CCNA PPT.ppt

edieali1 16 views 238 slides May 31, 2024
Slide Content

© 2003, Cisco Systems, Inc. All rights reserved.

2

3
Data Networks
Sharing data through the use of floppy disks is not an efficient
or cost-effective manner in which to operate businesses.
Businesses needed a solution that would successfully
address the following three problems:
• How to avoid duplication of equipment and resources
• How to communicate efficiently
• How to set up and manage a network
Businesses realized that networking technology could
increase productivity while saving money.

4
Networking Devices
Equipment that connects directly to a network segment is
referred to as a device.
These devices are broken up into two classifications.
• end-user devices
• network devices
End-user devices include computers, printers, scanners, and
other devices that provide services directly to the user.
Network devices include all the devices that connect the end-user devices together to allow them to communicate.

5
Network Interface Card
A network interface card (NIC) is a printed circuit board
that provides network communication capabilities to and
from a personal computer. Also called a LAN adapter.

6
Networking Device Icons

7
Repeater
A repeater is a network device used to regenerate a signal.
Repeaters regenerate analog or digital signals distorted by
transmission loss due to attenuation. A repeater does not
perform intelligent routing.

8
Hub
Hubs concentrate connections. In other words, they take a group of hosts and allow the network to see them as a single unit. This is done passively, without any other effect on the data transmission.
Active hubs not only concentrate hosts, but they also regenerate signals.

9
Bridge
Bridges convert network transmission data formats as well as
perform basic data transmission management. Bridges, as
the name implies, provide connections between LANs. Not
only do bridges connect LANs, but they also perform a check
on the data to determine whether it should cross the bridge or
not. This makes each part of the network more efficient.

10
Workgroup Switch
Workgroup switches add more intelligence to data transfer management. Switches can determine whether data should remain on a LAN or not, and they can transfer the data to the connection that needs that data.

11
Router
Routers have all capabilities of the previous devices. Routers can regenerate signals, concentrate multiple connections, convert data transmission formats, and manage data transfers. They can also connect to a WAN, which allows them to connect LANs that are separated by great distances.

12
“The Cloud”
The cloud is used in diagrams to represent where the
connection to the internet is.
It also represents all of the devices on the internet.

13
Network Topologies
Network topology defines the structure of the network.
One part of the topology definition is the physical topology,
which is the actual layout of the wire or media.
The other part is the logical topology, which defines how the media is accessed by the hosts for sending data.

14
Physical Topologies

15
Bus Topology
A bus topology uses a single backbone cable that is
terminated at both ends.
All the hosts connect directly to this backbone.

16
Ring Topology
A ring topology connects one host to the next and the last host
to the first.
This creates a physical ring of cable.

17
Star Topology
A star topology connects all cables to a central point of
concentration.

18
Extended Star Topology
An extended star topology links individual stars together by connecting the hubs and/or switches. This topology can extend the scope and coverage of the network.

19
Hierarchical Topology
A hierarchical topology is similar to an extended star.

20
Mesh Topology
A mesh topology is implemented to provide as much
protection as possible from interruption of service.
Each host has its own connections to all other hosts.
Although the Internet has multiple paths to any one
location, it does not adopt the full mesh topology.

21
LANs, MANs, & WANs
One early solution was the creation of local-area network
(LAN) standards which provided an open set of guidelines for
creating network hardware and software, making equipment
from different companies compatible.
What was needed was a way for information to move
efficiently and quickly, not only within a company, but also
from one business to another.
The solution was the creation of metropolitan-area networks
(MANs) and wide-area networks (WANs).

22
Examples of Data Networks

23
LANs

24
Wireless LAN Organizations and Standards
As in cabled networks, IEEE is the prime issuer of standards for wireless networks. The standards have been created within the framework of the regulations created by the Federal Communications Commission (FCC).
A key technology contained within the 802.11 standard is Direct Sequence Spread Spectrum (DSSS).

25
Cellular Topology for Wireless

26
WANs

27
SANs
A SAN is a dedicated, high-performance network used to move data between servers and storage resources. Because it is a separate, dedicated network, it avoids any traffic conflict between clients and servers.

28
Virtual Private Network
A VPN is a private network that is constructed within a public network
infrastructure such as the global Internet. Using VPN, a telecommuter
can access the network of the company headquarters through the
Internet by building a secure tunnel between the telecommuter’s PC
and a VPN router in the headquarters.

29
Bandwidth

30
Measuring Bandwidth

31

32
Why do we need the OSI Model?
To address the problem of networks increasing in size
and in number, the International Organization for
Standardization (ISO) researched many network
schemes and recognized that there was a need to
create a network model that would help network
builders implement networks that could communicate
and work together and therefore, released the OSI
reference model in 1984.

33
Don’t Get Confused.
ISO - International Organization for Standardization
OSI - Open System Interconnection
IOS - Internetwork Operating System
The ISO created the OSI to make the IOS more efficient. The “ISO” acronym is correct as shown. To avoid confusion, some people say “International Standard Organization.”

34
The OSI Reference Model
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
The OSI Model will be used throughout your entire networking career! Memorize it!

35
Layer 7 - The Application Layer
This layer deals with networking applications.
Examples:
• Email
• Web browsers
PDU - User Data

36
Layer 6 - The Presentation Layer
This layer is responsible for presenting the data in the required format, which may include:
• Encryption
• Compression
PDU - Formatted Data

37
Layer 5 - The Session Layer
This layer establishes, manages, and terminates sessions between two communicating hosts.
Example:
• Client software (used for logging in)
PDU - Formatted Data

38
Layer 4 - The Transport Layer
This layer breaks up the data from the sending host and then reassembles it in the receiver.
It is also used to ensure reliable data transport across the network.
PDU - Segments

39
Layer 3 - The Network Layer
Sometimes referred to as the “Cisco Layer”.
Makes “Best Path Determination” decisions based on logical addresses (usually IP addresses).
PDU - Packets

40
Layer 2 - The Data Link Layer
This layer provides reliable transit of data across a physical link.
Makes decisions based on physical addresses (usually MAC addresses).
PDU - Frames

41
Layer 1 - The Physical Layer
This is the physical media through which the data, represented as electronic signals, is sent from the source host to the destination host.
Examples:
• CAT5 (what we have)
• Coaxial (like cable TV)
• Fiber optic
PDU - Bits

42
OSI Model Analogy
Application Layer - Source Host
After riding your new bicycle a few times in New York, you decide that you want to give it to a friend who lives in Munich, Germany.

43
OSI Model Analogy
Presentation Layer - Source Host
Make sure you have the proper directions to disassemble and reassemble the bicycle.

44
OSI Model Analogy
Session Layer - Source Host
Call your friend and make sure you have his correct address.

45
OSI Model Analogy
Transport Layer - Source Host
Disassemble the bicycle and put different pieces in different boxes. The boxes are labeled “1 of 3”, “2 of 3”, and “3 of 3”.

46
OSI Model Analogy
Network Layer - Source Host
Put your friend's complete mailing address (and yours) on each box. Since the packages are too big for your mailbox (and since you don’t have enough stamps) you determine that you need to go to the post office.

47
OSI Model Analogy
Data Link Layer - Source Host
New York post office takes possession of the boxes.

48
OSI Model Analogy
Physical Layer - Media
The boxes are flown from the USA to Germany.

49
OSI Model Analogy
Data Link Layer - Destination
Munich post office receives your boxes.

50
OSI Model Analogy
Network Layer - Destination
Upon examining the destination address, Munich post office determines that your boxes should be delivered to your written home address.

51
OSI Model Analogy
Transport Layer - Destination
Your friend calls you and tells you he got all 3 boxes and he is having another friend named BOB reassemble the bicycle.

52
OSI Model Analogy
Session Layer - Destination
Your friend hangs up because he is done talking to you.

53
OSI Model Analogy
Presentation Layer - Destination
BOB is finished and “presents” the bicycle to your friend. Another way to say it is that your friend is finally getting his “present”.

54
OSI Model Analogy
Application Layer - Destination
Your friend enjoys riding his new bicycle in Munich.

55
Host Layers
7 Application
6 Presentation
5 Session
4 Transport
These layers only exist in the source and destination host computers.

56
Media Layers
3 Network
2 Data Link
1 Physical
These layers manage the information out in the LAN or WAN between the source and destination hosts.

57
The OSI Layers
Communications

58
Encapsulation Process

59
Data Flow Through a Network

60

61
LAN Physical Layer
Various symbols are used to represent media types.
The function of media is to carry a flow of information through a LAN. Networking media are considered Layer 1, or physical layer, components of LANs.
Each media has advantages and disadvantages. Some of the advantage or disadvantage comparisons concern:
• Cable length
• Cost
• Ease of installation
• Susceptibility to interference
Coaxial cable, optical fiber, and even free space can carry network signals. However, the principal medium that will be studied is Category 5 unshielded twisted-pair cable (Cat 5 UTP).

62
Unshielded Twisted Pair (UTP) Cable

63
UTP Implementation
EIA/TIA specifies an RJ-45 connector for UTP cable.
The RJ-45 transparent end connector shows eight colored wires.
Four of the wires carry the voltage and are considered “tip” (T1 through T4).
The other four wires are grounded and are called “ring” (R1 through R4).
The wires in the first pair in a cable or a connector are designated as T1 & R1.

64
Connection Media
The registered jack (RJ-45) connector and jack are the most
common.
In some cases the type of connector on a network interface
card (NIC) does not match the media that it needs to connect
to.
The attachment unit interface (AUI) connector allows different
media to connect when used with the appropriate transceiver.
A transceiver is an adapter that converts one type of
connection to another.

65
Ethernet Standards
The Ethernet standard specifies that each of the pins on an
RJ-45 connector have a particular purpose. A NIC transmits
signals on pins 1 & 2, and it receives signals on pins 3 & 6.

66
Remember…
A straight-thru cable has T568B on both ends. A crossover (or cross-connect) cable has T568B on one end and T568A on the other. A console cable has T568B on one end and reverse T568B on the other, which is why it is also called a rollover cable.

67
Straight-Thru or Crossover
Use straight-through cables for the following cabling:
• Switch to router
• Switch to PC or server
• Hub to PC or server
Use crossover cables for the following cabling:
• Switch to switch
• Switch to hub
• Hub to hub
• Router to router
• PC to PC
• Router to PC
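As an added example (not code from the Cisco slides), the Python below encodes the T568A and T568B pin-to-colour assignments and works out, from the pin roles stated on the Ethernet Standards slide (a NIC transmits on pins 1 & 2 and receives on pins 3 & 6), why straight-through cables join unlike devices and crossover cables join like devices. It assumes that PCs and routers present the NIC-style pinout (MDI) and that hubs and switches present the swapped pinout (MDI-X); the function names are my own. Modern ports with auto-MDIX accept either cable, which is why the list above matters mostly for older gear and for console cables.

```python
"""Added example (not from the slides): T568A/T568B pinouts and the effect of
straight-through, crossover and rollover cables on the transmit/receive pairs."""

# Wire colour on each pin, pin 1 through pin 8 (TIA/EIA-568 assignments).
T568A = ("white-green", "green", "white-orange", "blue",
         "white-blue", "orange", "white-brown", "brown")
T568B = ("white-orange", "orange", "white-green", "blue",
         "white-blue", "green", "white-brown", "brown")

# Pin roles on a NIC (MDI) end, as stated on the slides.
NIC_TX_PINS = (1, 2)
NIC_RX_PINS = (3, 6)


def pin_map(end_a, end_b):
    """Return {pin at end A: pin at end B} by following each wire colour through the cable."""
    return {i + 1: end_b.index(colour) + 1 for i, colour in enumerate(end_a)}


def straight_through():
    return pin_map(T568B, T568B)


def crossover():
    return pin_map(T568B, T568A)


def rollover():
    # Console cable: T568B on one end, reversed T568B on the other (pin 1 -> pin 8, ...).
    return pin_map(T568B, tuple(reversed(T568B)))


def link_works(mapping, a_is_nic=True, b_is_nic=True):
    """True when every transmit pin at end A lands on a receive pin at end B and
    vice versa. A hub/switch port (MDI-X) has TX and RX swapped relative to a NIC;
    auto-MDIX ports, which fix either case, are deliberately not modelled."""
    tx_a, rx_a = (NIC_TX_PINS, NIC_RX_PINS) if a_is_nic else (NIC_RX_PINS, NIC_TX_PINS)
    tx_b, rx_b = (NIC_TX_PINS, NIC_RX_PINS) if b_is_nic else (NIC_RX_PINS, NIC_TX_PINS)
    inverse = {v: k for k, v in mapping.items()}
    a_to_b_ok = all(mapping[p] in rx_b for p in tx_a)
    b_to_a_ok = all(inverse[p] in rx_a for p in tx_b)
    return a_to_b_ok and b_to_a_ok


if __name__ == "__main__":
    print("crossover pin map:", crossover())
    print("PC -> switch, straight-through:", link_works(straight_through(), True, False))
    print("PC -> PC, straight-through:    ", link_works(straight_through(), True, True))
    print("PC -> PC, crossover:           ", link_works(crossover(), True, True))
    print("PC -> console, rollover:       ", link_works(rollover(), True, True))
```

Running it reproduces the slide's two lists: a straight-through cable only works between a NIC-style port and a hub/switch port, a crossover only between two ports of the same kind, and a rollover cable never carries Ethernet at all.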

68
Sources of Noise on Copper Media
Noise is any electrical energy on the transmission cable that makes it difficult for a receiver to interpret the data sent from the transmitter. TIA/EIA-568-B certification of a cable now requires testing for a variety of types of noise. Twisted-pair cable is designed to take advantage of the effects of crosstalk in order to minimize noise. In twisted-pair cable, a pair of wires is used to transmit one signal. The wire pair is twisted so that each wire experiences similar crosstalk. Because a noise signal on one wire will appear identically on the other wire, this noise can be easily detected and filtered at the receiver. Twisting one pair of wires in a cable also helps to reduce crosstalk of data or noise signals from adjacent wires.

69
Shielded Twisted Pair (STP) Cable

70
Coaxial Cable

71
Fiber Optic Cable

72
Fiber Optic Connectors
Connectors are attached to the fiber ends so that the fibers can be connected to the ports on the transmitter and receiver.
The type of connector most commonly used with multimode fiber is the Subscriber Connector (SC connector). On single-mode fiber, the Straight Tip (ST) connector is frequently used.

73
Fiber Optic Patch Panels
Fiber patch panels are similar to the patch panels used with copper cable.

74
Cable Specifications
10BASE-T
The T stands for twisted pair.
10BASE5
The 5 represents the fact that a signal can travel for approximately 500 meters. 10BASE5 is often referred to as Thicknet.
10BASE2
The 2 represents the fact that a signal can travel for approximately 200 meters. 10BASE2 is often referred to as Thinnet.
All 3 of these specifications refer to the speed of transmission at 10 Mbps and a type of transmission that is baseband, or digitally interpreted. Thinnet and Thicknet are actually types of networks, while 10BASE2 & 10BASE5 are the types of cabling used in these networks.

75
Ethernet Media Connector Requirements

76
LAN Physical Layer Implementation

77
Ethernet in the Campus

78
WAN Physical Layer

79
WAN Serial Connection Options

80
Serial Implementation of DTE & DCE
When connecting directly to a service provider, or to a
device such as a CSU/DSU that will perform signal clocking,
the router is a DTE and needs a DTE serial cable.
This is typically the case for routers.

81
Back-to-Back Serial Connection
When performing a back-to-back router scenario in a test environment, one of the routers will be a DTE and the other will be a DCE.

82
Repeater
A repeater is a network device used to regenerate a signal. Repeaters regenerate analog or digital signals distorted by transmission loss due to attenuation. A repeater is a Physical Layer device.

83
The 4 Repeater Rule
The Four Repeater Rule for 10-Mbps Ethernet should be
used as a standard when extending LAN segments.
This rule states that no more than four repeaters
can be used between hosts on a LAN.
This rule is used to limit latency added to frame travel by
each repeater.

84
Hub
Hubs concentrate connections. In other words, they take a group of hosts and allow the network to see them as a single unit.
A hub is a Physical Layer device.

85
Network Interface Card
The function of a NIC is to connect a host device to the network medium.
A NIC is a printed circuit board that fits into the expansion slot on the motherboard or
peripheral device of a computer. The NIC is also referred to as a network adapter.
NICs are considered Data Link Layer devices because each NIC carries a
unique code called a MAC address.

86
MAC Address
A MAC address is 48 bits in length and expressed as twelve hexadecimal digits. MAC addresses are sometimes referred to as burned-in addresses (BIA) because they are burned into read-only memory (ROM) and are copied into random-access memory (RAM) when the NIC initializes.
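An added example (not from the slides): a small Python parser for the 48-bit MAC address in the notations you will meet (colon-separated, hyphen-separated, and Cisco dotted), splitting out the OUI and the two flag bits carried in the first byte. The function names are mine. The universal/local bit is the one worth watching when you audit a switch's MAC table: a burned-in address has it clear, so a locally administered address on a port usually means a virtual machine, a virtual interface, or a host whose MAC was changed in software.

```python
"""Added example (not from the slides): parse and describe a 48-bit MAC address."""
import re

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def parse_mac(text):
    """Accept 00:1A:2B:3C:4D:5E, 00-1A-2B-3C-4D-5E or Cisco-style 001a.2b3c.4d5e
    and return the six address bytes. Raises ValueError for anything else."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def is_valid_mac(text):
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False


def describe_mac(text):
    """Split the address into the vendor (OUI) and NIC-specific halves and decode the
    two flag bits in the first byte: I/G (group address) and U/L (locally administered)."""
    mac = parse_mac(text)
    first = mac[0]
    hexed = [f"{b:02x}" for b in mac]
    return {
        "canonical": ":".join(hexed),
        "oui": ":".join(hexed[:3]),                    # vendor prefix of a burned-in address
        "nic_specific": ":".join(hexed[3:]),
        "multicast": bool(first & 0x01),               # I/G bit set: multicast or broadcast
        "locally_administered": bool(first & 0x02),    # U/L bit set: not a factory BIA
        "broadcast": mac == b"\xff" * 6,
    }


if __name__ == "__main__":
    for sample in ("00-1A-2B-3C-4D-5E", "001a.2b3c.4d5e", "02:42:ac:11:00:02",
                   "01:00:5e:00:00:fb", "ff:ff:ff:ff:ff:ff"):   # constructed samples
        print(sample, "->", describe_mac(sample))
```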

87
Bridge
Bridges are Data Link Layer devices. Connected host addresses are learned and stored on a MAC address table. Each bridge port has a unique MAC address.

88
Bridges

89
Bridging Graphic

90
Switch
Switches are Data Link Layer devices. Each switch port has a unique MAC address. Connected host MAC addresses are learned and stored on a MAC address table.

91
Switching Modes
cut-through
A switch starts to transfer the frame as soon as the destination MAC address is received. No error checking is available.
Must use synchronous switching.
store-and-forward
At the other extreme, the switch can receive the entire frame before sending it out the destination port. This gives the switch software an opportunity to verify the Frame Check Sequence (FCS) to ensure that the frame was reliably received before sending it to the destination.
Must be used with asynchronous switching.
fragment-free
A compromise between the cut-through and store-and-forward modes. Fragment-free reads the first 64 bytes, which includes the frame header, and switching begins before the entire data field and checksum are read.
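An added example serving both the Switch slide (MAC learning table) and the Switching Modes slide; it is not code from the slides. It is a minimal learning switch in Python: the MAC table maps each address to the port it was last seen on, unknown destinations are flooded, a frame whose destination is on the ingress port is filtered, and in store-and-forward mode the FCS (CRC-32 over the frame, as Ethernet uses) is checked before forwarding, while in cut-through mode a corrupted frame is forwarded anyway, which is the trade-off the slide describes. The frame layout, port numbers and addresses are constructed for the demo.

```python
"""Added example (not from the slides): a learning switch with a MAC address table,
flooding of unknown destinations, and FCS checking in store-and-forward mode."""
import struct
import zlib

BROADCAST = b"\xff" * 6


def build_frame(dst, src, payload):
    """Constructed frame: dst(6) src(6) EtherType(2) payload FCS(4).
    The FCS is CRC-32 of everything before it, sent least significant byte first."""
    body = dst + src + struct.pack("!H", 0x0800) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def fcs_ok(frame):
    return len(frame) >= 18 and struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]


class LearningSwitch:
    def __init__(self, ports, mode="store-and-forward"):
        if mode not in ("store-and-forward", "cut-through"):
            raise ValueError(mode)
        self.ports = list(ports)
        self.mode = mode
        self.mac_table = {}          # MAC -> port the address was last seen on

    def receive(self, in_port, frame):
        """Switch one frame; return the list of egress ports ([] means dropped)."""
        if self.mode == "store-and-forward" and not fcs_ok(frame):
            return []                # corrupted frame is discarded, not forwarded
        dst, src = frame[0:6], frame[6:12]
        self.mac_table[src] = in_port          # learn from the source address
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]   # flood
        out = self.mac_table[dst]
        return [] if out == in_port else [out]  # filter frames that stay on their segment


def demo():
    """Constructed scenario: host A on port 1, host B on port 2, port 3 empty."""
    a, b = bytes.fromhex("001a2b000001"), bytes.fromhex("001a2b000002")
    sw = LearningSwitch(ports=[1, 2, 3])
    events = [
        sw.receive(1, build_frame(b, a, b"hello")),   # B unknown -> flooded to 2 and 3
        sw.receive(2, build_frame(a, b, b"reply")),   # A learned on 1 -> port 1 only
        sw.receive(1, build_frame(b, a, b"again")),   # B learned on 2 -> port 2 only
    ]
    bad = bytearray(build_frame(b, a, b"corrupt"))
    bad[15] ^= 0xFF                                    # flip a payload byte: FCS no longer matches
    events.append(sw.receive(1, bytes(bad)))           # store-and-forward drops it
    cut = LearningSwitch(ports=[1, 2, 3], mode="cut-through")
    events.append(cut.receive(1, bytes(bad)))          # cut-through forwards it regardless
    return events


if __name__ == "__main__":
    for step, ports in enumerate(demo(), 1):
        print(f"frame {step}: egress ports {ports}")
```

The first frame is flooded because the table is empty; after that, each host's reply teaches the switch where it lives and traffic stays on the ports involved, which is the microsegmentation described two slides later. The last two steps show the same corrupted frame being dropped by a store-and-forward switch and propagated by a cut-through one.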

92
Full Duplex
Another capability emerges when only two nodes are connected. In a network that
uses twisted-pair cabling, one pair is used to carry the transmitted signal from one
node to the other node. A separate pair is used for the return or received signal. It is
possible for signals to pass through both pairs simultaneously. The capability of
communication in both directions at once is known as full duplex.

93
Switches –MAC Tables

94
Switches –Parallel Communication

95
Microsegmentation
A switch is simply a bridge with many ports. When only one node is connected to a switch port, the collision domain on the shared media contains only two nodes. The two nodes in this small segment, or collision domain, consist of the switch port and the host connected to it. These small physical segments are called microsegments.

96
Peer-to-Peer Network
In a peer-to-peer network, networked computers act as equal partners, or peers. As peers, each computer can take on the client function or the server function.
At one time, computer A may make a request for a file from computer B, which responds by serving the file to computer A. Computer A functions as client, while B functions as the server. At a later time, computers A and B can reverse roles.
In a peer-to-peer network, individual users control their own resources. Peer-to-peer networks are relatively easy to install and operate. As networks grow, peer-to-peer relationships become increasingly difficult to coordinate.

97
Client/Server Network
In a client/server arrangement, network services are located on a dedicated
computer called a server.
The server responds to the requests of clients.
The server is a central computer that is continuously available to respond to
requests from clients for file, print, application, and other services.
Most network operating systems adopt the form of a client/server relationship.

98

99
Why Another Model?
Although the OSI reference model is universally
recognized, the historical and technical open standard
of the Internet is Transmission Control Protocol /
Internet Protocol (TCP/IP).
The TCP/IP reference model and the TCP/IP protocol
stack make data communication possible between any
two computers, anywhere in the world, at nearly the
speed of light.
The U.S. Department of Defense (DoD) created the
TCP/IP reference model because it wanted a network
that could survive any conditions, even a nuclear war.

100
Don’t Confuse the Models
TCP/IP model       OSI model
Application        7 Application
                   6 Presentation
                   5 Session
Transport          4 Transport
Internet           3 Network
Network Access     2 Data Link
                   1 Physical

101
2 Models Side-By-Side
TCP/IP model       OSI model
Application        7 Application
                   6 Presentation
                   5 Session
Transport          4 Transport
Internet           3 Network
Network Access     2 Data Link
                   1 Physical

102
The Application Layer
The application layer of the TCP/IP model handles high-level protocols, issues of representation, encoding, and dialog control.

103
The Transport Layer
The transport layer provides transport services from the source host to the destination host. It constitutes a logical connection between these endpoints of the network. Transport protocols segment and reassemble upper-layer applications into the same data stream between endpoints.
The transport layer data stream provides end-to-end transport services.

104
The Internet Layer
The purpose of the Internet layer is to
select the best path through the network for
packets to travel. The main protocol that
functions at this layer is the Internet
Protocol (IP). Best path determination and
packet switching occur at this layer.

105
The Network Access Layer
The network access layer is also called the host-to-network layer. It is the layer that is concerned with all of the issues that an IP packet requires to actually make a physical link to the network media. It includes LAN and WAN details, and all the details contained in the OSI physical and data-link layers. NOTE: ARP & RARP work at both the Internet and Network Access Layers.

106
Comparing TCP/IP & OSI Models
NOTE: TCP/IP transport layer using UDP does not always guarantee
reliable delivery of packets as the transport layer in the OSI model does.

107
Introduction to the Transport Layer
The primary duties of the transport layer, Layer 4 of the OSI model, are to transport and regulate the flow of information from the source to the destination, reliably and accurately.
End-to-end control and reliability are provided by sliding windows, sequence numbers, and acknowledgments.

108
More on The Transport Layer
The transport layer provides transport services from the
source host to the destination host.
It establishes a logical connection between the endpoints of
the network.
Transport services include the following basic services:
• Segmentation of upper-layer application data
• Establishment of end-to-end operations
• Transport of segments from one end host to another end host
• Flow control provided by sliding windows
• Reliability provided by sequence numbers and acknowledgments

109
Flow Control
As the transport layer sends data segments, it tries to ensure that data is not lost. A receiving host that is unable to process data as quickly as it arrives could be a cause of data loss.
Flow control avoids the problem of a transmitting host overflowing the buffers in the receiving host.

110
3-Way Handshake
TCP requires connection establishment before data transfer begins.
For a connection to be established or initialized, the two hosts must
synchronize their Initial Sequence Numbers (ISNs).

111
Basic Windowing
Data packets must be delivered to the recipient in the same order in which they were transmitted to have a reliable, connection-oriented data transfer.
The protocol fails if any data packets are lost, damaged, duplicated, or received in a different order.
An easy solution is to have a recipient acknowledge the receipt of each packet before the next packet is sent.
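The slides describe windowing, sequence numbers and acknowledgements in words only. The following Python simulation is an added example (not part of the deck) that shows the mechanism end to end: a sender with a window of unacknowledged segments, a constructed channel that drops and reorders segments and ACKs, and a receiver that buffers out-of-order data, discards duplicates and answers with a cumulative ACK. Segment contents, loss rate and the seeded random channel are all constructed for the demonstration.

```python
import random


def simulate_transfer(segments, window_size, loss_rate, seed=0, max_rounds=10_000):
    """Move `segments` from sender to receiver over a constructed lossy,
    reordering channel using a sliding window with cumulative ACKs.

    Returns (delivered, transmissions): the data as reassembled by the
    receiver and how many segment transmissions it took.  A window_size
    of 1 is the "acknowledge every packet before sending the next" scheme
    from the slide (stop-and-wait); larger windows keep more in flight.
    """
    rng = random.Random(seed)
    n = len(segments)
    base = 0          # sender: oldest unacknowledged sequence number
    next_seq = 0      # sender: next new sequence number to send
    expected = 0      # receiver: next in-order sequence number
    buffered = {}     # receiver: out-of-order segments held for reassembly
    delivered = []
    transmissions = 0

    for _ in range(max_rounds):
        if base >= n:
            return delivered, transmissions

        # Sender: send every new segment that fits inside the window.
        in_flight = list(range(next_seq, min(base + window_size, n)))
        next_seq = min(base + window_size, n)
        if not in_flight:
            # Nothing new fits and the window did not move: timeout,
            # retransmit everything that is still unacknowledged.
            in_flight = list(range(base, min(base + window_size, n)))

        rng.shuffle(in_flight)  # the channel may reorder segments
        for seq in in_flight:
            transmissions += 1
            if rng.random() < loss_rate:
                continue  # lost, or corrupted and dropped by the checksum
            if seq == expected:
                delivered.append(segments[seq])
                expected += 1
                while expected in buffered:  # drain buffered in-order data
                    delivered.append(buffered.pop(expected))
                    expected += 1
            elif seq > expected:
                buffered[seq] = segments[seq]  # hold until the gap is filled
            # seq < expected: duplicate of data already delivered, discarded

        # Receiver: one cumulative ACK carrying the next expected sequence
        # number.  The ACK can be lost too, which triggers a retransmission
        # that the receiver recognises as a duplicate.
        if rng.random() >= loss_rate:
            base = expected

    raise RuntimeError("transfer did not complete within max_rounds")


if __name__ == "__main__":
    data = [f"segment-{i}" for i in range(20)]        # constructed payload
    for window in (1, 4):
        got, sent = simulate_transfer(data, window, loss_rate=0.2, seed=1)
        print(f"window={window}: delivered in order: {got == data}, "
              f"transmissions={sent} for {len(data)} segments")
```

Running the block with the same loss rate and window sizes 1 and 4 shows why windowing matters: the data arrives intact either way, but the larger window needs far fewer rounds to move it.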

112
Sliding Window

113
Sliding Window
with Different Window Sizes

114
TCP Sequence & Acknowledgement

115
TCP
Transmission Control Protocol (TCP) is a connection-oriented Layer 4
protocol that provides reliable full-duplex data transmission.
TCP is part of the TCP/IP protocol stack. In a connection-oriented
environment, a connection is established between both ends before the
transfer of information can begin.
TCP is responsible for breaking messages into segments, reassembling
them at the destination station, resending anything that is not received,
and reassembling messages from the segments. TCP supplies a virtual
circuit between end-user applications.
The protocols that use TCP include:
• FTP (File Transfer Protocol)
• HTTP (Hypertext Transfer Protocol)
• SMTP (Simple Mail Transfer Protocol)
• Telnet

116
TCP Segment Format

117
UDP
User Datagram Protocol (UDP) is the connectionless transport protocol
in the TCP/IP protocol stack.
UDP is a simple protocol that exchanges datagrams, without
acknowledgments or guaranteed delivery. Error processing and
retransmission must be handled by higher layer protocols.
UDP uses no windowing or acknowledgments so reliability, if needed, is
provided by application layer protocols. UDP is designed for applications
that do not need to put sequences of segments together.
The protocols that use UDP include:
• TFTP (Trivial File Transfer Protocol)
• SNMP (Simple Network Management Protocol)
• DHCP (Dynamic Host Configuration Protocol)
• DNS (Domain Name System)

118
UDP Segment Format

119
Well Known Port Numbers
The following port numbers should be memorized:
NOTE:
The curriculum forgot to mention one of the most important port numbers.
Port 80 is used for HTTP or WWW protocols. (Essentially access to the internet.)

120
URL

121
SNMP – Managed Network

122

123
Base 2 Number System
10110 (base 2) = (1 x 2^4 = 16) + (0 x 2^3 = 0) + (1 x 2^2 = 4) + (1 x 2^1 = 2) + (0 x 2^0 = 0) = 22 (base 10)

124
Converting Decimal to Binary
Convert 201 (base 10) to binary:
201 / 2 = 100 remainder 1
100 / 2 = 50 remainder 0
50 / 2 = 25 remainder 0
25 / 2 = 12 remainder 1
12 / 2 = 6 remainder 0
6 / 2 = 3 remainder 0
3 / 2 = 1 remainder 1
1 / 2 = 0 remainder 1
When the quotient is 0, take all the remainders in
reverse order for your answer: 201 (base 10) = 11001001 (base 2)
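The two slides above work one conversion in each direction by hand. The Python below is an added example (not from the deck) that implements the same two procedures as functions, the repeated-division method with its trace of quotients and remainders, and the positional expansion, and goes one step further by applying them per octet to a dotted-decimal IP address, which is how the binary forms on the later subnetting slides are produced.

```python
def division_steps(value):
    """Trace of the repeated-division method: one (quotient, remainder)
    pair per step, in the order the slide writes them."""
    if value < 0:
        raise ValueError("unsigned values only")
    steps = []
    while value > 0:
        value, remainder = divmod(value, 2)
        steps.append((value, remainder))
    return steps


def decimal_to_binary(value):
    """The remainders read in reverse order are the binary digits."""
    if value == 0:
        return "0"
    return "".join(str(r) for _, r in reversed(division_steps(value)))


def expansion_terms(bits):
    """Positional expansion as (bit, power, product) triples, e.g. for
    '10110': (1, 4, 16), (0, 3, 0), (1, 2, 4), (1, 1, 2), (0, 0, 0)."""
    if not bits or any(b not in "01" for b in bits):
        raise ValueError(f"not a binary string: {bits!r}")
    width = len(bits)
    return [(int(b), width - 1 - i, int(b) * 2 ** (width - 1 - i))
            for i, b in enumerate(bits)]


def binary_to_decimal(bits):
    """Sum of the expansion terms."""
    return sum(product for _, _, product in expansion_terms(bits))


def dotted_to_binary(addr):
    """Each octet as an 8-bit, zero-padded group: the form used when an
    IP address is ANDed with its mask on the subnetting slides."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr!r}")
    return ".".join(decimal_to_binary(o).rjust(8, "0") for o in octets)


if __name__ == "__main__":
    for quotient, remainder in division_steps(201):
        print(f"quotient {quotient:3d} remainder {remainder}")
    print("201 =", decimal_to_binary(201))
    print("10110 =", binary_to_decimal("10110"))
    print("192.168.1.64 =", dotted_to_binary("192.168.1.64"))
```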

125

126
Network and Host Addressing
Using the IP address of the destination network, a router can deliver a packet to the correct network.
When the packet arrives at a router connected to the destination network, the router uses the IP address to locate the particular computer connected to that network.
Accordingly, every IP address has two parts.

127
Network Layer Communication Path
A router forwards packets from the originating network to the
destination network using the IP protocol. The packets must
include an identifier for both the source and destination networks.

128
Internet Addresses
IP Addressing is a hierarchical structure. An IP address combines two
identifiers into one number. This number must be a unique number,
because duplicate addresses would make routing impossible. The
first part identifies the system's network address. The second part,
called the host part, identifies which particular machine it is on the
network.

129
IP Address Classes
IP addresses are divided into classes to define the large,
medium, and small networks.
Class A addresses are assigned to larger networks.
Class B addresses are used for medium-sized networks, &
Class C for small networks.

130
Identifying Address Classes

131
Address Class Prefixes
To accommodate different size networks and aid in classifying these networks, IP
addresses are divided into groups called classes. This is classful addressing.

132
Network and Host Division
Each complete 32-bit IP address is broken down into a network part
and a host part. A bit or bit sequence at the start of each address
determines the class of the address. There are 5 IP address classes.

133
Class A Addresses
The Class A address was designed to support extremely large
networks, with more than 16 million host addresses available.
Class A IP addresses use only the first octet to indicate the
network address. The remaining three octets provide for host
addresses.

134
Class B Addresses
The Class B address was designed to support the needs of
moderate to large-sized networks. A Class B IP address uses
the first two of the four octets to indicate the network address.
The other two octets specify host addresses.

135
Class C Addresses
The Class C address space is the most commonly used of the
original address classes. This address space was intended to
support small networks with a maximum of 254 hosts.

136
Class D Addresses
The Class D address class was created to enable multicasting in an
IP address. A multicast address is a unique network address that
directs packets with that destination address to predefined groups of
IP addresses. Therefore, a single station can simultaneously transmit
a single stream of data to multiple recipients.

137
Class E Addresses
A Class E address has been defined. However, the Internet
Engineering Task Force (IETF) reserves these addresses for its
own research. Therefore, no Class E addresses have been
released for use in the Internet.

138
IP Address Ranges
The graphic below shows the IP address range of the first octet
both in decimal and binary for each IP address class.

139
IPv4
As early as 1992, the Internet Engineering
Task Force (IETF) identified two specific
concerns: Exhaustion of the remaining,
unassigned IPv4 network addresses and the
increase in the size of Internet routing tables.
Over the past two decades, numerous
extensions to IPv4 have been developed.
Two of the more important of these are
subnet masks and classless interdomain
routing (CIDR).

140
Finding the Network Address with ANDing
By ANDing the host address 192.168.10.2 with 255.255.255.0
(its network mask) we obtain the network address 192.168.10.0.

141
Network Address

142
Broadcast Address

143
Network/Broadcast Addresses
at the Binary Level
An IP address that has binary 0s in all host bit positions is
reserved for the network address, which identifies the network.
An IP address that has binary 1s in all host bit positions is
reserved for the broadcast address, which is used to send data
to all hosts on the network. Here are some examples:
Class   Network Address   Broadcast Address
A       100.0.0.0         100.255.255.255
B       150.75.0.0        150.75.255.255
C       200.100.50.0      200.100.50.255
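The class-prefix slides, the ANDing slide and the table above all describe bit operations on the 32-bit address. The Python below is an added example (not the deck's own material) that performs them: the class is read from the leading bits of the first octet, the network address is the address ANDed with the mask, and the broadcast address is the network address ORed with the inverted mask. It also counts usable hosts for a mask; the figures it produces for the table's three examples and for the slide's 192.168.10.2 case match the slides, and the last call applies the same AND to the 255.255.255.240 mask used on the interface-configuration slide later in the deck.

```python
import socket
import struct


def to_int(addr):
    """Dotted-quad string -> 32-bit integer in network byte order."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def to_dotted(value):
    return socket.inet_ntoa(struct.pack("!I", value))


def address_class(addr):
    """Classful rule: the leading bits of the first octet decide the class."""
    first = to_int(addr) >> 24
    if first >> 7 == 0b0:
        return "A"      # 0xxxxxxx   first octet 0-127
    if first >> 6 == 0b10:
        return "B"      # 10xxxxxx   first octet 128-191
    if first >> 5 == 0b110:
        return "C"      # 110xxxxx   first octet 192-223
    if first >> 4 == 0b1110:
        return "D"      # 1110xxxx   first octet 224-239, multicast
    return "E"          # 1111xxxx   first octet 240-255, reserved


# Default (classful) masks; classes D and E have no host portion.
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def network_and_broadcast(addr, mask=None):
    """(network address, broadcast address) for addr under mask; when no
    mask is given the classful default for addr's class is used."""
    if mask is None:
        mask = DEFAULT_MASK[address_class(addr)]   # KeyError for class D/E
    a, m = to_int(addr), to_int(mask)
    network = a & m                           # host bits forced to all 0s
    broadcast = network | (~m & 0xFFFFFFFF)   # host bits forced to all 1s
    return to_dotted(network), to_dotted(broadcast)


def usable_hosts(mask):
    """Host addresses available under mask, excluding the network and
    broadcast addresses (which is why a /24 gives 254, not 256)."""
    host_bits = 32 - bin(to_int(mask)).count("1")
    return max(2 ** host_bits - 2, 0)


if __name__ == "__main__":
    for example in ("100.0.0.0", "150.75.0.0", "200.100.50.0"):
        cls = address_class(example)
        print(cls, *network_and_broadcast(example))
    print(network_and_broadcast("192.168.10.2", "255.255.255.0"))
    print(network_and_broadcast("200.100.50.75", "255.255.255.240"),
          usable_hosts("255.255.255.240"), "usable hosts")
```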

144
Public IP Addresses
Unique addresses are required for each device on a network.
Originally, an organization known as the Internet Network Information
Center (InterNIC) handled this procedure.
InterNIC no longer exists and has been succeeded by the Internet Assigned
Numbers Authority (IANA).
No two machines that connect to a public network can have the same IP
address because public IP addresses are global and standardized.
All machines connected to the Internet agree to conform to the system.
Public IP addresses must be obtained from an Internet service provider
(ISP) or a registry at some expense.

145
Private IP Addresses
Private IP addresses are another solution to the problem of the
impending exhaustion of public IP addresses. As mentioned, public
networks require hosts to have unique IP addresses.
However, private networks that are not connected to the Internet may
use any host addresses, as long as each host within the private
network is unique.

146
Mixing Public and
Private IP Addresses
Private IP addresses can be intermixed, as shown in the graphic, with
public IP addresses. This will conserve the number of addresses used for
internal connections. Connecting a network using private addresses to
the Internet requires translation of the private addresses to public
addresses. This translation process is referred to as Network Address
Translation (NAT).

147
Introduction to Subnetting
Subnetting a network means to use the subnet mask to divide the
network and break a large network up into smaller, more efficient and
manageable segments, or subnets.
With subnetting, the network is not limited to the default Class A, B, or
C network masks and there is more flexibility in the network design.
Subnet addresses include the network portion, plus a subnet field and
a host field. The ability to decide how to divide the original host portion
into the new subnet and host fields provides addressing flexibility for
the network administrator.
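As an added example (not part of the deck), the Python below carries out the subnetting the slide describes: it borrows a chosen number of bits from the host portion of a classful network, derives the new mask, and lists every resulting subnet with its network address, first and last usable host and broadcast address. It also generates the list of mask-octet values that the "Numbers That Show Up In Subnet Masks" slide asks you to memorize, by shifting ones in from the left. The 200.100.50.0/24 network and the four borrowed bits are constructed inputs chosen to match the 255.255.255.240 mask used elsewhere in the deck.

```python
import socket
import struct


def to_int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def to_dotted(value):
    return socket.inet_ntoa(struct.pack("!I", value))


def mask_from_prefix(prefix):
    """/prefix -> 32-bit mask with `prefix` leading ones."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_octet_values():
    """The eight values a partially filled mask octet can take
    (1 to 8 leading ones): 128, 192, 224, 240, 248, 252, 254, 255."""
    return [(0xFF << (8 - ones)) & 0xFF for ones in range(1, 9)]


def subnet_table(network, prefix, borrowed_bits):
    """Borrow `borrowed_bits` from the host field of network/prefix and
    describe every subnet.  Returns (new dotted mask, list of rows)."""
    new_prefix = prefix + borrowed_bits
    if new_prefix > 30:
        raise ValueError("at least 2 host bits are needed for usable hosts")
    base = to_int(network) & mask_from_prefix(prefix)  # clear stray host bits
    size = 1 << (32 - new_prefix)                       # addresses per subnet
    rows = []
    for index in range(1 << borrowed_bits):
        net = base + index * size
        rows.append({
            "subnet": f"{to_dotted(net)}/{new_prefix}",
            "first_host": to_dotted(net + 1),
            "last_host": to_dotted(net + size - 2),
            "broadcast": to_dotted(net + size - 1),
            "usable_hosts": size - 2,   # network and broadcast excluded
        })
    return to_dotted(mask_from_prefix(new_prefix)), rows


if __name__ == "__main__":
    print("mask octet values:", mask_octet_values())
    mask, rows = subnet_table("200.100.50.0", 24, 4)   # constructed input
    print("new mask:", mask)
    for row in rows:
        print(f'{row["subnet"]:20} {row["first_host"]:16} '
              f'{row["last_host"]:16} {row["broadcast"]}')
```

Reading the output against the class C example earlier in the deck shows the trade-off the slide mentions: the /24 with 254 hosts becomes sixteen /28 subnets of 14 usable hosts each, because every subnet spends two addresses on its own network and broadcast address.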

148
The 32-Bit
Binary IP Address

149
Numbers That Show Up In
Subnet Masks (Memorize Them!)

150
Addressing with Subnetworks

151
Obtaining an Internet Address

152
Static Assignment of an IP Address
Static assignment works best on small networks.
The administrator manually assigns and tracks IP addresses for each computer, printer, or server on the intranet.
Network printers, application servers, and routers should be assigned static IP addresses.

153
ARP
(Address Resolution Protocol)
[Figure: Host A broadcasts an ARP request to all hosts: "What is the hardware address for IP address 128.0.10.4?" Host B, which has IP Address 128.0.10.4 and HW Address 080020021545, sends the ARP reply.]
Fig. 32 How does ARP work? (TI1332EU02TI_0004 The Network Layer, 47)

154
Fig. 33 The ARP command (TI1332EU02TI_0004 The Network Layer, 47)

155
[Figure: 1 Network = 1 Broadcast Domain: A's broadcast ARP request reaches host B, so host B would reply. 2 Networks = 2 Broadcast Domains: with a router between A and B, A's broadcast ARP request does not cross the router, so no one would reply.]
Fig. 34 Proxy-ARP concept (TI1332EU02TI_0004 The Network Layer, 49)

156
[Figure, proxy ARP: A broadcasts "If your IP address matches B then please tell me your Ethernet address." Router R, which knows the destination network, answers with its own Ethernet address ("Yes, I know the destination network, let me give you my Ethernet address") and takes care of forwarding IP packets to B.]
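The ARP figures show the request and reply as speech bubbles. As an added example (not from the deck or its source course), the Python below encodes and decodes the two messages of that exchange in the on-the-wire layout of RFC 826 for Ethernet/IPv4 (28 bytes: hardware and protocol types, address lengths, opcode, then sender and target MAC/IP pairs), and shows the receiver-side step the figure leaves implicit, namely how a reply updates the ARP cache. Host B's addresses (128.0.10.4, 08:00:20:02:15:45) are taken from Fig. 32; Host A's addresses are constructed for the example, since the figure does not give them. Nothing here touches a network interface; the packets are built in memory only.

```python
import struct

# RFC 826 ARP layout for Ethernet (6-byte MAC) over IPv4 (4-byte address).
ARP_FORMAT = "!HHBBH6s4s6s4s"
ARP_LENGTH = struct.calcsize(ARP_FORMAT)   # 28 bytes
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2


def mac_bytes(mac):
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return bytes(octets)   # raises ValueError for octets outside 0..255


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def encode_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise one ARP message.  A request carries an all-zero target
    MAC, because that is the field the sender is asking to have filled."""
    return struct.pack(ARP_FORMAT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(packet):
    """Decode an ARP message, rejecting anything that is not Ethernet/IPv4."""
    if len(packet) < ARP_LENGTH:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FORMAT, packet[:ARP_LENGTH])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if oper not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown ARP opcode {oper}")
    return {"opcode": "request" if oper == OP_REQUEST else "reply",
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def update_cache(cache, packet):
    """Apply a received ARP message to a host's cache (a dict IP -> MAC).
    Only replies teach a mapping.  Returns what happened: 'learned',
    'refreshed' (same MAC again), 'changed' (same IP now claims a different
    MAC, which a host should at least log) or 'ignored'."""
    arp = parse_arp(packet)
    if arp["opcode"] != "reply":
        return "ignored"
    ip, mac = arp["sender_ip"], arp["sender_mac"]
    previous = cache.get(ip)
    cache[ip] = mac
    if previous is None:
        return "learned"
    return "refreshed" if previous == mac else "changed"


# The exchange from Fig. 32.  Host A's addresses are constructed.
HOST_A_IP, HOST_A_MAC = "128.0.10.1", "08:00:20:00:00:01"
HOST_B_IP, HOST_B_MAC = "128.0.10.4", "08:00:20:02:15:45"
REQUEST = encode_arp(OP_REQUEST, HOST_A_MAC, HOST_A_IP, "00:00:00:00:00:00", HOST_B_IP)
REPLY = encode_arp(OP_REPLY, HOST_B_MAC, HOST_B_IP, HOST_A_MAC, HOST_A_IP)

if __name__ == "__main__":
    cache = {}
    for packet in (REQUEST, REPLY):
        print(parse_arp(packet), "->", update_cache(cache, packet))
    print("Host A's ARP cache:", cache)
```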

157
RARP
Reverse Address Resolution Protocol (RARP) associates a known MAC address
with an IP address.
A network device, such as a diskless workstation, might know its MAC address but not
its IP address. RARP allows the device to make a request to learn its IP address.
Devices using RARP require that a RARP server be present on the network to answer
RARP requests.

158
BootP
The bootstrap protocol (BOOTP) operates in a client-server environment and only
requires a single packet exchange to obtain IP information.
However, unlike RARP, BOOTP packets can include the IP address, as well as
the address of a router, the address of a server, and vendor-specific information.
One problem with BOOTP, however, is that it was not designed to provide
dynamic address assignment. With BOOTP, a network administrator creates a
configuration file that specifies the parameters for each device.The administrator
must add hosts and maintain the BOOTP database.
Even though the addresses are dynamically assigned, there is still a one to one
relationship between the number of IP addresses and the number of hosts.
This means that for every host on the network there must be a BOOTP profile
with an IP address assignment in it. No two profiles can have the same IP
address.

159
DHCP
Dynamic host configuration protocol (DHCP) is the successor to BOOTP.
Unlike BOOTP, DHCP allows a host to obtain an IP address dynamically without the
network administrator having to set up an individual profile for each device.
All that is required when using DHCP is a defined range of IP addresses on a DHCP
server. As hosts come online, they contact the DHCP server and request an address.
The DHCP server chooses an address and leases it to that host.
With DHCP, the entire network configuration of a computer can be obtained in one
message.
This includes all of the data supplied by the BOOTP message, plus a leased IP
address and a subnet mask.
The major advantage that DHCP has over BOOTP is that it allows users to be mobile.

160

161
Introduction to Routers
A router is a special type of computer. It has the same basic components as a
standard desktop PC. However, routers are designed to perform some very specific
functions. Just as computers need operating systems to run software applications,
routers need the Internetwork Operating System software (IOS) to run configuration
files. These configuration files contain the instructions and parameters that control the
flow of traffic in and out of the routers. The many parts of a router are shown below:

162
RAM
Random Access Memory, also called dynamic RAM (DRAM)
RAM has the following characteristics and functions:
• Stores routing tables
• Holds ARP cache
• Holds fast-switching cache
• Performs packet buffering (shared RAM)
• Maintains packet-hold queues
• Provides temporary memory for the configuration file of
the router while the router is powered on
• Loses content when router is powered down or restarted

163
NVRAM
Non-Volatile RAM
NVRAM has the following characteristics and functions:
• Provides storage for the startup configuration file
• Retains content when router is powered down or
restarted

164
Flash
Flash memory has the following characteristics and
functions:
• Holds the operating system image (IOS)
• Allows software to be updated without
removing and replacing chips on the processor
• Retains content when router is powered down
or restarted
• Can store multiple versions of IOS software
• Is a type of electronically erasable, programmable
ROM (EEPROM)

165
ROM
Read-Only Memory
ROM has the following characteristics and functions:
• Maintains instructions for power-on self test
(POST) diagnostics
• Stores bootstrap program and basic operating
system software
• Requires replacing pluggable chips on the
motherboard for software upgrades

166
Interfaces
Interfaces have the following characteristics and functions:
• Connect router to network for frame entry and exit
• Can be on the motherboard or on a separate module
Types of interfaces:
• Ethernet
• Fast Ethernet
• Serial
• Token ring
• ISDN BRI
• Loopback
• Console
• Aux

167
Internal Components of a 2600 Router

168
External Components of a 2600 Router

169
External Connections

170
Fixed Interfaces
When cabling routers for serial connectivity, the routers will either have
fixed or modular ports. The type of port being used will affect the syntax
used later to configure each interface. Interfaces on routers with fixed
serial ports are labeled for port type and port number.

171
Modular Serial Port Interfaces
Interfaces on routers with modular serial ports are labeled for port type, slot, and port
number. The slot is the location of the module. To configure a port on a modular card, it is
necessary to specify the interface using the syntax "port type slot number/port number." For
example, use the label "serial 0/1" when the interface is serial, the module is installed in
slot 0, and the port that is being referenced is port 1.

172
Routers & DSL Connections
The Cisco 827 ADSL router has one asymmetric digital
subscriber line (ADSL) interface. To connect a router for DSL
service, use a phone cable with RJ-11 connectors. DSL works
over standard telephone lines using pins 3 and 4 on a
standard RJ-11 connector.

173
Computer/Terminal Console Connection

174
Modem Connection to Console/Aux Port

175
HyperTerminal Session Properties

176
Establishing a
HyperTerminal Session
Take the following steps to connect a terminal to the console port on the router:
First, connect the terminal using the RJ-45 to RJ-45 rollover cable and an RJ-45 to DB-9 or RJ-45 to DB-25 adapter.
Then, configure the terminal or PC terminal emulation software for 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control.

177
Cisco IOS
Cisco technology is built around the Cisco
Internetwork Operating System (IOS), which is the
software that controls the routing and switching
functions of internetworking devices.
A solid understanding of the IOS is essential for a
network administrator.

178
The Purpose of Cisco IOS
As with a computer, a router or switch cannot function without
an operating system. Cisco calls its operating system the
Cisco Internetwork Operating System or Cisco IOS.
It is the embedded software architecture in all of the Cisco
routers and is also the operating system of the Catalyst
switches.
Without an operating system, the hardware does not have any
capabilities.
The Cisco IOS provides the following network services:
• Basic routing and switching functions
• Reliable and secure access to networked resources
• Network scalability

179
Router Command Line
Interface

180
Setup Mode
Setup is not intended as the mode for entering complex protocol features in the
router. The purpose of the setup mode is to permit the administrator to install a
minimal configuration for a router, unable to locate a configuration from another
source.
In the setup mode, default answers appear in square brackets [ ] following the
question. Press the Enter key to use these defaults.
During the setup process, Ctrl-C can be pressed at any time to terminate the
process. When setup is terminated using Ctrl-C, all interfaces will be
administratively shut down.
When the configuration process is completed in setup mode, the following options
will be displayed:
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.
Enter your selection [2]:

181
Operation of Cisco IOS Software
The Cisco IOS devices have three distinct operating environments or
modes:
• ROM monitor
• Boot ROM
• Cisco IOS
The startup process of the router normally loads into RAM and executes
one of these operating environments. The configuration register setting can
be used by the system administrator to control the default start up mode for
the router.
To see the IOS image and version that is running, use the show version
command, which also indicates the configuration register setting.

182
IOS File System Overview

183
Initial Startup of Cisco Routers
A router initializes by loading the bootstrap, the operating system, and a
configuration file.
If the router cannot find a configuration file, it enters setup mode.
Upon completion of the setup mode a backup copy of the configuration file
may be saved to nonvolatile RAM (NVRAM).
The goal of the startup routines for Cisco IOS software is to start the router
operations. To do this, the startup routines must accomplish the following:
• Make sure that the router hardware is tested and functional.
• Find and load the Cisco IOS software.
• Find and apply the startup configuration file or enter the setup
mode.
When a Cisco router powers up, it performs a power-on self test (POST).
During this self test, the router executes diagnostics from ROM on all
hardware modules.

184
After the Post…
After the POST, the following events occur as the router initializes:
Step 1
The generic bootstrap loader in ROM executes. A bootstrap is a simple set of
instructions that tests hardware and initializes the IOS for operation.
Step 2
The IOS can be found in several places. The boot field of the configuration register
determines the location to be used in loading the IOS. If the boot field indicates a
flash or network load, boot system commands in the configuration file indicate the
exact name and location of the image.
Step 3
The operating system image is loaded.
Step 4
The configuration file saved in NVRAM is loaded into main memory and executed
one line at a time. The configuration commands start routing processes, supply
addresses for interfaces, and define other operating characteristics of the router.
Step 5
If no valid configuration file exists in NVRAM, the operating system searches for an
available TFTP server. If no TFTP server is found, the setup dialog is initiated.

185
Step in Router Initialization

186
Router LED Indicators
Cisco routers use LED indicators to provide status information.
Depending upon the Cisco router model, the LED indicators will
vary. An interface LED indicates the activity of the corresponding
interface. If an LED is off when the interface is active and the
interface is correctly connected, a problem may be indicated. If an
interface is extremely busy, its LED will always be on. The green OK
LED to the right of the AUX port will be on after the system initializes
correctly.

187
Enhanced
Cisco IOS Commands

188
The show version Command
The show version command displays information about the Cisco IOS
software version that is currently running on the router. This includes the
configuration register and the boot field settings.
The following information is available from the show version command:
• IOS version and descriptive information
• Bootstrap ROM version
• Boot ROM version
• Router up time
• Last restart method
• System image file and location
• Router platform
• Configuration register setting
Use the show version command to identify the router IOS image and boot
source. To find out the amount of flash memory, issue the show flash
command.

189
Checking File System Information
with show version command

190

191
Router User Interface Modes
The Cisco command-line interface (CLI) uses a hierarchical structure. This
structure requires entry into different modes to accomplish particular tasks.
Each configuration mode is indicated with a distinctive prompt and allows
only commands that are appropriate for that mode.
As a security feature the Cisco IOS software separates sessions into two
access levels, user EXEC mode and privileged EXEC mode. The privileged
EXEC mode is also known as enable mode.

192
Overview of Router Modes

193
Router Modes

194
User Mode Commands

195
Privileged Mode Commands
NOTE: There are many more commands available in privileged mode.

196
Specific Configuration Modes

197
CLI Command Modes
All command-line interface (CLI) configuration changes to a Cisco router
are made from the global configuration mode. Other more specific modes
are entered depending upon the configuration change that is required.
Global configuration mode commands are used in a router to apply
configuration statements that affect the system as a whole.
The following command moves the router into global configuration mode
Router#configure terminal (or config t)
Router(config)#
When specific configuration modes are entered, the router prompt changes
to indicate the current configuration mode.
Typing exit from one of these specific configuration modes will return the
router to global configuration mode. Pressing Ctrl-Z returns the router all
the way back to privileged EXEC mode.

198
Configuring a Router’s Name
A router should be given a unique name as one of the
first configuration tasks.
This task is accomplished in global configuration
mode using the following commands:
Router(config)#hostname Tokyo
Tokyo(config)#
As soon as the Enter key is pressed, the prompt
changes from the default host name (Router) to the
newly configured host name (which is Tokyo in the
example above).

199
Setting
the Clock
with Help

200
Message Of The Day (MOTD)
A message-of-the-day (MOTD) banner can be displayed on all
connected terminals.
Enter global configuration mode by using the command config t
Enter the command
banner motd # The message of the day goes here #.
Save changes by issuing the command copy run start

201
Configuring a Console Password
Passwords restrict access to routers.
Passwords should always be configured for virtual terminal
lines and the console line.
Passwords are also used to control access to privileged EXEC
mode so that only authorized users may make changes to the
configuration file.
The following commands are used to set an optional but
recommended password on the console line:
Router(config)#line console 0
Router(config-line)#password <password>
Router(config-line)#login

202
Configuring a Modem Password
If configuring a router via a modem you are most likely
connected to the aux port.
The method for configuring the aux port is very similar to
configuring the console port.
Router(config)#line aux 0
Router(config-line)#password <password>
Router(config-line)#login

203
Configuring Interfaces
An interface needs an IP Address and a Subnet Mask to be configured.
All interfaces are “shutdown” by default.
The DCE end of a serial interface needs a clock rate.
Router#config t
Router(config)#interface serial 0/1
Router(config-if)#ip address 200.100.50.75 255.255.255.240
Router(config-if)#clock rate 56000 (required for serial DCE only)
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#int f0/0
Router(config-if)#ip address 150.100.50.25 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Router#
On older routers, Serial 0/1 would be just Serial 1 and f0/0 would be e0.
s = serial e = Ethernet f = fast Ethernet

204
Configuring a Telnet Password
A password must be set on one or more of the virtual terminal
(VTY) lines for users to gain remote access to the router using
Telnet.
Typically Cisco routers support five VTY lines numbered 0
through 4.
The following commands are used to set the same password
on all of the VTY lines:
Router(config)#line vty 0 4
Router(config-line)#password <password>
Router(config-line)#login

205
Examining the show Commands
There are many show commands that can be used to examine the contents of files
in the router and for troubleshooting. In both privileged EXEC and user EXEC
modes, the command show ? provides a list of available show commands. The list
is considerably longer in privileged EXEC mode than it is in user EXEC mode.
show interfaces – Displays all the statistics for all the interfaces on the router
show int s0/1 – Displays statistics for interface Serial 0/1
show controllers serial – Displays information specific to the interface hardware
show clock – Shows the time set in the router
show hosts – Displays a cached list of host names and addresses
show users – Displays all users who are connected to the router
show history – Displays a history of commands that have been entered
show flash – Displays info about flash memory and what IOS files are stored there
show version – Displays info about the router and the IOS that is running in RAM
show ARP – Displays the ARP table of the router
show start – Displays the saved configuration located in NVRAM
show run – Displays the configuration currently running in RAM
show protocol – Displays the global and interface-specific status of any configured
Layer 3 protocols

206
The copy run tftp Command

207
The copy tftp run Command

208

209
Ethernet Overview
Ethernet is now the dominant LAN technology in the world.
Ethernet is not one technology but a family of LAN
technologies.
All LANs must deal with the basic issue of how individual
stations (nodes) are named, and Ethernet is no exception.
Ethernet specifications support different media, bandwidths,
and other Layer 1 and 2 variations.
However, the basic frame format and addressing scheme is
the same for all varieties of Ethernet.

210
Ethernet and the OSI Model
Ethernet operates in two areas of the OSI model: the lower half of the data link layer, known as the MAC sublayer, and the physical layer.

211
Ethernet Technologies
Mapped to the OSI Model

212
Layer 2 Framing
Framing is the Layer 2 encapsulation process.
A frame is the Layer 2 protocol data unit.
The frame format diagram shows different groupings of bits
(fields) that perform other functions.

213
Ethernet and IEEE Frame
Formats are Very Similar

214
3 Common Layer 2 Technologies
• Ethernet: uses CSMA/CD; logical bus topology (information flow is on a linear bus) and physical star or extended star topology (wired as a star)
• Token Ring: logical ring topology (information flow is controlled in a ring) and a physical star topology (in other words, it is wired as a star)
• FDDI: logical ring topology (information flow is controlled in a ring) and physical dual-ring topology (wired as a dual ring)

215
Collision Domains
To move data between one Ethernet station and
another, the data often passes through a repeater.
All other stations in the same collision domain see
traffic that passes through a repeater.
A collision domain is then a shared resource.
Problems originating in one part of the collision
domain will usually impact the entire collision
domain.

216
CSMA/CD Graphic

217
Backoff
After a collision occurs and all stations allow the cable to
become idle (each waits the full interframe spacing), then the
stations that collided must wait an additional and potentially
progressively longer period of time before attempting to
retransmit the collided frame.
The waiting period is intentionally designed to be random so
that two stations do not delay for the same amount of time
before retransmitting, which would result in more collisions.
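The slide says the wait after a collision is random and "potentially progressively longer" without giving the rule. The Python below is an added example (not from the deck) that implements the rule Ethernet actually uses, IEEE 802.3 truncated binary exponential backoff: after the n-th collision on the same frame a station picks a whole number of slot times uniformly from 0 to 2^min(n,10) - 1, and gives up on the frame after 16 collisions. A small constructed simulation then shows several stations that collided at once resolving the collision round by round; the station count and random seed are constructed inputs.

```python
import random

SLOT_TIME_BITS = 512   # one slot time on 10 and 100 Mb/s Ethernet, in bit times
BACKOFF_LIMIT = 10     # the exponent stops growing after the 10th collision
MAX_ATTEMPTS = 16      # after the 16th collision the frame is discarded


def backoff_range(attempt):
    """Inclusive (low, high) range of slot counts a station may choose
    after its `attempt`-th collision on the same frame."""
    if not 1 <= attempt <= MAX_ATTEMPTS:
        raise ValueError("attempt must be between 1 and 16")
    return 0, 2 ** min(attempt, BACKOFF_LIMIT) - 1


def backoff_slots(attempt, rng):
    low, high = backoff_range(attempt)
    return rng.randint(low, high)


def backoff_bit_times(attempt, rng):
    """The actual delay: a random slot count times the slot time."""
    return backoff_slots(attempt, rng) * SLOT_TIME_BITS


def resolve_collision(n_stations, seed=0):
    """Constructed simulation: `n_stations` frames collided at once.  Each
    round every pending station draws a backoff.  The station with the
    earliest unique slot transmits; stations that tie for the earliest slot
    collide again (their attempt counter grows, widening their range); the
    rest sense the carrier and defer without counting a collision.
    Returns (transmit_order, dropped_stations, rounds)."""
    rng = random.Random(seed)
    attempts = {station: 1 for station in range(n_stations)}
    order, dropped, rounds = [], [], 0
    while attempts:
        rounds += 1
        choice = {s: backoff_slots(a, rng) for s, a in attempts.items()}
        earliest = min(choice.values())
        contenders = [s for s, c in choice.items() if c == earliest]
        if len(contenders) == 1:
            winner = contenders[0]
            order.append(winner)
            del attempts[winner]
            continue
        for s in contenders:
            attempts[s] += 1
            if attempts[s] > MAX_ATTEMPTS:   # excessive collisions: frame dropped
                del attempts[s]
                dropped.append(s)
    return order, dropped, rounds


if __name__ == "__main__":
    for n in (1, 2, 3, 10, 11, 16):
        print(f"collision {n:2d}: slots 0..{backoff_range(n)[1]}")
    order, dropped, rounds = resolve_collision(5, seed=3)
    print("transmit order:", order, "dropped:", dropped, "rounds:", rounds)
```

The range table the block prints is the point of the slide: two stations that collide once each choose between only two slots, so a repeat collision is likely, but every repeat doubles the range and makes the same choice progressively less likely.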

218

Hierarchical Addressing Using
Variable-Length Subnet Masks
© 2003, Cisco Systems, Inc. All rights reserved. 219

220
Prefix Length and Network Mask
Range of Addresses: 192.168.1.64 through 192.168.1.79
• Have the first 28 bits in common, which is represented by a /28 prefix length
• 28 bits in common can also be represented in dotted decimal as 255.255.255.240
In the IP network number that accompanies the network mask, when the host bits of the IP network number are:
• All binary zeros – that address is the bottom of the address range
• All binary ones – that address is the top of the address range
Binary ones in the network mask represent network bits in the accompanying IP address; binary zeros represent host bits.
11000000.10101000.00000001.0100xxxx   IP Address
11111111.11111111.11111111.11110000   Network Mask
Fourth Octet (decimal / binary):
64  01000000
65  01000001
66  01000010
67  01000011
68  01000100
69  01000101
70  01000110
71  01000111
72  01001000
73  01001001
74  01001010
75  01001011
76  01001100
77  01001101
78  01001110
79  01001111

221
Implementing VLSM

222
Range Of Addresses for
VLSM

223
Breakdown Address Space
for Largest Subnet

224
Breakdown Address Space
for Ethernets at Remote Sites

225
Break Down Remaining
Address Space for Serial
Subnets

226
Calculating VLSM: Binary

Route Summarization and
Classless Interdomain Routing
227

228
What Is Route Summarization?

229
Summarizing Within an Octet

230
Summarizing Addresses in a
VLSM-Designed Network

231
Classless Interdomain Routing
– CIDR is a mechanism developed to alleviate
exhaustion of addresses and reduce routing
table size.
– Block addresses can be summarized into single
entries without regard to the classful boundary of
the network number.
– Summarized blocks are installed in routing
tables.

232
What Is CIDR?
• Addresses are the same as in the route summarization figure, except that
Class B network 172 has been replaced by Class C network 192.
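The "Prefix Length and Network Mask" slide derives /28 from the range 192.168.1.64 through 192.168.1.79 by finding the bits the two ends have in common, and the route summarization and CIDR slides apply the same idea to a set of networks: the summary route is the longest common prefix of the block. The Python below is an added example (not the deck's own material) that implements that computation for both uses. It reproduces the slide's /28 and fourth-octet table, and summarizes a constructed set of four /24 networks; the four networks are constructed for the example, since the summarization figures themselves are not reproduced in the text. The `exact` flag it returns is the check a practitioner wants before advertising a summary: whether the listed networks fill the summary block completely, or whether the summary would also claim address space that is not behind this router.

```python
import socket
import struct


def to_int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def to_dotted(value):
    return socket.inet_ntoa(struct.pack("!I", value))


def mask_from_prefix(prefix):
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def common_prefix_length(addresses):
    """Number of leading bits shared by every address in the list.  The
    lowest and highest values bound the others, so it is enough to find
    the first bit where those two differ."""
    values = [to_int(a) for a in addresses]
    return 32 - (min(values) ^ max(values)).bit_length()


def address_range(cidr):
    """(bottom, top) of a network/prefix: host bits all 0 and all 1."""
    net, prefix = cidr.split("/")
    mask = mask_from_prefix(int(prefix))
    bottom = to_int(net) & mask
    top = bottom | (~mask & 0xFFFFFFFF)
    return to_dotted(bottom), to_dotted(top)


def fourth_octet_table(cidr):
    """The slide's table: last octet of every address in the block,
    in decimal and 8-bit binary."""
    bottom, top = (to_int(x) for x in address_range(cidr))
    return [(v & 0xFF, format(v & 0xFF, "08b")) for v in range(bottom, top + 1)]


def summarize(networks):
    """Summary route for a list of 'a.b.c.d/p' networks.
    Returns (summary_cidr, dotted_mask, exact) where exact tells whether
    the inputs fill the summary block completely (inputs are assumed not
    to overlap, which holds for distinct networks in a routing table)."""
    ranges = [tuple(to_int(x) for x in address_range(n)) for n in networks]
    low = min(bottom for bottom, _ in ranges)
    high = max(top for _, top in ranges)
    prefix = 32 - (low ^ high).bit_length()
    mask = mask_from_prefix(prefix)
    covered = sum(top - bottom + 1 for bottom, top in ranges)
    exact = covered == (1 << (32 - prefix))
    return f"{to_dotted(low & mask)}/{prefix}", to_dotted(mask), exact


if __name__ == "__main__":
    print("/" + str(common_prefix_length(["192.168.1.64", "192.168.1.79"])))
    for decimal, binary in fourth_octet_table("192.168.1.64/28"):
        print(decimal, binary)
    # Constructed set of contiguous class-C-sized networks to summarize.
    sites = ["172.16.12.0/24", "172.16.13.0/24", "172.16.14.0/24", "172.16.15.0/24"]
    print(summarize(sites))
    print(summarize(sites[:3]))   # one /24 missing: summary is no longer exact
```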

233
CIDR Example

234

235
Anatomy of an IP Packet
IP packets consist of the data from upper layers plus an IP
header. The IP header consists of the following:

236
Introducing Routing
Routing is the process that a router uses to forward packets
toward the destination network. A router makes decisions
based upon the destination IP address of a packet. All devices
along the way use the destination IP address to point the
packet in the correct direction so that the packet eventually
arrives at its destination. In order to make the correct
decisions, routers must learn the direction to remote networks.

237
Configuring Static Routes by
Specifying Outgoing Interfaces

238
Configuring Static Routes by
Specifying Next-Hop Addresses

239
Administrative Distance
The administrative distance is an optional parameter that gives a measure
of the reliability of the route. The range of an AD is 0-255 where smaller
numbers are more desirable.
The default administrative distance when using next-hop address is 1, while
the default administrative distance when using the outgoing interface is 0.
You can statically assign an AD as follows:
Router(config)#ip route 172.16.3.0
255.255.255.0 172.16.4.1 130
Sometimes static routes are used for backup purposes. A static route can
be configured on a router that will only be used when the dynamically
learned route has failed. To use a static route in this manner, simply set the
administrative distance higher than that of the dynamic routing protocol
being used.

240
Configuring Default Routes
Default routes are used to route packets with destinations that do
not match any of the other routes in the routing table.
A default route is actually a special static route that uses this format:
ip route 0.0.0.0 0.0.0.0 [next-hop-address| outgoing interface]
This is sometimes referred to as a “Quad-Zero” route.
Example using next hop address:
Router(config)#ip route 0.0.0.0 0.0.0.0 172.16.4.1
Example using the exit interface:
Router(config)#ip route 0.0.0.0 0.0.0.0 s0/0
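An added example, not from the slide deck, of the lookup rules the last two slides rely on: longest prefix match decides first, a lower administrative distance wins between two sources of the same prefix, and the quad-zero route catches everything else. The floating static route is the slide's own AD-130 command; the RIP route (AD 120) and its next hop 10.0.0.2 are constructed.

```python
"""Added example, not from the Cisco slide deck: a minimal forwarding
lookup that applies the rules the slides describe. Longest prefix match
decides first; when two sources offer the same prefix the lower
administrative distance (AD) wins; 0.0.0.0/0 is the quad-zero default."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str      # destination network, e.g. "172.16.3.0/24"
    via: str         # next-hop address or exit interface
    ad: int          # administrative distance (static = 1, RIP = 120)
    source: str      # who installed it: "static", "rip", ...

def best_route(table, dst):
    """Route used to forward a packet to `dst`, or None if nothing matches."""
    d = ipaddress.ip_address(dst)
    matches = [r for r in table if d in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    # Longest prefix first, then lowest AD: the route IOS would install.
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.ad))

def build_table(rip_route_up):
    """Constructed table: a default route, a floating static with AD 130
    (the slide's 'ip route 172.16.3.0 255.255.255.0 172.16.4.1 130') and,
    while it is up, the same prefix learned by RIP (AD 120) via a
    constructed next hop 10.0.0.2."""
    table = [
        Route("0.0.0.0/0", "172.16.4.1", 1, "static"),        # quad-zero default
        Route("172.16.3.0/24", "172.16.4.1", 130, "static"),  # floating static backup
    ]
    if rip_route_up:
        table.append(Route("172.16.3.0/24", "10.0.0.2", 120, "rip"))
    return table
```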

241
Verifying Static
Route Configuration
After static routes are configured it is important to
verify that they are present in the routing table and
that routing is working as expected.
The command show running-config is used to view
the active configuration in RAM to verify that the static
route was entered correctly.
The show ip route command is used to make sure
that the static route is present in the routing table.

242
Troubleshooting Static
Route Configuration

243
Path Determination Graphic

244
Path determination figure: routers and switches interconnected, with the question "What is an optimal route?" answered by the routing protocol.

245
Routing Protocols
Routing protocols include the following: processes for sharing
route information, which allow routers to communicate with other
routers to update and maintain the routing tables.
Examples of routing protocols that support the IP routed protocol
are RIP, IGRP, OSPF, BGP, and EIGRP.

246
Routing Protocols

247
Routed Protocols
Protocols used at the network layer that transfer data from one host to another across
a router are called routed or routable protocols. The Internet Protocol (IP) and Novell's
Internetwork Packet Exchange (IPX) are examples of routed protocols. Routers use
routing protocols to exchange routing tables and share routing information. In other
words, routing protocols enable routers to route routed protocols.

248
Routed Protocols

249
Autonomous System
Interior Gateway Protocols (IGP) are used for routing decisions
within an Autonomous System. Exterior Gateway Protocols (EGP) are
used for routing between Autonomous Systems.
An Autonomous System (AS) is a group of IP networks, which
has a single and clearly defined external routing policy.
Fig. 48 IGP and EGP: IGP inside AS 1000, AS 2000 and AS 3000, EGP between them (TI1332EU02TI_0004 The Network Layer, 67)

250
Fig. 49 The use of IGP and EGP protocols: an Interior Gateway Protocol (IGP) runs within each of AS 1000, AS 2000 and AS 3000; an Exterior Gateway Protocol (EGP) runs on the links between them (TI1332EU02TI_0004 The Network Layer, 67)

251
IGP and EGP
An autonomous system is a network or set of networks under
common administrative control, such as the cisco.com domain.

252
Categories of Routing
Protocols
Most routing algorithms can be classified into one of two
categories:
• distance vector
• link-state
The distance vector routing approach determines the direction
(vector) and distance to any link in the internetwork.
The link-state approach, also called shortest path first,
recreates the exact topology of the entire internetwork.

253
Distance Vector
Routing Concepts

254
Distance Vector Routing (DVR) figure: Router A, Router B, Router C and Router D in a row, with networks 192.16.1.0, 192.16.5.0 and 192.16.7.0 attached; routing information flows between neighbours, and a router's table lists each destination with its distance in hops (192.16.1.0: 1, 192.16.5.0: 1, 192.16.7.0: 2).
Routing table contains the addresses of destinations and the distance
of the way to this destination.

255
Routing Tables Graphic

256
Distance Vector
Topology Changes

257
Router Metric Components

258
Distance Vector Routing (DVR) figure: Routers A, B, C and D interconnected by networks 192.16.1.0 to 192.16.7.0. Each router's table lists destination network, distance (0 for locally connected networks, 1 for networks learned from a neighbour) and the neighbour the route was learned through (L = locally connected).

259
Distance Vector Routing (DVR) figure, continued: after further exchanges each router's table also holds the networks two and three hops away (distances 2 and 3), each tagged with the neighbour (A, B, C or D) that advertised it; L = locally connected.
Fig. 53 Distribution of routing information with distance vector routing protocol (cont.) (TI1332EU02TI_0004 The Network Layer, 71)

260
RIPv1
• Distance vector routing protocol, classful
• Distribution of routing tables via broadcast to adjacent routers
• Only one kind of metric: number of hops; connections with different bandwidth can not be weighted
• Routing loops can occur -> bad convergence in case of a failure
• Count to infinity problem (infinity = 16)
• Maximum network size is limited by the number of hops
Fig. 59 Properties of RIPv1 (TI1332EU02TI_0004 The Network Layer, 81)

261
RIP Characteristics

262
Fig. 60 RIP-1 permits only a single subnet mask: Router A (Port 1 130.24.13.1/24 on 130.24.13.0/24, Port 2 200.14.13.2/24 on 200.14.13.0/24) learns subnets 130.24.36.0/24 and 130.24.25.0/24; RIP-1 carries 130.24.36.0 between the 130.24.x.0 subnets but advertises only the classful 130.24.0.0 onto 200.14.13.0/24 (TI1332EU02TI_0004 The Network Layer, 83)

263
Router Configuration
The router command starts a routing process.
The network command is required because it enables the
routing process to determine which interfaces participate in the
sending and receiving of routing updates.
An example of a routing configuration is:
GAD(config)#router rip
GAD(config-router)#network 172.16.0.0
The network numbers are based on the network class
addresses, not subnet addresses or individual host addresses.

264
Configuring RIP Example

265
Verifying RIP Configuration

266
The debug ip rip Command
Most of the RIP configuration errors involve an incorrect network
statement, discontiguous subnets, or split horizons. One highly
effective command for finding RIP update issues is the debug ip rip
command. The debug ip rip command displays RIP routing updates as
they are sent and received.

267
Problem: Routing Loops
Routing loops can occur when inconsistent routing tables are not
updated due to slow convergence in a changing network.

268
Problem: Counting to Infinity

269
Solution: Define a Maximum

270
Solution: Split Horizon

271
Route Poisoning
Route poisoning is used by various distance vector protocols in order to
overcome large routing loops and offer explicit information when a subnet
or network is not accessible. This is usually accomplished by setting the
hop count to one more than the maximum.

272
Triggered Updates
New routing tables are sent to neighboring routers on a regular basis.
For example, RIP updates occur every 30 seconds.
However a triggered update is sent immediately in response to some
change in the routing table.
The router that detects a topology change immediately sends an update
message to adjacent routers that, in turn, generate triggered updates
notifying their adjacent neighbors of the change.
When a route fails, an update is sent immediately rather than waiting on the
update timer to expire.
Triggered updates, used in conjunction with route poisoning, ensure that all
routers know of failed routes before any holddown timers can expire.
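An added example, not from the slide deck, that simulates the problems and fixes of the last few slides on a constructed three-router chain A - B - C with network N attached to A: after N fails, plain updates count up to infinity (16), while split horizon, with or without poison reverse, settles in two update rounds. The class and function names are my own.

```python
"""Added example, not from the Cisco slide deck: a toy RIP-style distance
vector simulation on a three-router chain A - B - C with network N on A.
After N fails it shows the count-to-infinity problem and how split horizon
(plain or with poison reverse) stops it. Metric is hop count with the
slide's conventions: locally connected = 0, infinity = 16."""
INFINITY = 16

class Router:
    def __init__(self, name, connected=()):
        self.name = name
        self.neighbors = []
        # dest -> [metric, next_hop]; next_hop None means locally connected
        self.table = {net: [0, None] for net in connected}

    def advertise(self, to, split_horizon, poison_reverse):
        """Routes this router sends to neighbour `to` in one update."""
        adv = {}
        for dest, (metric, nh) in self.table.items():
            if split_horizon and nh == to.name:
                if poison_reverse:
                    adv[dest] = INFINITY  # poison: tell `to` it is unreachable via us
                continue                  # plain split horizon: say nothing
            adv[dest] = metric
        return adv

    def receive(self, frm, adv):
        """Apply one neighbour's update; True if the table changed."""
        changed = False
        for dest, metric in adv.items():
            new = min(metric + 1, INFINITY)
            cur = self.table.get(dest)
            if cur is None:
                if new < INFINITY:
                    self.table[dest] = [new, frm]
                    changed = True
            elif cur[1] == frm:
                # An update from the current next hop is always believed, even if worse.
                if cur[0] != new:
                    cur[0] = new
                    changed = True
            elif new < cur[0]:
                self.table[dest] = [new, frm]
                changed = True
        return changed

def link(x, y):
    x.neighbors.append(y)
    y.neighbors.append(x)

def run_round(routers, split_horizon, poison_reverse):
    """One synchronous update period: everyone sends, then everyone applies."""
    msgs = [(rcv, snd.name, snd.advertise(rcv, split_horizon, poison_reverse))
            for snd in routers for rcv in snd.neighbors]
    changed = False
    for rcv, frm, adv in msgs:
        changed = rcv.receive(frm, adv) or changed
    return changed

def simulate(split_horizon, poison_reverse=False, max_rounds=100):
    """Return (update rounds needed to settle after N fails, final metric for N per router)."""
    a, b, c = Router("A", ["N"]), Router("B"), Router("C")
    link(a, b)
    link(b, c)
    routers = [a, b, c]
    while run_round(routers, split_horizon, poison_reverse):
        pass                                     # initial convergence
    assert c.table["N"] == [2, "B"], "C should reach N in 2 hops via B"
    a.table["N"][0] = INFINITY                   # network N goes down on A
    rounds = 0
    while rounds < max_rounds and run_round(routers, split_horizon, poison_reverse):
        rounds += 1
    return rounds, {r.name: r.table["N"][0] for r in routers}
```

With plain updates the metric for N climbs round after round until every router reaches 16; with split horizon B never re-advertises N back to A, so the failure propagates in two rounds.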

273
Triggered Updates Graphic

274
Solution: Holddown Timers

275
IGRP
Interior Gateway Routing Protocol (IGRP) is a proprietary
protocol developed by Cisco.
Some of the IGRP key design characteristics emphasize
the following:
• It is a distance vector routing protocol.
• Routing updates are broadcast every 90 seconds.
• Bandwidth, load, delay and reliability are used to
create a composite metric.

276
IGRP Stability Features
IGRP has a number of features that are designed to enhance its stability, such as:
• Holddowns
• Split horizons
• Poison reverse updates
Holddowns
Holddowns are used to prevent regular update messages from inappropriately
reinstating a route that may not be up.
Split horizons
Split horizons are derived from the premise that it is usually not useful to send
information about a route back in the direction from which it came.
Poison reverse updates
Split horizons prevent routing loops between adjacent routers, but poison reverse
updates are necessary to defeat larger routing loops.
Today IGRP is showing its age: it lacks support for variable length subnet masks
(VLSM). Rather than develop an IGRP version 2 to correct this problem, Cisco has
built upon IGRP's legacy of success with Enhanced IGRP.

277
Configuring IGRP

278
Routing Metrics Graphics

279
Link State Concepts

280
Link State Topology Changes

281
Link State Routing (LSR) figure: Router 1, Router 2, Router 3 and Router 4 flood link state packets, and each router runs SPF over them to build its routing table.
LSP from Router 1: „My links to R2 and R4 are up“
LSP from Router 2: „My links to R1 and R3 are up, my link to R4 is down.“
LSP from Router 3: „My links to R2 and R4 are up.“
LSP from Router 4: „My links to R1 and R3 are up. My link to R2 is down.“
LSP....link state packet
SPF... shortest path first

282
Link State Concerns

283
Link State Routing (LSR) figure: Router A to Router E with link costs A-B 2, A-C 1, B-D 4, C-D 2, C-E 4 and D-E 1.
Link State Database (each router's advertised links and costs): A: B 2, C 1; B: A 2, D 4; C: A 1, D 2, E 4; D: C 2, B 4, E 1; E: C 4, D 1. Every router holds the same database and builds its own SPF tree from it, rooted at itself.

284
Link State Routing Features
Link-state algorithms are also known as Dijkstra's algorithm or as SPF (shortest path first)
algorithms.
Link-state routing algorithms maintain a complex database of topology information.
Distance vector algorithms are also known as Bellman-Ford algorithms. They have
nonspecific information about distant networks and no knowledge of distant routers.
A link-state routing algorithm maintains full knowledge of distant routers and how they
interconnect. Link-state routing uses:
• Link-state advertisements (LSAs)
A link-state advertisement (LSA) is a small packet of routing information
that is sent between routers.
• Topological database
A topological database is a collection of information gathered from LSAs.
• SPF algorithm
The shortest path first (SPF) algorithm is a calculation performed on the
database resulting in the SPF tree.
• Routing tables: a list of the known paths and interfaces.
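An added example, not from the slide deck, that runs the SPF calculation over the link-state database of the five-router figure above (costs A-B 2, A-C 1, B-D 4, C-D 2, C-E 4, D-E 1) and also checks the database for the consistency every router in an area should share. The function names are my own.

```python
"""Added example, not from the Cisco slide deck: Dijkstra's SPF run over the
link-state database of the slide's five-router figure. Every router holds
the same LSDB, puts itself at the root and derives its forwarding table
from the lowest total link cost to each destination."""
import heapq

# Link-state database transcribed from the figure: router -> {neighbour: link cost}
LSDB = {
    "A": {"B": 2, "C": 1},
    "B": {"A": 2, "D": 4},
    "C": {"A": 1, "D": 2, "E": 4},
    "D": {"B": 4, "C": 2, "E": 1},
    "E": {"C": 4, "D": 1},
}

def lsdb_consistent(lsdb):
    """True when every link is advertised by both ends with the same cost.
    A one-sided or mismatched entry means the area's LSDBs are not in sync."""
    return all(lsdb.get(nbr, {}).get(rtr) == cost
               for rtr, links in lsdb.items() for nbr, cost in links.items())

def spf(lsdb, root):
    """Shortest path first from `root`: {dest: (total_cost, next_hop)}."""
    dist = {root: 0}
    next_hop = {root: None}
    heap = [(0, root)]
    visited = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in visited:
            continue                # stale heap entry
        visited.add(node)
        for nbr, w in lsdb[node].items():
            cand = cost + w
            if cand < dist.get(nbr, float("inf")):
                dist[nbr] = cand
                # Routes inherit the first hop of the path they extend.
                next_hop[nbr] = nbr if node == root else next_hop[node]
                heapq.heappush(heap, (cand, nbr))
    return {d: (dist[d], next_hop[d]) for d in dist if d != root}
```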

285
Link State Routing

286
Comparing Routing Methods

OSPF (Open Shortest Path First)
Protocol
© 2003, Cisco Systems, Inc. All rights reserved. 287

288
OSPF is a Link-State Routing
Protocol
–Link-state (LS) routers recognize much more information
about the network than their distance-vector
counterparts. Consequently, LS routers tend to make more accurate
decisions.
–Link-state routers keep track of the following:
•Their neighbours
•All routers within the same area
•Best paths toward a destination

289
Link-State Data Structures
–Neighbor table:
•Also known as the adjacency database
(list of recognized neighbors)
–Topology table:
•Typically referred to as LSDB
(routers and links in the area or network)
•All routers within an area have an identical LSDB
–Routing table:
•Commonly named a forwarding database
(list of best paths to destinations)

290
OSPF vs. RIP
RIP is limited to 15 hops, it converges slowly, and it sometimes chooses
slow routes because it ignores critical factors such as bandwidth in route
determination. OSPF overcomes these limitations and proves to be a
robust and scalable routing protocol suitable for the networks of today.

291
OSPF Terminology
The next several slides explain various OSPF terms -
one per slide.

292
OSPF Term: Link

293
OSPF Term: Link State

294
OSPF Term: Area

295
OSPF Term: Link Cost

296
OSPF Term: Forwarding Database

297
OSPF Term: Adjacencies Database

298
OSPF Terms: DR & BDR

299
Link-State Data Structure:
Network Hierarchy
•Link-state routing requires a hierarchical
network structure that is enforced by OSPF.
•This two-level hierarchy consists of the
following:
•Transit area (backbone or area 0)
•Regular areas (nonbackbone areas)

300
OSPF Areas

301
Area Terminology

302
LS Data Structures: Adjacency
Database
–Routers discover neighbors by exchanging
hello packets.
–Routers declare neighbors to be up after checking
certain parameters or options in the hello packet.
–Point-to-point WAN links:
•Both neighbors become fully adjacent.
–LAN links:
•Neighbors form an adjacency with the DR and BDR.
•Maintain two-way state with the other routers (DROTHERs).
–Routing updates and topology information are only passed
between adjacent routers.

303
OSPF Adjacencies
Routers build logical adjacencies between each other
using the Hello Protocol. Once an adjacency is formed:
•LS database packets are exchanged to synchronize
each other’s LS databases.
•LSAs are flooded reliably throughout the area or network
using these adjacencies.

304
Link State Routing Graphic

305
Open Shortest Path First
Calculation
•Routers find the best paths to destinations by
applying Dijkstra’s SPF algorithm to the link-state
database as follows:
–Every router in an area has the identical
link-state database.
–Each router in the area places itself into
the root of the tree that is built.
–The best path is calculated with respect to the
lowest total cost of links to a specific destination.
–Best routes are put into the forwarding database.

306
OSPF Packet Types

307
OSPF Packet Header Format

308
Neighborship

309
Establishing Bidirectional
Communication

310
Establishing Bidirectional
Communication (Cont.)

311
Establishing Bidirectional
Communication (Cont.)

312
Establishing Bidirectional
Communication

313
Discovering the Network Routes

314
Discovering the Network Routes

315
Adding the Link-State Entries

316
Adding the Link-State Entries
(Cont.)

317
Adding the Link-State Entries

318
Maintaining Routing Information
•Router A notifies all OSPF DRs on 224.0.0.6

319
Maintaining Routing Information
(Cont.)
•Router A notifies all OSPF DRs on 224.0.0.6
•DR notifies others on 224.0.0.5

320
Maintaining Routing Information
(Cont.)
•Router A notifies all OSPF DRs on 224.0.0.6
•DR notifies others on 224.0.0.5

321
Maintaining Routing Information
•Router A notifies all OSPF DRs on 224.0.0.6
•DR notifies others on 224.0.0.5

322
Configuring Basic OSPF:
Single Area
Router(config)#router ospf process-id
•Turns on one or more OSPF routing processes in
the IOS software.
Router(config-router)#network address inverse-mask area [area-id]
•Router OSPF subordinate command that defines
the interfaces (by network number) that OSPF
will run on. Each network number must be
defined to a specific area.

323
Configuring OSPF on Internal
Routers of a Single Area

324
Verifying OSPF Operation
Router#show ip protocols
•Verifies the configured IP routing protocol
processes, parameters and statistics
Router#show ip route ospf
•Displays all OSPF routes learned by the router
Router#show ip ospf interface
•Displays the OSPF router ID, area ID and
adjacency information

325
Verifying OSPF Operation
(Cont.)
Router#show ip ospf
•Displays the OSPF router ID, timers, and statistics
Router#show ip ospf neighbor [detail]
•Displays information about the OSPF neighbors,
including Designated Router (DR) and Backup
Designated Router (BDR) information on
broadcast networks

326
The show ip route ospf
Command
RouterA# show ip route ospf
Codes:C -connected, S -static, I -IGRP, R -RIP, M -mobile,
B -BGP, D -EIGRP, EX -EIGRP external, O -OSPF,
IA -OSPF inter area, E1 -OSPF external type 1,
E2 -OSPF external type 2, E -EGP, i -IS-IS, L1 -IS-IS
level-1, L2 -IS-IS level-2, * -candidate default
Gateway of last resort is not set
10.0.0.0 255.255.255.0 is subnetted, 2 subnets
O 10.2.1.0 [110/10] via 10.64.0.2, 00:00:50, Ethernet0

327
The show ip ospf interface
Command
RouterA# show ip ospf interface e0
Ethernet0 is up, line protocol is up
Internet Address 10.64.0.1/24, Area 0
Process ID 1, Router ID 10.64.0.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DROTHER, Priority 1
Designated Router (ID) 10.64.0.2, Interface address 10.64.0.2
Backup Designated router (ID) 10.64.0.1, Interface address 10.64.0.1
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.64.0.2 (Designated Router)
Suppress hello for 0 neighbor(s)

328
The show ip ospf neighbor
Command
RouterB# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.64.1.1 1 FULL/BDR 00:00:31 10.64.1.1 Ethernet0
10.2.1.1 1 FULL/ - 00:00:38 10.2.1.1 Serial0

329
show ip protocol
show ip route

330
show ip ospf neighbor detail
show ip ospf database

331
OSPF Network Types -1

332
Point-to-Point Links
•Usually a serial interface running either PPP
or HDLC
•May also be a point-to-point subinterface
running Frame Relay or ATM
•No DR or BDR election required
•OSPF autodetects this interface type
•OSPF packets are sent using multicast 224.0.0.5

333
Multi-access Broadcast Network
•Generally LAN technologies like Ethernet and Token Ring
•DR and BDR selection required
•All neighbor routers form full adjacencies with the DR and
BDR only
•Packets to the DR use 224.0.0.6
•Packets from DR to all other routers use 224.0.0.5

334
Electing the DR and BDR
•Hello packets are exchanged via IP multicast.
•The router with the highest OSPF priority is
selected as the DR.
•Use the OSPF router ID as the tie breaker.
•The DR election is nonpreemptive.

335
Setting Priority for DR Election
Router(config-if)#ip ospf priority number
•This interface configuration command assigns the
OSPF priority to an interface.
•Different interfaces on a router may be assigned
different values.
•The default priority is 1. The range is from 0 to 255.
•0 means the router is a DROTHER; it can’t be the
DR or BDR.
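An added example, not from the slide deck, of the DR/BDR election as the last two slides state it: highest priority wins, the router ID breaks ties, priority 0 makes a router ineligible, and a sitting DR or BDR is not preempted. The router IDs and priorities are constructed, and the function is a simplification of the full RFC 2328 procedure.

```python
"""Added example, not from the Cisco slide deck: OSPF DR/BDR election as
the slide states it: highest priority wins, router ID breaks ties,
priority 0 makes a router ineligible, and the result is nonpreemptive.
(The full RFC 2328 procedure has extra steps this simplification omits.)"""

def _rid_key(rid):
    """Numeric ordering of a dotted router ID, so '10.0.0.9' < '10.0.0.12'."""
    return tuple(int(o) for o in rid.split("."))

def elect(routers, current_dr=None, current_bdr=None):
    """routers: {router_id: ospf_priority}. Returns (dr, bdr)."""
    eligible = {rid: p for rid, p in routers.items() if p > 0}  # priority 0 = DROTHER only
    if not eligible:
        return None, None
    rank = lambda rid: (eligible[rid], _rid_key(rid))
    # Nonpreemptive: a sitting DR/BDR keeps its role while still present and eligible,
    # even if a router with a higher priority or ID has since joined.
    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if current_bdr in eligible and current_bdr != dr else None
    if dr is None and bdr is not None:
        dr, bdr = bdr, None      # the BDR is promoted when the DR disappears
    if dr is None:
        dr = max(eligible, key=rank)
    if bdr is None:
        others = [rid for rid in eligible if rid != dr]
        bdr = max(others, key=rank) if others else None
    return dr, bdr
```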

336
OSPF Network Types -2

337
Creation of Adjacencies
RouterA# debug ip ospf adj
Point-to-point interfaces coming up: No election
%LINK-3-UPDOWN: Interface Serial1, changed state to up
OSPF: Interface Serial1 going Up
OSPF: Rcv hello from 192.168.0.11 area 0 from Serial1 10.1.1.2
OSPF: End of hello processing
OSPF: Build router LSA for area 0, router ID 192.168.0.10
OSPF: Rcv DBD from 192.168.0.11 on Serial1 seq 0x20C4 opt 0x2 flag 0x7 len 32
state INIT
OSPF: 2 Way Communication to 192.168.0.11 on Serial1, state 2WAY
OSPF: Send DBD to 192.168.0.11 on Serial1 seq 0x167F opt 0x2 flag 0x7 len 32
OSPF: NBR Negotiation Done. We are the SLAVE
OSPF: Send DBD to 192.168.0.11 on Serial1 seq 0x20C4 opt 0x2 flag 0x2 len 72

338
Creation of Adjacencies (Cont.)
RouterA# debug ip ospf adj
Ethernet interface coming up: Election
OSPF: 2 Way Communication to 192.168.0.10 on Ethernet0, state 2WAY
OSPF: end of Wait on interface Ethernet0
OSPF: DR/BDR election on Ethernet0
OSPF: Elect BDR 192.168.0.12
OSPF: Elect DR 192.168.0.12
DR: 192.168.0.12 (Id) BDR: 192.168.0.12 (Id)
OSPF: Send DBD to 192.168.0.12 on Ethernet0 seq 0x546 opt 0x2 flag 0x7 len 32
<…>
OSPF: DR/BDR election on Ethernet0
OSPF: Elect BDR 192.168.0.11
OSPF: Elect DR 192.168.0.12
DR: 192.168.0.12 (Id) BDR: 192.168.0.11 (Id)

339

340
Overview
Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco-
proprietary routing protocol based on Interior Gateway Routing Protocol
(IGRP).
Unlike IGRP, which is a classful routing protocol, EIGRP supports CIDR
and VLSM.
Compared to IGRP, EIGRP boasts faster convergence times, improved
scalability, and superior handling of routing loops.
Furthermore, EIGRP can replace Novell Routing Information Protocol
(RIP) and AppleTalk Routing Table Maintenance Protocol (RTMP),
serving both IPX and AppleTalk networks with powerful efficiency.
EIGRP is often described as a hybrid routing protocol, offering the best
of distance vector and link-state algorithms.

341
Comparing EIGRP with IGRP
IGRP and EIGRP are compatible with each other.
EIGRP offers multiprotocol support, but IGRP does not.
EIGRP and IGRP use different metric calculations.
EIGRP scales the metric of IGRP by a factor of 256.
IGRP has a maximum hop count of 255.
EIGRP has a maximum hop count limit of 224.
Enabling dissimilar routing protocols such as OSPF and RIP to
share information requires advanced configuration.
Redistribution, the sharing of routes, is automatic between
IGRP and EIGRP as long as both processes use the same
autonomous system (AS) number.

342
EIGRP & IGRP Metric Calculation

343
Comparing EIGRP with IGRP

344
Comparing EIGRP with IGRP

345
EIGRP Concepts & Terminology
EIGRP routers keep route and topology information readily
available in RAM, so they can react quickly to changes.
Like OSPF, EIGRP saves this information in several tables and
databases.
EIGRP saves routes that are learned in specific ways.
Routes are given a particular status and can be tagged to
provide additional useful information.
EIGRP maintains three tables:
• Neighbor table
• Topology table
• Routing table

346
Neighbor Table
The neighbor table is the most important table in EIGRP.
Each EIGRP router maintains a neighbor table that lists adjacent
routers. This table is comparable to the adjacency database used by
OSPF. There is a neighbor table for each protocol that EIGRP
supports.
When a neighbor sends a hello packet, it advertises a hold time. The
hold time is the amount of time a router treats a neighbor as
reachable and operational. In other words, if a hello packet is not
heard within the hold time, then the hold time expires.
When the hold time expires, the Diffusing Update Algorithm (DUAL),
which is the EIGRP distance vector algorithm, is informed of the
topology change and must recalculate the new topology.

347
Topology Table
The topology table is made up of all the EIGRP routing tables in the
autonomous system.
DUAL takes the information supplied in the neighbor table and the topology
table and calculates the lowest cost routes to each destination. By tracking
this information, EIGRP routers can identify and switch to alternate routes
quickly.
The information that the router learns from the DUAL is used to determine
the successor route, which is the term used to identify the primary or best
route.
A copy is also placed in the topology table.
Every EIGRP router maintains a topology table for each configured network
protocol. All learned routes to a destination are maintained in the topology
table.

348
Routing Table
The EIGRP routing table holds the best routes to a destination. This
information is retrieved from the topology table. Each EIGRP router
maintains a routing table for each network protocol.
A successor is a route selected as the primary route to use to reach a
destination. DUAL identifies this route from the information contained in the
neighbor and topology tables and places it in the routing table.
There can be up to four successor routes for any particular route. These
can be of equal or unequal cost and are identified as the best loop-free
paths to a given destination.
A copy of the successor routes is also placed in the topology table.
A feasible successor (FS) is a backup route. These routes are identified at
the same time the successors are identified, but they are only kept in the
topology table. Multiple feasible successors for a destination can be
retained in the topology table although it is not mandatory.

349
EIGRP Data Structure
Like OSPF, EIGRP relies on different types of packets to maintain its various tables
and establish complex relationships with neighbor routers. The five EIGRP packet
types are:
• Hello
• Acknowledgment
• Update
• Query
• Reply
EIGRP relies on hello packets to discover, verify, and rediscover neighbor routers.
Rediscovery occurs if EIGRP routers do not receive hellos from each other for a
hold time interval but then re-establish communication.
EIGRP routers send hellos at a fixed but configurable interval, called the hello
interval. The default hello interval depends on the bandwidth of the interface.
On IP networks, EIGRP routers send hellos to the multicast IP address 224.0.0.10.

350
Default Hello Intervals
and Hold Times for EIGRP

351
EIGRP Algorithm
The sophisticated DUAL algorithm results in the exceptionally fast
convergence of EIGRP.
Each router constructs a topology table that contains information about how
to route to a destination network.
Each topology table identifies the following:
• The routing protocol or EIGRP
• The lowest cost of the route, which is called Feasible Distance
• The cost of the route as advertised by the neighboring router,
which is called Reported Distance
The Topology heading identifies the preferred primary route, called the
successor route (Successor), and, where identified, the backup route,
called the feasible successor (FS). Note that it is not necessary to have an
identified feasible successor.
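An added example, not from the slide deck, of how DUAL fills one topology-table entry from the Feasible Distance and Reported Distance the slide defines, selecting the successor and any feasible successor (the feasibility condition RD < FD is the standard DUAL rule, not stated on the slide), and what happens when the successor is lost. The neighbour names and distances are constructed.

```python
"""Added example, not from the Cisco slide deck: how DUAL fills an EIGRP
topology table entry. For each neighbour the feasible distance (FD) is the
neighbour's reported distance (RD) plus the cost of the link to it; the
lowest FD is the successor, and any other neighbour whose RD is below that
FD passes the feasibility condition and is kept as a feasible successor."""

def dual_select(entries, max_successors=4):
    """entries: [(neighbour, reported_distance, link_cost_to_neighbour), ...]
    Returns (best_fd, successors, feasible_successors)."""
    rows = [(nbr, rd, rd + cost) for nbr, rd, cost in entries]
    if not rows:
        return None, [], []
    best_fd = min(fd for _, _, fd in rows)
    # Equal-cost paths are all successors (IOS installs up to four by default).
    successors = [nbr for nbr, _, fd in rows if fd == best_fd][:max_successors]
    # Feasibility condition: RD < FD guarantees the neighbour's path does not
    # pass back through this router, so it is loop-free without a recalculation.
    feasible = [nbr for nbr, rd, fd in rows if fd > best_fd and rd < best_fd]
    return best_fd, successors, feasible

def successor_lost(entries, lost):
    """Recompute after neighbour `lost` disappears. Returns the new selection and
    whether the switch was local (a feasible successor or another successor was
    available) or DUAL had to go active and query neighbours (Query/Reply packets)."""
    _, successors, feasible = dual_select(entries)
    local = lost not in successors or bool(feasible) or len(successors) > 1
    return dual_select([e for e in entries if e[0] != lost]), local
```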

352
FS Route Selection Rules

353
DUAL Example

354
Configuring EIGRP

355
Configuring EIGRP Summarization
EIGRP automatically summarizes routes at the classful boundary.
This is the boundary where the network address ends, as defined by class-
based addressing.
This means that even though RTC is connected only to the subnet 2.1.1.0,
it will advertise that it is connected to the entire Class A network, 2.0.0.0.
In most cases auto summarization is beneficial because it keeps routing
tables as compact as possible.

356
Configuring EIGRP no-summary
However, automatic summarization may not be the preferred option in
certain instances. To turn off auto-summarization, use the following
command: router(config-router)#no auto-summary

357
Configuring EIGRP
Summary Addresses Manually
With EIGRP, a summary address can be manually configured by configuring a prefix
network. Manual summary routes are configured on a per-interface basis.
router(config-if)#ip summary-address eigrp autonomous-system-number ip-address mask administrative-distance
EIGRP summary routes have an administrative distance of 5 by default.
In the graphic below, RTC can be configured using the commands shown:
RTC(config)#router eigrp 2446
RTC(config-router)#no auto-summary
RTC(config-router)#exit
RTC(config)#interface serial 0/0
RTC(config-if)#ip summary-address eigrp 2446 2.1.0.0 255.255.0.0

358
Verifying the EIGRP Configuration
To verify the EIGRP configuration a number of show
and debug commands are available.
These commands are shown on the next few slides.

359
show ip eigrp neighbors
show ip eigrp interfaces

360
show ip eigrp topology
show ip eigrp topology
[active | pending | successors]

361
show ip eigrp topology
all-links
show ip eigrp traffic

362
Administrative Distances

363
Classful and Classless
Routing Protocols

364

365
What are ACLs?
ACLs are lists of conditions that are applied to traffic traveling
across a router's interface. These lists tell the router what types
of packets to accept or deny. Acceptance and denial can be
based on specified conditions.
ACLs can be created for all routed network protocols, such as
Internet Protocol (IP) and Internetwork Packet Exchange (IPX).
ACLs can be configured at the router to control access to a
network or subnet.
Some ACL decision points are source and destination addresses,
protocols, and upper-layer port numbers.
ACLs must be defined on a per-protocol, per direction, or per port
basis.

366
Reasons to Create ACLs
The following are some of the primary reasons to create ACLs:
• Limit network traffic and increase network performance.
• Provide traffic flow control.
• Provide a basic level of security for network access.
• Decide which types of traffic are forwarded or blocked at
the router interfaces. For example: Permit e-mail traffic to
be routed, but block all telnet traffic.
Allow an administrator to control what areas a client can access
on a network.
If ACLs are not configured on the router, all packets passing
through the router will be allowed onto all parts of the network.

367
ACLs Filter Traffic Graphic

368
How ACLs Filter Traffic

369
One List per Port, per
Destination, per Protocol...

370
How ACLs work.

371
Creating ACLs
ACLs are created in the global configuration mode. There are many
different types of ACLs including standard, extended, IPX, AppleTalk,
and others. When configuring ACLs on a router, each ACL must be
uniquely identified by assigning a number to it. This number
identifies the type of access list created and must fall within the
specific range of numbers that is valid for that type of list.
Since IP is by far the most popular routed protocol, additional ACL
numbers have been added to newer router IOSs:
Standard IP: 1300-1999
Extended IP: 2000-2699

372
The access-list command

373
The ip access-group command {in | out}

374
ACL Example

375
Basic Rules for ACLs
These basic rules should be followed when creating and applying access lists:
• One access list per protocol per direction.
• Standard IP access lists should be applied closest to the destination.
• Extended IP access lists should be applied closest to the source.
• Use the inbound or outbound interface reference as if looking at the port
from inside the router.
• Statements are processed sequentially from the top of list to the bottom
until a match is found, if no match is found then the packet is denied.
• There is an implicit deny at the end of all access lists. This will not appear
in the configuration listing.
• Access list entries should filter in the order from specific to general.
Specific hosts should be denied first, and groups or general filters should
come last.
• Never work with an access list that is actively applied.
• New lines are always added to the end of the access list.
• A no access-list x command will remove the whole list. It is not possible
to selectively add and remove lines with numbered ACLs.
• Outbound filters do not affect traffic originating from the local router.

376
Wildcard Mask Examples
5 Examples follow that demonstrate how a wildcard mask can be
used to permit or deny certain IP addresses, or IP address ranges.
While subnet masks start with binary 1s and end with binary 0s,
wildcard masks are the reverse meaning they typically start with
binary 0s and end with binary 1s.
In the examples that follow Cisco has chosen to represent the binary
1s in the wildcard masks with Xs to focus on the specific bits being
shown in each example.
You will see that while subnet masks were ANDed with IP addresses,
wildcard masks are ORed with IP addresses.

377
Wildcard Mask Example #1

378
Wildcard Mask Example #2

379
Wildcard Mask Example #3

380
Wildcard Mask Example #4 -Even IPs

381
Wildcard Mask Example #5 -Odd IP#s

382
The any and host Keywords

383
Verifying ACLs
There are many show commands that will verify the content
and placement of ACLs on the router.
The show ip interface command displays IP interface
information and indicates whether any ACLs are set.
The show access-lists command displays the contents of all
ACLs on the router.
show access-list 1 shows just access-list 1.
The show running-config command will also reveal the
access lists on a router and the interface assignment
information.

384
Standard ACLs
Standard ACLs check the source address of IP packets that are routed.
The comparison will result in either permit or deny access for an entire protocol
suite, based on the network, subnet, and host addresses.
The standard version of the access-list global configuration command is used to
define a standard ACL with a number in the range of 1 to 99 (also from 1300 to
1999 in recent IOS).
If there is no wildcard mask, the default mask is used, which is 0.0.0.0.
(This only works with Standard ACLs and is the same thing as using host.)
The full syntax of the standard ACL command is:
Router(config)#access-list access-list-number
{deny | permit} source [source-wildcard] [log]
The no form of this command is used to remove a standard ACL. This is the syntax:
Router(config)#no access-list access-list-number

385
Extended ACLs
Extended ACLs are used more often than standard ACLs because they provide a
greater range of control. Extended ACLs check the source and destination packet
addresses as well as being able to check for protocols and port numbers.
The syntax for the extended ACL statement can get very long and often will wrap in
the terminal window.
The source and destination may also be written with the host or any keywords
instead of an address and wildcard pair.
At the end of the extended ACL statement, additional precision is gained from a field
that specifies the optional Transmission Control Protocol (TCP) or User Datagram
Protocol (UDP) port number.
Port operators may be specified, such as equal (eq), not equal (neq), greater
than (gt), less than (lt) and range, which the extended ACL applies to the port
number of the specified protocol.
Extended ACLs use an access-list-number in the range 100 to 199 (also from 2000
to 2699 in recent IOS).

386
Extended ACL Syntax

387
Well Known Port Numbers
Don't forget that WWW or HTTP is 80 and POP3 is 110.

388
Extended ACL Example
This extended ACL will allow hosts in network 200.100.50.0
to browse the web, but will not allow any other protocol such as
email, ftp, etc.
access-list 101 permit tcp 200.100.50.0 0.0.0.255 any eq 80
or
access-list 101 permit tcp 200.100.50.0 0.0.0.255 any eq www
or
access-list 101 permit tcp 200.100.50.0 0.0.0.255 any eq http
NOTE: Just like all Standard ACLs end with an implicit "deny
any", all Extended ACLs end with an implicit "deny ip any any",
which means deny everything from anywhere to anywhere.
In practice this single line is not enough for web browsing: the
implicit deny also blocks the DNS lookups (UDP port 53) that precede
every web request and HTTPS (TCP port 443), so those need their own
permit statements.

389
ip access-group
The ip access-group command links an existing standard or
extended ACL to an interface.
Remember that only one ACL per interface, per direction, per
protocol is allowed.
The format of the command is:
Router(config-if)# ip access-group access-list-number {in | out}

390
Named ACLs
IP named ACLs were introduced in Cisco IOS Software Release 11.2,
allowing standard and extended ACLs to be given names instead of
numbers.
The advantages that a named access list provides are:
• Intuitively identify an ACL using an alphanumeric name.
• Eliminate the limit of 798 simple and 799 extended ACLs
• Named ACLs provide the ability to modify ACLs without deleting
them completely and then reconfiguring them.
Named ACLs are not compatible with Cisco IOS releases prior to Release
11.2.
The same name may not be used for multiple ACLs.

391
Named ACL Example

392
Placing ACLs
The general rule is to put extended ACLs as close as possible to the
source of the traffic being denied, so unwanted traffic is dropped before it
crosses the network. Standard ACLs match only the source address, not the
destination, so one placed near the source would cut that source off from
every destination; they should therefore be placed as close to the
destination as possible. For example, in the graphic a standard ACL should
be placed on Fa0/0 of Router D to prevent traffic from Router A.

393

394
Permitting a Single Host
Router(config)# access-list 1 permit 200.100.50.23 0.0.0.0
or
Router(config)# access-list 1 permit host 200.100.50.23
or
Router(config)# access-list 1 permit 200.100.50.23
(The implicit “deny any” ensures that everyone else is denied.)
Router(config)# int e0
Router(config-if)# ip access-group 1 in
or
Router(config-if)# ip access-group 1 out

395
Denying a Single Host
Router(config)# access-list 1 deny 200.100.50.23 0.0.0.0
Router(config)# access-list 1 permit 0.0.0.0 255.255.255.255
or
Router(config)# access-list 1 deny host 200.100.50.23
Router(config)# access-list 1 permit any
(The implicit “deny any” is still present, but totally irrelevant.)
Router(config)# int e0
Router(config-if)# ip access-group 1 in
or
Router(config-if)# ip access-group 1 out

396
Permitting a Single Network
Class C
Router(config)# access-list 1 permit 200.100.50.0 0.0.0.255
or
Class B
Router(config)# access-list 1 permit 150.75.0.0 0.0.255.255
or
Class A
Router(config)# access-list 1 permit 13.0.0.0 0.255.255.255
(The implicit “deny any” ensures that everyone else is denied.)
Router(config)# int e0
Router(config-if)# ip access-group 1 in
or
Router(config-if)# ip access-group 1 out

397
Denying a Single Network
Class C
Router(config)# access-list 1 deny 200.100.50.0 0.0.0.255
Router(config)# access-list 1 permit any
or
Class B
Router(config)# access-list 1 deny 150.75.0.0 0.0.255.255
Router(config)# access-list 1 permit any
or
Class A
Router(config)# access-list 1 deny 13.0.0.0 0.255.255.255
Router(config)# access-list 1 permit any
(The implicit “deny any” is still present, but totally irrelevant.)

398
Permitting a Class C Subnet
Network Address/Subnet Mask: 200.100.50.0/28
Desired Subnet: 3rd
Process:
32-28=4 2^4 = 16
1st Usable Subnet address range is 200.100.50.16-31
2nd Usable Subnet address range is 200.100.50.32-47
3rd Usable Subnet address range is 200.100.50.48-63
Subnet Mask is 255.255.255.240 Inverse Mask is 0.0.0.15
or subtract 200.100.50.48 from 200.100.50.63 to get 0.0.0.15
Router(config)# access-list 1 permit 200.100.50.48 0.0.0.15
(The implicit “deny any” ensures that everyone else is denied.)

399
Denying a Class C Subnet
Network Address/Subnet Mask: 192.68.72.0/27
Undesired Subnet: 2nd
Process:
32-27=5 2^5=32
1st Usable Subnet address range is 192.68.72.32-63
2nd Usable Subnet address range is 192.68.72.64-95
Subnet Mask is 255.255.255.224 Inverse Mask is 0.0.0.31
or subtract 192.68.72.64 from 192.68.72.95 to get 0.0.0.31
Router(config)# access-list 1 deny 192.68.72.64 0.0.0.31
Router(config)# access-list 1 permit any
(The implicit “deny any” is still present, but totally irrelevant.)

400
Permitting a Class B Subnet
Network Address/Subnet Mask: 150.75.0.0/24
Desired Subnet: 129th
Process:
Since exactly 8 bits are borrowed the 3rd octet will denote the
subnet number.
129th Usable Subnet address range is 150.75.129.0-255
Subnet Mask is 255.255.255.0 Inverse Mask is 0.0.0.255
or subtract 150.75.129.0 from 150.75.129.255 to get 0.0.0.255
Router(config)# access-list 1 permit 150.75.129.0 0.0.0.255
(The implicit “deny any” ensures that everyone else is denied.)

401
Denying a Class B Subnet
Network Address/Subnet Mask: 160.88.0.0/22
Undesired Subnet: 50th
Process:
32-22=10 (more than 1 octet) 10-8=2 2^2=4
1st Usable Subnet address range is 160.88.4.0-160.88.7.255
2nd Usable Subnet address range is 160.88.8.0-160.88.11.255
50 * 4 = 200 50th subnet is 160.88.200.0-160.88.203.255
Subnet Mask is 255.255.252.0 Inverse Mask is 0.0.3.255
or subtract 160.88.200.0 from 160.88.203.255 to get 0.0.3.255
Router(config)# access-list 1 deny 160.88.200.0 0.0.3.255
Router(config)# access-list 1 permit any

402
Permitting a Class A Subnet
Network Address/Subnet Mask: 111.0.0.0/12
Desired Subnet: 13th
Process:
32-12=20 20-16=4 2^4=16
1st Usable Subnet address range is 111.16.0.0-111.31.255.255
13*16=208
13th Usable Subnet address range is 111.208.0.0-111.223.255.255
Subnet Mask is 255.240.0.0 Inverse Mask is 0.15.255.255
or subtract 111.208.0.0 from 111.223.255.255 to get 0.15.255.255
Router(config)# access-list 1 permit 111.208.0.0 0.15.255.255
(The implicit “deny any” ensures that everyone else is denied.)

403
Denying a Class A Subnet
Network Address/Subnet Mask: 40.0.0.0/24
Undesired Subnet: 500th
Process:
Since exactly 16 bits were borrowed the 2nd and 3rd octet will
denote the subnet.
1st Usable Subnet address range is 40.0.1.0-40.0.1.255
255th Usable Subnet address range is 40.0.255.0-40.0.255.255
256th Usable Subnet address range is 40.1.0.0-40.1.0.255
300th Usable Subnet address range is 40.1.44.0-40.1.44.255
500th Usable Subnet address range is 40.1.244.0-40.1.244.255
Router(config)# access-list 1 deny 40.1.244.0 0.0.0.255
Router(config)# access-list 1 permit any
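The subnet arithmetic on the preceding slides, as an added Python example (not from the original slides): one function computes the n-th subnet and its wildcard mask following the slides' numbering (the base network itself is subnet zero and is not counted, so the n-th subnet starts n blocks above it), and a second renders the access-list line. Passing the classful base network with its prefix, and the function names, are my own conventions.

```python
# Added example (not part of the original slides): subnet and wildcard
# arithmetic from the preceding slides, as a function.
import ipaddress


def nth_subnet(base_network: str, new_prefix: int, n: int) -> tuple:
    """Return (subnet address, wildcard mask) of the n-th subnet of base_network.

    Follows the slides' counting: the block size is 2**(32 - new_prefix)
    addresses and the n-th subnet starts n blocks above the base network,
    so the base network itself (subnet zero) is not counted. The wildcard
    mask is the inverse of the subnet mask: block size - 1, i.e. the
    difference between the subnet's last and first address.
    """
    base = ipaddress.IPv4Network(base_network)
    if new_prefix < base.prefixlen:
        raise ValueError("new prefix must be at least as long as the base prefix")
    block = 2 ** (32 - new_prefix)
    start = int(base.network_address) + n * block
    if start + block - 1 > int(base.broadcast_address):
        raise ValueError(f"subnet {n} lies outside {base}")
    return str(ipaddress.IPv4Address(start)), str(ipaddress.IPv4Address(block - 1))


def acl_line(action: str, base_network: str, new_prefix: int, n: int, number: int = 1) -> str:
    """Render the standard-ACL statement that matches exactly the n-th subnet."""
    subnet, wildcard = nth_subnet(base_network, new_prefix, n)
    return f"access-list {number} {action} {subnet} {wildcard}"


if __name__ == "__main__":
    # The slides' cases: classful base network, new prefix, subnet number.
    for base, prefix, n in [("200.100.50.0/24", 28, 3), ("192.68.72.0/24", 27, 2),
                            ("150.75.0.0/16", 24, 129), ("160.88.0.0/16", 22, 50),
                            ("111.0.0.0/8", 12, 13), ("40.0.0.0/8", 24, 500)]:
        print(acl_line("permit", base, prefix, n))
```

The bounds check matters: asking for the 16th /28 of a /24 would run past the end of the base network, and a wildcard built from such an address would silently match hosts in the neighbouring network.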

404

405
Permit 200.100.50.24-100 Plan A
access-list 1 permit host 200.100.50.24
access-list 1 permit host 200.100.50.25
access-list 1 permit host 200.100.50.26
access-list 1 permit host 200.100.50.27
access-list 1 permit host 200.100.50.28
: : : : : : : :
access-list 1 permit host 200.100.50.96
access-list 1 permit host 200.100.50.97
access-list 1 permit host 200.100.50.98
access-list 1 permit host 200.100.50.99
access-list 1 permit host 200.100.50.100
This would get very tedious!

406
Permit 200.100.50.24-100 Plan B
access-list 1 permit 200.100.50.24 0.0.0.7 (24-31)
access-list 1 permit 200.100.50.32 0.0.0.31 (32-63)
access-list 1 permit 200.100.50.64 0.0.0.31 (64-95)
access-list 1 permit 200.100.50.96 0.0.0.3 (96-99)
access-list 1 permit host 200.100.50.100 (100)
(The implicit “deny any” ensures that everyone else is denied.)

407
Permit 200.100.50.16-127 Plan A
access-list 1 permit 200.100.50.16 0.0.0.15 (16-31)
access-list 1 permit 200.100.50.32 0.0.0.31 (32-63)
access-list 1 permit 200.100.50.64 0.0.0.63 (64-127)
(The implicit “deny any” ensures that everyone else is denied.)

408
Permit 200.100.50.16-127 Plan B
access-list 1 deny 200.100.50.0 0.0.0.15 (0-15)
access-list 1 permit 200.100.50.0 0.0.0.127 (0-127)
First we make sure that addresses 0-15 are denied.
Then we can permit any address in the range 0-127.
Since only the first matching statement in an ACL is applied an
address in the range of 0-15 will be denied by the first statement
before it has a chance to be permitted by the second.
(The implicit “deny any” ensures that everyone else is denied.)
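The first-match rule that makes Plan B work (and the "specific before general" guideline earlier in this section), as an added Python example that is not from the original slides: a parser for the standard-ACL lines used on these slides and an evaluator that walks the list top-down, returning the first matching action or the implicit deny. The reversed list shows what happens when the broad permit is placed first. Function names are mine.

```python
# Added example (not part of the original slides): a standard-ACL
# evaluator that applies the first-match rule and the implicit deny.
import ipaddress


def wildcard_match(packet_addr: str, entry_addr: str, wildcard: str) -> bool:
    """True if packet_addr equals entry_addr in every bit where wildcard is 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    diff = int(ipaddress.IPv4Address(packet_addr)) ^ int(ipaddress.IPv4Address(entry_addr))
    return diff & care == 0


def parse_standard_acl(text: str) -> list:
    """Parse 'access-list N {permit|deny} source' lines into (action, addr, wildcard).

    Accepts the three source forms used on the slides: 'host A', 'any',
    and 'A W'; a bare address defaults to wildcard 0.0.0.0 (same as host).
    """
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:1] != ["access-list"]:
            raise ValueError(f"not an access-list line: {line!r}")
        action, src = parts[2], parts[3:]
        if src == ["any"]:
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            addr, wc = src[1], "0.0.0.0"
        elif len(src) == 1:
            addr, wc = src[0], "0.0.0.0"
        else:
            addr, wc = src[0], src[1]
        entries.append((action, addr, wc))
    return entries


def evaluate(entries: list, source_ip: str) -> str:
    """Walk the list top-down; the first matching statement decides.

    A packet that matches nothing falls through to the implicit 'deny any'.
    """
    for action, addr, wc in entries:
        if wildcard_match(source_ip, addr, wc):
            return action
    return "deny"


# Plan B from the slide: a narrow deny placed ahead of a broad permit.
PLAN_B = """
access-list 1 deny 200.100.50.0 0.0.0.15
access-list 1 permit 200.100.50.0 0.0.0.127
"""

# The same two statements in the wrong order: the permit now matches
# .0-.15 first, so the deny below it is never reached.
PLAN_B_REVERSED = """
access-list 1 permit 200.100.50.0 0.0.0.127
access-list 1 deny 200.100.50.0 0.0.0.15
"""


def permitted_last_octets(acl_text: str, network: str = "200.100.50.0/24") -> list:
    """Last octet of every host in `network` that the ACL permits."""
    entries = parse_standard_acl(acl_text)
    return [int(str(h).rsplit(".", 1)[1])
            for h in ipaddress.IPv4Network(network).hosts()
            if evaluate(entries, str(h)) == "permit"]


if __name__ == "__main__":
    print("Plan B permits  :", permitted_last_octets(PLAN_B))           # 16..127
    print("Reversed permits:", permitted_last_octets(PLAN_B_REVERSED))  # 1..127
```

The reversed list is exactly the mistake the "specific to general" guideline guards against: the deny is still in the configuration, it just never sees a packet.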

409
Permit 200.100.50.1,5,13,29,42,77
access-list 1 permit host 200.100.50.1
access-list 1 permit host 200.100.50.5
access-list 1 permit host 200.100.50.13
access-list 1 permit host 200.100.50.29
access-list 1 permit host 200.100.50.42
access-list 1 permit host 200.100.50.77
Sometimes a group of addresses has no pattern and the best
way to deal with them is individually.
(The implicit “deny any” ensures that everyone else is denied.)

410

411
Permit Source Network
access-list 101 permit ip 200.100.50.0 0.0.0.255 0.0.0.0 255.255.255.255
or
access-list 101 permit ip 200.100.50.0 0.0.0.255 any
Implicit deny ip any any

412
Deny Source Network
access-list 101 deny ip 200.100.50.0 0.0.0.255 0.0.0.0 255.255.255.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
or
access-list 101 deny ip 200.100.50.0 0.0.0.255 any
access-list 101 permit ip any any
Implicit deny ip any any is present but irrelevant.

413
Permit Destination Network
access-list 101 permit ip 0.0.0.0 255.255.255.255 200.100.50.0 0.0.0.255
or
access-list 101 permit ip any 200.100.50.0 0.0.0.255
Implicit deny ip any any

414
Deny Destination Network
access-list 101 deny ip 0.0.0.0 255.255.255.255 200.100.50.0 0.0.0.255
access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
or
access-list 101 deny ip any 200.100.50.0 0.0.0.255
access-list 101 permit ip any any
Implicit deny ip any any is present but irrelevant.

415
Permit one Source Network to
another Destination Network
Assume the only traffic you want is traffic from network
200.100.50.0 to network 150.75.0.0
access-list 101 permit ip 200.100.50.0 0.0.0.255 150.75.0.0 0.0.255.255
Implicit deny ip any any
To allow 2 way traffic between the networks add this statement:
access-list 101 permit ip 150.75.0.0 0.0.255.255 200.100.50.0 0.0.0.255

416
Deny one Source Network to
another Destination Network
Assume you want to allow all traffic EXCEPT from network
200.100.50.0 to network 150.75.0.0
access-list 101 deny ip 200.100.50.0 0.0.0.255 150.75.0.0 0.0.255.255
access-list 101 permit ip any any
To deny 2 way traffic between the networks add this statement:
access-list 101 deny ip 150.75.0.0 0.0.255.255 200.100.50.0 0.0.0.255

417
Deny FTP
Assume you do not want anyone FTPing on the network.
access-list 101 deny tcp any any eq 21
access-list 101 permit ip any any
or
access-list 101 deny tcp any any eq ftp
access-list 101 permit ip any any

418
Deny Telnet
Assume you do not want anyone telnetting on the network.
access-list 101 deny tcp any any eq 23
access-list 101 permit ip any any
or
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any

419
Deny Web Surfing
Assume you do not want anyone surfing the internet.
access-list 101 deny tcp any any eq 80
access-list 101 permit ip any any
or
access-list 101 deny tcp any any eq www
access-list 101 permit ip any any
You can also use httpinstead of www.

420
Complicated Example #1
Suppose you have the following conditions:
• No one from Network 200.100.50.0 is allowed to FTP anywhere
• Only hosts from network 150.75.0.0 may telnet to network 50.0.0.0
• Subnetwork 100.100.100.0/24 is not allowed to surf the internet
access-list 101 deny tcp 200.100.50.0 0.0.0.255 any eq 21
access-list 101 permit tcp 150.75.0.0 0.0.255.255 50.0.0.0 0.255.255.255 eq 23
access-list 101 deny tcp any any eq 23
access-list 101 deny tcp 100.100.100.0 0.0.0.255 any eq 80
access-list 101 permit ip any any
Note the order of the two telnet lines: the specific permit must come before
the general deny, or no telnet would ever be allowed. Note also that
deny tcp any any eq 23 blocks telnet to every destination, not only to
network 50.0.0.0; if telnet to other networks should stay open, use
deny tcp any 50.0.0.0 0.255.255.255 eq 23 instead.

421
Complicated Example #2
Suppose you are the admin of network 200.100.50.0. You want to permit
email only between your network and network 150.75.0.0. You wish to place
no restriction on other protocols like web surfing, ftp, telnet, etc.
• Email server send/receive protocol: SMTP, port 25
• User check email protocol: POP3, port 110
This example assumes that your email server is at address 200.100.50.25.
access-list 101 permit tcp 200.100.50.0 0.0.0.255 150.75.0.0 0.0.255.255 eq 25
access-list 101 permit tcp 150.75.0.0 0.0.255.255 200.100.50.0 0.0.0.255 eq 25
access-list 101 permit tcp 200.100.50.0 0.0.0.255 200.100.50.0 0.0.0.255 eq 110
access-list 101 deny tcp any any eq smtp
access-list 101 deny tcp any any eq pop3
access-list 101 permit ip any any
As written, the list allows SMTP and POP3 to any host in 200.100.50.0, not
just the mail server; replacing the destination 200.100.50.0 0.0.0.255 with
host 200.100.50.25 in the second and third lines restricts it to the server
itself. Reply traffic (source port 25 or 110, destination an ephemeral port)
is not matched by the deny lines and is let through by the final permit ip
any any, which is why this stateless list still works for established sessions.
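An extended-ACL evaluator that checks Complicated Example #1 and Complicated Example #2 against constructed packets, added here as a Python example (not from the original slides and not Cisco's code). It parses the protocol, the two address/wildcard pairs (or host/any) and the optional eq/neq/gt/lt port test, applies the first-match rule and the implicit deny ip any any, and rejects a line whose port name is missing its operator. The sample packets and function names are constructed for this example.

```python
# Added example (not part of the original slides): an extended-ACL
# evaluator used to check the two "complicated" examples above.
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "http": 80, "pop3": 110}
OPERATORS = {"eq": lambda p, v: p == v, "neq": lambda p, v: p != v,
             "gt": lambda p, v: p > v, "lt": lambda p, v: p < v}


@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, entry: str, wildcard: str) -> bool:
    """Standard wildcard test: bits under a 0 in the mask must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(entry))) & care == 0


def _addr_spec(t, i):
    """Consume 'any' | 'host A' | 'A W' at t[i]; return ((addr, wildcard), next_i)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def _port_spec(t, i):
    """Consume an optional 'op port' at t[i]; return ((op, port) or None, next_i)."""
    if i < len(t) and t[i] in OPERATORS:
        raw = t[i + 1]
        return (t[i], int(raw) if raw.isdigit() else PORT_NAMES[raw]), i + 2
    return None, i


def parse_extended_acl(text: str) -> list:
    """Parse 'access-list N action proto src [op port] dst [op port]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            raise ValueError(f"not an access-list line: {line!r}")
        action, proto = t[2], t[3]
        src, i = _addr_spec(t, 4)
        sport, i = _port_spec(t, i)
        dst, i = _addr_spec(t, i)
        dport, i = _port_spec(t, i)
        if i != len(t):  # e.g. a port name with no eq/neq/gt/lt in front of it
            raise ValueError(f"unparsed tokens in: {line!r}")
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def _port_ok(spec, port):
    return spec is None or OPERATORS[spec[0]](port, spec[1])


def evaluate(entries: list, pkt: Packet) -> str:
    """First matching statement wins; no match is the implicit deny ip any any."""
    for action, proto, src, sport, dst, dport in entries:
        if proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, *src) and wildcard_match(pkt.dst, *dst)):
            continue
        if not (_port_ok(sport, pkt.sport) and _port_ok(dport, pkt.dport)):
            continue
        return action
    return "deny"


EXAMPLE_1 = """
access-list 101 deny tcp 200.100.50.0 0.0.0.255 any eq 21
access-list 101 permit tcp 150.75.0.0 0.0.255.255 50.0.0.0 0.255.255.255 eq 23
access-list 101 deny tcp any any eq 23
access-list 101 deny tcp 100.100.100.0 0.0.0.255 any eq 80
access-list 101 permit ip any any
"""

EXAMPLE_2 = """
access-list 101 permit tcp 200.100.50.0 0.0.0.255 150.75.0.0 0.0.255.255 eq 25
access-list 101 permit tcp 150.75.0.0 0.0.255.255 200.100.50.0 0.0.0.255 eq 25
access-list 101 permit tcp 200.100.50.0 0.0.0.255 200.100.50.0 0.0.0.255 eq 110
access-list 101 deny tcp any any eq smtp
access-list 101 deny tcp any any eq pop3
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    acl1 = parse_extended_acl(EXAMPLE_1)
    print(evaluate(acl1, Packet("tcp", "200.100.50.7", "8.8.8.8", 40000, 21)))  # deny (FTP)
    print(evaluate(acl1, Packet("tcp", "150.75.1.1", "60.1.1.1", 40000, 23)))   # deny (telnet elsewhere)
```

Running the packets through shows the two points made above: telnet from 150.75.0.0 to a network other than 50.0.0.0 is denied by the general deny tcp any any eq 23, and in example #2 a reply from the remote mail server (source port 25, ephemeral destination port) passes only because of the final permit ip any any.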

422
NAT
Network Address Translator
Fig. 3 NAT (TI1332EU02TI_0003 New Address Concepts, 7)

423
New addressing concepts
Problems with IPv4
Shortage of IPv4 addresses
At the time the source material was written, allocation of the last IPv4 addresses was forecast for the year 2005
Address classes were replaced by usage of CIDR, but this is not sufficient
Short term solution
NAT: Network Address Translator
Long term solution
IPv6 = IPng (IP next generation)
Provides an extended address range
Fig. 2 Address shortage and possible solutions (TI1332EU02TI_0003 New Address Concepts, 5)

424
NAT: Network Address Translator
NAT
Translates between local addresses and public ones
Many private hosts share few global addresses
Public Network
Uses public addresses
Public addresses are
globally unique
Private Network
Uses private address range
(local addresses)
Local addresses may not
be used externally
Fig. 4 How does NAT work? (TI1332EU02TI_0003 New Address Concepts, 9)

425
NAT
[Figure: translation mechanism. In the realm with private addresses some
addresses are marked "to be translated" and others "exclude"; the NAT router
maps each translated address onto one reserved in a pool within the realm
with public addresses.]
Fig. 5 Translation mechanism (TI1332EU02TI_0003 New Address Concepts, 9)

426
NAT Pool
A timeout value (default 15 min) instructs NAT
how long to keep an association in an idle state before
returning the external IP address to the free NAT pool.
Fig. 8 How does NAT know when to return the public IP address to the pool? (TI1332EU02TI_0003 New Address Concepts, 15)

427
NAT Addressing Terms
•Inside Local (the private address)
–The term “inside” refers to an address used for a host
inside an enterprise. It is the actual IP address
assigned to a host in the private enterprise network.
•Inside Global (the public address)
–NAT uses an inside global address to represent the
inside host as the packet is sent through the outside
network, typically the Internet.
–A NAT router changes the source IP address of a
packet sent by an inside host from an inside local
address to an inside global address as the packet goes
from the inside to the outside network.

428
NAT Addressing Terms
•Outside Global
–The term “outside” refers to an address used for a
host outside an enterprise, the Internet.
–An outside global is the actual IP address assigned to
a host that resides in the outside network, typically
the Internet.
•Outside Local
–NAT uses an outside local address to represent the
outside host as the packet is sent through the private
enterprise network.
–A NAT router changes a packet’s destination IP
address, sent from an outside global address to an
inside host, as the packet goes from the outside to the
inside network.

429
[Figure: NAT example. Host 10.47.10.10 in Net A (LAN 10.0.0.0) sends to host
192.50.20.5 in Net B (LAN 192.50.20.0) across the WAN. Router A, which runs
NAT, rewrites the source address on the way out: SA = 10.47.10.10,
DA = 192.50.20.5 leaves Router A as SA = 193.50.30.4, DA = 192.50.20.5, so
Router B only ever sees the public address.]
Fig. 7 An example for NAT (TI1332EU02TI_0003 New Address Concepts, 13)

430
[Figure: NAT with WAN interface 138.76.28.4. Outbound, SA = 10.0.0.10,
DA = 138.76.29.7 from Net A (10.0.0.0/8) becomes SA = 138.76.28.4,
DA = 138.76.29.7 on the WAN. The reply SA = 138.76.29.7, DA = 138.76.28.4
is translated back to SA = 138.76.29.7, DA = 10.0.0.10.]
Fig. 11 An example for NAPT (TI1332EU02TI_0003 New Address Concepts, 21)

431
Types Of NAT
•There are different types of NAT that can
be used, which are
–Static NAT
–Dynamic NAT
–Overloading NAT with PAT (NAPT)

432
Static NAT
•With static NAT, the NAT router simply
configures a one-to-one mapping between
the private address and the registered
address that is used on its behalf.

433
Static NAT

434
Dynamic NAT
•Like static NAT, the NAT router creates a
one-to-one mapping between an inside
local and inside global address and
changes the IP addresses in packets as
they exit and enter the inside network.
•However, the mapping of an inside local
address to an inside global address
happens dynamically.

435
Dynamic NAT
•Dynamic NAT sets up a pool of possible
inside global addresses and defines
criteria for the set of inside local IP
addresses whose traffic should be
translated with NAT.
•The dynamic entry in the NAT table stays
in there as long as traffic flows
occasionally.

436
PAT
Port Address Translator
Fig. 9 NAPT (TI1332EU02TI_0003 New Address Concepts, 17)

437
[Figure: NAPT with WAN interface 138.76.28.4. Outbound, SA = 10.0.0.10,
sport = 3017, DA = 138.76.29.7, dport = 23 becomes SA = 138.76.28.4,
sport = 1024, DA = 138.76.29.7, dport = 23. The reply SA = 138.76.29.7,
sport = 23, DA = 138.76.28.4, dport = 1024 is translated back to
SA = 138.76.29.7, sport = 23, DA = 10.0.0.10, dport = 3017. The assigned
port number is what lets the router tell this inside host apart from the
others sharing 138.76.28.4.]
Fig. 11 An example for NAPT (TI1332EU02TI_0003 New Address Concepts, 21)

438
[Figure: PAT with e.g. a single public IP address. Each host in the private
IP network (e.g. a SOHO) has a local IP address and a local TCP/UDP (TU)
port; the router maps that pair to its single registered IP address plus a
port assigned from a pool of TU port numbers, and the WAN sees only the
public address.]
Fig. 10 NAPT (TI1332EU02TI_0003 New Address Concepts, 19)

439
NAT&PAT
Network Address Translation &
Port Address Translation
Fig. 3 NAT (TI1332EU02TI_0003 New Address Concepts, 7)

450
Static NAT Configuration
•Create the NAT table entry (one inside local address maps permanently to
one inside global address):
Router(config)# ip nat inside source static inside-local-address inside-global-address
•Mark the interfaces NAT translates between. The LAN side is the inside
interface and the WAN side is the outside interface; translation only
happens for packets crossing from one to the other, so both must be marked.
Router(config)# interface Serial x/y
Router(config-if)# ip nat {inside | outside}
•See Example

452
Dynamic NAT
•Dynamic NAT sets up a pool of possible inside
global addresses and defines criteria for the
set of inside local IP addresses whose traffic
should be translated with NAT.
•The dynamic entry in the NAT table stays in
there as long as traffic flows occasionally.
•If a new packet arrives, and it needs a NAT
entry, but all the pooled IP addresses are in
use, the router simply discards the packet.

453
Dynamic NAT Configuration
•Specify the inside addresses to be translated (a standard ACL selects them)
and the pool of inside global addresses they are translated to:
Router(config)# ip nat inside source list standard-access-list-number pool pool-name
•Specify the NAT pool:
Router(config)# ip nat pool pool-name first-inside-global-address last-inside-global-address netmask subnet-mask
•Mark the inside and outside interfaces:
Router(config)# interface Serial x/y
Router(config-if)# ip nat {inside | outside}
•See Example

457
PAT Configuration
•Specify the inside addresses to be translated. The overload keyword is
what turns dynamic NAT into PAT, so that many inside hosts share each pool
address and are told apart by port number:
Router(config)# ip nat inside source list standard-access-list-number pool pool-name overload
•Specify the PAT pool (often a single address, with first and last the same):
Router(config)# ip nat pool pool-name first-inside-global-address last-inside-global-address netmask subnet-mask
A pool is not required: ip nat inside source list standard-access-list-number interface Serial x/y overload
translates to the address of the outside interface itself.
•Mark the inside and outside interfaces:
Router(config)# interface Serial x/y
Router(config-if)# ip nat {inside | outside}
•See Example
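The translation behaviour described in these NAT and PAT slides, as an added Python model that is neither from the original slides nor Cisco's code: a router object holds a pool of inside global addresses, an ACL-style (address, wildcard) selector for the inside local hosts, and a translation table with the 15-minute idle timeout. Without overload it hands out one pool address per inside host and discards packets when the pool is empty; with overload it shares the first pool address and distinguishes hosts by the port it assigns, starting at 1024 as in the NAPT figure. Addresses and ports are taken from the slides' figures; the class and method names are mine.

```python
# Added example (not from the original slides): a toy NAT router that
# mimics the dynamic NAT and PAT (overload) behaviour described above.
import ipaddress
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60  # seconds: the slide's default of 15 minutes
INSIDE_HOSTS = ("10.0.0.0", "0.255.255.255")  # the inside-local range, ACL style


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def wildcard_match(addr, entry, wildcard):
    """Same test a standard ACL uses to select inside-local addresses."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(entry))) & care == 0


class NatRouter:
    def __init__(self, pool, inside_acl, overload=False, idle_timeout=IDLE_TIMEOUT):
        self.pool = list(pool)        # free inside-global addresses
        self.inside_acl = inside_acl  # (address, wildcard) of inside-local hosts
        self.overload = overload      # PAT: share one global address via ports
        self.idle_timeout = idle_timeout
        self.table = {}               # key -> [inside_global, global_port, last_seen]
        self.next_port = 1024         # first port PAT hands out (as in the figure)

    def _key(self, local, port):
        # PAT keeps one entry per (address, port); plain NAT one per address.
        return (local, port) if self.overload else local

    def _expire(self, now):
        """Drop idle associations; plain NAT returns the address to the pool."""
        for key, (glob, _, seen) in list(self.table.items()):
            if now - seen >= self.idle_timeout:
                del self.table[key]
                if not self.overload:
                    self.pool.append(glob)

    def outbound(self, pkt, now):
        """Inside -> outside: rewrite the source. None means the packet is dropped."""
        self._expire(now)
        if not wildcard_match(pkt.src, *self.inside_acl):
            return pkt  # not an inside-local address: forwarded untranslated
        key = self._key(pkt.src, pkt.sport)
        entry = self.table.get(key)
        if entry is None:
            if self.overload:
                entry = [self.pool[0], self.next_port, now]
                self.next_port += 1
            elif self.pool:
                entry = [self.pool.pop(0), pkt.sport, now]
            else:
                return None  # pool exhausted: the router discards the packet
            self.table[key] = entry
        entry[2] = now
        gport = entry[1] if self.overload else pkt.sport
        return Packet(entry[0], pkt.dst, gport, pkt.dport)

    def inbound(self, pkt, now):
        """Outside -> inside: reverse lookup on the destination. None if no entry."""
        self._expire(now)
        for key, entry in self.table.items():
            glob, gport, _ = entry
            if pkt.dst != glob or (self.overload and pkt.dport != gport):
                continue
            entry[2] = now
            local, lport = key if self.overload else (key, pkt.dport)
            return Packet(pkt.src, local, pkt.sport, lport)
        return None


if __name__ == "__main__":
    pat = NatRouter(["138.76.28.4"], INSIDE_HOSTS, overload=True)
    out = pat.outbound(Packet("10.0.0.10", "138.76.29.7", 3017, 23), now=0)
    print(out)                                                              # 138.76.28.4:1024 -> 138.76.29.7:23
    print(pat.inbound(Packet("138.76.29.7", "138.76.28.4", 23, 1024), now=1))  # back to 10.0.0.10:3017
```

The inbound path is the part worth noticing: with PAT, an outside packet is only delivered inward if its destination port matches an entry the inside host created, so unsolicited traffic to the shared address has nowhere to go and is dropped.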

458

459
Ethernet Access with Hubs

460
Ethernet Access with Bridges

461
Ethernet Access with Switches

462
Today's LAN

463
Full Duplex Transmitting
Full-duplex Ethernet allows the transmission of a packet and the reception of a
different packet at the same time.
This simultaneous transmission and reception requires the use of two pairs of wires
in the cable and a switched connection between each node. This connection is
considered point-to-point and is collision free.
The full-duplex Ethernet switch takes advantage of the two pairs of wires in the
cable by creating a direct connection between the transmit (TX) at one end of the
circuit and the receive (RX) at the other end.
Ethernet usually can only use 50%-60% of the available 10 Mbps of bandwidth
because of collisions and latency. Full-duplex Ethernet offers 100% of the
bandwidth in both directions. This produces a potential 20 Mbps throughput.

464
Why Segment LANs?

465
Collision Domains

466
Segmentation with Bridges

467
Segmentation with Routers

468
Segmentation with Switches

469
Basic Operations of a Switch
Switching is a technology that decreases congestion in Ethernet, Token
Ring, and FDDI LANs. Switching accomplishes this by reducing traffic and
increasing bandwidth. LAN switches are often used to replace shared hubs
and are designed to work with existing cable infrastructures.
Switching equipment performs the following two basic operations:
• Switching data frames
• Maintaining switching operations

470
Switching Methods
1. Store-and-Forward
The entire frame is received, and its frame check sequence verified, before
any forwarding takes place, so corrupt frames are dropped rather than
propagated. Filters are applied before the frame is forwarded. Most reliable,
but also the most latency, especially when frames are large.
2. Cut-Through
The frame is forwarded through the switch before the entire frame is
received. At a minimum the frame destination address must be read before
the frame can be forwarded. This mode decreases the latency of the
transmission, but also reduces error detection.
3. Fragment-Free
Fragment-free switching filters out collision fragments before forwarding
begins. Collision fragments are the majority of packet errors. In a properly
functioning network, collision fragments must be smaller than 64 bytes, the
minimum Ethernet frame size. Anything 64 bytes or longer is a valid frame and
is usually received without error, so the switch waits for the first 64 bytes
before it starts forwarding.

471
Frame Transmission Modes

472
Benefits of Switching

473
How Switches and Bridges
Learn Addresses
Bridges and switches learn in the following ways:
• Reading the source MAC address of each
received frame or datagram
• Recording the port on which the MAC address
was received.
In this way, the bridge or switch learns which addresses
belong to the devices connected to each port.

474
CAM
Content Addressable Memory
CAM is used in switch applications:
• To extract and process the address information from
incoming frames
• To compare the destination address with a table of
addresses stored within it
The CAM stores host MAC addresses and associated port
numbers. The CAM compares the received destination MAC
address against the CAM table contents. If the comparison
yields a match, the port is provided, and switching control
forwards the frame to the correct port and address.
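The learning and forwarding behaviour described on the last two slides, as an added Python example (not from the original slides): the switch records each frame's source MAC against its ingress port, forwards known unicast destinations out one port, floods unknown and broadcast destinations out every other port, and filters frames whose destination sits on the ingress port. The port names and MAC addresses are constructed for the demonstration.

```python
# Added example (not from the original slides): a learning switch that
# builds its CAM table from source addresses and forwards on destinations.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}  # MAC address -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Handle one frame; return the list of ports it is forwarded out of."""
        # Learn: whatever source address the frame carries is recorded
        # against the ingress port (a new port simply overwrites the old one).
        self.cam[src_mac] = in_port
        if dst_mac != BROADCAST and dst_mac in self.cam:
            out_port = self.cam[dst_mac]
            # Filter: destination is on the ingress segment (e.g. behind a
            # hub on that port), so the frame is not forwarded anywhere.
            return [] if out_port == in_port else [out_port]
        # Unknown unicast or broadcast: flood out every port except ingress.
        return [p for p in self.ports if p != in_port]


if __name__ == "__main__":
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])
    print(sw.receive("Fa0/1", "00:00:0c:00:00:01", "00:00:0c:00:00:02"))  # flood: unknown dst
    print(sw.receive("Fa0/2", "00:00:0c:00:00:02", "00:00:0c:00:00:01"))  # ['Fa0/1']: learned
    print(sw.cam)
```

Note that the table is updated from whatever source address the last frame carried; nothing in the learning step verifies it, so a host that moves to another port (or a second host sending with the same address) simply overwrites the entry.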

475
Shared vs. Dedicated Bandwidth
If a hub is used, bandwidth is shared. If a switch is used, then bandwidth is
dedicated. If a workstation or server is directly connected to a switch port, then the
full bandwidth of the connection to the switch is available to the connected
computer. If a hub is connected to a switch port, bandwidth is shared between all
devices connected to the hub.

476
Microsegmentation of a Network

477
Microsegmentation

478
3 Methods of Communication

479
Switches & Broadcast Domains
When two switches are connected, the broadcast domain is increased.
The overall result is a reduction in available bandwidth. This happens because all
devices in the broadcast domain must receive and process the broadcast frame.
Routers are Layer 3 devices. Routers do not propagate broadcasts. Routers are
used to segment both collision and broadcast domains.

480
Broadcast Domain

481

482
Overview
To design reliable, manageable, and scalable networks, a network
designer must realize that each of the major components of a
network has distinct design requirements.
Good network design will improve performance and also reduce the
difficulties associated with network growth and evolution.
The design of larger LANs includes identifying the following:
• An access layer that connects end users into the LAN
• A distribution layer that provides policy-based connectivity
between end-user LANs
• A core layer that provides the fastest connection between
the distribution points
Each of these LAN design layers requires switches that are best
suited for specific tasks.

483
The Access Layer
The access layer is the entry point for user workstations and servers to
the network. In a campus LAN the device used at the access layer can
be a switch or a hub.
Access layer functions also include MAC layer filtering and
microsegmentation. Layer 2 switches are used in the access layer.

484
Access Layer Switches
Access layer switches operate at Layer 2 of the OSI model
The main purpose of an access layer switch is to allow end
users into the network.
An access layer switch should provide this functionality with
low cost and high port density.
The following Cisco switches are commonly used at the
access layer:
• Catalyst 1900 series
• Catalyst 2820 series
• Catalyst 2950 series
• Catalyst 4000 series
• Catalyst 5000 series

485
The Distribution Layer
The distribution layer of the network is between the access and core layers.
Networks are segmented into broadcast domains by this layer. Policies can be
applied and access control lists can filter packets.
The distribution layer isolates network problems to the workgroups in which they
occur. The distribution layer also prevents these problems from affecting the core
layer. Switches in this layer operate at Layer 2 and Layer 3.

486
Distribution Layer Switches
The distribution layer switch must have high performance.
The distribution layer switch is a point at which a broadcast domain is
delineated. It combines VLAN traffic and is a focal point for policy
decisions about traffic flow.
For these reasons distribution layer switches operate at both Layer 2
and Layer 3 of the OSI model.
Switches in this layer are referred to as multilayer switches. These
multilayer switches combine the functions of a router and a switch in
one device.
The following Cisco switches are suitable for the distribution layer:
• Catalyst 2926G
• Catalyst 5000 family
• Catalyst 6000 family

487
The Core Layer
The core layer is a high-speed switching backbone.
This layer of the network design should not perform any packet manipulation.
Packet manipulation, such as access list filtering, would slow down the process.
Providing a core infrastructure with redundant alternate paths gives stability to the
network in the event of a single device failure.
The core can be designed to use Layer 2 or Layer 3 switching. Asynchronous
Transfer Mode (ATM) or Ethernet switches can be used.

488
Core Layer Switches
The switches in this layer can make use of a number of Layer 2
technologies. Provided that the distance between the core layer
switches is not too great, the switches can use Ethernet technology.
In a network design, the core layer can be a routed, or Layer 3, core.
Core layer switches are designed to provide efficient Layer 3
functionality when needed.
Factors such as need, cost, and performance should be considered
before a choice is made.
The following Cisco switches are suitable for the core layer:
• Catalyst 6500 series
• Catalyst 8500 series
• IGX 8400 series
• Lightstream 1010

489

490
Physical Startup of the Catalyst Switch
Switches are dedicated, specialized
computers, which contain a CPU, RAM, and
an operating system.
Switches usually have several ports for the
purpose of connecting hosts, as well as
specialized ports for the purpose of
management.
A switch can be managed by connecting to
the console port to view and make changes
to the configuration.
Switches typically have no power switch to
turn them on and off. They simply connect or
disconnect from a power source.
Several switches from the Cisco Catalyst
2950 series are shown in the graphic to the right.

491
Switch LED Indicators
The front panel of a switch has several lights to help monitor system
activity and performance. These lights are called light-emitting diodes
(LEDs). The switch has the following LEDs:
• System LED
• Remote Power Supply (RPS) LED
• Port Mode LED
• Port Status LEDs
The System LED shows whether the system is receiving power and
functioning correctly.
The RPS LED indicates whether or not the remote power supply is in use.
The Mode LEDs indicate the current state of the Mode button.
The Port Status LEDs have different meanings, depending on the current
value of the Mode LED.

492
Verifying Port LEDs During Switch POST
Once the power cable is connected, the switch initiates a
series of tests called the power-on self test (POST).
POST runs automatically to verify that the switch functions
correctly.
The System LED indicates the success or failure of POST.

493
Connecting a Switch to a Computer

494
Examining Help in the Switch CLI
The command-line interface (CLI) for Cisco switches is very
similar to the CLI for Cisco routers.
The help command is issued by entering a question mark (?).
When this command is entered at the system prompt, a list of
commands available for the current command mode is
displayed.
The help command is very flexible and essentially functions
the same way it does in a router CLI.
This form of help is called command syntax help, because it
provides applicable keywords or arguments based on a partial
command.

495
Switch Command Modes
Switches have several command modes.
The default mode is User EXEC mode, which ends in a
greater-than character (>).
The commands available in User EXEC mode are limited to
those that change terminal settings, perform basic tests, and
display system information.
The enable command is used to change from User EXEC
mode to Privileged EXEC mode, which ends in a pound-sign
character (#).
The configure command allows other command modes to be
accessed.

496
Show Commands in User-Exec Mode

497
Setting Switch Hostname
Setting Passwords on Lines

498

499
Overview
Redundancy in a network is extremely important because
redundancy allows networks to be fault tolerant.
Redundant topologies based on switches and bridges are
susceptible to broadcast storms, multiple frame
transmissions, and MAC address database instability.
Therefore network redundancy requires careful planning
and monitoring to function properly.
The Spanning-Tree Protocol is used in switched networks
to create a loop free logical topology from a physical
topology that has loops.

500
Redundant Switched Topologies
Networks with redundant paths and devices allow for more network uptime.
In the graphic, if Switch A fails, traffic can still flow from Segment 2 to
Segment 1 and to the router through Switch B. If port 1 fails on Switch A then
traffic can still flow through port 1 on Switch B.
Switches learn the MAC addresses of devices on their ports so that data can
be properly forwarded to the destination. Switches will flood frames for
unknown destinations until they learn the MAC addresses of the devices.
A redundant switched topology may cause broadcast storms, multiple frame
copies, and MAC address table instability problems.

501
Broadcast Storms
Broadcasts and multicasts can cause problems in a switched network.
Multicasts are treated as broadcasts by the switches.
Broadcast and multicast frames are flooded out all ports, except the one on
which the frame was received.
The switches continue to propagate broadcast traffic over and over. This is
called a broadcast storm. This will continue until one of the switches is
disconnected. The network will appear to be down or extremely slow.

502
Multiple Frame Transmissions
In a redundant switched network it is possible for an end device to receive
multiple frames. Assume that the MAC address of Router Y has been timed
out by both switches. Also assume that Host X still has the MAC address of
Router Y in its ARP cache and sends a unicast frame to Router Y. The router
receives the frame because it is on the same segment as Host X. Switch A
does not have the MAC address of Router Y and will therefore flood the
frame out its ports. Switch B also does not know which port Router Y is on.
Switch B then floods the frame it received causing Router Y to receive
multiple copies of the same frame. This is a cause of unnecessary processing
in all devices.

503
MAC Database Instability
A switch can incorrectly learn that a MAC address is on one port, when it is
actually on a different port. In this example the MAC address of Router Y is
not in the MAC address table of either switch. Host X sends a frame directed
to Router Y. Switches A & B learn the MAC address of Host X on port 0. The
frame to Router Y is flooded on port 1 of both switches. Switches A and B see
this information on port 1 and incorrectly learn the MAC address of Host X on
port 1. When Router Y sends a frame to Host X, Switch A and Switch B will
also receive the frame and will send it out port 1. This is unnecessary, but the
switches have incorrectly learned that Host X is on port 1.
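The three failure modes on slides 501 to 503 follow directly from how a learning switch works, and they can be reproduced with a small simulation. The Python below is an added example, not part of the original slides: two transparent switches connect segment 1 (Host X and Router Y) to segment 2 exactly as in the diagrams, Host X sends one unicast frame to Router Y while neither switch knows where Router Y is, and the run counts duplicate deliveries, MAC-table flaps and whether the frame is still circulating when the delivery cap is reached. Device names, MAC addresses and the cap are constructed for the example.

```python
"""Added example: why a redundant Layer 2 topology without STP misbehaves.

Two transparent switches (A and B) each connect segment 1 to segment 2.
Host X sends one unicast frame to Router Y while neither switch knows
where Router Y is.  The simulation counts duplicate deliveries, MAC table
flaps and whether the frame is still circulating when we stop.
MAC addresses and names are constructed for this example.
"""
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Host:
    """End station: accepts frames addressed to it, never forwards."""

    def __init__(self, name, mac):
        self.name, self.mac = name, mac
        self.received = 0

    def receive(self, _port, frame):
        if frame["dst"] in (self.mac, BROADCAST):
            self.received += 1
        return []


class Switch:
    """Transparent bridge: learn the source MAC per port, then filter,
    forward or flood based on the destination MAC."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = ports          # port number -> segment name
        self.mac_table = {}         # MAC -> port it was last seen on
        self.flaps = 0              # times a known MAC moved to another port

    def receive(self, port, frame):
        src, dst = frame["src"], frame["dst"]
        learned = self.mac_table.get(src)
        if learned is not None and learned != port:
            self.flaps += 1         # MAC database instability
        self.mac_table[src] = port
        if dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == port else [(self.ports[out], frame)]
        # unknown unicast (or broadcast): flood every port except the ingress one
        return [(seg, frame) for p, seg in self.ports.items() if p != port]


def build_topology(redundant):
    host_x = Host("HostX", "00:00:5e:00:00:0a")
    router_y = Host("RouterY", "00:00:5e:00:00:0b")
    sw_a = Switch("SwitchA", {0: "segment1", 1: "segment2"})
    segments = {"segment1": [(host_x, 0), (router_y, 0), (sw_a, 0)],
                "segment2": [(sw_a, 1)]}
    switches = [sw_a]
    if redundant:                   # a second switch in parallel creates the loop
        sw_b = Switch("SwitchB", {0: "segment1", 1: "segment2"})
        segments["segment1"].append((sw_b, 0))
        segments["segment2"].append((sw_b, 1))
        switches.append(sw_b)
    return host_x, router_y, switches, segments


def run(redundant, max_deliveries=10):
    """Inject one unicast frame from Host X to Router Y and replay the network
    until it goes quiet or `max_deliveries` segment deliveries have happened."""
    host_x, router_y, switches, segments = build_topology(redundant)
    frame = {"src": host_x.mac, "dst": router_y.mac}
    queue = deque([("segment1", frame, host_x)])   # (segment, frame, sender)
    deliveries = 0
    while queue and deliveries < max_deliveries:
        seg, fr, sender = queue.popleft()
        deliveries += 1
        for device, port in segments[seg]:       # every station on the bus hears it
            if device is sender:
                continue
            for out_seg, out_frame in device.receive(port, fr):
                queue.append((out_seg, out_frame, device))
    return {
        "copies_to_router_y": router_y.received,
        "flaps": {sw.name: sw.flaps for sw in switches},
        "still_looping": bool(queue),             # a broadcast would storm the same way
    }


if __name__ == "__main__":
    print("single switch:", run(redundant=False))
    print("redundant    :", run(redundant=True))
```

With one switch the frame reaches Router Y once and the queue drains. With the second switch in parallel, each switch keeps re-flooding the copy the other one put on segment 2, Router Y receives the same frame again on every pass, and both switches flip Host X between port 0 and port 1 each time; nothing in the switches themselves ever stops it.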

504
Using Bridging Loops
for Redundancy

505
Logical Loop Free Topology
Created with STP

506
NOTE:
Don’t confuse Spanning Tree Protocol
(STP) with Shielded Twisted Pair (STP).

507
Spanning Tree Protocol -1
Ethernet bridges and switches can implement the IEEE 802.1D
Spanning-Tree Protocol and use the spanning-tree algorithm to
construct a loop-free, shortest-path network.
Shortest path is based on cumulative link costs.
Link costs are based on the speed of the link.

508
Spanning Tree Protocol -2
The Spanning-Tree Protocol establishes a root node, called the
root bridge/switch.
The Spanning-Tree Protocol constructs a topology that has one
path for reaching every network node. The resulting tree originates
from the root bridge/switch.
The Spanning-Tree Protocol requires network devices to exchange
messages to detect bridging loops. Links that would cause a loop are
put into a blocking state.
The message that a switch sends, allowing the formation of a loop-free
logical topology, is called a Bridge Protocol Data Unit (BPDU).

509
Selecting the Root Bridge
The first decision that all switches in the network make, is to identify
the root bridge. The position of the root bridge in a network will affect
the traffic flow.
When a switch is turned on, the spanning-tree algorithm is used to
identify the root bridge. BPDUs are sent out with the Bridge ID (BID).
The BID consists of a bridge priority that defaults to 32768 and the
switch base MAC address.
When a switch first starts up, it assumes it is the root switch and
sends BPDUs. These BPDUs contain the switch's own BID in both the
root BID and sender BID fields. When a switch receives a BPDU with a
lower root BID, it adopts that root BID in the BPDUs it sends out. All
bridges see these and agree that the bridge with the smallest BID value
is the root bridge.
A network administrator may want to influence the decision by setting
the switch priority to a smaller value than the default. The same rule
means that any device sending BPDUs with a lower BID takes over the
root role, so BPDUs should not be accepted on ports where no switch belongs.

510
BPDUs
BPDUs contain enough information so that all switches can do
the following:
• Select a single switch that will act as the root of the
spanning tree
• Calculate the shortest path from itself to the root switch
• Designate one of the switches as the closest one to the
root, for each LAN segment. This bridge is called the
“designated switch”. The designated switch handles all
communication from that LAN towards the root bridge.
• Each non-root switch chooses one of its ports as its root
port; this is the interface that gives the best path to the
root switch.
• Select ports that are part of the spanning tree, the
designated ports. Non-designated ports are blocked.

511
Spanning Tree Operation
When the network has stabilized, it has converged and there is one spanning
tree per network. As a result, for every switched network the following
elements exist:
• One root bridge per network
• One root port per non root bridge
• One designated port per segment
• Unused, non-designated ports
Root ports and designated ports are used for forwarding (F) data traffic.
Non-designated ports discard data traffic.
Non-designated ports are called blocking (B) or discarding ports.
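The election rules on slides 509 to 511 (lowest BID wins the root, each non-root switch picks the cheapest path to it, one designated port per segment, everything else blocks) amount to a short algorithm. The Python below is an added example, not part of the original slides, that runs it over a constructed three-switch triangle; the switch names, MAC addresses, link speeds and the IEEE 802.1D-1998 port costs (100, 19, 4 and 2 for 10 Mb/s to 10 Gb/s) are the assumptions. It goes slightly beyond the slide text by applying the full 802.1D tie-break order (root path cost, then sender BID, then sender port, then own port).

```python
"""Added example: 802.1D root election, root path costs and port roles.

Topology, BIDs and link speeds below are constructed for the example.
"""
from collections import defaultdict

INF = float("inf")
# IEEE 802.1D-1998 default port path costs keyed by link speed in Mb/s
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority, mac):
    """A BID orders by priority first, then by base MAC; the lowest wins."""
    return (priority, int(mac.replace(":", ""), 16))


def compute_spanning_tree(bridges):
    """bridges: {name: {"priority": int, "mac": str,
                        "ports": {port_id: (segment, speed_mbps)}}}
    Returns (root, {name: root path cost}, {(name, port_id): role})."""
    bid = {n: bridge_id(b["priority"], b["mac"]) for n, b in bridges.items()}
    root = min(bid, key=bid.get)                 # step 1: elect the root bridge
    on_segment = defaultdict(list)               # segment -> [(bridge, port_id)]
    for n, b in bridges.items():
        for pid, (seg, _speed) in b["ports"].items():
            on_segment[seg].append((n, pid))

    cost = {n: (0 if n == root else INF) for n in bridges}
    root_port, best = {}, {n: (INF,) for n in bridges}
    changed = True
    while changed:                               # step 2: relax until converged
        changed = False
        for n, b in bridges.items():
            if n == root:
                continue
            for pid, (seg, speed) in b["ports"].items():
                # BPDUs heard on this port come from the other bridges on the segment;
                # each carries the sender's root path cost, BID and port id
                heard = [(cost[m], bid[m], mp) for m, mp in on_segment[seg]
                         if m != n and cost[m] < INF]
                if not heard:
                    continue
                sender_cost, sender_bid, sender_port = min(heard)
                # tie-break order: root path cost, sender BID, sender port, own port
                key = (sender_cost + PORT_COST[speed], sender_bid, sender_port, pid)
                if key < best[n]:
                    best[n], cost[n], root_port[n] = key, key[0], pid
                    changed = True

    roles = {}                                   # step 3: designated vs blocking
    for seg, members in on_segment.items():
        designated = min(members, key=lambda m: (cost[m[0]], bid[m[0]], m[1]))
        for member in members:
            n, pid = member
            if root_port.get(n) == pid:
                roles[member] = "root"
            elif member == designated:
                roles[member] = "designated"
            else:
                roles[member] = "blocking"       # the port that breaks the loop
    return root, cost, roles


def triangle(priority_c=32768):
    """Three switches: A-B and A-C at 100 Mb/s, B-C at 1 Gb/s (constructed)."""
    return {
        "SwA": {"priority": 32768, "mac": "00:00:0c:00:00:01",
                "ports": {1: ("L_AB", 100), 2: ("L_AC", 100)}},
        "SwB": {"priority": 32768, "mac": "00:00:0c:00:00:02",
                "ports": {1: ("L_AB", 100), 2: ("L_BC", 1000)}},
        "SwC": {"priority": priority_c, "mac": "00:00:0c:00:00:03",
                "ports": {1: ("L_AC", 100), 2: ("L_BC", 1000)}},
    }


if __name__ == "__main__":
    for prio in (32768, 4096):
        root, cost, roles = compute_spanning_tree(triangle(priority_c=prio))
        print(f"SwC priority {prio}: root={root} costs={cost}")
        for (n, pid), role in sorted(roles.items()):
            print(f"  {n} port {pid}: {role}")
```

With default priorities SwA wins on MAC address, SwB and SwC both sit at cost 19, and on the gigabit B-C link the lower BID (SwB) takes the designated role, so SwC's port 2 blocks. Lowering SwC's priority to 4096 makes SwC the root, SwB's cost drops to 4 through the gigabit link, and the blocked port moves to SwA's 100 Mb/s port toward SwB. That is also what a rogue device sending superior BPDUs achieves; on Cisco switches BPDU Guard on access ports and Root Guard on ports toward other switches stop a foreign device from winning this election.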

512
Spanning Tree Port States

513
Spanning Tree Recalculation
A switched internetwork has converged when all the switch and
bridge ports are in either the forwarding or blocked state.
Forwarding ports send and receive data traffic and BPDUs.
Blocked ports will only receive BPDUs.
When the network topology changes, switches and bridges
recompute the Spanning Tree and cause a disruption of user
traffic.
Convergence on a new spanning-tree topology using the IEEE
802.1D standard can take up to 50 seconds.
This convergence is made up of the max-age of 20 seconds, plus
the listening forward delay of 15 seconds, and the learning forward
delay of 15 seconds.

514
Rapid STP Designations

515

516
VLANs
VLAN implementation combines Layer 2 switching and Layer 3 routing
technologies to limit both collision domains and broadcast domains.
VLANs can also be used to provide security by creating the VLAN
groups according to function and by using routers to communicate
between VLANs.
A physical port association is used to implement VLAN assignment.
Communication between VLANs can occur only through the router.
This limits the size of the broadcast domains and uses the router to
determine whether one VLAN can talk to another VLAN.
NOTE: This is the only way a switch can break up a broadcast domain!

517
Setting up VLAN Implementation

518
VLAN Communication

519
VLAN Membership Modes
•VLAN membership can either be static or dynamic.

520
Static VLANs
•All users attached to the same switch port must be in the same VLAN.

521
Configuring VLANs in Global
Mode
Switch#configure terminal
Switch(config)#vlan 3
Switch(config-vlan)#name Vlan3
Switch(config-vlan)#exit
Switch(config)#end

522
Configuring VLANs
in VLAN Database Mode
Switch#vlan database
Switch(vlan)#vlan 3
VLAN 3 added:
Name: VLAN0003
Switch(vlan)#exit
APPLY completed.
Exiting....

523
Deleting VLANs in Global Mode
Switch#configure terminal
Switch(config)#no vlan 3
Switch(config)#end

524
Deleting VLANs
in VLAN Database Mode
Switch#vlan database
Switch(vlan)#no vlan 3
VLAN 3 deleted:
Name: VLAN0003
Switch(vlan)#exit
APPLY completed.
Exiting....

525
Assigning Access Ports to a
VLAN
Switch(config)#interface gigabitethernet 1/1
•Enters interface configuration mode
Switch(config-if)#switchport mode access
•Configures the interface as an access port
Switch(config-if)#switchport access vlan 3
•Assigns the access port to a VLAN

526
Verifying the VLAN
Configuration
Switch#show vlan [id | name] [vlan_num | vlan_name]
VLAN Name Status Ports
------------------------------------ ----------------------------------------
1 default active Fa0/1, Fa0/2, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/11, Fa0/12
Gi0/1, Gi0/2
2 VLAN0002 active
51 VLAN0051 active
52 VLAN0052 active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
--------------------------------------------------------------------
1 enet 100001 1500 - - - - - 1002 1003
2 enet 100002 1500 - - - - - 0 0
51 enet 100051 1500 - - - - - 0 0
52 enet 100052 1500 - - - - - 0 0

Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
--------------------------------- ------------------------------------------

527
Verifying the VLAN Port
Configuration
Switch#show running-config interface {fastethernet |
gigabitethernet} slot/port
•Displays the running configuration of the interface
Switch#show interfaces [{fastethernet | gigabitethernet}
slot/port] switchport
•Displays the switch port configuration of the interface
Switch#show mac-address-table interface interface-id [vlan
vlan-id] [ | {begin | exclude | include} expression]
•Displays the MAC address table information for the specified
interface in the specified VLAN

528
Implementing VLAN Trunks
© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0—2-528

529
VLAN Trunking

530
Importance of Native VLANs

531
ISL Encapsulation
–Performed with ASIC
–Not intrusive to client stations; client does not
see the header
–Effective between switches, and between
routers and switches

532
ISL and Layer 2 Encapsulation

533
Configuring ISL Trunking
Switch(config)#interface fastethernet 2/1
•Enters interface configuration mode
Switch(config-if)#switchport trunk encapsulation [isl|dot1q]
•Selects the encapsulation (set it before placing the port in trunk mode;
a port whose encapsulation is still auto cannot be configured as a trunk)
Switch(config-if)#switchport mode trunk
•Configures the interface as a Layer 2 trunk

534
Verifying ISL Trunking
Switch#show running-config interface {fastethernet |
gigabitethernet} slot/port
Switch#show interfaces [fastethernet | gigabitethernet]
slot/port [switchport | trunk]
Switch#show interfaces fastethernet 2/1 trunk
Port Mode Encapsulation Status Native VLAN
Fa2/1 desirable isl trunking 1
Port VLANs allowed on trunk
Fa2/1 1-1005
Port VLANs allowed and active in management domain
Fa2/1 1-2,1002-1005
Port VLANs in spanning tree forwarding state and not pruned
Fa2/1 1-2,1002-1005

535
802.1Q Trunking

536
Configuring 802.1Q Trunking
Switch(config)#interface fastethernet 5/8
Switch(config-if)#shutdown
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport trunk allowed vlan 1,11,15,1002-1005
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport nonegotiate
Switch(config-if)#no shutdown

537
Verifying 802.1Q Trunking
Switch#show running-config interface {fastethernet |
gigabitethernet} slot/port
Switch#show interfaces [fastethernet | gigabitethernet]
slot/port [switchport | trunk]
Switch#show interfaces gigabitEthernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2 -1001
. . .
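Slide 530 ("Importance of Native VLANs") and the 802.1Q configuration above rest on one rule: frames in the native VLAN cross a trunk untagged, and untagged frames arriving on a trunk are placed in the native VLAN. The Python below is an added example, not code from the slides, that builds and parses 802.1Q tags and then models what a trunk does with the native VLAN at egress and ingress, so that the double-tagging case becomes visible. MAC addresses, payloads and VLAN numbers are constructed; the 0x88A8 service TPID is included because stacked tags are exactly what the case depends on.

```python
"""Added example: 802.1Q tagging and the native-VLAN double-tagging hazard.

Frames, MAC addresses and VLAN numbers below are constructed.
"""
import struct

TPID_8021Q = 0x8100     # customer (C-) tag
TPID_8021AD = 0x88A8    # service (S-) tag used for provider Q-in-Q stacking


def build_tag(vid, pcp=0, dei=0, tpid=TPID_8021Q):
    """4-byte tag: TPID, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    return struct.pack("!HH", tpid, tci)


def build_frame(dst, src, ethertype, payload, vids=()):
    """Ethernet II frame with zero or more stacked 802.1Q tags (outermost first)."""
    tags = b"".join(build_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Walk the header, peeling every tag until the real EtherType appears."""
    dst, src, offset, tags = frame[:6], frame[6:12], 12, []
    while True:
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": tpid, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def trunk_ingress_vlan(frame, native_vlan):
    """VLAN a switch assigns to a frame arriving on an 802.1Q trunk:
    the outer tag's VID, or the native VLAN when the frame is untagged."""
    tags = parse_frame(frame)["tags"]
    return tags[0]["vid"] if tags else native_vlan


def trunk_egress(frame, native_vlan):
    """Frame as it leaves an 802.1Q trunk: traffic in the native VLAN is sent
    untagged, so its outer tag is removed and any inner tag is now outermost."""
    tags = parse_frame(frame)["tags"]
    if tags and tags[0]["vid"] == native_vlan:
        return frame[:12] + frame[16:]
    return frame


def double_tag_lands_in(native_vlan, inner_vid=20):
    """VLAN in which a double-tagged frame (outer = VLAN 1, inner = inner_vid)
    arrives at the far switch after crossing a trunk with the given native VLAN."""
    attacker_frame = build_frame(b"\xff" * 6, b"\x00\x0c\x29\xaa\xbb\xcc",
                                 0x0800, b"\x45" + b"\x00" * 19, vids=(1, inner_vid))
    on_wire = trunk_egress(attacker_frame, native_vlan)
    return trunk_ingress_vlan(on_wire, native_vlan)


if __name__ == "__main__":
    print("native VLAN 1  :", double_tag_lands_in(native_vlan=1))    # hops into VLAN 20
    print("native VLAN 999:", double_tag_lands_in(native_vlan=999))  # stays in VLAN 1
```

When the trunk's native VLAN is the same VLAN the sender is in (VLAN 1 by default, as the `show interfaces switchport` output above reports), the first switch strips the outer tag, the inner tag is what the next switch reads, and the frame is delivered into VLAN 20 one way. Moving the native VLAN to an unused number keeps the outer tag on the wire, so the frame stays in VLAN 1; pairing that with `switchport nonegotiate` on every port that should never become a trunk, as in the configuration above, is the usual countermeasure.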

538
Implementing VLAN Trunk Protocol

539
VTP Protocol Features
–Advertises VLAN configuration information
–Maintains VLAN configuration consistency throughout a
common administrative domain
–Sends advertisements on trunk ports only

540
VTP Modes
Client mode:
•Cannot create, change, or delete VLANs
•Forwards advertisements
•Synchronizes VLAN configurations
•Does not save the VLAN configuration in NVRAM
Server mode:
•Creates, modifies, and deletes VLANs
•Sends and forwards advertisements
•Synchronizes VLAN configurations
•Saves configuration in NVRAM
Transparent mode:
•Creates, modifies, and deletes VLANs locally only
•Forwards advertisements
•Does not synchronize VLAN configurations
•Saves configuration in NVRAM

541
VTP Operation
•VTP advertisements are sent as multicast frames.
•VTP servers and clients synchronize to the advertisement that carries the
highest configuration revision number.
•VTP advertisements are sent every 5 minutes or when there is a change.

542
VTP Pruning
•Increases available bandwidth by reducing unnecessary flooded traffic
•Example: Station A sends a broadcast, and the broadcast is flooded only toward
switches that have ports assigned to the red VLAN.

543
VTP Configuration Guidelines
–Configure the following:
•VTP domain name
•VTP mode (server mode is the default)
•VTP pruning
•VTP password
–Be cautious when adding a new switch into an existing
domain: a switch whose configuration revision number is higher
than the domain's overwrites the VLAN database of every server
and client in the domain, even if that switch is in client mode.
–Add a new switch in client mode to get the latest information
from the network, then convert it to server mode.
–Add all new configurations to a switch in transparent mode and
check the configuration well before converting it to server mode,
so that the switch does not propagate incorrect VLAN information.
–Placing a switch in transparent mode or changing its domain name
resets its configuration revision number to zero.
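The VTP Operation and Configuration Guidelines slides describe a simple rule set: same domain, matching password digest, and a higher revision number wins. The Python below is an added example, not code from the slides or from Cisco, that models that state machine for server, client and transparent switches and then plugs a reused lab switch into a production domain. The MD5 "digest" is a simplification (real VTP hashes the advertisement contents together with the domain password; the model only needs it to fail when passwords differ), and the switch names, VLANs, revision numbers and passwords are constructed.

```python
"""Added example: VTP revision-number synchronisation and what a stray switch does.

The MD5 "digest" here is a simplification: real VTP hashes the advertisement
contents together with the domain password, which is all this model needs.
Switch names, VLANs, revisions and passwords are constructed.
"""
import hashlib


class VtpSwitch:
    """One switch's VTP state machine (server, client or transparent)."""

    def __init__(self, name, mode, domain, password="", revision=0, vlans=None):
        if mode not in ("server", "client", "transparent"):
            raise ValueError(mode)
        self.name, self.mode, self.domain, self.password = name, mode, domain, password
        # a transparent switch keeps its revision at 0 and never advertises its own table
        self.revision = 0 if mode == "transparent" else revision
        self.vlans = dict(vlans or {1: "default"})

    def digest(self, domain, revision, vlans):
        blob = f"{domain}|{revision}|{sorted(vlans.items())}|{self.password}"
        return hashlib.md5(blob.encode()).hexdigest()

    def create_vlan(self, vid, name):
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":          # every change bumps the revision
            self.revision += 1

    def advertisement(self):
        """Summary advertisement sent on trunks (transparent switches only relay)."""
        if self.mode == "transparent":
            return None
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans),
                "digest": self.digest(self.domain, self.revision, self.vlans)}

    def receive(self, adv):
        """Apply the rules a server or client uses on an incoming advertisement."""
        if self.mode == "transparent":
            return "forwarded"                       # relays, never applies
        if adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        if adv["digest"] != self.digest(adv["domain"], adv["revision"], adv["vlans"]):
            return "ignored: digest mismatch (wrong password)"
        if adv["revision"] <= self.revision:
            return "ignored: revision not newer"
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return "updated"


def plug_in(new_switch, domain):
    """Trunk a switch to every switch in `domain`; return each one's reaction."""
    adv = new_switch.advertisement()
    if adv is None:
        return {sw.name: "no advertisement (transparent)" for sw in domain}
    return {sw.name: sw.receive(adv) for sw in domain}


def scenario(lab_mode="server", lab_password="s3cret"):
    """Production domain at revision 5 meets a lab switch reused at revision 40.
    Returns (reactions, core VLAN table afterwards, core revision afterwards)."""
    prod_vlans = {1: "default", 10: "users", 20: "servers"}
    core = VtpSwitch("Core", "server", "Lab_Network", "s3cret", 5, prod_vlans)
    access = VtpSwitch("Access1", "client", "Lab_Network", "s3cret", 5, prod_vlans)
    lab = VtpSwitch("LabSw", lab_mode, "Lab_Network", lab_password, 40,
                    {1: "default", 99: "lab"})
    reactions = plug_in(lab, [core, access])
    return reactions, core.vlans, core.revision


if __name__ == "__main__":
    for kwargs in ({}, {"lab_mode": "client"}, {"lab_password": "wrong"},
                   {"lab_mode": "transparent"}):
        print(kwargs, scenario(**kwargs))
```

The first two runs show the hazard the guidelines warn about: the lab switch at revision 40 replaces the production VLAN table on the server and the client, and putting it in client mode first does not help, because clients advertise their revision too. Only a different password (digest mismatch) or transparent mode, which resets the revision and sends no advertisement of its own, leaves the domain untouched.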

544
Configuring a VTP Server
Switch(config)#vtp server
•Configures VTP server mode
Switch(config)#vtp domain domain-name
•Specifies a domain name
Switch(config)#vtp password password
•Sets a VTP password
Switch(config)#vtp pruning
•Enables VTP pruning in the domain

545
Configuring a VTP Server
(Cont.)
Switch#configure terminal
Switch(config)#vtp server
Setting device to VTP SERVER mode.
Switch(config)#vtp domain Lab_Network
Setting VTP domain name to Lab_Network
Switch(config)#end

546
Verifying the VTP Configuration
Switch#show vtp status
VTP Version : 2
Configuration Revision : 247
Maximum VLANs supported locally : 1005
Number of existing VLANs : 33
VTP Operating Mode : Client
VTP Domain Name : Lab_Network
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 0.0.0.0 at 8-12-99 15:04:49
Switch#

547
Verifying the VTP Configuration
(Cont.)
Switch#show vtp counters
VTP statistics:
Summary advertisements received : 7
Subset advertisements received : 5
Request advertisements received : 0
Summary advertisements transmitted : 997
Subset advertisements transmitted : 13
Request advertisements transmitted : 3
Number of config revision errors : 0
Number of config digest errors : 0
Number of V1 summary errors : 0
VTP pruning statistics:
Trunk Join Transmitted Join Received Summary advts received from
non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Fa5/8 43071 42766 5

548

549
Contents
•Remote access overview
•WAN Connection Types
•Defining WAN Encapsulation Protocols
•Determining the WAN Type to Use
•OSI Layer-2 Point-to-Point WANs
–PPP
–HDLC
–Frame Relay

550
Remote Access Overview
•A WAN is a data communications network
covering a relatively broad geographical
area.
•A network administrator designing a
remote network must weigh user needs,
such as bandwidth, against the cost of
the available technologies.

551
WAN Connection Types

552
WAN Connection Types
•Leased lines
–A pre-established WAN communications path
from the CPE, through the DCE switch, to the CPE
of the remote site, allowing DTE networks to
communicate at any time with no setup procedures
before transmitting data.
•Circuit switching
–Sets up line like a phone call. No data can transfer
before the end-to-end connection is established.

553
WAN Connection Types
•Packet switching
–WAN switching method that allows you to share
bandwidth with other companies to save money. As
long as you are not constantly transmitting data and
are instead using bursty data transfers, packet
switching can save you a lot of money.
–However, if you have constant data transfers, then
you will need to get a leased line.
–Frame Relay and X.25 are packet switching
technologies.

554
Defining WAN Encapsulation
Protocols
•Each WAN connection uses an
encapsulation protocol to encapsulate
traffic while it crosses the WAN link.
•The choice of the encapsulation protocol
depends on the underlying WAN
technology and the communicating
equipment.

555
Defining WAN Encapsulation
Protocols
•Typical WAN encapsulation types include the
following:
–Point-to-Point Protocol (PPP)
–Serial Line Internet Protocol (SLIP)
–High-Level Data Link Control Protocol (HDLC)
–X.25 / Link Access Procedure Balanced (LAPB)
–Frame Relay
–Asynchronous Transfer Mode (ATM)

556
Determining the WAN Type to
Use
•Availability
–Each type of service may be available in certain
geographical areas.
•Bandwidth
–Determining usage over the WAN is important to
evaluate the most cost-effective WAN service.
•Cost
–A compromise between the traffic you need to
transfer and the type of service whose cost
suits you.

557
Determining the WAN Type to
Use
•Ease of Management
–Connection management includes both the
initial start-up configuration and the ongoing
configuration during normal operation.
•Application Traffic
–Traffic may be as small as the packets of a
terminal session or as large as those of a file
transfer.

558
Max. WAN Speeds for WAN Connections
WAN Type                     Maximum Speed
Asynchronous Dial-Up         56-64 Kbps
X.25, ISDN BRI               128 Kbps
ISDN PRI                     E1 / T1
Leased Line / Frame Relay    E3 / T3

559
OSI Layer-2 Point-to-Point
WANs
•WAN protocols used on Point-to-Point
serial links provide the basic function of
data delivery across that one link.
•The two most popular data link protocols
used today are Point-to-Point Protocol
(PPP) and High-Level Data Link Control
(HDLC).

560
HDLC
•HDLC performs OSI Layer-2 functions.
•It determines when it is appropriate to use
the physical medium.
•Ensures that the correct recipient receives
and processes the data that is sent.
•Determines whether the sent data was
received correctly or not (error detection).

561
HDLC
•HDLC Frame Format
•The original HDLC didn’t include a Protocol Type
field, so every vendor (including Cisco) added its
own; as a result Cisco's HDLC is proprietary and
is used only between Cisco routers.

562
Point-to-Point Protocol (PPP)
•PPP is a standard encapsulation protocol for the
transport of different Network Layer protocols
(including, but not limited to, IP).
•It has the following main functional components
–Link Control Protocol (LCP) that establishes,
authenticates, and tests the data link connection.
–Network Control Protocols (NCPs) that establish
and configure different network layer protocols.

563
Point-to-Point Protocol (PPP)
•PPP discards frames that do not pass the
error check.
•PPP is a standard protocol, and so it can
be used with all types of routers (not Cisco
Proprietary).

564
PPP LCP Features
•Authentication
•Compression
•Multilink PPP
•Error Detection
•Looped Link Detection

565
PAP Authentication

566
CHAP Authentication

567
Compression
•Compression enables higher data throughput
across the link.
•Different compression schemes are available:
–Predictor: checks whether the data is already
compressed before compressing it.
–Stacker: looks at the data stream, sends each type
of data only once together with information about
where that type occurs, and the receiving side uses
this information to reassemble the data stream.
–MPPC (Microsoft Point-to-Point Compression):
allows Cisco routers to compress data exchanged with
Microsoft clients.

568
PPP Multilink
•PPP Multilink provides load balancing over
dialer interfaces-including ISDN,
synchronous, and asynchronous
interfaces.
•This can improve throughput and reduce
latency between systems by splitting
packets and sending fragments over
parallel circuits.

569
Error Detection
•PPP can take down a link based on Link Quality
Monitoring (LQM): it computes the ratio of
corrupted packets to the total number of packets
sent, and if that ratio crosses a predetermined
threshold the link is brought down because its
performance is outside the accepted limits.

570
Looped Link Detection
•PPP can detect looped links (loopbacks that
telephone companies sometimes leave in place)
using what is called the Magic Number.
•Every router has its own magic number; if it
receives packets carrying its own magic number,
then the link is looped.

571
PPP Configuration Commands
•To enable PPP
–Router(config-if)#encapsulation ppp
•To configure PAP authentication
–Router(config-if)#ppp authentication pap
–Router(config-if)#ppp pap sent-username .. password ..
•To configure compression
–Router(config-if)#compress [predictor | stac | mppc]
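The PAP and CHAP slides show the two LCP authentication exchanges only as diagrams, and the configuration above covers PAP. The Python below is an added example, not code from the slides, that builds both on the wire: the PAP Authenticate-Request of RFC 1334 and the CHAP Challenge/Response/Success/Failure packets of RFC 1994 with the response value MD5(Identifier || secret || challenge). Router names and the shared secret are constructed; the two classes stand in for the two ends of one PPP link.

```python
"""Added example: PAP versus CHAP on a PPP link (RFC 1334 / RFC 1994 packet
formats).  Router names and the shared secret are constructed; a PPP
link is simulated by passing the returned packets between the objects.
"""
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def pap_request(identifier, peer_id, password):
    """PAP Authenticate-Request: Code 1, Identifier, Length, Peer-ID, Password.
    The password is carried in clear text."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def chap_packet(code, identifier, value, name):
    """CHAP Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def chap_result(code, identifier, message=b""):
    """CHAP Success/Failure: Code, Identifier, Length, Message."""
    return struct.pack("!BBH", code, identifier, 4 + len(message)) + message


def chap_hash(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def unpack_chap(packet):
    code, identifier, length = struct.unpack_from("!BBH", packet)
    size = packet[4]
    return code, identifier, packet[5:5 + size], packet[5 + size:length]


class ChapAuthenticator:
    """Side that issues challenges (the router configured to demand CHAP)."""

    def __init__(self, name, secrets):
        self.name, self.secrets = name, secrets   # secrets: {peer name: shared secret}
        self.outstanding = {}                     # identifier -> challenge, single use
        self.identifier = 0

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)                    # fresh random challenge every time
        self.outstanding[self.identifier] = value
        return chap_packet(CHAP_CHALLENGE, self.identifier, value, self.name)

    def verify(self, response):
        code, identifier, value, name = unpack_chap(response)
        challenge = self.outstanding.pop(identifier, None)  # consumed: a replay fails
        secret = self.secrets.get(name)
        ok = (code == CHAP_RESPONSE and challenge is not None and secret is not None
              and hmac.compare_digest(value, chap_hash(identifier, secret, challenge)))
        return ok, chap_result(CHAP_SUCCESS if ok else CHAP_FAILURE, identifier)


class ChapPeer:
    """Side that answers challenges; the shared secret never leaves it."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, challenge_packet):
        code, identifier, challenge, _authenticator = unpack_chap(challenge_packet)
        assert code == CHAP_CHALLENGE
        return chap_packet(CHAP_RESPONSE, identifier,
                           chap_hash(identifier, self.secret, challenge), self.name)


def authenticate(peer_secret, link_secret=b"s3cret"):
    """Run one CHAP exchange between R1 and R2; returns (accepted, bytes on the wire)."""
    r1 = ChapAuthenticator(b"R1", {b"R2": link_secret})
    r2 = ChapPeer(b"R2", peer_secret)
    challenge = r1.challenge()
    response = r2.respond(challenge)
    ok, result = r1.verify(response)
    return ok, challenge + response + result


if __name__ == "__main__":
    print("PAP request on the wire:", pap_request(1, b"R2", b"s3cret"))
    ok, wire = authenticate(b"s3cret")
    print("CHAP accepted:", ok, "| secret visible on wire:", b"s3cret" in wire)
```

The PAP packet carries `s3cret` verbatim, so anyone on the circuit has it. In the CHAP exchange the wire carries only a random challenge and an MD5 value bound to that challenge and the identifier; a captured response replayed against a new challenge fails because the authenticator discards each challenge after one use. On Cisco IOS the equivalent of this exchange is `ppp authentication chap` on the interface plus a `username R2 password ...` entry for the neighbour, with the router hostname sent as the Name field.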

572
Frame Relay

573
Frame Relay Components

574
Frame Relay
•The switch examines the frame sent by the
router, whose header contains an address called
the DLCI (data-link connection identifier), and
switches the frame based on the DLCI until it
reaches the router on the other side of the
network.

575
Frame Relay
•Frame Relay networks use permanent virtual circuits
(PVCs) or switched virtual circuits (SVCs), but most
Frame Relay networks today use PVCs.
•The logical path between each pair of routers is called a
Virtual Circuit (VC).
•VCs share the access link and the Frame Relay network.
•Each VC is committed to a CIR (Committed Information
Rate), a guarantee by the provider that the VC gets at
least that much bandwidth.

576
[Figure: Frame Relay network access. Desktop and LAN devices (PC, PBX,
video controller) connect through a router (the CPE) at the UNI, over an
ISDN dial-up or a direct connection (V.35, E1, RS-232), to a Frame Relay
switch port that carries PVCs and SVCs; the router formats packets into frames.]

577
LMI and Encapsulation Types
•The LMI is a definition of the messages used
between the DTE and the DCE.
•The encapsulation defines the headers used by
a DTE to communicate some information to the
DTE on the other end of a VC.
•The switch and its connected router care about
using the same LMI; the switch does not care
about the encapsulation. The endpoint routers
(DTEs) do care about the encapsulation.

578
LMI
•The most important LMI message is the LMI
status inquiry message. Status messages
perform two key functions:
–Perform a keepalive function between the DTE and
DCE. If the access link has a problem, the absence of
keepalive messages implies that the link is down.
–Signal whether a PVC is active or inactive. Even
though each PVC is predefined, its status can
change.

579
LMI
•Three LMI protocol options are available in
Cisco IOS software: Cisco, ITU, and ANSI.
•Each LMI option is slightly different and
therefore is incompatible with the other two.

580
LAPF
•A Frame Relay-connected router encapsulates
each Layer 3 packet inside a Frame Relay header
and trailer before it is sent out an access link.
•The header and trailer are defined by the Link
Access Procedure Frame Bearer Services (LAPF)
specification.
•The LAPF framing provides error detection with
an FCS in the trailer, as well as the DLCI, DE,
FECN, and BECN fields in the header.

581
LAPF
•DTEs use and react to the fields specified by
these two types of encapsulation, but Frame
Relay switches ignore these fields. Because the
frames flow from DTE to DTE, both DTEs must
agree to the encapsulation used.
•However, each VC can use a different
encapsulation. In the configuration, the
encapsulation created by Cisco is called cisco,
and the other one is called ietf.

582
DLCI Addressing Details
•The logical path between a pair of DTEs is called a
virtual circuit (VC).
•The data-link connection identifier (DLCI) identifies
each individual PVC.
•When multiple VCs use the same access link, the
Frame Relay switches know how to forward the
frames to the correct remote sites.
The DLCI is the Frame Relay address describing
a Virtual Circuit

583
[Figure: routers (R) and bridges (B) attached to an FR network through
Frame Relay switches; each virtual circuit is identified by a DLCI at each
end (values such as 16, 17, 21 and 32), and the same DLCI number is reused
on different access links.]

584
DLCI Addressing Details
•DLCI addressing differs from ordinary Layer 2
addressing mainly in that the header carries a
single DLCI field rather than separate source
and destination fields.

585
Global DLCI Addressing
•Frame Relay DLCIs are locally significant; this
means that the addresses need to be unique
only on the local access link.
•Global addressing is simply a way of choosing
DLCI numbers when planning a Frame Relay
network so that working with DLCIs is much
easier.
•Because DLCIs are always locally significant, global
addressing does not change these rules; it just makes
DLCI assignment more obvious.

586
Global DLCI Addressing

587
Global DLCI Addressing
•The final key to global addressing is that the
Frame Relay switches actually change the DLCI
value before delivering the frame.
•The sender treats the DLCI field as a
destination address, using the destination’s
global DLCI in the header.
•The receiver thinks of the DLCI field as the
source address, because it contains the global
DLCI of the frame’s sender.
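The LAPF slides list the fields the header and trailer carry (DLCI, DE, FECN, BECN and the FCS) and the global-addressing slides explain that the switch rewrites the locally significant DLCI on the way through. The Python below is an added example, not code from the slides, that encodes and decodes the two-byte Q.922 address field, computes the FCS, and implements a switch that forwards by (ingress port, DLCI) and swaps the DLCI while leaving the payload, and therefore the cisco or ietf encapsulation inside it, untouched. Port names, DLCI numbers and payloads are constructed, and the FCS uses the HDLC 16-bit CRC as specified in RFC 1662, which is my assumption for the trailer here.

```python
"""Added example: the Q.922 (LAPF) address field, the frame FCS, and how a
Frame Relay switch rewrites the locally significant DLCI on its way through.

Port names, DLCI numbers and payloads are constructed for the example.
"""
import struct


def encode_header(dlci, cr=0, fecn=0, becn=0, de=0):
    """Two-byte address: DLCI(6 high bits) C/R EA=0 | DLCI(4 low bits) FECN BECN DE EA=1."""
    if not 0 <= dlci < 1024:
        raise ValueError("10-bit DLCI expected")
    first = ((dlci >> 4) << 2) | (cr << 1)
    second = ((dlci & 0x0F) << 4) | (fecn << 3) | (becn << 2) | (de << 1) | 1
    return bytes([first, second])


def decode_header(data):
    first, second = data[0], data[1]
    if first & 1 or not second & 1:
        raise ValueError("only the 2-byte address format is handled")
    return {"dlci": ((first >> 2) << 4) | (second >> 4), "cr": (first >> 1) & 1,
            "fecn": (second >> 3) & 1, "becn": (second >> 2) & 1, "de": (second >> 1) & 1}


def fcs16(data):
    """HDLC-style 16-bit FCS (RFC 1662 algorithm) assumed for the LAPF trailer."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF


def build_frame(dlci, payload, **flags):
    body = encode_header(dlci, **flags) + payload
    return body + struct.pack("<H", fcs16(body))


def fcs_ok(frame):
    return len(frame) >= 4 and fcs16(frame[:-2]) == struct.unpack("<H", frame[-2:])[0]


class FrameRelaySwitch:
    """Forwards by (ingress port, DLCI) -> (egress port, DLCI); the payload,
    including the cisco/ietf encapsulation inside it, is never inspected."""

    def __init__(self, circuits):
        self.circuits = circuits

    def forward(self, port, frame):
        if not fcs_ok(frame):
            return None                       # corrupted frame is discarded
        header = decode_header(frame[:2])
        hop = self.circuits.get((port, header["dlci"]))
        if hop is None:
            return None                       # no VC with that DLCI on this access link
        out_port, header["dlci"] = hop        # DE/FECN/BECN/CR travel on unchanged
        return out_port, build_frame(payload=frame[2:-2], **header)


def global_addressing_switch():
    """Hub-and-spoke with global DLCIs A=16, B=17, C=18.  A sender uses the
    destination's global DLCI; the switch rewrites it to the sender's before delivery."""
    return FrameRelaySwitch({
        ("portA", 17): ("portB", 16), ("portB", 16): ("portA", 17),
        ("portA", 18): ("portC", 16), ("portC", 16): ("portA", 18),
    })


if __name__ == "__main__":
    sw = global_addressing_switch()
    out_port, out_frame = sw.forward("portA", build_frame(17, b"\x03\xcc" + b"ping", de=1))
    print(out_port, decode_header(out_frame[:2]))   # portB, DLCI 16, DE still set
```

Router A addresses B's global DLCI 17 on its own access link; the switch looks up ("portA", 17), delivers the frame on port B carrying DLCI 16, which is A's global DLCI, and recomputes the FCS because the header changed. A DLCI with no circuit on that access link, or a frame whose FCS fails, is dropped rather than forwarded.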

588
Layer 3 Addressing
•Cisco’s Frame Relay implementation
defines three different options for
assigning subnets and IP addresses on
Frame Relay interfaces:
–One subnet containing all Frame Relay DTEs
–One subnet per VC
–A hybrid of the first two options

589
One Subnet Containing All Frame
Relay DTEs
•The single-subnet option is typically used
when a full mesh of VCs exists.
•In a full mesh, each router has a VC to
every other router, meaning that each
router can send frames directly to every
other router.

590
One Subnet Containing All Frame
Relay DTEs

591
One Subnet Containing All Frame
Relay DTEs

592
One Subnet Per VC
•The single-subnet-per-VC alternative works better with a
partially meshed Frame Relay network.

593
One Subnet Per VC

594
Hybrid Terminology
•Point-to-point subinterfaces are used when a
single VC is considered to be all that is in the
group—for instance, between Routers A and D
and between Routers A and E.
•Multipoint subinterfaces are used when more
than two routers are considered to be in the
same group—for instance, with Routers A, B,
and C.

595
Hybrid Terminology

596
Hybrid Terminology

597
Frame Relay Address Mapping
•Mapping creates a correlation between a Layer-3
address (IP address) and its corresponding
Layer-2 address (the DLCI in Frame Relay).
•It is needed so that when the router routes a packet
to a next-hop IP address, it can hand the frame to
the Frame Relay switch with the appropriate DLCI.

598
Mapping Methods
•Mapping can be done in one of two ways:
•Dynamic Mapping
–Using Inverse ARP, which is enabled by
default on Cisco routers.
•Static Mapping
–Using the frame-relay map command; first
disable Inverse ARP on the interface with the
command no frame-relay inverse-arp.

599
Inverse ARP Process

600
Frame Relay Configuration

601
Frame Relay Verification

602
Integrated Services Digital
Network (ISDN)

603
ISDN Protocols

604
BRI & PRI B and D Channels

605
LAPD & PPP on D and B
Channels

606
LAPD & PPP on D and B
Channels
•LAPD is used as a data-link protocol across an
ISDN D channel.
•Essentially, a router with an ISDN interface
needs to send and receive signaling messages
to and from the local ISDN switch to which it is
connected.
•LAPD provides the data-link protocol that allows
delivery of messages across that D channel to
the local switch.

607
LAPD & PPP on D and B
Channels
•The call setup and teardown messages
themselves are defined by the Q.931
protocol. So, the local switch can receive a
Q.931 call setup request from a router
over the LAPD-controlled D channel, and it
should react to that Q.931 message by
setting up a circuit over the public network.

608
LAPD & PPP on D and B
Channels
•An ISDN switch often requires some form of
authentication from the device connecting to it.
•Switches use a free-form decimal value, called the
service profile identifier (SPID), to perform this
check.
•In short, before any Q.931 call setup messages
are accepted, the switch asks for the configured
SPID values. If the values match what is
configured in the switch, call setup flows are
accepted.

609
PRI Encoding and Framing
•ISDN PRI in North America is based on a digital
T1 circuit. T1 circuits use one of two line encoding
schemes: Alternate Mark Inversion (AMI) or
Bipolar with 8-Zero Substitution (B8ZS).
•The two options for framing on T1s are Extended
Super Frame (ESF) or the older option, Super
Frame (SF). In most cases today, new T1s use ESF.

610
DDR (Dial On Demand Routing)
•You can configure DDR in several ways,
including Legacy DDR and DDR dialer profiles.
•The main difference between the two is that
Legacy DDR ties the dial details to a physical
interface, whereas dialer profiles separate the
dial configuration from the physical interface,
which allows a great deal of flexibility.

611
Legacy DDR Operation
1.Route packets out the interface to be dialed.
2.Determine the subset of the packets that
trigger the dialing process.
3.Dial (signal).
4.Determine when the connection is
terminated.

612
Legacy DDR Operation

613
DDR Step 1: Routing Packets Out the
Interface to Be Dialed
•DDR does not dial until some traffic is directed
(routed) out the dial interface.
•The router needs to route packets so that they are
queued to go out the dial interface. Cisco’s design for
DDR defines that the router receives some user-
generated traffic and, through normal routing
processes, decides to route the traffic out the interface
to be dialed.
•The router (SanFrancisco) can receive a packet that
must be routed out BRI0; routing the packet out BRI0
triggers the Cisco IOS software, causing the dial to
occur.

614
DDR Step 2:
Determining the Interesting Traffic
•Packets that are worthy of causing the device to
dial are called interesting packets.
•Two different methods can be used to define
interesting packets.
–In the first method, interesting is defined as all
packets of one or more Layer 3 protocols.
–The second method allows you to define packets as
interesting if they are permitted by an access list.

615
DDR Step 3:
Dialing (Signaling)
•The phone number to be dialed must be defined.
•When only one site is dialed, use the dialer
string string command, where string is the
phone number.
•When several sites are dialed, the dialer map
command maps each phone number to the IP
address of the router reached by dialing it.

616
Configuring SPIDs
•You might need to configure the Service Profile
Identifier (SPID) for one or both B channels,
depending on the switch's expectations.
•When the telco switch has SPIDs configured, it
might not allow the BRI line to work unless the
router announces the correct SPID values to the
switch. SPIDs, when used, provide only a basic
identification check of the router toward the
switch; they do not authenticate the remote router
at the other end of the call, which is what PPP
authentication on the B channels is for.
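The following legacy DDR configuration is an added example, not taken from the original slides, and walks through steps 1 to 4 on a BRI for the SanFrancisco router of the DDR slides. The remote router name LosAngeles, the CHAP password, the phone numbers, SPIDs, switch type and IP addresses are all assumed values. The interesting-traffic list is written so that routing-protocol updates can never bring the circuit up or keep it up, which is the usual cause of unexpected toll charges on a per-minute ISDN line.

```cisco
! SanFrancisco, legacy DDR on BRI0. Names, numbers, SPIDs and addresses are assumed.
hostname SanFrancisco
!
! Step 3 prerequisite: the ISDN switch type the telco said it uses
isdn switch-type basic-ni
!
! CHAP credentials for the remote router (LosAngeles needs a matching entry for SanFrancisco)
username LosAngeles password 0 s3cret-example
!
! Step 1: a static route makes normal routing send traffic for the remote LAN
! toward 10.2.2.2, which is reachable only through BRI0
ip route 192.168.2.0 255.255.255.0 10.2.2.2
!
! Step 2: interesting traffic. Only packets permitted by ACL 101 may trigger a call
! or reset the idle timer; routing-protocol chatter is denied so it cannot dial by itself.
access-list 101 deny udp any any eq rip
access-list 101 deny ospf any any
access-list 101 deny eigrp any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
interface BRI0
 ip address 10.2.2.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 ! SPIDs identify each B channel to the telco switch (basic check, not strong authentication)
 isdn spid1 51055512340001 5551234
 isdn spid2 51055512350001 5551235
 ! Step 3: map the remote router's address and CHAP name to the number to dial
 dialer map ip 10.2.2.2 name LosAngeles broadcast 5555678
 ! Tie this interface to dialer-list 1 (the interesting-traffic definition)
 dialer-group 1
 ! Step 4: tear the call down after 120 seconds without interesting traffic
 dialer idle-timeout 120
!
! Verification:
! show isdn status  - Layer 1 ACTIVE, Layer 2 MULTIPLE_FRAME_ESTABLISHED, spid1/spid2 "valid"
! show dialer       - "Dial reason" shows the packet that triggered the call, plus the idle timer
! debug dialer      - "Dialing cause ip (s=..., d=...)" confirms which packet was interesting
```

Note that the ACL controls only what counts as interesting; once the call is up, any IP traffic permitted by routing is carried, so denied routing updates still flow across the link while it is connected.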

617
ISDN PRI Configuration
1.Configure the type of ISDN switch to which this
router is connected.
2.Configure the T1 or E1 encoding and framing
options (controller configuration mode).
3.Configure the T1 or E1 channel range for the
DS0 channels used on this PRI (controller
configuration mode).
4.Configure any interface settings (for example,
PPP encapsulation and IP address) on the
interface representing the D channel.

618
PRI Configuration Commands

619
ISDN Switch Types

620
Configuring a T1 or E1 Controller
•Your service provider will tell you what
encoding and framing to configure on the
router. In almost every case you will also use
every DS0 on the PRI: on a T1 that is all 24
channels, 23 B channels plus the D channel in
timeslot 24; on an E1 it is timeslots 1 to 31, 30 B
channels plus the D channel in timeslot 16, with
timeslot 0 reserved for framing.

621
DDR With Dialer Profiles
•Dialer profiles pool the physical interfaces
so that the router uses any available B
channel on any of the BRIs or PRIs in the
pool.
•Dialer profiles configuration moves most of
the DDR interface configuration to a virtual
interface called a dialer interface.
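As an added example that is not from the original slides, the configuration below carries out the four ISDN PRI configuration steps on a T1 controller and then places that PRI and a BRI in one dialer pool behind a dialer interface, so a call can use any free B channel on either circuit. The controller and interface numbers, switch types, hostnames, CHAP password, phone number and addresses are assumed values.

```cisco
! SanFrancisco: a T1 PRI and a BRI pooled behind Dialer1. All names, numbers and addresses are assumed.
hostname SanFrancisco
username LosAngeles password 0 s3cret-example
!
! PRI step 1: switch type for the PRI (the BRI overrides it under its own interface)
isdn switch-type primary-ni
!
! PRI steps 2 and 3: encoding and framing as given by the provider, and all 24 DS0s (23B+D)
controller T1 1/0
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
! PRI step 4: the D channel appears as Serial1/0:23. With dialer profiles the physical
! interface keeps only encapsulation, authentication and pool membership.
interface Serial1/0:23
 no ip address
 encapsulation ppp
 ppp authentication chap
 dialer pool-member 1
!
! A BRI in the same pool (add isdn spid1/spid2 here only if the telco switch requires them)
interface BRI0
 no ip address
 encapsulation ppp
 ppp authentication chap
 isdn switch-type basic-ni
 dialer pool-member 1
!
! The virtual dialer interface holds the DDR configuration that legacy DDR put on the BRI
interface Dialer1
 ip address 10.2.2.1 255.255.255.0
 encapsulation ppp
 ppp authentication chap
 dialer pool 1
 ! Incoming calls are bound to this profile only when the peer's CHAP name matches
 dialer remote-name LosAngeles
 dialer string 5555678
 dialer-group 1
 dialer idle-timeout 120
!
ip route 192.168.2.0 255.255.255.0 10.2.2.2
!
! Interesting traffic: routing-protocol updates are never allowed to place or hold a call
access-list 101 deny udp any any eq rip
access-list 101 deny ospf any any
access-list 101 deny eigrp any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
! Verification:
! show controllers t1 1/0         - "T1 1/0 is up", no alarms, framing and line code as configured
! show isdn status                - Layer 1/2 state for Serial1/0:23 and BRI0
! show dialer interface dialer 1  - pool members and the B channel currently bound to the profile
```

The dialer remote-name line matters for inbound calls: without a CHAP name to match, the router cannot tell which dialer profile an incoming call belongs to, so authentication on the pool members should never be removed to "make it work".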

622
Dialer Profiles Configuration

623
Dialer Profiles Configuration

624
With all my best wishes for you
to succeed and distinguish yourself in the
CCNA International Exam,
Keep in touch