IPexperts CCNA R&S ICND2 Video On Demand Slide Deck
What Is a Network?
(Figure: a simple network linking a Head Office, Remote Office, Home User, Telecommuter and Mobile Worker; labelled elements include a VPN Link, Webmail / File Transfer, and Software.)
Physical Components of a Network
Interpreting a Network Diagram
Impact of User Applications on the Network
Batch applications:
FTP, TFTP, inventory updates
No direct human interaction
Bandwidth important, but not critical
Interactive applications:
Real-time applications:
VoIP, video
Human-to-human interaction
End-to-end latency critical
Characteristics
Topology
Speed
Cost
Security
Availability
Scalability
Reliability
of
Network
Physical
Topologies
Bus Topology
Star Topology
Mesh Topology
Logical
Topologies
Logical paths that the signals use to travel from one point on the network to another
Summary
Understanding the Host-to-Host Communications Model
Introducing Host-to-Host Communications
Two different types of host-to-host models:
OSI Reference Model
TCP/IP Protocol Suite
TCP/IP Stack: Application, Transport, Internet, Link
Data Encapsulation (Sender)
(Figure: each layer prepends its header, HDR = Header.)
Application: User Data
Transport: L4 HDR | Other HDR | User Data
Internet: L3 HDR | L4 HDR | Other HDR | User Data
Network Access: L2 HDR | L3 HDR | L4 HDR | Other HDR | User Data | FCS
Data De-Encapsulation (Receiver)
(Figure: the receiver removes the headers in the reverse order.)
Network Access: strips L2 HDR and FCS, leaving L3 HDR | L4 HDR | Other HDR | User Data
Internet: strips L3 HDR, leaving L4 HDR | Other HDR | User Data
Transport: strips L4 HDR, leaving Other HDR | User Data
Application: User Data
Peer-to-Peer Communications
(Figure: each layer on the sender exchanges PDUs with the same layer on the receiver.)
Layer | PDU
Application | Data
Transport | Segment
Network | Packet
Link | Frame
Summary
Operating Cisco IOS Software
Cisco IOS Software Features and Functions
Cisco IOS CLI Functions
Pressing Enter instructs the device to parse (translate) and execute the
command.
The two primary EXEC modes are user mode and privileged mode.
User EXEC Mode
Privileged EXEC Mode
Change from user EXEC mode to privileged EXEC mode using the enable command.
Privileged EXEC Mode (Cont.)
Help Functions in the CLI
Context-sensitive help
Help Functions in the CLI (Cont.)
This sequence of commands shows how CLI context-sensitive help can be used:
CLI Error Messages
Managing Cisco IOS Configurations
Improving the User Experience in the CLI
Key | Description
Tab |
Ctrl-A |
Ctrl-E |
Backspace |
Ctrl-U | Erases a line
Ctrl-Shift-6 | Allows the user to abort a Cisco IOS process such as ping or traceroute
Ctrl-C |
Ctrl-Z |
Improving the User Experience in the CLI (Cont.)
The Cisco IOS CLI pauses after a specific number of lines is displayed.
Improving the User Experience in the CLI (Cont.)
You can filter show outputs using the pipe (|) character and a filtering
parameter.
Use the include parameter to display configuration commands that include a specific word:
Summary
1) Cisco IOS Software provides network services to Cisco products to perform various
internetworking functions.
2) The Cisco IOS CLI uses a hierarchy of commands in its command-mode structure.
3) Two basic configuration modes are user EXEC mode and privileged EXEC mode.
4) Context-sensitive help and console error messages are available in the Cisco IOS
CLI to help you configure Cisco devices.
5) Two general configurations that are used by Cisco routers and switches are the
running configuration and the startup configuration.
6) You can use hot keys and shortcuts, command history, and output filters to improve
the CLI user experience.
Starting a Switch
Switch Installation
Switch LED Indicators
1. System LED
2. Remote Power Supply LED
3-6. Port Mode LEDs
7. Mode Button
8. Port Status LED
Connecting to the Console Port
Console Cable
Console Port
USB-to-Serial Port Adapter
Basic Switch Configuration
Configuration modes:
Global configuration mode
Basic Switch Configuration (Cont.)
Verifying the Switch Initial Startup Status
Displays the configuration of the system hardware, software version, and boot images
Verifying the Switch Initial Startup Status (Cont.)
Summary
1) Physical switch installation must meet power and environmental requirements.
2) Cisco IOS switches have several status LEDs that are generally green when the
switch is functioning normally but turn amber when there is a malfunction.
3) A console cable and port are needed to access the switch console and perform
the initial configuration.
4) Cisco IOS switches can be configured in the CLI using the global
configuration mode and other configuration modes.
Understanding Ethernet and Switch Operation
Ethernet LAN Connection Media
Ethernet LAN Connection Media (Cont.)
Modifying Ethernet to conform to existing twisted-pair telephone wiring enabled cost reduction.
UTP-based Ethernet, which uses copper, became widely deployed after the 10BASE-T standard.
Fiber-optic variants of Ethernet offer high performance, electrical isolation, and long distance
(tens of kilometers with some versions).
(Figure: twisted-pair cable showing the Outer Jacket, Color-Coded Plastic Insulation and RJ-45 Connector; a characteristic/value table with entries such as Least expensive, Small, Varies.)
Ethernet LAN Connection Media (Cont.)
Fiber Types
Multimode Fiber (MMF): a core with refractive index n1 surrounded by cladding with refractive index n2
Fiber Connector Types: SMA, Biconic, ST, SC, FC, D4, LC
Ethernet Frame Structure
Fields shown: Preamble, Type, Data (46-1500 bytes), FCS
MAC Addresses
Unicast, Broadcast, Multicast (figure: a client, a group, and group members)
MAC Addresses (Cont.)
Switching Operation
(Figure: PC A on port 1, PC B on port 3, and PC C on the remaining port 2. Steps 1-3: PC A sends a frame to PC B; the MAC table knows only PC A, so the frame is flooded to PC B and PC C.)
MAC Table
Port 1: MAC PC A
Port 2: Empty
Port 3: Empty
Switching Operation (Cont.)
(Figure, steps 4-6: PC B replies to PC A; the switch learns PC B on port 3 and forwards the frame to PC A only.)
MAC Table
Port 1: MAC PC A
Port 2: Empty
Port 3: MAC PC B
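The learn/flood/forward behaviour of the two slides above, as an added example that is not part of the original deck. The MAC addresses for PC A, PC B and PC C are constructed; the port numbering follows the slide's MAC table (PC A on port 1, PC B on port 3).

```python
from dataclasses import dataclass, field

BROADCAST = "FF:FF:FF:FF:FF:FF"
# Constructed MAC addresses for the three PCs on the slide (not from the deck).
PC_A = "00:00:0A:00:00:01"
PC_B = "00:00:0B:00:00:02"
PC_C = "00:00:0C:00:00:03"


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    ports: tuple                                   # e.g. (1, 2, 3)
    mac_table: dict = field(default_factory=dict)  # MAC -> port it was learned on

    def receive(self, in_port: int, frame: Frame) -> list:
        """Process one frame arriving on in_port and return the list of egress ports."""
        if in_port not in self.ports:
            raise ValueError(f"no such port {in_port}")
        # Learning: bind the source MAC to the ingress port (a MAC seen on a new port is re-learned).
        self.mac_table[frame.src] = in_port
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Broadcast or unknown unicast: flood out every port except the one it came in on.
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[frame.dst]
        # Filtering: a known destination living on the ingress port is not forwarded anywhere.
        return [] if out_port == in_port else [out_port]

    def table_by_port(self) -> dict:
        """Render the table the way the slide does: port -> MAC or 'Empty'."""
        by_port = {p: "Empty" for p in self.ports}
        for mac, port in self.mac_table.items():
            by_port[port] = mac
        return by_port


def run_slide_scenario() -> tuple:
    """PC A on port 1, PC C on port 2, PC B on port 3; replay the frames shown on the slides."""
    sw = Switch(ports=(1, 2, 3))
    egress = []
    # Steps 1-3: PC A sends to PC B; only PC A is known, so the frame is flooded to ports 2 and 3.
    egress.append(sw.receive(1, Frame(src=PC_A, dst=PC_B)))
    # Steps 4-6: PC B answers; the switch learns PC B on port 3 and forwards to port 1 only.
    egress.append(sw.receive(3, Frame(src=PC_B, dst=PC_A)))
    # A later frame from PC A to PC B is now switched directly to port 3.
    egress.append(sw.receive(1, Frame(src=PC_A, dst=PC_B)))
    return sw.table_by_port(), egress


if __name__ == "__main__":
    table, egress_ports = run_slide_scenario()
    print(table)         # {1: PC_A, 2: 'Empty', 3: PC_B}
    print(egress_ports)  # [[2, 3], [1], [3]]
```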
Duplex Communication
Half-duplex operation:
Unidirectional data flow
Higher potential for collision
Legacy connectivity
Duplex Communication (Cont.)
Full-duplex operation:
Point-to-point only
Attached to dedicated switched port
Requires full-duplex support on both ends
Configuring Duplex and Speed Options
General recommendation:
Use manual settings on infrastructure links.
Use auto settings on ports toward end devices.
Configuring Duplex and Speed Options (Cont.)
Duplex settings (resulting operation for each combination of the two ends, as shown on the slide):
Local \ Remote | Half | Full | Auto
Half | Half | Mismatch | Half
Full | Mismatch | Full | Full
Auto | Half | Full | Full
Configuring Duplex and Speed Options (Cont.)
Summary
1) Ethernet over twisted-pair technologies use twisted-pair cables for the
physical layer of an Ethernet computer network. Optical fiber permits
transmission over longer distances and at higher data rates.
2) The Ethernet frame contains header information, trailer information, and the
actual data that is being transmitted.
3) An Ethernet MAC address consists of two parts: OUI and a vendor- assigned
end-station address.
4) The switch creates and maintains a MAC address table by using the source MAC
addresses of incoming frames and the port number through which the frame
entered the switch.
5) Full-duplex communication increases effective bandwidth by allowing both ends
of the connection to transmit simultaneously.
Troubleshooting Common Switch Media Issues
Common Troubleshooting Tools
ping command
Common Troubleshooting Tools (Cont.)
Telnet
Media Issues
Copper Media Issues
Fiber Media Issues
Fiber Core
Splice losses
Troubleshooting Switch Media Issues
(Flowchart: use show interface to verify the interface status. If the interface is down, fix damaged cabling or connectors. If it is operational, check for excessive noise; if present, remove the source of noise and check the cable length. Then check for excessive collisions; if present, verify and fix the duplex settings. Otherwise the connection is successful.)
Troubleshooting Switch Media Issues (Cont.)
Interface Status | Link State | Meaning
Up | Up | Operational
Up | Down | Connection problem
Down | Down | Down
Administratively down | Down | Disabled
Interface Status Verification
Excessive noise:
Presence of many CRC errors
Inspect the cable for damage and correct length, and search for noise sources
Excessive collisions:
Normal in half-duplex operations
Configure the link to use full-duplex
Interface Status Verification (Cont.)
Port Issues
Most common port issues are related to duplex and speed issues.
(Figure: one end set to full, the other to auto.)
Speed-related issues result from a mismatch in speed settings:
(Figure: one end set to 100, the other to auto.)
Port Issues (Cont.)
One end is set to half duplex and the other is set to autonegotiation:
If autonegotiation fails, that end reverts to half duplex.
Both ends are set to half duplex, and there is no mismatch.
Port Issues (Cont.)
More examples of duplex-related issues:
(Figure: one end set to full, the other to half; one end set to 100, the other to auto.)
Troubleshooting Port Issues
(Flowchart: use show interface. Check for a speed mismatch. If there is none, check for a duplex mismatch; a duplex mismatch is detected by Cisco Discovery Protocol. If one is found, manually fix the duplex settings on both sides. Otherwise the connection is successful.)
Troubleshooting Port Issues (Cont.)
Module Summary
1) Cisco IOS Software provides network services to Cisco products to perform various
internetworking functions.
2) Ethernet over twisted-pair technologies use twisted-pair cables for the physical
layer of an Ethernet computer network. Optical fibers permit transmission over
longer distances and at higher data rates.
3) The switch creates and maintains a MAC address table by using the source MAC
addresses of incoming frames and the port number through which the frame entered
the switch.
4) Switch media issues are common and have several possible sources, such as damaged
copper wiring, EMI sources, and macrobend and splice losses in fiber media.
5) Speed or duplex mismatch on a link leads to serious performance degradation.
Establishing Internet Connectivity
Internet Protocol
IP characteristics:
Operates at the internet layer of the TCP/IP stack
Connectionless protocol
Packets treated independently
Hierarchical addressing
Best-effort delivery
No data-recovery features
Media-independent
Two variants: IPv4 and IPv6
(Figure: TCP/IP stack with Application, Transport, Internet (IP) and Link layers.)
IPv4 Address Representation
32 bits: Network ID | Host ID
IPv4 Header Fields
Ver. | IHL | Service Type | Total Length
Identification | Flag | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options | Padding
Decimal and Binary Systems
Decimal | Binary
0 | 0
1 | 1
2 | 10
3 | 11
4 | 100
5 | 101
6 | 110
7 | 111
8 | 1000
9 | 1001
10 | 1010
11 | 1011
12 | 1100
13 | 1101
14 | 1110
15 | 1111
16 | 10000
17 | 10001
18 | 10010
19 | 10011
Decimal-to-Binary Conversion
Base^Exponent | 2^7 | 2^6 | 2^5 | 2^4 | 2^3 | 2^2 | 2^1 | 2^0
Place Value | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
Example: Convert decimal 35 to binary
35 = (2^7*0) + (2^6*0) + (2^5*1) + (2^4*0) + (2^3*0) + (2^2*0) + (2^1*1) + (2^0*1)
35 = (32*1) + (2*1) + (1*1)
35 = 00100011
IP Address Classes
ABC . . . Easy as 1 2 3
Class A: 0xxxxxxx | Network | Host | Host | Host
Class B: 10xxxxxx | Network | Network | Host | Host
Class C: 110xxxxx | Network | Network | Network | Host
IP Address Classes (Cont.)
IP Address Class | First Octet Range | First Octet in Binary | Possible Number of Hosts
Class A | 1-126 | 00000001 to 01111110* | 16,777,214
Class B | 128-191 | 10000000 to 10111111 | 65,534
Class C | 192-223 | 11000000 to 11011111 | 254
*127 (01111111) is a Class A address reserved for loopback testing and cannot be assigned to a network.
Reserved IPv4 Addresses
Network address
Directed broadcast address
Local broadcast address
Local loopback address
All zeros address
Domain Name System
(Figure: a host asks the DNS Server "I need to access cisco.com. What is its IP address?"; the Web Server cisco.com is shown at 198.133.219.25.)
Verifying the IPv4 Address of a Host (Windows Platform)
Verifying the IPv4 Address of a Host (Cont.)
Summary
1) IP is a Layer 3 media-independent connectionless protocol that uses
hierarchical logical addressing and provides service in a best-effort
manner.
2) Every node that is connected to the Internet has a unique IP address that
identifies it. An IP address consists of two parts: the network ID and the
host ID.
3) Every packet that travels through the network contains a source address and
a destination address.
4) Certain IP addresses (for example, network and broadcast addresses) are
reserved and cannot be assigned to individual network devices.
5) DNS is an application that is specified in the TCP/IP suite. It provides a
means to translate human-readable names into IP addresses.
Understanding IP Addressing and Subnets
Subnets
There can be problems within a single broadcast domain:
The domain relies on MAC addresses for packet delivery.
Larger amounts of broadcast traffic consume resources.
All devices share the same broadcast domain.
Subnets (Cont.)
Solution: Subnetworks
Smaller networks are easier to manage.
Overall traffic is reduced.
You can apply network security policies more easily.
(Figure: Engineering on Subnetwork 1, Manufacturing on Subnetwork 2, Finance on Subnetwork 3, and a WAN Interface.)
Subnet Masks
A subnet mask:
Defines the number of bits that represent the network and subnet part of the address
Used by end systems to identify the destination IP address as either local or remote
Used by Layer 3 devices to determine network path
(Figure: an address divided into Network | Subnet | Host.)
Octet Values of Subnet Mask
Subnet masks, like IP addresses, are represented in the dotted decimal format,
such as 255.255.255.0.
The binary 1 reflects the network and subnetwork part of the IP address.
Octet Values of Subnet Mask (Cont.)
Bit weights: 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
Mask octet values as the ones extend from the left: 128, 192, 224, 240, 248, 252, 254, 255
Octet Values of Subnet Mask (Cont.)
10.0.0.0 = 00001010.00000000.00000000.00000000
255.0.0.0 = 11111111.00000000.00000000.00000000 (/8)
Octet Values of Subnet Mask (Cont.)
172.16.0.0 = 10101100.00010000.00000000.00000000
255.255.0.0 = 11111111.11111111.00000000.00000000 (/16)
Octet Values of Subnet Mask (Cont.)
192.168.42.0 = 11000000.10101000.00101010.00000000
255.255.255.0 = 11111111.11111111.11111111.00000000 (/24)
Default Gateways
(Figure: hosts 10.1.1.1 and 10.1.1.2, subnet mask 255.255.255.0, use the Default Gateway 10.1.1.254 to reach 192.168.3.2, subnet mask 255.255.255.0.)
Default Gateways (Cont.)
Possible Network Subnets
(Table for a network with 16 host bits to split.)
Bits to Borrow | Subnets | Host Bits Remaining | Usable Hosts per Subnet
1 | 2 | 15 | 32,766
2 | 4 | 14 | 16,382
3 | 8 | 13 | 8,190
... | ... | ... | ...
13 | 8192 | 3 | 6
14 | 16384 | 2 | 2
15 | 32768 | 1 | 0
16 | 65536 | 0 | 0
Applying Subnet Masks
Determining the Network Addressing Scheme
Determining the Network Addressing Scheme (Cont.)
Step: Write down the octet that is being split and all remaining octets on the right in binary.
Example: Split octet (binary): 00100100 | 00101010
Step: Write down the mask or classful prefix length in binary.
Example: Assigned mask (/24): 11111111.11111111.11111111.00000000
Step: Draw a line to delineate the subnet and host bits in the assigned IP address. Write the IP address and the mask on top of each other so that you are able to identify the significant bits in the IP address.
Example: Split mask (binary): 11111111 | 00000000
Determining the Network Addressing Scheme (Cont.)
Steps 6, 7, 8
Example: 00100101.00000000
Determining the Network Addressing Scheme (Cont.)
Step: Write down the mask or classful prefix length in binary.
Example: Assigned mask (/29): 11111111.11111111.11111111.11111000
Step: Draw a line to delineate the subnet and host bits in the assigned IP address. Write the IP address and the mask on top of each other so that you are able to identify the significant bits in the IP address.
Example: Split octet (binary): 00100 | 101; Split mask (binary): 11111 | 000
Determining the Network Addressing Scheme (Cont.)
Steps 6, 7, 8
Example: Addressing Scheme
 | Octet 1 | Octet 2 | Octet 3 | Octet 4
IP address (decimal, as shown) | 192 | 168 | 5 | 139
IP address (binary) | 11000000 | 10101000 | 00000101 | 100|01001
Subnet mask | 11111111 | 11111111 | 11111111 | 111|00000
Network (binary) | 11000000 | 10101000 | 00000101 | 100|00000
Network (decimal) | 192 | 168 | 5 | 128
First host | 192 | 168 | 5 | 100|00001 = 129
Last host | 192 | 168 | 5 | 100|11110 = 158
Directed broadcast | 192 | 168 | 5 | 100|11111 = 159
Next network | 192 | 168 | 5 | 101|00000 = 160
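The addressing-scheme steps above (and the earlier decimal-to-binary conversion) carried out with plain bit arithmetic, as an added example that is not part of the original deck. It uses the constructed input 192.168.5.137/27, which is what the slide's fourth-octet binary 100|01001 encodes; only the Python standard library is used.

```python
import ipaddress


def to_binary_octets(value: int) -> str:
    """Dotted binary of a 32-bit value, e.g. 35 -> 00000000.00000000.00000000.00100011."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value must fit in 32 bits")
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/prefix as a 32-bit mask: 'prefix' ones on the left, zeros on the right."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def split_last_octet(value: int, prefix: int) -> str:
    """The last octet with the '|' drawn between subnet and host bits, as on the slide."""
    octet = f"{value & 0xFF:08b}"
    cut = max(0, prefix - 24)  # bits of the last octet that belong to the subnet part
    return f"{octet[:cut]}|{octet[cut:]}"


def dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def addressing_scheme(cidr: str) -> dict:
    """Network, first/last host, directed broadcast and next network for an address/prefix."""
    addr_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    addr = int(ipaddress.IPv4Address(addr_text))
    mask = mask_from_prefix(prefix)
    network = addr & mask                        # keep the network/subnet bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # set every host bit
    size = 1 << (32 - prefix)                    # addresses per subnet
    has_host_range = prefix <= 30                # /31 and /32 have no first/last host here
    return {
        "address_binary": to_binary_octets(addr),
        "mask": dotted(mask),
        "mask_binary": to_binary_octets(mask),
        "network": dotted(network),
        "network_split": split_last_octet(network, prefix),
        "first_host": dotted(network + 1) if has_host_range else None,
        "last_host": dotted(broadcast - 1) if has_host_range else None,
        "broadcast": dotted(broadcast),
        "next_network": dotted(network + size) if network + size <= 0xFFFFFFFF else None,
        "usable_hosts": size - 2 if has_host_range else 0,
    }


if __name__ == "__main__":
    for key, value in addressing_scheme("192.168.5.137/27").items():
        print(f"{key:15} {value}")
```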
Variable-Length Subnet Masking
(Figure: 172.16.0.0/16 at HQ, divided into /24 networks such as 172.16.0.0/24, 172.16.1.0/24, 172.16.3.0/24, 172.16.6.0/24 and 172.16.7.0/24 at sites B and C.)
Variable-Length Subnet Masking (Cont.)
(Figure: 172.16.0.0/16 with LANs 172.16.1.0/24 and 172.16.2.0/24, /27 subnets 172.16.14.64/27 and 172.16.14.96/27, and the /30 point-to-point link 172.16.14.136/30 at site B.)
VLSM Example
Entire Region Subnet: 172.16.32.0/20
Four LANs with 50 hosts each: subnets to be determined.
VLSM Example (Cont.)
VLSM address: 172.16.32.0/26
In binary: 10101100.00010000.00100000.00000000 (Network | Subnet | Host)
1st subnet: 172.16.0010 0000.00 000000 = 172.16.32.0/26
2nd subnet: 172.16.0010 0000.01 000000 = 172.16.32.64/26
3rd subnet: 172.16.0010 0000.10 000000 = 172.16.32.128/26
4th subnet: 172.16.0010 0000.11 000000 = 172.16.32.192/26
5th subnet: 172.16.0010 0001.00 000000 = 172.16.33.0/26
VLSM Example (Cont.)
LAN Subnets Derived from 172.16.32.0/20:
172.16.32.0/26 (50 hosts)
172.16.32.64/26 (50 hosts)
172.16.32.128/26 (50 hosts)
172.16.32.192/26 (50 hosts)
Four point-to-point links with 2 hosts each: subnets to be determined.
VLSM Example (Cont.)
VLSM address: 172.16.33.0/30
In binary: 10101100.00010000.00100001.00000000 (Network | Subnet | VLSM Subnet | Host)
1st subnet: 172.16.33.0000 00|00 = 172.16.33.0/30
2nd subnet: 172.16.33.0000 01|00 = 172.16.33.4/30
3rd subnet: 172.16.33.0000 10|00 = 172.16.33.8/30
4th subnet: 172.16.33.0000 11|00 = 172.16.33.12/30
VLSM Example (Cont.)
LAN Subnets Derived from 172.16.32.0/20:
172.16.32.0/26 (50 hosts)
172.16.32.64/26 (50 hosts)
172.16.32.128/26 (50 hosts)
172.16.32.192/26 (50 hosts)
Point-to-point subnets: 172.16.33.0/30, 172.16.33.4/30, 172.16.33.8/30, 172.16.33.12/30 (2 hosts each)
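The VLSM plan above computed programmatically, as an added example that is not part of the original deck: it sizes each subnet with the 2^n - 2 usable-host rule and carves them out of 172.16.32.0/20 largest-first so that every block starts on a boundary aligned to its size. The host counts are the slide's (four LANs of 50 hosts, four links of 2 hosts); the function names are my own.

```python
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix whose usable host count (2^n - 2) still covers 'hosts'."""
    if hosts < 1:
        raise ValueError("a subnet needs at least one host")
    host_bits = 1
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def allocate_vlsm(region: str, host_counts: list) -> list:
    """Return [(hosts, 'network/prefix'), ...] carved from 'region' in descending size order."""
    region_net = ipaddress.ip_network(region)
    cursor = int(region_net.network_address)
    last = int(region_net.broadcast_address)
    plan = []
    # Largest requirement first: each block then lands on a multiple of its own size,
    # so no address space is wasted on alignment padding between blocks.
    for hosts in sorted(host_counts, reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 1 << (32 - prefix)
        cursor = (cursor + size - 1) // size * size   # align up to the block size
        if cursor + size - 1 > last:
            raise ValueError(f"{region} is exhausted when placing a subnet for {hosts} hosts")
        plan.append((hosts, f"{ipaddress.IPv4Address(cursor)}/{prefix}"))
        cursor += size
    return plan


def plan_is_consistent(region: str, plan: list) -> bool:
    """Cross-check: every block lies inside the region and no two blocks overlap."""
    region_net = ipaddress.ip_network(region)
    nets = [ipaddress.ip_network(cidr) for _, cidr in plan]
    inside = all(n.subnet_of(region_net) for n in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint


if __name__ == "__main__":
    slide_plan = allocate_vlsm("172.16.32.0/20", [50, 50, 50, 50, 2, 2, 2, 2])
    for hosts, cidr in slide_plan:
        print(f"{cidr:20} {hosts} hosts")
    print("consistent:", plan_is_consistent("172.16.32.0/20", slide_plan))
```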
Summary
1) Networks, particularly large networks, are often divided into smaller subnetworks, or
subnets, which can improve network performance and control.
2) The subnet mask defines the number of bits that represent the network part or subnet
part of an IP address.
3) End systems use subnet masks to identify the destination IP address as either local or
remote.
4) A default gateway is needed to send a packet out of the local network.
5) Determining the optimal number of subnets and hosts depends on the type of network and
the number of host addresses required.
6) The algorithm for computing a number of subnets is 2^n, where n is the number of subnet
bits.
7) VLSM lets you allocate IP addresses more efficiently by adding multiple layers to the
addressing hierarchy.
Understanding the TCP/IP Transport Layer
TCP/IP Transport Layer Functions
(Figure: TCP and UDP at the Transport layer, between the Application layer above and the Internet and Link layers below.)
Session multiplexing
Identification of different applications
Segmentation *
Flow control *
Connection-oriented *
Reliability *
* When required
Reliable vs. Best-Effort Transport
 | Reliable | Best Effort
Protocol | TCP | UDP
Connection Type | Connection-oriented | Connectionless
Sequencing | Yes | No
Uses | Email, File sharing, Downloading | Video streaming, Voice streaming
TCP vs. UDP Analogy
TCP is like a registered letter: the source sends it, the destination receives it, and an ACK is returned.
UDP is like a regular letter: best-effort delivery from source to destination, with no ACK.
UDP Characteristics
UDP Characteristics (Cont.)
TCP Characteristics
TCP Characteristics (Cont.)
TCP header fields: Source Port, Destination Port, Sequence Number, Acknowledgment Number, Header Length, Reserved, Flags, Window Size, TCP Checksum, Urgent Pointer, Options, Data
TCP/IP Applications, Protocols and Port Numbers
Application Layer | Port | Transport Layer
FTP | 21 | TCP
SSH | 22 | TCP
Telnet | 23 | TCP
HTTP | 80 | TCP
HTTPS | 443 | TCP
DNS | 53 | TCP and UDP
TFTP | 69 | UDP
SNMP | 161 | UDP
Network Layer: IPv4, IPv6
Summary
1) The purpose of the transport layer is to hide the network requirements
from the application layer and to ensure end-to-end transfer of
application data.
2) Connection-oriented transport provides reliable transport.
Connectionless transport provides best-effort transport.
3) UDP is a protocol that operates at the transport layer and provides
applications with access to the network layer without the overhead of
the reliability mechanisms of TCP. UDP is a connectionless, best-effort
delivery protocol.
4) TCP is a protocol that operates at the transport layer and provides
applications with access to the network layer. TCP is connection-oriented and provides reliable transport.
5) Port numbers identify applications.
Exploring the Functions of Routing
Role of a Router
Routers are required to reach hosts that are not in the local network.
Routers use a routing table to route between networks.
(Figure: Host A on 192.168.1.0/24 behind the router's Fa0/0, Host B on 192.168.2.0/24 behind Fa0/1.)
Routing Table:
192.168.1.0/24 Fa0/0
192.168.2.0/24 Fa0/1
Router Characteristics
Router components:
CPU
Motherboard
Memory: RAM, ROM, Flash
Ports
Management: For the connection of a terminal used for management
Network: Various LAN or WAN media ports
Router Functions
Path determination
Packet forwarding
Path Determination
Routers select the best path to the destination among various sources.
Administrative distance defines the reliability of the route source.
(Figure: "Should I use the EIGRP or OSPF best path?" "Which path?" The OSPF best path is chosen.)
Routing Table
(Figure: router R2 with interfaces S0/0/0, fa0/0 and fa0/1 connecting networks 10.1.1.0, 10.1.2.0, 10.1.3.0 and 10.8.3.0.)
Network | Interface or Next Hop
10.1.2.0, 10.1.1.0, 10.8.3.0, 10.1.3.0 (interface or next hop not shown)
Types of Routes
Dynamic Routing Protocols
(Figure: alternative paths to Host B over 100 Mb/s and 1 Gb/s links, compared by metric: Bandwidth, Delay, Cost, Hop Count.)
Distance Vector vs. Link State
Summary
1) Routers enable internetwork communication.
2) Routers include various ports and hardware similar to PCs.
3) The primary functions of a router are path determination and packet
forwarding.
4) Routers select the best path from among different sources, based on
administrative distance.
5) Routing tables provide an ordered list of best paths to known networks.
6) Routers use various types of routes: directly connected networks and
static, dynamic, and default routes.
7) Dynamic routing protocols use different metrics to calculate the best
path.
Configuring a Cisco Router
Initial Router Startup
Initial startup:
Before you start the router, verify the power and cooling requirements, cabling, and console
connection.
Push the power switch to On.
System startup routines initiate the router software.
Cisco IOS Software output text appears on the console.
Initial Router Setup
A configured router with an existing configuration displays a user EXEC mode prompt.
A router without an existing configuration enters the system configuration dialog.
Configuring Router Interfaces
Enters Serial 0/0/0 interface configuration mode and adds descriptive text
Configuring Router Interfaces (Cont.)
Configuring the Cisco Router IP Address
(Figure: router with S0/0/0 172.18.0.1 toward 172.18.0.2, and Gi0/0 192.168.1.1.)
Router show ip interface brief Command
Router show ip interface brief Command (Cont.)
Router show interfaces Command
Verifies the statistics for all interfaces that are configured on the router
Exploring Connected Devices
(Figure: router with Gi0/0 192.168.1.1 and S0/0/0 172.18.0.1; the device at the far end is unknown, marked "?".)
Cisco Discovery Protocol
A proprietary utility that gathers information about directly connected Cisco switches,
routers, and other Cisco devices
Discovers neighboring devices, regardless of which protocol suite they are running
LLDP is an alternative, standards-based discovery protocol
Information gathered includes upper-layer entry addresses and media.
Discovering Neighbors
(Figure: SW1 10.1.1.11 on Fa0/13 connects to Branch Gi0/0 10.1.1.1; Branch S0/0/0 192.168.1.1 connects to HQ S0/0/1 192.168.1.2.)
Displays information about neighboring devices discovered with Cisco Discovery Protocol
Using the show cdp neighbors detail Command
(Figure: the same topology: SW1 10.1.1.11 Fa0/13, Branch Gi0/0 10.1.1.1 and S0/0/0 192.168.1.1, HQ S0/0/1 192.168.1.2.)
Summary
1) The router startup sequence begins with POST, then the Cisco IOS image is
found and loaded. Finally, the configuration file is loaded, if it exists.
2) If a router starts without a configuration, the Cisco IOS Software
executes a question-driven configuration dialog, which can be skipped.
3) The main function of a router is to relay packets from one network device
to another.
4) Interface characteristics, such as the IP address and description, are
configured using interface configuration mode.
5) When you have completed router interface configuration, you can verify it
by using the show ip interface brief and show interfaces commands.
Exploring the Packet Delivery Process
Layer 2 Addressing
Layer 2 characteristics:
Ethernet uses MAC addresses
Identifies end devices in the LAN.
Enables the packet to be carried by the local media across each segment.
Layer 2 Addressing (Cont.)
Layer 2 addressing:
The router has two interfaces directly connected to two PCs.
Each PC and each router interface has its own unique MAC address.
(Figure, L2 = Layer 2: PC L2 = 0800:0222:2222; router interfaces L2 = 0800:0333:2222 and L2 = 0800:0333:1111; PC L2 = 0800:0222:1111.)
Layer 3 Addressing
Layer 3 addressing:
Layer 3 addresses must include identifiers that enable intermediary network devices to locate
hosts on different networks.
TCP/IP protocol stack uses IP.
Layer 3 Addressing (Cont.)
Layer 3 addresses are assigned to hosts and network devices that provide Layer 3 functions.
Network devices maintain a routing table.
Routing Table
192.168.3.0/24 Interface Gi0/0
192.168.4.0/24 Interface Gi0/1
(Figure, L3 = Layer 3: PC L3 = 192.168.3.1; router Gi 0/0 L3 = 192.168.3.2; router Gi 0/1 L3 = 192.168.4.1; PC L3 = 192.168.4.2.)
Address Resolution Protocol
(Figure: ARP on Ethernet.)
Address Resolution Protocol (Cont.)
The ARP table keeps a record of recent bindings of IP addresses to MAC addresses.
On the PC:
On the router:
Host-to-Host Packet Delivery (Step 1 of 16)
Topology used in all 16 steps:
Host A: L3 = 192.168.3.1, L2 = 0800:0222:2222
Router Gi0/0: L3 = 192.168.3.2, L2 = 0800:0333:2222
Router Gi0/1: L3 = 192.168.4.1, L2 = 0800:0333:1111
Host B: L3 = 192.168.4.2, L2 = 0800:0222:1111
Host-to-Host Packet Delivery (Step 2 of 16)
The APP Data receives a UDP HDR and an IP header: SRC IP 192.168.3.1, DST IP 192.168.4.2.
Host-to-Host Packet Delivery (Step 3 of 16)
The packet waits in the "parking lot" until the Layer 2 address of the next hop is known.
Host-to-Host Packet Delivery (Step 4 of 16)
Host-to-Host Packet Delivery (Step 5 of 16)
Host A sends an ARP Request: DST MAC Broadcast, SRC MAC 0800:0222:2222. The packet stays in the parking lot.
Host-to-Host Packet Delivery (Step 6 of 16)
Router: I just received an ARP request. Let me add host 192.168.3.1 to my ARP table with MAC address of 0800:0222:2222.
Host-to-Host Packet Delivery (Step 7 of 16)
The router sends an ARP Reply: DST MAC 0800:0222:2222, SRC MAC 0800:0333:2222.
Host-to-Host Packet Delivery (Step 8 of 16)
Host A receives the ARP Reply; the parked packet can now be sent.
Host-to-Host Packet Delivery (Step 9 of 16)
Host A sends the frame: DST MAC 0800:0333:2222, SRC MAC 0800:0222:2222, carrying DST IP 192.168.4.2, SRC IP 192.168.3.1, UDP HDR, APP Data.
Host-to-Host Packet Delivery (Step 10 of 16)
The router receives the frame and examines the IP packet inside it: DST IP 192.168.4.2, SRC IP 192.168.3.1, UDP HDR, APP Data.
Host-to-Host Packet Delivery (Step 11 of 16)
The router consults its routing table; the packet waits in the parking lot.
Destination | Next Hop | Interface
192.168.3.0/24 | Connected | Gi 0/0
192.168.4.0/24 | Connected | Gi 0/1
Host-to-Host Packet Delivery (Step 12 of 16)
The router sends an ARP Request on the 192.168.4.0/24 segment: DST MAC Broadcast, SRC MAC 0800:0333:1111.
Host-to-Host Packet Delivery (Step 13 of 16)
The ARP Request reaches Host B.
Host-to-Host Packet Delivery (Step 14 of 16)
Host B sends an ARP Reply: DST MAC 0800:0333:1111, SRC MAC 0800:0222:1111.
Host-to-Host Packet Delivery (Step 15 of 16)
The router receives the ARP Reply.
Host-to-Host Packet Delivery (Step 16 of 16)
The router forwards the frame: DST MAC 0800:0222:1111, SRC MAC 0800:0333:1111, carrying DST IP 192.168.4.2, SRC IP 192.168.3.1, UDP HDR, APP Data.
Role of the Switch in Packet Delivery (Step 1 of 4)
MAC | Port
0800:0222:2222 | Fa0/1
Host A (L3 = 192.168.3.1, L2 = 0800:0222:2222) on Fa0/1 sends the ARP Request (DST MAC Broadcast). The router Gi0/0 (L3 = 192.168.3.2, L2 = 0800:0333:2222) is on Fa0/3; Fa0/6 is the third port.
Role of the Switch in Packet Delivery (Step 2 of 4)
MAC | Port
0800:0222:2222 | Fa0/1
The ARP Request (DST MAC Broadcast, SRC MAC 0800:0222:2222) is flooded out Fa0/3 and Fa0/6.
Role of the Switch in Packet Delivery (Step 3 of 4)
MAC | Port
0800:0222:2222 | Fa0/1
0800:0333:2222 | Fa0/3
The router on Fa0/3 receives the ARP Request and answers; the switch learns 0800:0333:2222 on Fa0/3.
Role of the Switch in Packet Delivery (Step 4 of 4)
MAC | Port
0800:0222:2222 | Fa0/1
0800:0333:2222 | Fa0/3
The ARP Reply (SRC MAC 0800:0333:2222) is forwarded out Fa0/1 according to the MAC table.
Summary
1) If hosts are not in the same network, the frame is sent to the default
gateway.
2) Frames sent to the default gateway have the local host source MAC address
and the default gateway destination MAC address.
3) A router changes the Layer 2 address as needed, but it does not change
the Layer 3 address.
4) The switch does not change the frame in any way; it just forwards the
frame out on the proper port according to the MAC address table.
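The 16-step delivery and the four summary points above reduced to code, as an added example that is not part of the original deck: each node decides local versus remote with its mask, resolves the next hop through an ARP exchange (the responder learns the asker, as in step 6), and the router rewrites only the Layer 2 addresses. The IP and MAC addresses are the slide's; the class and function names, and the routing table consisting only of the two connected networks, are my assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

BROADCAST = "FFFF:FFFF:FFFF"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    payload: str


@dataclass
class Iface:
    ip: str
    mac: str
    prefix: int
    arp: dict = field(default_factory=dict)  # IP -> MAC, filled only by ARP exchanges

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.ip}/{self.prefix}", strict=False)

    def is_local(self, ip: str) -> bool:
        """Subnet-mask test: is 'ip' on this interface's own segment?"""
        return ipaddress.ip_address(ip) in self.network()


class Lan:
    """One Ethernet segment: every attached interface hears the others' broadcasts."""

    def __init__(self, *ifaces: Iface):
        self.ifaces = list(ifaces)
        self.log = []  # (kind, sender_ip, target_ip, dst_mac) for every ARP message seen

    def arp_resolve(self, asker: Iface, target_ip: str) -> str:
        """Return the MAC for target_ip from the cache or via an ARP request/reply exchange."""
        if target_ip in asker.arp:
            return asker.arp[target_ip]
        self.log.append(("request", asker.ip, target_ip, BROADCAST))
        for other in self.ifaces:
            if other is not asker and other.ip == target_ip:
                other.arp[asker.ip] = asker.mac  # step 6: the responder learns the asker
                self.log.append(("reply", other.ip, asker.ip, asker.mac))
                asker.arp[target_ip] = other.mac  # step 8: the asker learns the responder
                return other.mac
        raise LookupError(f"no interface with {target_ip} on this segment")


def host_send(lan: Lan, host: Iface, gateway_ip: str, dst_ip: str, payload: str) -> Frame:
    """Steps 2-9: resolve the destination if local, otherwise the default gateway."""
    next_hop = dst_ip if host.is_local(dst_ip) else gateway_ip
    dst_mac = lan.arp_resolve(host, next_hop)
    return Frame(host.mac, dst_mac, host.ip, dst_ip, payload)


class Router:
    def __init__(self, ifaces: list, lan_of: dict):
        self.ifaces = ifaces  # routing table = the connected networks only, as on the slide
        self.lan_of = lan_of  # interface MAC -> the Lan that interface is attached to

    def route(self, dst_ip: str) -> Iface:
        for iface in self.ifaces:
            if iface.is_local(dst_ip):
                return iface
        raise LookupError(f"no route to {dst_ip}")

    def forward(self, frame: Frame) -> Frame:
        """Steps 10-16: pick the exit interface, resolve the destination, rewrite Layer 2 only."""
        out = self.route(frame.dst_ip)
        dst_mac = self.lan_of[out.mac].arp_resolve(out, frame.dst_ip)
        return Frame(out.mac, dst_mac, frame.src_ip, frame.dst_ip, frame.payload)


def run_slide_scenario() -> dict:
    """Replay the slide's delivery from 192.168.3.1 to 192.168.4.2 through the router."""
    host_a = Iface("192.168.3.1", "0800:0222:2222", 24)
    gi0 = Iface("192.168.3.2", "0800:0333:2222", 24)
    gi1 = Iface("192.168.4.1", "0800:0333:1111", 24)
    host_b = Iface("192.168.4.2", "0800:0222:1111", 24)
    lan_a, lan_b = Lan(host_a, gi0), Lan(gi1, host_b)
    router = Router([gi0, gi1], {gi0.mac: lan_a, gi1.mac: lan_b})
    hop1 = host_send(lan_a, host_a, gateway_ip=gi0.ip, dst_ip=host_b.ip, payload="APP Data")
    hop2 = router.forward(hop1)
    return {"hop1": hop1, "hop2": hop2, "lan_a": lan_a.log, "lan_b": lan_b.log,
            "arp": {"host_a": host_a.arp, "gi0": gi0.arp, "gi1": gi1.arp, "host_b": host_b.arp}}


if __name__ == "__main__":
    result = run_slide_scenario()
    print(result["hop1"])  # src 0800:0222:2222 -> dst 0800:0333:2222, IPs 192.168.3.1 -> 192.168.4.2
    print(result["hop2"])  # src 0800:0333:1111 -> dst 0800:0222:1111, same IPs
```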
Enabling Static Routing
Routing Operations
(Figure: networks 10.120.2.0 and 172.16.1.0.)
Routing Operations (Cont.)
A router must learn about destinations that are not directly connected to it.
The routing table is used to determine the best path to the destination.
Network Protocol | Destination Network | Exit Interface | Next Hop
Connected | 10.120.2.0 | fa0/0 |
Learned | 172.16.1.0 | s0/0/0 | 172.20.1.2
Static and Dynamic Routing Comparison
Static routes:
A network administrator manually enters static routes into the router.
A network topology change requires a manual update to the route.
When to Use Static Routing
Static Route Configuration
Configure unidirectional static routes to and from a stub network to allow communication to
occur.
(Figure: Stub Network 172.16.1.0 reached over s0/0/0 across a link using 172.16.2.2 and 172.16.2.1, with Network 10.0.0.0 on the far side.)
Static Route Configuration (Cont.)
Static route pointing to next-hop IP.
Default Routes
This route allows the stub network to reach all known networks beyond Router A.
Static Route Configuration Verification
Static Route Configuration Verification (Cont.)
Verifying the Default Route Configuration
To verify the default route configuration, examine the routing table on RouterB:
Summary
1) Routing is the process by which items get from one location to another.
Routers can forward packets over static routes or dynamic routes.
2) Static routes are entered manually by a network administrator. Dynamic
routes are learned by a routing protocol, and dynamic routes change
automatically when circumstances in the network change.
3) Unidirectional static routes must be configured to and from a stub network
to allow communication to occur.
4) The ip route command can be used to configure default route forwarding.
5) The show ip route command is used to verify that static routing is
properly configured. Static routes are signified in the command output by
S in the first position.
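How a router picks the entry that forwards a packet (connected, static and default routes, longest prefix wins), as an added Python model that is not part of the deck and not IOS code. It uses the deck's table entries (10.120.2.0 connected on fa0/0, 172.16.1.0 learned via 172.20.1.2 on s0/0/0); the /24 prefix lengths, the connected 172.20.1.0/24 link and the default route are this example's assumptions.

```python
"""Longest-prefix routing-table lookup with connected, static and default routes."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    source: str                      # "C" connected, "S" static, "S*" static default
    network: ipaddress.IPv4Network
    exit_interface: str
    next_hop: Optional[str] = None   # None for directly connected networks


def build_table() -> List[Route]:
    # Entries from the deck's routing-operations slide; prefix lengths, the
    # connected serial link and the default route are assumptions for this example.
    return [
        Route("C", ipaddress.ip_network("10.120.2.0/24"), "fa0/0"),
        Route("S", ipaddress.ip_network("172.16.1.0/24"), "s0/0/0", "172.20.1.2"),
        Route("C", ipaddress.ip_network("172.20.1.0/24"), "s0/0/0"),
        Route("S*", ipaddress.ip_network("0.0.0.0/0"), "s0/0/0", "172.20.1.2"),
    ]


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Return the most specific matching route: the longest prefix wins."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def forward(table: List[Route], destination: str) -> str:
    """Describe the forwarding decision for one destination address."""
    route = lookup(table, destination)
    if route is None:
        return "drop: no route"          # no default route: packet is discarded
    if route.next_hop is None:
        return f"deliver on {route.exit_interface} (directly connected)"
    return f"send to {route.next_hop} via {route.exit_interface} ({route.source})"


if __name__ == "__main__":
    table = build_table()
    for dst in ("10.120.2.7", "172.16.1.9", "172.20.1.2", "8.8.8.8"):
        print(dst, "->", forward(table, dst))
```

Note that without the S* entry the last lookup is dropped: a default route turns every otherwise-unroutable destination into forwarded traffic, which is exactly what the stub network wants and what a transit router usually does not.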
Managing Traffic Using ACLs
Understanding ACLs
What is an ACL?
An ACL is a Cisco IOS tool for traffic identification.
An ACL is a list of permit and deny statements.
An ACL identifies traffic based on the information within the IP packet.
After traffic is identified, different actions can be taken.
ACLs can be used on routers and switches.
ACL Operation
ACL tests:
An ACL consists of a series of permit and deny statements.
An ACL is consulted in top-down order.
The first match executes the permit or deny action and stops further ACL matching.
There is an implicit deny all statement at the end of each ACL.
[Flowchart: for each statement in turn, Match? No: go to the next statement; Yes: apply its Permit or Deny. A Permit match: Packet Permitted. A Deny match, or no match after the last statement (Implicit Deny): Packet Discarded.]
ACL Wildcard Masking
Wildcard bits: how to check the corresponding address bits:
0 means to match the value of the corresponding address bit.
1 means to ignore the value of the corresponding address bit.
[Diagram: octet bit weights (128, 64, 32, 16, ...) alongside the wildcard mask bits]
ACL Wildcard Masking (Cont.)
Wildcard Bit Mask Abbreviations
A wildcard mask of 0.0.0.0 checks all address bits, so 172.30.16.29 0.0.0.0 matches only that one address.
Abbreviate this wildcard mask using the IP address preceded by the keyword host (host 172.30.16.29).
0.0.0.0 255.255.255.255 ignores all address bits.
Abbreviate this expression with the keyword any.
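The wildcard-bit rule and the host/any abbreviations above, as an added Python example (not the deck's material and not IOS code). It also goes one step beyond the slides: a wildcard mask does not have to be contiguous, so 0.0.1.255 selects every other /24 in a /23, which is why a mistyped wildcard can silently widen a permit statement.

```python
"""ACL wildcard-mask matching: 0 bits must match, 1 bits are ignored."""
import ipaddress
from typing import Tuple


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(entry_addr: str, wildcard: str, packet_addr: str) -> bool:
    """True if packet_addr matches entry_addr under the wildcard mask."""
    care = ~to_int(wildcard) & 0xFFFFFFFF            # 1 where the ACL checks the bit
    return (to_int(entry_addr) ^ to_int(packet_addr)) & care == 0


def expand_abbreviation(token: str) -> Tuple[str, str]:
    """Translate the 'host A.B.C.D' and 'any' shorthands to (address, wildcard)."""
    parts = token.split()
    if parts == ["any"]:
        return ("0.0.0.0", "255.255.255.255")       # ignore every address bit
    if len(parts) == 2 and parts[0] == "host":
        return (parts[1], "0.0.0.0")                # check every address bit
    if len(parts) == 2:
        return (parts[0], parts[1])
    raise ValueError(f"bad address token: {token!r}")


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard that matches one CIDR block, e.g. /24 -> 0.0.0.255."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


def matched_count(wildcard: str) -> int:
    """Number of addresses a wildcard selects: 2 ** (number of ignored bits)."""
    return 1 << bin(to_int(wildcard)).count("1")


if __name__ == "__main__":
    print(wildcard_matches("172.30.16.29", "0.0.0.0", "172.30.16.29"))   # True
    print(expand_abbreviation("host 172.30.16.29"), expand_abbreviation("any"))
    print(wildcard_for_prefix(24), matched_count("0.0.1.255"))          # 0.0.0.255 512
```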
Types of ACLs
Standard ACL:
Checks source IP address
Extended ACL:
Checks source and destination IP address
[Diagram: frame header (for example, HDLC), packet (IP header) with the Source Address, segment (for example, TCP header), data; the standard ACL tests the source address and permits or denies the packet]
Types of ACLs (Cont.)
Numbered Standard: 1-99, 1300-1999
Numbered Extended: 100-199, 2000-2699
Named
Basic Configuration of Numbered Standard IPv4 ACLs
Basic Configuration of Numbered Standard IPv4 ACLs (Cont.)
Summary
Enabling Internet Connectivity
The Demarcation Point
[Diagram: customer premises equipment (CPE) on the LAN side of the demarcation point: router, CSU/DSU, cable modem, media converter, DSL modem, wireless router; the ISP on the other side]
Dynamic Host Configuration Protocol
Understanding DHCP:
DHCP is a client-server model.
A DHCP server allocates network addresses and delivers configurations.
A DHCP client is a host that requests an IP address and configuration from a DHCP server.
[Diagram: DHCP server with IP address pool 192.168.1.1-192.168.1.250 allocating addresses to DHCP clients]
Dynamic Host Configuration Protocol (Cont.)
Options for DHCP Server IP Address
[Diagram: customer LAN and Internet, showing where the DHCP server assigning the IP address can sit]
Configuring DHCP Client
[Diagram: company LAN, router Gi0/0 toward the Internet]
Router automatically injects a default route based on the optional default gateway parameter received with the assigned IP address.
[Diagram: DHCP server, customer LAN, Internet]
Public vs. Private IPv4 Addresses
Private address ranges:
Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255
Public address ranges:
Class A: 1.0.0.0 to 9.255.255.255 and 11.0.0.0 to 126.255.255.255
Class B: 128.0.0.0 to 172.15.255.255 and 172.32.0.0 to 191.255.255.255
Class C: 192.0.0.0 to 192.167.255.255 and 192.169.0.0 to 223.255.255.255
Introducing NAT
NAT allows private users to access the Internet by sharing one or more public IP addresses.
[Diagram: LAN host 10.1.1.100, NAT router translating the IP address, Internet side 209.165.201.5]
Types of Addresses in NAT
Types of Addresses in NAT (Cont.)
[Diagram: inside hosts 10.1.1.100 and 10.1.1.101 appear as 209.165.201.5 and 209.165.201.6 toward the Internet (outside)]
NAT Table
Inside Local IPv4 Address   Outside Global IPv4 Address
10.1.1.100                  209.165.201.5
10.1.1.101                  209.165.201.6
Types of NAT
Understanding Static NAT
[Diagram: inside hosts 10.1.1.100 and 10.1.1.101 behind the NAT router; outside Host B 209.165.202.131 across the Internet. Step 1: 10.1.1.101 sends to 209.165.202.131 and the router translates the source to 209.165.201.5. Step 2: the reply addressed to 209.165.201.5 is translated back to 10.1.1.101.]
NAT Table
Inside Local IPv4 Address   Inside Global IPv4 Address   Outside Global IPv4 Address
10.1.1.101                  209.165.201.5                209.165.202.131
Configuring Static NAT
[Diagram: inside host 10.1.1.2; router Gi0/0 (inside) 10.1.1.1, Gi0/1 (outside) 209.165.201.1; Internet]
Verifying Static NAT Configuration
Verify static NAT configuration.
[Diagram: inside host 10.1.1.100; router Gi0/0 10.1.1.1, Gi0/1 209.165.201.1; Internet]
Understanding Dynamic NAT
[Diagram: inside hosts 10.1.1.100 and 10.1.1.101 behind the NAT router; outside Host B 209.165.202.131 across the Internet. Step 1: 10.1.1.101 sends to Host B and is translated to 209.165.201.5, taken from the pool; 10.1.1.100 is translated to 209.165.201.6.]
NAT Table
Inside Local IPv4 Address   Inside Global IPv4 Address   Outside Global IPv4 Address
10.1.1.101                  209.165.201.5                209.165.202.131
10.1.1.100                  209.165.201.6                209.165.202.131
Configuring Dynamic NAT
Configure ACL
[Diagram: inside hosts 10.1.1.100 and 10.1.1.101; router Gi0/0 (inside) 10.1.1.1, Gi0/1 (outside) 209.165.201.1; Internet]
Verifying Dynamic NAT Configuration
[Diagram: same topology]
Understanding PAT
[Diagram: inside hosts 10.1.1.100 and 10.1.1.101 share the single inside global address 209.165.201.5; outside Host B 209.165.202.131 and Host C 209.165.202.132 across the Internet. Steps 1 to 3: each inside socket is mapped to a distinct port on 209.165.201.5.]
NAT Table
Protocol   Inside Local IPv4 Address   Inside Global IPv4 Address   Outside Global IPv4 Address
TCP        10.1.1.100:1723             209.165.201.5:1723           209.165.202.131:23
TCP        10.1.1.101:1927             209.165.201.5:1927           209.165.202.132:23
TCP        10.1.1.101:1723             209.165.201.5:1724           209.165.202.131:23
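How the PAT table above is built and used in both directions, as an added Python model that is not the deck's material and not IOS code. It reproduces the three rows of the table (including the port clash: two inside hosts both using source port 1723 toward the same server, the second of which is moved to 1724) and shows that an inbound packet with no matching entry is dropped. The "keep the port if free, otherwise take the next free one" allocation is this example's assumption, not a statement about how IOS allocates ports.

```python
"""Port Address Translation: many inside-local sockets share one inside-global address."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Socket = Tuple[str, int]          # (IPv4 address, port)


@dataclass(frozen=True)
class Translation:
    protocol: str
    inside_local: Socket
    inside_global: Socket
    outside_global: Socket


class PatTable:
    def __init__(self, inside_global_ip: str):
        self.global_ip = inside_global_ip
        self.used_ports: Dict[Tuple[str, int], bool] = {}             # (proto, port) -> taken
        self.by_local: Dict[Tuple[str, Socket, Socket], Translation] = {}
        self.by_global: Dict[Tuple[str, Socket, Socket], Translation] = {}

    def _allocate_port(self, protocol: str, wanted: int) -> int:
        # Keep the original source port when it is free (as the deck's table shows);
        # otherwise take the next free port above it (this example's assumption).
        port = wanted
        while (protocol, port) in self.used_ports:
            port += 1
            if port > 65535:
                raise RuntimeError("no free ports for " + protocol)
        self.used_ports[(protocol, port)] = True
        return port

    def outbound(self, protocol: str, inside_local: Socket, outside: Socket) -> Translation:
        """Translate an inside-to-outside packet, creating an entry on first sight."""
        key = (protocol, inside_local, outside)
        if key in self.by_local:                   # existing flow: reuse its entry
            return self.by_local[key]
        port = self._allocate_port(protocol, inside_local[1])
        t = Translation(protocol, inside_local, (self.global_ip, port), outside)
        self.by_local[key] = t
        self.by_global[(protocol, t.inside_global, outside)] = t
        return t

    def inbound(self, protocol: str, to_global: Socket, from_outside: Socket) -> Optional[Socket]:
        """Map a returning packet back to the inside socket; None means no entry, so drop it."""
        t = self.by_global.get((protocol, to_global, from_outside))
        return t.inside_local if t else None


if __name__ == "__main__":
    pat = PatTable("209.165.201.5")
    for local, remote in ((("10.1.1.100", 1723), ("209.165.202.131", 23)),
                          (("10.1.1.101", 1927), ("209.165.202.132", 23)),
                          (("10.1.1.101", 1723), ("209.165.202.131", 23))):
        print(pat.outbound("TCP", local, remote))
```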
Configuring PAT
Configure ACL
[Diagram: inside hosts 10.1.1.100 and 10.1.1.101; router Gi0/0 (inside) 10.1.1.1, Gi0/1 (outside) 209.165.201.1; Internet]
Verifying PAT Configuration
Verify PAT configuration.
[Diagram: same topology]
Troubleshooting NAT
[Flowchart: "No connectivity to the outside." Are translations occurring? (show ip nat translations, show ip nat statistics, show access-lists)
No: check that the NAT ACL is identifying the correct traffic; check that there are enough addresses in the pool; check that the inside/outside interfaces are correctly defined; check that there is traffic initiating a translation.
Yes: check that the remote router has a return route back to the translated address (show ip route). Connectivity? Yes / No.]
Troubleshooting NAT (Cont.)
Troubleshooting NAT (Cont.)
To display detailed dynamic data and events, you can use debug commands.
A debug command can intensively use device resources. Use it carefully on production equipment.
Always turn off debug after troubleshooting with the no debug all command.
Troubleshooting NAT (Cont.)
[Diagram: inside host 10.1.1.100; NAT router 10.1.1.1 / 209.165.201.1; Branch router 209.165.201.2]
If translations are occurring, but there is no connectivity, verify that the remote router has a route to the translated address.
Troubleshooting NAT Case Study
Host A and host B are unable to ping after a new NAT configuration is put in place.
[Diagram: Host A 10.1.1.100 on Gi0/0 (10.1.1.1); Gi0/1 209.165.201.1 toward the Internet; Host B 209.165.201.131. Ping fails!]
Troubleshooting NAT Case Study (Cont.)
Troubleshooting NAT Case Study (Cont.)
[Diagram: same topology]
Troubleshooting NAT Case Study (Cont.)
The router interfaces are incorrectly defined as NAT inside and NAT outside.
[Diagram: same topology. Ping fails!]
Troubleshooting NAT Case Study (Cont.)
Troubleshooting NAT Case Study (Cont.)
[Diagram: same topology. Ping fails!]
Troubleshooting NAT Case Study (Cont.)
[Diagram: same topology. Ping successful!]
Verify that translations are occurring and you have connectivity to the remote network.
Summary
Summary (Cont.)
Managing Network Device Security
Network Device Security Overview
Electrical threats
Maintenance threats
Improper handling
Poor cabling
Inadequate labeling
Securing Access to Privileged EXEC Mode
Securing Access to Privileged EXEC Mode (Cont.)
Securing Console Access
Console password:
EXEC timeout:
Securing Remote Access
EXEC timeout:
Securing Remote Access (Cont.)
Configuring SSH:
Securing Remote Access (Cont.)
Securing Remote Access (Cont.)
Enabling Remote Access Connectivity
[Diagram: Switch X with default gateway 10.1.1.1]
Limiting Remote Access with ACLs
Use an ACL to permit Telnet access from 10.1.1.0/24 but deny everybody else:
[Diagram: Branch router; PC1 10.1.1.100/24, PC2 10.1.1.100/24]
External Authentication Options
[Diagram: a console user requests authentication from the network device, which forwards the request to the authentication server]
Configuring the Login Banner
Summary
1) Security threats to network devices include remote access threats, physical and
local access threats, environmental threats, electrical threats, and maintenance
threats.
2) You can secure a network device by using passwords to restrict access.
3) You can secure console access to a network device by using console passwords and by
using an EXEC timeout setting to prevent access from connected terminals.
4) You can secure a network device for Telnet and SSH access by using vty passwords to
restrict access and an EXEC timeout setting to prevent access from connected
terminals.
5) You can secure a network device for Telnet and SSH access by using an ACL to limit
the users who can access the device.
6) If you want a scalable option instead of a local authentication database, use the
RADIUS or TACACS+ external authentication service.
7) Use the banner command to configure a login or MOTD banner.
Implementing Device Hardening
Securing Unused Ports
Disabling an Interface (Port)
To shut down multiple ports, use the interface range command and then the shutdown command.
The Fa0/1, Fa0/2, and Fa0/3 interfaces are disabled in the example.
Port Security
How do you prevent users from connecting unauthorized host devices to the network?
Port Security (Cont.)
Configuring Port Security
To configure port security on the Fa0/5 port to limit and identify the MAC addresses of stations that are allowed to access the port, do as follows:
1. Enable port security
2. Set the MAC address limit
3. Specify the allowable MAC addresses (optional)
4. Define the violation action
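What a port behaves like once the four steps above are applied, as an added Python model (not the deck's material and not IOS code). It assumes the three IOS violation modes protect, restrict and shutdown and models their documented effects: protect silently drops the offending frames, restrict drops them and counts/reports the violation, shutdown puts the port into the err-disabled state so that nothing passes until an administrator re-enables it. The MAC addresses are constructed.

```python
"""Switch-port security model: MAC limit, allowed addresses and violation actions."""
from dataclasses import dataclass, field
from typing import Set


@dataclass
class SecuredPort:
    name: str
    max_macs: int = 1                               # step 2: the MAC address limit
    allowed: Set[str] = field(default_factory=set)  # step 3: statically allowed MACs
    violation: str = "shutdown"                     # step 4: protect | restrict | shutdown
    learned: Set[str] = field(default_factory=set)  # dynamically learned secure MACs
    err_disabled: bool = False
    violations: int = 0

    def receive(self, src_mac: str) -> str:
        """Return what the port does with a frame whose source address is src_mac."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "dropped: port is err-disabled"
        if mac in self.allowed or mac in self.learned:
            return "forwarded"
        if len(self.allowed | self.learned) < self.max_macs:
            self.learned.add(mac)                   # learn new MACs until the limit is reached
            return "forwarded (learned)"
        # Limit reached and the source is not a secure MAC: a violation.
        self.violations += 1
        if self.violation == "protect":
            return "dropped"                        # silent discard, nothing logged
        if self.violation == "restrict":
            return "dropped, violation counter incremented, SNMP trap/syslog sent"
        self.err_disabled = True                    # shutdown: the whole port goes down
        return "dropped, port err-disabled"


if __name__ == "__main__":
    fa05 = SecuredPort("Fa0/5", max_macs=1, allowed={"0800.0222.2222"})
    print(fa05.receive("0800.0222.2222"))          # forwarded
    print(fa05.receive("0800.0333.2222"))          # dropped, port err-disabled
```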
Port Security Verification
Displays the port security settings that are defined for an interface
Displays the port security settings that are defined for the FastEthernet 0/5 interface
Port Security Verification (Cont.)
Displays the port security violation for the FastEthernet 0/5 interface
Port Security Verification (Cont.)
Port Security Verification (Cont.)
Disabling Unused Services
Some services on Cisco devices may not be needed and therefore can be disabled, providing these benefits:
Helps preserve system resources
Eliminates the potential for security exploits on the disabled services
Disabling Unused Services (Cont.)
Disabling Unused Services (Cont.)
Network Time Protocol
Network Time Protocol (Cont.)
A router can act as an NTP server and client. Other devices (NTP clients) synchronize time with the router (NTP server).
Configuring NTP
Configure the Branch router as the NTP client, which will synchronize its time with the NTP server.
Configure the SW1 switch as the NTP client, which will synchronize its time with the Branch router.
[Diagram: NTP server 209.165.201.15; Branch router (NTP client, .1 on 10.1.1.0/24); SW1 switch (NTP client)]
Verifying NTP
Displays the status of NTP associations
Summary
1) Secure unused ports by disabling interfaces.
2) The port security feature restricts a switch port to a specific set or
number of MAC addresses.
3) Before port security can be activated, the port mode must be set to
static switchport mode.
4) Use the show port-security interface command to display the port
security settings that are defined for an interface.
5) Some services on Cisco devices may not be needed and therefore can be
disabled.
6) NTP provides time synchronization between network devices.
7) A Cisco router can act as an authoritative NTP server.
8) Use the show ntp associations command to display the status of NTP
associations.
Implementing Traffic Filtering with ACLs
Using ACLs to Filter Network Traffic
[Diagram: PC1 and PC2 behind the router]
ACL Operation
[Flowchart: packet arrives on inbound interface E0. Routing table entry? N: discard packet, notify sender. Y: choose outbound interface (S0 or S1). ACL on that interface? N: forward packet. Y: test ACL statements. Permit? Y: forward packet. N: discard packet, notify sender.]
Applying ACLs to Interfaces
Important: Only one ACL per protocol, per direction, and per interface is allowed.
Applying ACLs to Interfaces (Cont.)
Example:
Deny Internet access for a specific host (10.1.1.101).
Allow all other LAN hosts to access the Internet.
[Diagram: PC1 10.1.1.100 and PC2 10.1.1.101 on Gi0/0; Gi0/1 toward the Internet]
The Need for Extended ACLs
How can you prevent PC2 from accessing only a specific server on the Internet?
How can you allow other users only web access?
[Diagram: PC1 10.1.1.100 and PC2 10.1.1.101 on Gi0/0; Gi0/1 toward the Internet; server 209.165.202.197]
The Need for Extended ACLs (Cont.)
[Diagram: frame header (for example, HDLC); packet (IP header) with Protocol, Source Address and Destination Address; segment (for example, TCP header) with Port Number; data. The extended ACL tests these fields and permits or denies the packet.]
Configuring Numbered Extended IPv4 ACLs
Configuring Named ACLs
Configuring Named ACLs (Cont.)
Edit an ACL in the access-list configuration mode to deny web access for host 10.1.1.25:
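The two extended-ACL questions above (block PC2 from one server, give everyone else web access only) and the named-ACL edit that denies web access for host 10.1.1.25, worked as an added Python evaluator that is not the deck's material and not IOS code. The ACL entries are constructed to match the scenario; the deck does not show the actual access-list lines. The last assertion shows why the sequence number of the inserted deny matters: placed after the permit, it never matches.

```python
"""Top-down, first-match evaluation of an extended IPv4 ACL with implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(entry_addr: str, wildcard: str, packet_addr: str) -> bool:
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(entry_addr) ^ _ip(packet_addr)) & care == 0


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                       # "permit" | "deny"
    protocol: str                     # "ip" | "tcp" | "udp" | "icmp"
    src: Tuple[str, str]              # (address, wildcard)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None    # "eq <port>" on the destination; None = any port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


ANY = ("0.0.0.0", "255.255.255.255")


def host(addr: str) -> Tuple[str, str]:
    return (addr, "0.0.0.0")


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False                  # "ip" matches every protocol
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return wildcard_matches(*ace.src, pkt.src) and wildcard_matches(*ace.dst, pkt.dst)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL in sequence order; the first match wins; implicit deny at the end."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return (ace.action, ace.seq)
    return ("deny", None)             # the implicit deny all


def lan_web_only_acl() -> List[Ace]:
    """Constructed ACL for the deck's scenario: PC2 (10.1.1.101) may not reach the
    server 209.165.202.197; everyone else in 10.1.1.0/24 gets web (TCP/80) access only."""
    return [
        Ace(10, "deny", "ip", host("10.1.1.101"), host("209.165.202.197")),
        Ace(20, "permit", "tcp", ("10.1.1.0", "0.0.0.255"), ANY, 80),
    ]


def with_host_web_denied(acl: List[Ace], addr: str, seq: int = 15) -> List[Ace]:
    """Add 'deny tcp host <addr> any eq 80' at the given sequence number, the way a
    named ACL is edited in access-list configuration mode."""
    if any(a.seq == seq for a in acl):
        raise ValueError(f"sequence {seq} already in use")
    return acl + [Ace(seq, "deny", "tcp", host(addr), ANY, 80)]


if __name__ == "__main__":
    acl = with_host_web_denied(lan_web_only_acl(), "10.1.1.25")
    print(evaluate(acl, Packet("tcp", "10.1.1.25", "198.51.100.7", 80)))   # ('deny', 15)
```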
ACL Configuration Guidelines
An ACL can filter traffic going through the router or traffic to and from the router, depending on how it is applied.
Monitoring ACLs
Monitoring ACLs (Cont.)
Troubleshooting Common ACL Errors: Scenario 1
[Diagram shared by scenarios 1 to 7: Branch router with an inbound ACL; networks 10.10.1.0/24 (host 10.10.1.1), 192.168.1.0/24 and 172.16.0.0/16 on the Branch side; Branch S0/0/0 10.160.22.11 linked to the far router S0/0/0 10.160.22.33; the far side 10.1.1.1 with hosts 10.1.1.2 and 10.1.1.101]
Troubleshooting Common ACL Errors: Scenario 2
Troubleshooting Common ACL Errors: Scenario 3
Users from the 192.168.1.0 network cannot open a TFTP session to 10.1.1.2.
Troubleshooting Common ACL Errors: Scenario 4
Users from the 172.16.0.0 network can use Telnet to connect to 10.1.1.2, but this connection should not be allowed.
Troubleshooting Common ACL Errors: Scenario 5
Host 10.10.1.1 can use Telnet to connect to 10.1.1.2, but this connection should not be allowed.
Troubleshooting Common ACL Errors: Scenario 6
Host 10.1.1.2 can use Telnet to connect to 10.10.1.1, but this connection should not be allowed.
Troubleshooting Common ACL Errors: Scenario 7
Host 10.10.1.1 can use Telnet to connect into the Branch router IP address, but this connection should not be allowed.
Summary
Summary (Cont.)
Module Summary
1) You should secure network devices by using passwords to restrict console, SSH,
and Telnet access.
2) Device hardening includes disabling unused ports, disabling unneeded services,
configuring the port security feature, and configuring NTP.
3) ACLs can be used for traffic filtering.
Routing Between VLANs
Purpose of Inter-VLAN Routing
[Diagram: VLAN 10 host 10.1.10.100/24, VLAN 20 host 10.1.20.100/24]
Options for Inter-VLAN Routing
Options for Inter-VLAN Routing (Cont.)
[Diagram: router with one physical interface per VLAN: fa0/0 10.1.10.1 in VLAN 10 (host 10.1.10.100/24) and fa0/1 10.1.20.1 in VLAN 20 (host 10.1.20.100/24)]
Options for Inter-VLAN Routing (Cont.)
[Diagram: router with a trunk link; subinterfaces fa0/0.10 10.1.10.1 for VLAN 10 and fa0/0.20 10.1.20.1 for VLAN 20]
Options for Inter-VLAN Routing (Cont.)
[Diagram: Layer 3 switch with fa0/0 10.1.10.1 (VLAN 10) and fa0/1 10.1.20.1 (VLAN 20)]
Configuring Router with Trunk Link
Configure the router for inter-VLAN routing.
[Diagram: switch ports Fa0/1 in VLAN 10, Fa0/3 in VLAN 20, and Fa0/13 as the trunk link toward the router]
Configuring Router with Trunk Link (Cont.)
Assigns ports to specific VLANs and configures the port toward the router as a trunk
Configure the switch for inter-VLAN routing.
[Diagram: router Gi0/0 connected to switch port Fa0/13; Fa0/1 in VLAN 10, Fa0/3 in VLAN 20]
Configuring Router with Trunk Link (Cont.)
Configuring Router with Trunk Link (Cont.)
Summary
Using Cisco Network Device as DHCP Server
Need for DHCP Server
Understanding DHCP Server
[Diagram: end host and DHCP server exchange 1 Discover (broadcast), 2 Offer (unicast), 3 Request (broadcast), 4 Acknowledge (unicast)]
Configuring DHCP Server
Configuration scenario:
1. Configure a DHCP server on a Cisco router
2. Assign IP addresses from address pool 10.1.50.0/24 with a lease time of 12 hours
3. Do not assign IP addresses from 10.1.50.1 to 10.1.50.50
Additional parameters: default gateway, domain name, and DNS server
[Diagram: the subnet served by the DHCP server]
Configuring DHCP Server (Cont.)
Monitoring DHCP Server Functions
Monitoring DHCP Server Functions (Cont.)
Monitoring DHCP Server Functions (Cont.)
DHCP Relay Agent
DHCP Relay Agent (Cont.)
[Diagram: end host, relay agent (Gi 0/0) and DHCP server: 1 Discover (broadcast) from the host, 2 Discover relayed to the server, 3 Offer (unicast) to the relay, 4 Offer to the host, 5 Request (broadcast), 6 Request relayed, 7 Acknowledge (unicast) to the relay, 8 Acknowledge to the host]
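The server side of the Discover/Offer/Request/Acknowledge exchange, for the configuration scenario above (pool 10.1.50.0/24, 12-hour lease, 10.1.50.1 to 10.1.50.50 excluded) and for clients behind a relay agent, as an added Python model that is not the deck's material and not IOS code. The default-router, domain-name and dns-server values are this example's assumptions; the relay agent is represented by the giaddr field it fills in, which is what lets the server pick the right pool. The model also handles the failure cases a practitioner cares about: a REQUEST for an address that was never offered is NAKed, a DISCOVER from a subnet with no pool gets no reply, and expired leases return to the pool.

```python
"""DHCP server model: pool with an excluded range, lease timer, options, and the
Discover/Offer/Request/Acknowledge exchange with or without a relay agent."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional

LEASE_12H = 12 * 3600


@dataclass
class Pool:
    network: ipaddress.IPv4Network
    excluded_low: ipaddress.IPv4Address
    excluded_high: ipaddress.IPv4Address
    lease_seconds: int
    options: Dict[str, str]                                  # default-router, domain-name, dns-server
    leases: Dict[str, ipaddress.IPv4Address] = field(default_factory=dict)   # mac -> ip
    expiry: Dict[str, int] = field(default_factory=dict)                     # mac -> expiry time

    def is_assignable(self, ip: ipaddress.IPv4Address) -> bool:
        if self.excluded_low <= ip <= self.excluded_high:    # ip dhcp excluded-address range
            return False
        return ip not in self.leases.values()

    def next_free(self) -> Optional[ipaddress.IPv4Address]:
        for ip in self.network.hosts():                      # hosts() skips network/broadcast
            if self.is_assignable(ip):
                return ip
        return None


class DhcpServer:
    def __init__(self, pool: Pool):
        self.pool = pool
        self.offers: Dict[str, ipaddress.IPv4Address] = {}   # mac -> offered ip

    def _pool_for(self, giaddr: str) -> Optional[Pool]:
        # giaddr 0.0.0.0: the client is on a directly attached subnet. Otherwise a
        # relay agent wrote its interface address there, and that selects the pool.
        if giaddr == "0.0.0.0" or ipaddress.ip_address(giaddr) in self.pool.network:
            return self.pool
        return None

    def _expire(self, now: int) -> None:
        for mac, until in list(self.pool.expiry.items()):
            if until <= now:
                del self.pool.expiry[mac]
                del self.pool.leases[mac]

    def _reply(self, kind: str, msg: dict, ip: ipaddress.IPv4Address) -> dict:
        giaddr = msg.get("giaddr", "0.0.0.0")
        return {"type": kind, "chaddr": msg["chaddr"], "yiaddr": str(ip),
                "lease": self.pool.lease_seconds,
                "relayed_via": None if giaddr == "0.0.0.0" else giaddr,   # unicast to the relay
                **self.pool.options}

    def handle(self, msg: dict, now: int) -> Optional[dict]:
        """Process one client message; return the server's reply, or None for no reply."""
        self._expire(now)
        pool = self._pool_for(msg.get("giaddr", "0.0.0.0"))
        if pool is None:
            return None                                      # no pool for that subnet
        mac = msg["chaddr"]
        if msg["type"] == "DISCOVER":
            ip = pool.leases[mac] if mac in pool.leases else pool.next_free()
            if ip is None:
                return None                                  # pool exhausted
            self.offers[mac] = ip
            return self._reply("OFFER", msg, ip)
        if msg["type"] == "REQUEST":
            ip = ipaddress.ip_address(msg["requested_ip"])
            if self.offers.get(mac) != ip and pool.leases.get(mac) != ip:
                return {"type": "NAK", "chaddr": mac}        # not what this server offered
            pool.leases[mac] = ip
            pool.expiry[mac] = now + pool.lease_seconds
            self.offers.pop(mac, None)
            return self._reply("ACK", msg, ip)
        return None


def scenario_pool() -> Pool:
    """The deck's scenario: pool 10.1.50.0/24, 12-hour lease, 10.1.50.1-10.1.50.50 excluded.
    The option values are this example's assumptions."""
    return Pool(ipaddress.ip_network("10.1.50.0/24"),
                ipaddress.ip_address("10.1.50.1"), ipaddress.ip_address("10.1.50.50"),
                LEASE_12H,
                {"default-router": "10.1.50.1", "domain-name": "example.com",
                 "dns-server": "10.1.50.10"})
```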
Summary
Introducing WAN Technologies
Introducing WANs
What is a WAN?
Introducing WANs (Cont.)
[Diagram: the WAN and the Internet connect the Main Office with the Branch, Regional Office, Remote Office, Home Offices, Mobile Worker and Business Partners]
WANs vs. LANs
Area / Ownership / Cost:
LANs: owned by the organization; fixed cost
WANs: service provider (SP) network; recurring cost
WANs vs. LANs (Cont.)
[Diagram: LANs at each site connected through service provider (SP) WANs]
Role of Routers in WANs
[Diagram: routers connecting each LAN to the SP WAN]
WAN Communication Link Options
Dedicated
Switched
Internet
Point-to-Point Connectivity
Ethernet emulation:
Simple
Affordable
Flexible
[Diagram: London Office and HQ connected across the Service Provider Network between the two demarcs]
Configuring Point-to-Point Link
[Diagram: HQ router Gi0/1 toward the SP network, Gi0/0 toward the LAN]
Summary
Introducing Dynamic Routing Protocols
Purpose of Dynamic Routing Protocols
Purpose of Dynamic Routing Protocols (Cont.)
[Diagram: networks 10.1.1.0 and 172.16.0.0 with the routing table:]
Network Protocol   Destination Network   Exit Interface
EIGRP              10.1.1.0              FA0/1
OSPF               172.16.0.0            FA0/2
Purpose of Dynamic Routing Protocols (Cont.)
Interior and Exterior Routing Protocols
[Diagram: IGPs inside each autonomous system; EGPs (BGP) between autonomous systems]
Distance Vector Routing Protocols
Understanding Link-State Routing Protocols
[Diagram: routers A, B, C and D exchange link-state packets to build the topological database; the SPF algorithm computes the SPF tree, from which the routing table is built]
Understanding Link-State Routing Protocols (Cont.)
Hierarchical routing:
Consists of areas and autonomous systems
[Diagram: an autonomous system containing Area 0, Area 1 and Area 2]
Summary
1) Routing protocols are a set of processes, algorithms, and messages that are
used to exchange routing information.
2) IGPs operate within an AS, while EGPs connect different autonomous systems.
3) The distance vector routing approach determines the direction (vector) and
distance to any link in the internetwork.
4) Routers running link-state routing protocols maintain their own view of the
network, so the router is less likely to propagate incorrect information that
is provided by another router.
Implementing OSPF
Introducing OSPF
Floods LSAs to all OSPF routers in the area, not just directly connected routers
Pieces together all of the LSAs that are generated by the OSPF routers to create the OSPF link-state database
Uses the SPF algorithm to calculate the shortest path to each destination and places it in the routing table
OSPF Adjacencies
[Diagram: neighboring routers exchange Hello packets]
Hello packet contents: Router ID, Hello/Dead Interval*, Neighbors, Area ID*, Router Priority, DR IP Address, BDR IP Address, Authentication Data* (* = must match on both neighbors for the adjacency to form)
SPF Algorithm
[Diagram: routers R1, R2, R3 and R4 with link and LAN costs 1, 4, 10, 20, 10, 2, 10 and 10]
SPF Algorithm (Cont.)
[Diagram: LSAs are collected into the link-state database; SPF computes the best routes and the SPF tree]
R1 SPF Tree
Destination   Shortest Path   Cost
R2 LAN        R1 to R2        14
R3 LAN        R1 to R3        22
R4 LAN        R1 to R4        30
Routing Table
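The SPF computation that turns a link-state database into the "R1 SPF Tree" table above, as an added Python example (Dijkstra's algorithm; not the deck's material and not IOS code). The link costs are constructed for this example, chosen so that the resulting LAN costs from R1 come out as the deck's 14, 22 and 30; they are not a reconstruction of the slide's figure. Each router's LAN is attached as a cost on top of the path to that router.

```python
"""Shortest Path First (Dijkstra) over a link-state database, as OSPF computes routes."""
import heapq
from typing import Dict, List, Tuple

# Constructed link-state database: every router lists its links and their cost.
# These costs are this example's own choice, not the deck's figure.
LSDB: Dict[str, Dict[str, int]] = {
    "R1": {"R2": 4, "R3": 20},
    "R2": {"R1": 4, "R3": 8, "R4": 20},
    "R3": {"R1": 20, "R2": 8, "R4": 8},
    "R4": {"R2": 20, "R3": 8},
}
LAN_COST: Dict[str, int] = {"R2": 10, "R3": 10, "R4": 10}   # cost of each router's LAN


def spf(lsdb: Dict[str, Dict[str, int]], root: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Return (cost to each router, parent on the SPF tree) computed from root."""
    cost = {root: 0}
    parent: Dict[str, str] = {}
    heap = [(0, root)]
    done = set()
    while heap:
        c, node = heapq.heappop(heap)
        if node in done:                      # stale heap entry
            continue
        done.add(node)
        for nbr, link_cost in lsdb[node].items():
            new = c + link_cost
            if new < cost.get(nbr, float("inf")):
                cost[nbr] = new
                parent[nbr] = node
                heapq.heappush(heap, (new, nbr))
    return cost, parent


def path(parent: Dict[str, str], root: str, target: str) -> List[str]:
    """Walk the SPF tree back from target to root."""
    hops = [target]
    while hops[-1] != root:
        hops.append(parent[hops[-1]])
    return list(reversed(hops))


def routing_table(lsdb, lan_cost, root) -> Dict[str, Tuple[int, str]]:
    """Destination LAN -> (total cost, next hop), like the deck's 'R1 SPF tree' table."""
    cost, parent = spf(lsdb, root)
    table = {}
    for router, lan in lan_cost.items():
        if router == root:
            continue
        hops = path(parent, root, router)
        table[f"{router} LAN"] = (cost[router] + lan, hops[1])
    return table


if __name__ == "__main__":
    for dest, (total, nh) in routing_table(LSDB, LAN_COST, "R1").items():
        print(f"{dest}: cost {total} via {nh}")
```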
Router ID
The number by which the router is known to OSPF can be set manually using the router-id command.
If router-id is not configured, the highest IP address on the active loopback interface at the moment of OSPF process startup is selected as the router ID.
If there is no active loopback interface, then the router selects the highest IP address on the active interface at the moment of OSPF process startup.
Router ID (Cont.)
Configuring Single-Area OSPF
Configure OSPF
[Diagram: Branch router with Gi0/0.1 10.1.1.0/24, Gi0/0.10 10.1.10.0/24, Gi0/0.20 10.1.20.0/24 and Gi0/1 192.168.1.1; HQ router with Gi0/1 192.168.1.2 and 172.16.1.10/24]
Configuring Single-Area OSPF (Cont.)
[Diagram: same topology]
Configuring Single-Area OSPF (Cont.)
Announced Default Route
[Diagram: same topology; HQ announces a default route]
Verifying OSPF Configuration
Verifies that OSPF on the Branch router is routing for all networks that it needs to
Verifying OSPF Configuration (Cont.)
Shows which interfaces are enabled for the OSPF routing process
Verifying OSPF Configuration (Cont.)
Verifying OSPF Configuration (Cont.)
Summary
5) The show ip ospf neighbor command displays OSPF neighbor information on a per-interface basis.
Module Summary
1) VLANs are independent LAN networks that address segmentation, security, and organizational
flexibility.
2) Inter-VLAN communication cannot occur without a Layer 3 device (a Layer 3 switch or
router).
3) The DHCP server provides dynamic IP address assignments to end hosts, reducing errors and
the time that is needed to administer address assignment.
4) A WAN is a collection of LANs, and routers play a central role in transmitting data
through these networks.
5) Routing protocols are a set of processes, algorithms, and messages that are used to
exchange routing information.
6) Configuration of basic OSPF requires two steps:
Enable the OSPF routing process.
Identify the networks to advertise.
Introducing IPv6
IPv4 Addressing Exhaustion Workarounds
To extend the lifetime and usefulness of IPv4 and circumvent address shortage, several mechanisms were created:
CIDR
VLSM
NAT
DHCP
Over the years, hardware support has been added to devices to support IPv4 enhancements.
Problems with IPv4 Addressing Workarounds
IPv6 Features
Simpler header:
Routing code streamlined, simpler processing in hardware
Transition richness:
Several mechanisms available, including dual-stacking
IPv6 Addresses
2001:0DB8:010F:0001:0000:0000:0000:0ACD
2001:DB8:10F:1:0:0:0:ACD
2001:DB8:10F:1::ACD
IPv6 Address Types
Unicast
Anycast
Multicast
Broadcast (not used in IPv6; multicast takes its place)
IPv6 Unicast Addresses
[Diagram: global unicast address allocation with /23, /32, /48 and /64 prefix boundaries; a 128-bit address is a 64-bit prefix followed by a 64-bit Interface ID]
IPv6 Unicast Addresses (Cont.)
Private: Link local (starts with FE80::/10): the first 10 bits are 1111 1110 10, followed by zeros and the 64-bit Interface ID
Loopback (::1)
Unspecified (::)
Reserved: Used by
EUI-64 Interface ID Assignment
[Diagram: the 48-bit MAC address 00:90:27:17:FC:0F is split in the middle and FF:FE is inserted, giving the 64-bit version 00:90:27:FF:FE:17:FC:0F. The U/L bit of the first octet (bit pattern 000000X0) is then set to X = 1, giving the EUI-64 interface ID 02:90:27:FF:FE:17:FC:0F, where X = 1 means universally unique and X = 0 means locally unique.]
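The two text rules from the "IPv6 Addresses" slide (drop leading zeros, then replace the longest run of all-zero groups with ::) and the EUI-64 construction from the figure above, as an added Python example that is not the deck's material and not IOS code. The compressor follows RFC 5952: only runs of two or more zero groups are replaced, and on a tie the first run wins; it is checked against the standard library's ipaddress module in the test. The MAC address 00:90:27:17:FC:0F is the figure's; all other inputs are constructed.

```python
"""IPv6 address text rules (leading-zero and :: compression) and EUI-64 interface IDs."""
import ipaddress
from typing import List


def expand(addr: str) -> List[str]:
    """Eight 4-hex-digit groups from any textual form (handles one '::')."""
    if "::" in addr:
        left, right = addr.split("::")
        lhs = left.split(":") if left else []
        rhs = right.split(":") if right else []
        groups = lhs + ["0"] * (8 - len(lhs) - len(rhs)) + rhs
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("not an IPv6 address: " + addr)
    return [g.zfill(4).upper() for g in groups]


def compress(addr: str) -> str:
    """Drop leading zeros in each group, then replace the longest run of all-zero
    groups (first one on a tie; only runs of 2 or more) with '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr)]
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + ["x"]):          # sentinel closes a trailing run
        if g == "0":
            run_start = i if run_start is None else run_start
            if i - run_start + 1 > best_len:        # strict >: first longest run wins
                best_start, best_len = run_start, i - run_start + 1
        else:
            run_start = None
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def eui64_interface_id(mac: str) -> str:
    """Insert FF:FE in the middle of the 48-bit MAC and flip the U/L bit (bit 1 of byte 0)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                                  # universal/local bit
    hexstr = eui.hex()
    return ":".join(hexstr[i:i + 4] for i in range(0, 16, 4)).upper()


def link_local(mac: str) -> str:
    """FE80::/10 link-local address built from the EUI-64 interface ID."""
    return compress("FE80:0:0:0:" + eui64_interface_id(mac))


if __name__ == "__main__":
    print(compress("2001:0DB8:010F:0001:0000:0000:0000:0ACD"))   # 2001:DB8:10F:1::ACD
    print(eui64_interface_id("0090.2717.FC0F"))                  # 0290:27FF:FE17:FC0F
    print(link_local("00:90:27:17:FC:0F"))                       # FE80::290:27FF:FE17:FC0F
```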
IPv6 Addresses Allocation
Basic IPv6 Connectivity
Cisco IOS IPv6 Configuration Example
[Diagram: Branch 2001:db8:D1A5:C900::1 and HQ 2001:db8:D1A5:C900::2]
Cisco IOS IPv6 Configuration Example (Cont.)
Basic IPv6 Connectivity (Cont.)
Summary
To extend the lifetime and usefulness of IPv4 and circumvent address shortage, several
mechanisms were created: CIDR, VLSM, NAT, and DHCP.
Main IPv6 features are larger address space, simpler header, security, mobility, and transition
richness.
IPv6 addresses are represented as a series of eight 16-bit hexadecimal fields that are separated
by colons.
There are several basic types of IPv6 unicast addresses: global, reserved, private (link-local),
loopback, and unspecified.
IPv6 addresses can be allocated by manual assignment with or without EUI-64. Addresses can also
be obtained automatically through stateless or stateful autoconfiguration.
Understanding IPv6
IPv6 Header Changes and Benefits
[Diagram: IPv4 header, 32 bits wide, 20 octets plus variable-length options and padding, followed by the addresses and the data portion]
IPv6 Header Changes and Benefits (Cont.)
[Diagram: IPv6 header, 32 bits wide, fixed 40 octets including Next Header, Hop Limit and the Destination Address, followed by variable-length extension header information and the data portion]
ICMPv6
[Diagram: IPv6 basic header with Next Header = 58, followed by the ICMPv6 packet: ICMPv6 Type, ICMPv6 Code, Checksum, ICMPv6 Data]
Router discovery (router solicitation, router advertisement)
Neighbor Discovery
Neighbor discovery performs the same functions in IPv6 as ARP does in IPv4.
Neighbor discovery:
Determines the link layer address of a neighbor
Finds neighbor routers on the link
Queries for duplicate addresses
Is achieved by using ICMPv6 with IPv6 multicast
Stateless Autoconfiguration
[Diagram: Router Advertisement]
Stateless Autoconfiguration (Cont.)
Router solicitations
At boot time, nodes send router solicitations to promptly receive router advertisements.
Router solicitation packet:
[Diagram: Router Solicitation followed by Router Advertisement]
Stateless Autoconfiguration (Cont.)
[Diagram: Branch sends a Router Solicitation; HQ answers with a Router Advertisement]
Summary
The IPv6 header has removed unnecessary fields, resulting in a more streamlined, simpler
protocol.
ICMPv6 provides diagnostic, router, and neighbor discovery.
Neighbor discovery is a critical process that allows neighbors to determine the link-layer address
that is associated with a given IPv6 address.
Autoconfiguration provides a type of network plug-and-play feature, in which devices can assign
their own address, based on router-provided information.
Configuring IPv6 Routing
Routing for IPv6
Routing for IPv6 (Cont.)
Static IPv6 Routing
[Diagram: Branch Gi0/1 2001:DB8:D1A5:C900::1 and HQ Gi0/1 2001:DB8:D1A5:C900::2, with the Internet and a server beyond HQ; labels: Default route, Static route]
Static Routing (Cont.)
Static Routing (Cont.)
Static Routing (Cont.)
Verify IPv6 connectivity from the Branch router to IPv6 address 2001:db8:AC10:100::64:
OSPFv3
[Diagram: Branch (Router ID 0.0.0.2, Gi0/0 and Gi0/1) and HQ (Router ID 0.0.0.1, Gi0/1 and Gi0/0); prefix 2001:DB8:A01::/48]
OSPFv3 (Cont.)
OSPFv3 (Cont.)
OSPFv3 (Cont.)
OSPFv3 (Cont.)
Summary
Cisco supports all of the major IPv6 routing protocols: RIPng, OSPFv3, and EIGRP.
Configure the IPv6 static and default route by using the ipv6 route command.
OSPFv3 is enabled per link and not per network. OSPFv3 adjacencies use link-local addresses to communicate.
Module
Summary
IPv6 includes a number of features that make it attractive for building global-scale,
highly effective networks. The larger address space and autoconfiguration provide
important capabilities.
Neighbor discovery is used on-link for router solicitation and advertisement, for neighbor
solicitation and advertisement, and for the redirection of nodes to the best gateway.
You can use and configure IPv6 static routing in the same way that you would with IPv4.
OSPFv3 is one of the dynamic routing protocols that supports IPv6.