CCNA RS


Table of Contents

COMPARE AND CONTRAST OSI AND TCP/IP MODELS: .... 13
    Open Systems Interconnection Model: .... 13
        Problem: .... 13
        7) Application Layer: .... 13
        6) Presentation Layer: .... 13
        5) Session Layer: .... 14
        4) Transport Layer: .... 14
        3) Network Layer: .... 14
        2) Data Link Layer: .... 14
        1) Physical Layer: .... 14
    TCP/IP Model: .... 15
COMPARE AND CONTRAST TCP AND UDP PROTOCOLS: .... 16
IMPACT OF INFRASTRUCTURE COMPONENTS ON ENTERPRISE NETWORK: .... 17
    Firewall: .... 17
    Access Points: .... 17
    Wireless Controllers: .... 17
DESCRIBE THE EFFECTS OF CLOUD RESOURCES ON ENTERPRISE NETWORK: .... 17
    Traffic Path to Internal and External Cloud Services: .... 17
    Virtual Services: .... 17
    Cloud Services: .... 17
        Software as a Service (SaaS): .... 17
        Platform as a Service (PaaS): .... 18
        Infrastructure as a Service (IaaS): .... 18
COMPARE & CONTRAST COLLAPSED CORE & THREE-TIER ARCHITECTURES: .... 18
    Three-Tier Architectures: .... 18
        Core Layer: .... 18
        Distribution Layer: .... 18
        Access Layer: .... 18
    Benefits of Cisco Three-Layer Hierarchical Model: .... 18

Created by Ahmad Ali, E-Mail: [email protected], Mobile: 0580906422, Page 1 of 107

    Collapsed Core: .... 19
COMPARE AND CONTRAST NETWORK TOPOLOGIES: .... 19
    Star Topology: .... 19
        Advantages of Star Topology: .... 19
        Disadvantages of Star Topology: .... 19
    Mesh Topology: .... 20
    Hybrid Topology: .... 20
    Ring Topology: .... 21
APPROPRIATE CABLING TYPE BASED ON IMPLEMENTATION REQUIREMENTS: .... 21
    Cable Combinations: .... 21
    Ethernet UTP Categories: .... 22
TROUBLESHOOTING METHODOLOGIES TO RESOLVE PROBLEMS: .... 22
    Problem Isolation: .... 22
    Documentation: .... 22
    Resolve: .... 22
    Escalate: .... 23
    Verify and Monitor: .... 23
CONFIGURE, VERIFY, AND TROUBLESHOOT IPV4 ADDRESSING: .... 23
    IPv4 Classes: .... 23
    Loopback Address: .... 23
    Unicast Address Type: .... 24
    Broadcast Address Type: .... 24
    Multicast Address Type: .... 24
    Class E Address: .... 24
    Zero Address: .... 24


    Subnet Mask: .... 24
    Network and Host Portions: .... 25
    Network Mask: .... 25
    Network Address: .... 25
    Private Addresses: .... 25
    APIPA: .... 26
COMPARE AND CONTRAST IPV6 ADDRESS TYPES: .... 26
    Why Use IPv6: .... 26
    Benefits of Using IPv6: .... 26
    IPv6 Address Representation: .... 26
    Global Unicast Addresses: .... 27
    Unique Local: .... 27
    Link-Local Addresses: .... 27
    Multicast: .... 27
    Anycast: .... 28
    Modified EUI-64: .... 28
    Stateless Address Autoconfiguration (SLAAC): .... 28
    IPv4-Compatible IPv6 Addresses: .... 29
    IPv6 Loopback Addresses: .... 29
CONFIGURE, VERIFY, AND TROUBLESHOOT IPV6 ADDRESSING: .... 29
CONFIGURE AND VERIFY IPV6 STATELESS ADDRESS AUTOCONFIGURATION: .... 29
IPV4 SUBNETTING: .... 30
    Benefit of Subnetting: .... 30
    Pre-Requisites for Subnetting: .... 30


    Subnetting Terminology: .... 31
    Subnetting Math: .... 31
    Class A Subnets: .... 32
    Class B Subnets: .... 33
    Class C Subnets: .... 33
LAN SWITCHING: .... 34
    MAC Learning and Aging: .... 34
    Frame Switching: .... 34
    Frame Flooding: .... 35
    MAC Address Table: .... 35
CONFIGURING SPEED, DUPLEX, AND DESCRIPTION: .... 35
CONFIGURE, VERIFY, AND TROUBLESHOOT VLANS: .... 36
    Access Port: .... 36
    VLAN Database: .... 36
    Normal VLAN: .... 37
    Extended VLANs: .... 37
    Voice VLAN: .... 37
CONFIGURE, VERIFY, AND TROUBLESHOOT INTERSWITCH CONNECTIVITY: .... 37
    Trunk Ports: .... 37
    Manual Pruning: .... 37
    DTP (Dynamic Trunking Protocol): .... 38
    VTP (VLAN Trunking Protocol): .... 38
    VLAN Trunking Protocol (VTP): .... 39
    VTP Versions: .... 39


    VTP Version 1 & 2 Modes: .... 39
        Server Mode: .... 39
        Client Mode: .... 39
        Transparent Mode: .... 39
    VTP Configuration Revision Number: .... 39
    Configuration Revision Numbers: .... 39
    VTP Pruning: .... 40
    802.1Q or Dot1Q: .... 40
    Native VLAN: .... 40
CONFIGURE, VERIFY, AND TROUBLESHOOT SPANNING TREE: .... 41
    PVST+: .... 41
    RPVST+: .... 41
    Switch Priority: .... 42
    Port Priority: .... 42
    Path Cost: .... 42
    Spanning Tree Timers: .... 43
        Hello Time: .... 43
        Forward Delay: .... 43
        Maximum Age: .... 43
CONFIGURE, VERIFY, AND TROUBLESHOOT STP OPTIONAL FEATURES: .... 43
    PortFast: .... 43
    BPDU Guard: .... 43
CONFIGURE AND VERIFY LAYER 2 PROTOCOLS: .... 44
CONFIGURE AND VERIFY ETHERCHANNEL: .... 45
    LACP (Link Aggregation Control Protocol): .... 45
    PAgP (Port Aggregation Protocol): .... 45
    EtherChannel Static: .... 46


    Layer 3 EtherChannel: .... 46
BENEFITS OF SWITCH STACKING AND CHASSIS AGGREGATION: .... 47
    Switch Stacking: .... 47
    Chassis Aggregation: .... 47
ROUTING CONCEPTS: .... 48
    Packet Handling & Forwarding Decision: .... 48
    Frame Rewrite: .... 48
COMPONENTS OF A ROUTING TABLE: .... 48
    Routing Prefix & Network Mask: .... 49
    Next Hop: .... 49
    Routing Protocol Code: .... 49
    Administrative Distance: .... 49
    Metric: .... 49
    Gateway of Last Resort: .... 49
ADMINISTRATIVE DISTANCE ROLE IN ROUTING TABLE: .... 50
CONFIGURE, VERIFY, AND TROUBLESHOOT INTER-VLAN ROUTING: .... 50
    Router on a Stick: .... 50
    SVI (Switch Virtual Interface): .... 51
COMPARE & CONTRAST STATIC ROUTING & DYNAMIC ROUTING: .... 53
    Static Routing: .... 53
        Advantages of Static Routing: .... 53
        Disadvantages of Static Routing: .... 53
    Dynamic Routing: .... 53
        Advantages of Dynamic Routing: .... 53


        Disadvantages of Dynamic Routing: .... 53
COMPARE & CONTRAST DISTANCE VECTOR & LINK STATE ROUTING PROTOCOLS: .... 54
    Distance Vector: .... 54
    Link State: .... 54
COMPARE & CONTRAST INTERIOR & EXTERIOR ROUTING PROTOCOLS: .... 54
    Interior Gateway Protocol (IGP): .... 54
    Exterior Gateway Protocol (EGP): .... 54
CONFIGURE, VERIFY, AND TROUBLESHOOT IPV4 STATIC ROUTING: .... 55
    Default Route: .... 55
    Network Route: .... 55
    Host Route: .... 55
    Floating Static Routes: .... 55
CONFIGURE & VERIFY SINGLE AREA & MULTI-AREA OSPFV2 FOR IPV4: .... 56
CONFIGURE, VERIFY, AND TROUBLESHOOT EIGRP FOR IPV4: .... 59
CONFIGURE, VERIFY, AND TROUBLESHOOT RIPV2 FOR IPV4: .... 60
    Split Horizon: .... 60
    Hop Counts: .... 61
    Route Poisoning: .... 61
CONFIGURE & VERIFY SINGLE-HOMED CONNECTIVITY USING EBGP IPV4: .... 62
    Advantage of BGP: .... 62
    BGP Speaker: .... 62
    Internal BGP (iBGP): .... 63
    Type of Connection to ISP: .... 63
        Single Homed: .... 63


        Dual Homed: .... 63
        Single Multi-Homed: .... 64
        Dual Multi-Homed: .... 64
    BGP Configuration: .... 64
CONFIGURE, VERIFY, AND TROUBLESHOOT IPV6 STATIC ROUTING: .... 66
CONFIGURE, VERIFY, AND TROUBLESHOOT RIPNG FOR IPV6: .... 66
CONFIGURE, VERIFY, AND TROUBLESHOOT EIGRP FOR IPV6: .... 67
CONFIGURE, VERIFY, AND TROUBLESHOOT OSPFV3 FOR IPV6: .... 67
TROUBLESHOOT BASIC LAYER 3 END-TO-END CONNECTIVITY ISSUES: .... 68
CONFIGURE & VERIFY PPP AND MLPPP ON WAN INTERFACES: .... 68
    PPP (Point-to-Point Protocol): .... 68
        PAP: .... 68
        CHAP: .... 68
    MLPPP (Multi-Link PPP): .... 70
CONFIGURE AND VERIFY PPPOE CLIENT-SIDE INTERFACES: .... 71
CONFIGURE, VERIFY, AND TROUBLESHOOT GRE TUNNEL CONNECTIVITY: .... 72
DESCRIBE WAN TOPOLOGY OPTIONS: .... 73
    Point-to-Point Topology: .... 73
    Hub and Spoke Topology: .... 73
    Full Mesh Topology: .... 74
    Single Homed: .... 74
    Dual Homed: .... 74
DESCRIBE WAN ACCESS CONNECTIVITY OPTIONS: .... 75
    MPLS (Multi-Protocol Label Switching): .... 75


    Metro Ethernet: .... 75
    Broadband PPPoE: .... 75
    Internet VPN: .... 75
    DMVPN: .... 75
    Site-to-Site IPsec VPN: .... 76
    Client VPN: .... 76
DESCRIBE DNS LOOKUP OPERATION: .... 76
TROUBLESHOOT CLIENT CONNECTIVITY ISSUES INVOLVING DNS: .... 77
CONFIGURE AND VERIFY DHCP ON A ROUTER: .... 77
    DHCP Server: .... 77
    DHCP Relay: .... 77
    DHCP Client: .... 77
    TFTP Option: .... 77
TROUBLESHOOT CLIENT- AND ROUTER-BASED DHCP CONNECTIVITY ISSUES: .... 78
CONFIGURE, VERIFY, AND TROUBLESHOOT BASIC HSRP: .... 78

Working of FHRP:................................................................................................................................................. 78

HSRP (Hot Standby Router Protocol): .................................................................................................................. 78

CONFIGURE, VERIFY, AND TROUBLESHOOT NAT:........................................................................... 79

Static NAT (Network Address Translation): .......................................................................................................... 79

Dynamic NAT (Network Address Translation): ..................................................................................................... 79

PAT (Port Address Translation): ........................................................................................................................... 80


Inside Local Address: ...............................................................................................................................................80
Inside Global Address: .............................................................................................................................................80
Outside Global Address: ..........................................................................................................................................80
Outside Local Address: ............................................................................................................................................80



CONFIGURE AND VERIFY NTP OPERATING IN A CLIENT/SERVER MODE: ........................................ 81

NTP Client Mode: ................................................................................................................................................. 81

NTP Server Mode: ................................................................................................................................................ 81

NTP Clients/Servers: ............................................................................................................................................ 81

CONFIGURE, VERIFY, TROUBLESHOOT PORT SECURITY: ................................................................. 82

Default Configuration of Port Security: ................................................................................................................ 82

Static: .................................................................................................................................................................. 82

Dynamic:.............................................................................................................................................................. 82

Sticky: .................................................................................................................................................................. 83

Maximum MAC Addresses: .................................................................................................................................. 83

Violation Actions: ................................................................................................................................................ 83


Shutdown: ...............................................................................................................................................................83
Protect: ....................................................................................................................................................................83
Restrict: ...................................................................................................................................................................83

Error Disable Recovery: ....................................................................................................................................... 84

COMMON ACCESS LAYER THREAT MITIGATION: ............................................................................ 85

802.1X: ................................................................................................................................................................ 85

DHCP Snooping: ................................................................................................................................................... 85

Nondefault Native VLAN: ..................................................................................................................................... 86

CONFIGURE & VERIFY IPV4 & IPV6 ACCESS LIST FOR TRAFFIC FILTERING:...................................... 87

Advantages of ACL: .............................................................................................................................................. 87

Standard Access-List: ........................................................................................................................................... 87

Extended Access List: ........................................................................................................................................... 87

Named Access List: .............................................................................................................................................. 87

IPV6 Access List:................................................................................................................................................... 89

CONFIGURE, VERIFY, AND TROUBLESHOOT BASIC DEVICE HARDENING: ....................................... 89



DEVICE SECURITY USING AAA WITH TACACS+ AND RADIUS: .......................................................... 92

AAA (Authentication, Authorization, Accounting): .............................................................................................. 92

AAA with TACACS+: ............................................................................................................................................. 92

AAA with RADIUS: ............................................................................................................................................... 92

Local Privilege Authorization Fallback: ................................................................................................................. 92

CONFIGURE AND VERIFY DEVICE-MONITORING PROTOCOLS: ....................................................... 94

Simple Network Management Protocol(SNMP): .................................................................................................. 94


SNMP Manager: ......................................................................................................................................................94
SNMP Agent: ...........................................................................................................................................................94
Management Information Base (MIB): ...................................................................................................................94
SNMP Messages: .....................................................................................................................................................94

SNMPv1: .............................................................................................................................................................. 94

SNMPv2c: ............................................................................................................................................................ 94

SNMPv3: .............................................................................................................................................................. 95

Syslog Server: ...................................................................................................................................................... 96


Console Logging: .....................................................................................................................................................96
Terminal Logging: ....................................................................................................................................................96
Buffered Logging: ....................................................................................................................................................96
Syslog Server Logging: .............................................................................................................................................96
SNMP Trap Logging: ................................................................................................................................................96

CONFIGURE AND VERIFY DEVICE MANAGEMENT: ......................................................................... 97

Backup and Restore Device Configuration: .......................................................................................................... 97

Using CDP or LLDP for Device Discovery:.............................................................................................................. 98

Cisco Licensing: .................................................................................................................................................... 98

Cisco IOS Version 15: ........................................................................................................................................... 99

Timezone: ............................................................................................................................................................ 99

Loopback: .......................................................................................................................................................... 100

PERFORM DEVICE MAINTENANCE: .............................................................................................. 100

Cisco IOS Upgrades and Recovery: ..................................................................................................................... 100



SCP (Secure Copy): ............................................................................................................................................. 100

FTP and TFTP: .................................................................................................................................................... 101

Cisco IOS MD5 Verification: ............................................................................................................................... 101

Password Recovery: ........................................................................................................................................... 102

Configuration Register: ...................................................................................................................................... 104

File System Management: ................................................................................................................................. 104

CISCO IOS TOOLS TO TROUBLESHOOT AND RESOLVE PROBLEMS: ............................................... 105

Ping and Traceroute Extended Option: .............................................................................................................. 105

Terminal Monitor: ............................................................................................................................................. 106

Local SPAN: ........................................................................................................................................................ 107



Compare and Contrast OSI and TCP/IP Models:

Open Systems Interconnection Model:


Problem:
In the past, networks were built with different hardware and software; thus they were
incompatible and could not easily communicate with each other. To make these tasks smooth, in
1977 the International Standards Organization (ISO) proposed the Open Systems
Interconnection (OSI) network model. The OSI model breaks down the problems involved in
moving data from one computer to another computer and categorizes these hundreds of
problems into seven layers. A layer in the OSI model is a portion that is used to categorize
specific problems.
o It is a data communication model.
o It is a logical and conceptual model.
o It is a reference model or teaching model.
o Each layer can only talk to the one above it and the one below it.
o It is a theoretical model.
o It is not a technology, it is not a protocol, and it is not a program or software.
o It specifies how layers should talk to each other.
o It defines how information should be handled when being transported over a network.

Layer#   Name of Layer         Data Format
7        Application Layer     Data
6        Presentation Layer    Data
5        Session Layer         Data
4        Transport Layer       Segments
3        Network Layer         Packets
2        Data Link Layer       Frames
1        Physical Layer        Bits

7) Application Layer:
This layer provides services for end-user applications such as HTTP, FTP, TFTP, SMTP, Telnet,
SSH, DHCP, POP and DNS servers, all operating systems, web browsers, firewalls and
communication software (messengers, Skype etc.).
6) Presentation Layer:
Three activities take place at this layer:
1) Encryption: The process of converting plain text into cipher text for data confidentiality.
2) Translation: Converts a protocol from one form to another, like IPX to IP.
3) Compression: It simply works with the compression of data, like WinZip.
Encoding, Decoding, Encryption, Decryption, Compression and Decompression



5) Session Layer:
A period in which two machines communicate is called a session. This layer controls the logical
connections between two systems. It establishes, manages, and terminates the connections
between the local and remote systems.
4) Transport Layer:
It uses protocols to transfer data from one machine to another machine. Two protocols work
at this layer, TCP and UDP, together with port numbers. Its functions include sequencing and
reassembly, error correction and flow control. Total ports: 0 – 65535, server ports: 1 – 1023 and
client ports: 1024 – 65535.
TCP (Transmission Control Protocol):
1. TCP is connection-oriented.
2. Reliable communication with acknowledgment.
3. Slower data transportation.
4. TCP allows for error detection.
5. TCP allows "windowing".
6. Ordered data transfer.
SMTP, FTP, and HTTP use TCP.
UDP (User Datagram Protocol):
1. UDP is connectionless.
2. Unreliable communication without acknowledgment.
3. Faster data transportation.
4. UDP provides best-effort delivery.
5. UDP delivers segments.
6. UDP allows no error detection.
7. UDP offers neither error detection nor error recovery.
DHCP, SNMP, and TFTP use UDP.
DNS uses both TCP and UDP ports. DNS uses TCP for zone transfers between servers and UDP
when a client is trying to resolve a hostname to an IP address.
3) Network Layer:
It deals with path selection and logical addressing. Routed protocols and routing protocols all
work at this layer; routers and multilayer (L3) switches run at the Network layer.
2) Data Link Layer:
ARP, Media Access Control (MAC) addresses, switches, bridges and NIC cards operate at the Data
Link layer. Protocols and services run at the Data Link layer. It detects and, when possible,
corrects errors.
1) Physical Layer:
It is the pure hardware layer of the OSI model. It defines the electrical and physical
specifications. At this layer the frame is converted into bits. The Physical layer specifies cables,
pins, connectors, voltage and wire speed, and moves bits between devices. Hubs, modems,
repeaters and all cables operate at the Physical layer.



TCP/IP Model:
Like the OSI model, TCP/IP also has a network model. TCP/IP was already under development
when the OSI standard was published, and there was interaction between the designers of the
OSI and TCP/IP standards. OSI is a seven-layer standard, whereas TCP/IP is a four-layer
standard. The Application Layer is the topmost layer of the four-layer TCP/IP model, the
Transport Layer is the third layer, the Internet Layer is the second layer, and the Network
Access Layer is the first layer.



Compare and Contrast TCP and UDP Protocols:
The Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are the two most
popular protocols in the transport layer. They ensure that messages are delivered error-free, in
sequence, and with no losses or duplication. The key difference between TCP and UDP is that
TCP provides a wide variety of services to applications, whereas UDP does not. As a result,
TCP is much more complex than UDP.
Both TCP and UDP are protocols at the Transport layer (of both the OSI and TCP/IP models). TCP
is slower but reliable, and UDP is faster but unreliable. In most cases we want reliability for
web access, email communication and file uploads, as we do not expect a few corrupted packets
to destroy our whole work. With TCP, these corrupted packets are resent or repaired to make
sure everything is correct. Yes, TCP is nice to ensure your work is accurate.
TCP Three-Way Handshake (to Start the Communication).
Although UDP cannot guarantee that everything is accurate like TCP, UDP is faster than TCP
because it does not require additional bits for tracking and checking purposes. So, which tasks
need speed? Video (streaming) and audio are ideal for this, because they are considered
real-time applications. Suppose you are talking to your friend; surely you want your voice to
reach your friend without any delay.

Difference Between TCP and UDP

TCP                                                UDP
Reliable                                           Unreliable
Connection-oriented                                Connectionless
Segment retransmission and windowing               No retransmission or windowing
Segment sequence                                   No sequencing
Acknowledges segments                              No acknowledgement
Starts and ends the communication by three-way     No action is required before and after
handshake and four-way termination                 sending real data
Slower data transportation                         Fast data transportation
Example: HTTP, FTP, SMTP                           Example: DNS, DHCP, TFTP
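The reliability mechanisms the table contrasts (sequence numbers, cumulative acknowledgements, a send window and retransmission on one side; one-shot best-effort sending with no feedback on the other) can be watched working in the following added example, which is not part of the original document and also serves the Transport Layer description in the OSI section above. It simulates both behaviours over a constructed lossy link that deterministically drops every fourth segment; no real sockets or hosts are involved, and the acknowledgement path is assumed lossless to keep the sender simple.

```python
"""Simulated reliable (TCP-style) vs best-effort (UDP-style) delivery.

Added example, not from the original document. The link below is a
constructed channel that drops every Nth segment handed to it, so the
whole thing runs offline and gives the same numbers every time.
"""
from dataclasses import dataclass


@dataclass
class LossyLink:
    """Constructed channel: drops every `drop_every`-th segment (0 = lossless)."""
    drop_every: int = 4
    sent: int = 0          # total transmissions attempted over the link

    def deliver(self, segment):
        self.sent += 1
        if self.drop_every and self.sent % self.drop_every == 0:
            return None    # segment lost in transit
        return segment


def split(message: bytes, size: int) -> list:
    """Cut the application data into fixed-size chunks, one per segment."""
    return [message[i:i + size] for i in range(0, len(message), size)]


def send_udp_style(message: bytes, size: int, link: LossyLink) -> dict:
    """Best effort: each datagram is sent exactly once, nothing is acknowledged,
    and a lost chunk simply never arrives; the receiver has no way to tell."""
    delivered = []
    for seq, chunk in enumerate(split(message, size)):
        seg = link.deliver((seq, chunk))
        if seg is not None:
            delivered.append(seg[1])
    data = b"".join(delivered)
    return {"data": data, "transmissions": link.sent, "complete": data == message}


def send_tcp_style(message: bytes, size: int, link: LossyLink,
                   window: int = 3, max_rounds: int = 100) -> dict:
    """Reliable, ordered delivery: numbered segments, a send window, cumulative
    acknowledgements and retransmission of anything not yet acknowledged
    (go-back-N style; the ACK path is assumed lossless for simplicity)."""
    chunks = split(message, size)
    received = {}        # receiver buffer: seq -> chunk (segments may arrive out of order)
    next_expected = 0    # cumulative ACK: every seq below this has been received in order
    rounds = 0
    while next_expected < len(chunks) and rounds < max_rounds:
        rounds += 1
        # send (or resend) every segment in the current window
        for seq in range(next_expected, min(next_expected + window, len(chunks))):
            seg = link.deliver((seq, chunks[seq]))
            if seg is not None:
                received[seg[0]] = seg[1]
        # the receiver only advances its ACK over contiguous data
        while next_expected in received:
            next_expected += 1
    data = b"".join(received[i] for i in range(next_expected))
    return {"data": data, "transmissions": link.sent,
            "complete": data == message, "rounds": rounds}


if __name__ == "__main__":
    MSG = b"ABCDEFGHIJKLMNOPQR"    # constructed 18-byte payload -> six 3-byte segments
    print("TCP-style:", send_tcp_style(MSG, 3, LossyLink(drop_every=4)))
    print("UDP-style:", send_udp_style(MSG, 3, LossyLink(drop_every=4)))
```

With the drop-every-fourth link, the UDP-style sender finishes after six transmissions but the fourth segment (bytes "JKL") is silently missing from what the receiver reassembles; the TCP-style sender needs nine transmissions over three window rounds and delivers the full message in order, which is exactly the "slower but reliable" trade-off in the table.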



Impact of Infrastructure Components on Enterprise Network:
Firewall:
A firewall is used to protect a network from external threats by enforcing access policies
between different security domains. It can also protect one portion of your network or
computer system from another portion. A firewall can be either software-based or
hardware-based. The device connects to "inside" protected networks and protects them from
"outside" networks (the Internet). An example of a network firewall appliance from Cisco
Systems is the Adaptive Security Appliance, or ASA. Cisco IOS also offers the Zone-Based
Firewall, which supports stateful inspection and application inspection and control from OSI
Layer 3 to Layer 7.

Access Points:
Access points provide wireless access to a wired Ethernet network. An access point plugs into a
hub, switch, or wired router and sends out wireless signals. This enables computers and devices
to connect to a wired network wirelessly.

Wireless Controllers:
A Wireless Controller is used for configuration of wireless policy, management or security
settings at any time through centralized provisioning and management.

Describe the Effects of Cloud Resources on Enterprise Network:


Cloud computing involves large numbers of Computers connected through a network that can
be physically located anywhere. Providers rely heavily on virtualization to deliver their Cloud
computing services. Cloud Computing can reduce operational costs by using resources more
efficiently.
Traffic Path to Internal and External Cloud Services:
Using the Internet to communicate between the enterprise and a public cloud provider is easy
and convenient. Private WAN and Internet VPN access to the public cloud are also used.

Virtual Services:
The terms “Cloud Computing” and “Virtualization” are often used interchangeably; however,
they mean different things. Virtualization is the foundation of Cloud Computing. Without it,
Cloud Computing, as it is most-widely implemented, would not be possible. Cloud Computing
separates the application from the hardware. Virtualization separates the OS from the
hardware.

Cloud Services:
Cloud services are available in a variety of options to meet customer requirements.
Software as a Service (SaaS):
The Cloud provider is responsible for access to services, such as email, communication, and
Office 365, that are delivered over the Internet. The user only needs to provide their data.
Gmail is one example of Software as a Service.



Platform as a Service (PaaS):
The Cloud provider is responsible for making virtual machines (VMs) available to the clients so
that they may develop software applications in a test environment. It also provides development
tools as part of the platform.
Infrastructure as a Service (IaaS):
The Cloud provider is responsible for making the hardware, software, servers, storage and
other infrastructure components available to the client. An example is Amazon Web Services.

Compare & Contrast Collapsed Core & Three-Tier Architectures:


Three-Tier Architectures:
Core Layer:
The Core Layer consists of the biggest, fastest, and most expensive routers with the highest
model numbers, and the Core Layer is considered the backbone of the network. Core Layer
routers are used to merge geographically separated networks. The Core Layer routers move
information on the network as fast as possible. Switches operating at the core layer switch
packets as fast as possible.
Distribution Layer:
The Distribution Layer is located between the access and core layers. The purpose of this layer
is to provide boundary definition by implementing access lists and other filters. Therefore, the
Distribution Layer defines policy for the network. The Distribution Layer includes high-end
layer 3 switches. The Distribution Layer ensures that packets are properly routed between
subnets and VLANs in your enterprise.
Access Layer:
The Access Layer includes access switches which are connected to the end devices (computers,
printers, servers etc.). Access layer switches ensure that packets are delivered to the end
devices.
Benefits of Cisco Three-Layer Hierarchical Model:
The main benefit of the Cisco Three-Layer hierarchical model is that it helps to design, deploy
and maintain a scalable, trustworthy, cost-effective hierarchical internetwork.
Better Performance: The Three-Layer network model allows the creation of high-performance
networks.
Better Management & Troubleshooting: The Cisco Three-Layer Network Model allows better
network management and isolation of the causes of network trouble.
Better Filter/Policy Creation and Application: The Cisco Three-Layer Network Model allows
better filter/policy creation and application.
Better Scalability: The Cisco Three-Layer Network Model allows us to efficiently accommodate
future growth.
Better Redundancy: The Cisco Three-Layer Network Model provides better redundancy.
Multiple links across multiple devices provide better redundancy. If one switch is down, we
have an alternate path to reach the destination.



Collapsed Core:
A “Collapsed Core” is when the distribution layer and core layer functions are implemented by
a single device. The primary motivation for the collapsed core design is reducing network cost,
while maintaining most of the benefits of the three-tier hierarchical model.

Compare and Contrast Network Topologies:


A network topology is the physical layout of computers, cables, and other components on a
network. There are several different network topologies, and a network may be built using
multiple topologies. The different types of network layouts are Bus topology, Star topology,
Mesh topology, Ring topology, Hybrid topology and Wireless topology.

Star Topology:
A star topology is designed with each node (workstations, printers, laptops, servers etc.)
connected directly to a central device called a network switch. Each workstation has a cable
that goes from its network card to the network switch. Ethernet, the most popular and widely
used LAN technology, currently operates in a star topology.
Advantages of Star Topology:
Easy to install and wire. No disruption to the network when connecting or removing devices.
Easy to detect faults and to remove parts.
Disadvantages of Star Topology:
Requires more cable length than a linear bus topology. If the switch fails, the attached nodes
cannot participate in network communication. More expensive than a bus topology because of
the switch cost.



Mesh Topology:
In Mesh topology, every network device is connected to other network devices. Mesh topology
is costly because of the extra cables needed and it is very complex and difficult to manage. The
main advantage of mesh topology is multiple paths to the destination computer. If one link is
down, we have another path to reach the destination. Mesh Topology is not commonly used
these days.

Hybrid Topology:
Hybrid topology is a mixture of different topologies. Example is star-bus-ring topology.



Ring Topology:
In a ring topology, all computers are connected via a cable that loops in a ring or circle. A ring
topology is a circle that has no start and no end and terminators are not necessary in a ring
topology. Signals travel in one direction on a ring while they pass from one computer to the
next, with each computer regenerating the signal so that it may travel the distance required.
The main advantage of Ring topology is that the signal degeneration is low since each
workstation participating in the network is responsible for regenerating the weak signal. The
disadvantage of ring topology is, if one workstation fails, the entire network will fail.

Appropriate Cabling Type Based on Implementation Requirements:


Ethernet is widely used today when it comes to cabling. Ethernet continues to change and get
faster. The table below shows some forms of Ethernet.
Common Name        Speed       Standard        Max. Length
Ethernet           10 Mbps     10BASE-T        100 m
Fast Ethernet      100 Mbps    100BASE-T       100 m
Gigabit Ethernet   1000 Mbps   1000BASE-LX     5000 m
Gigabit Ethernet   1000 Mbps   1000BASE-T      100 m
10 Gig Ethernet    10 Gbps     10GBASE-T       100 m
40 Gig Ethernet    40 Gbps     40GBASE-LR4     10000 m

Cable Combinations:
A crossover cable is used between similar devices and a straight-through cable between
different devices, while a rollover cable is used between a PC and the console port of a router
or switch.



SAME DEVICES / CROSS CABLE COMBINATION / TESTING
DEVICE 1   DEVICE 2   S/NO   SIDE A         SIDE B         MASTER   REMOTE
PC         PC         1      White Orange   White Green    1        3
Router     Router     2      Orange         Green          2        6
Switch     Switch     3      White Green    White Orange   3        1
Hub        Hub        4      Blue           Blue           4        4
PC         Router     5      White Blue     White Blue     5        5
PC         Firewall   6      Green          Orange         6        2
PC         IPS        7      White Brown    White Brown    7        7
PC         IDS        8      Brown          Brown          8        8

DIFFERENT DEVICES / STRAIGHT CABLE COMBINATION / TESTING
DEVICE 1   DEVICE 2   S/NO   SIDE A         SIDE B         MASTER   REMOTE
Switch     Router     1      White Orange   White Orange   1        1
Switch     PC         2      Orange         Orange         2        2
Hub        Router     3      White Green    White Green    3        3
Hub        PC         4      Blue           Blue           4        4
                      5      White Blue     White Blue     5        5
                      6      Green          Green          6        6
                      7      White Brown    White Brown    7        7
                      8      Brown          Brown          8        8

Ethernet UTP Categories:


The most popular forms of Ethernet used today are Unshielded Twisted Pair (UTP). There are
many categories of UTP, such as CAT1, CAT2, CAT3, CAT4, CAT5, CAT5e, CAT6, CAT6a and CAT7.
Cat 5e is capable of 1 Gigabit per second Ethernet, whereas Cat 6 is capable of 10 Gigabits per
second Ethernet.

Troubleshooting Methodologies to Resolve Problems:


Troubleshooting is being able to analyze the problem, determine the cause of the error,
implement a plan of action, and resolve the network issue.
Problem Isolation:
Determining at what layer of the OSI model & on what devices and links the problem may exist.
Documentation:
It is critical to document the processes you use and the information you find; it can not only
help you in the current process, but can become critical for those that troubleshoot after you.
Resolve:
After the problem isolation process has found the root cause of the problem, you document
what has happened and then fix the root cause; fixing the problem is what is meant by
resolving the problem.



Escalate:
Should you not be able to fix the issue, there should be a written escalation process in your
organization; this might even involve communicating with a third party that your company
partners with to fix the issue.
Verify and Monitor:
Many times it takes time to carefully verify and monitor your solution to ensure the issue(s)
are truly resolved. When a problem has been solved and a solution implemented, it is
important to verify the system operation. Verification tools include the ping, traceroute and
show commands. The OSI model is a critical tool when carrying out your troubleshooting; the
common approaches are the bottom-up approach, the top-down approach and the
divide-and-conquer approach.

Configure, Verify, and Troubleshoot IPv4 Addressing:


An IP address is a logical address for a network adapter that uniquely identifies a host on a
TCP/IP network; in other words, it is a numeric identifier assigned to a device so that it can
communicate with other devices on a network. The designers of the Internet Protocol
defined an IP address as a 32-bit number. In IPv4 an address consists of 32 bits, which limits
the address space to 2^32 = 4,294,967,296 possible unique addresses. An IPv4 address is
written as four decimal numbers separated by dots, hence the name dotted-decimal
notation. For example, 192.168.1.0 is an IP address written in dotted-decimal notation; the
binary version is 11000000 10101000 00000001 00000000 (the address is stored and
processed as binary). Each decimal number represents 8 bits (1 byte) and is therefore called
an octet, so an IP address is 32 bits (4 bytes) long. The range of each octet is 0 to 255.
IPV4 Classes:
The IPv4 address space is subdivided into 5 classes: A, B, C, D and E. Each class is a subset
of the overall IPv4 address range, identified by the leading bits of the first octet.

Class   First Octet   Full Range                Leading Bits
A       1-127         1.0.0.0 - 127.0.0.0       0
B       128-191       128.0.0.0 - 191.0.0.0     10
C       192-223       192.0.0.0 - 223.0.0.0     110
D       224-239       224.0.0.0 - 239.0.0.0     1110
E       240-255       240.0.0.0 - 255.0.0.0     1111

Note that 127.0.0.0/8 within Class A is reserved for loopback (see below), so only first
octets 1-126 are usable Class A networks.

Loopback Address:
Addresses beginning with 127 cannot be assigned to any network host: the whole range
127.0.0.0 to 127.255.255.255 is reserved for loopback. The loopback interface lets you test
the IP software stack on a machine without depending on network drivers or hardware,
since packets sent to 127.x.x.x never leave the host.



Unicast Address Type:
Unicast is a type of communication where data is sent from one computer to another
computer. Unicast is a one-to-one type of network communication. Different data streams are
generated for each Unicast connection. In Unicast type of communication, there is only one
sender, and only one receiver.

Broadcast Address Type:


Broadcast is a type of communication where data is sent once by one computer and a copy
is delivered to every device in the broadcast domain. There is only one sender, the data is
sent only once, and all connected devices receive it. Switches forward broadcast traffic out
every port except the one it arrived on; routers, by design, do not forward it, so each router
interface bounds a broadcast domain.

Multicast Address Type:


Multicast is a type of communication where traffic is addressed to a group of devices on the
network. IP multicast traffic is sent to a group, and only members of that group receive
and/or process it. Devices interested in a particular multicast stream must join that
multicast group to receive the traffic. IP multicast groups are identified by Class D multicast
IP addresses. In multicast the sender transmits only one copy of the data and it is delivered
to (and processed by) many devices. The Class D range is reserved for multicasting, and the
whole range from 224.0.0.0 to 255.255.255.255 (Classes D and E) cannot be assigned to
network hosts.

Class E Address:
Class E network is reserved for "experimental use". It shouldn’t be assigned to host devices.

Zero Address:
As with the loopback range, the address range 0.0.0.0 through 0.255.255.255 should not be
considered part of the normal Class A range. 0.x.x.x addresses serve no function as host
addresses (0.0.0.0 is used only as the "unspecified" source address, for example by a DHCP
client that does not yet have an address), and nodes attempting to use them will be unable
to communicate properly on the Internet.

Subnet Mask:
Class A's default mask is 255.0.0.0, or /8
Class B's default mask is 255.255.0.0, or /16
Class C's default mask is 255.255.255.0, or /24
255.0.0.0 in binary is 11111111 00000000 00000000 00000000.
255.255.0.0 in binary is 11111111 11111111 00000000 00000000.
255.255.255.0 in binary is 11111111 11111111 11111111 00000000.
Class A = /8 = 2^24 = 16,777,216 addresses per network (16,777,214 usable for hosts)
Class B = /16 = 2^16 = 65,536 addresses per network (65,534 usable for hosts)
Class C = /24 = 2^8 = 256 addresses per network (254 usable for hosts)
Two addresses in every network are not usable for hosts: the all-zeros host part (the
network address) and the all-ones host part (the directed broadcast address).



Network and Host Portions:
Class A network mask 255.0.0.0 means the first octet of the address is the network portion
and the final three octets are the host portion.
Class B network mask 255.255.0.0 means the first two octets are the network portion and
the final two octets are the host portion.
Class C network mask 255.255.255.0 means the first three octets are the network portion
and the final octet is the host portion.
Network Mask:
A network mask (netmask) is a 32-bit binary number, usually written in dotted-decimal
format. The mask defines the size of the host part of an IP address: binary 1s in the mask
cover the network part and binary 0s cover the host part.

Class   Network Part (bits)   Host Part (bits)   Default Mask
A       8                     24                 255.0.0.0
B       16                    16                 255.255.0.0
C       24                    8                  255.255.255.0
Network Address:
A network address (network number) is written in dotted-decimal notation like an IP
address, but it represents all hosts in a single Class A, B or C network. For example, the IP
address 192.168.0.1 with network mask 255.255.255.0 belongs to network address
192.168.0.0. To calculate the network address, perform a logical AND between any IP
address in the network and its network mask:
  192.168.0.1    = 11000000 10101000 00000000 00000001
  255.255.255.0  = 11111111 11111111 11111111 00000000
  AND            = 11000000 10101000 00000000 00000000 = 192.168.0.0
Private Addresses:
The IP standard (RFC 1918) reserves specific address ranges within Class A, Class B and
Class C for use by private networks (intranets). A private IP address is not routable on the
Internet and is used only on an internal network; hosts with private addresses reach the
Internet through a device such as a router performing Network Address Translation (NAT).

Class       Private Start Address   Private End Address   CIDR Block
A           10.0.0.0                10.255.255.255        10.0.0.0/8
B           172.16.0.0              172.31.255.255        172.16.0.0/12
C           192.168.0.0             192.168.255.255       192.168.0.0/16
B (APIPA)   169.254.0.0             169.254.255.255       169.254.0.0/16

The 10.0.0.0/8 block is used by relatively large organizations, as it allows more than 16
million hosts. A Class B network supports 65,534 hosts per network (there are 16,384 Class B
networks in total), whereas a Class C network supports 254 hosts and is used by small or
medium-sized organizations. Note that 169.254.0.0/16 is link-local (APIPA) space rather than
an RFC 1918 range; it is never routed.



APIPA:
APIPA stands for Automatic Private IP Addressing. A Windows computer configured to use
DHCP assigns itself an address from 169.254.0.0/16 if no DHCP server answers, for example
on a network with no DHCP server or when the DHCP server is temporarily down for
maintenance. This makes configuring and supporting a small Local Area Network (LAN)
running TCP/IP less difficult. An APIPA address on a host that should have received a lease
is also a common sign of a DHCP failure: a 169.254.x.x host can only talk to other hosts on
the same link and has no default gateway.

Compare and Contrast IPv6 Address Types:


Why Using IPV6:
IPv4 has only about 4.3 billion addresses in theory, and far fewer can actually be assigned to
devices once reserved ranges and allocation inefficiency are taken into account. When this
guide was written the world population was already about 6.5 billion, with an estimated 10
percent connected to the Internet, and besides PCs there are mobile phones, laptops, game
consoles, fax machines, routers, switches and many other devices that connect to the
Internet every day. The short-term solution to this shortage was Network Address
Translation (NAT). IPv6 replaces the 32-bit IPv4 address with a 128-bit address, making
about 340 trillion trillion trillion (3.4 x 10^38) addresses available.
Benefits of Using IPV6:
Larger Address Space: IPv6 uses 128-bit addresses instead of 32-bit addresses.
Globally Unique IP Addresses: the additional address space allows each node to have a
globally unique address and eliminates the need for NAT.
Simplified Header: the IPv6 base header has a fixed size; rarely used fields and options
were removed or moved into optional extension headers that follow the base header.
End-to-end Connectivity: every system has a unique IP address and can traverse the
Internet without NAT or other translating components. This also means end hosts are
directly reachable, so they must be protected by an explicit firewall policy rather than by
the side effect of NAT.
Address Auto Configuration: dynamic assignment of IPv6 addresses; IPv6 hosts can
configure themselves with or without a DHCP server.
No Broadcast: IPv6 has no broadcast; it uses multicast to reach multiple hosts.
Anycast Support: IPv6 introduces anycast routing, where multiple interfaces across the
Internet are assigned the same anycast address and routers deliver the packet to the
nearest one.
IPV6 Address Representation:
Rather than dotted-decimal, IPv6 addresses are written as hexadecimal digits, with a colon
between each group of four hex digits (16 bits). The format is x:x:x:x:x:x:x:x, eight 16-bit
hexadecimal fields, for example:
2035:0001:2BC5:0000:0000:087C:0000:000A

Fortunately, the written form can be shortened. Leading 0s within each group of four hex
digits can be omitted, and one pair of colons (::) can replace any number of consecutive
all-zero groups, but only once within an address (a second :: would make the address
ambiguous):
2035:1:2BC5::87C:0:A

IPV4 VS IPV6
IPV4                               IPV6
32-bit address                     128-bit address
8-bit groups                       16-bit groups
4 groups                           8 groups
Dotted (.) decimal notation        Colon (:) separates groups
Decimal number system              Hexadecimal number system
Classes [A, B, C, D, E]            No classes
Subnetting required                No subnetting required
No built-in security               Built-in security (IPsec support)
Unicast, Multicast, Broadcast      Unicast, Multicast, Anycast, no Broadcast
No short form available            Short form available (::)
Manual or DHCP                     Autoconfiguration (SLAAC) or DHCPv6
ICMP                               ICMPv6
Broadcast: yes                     Broadcast: no
Broadcast ARP                      Multicast Neighbor Discovery

Global Unicast Addresses:


A unicast address identifies a single device. A global unicast address is a unicast address
that is globally unique. Global unicast IPv6 addresses are Internet-routable and are the
equivalent of public IPv4 addresses; they are allocated from 2000::/3.
Unique Local:
Work somewhat like private IPv4 addresses: multiple organizations may use the exact same
addresses and there is no requirement to register with any numbering authority. They come
from FC00::/7; in practice they use FD as the first two hex digits (FD00::/8).
Link-local Addresses:
Link-local IPv6 addresses allow communication between devices on a local link only; they
are not routable and are used within a single subnet, much like APIPA 169.254.0.0/16
addresses in IPv4. Every IPv6 interface has one, and Neighbor Discovery and routing
protocols depend on it. They start with FE80 (FE80::/10).
Multicast:
A multicast address identifies not one device but a set of devices, a multicast group. The
first 8 bits of an IPv6 multicast address are always all ones, so every multicast address
starts with FF (FF00::/8).

Function                                  Multicast Group   IPv4 Equivalent
All Hosts                                 FF02::1           Subnet broadcast address
All Routers                               FF02::2           224.0.0.2
OSPFv3 Routers                            FF02::5           224.0.0.5
OSPFv3 DR/BDR Routers                     FF02::6           224.0.0.6
RIPng                                     FF02::9           224.0.0.9
EIGRP for IPv6                            FF02::A           224.0.0.10
All DHCPv6 Servers and Relay Agents       FF02::1:2         (DHCPv4 uses broadcast)

Anycast:
An Anycast address represents a service rather than a device, and the same address can reside
on one or more devices providing the same service. In this addressing mode, multiple interfaces
(hosts) are assigned same Anycast IP address.

Modified EUI 64:


A host can auto-configure its 64-bit Interface ID from its MAC address using the IEEE
Extended Unique Identifier (EUI-64) format. First, the 48-bit MAC address is split into two
24-bit halves (the vendor OUI and the device part). The 16-bit value 0xFFFE is inserted
between the two halves, giving a 64-bit EUI-64.

To turn the EUI-64 into the IPv6 Interface ID, the seventh bit of the first byte (the
Universal/Local bit, value 0x02) is inverted. For example, the MAC address 00:1E:14:2A:3B:4C
becomes the interface ID 021E:14FF:FE2A:3B4C.

Stateless Address Auto Configuration (SLAAC):


Nodes listen for ICMPv6 Router Advertisement (RA) messages that routers periodically send
on the local link, or that a node requests by sending a Router Solicitation (RS) to the
all-routers group FF02::2. The node then builds a global unicast IPv6 address by combining
the link prefix learned from the RA with its interface ID (EUI-64, derived from the MAC
address on Ethernet interfaces). This feature is unique to IPv6 and provides simple "plug &
play" networking. By default, SLAAC gives the client only an IPv6 address and a default
gateway (the RA sender); DNS servers are learned only if the router includes the RDNSS
option in the RA, or from DHCPv6. Because any device on the link that sends RAs becomes a
default gateway for the hosts, RA Guard on access ports is the usual protection against
rogue router advertisements.
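The following Python is an added example, not code from the original guide, that carries out the address manipulations described in IPv6 Address Representation, Modified EUI 64 and SLAAC above: expanding and compressing the text form (compression follows RFC 5952, so a lone zero group is written as 0 and not replaced by ::), building the modified EUI-64 interface ID from a MAC address, and combining it with an advertised /64 prefix the way a SLAAC host does. The MAC address and prefixes in the calls are constructed sample values.

```python
"""IPv6 text form, modified EUI-64 and SLAAC address construction (added example)."""
import re

HEX_GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")


def expand_ipv6(addr: str) -> str:
    """Return the full 8-group form with leading zeros, lowercase; validates the syntax."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        h = head.split(":") if head else []
        t = tail.split(":") if tail else []
        missing = 8 - len(h) - len(t)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = h + ["0"] * missing + t
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"malformed IPv6 address {addr!r}")
    return ":".join(f"{int(g, 16):04x}" for g in groups)


def compress_ipv6(addr: str) -> str:
    """RFC 5952 canonical form: drop leading zeros and replace the longest run of
    two or more zero groups (the first such run on a tie) with '::'."""
    groups = [int(g, 16) for g in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    text = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(text)
    left = ":".join(text[:best_start])
    right = ":".join(text[best_start + best_len:])
    return f"{left}::{right}"


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64: split the MAC into two 24-bit halves, insert FFFE between them,
    and flip the U/L bit (0x02 of the first octet). Accepts 00:1e:14:2a:3b:4c,
    00-1e-14-2a-3b-4c and Cisco-style 001e.142a.3b4c."""
    octets = bytes.fromhex(re.sub(r"[:\-.]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return ":".join(f"{iid[i]:02x}{iid[i + 1]:02x}" for i in range(0, 8, 2))


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix learned from a Router Advertisement with the EUI-64 IID."""
    net, _, plen = prefix.partition("/")
    if plen and int(plen) != 64:
        raise ValueError("SLAAC with EUI-64 requires a 64-bit prefix")
    top64 = ":".join(expand_ipv6(net).split(":")[:4])   # keep the first four groups
    return compress_ipv6(f"{top64}:{eui64_interface_id(mac)}")


if __name__ == "__main__":
    # Constructed samples: the address from the guide's representation section and a made-up MAC.
    print(compress_ipv6("2035:0001:2BC5:0000:0000:087C:0000:000A"))
    print(eui64_interface_id("00:1E:14:2A:3B:4C"))
    print(slaac_address("fe80::/64", "00:1E:14:2A:3B:4C"))
    print(slaac_address("2001:db8:1::/64", "00:1E:14:2A:3B:4C"))
```

An EUI-64 interface ID embeds the MAC address, including the vendor OUI, in every global address the host uses, which lets remote servers recognise the device across networks; for that reason modern stacks default to stable-privacy (RFC 7217) or temporary (RFC 4941) interface IDs rather than EUI-64.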
IPv4-Compatible IPv6 Addresses:
These addresses use 0s in the first 96 bits and embed an IPv4 address in the last 32 bits.
They were defined for transition/migration strategies and are now deprecated; current
stacks use IPv4-mapped addresses of the form ::FFFF:a.b.c.d instead. Example: 10.10.100.16
can be represented in IPv6 as:
0:0:0:0:0:0:10.10.100.16
::10.10.100.16
::A0A:6410 (the same 32 bits written in hex: 0A 0A 64 10)
IPV6 Loopback Addresses:
Used by a node to send an IPv6 packet to itself. An IPv6 loopback address functions the
same way as an IPv4 loopback address and is normally used to test the protocol stack. The
IPv6 loopback address is 0000:0000:0000:0000:0000:0000:0000:0001/128, which can be
written as ::1.

Configure, Verify, and Troubleshoot IPv6 Addressing:


IPv6 address configuration is as simple as IPv4. An IPv6 address can be configured manually,
through a DHCPv6 server, by stateless autoconfiguration, or by supplying only the prefix and
letting the router derive the host portion with EUI-64.

Description                                        Commands
Enable IPv6 routing on the router                  R(config)# ipv6 unicast-routing
Go to interface mode                               R(config)# interface f0/0
Manually configure an IPv6 address                 R(config-if)# ipv6 address 2000::1/64
Manually configure an IPv6 anycast address         R(config-if)# ipv6 address 2000::1/64 anycast
Take an address from a DHCPv6 server               R(config-if)# ipv6 address dhcp
Autoconfigure an address via SLAAC                 R(config-if)# ipv6 address autoconfig
Supply the prefix, derive the host part by EUI-64  R(config-if)# ipv6 address 2000::1/64 eui-64
List IPv6 interface status                         R# show ipv6 interface brief
Detailed IPv6 information for f0/0                 R# show ipv6 interface fa0/0

Configure and Verify IPv6 Stateless Address Auto Configuration:


IPv6 has an address configuration feature called Stateless Address Autoconfiguration
(SLAAC). It lets a network interface automatically learn the IPv6 network prefix, the prefix
length and the default router's IPv6 address (and DNS server addresses, when the router
advertises the RDNSS option). For SLAAC to work with a Cisco router as the RA sender, IPv6
unicast routing must be enabled on it, since a router only sends RAs when it is routing IPv6.

Description                                   Commands
Server (RA sender) configuration:
Enable IPv6 unicast routing                   R(config)# ipv6 unicast-routing
Select the interface                          R(config)# interface GigabitEthernet1/0
Configure the prefix to be advertised         R(config-if)# ipv6 address 2001:1111:1111::1/64
                                              R(config-if)# ipv6 enable
List IPv6 interface status                    R# show ipv6 interface brief
Detailed IPv6 view of G1/0                    R# show ipv6 interface g1/0
Client configuration:
Enable IPv6 unicast routing                   R(config)# ipv6 unicast-routing
Select the interface                          R(config)# interface GigabitEthernet1/0
Autoconfigure from received RAs               R(config-if)# ipv6 address autoconfig
                                              R(config-if)# ipv6 enable
List IPv6 interface status                    R# show ipv6 interface brief
Detailed IPv6 view of G1/0                    R# show ipv6 interface g1/0

IPV4 Subnetting:
Each IP class has its own default subnet mask, which fixes the number of networks in that
class and the number of hosts per network. Classful addressing offers no flexibility to have
fewer hosts per network or more networks per class. A subnet is short for sub-network.
Subnetting is the strategy of partitioning a single network into more than one smaller logical
sub-network (subnet): it lets the administrator divide a single Class A, Class B or Class C
network number into smaller portions, and subnets can be subnetted again into sub-subnets.
Benefit of Subnetting:
Reduces broadcast traffic (each subnet is its own broadcast domain). Reduces network
complexity. Conserves address space. Helps with security, since subnet boundaries are where
traffic can be filtered. Subnets let you identify different networks. Improves network
performance. Improves network management.
Pre-Requisites for Subnetting:
o Binary Numbers System
o Decimal Numbers System
o Binary to Decimal Conversion
o Decimal to Binary Conversion
o IPV4 Addresses (Class A, B, and C)
o Basic Mathematics



Subnetting Terminologies:
Subnet Mask: a mask used to determine which subnet an IP address belongs to.
Subnetting: the process of dividing a network into smaller network sections.
CIDR: Classless Inter-Domain Routing notation simply gives the number of bits in the subnet
mask, for example /14, /16, /24.
FLSM: Fixed-Length Subnet Masks; all subnets have the same number of available host
addresses.
VLSM: Variable-Length Subnet Masking is a way of further subnetting a subnet; subnets may
have different numbers of host addresses.
Supernetting: combines several networks into one larger one; supernetting reduces the
number of entries in a routing table.
Network ID: in classful addressing, the portion of the IP address that identifies the network.
Host ID: in classful addressing, the portion of the IP address that identifies the host.
Classful IP: addressing based on the default Class A, B or C networks.
Classless IP: addressing where you can use any subnet mask you want.
Default Subnet Mask: the subnet mask before subnetting, such as 255.0.0.0 for Class A,
255.255.0.0 for Class B and 255.255.255.0 for Class C.
Customized Subnet Mask: a subnet mask after subnetting, such as 255.128.0.0, 255.255.192.0
or 255.255.255.224.
Directed Broadcast (local broadcast): the last address of a subnet, heard by all hosts in that
subnet. Routers should not forward directed broadcasts arriving from other networks (Cisco
IOS has no ip directed-broadcast on by default), because forwarding them lets one packet be
amplified into a broadcast on the target subnet.
Limited (Full) Broadcast: 255.255.255.255, heard by all hosts on the local network; routers
never forward it.

Binary     Decimal   Bits Borrowed
10000000   128       1
11000000   192       2
11100000   224       3
11110000   240       4
11111000   248       5
11111100   252       6
11111110   254       7
11111111   255       8

Subnetting Math:
Subnetting involves binary arithmetic, because computers communicate in binary. Subnetting
needs two kinds of conversion: decimal to binary and binary to decimal. The binary system
works exactly like the decimal system except for the base: 2 in binary and 10 in decimal.
Binary digits are written in columns, and each position is worth double the position to its
right; to get the decimal value of a binary number, add up the values of the positions that
hold a 1.

Base Position   2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Decimal Value   128   64    32    16    8     4     2     1

Class A Subnets:
In Class A only the first octet is the network identifier and the remaining three octets are
assigned to hosts (16,777,214 hosts per network). To make more subnets in Class A, bits are
borrowed from the host part and the subnet mask is extended accordingly.
When subnetting, the first and last IP addresses of every subnet are still used for the subnet
number and the subnet broadcast address respectively. Because these two addresses cannot
be assigned to hosts, ordinary subnetting cannot use more than 30 network bits: /30 leaves
2 usable hosts, and /31 would leave none under the classic rule (RFC 3021 does allow /31 on
point-to-point links, where both addresses are used as hosts).



Class B Subnets:
By default, with classful networking, 14 bits are network bits (after the fixed leading 10),
giving 2^14 = 16,384 networks with 2^16 - 2 = 65,534 hosts each. Class B addresses can be
subnetted the same way as Class A addresses, by borrowing bits from the host bits.

Class C Subnets:
Class C addresses are normally assigned to very small networks, because a Class C network
can only have 254 hosts. Borrowing bits from the last octet splits it further; for example /26
gives four subnets of 62 usable hosts each.
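As an added worked example (not part of the original study guide), the following Python implements the subnetting arithmetic from the Network Address, Private Addresses, Subnetting Terminologies and Subnetting Math sections above directly with bit operations rather than through a library: the network address by logical AND, the broadcast address by OR with the inverted mask, the usable host count, splitting a network into fixed-length subnets, and classifying an address against the special ranges listed in this guide. The mask validation rejects non-contiguous masks, and /31 and /32 are handled per RFC 3021 instead of subtracting two reserved addresses. All addresses in the calls are constructed samples.

```python
"""IPv4 subnet arithmetic with plain bit operations (added example, no ipaddress module)."""

ALL_ONES = 0xFFFFFFFF


def dotted_to_int(addr: str) -> int:
    """Parse dotted-decimal text into a 32-bit integer, rejecting malformed input."""
    parts = addr.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not four octets: {addr!r}")
    value = 0
    for p in parts:
        if not p.isdigit() or int(p) > 255:
            raise ValueError(f"bad octet {p!r} in {addr!r}")
        value = (value << 8) | int(p)
    return value


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/n -> mask integer with n leading ones, e.g. /27 -> 255.255.255.224."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> /n; a mask must be contiguous ones then zeros (255.0.255.0 is invalid)."""
    m = dotted_to_int(mask)
    prefix = bin(m).count("1")
    if m != prefix_to_mask(prefix):
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix


def subnet_info(addr: str, prefix: int) -> dict:
    """Network, broadcast, usable host range and count for addr/prefix."""
    ip = dotted_to_int(addr)
    mask = prefix_to_mask(prefix)
    network = ip & mask                        # logical AND, as in the guide
    broadcast = network | (~mask & ALL_ONES)   # host bits all ones
    size = 1 << (32 - prefix)
    if prefix >= 31:
        # RFC 3021: /31 point-to-point links and /32 host routes reserve no addresses
        first, last, usable = network, broadcast, size
    else:
        first, last, usable = network + 1, broadcast - 1, size - 2
    return {
        "network": f"{int_to_dotted(network)}/{prefix}",
        "mask": int_to_dotted(mask),
        "broadcast": int_to_dotted(broadcast),
        "first_host": int_to_dotted(first),
        "last_host": int_to_dotted(last),
        "usable_hosts": usable,
    }


def subnets_of(network: str, old_prefix: int, new_prefix: int) -> list:
    """FLSM: split network/old_prefix into 2^(new-old) equal subnets of /new_prefix."""
    if not old_prefix <= new_prefix <= 32:
        raise ValueError("new prefix must be >= old prefix and <= 32")
    base = dotted_to_int(network) & prefix_to_mask(old_prefix)
    step = 1 << (32 - new_prefix)              # addresses per new subnet
    count = 1 << (new_prefix - old_prefix)     # one subnet per borrowed-bit pattern
    return [f"{int_to_dotted(base + i * step)}/{new_prefix}" for i in range(count)]


# Special ranges from the guide, checked in order (most specific first where they overlap).
SPECIAL_RANGES = [
    ("255.255.255.255", 32, "limited broadcast"),
    ("0.0.0.0", 8, "zero / this network"),
    ("10.0.0.0", 8, "private (RFC 1918)"),
    ("127.0.0.0", 8, "loopback"),
    ("169.254.0.0", 16, "link-local (APIPA)"),
    ("172.16.0.0", 12, "private (RFC 1918)"),
    ("192.168.0.0", 16, "private (RFC 1918)"),
    ("224.0.0.0", 4, "multicast (class D)"),
    ("240.0.0.0", 4, "reserved (class E)"),
]


def classify(addr: str) -> str:
    """Label an address as public or as one of the special ranges above."""
    ip = dotted_to_int(addr)
    for net, pfx, label in SPECIAL_RANGES:
        if ip & prefix_to_mask(pfx) == dotted_to_int(net):
            return label
    return "public"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(subnet_info("192.168.0.1", 24))
    print(subnet_info("172.16.37.200", mask_to_prefix("255.255.240.0")))
    print(subnets_of("192.168.1.0", 24, 26))
    for a in ("172.31.255.1", "172.32.0.1", "169.254.10.5", "224.0.0.5"):
        print(a, classify(a))
```

The classify step is the check worth keeping around: 172.32.0.1 looks private at a glance but is public, which is exactly the kind of boundary that gets wrong in firewall rules and NAT exemptions.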



LAN Switching:
A switch is an intelligent Layer 2 device used to extend a network. It operates full-duplex,
with separate paths for sending and receiving data, so no collisions occur and CSMA/CD is
not needed; a switch is a single broadcast domain (per VLAN) with a separate collision
domain on every port. A switch floods a frame the first time it sees an unknown destination
and unicasts it once the destination has been learned. The purpose of assigning an IP
address to a switch is to allow remote management of the switch. By default, Cisco router
interfaces are shut down, but Cisco switch interfaces are enabled by default, so unused
switch ports should be shut down or placed in an unused VLAN. A switch always floods a
frame out all ports except the ingress port in three situations: an unknown unicast frame, an
unknown multicast frame, and a broadcast frame.
Unknown Unicast Frame:
When a switch receives a frame whose destination MAC address has no entry in its CAM
table, the frame is flooded by default. This is called an unknown unicast frame.
Unicast:
When a switch receives a frame and the destination MAC address is in the CAM table, the
frame is forwarded as unicast out the single port recorded in the entry. If the destination
MAC address is known, there is no reason to flood the frame.
Machines may be removed from a port, turned off, or moved to another port on the same or
a different switch, which would leave stale entries and cause wrong forwarding. A MAC
address entry is therefore discarded (aged out) after 300 seconds of inactivity by default.
The switch MAC address table steps are: Learning, Filtering, Flooding, Forwarding and Aging.

MAC Learning and Aging:


Learning is the process of obtaining the MAC addresses of connected devices. When a frame
arrives on a switch port, the switch reads the source MAC address from the Ethernet frame
and compares it with its MAC address table. If there is no matching entry, the switch adds
the address together with the port on which the frame arrived. If the MAC address is already
in the table, the switch compares the incoming port with the port recorded in the table, and
if they differ it updates the entry with the new port (the host has moved). Whenever the
switch updates an entry it resets that entry's timer. Timers drive the aging process: aging
removes old entries and frees table memory for new ones. A MAC address entry is
automatically discarded (aged out) after 300 seconds of inactivity by default.
Frame Switching:
The switch forwards frames intelligently from port to port. If its MAC address table is fully
populated for all ports, then it filters the frame from being forwarded out ports unnecessarily. It
forwards the frame to the correct port based on the destination MAC address. If unicast frame
is received, the switch examines the MAC address table, finds the destination MAC address in
this table, and forwards the frame out only that port.



Frame Flooding:
When a frame has a destination address that is not in the MAC address table, the frame is
flooded out all ports other than the port on which it was received. The same happens when
the destination MAC address is the broadcast address or a multicast address.
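The following is an added example, not code from the original guide, that models the learning, forwarding, filtering, flooding and aging behaviour described in the sections above as a small Python switch. It also gives the CAM table a capacity, so the last scenario shows what happens when an attacker fills the table with bogus source MACs: the switch can no longer learn legitimate hosts and floods their unicast traffic out every port, including the attacker's. Port names and MAC addresses are constructed sample values.

```python
"""Toy Layer 2 switch: CAM-table learning, filtering, flooding, forwarding, aging (added example)."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Multicast and broadcast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class Switch:
    def __init__(self, ports, aging_time=300, capacity=8192):
        self.ports = list(ports)
        self.aging_time = aging_time   # seconds; Cisco IOS default is 300
        self.capacity = capacity       # the CAM table is finite hardware memory
        self.dynamic = {}              # mac -> (port, last_seen)
        self.static = {}               # mac -> port, configured, never aged
        self.learn_failures = 0        # frames whose source could not be learned (table full)

    def add_static(self, mac: str, port: str) -> None:
        """Equivalent of 'mac address-table static <mac> vlan <id> interface <port>'."""
        if port not in self.ports:
            raise ValueError(f"unknown port {port}")
        self.static[mac.lower()] = port

    def _age_out(self, now: float) -> None:
        """Aging: drop dynamic entries idle for aging_time seconds or longer."""
        expired = [m for m, (_, seen) in self.dynamic.items() if now - seen >= self.aging_time]
        for mac in expired:
            del self.dynamic[mac]

    def _learn(self, mac: str, port: str, now: float) -> None:
        """Learning: map the source MAC to the ingress port and refresh its timer;
        a host that moved simply overwrites its old entry."""
        if mac in self.static:
            return
        if mac not in self.dynamic and len(self.dynamic) >= self.capacity:
            self.learn_failures += 1   # table full: frame is still forwarded, nothing learned
            return
        self.dynamic[mac] = (port, now)

    def _lookup(self, mac: str):
        if mac in self.static:
            return self.static[mac]
        if mac in self.dynamic:
            return self.dynamic[mac][0]
        return None

    def receive(self, in_port: str, src: str, dst: str, now: float) -> list:
        """Process one frame arriving on in_port at time 'now'; return the egress port list."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        src, dst = src.lower(), dst.lower()
        if is_group_address(src):
            raise ValueError("source MAC may not be a group address")
        self._age_out(now)
        self._learn(src, in_port, now)
        out = self._lookup(dst)
        if is_group_address(dst) or out is None:
            # Flooding: broadcast, multicast and unknown unicast go everywhere but the ingress port
            return [p for p in self.ports if p != in_port]
        if out == in_port:
            return []                  # Filtering: destination sits on the same segment as the sender
        return [out]                   # Forwarding: known unicast leaves exactly one port


if __name__ == "__main__":
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    host_a, host_b = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed sample MACs
    print(sw.receive("Fa0/1", host_a, host_b, now=0))      # unknown unicast: flooded
    print(sw.receive("Fa0/2", host_b, host_a, now=1))      # A is known: forwarded to Fa0/1 only
    print(sw.receive("Fa0/1", host_a, host_b, now=310))    # B aged out: flooded again
```

Real switches key the table by VLAN as well as MAC; this model has a single VLAN. The capacity scenario is why port security (switchport port-security with a maximum MAC count per port) belongs on access ports: it stops one host from filling the table and turning the switch into a hub.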

MAC Address Table:


A switch maintains a dynamically built address table using the source MAC addresses of
received frames: for each frame it records the sender's MAC address together with the LAN
port on which the frame arrived. Dynamically learned entries live in RAM and are lost on a
switch reboot; only static entries saved in the startup configuration survive. To keep the
table clean, an aging timer removes inactive MAC addresses. The table has a finite capacity,
which is why flooding it with bogus source addresses (MAC flooding) degrades a switch to
hub-like flooding; port security limits the number of MAC addresses learned per port.

Managing MAC Address Table


Description                                  Commands
Change the default aging time                SW(config)# mac address-table aging-time seconds
Configure a static CAM table entry           SW(config)# mac address-table static mac-address vlan vlan-id interface interface-id
Display the MAC address table                SW# show mac address-table
Show dynamic MAC addresses                   SW# show mac address-table dynamic
Show static MAC addresses                    SW# show mac address-table static
Show number of MAC addresses in the table    SW# show mac address-table count
Display the MAC address table aging time     SW# show mac address-table aging-time
Show MAC addresses on a specific interface   SW# show mac address-table interface eth 0/0
Clear dynamic MAC addresses from the table   SW# clear mac address-table dynamic

Configuring Speed, Duplex, and Description:


Switch interfaces that support multiple speeds (10/100 and 10/100/1000) autonegotiate
speed and duplex by default. You can set them explicitly with the duplex {auto | full | half}
and speed {auto | 10 | 100 | 1000} interface subcommands. Note that hard-coding one side
while the other stays on auto commonly produces a duplex mismatch (the auto side falls back
to half duplex), which shows up as late collisions and CRC errors in show interface. The
description text interface subcommand adds a text description to the interface.

Description                                        Commands
Change interface duplex mode (auto, full, half)    SW(config)# interface f0/1
                                                   SW(config-if)# duplex auto
Change interface speed (10, 100, 1000 Mbps)        SW(config)# interface f0/1
                                                   SW(config-if)# speed 100
Add a description to the interface                 SW(config)# interface f0/1
                                                   SW(config-if)# description Connect to Server
Check interface status                             SW# show interfaces status
Check interface errors and problems                SW# show interface f0/1



Configure, Verify and Troubleshooting VLANs:
The normal VLAN range is VLAN 1 to 1005, of which VLANs 1002-1005 are reserved (legacy
Token Ring and FDDI VLANs). The extended VLAN range is VLAN 1006 to 4094. A voice VLAN
enables an access port to carry IP voice traffic from an IP phone; by default the voice VLAN
is disabled.

Type of VLAN   Description
Data           Used for normal user data
Voice          Used for IP phones / Voice over IP
Private        Used for isolation; divided into a primary and secondary VLANs
Management     The VLAN used for Telnet/SSH access for configuration; keep it separate from user data VLANs
Extended       Usable only if the VTP mode is transparent on the switches (VTP versions 1 and 2)
Native VLAN    The VLAN whose frames are sent untagged over a trunk link (VLAN 1 by default); best practice is to change it to an otherwise unused VLAN

Description                              Commands
Create VLAN 10                           SW(config)# vlan 10
Give the VLAN a name                     SW(config-vlan)# name HR
Delete a VLAN                            SW(config)# no vlan 10
Verify VLAN creation                     SW# show vlan brief
Verify the VLAN database (vlan.dat)      SW# show flash OR dir flash
Configure a voice VLAN                   SW(config)# vlan 5
Give the voice VLAN a name               SW(config-vlan)# name VOICE
Go to interface fast0/4                  SW(config)# interface f0/4
Put the interface in voice VLAN 5        SW(config-if)# switchport voice vlan 5
Verify switchport configuration          SW# show interface f0/4 switchport
Determine the physical status            SW# show interface fa 1/24 status

Access Port:
An access port transports traffic to and from only the single VLAN assigned to it; it carries
traffic for just that one VLAN. If no VLAN is configured for an access port, the interface
carries traffic in the default VLAN, which is VLAN 1 unless changed.

Description                            Commands
Select port FastEthernet0/1            SW(config)# interface FastEthernet0/1
Place port f0/1 in VLAN 2              SW(config-if)# switchport access vlan 2
Define the port as an access port      SW(config-if)# switchport mode access

VLAN Database:
The VLAN database is used to store vlan data, such as the VLAN ID, name and MTU. The default
location of the VLAN database is in the local vlan.dat file, this is stored in non-volatile memory.



Normal VLAN:
Normal VLANs range are VLANs 1-1005. Normal range VLANS can be configured in both
database configuration mode and global configuration mode and are stored in vlan.dat file in
Flash memory. VTP versions 1 and 2 can advertise normal range VLANs only.

Extended VLANs:
Extended VLANs fall in the range 1006 to 4094. They are mainly used in service-provider
networks to provision large numbers of customers. Apart from their higher numbers they
behave like normal VLANs, but with VTP versions 1 and 2 they can only be configured in VTP
transparent mode and are saved in the running-config rather than in vlan.dat (VTP version 3
can advertise them).

Voice VLAN:
A voice VLAN enables the access port to carry IP voice traffic from an IP phone. By default,
the voice VLAN is disabled. When enabled, all untagged traffic is sent according to the
default CoS priority of the port.

Description                           Commands
Verify VLAN database vlan.dat         SW# show flash OR dir flash
Verify VLAN creation                  SW# show vlan brief OR show vlan
Check VTP mode and status             SW# show vtp status
Configure a voice VLAN                SW(config)# vlan 5
                                      SW(config-vlan)# name VOICE
                                      SW(config)# interface f0/4
                                      SW(config-if)# switchport voice vlan 5
Verify switchport configuration       SW# show interface f0/4 switchport

Configure, Verify, and Troubleshoot Interswitch Connectivity:


Trunk Ports:
A trunk port is a port that is assigned to carry traffic for all the VLANs that are accessible by a
specific switch, a process known as trunking. Trunk ports mark frames with unique identifying
tags – either 802.1Q tags or Interswitch Link (ISL) tags – as they move between switches.
Therefore, every single frame can be directed to its designated VLAN.

Manual Pruning:
By default, all VLANs are allowed on a trunk interface. VLANs can be added or removed
manually with the switchport trunk allowed vlan command. Security best practice is to limit
the allowed VLANs to only those that need to traverse the trunk, so that a compromised
access switch cannot reach every VLAN in the network.



Description                                    Commands
Select interface f0/1 and make it a trunk      SW(config)# interface f0/1
                                               SW(config-if)# switchport mode trunk
Manually prune VLAN 10 from the trunk link     SW(config-if)# switchport trunk allowed vlan remove 10
Allow only VLANs 6 and 50 to 52                SW(config-if)# switchport trunk allowed vlan 6,50-52
Make VLAN 10 not eligible for VTP pruning      SW(config-if)# switchport trunk pruning vlan remove 10
Check VLAN status on all trunk interfaces      SW# show interfaces trunk
Check VLAN status on one trunk interface       SW# show interfaces interface-id trunk

DTP (Dynamic Trunking Protocol):


Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol that automatically
negotiates trunks between Cisco switches: it decides whether an interface becomes an
access port or a trunk. By default DTP is enabled and switch interfaces are in "dynamic auto"
or "dynamic desirable" mode, which means that whenever an interface receives a DTP packet
asking to form a trunk, it becomes a trunk. This is a security problem on ports facing end
hosts: anything that can send DTP frames can turn its access port into a trunk and then
reach every VLAN carried on it (VLAN hopping). Ports that should never trunk should be
configured with switchport mode access and switchport nonegotiate, and real trunk ports
with switchport mode trunk plus switchport nonegotiate so that no DTP frames are sent at all.

                    Dynamic Auto   Dynamic Desirable   Trunk            Access
Dynamic Auto        Access         Trunk               Trunk            Access
Dynamic Desirable   Trunk          Trunk               Trunk            Access
Trunk               Trunk          Trunk               Trunk            Not Compatible
Access              Access         Access              Not Compatible   Access

VTP (VLAN Trunking Protocol):


VLAN Trunking Protocol, or VTP, allows VLAN information to be managed from one or more
switches and automatically advertised to all switches in the same administrative domain. All
VTP-enabled switches in the same VTP domain can then update their VLAN databases to
maintain consistency throughout the switched environment. With the alternative being adding
and maintaining individual VLANs on each switch, VTP can dramatically increase administrative
efficiency. Switches can only participate and be configured for a single VTP domain.
Each switch within that domain must have the same VTP domain name configured; otherwise the
VLAN database information will not be synchronized. Because each switch can only be
configured with a single VTP domain, it will only listen and act on VTP advertisements it hears
that match its own configured VTP domain name. VTP advertises the VLAN ID, name, type, and
state for each VLAN. VTP does not advertise which switch interfaces are assigned to VLANs.
VLANs must still be assigned to specific access ports using the switchport access vlan command
on each switch.



VLAN Trunking Protocol (VTP):
 VLAN Trunking Protocol (VTP) reduces administration in a switched network.
 Used to synchronize VLAN creation, modification and deletion across switches.
 Does not assign ports to VLANs; that still needs manual assignment or VMPS.
 VTP is a Cisco proprietary protocol.
 In VTP version 1 and 2 every trunk port sends and receives VTP advertisements by default, whatever the VTP mode.
 VTP needs a VTP domain name (null by default) and a working trunk link.
 VTP version 1 is enabled by default.
 VTP version 1 and 2 cannot advertise extended-range (1006-4094) or private VLANs.
 In VTP version 1 and 2 a switch cannot turn VTP off; the closest option is transparent mode. Only VTPv3 has vtp mode off.

VTP Versions:
VTP currently has three versions: VTPv1, VTPv2 and VTPv3. VTPv1 is usually the default version
running on Cisco IOS switches; even new platforms with full VTPv3 support default to VTPv1 unless
configured otherwise. VTPv1 and VTPv2 provide basic VLAN learning for normal-range VLANs only
(1-1005).

VTP Version 1 & 2 Modes:


Server Mode:
Switches in VTP server mode can add, modify and delete VLANs. All changes are advertised to every
other switch in the domain. Each domain has at least one VTP server. By default, switches operate
in VTP server mode.
Client Mode:
Switches in VTP client mode cannot add or change VLANs, but they forward VTP advertisements and
update their own VLAN database to match what they hear. VTP servers and clients store the VLAN
configuration in the vlan.dat file in flash memory.
Transparent Mode:
VLANs can be created and modified, but only locally; the changes are not advertised to the domain.
A transparent switch does not synchronize its database from servers, but it still forwards
incoming VTP messages to its VTP neighbors (VTPv1 forwards them only when the domain name matches,
VTPv2 forwards them regardless). When a server or client is changed to transparent mode it keeps
its existing VLANs, but its configuration revision number is reset to 0.

VTP Configuration Revision Number:


The configuration revision number is used to decide whose VLAN database is newer. It increases
by one on every modification of the VLAN database (creating, deleting or renaming a VLAN). A
server or client replaces its whole database when it receives an advertisement for its own domain
with a higher revision number, regardless of which switch sent it. The range of the revision
number is 0-65535. Triggered updates are sent to the entire domain on every modification.
Resetting the Configuration Revision Number:
The revision number is reset to 0 by changing the switch to transparent mode and back, by
changing the VTP domain name, or by deleting vlan.dat from flash and reloading.
Security caveat: because the highest revision number wins, a switch (even a client, and even one
that was only ever used in a lab) that joins the domain with a higher revision number overwrites
the VLAN database of every switch, and every access port whose VLAN disappears goes down. Before
connecting a switch, check show vtp status, reset its revision number, and protect the domain
with a VTP password: advertisements carry an MD5 digest computed with the password, so a switch
that does not know it cannot inject a database.



Description                                Commands
Check VTP status and revision number       SW# show vtp status
Change the VTP version to 2                SW(config)# vtp version 2
Configure the VTP domain name              SW(config)# vtp domain Test
Configure VTP pruning                      SW(config)# vtp pruning
Set the VTP password                       SW(config)# vtp password test
Change the VTP version to 3                SW(config)# vtp version 3
Set the VTPv3 primary server (enable mode) SW# vtp primary
Disable VTP (VTPv3 only)                   SW(config)# vtp mode off

VTP Pruning:
VTP pruning makes more efficient use of trunk bandwidth by reducing unnecessary flooded traffic.
Broadcast, multicast and unknown unicast frames in a VLAN are forwarded over a trunk link only if
the switch on the receiving end of the trunk has ports in that VLAN. VTP pruning is disabled by
default and is enabled once, on a server, with vtp pruning. Only VLANs 2-1001 are pruning
eligible; VLAN 1, VLANs 1002-1005 and extended-range VLANs are never pruned by VTP and must be
removed from a trunk manually with switchport trunk allowed vlan if they are not wanted there.

802.1Q Or Dot1Q:
Dot1Q is IEEE 802.1Q, the standard for trunking encapsulation. On Cisco switches you configure
dot1q on trunk ports, which lets tagged frames be carried over a trunk link so that multiple
VLANs traverse one link. This extends the VLANs across the network. dot1Q trunks use VLAN 1 as
the default native VLAN. 802.1Q inserts a 4-byte tag into the Ethernet frame: a 2-byte TPID of
0x8100 followed by a 2-byte TCI holding 3 priority bits, 1 DEI bit and the 12-bit VLAN ID.
Description                                Commands
Select the interface to trunk              SW(config)# interface fa1/5
Set the trunk encapsulation to dot1q       SW(config-if)# switchport trunk encapsulation dot1q
Verify the trunk configuration             SW# show interfaces fa1/5 switchport
Verify the trunk configuration             SW# show interfaces fa1/5 trunk
Verify the trunk configuration             SW# show interfaces trunk
The encapsulation command exists only on platforms that also support ISL, where it must be set
before switchport mode trunk; platforms that support only dot1q reject it and trunk as dot1q.

Native VLAN:
The native VLAN is the VLAN whose frames travel untagged on an 802.1Q trunk port. By default the
native VLAN is 1. Any untagged frame received on a dot1q trunk is placed in the native VLAN. The
native VLAN ID must match on both ends of the trunk (CDP reports a mismatch and STP puts the port
into an inconsistent state). Best practice is to change the native VLAN on every trunk to an
unused VLAN that has no access ports, so that no host sits in the native VLAN: a host in the
native VLAN can send a double-tagged frame whose outer tag is stripped by the first switch and
whose inner tag then places the frame in another VLAN on the next switch (VLAN hopping). The
global command vlan dot1q tag native makes the switch tag native-VLAN frames on all trunks,
which also defeats that trick.
SW(config-if)# switchport trunk native vlan vlan-id
SW(config)# vlan dot1q tag native
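The double-tagging problem described above, as an added example (this code is not from the original guide and not from any Cisco product). It builds 802.1Q-tagged frames, parses the 4-byte tag, and models a trunk that sends the native VLAN untagged: the outer tag equal to the native VLAN is removed, so the inner tag decides the VLAN on the next switch. The switch behaviour is a simplified model and the MAC addresses and VLAN numbers are constructed for the example; the same functions also show why an unused native VLAN or vlan dot1q tag native contains the frame.

```python
"""Added example: build and parse IEEE 802.1Q-tagged Ethernet frames and model
how a trunk's untagged native VLAN enables double-tagging VLAN hopping.
The frames are constructed here; the switch behaviour is a simplified model,
not a capture from real hardware."""
import struct

TPID_8021Q = 0x8100          # EtherType that announces a VLAN tag
TAG_LEN = 4                  # TPID (2 bytes) + TCI (2 bytes)


def _mac(s):
    return bytes.fromhex(s.replace(":", "").replace(".", ""))


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Ethernet frame with one 802.1Q tag per VLAN ID in vids, outermost first.
    PCP and DEI bits of the TCI are left at zero."""
    frame = _mac(dst) + _mac(src)
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (vids outermost first, inner EtherType, payload)."""
    vids, off = [], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype != TPID_8021Q:
            return vids, etype, frame[off + 2:]
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)      # low 12 bits of the TCI are the VLAN ID
        off += TAG_LEN


def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """Send a frame belonging to `vlan` out of an 802.1Q trunk.
    Native-VLAN frames go untagged unless 'vlan dot1q tag native' is set
    (tag_native=True); going untagged means removing an outer tag that
    already carries the native VID, which exposes any tag underneath it."""
    vids, _, _ = parse_tags(frame)
    if vlan == native_vlan and not tag_native:
        if vids and vids[0] == native_vlan:
            return frame[:12] + frame[12 + TAG_LEN:]   # strip the outer tag
        return frame
    if vids and vids[0] == vlan:
        return frame                                   # already tagged correctly
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """VLAN a receiving trunk assigns: outer tag if present, else native VLAN."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def double_tag_hop(attacker_vlan, target_vlan, native_vlan, tag_native=False):
    """Attacker on an access port in attacker_vlan sends a frame tagged
    [attacker_vlan, target_vlan]. SW1 treats it as attacker_vlan traffic and
    forwards it over the trunk; SW2 classifies it by the outer tag it sees.
    Returns the VLAN SW2 delivers the frame into."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                        [attacker_vlan, target_vlan])
    on_trunk = trunk_egress(frame, attacker_vlan, native_vlan, tag_native)
    return trunk_ingress(on_trunk, native_vlan)


if __name__ == "__main__":
    print("native 1, attacker in VLAN 1    ->", double_tag_hop(1, 20, 1))        # 20: hopped
    print("native 999, attacker in VLAN 1  ->", double_tag_hop(1, 20, 999))      # 1: contained
    print("native 1 but native is tagged   ->", double_tag_hop(1, 20, 1, True))  # 1: contained
```

The hop only works when the attacker's access VLAN is also the trunk's native VLAN and the native VLAN is sent untagged; moving the native VLAN to an unused number, or tagging it, leaves the attacker's own tag in place and the frame stays in its VLAN.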



Configure, Verify and Troubleshooting Spanning Tree:
A switch floods frames with unknown unicast, multicast and broadcast destinations, so any
redundant link creates a Layer 2 loop. Loops cause unnecessary resource utilization, multiple
copies of the same frame, an unstable MAC address table and unnecessary frame lookups by hosts.
To prevent this, the Spanning Tree Protocol runs the Spanning Tree Algorithm (STA) to detect the
links that would form a loop and blocks them until the active path goes down or is disconnected.
To keep the tree, switches send BPDUs (Bridge Protocol Data Units) every 2 seconds and use them
to send and receive topology changes.
BPDUs are used for detecting Layer 2 loops, electing the root bridge, selecting root ports, and
synchronizing and acknowledging topology changes.
o The bridge ID is a 16-bit priority field followed by the 48-bit MAC address. With the extended
  system ID, the low 12 bits of the priority field carry the VLAN number, so the configurable
  priority is a multiple of 4096.
o Every switch ships with the same priority (32768), so by default the tie is broken by the
  lowest MAC address, which becomes the root bridge.
o The root bridge sets the STP timers and advertises them to all switches.
o The root bridge is also responsible for propagating topology change notifications.
o Every port on the root bridge is a designated port in the forwarding state.
o Nothing authenticates a BPDU: any device that sends one with a lower bridge ID becomes the
  root and pulls traffic through itself. This is why access ports should run BPDU Guard and
  uplinks toward non-root switches Root Guard, as described under the optional features below.

PVST+:
Per-VLAN STP Plus (PVST+) is Cisco's implementation of STP that runs a separate spanning-tree
instance for each configured VLAN in the network. PVST+ is usually the default STP mode on Cisco
switches.

RPVST+:
Rapid PVST+ (IEEE 802.1w) is an enhanced version of PVST+ and allows for faster spanning-tree
calculations and convergence in response to Layer 2 topology changes. Rapid PVST+ defines
three port states: discarding, learning, and forwarding, and provides multiple enhancements to
optimize network performance. UplinkFast and BackboneFast are not required for rapid
spanning tree because it’s already implemented by default.



Switch Priority:
By default, all Cisco Switches has a Bridge Priority or Switch Priority value of 32,768. Bridge
Priority or Switch Priority value decides which Switch can become Root Bridge (Root Switch). A
Switch with lowest Bridge Priority (Switch Priority) Value will become the Root Switch.

Port Priority:
Each port of a Switch has a Spanning Tree Port Priority value associated with it, 128 by default.
Gi0/1 128.25 P2P: Gi0/1 is the interface 128 is default value and 25 is port number. P2P
means Point-to-Point (Full Duplex) and Shr means Shared (Half Duplex).

Path Cost:
The Root Port is calculated by using the lowest accumulated Path Cost Value to reach the Root
Switch. The Spanning Tree Cost Value is inversely proportional to the associated bandwidth of
the path and therefore a path with a low cost value is more preferable than a path with high
cost value.
Port costs (802.1D short method):
Bandwidth    Cost
10 Mbps      100
100 Mbps     19
1 Gbps       4
10 Gbps      2
20 Gbps      1

STP port state                                    RSTP port state
Disabled (shut down by the administrator)         Discarding (no data frames forwarded)
Blocking (redundant link blocked)                 Discarding
Listening (processing BPDUs, no data frames)      Discarding
Learning (building the CAM table)                 Learning (building the CAM table)
Forwarding (converged, data flow allowed)         Forwarding (converged, data flow allowed)

Description                                        Commands
Enable Per-VLAN STP                                SW(config)# spanning-tree mode pvst
Enable Rapid PVST+                                 SW(config)# spanning-tree mode rapid-pvst
Configure the switch as primary root               SW(config)# spanning-tree vlan 1 root primary
Configure the switch as secondary root             SW(config)# spanning-tree vlan 1 root secondary
Configure the switch priority (multiples of 4096)  SW(config)# spanning-tree vlan 1 priority <0-61440>
Verify spanning tree                               SW# show spanning-tree vlan 1
Verify spanning tree features                      SW# show spanning-tree summary
Configure path cost on an interface                SW(config-if)# spanning-tree cost 10
Configure port priority on an interface            SW(config-if)# spanning-tree vlan 1 port-priority 64
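The election and root-port selection described in the spanning-tree sections above, carried out in code as an added example (not from the original guide and not Cisco software). It builds bridge IDs from priority, extended system ID and MAC, elects the root, and computes every switch's root port from accumulated path cost using the cost table above, then shows what happens when one switch (or a rogue device on an unguarded port) advertises priority 4096. The three-switch topology, its MAC addresses and port names are constructed for the example, and the sender/receiver port-ID tie-breakers are not modelled.

```python
"""Added example: STP root-bridge election and root-port selection computed
from bridge IDs and the port-cost table. The three-switch topology is
constructed for the example; it is not from the original page."""
import heapq

# 802.1D short-method port costs (from the table above)
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority, vlan, mac):
    """64-bit bridge ID: 4-bit priority (a multiple of 4096), 12-bit extended
    system ID (the VLAN number), then the 48-bit MAC. Lower wins, so
    'show spanning-tree' for VLAN 1 shows priority 32769 on a default switch."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1-4094")
    mac_int = int(mac.replace(":", "").replace(".", ""), 16)
    return ((priority + vlan) << 48) | mac_int


def elect_root(bridges, vlan):
    """bridges: {name: (priority, mac)}; returns the name with the lowest bridge ID."""
    return min(bridges, key=lambda n: bridge_id(bridges[n][0], vlan, bridges[n][1]))


def root_ports(bridges, links, vlan):
    """links: (switch_a, port_a, switch_b, port_b, speed_mbps) for each segment.
    A switch's root path cost is the sender's root path cost plus the cost of
    the port on which the BPDU is received. Dijkstra from the root, breaking
    equal-cost ties on the sender's bridge ID as STP does.
    Returns (root, {switch: (root_port, root_path_cost)}) for non-root switches."""
    root = elect_root(bridges, vlan)
    bid = {n: bridge_id(p, vlan, m) for n, (p, m) in bridges.items()}
    adj = {n: [] for n in bridges}            # sw -> [(neighbour, neighbour's port, cost)]
    for a, pa, b, pb, speed in links:
        adj[a].append((b, pb, PORT_COST[speed]))
        adj[b].append((a, pa, PORT_COST[speed]))
    best = {root: (0, 0, None)}               # sw -> (root path cost, sender BID, root port)
    heap = [(0, 0, root)]
    while heap:
        cost, sender, sw = heapq.heappop(heap)
        if (cost, sender) > best[sw][:2]:
            continue                          # stale heap entry
        for nbr, nbr_port, link_cost in adj[sw]:
            cand = (cost + link_cost, bid[sw], nbr_port)
            if nbr not in best or cand < best[nbr]:
                best[nbr] = cand
                heapq.heappush(heap, (cand[0], cand[1], nbr))
    return root, {sw: (port, cost) for sw, (cost, _, port) in best.items() if sw != root}


# Constructed topology: all switches at default priority, so the lowest MAC wins
BRIDGES = {
    "SW1": (32768, "0000.0000.1111"),
    "SW2": (32768, "0000.0000.2222"),
    "SW3": (32768, "0000.0000.3333"),
}
LINKS = [
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 1000),
    ("SW1", "Fa0/1", "SW3", "Fa0/1", 100),
    ("SW2", "Gi0/2", "SW3", "Gi0/2", 1000),
]


def rogue_root(bridges, rogue, priority=4096):
    """What happens when `rogue` (or an attacker's software bridge plugged into
    an unguarded port) advertises a lower priority: it wins the election and
    every other switch re-roots toward it."""
    changed = dict(bridges)
    changed[rogue] = (priority, bridges[rogue][1])
    return changed


if __name__ == "__main__":
    print(root_ports(BRIDGES, LINKS, 1))
    print(root_ports(rogue_root(BRIDGES, "SW3"), LINKS, 1))
```

With the default priorities SW1 is root; SW3 prefers the two-hop gigabit path through SW2 (cost 4 + 4) over its direct FastEthernet link (cost 19). Once SW3 claims priority 4096 the whole tree re-roots toward it, which is exactly the effect BPDU Guard and Root Guard are there to prevent.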



Spanning Tree Timers:

Hello Time:
The Hello Time defines the interval the Root Bridge will send out Configuration BPDUs. This is
set to 2 seconds by default.
Forward Delay:
The Forward Delay is the length of the Listening and Learning states. This is 15 seconds by
default.
Maximum Age:
The Maximum Age timer, often referenced as MaxAge, is the length of time each switch will
save the superior BPDU’s information before discarding it. This is 20 seconds by default.
Description Commands
Display STP details SW# show spanning-tree vlan 1
Changing STP Hello time SW(config)#spanning-tree vlan 1 hello-time 5
Changing STP Forward Delay time SW(config)#spanning-tree vlan 1 forward-time 20
Changing STP Maximum Age time SW(config)#spanning-tree vlan 1 max-age 40

Configure, Verify and Troubleshoot STP Optional Features:


Port Fast:
PortFast skips the listening and learning states so the port goes straight to forwarding. It is
meant for ports that connect to a workstation or server, not to another switch, because a switch
on a PortFast port can create a loop while STP has not yet converged. PVST+, rapid PVST+ and MSTP
all support it. It can be enabled per interface or globally; enabled globally, it applies to every
access (edge) port, and a trunk port needs spanning-tree portfast trunk explicitly.

BPDU Guard:
BPDU Guard puts a PortFast-enabled port into the err-disabled state immediately if a BPDU is
received on it, so a rogue switch or a host sending forged BPDUs cannot join the spanning tree
through an access port. It can be configured globally (then it applies to all PortFast ports) or
per interface (then it works even without PortFast). The port stays err-disabled until it is
bounced with shutdown and no shutdown, or errdisable recovery cause bpduguard is configured.
Description Commands
Interface-level PortFast Configuration SW(config)#interface f0/1
SW(config-if)#spanning-tree portfast
Global PortFast Configuration SW(config)#spanning-tree portfast default
BPDU Guard Global Configuration SW(config)#spanning-tree portfast bpduguard
default
BPDU Guard Interface-level SW(config)# interface f0/1
Configuration SW(config-if)#spanning-tree bpduguard enable
Check root guard inconsistent port SW# show spanning-tree inconsistentports
BPDU Guard and BPDU Filter verification SW# show spanning-tree summary
BPDU Guard & BPDU Filter verification SW# show spanning-tree interface f0/0 detail



Configure and Verify Layer 2 Protocols:
CDP (Cisco Discovery Protocol) and LLDP (Link Layer Discovery Protocol) let directly connected
network devices exchange information about themselves. CDP is Cisco proprietary and LLDP is an
industry standard (IEEE 802.1AB). CDPv2 is used to provision Cisco IP phones with the voice VLAN,
Quality of Service (QoS) and power information. Both protocols reveal the platform, software
version, port and management address to anything on the link, so disable them on ports that face
users or untrusted networks and keep them only where neighbor discovery is needed (for example
toward IP phones and other switches).

LLDP (Link Layer Discovery Protocol)                 CDP (Cisco Discovery Protocol)
Layer 2 discovery protocol                           Layer 2 discovery protocol
Open standard (IEEE 802.1AB)                         Cisco proprietary protocol
Uses TLVs (Type, Length, Value) to exchange          Uses TLVs (Type, Length, Value) to exchange
information with directly connected neighbors        information with directly connected neighbors
LLDP messages carry port ID, system name,            CDP messages carry device ID, IP address,
system capabilities and management address           port ID, VLAN and hardware platform
Supports a voice VLAN on switch ports (LLDP-MED)     CDPv2 supports a voice VLAN on switch ports
Sent to multicast address 01-80-C2-00-00-0E          Sent to multicast address 01-00-0C-CC-CC-CC
Disabled by default                                  Enabled by default
Advertisements sent every 30 seconds                 Advertisements sent every 60 seconds
Advertised hold time 120 seconds                     Advertised hold time 180 seconds
Globally enable LLDP                                 Globally enable CDP
SW(config)# lldp run                                 SW(config)# cdp run
Globally disable LLDP                                Globally disable CDP
SW(config)# no lldp run                              SW(config)# no cdp run
Enable LLDP on an interface                          Enable CDP on an interface
SW(config-if)# lldp transmit                         SW(config-if)# cdp enable
SW(config-if)# lldp receive
Disable on an untrusted interface                    Disable on an untrusted interface
SW(config-if)# no lldp transmit                      SW(config-if)# no cdp enable
SW(config-if)# no lldp receive
N/A                                                  Enable CDP version 2
                                                     SW(config)# cdp advertise-v2
SW# show lldp neighbors                              SW# show cdp neighbors
SW# show lldp entry *                                SW# show cdp entry *
SW# show lldp traffic                                SW# show cdp traffic
SW# show lldp                                        SW# show cdp
SW# show lldp interface                              SW# show cdp interface
SW(config)# lldp timer <seconds>                     SW(config)# cdp timer <seconds>
SW(config)# lldp holdtime <seconds>                  SW(config)# cdp holdtime <seconds>
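What one LLDP advertisement actually discloses, as an added example (not from the original guide and not Cisco code): it builds a constructed LLDP frame to the 01-80-C2-00-00-0E multicast address from the TLV types listed above, then parses the 7-bit type / 9-bit length TLV headers the way a neighbor does. The switch name, MAC, port, version string and management address in the sample are invented for the example; the parser checks every TLV length against the frame so that a malformed advertisement cannot make it read past the buffer.

```python
"""Added example: build a constructed LLDP frame and parse its TLVs, to show
what a neighbour (or anyone listening on the segment) learns from one
advertisement. The frame is built here, not captured from a real switch."""
import struct

LLDP_MCAST = "01:80:c2:00:00:0e"
ETHERTYPE_LLDP = 0x88CC
TLV_NAME = {0: "end", 1: "chassis_id", 2: "port_id", 3: "ttl", 4: "port_description",
            5: "system_name", 6: "system_description", 7: "capabilities",
            8: "management_address"}
CAP_BIT = {0x01: "other", 0x02: "repeater", 0x04: "bridge", 0x08: "wlan-ap",
           0x10: "router", 0x20: "telephone", 0x40: "docsis", 0x80: "station"}


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def tlv(tlv_type, value):
    """LLDP TLV header: 7-bit type, 9-bit length, then the value."""
    if len(value) >= 512:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac, chassis_mac, port_name, ttl, sys_name, sys_desc,
                     caps, mgmt_ipv4):
    """Minimal LLDPDU: chassis ID (subtype 4, MAC), port ID (subtype 5,
    interface name), TTL, system name/description, capabilities (the same
    bits advertised as supported and enabled) and an IPv4 management address."""
    mgmt = (bytes([5, 1]) + bytes(int(o) for o in mgmt_ipv4.split("."))  # addr len, subtype 1 = IPv4
            + bytes([1]) + struct.pack("!I", 0) + bytes([0]))             # ifnum subtype, ifnum, OID len
    body = (tlv(1, b"\x04" + _mac(chassis_mac)) + tlv(2, b"\x05" + port_name.encode())
            + tlv(3, struct.pack("!H", ttl)) + tlv(5, sys_name.encode())
            + tlv(6, sys_desc.encode()) + tlv(7, struct.pack("!HH", caps, caps))
            + tlv(8, mgmt) + tlv(0, b""))
    return _mac(LLDP_MCAST) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_LLDP) + body


def parse_lldp(frame):
    """Walk the TLVs and return the information a neighbour would display."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    info, off = {}, 14
    while off + 2 <= len(frame):
        (hdr,) = struct.unpack_from("!H", frame, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")        # never trust the length field
        off += 2 + length
        if tlv_type == 0:
            break
        if tlv_type == 1 and value[:1] == b"\x04":
            info["chassis_id"] = ":".join(f"{b:02x}" for b in value[1:])
        elif tlv_type == 2 and value[:1] == b"\x05":
            info["port_id"] = value[1:].decode("ascii", "replace")
        elif tlv_type == 3 and length == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type in (4, 5, 6):
            info[TLV_NAME[tlv_type]] = value.decode("utf-8", "replace")
        elif tlv_type == 7 and length == 4:
            _supported, enabled = struct.unpack("!HH", value)
            info["capabilities"] = sorted(n for bit, n in CAP_BIT.items() if enabled & bit)
        elif tlv_type == 8 and length >= 6 and value[0] == 5 and value[1] == 1:
            info["management_address"] = ".".join(str(b) for b in value[2:6])
        else:
            info.setdefault("unparsed", []).append(tlv_type)
    return info


# Constructed sample advertisement from a hypothetical core switch
SAMPLE_FRAME = build_lldp_frame(
    src_mac="00:1b:54:aa:bb:01", chassis_mac="00:1b:54:aa:bb:00", port_name="Gi0/1",
    ttl=120, sys_name="core-sw1",
    sys_desc="Cisco IOS Software (constructed sample), Version 15.2(4)E",
    caps=0x14, mgmt_ipv4="10.0.0.2")

if __name__ == "__main__":
    for k, v in parse_lldp(SAMPLE_FRAME).items():
        print(f"{k:20} {v}")
```

Everything the parser returns is what an attacker on the same segment gets for free every 30 seconds: hostname, chassis MAC, the port they are plugged into, the software version to look up, and the management IP to aim at. That is the reason for the no lldp transmit / no cdp enable rows in the table above.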



Configure and Verify EtherChannel:
EtherChannel combines multiple physical links into a single logical link for load sharing and
fault tolerance. It is also known as bundling or a port channel. Interfaces are bundled in one of
three modes: LACP, PAgP or on. Benefits: increased bandwidth and availability, load sharing,
automatic configuration, faster convergence (STP sees one link instead of blocking the extras),
lower cost, and the bundle can be Layer 2 or Layer 3 and used as a trunk, access or tunnel port.
LACP (Link Aggregation Control Protocol):
LACP is the IEEE standard (802.3ad, now 802.1AX). It combines multiple links into a single logical
link to increase bandwidth and redundancy. All links participating in a single logical link must
have the same settings, such as duplex mode, link speed, and interface mode (access or trunk). You
can have up to 16 ports in an LACP EtherChannel, but only eight can be active at one time. LACP
can be configured in either passive or active mode. In active mode, the port actively tries to
bring up LACP. In passive mode, it does not initiate the negotiation and only answers an active
peer; two passive ends never form a channel.
Description                                   Commands
Select the range of interfaces                SW(config)# interface range f0/1 -2
Shut the interface range down while configuring   SW(config-if-range)# shutdown
Set the trunk encapsulation                   SW(config-if-range)# switchport trunk encapsulation dot1q
Make the selected interfaces trunks           SW(config-if-range)# switchport mode trunk
Set the EtherChannel protocol to LACP         SW(config-if-range)# channel-protocol lacp
Set LACP mode active (or passive)             SW(config-if-range)# channel-group 1 mode active
Verify the EtherChannel summary               SW# show etherchannel summary
Verify the EtherChannel details               SW# show etherchannel detail

PAgP (Port Aggregation Protocol):


Cisco’s proprietary Port Aggregation Protocol. It also creates EtherChannel links and is
configured similarly to LACP. Configuring PAgP properly and it will automatically configure
individual ports into a single logical link. There are two modes for PAgP: auto – This is the
passive negotiating state which responds to PAgP packets. desirable – Places interface into an
active negotiating state. Having two ends of a PAgP link in auto mode will not result in a PAgP
link because neither will negotiate to bring up the PAgP EtherChannel. PAgP protocol data units
(PDUs) are sent and received on the lowest numbered VLAN of the trunk link. You can have up
to eight ports in a single PAgP EtherChannel. Just like LACP, all ports in a PAgP EtherChannel
must have the same speed and duplex settings.
Description                                   Commands
Select the range of interfaces                SW(config)# interface range f0/1 -2
Set the trunk encapsulation                   SW(config-if-range)# switchport trunk encapsulation dot1q
Make the selected interfaces trunks           SW(config-if-range)# switchport mode trunk
Set the EtherChannel protocol to PAgP         SW(config-if-range)# channel-protocol pagp
Set PAgP mode auto (or desirable)             SW(config-if-range)# channel-group 1 mode auto
Verify the EtherChannel summary               SW# show etherchannel summary
Verify the EtherChannel details               SW# show etherchannel detail



EtherChannel Static:
Switch ports can be configured to bypass LACP and PAgP by setting the mode to on. This mode
statically configures the EtherChannel and can be used when the device on the other end does not
support PAgP or LACP. Because mode on sends no negotiation frames, the other end must also be on,
and a misconfiguration (different settings on the two ends, or a port that belongs to a different
bundle) is not detected and can create a loop or black-hole traffic; prefer LACP where both ends
support it.
Description                                   Commands
Select the range of interfaces                SW(config)# interface range f0/1 -2
Shut the interface range down while configuring   SW(config-if-range)# shutdown
Set the trunk encapsulation to dot1q          SW(config-if-range)# switchport trunk encapsulation dot1q
Make the selected interfaces trunks           SW(config-if-range)# switchport mode trunk
Set static mode on                            SW(config-if-range)# channel-group 1 mode on
Verify the EtherChannel summary               SW# show etherchannel summary
Verify the EtherChannel details               SW# show etherchannel detail
Verify the port-channel interface             SW# show etherchannel port-channel

Layer 3 EtherChannel:
Description                                   Commands
Create the port-channel interface             SW(config)# interface port-channel 1
Set the port-channel interface to Layer 3     SW(config-if)# no switchport
Assign an IP address to the port channel      SW(config-if)# ip address 10.10.10.1 255.255.255.0
Select the range of physical interfaces       SW(config)# interface range f0/1 -2
Shut the interfaces down while configuring    SW(config-if-range)# shutdown
Set the interface range to Layer 3            SW(config-if-range)# no switchport
Set static mode on                            SW(config-if-range)# channel-group 1 mode on
Bring the interfaces back up                  SW(config-if-range)# no shutdown
Verify the EtherChannel summary               SW# show etherchannel summary
Verify the EtherChannel details               SW# show etherchannel detail
Verify the port-channel interface             SW# show etherchannel port-channel



Benefits of Switch Stacking and Chassis Aggregation:
Switch Stacking:
Cisco introduced the StackWise and StackWise Plus technologies to let separate physical switches
act as a single logical switch. StackWise is available on switch models such as the Cisco Catalyst
3750-E, 3750-X and 3850 platforms.
o Physical switches must be connected to each other using special-purpose stacking cables.
o Each switch has two stack ports; switches are connected in a daisy-chain ring.
o A single IP address manages all the physical switches.
o Better resource utilization and aggregation.
o STP, CDP, VTP and other protocols see the stack as a single switch.
o Switches can be added to and removed from the stack while it is running.
o Traffic flows in both directions on the stack cables.
o Sub-second failover.
o A master switch is elected to handle management and control functions.
o One centralized MAC address table for all the physical devices.

Chassis Aggregation:
Chassis aggregation is another Cisco technology that makes multiple switches operate as a single
switch. Virtual Switching System (VSS) is very platform-specific; currently it runs only on
certain 6500, 6800 and 4500 series switches. There are exactly two switches in a VSS domain. VSS
works by bundling links into a port channel dedicated to communication between the two switches
in the VSS domain and to forwarding data traffic that flows between the chassis. This port channel
is called the Virtual Switch Link (VSL). The VSL links are not physically separate ports dedicated
to VSS functions; they are ordinary interfaces on the switch that are designated as VSL links by
configuration.



Routing Concepts:
Packet Handling & Forwarding Decision:
When a IPv4 packet arrives on a router interface, the router de-encapsulates the Layer 2
frame and examines the Layer 3 IPv4 header. The router identifies the destination IPv4
address, and proceeds through the route lookup process. The router scans the routing
table to find a best match for the destination IPv4 address. The best match is the longest
match in the table. For example, if the destination IPv4 address is 172.16.0.10 and the
entries in the routing table are for 172.16.0.0/12, 172.16.0.0/18, and 172.16.0.0/26, the
longest match and the entry used for the packet is 172.16.0.0/26.

Frame Rewrite:
In the frame rewrite procedure the router encapsulates the IP packet, with the same source and
destination IP addresses the original sender used, into a new Layer 2 frame. It sets the source
MAC address to that of its own forwarding interface and the destination MAC address to that of
the receiving interface on the next-hop device. A new FCS is computed and added as the frame
trailer. This process repeats from hop to hop on Ethernet networks until the packet reaches the
destination host.

Components of a Routing Table:



Routing Prefix & Network Mask:
A subnetwork or subnet is a logical subdivision of an IP network. It is expressed in CIDR notation
as the first address of the network, followed by a slash (/) and the bit length of the prefix, for
example 172.16.4.0/28. Here 172.16.4.0 is the destination network, identifying the address of the
remote network, and /28 is the network mask.
Next Hop:
Identifies the IPv4 address of the next router to which the packet is forwarded, for example
209.165.200.226 in the table above.

Routing Protocol Code:


It’s called Route Source Identifies how the route was learned. Common codes include O (OSPF),
D (EIGRP), R (RIP), S* (Static Default), S (Static) and B (BGP). Example like R in above given table.

Administrative Distance:
Administrative distance is the feature routers use to select the best path when two or more
different routing sources offer routes to the same destination. It expresses how trustworthy a
routing source is. The administrative distance is a number from 0 to 255; the lowest
administrative distance is the most preferred, and 255 means the route is never installed.
Route Source                  Default Administrative Distance
Connected interface           0
Static route                  1
eBGP                          20
EIGRP (internal)              90
OSPF                          110
RIP                           120
External EIGRP                170
iBGP                          200

Metric:
Routers use various metrics and calculations to determine the best route for a packet to reach
its final network destination. Each routing protocol uses its own algorithm with varying weights
to determine the best possible path. Identifies the value assigned to reach the remote network.
Lower values indicate preferred routes. Example like 2 hops in above given table.
Gateway of Last Resort:
A Gateway of Last Resort or Default gateway is a route used by the router when no other
known route exists to transmit the IP packet. Known routes are present in the routing table.
Hence, any route not known by the routing table is forwarded to the default route. Use the ip
default-gateway command when ip routing is disabled on a Cisco router. Use the ip default-
network and ip route 0.0.0.0 0.0.0.0 commands to set the gateway of last resort on Cisco
routers that have ip routing enabled.



Administrative Distance Role in Routing Table:
Routing protocols uses metrics for calculating best path for a remote network. Distance Vector
Routing Protocols use Distance (Hop-Count) as their metric. Link State Protocols use Cost as
their metric. EIGRP use minimum bandwidth and delay as their metric. If router is running
multiple routing protocols, administrative distance is used to determine which routing protocol
to trust the most. Routing protocol with lowest administrative distance wins.

Configure, Verify, and Troubleshoot Inter-VLAN Routing:


Configuring VLANs helps control the size of the broadcast domain and keeps local traffic local.
However, when an end station in one VLAN needs to communicate with an end station in
another VLAN, Inter-VLAN communication is required. This communication is supported by
Inter-VLAN routing. Network devices in different VLANs cannot communicate with one another
without a router to route traffic between the VLANs. In most network environments, VLANs are
associated with individual networks or subnetworks.
Router on a Stick:
The router on a stick configuration provides us with the ability to perform Inter-VLAN routing.
Single physical interface routes traffic between multiple VLANs on a network. Many sub-
Interfaces are configured in a router that is independently configured with an IP address and
VLAN assignment to permit devices on separate VLANs to communicate.



Description                              Commands
Create the VLANs on the switch           SW(config)# vlan 10
                                         SW(config-vlan)# name Student
                                         SW(config)# vlan 20
                                         SW(config-vlan)# name Teacher
Assign interfaces to the VLANs           SW(config)# interface range FastEthernet 0/1-3
                                         SW(config-if-range)# switchport mode access
                                         SW(config-if-range)# switchport access vlan 10
                                         SW(config)# interface range FastEthernet 0/4-6
                                         SW(config-if-range)# switchport mode access
                                         SW(config-if-range)# switchport access vlan 20
Make the switch interface connected      SW(config)# interface FastEthernet 0/7
to the router a trunk                    SW(config-if)# switchport mode trunk
Bring up the router's physical interface R(config)# interface FastEthernet 0/0
                                         R(config-if)# no shutdown
Create the sub-interfaces and apply      R(config)# interface FastEthernet 0/0.10
the dot1Q encapsulation and VLAN IDs     R(config-subif)# encapsulation dot1Q 10
                                         R(config-subif)# ip address 192.168.1.1 255.255.255.0
                                         R(config)# interface FastEthernet 0/0.20
                                         R(config-subif)# encapsulation dot1Q 20
                                         R(config-subif)# ip address 192.168.2.1 255.255.255.0
Switch show commands                     SW# show vlan brief
                                         SW# show interfaces trunk
Router show commands                     R# show ip interface brief
                                         R# show running-config

SVI (Switch Virtual Interface):


Configure an SVI (Switch Virtual Interface) for each VLAN and put an IP address on it. That IP
address is the default gateway for the computers in the VLAN. Routing between the SVIs must be
enabled with the ip routing command; if you forget it, the switch does not build a routing table
and the VLANs stay isolated. Using a Layer 3 switch instead of a switch plus a router on a stick
reduces the complexity and the cost of the topology.



Description                              Commands
Create the VLANs on the multilayer       SW(config)# vlan 10
switch                                   SW(config-vlan)# name Student
                                         SW(config)# vlan 20
                                         SW(config-vlan)# name Teacher
Assign interfaces to the VLANs on the    SW(config)# interface range FastEthernet 0/1-3
Layer 3 switch                           SW(config-if-range)# switchport mode access
                                         SW(config-if-range)# switchport access vlan 10
                                         SW(config)# interface range FastEthernet 0/4-6
                                         SW(config-if-range)# switchport mode access
                                         SW(config-if-range)# switchport access vlan 20
Create the SVIs and assign IP            SW(config)# interface vlan 10
addresses to them                        SW(config-if)# ip address 192.168.1.1 255.255.255.0
                                         SW(config-if)# no shutdown
                                         SW(config)# interface vlan 20
                                         SW(config-if)# ip address 192.168.2.1 255.255.255.0
                                         SW(config-if)# no shutdown
Enable IP routing                        SW(config)# ip routing
Switch show commands                     SW# show ip interface brief
                                         SW# show running-config
                                         SW# show ip route



Compare & Contrast Static Routing & Dynamic Routing:
Static Routing:
In static routing the administrator manually enters all routing table information. A static
route tells the router the exact location of a network. Static routing works well only in small
networks. Static routes are configured between routers to allow data transfer without a dynamic
routing protocol. The command syntax is: ip route network mask {next-hop-address | exit-interface}
[distance]. Example: ip route 2.0.0.0 255.0.0.0 1.0.0.2. Here 2.0.0.0 is the destination network
or subnet, 255.0.0.0 is its subnet mask and 1.0.0.2 is the next-hop address.
Advantages of Static Routing:
 Easy to configure.
 More secure: no routing updates are exchanged, so there is nothing for a rogue router to poison.
 Uses few router resources.
 Requires no bandwidth for updates.
 Suited to small networks.
 No advanced knowledge of routing protocols is required.
Disadvantages of Static Routing:
 No automatic failover: when a link or next hop changes, the administrator must update every affected router by hand.
 The administrator must know every destination network and the correct next hop for it.
 Does not scale; in a large network the number of routes to maintain grows quickly.

Dynamic Routing:
Dynamic routing protocols respond to changes in the network automatically. The routing protocol
is configured on each router, and the routers learn about each other and about remote networks.
The routing table is created, maintained and updated by the routing protocol running on the
router. Examples of routing protocols are RIP, EIGRP, OSPF and BGP. Dynamic routing protocols
share routing updates with their neighbors and choose the best path to each destination network
based on the protocol's metric.
Advantages of Dynamic Routing:
 Dynamically chooses a different route if a link goes down.
 Can load balance between multiple links.
 Updates are shared between routers automatically.
Disadvantages of Dynamic Routing:
 Routing protocols put additional load on router CPU and RAM.
 The choice of the best route is in the hands of the routing protocol.
 Routing updates are a new attack surface: without neighbor authentication, a rogue device on a link can inject routes.



Compare & Contrast Distance Vector & Link State Routing Protocols:

Distance Vector:
A distance vector routing protocol uses distance (the metric value) and direction (the vector, the
next-hop neighbor) to find the best path to a destination network. A router receives routing
updates from its neighboring routers, which in turn received them from their neighbors, all the
way back to the destination network. Every router on the way to the destination is a hop, and each
time a route passes through a router its hop count increases by one. The route with the lowest hop
count is chosen as the best path and placed in the routing table. RIP is the classic distance
vector routing protocol. These protocols send their entire routing table to directly connected
neighbors, converge slowly and are prone to routing loops. Distance vector protocols maintain only
a routing table.

Link State:
Link state routing protocols operate differently. Routers send information about the state of
their links to the entire network or to the area they belong to, so every router learns the whole
topology. Each time a change is announced they run the shortest-path algorithm again to recompute
the best routes, which makes link state protocols more processor intensive. Link state protocols
send only triggered updates, not periodic ones, and maintain three separate tables: the neighbor
table, the topology table and the routing table.

Compare & Contrast Interior & Exterior Routing Protocols:


Interior Gateway Protocol (IGP):
An Interior Gateway Protocol is a routing protocol that operates within an Autonomous System (AS),
such as Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP),
Routing Information Protocol (RIP) and Intermediate System to Intermediate System (IS-IS). Routers
running an IGP are usually under the same administration, that of one company, organization or
individual.

Exterior Gateway Protocol (EGP):
An Exterior Gateway Protocol is a routing protocol that operates between different Autonomous
Systems. Border Gateway Protocol (BGP) is the only EGP in use today; it is used between ISPs and
other organizations on the Internet to exchange reachability information.

Created by Ahmad Ali E-Mail: [email protected] ,Mobile: 0580906422 Page 54 of 107


Configure, Verify, and Troubleshoot IPv4 Static Routing:
When routers learn routes from an administrator rather than from a routing protocol, it is called
static routing. In static routing the administrator must add every destination network manually,
and if anything changes in the network the administrator must update every affected router by
hand. Static routes generate no protocol traffic and cannot be influenced by a rogue neighbor
sending routing updates, which is why they are common on stub links and at security boundaries.

Default Route:
A default route, also known as the gateway of last resort, is a special type of static route.
Where a normal static route specifies the path to a specific destination, a default route
(0.0.0.0/0) specifies the path the router should use when no other route in the table matches the
destination address. All packets whose destination matches no more specific route are forwarded
along the default route.

Network Route:
A network route is a route whose destination is a whole network or subnet (for example
192.168.1.0/24) rather than a single host. Most entries in a routing table are network routes;
when several routes match a destination, the router uses the one with the longest matching prefix.

Host Route:
A host route is a route whose destination is a single device address, with a /32 mask for IPv4 or
/128 for IPv6. Because it is the longest possible prefix it always wins over a network route that
covers the same address. IOS also installs a local host route automatically (flagged L in show ip
route) for every address configured on a router interface.

Floating Static Routes:
Floating static routes are static routes configured with an administrative distance higher than
that of another static route, or of a dynamic routing protocol, to the same destination. They stay
out of the routing table while the preferred route is present and are installed only when it
disappears, which makes them a simple way to provide a backup for a primary link. By default a
static route has an AD of 1, so a floating static is given a higher value such as 5, or one above
the AD of the dynamic protocol it backs up.



Configure & Verify Static Routing
Description                                         Commands
Create default route with next hop                  R(config)# ip route 0.0.0.0 0.0.0.0 1.1.1.1
Create default route with exit interface            R(config)# ip route 0.0.0.0 0.0.0.0 s0/0
Create static route with next hop                   R(config)# ip route 192.168.1.0 255.255.255.0 1.1.1.1
Create static route with exit interface             R(config)# ip route 192.168.1.0 255.255.255.0 s0/0
Create host route (/32) with next hop               R(config)# ip route 192.168.1.1 255.255.255.255 1.1.1.1
Floating static route: primary has the default      R(config)# ip route 192.168.1.0 255.255.255.0 1.1.1.1
AD of 1, backup has AD 5                            R(config)# ip route 192.168.1.0 255.255.255.0 2.2.2.2 5
Floating default route: primary has the default     R(config)# ip route 0.0.0.0 0.0.0.0 1.1.1.1
AD of 1, backup has AD 5                            R(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 5
Display IP routing table                            R# show ip route
Display only connected routes                       R# show ip route connected
Display only static routes                          R# show ip route static
Display the route used for a given IP address       R# show ip route [IP-Address]
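The following is an added example, not part of the study guide, that models how a router picks a forwarding entry from static routes like the ones in the table above: longest prefix match first, then lowest administrative distance among routes to the same prefix, with the default route matching only when nothing more specific does. It parses the IOS ip route syntax used above. The prefixes, next hops and the simulated link failure are constructed for the example.

```python
"""Static route selection: longest prefix, then lowest AD, floating statics as backup.

Added example, not from the study guide. Routes and the failure event below are
constructed; the selection rules mirror Cisco IOS behaviour described in the text.
"""
import ipaddress

STATIC_AD = 1  # Cisco IOS default administrative distance for a static route


class Route:
    def __init__(self, prefix, via, ad=STATIC_AD):
        self.prefix = prefix      # ipaddress.IPv4Network
        self.via = via            # next-hop address or exit interface, as typed
        self.ad = ad
        self.reachable = True     # cleared when the next hop's link goes down

    def __repr__(self):
        return f"{self.prefix} via {self.via} [AD {self.ad}]"


def parse_ip_route(cmd):
    """Parse 'ip route <network> <mask> <next-hop|interface> [distance]'
    (the IOS syntax used in the table above) into a Route."""
    parts = cmd.split()
    if parts[:2] != ["ip", "route"] or len(parts) not in (5, 6):
        raise ValueError(f"unsupported command: {cmd!r}")
    network, mask, via = parts[2], parts[3], parts[4]
    ad = int(parts[5]) if len(parts) == 6 else STATIC_AD
    return Route(ipaddress.IPv4Network(f"{network}/{mask}"), via, ad)


class RoutingTable:
    def __init__(self):
        self.candidates = []      # every configured static route

    def configure(self, cmd):
        self.candidates.append(parse_ip_route(cmd))

    def installed(self):
        """Routes that would appear in 'show ip route': for each prefix, the
        reachable candidate with the lowest AD. A floating static (AD 5) stays
        out of the table while the AD-1 route for the same prefix is usable."""
        best = {}
        for r in self.candidates:
            if r.reachable and (r.prefix not in best or r.ad < best[r.prefix].ad):
                best[r.prefix] = r
        return best

    def lookup(self, destination):
        """Forwarding decision: longest prefix match among installed routes.
        0.0.0.0/0 matches everything, so it is used only when nothing more
        specific does, which is what 'gateway of last resort' means."""
        dst = ipaddress.IPv4Address(destination)
        matches = [r for r in self.installed().values() if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def link_down(self, via):
        """Simulate losing the link behind a next hop: IOS withdraws static
        routes whose next hop is no longer resolvable, which lets the floating
        static for the same prefix be installed."""
        for r in self.candidates:
            if r.via == via:
                r.reachable = False


def build_example_table():
    """Constructed configuration with the same shape as the commands above."""
    rt = RoutingTable()
    for cmd in [
        "ip route 0.0.0.0 0.0.0.0 1.1.1.1",
        "ip route 0.0.0.0 0.0.0.0 2.2.2.2 5",
        "ip route 192.168.1.0 255.255.255.0 1.1.1.1",
        "ip route 192.168.1.0 255.255.255.0 2.2.2.2 5",
        "ip route 192.168.1.1 255.255.255.255 3.3.3.3",
    ]:
        rt.configure(cmd)
    return rt


def next_hops(rt, destinations=("192.168.1.1", "192.168.1.50", "8.8.8.8")):
    """Map each destination to the next hop the table would forward it to."""
    return {d: rt.lookup(d).via for d in destinations}


if __name__ == "__main__":
    rt = build_example_table()
    print("primary up:  ", next_hops(rt))
    rt.link_down("1.1.1.1")
    print("primary down:", next_hops(rt))
```

With the primary next hop up, 192.168.1.1 goes to 3.3.3.3 (the /32 host route beats the /24 even though both have AD 1), 192.168.1.50 to 1.1.1.1 and 8.8.8.8 to the AD-1 default. After the 1.1.1.1 link fails, both floating statics via 2.2.2.2 take over while the host route is unaffected.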

Configure & Verify Single Area & Multi-Area OSPFv2 for IPv4:
The Open Shortest Path First (OSPF) protocol is a link state protocol that handles routing for IP
traffic. OSPF is an open standard (RFC 2328) and runs on most routers regardless of vendor. OSPF
uses the Shortest Path First (SPF, Dijkstra) algorithm to build a loop-free topology and converges
quickly using triggered, incremental updates carried in Link State Advertisements (LSAs). OSPF is
classless and allows a hierarchical design with VLSM and route summarization. Its main
disadvantage is that it needs more memory and CPU than a distance vector protocol.
The two important concepts in OSPF are autonomous systems and areas. Areas provide hierarchical
routing within an autonomous system and control when and how much routing information is shared
across the network. OSPF implements a two-layer hierarchy: the backbone (Area 0) and areas attached
to the backbone (any non-zero area ID; an area ID is a 32-bit value written as a plain number or in
dotted-decimal form). Routing information can be summarized between areas. Every non-backbone area
must connect to Area 0, and all routers within an area hold the same link-state database.
o OSPF internal and external routes both have an administrative distance of 110 on Cisco routers.
o OSPF default hello interval is 10 seconds and dead interval is 40 seconds on broadcast and
  point-to-point links; both must match between neighbors or no adjacency forms.
o OSPF metric is cost.
o OSPF works with areas; Area 0 is the backbone.
o OSPF sends hello packets to multicast address 224.0.0.5 (all OSPF routers); 224.0.0.6 reaches
  the DR and BDR.
o OSPF supports VLSM and route summarization.
o OSPF maintains a neighbor table, a topology table (link-state database) and a routing table.
o The network command uses a wildcard mask, the bitwise inverse of the subnet mask (255.255.255.0
  becomes 0.0.0.255).
o LSAs are flooded only within their own area; area border routers pass summarized information
  between areas.
o OSPF supports both IPv4 (OSPFv2) and IPv6 (OSPFv3).



Area:
OSPF implements a two-level hierarchy with areas: the backbone and areas off the backbone.
Backbone:
The backbone (Area 0) is the central point of the design. Routers in this area carry the routing
information for the entire OSPF domain, and all other areas must connect to it.
Area Off Backbone:
An area off the backbone is an extension of the backbone. Routers entirely inside such an area
maintain a link-state database for that area only rather than for the whole domain, which reduces
memory use and speeds up convergence.
Router ID:
Every router in an OSPF network needs a unique 32-bit OSPF Router ID, written like an IPv4
address. It identifies the router in LSAs and in the DR/BDR election. Cisco routers use the
router-id command if configured, otherwise the highest loopback address, otherwise the highest
active interface address; the ID is chosen when the process starts, so a change takes effect only
after the process is cleared. Duplicate router IDs corrupt the link-state database and cause route
flapping.
Area Border Router (ABR):
An area border router (ABR) is a router that connects one or more OSPF areas to the backbone. It
keeps a separate link-state database for every area it is connected to and is considered a member
of all of them.
Internal Router:
An internal router has OSPF neighbor relationships only with routers in the same area.
Backbone Router:
Backbone routers have at least one interface in Area 0. This includes all area border routers and
any router located wholly inside the backbone.
Designated Router (DR) and Backup Designated Router (BDR):
On a multi-access segment such as Ethernet a Designated Router (DR) is elected among all routers on
that segment, and a Backup Designated Router (BDR) stands by to take over if the DR fails. The DR
reduces traffic on the segment: instead of every router exchanging LSAs with every other router,
the routers form full adjacencies only with the DR and BDR (remaining in 2-way state with each
other) and send their updates to the DR at 224.0.0.6, and the DR floods them back to the segment
at 224.0.0.5. DR and BDR are elected per segment, not per area.
DR and BDR Election:
The router with the highest priority becomes DR and the router with the second highest priority
becomes BDR. If priorities are equal the OSPF router ID is the tiebreaker: the higher router ID
wins. A router with priority 0 never becomes DR or BDR. The election is not pre-emptive: once a DR
and BDR exist, a router that joins later with a better priority or router ID does not take over,
and if you change the priority or router ID you must reset the OSPF process (clear ip ospf
process) or bounce the interface to trigger a new election. Routers that are neither DR nor BDR
show up as DROTHER in show ip ospf neighbor.
Router Priority:
The per-interface value (ip ospf priority, 0 to 255, default 1) used to determine which router
becomes Designated or Backup Designated Router.
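The election rules above, as an added example that is not part of the study guide: priority wins, then the numerically higher router ID (compared as a 32-bit number, not as a text string), priority 0 is ineligible, and an existing DR or BDR is never pre-empted, so a higher-priority router that joins later only becomes DR after the DR fails or the process is cleared everywhere. It also shows the Cisco router-ID selection order. Router names, IDs and priorities are constructed; the function is a simplification of RFC 2328 section 9.4 to the cases the text describes.

```python
"""OSPF DR/BDR election and router-ID selection.

Added example, not from the study guide. Scenario data is constructed.
"""
import ipaddress
from dataclasses import dataclass


def choose_router_id(configured=None, loopbacks=(), interfaces=()):
    """Cisco IOS order: explicit 'router-id', else the highest loopback
    address, else the highest address on an active physical interface."""
    if configured:
        return configured
    for pool in (loopbacks, interfaces):
        if pool:
            return str(max(ipaddress.IPv4Address(a) for a in pool))
    raise ValueError("no IPv4 address available to derive a router ID")


@dataclass
class OspfRouter:
    name: str
    router_id: str
    priority: int = 1          # IOS default; 'ip ospf priority 0' = never DR/BDR

    def rank(self):
        """Higher priority first; ties go to the numerically higher router ID
        (compared as a 32-bit integer, not as a string)."""
        return (self.priority, int(ipaddress.IPv4Address(self.router_id)))


def elect_dr_bdr(routers, current_dr=None, current_bdr=None):
    """DR/BDR for one multi-access segment.

    routers:                  OspfRouter objects currently present on the segment
    current_dr / current_bdr: names from the previous election, or None
    Returns (dr_name, bdr_name). Simplified from RFC 2328 section 9.4 to the
    cases the text describes: no pre-emption, BDR promoted when the DR is lost.
    """
    eligible = {r.name: r for r in routers if r.priority > 0}
    if not eligible:
        return None, None
    by_rank = sorted(eligible.values(), key=OspfRouter.rank, reverse=True)

    if current_dr in eligible:             # DR still present: it keeps the role
        dr = current_dr
    elif current_bdr in eligible:          # DR gone: the BDR is promoted
        dr = current_bdr
    else:                                  # cold start: best-ranked router
        dr = by_rank[0].name

    if current_bdr in eligible and current_bdr != dr:
        bdr = current_bdr                  # BDR is not pre-empted either
    else:
        others = [r.name for r in by_rank if r.name != dr]
        bdr = others[0] if others else None
    return dr, bdr


def walk_through():
    """Constructed scenario following the rules in the text, step by step."""
    r1, r2, r3 = OspfRouter("R1", "1.1.1.1"), OspfRouter("R2", "2.2.2.2"), OspfRouter("R3", "3.3.3.3")
    steps = {}
    steps["cold start, equal priority"] = elect_dr_bdr([r1, r2, r3])
    r4 = OspfRouter("R4", "4.4.4.4", priority=255)
    dr, bdr = steps["cold start, equal priority"]
    steps["R4 (priority 255) joins later"] = elect_dr_bdr([r1, r2, r3, r4], dr, bdr)
    dr, bdr = steps["R4 (priority 255) joins later"]
    steps["then R3 (the DR) fails"] = elect_dr_bdr([r1, r2, r4], dr, bdr)
    steps["clear ip ospf process on all"] = elect_dr_bdr([r1, r2, r4])
    return steps


if __name__ == "__main__":
    for step, (dr, bdr) in walk_through().items():
        print(f"{step:32s} DR={dr} BDR={bdr}")
```

R3 wins the cold start on router ID, keeps the role when the priority-255 router R4 arrives, and only when R3 fails does the BDR (R2) move up with R4 becoming BDR; R4 becomes DR only after the process is cleared on every router, which is exactly the behaviour that surprises people when they set a priority on a live segment.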
OSPF Metric:
OSPF uses a metric called cost, which is derived from the bandwidth of an interface:
Cost = Reference Bandwidth / Interface Bandwidth
The reference bandwidth defaults to 100 Mbit/s on Cisco routers. Divide the reference bandwidth by
the interface bandwidth and truncate to an integer to get the cost; the lower the cost, the better
the path. Note that every interface of 100 Mbit/s or faster therefore gets the same cost of 1, so
on networks with Gigabit links raise the reference bandwidth (auto-cost reference-bandwidth)
identically on every router in the domain. The route with the lowest cumulative cost between
source and destination is installed in the routing table. If several paths have equal cost OSPF
installs them all (up to four by default) and load-balances across them.
Default Cost of Interfaces
Interface Type      Bandwidth   Metric Calculation              Cost
Ethernet Link       10 Mbps     100000000 / 10000000 = 10       10
FastEthernet Link   100 Mbps    100000000 / 100000000 = 1       1
Serial Link (T1)    1544 Kbps   100000000 / 1544000 = 64.76     64

Configure & Verify OSPFv2

Description                                          Commands
Enable OSPF routing with process ID 1                R(config)#router ospf 1
Enable OSPF in area 0 on matching interfaces         R(config-router)#network 10.10.0.0 0.0.255.255 area 0
Enable OSPF in area 1 on matching interfaces         R(config-router)#network 10.10.0.0 0.0.255.255 area 1
Set 1.1.1.1 as router ID                             R(config-router)#router-id 1.1.1.1
Stop sending hellos out f0/0 (network still          R(config-router)#passive-interface f0/0
advertised, no neighbors can form there)
Make all interfaces passive                          R(config-router)#passive-interface default
Create a loopback interface                          R(config)#interface loopback 0
Enter interface configuration mode                   R(config)#interface serial 0/0
Influence DR/BDR election (0 = never DR/BDR)         R(config-if)#ip ospf priority 100
Influence route cost (bandwidth in kbit/s)           R(config-if)#bandwidth 256
Set hello interval to 15 seconds                     R(config-if)#ip ospf hello-interval 15
Set dead interval to 60 seconds                      R(config-if)#ip ospf dead-interval 60
Display all routes from routing table                R# show ip route
Display all routes learned through OSPF              R# show ip route ospf
Display basic information about OSPF                 R# show ip ospf
Display info about all OSPF active interfaces        R# show ip ospf interface
Display OSPF info about interface s0/0               R# show ip ospf interface s0/0
List OSPF neighbors and their state (FULL, 2WAY...)  R# show ip ospf neighbor
Display the OSPF link-state database                 R# show ip ospf database
Clear all routes from routing table                  R# clear ip route *
Clear OSPF counters                                  R# clear ip ospf counters
Restart the OSPF process (re-runs DR/BDR election)   R# clear ip ospf process
Display OSPF events                                  R# debug ip ospf events
Display exchanged OSPF packets                       R# debug ip ospf packet
Display adjacency formation and DR/BDR election      R# debug ip ospf adj



Configure, Verify, and Troubleshoot EIGRP for IPv4:
EIGRP stands for Enhanced Interior Gateway Routing Protocol. It is often called a hybrid (or
advanced distance vector) protocol because it combines distance vector operation with some link
state-like properties such as neighbor discovery and triggered updates. EIGRP was Cisco
proprietary until it was published as RFC 7868. The administrative distance is 90 for internal
routes and 170 for external (redistributed) routes; the default maximum hop count is 100. By
default EIGRP uses bandwidth and delay as its metric and keeps backup routes (feasible successors)
in its topology table. It load-balances across up to 4 equal-cost paths by default (more with the
maximum-paths command, and unequal-cost paths with variance). EIGRP supports VLSM and sends
partial, triggered updates rather than the periodic full-table updates of classic distance vector
protocols; it does not use link state advertisements. The default hello interval is 5 seconds and
the hold time is 15 seconds on LAN and high-speed links (60 and 180 seconds on low-speed
multipoint links).
EIGRP may use five metric components to select the best route: bandwidth, load, delay,
reliability and MTU. By default only bandwidth and delay are used. The K values select the
components: K1 = bandwidth, K2 = load, K3 = delay, K4 and K5 = reliability (MTU is carried in
updates but is not part of the formula). K values must match between neighbors or the adjacency
will not form.
o It uses DUAL (Diffusing Update Algorithm) to select the best path and loop-free backup paths.
o It sends routing updates to multicast address 224.0.0.10 (unicast for retransmissions) using its
  own reliable transport protocol (RTP).
o It supports route summarization and discontiguous networks.
o It supports VLSM/CIDR.
o It load-balances across up to 4 paths to a destination by default (configurable with
  maximum-paths), including unequal-cost paths with variance.
o It sends triggered updates.
o It was a Cisco proprietary routing protocol; the basic protocol is now documented in RFC 7868.
o It is a hybrid routing protocol.
o It has characteristics of both distance vector and link state protocols.
o It supports both IPv4 and IPv6 routed protocols.

Advertised Distance (also called Reported Distance): the neighbor's own metric to the destination,
as reported in its update.
Feasible Distance: the total metric from this router to the destination through that neighbor,
that is, the neighbor's advertised distance plus the cost of reaching the neighbor (in EIGRP
terms, the composite metric recomputed with the link to the neighbor included). The lowest feasible
distance identifies the best path.
Successor: the best path to the destination. The successor is copied from the topology table to
the routing table.
Feasible Successor: a backup path kept in the topology table. A neighbor qualifies as a feasible
successor only if its advertised distance is lower than the feasible distance of the successor
(the feasibility condition). That guarantees the backup cannot pass back through this router, so
DUAL can switch to it immediately when the successor fails, without querying the network.
EIGRP Metric:
EIGRP combines bandwidth, delay, reliability and load into a composite metric. By default K1 and K3
are set to 1 and K2, K4 and K5 are set to 0, so the formula reduces to:
EIGRP Metric = 256*((10^7 / min. Bw) + Delay)
             = 256*((10000000 / Minimum BW) + Sum of Interface Delays / 10)
where Minimum BW is the lowest bandwidth, in kilobits per second, of all outgoing interfaces on
the path to the destination network, and Sum of Interface Delays is the sum of the delays
configured on those interfaces converted to tens of microseconds (show interface reports DLY in
microseconds). IOS performs the divisions as integer divisions.
Bandwidth is a static per-interface value describing link capacity, not measured throughput.
Delay is likewise a static per-interface value reflecting the time a packet takes to cross the
interface. When you want to influence EIGRP path selection, change delay rather than bandwidth:
the bandwidth value is also used by QoS and by other protocols.
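An added example, not from the study guide, that carries the formula above through in integer arithmetic and then applies the DUAL definitions: reported distance, feasible distance, successor, and the feasibility condition that decides which neighbors count as feasible successors. Interface bandwidths (kbit/s) and delays (microseconds, as show interface reports DLY) are constructed; the neighbor that fails the feasibility condition shows why a perfectly good path can still be excluded as a backup.

```python
"""EIGRP composite metric and DUAL successor / feasible successor selection.

Added example, not from the study guide. Neighbor data is constructed.
"""

K1, K2, K3, K4, K5 = 1, 0, 1, 0, 0      # IOS defaults: bandwidth and delay only


def eigrp_metric(min_bandwidth_kbps, delays_usec, load=1, reliability=255,
                 k=(K1, K2, K3, K4, K5)):
    """Classic EIGRP composite metric, integer arithmetic as IOS does it.
    min_bandwidth_kbps: lowest bandwidth on the path, in kbit/s.
    delays_usec:        delay of every outgoing interface on the path, in
                        microseconds (the DLY value of 'show interface')."""
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bandwidth_kbps               # scaled bandwidth
    dly = sum(delays_usec) // 10                   # tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:                                     # reliability term only if K5 is set
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def dual_select(neighbors):
    """Pick successor and feasible successors for one destination.

    Each neighbor entry carries the bandwidth/delay of our link towards it and
    the min-bandwidth/total-delay it advertises for the destination (EIGRP
    carries these vector components; the receiver recomputes the metric):
      RD = metric computed from what the neighbor advertises
      FD = metric recomputed with our link to that neighbor included
    Successor = lowest FD. A neighbor is a feasible successor only if its RD is
    strictly lower than the successor's FD (the feasibility condition)."""
    rows = []
    for n in neighbors:
        rd = eigrp_metric(n["adv_min_bw"], [n["adv_delay"]])
        fd = eigrp_metric(min(n["adv_min_bw"], n["link_bw"]),
                          [n["adv_delay"], n["link_delay"]])
        rows.append({"via": n["name"], "fd": fd, "rd": rd})
    rows.sort(key=lambda r: r["fd"])
    successor = rows[0]
    feasible = [r for r in rows[1:] if r["rd"] < successor["fd"]]
    rejected = [r for r in rows[1:] if r["rd"] >= successor["fd"]]
    return successor, feasible, rejected


# Constructed neighbors of R1 for one destination (kbit/s, microseconds).
EXAMPLE_NEIGHBORS = [
    {"name": "R2", "link_bw": 100000, "link_delay": 100,     # FastEthernet to R2
     "adv_min_bw": 1544, "adv_delay": 20000},                # R2 reaches it over a T1
    {"name": "R3", "link_bw": 64, "link_delay": 20000,       # 64 kbit/s serial to R3
     "adv_min_bw": 100000, "adv_delay": 100},                # R3 has it on FastEthernet
    {"name": "R4", "link_bw": 100000, "link_delay": 100,     # FastEthernet to R4
     "adv_min_bw": 1544, "adv_delay": 40000},                # R4 goes through two T1s
]


if __name__ == "__main__":
    print("FastEthernet + T1 path metric:", eigrp_metric(1544, [100, 20000]))
    successor, feasible, rejected = dual_select(EXAMPLE_NEIGHBORS)
    print("successor:           ", successor)
    print("feasible successors: ", feasible)
    print("not feasible (RD >= FD of successor):", rejected)
```

R2 is the successor (FD 2,172,416, the familiar T1-behind-FastEthernet value). R3 is a feasible successor even though its own FD is huge, because its reported distance (28,160) is below the successor's FD. R4's path is shorter than R3's, yet R4 is rejected: its reported distance (2,681,856) is not below 2,172,416, so DUAL cannot prove it loop-free and will have to query before using it.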



Configure & Verify EIGRP
Description                                          Commands
Enable EIGRP routing process (AS) 1                  R(config)#router eigrp 1
Enable EIGRP on all interfaces in the classful       R(config-router)#network 10.10.0.0
network (no wildcard: treated as 10.0.0.0)
Enable EIGRP on interfaces matching a wildcard mask  R(config-router)#network 10.10.0.0 0.0.255.255
Disable EIGRP for this network                       R(config-router)#no network 10.10.0.0
Set the K values used in the metric formula (must    R(config-router)#metric weights tos k1 k2 k3 k4 k5
match on all neighbors)
Enable auto summary                                  R(config-router)#auto-summary
Disable auto summary                                 R(config-router)#no auto-summary
Stop hellos and updates out f0/0 (no adjacency       R(config-router)#passive-interface f0/0
forms there, network still advertised)
Make all interfaces passive                          R(config-router)#passive-interface default
Disable EIGRP routing process 1                      R(config)#no router eigrp 1
Enter interface configuration mode                   R(config)#interface serial 0/0
Influence metric calculation (bandwidth in kbit/s)   R(config-if)#bandwidth 256
Display all routes from routing table                R# show ip route
Show running protocols configuration                 R# show ip protocols
Display all routes learned through EIGRP             R# show ip route eigrp
Display the neighbor table                           R# show ip eigrp neighbors
Display all EIGRP-enabled interfaces                 R# show ip eigrp interfaces
Display EIGRP info about interface s0/0              R# show ip eigrp interfaces s0/0
Display EIGRP interfaces for AS 1                    R# show ip eigrp interfaces 1
Display the topology table (successors and           R# show ip eigrp topology
feasible successors)
Display the number and type of packets               R# show ip eigrp traffic
Clear all routes from routing table                  R# clear ip route *
Display EIGRP packets sent and received              R# debug eigrp packets
Display EIGRP changes and updates                    R# debug ip eigrp events

Configure, Verify, and Troubleshoot RIPv2 for IPv4:

RIP is a distance vector routing protocol. Every 30 seconds it sends its whole routing table to
its neighbors (RIPv1 as a local broadcast, RIPv2 as multicast). A router keeps the lowest-metric
route to each destination in its routing table (up to four equal-cost routes by default) and uses
administrative distance and metric to choose it. RIP is the simplest and one of the oldest distance
vector routing protocols, and it is very easy to set up and troubleshoot. The administrative
distance of RIP is 120. The metric is hop count and the longest usable path is 15 hops; 16 means
unreachable, so RIP does not scale to large networks. A RIP router has no map of the whole
topology, only the distances its neighbors report, which is why it needs the loop-avoidance
mechanisms below.
Split Horizon:
Split horizon is a rule that says a router never advertises a route back out of the interface on
which it learned that route. It is enabled by default on most interfaces and is the main defense
against routing loops between two neighbors.



Hop Counts:
RIP counts the routers (hops) a route passes through: each router adds 1 to the metric before
re-advertising a route, and a metric of 16 means unreachable. The limit keeps a count-to-infinity
loop from growing forever, but by itself it does not prevent the loop. Separately, the TTL field in
the IP header, which every router decrements and which causes the packet to be dropped when it
reaches 0, ensures that a packet caught in a transient routing loop is eventually discarded. TTL is
a property of the packet, not of the RIP metric, and it does not solve the routing loop either.
Route Poisoning:
When a router notices that one of its directly connected networks has failed, it poisons that
route: it advertises it with a metric of 16, which RIP treats as unreachable (any route beyond 15
hops is invalid). The poisoned route is sent out all active interfaces. A receiving neighbor
answers with poison reverse: it ignores the split horizon rule and advertises the same poisoned
route back to the sender. Together these make sure every router learns quickly that the route is
dead.
RIPv1                                          RIPv2
Sends updates as broadcast                     Sends updates as multicast
Destination 255.255.255.255                    Destination 224.0.0.9
Does not carry subnet masks (no VLSM)          Carries subnet masks (supports VLSM)
No authentication                              Plaintext or MD5 authentication of updates
Classful only                                  Classless (auto-summary can still summarize at classful boundaries)
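The hop count limit and split horizon described above, as an added example that is not from the study guide: a minimal synchronous simulation of three RIP routers in a chain A - B - C with network X attached to C. The link from C to X fails, and the simulation records each router's metric to X round by round, once with split horizon off and once with it on. The topology, router names and failure event are constructed; metrics follow the RIP conventions (connected network advertised at 1, receiver adds 1, 16 is unreachable) and timers are ignored to keep the rounds readable.

```python
"""Count-to-infinity in RIP, with and without split horizon.

Added example, not from the study guide. Topology and failure are constructed.
"""

INFINITY = 16  # RIP "infinity": the longest usable path is 15 hops

# Constructed topology: a chain A - B - C, with network X attached to C.
NEIGHBORS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}


def initial_tables():
    """Steady state before the failure: router -> {dest: (metric, next_hop)}.
    'direct' marks a directly connected network (advertised with metric 1)."""
    return {
        "A": {"X": (3, "B")},
        "B": {"X": (2, "C")},
        "C": {"X": (1, "direct")},
    }


def advertisement(table, to_neighbor, split_horizon):
    """Routes one router sends to one neighbor. With split horizon, routes
    whose next hop is that neighbor are left out. Unreachable routes are not
    advertised at all (this model has no poison reverse)."""
    return {
        dest: metric
        for dest, (metric, via) in table.items()
        if metric < INFINITY and not (split_horizon and via == to_neighbor)
    }


def one_round(tables, split_horizon):
    """Every router advertises, then rebuilds its table from its connected
    networks plus the lowest-metric advertisement it heard. Timers are
    ignored: a route nobody advertises any more vanishes in the same round."""
    new_tables = {}
    for router, table in tables.items():
        new = {d: mv for d, mv in table.items() if mv[1] == "direct"}
        for nbr in NEIGHBORS[router]:
            heard = advertisement(tables[nbr], router, split_horizon)
            for dest, metric in heard.items():
                candidate = metric + 1            # one more hop to get there via nbr
                if candidate >= INFINITY:
                    continue                      # unreachable: do not install
                if dest not in new or candidate < new[dest][0]:
                    new[dest] = (candidate, nbr)
        new_tables[router] = new
    return new_tables


def metric_to(table, dest):
    return table[dest][0] if dest in table else INFINITY


def simulate_failure(split_horizon, max_rounds=50):
    """C loses its link to X. Returns, for each update round until the tables
    stop changing, every router's metric to X (16 = unreachable)."""
    tables = initial_tables()
    del tables["C"]["X"]                          # the connected route is withdrawn
    history = []
    for _ in range(max_rounds):
        new_tables = one_round(tables, split_horizon)
        if new_tables == tables:
            return history
        tables = new_tables
        history.append({r: metric_to(tables[r], "X") for r in sorted(tables)})
    raise RuntimeError("tables still changing after %d rounds" % max_rounds)


if __name__ == "__main__":
    for sh in (False, True):
        hist = simulate_failure(split_horizon=sh)
        print("split horizon", "on " if sh else "off", "- rounds until stable:", len(hist))
        for i, snapshot in enumerate(hist, 1):
            print("  round %2d: %s" % (i, snapshot))
```

Without split horizon B re-learns X from A (which learned it from B), so the metric climbs 4, 6, 8, ... and it takes fourteen rounds before everyone agrees X is unreachable; the hop limit is what stops the count, not what prevents the loop. With split horizon on, A never advertises X back to B and B never advertises it back to C, so the route disappears in two rounds.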

Configure & Verify RIP

Description                                           Command
Enable RIP routing protocol                           R(config)#router rip
Advertise classful network 1.0.0.0 in RIP             R(config-router)#network 1.0.0.0
Remove network 1.0.0.0 from RIP                       R(config-router)#no network 1.0.0.0
Run RIP version 1                                     R(config-router)#version 1
Run RIP version 2                                     R(config-router)#version 2
Turn off auto summary                                 R(config-router)#no auto-summary
Stop sending updates out s0/0 (still receives them)   R(config-router)#passive-interface s0/0
Make all interfaces passive                           R(config-router)#passive-interface default
Disable split horizon on an interface (on by default) R(config-if)#no ip split-horizon
Enable split horizon on an interface                  R(config-if)#ip split-horizon
Set RIP timers: update, invalid, holddown, flush and  R(config-router)#timers basic 30 90 180 270 360
sleep (defaults 30 180 180 240)
Set the number of equal-cost paths to load-balance    R(config-router)#maximum-paths 2
Disable RIP routing protocol                          R(config)#no router rip
Display all routes from routing table                 R# show ip route
Display only RIP routes from routing table            R# show ip route rip
Show running protocols configuration                  R# show ip protocols
Display RIP related activity in real time             R# debug ip rip
Display RIP database including routes                 R# show ip rip database



Configure & Verify Single-Homed Connectivity Using eBGP IPv4:
BGP is a path vector protocol. A path vector protocol does not rely on link bandwidth (like OSPF),
hop count (like RIP) or a set of link parameters (like EIGRP). It relies on the sequence of
autonomous systems a route has passed through: all else being equal, it chooses the path with the
fewest autonomous systems (the shortest AS_PATH), provided the path is loop-free, and a router
detects a loop by finding its own AS number already in the AS_PATH. Path selection can also be
shaped with policy (attributes such as weight, local preference and AS_PATH prepending), which is
why BGP is chosen wherever traffic engineering matters.

In the topology above R1, R2 and R3 should run an IGP to communicate with each other because they
are in the same AS. To connect with routers in another AS (for example a different ISP), R1 and R3
must use an EGP. With BGP, the term autonomous system (AS) refers to a network that operates
separately from other networks and usually falls under a single administrative domain. Each AS is
represented by an AS number. BGP is used mainly by Internet Service Providers (ISPs) all over the
world. Classic 2-byte AS numbers range from 1 to 65,535 (64,512 to 65,534 are private); 4-byte AS
numbers extend the range to 4,294,967,295. The Internet we go "online" on every day is a collection
of interconnected autonomous systems, and BGP provides the routing between them.
Advantages of BGP:
The most important reason to use BGP is its rich support for path control. Another reason is that
BGP can handle very large routing tables: the global Internet routing table contains well over
500,000 IPv4 routes.
BGP Speaker:
A router running BGP is called a BGP speaker.
BGP Peer or BGP Neighbor:
Any two routers that have formed a TCP connection (port 179) to exchange BGP routing information.
Prefix:
You may know the word "subnet". In the BGP world it is usually called a "prefix", because BGP
usually does not advertise small subnets: it advertises large address blocks, so "prefix" is the
customary term.
State/PfxRcd:
The last column of show ip bgp summary. If the value is a number (including 0, which means the
neighbor is up but is advertising no routes) the session is Established and the BGP neighbor
relationship is good. If the value is a word (Idle, Connect, Active, OpenSent or OpenConfirm) the
session has not reached Established and the neighbor relationship is not working.



Internal BGP (iBGP):
A BGP neighbor relationship between two routers in the same AS. iBGP neighbors do not have to be
directly connected; the session runs over TCP and can cross the IGP-routed core.
External BGP (eBGP):
A BGP neighbor relationship between two peers in different ASes. eBGP peers are normally directly
connected (the session packets are sent with an IP TTL of 1 by default, so ebgp-multihop is
required otherwise). Never run an IGP between eBGP peers: the IGP stays inside the AS.
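The path-vector behaviour described in this section, as an added example that is not from the study guide, reduced to the two rules the text relies on: a speaker drops any UPDATE whose AS_PATH already contains its own AS number (BGP's loop prevention), and among the remaining paths for a prefix it prefers the shortest AS_PATH. When it re-advertises to an eBGP peer it prepends its own AS; to an iBGP peer it does not. AS numbers, prefixes and the received updates are constructed, and the real best-path algorithm has several steps before and after AS_PATH length that are left out here.

```python
"""BGP as a path vector protocol: loop detection, shortest AS_PATH, prepending.

Added example, not from the study guide. AS numbers and updates are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: tuple      # leftmost = AS that sent it to us, rightmost = origin AS
    next_hop: str


class BgpSpeaker:
    def __init__(self, local_as):
        self.local_as = local_as
        self.adj_rib_in = {}          # prefix -> accepted Updates, in arrival order

    def receive(self, update):
        """Inbound loop check: if our own AS is already in AS_PATH the route has
        been through us before, so it is dropped. Returns True if accepted."""
        if self.local_as in update.as_path:
            return False
        self.adj_rib_in.setdefault(update.prefix, []).append(update)
        return True

    def best(self, prefix):
        """Shortest AS_PATH wins; on a tie the earliest-received path is kept
        (a stand-in for the later steps of the real best-path algorithm)."""
        return min(self.adj_rib_in.get(prefix, []),
                   key=lambda u: len(u.as_path), default=None)

    def advertised_path(self, prefix, peer_as):
        """AS_PATH we would send for the prefix: eBGP peers see our AS prepended,
        iBGP peers (same AS) receive the path unchanged."""
        b = self.best(prefix)
        if b is None:
            return None
        if peer_as == self.local_as:
            return b.as_path
        return (self.local_as,) + b.as_path


def build_example_speaker():
    """Constructed AS 100 router hearing 203.0.113.0/24 from three eBGP peers."""
    s = BgpSpeaker(local_as=100)
    accepted = {
        "AS200": s.receive(Update("203.0.113.0/24", (200, 300, 400), "192.0.2.1")),
        "AS500": s.receive(Update("203.0.113.0/24", (500, 400), "192.0.2.5")),
        # Our own AS already appears in this path: it has looped back to us.
        "AS600": s.receive(Update("203.0.113.0/24", (600, 100, 400), "192.0.2.9")),
    }
    return s, accepted


if __name__ == "__main__":
    speaker, accepted = build_example_speaker()
    print("accepted per peer:", accepted)
    print("best path:        ", speaker.best("203.0.113.0/24").as_path)
    print("sent to eBGP 700: ", speaker.advertised_path("203.0.113.0/24", 700))
    print("sent to iBGP 100: ", speaker.advertised_path("203.0.113.0/24", 100))
```

The update from AS 600 is refused outright because AS 100 already sits in its path. Of the two survivors the path through AS 500 wins on length, and the eBGP peer in AS 700 receives it as (100, 500, 400) while an iBGP peer receives (500, 400) unchanged.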
Type of Connection to ISP:
BGP is often used to connect to an ISP, so the types of ISP connection are listed here. A company
may connect to its ISP in several ways.
Single Homed:
The most common and simplest design is single homed: a single link between the company and the
ISP. With this design only one possible next-hop router exists for all routes to the Internet.

The big disadvantage of this design is that when the link or either router fails, the connection
to the Internet fails as well. It does save money compared with designs that have multiple
connections, and for a small company that is usually the only reason to accept it. With this
design BGP is not actually needed; all that is required is a default route from the company to the
ISP and a static route from the ISP to the company's public address range.
Dual Homed:
The next design is called dual homed, where "dual" refers to two links to the same ISP router.

Here BGP can be used to share traffic between the company's two routers in a chosen ratio (load
balancing) or to fail over between them. It is better for redundancy than the first design but it
still has a single point of failure at the ISP router.



Single Multihomed:
The next design, single multihomed, means connections to multiple ISPs from one router at the
company, with a single link per ISP.

This design is useful when you want to steer important traffic to a specific ISP while keeping the
other ISP as the failover path.
Dual Multihomed:
The last design, dual multihomed, means multiple links per ISP and multiple routers at the company.

If your company has the budget, the dual multihomed design is the one that keeps the connection to
the outside up through any single failure, and BGP is strongly recommended in this case.

BGP Configuration:



Both Routers IP Configuration
R1 IP Configuration                                    R2 IP Configuration
R1(config)#interface fastethernet0/0                   R2(config)#interface fastethernet0/0
R1(config-if)#ip address 11.0.0.1 255.255.255.0        R2(config-if)#ip address 11.0.0.2 255.255.255.0
R1(config-if)#no shutdown                              R2(config-if)#no shutdown
R1(config-if)#interface loopback 0                     R2(config-if)#interface loopback 0
R1(config-if)#ip address 1.1.1.1 255.255.255.0         R2(config-if)#ip address 2.2.2.2 255.255.255.0

Both Routers BGP Configuration

R1 BGP Configuration                                   R2 BGP Configuration
R1(config)#router bgp 1                                R2(config)#router bgp 2
R1(config-router)#neighbor 11.0.0.2 remote-as 2        R2(config-router)#neighbor 11.0.0.1 remote-as 1
R1(config-router)#network 1.1.1.0 mask 255.255.255.0   R2(config-router)#network 2.2.2.0 mask 255.255.255.0

Configure and Verify BGP

Description                                            Command
Enter BGP configuration mode (local AS 1)              R1(config)#router bgp 1
Define BGP neighbor and its remote AS                  R1(config-router)#neighbor 11.0.0.2 remote-as 2
Add a BGP table entry for the prefix (a matching       R1(config-router)#network 1.1.1.0 mask 255.255.255.0
route must already exist in the IP routing table)
Verify BGP neighbor relationship (State/PfxRcd)        R# show ip bgp summary
Check BGP routing table                                R# show ip bgp
Display IP routing table                               R# show ip route



Configure, Verify, and Troubleshoot IPv6 Static Routing:
As with IPv4, static routes can be configured for IPv6 on Cisco routers. Static IPv6 routes suit
small networks where the overhead of a routing protocol is not needed. As in IPv4, an IPv6 router
chooses among routes to the same prefix by administrative distance and then metric, and among
matching prefixes by longest match. IPv6 forwarding is disabled by default on IOS, so the first
command below is required before any IPv6 routing works. On a multi-access link such as Ethernet
an exit interface alone is not enough: give the link-local next hop together with the interface
(for example ipv6 route 3000::/64 f0/0 FE80::1).
Configure & Verify IPv6 Static Routing
Description                                          Commands
Enable IPv6 routing on the router                    R(config)# ipv6 unicast-routing
Create IPv6 default route with next hop              R(config)# ipv6 route ::/0 2000::2
Create IPv6 default route with exit interface        R(config)# ipv6 route ::/0 serial0/0/0
Create IPv6 static route with next hop               R(config)# ipv6 route 3000::/64 2000::1
Create IPv6 static route with exit interface         R(config)# ipv6 route 3000::/64 s0/0/0
Create IPv6 host route (/128) with next hop          R(config)# ipv6 route 3000::2/128 2000::1
Floating IPv6 static route: primary has the          R(config)# ipv6 route 3000::/64 2000::1
default AD of 1, backup has AD 5                     R(config)# ipv6 route 3000::/64 4000::1 5
Floating IPv6 default route: primary has the         R(config)# ipv6 route ::/0 2000::1
default AD of 1, backup has AD 5                     R(config)# ipv6 route ::/0 4000::1 5
Display IPv6 routing table                           R# show ipv6 route
Display only connected IPv6 routes                   R# show ipv6 route connected
Display only static IPv6 routes                      R# show ipv6 route static

Configure, Verify, and Troubleshoot RIPng for IPv6:

Routing Information Protocol next generation (RIPng, RFC 2080) is the IPv6 version of RIP: an
Interior Gateway Protocol that uses a distance vector algorithm with hop count as its metric (15
hops maximum, 16 unreachable). It sends updates to multicast address FF02::9 on UDP port 521 from
the interface's link-local address. Unlike RIP for IPv4 there is no network command: RIPng is
enabled per interface, and the process name (1 below) is only a tag.
Description                                          Commands
Enable IPv6 routing on the router                    R(config)#ipv6 unicast-routing
Enter RIPng configuration mode (process tag 1)       R(config)#ipv6 router rip 1
Enter serial interface mode                          R(config)#interface serial 0/0/0
Enable RIPng on the serial interface                 R(config-if)#ipv6 rip 1 enable
Enter FastEthernet interface mode                    R(config-if)#interface f0/0
Enable RIPng on the FastEthernet interface           R(config-if)#ipv6 rip 1 enable
Display IPv6 routing table                           R# show ipv6 route
Display only connected IPv6 routes                   R# show ipv6 route connected
Display only static IPv6 routes                      R# show ipv6 route static
Display only RIPng routes                            R# show ipv6 route rip
Display configured IPv6 routing protocols            R# show ipv6 protocols



Configure, Verify, and Troubleshoot EIGRP for IPv6:
EIGRP for IPv6 works the same way as EIGRP for IPv4, with a few differences. On older IOS releases
the EIGRP for IPv6 process is created in shutdown state and must be started with no shutdown. A
32-bit router ID is required on every router or the process will not start; if the router has no
IPv4 address configured, set it with eigrp router-id. EIGRP for IPv6 is enabled directly on each
interface rather than with a network command, and hellos are sent to FF02::A from the link-local
address. Hello and hold timers follow the same rules as EIGRP for IPv4.
Description                                          Commands
Enable IPv6 routing on the router                    R(config)#ipv6 unicast-routing
Enter EIGRP for IPv6 configuration mode (AS 1)       R(config)#ipv6 router eigrp 1
Define the EIGRP router ID                           R(config-rtr)#eigrp router-id 1.1.1.1
Start the EIGRP for IPv6 process                     R(config-rtr)#no shutdown
Configure a passive interface                        R(config-rtr)#passive-interface g0/0
Enter FastEthernet interface mode                    R(config)#interface f0/0
Enable EIGRP AS 1 on the interface                   R(config-if)#ipv6 eigrp 1
Display IPv6 routing table                           R# show ipv6 route
Display only connected IPv6 routes                   R# show ipv6 route connected
Display only static IPv6 routes                      R# show ipv6 route static
Display only EIGRP IPv6 routes                       R# show ipv6 route eigrp
Display configured IPv6 routing protocols            R# show ipv6 protocols
Display EIGRP-enabled interfaces                     R# show ipv6 eigrp interfaces
Verify adjacency with neighbors                      R# show ipv6 eigrp neighbors
Display EIGRP IPv6 topology table                    R# show ipv6 eigrp topology

Configure, Verify, and Troubleshoot OSPFv3 for IPv6:

OSPFv3 (RFC 5340) keeps the OSPFv2 design: areas, router IDs, DR/BDR election, cost and the SPF
algorithm are unchanged. The differences that matter for configuration are that it is enabled per
interface rather than with a network command, that neighbor relationships use link-local addresses
and the multicast groups FF02::5 (all OSPF routers) and FF02::6 (DR/BDR), and that it still needs
a 32-bit router ID, which must be set manually on a router that has no IPv4 address.
Description                                          Commands
Enable IPv6 routing on the router                    R(config)#ipv6 unicast-routing
Enter OSPFv3 configuration mode (process 1)          R(config)#ipv6 router ospf 1
Define the OSPF router ID                            R(config-rtr)#router-id 1.1.1.1
Configure a passive interface                        R(config-rtr)#passive-interface g0/0
Enter FastEthernet interface mode                    R(config)#interface f0/0
Enable OSPFv3 process 1 on the interface in area 0   R(config-if)#ipv6 ospf 1 area 0
Enter a second FastEthernet interface                R(config)#interface f0/1
Enable OSPFv3 process 1 on the interface in area 1   R(config-if)#ipv6 ospf 1 area 1
Display IPv6 routing table                           R# show ipv6 route
Display only connected IPv6 routes                   R# show ipv6 route connected
Display only static IPv6 routes                      R# show ipv6 route static
Display only OSPFv3 routes                           R# show ipv6 route ospf
Display configured IPv6 routing protocols            R# show ipv6 protocols
Display OSPFv3-enabled interfaces                    R# show ipv6 ospf interface
Verify adjacency with neighbors                      R# show ipv6 ospf neighbor
Display the OSPFv3 link-state database               R# show ipv6 ospf database



Troubleshoot Basic Layer 3 End-to-End Connectivity Issues:
When troubleshooting a routed Layer 3 topology, ping and traceroute are the first tools to reach
for.
PING is one of the most useful networking commands and the first to issue when facing a
reachability problem, to find out whether a host is "alive" and reachable. It sends ICMP Echo
Request packets and waits for ICMP Echo Replies, so it operates at layer 3 (Network Layer) of the
OSI model. The ping command works in essentially the same way on Windows, Unix, Cisco IOS and
every other networking device, though options and defaults differ (IOS sends five 100-byte packets
by default and prints ! for a reply, . for a timeout and U for destination unreachable). A failed
ping does not by itself prove a routing problem: an ACL or host firewall that drops ICMP produces
the same result, and the return path must work too, so check routing in both directions.
TRACEROUTE is another very helpful utility that uses ICMP to trace the path between the sender and
the destination host. It sends probes with an increasing IP TTL (1, 2, 3, ...) and records which
router returns the ICMP Time Exceeded message for each TTL. Cisco IOS and Unix traceroute send UDP
probes to high-numbered ports, while Windows TRACERT sends ICMP Echo Requests, which is why the
same path can look different, or be filtered differently, depending on the tool.

Configure & Verify PPP and MLPPP on WAN Interfaces:

PPP (Point-to-Point Protocol):
The Point-to-Point Protocol (PPP) is an encapsulation protocol that carries network layer traffic
over point-to-point links such as ISDN and synchronous serial links. The default encapsulation on
Cisco serial interfaces is HDLC (High-Level Data Link Control, in Cisco's own variant), which has
no authentication. PPP adds link negotiation (LCP), per-protocol negotiation (NCPs) and optional
authentication with PAP (Password Authentication Protocol) or CHAP (Challenge Handshake
Authentication Protocol).
PAP:
In PAP the username and password are sent in clear text, which makes it much weaker than CHAP. PAP
authentication is a two-step process. In step one, the router that wants to be authenticated sends
its username and password to the authenticating router. In step two, if the username and password
match an entry in that router's username database, it acknowledges the authentication; otherwise
the link is refused. PAP authenticates only once, at link establishment; no further checks are made
for the life of the session, and anyone who can capture the link sees the password.
CHAP:
CHAP is the PPP authentication method to prefer. After LCP has established the link, the local
router (the authenticator) sends a "challenge" message containing a random value to the remote
node. The remote node answers with the MD5 hash of the challenge identifier, its shared secret and
the challenge value, so the secret itself never crosses the WAN: only a hash that is different for
every challenge does. The local router computes the same hash from its own copy of the secret and
compares; if the values match the authentication is acknowledged, otherwise the connection is
terminated immediately. CHAP is a three-way handshake (challenge, response, success or failure),
and the authenticator may repeat it at any time during the session. Two caveats: both routers must
hold the same secret under the other router's hostname (username <peer> password <secret>), and
because the hash is plain MD5 over the secret, an attacker who captures a challenge and its
response can brute-force a weak secret offline, so use a long random one.
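The CHAP exchange described above, as an added example that is not from the study guide, implemented following RFC 1994 so both sides of the three-way handshake are visible: the authenticator sends a random challenge, the peer replies with MD5(identifier || shared secret || challenge), and the authenticator recomputes and compares. A PAP Authenticate-Request is built next to it for contrast, with the password in the clear. The hostnames R1 and R2 and the secret "test" match the configuration tables that follow; challenge bytes are drawn fresh at run time.

```python
"""PPP CHAP three-way handshake (RFC 1994) next to a clear-text PAP request.

Added example, not from the study guide. Hostnames and secret mirror the
configuration tables in the text; challenge values are generated at run time.
"""
import hashlib
import hmac
import os
import struct

# CHAP packet codes, RFC 1994 section 4
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_hash(identifier, secret, challenge):
    """Response value = MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def encode(code, identifier, value, name):
    """Challenge/Response packet: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def decode(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 5:
        raise ValueError("malformed CHAP packet")
    value_size = packet[4]
    return code, identifier, packet[5:5 + value_size], packet[5 + value_size:]


class PppPeer:
    """One end of the link. user_db mirrors 'username <peer> password <secret>':
    the secret is looked up by the *other* router's hostname, which is why both
    routers must hold the same secret for each other."""

    def __init__(self, hostname, user_db):
        self.hostname = hostname.encode()
        self.user_db = {name.encode(): pw.encode() for name, pw in user_db.items()}
        self.outstanding = {}   # identifier -> challenge we sent and still await

    def challenge(self, identifier=None, challenge=None):
        """Step 1 (authenticator): send a fresh random challenge."""
        identifier = os.urandom(1)[0] if identifier is None else identifier
        challenge = os.urandom(16) if challenge is None else challenge
        self.outstanding[identifier] = challenge
        return encode(CHALLENGE, identifier, challenge, self.hostname)

    def respond(self, packet):
        """Step 2 (peer): hash the secret with the challenge; the secret itself
        never goes on the wire."""
        code, identifier, challenge, peer_name = decode(packet)
        if code != CHALLENGE:
            raise ValueError("expected a Challenge")
        secret = self.user_db[peer_name]
        return encode(RESPONSE, identifier, chap_hash(identifier, secret, challenge), self.hostname)

    def verify(self, packet):
        """Step 3 (authenticator): recompute and compare in constant time. Each
        challenge is consumed on first use, so a replayed Response fails."""
        code, identifier, received, peer_name = decode(packet)
        challenge = self.outstanding.pop(identifier, None)
        secret = self.user_db.get(peer_name)
        ok = (code == RESPONSE and challenge is not None and secret is not None
              and hmac.compare_digest(chap_hash(identifier, secret, challenge), received))
        return struct.pack("!BBH", SUCCESS if ok else FAILURE, identifier, 4), ok


def run_chap(r1_secret_for_r2="test", r2_secret_for_r1="test"):
    """Full handshake with R2 authenticating R1. Returns (ok, response packet)."""
    r1 = PppPeer("R1", {"R2": r1_secret_for_r2})   # R1(config)#username R2 password test
    r2 = PppPeer("R2", {"R1": r2_secret_for_r1})   # R2(config)#username R1 password test
    chal = r2.challenge()
    resp = r1.respond(chal)
    _, ok = r2.verify(resp)
    return ok, resp


def pap_authenticate_request(username, password):
    """PAP Authenticate-Request (RFC 1334): Peer-ID and Password in clear text."""
    user, pw = username.encode(), password.encode()
    body = bytes([len(user)]) + user + bytes([len(pw)]) + pw
    return struct.pack("!BBH", 1, 1, 4 + len(body)) + body


if __name__ == "__main__":
    ok, resp = run_chap()
    print("CHAP authenticated:", ok)
    print("CHAP with mismatched secret:", run_chap(r1_secret_for_r2="wrong")[0])
    print("password visible in PAP request:", b"test" in pap_authenticate_request("R1", "test"))
```

A mismatched secret on either side fails the comparison, which is the usual cause of "CHAP authentication failed" in debug ppp authentication; the one-time challenge makes a captured response useless for replay, but does nothing against offline guessing of a short secret.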



R1 Basic & PPP Configuration                          R2 Basic & PPP Configuration
R1>enable                                             R2>enable
R1#configure terminal                                 R2#configure terminal
R1(config)#interface serial 0/0/0                     R2(config)#interface serial 0/0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.252  R2(config-if)#ip address 192.168.1.2 255.255.255.252
R1(config-if)#clock rate 64000                        R2(config-if)#no shutdown
R1(config-if)#no shutdown
R1(config-if)#encapsulation ppp                       R2(config-if)#encapsulation ppp
R1(config)#username R2 password test                  R2(config)#username R1 password test
(For CHAP the username is the other router's hostname and the password must be identical on both
routers; for PAP the authenticator needs a username entry matching the peer's sent-username.)

R1 PAP Configuration                                  R2 PAP Configuration

R1(config)#interface serial 0/0/0                     R2(config)#interface serial 0/0/0
R1(config-if)#encapsulation ppp                       R2(config-if)#encapsulation ppp
R1(config-if)#ppp authentication pap                  R2(config-if)#ppp authentication pap
R1(config-if)#ppp pap sent-username R1 password test  R2(config-if)#ppp pap sent-username R2 password test
R1 CHAP Configuration                                 R2 CHAP Configuration
R1(config)#interface serial 0/0/0                     R2(config)#interface serial 0/0/0
R1(config-if)#encapsulation ppp                       R2(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap                 R2(config-if)#ppp authentication chap
R1 CHAP then PAP (PAP used only if CHAP is refused)   R2 CHAP then PAP
R1(config)#interface serial 0/0/0                     R2(config)#interface serial 0/0/0
R1(config-if)#encapsulation ppp                       R2(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap pap             R2(config-if)#ppp authentication chap pap
R1 PAP then CHAP (CHAP used only if PAP is refused)   R2 PAP then CHAP
R1(config)#interface serial 0/0/0                     R2(config)#interface serial 0/0/0
R1(config-if)#encapsulation ppp                       R2(config-if)#encapsulation ppp
R1(config-if)#ppp authentication pap chap             R2(config-if)#ppp authentication pap chap
Description                                           Commands
Display interface status including LCP/NCP state      R1# show interface s0/0/0
Debug PPP authentication (shows challenge, response   R1#debug ppp authentication
and success/failure)
Briefly display all interfaces                        R1# show ip interface brief
Display status of PPP sessions                        R1# show ppp all

MLPPP (Multi-Link PPP):
PPP Multilink is used to take multiple PPP links and bond them together, making them act as a
single PPP link. It enables load balancing of traffic across the different links and provides
redundancy in case of a line failure on a single link. PPP Multilink is usually found at service
providers, who bond multiple links for a customer to provide increased bandwidth. It is important
to understand that PPP Multilink requires both ends to be configured the same way, which means
that both the user and the ISP must have PPP Multilink configured; otherwise the link will not
work.

R1 Configuration:
R1# configure terminal
R1(config)# interface multilink 1
R1(config-if)# ip address 192.168.42.1 255.255.255.252
R1(config-if)# ppp multilink
R1(config-if)# ppp multilink group 1
R1(config-if)# interface serial 0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ppp multilink
R1(config-if)# ppp multilink group 1
R1(config-if)# no shutdown
R1(config-if)# interface serial 0/1
R1(config-if)# encapsulation ppp
R1(config-if)# ppp multilink
R1(config-if)# ppp multilink group 1
R1(config-if)# no shutdown

R2 Configuration:
R2# configure terminal
R2(config)# interface multilink 1
R2(config-if)# ip address 192.168.42.2 255.255.255.252
R2(config-if)# ppp multilink
R2(config-if)# ppp multilink group 1
R2(config-if)# interface serial 0/0
R2(config-if)# encapsulation ppp
R2(config-if)# ppp multilink
R2(config-if)# ppp multilink group 1
R2(config-if)# no shutdown
R2(config-if)# interface serial 0/1
R2(config-if)# encapsulation ppp
R2(config-if)# ppp multilink
R2(config-if)# ppp multilink group 1
R2(config-if)# no shutdown

Description Commands
Display Layer 3 operation R1# show ip route
Display details of multilink R1# show interfaces multilink 1
Briefly display all interfaces R1# show ip interface brief
Verifying MLPPP group R1# show ppp multilink

Configure and Verify PPPoE Client-Side Interfaces:
Point-to-Point Protocol over Ethernet (PPPoE) provides a point-to-point link across a shared
medium, typically a broadband aggregation network such as those found at DSL service
providers. A very common scenario is to run a PPPoE client on the customer-side router, which
connects to and obtains its configuration from the PPPoE server on the ISP-side router.
PPPoE can be used to let an office or a building full of users share a common Digital Subscriber
Line (DSL), cable modem, or wireless connection to the Internet. PPPoE combines the Point-to-
Point Protocol (PPP), commonly used in dial-up connections, with the Ethernet protocol, which
supports multiple users in a Local Area Network. PPPoE is configured as a point-to-point
connection between two Ethernet ports. PPPoE is widely used by ISPs to provision Digital
Subscriber Line (DSL) high-speed Internet services.

Client Configuration:
Client# configure terminal
Client(config)# interface Dialer 1
Client(config-if)# mtu 1492
Client(config-if)# ip address negotiated
Client(config-if)# encapsulation ppp
Client(config-if)# dialer pool 1
Client(config-if)# ppp chap hostname admin
Client(config-if)# ppp chap password 123
Client(config-if)# ppp ipcp route default
Client(config)# interface fastEthernet0/0
Client(config-if)# no ip address
Client(config-if)# pppoe enable
Client(config-if)# pppoe-client dial-pool-number 1
Client(config-if)# no shutdown

ISP Configuration:
ISP# configure terminal
ISP(config)# username admin password 123
ISP(config)# bba-group pppoe MyGroup
ISP(config-bba-group)# virtual-template 1
ISP(config)# interface fastEthernet0/0
ISP(config-if)# no ip address
ISP(config-if)# pppoe enable group MyGroup
ISP(config-if)# no shutdown
ISP(config)# ip local pool MyPool 192.168.1.2 192.168.1.254
ISP(config)# interface Virtual-Template1
ISP(config-if)# ip address 192.168.1.1 255.255.255.0
ISP(config-if)# peer default ip address pool MyPool
ISP(config-if)# ppp authentication chap callin

Description  Commands
Create dialer interface for the PPPoE connection  Client(config)# interface Dialer 1
Lower the MTU on the dialer interface  Client(config-if)# mtu 1492
IP address provided by the PPPoE server  Client(config-if)# ip address negotiated
Enable PPP encapsulation  Client(config-if)# encapsulation ppp
Create the pool to be used for PPPoE  Client(config-if)# dialer pool 1
Username to authenticate with the ISP  Client(config-if)# ppp chap hostname admin
Password to authenticate with the ISP  Client(config-if)# ppp chap password 123
Get the default route from the ISP  Client(config-if)# ppp ipcp route default
Go to the physical interface  Client(config)# interface fastEthernet0/0
Enable PPPoE on the physical interface  Client(config-if)# pppoe enable
Add the interface to the same pool number configured on the dialer interface  Client(config-if)# pppoe-client dial-pool-number 1

Description Commands
Verify IPv4 Address Assigned to Customer Client# show ip interface brief
Verify the MTU and PPP Encapsulation Client# show interface dialer
Verifying Active PPPoE Sessions Client# show pppoe session
Verifying Default route and Dialer interface Client# show ip route
Verify PPP negotiation Client# debug ppp negotiation

Configure, Verify, and Troubleshoot GRE Tunnel Connectivity:


Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that allows the
encapsulation of a wide variety of network layer protocols inside point-to-point links. A GRE
tunnel is used when packets need to be sent from one network to another over the Internet or
an insecure network.
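As an added illustration (example code, not from this guide and not from Cisco), the following Python builds and parses the encapsulation a GRE tunnel performs: an outer IPv4 header with protocol number 47, the 4-byte GRE header of RFC 2784, then the original packet. The addresses reuse the lab values of the configuration below (tunnel endpoints 1.1.1.10 and 2.2.2.10, LANs 192.168.1.0/24 and 192.168.2.0/24); the payload text and the inner protocol number 253 (reserved for experimentation) are constructed. Decapsulation returns the inner header fields unchanged, which is the practical caveat: plain GRE adds 24 bytes of overhead (the reason the tunnel interface lowers ip mtu to 1400) but no confidentiality or integrity, so a GRE tunnel across the Internet carries its payload in clear text unless it is additionally protected with IPsec.

```python
import socket
import struct
from typing import Any, Dict

GRE_PROTOCOL = 47          # IP protocol number carried in the outer IPv4 header
GRE_PTYPE_IPV4 = 0x0800    # GRE Protocol Type for an IPv4 payload (Ethertype value)
GRE_OVERHEAD = 20 + 4      # outer IPv4 header + minimal GRE header


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (0 when verifying a good header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """Outer IPv4 (proto 47) + 4-byte GRE header (no C/K/S options) + the original packet."""
    gre_header = struct.pack("!HH", 0, GRE_PTYPE_IPV4)   # flags/version = 0, protocol type
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre_header + inner)


def gre_decapsulate(packet: bytes) -> Dict[str, Any]:
    """Strip outer IPv4 + GRE and parse the inner IPv4 header; raises ValueError if not GRE."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if outer[9] != GRE_PROTOCOL:
        raise ValueError("outer packet is not GRE (protocol %d)" % outer[9])
    if ipv4_checksum(outer) != 0:
        raise ValueError("bad outer IPv4 checksum")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:                       # version bits must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    if ptype != GRE_PTYPE_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % ptype)
    # Optional fields: Checksum (C, bit 15) adds 4 bytes, Key (K, bit 13) 4, Sequence (S, bit 12) 4
    opt_len = 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    inner = packet[ihl + 4 + opt_len:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "outer_src": socket.inet_ntoa(outer[12:16]),
        "outer_dst": socket.inet_ntoa(outer[16:20]),
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_proto": inner[9],
        "payload": inner[inner_ihl:],       # readable by anyone on the path: GRE does not encrypt
    }
```

Run gre_encapsulate on a packet built with ipv4_packet and search the result for the payload bytes: they are present verbatim, which is the whole argument for pairing GRE with IPsec when the underlay is untrusted.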

R1 Basic Configuration:
R1(config)# interface FastEthernet0/0
R1(config-if)# ip address 1.1.1.10 255.0.0.0
R1(config-if)# no shutdown
R1(config)# interface Loopback0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config)# router eigrp 1
R1(config-router)# network 1.0.0.0

R2 Basic Configuration:
R2(config)# interface FastEthernet0/0
R2(config-if)# ip address 2.2.2.10 255.0.0.0
R2(config-if)# no shutdown
R2(config)# interface Loopback0
R2(config-if)# ip address 192.168.2.1 255.255.255.0
R2(config)# router eigrp 1
R2(config-router)# network 2.0.0.0

Internet Router Basic Configuration:
R3#configure terminal
R3(config)#hostname Internet
Internet(config)# interface Gigabit1/0
Internet(config-if)#ip address 1.1.1.20 255.0.0.0
Internet(config)# interface FastEthernet0/0
Internet(config-if)#ip address 2.2.2.20 255.0.0.0
Internet(config)# router eigrp 1
Internet(config-router)# network 1.0.0.0
Internet(config-router)# network 2.0.0.0

R1 GRE Configuration:
R1(config)# interface Tunnel0
R1(config-if)# ip address 172.16.0.1 255.255.255.0
R1(config-if)# ip mtu 1400
R1(config-if)# tunnel source 1.1.1.10
R1(config-if)# tunnel destination 2.2.2.10
R1(config)# ip route 192.168.2.0 255.255.255.0 172.16.0.2

R2 GRE Configuration:
R2(config)# interface Tunnel0
R2(config-if)# ip address 172.16.0.2 255.255.255.0
R2(config-if)# ip mtu 1400
R2(config-if)# tunnel source 2.2.2.10
R2(config-if)# tunnel destination 1.1.1.10
R2(config)# ip route 192.168.1.0 255.255.255.0 172.16.0.1

Describe WAN Topology Options:


A Wide Area Network (WAN) is a computer network covering multiple distant areas, which
may spread across the entire world. WANs often connect multiple smaller networks, such as
Local Area Networks (LANs) or Metropolitan Area Networks (MANs). Large enterprises have multiple
business offices (physical sites) in different geographical locations. Normally, Internet Service
Providers (ISPs) provide network connectivity solutions to connect multiple physical sites in
different geographical locations.
Point-to-Point Topology:
A point-to-point topology connects exactly two points. This is the simplest type of WAN
topology. Packets sent from one site are delivered to the other and vice versa. Point-to-point
connections are used to connect LANs to service provider WANs.

Hub and Spoke Topology:


In a Hub-and-Spoke Site-to-Site Wide Area Network (WAN) topology, one physical site acts as
the Hub (for example, the Main Office), while the other physical sites act as spokes. Spoke sites
are connected to each other via the Hub site. In a Hub-and-Spoke WAN topology, network
communication between two spokes always travels through the hub. The main disadvantage is
that this may cause communication time lags. The Hub-and-Spoke WAN topology also has
redundancy issues: if the Main Office network fails, the entire Enterprise network communication
may fail. It is also known as point-to-multipoint.

Full Mesh Topology:


In a Full-Mesh Site-to-Site Wide Area Network (WAN) topology, every physical site is connected
to every other site using WAN links. Any site can communicate directly with any other site. Full-
mesh topology is highly redundant, but a full-mesh network is difficult to build and maintain and
is much more expensive. It is also called multipoint-to-multipoint.

Single Homed:
The single-homed design means you have a single connection to a single ISP. The advantage of a
single-homed design is that it is cost effective; the disadvantage is that you have no redundancy.
Your link is a single point of failure, and so is relying on a single ISP.

Dual Homed:
The dual homed connection adds some redundancy. You are still only connected to a single ISP,
but you use two links instead of one. These networks have several advantages, such as network
redundancy and load balancing.

Describe WAN Access Connectivity Options:
MPLS (Multi-Protocol Label Switching):
Multiprotocol Label Switching (MPLS) is a protocol for speeding up and shaping network traffic
flows. MPLS allows most packets to be forwarded at Layer 2 rather than having to be passed up
to Layer 3. Each packet gets labeled on entry into the service provider's network by the ingress
router. All the subsequent routing switches perform packet forwarding based only on those
labels—they never look as far as the IP header. Finally, the egress router removes the labels
and forwards the original IP packet toward its final destination. MPLS is the most common WAN
technology used by service providers in today's networks.

Metro Ethernet:
Ethernet was initially restricted to the LAN by its distance limits, but that is no longer the case.
A Metro Ethernet network is a Metropolitan Area Network (MAN) that is based on Ethernet
standards. It is commonly used to connect subscribers to a larger service network or to the
Internet. Businesses can also use Metro Ethernet to connect their own offices to each other.
Cisco Metro Ethernet switches include the ME 3400, ME 3800X and ME 4900.

Broadband PPPoE:
Many Internet Service Providers (ISPs) from around the world offer their internet services to
residential users through Point-to-Point Protocol over Ethernet or PPPoE connections. To be
able to use such internet connections, the ISP usually gives you a unique username and
password that you must use to connect to their network.

Internet VPN:
A Virtual Private Network (VPN) is a Network Security Technology, which is used to secure
private network traffic over a public network such as the Internet. A VPN ensures Data
Confidentiality and Data Integrity for network data in its journey from the source device to
destination device using network security protocols like IPSec (Internet Protocol Security).

DMVPN:
Dynamic Multipoint VPN (DMVPN) is a Cisco software solution for building multiple VPNs in an
easy, dynamic, and scalable manner. The goal is to simplify the configuration while easily and
flexibly connecting central office sites with branch sites; this is called hub-to-spoke.
With DMVPN, branch sites can also communicate directly with other branch sites (spoke-to-spoke).
DMVPN relies on IPsec to provide secure transport of private information over public networks,
such as the Internet.

Site-to-Site IPSec VPN:
Site-to-Site IPSec VPN Tunnels are used to allow the secure transmission of data, voice and
video between two sites (e.g. offices or branches). The VPN tunnel is created over the Internet
public network and encrypted using several advanced encryption algorithms to provide
confidentiality of the data transmitted between the two sites.
Client VPN:
A client-based VPN is a virtual private network created between a single user and a remote
network. There’s often an application involved to make the VPN connection. In most scenarios,
the user manually starts the VPN client, and authenticates with a username and password. The
client creates an encrypted tunnel between the user’s computer and the remote network. The
user then has access to the remote network via the encrypted tunnel. Examples of client-based
VPN applications include Cisco’s AnyConnect.
An SSL (Secure Sockets Layer) VPN is a VPN accessed via HTTPS from a web browser. SSL creates a
secure session from your PC's browser to the application server you are accessing. The major
advantage of SSL VPN is that it does not need any software installed, because it uses the web
browser as the client application.

Describe DNS Lookup Operation:


The DNS protocol is used to resolve FQDN (Fully Qualified Domain Names) to IP addresses.
Domain Name System (DNS) is an Internet service that translates domain names into IP
addresses or vice versa. This allows us to successfully find and connect to Internet websites and
services no matter where they are.
Description  Commands
Enable DNS-based host name translation  R(config)# ip domain lookup
Disable DNS-based host name translation  R(config)# no ip domain lookup
Configure the router to use a DNS server  R(config)# ip name-server <dns-server-ip>
Enable the DNS service on the router  R1(config)# ip dns server
Statically map a host name to an IP address  R1(config)# ip host r1 192.168.1.1
Display statically mapped hosts  R# show hosts

Troubleshoot Client Connectivity Issues Involving DNS:
To examine the DNS settings on a Windows client, issue the “ipconfig /all” command in the Windows
command prompt (CMD) to check the client's DNS server details. To check DNS functionality, ping any
website from the command prompt; if you get a reply, DNS is working. Another utility to verify DNS
on a client PC is nslookup.

Configure and Verify DHCP on a Router:


Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically
provides an IP host with its IP address, subnet mask, default gateway, DNS server and other
related configuration.
DHCP Server:
Software that waits for DHCP clients to request to lease IP addresses, with the server assigning
a lease of an IP address as well as listing other important IP settings for the client.
DHCP Relay:
A DHCP relay agent is any host that forwards DHCP packets between clients and servers. Relay
agents are used to forward requests and replies between clients and servers when they are not
on the same physical subnet.
DHCP Client:
A DHCP client is an Internet host using DHCP to obtain configuration parameters such as an IP
address from DHCP Server.
TFTP Option:
Cisco IP phones can be assigned IP addresses by using DHCP. The phones also require access to a
TFTP server that contains device configuration files (.cnf file format), which enable the device
to communicate with Cisco Call Manager. Cisco IP Phones download their configuration from a
TFTP server. When a Cisco IP Phone starts, if it does not have both its IP address and the TFTP
server IP address pre-configured, it sends a request with option 150 to the DHCP server to
obtain this information. DHCP option 150 provides the IP addresses of a list of TFTP servers.
DHCP Option 150 is Cisco proprietary. The next-server command can also be used to specify the
TFTP server IP.
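The option 150 / next-server mechanism, as an added Python example (not from this guide): it serializes and parses the DHCP options field as code/length/value TLVs, packs option 150 as a list of IPv4 addresses, and collects every TFTP server a lease advertises (the option 150 list, the standard option 66 server name, and the siaddr field that "next-server" fills). The addresses 10.10.1.1 and 10.10.1.2 and the host name tftp.example.com are sample values. The last function compares the advertised servers against an allowlist, which is how a defender checking captured DHCP offers would notice a lease pointing phones at a TFTP server that is not theirs.

```python
import socket
from typing import Dict, Iterable, List

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE = 53
OPT_TFTP_SERVER_NAME = 66       # standard option: one TFTP server as a name string
OPT_TFTP_SERVER_ADDRESS = 150   # Cisco option: list of TFTP server IPv4 addresses
OPT_END = 255


def encode_options(options: Dict[int, bytes]) -> bytes:
    """Serialize DHCP options as code/length/value TLVs after the magic cookie."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    for code, value in options.items():
        if len(value) > 255:
            raise ValueError("option %d too long" % code)
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(data: bytes) -> Dict[int, bytes]:
    """Parse the options field of a DHCP message; stops at END (255), skips PAD (0)."""
    if data[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 4
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:                       # PAD: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option %d" % code)
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return options


def option150(servers: Iterable[str]) -> bytes:
    """Option 150 value: concatenated 4-byte IPv4 addresses, in preference order."""
    return b"".join(socket.inet_aton(s) for s in servers)


def tftp_servers(options: Dict[int, bytes], siaddr: str = "0.0.0.0") -> List[str]:
    """Every TFTP server the lease points a phone at: option 150 list, option 66 name, siaddr."""
    found: List[str] = []
    raw = options.get(OPT_TFTP_SERVER_ADDRESS, b"")
    if len(raw) % 4:
        raise ValueError("option 150 length must be a multiple of 4")
    found += [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw), 4)]
    if OPT_TFTP_SERVER_NAME in options:
        found.append(options[OPT_TFTP_SERVER_NAME].decode("ascii", "replace"))
    if siaddr != "0.0.0.0":                 # siaddr is what 'next-server' sets
        found.append(siaddr)
    return found


def unexpected_tftp_servers(options: Dict[int, bytes], allowed: Iterable[str],
                            siaddr: str = "0.0.0.0") -> List[str]:
    """Servers advertised by a lease that are not on the site's allowlist (constructed check)."""
    allowed_set = set(allowed)
    return [s for s in tftp_servers(options, siaddr) if s not in allowed_set]
```

Because the phone trusts whatever the lease says, the allowlist comparison is the useful check: it flags a rogue or misconfigured DHCP server that would redirect phone configuration downloads.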

Description  Commands
Exclude an address so it is not assigned to clients  R(config)#ip dhcp excluded-address 1.1.1.1
Create a DHCP server pool  R(config)#ip dhcp pool mypool
Specify the range (network) of addresses  R(dhcp-config)#network 1.0.0.0 255.0.0.0
Assign the default router (gateway) address  R(dhcp-config)#default-router 1.1.1.1
Assign the domain name  R(dhcp-config)#domain-name test.com
Assign the DNS server address  R(dhcp-config)#dns-server 8.8.8.8
Assign the TFTP server IP (next-server)  R(dhcp-config)#next-server TFTP-server-IP
Assign the NetBIOS name server  R(dhcp-config)#netbios-name-server 7.7.7.7
Specify the lease duration (days)  R(dhcp-config)#lease 7
Configure the TFTP option 150  R(dhcp-config)#option 150 ip 10.10.1.1
Acquire a DHCP address on an interface  R(config-if)#ip address dhcp
Go to interface mode  R2(config)#interface fa1/0
Configure the DHCP relay agent  R2(config-if)#ip helper-address 1.1.1.1
See the assigned DHCP addresses  R# show ip dhcp binding
Show DHCP statistics  R# show ip dhcp server statistics
Reset all DHCP server counters to 0  R# clear ip dhcp server statistics
Clear DHCP bindings on the server  R# clear ip dhcp binding *
Check for IP address conflicts  R# show ip dhcp conflict
Clear conflicts for all addresses  R# clear ip dhcp conflict *
Terminate a PC's DHCP-assigned lease  C:\>ipconfig /release
Renew a PC's DHCP-assigned lease  C:\>ipconfig /renew
Check the IP configuration on a PC  C:\>ipconfig /all
Debug DHCP server events or packets  R# debug ip dhcp server events  /  R# debug ip dhcp server packet

Troubleshoot Client- and Router-Based DHCP Connectivity Issues:


Many issues can prevent proper DHCP connectivity: errors in the router or switch
configuration, in the DHCP server configuration, in the DHCP relay-agent configuration, or in
the DHCP server scope configuration.

Configure, Verify, and Troubleshoot Basic HSRP:


First Hop Redundancy Protocols (FHRPs) provide redundancy and load balancing of the default
gateway (first hop) by connecting multiple physical routers and treating them as one or more
logical routers that act as the gateway for LAN devices. Examples are HSRP, VRRP and GLBP.

Working of FHRP:
o Create a group of physical gateways using Layer 3 devices (routers/switches).
o Agree on one virtual IP address, which is the same on all first-hop devices.
o The virtual IP is used as the gateway address by all LAN devices.
o Create one or more virtual MAC addresses.
o One first-hop device responds to ARP requests for the virtual IP (the Active/AVG/Master).
o Use keepalive messages to track the virtual gateway's status.
o LAN devices use the virtual IP and MAC address as their default gateway.

HSRP (Hot Standby Router Protocol):


o Cisco proprietary protocol.
o There are two versions of HSRP (HSRPv1 and HSRPv2).
o The highest-priority gateway is elected as the active gateway.
o The active gateway is the owner of the virtual MAC and virtual IP.
o Default priority is 100 and can be modified (0-255).
o Highest interface IP is the tie-breaker.
o Preempt is disabled by default.
o Uses UDP multicast 224.0.0.2 at port 1985 for transport.
o Messages can be authenticated using clear text or MD5.
o HSRPv1 virtual MAC 0000.0c07.acXX (XX is the group number in hex, 0-255).
o HSRPv2 virtual MAC 0000.0c9f.fXXX (XXX is the group number in hex, 0-4095).
o HSRPv2 supports IPv6 addresses.
o HSRP versions are not compatible with each other.
o Load sharing is possible using multiple groups and virtual IPs with priority modification.
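Added Python example (not from this guide) that turns the virtual-MAC and election rules above into code: hsrp_virtual_mac derives the v1/v2 virtual MAC for a group and rejects out-of-range groups, hsrp_group_from_mac does the inverse lookup for a MAC seen in an ARP or CAM table (useful when auditing which gateway groups exist on a segment), and elect_active applies highest priority, the highest-IP tie-break and the preempt rule. Router names, priorities and addresses used in the checks are constructed.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def hsrp_virtual_mac(group: int, version: int = 1) -> str:
    """Virtual MAC of an HSRP group: v1 0000.0c07.acXX (0-255), v2 0000.0c9f.fXXX (0-4095)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return "0000.0c07.ac%02x" % group
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be 0-4095")
        return "0000.0c9f.f%03x" % group
    raise ValueError("unknown HSRP version %r" % version)


def hsrp_group_from_mac(mac: str) -> Optional[Tuple[int, int]]:
    """Inverse lookup: (version, group) if the MAC is an HSRP virtual MAC, else None."""
    m = mac.lower().replace(":", "").replace(".", "").replace("-", "")
    if len(m) != 12:
        return None
    if m.startswith("00000c07ac"):
        return 1, int(m[10:], 16)
    if m.startswith("00000c9ff"):
        return 2, int(m[9:], 16)
    return None


def elect_active(routers: List[Dict], current_active: Optional[str] = None) -> str:
    """Which router is Active? Highest priority wins; highest interface IP breaks ties.

    When a router is already Active, a better candidate takes over only if it has
    'standby preempt' and a strictly higher priority (preempt is off by default).
    Each router is a dict with name, priority, ip and an optional preempt flag.
    """
    best = max(routers, key=lambda r: (r["priority"], IPv4Address(r["ip"])))
    if current_active is None:                    # initial election
        return best["name"]
    current = next(r for r in routers if r["name"] == current_active)
    if (best["name"] != current_active and best.get("preempt", False)
            and best["priority"] > current["priority"]):
        return best["name"]
    return current_active                         # no preempt, or not strictly better: stays
```

The inverse lookup is the defender-side use: any host answering for a 0000.0c07.acXX address that is not one of your configured groups is worth investigating, and the election function explains why a router with the higher priority but no "standby preempt" does not become Active after it recovers.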
HSRP Configuration
Descriptions  Commands
Enable HSRP & set the virtual IP address  SW(config-if)#standby <0-255> ip <Virtual IP>
Take over from a lower-priority Active router  SW(config-if)#standby <0-255> preempt
Set the priority level  SW(config-if)#standby <0-255> priority <0-255>
Set the hello & hold timers  SW(config-if)#standby <0-255> timers <hello> <hold>
Set priority tracking  SW(config-if)#standby <0-255> track <interface> [<decrement>]
Set the authentication  SW(config-if)#standby <0-255> authentication {<string> | md5 key-string <key>}
Set the virtual MAC address  SW(config-if)#standby <0-255> mac-address <mac>
Display HSRP information  SW# show standby {all | brief | neighbors}

Configure, Verify, and Troubleshoot NAT:


Network Address Translation (NAT) transforms private IP addresses into public IP addresses so
users can access the public Internet. NAT can be used to hide the private IP addressing scheme
of the entire network from the Internet. NAT should always be configured on the border device,
the router that resides between the Internet and the rest of the private internal network. Each
NAT mapping uses 160 bytes of memory. You can configure NAT three ways on a Cisco router:
static, dynamic, and NAT overload (PAT).
NAT represents multiple devices as a single logical device. NAT can be used when there are not
enough public addresses, when two intranets with duplicate addresses need to merge, or when
merging networks with overlapping addresses. NAT increases flexibility when connecting to the
Internet and reduces the occurrence of address overlap.
Static NAT (Network Address Translation):
Static NAT is a one-to-one mapping of a private IP address to a public IP address. When the
router receives a packet from the LAN, the private source IP is removed and replaced with the
public IP. Static NAT is useful when a network device inside a private network needs to be
accessible from the Internet.
Dynamic NAT (Network Address Translation):
Dynamic NAT maps a private IP address to a public IP address taken from a group of public IP
addresses called a NAT pool. Dynamic NAT establishes a one-to-one mapping between a private
IP address and a public IP address. The public IP address is taken from the pool configured on
the NAT router, so the public-to-private mapping may vary depending on which public IP
addresses are available in the pool.

PAT (Port Address Translation):
PAT is another type of dynamic NAT which can map multiple private IP addresses to a single
public IP address by using the source port numbers, a technique known as Port Address
Translation (also called NAT overload).
When a client on the inside network communicates with a host on the Internet, the router changes
the source port number to another port number and keeps these port mappings in a table.
When the router receives a data packet from the Internet, it looks up the destination port in that
table and forwards the data packet to the original sender.
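Added Python model (not from this guide and not IOS code) of what the Static NAT and PAT sections describe: a border router that keeps a one-to-one static entry for a server and a port-mapping table for the overloaded hosts. The addresses 203.0.113.1, 203.0.113.10, 192.168.0.x and 198.51.100.x are documentation-range sample values. The port-allocation rule (keep the original source port unless it is already in use, otherwise take the next free one) is a simplification of IOS behaviour and is marked as an assumption in the code. The model also shows the side effect defenders rely on: an inbound packet with no matching translation is dropped, while a static mapping is reachable from outside at any time.

```python
from typing import Any, Dict, List, Optional, Tuple

Packet = Dict[str, Any]   # keys: proto, src, sport, dst, dport


class NatRouter:
    """Border router: static one-to-one NAT for servers, PAT (overload) for other inside hosts."""

    def __init__(self, inside_global_ip: str, first_port: int = 1024):
        self.inside_global_ip = inside_global_ip        # the single public (inside global) address
        self.static: Dict[str, str] = {}                # inside local -> inside global
        self.static_rev: Dict[str, str] = {}            # inside global -> inside local
        self.pat: Dict[Tuple[str, str, int], int] = {}  # (proto, inside local, local port) -> global port
        self.pat_rev: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, global port) -> (local, port)
        self.next_port = first_port

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """Equivalent of: ip nat inside source static <inside-local> <inside-global>"""
        self.static[inside_local] = inside_global
        self.static_rev[inside_global] = inside_local

    def _allocate_port(self, proto: str, wanted: int) -> int:
        # Assumption (simplified from IOS): keep the original source port when it is free,
        # otherwise hand out the next unused port from a counter.
        if (proto, wanted) not in self.pat_rev:
            return wanted
        while (proto, self.next_port) in self.pat_rev:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the inside local source into an inside global source."""
        out = dict(pkt)
        if pkt["src"] in self.static:                      # static NAT: one-to-one, ports untouched
            out["src"] = self.static[pkt["src"]]
            return out
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        if key not in self.pat:                            # first packet from this inside socket
            gport = self._allocate_port(pkt["proto"], pkt["sport"])
            self.pat[key] = gport
            self.pat_rev[(pkt["proto"], gport)] = (pkt["src"], pkt["sport"])
        out["src"] = self.inside_global_ip
        out["sport"] = self.pat[key]
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: translate the destination back; None means the packet is dropped."""
        back = dict(pkt)
        if pkt["dst"] in self.static_rev:                  # static entry: reachable at any time
            back["dst"] = self.static_rev[pkt["dst"]]
            return back
        if pkt["dst"] != self.inside_global_ip:
            return None
        entry = self.pat_rev.get((pkt["proto"], pkt["dport"]))
        if entry is None:                                  # no translation state: dropped
            return None
        back["dst"], back["dport"] = entry
        return back

    def translations(self) -> List[Tuple[str, str, str]]:
        """(proto, inside global, inside local) rows, in the spirit of 'show ip nat translations'."""
        rows = [("---", ig, il) for il, ig in self.static.items()]
        for (proto, il, lport), gport in self.pat.items():
            rows.append((proto, "%s:%d" % (self.inside_global_ip, gport), "%s:%d" % (il, lport)))
        return rows
```

Two inside hosts that both pick source port 50000 end up with different inside global ports, which is the whole trick of PAT; the reverse table is also why an unsolicited packet to the overloaded address goes nowhere.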

Inside Local Address:


Inside local address is an IP address assigned to a workstation inside our network. Inside Local
addresses are typically private IP addresses, which stay inside our network.
Inside Global Address:
Inside global addresses are typically public IP addresses assigned to our Internet-facing router
and used as the IP address for communicating with other devices on the Internet. The inside local
IP addresses are removed at the NAT router and replaced with an inside global address.
Outside Global Address:
An outside global address is the public IP address assigned to the end device on the other network
to communicate with other devices on the Internet. Outside global addresses are routable public
IP addresses.
Outside Local Address:
An outside local address is the real IP address of the end device on the other network. Outside
local addresses are typically private IP addresses assigned to the computers in the other private
network. We normally cannot know the outside local addresses, because in a NAT-enabled network
we use the destination's outside global address.

Description  Commands
Configure Static NAT  R(config)# ip nat inside source static <inside-local-ip> <inside-global-ip>
Enter interface mode  R(config)# interface <interface>
Define the inside interface  R(config-if)# ip nat inside
Enter interface mode  R(config)# interface <interface>
Define the outside interface  R(config-if)# ip nat outside
Create a named access list  R(config)#ip access-list standard client-list
Define which network will be translated  R(config-std-nacl)#permit 192.168.0.0 0.0.0.255
Define the NAT pool used in the NAT translation  R(config)#ip nat pool dynamic-ip 1.1.1.5 1.1.1.10 netmask 255.0.0.0
Define the dynamic source NAT  R(config)#ip nat inside source list client-list pool dynamic-ip
Create a standard access list defining which network will be translated  R(config)#access-list 1 permit 192.168.0.0 0.0.0.255
Define the single PAT IP used in the PAT translation  R(config)#ip nat pool dynamic-ip 1.1.1.5 1.1.1.5 netmask 255.0.0.0
Define the dynamic source PAT (overload)  R(config)#ip nat inside source list client-list pool dynamic-ip overload
Show the address translation table  R# show ip nat translations
Display NAT translation statistics  R# show ip nat statistics
Clear the dynamic translations from the table  R# clear ip nat translations *
Show the translation process as it happens  R# debug ip nat

Configure and Verify NTP Operating in a Client/Server Mode:


Network Time Protocol (NTP) is used to synchronize the time on the Cisco device clock. NTP
usually gets its time from an accurate and trusted time source, such as a radio clock or an
atomic clock attached to a time server. NTP is a client server protocol and uses UDP port 123 as
both the source and destination. NTP communications can be secured using an authentication
mechanism that uses the MD5 algorithm. NTP is essential for syslog messages as it is used to
keep accurate timing information. Timestamps with syslog messages must be accurate to make
the logging information useful for troubleshooting or incident handling. NTP supports four
different modes, Client, Server, Peer and Broadcast/Multicast.
NTP Client Mode:
An NTP client is a network device configured to synchronize its clock from an external NTP time
server. Devices in NTP client mode do not provide synchronization services to other network
infrastructure devices.
NTP Server Mode:
An NTP server is a network device which is running NTP service and configured to provide Time
information to NTP clients using NTP. NTP servers provide only Time information to NTP Clients
and will never accept time synchronization information from other devices.
NTP Clients/Servers:
NTP Clients/Servers play both roles. As a client, the device connects to an NTP server to
synchronize its time, and as a server, it supplies time information to other devices. The NTP
master command tells the router to act as an NTP server and trust its internal clock as a
good clock source. The stratum level defines the quality of the clock source; the lower the
stratum, the better the source.

Description Commands
Display Hardware clock R1#show calendar
Display Software clock R1#show clock
Display Details of clock time R1#show clock detail
Setting clock date and time R1#clock set 1:1:1 jan 30 2014
Set the router 1 act as an NTP client R1(config)#ntp server 172.16.2.2
Set the router 2 act as an NTP client R2(config)#ntp server 172.16.3.3
Make Router 3 as NTP server R3(config)#ntp master 2
Time to time update calendar date & time R3(config)#ntp update-calendar
Verify NTP client status R1#show ntp status
Verify NTP client associations R1#show ntp associations

Configure, Verify, Troubleshoot Port Security:


Port security is used to prevent unauthorized access and to limit access based on MAC address. It
can limit the number of MAC addresses (1-8192) allowed on a particular port. Port security can be
applied on static trunk and static access ports. If the limit is exceeded (a violation), the port
can go into Shutdown, Protect or Restrict mode. The port's address table can hold statically
configured MAC addresses or sticky MAC addresses.
Default Configuration of Port Security:
o Disabled on every interface.
o 1 MAC address allow if port security enabled.
o Default violation is shutdown.
o No aging configured by default for recovery.
Static:
Static secure MAC addresses are statically configured on each switchport and stored in the
address table. The configuration for a static secure MAC address is stored in the running
configuration by default and can be made permanent by saving them to the startup
configuration.
Dynamic:
Dynamic secure MAC addresses are learned from the device (or devices) connected to the
switchport. These addresses are stored in the address table only and will be lost when the
switchport state goes down or when the switch reboots.
SW(config-if)# switchport port-security
Without configuring any other specific parameters, the switchport security feature will only
permit one MAC address to be learned per switchport dynamically. By default, MAC addresses
are learned on a switchport dynamically and are called dynamic MAC addresses.
Sticky:
A sticky MAC address is a hybrid between a static and dynamic MAC address. When it is
dynamically learned, the MAC address is automatically entered into the running configuration
as a static MAC address; the address is then kept in the running configuration until a reboot. On
reboot, the MAC address will be lost; if the network engineer wants to keep the MAC address
across a reboot a configuration save is required.
Maximum MAC Addresses:
By default, each secure switchport is configured with a maximum of one MAC address. What
this means is that if more than one MAC address is seen on any given port a violation will occur.
But it can be modified.
Violation Actions:
There are three different types of violation actions you can use with Port Security.
Shutdown:
This is the default switchport security violation mode. The port is put into the err-disabled
state. To re-enable it, use err-disable recovery or a manual shutdown / no shutdown. The MAC
violation counter keeps a history.
Protect:
When a violation occurs in this mode, the switchport permits traffic from known MAC addresses
to continue while dropping traffic from unknown MAC addresses. No notification message is sent
when this violation occurs, and no MAC counter keeps a history.
Restrict:
When a violation occurs in this mode, the switchport permits traffic from known MAC addresses
to continue while dropping traffic from unknown MAC addresses. However, a notification message
is also sent indicating that a violation has occurred. No MAC counter keeps a history.
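Added Python example (not from this guide) that models a secured access port end to end: the secure-address table with its maximum, static and sticky entries, the three violation modes, the err-disabled state with recovery, and what survives a reboot. The violation-counter behaviour follows Cisco's IOS documentation (shutdown and restrict increment the counter and raise a notification, protect drops silently). The MAC addresses used in the checks are constructed, apart from the two static ones reused from the configuration table below.

```python
from typing import Iterable, List


class SecurePort:
    """Model of one access port with 'switchport port-security' enabled."""

    def __init__(self, maximum: int = 1, violation: str = "shutdown",
                 static_macs: Iterable[str] = (), sticky: bool = False):
        if violation not in ("shutdown", "protect", "restrict"):
            raise ValueError("violation must be shutdown, protect or restrict")
        self.maximum = maximum                         # default 1, like IOS
        self.violation = violation                     # default shutdown, like IOS
        self.sticky = sticky
        self.static_macs = [m.lower() for m in static_macs]
        if len(self.static_macs) > maximum:
            raise ValueError("more static secure MACs than the configured maximum")
        self.secure_macs: List[str] = list(self.static_macs)   # the secure address table
        self.err_disabled = False
        self.violation_count = 0
        self.notifications: List[str] = []             # stand-in for syslog / SNMP trap

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame; returns 'forward', 'drop' or 'err-disabled'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                              # port is down: nothing passes
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)           # dynamically learned (sticky if enabled)
            return "forward"
        # Violation: an address beyond the maximum / not in the secure table
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violation_count += 1
            self.notifications.append("psecure-violation by %s: port err-disabled" % src_mac)
            return "err-disabled"
        if self.violation == "restrict":
            self.violation_count += 1
            self.notifications.append("security violation by %s: frame dropped" % src_mac)
        return "drop"                                  # protect: silent drop, no counter

    def recover(self) -> None:
        """shutdown / no shutdown, or errdisable recovery cause psecure-violation."""
        self.err_disabled = False

    def running_config(self) -> List[str]:
        """Port-security lines as they would appear in the running configuration."""
        lines = ["switchport port-security maximum %d" % self.maximum,
                 "switchport port-security violation %s" % self.violation]
        lines += ["switchport port-security mac-address %s" % m for m in self.static_macs]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += ["switchport port-security mac-address sticky %s" % m
                      for m in self.secure_macs if m not in self.static_macs]
        lines.append("switchport port-security")
        return lines

    def reboot(self, config_saved: bool) -> None:
        """Dynamic addresses are lost; sticky ones survive only if the config was saved."""
        self.err_disabled = False
        self.violation_count = 0
        if self.sticky and config_saved:
            return                                     # sticky MACs were in startup-config
        self.secure_macs = list(self.static_macs)      # dynamic (and unsaved sticky) MACs gone
```

The reboot method is the point most often missed in practice: sticky addresses only persist if "write memory" was run after they were learned, otherwise the port starts empty and re-learns whatever shows up first.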
Port Security Configuration
Descriptions  Commands
Configure Static Port Security  SW(config)#interface f0/1
Make the interface mode access  SW(config-if)#switchport mode access
Set the limit of hosts on the interface  SW(config-if)#switchport port-security maximum 2
Set a MAC address statically on this interface  SW(config-if)#switchport port-security mac-address fa16.3e20.58f1
Set a MAC address statically on this interface  SW(config-if)#switchport port-security mac-address fa16.3e20.aabb
Enable the port security feature on this port  SW(config-if)#switchport port-security
Configure Dynamic Port Security  SW(config)#interface f0/1
Make the interface mode access  SW(config-if)#switchport mode access
Enable the port security feature on this port  SW(config-if)#switchport port-security
Configure Sticky Port Security  SW(config)#interface f0/1
Make the interface mode access  SW(config-if)#switchport mode access
Set the limit of hosts on the interface  SW(config-if)#switchport port-security maximum 2
Enable the sticky feature to learn MAC addresses dynamically  SW(config-if)#switchport port-security mac-address sticky
Enable the port security feature on this port  SW(config-if)#switchport port-security
Set the security violation mode to shutdown, restrict or protect  SW(config-if)#switchport port-security violation {shutdown | protect | restrict}
Move to interface mode  SW(config)# interface f0/1
Manually reset an interface disabled by a port security violation  SW(config-if)# shutdown  /  SW(config-if)# no shutdown
Automatically reset an interface disabled by a port security violation  SW(config)# errdisable recovery cause psecure-violation
Move to interface mode  SW(config)#interface fa0/1
Set the aging time to automatically recover from the err-disable state  SW(config-if)#switchport port-security aging time 10
Display port security of all interfaces  SW# show port-security
Show learned addresses with port security  SW# show port-security address
Display port security info on an interface  SW# show port-security interface f0/1
Error Disable Recovery:
Error disable recovery lets a switch that has detected an error condition and placed an interface
in the err-disabled state automatically turn the interface back on after a default time. You can
specify which causes are eligible for automatic recovery. When a port goes into the err-disabled
state it shuts down and stops sending and receiving traffic. The LED changes to orange and
err-disabled is shown in the show interfaces output.
Error Disable Recovery Configuration
Description | Commands
Enable automatic recovery for a cause | SW(config)#errdisable recovery cause cause-name
Set the time in seconds after which an err-disabled port recovers | SW(config)#errdisable recovery interval timer_interval_seconds
Display the err-disable recovery settings and timers | SW#show errdisable recovery
Show the current err-disable detection settings | SW#show errdisable detect
Display any port currently err-disabled | SW#show interfaces status err-disabled
Manually re-enable an err-disabled port: shutdown, then no shutdown | SW(config)#interface eth0/0
| SW(config-if)#shutdown
| SW(config-if)#no shutdown
Disable detection of an err-disable cause | SW(config)#no errdisable detect cause ?
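The violation modes and the two recovery paths above, modelled as a small Python class. This is an added example, not code from the study guide; the port names, MAC addresses, timer values and the notification text are constructed, and the 300-second default recovery interval is the IOS default for errdisable recovery.

```python
"""Port security and err-disable recovery modelled in Python.

Added example, not from the study guide: a small model of how a secure
switchport treats incoming source MAC addresses under the maximum, sticky
and violation-mode settings described above, plus the automatic and manual
err-disable recovery paths. Port names, MAC addresses and timer values are
constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

SHUTDOWN, PROTECT, RESTRICT = "shutdown", "protect", "restrict"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # default: one secure MAC address per port
    violation: str = SHUTDOWN        # default violation mode
    sticky: bool = False             # write learned addresses into the running config
    static_macs: Set[str] = field(default_factory=set)
    learned: List[str] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)
    err_disabled: bool = False
    disabled_at: Optional[float] = None

    def secure_macs(self) -> Set[str]:
        return self.static_macs | set(self.learned)

    def receive(self, src_mac: str, now: float = 0.0) -> str:
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.err_disabled:
            return "drop"            # an err-disabled port passes no traffic at all
        src_mac = src_mac.lower()
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.append(src_mac)   # dynamically (or sticky) learned address
            return "forward"
        # A new address beyond the maximum: apply the configured violation action.
        if self.violation == PROTECT:
            return "drop"            # silent drop, no notification
        self.notifications.append(
            f"PSECURE_VIOLATION on {self.name} caused by {src_mac}")  # modelled syslog/trap
        if self.violation == SHUTDOWN:
            self.err_disabled = True
            self.disabled_at = now
        return "drop"

    def running_config(self) -> List[str]:
        """Interface lines the switch would show; sticky addresses appear, dynamic ones do not."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}" for m in self.learned]
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static_macs)]
        return lines

    def errdisable_recovery(self, now: float, interval: float = 300.0) -> bool:
        """errdisable recovery cause psecure-violation: re-enable after `interval` seconds
        (300 s is the IOS default interval). Returns True if the port was recovered."""
        if self.err_disabled and self.disabled_at is not None and now - self.disabled_at >= interval:
            self.err_disabled = False
            self.disabled_at = None
            return True
        return False

    def bounce(self) -> None:
        """Manual recovery: shutdown followed by no shutdown on the interface."""
        self.err_disabled = False
        self.disabled_at = None
```

With `maximum=2, violation="restrict", sticky=True` the first two addresses are learned and written to the running config, a third is dropped with a notification while the port stays up; in the default shutdown mode the same event err-disables the port until the recovery interval elapses or the interface is bounced.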
Common Access Layer Threat Mitigation:
802.1X:
IEEE 802.1X was developed to provide real security for wired and wireless networks at layer
two. A client connected to an 802.1X-protected port cannot send any traffic other than EAP
(Extensible Authentication Protocol), carried as "EAP over LAN" (EAPoL), to the switch until it
successfully authenticates with the proper credentials. The switch acts as the middleman
between the authenticating client and the authentication server. The switch implements two
protocols: EAP is used to communicate with the client, while RADIUS is used to relay the
authentication details to the server inside the network.

Dot1x Configuration
Description | Commands
Enable AAA services | SW(config)#aaa new-model
Create username and password | SW(config)#username admin password 123
Configure the switch with the address and shared key of the RADIUS server | SW(config)#radius-server host 19 auth-port 1812 acct-port 1813 key 123
Configure AAA to use the RADIUS server for 802.1X authentication requests | SW(config)#aaa authentication dot1x default group radius
Enable dot1x globally | SW(config)#dot1x system-auth-control
Select interface f1/1 | SW(config)#interface f1/1
Make switchport mode access | SW(config-if)#switchport mode access
Normal 802.1X authentication | SW(config-if)#dot1x port-control auto
Show command to check dot1x | SW#show dot1x interface f1/1

DHCP Snooping:
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and
trusted DHCP servers.
o Only trusted sources may send DHCP server replies such as the DHCP offer message.
o Rate-limits DHCP traffic from trusted and untrusted sources.
o If an untrusted port exceeds the rate limit, the interface is placed in the err-disabled state.
o Maintains the DHCP snooping binding database, which records untrusted hosts and their
leased IP addresses.
o Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
o DHCP snooping can be enabled or disabled on a per-VLAN basis.
o By default, the feature is inactive on all VLANs.
o The DHCP snooping device inserts DHCP option 82 (gateway and other relay information).
Benefits of DHCP snooping: rogue DHCP servers are not permitted, DHCP database exhaustion
attacks are prevented, and IP-address-to-MAC-address security information can be maintained.

Description | Commands
Enable DHCP snooping globally | SW(config)#ip dhcp snooping
Enable DHCP snooping for VLAN 1 | SW(config)#ip dhcp snooping vlan 1
Go to interface mode | SW(config)#interface f0/1
Make the interface a trusted port | SW(config-if)#ip dhcp snooping trust
Set the DHCP rate limit (packets per second) | SW(config-if)#ip dhcp snooping limit rate <1-2048>
Display DHCP snooping details | SW#show ip dhcp snooping
Display DHCP snooping bindings | SW#show ip dhcp snooping binding
Display the DHCP snooping database agent status | SW#show ip dhcp snooping database
Display DHCP snooping statistics | SW#show ip dhcp snooping statistics
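The rules in the bullet list above, applied message by message in Python. This is an added example, not code from the study guide or from Cisco; port names, MAC and IP addresses, the rate limit and the option 82 field layout are constructed for the demonstration.

```python
"""DHCP snooping decision logic modelled in Python.

Added example, not from the study guide. It applies the rules listed above to
individual DHCP messages: server replies are accepted only from trusted ports,
untrusted ports are rate-limited and err-disabled when they exceed the limit,
leases confirmed through trusted ports populate the binding table, and a
RELEASE or DECLINE from an untrusted host must match that table. Port names,
MAC and IP addresses and the rate limit are constructed.
"""
from collections import defaultdict

SERVER_MSGS = {"OFFER", "ACK", "NAK"}            # only a trusted port may send these
CLIENT_RELEASE = {"RELEASE", "DECLINE"}           # validated against the binding table


class DhcpSnooping:
    def __init__(self, trusted_ports, rate_limit=None, switch_mac="0011.2233.4455"):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit or {}        # port -> max DHCP packets per second
        self.counts = defaultdict(int)            # (port, second) -> packets seen
        self.bindings = {}                        # client MAC -> (ip, vlan, port)
        self.client_port = {}                     # client MAC -> port it last spoke on
        self.err_disabled = set()
        self.switch_mac = switch_mac              # constructed remote-id for option 82

    def process(self, port, msg, client_mac, vlan, src_ip=None, yiaddr=None, second=0):
        """Return 'forward', 'drop' or 'err-disable' for one DHCP message seen on `port`."""
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted:
            if msg == "ACK" and yiaddr:
                # Lease granted through a trusted server: record the binding for this client.
                self.bindings[client_mac] = (yiaddr, vlan, self.client_port.get(client_mac))
            return "forward"
        # Everything below is an untrusted port.
        self.counts[(port, second)] += 1
        limit = self.rate_limit.get(port)
        if limit is not None and self.counts[(port, second)] > limit:
            self.err_disabled.add(port)           # ip dhcp snooping limit rate exceeded
            return "err-disable"
        if msg in SERVER_MSGS:
            return "drop"                         # rogue DHCP server on an access port
        if msg in CLIENT_RELEASE:
            binding = self.bindings.get(client_mac)
            if binding is None or binding[0] != src_ip or binding[2] != port:
                return "drop"                     # host is not releasing its own lease
            del self.bindings[client_mac]
            return "forward"
        self.client_port[client_mac] = port       # DISCOVER / REQUEST / INFORM
        return "forward"                          # relayed with option 82 appended

    def option82(self, port, vlan):
        """Relay agent information the snooping switch inserts into forwarded client messages."""
        return {"circuit-id": f"vlan {vlan} port {port}", "remote-id": self.switch_mac}
```

A full DISCOVER/OFFER/REQUEST/ACK exchange through the trusted uplink creates a binding; an OFFER arriving on an access port is dropped, a RELEASE from a different port for someone else's lease is dropped, and the fourth packet in one second on a port limited to three err-disables it.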

Nondefault Native VLAN:
By default, the native VLAN is VLAN 1. Untagged frames on a dot1q trunk belong to the native
VLAN. Best practice is to change the native VLAN on all switches to a VLAN other than VLAN 1.
SW(config-if)#switchport trunk native vlan vlan-id

Configure & Verify IPv4 & IPv6 Access Lists for Traffic Filtering:
Access Control Lists (ACLs) are filters that enable you to control which routing updates or
packets are permitted or denied in or out of a network. They are used by network
administrators to filter traffic and to provide extra security for their networks, and can be
applied on Cisco routers. ACLs provide a powerful way to control traffic into and out of your
network; this control can be as simple as permitting or denying network hosts or addresses.
You can configure ACLs for all routed network protocols. The most important reason to
configure ACLs is to provide security for your network; however, ACLs can also be configured
to control network traffic based on the TCP port being used.

Advantages of ACL:
ACLs limit network traffic to increase network performance, provide traffic flow control by
restricting the delivery of routing updates, can be used as additional security, control which
types of traffic are forwarded or blocked by the router, and give the ability to control which
areas a client can access.

Standard Access-List:
Standard Access Control Lists filter IP traffic based only on the source IP address contained in
the packet; they can allow or deny a request only on that basis. Standard ACLs should be placed
as close as possible to the destination, on the outbound interface of the traffic to be denied.
Standard IP access lists use the numbers 1–99.

Extended Access List:
Extended access lists create filters based on source address, destination address, protocol,
port number and other fields, and are used for packet-based filtering of packets that travel
the network. The extended ACL number range is 100–199. Extended ACLs should be placed as
close as possible to the source, on the inbound interface of the traffic to be denied, since
extended ACLs carry destination information. Place an extended ACL on the first router
interface the packet enters and specify inbound in the access-group command.

Named Access List:
Named access lists allow standard and extended ACLs to be given names instead of numbers,
which provides more flexibility than numbered access lists. Another benefit of named access-list
configuration mode is that you can add new statements to the access list and insert them
wherever you like. With the legacy syntax, you must delete the entire access list before
reapplying it using the updated rules. There are two common types of named access lists: IP
standard named access lists and IP extended named access lists.
Description | Commands
Standard ACL permit statement | R(config)#access-list [1-99] permit source-address
Standard ACL deny statement | R(config)#access-list [1-99] deny source-address
Standard ACL permit statement for a network | R(config)#access-list [1-99] permit source-address wildcard-mask
Standard ACL deny statement for a network | R(config)#access-list [1-99] deny source-address wildcard-mask
Standard ACL to permit a host | R(config)#access-list 1 permit 1.1.1.1
Standard ACL to permit a network | R(config)#access-list 1 permit 1.0.0.0 0.255.255.255
Standard ACL to permit any traffic | R(config)#access-list 1 permit any
Standard ACL to deny any traffic | R(config)#access-list 1 deny any
Apply ACL to an interface | R(config-if)#ip access-group ACL-Number [in | out]
Go to interface mode | R(config)#interface fastEthernet 0/0
Apply standard ACL in the outbound direction | R(config-if)#ip access-group 1 out
Go to interface mode | R(config)#interface fastEthernet 0/0
Apply standard ACL in the inbound direction | R(config-if)#ip access-group 1 in
Create extended ACL | R(config)#access-list ACL-Number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]
Extended ACL to block Telnet traffic | R(config)#access-list 100 deny tcp host 192.168.0.2 host 2.1.1.2 eq telnet
Apply extended ACL to an interface | R(config-if)#ip access-group ACL-Number [in | out]
Go to interface mode | R(config)#interface fastEthernet 0/0
Apply extended ACL in the inbound direction | R(config-if)#ip access-group 101 in
Create named ACL | R(config)#ip access-list {standard | extended} {name | number}
Create named ACL to permit Telnet traffic | R(config)#ip access-list extended test
| R(config-ext-nacl)#permit tcp host 10.0.0.1 host 187.100.1.6 eq telnet
Apply named ACL on interface | R(config)#interface fastEthernet 0/0
| R(config-if)#ip access-group test in
Display all access lists with parameters | R#show access-lists
Display only the parameters for a given list | R#show access-list [number | name]
Show only the IP access lists | R#show ip access-lists
Show only the IP access lists for a given list | R#show ip access-lists [number | name]
Show which interfaces have IP ACLs applied | R#show ip access-lists interface [interface]
Show which interfaces have IP ACLs applied | R#show ip interface [interface]
Show the access lists in full detail | R#show running-config
Clear ACL counters | R#clear access-list counters [list#]
IPv6 Access List:
IPv4 access-lists can be standard or extended, numbered or named. IPv6 only has named
extended access-lists. IPv4 access-lists have an invisible implicit deny any at the bottom of every
access-list. IPv6 access-lists have three invisible statements at the bottom:
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
Instead of the access-group command you must use the ipv6 traffic-filter command.

Description | Commands
Create an IPv6 named ACL to permit Telnet traffic | R(config)#ipv6 access-list test
| R(config-ipv6-acl)#permit tcp host 1000::2 host 2000::2 eq telnet
Apply the IPv6 named ACL on an interface | R(config)#interface fastEthernet 0/0
| R(config-if)#ipv6 traffic-filter test in
Display all access lists | R#show access-lists
Display only the parameters for a given list | R#show access-list name
Show only the IPv6 access lists | R#show ipv6 access-lists
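The IPv4 standard and extended entries from the earlier table and the IPv6 entry just above, parsed and evaluated in Python so the wildcard-mask matching, first-match-wins ordering, the IPv4 implicit deny and the three implicit IPv6 entries can be seen working. This is an added example, not code from the study guide; the `PORT_NAMES` and `ND_TYPES` tables are the small subsets needed here (ICMPv6 types 135 and 136 are Neighbor Solicitation and Advertisement), and the packets checked in the usage are constructed.

```python
"""IOS access-list evaluation modelled in Python.

Added example, not from the study guide. It parses access-list entries in the
syntax shown in the tables above (standard and extended IPv4 entries with
wildcard masks, and IPv6 entries) and evaluates packets against them top-down,
applying the IPv4 implicit deny and the three implicit IPv6 entries. The
port-name and ICMPv6-type tables are the small subsets needed here.
"""
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}
ND_TYPES = {"nd-ns": 135, "nd-na": 136}      # ICMPv6 Neighbor Solicitation / Advertisement
IPV6_IMPLICIT = ["permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any"]


def _rule(addr_token, wild_token=None):
    """(address, wildcard) as integers; a wildcard bit of 1 means 'do not care'."""
    addr = int(ipaddress.ip_address(addr_token))
    return addr, (int(ipaddress.ip_address(wild_token)) if wild_token else 0)


def _matches(rule, ip):
    if rule is None:                              # 'any'
        return True
    addr, wild = rule
    return (int(ipaddress.ip_address(ip)) ^ addr) & ~wild == 0


class Acl:
    def __init__(self, name, family=4, standard=False):
        self.name, self.family, self.standard = name, family, standard
        self.entries = []

    def add(self, line):
        self.entries.append(self._parse(line))

    def _parse(self, line):
        t = line.split()
        action, t = t[0], t[1:]
        if self.standard:
            src, t = self._addr(t)
            return action, "ip", src, None, None, None
        proto, t = t[0], t[1:]
        src, t = self._addr(t)
        dst, t = self._addr(t)
        dport = icmp_type = None
        if t and t[0] == "eq":
            dport = PORT_NAMES[t[1]] if t[1] in PORT_NAMES else int(t[1])
        elif t and t[0] in ND_TYPES:
            icmp_type = ND_TYPES[t[0]]
        return action, proto, src, dst, dport, icmp_type

    def _addr(self, t):
        """Consume 'any', 'host A', 'A wildcard' or an IPv6 prefix; return (rule, remaining tokens)."""
        if t[0] == "any":
            return None, t[1:]
        if t[0] == "host":
            return _rule(t[1]), t[2:]
        if self.family == 6:                      # prefix notation, e.g. 2001:db8::/32
            net = ipaddress.ip_network(t[0], strict=False)
            return (int(net.network_address), int(net.hostmask)), t[1:]
        if self.standard and len(t) == 1:         # 'access-list 1 permit 1.1.1.1' means a host
            return _rule(t[0]), t[1:]
        return _rule(t[0], t[1]), t[2:]

    def evaluate(self, src, dst=None, proto="ip", dport=None, icmp_type=None):
        """First matching entry wins; anything unmatched hits the implicit deny."""
        entries = list(self.entries)
        if self.family == 6:
            entries += [self._parse(line) for line in IPV6_IMPLICIT]   # always last
        for action, p, s, d, port, itype in entries:
            if p not in ("ip", "ipv6", proto):
                continue
            if not _matches(s, src):
                continue
            if d is not None and not _matches(d, dst):
                continue
            if port is not None and port != dport:
                continue
            if itype is not None and itype != icmp_type:
                continue
            return action
        return "deny"                             # implicit deny ip any any
```

Note that an empty IPv4 list denies everything, while an empty IPv6 list still lets Neighbor Discovery through, which is exactly why the three implicit entries exist: without them an IPv6 traffic-filter would break address resolution on the link.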

Configure, Verify, and Troubleshoot Basic Device Hardening:

Configuring Console Authentication (Router)
Description | Commands
Go to console line mode | R(config)#line console 0
Set console password to cisco | R(config-line)#password cisco
Enable password checking at login | R(config-line)#login

Configuring Console Local Authentication (Router)
Description | Commands
Create local user and password | R(config)#username admin password cisco
Go to console line mode | R(config)#line console 0
Check the local username and password | R(config-line)#login local

Configuring Enable Mode Password (Router)
Description | Commands
Set enable mode password to 123 | R(config)#enable password 123
Set the enable secret (encrypted) password to cisco | R(config)#enable secret cisco

Configuring Telnet Authentication (Router)
Description | Commands
Go to the VTY lines | R(config)#line vty 0 4
Set the VTY password to cisco | R(config-line)#password cisco
Enable password checking at login | R(config-line)#login

Configuring Local Telnet Authentication (Router)
Description | Commands
Create local user and password | R(config)#username admin password cisco
Go to the VTY lines | R(config)#line vty 0 4
Check the local username and password | R(config-line)#login local

Configuring SSH Authentication (Router)
Description | Commands
Create local user and password | R(config)#username ali password 123
Set domain name ksa.com | R(config)#ip domain-name ksa.com
Generate the RSA crypto key | R(config)#crypto key generate rsa
Go to the VTY lines | R(config)#line vty 0 4
Check the local user database | R(config-line)#login local
Allow only SSH as incoming transport | R(config-line)#transport input ssh

Password Encryption (Router)
Description | Commands
Enable the password encryption service | R(config)#service password-encryption
Set enable password to cisco | R(config)#enable password cisco
Turn off password encryption | R(config)#no service password-encryption

Login Banner (Router)
Description | Commands
Set login banner message | R(config)#banner login $ Login Message $
Set MOTD banner | R(config)#banner motd & Message here &

Setting a Source Address (Router)
Description | Commands
Set source interface for SNMP traps | R(config)#snmp-server source-interface traps f0/0
Set source interface for logging | R(config)#logging source-interface loopback 1
Set source interface for TFTP | R(config)#ip tftp source-interface f0/0
Set source interface for RADIUS | R(config)#ip radius source-interface f0/0

Configuring Console Authentication (Switch)
Description | Commands
Go to console line mode | SW(config)#line console 0
Set console password to cisco | SW(config-line)#password cisco
Enable password checking at login | SW(config-line)#login
Configuring Console Local Authentication (Switch)
Description | Commands
Create local user and password | SW(config)#username admin password cisco
Go to console line mode | SW(config)#line console 0
Check the local username and password | SW(config-line)#login local

Configuring Enable Mode Password (Switch)
Description | Commands
Set enable mode password to 123 | SW(config)#enable password 123
Set the enable secret (encrypted) password to cisco | SW(config)#enable secret cisco

Configuring Telnet Authentication (Switch)
Description | Commands
Go to the VTY lines | SW(config)#line vty 0 4
Set the VTY password to cisco | SW(config-line)#password cisco
Enable password checking at login | SW(config-line)#login

Configuring Local Telnet Authentication (Switch)
Description | Commands
Create local user and password | SW(config)#username admin password cisco
Go to the VTY lines | SW(config)#line vty 0 4
Check the local username and password | SW(config-line)#login local

Configuring SSH Authentication (Switch)
Description | Commands
Create local user and password | SW(config)#username ali password 123
Set domain name ksa.com | SW(config)#ip domain-name ksa.com
Generate the RSA crypto key | SW(config)#crypto key generate rsa
Go to the VTY lines | SW(config)#line vty 0 4
Check the local user database | SW(config-line)#login local
Allow only SSH as incoming transport | SW(config-line)#transport input ssh

Password Encryption (Switch)
Description | Commands
Enable the password encryption service | SW(config)#service password-encryption
Set enable password to cisco | SW(config)#enable password cisco
Turn off password encryption | SW(config)#no service password-encryption

Login Banner (Switch)
Description | Commands
Set login banner message | SW(config)#banner login $ Login Message $
Set MOTD banner | SW(config)#banner motd & Message here &
Configure IP Address & Default Gateway on Switch
Description | Commands
Go to privileged (enable) mode | SW>enable
Go to configuration mode | SW#configure terminal
Go to interface VLAN 1 | SW(config)#interface vlan 1
Assign an IP address to VLAN 1 for remote management | SW(config-if)#ip address 192.168.1.100 255.255.255.0
Bring up interface VLAN 1 | SW(config-if)#no shutdown
Exit from interface VLAN 1 | SW(config-if)#exit
Assign the default gateway | SW(config)#ip default-gateway 192.168.1.1
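A config audit that checks a saved `show running-config` against the hardening points in the tables above: enable secret rather than enable password, local users with hashed secrets, the password-encryption service, SSH-only VTY transport, and `login local` (or an AAA method list) instead of a shared line password. This is an added example, not code from the study guide; the parser, the finding texts and both sample configurations (a weak one and a hardened one) are constructed for the demonstration.

```python
"""Audit a Cisco IOS running-config for the hardening points covered above.

Added example, not from the study guide: the parser, the check names and the
sample configurations are constructed. Input is the text of a running-config;
output is a list of findings, empty when the checks all pass.
"""
import re

SAMPLE_CONFIG = """\
hostname R1
enable password 123
username admin password cisco
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
"""

HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret cisco
username admin secret cisco
ip domain-name ksa.com
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
!
"""


def _line_blocks(config):
    """Yield (line-range, [sub-commands]) for each 'line ...' section of the config."""
    block, cmds = None, []
    for raw in config.splitlines() + ["!"]:          # sentinel flushes the last block
        if raw.startswith(" ") and block is not None:
            cmds.append(raw.strip())
            continue
        if block is not None:
            yield block, cmds
        block, cmds = (raw[5:].strip(), []) if raw.startswith("line ") else (None, [])


def audit(config):
    """Return human-readable findings for weak settings found in `config`."""
    findings = []
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    if any(l.startswith("enable password") for l in top) and \
            not any(l.startswith("enable secret") for l in top):
        findings.append("enable password is set without enable secret: use 'enable secret' (hashed)")
    for l in top:
        m = re.match(r"username (\S+) password", l)
        if m:
            findings.append(f"user {m.group(1)} uses a reversible 'password'; prefer 'username {m.group(1)} secret'")
    if "service password-encryption" not in top:
        findings.append("service password-encryption is off: line and user passwords are stored in clear text")
    for rng, cmds in _line_blocks(config):
        transport = [c for c in cmds if c.startswith("transport input")]
        if rng.startswith("vty") and (not transport or any(t.split()[2:] != ["ssh"] for t in transport)):
            findings.append(f"line {rng}: transport input is not restricted to ssh (Telnet is clear text)")
        if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
            if "login" in cmds:
                findings.append(f"line {rng}: 'login' uses a shared line password; prefer 'login local' or AAA")
            else:
                findings.append(f"line {rng}: no login check configured")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports six findings (enable password, the reversible user password, the missing encryption service, the Telnet transport on the VTY lines, and the shared line password on both the console and the VTY lines); `audit(HARDENED_CONFIG)` reports none.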

Device Security Using AAA with TACACS+ and RADIUS:

AAA (Authentication, Authorization, Accounting):
o Centralized management of users accessing the network (Telnet, SSH, VPN etc.).
o Whenever a user attempts to log in, the login is verified against the AAA database.
o User management is done in the AAA database without the need to reconfigure each device.
o AAA also controls connections passing through the switch/router to access network resources.
o The AAA database can be located on a RADIUS or TACACS+ server.
o Local authentication also needs to be configured as a fallback.
Authentication: who are you, and are you the right person?
Authorization: after authentication, checks what a specific user is allowed to do.
Accounting: collects and stores information about a user's login; this information can be used
for audit.

AAA with TACACS+:
Terminal Access Controller Access Control System Plus (TACACS+) is a Cisco proprietary protocol
that is used to deliver AAA security services. It is implemented through AAA and provides
centralized validation of users attempting to gain access to routers and other access servers in
the network.

AAA with RADIUS:
Remote Authentication Dial-In User Service (RADIUS) is a security protocol that secures the
network against unauthorized access. RADIUS clients run on Cisco routers and send
authentication requests to a centralized RADIUS server that contains network service access
information and user authentication data.

Local Privilege Authorization Fallback:
For several functions, the local database acts as the fallback method. It is designed to help
prevent accidental lockout from security devices.
Difference between RADIUS & TACACS+
RADIUS | TACACS+
RADIUS uses UDP | TACACS+ uses TCP
RADIUS uses UDP ports 1812 and 1813 | TACACS+ uses TCP port 49
RADIUS encrypts passwords only | TACACS+ encrypts the entire communication
RADIUS combines authentication and authorization | TACACS+ treats authentication, authorization and accounting separately
RADIUS is an open protocol | TACACS+ is a Cisco proprietary protocol
RADIUS is a light-weight protocol consuming fewer resources | TACACS+ is a heavy-weight protocol consuming more resources
RADIUS is limited to privilege mode | TACACS+ supports 15 privilege levels
Mainly used for network access | Mainly used for device administration

Switch Configuration for RADIUS
Description | Commands
Enable AAA services | SW(config)#aaa new-model
Create the default login method list | SW(config)#aaa authentication login default group radius none
Specify a RADIUS server IP with port numbers and key | SW(config)#radius-server host 192.168.5.100 auth-port 1812 acct-port 1813 key WinRadius
Create a custom method list for VTY login | SW(config)#aaa authentication login TEL group radius
Create a custom method list for console login | SW(config)#aaa authentication login CON group radius
Enter the VTY lines | SW(config)#line vty 0 4
Apply the method list to the VTY lines | SW(config-line)#login authentication TEL
Enter the console line | SW(config)#line console 0
Apply the method list to the console line | SW(config-line)#login authentication CON
Specify maximum failed attempts for local users | SW(config)#aaa local authentication attempts max-fail 3
Create a local user as fallback if RADIUS is down | SW(config)#username admin password 123
View locked-out local AAA users | SW#show aaa local user lockout
View active users in the AAA system | SW#show aaa user all
Clear locked-out local AAA users | SW#clear aaa local user lockout all
Turn on debugging for authentication | SW#debug aaa authentication
Turn on debugging for accounting | SW#debug aaa accounting
Turn on debugging for authorization | SW#debug aaa authorization
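How a login method list such as `group radius none` or `group radius local` is evaluated, modelled in Python. This is an added example, not code from the study guide or from Cisco IOS; the RADIUS group, local database and `none` method are stand-ins with constructed users and passwords. The evaluation rule it follows is the IOS one: the next method in the list is consulted only when the previous one returns an error (no server answered), not when it rejects the credentials, and `none` always succeeds. That last point is the caveat on the default list in the table: with `group radius none`, anyone is admitted while the RADIUS server is unreachable, whereas `local` consults the fallback user created in the same table and honours the `max-fail` lockout.

```python
"""AAA login method-list evaluation modelled in Python.

Added example, not from the study guide. IOS tries the methods of a list in
order and moves to the next one only when a method returns an error (for
example, no RADIUS server answered); an explicit reject ends the attempt.
'none' always succeeds, so 'group radius none' admits anyone while RADIUS is
unreachable, whereas 'local' falls back to the local user database (with the
max-fail lockout from 'aaa local authentication attempts').
The servers, users and passwords here are constructed.
"""


class RadiusGroup:
    """Stand-in for 'group radius': answers PASS/FAIL, or ERROR when no server replies."""

    def __init__(self, users, reachable=True):
        self.users, self.reachable = dict(users), reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return "ERROR"
        return "PASS" if self.users.get(user) == password else "FAIL"


class LocalDb:
    """Stand-in for 'local': the username database, with max-fail lockout."""

    def __init__(self, users, max_fail=3):
        self.users, self.max_fail = dict(users), max_fail
        self.failures = {}
        self.locked = set()

    def authenticate(self, user, password):
        if user in self.locked:
            return "FAIL"
        if self.users.get(user) == password:
            self.failures[user] = 0
            return "PASS"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_fail:
            self.locked.add(user)          # listed by 'show aaa local user lockout'
        return "FAIL"

    def clear_lockout(self):
        """Equivalent of 'clear aaa local user lockout all'."""
        self.locked.clear()
        self.failures.clear()


class NoneMethod:
    """Stand-in for 'none': no authentication is performed."""

    def authenticate(self, user, password):
        return "PASS"


def login(method_list, user, password):
    """Evaluate an 'aaa authentication login' method list; return (result, method name)."""
    for name, method in method_list:
        result = method.authenticate(user, password)
        if result == "ERROR":
            continue                       # fall through to the next configured method
        return result, name
    return "FAIL", None                    # every method errored: no way to authenticate
```

With the RADIUS group reachable, a wrong password is rejected by RADIUS and never reaches `none`; with it unreachable, `group radius none` passes any credentials, while `group radius local` checks the local user and locks the account after three failures until the lockout is cleared.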
Configure and Verify Device-Monitoring Protocols:
Simple Network Management Protocol (SNMP):
Simple Network Management Protocol (SNMP) is used by enterprises to manage and monitor
many network devices. SNMP has several uses, from monitoring and generating alerts to device
configuration. SNMP is an application layer protocol. It is the key protocol used by the network
industry to retrieve information from network infrastructure devices (routers, switches, network
servers etc.).
SNMP can be configured in read-only mode, which can be used only to retrieve information from
network infrastructure devices, or in read-write mode, which can be used both to retrieve
information from and to configure those devices.
SNMP Manager:
Software that runs on the network administrator's device, in most cases a computer, to
monitor the network.
SNMP Agent:
Software that runs on the network devices we want to monitor: routers, switches, servers, etc.
Management Information Base (MIB):
The MIB is the collection of managed objects. It contains the set of questions that the SNMP
Manager can ask the Agent and that the Agent can understand. The MIB is commonly shared
between the Agent and the Manager.
SNMP Messages:
SNMP messages are used to communicate between the SNMP Manager and Agents. SNMPv1
supports five basic SNMP messages: Get, Get-Next, Get-Response, Set and Trap. In SNMPv2c,
two new messages were added: Inform and GetBulk.
In general, GET messages are sent by the SNMP Manager to retrieve information from the
SNMP Agents, while SET messages are used by the SNMP Manager to modify or assign values
on the SNMP Agents. GET-NEXT retrieves the value of the next object in the MIB. The
GET-RESPONSE message is used by the SNMP Agents to reply to GET and GET-NEXT messages.
TRAP messages are initiated by the SNMP Agents to inform the SNMP Manager of the
occurrence of an event.
With the Inform message, the SNMP Manager acknowledges that the message has been
received. The GetBulk operation efficiently retrieves large blocks of data, such as multiple rows
in a table.
SNMPv1:
SNMP version 1 security is based on community strings. An SNMP community string can be
considered a password for a particular SNMP community.
SNMPv2c:
SNMPv2c is an update of SNMPv2 that uses the community-based security model of SNMPv1.
The "c" in SNMPv2c stands for "community".
SNMPv3:
SNMPv3 is the most secure of the SNMP versions. SNMPv3 provides secure access to devices
using authentication and encryption mechanisms. The authentication security feature makes
sure that the message is from a valid source. The integrity security feature makes sure that the
message has not been tampered with. The encryption security feature provides confidentiality
by encrypting the contents of a message to prevent eavesdropping. SNMPv3 never sends the
user password in clear text; it uses SHA1 or MD5 hash-based authentication, and encryption is
done using AES, 3DES or DES.
SNMP V2 Configuration
Description | Commands
Configure a read-only community string | R1(config)#snmp-server community cisco ro
Configure a read-write community string | R1(config)#snmp-server community cisco rw
Configure the SNMP agent location description | R1(config)#snmp-server location snmp_1
Configure the SNMP agent contact details | R1(config)#snmp-server contact admin
Configure the SNMP agent to send traps to a server | R1(config)#snmp-server host 192.168.1.3 version 2c cisco
Send all types of traps and inform messages | R1(config)#snmp-server enable traps
Display SNMP group details | R1#show snmp group
Display SNMP users | R1#show snmp user
Display the SNMP engine ID | R1#show snmp engineID

SNMP V3 Configuration
Description | Commands
Create SNMPv3 group G1 with authentication and privacy, and write view v1 | R1(config)#snmp-server group G1 v3 priv write v1
Add user U1 to SNMP group G1 with authentication and privacy passwords | R1(config)#snmp-server user U1 G1 v3 auth sha AUTH_PASS priv aes 256 PRIV_PASS
Configure the SNMP engine ID of the remote host | R1(config)#snmp-server engineID remote 192.168.1.100 446172742E506F776572534E4D50
Add user U1 to group G1 for the remote host with authentication and privacy passwords | R1(config)#snmp-server user U1 G1 remote 192.168.1.100 v3 auth sha AUTH_PASS priv aes 256 PRIV_PASS
Configure the SNMP host to receive informs | R1(config)#snmp-server host 192.168.1.100 informs version 3 priv U1
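What `auth sha AUTH_PASS` turns into on the wire, as an added example that is not code from the study guide. The user-based security model of SNMPv3 (RFC 3414) never transmits the password: both sides stretch it, hash it into an intermediate key Ku, then localize that key with the agent's snmpEngineID (the value the `snmp-server engineID remote` command above supplies for a remote host), and the localized key feeds a 12-byte HMAC authentication parameter in every message. The `maplesyrup` password and engine ID in the test are the published RFC 3414 Appendix A.3 vectors; the message in the usage is constructed.

```python
"""SNMPv3 USM key derivation (RFC 3414 Appendix A.2) in Python.

Added example, not from the study guide. The password is stretched and hashed
into an intermediate key Ku, then localized with the agent's snmpEngineID so
each agent sees a different key and the password itself is never transmitted.
The localized key drives the HMAC-96 authentication parameter of every message.
"""
import hashlib
import hmac

MEGABYTE = 1048576                       # RFC 3414: hash 1,048,576 bytes of repeated password


def password_to_ku(password: str, algo: str = "sha1") -> bytes:
    """Intermediate key Ku: digest of the password repeated out to one megabyte."""
    pw = password.encode()
    reps, rem = divmod(MEGABYTE, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()


def localize(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Localized key Kul = H(Ku || snmpEngineID || Ku); unique per agent."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def password_to_key(password: str, engine_id: bytes, algo: str = "sha1") -> bytes:
    return localize(password_to_ku(password, algo), engine_id, algo)


def auth_parameters(auth_key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """usmHMAC-96: HMAC over the whole message, truncated to 12 bytes (RFC 3414 sections 6 and 7)."""
    return hmac.new(auth_key, message, algo).digest()[:12]


def verify(auth_key: bytes, message: bytes, received: bytes, algo: str = "sha1") -> bool:
    """Receiver-side check; constant-time compare avoids leaking where the tags differ."""
    return hmac.compare_digest(auth_parameters(auth_key, message, algo), received)


if __name__ == "__main__":
    # The engine ID from the configuration table above, as a remote host's snmpEngineID.
    remote_engine = bytes.fromhex("446172742E506F776572534E4D50")
    key = password_to_key("AUTH_PASS", remote_engine)           # what 'auth sha AUTH_PASS' yields
    tag = auth_parameters(key, b"constructed SNMPv3 message")
    print(key.hex(), tag.hex(), verify(key, b"constructed SNMPv3 message", tag))
```

The privacy key for `priv aes PRIV_PASS` is derived the same way from the privacy password; what differs is only which bytes of Kul the cipher uses. Because the localized key depends on the engine ID, a key captured for one agent does not authenticate to another, which is the property the guide's "never sends the user password in clear text" sentence is describing.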
Syslog Server:
Syslog is used on a variety of servers and devices to give system information to the system
administrator. Most Cisco devices use the syslog protocol to manage system logs and alerts.
Logging can be used for fault notification and security auditing. Cisco router log messages can
be handled in five different ways:
Console Logging:
By default, the router sends all log messages to its console port. Hence only users who are
physically connected to the router console port can view these messages.
Terminal Logging:
This is like console logging, but it displays log messages on the router's VTY lines instead. It is
not enabled by default. To enable it use this command: R1#terminal monitor
Buffered Logging:
This type of logging uses the router's RAM for storing log messages. The buffer has a fixed size
to ensure that the log does not deplete valuable system memory; the router accomplishes this
by deleting old messages from the buffer as new messages are added. To enable it, use the
configuration mode command: R1(config)#logging buffered
Syslog Server Logging:
The router can use syslog to forward log messages to external syslog servers for storage. This
type of logging is not enabled by default.
SNMP Trap Logging:
The router can use SNMP traps to send log messages to an external SNMP server.
Syslog Severity Levels
Level Name | Level | Router Messages
Emergency | 0 | System unusable messages (missing fan tray)
Alert | 1 | Take immediate action (temperature limit exceeded)
Critical | 2 | Critical condition (memory allocation failures)
Error | 3 | Error message (interface up/down)
Warning | 4 | Warning message (file written to server)
Notice | 5 | Normal but significant condition (line protocol up/down)
Informational | 6 | Informational message (access-list violation)
Debug | 7 | Debug messages and log FTP commands

Logging Configuration Commands
Description | Commands
IP address of the logging host | R1(config)#logging 192.168.1.100
IP address or hostname of the logging host | R1(config)#logging host 192.168.1.100
Set local storage of router log messages | R1(config)#logging buffered
Specify the syslog message level sent to the server, as a number or name | R1(config)#logging trap <0-7>
| R1(config)#logging trap notifications
| R1(config)#logging trap 5
Stop console logging messages | R1(config)#no logging console
Limit messages sent to the console | R1(config)#logging console <level>
Local storage of log messages at informational level | R1(config)#logging buffered informational
Set the log buffer size on the router | R1(config)#logging buffered 64000
Disable timestamps on log messages | R1(config)#no service timestamps
Enable sequence numbers for logs | R1(config)#service sequence-numbers
Enable display of log messages on a VTY session | R1#terminal monitor
Disable logging on the VTY session | R1#terminal no monitor
Specify the source interface for syslog messages | R1(config)#logging source-interface Loopback0
Clear the router's log | R1#clear logging
Display the state of system logging | R1#show logging
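The severity table and the `logging trap` level above, applied to IOS-format log lines in Python: the parser extracts facility, severity and mnemonic, and the filter keeps exactly the messages a device with `logging trap notifications` (level 5) would send to the syslog server, that is, severity 0 through 5. This is an added example, not code from the study guide; the six log lines are constructed in the IOS message format (with `service sequence-numbers` enabled on the last one) and are not real device output.

```python
"""Cisco syslog message parsing and trap-level filtering in Python.

Added example, not from the study guide. It pulls facility, severity and
mnemonic out of IOS-format log lines and applies the 'logging trap <level>'
rule: a message is forwarded to the syslog server when its severity number is
less than or equal to the configured level. The log lines are constructed in
the IOS format for the demonstration; they are not real device output.
"""
import re

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Optional sequence number, optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?(?P<stamp>[^%]*?):?\s*%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

SAMPLE_LOG = [   # constructed, IOS-style lines
    "*Mar  1 00:01:05.123: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "*Mar  1 00:01:06.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "*Mar  1 00:02:10.555: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.0.2(51234) -> 2.1.1.2(23), 1 packet",
    "*Mar  1 00:03:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.5)",
    "*Mar  1 00:03:30.000: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.2222 on port FastEthernet0/1.",
    "000042: *Mar  1 00:04:00.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
]


def parse(line):
    """Return a dict with seq, stamp, facility, severity (int), mnemonic and text, or None."""
    m = MSG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    d["seq"] = int(d["seq"]) if d["seq"] else None
    d["stamp"] = d["stamp"].strip()
    return d


def level_number(level):
    """Accept the numeric or named form used by 'logging trap' (e.g. 5 or 'notifications')."""
    if isinstance(level, int):
        return level
    return SEVERITY_NAMES.index(level)


def forward_to_syslog(lines, trap_level="notifications"):
    """Messages that 'logging trap <level>' would send: severity <= the configured level."""
    limit = level_number(trap_level)
    return [msg for msg in map(parse, lines) if msg and msg["severity"] <= limit]


def count_by_severity(lines):
    """Histogram of severities, useful for checking what a given trap level would discard."""
    counts = {}
    for msg in filter(None, map(parse, lines)):
        counts[msg["severity"]] = counts.get(msg["severity"], 0) + 1
    return counts
```

One thing the filter makes visible: the ACL-violation line (`%SEC-6-IPACCESSLOGP`) is severity 6, so it never reaches the server at the default `notifications` level; a deployment that relies on ACL logging for detection needs `logging trap informational` or higher on the device.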

Configure and Verify Device Management:

Backup and Restore Device Configuration:
Cisco routers and switches use two different configuration files: the startup-config file, which
saves the configuration loaded each time the device boots, and the running-config, which is the
device configuration currently in use and stored in RAM on the device.
Backup and Restore Device Configuration
Description | Commands
Save current config from RAM to NVRAM | R1#copy running-config startup-config
Merge NVRAM configuration into RAM | R1#copy startup-config running-config
Copy RAM configuration to a TFTP server | R1#copy running-config tftp:
Merge TFTP configuration into RAM | R1#copy tftp: running-config
Back up the IOS onto a TFTP server | R1#copy flash: tftp:
Upgrade the router IOS from a TFTP server | R1#copy tftp: flash:
Save NVRAM configuration to TFTP | R1#copy startup-config tftp:
Restore TFTP backup to NVRAM | R1#copy tftp: startup-config
Define username for FTP | R1(config)#ip ftp username admin
Define password for FTP | R1(config)#ip ftp password 123
Save RAM configuration to FTP server | R1#copy running-config ftp:
Save NVRAM configuration to FTP server | R1#copy startup-config ftp:
Save flash contents to FTP server | R1#copy flash: ftp:
Restore configuration from FTP to RAM | R1#copy ftp: running-config
Restore configuration from FTP to NVRAM | R1#copy ftp: startup-config
Restore an image from FTP to flash | R1#copy ftp: flash:

Description | Command
Delete the contents of flash memory | R1#erase flash:
Erase the contents of the startup-config file | R1#erase startup-config
Delete the contents of NVRAM | R1#erase nvram:
Delete the contents of NVRAM | R1#write erase
Verify a file against an MD5 hash | R1#verify /md5 filesystem:filename [md5-hash]
Using CDP or LLDP for Device Discovery:
Cisco IP Phones use CDP to discover and communicate key capabilities with a switch. CDP can
be used to discover the IP address of a directly connected neighboring device. Link Layer
Discovery Protocol (LLDP) is an open standard protocol that provides functionality similar to
Cisco Discovery Protocol (CDP).
Cisco Licensing:
IOS is the operating system software used on Cisco routers and switches. The Cisco IOS
(Internetwork Operating System) image file is normally stored in flash memory and follows a
naming convention.

Below is a chart of the common feature-set identification letters used in that naming convention.

Image Letter | Feature Set
I | IP
Y | IP on 1700 series platforms
S | IP Plus
S6 | IP Plus, no ATM
S7 | IP Plus, no Voice
J | Enterprise
O | IOS Firewall/Intrusion Detection
K | Cryptography/IPsec/SSH
K8 | 56-bit DES encryption (weak cryptography)
K9 | 3DES/AES encryption (strong cryptography)
X | H.323
G | Service Selection Gateway (SSG)
C | Remote Access Server or Packet Data Serving Node (PDSN)
B | AppleTalk
N | Novell IP/IPX
V | Vox
R | IBM
U | Unlawful Intercept
P | Service Provider
Telco | Telecommunications feature set
Boot | Boot image (used on high-end routers/switches)
Many images differ in how they load and their compression. As these features are also
identified in the image name, the following chart will identify execution types and compression
formats.
Image Letter IOS Boot Location
f The image executes from Flash memory
m The image executes from RAM
r The image executes from ROM
l The image is relocatable
z The image is compressed using ZIP format
x The image is compressed using MZIP format
w The image is compressed using STAC format
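The two charts above are enough to decode an image file name mechanically, which is useful when auditing a fleet for images that only offer the weak (k8) cryptography feature set. The following Python script is an added example, not part of the original notes: it tokenizes the legacy letter-coded feature set (matching two-character codes such as k9 before single letters), falls back to keeping modern named feature sets such as universalk9 whole, and decodes the execution-location and compression letters. The image file names it parses are constructed samples.

```python
# Feature-set identification letters from the first chart above (legacy letter-coded
# image names such as c3640-jk9s-mz). Two-character codes are matched before single
# letters so that "k9" is never read as "k" followed by "9".
FEATURE_CODES = {
    "k9": "3DES/AES Encryption (Strong Cryptography)",
    "k8": "56-bit DES Encryption (Weak Cryptography)",
    "s6": "IP Plus - No ATM",
    "s7": "IP Plus - No Voice",
    "i": "IP",
    "y": "IP on 1700 Series Platforms",
    "s": "IP Plus",
    "j": "Enterprise",
    "o": "IOS Firewall/Intrusion Detection",
    "k": "Cryptography/IPSEC/SSH",
    "x": "H323",
    "g": "Services Selection Gateway (SSG)",
    "c": "Remote Access Server or PDSN",
    "b": "AppleTalk",
    "n": "Novell IP/IPX",
    "v": "Vox",
    "r": "IBM",
    "u": "Lawful Intercept",
    "p": "Service Provider",
}

# Execution location and compression letters from the second chart above.
BOOT_LOCATION = {"f": "Flash", "m": "RAM", "r": "ROM", "l": "relocatable"}
COMPRESSION = {"z": "ZIP", "x": "MZIP", "w": "STAC"}


def tokenize_feature_set(token):
    """Split a letter-coded feature set such as 'jk9s' into ['j', 'k9', 's'].

    Returns None when the token is not letter-coded (for example 'universalk9'
    or 'ipbase'), so the caller keeps it as a named feature set instead."""
    codes, i = [], 0
    while i < len(token):
        if token[i:i + 2] in FEATURE_CODES:
            codes.append(token[i:i + 2])
            i += 2
        elif token[i] in FEATURE_CODES:
            codes.append(token[i])
            i += 1
        else:
            return None
    return codes


def parse_ios_image_name(filename):
    """Decode platform-featureset-execcode.version.bin into its parts."""
    name = filename[:-4] if filename.lower().endswith(".bin") else filename
    parts = name.split("-", 2)
    if len(parts) != 3:
        raise ValueError(f"unrecognised IOS image name: {filename}")
    platform, feature_set, rest = parts
    exec_code, _, version = rest.partition(".")
    exec_code = exec_code.lower()

    codes = tokenize_feature_set(feature_set.lower())
    if codes is not None:
        features = [FEATURE_CODES[c] for c in codes]
    else:
        # Named feature set: only the trailing k9/k8 crypto marker is decodable.
        suffix = feature_set[-2:].lower()
        codes = [suffix] if suffix in ("k9", "k8") else []
        features = [feature_set[:-2] if codes else feature_set]
    crypto = "strong" if "k9" in codes else "weak" if "k8" in codes else "none"

    return {
        "platform": platform,
        "feature_set": feature_set,
        "features": features,
        "crypto": crypto,
        "boot_location": BOOT_LOCATION.get(exec_code[:1], "unknown"),
        "compression": [COMPRESSION[c] for c in exec_code[1:] if c in COMPRESSION],
        "version": version,
    }


def weak_crypto_images(filenames):
    """Names of images whose feature set carries only 56-bit DES (k8)."""
    return [f for f in filenames if parse_ios_image_name(f)["crypto"] == "weak"]


# Constructed example image names (not taken from a real device).
SAMPLE_IMAGES = [
    "c3640-jk9s-mz.123-26.bin",
    "c2600-ik8s-mz.123-4.bin",
    "c2900-universalk9-mz.SPA.151-4.M4.bin",
]

if __name__ == "__main__":
    for image in SAMPLE_IMAGES:
        print(image, parse_ios_image_name(image))
    print("weak crypto:", weak_crypto_images(SAMPLE_IMAGES))
```

The tokenizer is a heuristic: a named feature set is recognised only because it contains a letter that is not in the chart, so a name made entirely of chart letters would be decoded letter by letter. For inventory work the part that matters is the crypto marker, which is read the same way in both cases.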

Cisco IOS Version 15:

Cisco IOS 15 uses a universal IOS image. The universal image contains all Cisco IOS features,
and a single universal image is shipped with the ISR G2 devices. The IOS functionality that is
available is determined by the specific licenses applied to the device. Four technology
packages are available: IP Base, Security, UC and Data.

Description Commands
Display the Unique Device Identifier (UDI) R# show license udi
Display package license info R# show version
Display detailed license info R# show license
List the available licenses R# show license feature
Activate a technology package R(config)# license boot module c2900 technology-package datak9
Deactivate a technology package R(config)# no license boot module c2900 technology-package datak9

Timezone:
If you are managing a large number of network infrastructure devices (routers, switches, servers,
computers etc.), it is important to know that device time is an important factor in network
security. Many authentication protocols will fail to work if different devices in your network
have different system times configured.
Description Commands
Display software clock details R1# show clock
Configure the timezone R1(config)# clock timezone CST -6
Configure the clock time and date Router# clock set 10:50:00 Oct 26 2016



Loopback:
A loopback interface is a logical, virtual interface in a Cisco router. A loopback interface is not a
physical interface like a Fast or Gigabit Ethernet interface. A loopback interface has many uses.
A loopback interface's IP address determines a router's OSPF Router ID. A loopback interface is
always up and allows a Border Gateway Protocol (BGP) neighborship between two routers to stay
up even if one of the physical interfaces connecting the routers is down. NTP can also use a
loopback interface for better availability. Loopback interfaces are treated like physical
interfaces in a router and we can assign IP addresses to them.
Router(config)#interface loopback 1
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router# show ip interface brief

Perform Device Maintenance:

Cisco IOS Upgrades and Recovery:
You upgrade IOS to get new features or to fix issues in the current IOS. Obtain the new IOS
image and place it in a location that is accessible to the device you want to upgrade, such as
a TFTP server or an FTP server. Use the copy command to move the new IOS image to the file
system on your Cisco device. To verify that the copy operation was a success, use the "show flash"
command. There are many transfer options, such as a TFTP server, an FTP server, or even a USB
stick inserted into a USB-capable Cisco device, for getting the IOS image onto your local device.
SCP (Secure Copy):
The Secure Copy (SCP) feature provides a secure and authenticated method for copying router
configuration or router image files. SCP relies on Secure Shell (SSH). Before enabling SCP, you
must correctly configure SSH, authentication, and authorization on the router.
SCP Configuration
Description Commands
Enable the AAA module R(config)#aaa new-model
Make local login authentication the default R(config)#aaa authentication login default local
Make local exec mode authorization the default R(config)#aaa authorization exec default local
Create a local user and password for login R(config)#username admin privilege 15 password 123
Enable the SCP server R(config)#ip scp server enable
Create a domain name R(config)#ip domain-name test
Generate an RSA key for SSH R(config)#crypto key generate rsa modulus 1024
Enable SSH version 2 R(config)#ip ssh version 2
On the PC, open cmd in the directory where pscp.exe is stored and run this command to copy the file c:\> pscp.exe -scp [email protected]:running-config c:\file.txt

FTP and TFTP:
FTP and TFTP are used to save and restore a router/switch configuration or to back up an IOS
image. FTP (File Transfer Protocol) uses the Transmission Control Protocol (TCP), which provides
reliability and flow control and can guarantee that the file reaches its destination while the
connection is established. TFTP (Trivial File Transfer Protocol) uses the User Datagram Protocol
(UDP), which doesn't establish a connection and therefore cannot guarantee that files reach
their destination. FTP uses usernames and passwords for setup. Therefore, routers or switches
are required to have a username and password configured for FTP.
FTP is faster when compared to TFTP. FTP uses two TCP ports: port 20 for sending data and port
21 for sending control commands. TFTP uses UDP port 69 for communication.

IOS Upgrade and Recovery by FTP & TFTP

Description Commands
Back up the IOS onto a TFTP server R1# copy flash: tftp:
Upgrade the router IOS from a TFTP server R1# copy tftp: flash:
Define the username for FTP R1(config)# ip ftp username admin
Define the password for FTP R1(config)# ip ftp password 123
Back up the IOS from flash to an FTP server R1# copy flash: ftp:
Restore the IOS from the FTP server to flash R1# copy ftp: flash:

Cisco IOS MD5 Verification:

MD5 is a hash algorithm that is used to verify data integrity. Once the MD5 hash value of the
installed Cisco IOS image has been calculated, it can be compared with the MD5 hash provided by
Cisco to verify the integrity of the image file. This feature calculates the MD5 hash of a
Cisco IOS software image previously loaded into the device's flash. Cisco publishes the MD5 hash
value for every software image in its download area, so the calculated MD5 hash value can
easily be checked against the value on Cisco's site.
Cisco IOS MD5 Verification
Description Commands
Compare the MD5 hash R1#verify /md5 filesystem:name [MD5-hash]
Calculate the MD5 hash of an image R1#verify /md5 flash:c3725-ad.bin
Compare the MD5 hash with the original R1#verify /md5 flash:c3725-ad.bin 504a6c27522d9e1db1cc246f84f5ebe3
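The same integrity check can be done off the device before the image is copied to flash, so a corrupted or tampered download never reaches the router. The Python script below is an added example and not part of the original notes: it hashes an image in chunks (images are tens of megabytes), normalises a hash pasted from a web page, and compares with a constant-time comparison. The "image" it hashes is a constructed stand-in, the three bytes b"abc", whose MD5 is well known; the published hash is likewise constructed to match.

```python
import hashlib
import hmac
import io


def compute_image_digest(fileobj, algorithm="md5", chunk_size=1 << 20):
    """Hash an image read from a file-like object in 1 MiB chunks."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_image_digest(fileobj, published, algorithm="md5"):
    """Compare the computed digest with the value published by the vendor.

    The published value is normalised (whitespace removed, lower-cased) so a
    hash pasted from a web page compares correctly. A dict is returned rather
    than a bare bool so the caller can log both values on a mismatch."""
    expected = "".join(published.split()).lower()
    computed = compute_image_digest(fileobj, algorithm)
    return {
        "algorithm": algorithm,
        "computed": computed,
        "expected": expected,
        "match": hmac.compare_digest(computed, expected),
    }


def verify_image_bytes(data, published, algorithm="md5"):
    """Convenience wrapper for an image already held in memory."""
    return verify_image_digest(io.BytesIO(data), published, algorithm)


# Constructed stand-in for an image file and its "published" hash.
SAMPLE_IMAGE = b"abc"
SAMPLE_PUBLISHED_MD5 = "900150983CD24FB0D6963F7D28E17F72"

if __name__ == "__main__":
    result = verify_image_bytes(SAMPLE_IMAGE, SAMPLE_PUBLISHED_MD5)
    print("image OK" if result["match"] else f"MISMATCH: {result}")
```

The algorithm parameter is there because the same routine works unchanged with any digest hashlib supports, so a stronger published checksum can be checked the same way when one is available.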

Password Recovery:
To recover Cisco passwords such as the console password, enable password, enable secret or
Telnet password, follow these steps.
Step 1: Restart / power on the router "R1".

Step 2: Press Ctrl+Break (Ctrl+Shift+F6+C in Packet Tracer) while the router is booting IOS.
This key sequence interrupts the router boot process and drops you into ROM Monitor (ROMMON)
mode.

Step 3: Change the configuration register to 0x2142 using the confreg 0x2142 command. The
value 0x2142 makes the router skip copying the configuration from NVRAM to RAM during the next
boot. Then restart the router using the reset command.

Step 4: After the router restarts you will be prompted for initial configuration. Type no to
skip the initial configuration.

Step 5: The router now comes up with a basic default configuration. You can view your
passwords with show startup-config in privileged EXEC mode.

Step 6: Copy the startup configuration to RAM using the command copy start run.

Step 7: Now remove the passwords using global configuration commands, and change the
configuration register back to 0x2102 (the default).
R1(config)#config-register 0x2102
Step 8: Save the current configuration to NVRAM with the copy running-config startup-config
command, and restart the router with the reload command.

Configuration Register:
The configuration register is a 16-bit value, written in hexadecimal, that is used to change the
router's behavior in several ways: boot the router into ROMMON, NetBoot, ignore the startup
configuration, etc. By default, the configuration register on a router is set to 0x2102. The
value 0x2142 boots from flash without loading the startup-config contents, which is what makes
it useful for password recovery.
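Because a router left at 0x2142 after a password recovery will come up with an empty configuration at its next reload, the register value is worth checking during audits. The Python script below is an added example, not part of the original notes: it decodes the register bits that matter most (the bit positions are standard Cisco documentation values, not taken from these notes), reports findings against the 0x2102 default, and pulls the value from the last line of a constructed show version output.

```python
import re

# Standard configuration register bit layout (Cisco documentation values, not from the
# notes above): bits 0-3 are the boot field, bit 6 ignores NVRAM, bit 8 disables the
# Break key after boot, bit 13 falls back to ROM software if a network boot fails.
BOOT_FIELD_MASK = 0x000F
IGNORE_NVRAM = 0x0040
BREAK_DISABLED = 0x0100
ROM_IF_NETBOOT_FAILS = 0x2000
DEFAULT_REGISTER = 0x2102


def decode_config_register(value):
    """Return the settings encoded in a 16-bit configuration register value."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register must be a 16-bit value")
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0x0:
        boot = "ROMMON"
    elif boot_field == 0x1:
        boot = "boot helper image from ROM"
    else:
        boot = "boot from flash (boot system commands)"
    return {
        "value": f"0x{value:04X}",
        "boot": boot,
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_if_netboot_fails": bool(value & ROM_IF_NETBOOT_FAILS),
    }


def config_register_findings(value, default=DEFAULT_REGISTER):
    """Audit findings for a register value, such as a device left at 0x2142."""
    settings = decode_config_register(value)
    findings = []
    if settings["ignore_startup_config"]:
        findings.append("startup-config is ignored at boot (bit 0x0040 set)")
    if settings["boot"] == "ROMMON":
        findings.append("boot field is 0x0: router stops in ROMMON")
    if not settings["break_disabled"]:
        findings.append("Break key is honoured after boot (bit 0x0100 clear)")
    if value != default:
        findings.append(f"register {settings['value']} differs from default 0x{default:04X}")
    return findings


def register_from_show_version(text):
    """Extract the register from 'show version', which ends with a line such as
    'Configuration register is 0x2142' (optionally followed by
    '(will be 0x2102 at next reload)'). Returns None when the line is absent."""
    m = re.search(r"Configuration register is 0x([0-9A-Fa-f]{1,4})", text)
    return int(m.group(1), 16) if m else None


# Constructed tail of a 'show version' output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco 2901 (revision 1.0) with 483328K/40960K bytes of memory.
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""

if __name__ == "__main__":
    current = register_from_show_version(SAMPLE_SHOW_VERSION)
    print(decode_config_register(current))
    for finding in config_register_findings(current):
        print("FINDING:", finding)
```

Note that register_from_show_version returns the current value; the "(will be ... at next reload)" suffix shows a pending change, which is the normal state right after Step 7 above and before the reload.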

File System Management:

The "system" file system contains the system memory and the current running configuration.
NVRAM contains the startup configuration. In flash file systems you can create, remove and
rename directories, and you can also format the flash file system.
File System Management
Description Commands
List the file systems available R1# show file systems
Change directory R1# cd filesystem:
Display the list of files on a file system R1# dir [/all]
Delete a file from flash memory R1# delete [device:]filename
Erase a flash file system R1# erase filesystem:
Format a flash file system R1# format filesystem:
Create a new directory R1# mkdir flash:folder-name
Remove a directory R1# rmdir flash:folder-name
Rename a directory R1# rename flash:folder-name flash:new-folder-name
Copy files R1# copy source-file destination-file

Cisco IOS Tools to Troubleshoot and Resolve Problems:
Ping and Traceroute Extended Options:
The ping (Packet Internet Groper) command is a very common method for troubleshooting the
reachability of devices. The extended ping is used to perform a more advanced check of host
reachability and network connectivity. The extended ping command works only at the
privileged EXEC command line. To use the extended options interactively, enter ping at the
command line and press Enter. The options can also be given on a single line, for example:
ping ip 1.1.1.1 data 0000 repeat 500 size 18000 verbose

Extended Ping Options

Field Description
Protocol [ip]: Prompts for a supported protocol
Target IP address: Prompts for the IP address or host name of the destination node
Repeat count [5]: Number of packets that will be sent to the destination address
Datagram size [100]: Size of the ping packet (in bytes). Default: 100 bytes
Timeout in seconds [2]: Timeout interval. Default: 2 (seconds)
Extended commands [n]: Specifies whether a series of additional commands appears
Source address or interface: The interface or IP address of the router to use as the source address
Validate reply data? [no]: Specify whether to validate the reply data
Sweep range of sizes [n]: Specify whether to send echo packets of varying sizes
!!!!! Each exclamation point (!) indicates receipt of a reply. A period (.) indicates the network server timed out while waiting for a reply. Other characters may appear in the ping output display, depending on the protocol type.
Success rate is 100 percent Percentage of packets successfully echoed back to the router. Anything less than 80 percent is usually considered problematic
round-trip min/avg/max = 1/2/4 ms Round-trip travel time intervals for the protocol echo packets, including minimum/average/maximum (in milliseconds).

Ping Output Options


Output Description
! Each bang represents the receipt of a reply.
. Timeout while waiting for reply.
U Destination unreachable.
N Network unreachable.
P Protocol unreachable.
C Congestion Occurred.
M Maximum transmission unit (MTU) problem.
A Administratively prohibited.
I User-interrupted ping.
? Unknown packet type.
& Packet lifetime exceeded.
Ctrl+Shift+6 Abort Cisco ping.
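When ping output is collected by a script rather than read on a console, the reply characters in the table above and the "Success rate" summary line have to be parsed and cross-checked. The Python parser below is an added example, not part of the original notes: it counts each reply character, extracts the success rate and round-trip times, applies the 80 percent threshold stated above, and checks that the reply line agrees with the summary. The ping output it parses is a constructed sample.

```python
import re

# Reply characters from the "Ping Output Options" table above.
PING_REPLY_CODES = {
    "!": "reply received",
    ".": "timeout",
    "U": "destination unreachable",
    "N": "network unreachable",
    "P": "protocol unreachable",
    "C": "congestion",
    "M": "MTU problem",
    "A": "administratively prohibited",
    "I": "user interrupted",
    "?": "unknown packet type",
    "&": "packet lifetime exceeded",
}

# IOS prints the round-trip part only when at least one reply was received.
SUMMARY_RE = re.compile(
    r"Success rate is (\d+) percent \((\d+)/(\d+)\)"
    r"(?:, round-trip min/avg/max = (\d+)/(\d+)/(\d+) ms)?"
)


def parse_ping_output(text):
    """Parse IOS ping output into reply counts, success rate and RTTs."""
    replies = ""
    summary = None
    for line in text.splitlines():
        stripped = line.strip()
        # A reply line consists only of characters from the legend.
        if stripped and all(ch in PING_REPLY_CODES for ch in stripped):
            replies += stripped
        m = SUMMARY_RE.search(stripped)
        if m:
            summary = m
    if summary is None:
        raise ValueError("no 'Success rate' line found in ping output")

    counts = {code: replies.count(code) for code in PING_REPLY_CODES if code in replies}
    success = int(summary.group(1))
    received, sent = int(summary.group(2)), int(summary.group(3))
    rtt = tuple(int(summary.group(i)) for i in (4, 5, 6)) if summary.group(4) else None
    return {
        "counts": counts,
        "sent": sent,
        "received": received,
        "success_percent": success,
        "rtt_ms": rtt,
        "problematic": success < 80,  # threshold stated in the table above
        # The reply line and the summary line should agree with each other.
        "consistent": counts.get("!", 0) == received and len(replies) == sent,
    }


def describe_failures(result):
    """Human-readable list of the non-reply characters seen, using the legend."""
    return [f"{n} x {PING_REPLY_CODES[c]}" for c, n in result["counts"].items() if c != "!"]


# Constructed sample of IOS ping output (not captured from a real device).
SAMPLE_PING = """\
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!.!U
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/2/4 ms
"""

if __name__ == "__main__":
    result = parse_ping_output(SAMPLE_PING)
    print(result)
    print("failures:", describe_failures(result))
```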

The traceroute command can be used to discover the routes packets take to a remote
destination, as well as where routing breaks down. The extended traceroute command is a
variation of the traceroute command. An extended traceroute command can be used to see
what path packets are taking to get to a destination, and the command can be used to check
routing at the same time. This is helpful for troubleshooting routing loops, or for determining
where packets are getting lost.

Extended Traceroute Options

Field Description
Protocol [ip]: Prompts for a supported protocol
Target IP address: You must enter a host name or an IP address
Source address: Interface or IP address of the router to use as the source address
Numeric display [n]: The default is to have both a symbolic and numeric display
Timeout in seconds [3]: The number of seconds to wait for a response to a probe packet
Probe count [3]: The number of probes to be sent at each TTL level
Minimum Time to Live [1]: The TTL value for the first probes. The default is 1, but it can be set to a higher value to suppress the display of known hops
Maximum TTL [30]: The largest TTL value that can be used. The default is 30
Port Number [33434]: The destination port used by the UDP probe messages
Loose, Strict, Record, Timestamp, Verbose [none]: IP header options. You can specify any combination

Traceroute Output Options


Output Description
nn msec Round-trip time per probe in milliseconds
* The probe timed out
? Unknown packet type
A Administratively unreachable; check for access list issues
H Host unreachable
N Network unreachable
P Protocol unreachable
Q Source quench
U Port unreachable
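The traceroute legend above can likewise be applied programmatically to locate where a path breaks. The Python parser below is an added example, not part of the original notes: it reads each hop line into the address and the per-probe results (round-trip time, timeout, or an error code with or without the leading "!" that IOS prints), then reports hops where every probe timed out or an unreachable code appeared, with the meaning from the table. The traceroute output is a constructed sample.

```python
import re

# Per-probe codes from the "Traceroute Output Options" table above.
TRACE_CODES = {
    "?": "unknown packet type",
    "A": "administratively unreachable (check access lists)",
    "H": "host unreachable",
    "N": "network unreachable",
    "P": "protocol unreachable",
    "Q": "source quench",
    "U": "port unreachable",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_traceroute_output(text):
    """Return one dict per hop: hop number, address (None if all probes
    timed out) and a list of ('rtt', ms) / ('timeout', None) / ('error', code)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner lines such as "Tracing the route to ..."
        hop_no, tokens = int(m.group(1)), m.group(2).split()
        address, probes, i = None, [], 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "*":
                probes.append(("timeout", None))
            elif tok.isdigit() and i + 1 < len(tokens) and tokens[i + 1] == "msec":
                probes.append(("rtt", int(tok)))
                i += 1  # skip the "msec" unit
            elif tok.startswith("!") or (address is not None and tok in TRACE_CODES):
                probes.append(("error", tok.lstrip("!")))
            elif address is None:
                address = tok  # first non-probe token is the responding address (or name)
            elif tok.startswith("("):
                pass  # resolved address shown in parentheses after a host name
            else:
                raise ValueError(f"unexpected token {tok!r} on hop {hop_no}")
            i += 1
        hops.append({"hop": hop_no, "address": address, "probes": probes})
    return hops


def path_findings(hops):
    """Hops where the path breaks down, with the legend meaning of the first error."""
    findings = []
    for h in hops:
        kinds = [k for k, _ in h["probes"]]
        where = f"hop {h['hop']}" + (f" ({h['address']})" if h["address"] else "")
        if kinds and all(k == "timeout" for k in kinds):
            findings.append(f"{where}: all probes timed out")
        for kind, value in h["probes"]:
            if kind == "error":
                findings.append(f"{where}: {TRACE_CODES.get(value, 'code ' + value)}")
                break
    return findings


# Constructed sample of IOS traceroute output (not captured from a real device).
SAMPLE_TRACEROUTE = """\
Type escape sequence to abort.
Tracing the route to 10.2.2.2
VRF info: (vrf in name/id, vrf out name/id)
  1 10.1.1.2 1 msec 0 msec 1 msec
  2 10.1.2.2 4 msec 2 msec 4 msec
  3  *  *  *
  4 10.1.3.2 !A  *  !A
"""

if __name__ == "__main__":
    hops = parse_traceroute_output(SAMPLE_TRACEROUTE)
    for finding in path_findings(hops):
        print(finding)
```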

Terminal Monitor:
By default, Cisco IOS does not send log messages to a terminal session. Console connections over
a serial cable have logging enabled by default, while Telnet or SSH connections don't get log
messages. To get logging messages from IOS to appear on the terminal, use the "terminal monitor"
command. To stop logging to the terminal, use the "terminal no monitor" command.

Local SPAN:
You can analyze network traffic passing through ports or VLANs by using SPAN (Switched Port
Analyzer) to send a copy of the traffic to another port on the local switch that has been
connected to a network analyzer or other monitoring or security device.
o Analyze or monitor traffic for security and other purposes.
o Interface(s) or VLAN(s) can be used as the source.
o Interface(s) or VLAN(s) can be used as the destination.
o Traffic can be analyzed in one or both directions.
o An analyzer device (an IDS, or a host with packet sniffer software) connects to the destination port.
o When the source and destination ports are on the same switch or switch stack, it is called Local SPAN.
o No tagging or encapsulation is required.

Local SPAN Configuration

Description Commands
Configure Local SPAN source S(config)#monitor session 1 source interface Gig0/1
Configure Local SPAN destination S(config)#monitor session 1 destination interface Gig0/2
Only copy traffic that is received S(config)#monitor session 1 source interface Gig0/1 rx
Only copy traffic that is transmitted S(config)#monitor session 1 source interface Gig0/1 tx
Copy traffic both received and transmitted S(config)#monitor session 1 source interface Gig0/1 both
Verify Local SPAN configuration S# show monitor session 1
Verify all SPAN configuration S# show monitor session all
