45) |
Table 2-03: Indoor 802.11ac Access Points
Cisco Prime Infrastructure
Wireless communication has introduced a new phenomenon. Mobile device
expansion, extensive voice and video collaboration, and cloud and data center
virtualization are transforming the network like never before. However, new
technologies always bring new challenges. There is a need for higher service
levels, guaranteed application delivery, and simplified end-user experiences,
while maintaining business continuity and controlling operating costs.
To address these challenges, Cisco introduced Cisco Prime Infrastructure, a
comprehensive solution that enables managing the network from a single
graphical interface. It provides lifecycle management and service assurance
across the network, from the wireless user in the branch office, across the
WAN, through the access layer, and now to the data center. Cisco calls it
One Management.
Figure 2-08: Cisco Prime Infrastructure - One Management
Cisco Prime Infrastructure is a network management platform that connects the network to the device, the user, and the application, end to end and all in one place. Its features include:
Single Pane View Management: Delivers a single, unified platform for day-0 and day-1 provisioning and day-n assurance. It accelerates device and service deployment and helps you quickly resolve problems that affect the end-user experience.
Simplified Deployment of Cisco Value-Added Features: Makes designing around Cisco-specific features and services fast and effective, with support for technologies such as Intelligent WAN (IWAN), Distributed Wireless with Converged Access, Application Visibility and Control (AVC), Zone-Based Firewall, and Cisco TrustSec 2.0 Identity-Based Networking Services.
Application Visibility: Uses embedded Cisco instrumentation and industry-standard technology as sources of performance data to deliver network-wide, application-aware visibility. These technologies include NetFlow, Network-Based Application Recognition 2 (NBAR2), Cisco Medianet technologies, Simple Network Management Protocol (SNMP), and more. Combining application visibility with lifecycle management makes it easier to find and resolve problems, because the health of applications and services is shown in the context of the health of the underlying infrastructure.
Management for Mobile Collaboration: Answers the who, what, when, where, and how of wireless access. It includes 802.11ac support, correlated wired-wireless client visibility, unified access infrastructure visibility, spatial maps, converged security and policy monitoring and troubleshooting through Cisco Identity Services Engine (ISE) integration, location-based tracking of interferers, rogues, and Wi-Fi clients through Cisco Mobility Services Engine (MSE) and Cisco CleanAir integration, lifecycle management, RF prediction tools, and more.
Management Across Network and Compute: Provides lifecycle management and service assurance to help you manage and maintain the many devices and services running on your branch-office, campus, and data center networks, including discovery, inventory, configuration, monitoring, troubleshooting, reporting, and administration.
Centralized Visibility of Distributed Networks: Large or global organizations often distribute network management by domain, region, or country. Cisco Prime Infrastructure Operations Center visualizes up to 10 Cisco Prime Infrastructure instances, scaling your network-management infrastructure while maintaining central visibility and control.
Licensing Options
Cisco Prime Infrastructure is a single installable software package with
licensing options to expand and grow functions and coverage as needed.
Lifecycle: Simplifies the day-to-day operational tasks associated with managing the network infrastructure across all lifecycle phases (design, deploy, operate, and report) for Cisco devices including routers, switches, access points, and more.
Assurance: Provides application performance visibility using device support
as a source of rich performance data to help assure consistent application
delivery and an optimal end-user experience.
Cisco UCS Server Management: Offers lifecycle and assurance management
for Cisco UCS B- and C-Series Servers.
Operations Center: Enables visualization of up to 10 Cisco Prime
Infrastructure instances from one central management console. One license is
required for each Cisco Prime Infrastructure supported instance.
High-Availability Right to Use (RTU): Allows high-availability configuration
with one primary and one secondary instance in a high-availability pair.
Collector: Increases the NetFlow processing limit on the Cisco Prime
Infrastructure management node. This license is used in combination with the
Assurance license.
Ready-to-Use Gateway RTU: Enables you to configure a separate gateway
for use with the ready-to-use feature, where new devices can call in to the
gateway to receive their configuration and software image.
Cisco Mobility Services Engine
The Cisco Mobility Services Engine is an open platform that provides a new approach to the delivery of mobility services in a centralized and scalable manner. A combination of hardware and software, the Cisco 3300 Series Mobility Services Engine (MSE) is an appliance-based solution that supports a set of software services. The Mobility Services Engine transforms the wireless LAN into a mobility network by abstracting the application layer from the network layer, which lets mobile applications be delivered across wired and wireless networks.
The Cisco MSE provides the capability to track the physical location of
Network Devices, both wired and wireless, using Wireless LAN Controllers
(WLCs) and Cisco Aironet CAPWAP APs. This solution allows you to track
any Wi-Fi device, including clients, active RFID tags, and rogue clients and
APs. It was designed according to the following requirements:
Manageability: Cisco Prime Infrastructure is used to administer and monitor
the MSE. Furthermore, the MSE integrates directly into the wireless LAN
architecture, which provides one unified network to manage instead of
multiple separated wireless networks.
Scalability: The Cisco MSE series can simultaneously track 25,000 elements with the Context-Aware Service (CAS) and 5,000 APs with wireless IPS (wIPS). Cisco Prime Infrastructure (CPI) can manage multiple Mobility Services Engines for greater scalability. The Wireless LAN Controller (WLC), CPI, and MSE are implemented as separate devices to deliver greater scalability and optimum performance.
Security: The WLC, CPI, and MSE provide robust, secure interfaces and secure protocols for accessing data. The MSE records past location information that can be used for audit trails and regulatory compliance.
Open and Standards Based: The MSE has a SOAP/XML API through which external systems and applications can consume location information from the MSE.
Easy Deployment of Business Applications: The MSE can be integrated with
new business applications such as asset tracking, inventory management,
location-based security, or automated workflow management.
AP Modes
Many Cisco APs can operate in either autonomous or lightweight mode, depending on which code image is loaded and run. From the Wireless LAN Controller (WLC), you can also configure a lightweight AP to operate in one of the following special-purpose modes:
Local: The default lightweight mode that offers one or more operating Basic
Service Sets (BSSs) on a specific channel. During the times that it is not
transmitting, the AP will scan the other channels to measure the level of
noise, measure interference, discover rogue devices, and match against
Intrusion Detection System (IDS) events.
Monitor: The AP does not transmit at all, but its receiver is enabled to act as
a dedicated sensor. The AP checks for IDS events, detects rogue access
points, and determines the position of stations through location-based
services.
FlexConnect: An AP at a remote site can locally switch traffic between an SSID and a VLAN if its Control and Provisioning of Wireless Access Points (CAPWAP) tunnel to the WLC is down and it is configured to do so.
Sniffer: An AP dedicates its radios to receiving 802.11 traffic from other sources, much like a sniffer or packet capture device. The captured traffic is then forwarded to a PC running network analyzer software such as WildPackets OmniPeek or Wireshark, where it can be analyzed further.
Rogue Detector: An AP dedicates itself to detecting rogue devices by
correlating MAC addresses heard on the wired network with those heard over
the air. Rogue devices are those that appear on both networks.
Bridge: An AP becomes a dedicated bridge (point-to-point or point-to-
multipoint) between two networks. Two APs in bridge mode can be used to
link two locations separated by a distance. Multiple APs in bridge mode can
form an indoor or outdoor mesh network.
Flex+Bridge: FlexConnect operation is enabled on a mesh AP.
SE-Connect: The AP dedicates its radios to spectrum analysis on all wireless
channels. You can remotely connect a PC running software such as
MetaGeek Chanalyzer or Cisco Spectrum Expert to the AP to collect and
analyze the spectrum analysis data to discover sources of interference.
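The Rogue Detector correlation described above, carried through as an added example (this is not code from the page or from Cisco): a constructed Cisco IOS "show mac address-table" listing stands in for the MAC addresses heard on the wired side, a constructed list of devices the controller classified as rogue stands in for the over-the-air side, and the script normalises the differing MAC notations (dotted, colon, hyphen) before intersecting the two, reporting the VLAN and switch port of every rogue found on the wire. All addresses, ports and SSIDs are invented for the example.

```python
import re

# Constructed sample data (not from the page). Wired side: a Cisco IOS "show mac address-table"
# listing, which uses the dotted aabb.ccdd.eeff notation.
WIRED_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
  10    d4ca.6d11.2233    DYNAMIC     Gi1/0/12
  20    a0b1.c2d3.e4f5    DYNAMIC     Gi1/0/3
 999    0c8d.db00.1a2b    DYNAMIC     Gi1/0/24
"""

# Air side (constructed): devices the controller has classified as rogue, i.e. not part of the
# managed WLAN, in the notations different tools emit.
ROGUES_OVER_THE_AIR = [
    {"mac": "D4:CA:6D:11:22:33", "role": "rogue-ap", "ssid": "Free_WiFi"},
    {"mac": "00-11-22-33-44-55", "role": "rogue-client", "ssid": "Free_WiFi"},
    {"mac": "9c1c.12aa.bbcc", "role": "rogue-ap", "ssid": "Free_WiFi"},
]

MAC_HEX = re.compile(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.I)


def normalize_mac(mac):
    """Canonical lower-case colon form, whatever separator the source used."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Map each wired MAC to (vlan, port) from 'show mac address-table' output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        match = MAC_HEX.search(fields[1])
        if match:
            table[normalize_mac(match.group(0))] = (int(fields[0]), fields[3])
    return table


def rogues_on_wire(mac_table_text, rogues):
    """Rogue Detector logic: a device is 'on wire' when its air-side MAC is also learned on the wired side."""
    wired = parse_mac_table(mac_table_text)
    hits = []
    for rogue in rogues:
        mac = normalize_mac(rogue["mac"])
        if mac in wired:
            vlan, port = wired[mac]
            hits.append({"mac": mac, "role": rogue["role"], "ssid": rogue["ssid"], "vlan": vlan, "port": port})
    return hits


if __name__ == "__main__":
    for hit in rogues_on_wire(WIRED_MAC_TABLE, ROGUES_OVER_THE_AIR):
        print(f"{hit['role']} {hit['mac']} ({hit['ssid']}) is on the wire: VLAN {hit['vlan']} port {hit['port']}")
```

The switch port in each hit is what you need for containment: a rogue AP plugged into the wired network is a bridge into it, and shutting that port is the wired-side response. The exact-match rule is the one the page describes; a rogue AP's wired MAC often differs from its BSSID, so a real deployment also feeds the rogue list with the addresses the controller learned for the rogue's clients, as the sample does.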
Physical Infrastructure Connections of WLAN Components
(AP, WLC, Access/TrunkPorts, and LAG)
Mobile users want the same accessibility, security, quality of service, and high availability enjoyed by wired users. Whether on site, at home, on the road, locally or internationally, there is a need to connect. The technical challenges are obvious, but mobility exists to make this possible for everyone, and companies are obtaining business value from mobile and wireless solutions.
Wireless LANs consist of components similar to those of traditional Ethernet-wired LANs. In fact, wireless LAN protocols are similar to Ethernet and comply with the same form factors. The major difference, however, is that wireless LANs do not require wires.
Access Points
An access point has a radio card that communicates with individual user devices on the wireless LAN, as well as a wired NIC that interfaces to a distribution system, such as Ethernet. System software within the access point links together the wireless LAN and distribution sides of the access point. The system software differentiates access points by providing varying degrees of management, installation, and security functions.
In many cases, the access point provides an HTTP (web) interface that enables configuration changes through an end-user device equipped with a network interface and a web browser. Some access points also have a serial RS-232 port for configuring the access point through a serial cable and a user device running terminal emulation or Telnet software, such as HyperTerminal. Both plain HTTP and Telnet send the administrator's credentials in clear text, so prefer HTTPS, SSH, or the physical console port where the access point supports them.
Wireless LAN Controllers
A WLAN is a wireless network design that must keep up with changing network requirements. A WLAN controller manages the wireless access points that allow wireless devices to connect to the network. It is used in combination with the Lightweight Access Point Protocol (LWAPP), since superseded by CAPWAP, to manage lightweight access points in large quantities from the network administrator or network operations center. The wireless LAN controller is a central part of the Cisco Unified Wireless Model, and it automatically handles the configuration of the wireless access points it controls.
Access Ports/Trunk Ports
An access port belongs to and carries traffic for only one VLAN. Traffic is both received and sent in native format, without any VLAN tagging. Any frame arriving at the access port simply belongs to the VLAN assigned to that port.
A trunk port is a port assigned to carry traffic for all the VLANs that are accessible by a specific switch, a process known as trunking. Trunk ports mark frames with identifying tags, either 802.1Q tags or Inter-Switch Link (ISL) tags, as they move between switches.
A WLAN maps a Service Set Identifier (SSID) to an interface or an interface group. It is configured with security, Quality of Service (QoS), radio policies, and other wireless network parameters. Up to 512 WLANs can be configured per controller. Each controller port connection is an 802.1Q trunk and should be configured as such on the neighbor switch. On Cisco switches, the native VLAN of an 802.1Q trunk is an untagged VLAN. If you configure an interface to use the native VLAN of a neighboring Cisco switch, ensure that you configure the interface on the controller as untagged. The default (untagged) native VLAN on Cisco switches is VLAN 1. When controller interfaces are configured as tagged, the VLAN must be allowed on the 802.1Q trunk configuration of the neighbor switch and must not be the native untagged VLAN.
Tagged VLANs should be used on the controller. You should also allow only the relevant VLANs on the neighbor switch's 802.1Q trunk connections to the controller ports, and disable or prune all other VLANs in the switch port trunk configuration. This is important for optimal performance of the controller, and it limits the controller's exposure to only the VLANs it needs.
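A check for the trunk rules above, written here as an added example rather than taken from the page or from Cisco: it parses a switch-port stanza in Cisco IOS running-config syntax (constructed sample) and compares it with the VLAN each controller interface is configured for (a controller interface with VLAN 0 is untagged, so it must ride the switch's native VLAN). Findings come back as plain strings; the interface names and VLAN numbers are assumptions for the example.

```python
import re

# Constructed sample: the switch port that faces controller port 1, in IOS running-config syntax.
SWITCH_PORT_CONFIG = """\
interface GigabitEthernet1/0/24
 description uplink to WLC-1 port 1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk
"""

# Constructed sample: controller interface name -> VLAN identifier as entered on the WLC (0 = untagged).
WLC_INTERFACES = {"management": 10, "employee": 20, "guest": 30, "legacy": 1}

ALL_VLANS = set(range(1, 4095))


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10,30-32' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_trunk(stanza):
    """Extract mode, native VLAN and allowed VLANs from one 'interface' stanza.
    'allowed' is None when the port trunks every VLAN (the IOS default, or 'allowed vlan all')."""
    trunk = {"mode": None, "native": 1, "allowed": None}
    for raw in stanza.splitlines():
        line = raw.strip()
        mode = re.match(r"switchport mode (\S+)", line)
        native = re.match(r"switchport trunk native vlan (\d+)", line)
        allowed = re.match(r"switchport trunk allowed vlan(?: (add|remove|except))? (\S+)", line)
        if mode:
            trunk["mode"] = mode.group(1)
        elif native:
            trunk["native"] = int(native.group(1))
        elif allowed:
            op, spec = allowed.groups()
            current = ALL_VLANS if trunk["allowed"] is None else trunk["allowed"]
            if spec == "all":
                trunk["allowed"] = None
            elif spec == "none":
                trunk["allowed"] = set()
            elif op == "add":
                trunk["allowed"] = current | parse_vlan_list(spec)
            elif op == "remove":
                trunk["allowed"] = current - parse_vlan_list(spec)
            elif op == "except":
                trunk["allowed"] = ALL_VLANS - parse_vlan_list(spec)
            else:
                trunk["allowed"] = parse_vlan_list(spec)
    return trunk


def audit_controller_trunk(stanza, controller_interfaces):
    """Return findings where the switch trunk and the controller's interface VLANs disagree with the
    rules above: trunk mode, tagged VLANs allowed and not native, untagged interface on the native VLAN,
    everything else pruned. An empty list means the trunk is consistent."""
    trunk = parse_trunk(stanza)
    findings = []
    if trunk["mode"] != "trunk":
        findings.append("switch port is not in trunk mode; every controller port must be an 802.1Q trunk")
    allowed = ALL_VLANS if trunk["allowed"] is None else trunk["allowed"]
    if trunk["allowed"] is None:
        findings.append("trunk allows all VLANs; prune the allowed list to the VLANs the controller uses")
    needed = {vlan for vlan in controller_interfaces.values() if vlan != 0}
    for name, vlan in controller_interfaces.items():
        if vlan == 0:
            needed.add(trunk["native"])  # untagged on the controller rides the switch's native VLAN
        elif vlan == trunk["native"]:
            findings.append(f"interface {name} is tagged with VLAN {vlan}, the trunk's native VLAN; "
                            "configure it untagged on the controller or change the native VLAN")
        elif vlan not in allowed:
            findings.append(f"VLAN {vlan} (interface {name}) is not allowed on the trunk")
    if trunk["allowed"] is not None:
        for vlan in sorted(allowed - needed):
            findings.append(f"VLAN {vlan} is allowed on the trunk but no controller interface uses it; prune it")
    return findings


if __name__ == "__main__":
    for finding in audit_controller_trunk(SWITCH_PORT_CONFIG, WLC_INTERFACES):
        print("finding:", finding)
```

Run against the sample it reports two findings: the "legacy" interface is tagged with the trunk's native VLAN 1 (the case the paragraph above warns about), and VLAN 40 is allowed but unused and should be pruned. Feeding it the stanza from each switch port that faces a controller port, together with the controller's interface list, turns the paragraph's advice into a repeatable check.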
LAG
Link Aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller's distribution system ports into a single LAG port channel. LAG reduces the number of IP addresses required to configure the ports on the controller. When LAG is enabled, the system dynamically manages port redundancy and load-balances access points transparently to the user.
LAG simplifies controller configuration because there is no longer any need to configure primary and secondary ports for each interface. If any of the controller ports fail, traffic is automatically moved to one of the other ports. As long as at least one controller port is functioning, the system continues to operate, access points remain connected to the network, and wireless clients continue to send and receive data.
AP and WLC Management Access Connections (Telnet, SSH,
HTTP, HTTPS, Console, and TACACS+/RADIUS)
Access Point
An access point has a radio card that communicates with the user devices on the wireless LAN and a wired NIC that connects it to the distribution system, as described earlier. A lightweight AP is configured by its controller, so its management access is the controller's management access. Cisco Catalyst and Cisco Aironet Access Points are the current generation of Cisco wireless access points.
Wireless Controllers Management Access
Connections 
A WLAN controller manages the access points through which wireless devices connect to the network, using LWAPP (or, on current controllers, CAPWAP) to handle large numbers of lightweight access points from a network administrator or network operations center. A browser-based GUI is built into the controller. It allows up to five users to browse concurrently into the controller's HTTP or HTTPS (HTTP over SSL/TLS) management pages to configure parameters and monitor the operational status of the controller and its associated access points.
Telnet and SSH
Telnet is a network protocol that provides remote access to the controller's CLI; it sends the login credentials and the whole session in clear text. Secure Shell (SSH) provides the same remote CLI access over an encrypted, authenticated channel and should be used instead of Telnet wherever possible. You can use the controller GUI or CLI to configure Telnet and SSH sessions.
Configuring Telnet and SSH Sessions (GUI)
Procedure
Step 1: Select Management > Telnet-SSH to open the Telnet-SSH
Configuration page.
Figure 2-09: Configuring Telnet and SSH Sessions
Step 2: In the Telnet Login Timeout option, enter the number of minutes
that a Telnet session is allowed to remain inactive before being terminated.
The valid range is 0 to 160 minutes (inclusive), and the default value is 5
minutes. A value of 0 indicates no timeout.
Step 3: From the Maximum Number of Sessions drop-down list, choose
the number of simultaneous Telnet or SSH sessions allowed. The valid
range is 0 to 5 sessions (inclusive), and the default value is 5 sessions. A
value of zero indicates that Telnet/SSH sessions are disallowed.
Step 4: To forcefully close the current login sessions, choose Management > User Sessions and choose close from the drop-down list of the CLI session.
Step 5: From the Allow New Telnet Sessions drop-down list, choose Yes or No to allow or disallow new Telnet sessions on the controller. The default value is No; leave it at No unless Telnet is specifically required, since Telnet carries credentials in clear text.
Step 6: From the Allow New SSH Sessions drop-down list, choose Yes or No to allow or disallow new SSH sessions on the controller. The default value is Yes.
Step 7: Click Apply.
Step 8: Click Save Configuration.
Step 9: To see a summary of the Telnet configuration settings, choose
Management > Summary. The summary page will appear.
Figure 2-10: Summary of Configuring Telnet and SSH Sessions
HTTP and HTTPS
This section provides guidelines for enabling the distribution system port as a web port (using HTTP) or as a secure web port (using HTTPS). You can protect communication by enabling HTTPS in the GUI. HTTPS protects HTTP browser sessions by using the Secure Sockets Layer (SSL) protocol, today TLS. When you enable HTTPS, the controller generates its own self-signed web administration certificate and automatically applies it to the GUI; browsers will warn about it because no trusted CA issued it. You also have the option of downloading an externally generated certificate, for example one issued by your organization's CA, which removes the warning and lets administrators tell a genuine controller from an impostor.
Configuring HTTP and HTTPS (GUI)
Procedure
Step 1: Select Management > HTTP-HTTPS.
The HTTP-HTTPS Configuration page is displayed.
Step 2: To enable web mode, which allows users to access the controller
GUI using http://ip-address, choose Enabled from the HTTP Access
drop-down list. Otherwise, choose Disabled. The default value is disabled.
Web mode is not a secure connection.
Step 3: To enable secure web mode, which allows users to access the
controller GUI using https://ip-address, choose Enabled from the HTTPS
Access drop-down list. Otherwise, select Disabled. The default value is
enabled. Secure web mode is a secure connection.
Step 4: In the Web Session Timeout field, enter the amount of time, in
minutes, before the web session times out due to inactivity. You can enter a
value between 10 and 160 minutes (inclusive). The default value is 30
minutes.
Step 5: Click Apply.
Step 6: If you enabled secure web mode in Step 3, the controller generates
a local web administration SSL certificate and automatically applies it to
the GUI. The details of the current certificate appear in the middle of the
HTTP-HTTPS Configuration page.
Step 7: Choose Controller > General to open the General page. From the Web Color Theme drop-down list, select one of the following options:
Default—Configures the default web color theme for the controller GUI.
Red—Configures the web color theme as red for the controller GUI.
Step 8: Click Apply and then click Save Configuration.
Figure 2-11: Configuring HTTP and HTTPS
Step 9: To see a summary of the HTTP and HTTPS configuration settings, choose Management > Summary. The summary page will appear.
Figure 2-12: Summary of Configuring HTTP and HTTPS
Console (CLI)
The Command Line Interface (CLI) is a built-in feature of every controller in the Cisco wireless solution. The CLI allows you to use a VT-100 terminal emulation program to configure, monitor, and control individual controllers and their associated lightweight access points, locally over the console port or remotely over Telnet or SSH. The CLI is a text-based, tree-structured interface that allows up to five users with Telnet- or SSH-capable terminal emulation programs to access the controller at a time.
Configuring CLI
Procedure
Step 1: Connect console cable; connect one end of a standard Cisco
console serial cable with an RJ45 connector to the controller’s console port
and the other end to your PC’s serial port.
Step 2: Configure terminal emulator program with default settings:
9600 baud
8 data bits
1 stop bit
No parity
No hardware flow control
Step 3: Log on to the CLI; when prompted, enter a valid username and
password to log on to the controller. The administrative username and
password that you created in the configuration wizard are case sensitive.
Note
The default username is admin, and the default password is admin. Change them before the controller is reachable from the network; default credentials are the first thing an attacker tries.
The CLI displays the root level system prompt:
(Cisco Controller) >
TACACS+/RADIUS
There are two common AAA security protocols used to control access to a network: RADIUS and TACACS+. They are the language that a networking device and an AAA server use to talk to each other.
RADIUS:
Remote Authentication Dial-In User Service (RADIUS) is an open-standard (RFC 2865) client/server AAA protocol that protects remote access to the network and its services from unauthorized users. Each exchange between a RADIUS server and a client (such as the controller) is authenticated with a shared secret key, and user passwords are hidden with an MD5-based keystream derived from that secret and the request authenticator, so a password cannot simply be read off the wire. Everything else in the packet, including usernames and MAC addresses, travels in clear text, and the hiding can be reversed by anyone who obtains the shared secret, so use long, random secrets and keep RADIUS traffic on a protected management network. RADIUS performs authentication and authorization together in a single Access-Request/Access-Accept exchange. Because RADIUS is an open standard, any vendor can use it in their AAA implementation.
Authentication: It is the process of verifying users when they attempt to log into the controller. Users must enter a valid username and password for the controller to authenticate them against the RADIUS server.
Accounting: It is the process of recording user actions and changes. Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided.
Configuring RADIUS (GUI)
Procedure
Step 1: Select Security > AAA > RADIUS.
Step 2: Configure one of the following:
If you want to configure a RADIUS server for authentication,
select Authentication
If you want to configure a RADIUS server for accounting, select
Accounting
Step 3: From the Acct Call Station ID Type drop-down list, select the
option that is sent to the RADIUS server in the Access-Request message.
The following options are available:
IP Address
System MAC Address
AP MAC Address
AP MAC Address:SSID
AP Name:SSID
AP Name
AP Group
Flex Group
AP Location
VLAN ID
AP Ethernet MAC Address
AP Ethernet MAC Address:SSID
Step 4: Enable RADIUS-to-controller key transport using AES key wrap
protection by checking the Use AES Key Wrap check box. The default
value is unchecked. This feature is required for FIPS customers.
Step 5: From the MAC Delimiter drop-down list, select the option that is
sent to the RADIUS server in the Access-Request message.
The following options are available:
Colon
Hyphen
Single-hyphen
None
Step 6: Click Apply.
Figure 2-13: Configuring RADIUS
Perform one of the following:
➢ To edit an existing RADIUS server, select the server index
number for that server. The RADIUS Authentication (or
Accounting) Servers > Edit page appears
➢ To add a RADIUS server, click New. The RADIUS
Authentication (or Accounting) Servers > New page appears
Figure 2-14: Configuring RADIUS
Step 7: If you are adding a new server, choose a number from the Server
Index (Priority) drop-down list to specify the priority order of this server in
relation to any other configured RADIUS servers providing the same
service.
Step 8: If you are adding a new server, enter the IP address of the RADIUS
server in the Server IP Address text box.
Step 9: From the Shared Secret Format drop-down list, select ASCII or
Hex to specify the format of the shared secret key to be used between the
controller and the RADIUS server. The default value is ASCII.
Step 10: In the Shared Secret and Confirm Shared Secret text boxes, enter
the shared secret key to be used for authentication between the controller
and the server.
Note
The shared secret key must be same for both server and the controller.
Step 11: Check the Apply Cisco ISE Default settings check box (optional).
Enabling Cisco ISE Default settings changes the following parameters:
CoA is enabled by default
The Authentication server details (IP and shared-secret) are also
applied to the Accounting server
The Layer 2 security of the WLAN is set to WPA+WPA2
802.1X is the default AKM
MAC filtering is enabled if the Layer 2 security is set to None
The Layer 2 security is either WPA+WPA2 with 802.1X or
None with MAC filtering
You can change these default settings if required.
Step 12: If you are configuring a new RADIUS authentication server and want to enable AES key wrap, which protects the shared secret between the controller and the RADIUS server, check the Key Wrap check box and complete the key-wrap fields that appear with the same values configured on the server.
Step 13: If you are configuring a new server, enter the RADIUS server's UDP port number for the interface protocols in the Port Number text box. The valid range is 1 to 65535, and the default value is 1812 for authentication and 1813 for accounting.
Step 14: From the Server Status text box, select Enabled to enable this RADIUS server or select Disabled to disable it. The default value is enabled.
Step 15: If you are configuring a new RADIUS authentication server, from the Support for CoA drop-down list, select Enabled to enable change of authorization, which is an extension to the RADIUS protocol that allows dynamic changes to a user session, or select Disabled to disable this feature. By default, this is set to disabled.
Step 16: In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.
Step 17: Check the Network User check box to enable network user authentication (or accounting), or uncheck it to disable this feature. The default value is unchecked.
Step 18: If you are configuring a RADIUS authentication server, check the Management check box to allow management authentication, or uncheck the check box to disallow this feature. The default value is checked.
Step 19: Enter the Management Retransmit Timeout value, which is the network login retransmission timeout for the server.
Step 20: If you want to enable a tunnel gateway as AAA proxy, check the Tunnel Proxy check box. The gateway can operate as a proxy RADIUS server as well as a tunnel gateway.
Step 21: Check the PAC Provisioning check box to allow PAC provisioning for RADIUS authentication (or accounting), or uncheck it to disallow this feature. The default value is unchecked.
Step 22: Check the IPSec check box to enable the IP security mechanism, or uncheck the check box to disable this feature. The default value is unchecked.
Figure 2-15: Configuring RADIUS
Step 23: If you enabled IPsec, follow these steps to configure the additional IPsec parameters:
From the IPSec drop-down list, select the authentication (integrity) algorithm to be used for IP security: HMAC MD5 or HMAC SHA1. The default value is HMAC SHA1; prefer it over HMAC MD5
From the IPSec Encryption drop-down list, select the IP security encryption mechanism:
➢ DES—Data Encryption Standard, a symmetric cipher that applies a 56-bit key to each 64-bit block of data. A 56-bit key is short enough to be brute-forced, so DES should not be selected
➢ 3DES—Triple DES, which applies DES three times in succession with three keys. This is the default value
➢ AES CBC—Advanced Encryption Standard with a 128-, 192-, or 256-bit key operating on 128-bit data blocks in Cipher Block Chaining (CBC) mode. AES 128 CBC uses a 128-bit key
➢ 256-AES—Advanced Encryption Standard with a 256-bit key
From the IKE Phase 1 drop-down list, select the Internet Key Exchange (IKE) phase 1 mode: Aggressive or Main. The default value is Aggressive. Aggressive mode sends the peer identity and the hash derived from the pre-shared key before the channel is encrypted, which exposes the pre-shared key to offline dictionary attacks; Main mode protects both
In the Lifetime text box, type a value (in seconds) to specify the timeout interval for the session. The valid range is 1800 to 57600 seconds, and the default value is 1800 seconds
From the IKE Diffie Hellman Group drop-down list, select the IKE Diffie-Hellman group: Group 1 (768 bits), Group 2 (1024 bits), or Group 5 (1536 bits). The default value is Group 1 (768 bits), which is too small to be considered secure today; choose the largest group the RADIUS server supports.
Figure 2-16: Configuring RADIUS
Step 24: Click Apply.
Step 25: Click Save Configuration.
Figure 2-17: Configuring RADIUS
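What the controller actually puts on the wire in the exchange configured above, as an added example in Python rather than code from the page or from Cisco: it builds an Access-Request for UDP/1812 carrying User-Name, a User-Password hidden as RFC 2865 section 5.2 prescribes, Calling-Station-Id in the MAC delimiter styles from Step 5, Called-Station-Id in the "AP MAC Address:SSID" form, and a Message-Authenticator (RFC 3579), then validates the Response Authenticator of an Access-Accept. Parsing the packet back shows which fields are readable by anyone on the path, and that the password hiding unwinds for anyone holding the shared secret. The shared secret, addresses and identities are invented for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed example values; the secret and addresses are assumptions for this example.
SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CALLED_STATION_ID, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 30, 31, 80


def format_mac(mac, delimiter):
    """Render a MAC in the styles offered by the controller's MAC Delimiter drop-down."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    return {"colon": ":".join(pairs), "hyphen": "-".join(pairs),
            "single-hyphen": digits[:6] + "-" + digits[6:], "none": digits}[delimiter]


def hide_password(password, request_auth, secret=SHARED_SECRET):
    """RFC 2865 section 5.2: pad to 16-byte blocks, then XOR each block with MD5(secret || previous block),
    where the first 'previous block' is the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        hidden += block
        prev = block
    return hidden


def unhide_password(hidden, request_auth, secret=SHARED_SECRET):
    """The hiding is reversible by anyone holding the shared secret (obfuscation, not encryption).
    Trailing NUL padding is stripped, so a password that itself ends in NUL bytes would lose them."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(atype, value):
    """One RADIUS attribute TLV: type, total length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier, username, password, client_mac, ap_mac, ssid,
                         delimiter="hyphen", nas_ip="10.0.0.5", secret=SHARED_SECRET):
    """Access-Request as a controller would send it to UDP/1812, with Called-Station-Id in the
    'AP MAC Address:SSID' form. Returns (packet, request_authenticator)."""
    request_auth = os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), request_auth, secret))
             + attribute(NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split(".")))
             + attribute(CALLED_STATION_ID, f"{format_mac(ap_mac, delimiter)}:{ssid}".encode())
             + attribute(CALLING_STATION_ID, format_mac(client_mac, delimiter).encode())
             + attribute(MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth
    # RFC 3579: Message-Authenticator = HMAC-MD5(secret, packet with the attribute value zeroed).
    # Without it nothing authenticates the cleartext attributes or the Access-Request itself.
    tag = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + tag, request_auth


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header. Every value except User-Password is readable on the wire."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def message_authenticator_valid(packet, secret=SHARED_SECRET):
    """Recompute HMAC-MD5 with the Message-Authenticator value zeroed (the builder puts it last)."""
    expected = hmac.new(secret, packet[:-16] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[-16:])


def build_access_accept(identifier, request_auth, secret=SHARED_SECRET):
    """Minimal server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def response_authenticator_valid(response, request_auth, secret=SHARED_SECRET):
    """Client-side check that ties the reply to our request and to the shared secret (RFC 2865 section 3)."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    packet, request_auth = build_access_request(7, "alice", "S3cret!", "00:11:22:33:44:55", "aabb.ccdd.eeff", "corp")
    attrs = parse_attributes(packet)
    print("cleartext on the wire:", attrs[USER_NAME], attrs[CALLING_STATION_ID], attrs[CALLED_STATION_ID])
    print("hidden User-Password:", attrs[USER_PASSWORD].hex(), "->", unhide_password(attrs[USER_PASSWORD], request_auth))
    print("Access-Accept authentic:", response_authenticator_valid(build_access_accept(7, request_auth), request_auth))
```

Two things stand out when you run it: the username and both MAC addresses are plainly visible in the datagram, and unhide_password recovers the password the moment the shared secret is known, which is why the secret's strength and the network path between controller and server matter more than the "encrypted password" wording suggests. The AES key wrap option in Steps 4 and 12 and the IPsec option in Steps 22 and 23 exist to close exactly these gaps.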
TACACS+
TACACS+ (Terminal Access Controller Access-Control System Plus) was developed by Cisco and was long Cisco proprietary; it is now documented in RFC 8907. Like RADIUS, TACACS+ is used for communication between a networking device and an AAA server. Unlike RADIUS, TACACS+ obscures the entire packet body, attaching only a clear-text TACACS+ header. The body is XORed with an MD5-based keystream derived from the shared key, which RFC 8907 describes as obfuscation rather than encryption, so TACACS+ traffic should still be confined to a trusted management network or carried over IPsec. TACACS+ uses a TCP connection (port 49), which gives it reliable delivery between clients and servers, and it offers granular, per-command control over Cisco routers and switches. TACACS+ performs authentication, authorization, and accounting as separate exchanges, so different methods of controlling each AAA function can be applied independently. One of the main differences between RADIUS and TACACS+ is that RADIUS hides only the password and sends the rest of each packet as clear text over the network.
Authentication: It is the procedure of verifying users when they attempt to log in to the controller. Users must enter a valid username and password for the controller to authenticate them against the TACACS+ server. The authentication and authorization services are tied to one another.
Authorization: It is the procedure of determining the actions that users are
allowed to take on the controller based on their level of access. For
TACACS+, authorization is based on privilege rather than specific actions.
The available roles correspond to the seven menu options on the controller
GUI: MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY,
MANAGEMENT, and COMMANDS. An additional role, LOBBY, is
available for users who require only lobby ambassador privileges. The roles
to which users are assigned are configured on the TACACS+ server. Users
can be authorized for one or more roles.
Accounting: It is the procedure of recording user actions and changes. Any
time a user successfully executes an action, the TACACS+ accounting server
logs the changed action, the user ID of the person who made the change, the
remote host where the user is logged in, the date and time when the command
was executed, the authorization level of the user, and the explanation of the
action performed and the values provided.
Configuring TACACS+ (GUI)
Procedure
Step 1: Choose Security > AAA > TACACS+.
Step 2: Perform one of the following:
If you want to configure a TACACS+ server for authentication,
select Authentication
If you want to configure a TACACS+ server for authorization,
select Authorization
If you want to configure a TACACS+ server for accounting,
select Accounting
Note
The pages used to configure authentication, authorization, and accounting all contain the same fields. Therefore, these instructions go through the configuration only once, using the Authentication pages as examples. You would follow the same steps to configure the other services and/or additional servers.
For basic management authentication by TACACS+ to succeed, it is
required to configure authentication and authorization servers on the WLC.
Accounting configuration is optional.
The TACACS+ (Authentication, Authorization, or Accounting) Servers
page will appear. This page lists any TACACS+ servers that have already
been configured.
If you want to delete an existing server, hover over the blue drop-down arrow for that server and choose Remove.
If you want to make sure that the controller can reach a particular server, hover over the blue drop-down arrow for that server and choose Ping.
Step 3: Configure one of the following:
➢ To edit an existing TACACS+ server, click the server index
number for that server. The TACACS+ (Authentication,
Authorization, or Accounting) Servers > Edit page appears
➢ To add a TACACS+ server, click New. The TACACS+
(Authentication, Authorization, or Accounting) Servers > New
page appears
Step 4: If you are adding a new server, choose a number from the Server
Index (Priority) drop-down list to specify the priority order of this server in
relation to any other configured TACACS+ servers providing the same
service. You can configure up to three servers. If the controller cannot
reach the first server, it tries the second one in the list and then the third if
needed.
Step 5: If you are adding a new server, enter the IP address of the
TACACS+ server in the Server IP Address text box.
Step 6: From the Shared Secret Format drop-down list, choose ASCII or
Hex to specify the format of the shared secret key to be used between the
controller and the TACACS+ server. The default format is ASCII.
Step 7: In the Shared Secret and Confirm Shared Secret text boxes, enter
the shared secret key to be used for authentication between the controller
and the server.
Note
The shared secret key must be the same on both the server and the
controller.
Step 8: If you are adding a new server, enter the TACACS+ server’s TCP
port number for the interface protocols in the Port Number text box. The
valid range is 1 - 65535, and the default value is 49.
Step 9: In the Server Status text box, choose Enabled to enable this
TACACS+ server or choose Disabled to disable it. The default value is
enabled.
Step 10: In the Server Timeout text box, enter the number of seconds
between retransmissions. The valid range is 5 to 30 seconds, and the
default value is 5 seconds.
Step 11: Click Apply.
Figure 2-18: Configuring TACACS+
Components of a Wireless LAN Access for Client Connectivity
using GUI
A wireless LAN controller and an access point work in parallel to provide
network connectivity to wireless clients. From a wireless standpoint, the AP
advertises a Service Set Identifier (SSID) for clients to join. From a wired
standpoint, the controller connects to a Virtual LAN (VLAN) through one of
its dynamic interfaces. To complete the path between the SSID and the
VLAN, you must first define a WLAN on the controller.
Figure 2-19: Connecting Wired and Wireless Networks with a WLAN
The above figure shows a Wireless LAN Controller (WLC) and an Access
Point (AP) that are connected to a network cloud on the right and left
respectively. The AP has a wireless connection with a subnet
192.168.199.0/24 that represents an SSID Engineering. The AP and WLC are
connected by a Control and Provisioning of Wireless Access Points
(CAPWAP). This connection presents a complete WLAN. The WLC has a
wired connection on the right with a subnet 192.168.199.199/24. VLAN 100
exists in the connection that presents VLAN (Interface Engineering). The
controller will connect the WLAN to one of its interfaces and then by default
push the WLAN configuration out to all of its APs. From that point forward,
wireless clients will be able to learn about the new WLAN by receiving its
beacons and will be able to search for and join the new Basic Service Set (BSS).
Like VLANs, you can use WLANs to separate wireless users and their traffic
into logical networks. Users connected with one WLAN cannot cross over
into another one unless their traffic is bridged or routed from one VLAN to
another through the wired network infrastructure.
Before you create new WLANs, it is usually smart to plan your wireless
network first. In a large enterprise, you might have to support an extensive
variety of wireless devices, user communities, security policies, and so on. You
might be tempted to create a new WLAN for every event, just to keep groups
of users separated from each other or to support different types of devices.
Although it is an attractive strategy, you should be aware of two restrictions:
Cisco controllers support a maximum of 512 WLANs, but only 16
of them can be actively configured on an AP
Advertising each WLAN to potential wireless clients uses up
valuable airtime
Every AP must broadcast beacon management frames at a particular time to
advertise the existence of a BSS. Because each WLAN is bound to a BSS,
each WLAN must be advertised with its own beacons. Beacons are usually
sent 10 times per second, or once every 100 milliseconds, at the lowest mandatory
data rate.
According to the rule of thumb, always limit the number of WLANs to five
or fewer; a maximum of three WLANs is best. By default, a controller has a
limited initial configuration, so no WLANs are defined.
Before you create a new WLAN, think about the following parameters that
will be required:
SSID string
Controller interface and VLAN number
Type of wireless security needed
As we work through this section, we will create the appropriate dynamic
controller interface to support the new WLAN; then we will enter the
necessary WLAN parameters. Each configuration step is performed using a
Graphical User Interface (GUI) that is connected to the WLC’s management
IP address.
Step 1. Configure a RADIUS Server
If your new WLAN uses a security scheme that requires a RADIUS server,
such as WPA2-Enterprise or WPA3-Enterprise, you will need to define the
server first.
Select Security > AAA > RADIUS > Authentication
Click New to create a new server.
Enter the server’s IP address, shared secret key, and port number, as shown in
Figure 2-20. Because the controller already has two other RADIUS servers
configured, the server at 192.168.200.30 will be indexed as number 3. Be
sure to set the server status to Enabled so that the controller can start using it.
At the bottom of the page, you can select the type of user that will be
authenticated with the server.
Check Network User to authenticate wireless clients or Management to
authenticate wireless administrators that will access the controller’s
management functions.
Click Apply to complete the server configuration.
Figure 2-20: Configuring a New RADIUS Server
Step 2. Create a Dynamic Interface
A dynamic interface is used to connect the controller to a VLAN on the wired
network. When you create a WLAN, you will connect the dynamic interface
and VLAN to a wireless network.
To create a new dynamic interface, navigate to Controller > Interfaces. You
would see a list of all the controller interfaces that are currently configured.
In Figure 2-21, two interfaces named “management” and “virtual” already
exist.
Click the New button to define a new interface.
Figure 2-21: Displaying a List of Dynamic Interfaces
Enter a name for the interface and the VLAN number it will be bound to.
Figure 2-22, shows the interface named Engineering is mapped to wired
VLAN 100.
Click the Apply button.
Figure 2-22: Defining a Dynamic Interface Name and VLAN ID
Next, enter the IP address, subnet mask, and gateway address for the
interface. You should also define primary and secondary DHCP server
addresses that the controller will use when it relays DHCP requests from
clients that are bound to the interface.
Figure 2-23 shows that the interface named Engineering has been configured
with IP address 192.168.100.10, subnet mask 255.255.255.0, gateway
192.168.100.1, and DHCP servers 192.168.1.17 and 192.168.1.18.
Click the Apply button to complete the interface configuration and return to
the list of interfaces.
Figure 2-23: Editing the Dynamic Interface Parameters
Step 3. Create a New WLAN
You can show a list of the currently defined WLANs by selecting WLANs
from the top menu bar.
In Figure 2-24, the controller does not have any WLANs already defined.
You can create a new WLAN by selecting Create New from the drop-down
menu and then clicking the Go button.
Figure 2-24: Displaying a List of WLANs
Next, enter a descriptive name as the profile name and the SSID text string.
In Figure 2-25, the profile name and SSID are identical, just to keep things
clear. The ID number is used as an index into the list of WLANs that are
defined on the controller. The ID number becomes useful when you use
templates in Prime Infrastructure (PI) to configure WLANs on multiple
controllers at the same time.
Figure 2-25: Creating a New WLAN
Go to the next page that will allow you to edit four categories of parameters,
corresponding to the tabs across the top as shown in Figure 2-26.
Figure 2-26: Configuring the General WLAN Parameters
You can control whether the WLAN is enabled or disabled with the Status
check box. Under Radio Policy, select the type of radio that will offer the
WLAN. By default, the WLAN will be offered on all radios that are joined
with the controller.
Next, select which of the controller’s dynamic interfaces will be bound to the
WLAN. By default, the management interface is selected. The drop-down list
contains all the interface names that are available. In Figure 2-26, the new
IPSpecialist WLAN will be bound to the Engineering interface.
Finally, enable the Broadcast SSID by selecting the check box. APs should
broadcast the SSID name in the beacons they transmit. Broadcasting SSIDs is
usually more convenient for users connecting to the WLAN because their
devices can learn and display the SSID names automatically.
Configuring WLAN Security
Select the Security tab to configure the security settings. By default, the
Layer 2 Security tab is selected. From the Layer 2 Security drop-down menu,
select the appropriate security scheme to use.
WPA+WPA2 has been selected from the pull-down menu; then only WPA2
and AES encryption have been selected. WPA and TKIP have been avoided
because they are outdated methods.
Under the Authentication Key Management section, you can select the
authentication methods the WLAN will use. PSK will be selected, so the
WLAN will allow only WPA2-Personal with pre-shared key authentication
as shown in Figure 2-27.
Figure 2-27: Configuring Layer 2 WLAN Security
Configuring WLAN QoS
Select the QoS tab to configure quality of service settings for the WLAN, as
shown in Figure 2-28.
By default, the controller considers all frames in the WLAN to be normal
data and handles them in a “best effort” manner.
You can set the Quality of Service (QoS) drop-down menu to classify all
frames in one of the following ways:
Platinum (voice)
Gold (video)
Silver (best effort)
Bronze (background)
Figure 2-28: Configuring QoS Settings
Configuring Advanced WLAN Settings
Finally, you can select the Advanced tab to configure a variety of advanced
WLAN settings.
You can enable functions such as coverage hole detection, peer-to-peer
blocking, client exclusion, client load limits, and so on as shown in the Figure
2-29.
Figure 2-29: Configuring Advanced WLAN Settings
Finalizing WLAN Configuration
When you are satisfied with the settings in each of the WLAN configuration
tabs, click the Apply button in the upper-right corner of the WLAN Edit
page.
Figure 2-30: Finalizing WLAN Configuration
Finally, the WLAN will be created and added to the controller configuration.
The WLAN ‘Engineering’ has been added as WLAN ID 1 as shown in Figure
2-31 and is enabled for use.
Figure 2-31: Displaying WLANs Configured on a Controller
Mind Map of Network Access
Figure 2-32: Mind Map of Network Access
Summary
VLANs (Normal Range) Spanning Multiple Switches
A Virtual LAN (VLAN) is a switched network that is logically
divided by function, project team or application, regardless of the
physical locations of the users or hosts
VLANs have similar attributes as physical LANs, but you can
group end stations/hosts even if they are not physically situated on
the same LAN segment
Normal-range VLANs are VLANs with VLAN IDs 1-1005
A data VLAN is a VLAN that is configured to carry user-
generated traffic
Most switches allow you to add a second VLAN on a switch port
for your voice traffic, called the voice VLAN
Interswitch Connectivity
Cisco originally created their own way of marking traffic with a
VLAN ID for transport over an interswitch link. It was named
Inter Switch Link (ISL)
Trunk ports mark frames with unique identifying tags, either
802.1Q tags or Interswitch Link (ISL) tags as they move between
switches
802.1Q adds a 4-Byte header to the frame indicating the VLAN
(Virtual LAN) membership as compared to ISL, which
encapsulates (adds header and trailer) to the frame
Layer 2 Discovery Protocols (Cisco Discovery Protocol and LLDP)
Cisco Discovery Protocol (CDP) is a Device Discovery protocol,
which operates at data link layer (Layer 2) on all Cisco-
manufactured devices and permits network management
applications for discovering Cisco devices that are neighboring
devices
To support non-Cisco devices and allow for interoperability
between other devices, the switch supports the IEEE 802.1AB
LLDP
(Layer 2/Layer 3) EtherChannel (LACP)
An EtherChannel consists of Fast Ethernet or Gigabit Ethernet
links bundled into a single logical link
The EtherChannel offers full-duplex bandwidth up to 800 Mb/s
(Fast EtherChannel) or 8Gb/s (Gigabit EtherChannel) between one
switch to another switch
LACP allows the automatic creation of EtherChannels by
exchanging the LACP packets between Ethernet ports
Basic Operations of Rapid PVST+ Spanning Tree Protocol
Rapid PVST+ provides rapid convergence of the spanning tree by
assigning port roles and learning the active topology
To configure a VLAN instance to become the root bridge, modify
the bridge priority from the default value (32768) to a considerably
lower value
The great advantage of configuring PortFast is that a port configured
with PortFast immediately starts transmitting data in the
‘forwarding’ state, bypassing the other spanning-tree states
Cisco Wireless Architectures vs. AP Modes
The Cisco unified wireless network architecture offers secure,
scalable, cost-effective wireless LANs solution for business
critical mobility
The Cisco Unified Wireless Network is the enterprise’s only
unified wired and wireless solution that cost-effectively addresses
the Wireless LAN (WLAN) security, deployment, management,
and control issues
The core components of Cisco Unified Wireless Network are
Cisco Wireless LAN Controllers (WLCs), Cisco Aironet Access
Points (APs), Cisco Prime Infrastructure (PI), Cisco Mobility
Services Engine (MSE)
Physical Infrastructure Connections of WLAN Components (AP, WLC,
Access/Trunk Ports, and LAG)
An access point has a radio card that communicates with
individual user devices on the wireless LAN, as well as a wired
NIC that interfaces to a distributed system, such as Ethernet
A WLAN controller manages wireless network access points that
allow wireless devices to connect to the network
LAG simplifies controller configuration because there is no longer
the need to configure primary and secondary ports for each
interface
AP and WLC Management Access Connections (Telnet, SSH, HTTP,
HTTPS, Console, and TACACS+/RADIUS)
A wireless LAN controller is used in combination with the
Lightweight Access Point Protocol (LWAPP) to manage light-
weight access points in large numbers by the network
administrator or network operations center
Telnet is a network protocol used to provide access to the
controller’s browser
Secure Shell (SSH) is a more secure version of Telnet for data
transfer that uses data encryption and a secure channel
An HTTP/HTTPS session provides guidelines to enable the
distribution system port as a web port (using HTTP) or as a secure
web port (using HTTPS)
There are two common security protocols of AAA used to control
access in a network, which are RADIUS and TACACS+
Components of a Wireless LAN Access for Client Connectivity using
GUI
Before you create a new WLAN, think about the following
parameters that will be required:
• SSID string
• Controller interface and VLAN number
• Type of wireless security needed
A wireless LAN controller and an access point work in parallel to
provide network connectivity to wireless clients
From a wireless standpoint, the AP advertises a Service Set
Identifier (SSID) for the client to join
From a wired standpoint, the controller connects to a virtual LAN
(VLAN) through one of its dynamic interfaces
To complete the path between the SSID and the VLAN, you must
first define a WLAN on the controller
Practice Questions
1. Switch SW1 sends a frame to switch SW2 using 802.1Q trunking.
Which of the answers describes how SW1 changes or adds to the
Ethernet frame before forwarding the frame to SW2?
A. It inserts a 4-byte header and does change the MAC addresses
B. It inserts a 4-byte header and does not change the MAC
addresses
C. It encapsulates the original frame behind an entirely new
Ethernet header
D. None of the other answers are correct
2. Which of the following commands identify switch interfaces as
being trunking interfaces: interfaces that operate as VLAN trunks?
(Choose 2)
A. show interfaces
B. show interfaces switchport
C. show interfaces trunk
D. show trunks
3. What STP feature causes an interface to be placed in the
forwarding state as soon as the interface is physically active?
A. STP
B. EtherChannel
C. Root Guard
D. PortFast
4. Which type value on the spanning-tree mode type global command enables the use of RSTP?
A. rapid-pvst
B. pvst
C. rstp
D. rpvst
5. A lab engineer configures a switch to put interfaces G0/1 and G0/2
into the same Layer 2 EtherChannel. Which of the following terms
is used in the configuration commands?
A. EtherChannel
B. PortChannel
C. Ethernet-Channel
D. Channel-group
6. An access point is set up to offer wireless coverage in an office.
Which one of the following is the correct 802.11 term for the
resulting standalone network?
A. BSA
B. BSD
C. BSS
D. IBSS
7. What command allows you to view the VLANs and interface
assignments on your switch?
A. show vlan brief
B. show vlan status
C. show vlan information
D. show vlan database
8. What command assigns an access port to VLAN 20?
A. switchport vlan 20
B. switchport mode vlan 20
C. switchport assign vlan 20
D. switchport access vlan 20
9. What command assigns an access port to Voice VLAN 10?
A. switchport voice vlan 10
B. switchport access vlan 10 voice
C. switchport vlan 10 voice
D. switchport access vlan 10
10. What command configures an interface to trunk?
A. switchport trunk
B. switchport trunk dot1q
C. switchport mode trunk
D. switchport trunk enable
11. What command allows you to quickly view all of the trunks
on your switch?
A. show vlans trunk
B. show interface trunk
C. show trunk interface
D. show trunk all
12. When you would like to connect to a WLC to configure a
new WLAN on it, which one of the following is a valid method to
use?
A. SSH
B. HTTPS
C. HTTP
D. All of the above
13. Which one of the following correctly describes the single
logical link formed by bundling all of a controller’s distribution
system ports together?
A. EtherChannel
B. Trunk ports
C. LAG
D. VLAN
14. Which two of the following elements are bound together
when a new WLAN is created? (Choose 2)
A. VLAN
B. AP
C. Controller Interface
D. SSID
15. What is the maximum number of WLANs you can configure
on a Cisco’s wireless controller?
A. 8
B. 16
C. 1024
D. 512
16. Which of the following parameters are necessary when
creating a new WLAN with the controller GUI? (Choose all that
apply)
A. SSID
B. VLAN number
C. Interface
D. BSSID
17. Which of the following is a fractional implementation of the
802.3ad port aggregation standard?
A. LAG
B. CAPWAP
C. LACP
D. Rapid PVST+
18. When you need to connect a lightweight AP to a network,
which one of the following link types would be required?
A. Access Mode
B. Trunk Mode
C. LAG Mode
D. EtherChannel
19. Switch Dept1 sends a frame to switch Dept2 using 802.1Q
trunking. Which of the answers describes how Dept1 changes or
adds to the Ethernet frame before forwarding the frame to Dept2?
A. It inserts a 4-byte header and does change the MAC addresses
B. It inserts a 4-byte header and does not change the MAC
addresses
C. It encapsulates the original frame behind an entirely new
Ethernet header
D. None of the other answers are correct
20. What STP feature causes an interface to be placed in the
forwarding state as soon as the interface is physically active?
A. STP
B. EtherChannel
C. Root Guard
D. PortFast
Chapter 03: IP Connectivity
Technology Brief
In the previous chapter, we have discussed the roles and functions of different
components that include routers, L1 & L2 switches, firewalls, and servers.
We discussed characteristics of network topology architecture, physical
interfaces and cabling types, how the issues with these cable types could be
identified, and subnetting. We also looked at the configuration of VLAN
spanning multiple switches and the verification of their connectivity. In this
chapter, we will discuss the routing concept with the support of static routing
for both IPv4 and IPv6 and the OSPFv2 routing protocol.
Components of the Routing Table
Entries to networks are part of a routing table. It shows that the networks are
either directly connected, statically configured or dynamically learned. The
“show ip route” command is used to view a routing table. Using this
command will present you with something like the following:
The IP Routing Table on a Cisco Router
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, FastEthernet0/0
L 10.10.10.1/32 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 3 subnets
R 172.16.1.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R 172.16.2.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R 172.16.3.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
192.168.1.0/32 is subnetted, 1 subnets
O 192.168.1.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
192.168.2.0/32 is subnetted, 1 subnets
O 192.168.2.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
Routing Protocol Code
The term routing refers to taking a packet from one device and sending it
through the network to another device on a different network.
Following are the basic operations of routing:
Routing is a process used to discover far-end networks
Routing is a process used to discover multiple paths to far-end
networks
Routing is used to select the best path
Once you create an internetwork by connecting your WANs and LANs to a
router, you will need to configure logical network addresses, like IP
addresses, to all hosts on that internetwork for them to communicate
successfully throughout it.
The information necessary to forward a packet along the best path towards its
destination resides in the routing table. It contains the information about the
packet’s origin and destination. Upon receiving a packet, a network device
examines the packet and matches it to the routing table entry and provides the
best match for its destination. The packet is then forwarded according to
that entry’s instructions to the next hop on its route across the
network.
The following information is included in a basic routing table:
Destination: The IP address of the packet's final destination
Next Hop: The IP address to which the packet is forwarded
Interface: The outgoing network interface the device should use
when forwarding the packet to the next hop or final destination
Metric: Assigns a cost to each available route so that the most
cost-effective path can be chosen
Routes: Includes directly-attached subnets, indirect subnets that
are not attached to the device but can be accessed through one or
more hops, and default routes to use for certain types of traffic or
when information is lacking
The routing protocol code identifies which route was learned by which
routing protocol.
Routing protocol codes are located at the very beginning of a routing table
entry. Cisco is kind to us and even provides a legend at the beginning of the
show output to explain what each value means. Here are those values for
your ease of reference:
• L—local
• C—connected
• S—static
• R—RIP
• M—mobile
• B—BGP
• D—EIGRP
• EX—EIGRP external
• O—OSPF
• IA—OSPF inter area
• N1—OSPF NSSA external type 1
• N2—OSPF NSSA external type 2
• E1—OSPF external type 1
• E2—OSPF external type 2
• i—IS-IS
• su—IS-IS summary
• L1—IS-IS level-1
• L2—IS-IS level-2
• ia—IS-IS inter area
• *—candidate default
• U—per-user static route
• o—ODR
• P—periodic downloaded static route
• +—replicated route
Prefix
The network address is simply termed the prefix. The prefix is the
destination network address in the routing table. The shorthand way to express a subnet mask using CIDR notation is a prefix-length, e.g., for the
subnet mask 255.255.255.0, the prefix-length is /24.
Notice that the routing table lists the parent and child prefixes reachable in
the table. For example, in the table above, the entry “172.16.0.0/24 is
subnetted, 3 subnets” lists the parent prefix, and the specific child
prefixes below it are 172.16.1.0, 172.16.2.0, and 172.16.3.0.
Network Mask
As we mentioned earlier, the prefix-length is simply a shorthand way to
express a network mask using CIDR notation. A network mask is also called
a subnet mask or net mask for short.
Notice, in the routing table list given, the parent prefix lists the network mask
in prefix notation. So for the 172.16.0.0 example above, the network mask
is /24. Remember, in non-prefix notation, this is 255.255.255.0.
Network address   Prefix-length   Type of route                                      Subnet mask
0.0.0.0/0         /0 (zero)       Default route                                      0.0.0.0
172.16.0.0/16     /16             A summary route for the four 172.16.x.x networks   255.255.0.0
172.16.1.0/24     /24             A summary route                                    255.255.255.0
172.16.1.1/32     /32             A preferred route for this specific IP address     255.255.255.255
Table 3-01: Types of Route and Subnet Mask
Next Hop
The IP address of the next router inline is identified by next hop to forward
the packet. The next hop IP address follows the “via” word for a child prefix
entry. The next hop refers to the IP address of the next router in the path
when forwarding packets to a remote destination.
Administrative Distance
Administrative distance is used to select the best path when a router has two
different paths to the same destination via two different routing protocols.
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, FastEthernet0/0
L 10.10.10.1/32 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 3 subnets
R 172.16.1.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R 172.16.2.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R 172.16.3.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
192.168.1.0/32 is subnetted, 1 subnet
O 192.168.1.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
192.168.2.0/32 is subnetted, 1 subnet
O 192.168.2.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
In the bracketed values above, the first number is the administrative distance
(RIP AD in the R entries, OSPF AD in the O entries). As shown in the output,
the administrative distance for RIP is 120 for 172.16.1.0, reached through
10.10.10.3, while the AD for OSPF is 110 for 192.168.2.2, reached through
10.10.10.2.
The Administrative Distance for the Prefix
Note that the Administrative Distance (AD) associated with the 172.16.0.0/24
prefixes is 120. This is because these routes were learned via RIP, and 120 is
the default administrative distance for RIP. Most of the routing protocols are
not compatible with other protocols. It is a critical task to select the best path
between multiple protocols in a network with multiple routing protocols. The
reliability of a routing protocol is defined by an administrative distance. An
administrative distance value prioritizes each routing protocol in order of
most to least reliable. IPv6 also uses the same distances as IPv4.
The AD is used to rate the trustworthiness of routing information received on
a router from a neighbour router. An administrative distance is an integer
from 0 to 255, where 0 is the most trusted and 255 means no traffic will be
passed via this route.
If a router receives two updates listing the same remote network, the first
thing the router checks is the AD. If one of the advertised routes has a lower
AD than the other, the route with the lowest AD will be chosen and placed in
the routing table.
Default Administrative Distances
The default administrative distances are shown in the table given below:
Routing Protocol Administrative Distance
Connected 0
Static 1
EIGRP summary route 5
BGP (external) 20
EIGRP 90
IGRP 100
OSPF 110
IS-IS 115
RIP 120
External EIGRP 170
BGP(internal) 200
Unknown 255 (This route will never be used)
Table 3-02: Values for the Administrative Distances
Metric
The metric is a value that is produced by the routing protocol's algorithm.
The best path to a destination network within a routing protocol is determined
by the metric value.
The metric varies with the dynamic routing protocol involved. It is a measure
of the “distance” to reach the prefix. In our 172 prefixes, it is a hop count.
This is the simple metric used by RIP. It indicates how many routers you
must cross to reach the destination prefix in question. Different protocols
have different metrics, as described in the table given below:
Protocol Metric
RIP Hop Count
EIGRP K values
OSPF Reference Bandwidth
Table 3-03: Metrics for Different Protocols
Routes to a destination learned by the same routing protocol are compared
using their metric values. Routes with lower metric values are preferred.
Routing Information Protocol (RIP) Metric Value
Hop count is used by the RIP (Routing Information Protocol) as
the metric
The number of routers that data must pass through on its way from the
source network to the destination is termed the hop count
Hop count is the number of routers data must pass through from the source
network to reach the destination
Figure 3-01: Hop Count
In the topology given above, the Source Network router is R1 and the
Destination Network router is R4. An IP datagram must hop three routers to
reach the Destination Network. The middle route consists of R2, and R3 to
reach the destination R4.
Gateway of Last Resort
The default route configured on the router is termed the gateway of last
resort. Packets that are addressed to networks not explicitly listed in the
routing table are directed using default routes. Default routes become
invaluable when learning every more-specific network in the topology is
not desirable.
Any of the following commands can be used to configure the gateway of last
resort:
ip default-gateway a.b.c.d
ip default-network a.b.c.d
ip route 0.0.0.0 0.0.0.0 a.b.c.d
Notice again in our routing table example, it is indicated that there is no
Gateway of Last Resort set. This means that there is no default route 0.0.0.0/0
setup that allows the router to send traffic somewhere if it does not have a
specific prefix entry for the destination IP address. The Gateway of Last
Resort can be dynamically learned, or can be set using three different
commands: ip default-gateway, ip default-network, and ip route 0.0.0.0
0.0.0.0.
The IP Routing Table on a Cisco Router
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, FastEthernet0/0
L 10.10.10.1/32 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 3 subnets
R 172.16.1.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R 172.16.2.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
R 172.16.3.0 [120/1] via 10.10.10.3, 00:00:19, FastEthernet0/0
192.168.1.0/32 is subnetted, 1 subnet
O 192.168.1.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
192.168.2.0/32 is subnetted, 1 subnet
O 192.168.2.2 [110/2] via 10.10.10.2, 00:00:37, FastEthernet0/0
How Does a Router Make Forwarding Decisions by Default?
Longest Match
The longest prefix match is an algorithm used in Internet Protocol (IP)
networking for selecting an entry from a forwarding table. Each entry in a
forwarding table specifies a sub-network. More than one forwarding table
entry may match a given destination address. Among the matching table
entries, the one with the longest subnet mask is called the longest prefix
match. It is the entry where the largest number of leading address bits of the
destination address match those in the table entry.
Example
Let’s look at a scenario: a router with varying prefix lengths has four routing
processes running on it, and each process has received these routes:
EIGRP (internal): 192.168.32.0/26
RIP: 192.168.32.0/24
OSPF: 192.168.32.0/19
Because the routing table installs routes from the source with the best
administrative distance, and EIGRP internal routes have the best
administrative distance in this example, it is tempting to assume that only the
first one will be installed.
Making Forwarding Decisions
The three routes installed in the routing table can be shown by the command:
router# show ip route
....
D 192.168.32.0/26 [90/25789217] via 10.1.1.1
R 192.168.32.0/24 [120/4] via 10.1.1.2
O 192.168.32.0/19 [110/229840] via 10.1.1.3
....
If a packet destined for 192.168.32.1 arrives on a router interface, the route
chosen depends on the prefix length, that is, the number of bits set in the
subnet mask. Longer prefixes are always preferred over shorter ones when
forwarding a packet.
A packet destined for 192.168.32.1 is directed toward 10.1.1.1 because
192.168.32.1 falls within the 192.168.32.0/26 network. It also falls within the
other two routes, but 192.168.32.0/26 has the longest prefix in the
routing table (26 bits versus 24 or 19 bits).
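The longest-match rule above, as an added example that is not from the original text: a Python lookup over the three routes shown, extended to IPv6 with constructed table lines modelled on R1's static routes from the IPv6 case study later on this page, since the same rule applies to both address families.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Route:
    code: str          # routing-table source code (D, R, O, S, ...)
    prefix: Network
    next_hop: str


def parse_route(line: str) -> Route:
    """Parse one routing-table line of the form
    '<code> <prefix/len> [<AD>/<metric>] via <next_hop>' into a Route."""
    code, prefix, _ad_metric, via, next_hop = line.split()
    if via != "via":
        raise ValueError("unexpected route line: " + line)
    return Route(code, ipaddress.ip_network(prefix, strict=False), next_hop)


# The three routes installed in the table shown above. They have different
# prefix lengths, so all three coexist regardless of administrative distance.
IPV4_TABLE_LINES = [
    "D 192.168.32.0/26 [90/25789217] via 10.1.1.1",
    "R 192.168.32.0/24 [120/4] via 10.1.1.2",
    "O 192.168.32.0/19 [110/229840] via 10.1.1.3",
]

# Constructed IPv6 lines in the same shape (not page output), based on R1's
# default route and /64 network route from the IPv6 case study.
IPV6_TABLE_LINES = [
    "S ::/0 [1/0] via 2001:AAAA:BBBB:4::2",
    "S 2001:AAAA:BBBB:2::/64 [1/0] via 2001:AAAA:BBBB:3::2",
]

TABLE: List[Route] = [parse_route(l) for l in IPV4_TABLE_LINES + IPV6_TABLE_LINES]


def longest_prefix_match(table: List[Route], destination: str) -> Optional[Route]:
    """Return the matching entry with the longest subnet mask, or None when no
    entry (not even a default route) covers the destination."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table
                  if r.prefix.version == dst.version and dst in r.prefix]
    if not candidates:
        return None               # the router would drop the packet
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop_for(destination: str, table: List[Route] = TABLE) -> Optional[str]:
    """Next hop the router would forward to, or None if it has no route."""
    route = longest_prefix_match(table, destination)
    return route.next_hop if route else None


if __name__ == "__main__":
    for dst in ("192.168.32.1", "192.168.32.100", "192.168.40.1", "192.168.64.1",
                "2001:AAAA:BBBB:2::10", "2001:db8::1"):
        print(f"{dst:>22} -> {next_hop_for(dst)}")
```

192.168.32.100 lies outside the /26 (.0 to .63) and therefore takes the /24 via 10.1.1.2, while 192.168.64.1 matches no entry at all.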
Administrative Distance
Administrative distance is used to prefer one routing protocol over another
when both offer a route to the same destination network. When a Cisco router
receives routing information for the same destination network from different
protocols, the route from the protocol with the lower administrative distance
will be used.
Static routes have a lower AD than any of the dynamic routing protocols, so a
static route is preferred over routes to the same destination network learned
from dynamic routing protocols.
Multiple static routes to the same destination can be specified via different
interfaces, with a higher administrative distance on the backup, for the
purpose of failover. If the router’s interface goes down, it removes the route
through that interface and installs the other static route with the higher AD.
These routes are called floating static routes.
Routing Protocol Metric
Routers use a metric, or cost value, to determine the best path to a
destination network. Dynamic routing protocols determine the preferred or
shortest path to a particular destination, and the main factors in that
decision are the metrics and the algorithm used. The metric decides the
preferred path the packets follow. For some routing protocols the metric
values are static and may not be changed; for others a network administrator
may assign them. Hop count, bandwidth, delay, reliability, load, and cost are
the most common metric values.
Hop
This metric value is used to measure distance based on the number
of networks a datagram crosses
A single hop count is considered each time a router forwards a
datagram onto a segment
Routing protocols observing hops as their primary metric value
consider the best or preferred path to a destination to be the one
with the least number of network hops
Routing protocols that only reference hops as their metric do not
always select the best path through a network
Just because a path to a destination contains fewer network hops
than another does not make it the best
The upper path may contain a slower link, such as 56Kb dial-up
link along the second hop, whereas the lower path may consist of
more hops but faster links, such as gigabit Ethernet
If this were the case, the lower path would undoubtedly be faster
than the upper. However, routing protocols that use hops do not
consider other metric values in their routing decisions
Bandwidth
This metric is used by protocols that consider the capacity of a link
Bits per second is used to measure the Bandwidth
Links supporting the higher transfer rates like gigabit are preferred
over lower capacity links like 56Kb
The bandwidth capacity of each link along the end-to-end path is
determined and considered by these protocols
The path chosen as the best route is with the overall higher
bandwidth
Delay
Delay is measured in tens of microseconds
The symbol μ is used to indicate a delay
Delay represents the amount of time it takes for a router to
process, queue, and transmit a datagram out an interface
Protocols that use this metric must determine the delay values for
all links along the end-to-end path, considering the path with the
lowest (cumulative) delay to be a better route
Reliability
An administrator may configure this metric as a fixed value, or it can be
measured dynamically over a specific time frame. Routers observe the attached
links for reported problems such as link failures, interface errors, and lost
datagrams; links with more problems are considered less reliable. The higher
the reliability, the better the path. Link reliability changes as network
conditions constantly change. This value is generally measured as a fraction
of 255, with 255 being the most reliable and 1 being the least reliable.
Load
Load is a variable value, generally measured over a five-second
window, indicating the traffic load over a specific link
The amount of traffic occupying the link over this time frame as a
percentage of the link's total capacity is measured by the load
The value 255 is equivalent to 100% utilization or load
The higher the value, the higher will be the traffic load (bandwidth
utilization) across this link
As traffic across the link increases, this value increases
Congestion is indicated by values approaching 255, while
lower values indicate moderate traffic loads
The less congested path is mostly preferred
Cost
The way routers make path decisions can be affected by network
administrators
It is by setting arbitrary metric values on links along the end-to-
end path
These arbitrary values are typically single integers with lower
values indicating better paths
IPv4 and IPv6 Static Routing
IP Addresses
An Internet Protocol address, or IP address, is a numerical label assigned to
each device connected to a computer network that uses IP for communication.
For a specific machine on a particular network, the IP address acts as an
identifier. It is also called an IP number or internet address. IP specifies
the technical format of packets and the addressing scheme. In most networks
IP is combined with TCP, which allows a virtual connection to be set up
between a source and a destination.
IPv4 Address
The first version of IP was IPv4. It was deployed in the ARPANET for
production, in 1983. It is the most widely used IP version nowadays. Devices
on a network are identified by using an addressing system. A 32-bit address
scheme is used in IPv4 that allows to store 2^32 addresses, which is more
than 4 billion addresses.
IPv6 is the successor of IPv4. With IPv6, a system will be able to simplify
address assignments, gain additional network security features, and offer far
more numerical addresses. The IPv4 to IPv6 transition is likely to be rough,
though.
This underlying technology allows us to connect our devices to the web. A
device accessing the internet is assigned a unique, numerical IP address such
as 99.48.227.227. A data packet must be transferred across the network
containing the IP addresses of both devices in order to send data from one
computer to another through the web. Computers would not be able to
communicate and send data to each other without IP addresses.
Features of IPv4
It is a connectionless Protocol
It allows creating a simple virtual communication layer over
expanded devices
Less memory is required and addresses are easy to remember in
this addressing scheme
Millions of devices support this protocol
Video libraries and conferences are offered in IPV4
The Reason Why We Are Running out of IPv4 Addresses
IPv4 uses 32-bit internet addresses, so around 4.29 billion, i.e., 2^32 IP
addresses in total can be supported in this scheme. All these 4.29 billion IP
addresses have now been assigned to various institutions, leading to the crisis
we face today. Many of them are unused and in the hands of institutions like
MIT and companies like Ford and IBM. More IPv4 addresses will be traded
or sold, and some are still available to be assigned, but they will become a
rarer commodity over the next two years until the shortage causes problems
for the web.
Commands used to add a static route to a routing table from global config are
given below:
ip route [destination_network] [mask] [next-hop_address or exit_interface]
[administrative_distance] [permanent]
This list describes each command in the string:
ip route: The command used to create the static route.
destination network: The network you are placing in the routing table.
mask: The subnet mask used on the network.
next-hop address: The IP address of the next-hop router that will receive
packets and forward them to the remote network. It must be a router interface
on a directly connected network, and you must be able to ping that router
interface successfully before you can add the route. Note that if you type in
the wrong next-hop address, or the interface to the correct router is down,
the static route will show up in the router's configuration but not in the
routing table.
Exitinterface: Can be used in place of the next-hop address if you want, and
it shows up as a directly connected route.
administrative distance: By default, static routes have an administrative
distance of 1 or 0 if you use an exit interface instead of a next-hop address.
You can change the default value by adding an administrative weight at the
end of the command.
permanent: If the interface is shut down or the router cannot communicate
with the next-hop router, the route is automatically discarded from the
routing table by default. Choosing the permanent option keeps the entry in
the routing table.
IPv6 Address
The most recent version of the Internet Protocol is IPv6. Work on it was
initiated in early 1994 by the Internet Engineering Task Force (IETF); the
design and development of that suite is now called IPv6. It is the sixth
revision of the Internet Protocol and the successor to IPv4. Deploying this
new IP version meets the need for more internet addresses, and the issues
associated with IPv4 have been resolved with this addressing scheme. Its
128-bit address space allows three hundred and forty (340) undecillion unique
addresses. It is also called IPng (Internet Protocol next generation). It
functions much like IPv4 and provides the unique, numerical IP addresses that
internet-enabled devices need to communicate. The one major difference of
this addressing scheme is that it uses 128-bit addresses.
Features of IPv6
It offers hierarchical addressing and routing infrastructure
It allows stateful and stateless configurations
It supports Quality of Service (QoS)
For neighboring node interaction, it is an ideal protocol
Problem Solved with IPv6
As IPv6 uses 128-bit internet addresses, 2^128 internet addresses can be
supported in this scheme. Hence, it contains
340,282,366,920,938,000,000,000,000,000,000,000,000 addresses. That is
a lot of addresses, and a hexadecimal system is required to display them.
There are more than enough IPv6 addresses to keep the internet operational
for a very, very long time.
Difference between IPv4 and IPv6 Addresses
Both IPv4 & IPv6 are IP addresses representing binary numbers
IPv4 is a 32-bit binary number while IPv6 is a 128-bit binary number
address
IPv4 addresses are separated by full stops (.) while IPv6 addresses are
separated by colons (:)
Both are used to identify machines connected to a network
In principle, they are the same, but they are different in how they
work
IPv4 and IPv6 can exist together on the same network but cannot
communicate with each other. This is also known as Dual Stack.
Default Route
Default route is used by IP to forward any packet with a destination not found
in the routing table, which is why it is also called a gateway of last resort.
Here is the configuration:
Router(config)#ip route 0.0.0.0 0.0.0.0 172.16.10.2
Router(config)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 172.16.10.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.16.10.2   (Default Route)
Network Route
When a route is created to a network (as most route entries do), it is called a
network route. This simply means that the route points to a group of hosts, as
does the following entry:
//Network route
Router(config)#ip route 200.100.50.0 255.255.255.0 172.16.10.2
Router(config)#do show ip route
S 200.100.50.0/24 [1/0] via 172.16.10.2
Host Route
In most cases, we create routes to networks, but you can create a route
leading to a single host. An example of a host route is shown below. Note
that the mask that goes with the route is 32 bits in length, meaning it is a
route to a single IP address.
There are dynamically created host routes called local host routes as well.
One of these will be placed in the routing table for each router interface. An
example is shown below. Note that it has an L next to it and is preceded by
the network route for the directly connected network in which the interface
resides.
Router(config)#do show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 172.16.10.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.16.10.2
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.10.0/24 is directly connected, Ethernet1/0
L 172.16.10.1/32 is directly connected, Ethernet1/0   (Host Route)
S 172.16.20.0/24 is directly connected, Ethernet1/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet0/0
L 192.168.1.1/32 is directly connected, FastEthernet0/0   (Host Route)
S 192.168.2.0/24 is directly connected, Ethernet1/0
S 200.100.50.0/24 [1/0] via 172.16.10.2
Floating Static
A floating static route is simply one that has been created as a backup to a
route learned though a routing protocol. By creating the static route with an
administrative distance larger than that of the routing protocol, we can
prevent the use of the static route unless the dynamic route is unavailable.
The following example configures a static route with a distance of 125, which
would prevent it from being placed in the routing table as long as a route to
the same network with a lower distance value is present.
Router(config)#ip route 192.168.4.0 255.255.255.0 [next-hop_address] 125
A static route that the router uses to back up a dynamic route is known as a
floating static route. A floating static route must be configured with a higher
administrative distance than the dynamic route that it backs up, so the
dynamic route is preferred while it is present. When the dynamic route is
lost, the floating static route takes its place.
Note
A RIP route has a distance of 120. A static route is preferred to a dynamic
route by default as a static route has a smaller administrative distance than
a dynamic route.
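Route selection by administrative distance, as an added example (not code from the page) that serves the Administrative Distance section, the ip route command syntax above, and the floating static route described here: it parses the next-hop form of ip route, installs the lowest-AD candidate per prefix, and replays R1's failover from the IPv4 case study that follows (default via 172.16.1.2 with AD 1, floating static via 172.16.3.2 with AD 5). The next hops 10.1.1.2 and 10.1.1.9 used in the RIP comparison are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Default administrative distances Cisco IOS assigns to the sources on this page.
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}

Candidate = Tuple[str, str, int]   # (next_hop, source, administrative_distance)


def parse_ip_route(command: str) -> Tuple[ipaddress.IPv4Network, str, int]:
    """Parse the next-hop form of the command described above:
    'ip route <destination_network> <mask> <next_hop_address> [administrative_distance]'.
    The exit-interface and permanent forms are not handled here."""
    tokens = command.split()
    if tokens[:2] != ["ip", "route"] or len(tokens) not in (5, 6):
        raise ValueError("unsupported ip route syntax: " + command)
    network = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
    next_hop = str(ipaddress.ip_address(tokens[4]))
    ad = int(tokens[5]) if len(tokens) == 6 else DEFAULT_AD["static"]
    if not 1 <= ad <= 255:
        raise ValueError("administrative distance must be 1-255")
    return network, next_hop, ad


class RoutingTable:
    """Keeps every candidate route per prefix and installs the one with the
    lowest administrative distance (a tie goes to the first one learned)."""

    def __init__(self) -> None:
        self.candidates: Dict[ipaddress.IPv4Network, List[Candidate]] = {}

    def add(self, prefix: str, next_hop: str, source: str, ad: Optional[int] = None) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        ad = DEFAULT_AD[source] if ad is None else ad
        self.candidates.setdefault(net, []).append((next_hop, source, ad))

    def add_static(self, command: str) -> None:
        net, next_hop, ad = parse_ip_route(command)
        self.candidates.setdefault(net, []).append((next_hop, "static", ad))

    def withdraw(self, prefix: str, next_hop: str) -> None:
        """Drop a candidate, as IOS does with a static route whose next hop
        becomes unreachable or with a dynamic route that ages out."""
        net = ipaddress.ip_network(prefix, strict=False)
        self.candidates[net] = [c for c in self.candidates.get(net, []) if c[0] != next_hop]

    def installed(self, prefix: str) -> Optional[Candidate]:
        net = ipaddress.ip_network(prefix, strict=False)
        cands = self.candidates.get(net)
        return min(cands, key=lambda c: c[2]) if cands else None


def r1_failover() -> Tuple[Optional[Candidate], Optional[Candidate]]:
    """R1 from the case study: returns the installed default route before and
    after the link to the ISP (next hop 172.16.1.2) is lost."""
    rib = RoutingTable()
    rib.add_static("ip route 0.0.0.0 0.0.0.0 172.16.1.2")      # default route, AD 1
    rib.add_static("ip route 0.0.0.0 0.0.0.0 172.16.3.2 5")    # floating static, AD 5
    before = rib.installed("0.0.0.0/0")
    rib.withdraw("0.0.0.0/0", "172.16.1.2")                   # Serial1/0 shut down
    after = rib.installed("0.0.0.0/0")
    return before, after


def static_vs_rip() -> Tuple[Optional[Candidate], Optional[Candidate]]:
    """The Note's point: a floating static with AD 125 yields to a RIP route
    (AD 120) for the same prefix and is installed only once RIP withdraws it.
    Next hops here are constructed for the example."""
    rib = RoutingTable()
    rib.add("192.168.4.0/24", "10.1.1.2", "rip")
    rib.add_static("ip route 192.168.4.0 255.255.255.0 10.1.1.9 125")
    with_rip = rib.installed("192.168.4.0/24")
    rib.withdraw("192.168.4.0/24", "10.1.1.2")                # RIP route aged out
    without_rip = rib.installed("192.168.4.0/24")
    return with_rip, without_rip


if __name__ == "__main__":
    print("R1 default route before/after link loss:", r1_failover())
    print("192.168.4.0/24 with/without RIP:", static_vs_rip())
```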
Case Study <IPV4 Static Routing>
An organization has interconnected three networks. All the networks need to
be connected statically to route traffic. The networks are able to access the
ISP. If any route to the ISP gets disconnected, it should still be able to
reach the ISP through a floating static route with a greater administrative
distance. The configuration has been implemented using IPV4.
Topology Diagram:
Figure 3-02: IPV4 Static Routing
Configuration
R1
Router>enable
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#ip routing
R1(config)#interface eth 0/0
R1(config-if)#ip add 192.168.100.1 255.255.255.0
R1(config-if)#duplex full
R1(config-if)#no shutdown
R1(config-if)#ex
R1(config)#
*Nov 28 05:49:42.907: %LINK-3-UPDOWN: Interface Ethernet0/0,
changed state to up
*Nov 28 05:49:43.911: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Ethernet0/0, changed state to up
R1(config)#
R1(config)#interface serial 1/0
R1(config-if)#ip add 172.16.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#ex
R1(config)#
R1(config)#
*Nov 28 05:50:09.320: %LINK-3-UPDOWN: Interface Serial1/0, changed
state to up
*Nov 28 05:50:10.320: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Serial1/0, changed state to up
R1(config)#
R1(config)#interface serial 1/2
R1(config-if)#ip add 172.16.3.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#ex
R1(config)#
*Nov 28 05:50:28.633: %LINK-3-UPDOWN: Interface Serial1/2, changed
state to up
*Nov 28 05:50:29.640: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Serial1/2, changed state to up
R1(config)#
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
//Default route
R1(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2
//Floating static route
R1(config)#ip route 0.0.0.0 0.0.0.0 172.16.3.2 5
//Host route
R1(config)#ip route 8.8.8.8 255.255.255.255 172.16.1.2
//Network route
R1(config)#ip route 192.168.200.0 255.255.255.0 172.16.3.2
R1(config)#
R2
Router>
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#ip routing
R2(config)#interface eth 0/0
R2(config-if)#ip add 192.168.200.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#ex
R2(config)#
*Nov 28 05:56:01.551: %LINK-3-UPDOWN: Interface Ethernet0/0,
changed state to up
*Nov 28 05:56:02.555: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Ethernet0/0, changed state to up
R2(config)#
R2(config)#interface serial 1/2
R2(config-if)#ip add 172.16.3.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#ex
R2(config)#
R2(config)#interface serial 1/1
R2(config-if)#ip add 172.16.2.1 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#ex
R2(config)#
*Nov 28 05:57:04.314: %LINK-3-UPDOWN: Interface Serial1/1, changed
state to up
*Nov 28 05:57:05.314: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Serial1/1, changed state to up
R2(config)#
//Default route
R2(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
//Floating static route
R2(config)#ip route 0.0.0.0 0.0.0.0 172.16.3.1 5
//Host route
R2(config)#ip route 8.8.8.8 255.255.255.255 172.16.2.2
//Network route
R2(config)#ip route 192.168.100.0 255.255.255.0 172.16.3.1
R2(config)#
ISP
Router>
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip routing
Router(config)#interface serial 1/0
Router(config-if)#ip add 172.16.1.2 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#ex
Router(config)#interface serial 1/1
Router(config-if)#ip add 172.16.2.2 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#ex
Router(config)#hostname ISP
ISP(config)#interface loopback 0
ISP(config-if)#
*Nov 28 05:59:55.412: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Loopback0, changed state to up
ISP(config-if)#ip add 8.8.8.8 255.255.255.255
ISP(config-if)#no shutdown
ISP(config-if)#ex
ISP(config)#
//Network route
ISP(config)#ip route 192.168.200.0 255.255.255.0 172.16.2.1
ISP(config)#ip route 192.168.100.0 255.255.255.0 172.16.1.1
ISP(config)#
//Floating static route
ISP(config)#ip route 192.168.100.0 255.255.255.0 172.16.2.1 5
ISP(config)#ip route 192.168.200.0 255.255.255.0 172.16.1.1 5
ISP(config)#
Verification
As shown, the default route is passing the traffic from R1’s serial interface
to the directly connected ISP interface (172.16.1.2).
The network route is working properly. User11 can successfully ping the
192.168.200.1 node.
Now, shut down the serial link between R1 and the ISP to test the floating
static route.
R1(config)#interface serial 1/0
R1(config-if)#shutdown
R1(config-if)#ex
R1(config)#
*Nov 28 06:22:15.373: %LINK-5-CHANGED: Interface Serial1/0,
changed state to administratively down
*Nov 28 06:22:16.380: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Serial1/0, changed state to down
R1(config)#
ISP(config)#interface serial 1/0
ISP(config-if)#sh
ISP(config-if)#ex
ISP(config)#
*Nov 28 06:22:45.066: %LINK-5-CHANGED: Interface Serial1/0,
changed state to administratively down
*Nov 28 06:22:46.066: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Serial1/0, changed state to down
ISP(config)#
Now, the floating static route is added to the routing table.
As shown, the backup route is added to the routing table with the configured
administrative distance value 5.
Now, run a packet trace to test whether the backup route is successfully
delivering the packets.
As shown, the backup route is functional and R1 is passing the traffic via R2
(172.16.3.2) to the ISP.
Case Study <IPv6 Static Routing>
An organization has interconnected three networks. All the networks need to
be connected statically to route traffic. The networks are able to access the
ISP. If any of the route to ISP, let’s say the link between R1 and ISP, gets
disconnected, it should be able to access the ISP through the floating static
route with a greater administrative distance. The configuration has now been
implemented using IPv6.
Topology Diagram
Figure 3-03: IPV6 Static Routing
Configuration
R1
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#ipv6 unicast-routing
R1(config)#interface eth 0/0
R1(config-if)#ipv6 add 2001:AAAA:BBBB:0001::1/64
R1(config-if)#no sh
R1(config-if)#ex
R1(config)#
*Nov 28 05:49:42.907: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Nov 28 05:49:43.911: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0,
changed state to up
R1(config)#
R1(config)#interface serial 1/0
R1(config-if)# ipv6 add 2001:AAAA:BBBB:0004::1/64
R1(config-if)#no sh
R1(config-if)#ex
R1(config)#
*Nov 28 05:50:09.320: %LINK-3-UPDOWN: Interface Serial1/0, changed state to up
*Nov 28 05:50:10.320: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed
state to up
R1(config)#
R1(config)#interface serial 1/2
R1(config-if)# ipv6 add 2001:AAAA:BBBB:0003::1/64
R1(config-if)#no sh
R1(config-if)#ex
R1(config)#
*Nov 28 05:50:28.633: %LINK-3-UPDOWN: Interface Serial1/2, changed state to up
*Nov 28 05:50:29.640: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/2, changed
state to up
R1(config)#
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
//Default route
R1(config)#ipv6 route ::/0 2001:AAAA:BBBB:4::2
//Floating static route
R1(config)#ipv6 route ::/0 2001:AAAA:BBBB:3::2 100
//Network route
R1(config)#ipv6 route 2001:AAAA:BBBB:0002::1/64 2001:AAAA:BBBB:0003::2
R1(config)#
R2
Router>
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)# ipv6 unicast-routing
R2(config)#interface e0/0
R2(config-if)#ipv6 add 2001:AAAA:BBBB:0002::1/64
R2(config-if)#no sh
R2(config-if)#ex
R2(config)#
*Nov 28 05:56:01.551: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Nov 28 05:56:02.555: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0,
changed state to up
R2(config)#
R2(config)#interface serial 1/2
R2(config-if)#ipv6 add 2001:AAAA:BBBB:0003::2/64
R2(config-if)#no sh
R2(config-if)#ex
R2(config)#
R2(config)#interface s1/1
R2(config-if)#ipv6 add 2001:AAAA:BBBB:0005::1/64
R2(config-if)#no sh
R2(config-if)#ex
R2(config)#
*Nov 28 05:57:04.314: %LINK-3-UPDOWN: Interface Serial1/1, changed state to up
*Nov 28 05:57:05.314: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/1, changed
state to up
R2(config)#
//Default route
R2(config)# ipv6 route ::/0 2001:AAAA:BBBB:0005::2
//Floating static route
R2(config)#ipv6 route ::/0 2001:AAAA:BBBB:0003::1 100
//Network route
R2(config)#ipv6 route 2001:AAAA:BBBB:0001::2/64 2001:AAAA:BBBB:0003::1
R2(config)#
ISP
Router>
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ipv6 unicast-routing
Router(config)#hostname ISP
ISP(config)#interface serial 1/1
ISP(config-if)#ipv6 add 2001:AAAA:BBBB:0005::2/64
ISP(config-if)#no sh
ISP(config-if)#ex
ISP(config)#interface serial 1/0
ISP(config-if)#ipv6 add 2001:AAAA:BBBB:0004::2/64
ISP(config-if)#no sh
ISP(config-if)#ex
ISP(config)#hostname ISP
ISP(config)#interface loopback 0
ISP(config-if)#
*Nov 28 05:59:55.412: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0,
changed state to up
ISP(config-if)#ipv6 add 2001:AAAA:BBBB:0000::1/128
ISP(config-if)#no sh
ISP(config-if)#ex
ISP(config)#
//Default route
ISP(config)#ipv6 route ::/0 2001:AAAA:BBBB:0004::1
ISP(config)#ipv6 route ::/0 2001:AAAA:BBBB:0005::1
//Network route
ISP(config)#ipv6 route 2001:AAAA:BBBB:0001::0/64 2001:AAAA:BBBB:0004::1
ISP(config)#ipv6 route 2001:AAAA:BBBB:0002::0/64 2001:AAAA:BBBB:0005::1
ISP(config)#ipv6 route 2001:AAAA:BBBB:003::0/64 2001:AAAA:BBBB:0005::1
//Floating static route
ISP(config)#ipv6 route ::/64 2001:AAAA:BBBB:0005::0 100
ISP(config)#ipv6 route ::/64 2001:AAAA:BBBB:0004::0 100
ISP(config)#
Verification
R1#show ip route
Now turn down the serial link between R1 and ISP for testing Floating
Static route.
R1(config)#interface serial 1/0
R1(config-if)#sh
R1(config-if)#ex
R1(config)#
*Nov 28 06:22:15.373: %LINK-5-CHANGED: Interface Serial1/0,
changed state to administratively down
*Nov 28 06:22:16.380: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Serial1/0, changed state to down
R1(config)#
ISP(config)#interface serial 1/0
ISP(config-if)#sh
ISP(config-if)#ex
ISP(config)#
*Nov 28 06:22:45.066: %LINK-5-CHANGED: Interface Serial1/0,
changed state to administratively down
*Nov 28 06:22:46.066: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Serial1/0, changed state to down
ISP(config)#
Now, the floating static route is added to the routing table.
As shown, the backup route is added to the routing table with the configured
administrative distance value 100.
As shown, the backup route is functional and R1 is passing the traffic via R2
(2001:AAAA:BBBB:0003::2) to the ISP interface
2001:AAAA:BBBB:0005::2.
Traceroute Loopback Output
In the output above the route to loopback address has been traced. As it is
shown clearly in the figure above, the traffic from virtual user is first sent
to the next hop that is 2001:AAAA:BBBB:1::1 then it takes the route of
network 3 at the interface 2001:AAAA:BBBB:3::2 and finally reaches the
destination 2001:AAAA:BBBB::1.
Single Area OSPFv2
Configuring basic OSPF is not as simple as configuring RIP and EIGRP, and
it can get really complex once the many options that are allowed within
OSPF are factored in. But that's okay because you really only need to focus
on the basic, single-area OSPF configuration at this point.
Next, we will show you how to configure single-area OSPF. The two factors
that are foundational to OSPF configuration are enabling OSPF and
configuring OSPF areas.
Common terminologies for OSPF are:
Router Types:
Internal Router: All interfaces reside within the same area
Backbone Router: A router with an interface in area 0 (the
backbone)
Area Border Router (ABR): Connects two or more areas
Autonomous System Boundary Router (ASBR): Connects to
additional routing domains, typically located at the backbone
Area Types:
Standard Area: Default OSPF area type
Stub Area: External link (type 5) LSAs are replaced with a default
route
Totally Stubby Area: Type 3, 4, and 5 LSAs are replaced with a
default route
Not So Stubby Area (NSSA): A stub area containing an ASBR;
type 5 LSAs are converted to type 7 within the area
Enabling Single-Area OSPF: The easiest and also least scalable way to
configure OSPF is to use a single area. Doing this requires a minimum of two
commands.
The first command used to activate the OSPF routing process is as follows:
Router(config)#router ospf ?
<1-65535>  Process ID
The following commands are used to enable OSPF on the interfaces matched by
the network statement, which is how neighbor adjacencies are formed, and to
set the router ID:
Router(config-router)#network 10.0.1.0 0.0.0.255 area 0
Router(config-router)#router-id 1.1.1.1
The OSPF process ID values range from 1 to 65535.
Purpose: the process ID is used to enable one or more OSPF processes on a
router. An OSPF process can be removed by using the no form of the
command.
A value in the range from 1 to 65,535 identifies the OSPF process ID. It is a
unique number on this router that groups a series of OSPF configuration
commands under a specific running process. Different OSPF routers do not
have to use the same process ID to communicate.
The Show IP OSPF Interface Command
The show ip ospf interface command reveals all interface-related OSPF
information. Data is displayed about OSPF information for all OSPF-enabled
interfaces or for specified interfaces. Here are some of the more important
factors highlighted for you:
Router#show ip ospf interface gigabitethernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 10.0.0.2/8, Area 1
Process ID 2, Router ID 192.168.3.1, Network Type BROADCAST,
Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.1.1, Interface address 10.0.0.1
Backup Designated Router (ID) 192.168.3.1, Interface address 10.0.0.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.168.1.1 (Designated Router)
Suppress hello for 0 neighbor(s)
So this command has given us the following information:
Interface IP Address
Area Assignment
Process ID
Router ID
Network Type
Cost
Priority
DR/BDR Election Information (if applicable)
Hello and Dead Timer Intervals
Adjacent Neighbor Information
The reason the show ip ospf interface g0/0 command is used is because there
would be a designated router elected on the GigabitEthernet broadcast multi-
access network.
The show ip ospf neighbor command is super-useful because it summarizes
the pertinent OSPF information regarding neighbors and the adjacency state.
If a DR or BDR exists, that information will also be displayed. Here is a
sample:
Router#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.1.1 1 FULL/DR 00:00:38 10.0.0.1 GigabitEthernet0/0
192.168.2.1 1 FULL/BDR 00:00:38 11.0.0.1 GigabitEthernet0/1
The Show IP Protocols Command
The show ip protocols command is also highly useful, whether you are
running OSPF, EIGRP, RIP, BGP, IS-IS, or any other routing protocol that
can be configured on your router. It provides an excellent overview of the
actual operation of all running protocols.
Area0-R1#show ip protocols
Router#show ip protocol
Routing Protocol is "ospf 2"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 192.168.3.1
Number of areas in this router is 3. 3 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
192.168.3.0 0.0.0.255 area 0
10.0.0.0 0.255.255.255 area 1
11.0.0.0 0.255.255.255 area 2
Routing Information Sources:
Gateway Distance Last Update
192.168.1.1 110 00:23:43
192.168.2.1 110 00:21:40
192.168.3.1 110 00:21:41
Distance: (default is 110)
Figure 3-07: Showing the IP Protocols
The table below defines OSPF verification commands (commands marked [assumed] are supplied here to match their description, because the command cell itself did not survive; the descriptions are the source's own):
Command | Description
show ip ospf interface brief [assumed] | Verifies your OSPF-enabled interfaces
show ip ospf interface | Displays OSPF-related information on an OSPF-enabled interface
show ip ospf neighbor | Summarizes the OSPF neighbors and their adjacency state
show ip protocols | Verifies the OSPF process ID and that OSPF is enabled on the router
show ip route [assumed] | Verifies the routing table, and displays any OSPF-injected routes
show ip ospf database [assumed] | Lists a summary of the LSAs in the database, with one line of output per LSA, organized by type
Table 3-04: OSPF Verification Commands
Loopback Interfaces are logical interfaces, which means that they are
virtual, software-only interfaces, not actual, physical router interfaces. A big
reason we use loopback interfaces with OSPF configurations is because they
ensure that an interface is always active and available for OSPF processes.
Loopback interfaces also come in very handy for diagnostic purposes as well
as for OSPF configuration. Understand that if you do not configure a
loopback interface on a router, the highest active IP address on a router will
become that router's RID during boot-up:
City_X(config)#interf loopback 0
City_X(config-if)#ip address 172.31.1.2 255.255.255.0
City_X(config-if)#no sh
Neighbor Adjacency
Before two OSPFv2 interfaces can be considered neighbors, the local interface must have a configuration compatible with the remote interface. The following criteria must match on the two OSPFv2 interfaces:
Hello Interval
Dead Interval
Area ID 
Authentication
Optional Capabilities
If a match is found, the neighbor is entered into the neighbor table with the following fields:
Neighbor ID: The router ID of the neighbor
Priority: The priority of the neighbor
State: Indicates whether the neighbor has just been heard from, bidirectional communication is set up, link-state information is being shared, or full adjacency has been achieved
Dead Time: Indicates the time since the last Hello packet was received from this neighbor
IP Address: The neighbor's IP address
Designated Router: Indicates whether the neighbor has been declared the designated router or the backup designated router
Local Interface: The local interface that received the Hello packet for this neighbor
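As an added example (not part of the original text), the following Python parses two constructed "show ip ospf interface" outputs, modelled on the format shown earlier on this page, and reports which of the neighbor criteria listed above differ between the two ends. The authentication lines are assumed to appear in the IOS wording "Message digest authentication enabled" / "Simple password authentication enabled"; the process ID is parsed but deliberately not compared, since neighbors need not share it.

```python
import re

# Constructed sample outputs, modelled on the "show ip ospf interface" format
# shown earlier on this page; they were not captured from a real device.
R1_OUT = """\
GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.0.0.2/8, Area 1
  Process ID 2, Router ID 192.168.3.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
"""

# The far end of the same segment, with timers and authentication that were
# deliberately changed so the check has something to report.
R2_OUT = """\
GigabitEthernet0/1 is up, line protocol is up
  Internet address is 10.0.0.1/8, Area 1
  Process ID 7, Router ID 192.168.1.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
  Message digest authentication enabled
"""


def parse_ospf_interface(text):
    """Extract the fields that decide whether two interfaces can be neighbors."""
    fields = {}
    m = re.search(r"Internet address is (\S+), Area (\S+)", text)
    fields["address"], fields["area"] = m.group(1), m.group(2)
    m = re.search(r"Process ID (\d+), Router ID (\S+), Network Type (\S+),", text)
    fields["process_id"] = m.group(1)
    fields["router_id"] = m.group(2)
    fields["network_type"] = m.group(3)
    m = re.search(r"Hello (\d+), Dead (\d+)", text)
    fields["hello"], fields["dead"] = int(m.group(1)), int(m.group(2))
    # Assumed IOS wording for the optional authentication lines.
    if "Message digest authentication enabled" in text:
        fields["auth"] = "md5"
    elif "Simple password authentication enabled" in text:
        fields["auth"] = "simple"
    else:
        fields["auth"] = "none"
    return fields


# The criteria listed on this page. The process ID is absent on purpose:
# it does not have to match between neighbors.
CRITERIA = [
    ("Hello Interval", "hello"),
    ("Dead Interval", "dead"),
    ("Area ID", "area"),
    ("Authentication", "auth"),
]


def neighbor_mismatches(local, remote):
    """Return the names of the criteria on which the two interfaces differ."""
    return [name for name, key in CRITERIA if local[key] != remote[key]]


def can_be_neighbors(local, remote):
    """True when every criterion matches, i.e. a neighbor relationship can form."""
    return not neighbor_mismatches(local, remote)


if __name__ == "__main__":
    a, b = parse_ospf_interface(R1_OUT), parse_ospf_interface(R2_OUT)
    print("mismatches:", neighbor_mismatches(a, b))
```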
Adjacency
Not all neighbors establish an adjacency. Depending on the network type and the designated router election, some neighbors become fully adjacent and share LSAs with each other. (For more information, see the "Designated Routers" section.)
OSPF uses Database Description packets, Link State Request packets, and Link State Update packets to establish the adjacency. The Database Description packet carries only the LSA headers from the neighbor's link-state database.
The local router compares these headers with its own link-state database and determines which LSAs are new or updated. For each such LSA, the local router sends a Link State Request packet asking for the new or updated information. The neighbor responds with a Link State Update packet. This exchange continues until both routers have the same link-state information.
Point-to-Point
Open Shortest Path First (OSPF) uses the point-to-point network type on point-to-point links such as High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP); on these links it is the default network type. OSPF also supports other network types: Point-to-Multipoint, Broadcast, and Non-Broadcast. Issue the show ip ospf interface command to check the network type of an interface running OSPF.
Broadcast (DR/BDR Selection)
The role of the Designated Router (DR) and Backup Designated Router (BDR) is to act as a central point for exchanging OSPF information between multiple routers on the same multi-access broadcast network segment. Non-DR and non-BDR routers exchange routing information only with the DR and BDR instead of exchanging updates with every other router on the segment, which significantly reduces the amount of OSPF routing updates.
Note
OSPF does not elect DR/BDR roles on point-to-point links, i.e., between two directly connected routers.
Election
The routers on a segment go through an election process to elect a DR and BDR. The winner is determined by two rules:
Priority: The router with the highest priority wins the election. The default priority is 1, and it is configured per interface.
Router ID: If there is a tie, the highest router ID wins the election.
2-way
A full relationship is formed with the Designated and Backup Designated Routers. With the other non-DR and non-BDR routers, only the 2-way neighbor state is formed: they send and receive each other's Hellos but do not exchange any routing updates.
Router ID
The OSPF Router-ID is selected in the following order:
1. A 32-bit Router-ID configured manually
2. If 1 is not configured, the highest IP address of a loopback interface
3. If neither 1 nor 2 is configured, the highest IP address of any active interface
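As an added example (not from the original text), the following Python implements the Router-ID selection order above and the DR/BDR election rules (highest priority, then highest router ID). It goes slightly beyond the page in one known respect: an interface priority of 0 makes a router ineligible for DR/BDR, so such routers are skipped. The sample router IDs are those of the case study later in this chapter.

```python
import ipaddress


def _ip_key(ip):
    """Numeric value of a dotted-quad address, so 'highest IP' compares correctly."""
    return int(ipaddress.IPv4Address(ip))


def select_router_id(manual_rid, loopback_ips, active_interface_ips):
    """Apply the three-step Router-ID selection order: manual, then highest
    loopback address, then highest address of any active interface."""
    if manual_rid:
        return manual_rid
    for pool in (loopback_ips, active_interface_ips):
        if pool:
            return max(pool, key=_ip_key)
    return None  # no usable address: the OSPF process cannot start


def elect_dr_bdr(routers):
    """routers: list of (router_id, priority) for one multi-access segment.
    Highest priority wins; ties are broken by the highest router ID.
    Returns (dr, bdr); the BDR is the runner-up, or None if there is none."""
    # Priority 0 means "never become DR/BDR" (a known OSPF rule not stated on
    # this page), so those routers are left out of the ranking.
    eligible = [(rid, pri) for rid, pri in routers if pri > 0]
    ranked = sorted(eligible, key=lambda r: (r[1], _ip_key(r[0])), reverse=True)
    dr = ranked[0][0] if ranked else None
    bdr = ranked[1][0] if len(ranked) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    # Routers R1, R3, R4 and R5 of the case study all sit on 172.16.1.0/24
    # with default priority 1, so the highest router ID becomes DR.
    segment = [("1.1.1.2", 1), ("1.1.1.5", 1), ("1.1.1.4", 1), ("1.1.1.3", 1)]
    print("DR/BDR:", elect_dr_bdr(segment))
    print("RID:", select_router_id(None, ["172.31.1.2"], ["10.0.0.2", "192.168.3.1"]))
```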
Purpose of First Hop Redundancy Protocol
First Hop Redundancy Protocols (FHRPs) are used to provide gateway redundancy. The FHRP class of redundancy protocols includes VRRP (Virtual Router Redundancy Protocol), HSRP (Hot Standby Router Protocol), and GLBP (Gateway Load Balancing Protocol). These protocols protect against a single point of failure at the default gateway and may also provide load balancing if multiple uplinks are available at the first-hop routers.
Scenario
Three redundant routers are presented in the figure above. In this case no routing protocol runs between the gateways and the end users. Redundancy is provided between the gateway routers, which are multilayer switches. By sharing all these gateways, a virtual gateway is created that allows any of the gateways to be used without dynamic protocols. In this virtual redundancy, the virtual gateways are allowed to send traffic to the physical devices. If any of the gateways fails, the other redundant router takes charge and starts sending the packets to the outside world.
Both HSRP and VRRP enable two or more routers on a LAN to work together in a group. The routers in the group share a single group IP address, which is configured on each host as the default gateway. In an HSRP or VRRP group, one router is elected to handle all requests sent to the group IP address; it is called the active router with HSRP and the master router with VRRP. There must be at least one standby router with HSRP and at least one backup router with VRRP.
Gateway Load Balancing Protocol (GLBP) goes a step beyond VRRP and HSRP: it provides load balancing in addition to redundancy.
The first hop for packets from a particular LAN, or VLAN to be more accurate, is a default gateway used to reach a remote network. The routers can forward the packets as long as their routing table holds a route to the intended remote network or a default route. If that first hop ever goes down, the particular network becomes incapable of communicating with the outside world; only local communication across the switched domain remains possible.
Because First Hop Redundancy Protocols allow default gateway redundancy, it is suggested to have more than one default gateway enabled. A backup device then kicks in, almost transparently to users, in the event of a router failure. Traffic to remote networks continues to be forwarded, avoiding isolation.
Types of Redundancy Protocols
The first hop redundancy protocols that can be used for this purpose fall into the following three categories:
HSRP (Hot Standby Router Protocol)
VRRP (Virtual Router Redundancy Protocol)
GLBP (Gateway Load Balancing Protocol)
HSRP:
It is a Cisco proprietary protocol and was the first ever first hop redundancy protocol
HSRP is enabled on a particular interface, and this interface is part of a "standby" group
Besides the physical IP address of the defined interface, there is a virtual IP address in the same subnet
The idea is to perform a similar configuration on an interface belonging to another router
Redundancy is generated in this way
Different interfaces on different devices share the same virtual IP address
The hosts in a network are assigned the virtual IP address as their default gateway
https://en.wikipedia.org/wiki/Category:First-hop_redundancy_protocols
There will always be a consistent gateway that you can reach regardless of which router is active
HSRP has an active/standby relationship, which means that one device forwards packets while the other device stands by and just listens.
VRRP:
The IETF (Internet Engineering Task Force) started working on a standards-based FHRP, and the result was VRRP
VRRP is not significantly different from HSRP; it is really just the "open" version of it
The differences between the two protocols are very minimal
HSRP versus VRRP Comparison Table
HSRP | VRRP
Proprietary | Standards based
RFC 2281 | RFC 3768
Separate IP address needed for the virtual router | Can use the physical IP address of the virtual router, if needed, saving IP space
One master, one standby, all others are listening | One master, all other routers are backup
More familiar to most network engineers | Less familiar, yet very similar
Can track an interface for failover | Can track an interface for failover (depending on operating system and version, it can also track the reachability of an IP address)
All HSRP routers use multicast Hello packets to 224.0.0.2 (all routers) for version 1 or 224.0.0.102 for version 2 | All VRRP routers use IP protocol number 112 (VRRP) to communicate via multicast IP address 224.0.0.18
All virtual routers must use MAC address 0000.0c07.acXX, where XX is the group ID | All virtual routers must use 00-00-5E-00-01-XX as their Media Access Control (MAC) address
Table 3-05: HSRP versus VRRP Comparison
GLBP
GLBP is the most advanced of the three FHRP protocols. The main goal of GLBP is to improve resource utilization by achieving built-in load balancing between participating routers.
When using HSRP or VRRP for gateway redundancy, load balancing between different VLANs can be achieved by configuring different standby groups with different priorities on each router, producing an "active-active" design. This avoids wasting the capabilities of a full router while it waits for the others to fail.
Although this is still a common practice, it can be administratively burdensome and might not scale as one would wish. GLBP was created so that the protocol would natively provide both redundancy and load balancing.
GLBP is a Cisco proprietary tool that takes HSRP and VRRP to the next level. It provides first hop redundancy and a load-balancing mechanism for the clients. As with HSRP and VRRP, routers participating in GLBP must be members of the same group. Once all the routers are in the same group, one router is elected the AVG (Active Virtual Gateway). The AVG is elected on the highest priority, falling back to the highest IP address if the priorities match. One router is the AVG and up to three others can be AVFs (Active Virtual Forwarders), so up to four routers in total can be in the same GLBP group. The four-router limit applies to routers that actively forward traffic. A fifth or later router that joins becomes an SVF (Standby Virtual Forwarder) and takes the place of an AVF in case of failure. An SVG (Standby Virtual Gateway) also plays a role.
GLBP balances traffic by having the AVG assign each AVF a virtual MAC address. When an ARP request comes in for the virtual IP, the AVG answers the client's ARP request with one of the AVFs' virtual MACs.
Note
Some documentation uses the term SVF to describe a router that is above and beyond the four-router AVF limit. Other documentation uses SVF to describe an active AVF that is ready to take over another AVF's role in case of failure. Router 1 is an SVF for routers 2, 3, 4 and 5.
Figure 3-04: GLBP Routers
There are five GLBP routers in this example. The bare minimum GLBP configuration is put on each router, and that configuration is used to examine what has occurred.
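As an added example (not part of the original text or Cisco's implementation), the following Python models the AVG behaviour described above for the five-router scenario: AVG election by highest priority then highest IP, assignment of a virtual MAC to each of up to four AVFs, round-robin ARP replies for the virtual IP, and an SVF taking over a failed AVF's forwarder number. The virtual MAC format 0007.b400.GGFF (GG = group, FF = forwarder number) is the known GLBP convention and is not stated on this page; router names are constructed.

```python
import ipaddress
from collections import deque


def elect_avg(routers):
    """routers: list of (interface_ip, priority). Highest priority wins,
    highest IP address breaks a tie. Returns the winning router's IP."""
    return max(routers, key=lambda r: (r[1], int(ipaddress.IPv4Address(r[0]))))[0]


class GlbpAvg:
    """Minimal model of the Active Virtual Gateway's bookkeeping for one group."""

    MAX_AVF = 4  # the four-router forwarding limit described on this page

    def __init__(self, group, routers):
        self.group = group
        self.forwarders = {}    # forwarder number (1..4) -> router name (the AVFs)
        self.standby = deque()  # SVFs waiting for a forwarder slot to free up
        self.rr = deque()       # round-robin order of forwarder numbers for ARP replies
        for name in routers:
            self.join(name)

    def vmac(self, n):
        """Virtual MAC handed to forwarder n (known GLBP format, assumption here)."""
        return "0007.b400.%02x%02x" % (self.group, n)

    def join(self, name):
        """A router joins the group: it becomes an AVF if a slot is free, else an SVF."""
        free = [n for n in range(1, self.MAX_AVF + 1) if n not in self.forwarders]
        if free:
            n = free[0]
            self.forwarders[n] = name
            self.rr.append(n)
            return self.vmac(n)
        self.standby.append(name)
        return None

    def arp_reply(self):
        """Answer an ARP request for the virtual IP with the next AVF's virtual MAC,
        which is how GLBP spreads clients across forwarders."""
        n = self.rr[0]
        self.rr.rotate(-1)
        return self.vmac(n)

    def fail(self, name):
        """An AVF goes down: its forwarder number (and virtual MAC) passes to the
        first SVF, so clients holding that MAC keep a working gateway."""
        for n, router in list(self.forwarders.items()):
            if router == name:
                if self.standby:
                    self.forwarders[n] = self.standby.popleft()
                else:
                    del self.forwarders[n]
                    self.rr.remove(n)
                return n
        return None


if __name__ == "__main__":
    avg = GlbpAvg(1, ["R1", "R2", "R3", "R4", "R5"])   # R5 becomes the SVF
    print([avg.arp_reply() for _ in range(5)])
    avg.fail("R2")
    print(avg.forwarders)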
Case Study <OSPF>
An organization needs to extend its business and spread its branches across multiple countries. To fulfil this need, it opens a new branch in a city. The organization needs to configure the network for that branch and connect that internal network with the backbone network of the company. The network admin of the organization decided to implement the OSPF routing protocol to fulfil the network requirements. Below is the network topology diagram suggested by the network admin.
Topology Diagram
Figure 3-05: OSPF Routing
Configuration
R1
R1>
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#router ospf 1
R1(config-router)#
*Nov 27 03:00:23.591: %OSPF-4-NORTRID: OSPF process 1 failed to
allocate unique router-id and cannot start
R1(config-router)#router-id ?
A.B.C.D OSPF router-id in IP address format
R1(config-router)#router-id 1.1.1.2
R1(config-router)#network 10.0.0.0 0.0.0.3 area 0
R1(config-router)#network 172.16.1.0 0.0.0.255 area 0
R1(config-router)#ex
R1(config)#interface fa 1/0
R1(config-if)#ip add 10.0.0.2 255.255.255.252
R1(config-if)#ip ospf network point-to-point
R1(config-if)#no sh
R1(config-if)#ex
R1(config)#
*Nov 27 03:01:23.067: %LINK-3-UPDOWN: Interface FastEthernet1/0,
changed state to up
*Nov 27 03:01:24.067: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet1/0, changed state to up
*Nov 27 03:01:26.859: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.1 on
FastEthernet1/0 from LOADING to FULL, Loading Done
R1(config)#interface fa 0/0
R1(config-if)#ip add 172.16.1.1 255.255.255.0
R1(config-if)#ip ospf network broadcast
R1(config-if)#no shutdown
R1(config-if)#ex
R1(config)#
*Nov 27 03:02:21.483: %LINK-3-UPDOWN: Interface FastEthernet0/0,
changed state to up
*Nov 27 03:02:22.483: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet0/0, changed state to up
R2
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
//Configuring ospf
R2(config)#router ospf 1
R2(config-router)#network 10.0.0.0 0.0.0.3 area 0
R2(config-router)#router-id 1.1.1.1
R2(config-router)#ex
R2(config)#interface fa 0/0
R2(config-if)#ip add 10.0.0.1 255.255.255.252
R2(config-if)#ip ospf network ?
broadcast Specify OSPF broadcast multi-access network
non-broadcast Specify OSPF NBMA network
point-to-multipoint Specify OSPF point-to-multipoint network
point-to-point Specify OSPF point-to-point network
R2(config-if)#ip ospf network point-to-point
R2(config-if)#no shutdown
R2(config-if)#ex
R2(config)#
*Nov 27 02:57:32.947: %LINK-3-UPDOWN: Interface FastEthernet0/0,
changed state to up
*Nov 27 02:57:33.947: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet0/0, changed state to up
R3
Router>
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
//Configuring ospf
R3(config)#router ospf 1
*Nov 27 03:23:33.283: %OSPF-4-NORTRID: OSPF process 1 failed to
allocate unique router-id and cannot start
R3(config-router)#router-id 1.1.1.5
R3(config-router)#network 172.16.1.0 0.0.0.255 area 0
R3(config-router)#network 192.168.3.0 0.0.0.255 area 0
R3(config-router)#passive-interface fastEthernet 1/0
R3(config-router)#ex
R3(config)#interface fa 0/0
R3(config-if)#ip add 172.16.1.4 255.255.255.0
R3(config-if)#ip ospf network broadcast
R3(config-if)#no shutdown
R3(config-if)#ex
R3(config)#interface fa 1/0
R3(config-if)#ip add 192.168.3.1 255.255.255.0
R3(config-if)#no sh
R3(config-if)#ex
R3(config)#
*Nov 27 03:23:36.171: %LINK-3-UPDOWN: Interface FastEthernet0/0,
changed state to up
*Nov 27 03:23:36.483: %LINK-3-UPDOWN: Interface FastEthernet1/0,
changed state to up
*Nov 27 03:23:37.171: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet0/0, changed state to up
*Nov 27 03:23:37.483: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet1/0, changed state to up
*Nov 27 03:23:43.091: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.2 on
FastEthernet0/0 from LOADING to FULL, Loading Done
*Nov 27 03:23:43.095: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.3 on
FastEthernet0/0 from LOADING to FULL, Loading Done
R4
Router>
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R4
//Configuring ospf
R4(config)#router ospf 1
*Nov 27 03:21:19.795: %OSPF-4-NORTRID: OSPF process 1 failed to
allocate unique router-id and cannot start
R4(config-router)#router-id 1.1.1.4
R4(config-router)#network 172.16.1.0 0.0.0.255 area 0
R4(config-router)#network 192.168.2.0 0.0.0.255 area 0
R4(config-router)#passive-interface fastEthernet 1/0
R4(config-router)#ex
R4(config)#interface fa 0/0
R4(config-if)#ip add 172.16.1.3 255.255.255.0
R4(config-if)#ip ospf network broadcast
R4(config-if)#no shutdown
R4(config-if)#ex
R4(config)#interface fa 1/0
R4(config-if)#ip add 192.168.2.1 255.255.255.0
R4(config-if)#no shutdown
R4(config-if)#ex
*Nov 27 03:21:22.667: %LINK-3-UPDOWN: Interface FastEthernet0/0,
changed state to up
*Nov 27 03:21:22.999: %LINK-3-UPDOWN: Interface FastEthernet1/0,
changed state to up
*Nov 27 03:21:23.667: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet0/0, changed state to up
*Nov 27 03:21:23.999: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet1/0, changed state to up
*Nov 27 03:21:33.127: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.2 on
FastEthernet0/0 from LOADING to FULL, Loading Done
*Nov 27 03:21:33.127: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.3 on
FastEthernet0/0 from LOADING to FULL, Loading Done
R5
Router>
Router>en
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R5
//Configuring ospf
R5(config)#router ospf 1
R5(config-router)#
*Nov 27 03:18:14.287: %OSPF-4-NORTRID: OSPF process 1 failed to
allocate unique router-id and cannot start
R5(config-router)#router-id 1.1.1.3
R5(config-router)#network 172.16.1.0 0.0.0.255 area 0
R5(config-router)#network 192.168.1.0 0.0.0.255 area 0
R5(config-router)#passive-interface fastEthernet 1/0
R5(config-router)#ex
R5(config)#interface fa 0/0
R5(config-if)#ip add 172.16.1.2 255.255.255.0
R5(config-if)#ip ospf network broadcast
R5(config-if)#no shutdown
R5(config-if)#ex
R5(config)#
*Nov 27 03:19:15.483: %LINK-3-UPDOWN: Interface FastEthernet0/0,
changed state to up
*Nov 27 03:19:16.483: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet0/0, changed state to up
*Nov 27 03:19:24.695: %OSPF-5-ADJCHG: Process 1, Nbr 1.1.1.2 on
FastEthernet0/0 from LOADING to FULL, Loading Done
R5(config)#interface fa 1/0
R5(config-if)#ip add 192.168.1.1 255.255.255.0
R5(config-if)#no shutdown
R5(config-if)#ex
R5(config)#
*Nov 27 03:19:42.995: %LINK-3-UPDOWN: Interface FastEthernet1/0,
changed state to up
*Nov 27 03:19:43.995: %LINEPROTO-5-UPDOWN: Line protocol on
Interface FastEthernet1/0, changed state to up
Verification
1. Verify the Connectivity
Ping from any user PC to R2 interface using “Ping 10.0.0.1” command:
Successful ping shows end-to-end connectivity.
Now, run the command “show ip route” on R2 for routing table verification.
2. Verify the configuration on R2
R2#show ip route
From the output above, it is clear that traffic from R2 to networks that are not directly connected will be routed via next hop 10.0.0.2, learned through OSPF with administrative distance 110. R2 has learned the remote networks 192.168.1.0, 192.168.2.0 and 192.168.3.0 via OSPF. These networks are reachable through the FastEthernet 0/0 interface.
R2#show ip ospf 1
R2#show ip ospf neighbor
Showing the neighbors for router R2
R2#show ip ospf interface fastethernet 0/0
The given output shows that the process ID was assigned to be 1, the network type is point-to-point with a cost of 1, and the Router ID is 1.1.1.1.
3. Verify the configuration on R1
R1#show ip ospf neighbor
The show ip ospf neighbor command gives the Neighbor IDs of the routers adjacent to R1.
R1#show ip ospf interface fastethernet 1/0
The command show ip ospf interface shows the Router ID, Network type and
cost for the respective interface.
R1#show ip ospf interface fastethernet 0/0
4. Verify the configuration on R5
R5#show ip ospf neighbor
Showing the ospf neighbor for R5
R5#show ip ospf interface fastethernet 0/0
R5#show ip ospf interface fastethernet 1/0
5. Verify the configuration on R4
R4#show ip ospf interface fastethernet 1/0
R4#show ip ospf interface fastethernet 0/0
R4#show ip ospf neighbor
Showing the ospf neighbor for R4.
6. Verify the configuration on R3
R3#show ip ospf interface fastethernet 1/0
R3#show ip ospf interface fastethernet 1/0
R3#show ip ospf neighbor
Showing the ospf neighbor for R3.
Figure 3-21: Verification Outputs
Mind Map
Figure 3-06: Mind Map of IP Connectivity
Summary
Components of the Routing Table
In this section, we learned that networks are either directly connected, statically configured or dynamically learned. The "show ip route" command is used to view a routing table
The routing protocol code identifies which route was learned by
which routing protocol
The network address is simply termed as a prefix and the
shorthand way to express a subnet mask using CIDR notation is a
prefix-length e.g., for the subnet mask 255.255.255.0, the prefix-
length is /24
The prefix-length is simply a shorthand way to express a network
mask using CIDR notation. A network mask is also called a subnet
mask or net mask for short
The next hop IP address follows the “via” word for a child prefix
entry. The next hop refers to the IP address of the next router in
the path to the destination network
Administrative distance is used to select the best path when a
router has two different paths
The best path to a destination network within a routing protocol is
determined by the metric value
Packets that are addressed to networks not explicitly listed in the
routing table are directed using default routes
A Router Makes Forwarding Decision by Default
The longest prefix match is an algorithm used in Internet Protocol (IP) networking for selecting an entry from a forwarding table. Each entry in a forwarding table specifies a sub-network
When two routing protocols both offer a route to the same destination network, administrative distance decides which protocol's route is preferred
Metric determines the best path to a destination network. The
preferred or shortest path to a particular destination is determined
by the dynamic routing protocols
Configure and Verify IPv4 and IPv6 Static Routing
Static routes are manually assigned both in IPV4 and IPV6
Default route is used by IP to forward any packet with a
destination not found in the routing table
When a route is created to a network, it is called a network route
A route leading to a single host can be created
A floating static route is simply one that has been created as a backup to a route learned through a routing protocol
Configure and Verify Single Area OSPFv2
Before two OSPFv2 interfaces can be considered neighbors, the local interface must have a configuration compatible with the remote interface
The OSPF supports the other network types including Point-to-
Multipoint, Broadcast, and Non-Broadcast
The Designated Router (DR) and Backup Designated Router (BDR) act as a central point to exchange OSPF information between multiple routers on the same multi-access broadcast network segment
Purpose of First Hop Redundancy Protocol
A gateway redundancy is allowed by the First Hop Redundancy
Protocol (FHRP)
A class of redundancy protocols known as FHRPs includes VRRP
(Virtual Router Redundancy Protocol), HSRP (Hot Standby
Router Protocol), and GLBP (Gateway Load Balancing Protocol)
Practice Question
1. In which of the following does the information necessary to forward a packet along the best path towards its destination reside?
A. Election Process
B. Routing Table
C. CIDR Notation
D. LSAs
2. What is a shorthand way to express a network mask using CIDR
notation?
A. Prefix Length
B. Administrative Distance
C. Metric Value
D. CIDR Notation
3. What is the default administrative distance for RIP?
A. 200
B. 170
C. 120
D. 0
4. The best path to a destination network within a routing protocol is
determined by which of the following?
A. Administrative Distance
B. Metric Value
C. Routing Table
D. CIDR Notation
5. When two protocols both account for the same destination network, one routing protocol is chosen over the other by using which one of the following?
A. Prefix Length
B. Administrative Distance
C. Metric Value
D. CIDR Notation
6. While using an exit interface instead of a next-hop address, what
could be the administrative distance for static routes?
A. 20
B. 5
C. 1 or 0
D. 100
7. What is a route that has been created as a backup to a route learned through a routing protocol called?
A. Dynamic Route
B. Static Route
C. Floating Static Route
D. Prefix Length
8. The OSPF process ID, a unique number on the router, is taken from which range of values?
A. 1 to 75,535
B. 1 to 65,553
C. 1 to 85,535
D. 1 to 65,535
9. A gateway redundancy is allowed by using which one of the
following?
A. Administrative Distances
B. First Hop Redundancy Protocol
C. OSPF Protocol
D. Gateway of Last Resort
10. Which process takes place on the segment to choose a DR and BDR?
A. 2-way
B. Election
C. Selection
D. Ping
11. What are advantages of using DHCP in a network?
A. Easier administration
B. Static IP addressing
C. More difficult administration of the network
D. Assigns IP address to hosts
12. Which version of SNMP provides plaintext authentication with
MD5 or SHA with no confidentiality?
A. SNMPv2
B. SNMPv1
C. SNMPv2c
D. SNMPv3
13. Which command is used to view a routing table?
A. Show ip interface brief
B. show ip route
C. show ip protocol
D. None of the above
14. What is the prefix-length for the subnet mask 255.255.255.0?
A. /25
B. /24
C. /26
D. /27
15. What is an administrative distance for a static route?
A. 1
B. 12
C. 120
D. 100
16. What could be the value corresponding to the 100% utilization
of a link?
A. 254
B. 255
C. 256
D. 124
17. Which one of the following is the correct command for
configuring a static route?
A. ip route [destination_network] [nexthop_address or exit
interface] [mask] [administrative_distance] [permanent]
B. ip route [destination_network] [mask] [nexthop_address or
exit interface] [administrative_distance] [permanent]
C. ip route [destination_network] [mask]
[administrative_distance] [permanent][nexthop_address or
exit_interface]
D. ip route [destination_network] [nexthop_address or
exit_interface] [mask] [administrative_distance]
18. What happens if the first hop redundancy goes down?
A. The related network is still able to communicate with the
outside world
B. The particular network will become incapable of
communicating with the outside world
C. The particular network will become incapable of
communicating with either the inside or the outside world
D. The particular network will become incapable of
communicating with the inside network
19. Which one of the following is not categorized as the first hop
redundancy protocol?
A. HSRP (Hot Standby Router Protocol)
B. BRRP (Broadway Router Redundancy Protocol)
C. VRRP (Virtual Router Redundancy Protocol)
D. GLBP (Gateway Load Balancing Protocol)
20. For secure communications using HTTPS, what port number is
used by default?
A. 80
B. 110
C. 25
D. 443
Chapter 04: IP Services
Technology Brief
IP Services is a professional combination of management, operation and maintenance services, facilities and territories. Long-term contract service for corporate customers is considered the main task. A reliable partnership and comfortable conditions are guaranteed for effective business. Features that can be deployed individually or in combination across a wide range of Cisco hardware include Network Address Translation (NAT), Dynamic Host Configuration Protocol (DHCP), and Hot Standby Router Protocol (HSRP). Cisco's IP Services comprise many basic and advanced building blocks. They allow customers to deploy an IP network with basic end-to-end IP connectivity, manage their IP addressing requirements from a central location, control the IP addressing scheme used throughout their network, provide redundancy at major network connection points, and much more.
Configure and Verify Inside Source NAT using Static and
Pools
In the process of Network Address Translation (NAT), a network device, typically a firewall, allocates a public address to a computer or group of computers within a private network. NAT limits the number of public IP addresses an organization or company needs to use, which matters for both economy and security. The most common form of network translation involves a large private network using addresses in a private range (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255). Computers that only need to access resources inside the network, like workstations needing access to file servers and printers, use the private addressing scheme. Routers inside the private network can route traffic between private addresses without any trouble. To access resources outside the network, however, these computers need a public address so that replies to their requests can return to them. The process is quick rather than complex, and the end user rarely knows it has occurred. A workstation inside the network makes a call to a computer on the internet. The router within the network recognizes that the request is not for an inside resource and sends it to the firewall. The firewall sees the request from the computer with the internal IP, makes the same request to the internet using its own public address, and returns the response from the internet resource to the computer inside the private network. From the perspective of the resource on the internet, information is sent to the address of the firewall; from the workstation's perspective, the communication appears to happen directly with the site on the internet. All users inside the private network accessing the internet share the same public IP address while using the internet, so only one public address is needed for hundreds or even thousands of users.
Most modern firewalls are stateful: they set up the connection between the internal workstation and the internet resource and keep track of its details, like ports, packet order, and the IP addresses involved. This is called keeping track of the state of the connection. The session, consisting of the communication between the workstation and the firewall and between the firewall and the internet, is tracked in this way. When the session ends, the firewall discards all of the information about the connection.
Moreover, in large networks some servers, such as web servers, must be reachable from the Internet. Public IP addresses are assigned to these servers on the firewall, and the public can reach the servers only through those addresses. The firewall acts as the intermediary between the outside world and the protected internal network and provides an additional layer of security. Additional rules can be added that specify which ports can be accessed at that IP address. With NAT, internal network traffic is routed more efficiently, and more ports can be opened internally while access is restricted at the firewall. NAT also allows detailed logging of communications between the network and the outside world. It can be used to allow selective access to the outside of the network, too: workstations or other computers that require special access outside the network are assigned specific external IPs using NAT, which allows them to communicate with computers and applications that require a unique public IP address. As an intermediary, the firewall is able to control the session in both directions and restrict the ports and protocols allowed.
Figure 4-01: Network Address Translation (NAT)
NAT is a very important aspect of firewall security. It conserves the number of public addresses used inside an organization, and it allows stricter control of access to resources on both sides of the firewall.
Network Address Translation (NAT) maps the private IP addresses on the inside to public addresses. On a LAN, the mapping from private to public IP address(es) is carried out on the outside interface of the router.
Network Address Translation (NAT) is used to map private IP addresses on a LAN to public IP address(es) on the external interface of the router
The router's interface connecting to the LAN is the inside
The router's interface connecting to the WAN is the outside
Depending on the preferred outcome, different methods of NAT are used: Static, Pool and PAT
NAT Inside and Outside Addresses
Inside refers to the addresses that must be translated. Outside refers to the addresses that are not under the organization's control. The following four address types describe how an address appears on each side of the translation.
Inside Local Address
The IP address assigned to a host on the inside network is called the inside local address. This address is usually not assigned by the service provider, i.e., it is a private IP address.
Inside Global Address
The IP address that represents one or more inside local IP addresses to the external world is termed the inside global address. It is the inside host as seen from the outside network.
Outside Local Address
This is the IP address of the outside destination host as it appears in the local network after translation.
Outside Global Address
The outside host as seen from the external network is termed the outside global address. It is the IP address of the outside destination host before translation.
Types of Network Address Translation (NAT)
There are three ways to configure NAT. These are:
Static NAT
Dynamic NAT
Port Address Translation (PAT)
Static NAT
A legally registered (public) IP address is mapped to a single unregistered (private) IP address, i.e., a one-to-one mapping between local and global addresses. Web hosting generally uses static NAT. Organizations with many devices that need internet access do not use static NAT, because every device would need its own public IP address: an organization with 3000 devices would need to buy 3000 public addresses to access the internet, which would be very costly.
Dynamic NAT
An unregistered (private) IP address is translated to a registered (public) IP address taken from a pool of public IP addresses. Only a fixed number of private IP addresses can be translated to public addresses at once, so if no address in the pool is free, the packet is dropped.
For example, a pool of 2 public IP addresses can translate only 2 private IP addresses; a 3rd private IP address wanting to access the internet will have its packets dropped. In this way many private IP addresses are mapped to a pool of public IP addresses. Networks with a fixed number of users usually use dynamic NAT. An organization needs to buy many global IP addresses to make up the pool, which makes it costly.
Port Address Translation
PAT allows many local (private) IP addresses to be translated to a single registered IP address. It is also known as NAT overload. Port numbers are used to distinguish which traffic belongs to which private IP address. Thousands of users can be connected to the internet using only one real global (public) IP address. Because it is cost-effective, it is the most frequently used form of NAT.
Advantages of NAT
NAT conserves legally registered IP addresses
It offers privacy, because the IP address of the device sending and receiving the traffic is hidden
When a network evolves, address renumbering is eliminated
Disadvantages of NAT
The translation introduces switching path delay
Certain applications will not function with NAT enabled
Tunneling protocols such as IPsec are complicated by NAT
Further, a router, being a network layer device, should not tamper with port numbers; because of NAT, it does.
Example:
Port Address Translation (PAT), or NAT (Network Address Translation) Overloading, is a modified form of dynamic NAT in which the number of inside local addresses is greater than the number of inside global addresses. Most often, a single inside global IP address provides internet access to all inside hosts. NAT Overloading is actually the only flavor of NAT that really conserves IP addresses, and it is also the most popular form of NAT.
Figure 4-02: Port Address Translation (PAT)
Protocol   Inside Local IP:Port   Inside Global IP:Port
ICMP       192.168.1.2:18         67.210.97.1:18
ICMP       192.168.1.3:19         67.210.97.1:19
ICMP       192.168.1.4:20         67.210.97.1:20
Table 4-01: Protocol with Inside Local and Global IP
PAT allows overloading, that is, mapping more than one inside local address to the same inside global address. Return packets would all arrive at the NAT router with the same destination address.
How would the router know which inside local address each return packet belongs to?
The answer is that the NAT entries in the translation table are extended entries: besides the relevant IP addresses, the entries also track protocol types and ports. By interpreting both the IP address and the port number of a packet, up to 65535 inside local addresses could theoretically be mapped to one inside global address, based on the 16-bit port number. A single NAT entry uses approximately 160 bytes of router memory, so 65535 entries would take more than 10 MB of memory and a large amount of CPU power. This is a theoretical limit; in practice, PAT configurations come nowhere near this number of addresses.
Static:
Allows one-to-one mapping
A specific inside IP address is translated to a specific outside IP address
Translations are statically configured and placed in the translation table whether there is traffic or not
Hosts providing application services like mail, web, FTP, etc. mostly use this
Pool:
A form of Dynamic NAT with many-to-many mappings
Multiple inside IP addresses are translated to multiple outside IP addresses
The pool is most useful when there are fewer available addresses than hosts to be translated
Entries are created in the translation table as connections are initiated. Each mapping is one-to-one, but the scheme is called many-to-many because the mappings can vary: at the time of the request they depend on the IPs available in the pool
After a specified and configurable amount of time, NAT entries are removed from the translation table and the IP address is returned to the NAT pool
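The following toy translation table is an added example, not code from the page or from Cisco IOS. It models the three NAT flavors described in this section (static one-to-one, dynamic pool that drops packets once the pool is empty, and PAT/overload that distinguishes hosts by port) and the extended entries that let return traffic be mapped back. The addresses 192.168.1.x and 67.210.97.x are constructed sample values; for ICMP the "port" column stands for the ICMP identifier, as in Table 4-01.

```python
"""Toy NAT translation table (added example, not Cisco IOS code) modelling
static, dynamic-pool and PAT translation with extended entries."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Translation table keys: (protocol, ip, port-or-icmp-id)
Endpoint = Tuple[str, str, int]

BYTES_PER_NAT_ENTRY = 160       # figure quoted in the text above
MAX_PORTS = 65535               # 16-bit port space, the theoretical PAT limit


@dataclass
class NatRouter:
    mode: str                                   # "static", "pool" or "pat"
    global_pool: List[str]                      # inside global (public) addresses
    static_map: Dict[str, str] = field(default_factory=dict)  # local ip -> global ip
    out_table: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    in_table: Dict[Endpoint, Endpoint] = field(default_factory=dict)

    def translate_out(self, proto: str, local_ip: str, local_port: int) -> Optional[Endpoint]:
        """Outbound packet: return the inside global (proto, ip, port), or None if dropped."""
        local = (proto, local_ip, local_port)
        if local in self.out_table:                     # existing extended entry
            return self.out_table[local]
        if self.mode == "static":
            if local_ip not in self.static_map:         # no configured one-to-one mapping
                return None
            glob = (proto, self.static_map[local_ip], local_port)
        elif self.mode == "pool":
            held = {l[1]: g[1] for l, g in self.out_table.items()}  # local ip -> pool ip
            if local_ip in held:
                public_ip = held[local_ip]
            else:
                free = [ip for ip in self.global_pool if ip not in held.values()]
                if not free:
                    return None                         # pool exhausted: packet dropped
                public_ip = free[0]
            glob = (proto, public_ip, local_port)       # dynamic NAT keeps the port
        elif self.mode == "pat":
            public_ip = self.global_pool[0]             # one address for everyone
            port = self._free_port(proto, public_ip, local_port)
            if port is None:
                return None                             # all 65535 ports in use
            glob = (proto, public_ip, port)
        else:
            raise ValueError(f"unknown NAT mode {self.mode!r}")
        self.out_table[local] = glob
        self.in_table[glob] = local
        return glob

    def translate_in(self, proto: str, global_ip: str, global_port: int) -> Optional[Endpoint]:
        """Return packet: look up the extended entry; None means no state, so drop."""
        return self.in_table.get((proto, global_ip, global_port))

    def _free_port(self, proto: str, public_ip: str, wanted: int) -> Optional[int]:
        # Keep the original source port while it is still free on the global
        # address; otherwise pick the next unused one.
        if (proto, public_ip, wanted) not in self.in_table:
            return wanted
        for port in range(1024, MAX_PORTS + 1):
            if (proto, public_ip, port) not in self.in_table:
                return port
        return None

    def memory_estimate(self) -> int:
        """Router memory consumed by the translation table at 160 bytes per entry."""
        return len(self.out_table) * BYTES_PER_NAT_ENTRY


if __name__ == "__main__":
    pat = NatRouter("pat", ["67.210.97.1"])
    for host in ("192.168.1.2", "192.168.1.3", "192.168.1.4"):
        print(host, "->", pat.translate_out("icmp", host, 18))
    print("table uses", pat.memory_estimate(), "bytes")
```

Run with three inside hosts that all use ICMP identifier 18: the first keeps 18 on the global address and the others are given fresh identifiers, which is exactly the information a return packet needs to be mapped back to the right inside local address.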
Exam Tip
You must have a clear understanding of what NAT is and how it is configured both statically and dynamically. Practice the included labs to gain hands-on experience.
NTP Operating in a Client and Server Mode
Network Time Protocol (NTP) provides time to all of our network devices. In simple words, NTP synchronizes the clocks of computer systems over packet-switched, variable-latency data networks.
Typically, an NTP server connects through the internet to an atomic clock. This time can then be distributed via the network so that all routers, switches, servers, etc. receive the same time information.
Precise network time within the network is important because:
Tracking of events in the network is possible with correct time
Clock synchronization is critical for the right interpretation of
events within the syslog data
Clock synchronization is critical for digital certificates
Switches and routers issue log messages when different events take place, for example when an interface goes down and then comes back up. As you already know, all messages produced by the IOS go only to the console port by default. However, those console messages can be directed to a syslog server. A syslog server saves copies of console messages and can time-stamp them so you can view them at a later time.
Securing a network involves many things, among them security logs with an accurate date and timestamp. When an attack on a network is encountered, it is important to identify when the attack occurred and the order in which its events took place. Log messages can be accurately time stamped by synchronizing the clocks on hosts and network devices, either manually or using Network Time Protocol.
Typically, the date and time settings on the router can be set using one of two
methods:
Manually set the date and time
Configure the Network Time Protocol (NTP)
The figure below shows an example of manually updating the clock. As a network grows, it becomes difficult to ensure and verify that all infrastructure devices within the network are running with synchronized time. Even in a small network environment, the manual method is not ideal. For example, if a router reboots, how will it get an accurate date and timestamp?
A better solution that avoids manual configuration of time and date is to configure the Network Time Protocol (NTP) on the network. This protocol allows networking devices to synchronize their time and date with an NTP server. This is better because a group of NTP clients obtaining time and date information from a single source has more consistent time settings. When NTP is configured in the network, devices can synchronize to a publicly available NTP server or to a private master clock.
NTP uses UDP port 123 and is documented in RFC 1305. Here is an example of manually setting the time and date on a device:
R1#clock set 04:00:00 12 nov 2019
! Sets the time to 04:00:00 and the date to 12 November 2019
R1#show clock
! Shows the time and date currently running on the device
NTP Authentication
NTP version 3 (NTPv3) and later versions support cryptographic authentication between NTP peers. This authentication can be used to mitigate an attack.
Three commands are used on the NTP master and the NTP client:
ntp authenticate
ntp authentication-key key-number md5 key-value
ntp trusted-key key-number
Without NTP authentication configured, network time information can still be exchanged between server and clients, but the NTP clients do not authenticate the NTP server as a trusted source. Consider what happens if the legitimate NTP server goes down and a fake NTP server takes over the role of the real one.
Use the show ntp associations detail command to confirm that the server is an authenticated source.
Use the show ntp status command to confirm that the server and client are synchronized.
Figure 4-04: Output of NTP Associations
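To make concrete what the three authentication commands above achieve, here is an added example (not code from the page or from Cisco) of the symmetric-key check an NTP client performs. It follows the RFC 1305 Appendix C / RFC 5905 scheme: the server appends a MAC consisting of a 32-bit key identifier and the MD5 digest of the key followed by the 48-byte header, and the client accepts the packet only if the key id is both configured and trusted and the digest matches. The key values and packet fields are constructed for the demo; the demo() function is a hypothetical helper that exercises the four outcomes a client can meet.

```python
"""NTPv3/v4 symmetric-key authentication check (added example, not IOS code).
MAC = key id (4 bytes) || MD5(key || 48-byte header), per RFC 1305 / RFC 5905."""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Set

HEADER_LEN = 48        # fixed NTP header
MAC_LEN = 4 + 16       # key identifier + MD5 digest


def build_header(version: int = 3, mode: int = 4, stratum: int = 2,
                 ref_id: bytes = b"GPS\x00", xmit_ts: int = 0) -> bytes:
    """Pack a minimal 48-byte NTP header (LI=0, given version and mode)."""
    li_vn_mode = (version << 3) | mode
    return (struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # li/vn/mode, stratum, poll, precision
            + struct.pack("!II", 0, 0)                         # root delay, root dispersion
            + ref_id                                           # reference id
            + struct.pack("!QQQQ", 0, 0, 0, xmit_ts))          # ref/orig/recv/xmit timestamps


def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """What 'ntp authenticate' plus 'ntp authentication-key' make the server do."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet: bytes, keys: Dict[int, bytes], trusted: Set[int]) -> Optional[str]:
    """Client-side check: None when the packet is acceptable, otherwise the reason
    it is rejected.  'keys' mirrors 'ntp authentication-key', 'trusted' mirrors
    'ntp trusted-key'."""
    if len(packet) == HEADER_LEN:
        return "no MAC present: unauthenticated server"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "malformed length"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return f"unknown key id {key_id}"
    if key_id not in trusted:
        return f"key id {key_id} is configured but not trusted"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return "digest mismatch: packet forged or altered"
    return None


def demo() -> Dict[str, Optional[str]]:
    """Hypothetical helper: run the four situations a client can meet."""
    keys = {1: b"ntp-demo-key-1", 2: b"ntp-demo-key-2"}   # constructed sample keys
    hdr = build_header(xmit_ts=0xE1A0000000000000)
    good = append_mac(hdr, 1, keys[1])
    altered = bytearray(good)
    altered[1] = 1                                          # stratum changed after signing
    return {
        "authenticated": verify_packet(good, keys, trusted={1}),
        "unauthenticated": verify_packet(hdr, keys, trusted={1}),
        "untrusted_key": verify_packet(append_mac(hdr, 2, keys[2]), keys, trusted={1}),
        "tampered": verify_packet(bytes(altered), keys, trusted={1}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} -> {verdict or 'accepted'}")
```

The "untrusted_key" case is the point of ntp trusted-key: a key can be configured on the device yet still not be accepted as a time source until it is explicitly listed as trusted.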
Exam Tip
To clear this exam, you must know how an NTP client synchronizes with the server. Their use in a network should be clear, along with the NTP master and NTP client concepts.
Role of DHCP and DNS within the Network
DHCP (Dynamic Host Configuration Protocol) provides quick, automatic, and central management for the distribution of IP addresses within a network. It is also used to configure the default gateway, subnet mask, and DNS server information on the device.
A DHCP server defines a scope, or range, of IP addresses. These dynamic addresses are used to serve devices with an address: a device obtains a valid network address from this pool. This allows many devices to connect to a network over a period of time without the pool needing an address for every one of them.
Example:
If the DHCP server defines 20 addresses, 30, 50, 200, or more devices can be connected to the network over time, but no more than 20 devices can use one of the available IP addresses simultaneously.
DHCP assigns IP addresses for a specific period of time, called the lease period. Because of this, commands like ipconfig may show a different IP address for a computer at different times. DHCP delivers dynamic IP addresses to clients. Devices with dynamic addresses and devices with manually assigned IP addresses can both exist on the same network. IP addresses from ISPs are usually assigned using DHCP.
Configuring DHCP
The following information is required to configure a DHCP server for hosts:
Network and Mask for Every LAN: the network ID, also termed the "scope". By default, all addresses in a subnet can be handed out to hosts.
Reserved/Excluded Addresses: addresses reserved for servers, printers, routers, etc. These addresses will not be handed out to hosts.
Default Router: the address of the router for every LAN.
DNS Address: a list of DNS server addresses provided to hosts so they can resolve names.
DNS: The Domain Name System (DNS) is used to translate names to IP addresses. For each domain name, a list of mail servers can be provided to accept email for it. A domain name in DNS nominates a set of name servers to be authoritative for its DNS records, and all other name servers are pointed to these when looking for information about the domain name. A name server implements a name-service protocol and stores the zone file and DNS records. A zone file is a small set of instructions that point domain names to IP addresses.
Configuration Steps:
Exclude the addresses you want to reserve. This step is done first because, as soon as you set a network ID, the DHCP service will start responding to client requests
Create your pool for every LAN using a distinctive name
Select the network ID and subnet mask for the DHCP pool that the server will use to provide addresses to hosts
Add the address used for the default gateway of the subnet
Provide the DNS server address(es)
If you do not want to use the default lease time of 24 hours, set the lease time in days, hours, and minutes
TFTP, DNS, and Gateway Options
A few optional but recommended commands, including the TFTP, DNS and default gateway IP addresses, are used to configure the Cisco IOS DHCP feature
TFTP option 150 identifies an external server that will be used to store the DHCP bindings database
The DNS setting identifies the IP address of the DNS server on the network
The gateway option defines a default gateway for the clients
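The configuration steps above can be followed in a small address-pool model. The code below is an added example, not code from the page or from Cisco IOS: it reserves (excludes) addresses first, defines a named pool with network ID and mask, default router, DNS servers and a lease time defaulting to 24 hours, renews a returning client's address, drops expired leases, and reports exhaustion of the scope. The network 192.168.10.0/28, the reserved range and the MAC addresses are constructed sample values; build_demo_pool() is a hypothetical helper.

```python
"""Minimal DHCP address pool (added example, not Cisco IOS code) following the
configuration steps in the text: exclusions, pool, gateway, DNS, lease time."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address
DEFAULT_LEASE = 24 * 60 * 60      # 24 hours, the default lease time named in the text


@dataclass
class DhcpPool:
    name: str
    network: ipaddress.IPv4Network
    default_router: IPv4
    dns_servers: List[IPv4]
    excluded: Set[IPv4] = field(default_factory=set)
    lease_seconds: int = DEFAULT_LEASE
    bindings: Dict[str, Tuple[IPv4, float]] = field(default_factory=dict)  # mac -> (ip, expiry)

    def exclude_range(self, first: str, last: str) -> None:
        """Step 1: reserve addresses (servers, printers, the router) before serving."""
        lo, hi = int(IPv4(first)), int(IPv4(last))
        self.excluded.update(IPv4(i) for i in range(lo, hi + 1))

    def release_expired(self, now: float) -> None:
        """Leases whose expiry has passed go back to the pool."""
        self.bindings = {m: b for m, b in self.bindings.items() if b[1] > now}

    def _candidates(self, now: float):
        self.release_expired(now)
        in_use = {ip for ip, _ in self.bindings.values()}
        return (h for h in self.network.hosts()
                if h not in self.excluded and h not in in_use and h != self.default_router)

    def offer(self, mac: str, now: float) -> Optional[dict]:
        """Hand out (or renew) a lease for a client; None when the scope is exhausted."""
        self.release_expired(now)
        if mac in self.bindings:                        # same client: renew its address
            ip = self.bindings[mac][0]
        else:
            ip = next(self._candidates(now), None)
            if ip is None:
                return None
        self.bindings[mac] = (ip, now + self.lease_seconds)
        return {"ip": ip, "mask": self.network.netmask, "router": self.default_router,
                "dns": list(self.dns_servers), "lease": self.lease_seconds}

    def free_count(self, now: float) -> int:
        return sum(1 for _ in self._candidates(now))


def build_demo_pool() -> DhcpPool:
    """Hypothetical helper: a /28 LAN with .1-.5 reserved for router, DNS and printers."""
    pool = DhcpPool("LAN1", ipaddress.IPv4Network("192.168.10.0/28"),
                    default_router=IPv4("192.168.10.1"),
                    dns_servers=[IPv4("192.168.10.2")])
    pool.exclude_range("192.168.10.1", "192.168.10.5")
    return pool


if __name__ == "__main__":
    pool = build_demo_pool()
    print("free before serving:", pool.free_count(0))
    print(pool.offer("aa:bb:cc:00:00:01", now=0.0))
```

The /28 has 14 host addresses; with five excluded, nine remain, so a tenth concurrent client receives nothing until a lease expires, which is the "no more than N devices simultaneously" behaviour described in the DHCP example above.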
Exam Tip
Make sure you can quickly tell the difference observed in a network after configuring DHCP.
The Function of SNMP in Network Operations
Simple Network Management Protocol (SNMP) is an Application layer protocol. It provides a message format for agents on a variety of devices to communicate with Network Management Stations (NMSs). The NMS receives messages from these agents and then reads or writes information in a database on the device. This information is called the Management Information Base (MIB).
The NMS periodically queries, or polls, the SNMP agent on a device to gather and analyze statistics via GET messages. If a problem occurs, the end device running the SNMP agent sends an SNMP trap to the NMS. The basic operation of the SNMP protocol is depicted in the following figure:
Figure 4-03: Working of SNMP
Admins also use SNMP to push configuration to agents; these are called SET messages. SNMP is also used for analyzing information and compiling the outcomes into a report or even a graph. Thresholds can be set so that a notification process is triggered when a threshold is exceeded. For example, graphing tools are used to monitor the CPU numbers of Cisco devices like a core router: the CPU is watched continuously, the statistics are graphed by the NMS, and notifications are sent when the threshold is exceeded. SNMP has three versions (v1, v2 and v3), which are described below:
SNMPv2:
SNMPv2 is similar to SNMPv1 with slight modifications; SNMPv1 is no longer in use. SNMPv2 supports plain-text authentication with community strings and no encryption, but offers GET BULK, which is a way to collect many kinds of information at once and reduce the number of GET requests. It offers a more comprehensive error message reporting method called INFORM, but it is not more secure than v1. It uses UDP, though it can be configured to use TCP.
SNMPv3:
SNMPv3 supports strong authentication with SHA or MD5, providing confidentiality (encryption) and data integrity of messages between agents and managers via Data Encryption Standard (DES) or DES-256 encryption. GET BULK is retained in SNMPv3, and this version also uses TCP.
Management Information Base (MIB):
When you want to access data from so many kinds of devices, a standard way to organize this plethora of data is required. In SNMP this is implemented using the MIB. A Management Information Base (MIB) is a collection of information that is organized hierarchically and can be accessed by protocols like SNMP. RFCs describe some common public variables, but most organizations also define their own private branches beside the basic SNMP standards. Object Identifiers (OIDs) are laid out as a tree, with different levels assigned by different organizations and the top-level MIB OIDs belonging to various standards organizations.
To obtain information from the MIB on the SNMP agent, you can use several different operations:
GET: This operation is used by the SNMP manager to retrieve information from the MIB of an SNMP agent.
SET: This operation is used by the SNMP manager to write information to the MIB of an SNMP agent.
WALK: This operation is used to list information from successive MIB objects within a specified MIB subtree.
TRAP: This operation is used by the SNMP agent to send a triggered piece of information to the SNMP manager.
INFORM: This operation is the same as a trap, but it adds an acknowledgment that a trap does not provide.
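The following tiny in-memory agent is an added example (not a real SNMP stack and not code from the page). It shows the MIB as an OID tree, GET and SET, a WALK built from repeated GETNEXT in lexicographic OID order, and why a SET is refused unless the read-write community of SNMPv2c is presented, which is the security property the text contrasts with SNMPv3. The OIDs are the standard MIB-2 system objects (sysDescr, sysUpTime, sysName, ifNumber); their values and the community strings are constructed, and build_demo_agent() is a hypothetical helper.

```python
"""Tiny in-memory SNMP agent (added example) showing the MIB as an OID tree and
the GET / GETNEXT / WALK / SET operations against it."""
from typing import Dict, List, Optional, Tuple

Oid = Tuple[int, ...]


def parse_oid(text: str) -> Oid:
    return tuple(int(p) for p in text.strip(".").split("."))


def oid_str(oid: Oid) -> str:
    return "." + ".".join(str(p) for p in oid)


class Agent:
    def __init__(self, objects: Dict[str, object], ro: str, rw: str, writable: List[str]):
        self.mib = {parse_oid(k): v for k, v in objects.items()}
        self.ro_community, self.rw_community = ro, rw
        self.writable = {parse_oid(o) for o in writable}

    def _readable(self, community: str) -> bool:
        return community in (self.ro_community, self.rw_community)

    def get(self, community: str, oid: str) -> Optional[object]:
        """GET: read one object; None stands for noSuchObject or a bad community."""
        if not self._readable(community):
            return None                          # v1/v2c agents just drop bad communities
        return self.mib.get(parse_oid(oid))

    def get_next(self, oid: str) -> Optional[Oid]:
        """GETNEXT: the lexicographically next OID (tuple ordering equals SNMP's)."""
        start = parse_oid(oid)
        later = sorted(k for k in self.mib if k > start)
        return later[0] if later else None

    def walk(self, community: str, subtree: str) -> List[Tuple[str, object]]:
        """WALK: repeated GETNEXT until the returned OID leaves the subtree."""
        if not self._readable(community):
            return []
        root = parse_oid(subtree)
        out, cur = [], root
        while True:
            nxt = self.get_next(oid_str(cur))
            if nxt is None or nxt[:len(root)] != root:
                return out
            out.append((oid_str(nxt), self.mib[nxt]))
            cur = nxt

    def set(self, community: str, oid: str, value: object) -> bool:
        """SET: only with the read-write community and only on writable objects."""
        key = parse_oid(oid)
        if community != self.rw_community or key not in self.writable or key not in self.mib:
            return False
        self.mib[key] = value
        return True


def build_demo_agent() -> Agent:
    """Hypothetical helper: a router-like agent with a few MIB-2 system objects."""
    objects = {
        "1.3.6.1.2.1.1.1.0": "Demo router software",     # sysDescr (constructed value)
        "1.3.6.1.2.1.1.3.0": 123456,                     # sysUpTime in timeticks
        "1.3.6.1.2.1.1.5.0": "R1",                       # sysName
        "1.3.6.1.2.1.2.1.0": 4,                          # ifNumber
    }
    return Agent(objects, ro="public", rw="demo-rw-community",
                 writable=["1.3.6.1.2.1.1.5.0"])


if __name__ == "__main__":
    agent = build_demo_agent()
    for oid, value in agent.walk("public", "1.3.6.1.2.1.1"):
        print(oid, "=", value)
```

Walking the system subtree returns exactly the three system objects in OID order and stops before ifNumber, which lives under the interfaces subtree; a SET with the read-only community is rejected, while the read-write community may change sysName.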
Exam Tip
To describe the function of SNMP, you need a clear understanding of the Management Server and Agent concepts.
Use of Syslog Features Including Facilities and Levels
Syslog
When a certain event occurs in a network, networking devices have a trusted way to inform or notify the network administrator through detailed system messages. These messages may be either non-critical or significant. Network administrators have many options for storing, interpreting, and viewing these messages, and for being alerted to those messages that could have the greatest impact on the network infrastructure. One of the most common methods of accessing the system messages that devices provide is the protocol called syslog. Syslog is a system logging protocol that monitors the events occurring on the system and stores the messages at the desired location. It was developed for UNIX-based systems in the 1980s, but was first documented by the IETF in 2001 as RFC 3164. Syslog uses UDP port 514 to send event notification messages over IP networks.
Figure 4-04: Syslog Messages
Many networking devices support syslog: routers, switches, servers, firewalls, and other network appliances. Syslog allows networking devices to send their system logging messages across the network to syslog servers. It is possible to build a dedicated Out-of-Band (OOB) network for this purpose.
There are several different syslog server software packages for Windows and UNIX. Many of them are freeware.
The syslog logging service offers three primary functions:
The ability to collect logging messages for monitoring and
troubleshooting
The ability to select the specific type of logging information that is
captured
The ability to specify the destinations to store the captured syslog
messages
Figure 4-05: Syslog
You can read system messages from a switch's or router's internal buffer. This is the most popular and effective method of watching what is going on with your network at a specific time. But the best way is to log messages to a syslog server, which stores messages from your devices, can even time-stamp and arrange them in order, and is easy to set up and configure.
Using syslog, you can show, sort, and even search messages, which makes it a really great troubleshooting tool. The search feature is particularly powerful because you can use keywords and even severity levels. Plus, the server can email admins based on the message's severity level.
Network devices can be configured to produce syslog messages and forward them to various destinations. These four are the standard ways to gather messages from Cisco devices:
● Logging Buffer (on by default)
● Console Line (on by default)
● Terminal Lines (using the terminal monitor command)
● Syslog Server
You should know that all system messages and debug output produced by the IOS go out only through the console port by default and are logged in buffers in RAM. You should also know that Cisco routers are not particularly cautious about sending messages. To send messages to the VTY lines, the terminal monitor command is used.
Note
The Cisco router sends a fuller version of the message to the syslog server, formatted something like this:
Seq no: timestamp: %facility-severity-MNEMONIC: description
The system message format can be broken down in this way:
Seq No: This stamps log messages with a sequence number, but not by default. If you want this output, you have to configure it.
Timestamp: Date and time of the message or event, which again will show up only if configured.
Facility: The facility to which the message refers.
Severity: A single-digit code from 0 to 7 that indicates the severity of the message.
MNEMONIC: Text string that uniquely describes the message.
Description: Text string containing detailed information about the event being reported.
The severity levels, from the most severe level to the least severe, are
mentioned in the table below:
Severity Level              Explanation
Emergency (severity 0)      System is unusable
Alert (severity 1)          Immediate action is needed
Critical (severity 2)       Critical condition
Error (severity 3)          Error condition
Warning (severity 4)        Warning condition
Notification (severity 5)   Normal but significant condition
Informational (severity 6)  Normal information message
Debugging (severity 7)      Debugging message
Table 4-02: Severity Levels and their Explanation
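As an added example (not code from the page), the parser below takes apart the system message format just described, seq no: timestamp: %FACILITY-SEVERITY-MNEMONIC: description, treating the sequence number and timestamp as optional because both require explicit configuration, and then filters messages by severity level using Table 4-02. The three log lines are constructed samples written in that format; the addresses in them are documentation addresses, not real hosts.

```python
"""Parser and severity filter for Cisco IOS system messages (added example)."""
import re
from typing import Dict, List, Optional

SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notification", 6: "Informational", 7: "Debugging"}

# seq and timestamp are optional: both appear only when configured on the device
_MSG = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<timestamp>[^%]*?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)$")

# Constructed sample lines in the IOS format (not captured from a real device)
SAMPLE_LOG = [
    "000123: *Nov 12 04:00:05.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Nov 12 04:00:07.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22]",
    "this line is not a system message",
]


def parse_message(line: str) -> Optional[Dict[str, object]]:
    """Split one line into its fields; None if it is not a system message."""
    m = _MSG.match(line)
    if not m:
        return None
    sev = int(m.group("severity"))
    return {
        "seq": m.group("seq"),                   # None unless sequence numbers are on
        "timestamp": m.group("timestamp"),       # None unless timestamps are on
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "description": m.group("description"),
    }


def at_least(lines: List[str], level: int) -> List[Dict[str, object]]:
    """Messages at 'level' or more severe (a lower number is more severe),
    the same selection a severity threshold on a syslog destination makes."""
    parsed = (parse_message(line) for line in lines)
    return [p for p in parsed if p is not None and p["severity"] <= level]


if __name__ == "__main__":
    for msg in at_least(SAMPLE_LOG, 4):
        print(msg["severity_name"], msg["facility"], msg["mnemonic"], "-", msg["description"])
```

With a threshold of 4 (Warning) the interface-down error and the failed login are kept and the Notification-level configuration message is dropped; a threshold of 7 keeps every parsable message.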
Syslog Facilities and Features
Syslog is primarily used for system management. Proactive syslog monitoring can significantly reduce the downtime of servers and of the other devices in an infrastructure. Moreover, cost savings can be achieved by preventing the loss of productivity that usually accompanies reactive troubleshooting. A variety of options and severity levels can be chosen when setting up syslog alerts, including emergency, critical, warning, error, and so on.
Network Alerting: Critical network issues are identified with syslog. For example, fabric channel errors can be detected on a switch fabric module. Other forms of monitoring metrics cannot detect these warnings or errors.
Security Alerting: Syslog messages provide the detailed context of security events. The communication relationships, timing, and in some cases an attacker's motive and tools can be recognized from syslog.
Server Alerting: Syslog is able to alert on server startups, abrupt server shutdowns, clean server shutdowns, runtime configuration impact, configuration reloads and failures, resource impact, and so on. Failed connections can also be detected with syslog. Server alerts are always valuable, especially when you supervise hundreds of servers.
Application Alerting: Applications create logs in different ways, and some of those logs are created through syslog. A running web application writes dozens of logs in its log folder, so a syslog monitoring solution is needed for real-time monitoring; such a solution can observe changes in the log folder. Another good use of syslog is monitoring High-Availability (HA) servers. Normally only the logs that are troublesome need to be monitored, but in case of an HA server failure, all the logs from the server are needed. Having a dedicated syslog server for the HA cluster is the solution here.
Detailed error analysis requires digging into historical syslog reports using a syslog analysis tool such as LogZilla®, Kiwi Syslog®, or syslog-ng. Comprehensive details like high momentary error rates, configuration changes, or a sustained abnormal condition cannot be shown by other forms of monitoring.
The basic features of any syslog monitoring tool include a synchronous web dashboard, an alerting system, and log storage. Trouble tickets can be reduced with proactive syslog monitoring and troubleshooting. Integrating the syslog monitoring tool with other infrastructure management tools enhances its monitoring capability.
DHCP Client and Relay
DHCP provides a framework for passing configuration information dynamically to hosts on a TCP/IP network
An internet host that uses DHCP to obtain configuration parameters such as an IP address is called a DHCP client
Any host that forwards DHCP packets between clients and servers is a DHCP relay agent. Relay agents forward requests and replies between clients and servers when the two are not on the same physical subnet
Relay agent forwarding is different from the normal forwarding of an IP router, in which IP datagrams are switched between networks
Relay agents receive DHCP messages and generate a new DHCP message to send on another interface
Figure 4-06: DHCP Request for an IP Address from a DHCP Server
A DHCP server is a network server that automatically provides IP addresses, default gateways and other network parameters. The Dynamic Host Configuration Protocol, or DHCP, is what the DHCP server uses to respond to broadcast queries from clients.
The required network parameters are sent automatically so that clients can communicate properly on the network. Otherwise, the network administrator would have to set up each client joining the network manually, which is not an easy task, especially in larger networks. DHCP servers assign each client a unique dynamic IP address, which changes when the client's lease for that IP address has expired.
Router/Switch as a DHCP Server
Many enterprise companies use DHCP for IPv4 on their routers/switches. This is usually done by network administrators who need to get a DHCP capability up and running quickly but do not have access to a DHCP server.
Most routers/switches provide the following DHCP server support:
A DHCP client, where an interface obtains its IPv4 address from an upstream DHCP service
A DHCP relay, where UDP DHCP messages are forwarded from clients on a LAN to and from a DHCP server
A DHCP server, which allows the router/switch to service DHCP requests directly. There are still some limitations to using a router/switch as a DHCP server:
Running a DHCP server on a router/switch consumes resources on the network device. These DHCP packets are handled in software, not by hardware-accelerated forwarding. This practice is not suitable for a network with a large number (> 150) of DHCP clients. It does not support dynamic DNS
The router/switch DHCP server cannot create an entry in DNS on behalf of the client based on the IPv4 address leased to the client
The scope is not managed easily, and the current DHCP bindings and leases across multiple routers cannot be observed together. To get information about DHCP bindings, an administrator must log into each switch/router individually
A failure of the router/switch takes the current DHCP server and the default gateway down with it. There is no high availability or redundancy of the DHCP bindings
DHCP options are more difficult to configure on a router/switch platform
A router/switch running the DHCP service is not integrated with IP Address Management (IPAM) for tracking address and scope utilization or for security forensics
Benefits of a Dedicated DHCP Server
Using a centralized DHCP server is a better approach than running DHCP on your router/switch, particularly in network environments that must support both DHCP for IPv4 and DHCP for IPv6 at the same time. DHCP server vendors that support both protocols offer a similar management interface for IPv4 and IPv6.
Enterprises use DHCPv6 for several benefits. These include:
A DHCPv6 server integrated into an IP Address Management (IPAM) system gives visibility of the IPv6-enabled client nodes
DHCP servers provide logging and management interfaces that help administrators manage their IP address scopes. An organization usually wants an accounting of what is on the network regardless of the IP version being used
DHCP servers can provide redundancy and high availability. If one DHCP server fails, clients keep their current IP addresses, and end-nodes experience no interruption
Organizations will prefer a DHCPv6 server that has been tried and tested. The USGv6 certification laboratory has certified the Infoblox DHCPv6 server as "IPv6 Ready"
Organizations beginning to implement IPv6 should move DHCP for IPv4 off the routers/switches and onto a robust DHCP server infrastructure. A centralized dual-protocol DHCP server gives enterprise organizations the advantage of delivering IPv4 and IPv6 addresses to client devices from one place
Forwarding Per-Hop Behavior for QoS such as Classification,
Marking, Queuing, Congestion, Policing, Shaping
In Per-Hop Behavior (PHB), a forwarding behavior is assigned to a Differentiated Services Code Point (DSCP). The PHB defines the forwarding priority that a marked packet receives in relation to other traffic on the Diffserv-aware system. This precedence determines how marked packets are forwarded and dropped by the IPQoS-enabled system or Diffserv router. The same PHB is applied at each Diffserv router that the packet encounters en route to its destination, unless another Diffserv system has changed the DSCP.
A PHB provides a definite amount of network resources to a class of traffic on the contiguous network. The DSCPs defined in the QoS policy indicate the precedence levels for traffic classes when the traffic flow leaves the IPQoS-enabled system. Precedence ranges from high-precedence/low-drop probability to low-precedence/high-drop probability. For example, the QoS policy can assign a DSCP to one class of traffic that guarantees a low-drop precedence PHB from any Diffserv-aware router; this low-drop precedence PHB guarantees bandwidth to packets of this class. Varying levels of precedence are assigned to other traffic classes by adding other DSCPs to the QoS policy. Diffserv systems provide bandwidth to the lower-precedence packets in accordance with the priorities indicated in the packets' DSCPs. IPQoS supports the two types of forwarding behavior defined in the Diffserv architecture: Expedited Forwarding (EF) and Assured Forwarding (AF).
Classification:
Expedited Forwarding
Any traffic class whose DSCP is associated with EF is assured the highest
priority per-hop behavior: traffic with an EF DSCP does not wait in a
queue. EF provides low loss, low latency, and low jitter. The recommended
DSCP for EF is 101110. A packet marked with 101110 receives a guaranteed
low-drop precedence as it traverses Diffserv-aware networks en route to
its destination. The EF DSCP is used to give priority to customers or
applications with a premium SLA.
Expedited Forwarding PHB
In the integrated services model, the Resource Reservation Protocol
(RSVP) provides a guaranteed bandwidth service. Applications such as
Voice over IP (VoIP), video, and online trading need this kind of robust
service, which is delivered as low loss, low latency, low jitter, and
assured bandwidth. In the Expedited Forwarding (EF) PHB the most
significant 3 bits of the DSCP field are set to 101; the whole DSCP field
is set to 101110, decimal 46. The EF PHB provides a low-delay service.
Figure 4-07: IP Header DS Field and DSCP PHBs
The EF PHB provides a low-delay service and should also minimize jitter
and loss. The bandwidth dedicated to EF must be capped, and the queue
dedicated to EF must be the highest-priority queue, so that the assigned
traffic gets through quickly without significant delay or loss. This
holds only while the assigned traffic stays within its bandwidth cap, so
QoS techniques such as admission control are needed for a successful EF
PHB deployment. Three important facts about the EF PHB:
EF polices its bandwidth during congestion
It provides a bandwidth guarantee
It imposes minimal delay
Before DSCP, applications set the IP precedence bits to 101 (decimal 5,
called Critical) for delay-sensitive traffic such as voice. The most
significant bits of the EF marking (101110) are 101, which makes it
backward compatible with the IP precedence Critical (binary 101)
setting.
Assured Forwarding
The Assured Forwarding per-hop behavior provides four forwarding classes
to which a packet can be assigned, and every forwarding class provides
three drop precedences: low drop, medium drop, and high drop.
The Assured Forwarding (AF) PHB is equivalent to the Controlled Load
Service of the integrated services model. An AF PHB defines a method for
giving different forwarding assurances.
An SLA might, for example, define the following classes of network
traffic:
Gold: 50 percent of the available bandwidth is allocated to traffic in
this category.
Silver: 30 percent of the available bandwidth is allocated to traffic in
this category.
Bronze: 20 percent of the available bandwidth is allocated to traffic in
this category.
The four AF classes of the AF PHB are AF1, AF2, AF3, and AF4. Each class
is assigned a specific amount of buffer space and interface bandwidth
according to the SLA with the service provider or the policy map. Within
each AF class, three drop precedence (dP) values can be specified: 1, 2,
and 3. With the Assured Forwarding (AF) PHB the most significant 3 bits
of the DSCP field are set to 001, 010, 011, or 100; these values are also
called AF1, AF2, AF3, and AF4. The AF PHB is used for guaranteed
bandwidth service.
Default Per-Hop Behavior
In the Default PHB the three most significant bits of the DiffServ/DSCP
field are set to 000. It is used for Best Effort (BE) service. A packet
whose DSCP value is not mapped to any other PHB is consequently assigned
the default PHB.
Packet Forwarding in a Diffserv Environment
Differentiated Services (DiffServ) is a network solution that classifies
IP traffic flows into traffic classes. The DiffServ Code Point (DSCP)
uses six bits of the eight-bit field inside the IP header originally
called Type of Service (ToS). Its main goal is to determine the PHB,
which defines how each node forwards the packet. The DiffServ domain
identifies the scope within which this applies.
Figure 4-08: Diffserv Environment
The figure shows part of a company intranet with a partially
Diffserv-enabled environment. All hosts on the networks 10.10.0.0 and
10.14.0.0 are IPQoS enabled, and on both networks the local routers are
Diffserv aware.
Figure 4-09: Packet Forwarding Across Diffserv-Aware Network Hops
The packet flow begins with a packet that originates at host ipqos1 and
continues through several hops to host ipqos2
The ftp command is run on ipqos1 to access host ipqos2, which is three
hops away
ipqos1 applies the QoS policy to the resulting packet flow and
classifies the ftp traffic
The system administrator has created a class for all outgoing ftp
traffic. The traffic originates on the local network 10.10.0.0. Traffic
for the ftp class is assigned the AF22 per-hop behavior: class two,
medium-drop precedence. For the ftp class, a traffic flow rate of 2
Mbit/sec is configured
The meter on ipqos1 meters the ftp flow and determines whether it
exceeds the committed rate of 2 Mbit/sec
The marker on ipqos1 marks the DS field of the outgoing ftp packets with
the 010100 DSCP, which corresponds to the AF22 PHB
Router diffrouter1 receives the ftp packets and checks the DSCP. If
diffrouter1 is congested, packets marked AF22 may be dropped
diffrouter1 forwards the ftp traffic to the next hop in agreement with
the per-hop behavior configured for AF22 in its files
The ftp traffic traverses the network 10.12.0.0 to genrouter. This
network is not Diffserv aware, so the traffic receives “best-effort”
forwarding there
genrouter passes the ftp traffic to network 10.13.0.0, where diffrouter2
receives it
diffrouter2 is Diffserv aware and forwards the ftp packets onto the
network in agreement with the PHB defined in the router policy for AF22
packets
ipqos2 receives the ftp traffic. The user on ipqos1 is then prompted for
a user name and password
DiffServ is a set of end-to-end Quality of Service (QoS) capabilities.
End-to-end QoS is the ability of the network to deliver the service
required by specific network traffic from one end of the network to the
other. Cisco IOS QoS software supports three service models: Integrated
Services (IntServ), Best-Effort Services, and Differentiated Services.
Congestion
To avoid tail drop, congestion avoidance techniques such as Weighted
Random Early Detection (WRED) are deployed on each queue. Packets are
dropped selectively based on the differences in their markings. Within
each AFxy class, y specifies the drop preference (or probability) of the
packet: some packets are marked with the minimum probability of being
dropped, some with medium, and the rest with the maximum. The y part of
AFxy is one of the 2-bit binary numbers 01, 10, and 11, embedded in the
DSCP field of these packets, and specifies low, medium, and high drop
preference respectively. Note that bigger numbers here are not better,
because they imply a higher drop preference. Therefore, two features are
embedded in the AF PHB:
Four traffic classes (BAs) are assigned to four queues, each of which
has a minimum reserved bandwidth.
Three drop preferences within each class, acted on by the congestion
avoidance mechanism on each queue.
Class     Low Drop            Medium Drop         High Drop
Class 1   AF11                AF12                AF13
          DSCP 10 (001010)    DSCP 12 (001100)    DSCP 14 (001110)
Class 2   AF21                AF22                AF23
          DSCP 18 (010010)    DSCP 20 (010100)    DSCP 22 (010110)
Class 3   AF31                AF32                AF33
          DSCP 26 (011010)    DSCP 28 (011100)    DSCP 30 (011110)
Class 4   AF41                AF42                AF43
          DSCP 34 (100010)    DSCP 36 (100100)    DSCP 38 (100110)
Table 4-03: The AF DSCP Values
The table shows the four AF classes and the three drop preferences
(probabilities) within each class, as used by a queue that has congestion
avoidance deployed to avoid tail drop and to drop preferentially. Beside
each AFxy in the table, its corresponding decimal and binary DSCP values
are shown for reference.
Queuing
Per-Hop Behavior Queue Design Principles
Voice, video, and data applications converge on the network and must
coexist seamlessly, each receiving the QoS service it expects and is
guaranteed.
The performance of non-real-time applications can be degraded
significantly when real-time applications consume most of the link
bandwidth. Extensive testing has shown a significant performance impact
on non-real-time applications when more than one-third of a link is used
by real-time applications served from a strict-priority queue. Using
more than a third of link bandwidth for strict-priority queuing is
therefore not recommended; this principle keeps non-real-time
applications from dropping below their required QoS targets.
Equivalently, no more than 33 percent of the bandwidth should be used
for the expedited forwarding queue. This 33% design principle is not a
mandatory rule but a best practice design recommendation.
For an assured forwarding per-hop behavior, at least one queue should be
provisioned, and up to four subclasses can be defined within the AF
class: AF1x, AF2x, AF3x, and AF4x.
Each queue belonging to an AF subclass must have bandwidth matching the
application requirements of that traffic subclass. All traffic not
explicitly placed in other queues falls into the Default Forwarding (DF)
class. Because an enterprise uses many applications, it is important to
leave adequate room for those traffic types; typically 25 percent of
link bandwidth is used for this service class. Each queue reserves a
pre-specified bandwidth; if the amount of traffic on a particular queue
exceeds the bandwidth reserved for it, the queue builds up and
eventually incurs packet drops.
Queuing Schedulers
Priority Queueing (PRIQ)
Priority Queuing is the simplest form of traffic shaping and is often the
most effective. It only prioritizes traffic, without regard for
bandwidth.
Pros
Easy to understand and configure.
Cons
Lower-precedence queues can easily be starved of bandwidth completely.
Class Based Queueing (CBQ)
CBQ is the next step up from priority queuing. A tree hierarchy of
classes is created, each with an allocated priority and bandwidth limit.
Unlike PRIQ, which processes all packets from the highest-priority
class, CBQ processes packets from a class only until that class's
bandwidth limit is reached.
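The starvation described under PRIQ, and the way a per-class bandwidth limit in CBQ prevents it, can be seen in a small simulation. The following Python block is an added example, not code from the original text or from any firewall or router vendor; the link capacity, the per-interval arrivals and the CBQ limits are constructed values chosen so that the high-priority class demands more than the link can carry.

```python
"""Strict priority queueing (PRIQ) versus class-based queueing (CBQ),
simulated one scheduling interval at a time (added example)."""

from collections import deque


def priq_serve(queues, capacity):
    """queues: list of deques of packet sizes, index 0 = highest priority.
    Serve strictly in priority order until `capacity` bytes are used.
    Returns bytes sent from each queue this interval."""
    sent, left = [0] * len(queues), capacity
    for i, q in enumerate(queues):
        while q and q[0] <= left:
            left -= q[0]
            sent[i] += q.popleft()
    return sent


def cbq_serve(queues, limits, capacity):
    """limits[i]: bytes per interval class i may use before lower classes
    are served (its guaranteed share). Classes are still visited in
    priority order, but each stops at its limit; whatever capacity is
    left afterwards is offered again in priority order (borrowing)."""
    sent, left = [0] * len(queues), capacity
    for i, q in enumerate(queues):            # pass 1: each class up to its limit
        allowance = min(left, limits[i])
        while q and q[0] <= allowance:
            allowance -= q[0]
            left -= q[0]
            sent[i] += q.popleft()
    for i, q in enumerate(queues):            # pass 2: unused capacity is borrowed
        while q and q[0] <= left:
            left -= q[0]
            sent[i] += q.popleft()
    return sent


def simulate(scheduler, arrivals, capacity, intervals):
    """arrivals[i]: packet sizes offered to queue i in every interval.
    Returns (bytes delivered per queue, bytes still queued per queue)."""
    queues = [deque() for _ in arrivals]
    total = [0] * len(arrivals)
    for _ in range(intervals):
        for q, sizes in zip(queues, arrivals):
            q.extend(sizes)
        for i, n in enumerate(scheduler(queues, capacity)):
            total[i] += n
    return total, [sum(q) for q in queues]


# Constructed load: the link moves 3000 bytes per interval; queue 0 (the
# real-time, top-priority class) offers 4000 bytes per interval, more than
# the link can carry; queue 1 offers a modest 1000 bytes.
ARRIVALS = [[1000] * 4, [500] * 2]
CAPACITY, INTERVALS = 3000, 10
CBQ_LIMITS = [1000, 2000]   # one third of the link to queue 0, two thirds to queue 1


def compare():
    """Run both schedulers on the same constructed load."""
    priq = simulate(priq_serve, ARRIVALS, CAPACITY, INTERVALS)
    cbq = simulate(lambda q, c: cbq_serve(q, CBQ_LIMITS, c),
                   ARRIVALS, CAPACITY, INTERVALS)
    return {"priq": priq, "cbq": cbq}


if __name__ == "__main__":
    for name, (delivered, backlog) in compare().items():
        print(f"{name}: delivered {delivered} bytes, backlog {backlog} bytes")
```

Under PRIQ the second queue never sends a byte while the first is overloaded, which is the starvation the Cons line warns about; under CBQ the first class is held to its 1000-byte share per interval, the second class gets what it needs, and the unused remainder is borrowed back by the first class.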
Shaping
Traffic shaping is used to give traffic more predictable behavior. It
uses the Token Bucket model, in which the token bucket characterizes the
traffic source. The main Token Bucket parameters are:
Token Arrival Rate - v
Bucket Depth - Bc
Time Interval - tc
Link Capacity - C
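The token bucket with the parameters just listed (rate v, depth Bc, interval tc, with Bc = v * tc) is easiest to understand when the same bucket is driven once as a policer and once as a shaper. The Python below is an added example, not code from the original text or from any vendor; the contract of 1000 bytes/s with a 1500-byte bucket and the four sample packets are constructed inputs.

```python
"""Token-bucket model behind traffic shaping and policing (added example).

Tokens (bytes) arrive at rate v into a bucket of depth Bc; a packet of n
bytes may leave only when n tokens are available. Bc = v * tc is the burst
allowed per interval tc. A policer drops or re-marks packets that find too
few tokens; a shaper instead delays them until enough tokens have arrived."""


class TokenBucket:
    def __init__(self, rate, depth):
        self.rate = float(rate)     # v: token (byte) arrival rate, bytes/s
        self.depth = float(depth)   # Bc: bucket depth in bytes (= v * tc)
        self.tokens = self.depth    # the bucket starts full
        self.last = 0.0             # time of the last refill, seconds

    def _refill(self, now):
        if now > self.last:
            self.tokens = min(self.depth,
                              self.tokens + (now - self.last) * self.rate)
            self.last = now

    def police(self, size, now):
        """Policer: return True and consume tokens if the packet conforms;
        return False (exceed: drop or re-mark) without consuming any."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

    def shape(self, size, now):
        """Shaper: delay instead of drop. Returns the time the packet leaves:
        `now` if tokens suffice, otherwise when enough have accumulated."""
        now = max(now, self.last)   # FIFO: nothing leaves before the previous packet
        self._refill(now)
        if size > self.tokens:
            now += (size - self.tokens) / self.rate
            self._refill(now)
        self.tokens -= size
        return now


# Constructed sample: a 3000-byte burst at t=0 against a 1000 bytes/s
# contract with Bc = 1500 bytes (tc = 1.5 s), then one more 1000-byte
# packet at t = 1.0 s. Tuples are (arrival time in seconds, size in bytes).
SAMPLE = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (1.0, 1000)]
RATE, DEPTH = 1000, 1500


def run_policer(packets=SAMPLE):
    """Conform (True) / exceed (False) decision for each packet."""
    bucket = TokenBucket(RATE, DEPTH)
    return [bucket.police(size, t) for t, size in packets]


def run_shaper(packets=SAMPLE):
    """Release time of each packet when the same burst is shaped instead."""
    bucket = TokenBucket(RATE, DEPTH)
    return [round(bucket.shape(size, t), 6) for t, size in packets]


if __name__ == "__main__":
    print("policer conform flags:", run_policer())
    print("shaper release times :", run_shaper())
```

The policer passes only the part of the burst that fits in the bucket and discards the rest, while the shaper lets the whole burst through but spreads it out at the contracted rate, which is why shaping needs buffer memory and adds delay where policing does not.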
Configuring Traffic Shaping
Traffic shaping and queuing can be accomplished in several ways. The
easiest to implement is ALTQ-based shaping using the Traffic Shaping
Wizard.
Traffic Shaping is configured at Firewall > Traffic Shaping.
Limitations
ALTQ shaping cannot set an upper limit on traffic.
Wizards
The Traffic Shaping Wizard creates a default set of rules. The rules the
wizard produces cope well with VoIP traffic but may need modification to
accommodate traffic the wizard does not cover. The exact choice of
wizards depends on the version in use.
The wizard sizes the queues and bandwidths appropriately for most
configurations. They may need manual adjustment in some cases, but for
the majority of cases this is unnecessary.
Multiple Lan/Wan
This wizard accommodates an arbitrary number of WANs and LANs.
Dedicated Links
This wizard is meant for multiple WANs and LANs where specific LAN/WAN
pairings do not mix traffic with others. In this way a single firewall
manages several ‘virtual’ links.
Other Wizards
The other wizards can be used if their descriptions suit the environment.
Because the various wizards overlap heavily, the Multiple Lan/Wan wizard
covers most cases.
Policing
Policing enforces a configured rate at the device: traffic that conforms
to the QoS policy is passed, and traffic that exceeds it is dropped or
re-marked (assigned a color such as green, yellow, or red) rather than
delayed as it would be by shaping.
Note
DiffServ, or differentiated services, is a computer networking
architecture that specifies a simple and scalable mechanism for
classifying and managing network traffic and for providing Quality of
Service (QoS) on modern IP networks.
Differentiated Services
Differentiated Services is a multiple-service model that classifies
traffic with differing QoS requirements. With Differentiated Services the
network delivers a specific kind of service based on the QoS specified by
each packet. This specification can occur in many different ways. The
network uses the QoS specification to classify, mark, shape, and police
traffic and to perform intelligent queueing.
Differentiated Services is used by several mission-critical applications
and for providing end-to-end QoS. It performs a relatively coarse level
of traffic classification and is appropriate for aggregate flows.
DS Field Definition
Differentiated Services defines the DS field, a replacement header field
that supersedes the definitions of the IP version 4 (IPv4) type of
service (ToS) octet (RFC 791) and the IPv6 traffic class octet. Six bits
of the DS field are used as the DSCP to select the Per-Hop Behavior
(PHB) at each interface. The remaining 2 bits, originally reserved as
currently unused (CU), are now used for Explicit Congestion Notification
(ECN). DS-compliant interfaces ignore the value of the CU bits when
determining the PHB to apply to a received packet.
Per-Hop Behaviors
RFC 2475 defines the PHB as the externally observable forwarding
behavior applied at a DiffServ-compliant node to a DiffServ Behavior
Aggregate (BA), relying on the ability of the system to mark packets
with a DSCP setting. A BA is a collection of packets with the same DSCP
setting that are sent in a particular direction; packets from several
sources or applications can belong to the same BA.
A PHB can also be described as the packet scheduling, queueing,
policing, or shaping behavior of a node for any packet belonging to a
BA, as configured by a Service Level Agreement (SLA) or a policy map.
Default PHB
A packet marked with a DSCP value of 000000 receives the traditional
best-effort treatment from a DS-compliant node; this is what the default
PHB specifies. When a packet arrives at a DS-compliant node and its DSCP
value is not mapped to any other PHB, the packet is mapped to the
default PHB.
Class-Selector PHB
To preserve backward compatibility with any IP precedence scheme
currently in use on the network, DiffServ defines DSCP values of the
form xxx000, where x is either 0 or 1. These DSCP values are called
Class-Selector Code Points. The DSCP value 000000 of the default PHB is
also a Class-Selector Code Point. The PHB associated with a
Class-Selector Code Point is a Class-Selector PHB. These Class-Selector
PHBs retain most of the forwarding behavior of nodes that implement IP
Precedence-based classification and forwarding.
For example, packets with a DSCP value of 110000 usually receive
preferential forwarding treatment. Remember that 110000 is the
equivalent of the IP Precedence value 110, and the preferential
treatment is applied to scheduling, queueing, and so on. These
Class-Selector PHBs ensure that DS-compliant nodes can coexist with IP
Precedence-based nodes.
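The bit layouts discussed in the EF section, in Table 4-03 (AF classes and drop precedences, including the AF22 = 010100 marking used in the packet-forwarding walk-through), in the DS Field Definition, and in this Class-Selector section all follow from a few arithmetic rules. The Python helpers below are an added example, not code from the original text or from any vendor; they encode AFxy and CSn code points, split a ToS/Traffic Class byte into DSCP and ECN, and name the PHB a DSCP selects. The sample ToS bytes in the demo are constructed values.

```python
"""DS-field helpers (added example): encode AF and Class-Selector code
points, split a ToS byte into DSCP and ECN, and name the PHB for a DSCP
following RFC 2474 (CS/DF), RFC 2597 (AF) and RFC 3246 (EF)."""

EF = 46          # 101110: Expedited Forwarding
DEFAULT = 0      # 000000: Default (best effort) PHB, also CS0


def af_dscp(cls, drop):
    """DSCP for AFxy: class x (1..4) occupies the top 3 bits, drop
    precedence y (1..3) occupies bits 2..1; bit 0 is always 0."""
    if not 1 <= cls <= 4 or not 1 <= drop <= 3:
        raise ValueError("AF class must be 1..4 and drop precedence 1..3")
    return (cls << 3) | (drop << 1)


def cs_dscp(precedence):
    """Class-Selector DSCP xxx000 for an IP precedence value 0..7."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence must be 0..7")
    return precedence << 3


def split_tos(tos):
    """Split the 8-bit ToS / Traffic Class byte into (DSCP, ECN):
    the top 6 bits are the DSCP, the low 2 bits are ECN (the old CU bits)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS byte must be 0..255")
    return tos >> 2, tos & 0b11


def ip_precedence(dscp):
    """What a legacy IP-precedence node sees: the top 3 bits of the DSCP."""
    return dscp >> 3


def phb_name(dscp):
    """Name the PHB a 6-bit DSCP selects: EF, DF, CSn, AFxy or unknown."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    if dscp == EF:
        return "EF"
    if dscp & 0b111 == 0:                  # xxx000: class selector
        return "DF" if dscp == DEFAULT else f"CS{dscp >> 3}"
    cls, drop, low_bit = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if low_bit == 0 and 1 <= cls <= 4 and 1 <= drop <= 3:
        return f"AF{cls}{drop}"
    return "unknown"


if __name__ == "__main__":
    # Constructed ToS bytes: EF, AF22, CS6 and best effort.
    for tos in (0xB8, 0x50, 0xC0, 0x00):
        dscp, ecn = split_tos(tos)
        print(f"ToS 0x{tos:02X}: DSCP {dscp:06b} ({dscp:2d}) -> "
              f"{phb_name(dscp):5s} ECN {ecn:02b} "
              f"IP precedence {ip_precedence(dscp)}")
```

Decoding the top three bits separately is what makes the backward compatibility described above visible: EF (101110) and CS5 (101000) both read as precedence 5 (Critical) to an IP-precedence-only node, and AF2x (010xx0) reads as precedence 2.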
Figure 4-10: Per-Hop Treatment
Benefits of Implementing DiffServ
DiffServ implements the Differentiated Services architecture for
end-to-end quality of service. The benefits of implementing
Differentiated Services include:
The burden on network devices is reduced, and the design scales easily
as the network grows
Customers can keep any existing Layer 3 ToS prioritization scheme
DiffServ-compliant devices can be mixed with any existing ToS-enabled
equipment the customers use
Pressure on current corporate network resources is relieved through
efficient management
Network Devices for Remote Access using SSH
Access to a device can be controlled at any line (console, aux, or
terminal) by applying access-lists to the line, as explained in the
section on Local Authentication. SSH is also used to secure access.
Source Address: Restricting the source address is done by configuring
access-lists as described in the section “Local Authentication”.
Telnet/SSH: Use Secure Shell (SSH) instead of Telnet because it creates
a more secure session. Telnet uses an unencrypted data stream, whereas
SSH encrypts the session so that nobody watching the wire can see your
username and password.
Exam Tip
SSH works on a device only once its lines have been configured to accept
SSH sessions. SSH is more secure than Telnet. Accessing a network device
using SSH is a topic you need to understand both to clear the exam and
to keep your network secure.
Capabilities and Functions of TFTP/FTP in the Network
File Transfer Protocol (FTP)
Both the File Transfer Protocol (FTP) and the Trivial File Transfer
Protocol (TFTP) transfer files between systems. FTP allows a remote user
to navigate the server's file structure and upload and download files.
TFTP is a simplified alternative to FTP that provides no authentication;
it is used to transfer configurations to and from network devices. Both
FTP and TFTP are inherently insecure protocols.
Neither protocol uses encryption, so both authentication and file data
traverse the network in the clear. They should be considered only when
sharing non-sensitive data with the general public or when operating in
an inherently secure environment. A secure alternative exists: SFTP,
which runs over the Secure Shell (SSH) protocol, transfers files with
authentication and data encrypted in transit.
Note
FTP uses two TCP ports: port 20 for sending data and port 21 for sending
control commands. The protocol supports authentication, but like Telnet
it sends all data, including usernames and passwords, in clear text.
Capabilities and functions of File Transfer Protocol
File Transfer Protocol (FTP) is an application-layer protocol that
transfers files between local and remote file systems. Like HTTP, it
runs on top of TCP. To move a file, FTP uses two TCP connections in
parallel: a control connection and a data connection.
Figure 4-11: File Transfer Protocol Diagram
What is the control connection?
The control connection carries control information such as user
identification, the password, commands to change the remote directory,
and commands to retrieve and store files. The control connection is
initiated on port number 21.
What is the data connection?
FTP uses the data connection to send the actual file. In active mode the
server initiates the data connection from port number 20. Because FTP
uses a separate control connection, it is said to send its control
information out-of-band. Protocols such as HTTP and SMTP, which carry
commands and data over the same connection, send their control
information in-band.
FTP Session:
When an FTP session starts between a client and a server, the client
opens a control TCP connection to the server and sends control
information over it. When the server receives this information, it
initiates a data connection to the client. Only one file can be sent
over a data connection. The control connection remains active
throughout the user session. HTTP is stateless and does not have to keep
track of any user state, but FTP must maintain state about the user
throughout the session.
Data Structures: FTP allows three types of data structure:
File Structure: A file-structure file has no internal structure and is
considered a continuous sequence of data bytes.
Record Structure: A record-structure file is made up of sequential
records.
Page Structure: A page-structure file is made up of independent indexed
pages.
FTP Commands:
Some of the FTP commands are given below:
USER: Sends the user identification to the server.
PASS: Sends the user's password to the server.
CWD: Allows the user to work with a different directory or dataset for
file storage or retrieval without altering login or accounting
information.
RMD: Causes the directory specified in the pathname to be removed.
MKD: Causes the directory specified in the pathname to be created.
PWD: Returns the name of the current working directory in the reply.
RETR: Causes the server to open a data connection and send the requested
file over it.
STOR: Stores a file in the current directory of the remote host.
LIST: Requests a listing of the files in the directory.
ABOR: Aborts the previous FTP service command and any associated data
transfer.
QUIT: Terminates the USER session; the server closes the control
connection once no file transfer is in progress.
FTP Replies:
Examples of FTP replies include:
200 Command okay.
530 Not logged in.
331 User name okay; a password is needed.
225 Data connection open; no transfer in progress.
221 Service closing control connection.
551 Requested action aborted: page type unknown.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.
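The control-connection exchange described above (client commands, three-digit server replies, the USER/PASS sequence) can be exercised without a network. The Python below is an added example, not code from the original text or from any FTP implementation; the two server transcripts are constructed, and the login walk shows why the page calls FTP insecure: every byte of the password sent as PASS would cross the wire in clear text.

```python
"""FTP control-connection helpers (added example): parse RFC 959 reply
lines, including multi-line replies, and walk a USER/PASS login against a
constructed server transcript."""

import re

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")   # code, then ' ' (final) or '-' (more lines)


def parse_replies(lines):
    """Group raw control-connection lines into (code, text) replies.
    A multi-line reply opens with 'xyz-' and closes with a line 'xyz '."""
    replies, open_code, buf = [], None, []
    for line in lines:
        m = REPLY_RE.match(line)
        if open_code is None:
            if not m:
                raise ValueError(f"not a reply line: {line!r}")
            code, sep, text = m.groups()
            if sep == "-":
                open_code, buf = code, [text]
            else:
                replies.append((int(code), text))
        elif m and m.group(1) == open_code and m.group(2) == " ":
            buf.append(m.group(3))
            replies.append((int(open_code), "\n".join(buf)))
            open_code, buf = None, []
        else:
            buf.append(line)                    # continuation line of an open reply
    if open_code is not None:
        raise ValueError("unterminated multi-line reply")
    return replies


def reply_class(code):
    """Meaning of the first digit of a reply code (RFC 959)."""
    return {1: "positive preliminary", 2: "positive completion",
            3: "positive intermediate", 4: "transient negative",
            5: "permanent negative"}[code // 100]


def login(user, password, server_lines):
    """Drive the USER/PASS sequence against a server transcript.
    Returns (logged_in, commands_sent). Note that both commands, password
    included, travel in clear text on a real control connection."""
    replies = iter(parse_replies(server_lines))
    sent = []
    code, _ = next(replies)                     # greeting: expect 220
    if code != 220:
        return False, sent
    sent.append(f"USER {user}")
    code, _ = next(replies)
    if code == 230:                             # server needed no password
        return True, sent
    if code != 331:                             # 331 = password required
        return False, sent
    sent.append(f"PASS {password}")
    code, _ = next(replies)
    return code == 230, sent


# Constructed transcripts of the server side of the control connection.
GOOD_SERVER = [
    "220-Constructed test server",
    " Unauthorized access prohibited",
    "220 Ready",
    "331 User name okay; a password is needed.",
    "230 User logged in, proceed.",
]
BAD_SERVER = [
    "220 Ready",
    "331 User name okay; a password is needed.",
    "530 Not logged in.",
]

if __name__ == "__main__":
    for code, text in parse_replies(GOOD_SERVER):
        print(code, reply_class(code), "|", text.replace("\n", " / "))
    print(login("alice", "s3cret", GOOD_SERVER))
    print(login("alice", "wrong", BAD_SERVER))
```

The multi-line handling matters in practice because server banners are often several lines long; a parser that only reads one line would treat the banner's second line as the reply to USER.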
Trivial File Transfer Protocol (TFTP)
TFTP is a network protocol used to transfer files between remote
machines. It lacks some of the more advanced features that FTP offers
and requires fewer resources than FTP; it can only send and receive
files. TFTP was developed in the 1970s and is still used to save and
restore a router configuration or to back up an IOS image. It is a very
simple protocol with limited features compared to File Transfer Protocol
(FTP), and it provides no authentication or security while transferring
files. It is usually used to transfer boot files or configuration files
between machines on a local network. Using it over the internet is very
dangerous because of its lack of security.
Computers and devices that boot without hard disk drives or other
storage rely heavily on this protocol, because a small amount of memory
is enough to implement it. For this reason TFTP is one of the core
elements of network boot protocols such as the Pre-boot Execution
Environment (PXE). The transfer request is sent to UDP port 69; once the
transfer is initiated, the sender and receiver each select the ports
used for the rest of the data transfer.
Home network administrators use TFTP to upgrade router firmware.
Professional administrators use TFTP to distribute software across
corporate networks.
Key Features of TFTP
Good for simple file transfers, such as during boot time
UDP is used as the transport layer protocol, so the TFTP endpoints
themselves must handle transmission errors (checksum errors, lost
packets)
Connections are initiated through the single well-known port 69
TFTP is a simple lock-step protocol in which each data packet must be
acknowledged before the next is sent, which limits throughput
Capabilities of TFTP
TFTP uses client and server software to make connections between two
devices. From a TFTP client, individual files can be copied (uploaded)
to or downloaded from the server. The server hosts the files and answers
client requests by sending or receiving files.
Note
TFTP relies on UDP to transport data
TFTP can be used to boot a computer remotely and to back up network or
router configuration files.
TFTP Client and Server Software
Current versions of Microsoft Windows, Linux, and macOS include
command-line TFTP clients. TFTP clients with graphical interfaces are
also available as freeware; TFTPD32, for example, includes a TFTP
server. Another GUI client and server for TFTP is Windows TFTP Utility.
Several free Windows TFTP servers are available for download. Linux and
macOS systems also include TFTP servers, although they may be disabled
by default.
Note
Networking experts recommend configuring TFTP servers carefully to
avoid potential security problems.
Differences between TFTP & FTP
The key aspects that differentiate the Trivial File Transfer Protocol
from FTP are:
Original versions of TFTP could transfer files up to 32 MB in size; the
latest TFTP servers have removed this restriction or may limit the file
size to 4 GB
TFTP has no login features, so no username and password are prompted
for
Sensitive files must not be shared using TFTP; files that are shared
should be protected by other means or have access to them audited
Files cannot be listed, renamed, or deleted over TFTP
TFTP uses UDP port 69 to establish network connections, while FTP uses
TCP ports 20 and 21
TFTP is implemented over UDP and generally works only on local area
networks
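The key features listed earlier (UDP, the single well-known port 69, the lock-step acknowledgement of every data packet) and the differences just listed (no login, the original 32 MB limit) all follow from the RFC 1350 packet format. The Python below is an added example, not code from the original text or from any TFTP implementation: it encodes and decodes the five packet types and simulates a read transfer against an in-memory server; the file content is constructed.

```python
"""TFTP (RFC 1350) packet encoding and decoding plus an in-memory
lock-step read (added example). Opcodes: 1 RRQ, 2 WRQ, 3 DATA, 4 ACK,
5 ERROR. Everything is carried in UDP datagrams; there is no login."""

import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512                            # a shorter block ends the transfer
MAX_ORIGINAL_SIZE = 65535 * BLOCK_SIZE      # 16-bit block numbers: the old ~32 MB ceiling


def encode_request(opcode, filename, mode="octet"):
    """RRQ/WRQ = opcode | filename NUL | mode NUL. Note the absence of any
    username or password field: the protocol simply has none."""
    return (struct.pack("!H", opcode) + filename.encode() + b"\0"
            + mode.encode() + b"\0")


def encode_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def encode_ack(block):
    return struct.pack("!HH", ACK, block)


def encode_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def decode(packet):
    """Parse any TFTP packet into (opcode, fields)."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (op,) = struct.unpack("!H", packet[:2])
    if op in (RRQ, WRQ):
        parts = packet[2:].split(b"\0")
        if len(parts) < 3:
            raise ValueError("malformed request")
        return op, {"filename": parts[0].decode(), "mode": parts[1].decode().lower()}
    (num,) = struct.unpack("!H", packet[2:4])
    if op == DATA:
        return op, {"block": num, "data": packet[4:]}
    if op == ACK:
        return op, {"block": num}
    if op == ERROR:
        return op, {"code": num,
                    "message": packet[4:].rstrip(b"\0").decode(errors="replace")}
    raise ValueError(f"unknown opcode {op}")


def read_transfer(files, filename):
    """Simulate a client RRQ against an in-memory server. Every DATA block
    is acknowledged before the next is sent (lock-step); a block shorter
    than 512 bytes ends the transfer. Returns (file bytes, packets exchanged)."""
    request = encode_request(RRQ, filename)       # would be sent to UDP port 69
    _, req = decode(request)
    packets = 1
    if req["filename"] not in files:
        _, err = decode(encode_error(1, "File not found"))
        raise FileNotFoundError(err["message"])
    content, received, block = files[req["filename"]], bytearray(), 1
    while True:
        chunk = content[(block - 1) * BLOCK_SIZE: block * BLOCK_SIZE]
        op, data = decode(encode_data(block, chunk))
        packets += 1
        if op != DATA or data["block"] != block:
            raise ValueError("out-of-order DATA block")
        received += data["data"]
        op, ack = decode(encode_ack(block))       # client must ACK before the next block
        packets += 1
        if op != ACK or ack["block"] != block:
            raise ValueError("bad ACK")
        if len(chunk) < BLOCK_SIZE:
            return bytes(received), packets
        block += 1


# Constructed server content: 60 lines of 12 bytes = 720 bytes, i.e. one
# full 512-byte block followed by a final 208-byte block.
FILES = {"startup-config": b"hostname R1\n" * 60}

if __name__ == "__main__":
    data, n = read_transfer(FILES, "startup-config")
    print(f"received {len(data)} bytes in {n} packets (1 RRQ + DATA/ACK pairs)")
    print(f"original block-number limit: {MAX_ORIGINAL_SIZE} bytes")
```

Two things the simulation makes concrete: a file whose length is an exact multiple of 512 needs one extra, empty DATA block to signal the end, and since every block waits for its ACK the transfer rate is bounded by one round trip per 512 bytes, which is the throughput limitation mentioned under Key Features.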
Exam Tip
To pass the exam, you should know the differences between FTP and TFTP
with respect to encryption, authentication, and confidentiality.
Mind Map
Figure 4-12: Mind Map of IP Services
Summary
Configure and Verify Inside Source NAT using Static and
Pools
In the process of Network Address Translation (NAT), a firewall gives a
public address to a computer or group of computers within a private
network
Routers inside the private network can route traffic between private
addresses without any trouble
The firewall acts as the intermediary between the external world and
the protected internal network and adds a layer of security
The inside addresses must be translated because the outside addresses
are not under the organization's control
The three ways to configure NAT are Static NAT, Dynamic NAT, and Port
Address Translation (PAT)
NAT64 is the process of translating an IPv6 address to an IPv4 address
for communication, and vice versa
Cisco IP SLA (Service Level Agreement) allows you to monitor services in
order to increase performance and productivity, lower the frequency of
network outages, etc.
PAT is an extension of NAT in which multiple IP addresses on a LAN are
mapped to a single public IP address
Configure and Verify NTP Operating in a Client and Server
Mode
NTP synchronizes the clocks of computer systems over packet-switched,
variable-latency data networks
An NTP server ultimately derives its time from a reference such as an
atomic clock
The date and time on a router can be set in one of two ways: setting the
date and time manually, or configuring the Network Time Protocol (NTP)
NTP allows networking devices on the network to synchronize their time
and date with an NTP server device
Syslog is one of the most common methods of accessing the system
messages that devices provide
It monitors the events occurring on the system and stores the messages
at the desired location
The Role of DHCP and DNS within the Network
The information required to configure a DHCP server for hosts includes:
the network and mask for every LAN, reserved/excluded addresses, the
default router, and the DNS address
The DNS server's IP address on a network is identified using the DNS
settings
A default gateway for the clients is defined using the gateway option
The Function of SNMP in Network Operations
Simple Network Management Protocol (SNMP) provides a message format for
agents on a variety of devices to communicate with Network Management
Stations (NMSs)
The information is organized in a database called the Management
Information Base (MIB), which managers read or write
SNMP SET messages are used to push configuration settings to agents
SNMP is used to analyze information and compile the results in a report
or even a graph
SNMP has three versions (v1, v2, and v3)
SNMPv2 supports plain-text authentication with community strings and no
encryption, but offers GET BULK, a way to collect many types of
information at once and minimize the number of GET requests
SNMPv3 supports authentication with HMAC-SHA or HMAC-MD5
It provides confidentiality (encryption) and data integrity of messages
between agents and managers using DES, 3DES, or AES (including AES-256)
encryption
Use of Syslog Features
Using the syslog features is an effective method of watching what is
going on with a network at a particular time
Network devices are configured to produce syslog messages and forward
them to various destinations
The system message format can be broken down as sequence number,
timestamp, facility, severity, MNEMONIC, and description
Configure and Verify DHCP Client and Relay
Dynamic Host Configuration Protocol (DHCP) is a network protocol
It enables a server to assign an IP address automatically to a computer
from a defined range of numbers
A DHCP server is a network server that automatically provides and
assigns IP addresses, default gateways, and other network parameters to
client devices
Without DHCP, the network administrator has to set up manually every
client that joins the network
DHCP servers offer logging and management interfaces that help
administrators manage their IP address scopes
Forwarding Per-hop Behavior for QoS such as Classification,
Marking, Queuing, Congestion, Policing, Shaping
A forwarding behavior is assigned to each DSCP
The PHB defines the forwarding priority of a marked packet
When traffic flows leave the IPQoS-enabled system, the DSCPs defined in
the QoS policy indicate the precedence levels of the traffic classes
The Diffserv architecture defines the behaviors, which include Expedited
Forwarding (EF) and Assured Forwarding (AF)
Network Devices for Remote Access using SSH
SSH is a method used to secure access
Source addresses are restricted by configuring access-lists
Telnet uses an unencrypted data stream, whereas SSH encrypts the session
so that nobody can see the username and password
Capabilities and Functions of TFTP/FTP in the Network
Both the File Transfer Protocol (FTP) and the Trivial File Transfer
Protocol (TFTP) are used to send files between systems
TFTP is a simple alternative to FTP that offers no authentication
Configurations are transferred to and from network devices by
using TFTP
The Secure Shell (SSH) protocol is used by the secure FTP
protocol to encrypt standard FTP communications and provide
confidentiality in transit
FTP makes use of a data connection for sending the actual file,
where port number 20 is used to initiate the data connection
TFTP lacks some of the more advanced features that FTP offers
Computers and devices without hard disk drives or other storage
devices commonly boot using this protocol, because a small amount
of memory is enough to implement it
TFTP is used by professional administrators to distribute
software across corporate networks
Practice Questions
1. Which of the following message formats is provided for agents on a
variety of devices to communicate with Network Management Stations
(NMSs)?
A. OSPF
B. SNMP
C. DSCP
D. TFTP
2. A low loss, latency, and jitter is provided with which one of the
following?
A. SNMP
B. TFTP
C. EFs related DSCP
D. GET BULK
3. How many different types of forwarding classes are provided by the
per-hop behavior?
A. Three
B. Two
C. Four
D. Five
4. Which of the following protocols uses encryption keys to send data
so that no one can see your username and password?
A. TFTP
B. SSH
C. HTTP
D. TCP
5. Which protocol is used to transfer the boot files or configuration
files between machines in a local setup?
A. FTP
B. TFTP
C. TCP
D. HTTP
6. Which protocol is used to analyze information and compile the
outcomes in a report or even a graph?
A. SMTP
B. SNMP
C. SNMPV2
D. TFTP
7. Which of the following protocols supports plain-text authentication with
community strings with no encryption but provides GET BULK?
A. SMTP
B. SNMP
C. SNMPV2
D. TFTP
8. What is the most popular and efficient method of seeing the running
configuration on your network at a particular time?
A. OSPF
B. SNMP
C. DSCP
D. TFTP
9. Which protocol is used to boot computers and devices that do
not have hard disk drives or storage drives?
A. TFTP
B. FTP
C. SNMP
D. DHCP
10. Which UDP port is used by TFTP to establish network
connections?
A. 20
B. 69
C. 21
D. None of the above
11. Which protocol is used to upload and download the files and to
navigate the server's file?
A. UDP
B. FTP
C. TCP
D. HTTP
12. Which connection is established with the server side when the
FTP session starts?
A. UDP
B. SNMP
C. TCP
D. HTTP
13. Which of the following protocols accounts for the limited throughput of TFTP?
A. Simple Network Management Protocol
B. Lock-Step Protocol
C. User Datagram Protocol
D. File Transfer Protocol
14. Workstations requiring special access outside the network are
assigned specific external IPs by using which of the following
protocols?
A. PHB
B. SNMP
C. NAT
D. TCP
15. Which address is not in control of any organization?
A. Inside
B. Outside
C. Global
D. Inside Global
16. Which of the following methods allows the user to conserve
addresses in the global address pool by allowing source ports in TCP
and UDP to be translated?
A. NAP
B. SLA
C. PHB
D. PAT
17. Which one of the following supports a cryptographic
authentication technique between NTP peers?
A. NTP
B. UDP
C. NTPV3
D. TCP
18. Which of the following can be used to send a triggered piece of
information to the SNMP manager?
A. WALK
B. SET
C. TRAP
D. GET
19. In which of the following techniques does traffic not have to
wait in line?
A. Expedited Forwarding
B. Assured Forwarding
C. Per-Hop Behavior
D. Packet Forwarding
20. Which of the following provides and assigns IP addresses,
default gateways and other network parameters to client devices?
A. TCP Server
B. DHCP Server
C. UDP Server
D. HTTP Server
Chapter 05: Security Fundamentals
Technology Brief
As computer network technology and internet technology develop
more rapidly, people are becoming more aware of the importance of network
security. Network security is the main issue of computing because many types
of attacks are increasing day by day. Protecting computer and network
security is a critical issue. Network security is a very important
consideration for accessing the internet and for transferring data. In this
chapter, we are going to discuss security threats, observed vulnerabilities,
exploits and mitigation techniques.
Security Concepts
The most prominent topic nowadays is network and information system
security and the associated risks and attacks. One after another, networks
are compromised due to insufficient network security policies. But the
question is: why is network security so important? Network security is
important because of its direct impact on the continuity of any organization's
business.
Network security attacks can cause the following impacts in an organization:
o Loss of business data
o Interruption and misuse of people’s privacy
o Threats to and compromise of the integrity of an organization's data
o Loss of reputation
Nowadays, people are becoming more aware of securing their devices
connected to the public internet because of the data leakage, alteration
and misuse events that have occurred in the past few years. Network
vulnerabilities and new methods of attack are growing day by day; hence the
techniques for making networks more secure are evolving as well.
Threats
A threat indicates the possibility of an exploit or attack with potential risks. A
threat is any insecurity lying in a system that can be exploited. The presence of
a vulnerability in a system results in a threat. The entity that uses the
vulnerability to attack a system is known as a malicious actor, and the path used
by this entity to launch the attack is known as the threat vector. Some of the major
threat classifications include:
User Identity Spoofing: This includes multiple techniques used to misrepresent
legitimate user information, like GPS spoofing, email-address spoofing and
caller-ID spoofing, the last of which is used in Voice-over-IP.
Information Tampering: This includes threats that are related to the
altering of information rather than stealing it, for example changing financial
records and transactions used in banks, criminal records, etc.
Data Leakage: This means revealing or sending data either outside the
organization or to someone who is not authorized to receive it. It also includes the
disclosure of information from different running services and operational
processes. Implementing DLP controls and strict information security
policies can help to prevent this leakage.
Denial of Service (DoS): This is a type of attack in which the service offered by
a system or a network is denied. Services may be denied outright, reduced in
functionality, or access to the resources may be prevented even for legitimate
users. There are several techniques to perform a DoS attack, such as generating
a large number of service requests to the targeted system. These large
numbers of incoming requests overload the system's capacity, which results in
denial of service. Botnets and zombies are compromised systems that
are used to generate huge traffic for a DDoS attack.
Figure 5-01: Denial-of-Service Attack 
Common symptoms of a DoS attack are:
Slow performance
High CPU and memory utilization
Unavailability of a resource
Loss of access to a service
Discontinuation of a wireless or wired internet connection
Denial of access to any internet service
Vulnerabilities
Vulnerability is defined as an inherent weakness in the design, configuration,
implementation, or management of a network or system that can be exploited
by an attacker. A vulnerability can be present at any level of the system
architecture.
Classifying vulnerabilities on the basis of how threatening they are or how they
would impact the system helps in identifying their impact on the system. The
Common Vulnerabilities and Exposures (CVE) List was launched by MITRE
as a community effort in 1999, and the U.S. National Vulnerability Database
(NVD) was launched by the National Institute of Standards and Technology
(NIST) in 2005. CVE catalogs the known vulnerabilities over the internet.
It can be searched via any search engine available today. The following are a
few of the important reasons through which a vulnerability can exist in a
system:
Policy flaws
Design errors
Protocol weaknesses
Misconfiguration
Software vulnerabilities
Human factors
Malicious software
Hardware vulnerabilities
Physical access to network resources
Exploits
The term "exploit" refers to the action of an attacker in which a vulnerability is
leveraged to intrude into a system. The attacker takes advantage of the
vulnerability; for example, an unpatched system is easily exploitable. It may also
refer to software code or a program which bypasses a security mechanism
to provide access to the system.
Some exploits are designed specifically to attack vulnerabilities in
applications or systems in order to take control over servers or computer systems.
Remember that in some cases exploits do not need software to achieve their
goals. For example, scams that involve social engineering a person or
employee into revealing sensitive or critical information are perfect examples
of exploits that require neither software nor hacking skills.
Mitigation Techniques
The word mitigation denotes the act of reducing the severity or seriousness of
the impact of something on a situation. IT threat mitigation is then defined
as the addressing actions, prevention techniques, or remedies implemented to
reduce IT threats to a network, computer, or server. 'IT threat' is actually a
broad term that covers the physical, software, and hardware threats that any IT
system may encounter.
Signature Management
A digital signature is the digital equivalent of an authentication mechanism that
validates the integrity of a message or file. Digital signatures can also
provide non-repudiation. They are important for detecting forgery or tampering in
digital information. Digital signatures are equivalent to traditional
handwritten signatures in many respects, but properly implemented digital
signatures are more difficult to forge than the handwritten type. Digital
signatures employ asymmetric cryptography.
Digital signatures are the digital equivalent of a sealed envelope and are
intended to ensure that a file has not been altered in transit. Any file with
a digital signature allows the recipient to verify not only the publisher of the
content or file, but also the integrity of the content at the time of download. On the
network, PKI enables users to issue certificates to internal
developers/contractors and allows any member to verify the origin and
integrity of downloaded applications.
Device Hardening
Device hardening is a technique that applies not only to routers, switches and
servers but also to all network devices, including laptops, desktops
and mobile devices. One of the current goals of operations security is to
ensure that all systems have been hardened to the extent possible while
still providing functionality. Hardening can be achieved on both a physical
and a logical basis.
From a logical perspective:
Implementing the least privilege rule
Changing default credentials and implementing strong password
policy
Patching OS and applications
Disabling unnecessary services and ports
Change Default Native VLAN
On switches, the native VLAN is the only VLAN that is not tagged on a
trunk. This means that native VLAN frames are transmitted unchanged. By
default, the native VLAN is VLAN 1, and that default represents a
weakness, in that it is information an attacker can take
advantage of. To provide security, you must change
the native VLAN to another VLAN.
Switch Port Protection
The switch port protection feature is a key implementation of network
switch security. It provides the ability to limit which addresses are allowed
to send traffic on individual switch ports within the switched network. Switch
port security starts with understanding potential vulnerabilities and then
addressing them through correct configuration. These measures may include
Spanning Tree, Flood Guard, BPDU Guard, Root Guard, and DHCP
Snooping. Unused switch ports must be administratively shut down.
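Several of the weaknesses named on this page (default SNMP community strings, Telnet on the management lines, a plaintext enable password, trunks left on native VLAN 1, and unused ports not shut down) can be caught by reading a device's saved configuration rather than waiting for an incident. The audit below is an added example, not the page's or any vendor's tool: the config excerpt is constructed in Cisco IOS style to exhibit those weaknesses, the block parser relies on the convention that sub-commands are indented under their parent line, and the "a port with no configuration at all is unused" rule is a heuristic assumption, not a fact from the page.

```python
from dataclasses import dataclass

# Constructed IOS-style running-config excerpt (not from the page or any real device),
# deliberately showing the weaknesses discussed in the text.
SAMPLE_CONFIG = """\
hostname SW1
!
enable password cisco
!
snmp-server community public RO
snmp-server community private RW
snmp-server community N3tm0n-r0 RO 10
!
interface GigabitEthernet0/1
 description Uplink to CORE
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/2
 description Uplink to DIST
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
 shutdown
!
line vty 0 4
 transport input telnet ssh
!
line vty 5 15
 transport input ssh
!
end
"""

DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass
class Finding:
    check: str
    location: str
    detail: str


def parse_blocks(text: str) -> list:
    """Split an IOS-style config into (header, [child lines]) blocks: top-level commands
    start at column 0 and their sub-commands are indented beneath them."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(text: str) -> list:
    findings = []
    for header, children in parse_blocks(text):
        words = header.split()
        if header.startswith("enable password"):
            # Plaintext enable password instead of a hashed enable secret
            findings.append(Finding("enable-password", header, "use 'enable secret' (hashed) instead"))
        elif header.startswith("snmp-server community"):
            # SNMPv1/v2c community: default names or write access travel in cleartext
            community, mode = words[2], (words[3].upper() if len(words) > 3 else "RO")
            if community.lower() in DEFAULT_COMMUNITIES or mode == "RW":
                findings.append(Finding("snmp-community", header,
                                        "default or read-write community string; prefer SNMPv3"))
        elif header.startswith("interface"):
            name = words[1]
            is_trunk = "switchport mode trunk" in children
            native = next((c.split()[-1] for c in children
                           if c.startswith("switchport trunk native vlan")), "1")
            if is_trunk and native == "1":      # default native VLAN, explicit or implicit
                findings.append(Finding("native-vlan-1", name, "change the trunk native VLAN from the default"))
            if not children:                    # heuristic: unconfigured port is unused
                findings.append(Finding("unused-port-up", name, "unused port should be administratively shut down"))
        elif header.startswith("line vty"):
            # Telnet (or 'all') accepted on VTY lines: credentials cross the network in cleartext
            for c in children:
                if c.startswith("transport input") and ({"telnet", "all"} & set(c.split()[2:])):
                    findings.append(Finding("telnet-enabled", header, "restrict to 'transport input ssh'"))
    return findings


def findings_by_check(findings) -> dict:
    summary = {}
    for f in findings:
        summary[f.check] = summary.get(f.check, 0) + 1
    return summary


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.check}] {f.location}: {f.detail}")
```

Run against the sample it reports six findings across the five checks; a trunk with no `switchport trunk native vlan` line at all is also flagged, since the default is VLAN 1 either way. Because the checks work on the saved text, they can be run on every config backup as a change-control gate rather than on the live device.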
Network Segmentation
Network segmentation reduces the congestion in the network. Apart from
enhancing the network performance, network segmentation plays an
important role in strengthening the network security by isolating the
management network and critical servers from normal traffic.
DMZ
Generally, three zones are associated with firewalls: Internal, External, and
Demilitarized (DMZ). The internal zone is the zone inside all firewalls,
and it is considered the protected area where the most critical servers, such
as domain controllers holding sensitive information, are placed. The
external zone is the area outside the firewall, representing the network that
the inside is protected against, such as the internet. The DMZ is placed where the
network has more than one firewall; it is a zone between two firewalls.
It can also be created using a device that has at least three network connections,
sometimes referred to as a three-pronged firewall. In the DMZ, place the servers
that are used by hosts on both the internal network and the external network,
which may include web, VPN, and FTP servers.
Figure 5-02: DMZ using One Firewall
VLAN
Switches and routers have physical interfaces, commonly known as
physical ports; these ports can be configured in a variety of ways, depending
upon the topology, design, type of encapsulation, duplex, and speed of the
link.
VLANs on switches allow users to create network segmentation by creating
multiple virtual subnets while maintaining a flexible network that is easy to
modify when required. Conversely, an improper VLAN assignment on a
port will effectively place clients in a subnet that is not controlled by the
administrator. This is not only a connectivity issue; it could also create
security issues. VLAN assignment should be done with great care as
to which client computer is connected to which VLAN interface.
Privileged User Account
The Least Privilege Principle states that,
“A subject should be given only those privileges needed for it to complete its
task”
Every program and every user of the system uses the least set of privileges
needed to complete the job. The damage resulting from an accident or error is
limited by this principle. The number of potential interactions among
privileged programs is reduced to the minimum needed for correct operation, so that
unintentional, unwanted, or improper uses of privilege are less likely to
occur. The number of programs that must be audited is minimized if a question
arises related to misuse of a privilege. An example of this principle is the
military security rule of "need-to-know".
According to the principle of least privilege, only the minimum access necessary
to perform an operation should be granted, and it should be granted only for
the minimum amount of time necessary.
File Integrity Monitoring
Integrity is the process of ensuring that received data is the same as what was
originally sent. Integrity is designed to eliminate situations where
someone is tampering with your data. File integrity monitoring applies the
concept of file hashing discussed earlier, but with a
software program. File integrity monitoring observes changed settings or
access controls, attributes and sizes, and, of course, the hashes of files.
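A minimal file integrity monitor does exactly what the paragraph lists: record a hash, the size and the permission bits of every file as a baseline, then re-scan and report what changed. The code below is an added example, not the page's or any product's implementation; the tampering scenario in `demo()` (an account appended to a passwd-style file, a binary made world-writable, a new binary dropped in) is constructed inside a temporary directory for illustration, and SHA-256 is the assumed hash.

```python
import hashlib
import os
import stat
import tempfile


def file_record(path: str) -> dict:
    """Capture the attributes an integrity monitor compares: content hash, size, permission bits."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: str) -> dict:
    """Walk a directory tree and record every regular file, keyed by its path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_record(full)
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Report added, removed and modified files; for modified files list which attributes changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = {}
    for path in sorted(set(old) & set(new)):
        changed = sorted(k for k in old[path] if old[path][k] != new[path][k])
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, tamper with the tree, and diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        passwd = os.path.join(root, "etc", "passwd")
        tool = os.path.join(root, "bin", "tool")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        os.chmod(tool, 0o755)

        baseline = build_baseline(root)

        # Tampering: extra account appended (hash and size change), binary made
        # world-writable (only the mode changes), new binary dropped in (added file).
        with open(passwd, "a") as fh:
            fh.write("backdoor:x:0:0::/root:/bin/sh\n")
        os.chmod(tool, 0o777)
        with open(os.path.join(root, "bin", "newtool"), "w") as fh:
            fh.write("#!/bin/sh\n")

        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Note that the permission change on `bin/tool` is reported even though its hash is unchanged, which is why a monitor compares attributes and access controls as well as content. In practice the baseline itself must be stored somewhere the monitored host cannot rewrite, or an intruder who alters a file can simply re-baseline it.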
Role Separation
Role separation, also known as separation of duties, requires one user to
perform a specific task and another one to perform a related task. This
reduces the possibility of fraud or errors occurring, by implementing an
equalized