CCENT ICND1 100-101 Cert Guide - Antun Peicevic

December 21, 2016 | Author: Stefan Dumitrescu | Category: N/A

CCENT ICND1 100-101 Cert Guide by Antun Peicevic
First edition
Technical editor: Marko Maslac
Copyright © 2015 Geek University Press

Disclaimer

This book is designed to provide information about selected topics for the Cisco 100-101 ICND1 exam. Every effort has been made to make this book as complete and as accurate as possible, but no warranty is implied. The information is provided on an "as is" basis. Neither the authors, Geek University Press, nor its resellers or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book. The opinions expressed in this book belong to the author and are not necessarily those of Geek University Press. Note that this is an unofficial book: Cisco Systems, Inc. is in no way affiliated with this book or its content.

Trademarks

Geek University is a trademark of Signum Soft, LLC, and may not be used without written permission.

Feedback Information

At Geek University Press, our goal is to create in-depth technical books of the highest quality and value. Readers' feedback is a natural continuation of this process. If you have any comments about how we could improve our books and learning resources for you, you can contact us through email at [email protected]. Please include the book title in your message. For more information about our books, visit our website at http://geekuniversity.com.

About the author

Antun Peicevic is a systems engineer with more than 10 years of experience in the internetworking field. His certifications include CCNA Routing and Switching, CompTIA Network+, CompTIA Security+, and many more. He is the founder and editor of geekuniversity.com, an online education portal that offers courses covering various aspects of IT system administration. Antun can be reached at [email protected].

About this book

This book was written to help you pass the CCENT exam (ICND1), a certification from Cisco, the world's most famous company that manufactures and sells networking equipment. I've tried to cover every topic from the CCENT curriculum and explain it in an easy and fun way. This book covers the latest version of the exam (100-101), available since 2013. The book follows the Cisco organization of topics. We start with the basics, explaining what a computer network really is, the difference between the OSI and TCP/IP models, what an IP address is, how to configure an IP address on a Cisco router, etc. In later lessons we will go through some more advanced topics such as routing protocols, IPv6, NAT, ACLs... Here is a list of chapters:

- Chapter 1 - Introduction - what is a computer network, OSI and TCP/IP models, data encapsulation.
- Chapter 2 - Basic networking - what is a hub, switch, bridge, router; collision and broadcast domains explained.
- Chapter 3 - TCP/IP - what is an IP address, IP address classes and types, TCP and UDP explained.
- Chapter 4 - Network protocols - what is Telnet, SSH, FTP, DNS, DHCP, and other important protocols.
- Chapter 5 - Subnetting - what is a subnet mask, how to create subnets.
- Chapter 6 - Cisco IOS - IOS overview, how to access IOS, get help.
- Chapter 7 - IOS commands - basic IOS commands, configure banners and descriptions, configure interface IP address, use CDP, how to show running processes.
- Chapter 8 - IP routing - what is a routing table, difference between static and dynamic routes, what are routing protocols.
- Chapter 9 - RIP - what is RIP and how to configure it on Cisco routers.
- Chapter 10 - EIGRP - what is EIGRP, how EIGRP forms neighbor relationships, how to configure EIGRP, EIGRP route summarization.
- Chapter 12 - OSPF - what is OSPF, what are OSPF areas, how to configure OSPF.
- Chapter 13 - Layer 2 switching - how switches learn MAC addresses and forward frames, port security.
- Chapter 14 - VLANs - what are VLANs, how you can configure them, difference between trunk and access ports.
- Chapter 15 - VLAN Trunking Protocol (VTP) - what is VTP and what it is used for, basic configuration.
- Chapter 16 - Access Control Lists (ACLs) - what are ACLs, what they are used for, configure standard and extended ACLs.
- Chapter 17 - Network Address Translation (NAT) - what is NAT, configure static NAT, dynamic NAT and PAT.
- Chapter 18 - IPv6 - what is IPv6, address types, how to shorten an IPv6 address, configure an IPv6 address on a Cisco router.

About the 100-101 ICND1 exam

To obtain the Cisco Certified Entry Networking Technician (CCENT) certification, you need to pass a single exam: ICND1 100-101. The exam contains 50-60 questions, must be completed in about 90 minutes, and has a passing score of about 85%. You can take any Cisco exam at any of the Pearson VUE authorized testing centers. Pearson VUE has testing centers throughout the world, so you can probably locate a test center in your vicinity. You need to register with Pearson VUE (http://www.pearsonvue.com) to schedule an exam. If you fail an exam, you must wait five days before retaking it. You can cancel or reschedule your exam appointment, but do it at least 24 hours in advance. There are several types of questions on the CCNA exam: multiple-choice single answer, multiple-choice multiple answer, testlet, drag-and-drop, simulated lab, and simlet. After you pass the ICND1 exam, you will need to pass the ICND2 200-101 exam to obtain your CCNA certification.

Table of Contents

Chapter 1 - Introduction
- Computer network explained
- OSI reference model
- TCP/IP reference model
- Data encapsulation
- Data encapsulation in the OSI model
- Local Area Network (LAN)
- What is Ethernet?
- Ethernet frame
- MAC address
- Unicast, multicast, broadcast addresses
- Half and full duplex

Chapter 2 - Basic networking
- What is a network hub?
- What is a network bridge?
- What is a network switch?
- Differences between a switch and a bridge
- What is a router?
- Collision domain explained
- Broadcast domain explained
- CSMA/CD explained
- IEEE Ethernet standards
- Cisco three-layered hierarchical model

Chapter 3 - TCP/IP
- TCP/IP suite of protocols
- What is an IP address?
- Private IP addresses
- IP address classes
- IP address types
- Transmission Control Protocol (TCP) explained
- User Datagram Protocol (UDP) explained
- TCP and UDP ports

Chapter 4 - Network protocols
- Telnet protocol
- Secure Shell (SSH) protocol
- File Transfer Protocol (FTP)
- Trivial File Transfer Protocol (TFTP)
- Simple Network Management Protocol (SNMP)
- Hypertext Transfer Protocol (HTTP)
- Hypertext Transfer Protocol Secure (HTTPS)
- Network Time Protocol (NTP)
- Domain Name Service (DNS)
- Dynamic Host Configuration Protocol (DHCP)
- Automatic Private IP Addressing (APIPA)
- Internet Control Message Protocol (ICMP)
- Address Resolution Protocol (ARP)
- IPv4 header

Chapter 5 - Subnetting
- What is subnetting?
- Subnet mask explained
- How to create subnets

Chapter 6 - Cisco IOS
- Cisco Internetwork Operating System (IOS)
- Access IOS
- Power on IOS device
- Command modes in IOS
- Get help in IOS
- Display IOS command history

Chapter 7 - IOS commands
- Configure the hostname in IOS
- Configure banners in IOS
- Configure passwords in IOS
- service password-encryption command
- Configure descriptions in IOS
- Run privileged commands in global config mode
- Interfaces on an IOS device
- Configure an IP address for an interface
- Pipe function in IOS
- Memory on a Cisco device
- Configuration files on an IOS device
- IOS show command
- Boot sequence of a Cisco device
- Back up IOS configuration
- Configure DHCP server on a Cisco router
- Configure NTP on a Cisco device
- Use Cisco Discovery Protocol (CDP)
- Mapping hostnames to IP addresses
- Configure DNS on a Cisco device
- Use extended ping
- traceroute command in IOS
- debug command in IOS
- Use telnet
- Show running processes

Chapter 8 - IP routing
- IP routing explained
- Routing table explained
- Directly connected routes
- Static routes
- Dynamic routes
- Types of routing protocols
- Administrative distance (AD) explained
- Routing metric explained

Chapter 9 - RIP
- RIP (Routing Information Protocol) overview
- RIP configuration
- Split horizon explained
- Route poisoning explained
- Holddown timer explained

Chapter 10 - EIGRP
- EIGRP overview
- EIGRP neighbors
- EIGRP tables
- Reported and feasible distance explained
- Successor and feasible successor explained
- EIGRP configuration
- Wildcard mask explained
- EIGRP and wildcard masks
- Reliable Transport Protocol (RTP)
- Diffusing Update Algorithm (DUAL)
- EIGRP auto-summary
- EIGRP manual summarization

Chapter 12 - OSPF
- OSPF overview
- OSPF neighbor discovery
- OSPF neighbor states
- OSPF areas explained
- Link-state advertisement (LSA)
- Types of LSAs (Link-state advertisements)
- Configure OSPF
- Configure multiarea OSPF
- Designated router and backup designated router
- OSPF clear text authentication
- OSPF MD5 authentication
- OSPF route summarization

Chapter 13 - Layer 2 switching
- Layer 2 switching
- How switches learn MAC addresses
- How switches forward frames
- Port security feature
- Assign the switch IP address
- Assign static MAC address

Chapter 14 - VLANs
- VLANs explained
- Access and trunk ports explained
- Frame tagging explained
- Inter-Switch Link (ISL) overview
- 802.1q overview
- Configure VLANs
- Configure trunk ports
- Configure allowed VLANs on trunk
- Routing between VLANs
- Configure router on a stick

Chapter 15 - VLAN Trunking Protocol (VTP)
- VLAN Trunking Protocol (VTP) overview
- VTP modes explained
- Configure VTP

Chapter 16 - Access Control Lists (ACLs)
- What is ACL (Access Control List)?
- Standard ACLs
- Extended ACLs

Chapter 17 - Network Address Translation (NAT)
- NAT definition
- Static NAT configuration
- Dynamic NAT
- PAT configuration

Chapter 18 - IPv6
- IPv6 overview
- IPv6 address format
- IPv6 address types
- IPv6 global unicast address
- IPv6 unique local address
- IPv6 link-local addresses
- IPv6 EUI-64 calculation
- Configure IPv6 on a Cisco router

Chapter 1 - Introduction

- Computer network explained
- OSI reference model
- TCP/IP reference model
- Data encapsulation
- Data encapsulation in the OSI model
- Local Area Network (LAN)
- What is Ethernet?
- Ethernet frame
- MAC address
- Unicast, multicast, broadcast addresses
- Half and full duplex

Computer network explained

A computer network is a telecommunications network that enables sharing of resources and information. Nodes in a network are connected with each other using either cable or wireless media and use a system of digital rules for data exchange. Data is transferred in the form of a packet, a formatted unit of data. When you are browsing the Internet, your computer is a part of the biggest network in the world, the Internet. If you have access to the Internet at home, your devices are part of a LAN (Local Area Network). Here is what a simple LAN looks like:

In the picture above you can see that the computer is connected to the router, which is then connected to the Internet. The computer can send and receive data on the Internet using Internet protocols such as HTTP and DNS. To connect two computers together, we would use a device called a switch. Switches serve as a central point to which all computers on a network connect:

OSI reference model

The Open Systems Interconnection (OSI) model was created by the International Organization for Standardization (ISO), the world's largest developer of voluntary international standards. It is a layered model that was created to enable different networks to communicate reliably between disparate systems. The OSI model provides a framework for creating and implementing networking standards and devices and describes how network applications on different computers can communicate through the network media. The OSI model has seven hierarchical layers. Each layer describes a different network function. The layers are:

- Application
- Presentation
- Session
- Transport
- Network
- Data Link
- Physical

The layers are usually numbered from the last one, which means that the Physical layer is the first layer. A mnemonic can be used to remember the seven layers: Please Do Not Throw Sausage Pizza Away.

- Application - Away
- Presentation - Pizza
- Session - Sausage
- Transport - Throw
- Network - Not
- Data Link - Do
- Physical - Please

Here is a description of each layer in the OSI model:

1. Physical – defines how to move bits from one device to another. It deals with the physical characteristics of the transmission medium, describing connectors, pins, cables, and network interface cards.
2. Data Link – combines packets into bytes and bytes into frames. Each frame has a header and a trailer. The header contains the source and destination MAC addresses. The trailer contains the Frame Check Sequence field, used for error detection. The Data Link layer is divided into two sublayers: Logical Link Control, used for flow control and error detection, and Media Access Control, used for hardware addressing and controlling the access method.
3. Network – provides logical addressing, used by routers for path determination. Logical addressing is used to identify a host on a network (for example, by its IP address).
4. Transport – provides reliable or unreliable delivery, error recovery and flow control.
5. Session – determines how to establish, control and terminate a session between two systems.
6. Presentation – defines data formats. Processes such as compression and encryption are handled at this layer.
7. Application – provides a user interface and enables network applications to communicate with other network applications.

The following list shows which protocols reside on which layer:

- Application – HTTP, Telnet, FTP
- Presentation – MIME
- Session – SSL, NetBIOS
- Transport – TCP, UDP
- Network – IP, ICMP
- Data Link – PPP, HDLC, Ethernet
- Physical – Ethernet

TCP/IP reference model

The TCP/IP model is the network model used by computer networks today. It was created in the 1970s by DARPA (Defense Advanced Research Projects Agency) as an open, vendor-neutral, public networking model. Just like the OSI reference model, the TCP/IP model provides general guidelines for designing and implementing network protocols. The TCP/IP model has fewer layers than the OSI model, just four. These layers describe different network functions and have their own standards and protocols. The layers are:

- Application
- Transport
- Internet
- Link

The Link layer is sometimes referred to as the Network access layer. The Transport layer is sometimes called the Host-to-Host layer. Here is a brief description of each layer:

- Link - defines the protocols and hardware required to deliver data across a physical network.
- Internet - defines the protocols for the logical transmission of packets over the network.
- Transport - defines protocols for setting up the level of transmission service for applications. This layer is responsible for reliable transmission of data and the error-free delivery of packets.
- Application - defines protocols for node-to-node application communication and provides services to the application software running on a computer.

Differences between the TCP/IP model and the OSI model

The TCP/IP model and the OSI model are similar in concept, but have a different number of layers, sometimes with different names:

As you can see from the picture above, the Application, Presentation, and Session layers of the OSI model are merged into a single layer, the Application layer, in the TCP/IP model. The Physical and Data Link layers of the OSI model are merged into one layer, the Link layer, in the TCP/IP model. The following list shows which protocols reside on which layer:

- Application - HTTP, POP3, SMTP
- Transport - TCP, UDP
- Internet - IP
- Link - Ethernet, PPP

Data encapsulation

The term encapsulation describes a process of putting headers (and sometimes trailers) around some data. Each layer adds its own header (Data Link protocols also add a trailer) to the data supplied by the higher layer. This process can be explained with the five-layer TCP/IP model (the Link layer of the four-layer TCP/IP model is sometimes divided into two layers, Data Link and Physical, hence the five-layer model), with each step corresponding to the role of one layer. Consider the following example. Let's say that you are browsing a web site. The web server on which the website is hosted will create the application data and encapsulate it with the Application layer headers. For example, the HTTP OK message will be stored in the header, followed by the requested content of the web page. The encapsulated data will then be forwarded to the next layer, the Transport layer. The Transport layer will add its own header around the encapsulated data. In the case of the TCP protocol, this header carries information such as the source and destination ports and the sequence number. The data will then be forwarded to the next layer, the Network layer. The Network layer will store the source and destination IP addresses in its header and forward the data to the Data Link layer. The Data Link layer is the only layer that uses both a header and a trailer. The data is then sent through a physical network link. Here is a graphical representation of these five steps:

Each data packet (header + encapsulated data) defined by a particular layer has a specific name:

- Frame - encapsulated data defined by the Network Access layer. A frame can have both a header and a trailer.
- Packet - encapsulated data defined by the Network layer. The header contains the source and destination IP addresses.
- Segment - encapsulated data defined by the Transport layer. Information such as the source and destination ports or sequence and acknowledgment numbers is included in the header.

The term decapsulation describes the process of removing headers and trailers as data passes from a lower to an upper layer. This process takes place on the computer that is receiving the data.
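The five encapsulation steps described above, worked through in code. This is an added example, not code from the book: it wraps an HTTP reply into a TCP segment, an IPv4 packet and an Ethernet frame with a CRC-32 FCS, then decapsulates it on the receiving side, checking at each layer what that layer is responsible for. The MAC and IP addresses, ports and HTTP message are constructed, and the TCP checksum is left at zero because computing it needs a pseudo-header the text does not cover.

```python
"""Encapsulation of an HTTP reply down the five-layer TCP/IP stack and
decapsulation on the receiving side.  Added example with constructed values."""
import socket
import struct
import zlib

# Constructed sample values: the web server is the source, the browser the destination.
SERVER_MAC, CLIENT_MAC = "D8-D3-85-EA-1B-EE", "00-11-22-33-44-55"
SERVER_IP, CLIENT_IP = "10.0.0.1", "10.0.0.20"
SERVER_PORT, CLIENT_PORT = 80, 51000
HTTP_REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"  # Application layer data


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split("-"))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header (RFC 791)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_layer(app_data: bytes) -> bytes:
    """Transport layer: a 20-byte TCP header in front of the data gives a segment.
    Ports and sequence/acknowledgment numbers live here; checksum is 0 (constructed)."""
    offset_and_flags = (5 << 12) | 0x18                     # 5 header words, PSH+ACK
    header = struct.pack("!HHIIHHHH", SERVER_PORT, CLIENT_PORT, 1000, 2000,
                         offset_and_flags, 65535, 0, 0)
    return header + app_data


def network_layer(segment: bytes) -> bytes:
    """Network layer: a 20-byte IPv4 header with source/destination IP gives a packet."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0,
                         64, 6, 0, socket.inet_aton(SERVER_IP), socket.inet_aton(CLIENT_IP))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + segment


def link_layer(packet: bytes) -> bytes:
    """Data Link layer: Ethernet header (MACs + EtherType) plus FCS trailer gives a frame."""
    body = struct.pack("!6s6sH", mac_bytes(CLIENT_MAC), mac_bytes(SERVER_MAC), 0x0800) + packet
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)  # CRC-32, sent least significant byte first
    return body + fcs


def encapsulate(app_data: bytes = HTTP_REPLY):
    """Run the data down the stack; return the frame and the size seen at each layer."""
    segment = transport_layer(app_data)
    packet = network_layer(segment)
    frame = link_layer(packet)
    sizes = {"application": len(app_data), "segment": len(segment),
             "packet": len(packet), "frame": len(frame)}
    return frame, sizes


def decapsulate(frame: bytes) -> dict:
    """Receiver side: strip one header per layer, verifying what each layer guards."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body) & 0xFFFFFFFF:
        raise ValueError("FCS mismatch: frame corrupted in transit")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", body[:14])
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:                    # a valid header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_length = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_length]                      # drops any Ethernet padding
    src_port, dst_port, seq, ack, offset_and_flags = struct.unpack("!HHIIH", segment[:14])
    app_data = segment[(offset_and_flags >> 12) * 4:]
    return {"dst_mac": dst_mac.hex("-").upper(), "ethertype": ethertype,
            "src_ip": socket.inet_ntoa(packet[12:16]), "dst_ip": socket.inet_ntoa(packet[16:20]),
            "protocol": packet[9], "src_port": src_port, "dst_port": dst_port,
            "seq": seq, "app_data": app_data}


if __name__ == "__main__":
    frame, sizes = encapsulate()
    print(sizes)
    print(decapsulate(frame))
```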

Data encapsulation in the OSI model

In the previous lesson we learned that the term encapsulation describes the process of putting headers (and sometimes trailers) around some data. As with the TCP/IP layers, each OSI layer asks for services from the next lower layer. The lower layer places its own header in front of the higher layer's data (Data Link protocols also add a trailer). While the TCP/IP model uses terms like segment, packet and frame to refer to a data packet defined by a particular layer, the OSI model uses a different term: protocol data unit (PDU). A PDU represents a unit of data with the headers and trailers of the particular layer, as well as the encapsulated data. Since the OSI model has 7 layers, PDUs are numbered from 1 to 7, with the Physical layer being the first one. For example, the term Layer 3 PDU refers to the data encapsulated at the Network layer of the OSI model. Here is a graphical representation of the PDUs in the OSI model:

Local Area Network (LAN)

The term local area network (LAN) is used to describe a network of devices inside a limited area (the same room, building, etc.). A typical SOHO (small office/home office) LAN consists of PCs, printers, switches, routers, and the cabling that connects all these devices together. The following figure shows a typical LAN:

This type of network is usually capable of achieving high data transfer rates (up to 10 Gbps) at relatively low cost. Twisted-pair cabling is commonly used in LANs for connections between end-user devices and switches, while fiber-optic cabling is used for links between network devices, such as switches and routers. Some of the LAN technologies are Ethernet, Token Ring and FDDI. Ethernet is by far the most popular wired LAN technology. It defines wiring, signaling, connectors, frame formats, protocol rules, etc. Most modern LANs also support wireless LAN (WLAN) technology, defined by the IEEE 802.11 standards. WLANs use radio waves instead of wires or cables for links between devices.

What is Ethernet?

The term Ethernet refers to an entire family of standards that define wiring, signaling, connectors, frame formats, protocol rules, etc. Ethernet is standardized by the Institute of Electrical and Electronics Engineers (IEEE) as the 802.3 standard. The standard defines several wiring variants, such as coaxial, twisted-pair and fiber-optic cabling. Coaxial cables are rarely used anymore, while twisted-pair cables are usually used in SOHO environments. Optical fibers are the most expensive option, but they allow longer cabling distances and greater speeds. Ethernet uses the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) access method and supports speeds up to 100 Gbps. It is by far the most popular LAN technology today. The term Ethernet LAN refers to a combination of computers, switches, and different kinds of cables that use the Ethernet standard to communicate over the network.

Ethernet frame

We have already learned that encapsulated data defined by the Network Access layer is called an Ethernet frame. An Ethernet frame starts with a header, which contains the source and destination MAC addresses, among other data. The middle part of the frame is the actual data. The frame ends with a field called Frame Check Sequence (FCS). The Ethernet frame structure is defined in the IEEE 802.3 standard. Here is a graphical representation of an Ethernet frame and a description of each field in the frame:

- Preamble - informs the receiving system that a frame is starting and enables synchronisation.
- SFD (Start Frame Delimiter) - signifies that the Destination MAC Address field begins with the next byte.
- Destination MAC - identifies the receiving system.
- Source MAC - identifies the sending system.
- Type - defines the type of protocol inside the frame, for example IPv4 or IPv6.
- Data and Pad - contains the payload data. Padding data is added to meet the minimum length requirement for this field (46 bytes).
- FCS (Frame Check Sequence) - contains a 32-bit Cyclic Redundancy Check (CRC) which allows detection of corrupted data.

MAC address

Ethernet uses MAC (Media Access Control) addresses to uniquely identify a host in an Ethernet environment. Every Ethernet network interface card (NIC) has a MAC address burned into its firmware, which is why MAC addresses are sometimes known as hardware addresses. MAC addresses are 6 bytes (48 bits) long. Every network card manufacturer gets a universally unique 3-byte code called the Organizationally Unique Identifier (OUI). Manufacturers agree to give all NICs a MAC address that begins with the assigned OUI. The manufacturer then assigns a unique value for the last 3 bytes, which ensures that every MAC address is globally unique. In the following picture we can see the structure of a MAC address:

MAC addresses are usually written in the form of 12 hexadecimal digits. For example, this is a valid MAC address: D8-D3-85-EA-1B-EE. Each hexadecimal character is 4 bits long, so the first six hexadecimal characters represent the vendor (in this case, Hewlett Packard).

How to find the MAC address of your computer

You can find out the MAC address your computer is using. The process depends on your operating system:

Windows: Go to the Command Prompt (Start - Programs - Accessories - Command Prompt on Windows XP; on newer versions of Windows, just type cmd from the Start screen). Once inside the Command Prompt, type the ipconfig /all command. The MAC address is shown in the Physical Address field:

Linux: Go to the shell and type the ifconfig command. The MAC address should be listed as HWaddr:

Unicast, multicast, broadcast addresses

Three types of Ethernet addresses exist:

- unicast addresses - represent a single LAN interface. A unicast frame will be sent to a specific device, not to a group of devices on the LAN.
- multicast addresses - represent a group of devices in a LAN. A frame sent to a multicast address will be forwarded to a group of devices on the LAN.
- broadcast addresses - represent all devices on the LAN. Frames sent to a broadcast address will be delivered to all devices on the LAN.

The broadcast address has the value of FFFF.FFFF.FFFF (all binary ones). The switch will flood broadcast frames out all ports except the port on which the frame was received. Multicast frames have a value of 1 in the least-significant bit of the first octet of the destination address. This helps a network switch to distinguish between unicast and multicast addresses. One example of an Ethernet multicast address would be 01:00:0C:CC:CC:CC, which is an address used by CDP (Cisco Discovery Protocol).

Half and full duplex

In telecommunication, a duplex communication system is a point-to-point system of two devices that can communicate with each other in both directions. Two types of duplex communication exist in Ethernet environments:

- half-duplex - a port can send data only when it is not receiving data. In other words, it cannot send and receive data at the same time. Network hubs run in half-duplex mode in order to prevent collisions. Since hubs are rare in modern LANs, half-duplex is not widely used in Ethernet networks anymore.
- full-duplex - all nodes can send and receive on their port at the same time. There are no collisions in full-duplex mode, but the host NIC and the switch port must support full-duplex mode. Full-duplex Ethernet uses two pairs of wires at the same time instead of a single wire pair like half-duplex.

Each NIC and switch port has a duplex setting. For all links between hosts and switches, or between switches, full-duplex mode should be used. However, for all links connected to a LAN hub, half-duplex mode should be used in order to prevent a duplex mismatch that could decrease network performance.

Chapter 2 - Basic networking

- What is a network hub?
- What is a network bridge?
- What is a network switch?
- Differences between a switch and a bridge
- What is a router?
- Collision domain explained
- Broadcast domain explained
- CSMA/CD explained
- IEEE Ethernet standards
- Cisco three-layered hierarchical model

What is a network hub?

A network hub serves as a connection point for all devices in a LAN. It is basically a multiple-port repeater because it repeats an electrical signal that comes in one port out all other ports (except the incoming port). Here is an example 4-port Ethernet hub (source: Wikipedia):

Hubs are OSI Layer 1 devices and have no concept of Ethernet frames or addressing. They have no way of distinguishing which port a signal should be sent to; instead, an electrical signal is broadcast to every port. All nodes on the network will receive data, and the data will eventually reach the correct destination, but with a lot of unnecessary network traffic:

In the picture above you can see that the hub has sent the received signal out all other ports, except the incoming port. Modern LANs rarely use hubs; switches are used instead. Hubs have many disadvantages, including:

- they operate in half-duplex.
- they are prone to collisions.
- each port on a hub is in the same collision domain.
- data is forwarded out all ports and can be captured with a network sniffer.

What is a network bridge?

A network bridge is a device that divides a network into segments. Each segment represents a separate collision domain, so the number of collisions on the network is reduced. Each collision domain has its own separate bandwidth, so a bridge also improves network performance. A bridge works at the Data Link layer (Layer 2) of the OSI model. It inspects incoming traffic and decides whether to forward it or filter it. Each incoming Ethernet frame is inspected for its destination MAC address. If the bridge determines that the destination host is on another segment of the network, it forwards the frame to that segment. Consider the following example network:

In the picture above we have a network of four computers. The network is divided into segments by a bridge. Each segment is a separate collision domain with its own bandwidth. Let's say that Host A wants to communicate with Host C. Host A will send the frame with Host C's destination MAC address to the bridge. The bridge will inspect the frame and forward it to the segment of the network Host C is on. Network bridges offer substantial improvements over network hubs, but they are not widely used anymore in modern LANs. Switches are commonly used instead.

What is a network switch?

A network switch is a device that connects devices together on a LAN. A switch is essentially a multiport network bridge and performs the same basic functions as a bridge, but at much faster speeds and with many additional features. Each port on a switch is in a separate collision domain and can run in full-duplex mode, which means that a host connected to a switch port can transmit to the switch at the same time that the switch transmits to it. An Ethernet switch usually works at the Data Link layer of the OSI model (Layer 2). It manages the flow of data across a network by inspecting the incoming frame's destination MAC address and forwarding the frame only to the host for which the message was intended. Each switch has a dynamic table (called the MAC address table) that maps MAC addresses to ports. With this information, a switch can identify which system is sitting on which port and where to send the received frame. To better understand how a switch works, consider the following example:

Host A is trying to communicate with Host C and sends a frame with Host C's destination MAC address. The frame arrives at the switch, which looks at the destination MAC address. The switch then searches for that MAC address in its MAC address table. If the MAC address is found, the switch forwards the frame only out the port connected to the frame's destination. Hosts connected to other ports will not receive the frame.
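The address types from the Unicast, multicast, broadcast addresses section and the MAC address table lookup described here, combined in one added example (not code from the book). It parses the notations the text uses for MAC addresses, classifies a destination by the least-significant bit of the first octet, and simulates a switch that learns source addresses from incoming frames and floods the frames it cannot deliver by lookup (broadcast, multicast and not-yet-learned destinations, the standard behaviour the text only implies). Host MACs and port numbers are constructed; only the sample addresses already quoted in the text are reused.

```python
"""Ethernet addressing plus a minimal learning switch.  Added example; the host
MACs other than the text's samples, and the port layout, are constructed."""
import re

BROADCAST = bytes([0xFF] * 6)


def parse_mac(text: str) -> bytes:
    """Accept D8-D3-85-EA-1B-EE, 01:00:0C:CC:CC:CC or Cisco-style FFFF.FFFF.FFFF;
    anything that is not exactly 12 hex digits is rejected, not silently truncated."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return bytes.fromhex(digits)


def oui(mac: bytes) -> str:
    """The first three bytes are the vendor's Organizationally Unique Identifier."""
    return mac[:3].hex(":").upper()


def classify(mac: bytes) -> str:
    """All ones is broadcast; a set least-significant bit in the first octet marks
    a multicast (group) address; anything else names a single interface."""
    if mac == BROADCAST:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


class Switch:
    """Minimal Layer 2 switch with one dynamic MAC address table (address -> port)."""

    def __init__(self, port_count: int):
        self.ports = list(range(1, port_count + 1))
        self.mac_table = {}                         # learned source address -> port

    def receive(self, in_port: int, src: str, dst: str) -> list:
        """Handle one frame arriving on in_port; return the ports it is sent out of."""
        src_mac, dst_mac = parse_mac(src), parse_mac(dst)
        if classify(src_mac) != "unicast":
            raise ValueError("a frame is never sourced from a group address")
        self.mac_table[src_mac] = in_port           # learning: remember where src lives
        if classify(dst_mac) != "unicast" or dst_mac not in self.mac_table:
            # broadcast, multicast and unknown unicast are flooded out every other port
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst_mac]
        if out_port == in_port:                      # destination on the same segment
            return []                                # filtered: nothing to forward
        return [out_port]


def four_host_demo() -> list:
    """The text's scenario: hosts A-D on ports 1-4, A talks to C, C replies."""
    sw = Switch(4)
    host_a = "D8-D3-85-EA-1B-EE"                     # sample address from the text
    host_c = "00-11-22-33-44-55"                     # constructed
    steps = []
    steps.append(sw.receive(1, host_a, host_c))      # C unknown yet: flooded to 2,3,4
    steps.append(sw.receive(3, host_c, host_a))      # A was learned: only port 1
    steps.append(sw.receive(1, host_a, host_c))      # both known now: only port 3
    steps.append(sw.receive(1, host_a, "FFFF.FFFF.FFFF"))  # broadcast: flooded
    return steps


if __name__ == "__main__":
    for text in ("D8-D3-85-EA-1B-EE", "01:00:0C:CC:CC:CC", "FFFF.FFFF.FFFF"):
        mac = parse_mac(text)
        print(text, classify(mac), "OUI", oui(mac))
    print(four_host_demo())
```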

Differences between a switch and a bridge

Switches are basically multiport bridges. Although both types of devices perform a similar function, segmenting a LAN into separate collision domains, there are some differences between them:

- most bridges have only 2 or 4 ports. A switch can have hundreds of ports.
- bridges are software-based. Switches are hardware-based and use chips (ASICs) when making forwarding decisions, which makes them much faster than bridges.
- switches can have multiple spanning-tree instances. Bridges can have only one.
- switches can have multiple broadcast domains (one per VLAN).

To better understand the difference between a bridge and a switch, consider the following example. Let's say that we have a network of four computers. First, we will connect them together using a two-port bridge:

Because the bridge has only two ports, we need to use hubs in order to connect all computers together. Only two collision domains are created. If Host A wants to send a frame to Host C, all computers on the network will receive the frame, since hubs forward the frames out all ports. Now consider what happens if we replace the bridge with a switch. Since the switch has plenty of ports, no hubs are necessary. Each port is a separate collision domain and four collision domains are created. If Host A wants to send a frame to Host C, the switch will forward the frame only to Host C. Other hosts on the network will not receive the frame:

What is a router?

A router is a network device that connects different computer networks by routing packets from one network to the other. This device is usually connected to two or more different networks. When a data packet arrives at a router port, the router reads the address information in the packet to determine which port the packet will be sent out of. For example, a router provides you with Internet access by connecting your LAN to the Internet. A router is considered a Layer 3 device of the OSI model because its primary forwarding decision is based on OSI Layer 3 information (the destination IP address). If two hosts on different networks want to communicate with each other, they will need a router between them. Consider the following example:

We have a network of three computers. Note that each computer is on a different network. Host A wants to communicate with Host B and sends a packet with Host B’s IP address (10.0.0.20) to the default gateway (the router). The router receives the packet, compares the packet’s destination IP address to the entries in its routing table and finds a match. It then sends the packet out the interface associated with that network. Only Host B will receive the packet. In fact, Host C will not even be aware that the communication took place. Each port on a router is in a separate collision and broadcast domain and can run in the full duplex mode.

Collision domain explained The term collision domain is used to describe a part of a network where packet collisions can occur. Packet collisions occur when two devices on a shared network segment send packets simultaneously. The colliding packets must be discarded and sent again, which reduces network efficiency. Collisions occur often in a hub environment because all devices connected to the hub are in the same collision domain. Only one device may transmit at a time, and all the other devices connected to the hub must listen to the network in order to avoid collisions. Total network bandwidth is shared among all devices. In contrast to hubs, every port on a bridge, switch, or router is in a separate collision domain. This eliminates the possibility of collisions and enables the devices to use the full-duplex mode of communication, which effectively doubles the maximum data capacity. To better understand the concept of collision domains, consider the following example:

In the picture above you can see a network of seven computers, two hubs, a bridge, a switch, and a router. The collision domains created by these devices are marked in red. Remember, all devices connected to a hub are in the same collision domain. Each port on a bridge, a switch, or a router is in a separate collision domain. That is why there are seven collision domains in the network pictured above.

Broadcast domain explained The term broadcast domain is used to describe a group of devices on a specific network segment that can reach each other with Ethernet broadcasts. Broadcasts sent by a device in one broadcast domain are not forwarded to devices in another broadcast domain. This improves the performance of the network because not all devices on a network will receive and process broadcasts. Routers separate a LAN into multiple broadcast domains (every port on a router is in a different broadcast domain). Switches (by default) flood Ethernet broadcast frames out all ports, just like bridges and hubs. All ports on these devices are in the same broadcast domain. To better understand the concept of broadcast domains, consider the following example:

In the picture above we have a network of six computers, two hubs, a bridge, a switch, and a router. The broadcast domains are marked in red. Remember, all devices connected to a hub, a bridge, and a switch are in the same broadcast domain. Only routers separate the LAN into multiple broadcast domains. That is why we have four broadcast domains in the network pictured above. Ethernet broadcasts are usually used by Address Resolution Protocol (ARP) to translate IP addresses to MAC addresses.
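The counting rules from the collision domain and broadcast domain sections above can be written down as a small program. The following is an added example, not code from the book: every cable is treated as its own segment, and a device that does not separate domains (a hub for collision domains; a hub, bridge or switch for broadcast domains) merges the segments attached to it. The three topologies are constructed to match the prose descriptions in this chapter (hubs with a bridge, one switch, two switches joined by a router); the device names and the `count_domains` helper are assumptions of this example.

```python
# Added example (not from the book): count collision and broadcast domains
# by merging cable segments through devices that do not separate them.
from collections import defaultdict

# Devices that do NOT separate collision domains: all their ports share one.
COLLISION_MERGERS = {"hub", "repeater"}
# Devices that do NOT separate broadcast domains (only routers do).
BROADCAST_MERGERS = {"hub", "repeater", "bridge", "switch"}


def count_domains(devices, links, mergers):
    """devices: {name: type}; links: list of (name, name) cables.
    Every cable starts as its own domain; a device whose type is in
    `mergers` joins all cables attached to it into one domain."""
    parent = list(range(len(links)))          # union-find over cable indexes

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(a, b):
        parent[find(a)] = find(b)

    attached = defaultdict(list)              # device -> indexes of its cables
    for idx, (a, b) in enumerate(links):
        for end in (a, b):
            if end not in devices:
                raise KeyError(f"unknown device {end!r}")
            attached[end].append(idx)

    for name, cables in attached.items():
        if devices[name] in mergers:
            for idx in cables[1:]:
                union(cables[0], idx)

    return len({find(i) for i in range(len(links))})


def collision_domains(devices, links):
    return count_domains(devices, links, COLLISION_MERGERS)


def broadcast_domains(devices, links):
    return count_domains(devices, links, BROADCAST_MERGERS)


# Constructed topology 1: the bridge-and-two-hubs network described in the
# text (Hosts A and B on Hub1, Hosts C and D on Hub2, bridge in the middle).
HUBS_AND_BRIDGE = {
    "A": "host", "B": "host", "C": "host", "D": "host",
    "Hub1": "hub", "Hub2": "hub", "Bridge1": "bridge",
}
HUBS_AND_BRIDGE_LINKS = [("A", "Hub1"), ("B", "Hub1"), ("Hub1", "Bridge1"),
                         ("Bridge1", "Hub2"), ("C", "Hub2"), ("D", "Hub2")]

# Constructed topology 2: the same four hosts on a single switch.
ONE_SWITCH = {"A": "host", "B": "host", "C": "host", "D": "host", "SW1": "switch"}
ONE_SWITCH_LINKS = [("A", "SW1"), ("B", "SW1"), ("C", "SW1"), ("D", "SW1")]

# Constructed topology 3: two switches joined by a router.
ROUTED = {"A": "host", "B": "host", "C": "host", "D": "host",
          "SW1": "switch", "SW2": "switch", "R1": "router"}
ROUTED_LINKS = [("A", "SW1"), ("B", "SW1"), ("SW1", "R1"),
                ("R1", "SW2"), ("C", "SW2"), ("D", "SW2")]

if __name__ == "__main__":
    for label, dev, lk in [("hubs + bridge", HUBS_AND_BRIDGE, HUBS_AND_BRIDGE_LINKS),
                           ("one switch", ONE_SWITCH, ONE_SWITCH_LINKS),
                           ("switches + router", ROUTED, ROUTED_LINKS)]:
        print(f"{label}: {collision_domains(dev, lk)} collision domain(s), "
              f"{broadcast_domains(dev, lk)} broadcast domain(s)")
```

Running it reproduces the counts the chapter gives: two collision domains and one broadcast domain with the bridge and hubs, four collision domains with the switch, and two broadcast domains once the router separates the two switches.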

CSMA/CD explained Half-duplex Ethernet networks use an algorithm called Carrier Sense Multiple Access with Collision Detection (CSMA/CD). This algorithm helps devices on the same network segment decide when to send packets and what to do in case of collisions. CSMA/CD is commonly used in networks with repeaters and hubs because these devices run in half-duplex mode and all of their ports are in the same collision domain. Packet collisions occur when packets are transmitted from different hosts at the same time. To prevent this, CSMA/CD forces a transmitting station to check for the presence of a digital signal on the wire. If no other hosts are transmitting packets, the sender begins sending the frame. The sender also monitors the wire to make sure no other hosts begin transmitting. However, if another host begins transmitting at the same time and a collision occurs, the transmitting host sends a jam signal that causes all hosts on the network segment to stop sending data. After a random period of time, the hosts retransmit their packets. Consider the following example:

In the picture above we have a network of four hosts connected to a hub. Since hubs work in half-duplex mode and all ports on a hub are in the same collision domain, packet collisions can occur and CSMA/CD is used to prevent and detect them. Host A detects that there are no other signals on the network and decides to send a packet. However, Host B also assumes that no other station is transmitting and sends a packet as well. A collision occurs and it is detected by Host A and Host B. The sending stations send a jamming signal telling all hosts on the segment that a collision occurred. After a random period of time, Host A and Host B resend their packets. Since switches have replaced hubs in most of today’s LANs, CSMA/CD is not often used anymore. Switches work in full-duplex mode and each port on a switch is in a separate collision domain, so no collisions can occur.
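The sequence described above (carrier sense, collision, jam signal, random wait, retransmission) can be traced with a small slot-based simulation. This is an added example rather than code from the book, and it simplifies the real algorithm: time is divided into slots, two hosts collide only if they start in the same slot, and the frame and jam durations (`FRAME_SLOTS`, `JAM_SLOTS`) are constructed values. The random wait is the truncated binary exponential backoff Ethernet uses, seeded so that a run is repeatable.

```python
# Added example (not from the book): a simplified slot-based model of
# CSMA/CD on one shared half-duplex segment, such as hosts on a hub.
import random

FRAME_SLOTS = 4        # constructed: a frame occupies the wire for 4 slot times
JAM_SLOTS = 1          # constructed: the jam signal occupies 1 slot time
MAX_ATTEMPTS = 16      # Ethernet gives up on a frame after 16 collisions


def simulate_csma_cd(ready_at, seed=1, max_slots=1000):
    """ready_at: {host: slot at which the host has a frame to send}.
    Returns the slot at which each frame finished, the number of
    collisions, and a readable event log."""
    rng = random.Random(seed)            # seeded so the run is repeatable
    next_try = dict(ready_at)            # host -> earliest slot to try again
    attempts = {h: 0 for h in ready_at}
    finished = {}
    collisions = 0
    log = []
    busy_until = 0                       # wire is busy for slots < busy_until
    for slot in range(max_slots):
        if len(finished) == len(ready_at):
            break
        if slot < busy_until:
            continue                     # carrier sense: wire busy, defer
        senders = [h for h in next_try if h not in finished and next_try[h] <= slot]
        if len(senders) == 1:            # only one host started: no collision
            host = senders[0]
            busy_until = slot + FRAME_SLOTS
            finished[host] = busy_until
            log.append(f"slot {slot}: {host} transmits, finishes at {busy_until}")
        elif len(senders) > 1:           # two or more started in the same slot
            collisions += 1
            busy_until = slot + JAM_SLOTS
            log.append(f"slot {slot}: collision between {', '.join(senders)}, jam signal")
            for host in senders:         # collision detected: back off
                attempts[host] += 1
                if attempts[host] > MAX_ATTEMPTS:
                    raise RuntimeError(f"{host}: frame dropped after {MAX_ATTEMPTS} collisions")
                # truncated binary exponential backoff: wait 0..2^k-1 slots
                k = min(attempts[host], 10)
                wait = rng.randrange(2 ** k)
                next_try[host] = busy_until + wait
                log.append(f"slot {slot}: {host} backs off {wait} slot(s)")
    return {"finished": finished, "collisions": collisions, "log": log}


if __name__ == "__main__":
    # Hosts A and B both sense an idle wire in slot 0 and transmit together.
    result = simulate_csma_cd({"A": 0, "B": 0})
    print("\n".join(result["log"]))
    print("collisions:", result["collisions"], "finished:", result["finished"])
```

With both hosts ready in slot 0 the first attempt always collides and the backoff serialises the two frames; with Host B ready two slots later, carrier sense alone makes it wait for Host A's frame to finish and no collision occurs.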

Cisco three-layered hierarchical model Because large networks can be extremely complicated, with multiple protocols and diverse technologies, Cisco has developed a layered hierarchical model for designing a reliable network infrastructure. This three-layer model helps you design, implement, and maintain a scalable, reliable, and cost-effective network. Each of the layers has its own features and functionality, which reduces network complexity. Here is an example of the Cisco hierarchical model:

Here is a description of each layer:
Access - controls user and workgroup access to the resources on the network. This layer usually incorporates Layer 2 switches and access points that provide connectivity between workstations and servers. You can manage access control and policy, create separate collision domains, and implement port security at this layer.
Distribution - serves as the communication point between the access layer and the core. Its primary functions are to provide routing, filtering, and WAN access and to determine how packets can access the core. This layer determines the fastest way that network service requests are accessed - for example, how a file request is forwarded to a server - and, if necessary, forwards the request to the core layer. This layer usually consists of routers and multilayer switches.
Core - also referred to as the network backbone, this layer is responsible for transporting large amounts of traffic quickly. The core layer provides interconnectivity between distribution layer devices; it usually consists of high-speed devices, like high-end routers and switches with redundant links.

IEEE Ethernet standards Ethernet is defined in a number of IEEE (Institute of Electrical and Electronics Engineers) 802.3 standards. These standards define the physical and data-link layer specifications for Ethernet. The most important 802.3 standards are:
10Base-T (IEEE 802.3) - 10 Mbps with category 3 unshielded twisted pair (UTP) wiring, up to 100 meters long.
100Base-TX (IEEE 802.3u) - known as Fast Ethernet, uses category 5, 5E, or 6 UTP wiring, up to 100 meters long.
100Base-FX (IEEE 802.3u) - a version of Fast Ethernet that uses multi-mode optical fiber. Up to 412 meters long.
1000Base-CX (IEEE 802.3z) - uses copper twisted-pair cabling. Up to 25 meters long.
1000Base-T (IEEE 802.3ab) - Gigabit Ethernet that uses Category 5 UTP wiring. Up to 100 meters long.
1000Base-SX (IEEE 802.3z) - 1 Gigabit Ethernet running over multimode fiber-optic cable.
1000Base-LX (IEEE 802.3z) - 1 Gigabit Ethernet running over single-mode fiber.
10GBase-T (IEEE 802.3an) - 10 Gbps connections over category 5e, 6, and 7 UTP cables.
Notice how the first number in the name of the standard represents the speed of the network in megabits per second. The word base refers to baseband, meaning that the signals are transmitted without modulation. The last part of the standard name refers to the cabling used to carry the signals. For example, 1000Base-T means that the speed of the network is up to 1000 Mbps, baseband signaling is used, and twisted-pair cabling is used (T stands for twisted-pair).

Chapter 3 - TCP/IP
TCP/IP suite of protocols
What is an IP address?
Private IP addresses
IP address classes
IP address types
Transmission Control Protocol (TCP) explained
User Datagram Protocol (UDP) explained
TCP and UDP ports

TCP/IP suite of protocols The TCP/IP suite is a set of communications protocols used on computer networks today, most notably on the Internet. It provides end-to-end connectivity by specifying how data should be packetized, addressed, transmitted, routed and received on a TCP/IP network. This functionality is organized into four abstraction layers and each protocol in the suite resides in a particular layer. The TCP/IP suite is named after its most important protocols, the Transmission Control Protocol (TCP) and the Internet Protocol (IP). Some of the protocols included in the TCP/IP suite are:
ARP (Address Resolution Protocol) – used to convert an IP address to a MAC address.
IP (Internet Protocol) – used to deliver packets from the source host to the destination host based on the IP addresses.
ICMP (Internet Control Message Protocol) – used to detect and report network error conditions. Used in ping.
TCP (Transmission Control Protocol) – a connection-oriented protocol that enables reliable data transfer between two computers.
UDP (User Datagram Protocol) – a connectionless protocol for data transfer. Since a session is not created before the data transfer, there is no guarantee of data delivery.
FTP (File Transfer Protocol) – used for file transfers from one host to another.
Telnet (Telecommunications Network) – used to connect to and issue commands on a remote computer.
DNS (Domain Name System) – used to resolve host names to IP addresses.
HTTP (Hypertext Transfer Protocol) – used to transfer files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web.
The following table shows which protocols reside on which layer of the TCP/IP model:

What is an IP address? An IP address is a 32-bit number assigned to each host on a network. Each device that wants to communicate with other devices on a TCP/IP network needs to have an IP address configured. For example, in order to access the Internet, your computer will need to have an IP address assigned (usually obtained by your router from your ISP). An IP address is usually represented in dot-decimal notation, consisting of four decimal numbers separated by periods (e.g. 192.168.0.1). The first part of the address usually represents the network the device is on (e.g. 192.168.0.0), while the last part of the address identifies the host device (e.g. 192.168.0.1). An IP address is a software (logical) address, not a hardware address hard-coded on a NIC like a MAC address. An IP address can be configured manually or be obtained from a DHCP server on your network. To find out your IP address in Windows, open the Command Prompt (Start > Run > cmd):

Type the ipconfig command. You should see a field named IPv4 Address:

To find out your IP address in Linux, use the ifconfig command. The field inet addr represents an IP address:

The term IP address is usually used for IPv4, which is the fourth version of the IP protocol. A newer version, IPv6, exists, and uses 128-bit addressing.

Private IP addresses The original design of the Internet specified that every host on every network should have a real routable IP address. An organization that wanted to access the Internet would complete some paperwork, describing its internal network and the number of hosts on it. The organization would then receive a number of IP addresses, according to its needs. But there was one huge problem with this concept - if every host on every network in the world was required to have a unique IP address, we would have run out of IP addresses to hand out a long time ago! The concept of private IP addressing was developed to address the IP address exhaustion problem. Private IP addresses can be used on the private network of any organization in the world and are not globally unique. Internet routers are configured to discard any packets coming from the private IP address ranges, so these addresses are not routable on the Internet. Consider the following network:

In the picture above you can see that two organizations use the same private IP network (10.0.0.0/24) inside their respective internal networks. Because private IP addresses are not globally unique, both organizations can use private IP addresses from the same range. To access the Internet, the organizations can use a technology called Network Address Translation (NAT), which we will describe in the later lessons. There are three ranges of addresses that can be used in a private network:

10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
Private IP addresses are specified in RFC 1918.

IP address classes IP addresses are divided into five classes that are identified by the value of the first octet (the first decimal number). The system of IP address classes was developed for the purpose of Internet IP address assignment. The classes were based on network size. For example, Class A was created for the small number of networks with a very large number of hosts, and Class C was created for the numerous networks with a small number of hosts. The IP address classes are:
Class A, 0-127 - for example, 10.50.13.40. For large networks with many devices.
Class B, 128-191 - for example, 130.5.4.77. For medium-sized networks.
Class C, 192-223 - for example, 192.168.5.10. For small networks with a small number of hosts.
Class D, 224-239 - for example, 224.0.0.5. For multicast addresses.
Class E, 240-255 - for example, 241.0.0.1. Experimental.
Reserved addresses (used for special purposes):
0.0.0.0/8 - used to communicate with the network the device is on.
127.0.0.0/8 - loopback addresses.
169.254.0.0/16 - link-local addresses (APIPA).
An IP address consists of 32 bits. These bits are divided into two parts:
network bits - identify a particular network.
host bits - identify a host on the network.
For IP addresses from Class A, the first 8 bits (the first decimal number) represent the network part, while the remaining 24 bits represent the host part. For Class B, the first 16 bits (the first two numbers) represent the network part, while the remaining 16 bits represent the host part. For Class C, the first 24 bits represent the network part, while the remaining 8 bits represent the host part. For example, consider the following IP addresses:
10.50.120.7 - because this is a Class A address, the first number (10) represents the network part, while the remainder of the address represents the host part (50.120.7). This means that, in order for devices to be on the same network, the first number of their IP addresses has to be the same for both devices. In this case, a device with the IP address 10.47.8.4 is on the same network as the device with the IP address listed above. The device with the IP address 11.5.4.3 is not on the same network, because the first number of its IP address is different.

172.16.55.13 - because this is a Class B address, the first two numbers (172.16) represent the network part, while the remainder of the address represents the host part (55.13). The device with the IP address 172.16.254.3 is on the same network, while a device with the IP address 172.55.54.74 isn’t. The system of network address ranges described here is generally bypassed today by Classless Inter-Domain Routing (CIDR) addressing.

IP address types IP addresses are divided into three types, based on their operational characteristics: 1. unicast IP addresses - an address of a single interface. The IP addresses of this type are used for one-to-one communication. Unicast IP addresses are used to direct packets to a specific host. Here is an example:

In the picture above you can see that the host wants to communicate with the server. It uses the IP address of the server (192.168.0.150) to do so.
2. multicast IP addresses - used for one-to-many communication. Multicast messages are sent to IP multicast group addresses. Routers forward copies of the packet out to every interface that has hosts subscribed to that group address. Only the hosts that need to receive the message will process the packets. All other hosts on the LAN will discard them. Here is an example:

R1 has sent a multicast packet destined for 224.0.0.9. This is a RIPv2 packet, and only routers on the network should read it. R2 will receive the packet and read it. All other hosts on the LAN will discard the packet.
3. broadcast IP addresses - used to send data to all possible destinations in the broadcast domain (one-to-everybody communication). The broadcast address for a network has all host bits set to 1. For example, for the network 192.168.30.0 255.255.255.0 the broadcast address would be 192.168.30.255. Also, the IP address of all 1’s (255.255.255.255) can be used for local broadcast. Here’s an example:

R1 has sent a broadcast packet to the broadcast IP address 192.168.30.255. All hosts in the same broadcast domain will receive and process the packet.
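The arithmetic behind the private ranges, the IP address classes, and the three address types discussed above fits in a few functions. The following is an added example, not code from the book: it works on 32-bit integers with plain bit operations so that the network/host split, the RFC 1918 and reserved blocks, and the "all host bits set" rule for a broadcast address are each visible as a line of code. The function names (`parse_ipv4`, `address_class`, `split_classful`, `address_type`, and so on) are this example's own.

```python
# Added example (not from the book): classful address arithmetic with plain
# bit operations, so every step the chapter describes is visible.


def parse_ipv4(text):
    """'192.168.0.1' -> 32-bit integer; raises ValueError on bad input."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad address: {text!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | octet
    return value


def format_ipv4(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(prefix):
    """Prefix length (e.g. 24) -> 32-bit mask (e.g. 0xFFFFFF00)."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def address_class(text):
    """Class letter from the first octet, using the chapter's ranges."""
    first = parse_ipv4(text) >> 24
    if first <= 127:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    if first <= 239:
        return "D"
    return "E"


DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}      # network bits per class


def split_classful(text):
    """(network part, host part) as dotted strings, for class A-C only."""
    cls = address_class(text)
    if cls not in DEFAULT_PREFIX:
        raise ValueError(f"class {cls} addresses have no network/host split")
    mask = prefix_mask(DEFAULT_PREFIX[cls])
    value = parse_ipv4(text)
    return format_ipv4(value & mask), format_ipv4(value & ~mask & 0xFFFFFFFF)


def same_classful_network(a, b):
    return split_classful(a)[0] == split_classful(b)[0]


# RFC 1918 private ranges plus the reserved blocks the chapter lists.
SPECIAL_RANGES = [
    ("0.0.0.0", 8, "this network"),
    ("10.0.0.0", 8, "private (RFC 1918)"),
    ("127.0.0.0", 8, "loopback"),
    ("169.254.0.0", 16, "link-local (APIPA)"),
    ("172.16.0.0", 12, "private (RFC 1918)"),
    ("192.168.0.0", 16, "private (RFC 1918)"),
]


def describe_special(text):
    """Label of the special-purpose block an address falls in, or None."""
    value = parse_ipv4(text)
    for base, prefix, label in SPECIAL_RANGES:
        if value & prefix_mask(prefix) == parse_ipv4(base):
            return label
    return None


def is_private(text):
    return describe_special(text) == "private (RFC 1918)"


def broadcast_address(network_text, mask_text):
    """Set every host bit to 1: 192.168.30.0 / 255.255.255.0 -> 192.168.30.255."""
    mask = parse_ipv4(mask_text)
    return format_ipv4(parse_ipv4(network_text) | (~mask & 0xFFFFFFFF))


def address_type(text, mask_text):
    """unicast, multicast, directed broadcast or limited broadcast, given
    the subnet mask of the network the address belongs to."""
    value = parse_ipv4(text)
    host_bits = ~parse_ipv4(mask_text) & 0xFFFFFFFF
    if value == 0xFFFFFFFF:
        return "limited broadcast"                  # 255.255.255.255
    if address_class(text) == "D":
        return "multicast"                          # 224.0.0.0 - 239.255.255.255
    if host_bits and value & host_bits == host_bits:
        return "directed broadcast"                 # all host bits set
    return "unicast"
```

The 172.16.0.0 – 172.31.255.255 range is the one that trips people up: it is a /12, not a /16, which is why `is_private` accepts 172.31.255.255 but rejects 172.32.0.1. Note that `split_classful` returns the host part padded to four octets (0.50.120.7 for the chapter's 10.50.120.7), and that `address_type` needs the subnet mask, because which address is the directed broadcast depends on where the host bits begin.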

Transmission Control Protocol (TCP) explained One of the main protocols in the TCP/IP suite is Transmission Control Protocol (TCP). This protocol provides reliable and ordered delivery of data between applications running on hosts on a TCP/IP network. Because of its reliable nature, TCP is used by applications that require high reliability, such as FTP, SSH, SMTP, HTTP, etc. TCP is connection-oriented, which means that, before data are sent, a connection between two hosts must be established. The process used to establish a TCP connection is known as the three-way handshake. After the connection has been established, the data transfer phase begins. After the data is transmitted, the connection is terminated. One other notable characteristic of TCP is its reliable delivery. TCP uses sequence numbers to identify the order of the bytes sent from each computer so that the data can be reconstructed in order. If any data is lost during the transmission, the sender can retransmit the data. Because of all of its characteristics, TCP is considered to be complicated and costly in terms of network usage. The TCP header is up to 24 bytes long and consists of the following fields:

source port - the port number of the application on the host sending the data
destination port - the port number of the application on the host receiving the data
sequence number - used to identify each byte of data
acknowledgment number - the next sequence number that the receiver is expecting
header length - the size of the TCP header
reserved - always set to 0
flags - used to set up and terminate a session
window - the window size the sender is willing to accept
checksum - used for error-checking of the header and data
urgent - indicates the offset from the current sequence number, where the segment of non-urgent data begins
options - various TCP options, such as Maximum Segment Size (MSS) or Window Scaling

User Datagram Protocol (UDP) One other important protocol in the TCP/IP suite is User Datagram Protocol (UDP). This protocol is basically a scaled-down version of TCP. Just like TCP, this protocol provides delivery of data between applications running on hosts on a TCP/IP network, but it does not sequence the data and does not care about the order in which the segments arrive at the destination. Because of this it is considered to be an unreliable protocol. UDP is also considered to be a connectionless protocol, since no virtual circuit is established between the two endpoints before the data transfer takes place. Because it does not provide many of the features that TCP does, UDP uses far fewer network resources than TCP. UDP is commonly used with two types of applications:
applications that are tolerant of lost data - VoIP (Voice over IP) uses UDP because if a voice packet is lost, by the time the packet would be retransmitted, too much delay would have occurred, and the voice would be unintelligible.
applications that have some application mechanism to recover lost data - Network File System (NFS) performs recovery with application layer code, so UDP is used as the transport-layer protocol.
The UDP header is 8 bytes long and consists of the following fields:

Here is a description of each field:
source port - the port number of the application on the host sending the data.
destination port - the port number of the application on the host receiving the data.
length - the length of the UDP header and data.
checksum - checksum of both the UDP header and UDP data fields.
UDP is a Transport layer protocol (Layer 4 of the OSI model).
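The TCP and UDP header fields listed in the two sections above can be decoded from raw bytes with Python's `struct` module. This is an added example, not code from the book: the two sample segments are constructed in the block (a SYN from client port 1200 to FTP port 21, matching the scenario in the next section, and a UDP datagram to port 53 carrying a placeholder payload), and the field names in the returned dictionaries are this example's own. Reading the data offset field shows how the header length grows when options such as MSS are present.

```python
# Added example (not from the book): parse TCP and UDP headers with struct,
# using constructed sample segments rather than captured traffic.
import struct

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
                 "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def parse_tcp_header(segment):
    """Decode the fields listed in the chapter from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    (src, dst, seq, ack, offset_reserved, flags,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (offset_reserved >> 4) * 4    # data offset, in 32-bit words
    if not 20 <= header_len <= len(segment):
        raise ValueError(f"bad header length {header_len}")
    return {
        "source_port": src,
        "destination_port": dst,
        "sequence_number": seq,
        "acknowledgment_number": ack,
        "header_length": header_len,
        "reserved": offset_reserved & 0x0F,
        "flags": [name for name, bit in TCP_FLAG_BITS.items() if flags & bit],
        "window": window,
        "checksum": checksum,
        "urgent_pointer": urgent,
        "options": segment[20:header_len],
        "payload": segment[header_len:],
    }


def parse_tcp_options(options):
    """Split the options bytes into (kind, data) pairs; kind 2 is MSS,
    kind 3 is Window Scale, kind 1 is a NOP pad and kind 0 ends the list."""
    parsed, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("malformed TCP option")
        length = options[i + 1]
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed


def parse_udp_header(datagram):
    """Decode the four UDP fields and check the length field is consistent."""
    if len(datagram) < 8:
        raise ValueError("UDP header is 8 bytes")
    src, dst, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError(f"length field {length} != datagram size {len(datagram)}")
    return {"source_port": src, "destination_port": dst, "length": length,
            "checksum": checksum, "payload": datagram[8:]}


def build_sample_syn():
    """Constructed SYN for the chapter's FTP scenario: client port 1200 to
    server port 21, with an MSS option (header 24 bytes, data offset 6)."""
    options = b"\x02\x04\x05\xb4"              # kind 2, length 4, MSS 1460
    fixed = struct.pack("!HHIIBBHHH", 1200, 21, 1000, 0, 6 << 4,
                        TCP_FLAG_BITS["SYN"], 65535, 0, 0)
    return fixed + options


def build_sample_udp():
    """Constructed UDP datagram: client port 53000 to DNS port 53, with a
    12-byte placeholder payload (not a real DNS message)."""
    payload = b"\x12\x34" + b"\x00" * 10
    return struct.pack("!HHHH", 53000, 53, 8 + len(payload), 0) + payload


if __name__ == "__main__":
    tcp = parse_tcp_header(build_sample_syn())
    print("TCP:", tcp, "options:", parse_tcp_options(tcp["options"]))
    print("UDP:", parse_udp_header(build_sample_udp()))
```

The header length check matters: a segment whose data offset claims more bytes than are present is malformed, and accepting it would make the option parser read past the end of the header.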

TCP and UDP ports A port is a 16-bit number used to identify specific applications and services. TCP and UDP specify the source and destination port numbers in their packet headers, and that information, along with the source and destination IP addresses and the transport protocol (TCP or UDP), enables applications running on hosts on a TCP/IP network to communicate. Applications that provide a service (such as FTP or HTTP servers) open a port on the local computer and listen for connection requests. A client can request the service by pointing the request to the application’s IP address and port. A client can use any locally unused port number for communication. Consider the following example:

In the picture above you can see that a host with an IP address of 192.168.0.50 wants to communicate with the FTP server. Because FTP servers use, by default, the well-known port 21, the host generates the request and sends it to the FTP server’s IP address and port. The host uses the locally unused port 1200 for communication. The FTP server receives the request, generates the response, and sends it to the host’s IP address and port. Port numbers range from 0 to 65535. The first 1024 ports are reserved for use by certain privileged services:

The combination of an IP address and a port number is called a socket. In our example the socket would be 192.168.0.50:1200.
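The listening port, the client's locally chosen port, and the resulting sockets can all be observed on a single machine. The following is an added example, not code from the book: it starts a throwaway TCP server on the loopback address (port 0 asks the operating system for any unused port, standing in for a well-known port such as 21), connects to it once, and reports what each side sees. The function names and the echo behaviour are this example's own.

```python
# Added example (not from the book): a loopback TCP exchange showing a
# listening port on the server side, an ephemeral port on the client side,
# and the IP:port sockets that identify each end.
import socket
import threading


def run_loopback_exchange(message=b"hello"):
    """Start a throwaway server on 127.0.0.1, connect to it once, and
    return the sockets seen by both sides plus the echoed reply."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.settimeout(5)                  # never hang if the connect fails
    server.bind(("127.0.0.1", 0))         # port 0: OS picks an unused port
    server.listen(1)
    server_sock = server.getsockname()    # (ip, port) the service listens on
    seen = {}

    def serve_one():
        conn, peer = server.accept()      # peer: the client's IP and port
        with conn:
            seen["client_as_seen_by_server"] = peer
            conn.sendall(conn.recv(1024)) # echo the request back

    worker = threading.Thread(target=serve_one)
    worker.start()
    try:
        with socket.create_connection(server_sock, timeout=5) as client:
            seen["client_socket"] = client.getsockname()   # ephemeral port
            seen["server_socket"] = client.getpeername()   # listening port
            client.sendall(message)
            seen["reply"] = client.recv(1024)
    finally:
        worker.join()
        server.close()
    return seen


def socket_string(addr):
    """The '192.168.0.50:1200' notation the chapter uses for a socket."""
    ip, port = addr
    return f"{ip}:{port}"


if __name__ == "__main__":
    result = run_loopback_exchange()
    print("client socket:", socket_string(result["client_socket"]))
    print("server socket:", socket_string(result["server_socket"]))
    print("server saw the client as:", socket_string(result["client_as_seen_by_server"]))
```

The client port reported by `getsockname` on the client side is the same port the server receives from `accept`, and it always lies above the privileged range (0 to 1023), because the operating system picks it from the ephemeral range. The server socket never changes; only the client side differs between connections.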

Chapter 4 - Network protocols
Telnet protocol
Secure Shell (SSH) protocol
File Transfer Protocol (FTP)
Trivial File Transfer Protocol (TFTP)
Simple Network Management Protocol (SNMP)
Hypertext Transfer Protocol (HTTP)
Hypertext Transfer Protocol Secure (HTTPS)
Network Time Protocol (NTP)
Domain Name Service (DNS)
Dynamic Host Configuration Protocol (DHCP)
Automatic Private IP Addressing (APIPA)
Internet Control Message Protocol (ICMP)
Address Resolution Protocol (ARP)
IPv4 header

Telnet protocol Telnet is an application protocol that allows a user to communicate with a remote device. A user on a client machine can use software (known as a Telnet client) to access the command-line interface of another, remote machine that is running a Telnet server program. Telnet is often used by network administrators to access and manage remote devices. A network administrator can access the device by telnetting to the IP address or hostname of the remote device. The network administrator will then be presented with a virtual terminal that can interact with the remote host. To use Telnet, you must have Telnet client software installed. On the remote device, a Telnet server must be installed and running. Consider the following example:

The network administrator wants to use his computer (Host A) to access and manage the router (R1). The administrator will start a Telnet client program on Host A and enter the IP address of the router R1 (telnet 10.0.0.1):

The administrator can now manage the remote device (R1) from his own computer.

Telnet uses a well-known TCP port 23 for its communication. Although Telnet is simple and easy to use, it is not widely used anymore, especially in production environments. This is because Telnet sends all data in clear-text, including usernames and passwords! SSH is commonly used today instead of Telnet. Telnet is only used if SSH is not available on the device, for example on some older Cisco equipment.

Secure Shell (SSH) protocol Just like Telnet, the Secure Shell (SSH) protocol enables a user to access a remote device and manage it. The key difference between Telnet and SSH is that SSH uses encryption. All data transmitted over the network (including usernames and passwords) is encrypted and secure from eavesdropping. SSH employs public key cryptography for the encryption. A user on a client machine can use software (an SSH client) to establish a connection to an SSH server running on a remote machine. Once the connection has been established, the user can execute commands on the remote device. Consider the following example:

The network administrator wants to use his computer (Host A) to access and manage the router with the IP address 10.0.0.1. The administrator will start an SSH client program on Host A and enter the IP address of the router R1 to access it (in this case, the client program is PuTTY):

The devices will agree upon the symmetric key that will be used for encryption and the administrator will be presented with the usual login screen. SSH uses a well-known TCP port 22.

File Transfer Protocol (FTP) File Transfer Protocol (FTP) is a network protocol used to transfer files between machines on a TCP/IP network. FTP employs a client-server architecture; the client has an FTP client installed and establishes a connection to an FTP server running on a remote machine. After the connection has been established and the user is successfully authenticated, the data transfer phase can begin. Note that, although FTP does support user authentication, all data is sent in clear text, including usernames and passwords. Consider the following example:

A user wants to transfer files from Host A to the FTP server. The user will start an FTP client program (in this example, FileZilla) and initiate the connection:

In the example above, anonymous authentication was used, so the user was not asked to provide a password. The client can now transfer files from and to the FTP server using the graphical interface. FTP uses two TCP ports: port 20 is used for sending data and port 21 for sending control commands.

Trivial File Transfer Protocol (TFTP) Trivial File Transfer Protocol (TFTP) is a network protocol used to transfer files between hosts in a TCP/IP network. It is a simpler version of FTP and it doesn’t have all of its functions; for example, you cannot list, delete, or rename files or directories on a remote server. In fact, TFTP can only be used to send and receive files between two computers. TFTP doesn’t support user authentication and all data is sent in clear text. The only real advantage that TFTP has over FTP is that it uses fewer resources. It is not widely used today, but Cisco does still use it on its devices, for example to back up a router’s IOS image. Consider the following example:

A user wants to transfer files from Host A to the router R1. R1 is a Cisco device and it has a TFTP server installed. The user will start a TFTP client program and initiate the data transfer. TFTP uses the well-known UDP port 69.

Simple Network Management Protocol (SNMP) Simple Network Management Protocol (SNMP) is an application layer protocol that is used for network device management. This protocol can collect and manipulate valuable network information from switches, routers, servers, printers, and other network-attached devices. An SNMP-managed network consists of two components:
Network management station (NMS) - the software which runs on the administrative computer. This software gathers SNMP data by asking the devices on the network to disclose certain information. Devices can also inform the NMS about problems they are experiencing by sending an SNMP alert (called a trap).
Agent - the software which runs on managed devices and reports information via SNMP to the NMS.
Consider the following example:

The router R1 is configured to send SNMP traps to the NMS station. If a problem occurs, the router will send an SNMP trap to Host A. For example, if there is a port security violation on R1, the router will send an SNMP trap notifying the NMS that there has been a potential security breach on the network. SNMP agents use UDP port 161, while the manager uses UDP port 162. The current SNMP version is SNMPv3. The prior versions, SNMPv1 and SNMPv2, are considered obsolete and should not be used.

Hypertext Transfer Protocol (HTTP) Hypertext Transfer Protocol (HTTP) is an application layer protocol used by web browsers and web servers to transfer files, such as text and graphic files. It is a client-server protocol; a client (usually a web browser) requests a resource (a web page) from a web server. The web server responds with the requested web page. Consider the following example:

The client wants to access http://google.com and points the browser to the URL http://google.com (this is an example of an HTTP request message). The web server hosting http://google.com receives the request and responds with the content of the web page (an HTTP response message). Web servers usually use the well-known TCP port 80. If the port is not specified in a URL, browsers will use this port when sending an HTTP request. For example, you will get the same result when requesting http://google.com and http://google.com:80. The version of HTTP most commonly used today is HTTP/1.1. A newer version, HTTP/2, is currently in development.

Hypertext Transfer Protocol Secure (HTTPS) Hypertext Transfer Protocol Secure (HTTPS) is an application layer protocol used for secure communication over an insecure computer network, for example over the Internet. It is a secure version of HTTP; it uses the Transport Layer Security (TLS) protocol to encrypt the traffic between the client and the web server. HTTPS creates a secure channel for two hosts to communicate over an insecure network (most commonly the Internet). Since HTTP sends all data in clear text, HTTPS can be used instead to encrypt sensitive information, for example usernames and passwords. Because HTTPS requires more resources than HTTP, it is often used only to protect sensitive information (e.g. login credentials or credit card numbers), but many websites today use HTTPS for the entire site. For example, Google uses HTTPS by default on its global search pages. HTTPS URLs begin with https, as in https://gmail.com. The whole HTTPS encryption process happens in the background and is transparent to the user. In Firefox, a lock icon appears left of the URL, indicating that the requested website is using HTTPS:

HTTPS uses the well-known TCP port 443. If the port is not specified in a URL, browsers will use this port when sending an HTTPS request. For example, you will get the same result when requesting https://gmail.com and https://gmail.com:443.

Network Time Protocol (NTP) Network Time Protocol (NTP) is an application layer protocol used for clock synchronization between hosts on a TCP/IP network. The goal of NTP is to ensure that all computers on a network agree on the time, since even a small difference can create problems. For example, if there is more than 5 minutes difference between your host and the Active Directory domain controller, you will not be able to log in to your AD domain. NTP uses a hierarchical system of time sources. At the top of the structure are highly accurate time sources – typically atomic or GPS clocks. These clocks are known as stratum 0 servers. Stratum 1 servers are directly linked to stratum 0 servers; they run NTP servers that deliver the time to stratum 2 servers, and so on (image source: Wikipedia):

NTP uses a client-server architecture; one host is configured as the NTP server and all other hosts on the network are configured as NTP clients. Consider the following example:

Host A is configured to use the public NTP server uk.pool.ntp.org. Host A will periodically send an NTP request to the NTP server. The NTP server will provide the accurate date and time, so Host A can synchronize its clock. NTP uses the well-known UDP port 123. The current version is NTPv4, and it is backward compatible with NTPv3.

Domain Name Service (DNS) Domain Name Service (DNS) is an application layer protocol used to resolve hostnames to IP addresses. Although a host can be accessed by using only its IP address, DNS makes your life easier by using domain names. For example, you can access the Google website by typing http://208.117.229.214 in your browser, but it is much easier to type http://www.google.com. Each host that wants to use DNS needs to have a DNS server configured. When you type a URL in your browser (e.g. http://www.google.com), your host will query the DNS server for the IP address of www.google.com. The DNS server will resolve the query and send the answer back to the host. The host will then be able to establish a connection to http://www.google.com. Consider the following example:

1. The user enters www.google.com in his browser. The host needs to know the IP address of www.google.com in order to establish a network connection. The host sends a DNS query to its DNS server, looking for the IP address of www.google.com.
2. The DNS server sends a reply back to the host, listing the IP address of 208.117.229.214 as www.google.com’s IP address.
3. The host can establish a network connection to the web server hosting www.google.com.
DNS uses the well-known UDP port 53.

Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP) is an application layer protocol used to distribute network configuration parameters, such as IP addresses, subnet masks, default gateways, etc. to hosts on a TCP/IP network. Assigning network parameters using DHCP reduces the amount of work of a network administrator, since there is no need to statically configure parameters on each device. DHCP employs a client-server architecture; a DHCP client is configured to request network parameters from a DHCP server. A DHCP server is configured with a pool of available IP addresses and assigns one of them to the DHCP client. Besides IP addresses, a DHCP server can provide some additional network parameters, such as:
- subnet mask
- default gateway
- domain name
- DNS server
Here is an overview of the DHCP process:

As you can see from the picture above, a DHCP client goes through a four-step process:
1. A DHCP client sends a broadcast packet (DHCPDiscover) to discover DHCP servers on the network.
2. The DHCP server receives the DHCPDiscover packet and responds with a DHCPOffer packet, offering IP addressing information to the DHCP client.
3. If there is more than one DHCP server on the network segment and the DHCP client receives more than one DHCPOffer packet, the client will accept the first DHCPOffer packet. The DHCP client responds by broadcasting a DHCPRequest packet, requesting network parameters from the DHCP server.
4. The DHCP server approves the lease with a DHCPACK (Acknowledgement) packet. The packet includes the lease duration and other configuration information.
DHCP uses the well-known UDP port number 67 for the DHCP server, and the UDP port number 68 for the client.

Automatic Private IP Addressing (APIPA)

Automatic Private IP Addressing (APIPA) is a feature in Windows operating systems that enables computers to automatically self-configure an IP address and subnet mask when their DHCP server isn’t reachable. The IP address range for APIPA is 169.254.0.1 – 169.254.255.254, and the subnet mask is 255.255.0.0. When a DHCP client boots up, it looks for a DHCP server in order to obtain network parameters. If the client can’t communicate with the DHCP server, it uses APIPA to configure itself with an IP address from the APIPA range. This way, the host will still be able to communicate with other hosts on the local network segment that are also configured for APIPA. If your host is using an IP address from the APIPA range, there is usually a problem on the network. Check the network connectivity of your host and the status of the DHCP server. The APIPA service also checks regularly for the presence of a DHCP server (every three minutes). If it detects a DHCP server on the network, the DHCP server replaces the APIPA networking addresses with dynamically assigned addresses.

Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP) is a network layer protocol that reports errors and provides information related to IP packet processing. ICMP is used by network devices to send error messages indicating, for example, that a requested service is not available or that a host isn’t reachable. ICMP is commonly used by network tools such as ping or traceroute. Consider the following example, which illustrates how ping can be used to test the reachability of a host:

Host A wants to test whether it can reach Server over the network. Host A will start the ping utility that will send ICMP Echo Request packets to Server. If Server is reachable, it will respond with ICMP Echo Reply packets. If Host A receives no response from Server, there might be a problem on the network. ICMP messages are encapsulated in IP datagrams.

One other common ICMP message is the Destination unreachable message. Here is an example:

Host A sends a packet to Host B. Because R1’s interface connected to Host B is down, the router will send an ICMP Destination unreachable message to Host A, informing it that the destination host is unreachable.

Address Resolution Protocol (ARP)
Address Resolution Protocol (ARP) is a network protocol used to find the hardware (MAC) address of a host from an IP address. ARP is used on Ethernet LANs because hosts that want to communicate with each other need to know their respective MAC addresses. It is a request-reply protocol; ARP request messages are used to request the MAC address, while ARP reply messages are used to send the requested MAC address. Consider the following example:

Host A wants to communicate with the host with the IP address of 10.0.0.2. Host A doesn’t know the MAC address of the host with that IP address, so it will send an ARP request, requesting the MAC address. Because the ARP request is sent to the broadcast address, the switch will flood the request out all interfaces. Every device on the LAN will receive the request, but only the device with the IP address of 10.0.0.2 will process it and send an ARP reply message, listing its MAC address. Host A will receive the reply and the communication between the two devices can be established. ARP requests are sent to the Layer 2 broadcast address of FF:FF:FF:FF:FF:FF (all 1s in binary). The ARP reply is a unicast message sent only to the host that sent the ARP request. Hosts store the ARP results, keeping the information in their ARP cache. Each time a host needs to send a packet to another host on the LAN, it first checks its ARP cache for the correct IP address and matching MAC address. The addresses will stay in the cache for a couple of minutes. On Windows, you can display the content of the ARP cache by using the arp -a command:

Some sources mention ARP as a Layer 2 protocol, while others place ARP at Layer 3.

IPv4 header
An IPv4 header is a prefix to an IP packet that contains information about the IP version, length of the packet, source and destination IP addresses, etc. It consists of the following fields:

Here is a description of each field:
- Version - the version of the IP protocol. For IPv4, this field has a value of 4.
- Header length - the length of the header in 32-bit words. The minimum value is 20 bytes, and the maximum value is 60 bytes.
- Priority and Type of Service - specifies how the datagram should be handled. The first 3 bits are the priority bits.
- Total length - the length of the entire packet (header + data). The minimum length is 20 bytes, and the maximum is 65,535 bytes.
- Identification - used to differentiate fragmented packets from different datagrams.
- Flags - used to control or identify fragments.
- Fragment offset - used for fragmentation and reassembly if the packet is too large to put in a frame.
- Time to live - limits a datagram’s lifetime. If the packet doesn’t get to its destination before the TTL expires, it is discarded.
- Protocol - defines the protocol used in the data portion of the IP datagram. For example, TCP is represented by the number 6 and UDP by 17.
- Header checksum - used for error-checking of the header. If a packet arrives at a router and the router calculates a different checksum than the one specified in this field, the packet will be discarded.
- Source IP address - the IP address of the host that sent the packet.
- Destination IP address - the IP address of the host that should receive the packet.
- Options - used for network testing, debugging, security, and more. This field is usually empty.
Consider the following IP header, captured with Wireshark:

Notice the fields in the header: the IP version is IPv4, the header length is 20 bytes, the upper-level protocol used is TCP, the TTL value is set to 128, etc.
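To make the field layout concrete, here is an added example (not from the book) that packs an IPv4 header, verifies the header checksum the way a router does before forwarding, and decodes every field listed above. It uses only the Python standard library; the sample header, its addresses and its identification value are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Protocol numbers mentioned on the page (IANA assigned values).
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """One's complement sum of all 16-bit words, complemented (RFC 791).

    Over a header whose checksum field is zero it yields the value to store;
    over a header that already carries a valid checksum it yields 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, protocol: int = 6,
                      ttl: int = 128, identification: int = 0x1C46,
                      dont_fragment: bool = True) -> bytes:
    """Build a 20-byte header (no options) with a correct checksum."""
    ihl_words = 5                              # 5 x 32-bit words = 20 bytes
    version_ihl = (4 << 4) | ihl_words
    flags = 0b010 if dont_fragment else 0b000  # bit 1 = DF, bit 0 = MF
    flags_fragment = (flags << 13) | 0         # fragment offset 0
    fields = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, ihl_words * 4 + payload_len,
                         identification, flags_fragment, ttl, protocol, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    checksum = ipv4_checksum(fields)           # computed with checksum field = 0
    return fields[:10] + struct.pack("!H", checksum) + fields[12:]


@dataclass
class IPv4Header:
    version: int
    header_length: int      # in bytes (IHL * 4)
    tos: int
    total_length: int
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int    # in bytes (field value * 8)
    ttl: int
    protocol: int
    protocol_name: str
    checksum: int
    checksum_ok: bool
    src: str
    dst: str
    options: bytes


def parse_ipv4_header(data: bytes) -> IPv4Header:
    """Decode the fixed header and verify its checksum like a router would."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (version_ihl, tos, total_length, identification, flags_fragment,
     ttl, protocol, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version = version_ihl >> 4
    if version != 4:
        raise ValueError(f"not an IPv4 header (version {version})")
    header_length = (version_ihl & 0x0F) * 4
    if header_length < 20 or header_length > 60 or len(data) < header_length:
        raise ValueError(f"invalid header length {header_length}")
    if total_length < header_length:
        raise ValueError("total length smaller than header length")
    flags = flags_fragment >> 13
    return IPv4Header(
        version=version,
        header_length=header_length,
        tos=tos,
        total_length=total_length,
        identification=identification,
        dont_fragment=bool(flags & 0b010),
        more_fragments=bool(flags & 0b001),
        fragment_offset=(flags_fragment & 0x1FFF) * 8,
        ttl=ttl,
        protocol=protocol,
        protocol_name=PROTOCOL_NAMES.get(protocol, str(protocol)),
        checksum=checksum,
        checksum_ok=ipv4_checksum(data[:header_length]) == 0,
        src=str(IPv4Address(src)),
        dst=str(IPv4Address(dst)),
        options=data[20:header_length],
    )


# Constructed sample: a TCP packet with 20 bytes of payload and TTL 128, from the
# router address used later in the book to the Google address used on this page.
SAMPLE_HEADER = build_ipv4_header("192.168.5.44", "208.117.229.214", payload_len=20)

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_HEADER))
```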

Chapter 5 - Subnetting
What is subnetting?
Subnet mask explained
How to create subnets

What is subnetting?
Subnetting is the practice of dividing a network into two or more smaller networks. It increases routing efficiency, enhances the security of the network and reduces the size of the broadcast domain. Consider the following example:

In the picture above we have one huge network: 10.0.0.0/24. All hosts on the network are in the same subnet, which has the following disadvantages:
- a single broadcast domain - all hosts are in the same broadcast domain. A broadcast sent by a device on the network will be processed by all hosts.
- network security - each device can reach any other device on the subnet, which can present security problems.
- organizational problems - in large networks, different departments are usually grouped into different subnets. For example, you can group all devices from the Accounting department in the same subnet and then give access to sensitive financial data only to hosts from that subnet.
The network pictured above could be subnetted like this:

Now, two subnets were created for different departments: 10.0.0.0/24 for Accounting and 10.1.0.0/24 for Marketing. Devices in each subnet are in a different broadcast domain.

Subnet mask explained

An IP address is divided into two parts: the network part and the host part. For example, a Class A IP address consists of 8 network bits and 24 host bits. This is because the default subnet mask for a class A IP address is 8 bits long (or, written in dotted decimal notation, 255.0.0.0). What does this mean? Well, just like an IP address, a subnet mask also consists of 32 bits. It is used by computers to determine the network part and the host part of an IP address. The 1s in the subnet mask represent the network part, the 0s the host part. Computers work only with bits. The binary AND operation is used to determine a network range:

Here is an example. Let’s say that we have the IP address of 10.0.0.1, with the default subnet mask of 255.0.0.0. First, we need to convert the IP address to binary:
IP address - 10.0.0.1 = 00001010.00000000.00000000.00000001
Subnet mask - 255.0.0.0 = 11111111.00000000.00000000.00000000
Computers use the binary AND operation to determine the network number:

In the picture above you can see that the network part of the IP address (10) has been determined. The computer can now determine the size of the network. Only IP addresses that begin with 10 will be in the same network. In this case, the range of addresses in this network is 10.0.0.0 – 10.255.255.255. A subnet mask is always a series of 1s, followed by a series of 0s.

How to create subnets
There are a couple of ways to create subnets. In this section we will subnet a class C address 192.168.0.0 that, by default, has 24 subnet bits and 8 host bits. Before we start subnetting, we have to ask ourselves these two questions:

1. How many subnets do we need? 2^x = number of subnets, where x is the number of host bits converted to 1s in the subnet mask. With 1 subnet bit, we can have 2^1 or 2 subnets. With 2 bits, 2^2 or 4 subnets, with 3 bits, 2^3 or 8 subnets, etc.
2. How many hosts per subnet do we need? 2^y – 2 = number of hosts per subnet, where y is the number of 0s in the subnet mask.
An example will help you understand the subnetting concept. Let’s say that we need to subnet a class C address 192.168.0.0/24. We need two subnets with 50 hosts per subnet. Here is our calculation:
1. Since we need only two subnets, we need one subnet bit (2^1 = 2). In our case, this means that we will take one bit from the host part. Here is the calculation: First, we have a class C address 192.168.0.0 with the subnet mask of /24. Let’s convert them to binary:
192.168.0.0 = 11000000.10101000.00000000.00000000
255.255.255.0 = 11111111.11111111.11111111.00000000
We need to convert a single zero from the host part of the subnet mask into a one. Here is our new subnet mask:
255.255.255.128 = 11111111.11111111.11111111.10000000
Remember, the ones in the subnet mask represent the network.
2. We need 50 hosts per subnet. Since we took one bit from the host part, we are left with seven bits for the hosts. Is it enough for 50 hosts? The formula to calculate the number of hosts is 2^y - 2, with y representing the number of host bits. Since 2^7 - 2 is 126, we have more than enough bits for our hosts.
3. Our network will look like this:
192.168.0.0/25 - the first subnet has the subnet number of 192.168.0.0. The range of IP addresses in this subnet is 192.168.0.0 - 192.168.0.127.
192.168.0.128/25 - the second subnet has the subnet number of 192.168.0.128. The range of IP addresses in this subnet is 192.168.0.128 - 192.168.0.255.
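The AND operation from the previous section, the two questions above and the worked /25 split can all be checked with the following Python, an added example that is not part of the book. Function names are chosen for this example; it takes dotted decimal input and raises on a non-contiguous mask or when the requested subnets and hosts do not fit in the available host bits.

```python
def ip_to_int(ip: str) -> int:
    """Dotted decimal -> 32-bit integer, rejecting malformed input."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"invalid IPv4 address: {ip!r}")
    return (int(parts[0]) << 24) | (int(parts[1]) << 16) | (int(parts[2]) << 8) | int(parts[3])


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(ip: str) -> str:
    """Dotted binary, the notation used in the worked example above."""
    return ".".join(f"{(ip_to_int(ip) >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Count the 1s, after checking the mask is contiguous 1s followed by 0s."""
    value = ip_to_int(mask)
    host_part = ~value & 0xFFFFFFFF
    if host_part & (host_part + 1):          # the 0s must form one block at the end
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return bin(value).count("1")


def network_address(ip: str, mask: str) -> str:
    """The bitwise AND the book describes: IP AND mask = network number."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def bits_for_subnets(count: int) -> int:
    """Smallest x with 2^x >= count (question 1)."""
    x = 0
    while 2 ** x < count:
        x += 1
    return x


def bits_for_hosts(count: int) -> int:
    """Smallest y with 2^y - 2 >= count (question 2; network and broadcast excluded)."""
    y = 1
    while 2 ** y - 2 < count:
        y += 1
    return y


def plan_subnets(network: str, prefix: int, subnets_needed: int, hosts_needed: int) -> dict:
    """Answer both questions and list the resulting subnets with their ranges."""
    x = bits_for_subnets(subnets_needed)
    y = bits_for_hosts(hosts_needed)
    if x + y > 32 - prefix:
        raise ValueError(f"need {x} subnet bits + {y} host bits, only {32 - prefix} available")
    new_prefix = prefix + x
    block = 2 ** (32 - new_prefix)              # addresses per subnet
    base = ip_to_int(network) & prefix_to_mask(prefix)
    subnets = []
    for i in range(2 ** x):
        net = base + i * block
        broadcast = net + block - 1
        subnets.append({
            "subnet": f"{int_to_ip(net)}/{new_prefix}",
            "first_host": int_to_ip(net + 1),
            "last_host": int_to_ip(broadcast - 1),
            "broadcast": int_to_ip(broadcast),
        })
    return {
        "prefix": new_prefix,
        "mask": int_to_ip(prefix_to_mask(new_prefix)),
        "hosts_per_subnet": block - 2,
        "subnets": subnets,
    }


if __name__ == "__main__":
    # The book's own example: two subnets of 192.168.0.0/24 with 50 hosts each.
    print(network_address("10.0.0.1", "255.0.0.0"))
    print(plan_subnets("192.168.0.0", 24, subnets_needed=2, hosts_needed=50))
```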

Chapter 6 - Cisco IOS
Cisco Internetwork Operating System (IOS)
Access IOS
Power on IOS device
Command modes in IOS
Get help in IOS
Display IOS command history

Cisco Internetwork Operating System (IOS)
Cisco Internetwork Operating System (IOS) is an operating system used on Cisco devices, such as routers and switches. It is a multitasking operating system that implements and controls the logic and functions of a Cisco device. Cisco IOS uses a monolithic architecture, which means that it runs as a single image and all processes share the same memory space. To configure a Cisco device running IOS, the command-line interface (CLI) is used. The CLI comes with a predefined number of commands and can be used to configure routing, switching, internetworking, and any other feature supported by the Cisco device that is being configured. The CLI is usually accessed from a remote computer running Telnet or SSH. Older versions of Cisco switches ran CatOS, a discontinued CLI-based operating system. IOS has three modes of operation, each with its own set of commands. The modes are:
- user exec mode - when you access an IOS device (using Telnet, SSH, or the console access method), you are initially placed in this mode. This mode is mostly used to view statistics and run commands like ping or telnet. It is represented with the > character after the hostname (for example Router_HQ>).
- privileged exec mode – this mode is accessed by typing the enable command in the user exec mode. This mode is called privileged because it allows you to execute more powerful commands, such as reload. It is represented with the # character after the hostname (for example Router_HQ#).
- global configuration mode - this mode is accessed by typing the configure terminal command from the privileged exec mode. It is used to make global changes to the device and change its configuration. It is represented with the config keyword in parentheses after the hostname (for example Router_HQ(config)#). The global configuration mode can have many submodes. For example, if you want to configure an interface on the device, you will need to enter the interface submode.
Here is an example IOS session on a Cisco router:

Access IOS

There are three methods to access an IOS device: the console, Telnet, and SSH. Telnet and SSH enable access using the TCP/IP network on which the device resides, while console access requires physical access to the device. Here is a brief description of each method:
- console access - typically used for the initial IOS configuration, this type of access uses a physical port on an IOS device to establish the connection. The physical port is usually located at the back of the device and can be connected to a serial port on the PC using a rollover cable (image source: Cisco):

- Telnet access - this type of access doesn’t require physical access to the device. Instead, you can access and configure the device over the TCP/IP network. To use Telnet, your PC needs to have a Telnet client installed. The IOS device needs to be configured as a Telnet server and have an IP address. Note that Telnet sends all data in clear text, so this method of access is not widely used anymore.
- SSH access - like Telnet, this access type enables you to configure an IOS device remotely from your PC, but it adds an extra layer of security by encrypting all communications between the devices. Your PC needs to have an SSH client installed (e.g. PuTTY), and the IOS device that is being accessed needs to be configured as an SSH server.

Power on IOS device
When you first power on a newly purchased Cisco device, it will perform a power-on self-test (POST) to discover the hardware components and verify that all components work properly. If the POST is successful, the device will enter the setup mode. This mode will present a step-by-step dialog to help you configure some basic parameters, such as the device hostname, passwords, interface IP address, etc. To enter the setup mode, power on your device and type yes when prompted to make a selection:

The dialog guides you through the initial configuration of your device and will create an initial configuration file. The setup mode is useful when you are unfamiliar with the IOS CLI, but once you learn the basics of the CLI, you probably won’t use this mode ever again. You can enter the setup mode at any time from the command line by typing the setup command from the privileged mode. To exit the setup mode without saving any changes, press CTRL+C.

Command modes in IOS
We’ve already learned that IOS has three main command modes: the user exec, privileged exec, and global configuration modes. Each of these modes serves a different purpose and has its own set of commands. In this lesson we will describe each mode.
User exec mode

The user exec mode is the default mode for the CLI. This is the prompt you are placed in when you access the device using the Telnet, SSH, or console access method. This mode is the least privileged mode in IOS and it is used mainly to view statistics and perform basic network tests using tools such as ping or traceroute. The prompt for this mode is the device hostname, followed by an angle bracket (>):

To view the list of commands available in a mode, use the ? character.
Privileged exec mode
The privileged exec mode allows you to execute all available exec mode commands. It is accessed by typing the enable command from the user exec mode and can be password protected. In this mode, you can save the device configuration, show interface statistics, and even reboot the device. The prompt for this mode is the device hostname followed by the pound sign (#):

Note that we have used the enable command from the user exec mode to enter the privileged exec mode. We were then asked to provide the password. Notice how the prompt has changed from > to #.
Global configuration mode
The commands in the global configuration mode usually apply to features that affect the system as a whole (hence the name global). In this mode you can make global changes to the device you are configuring, such as configuring a new hostname, setting up banners and passwords, configuring authentication, etc. You can access this mode by typing the configure terminal command from the privileged exec mode. The prompt for this mode is the device hostname, followed by the term config in parentheses:

Note that we’ve used the configure terminal command from the privileged exec mode to enter the global configuration mode. The prompt has changed from # to (config)#.
Configuration modes and submodes
From the global configuration mode you can access various configuration modes or submodes. For example, to configure an interface on your device, you would have to access the mode of that interface. The interface mode contains commands relevant to the interface being configured. For example, to access the interface mode for the Fast Ethernet interface on a Cisco router, type the interface FastEthernet 0/0 command from the global configuration mode:

Notice how the prompt changed to (config-if). To get back to the global configuration mode, type the exit command.

Get help in IOS
You’ve probably noticed that you can use the question mark to display a list of commands available in the prompt you are in:

If the output spans more than one page, press the spacebar to display the following page of commands, or press Enter to go one command at a time. To quit the output, press q. To display only commands that start with a particular character or a string of characters, type the letters and then press the question mark:

In the picture above you can see that we’ve displayed all commands that start with de. If the command is more than one word long, you can use the question mark to display the keywords that can follow the part of the command you have typed so far:

In the picture above you can see that we’ve displayed all commands that can follow the command debug. We then displayed all commands that can follow the command debug eigrp. You can also autocomplete a command. Just type the first few characters and press Tab. If there is only a single match, IOS will complete the command. You don’t have to type an entire word to finish a command. You can type just the first letter or a couple of letters, and if there is only a single match, IOS will understand what you are trying to accomplish. For example, you can type sh ip int b instead of the longer version, show ip interface brief:

Note that we were able to execute the command above because each set of characters had only one match in the list of commands. If we had typed sh ip in b instead, IOS would not have understood our intention:

The % Ambiguous command: “show ip in b” was displayed because the third keyword, in, has more than one meaning (inspect or interface).

Display IOS command history
Cisco IOS maintains a record of commands issued by the user. You can view the list of commands that you have entered before with the show history command. By default, the show history command displays the last 10 commands issued:

You can also recall commands by using the arrow keys: the up arrow recalls the last command entered (and older commands with each further press), while the down arrow moves back towards the more recently entered commands. To display the current terminal history size, you can use the show terminal command:

You can change the number of commands saved in the history buffer for the current terminal session. The command to do so is terminal history size NUMBER. It is invoked from the user exec or privileged exec mode:

Chapter 7 - IOS commands
Configure the hostname in IOS
Configure banners in IOS
Configure passwords in IOS
service password-encryption command
Configure descriptions in IOS
Run privileged commands in global config mode
Interfaces on an IOS device
Configure an IP address for an interface
Pipe function in IOS
Memory on a Cisco device
Configuration files on an IOS device
IOS show command
Boot sequence of a Cisco device
Back up IOS configuration
Configure DHCP server on a Cisco router
Configure NTP on a Cisco device
Use Cisco Discovery Protocol (CDP)
Mapping hostnames to IP addresses
Configure DNS on a Cisco device
Use extended ping
traceroute command in IOS
debug command in IOS
Use telnet
Show running processes

Configure the hostname in IOS
You can use the global configuration mode hostname command to configure an IOS device hostname. The hostname you specify is only locally significant, meaning that it doesn’t affect the DNS name resolution process. Generally, it is a good idea to name your device to reflect its physical location. Here are the steps to change an IOS device’s hostname:
1. Log in to your IOS device and enter the privileged exec mode by entering the enable command. Provide the correct username and password if required:

2. Enter the global configuration mode by typing the configure terminal command (or the shortcut conf t) in the privileged exec mode:

3. To change the hostname, type the hostname command followed by the name you would like to configure. Notice how the prompt has changed:

Hostnames should follow the ARPANET rules. They should start with a letter, end with a letter or digit, contain only letters, digits, and hyphens, and be 63 characters or fewer.

Configure banners in IOS
Banners are displayed to users accessing the IOS device. They often contain some legal information, such as informing a person that only authorized users are allowed to access the device. The most widely used banners are the Message Of The Day (MOTD) banners. They are shown before the login prompt to users accessing the device. Because this banner is displayed to all terminals connected, it is useful for sending messages that affect all users (such as system shutdowns).

The MOTD banner is configured in the global configuration mode by using the banner motd DELIMITING_CHARACTER TEXT DELIMITING_CHARACTER command. The delimiting character informs the device that the message is done and can be anything you like (it is usually a pound sign - #). Here is an example:

The banner above will be displayed before the login prompt to all users connecting to the device:

You can also configure a login banner. This banner will appear after the MOTD banner but before the login prompt. It is configured using the global configuration command banner login DELIMITING_CHARACTER TEXT DELIMITING_CHARACTER. Another type of banner you can configure is the exec banner. This banner is displayed to the user after the authentication process. The global configuration command banner exec DELIMITING_CHARACTER TEXT DELIMITING_CHARACTER is used to create the exec banner.

Configure passwords in IOS
You can define four types of passwords in order to prevent unauthorized access to an IOS device:
1. console password – by default, the console access method doesn’t require a password. You can change that using the following commands:
DEVICE(config)# line console 0 – enters the console line configuration mode.
DEVICE(config-line)# password PASSWORD – specifies the password.
DEVICE(config-line)# login – requires the password to be entered when accessing the device through this line.

Note that the user is now forced to enter the password to access the device through the console port:

2. telnet password – Telnet access is disabled by default on IOS devices. To enable it, enter the following commands:
DEVICE(config)# line vty FIRST_VTY LAST_VTY – IOS devices typically have 16 VTY lines. This means that 16 concurrent Telnet or SSH sessions can be established. The numbering starts from 0, so this line usually looks like this: line vty 0 15
DEVICE(config-line)# password PASSWORD
DEVICE(config-line)# login

3. enable password – you can configure an IOS device to require a password before entering the privileged exec mode. This can prevent an unauthorized user from entering the global configuration mode and changing the configuration of the device. Note that the configured password is stored in the device configuration in clear text. The enable password is set using the following command:
DEVICE(config)# enable password PASSWORD

The user will be prompted to provide the password when trying to access the privileged exec mode:

4. enable secret password – this command serves the same purpose as the enable password command, but with one major difference – the configured password is stored in encrypted form. The following command is used to configure the enable secret password:
DEVICE(config)# enable secret PASSWORD

If you enter the enable secret command, it takes precedence over the enable password command.

service password-encryption command
All passwords configured on an IOS device, with the exception of the password configured with enable secret, are stored in clear text in the device configuration file. This means that all an attacker needs to do to find out the passwords is to run the show running-config command:

Notice how console and VTY passwords are displayed in clear-text. To encrypt them, you can use the service password-encryption global configuration command:

Notice how passwords are now stored in encrypted form:

Although somewhat useful, this method of password encryption is not considered to be especially secure, since there are tools that can crack it. Use the service password-encryption command together with additional security measures.
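As an added example (not from the book), the following Python audits a saved running configuration for the weaknesses described in this section: clear-text line and enable passwords, a missing service password-encryption command, reversible type 7 strings, and Telnet left enabled on the VTY lines. The two configurations inside it are constructed, with placeholder password strings and a placeholder hash rather than real values.

```python
import re
from dataclasses import dataclass

# Constructed sample configurations. The password strings and the hash are
# obvious placeholders, not real credentials or a real hash.
WEAK_CONFIG = """\
hostname Router_HQ
no service password-encryption
enable password EXAMPLE_ENABLE_PASSWORD
line con 0
 password EXAMPLE_CONSOLE_PASSWORD
 login
line vty 0 15
 password EXAMPLE_VTY_PASSWORD
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname Router_HQ
service password-encryption
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
line con 0
 password 7 PLACEHOLDERTYPE7TEXT
 login
line vty 0 15
 password 7 PLACEHOLDERTYPE7TEXT
 login
 transport input ssh
"""

# "password X" / "enable password X", with an optional numeric type (0 = clear, 7 = reversible).
PASSWORD_LINE = re.compile(r"^\s*(enable\s+)?password\s+(?:(\d+)\s+)?(\S+)\s*$")
ENABLE_SECRET = re.compile(r"^\s*enable\s+secret\s+")
TRANSPORT_TELNET = re.compile(r"^\s*transport\s+input\s+.*\btelnet\b")


@dataclass
class Finding:
    severity: str   # HIGH, MEDIUM or LOW
    line_no: int    # 1-based line in the config text; 0 for config-wide findings
    message: str


def audit_passwords(config_text: str) -> list:
    """Return one Finding per weakness found in the configuration text."""
    lines = config_text.splitlines()
    findings = []
    encryption_on = any(l.strip() == "service password-encryption" for l in lines)
    has_enable_secret = any(ENABLE_SECRET.match(l) for l in lines)

    if not encryption_on:
        findings.append(Finding("MEDIUM", 0, "service password-encryption is not enabled; "
                                "line passwords are kept in clear text in the configuration"))
    for no, line in enumerate(lines, start=1):
        m = PASSWORD_LINE.match(line)
        if m:
            is_enable, ptype = m.group(1) is not None, m.group(2)
            where = "enable password" if is_enable else "line password"
            if ptype in (None, "0"):
                if is_enable and has_enable_secret:
                    # enable secret takes precedence, so this value is never used.
                    findings.append(Finding("LOW", no, "clear-text enable password is present but "
                                            "superseded by enable secret; remove it"))
                else:
                    findings.append(Finding("HIGH", no, f"{where} stored in clear text "
                                            "(readable with show running-config)"))
            elif ptype == "7":
                findings.append(Finding("MEDIUM", no, f"{where} uses type 7 encoding, which is "
                                        "reversible; rely on enable secret and further controls"))
            continue
        if TRANSPORT_TELNET.match(line):
            findings.append(Finding("LOW", no, "Telnet accepted on vty lines; "
                                    "Telnet sends credentials in clear text"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'HIGH': 3, 'MEDIUM': 1, 'LOW': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, summarize(audit_passwords(cfg)))
        for f in audit_passwords(cfg):
            print(f"  [{f.severity}] line {f.line_no}: {f.message}")
```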

Configure descriptions in IOS

Adding a description to a port doesn’t provide any extra functionality, but it is useful for administrative purposes, since it will help you to remember the port function. A description of an interface is locally significant and can be up to 240 characters long. It can be set using the description command from the interface submode:
DEVICE(config)# interface Fa0/1
DEVICE(config-if)# description WAN to London

The description is displayed in the output of the show running-config command:

To erase the description, use the no description interface mode command (or the shortcut no desc):

Run privileged commands in global config mode
Beginning with IOS version 12.3, privileged exec mode commands (such as show running-config, show interface status, etc.) can be executed within the global configuration mode and its submodes. This allows you to execute privileged exec mode commands without needing to exit the current configuration mode. Here is an example that explains the usefulness of this feature:

In the example above you can see that we’re currently in the interface mode. We want to get more information about the interface with the show interface Fa0/1 command, but we got an error because the command is not available in this mode. However, if we use the do keyword in front of the command, the command will succeed:

The command was now found and executed because of the do keyword. Notice that we’re still in the interface submode and we can continue with the interface configuration.

Interfaces on an IOS device
Cisco uses the term interface to refer to physical ports on an IOS device. Interfaces can be configured with different settings, depending on the type of the interface and whether you are configuring an interface on a router or on a switch. For example, the Cisco 7201 Router has four GE physical ports (image source: Cisco):

To display the router interfaces in IOS, use the show ip int brief command from the privileged exec mode:

Consider the output for the Fa0/0 interface:

Here is a brief description of each column:
- Interface – displays the type of the interface, in this case Fast Ethernet 0/0. The first zero specifies the physical slot on the router, while the second specifies the port number.
- IP-Address – displays the interface’s IP address.
- OK? – YES in this column signifies that the IP address is currently valid.
- Method – manual means that the interface has been manually configured. DHCP in this column means that the interface has been configured using DHCP.
- Status – up indicates that the interface is administratively up.
- Protocol – up indicates that the interface is operational.
To configure a specific interface, use the interface TYPE SLOT/PORT command from the global config mode. This puts us in the interface submode, where we can configure various interface options:

In the example above you can see that we’ve configured the speed of the interface. By default, all ports on a Cisco switch are up and running as soon as you power on the device. This means that all you need is to connect your devices to the switch and you are good to go. This isn’t the case with Cisco routers, however. You need to manually enable each interface on a router with the no shutdown interface mode command:

Configure an IP address for an interface Cisco routers are almost useless without an IP address configured on one or more of their interfaces. To configure an IP address for an interface, use the ip address ADDRESS SUBNET_MASK interface mode command:

In the picture above you can see that we have configured the Fa0/0 interface with the IP address of 192.168.5.44. We also had to specify the subnet mask: 255.255.255.0. If you run the show ip interface brief privileged mode command, you should see the IP address you’ve just configured:

Don't forget to enable the interface with the no shutdown command. Also note that you can't configure an IP address on a physical port of a Layer 2 switch; those ports forward frames and have no Layer 3 address. A Layer 2 switch gets its management IP address on a VLAN interface (interface vlan 1 by default) instead. To remove an IP address from an interface, just use the keyword no in front of the ip address command:

Pipe function in IOS Cisco IOS supports the pipe function (represented by the | character) to filter the output of show commands. The pipe takes the output of the command and passes it to a filter such as begin, include, exclude or section, each of which takes a regular expression. This way you can pick out only the part of the output that interests you. Here are a couple of examples:

In the picture above you can see that we've entered the show running-config | begin interface command. This command starts the output from the first occurrence of the word interface. Another example, this time with include:

As you can see from the example above, the include filter displays only the lines that contain the word password. This is also a quick way to audit a device for line passwords stored in the clear: service password-encryption only obfuscates them with the reversible type 7 scheme, so the privileged password should always be set with enable secret instead.

To display only the section of the configuration about a certain feature, use the section filter:

You can see in the example above that the command displayed only the vty section of the running configuration. Cisco Packet Tracer doesn't support the pipe function; the examples above were created in GNS3.
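The begin, include, exclude and section filters are simple enough to reimplement, which is handy when you have saved configurations to search offline. The following Python script is an added example written for this edition, not code from the book or from Cisco; it works on a constructed sample running-config embedded in the script and also shows the audit use of include mentioned above (finding line passwords that are stored in the clear). The section implementation relies on the one-space indentation that IOS uses for subordinate lines.

```python
import re

# Constructed sample running-config for the example (not taken from the book).
# The layout mimics IOS: top-level commands start in column 1, subordinate
# lines are indented by one space, and "!" separates sections.
RUNNING_CONFIG = """\
version 15.1
hostname R1
!
enable secret 5 $1$abcd$n0tARealHash
!
interface FastEthernet0/0
 ip address 192.168.5.44 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 shutdown
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet
!
end
"""


def pipe_begin(config: str, pattern: str) -> list[str]:
    """'| begin PATTERN': everything from the first line matching the regex onward."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if re.search(pattern, line):
            return lines[i:]
    return []


def pipe_include(config: str, pattern: str) -> list[str]:
    """'| include PATTERN': only the lines matching the regex."""
    return [line for line in config.splitlines() if re.search(pattern, line)]


def pipe_exclude(config: str, pattern: str) -> list[str]:
    """'| exclude PATTERN': every line except those matching the regex."""
    return [line for line in config.splitlines() if not re.search(pattern, line)]


def pipe_section(config: str, pattern: str) -> list[str]:
    """'| section PATTERN': each top-level line matching the regex together with
    the indented lines that belong to it (so 'section vty' gives the VTY block).
    Blocks are delimited by indentation, which is how IOS lays the config out."""
    out: list[str] = []
    keep = False
    for line in config.splitlines():
        if not line.startswith(" "):            # a new top-level command
            keep = re.search(pattern, line) is not None
        if keep:
            out.append(line)
    return out


def cleartext_password_lines(config: str) -> list[tuple[str, str]]:
    """Audit helper: (enclosing top-level command, line) for every 'password'
    line, i.e. a password stored in the clear or type-7 obfuscated rather than
    hashed the way 'enable secret' is."""
    found: list[tuple[str, str]] = []
    header = ""
    for line in config.splitlines():
        if not line.startswith(" "):
            header = line
        if re.match(r"^\s*(?:enable )?password\s", line):
            found.append((header, line.strip()))
    return found


if __name__ == "__main__":
    print("\n".join(pipe_section(RUNNING_CONFIG, r"^line vty")))
    for header, line in cleartext_password_lines(RUNNING_CONFIG):
        print(f"{header}: {line}")
```

Run it and it prints the VTY block followed by every password line together with the block it belongs to, which is what show running-config | section vty and show running-config | include password give you on the device.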

Memory on a Cisco device Cisco devices usually have four types of memory:
ROM (read-only memory) - stores the bootstrap program. This program is loaded when the device first powers on and is used to find the Cisco IOS image and manage the process of loading the IOS into RAM.
RAM (random access memory) - the working memory, including the running configuration of an IOS device. This type of memory loses its content when the device loses power.
NVRAM (nonvolatile RAM) - stores the startup configuration file. This type of memory retains its content even after the device loses power.
Flash memory - stores IOS software images and other files (e.g. backup configuration files). It can be a chip inside the device or a removable memory card. This type of memory retains its content even after the device loses power.
To display the content of the flash memory on your device, use the show flash: command:

Configuration files on an IOS device IOS devices store configuration commands in a configuration file. The two main configuration files are:

the startup config - stores the initial configuration that will be used when you power on or reboot the device. The startup configuration file is stored in NVRAM (nonvolatile RAM), so it is retained even after the device loses power. To display the startup configuration of your device, run the show startup-config command (the output has been truncated):

the running config - stores the current configuration. Every configuration command that you enter is immediately applied to and stored in the running configuration. This file is stored in RAM, so all configured commands will be lost if the device is restarted. To display the running (current) configuration of your device, run the show running-config command:

To better understand the difference between these two types of configurations, consider the following example:

In the picture above you can see that we've configured an IP address on the router's Fa0/0 interface. This configuration is stored in the running configuration file. To verify that the IP address is indeed applied to the interface, we've then run the show ip interface brief command. But consider what happens if we reboot the device and run the show ip interface brief command again:

Because the running configuration was lost when the device was restarted, no IP address is configured on the interface. To retain the configuration, we need to run the copy running-config startup-config command to copy the running configuration into the startup configuration:

All configuration changes will now be retained, even after the device loses power. So remember to always save your running configuration into the startup configuration before restarting the device. To store the running configuration to the startup configuration, you can also use the write memory command (or the shortcut wr).
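A reload silently rolls the device back to the startup configuration, so the unsaved difference between the two files is worth checking before a maintenance window, and after an incident, where an unsaved change can be a sign of tampering that was meant to disappear on reboot. The Python script below is an added example for this edition, not code from the book; it compares two constructed configuration texts, standing in for the output of show running-config and show startup-config, and reports what a reload would lose and what it would bring back.

```python
# Constructed sample outputs for the example (not taken from the book): the
# startup-config predates the address on Fa0/0 and the VTY password, and the
# running-config no longer shows the interface as shut down.
STARTUP_CONFIG = """\
Using 612 out of 262144 bytes
!
version 15.1
hostname R1
!
interface FastEthernet0/0
 shutdown
!
line vty 0 4
 login
!
end
"""

RUNNING_CONFIG = """\
Building configuration...

Current configuration : 702 bytes
!
version 15.1
hostname R1
!
interface FastEthernet0/0
 ip address 192.168.5.44 255.255.255.0
!
line vty 0 4
 password cisco
 login
!
end
"""

# Header lines that IOS prints before the configuration itself.
NOISE_PREFIXES = ("Building configuration", "Current configuration", "Using ")


def config_entries(config: str) -> set[tuple[str, str]]:
    """Turn a config into a set of (enclosing top-level command, line) pairs,
    so that identical lines under different interfaces are kept apart."""
    entries: set[tuple[str, str]] = set()
    header = ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!" or line.startswith(NOISE_PREFIXES):
            continue
        if not line.startswith(" "):      # top-level command starts a block
            header = line
        entries.add((header, line))
    return entries


def unsaved_changes(running: str, startup: str) -> tuple[list, list]:
    """(lines only in the running-config, which a reload would lose;
        lines only in the startup-config, which a reload would bring back)."""
    run, start = config_entries(running), config_entries(startup)
    return sorted(run - start), sorted(start - run)


def needs_save(running: str, startup: str) -> bool:
    """True when 'copy running-config startup-config' would change anything."""
    added, removed = unsaved_changes(running, startup)
    return bool(added or removed)


if __name__ == "__main__":
    added, removed = unsaved_changes(RUNNING_CONFIG, STARTUP_CONFIG)
    for header, line in added:
        print(f"lost on reload:     [{header}] {line.strip()}")
    for header, line in removed:
        print(f"restored on reload: [{header}] {line.strip()}")
```

Note that the comparison is line-based and context-aware but not semantic: IOS omits defaults such as no shutdown from the printed configuration, which is why the interface's shutdown line simply disappears from the running-config in the sample rather than being replaced.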

IOS show command We've already used a handful of show commands (show running-config, show ip interface brief, show history, etc.) in the previous lessons, so you should be familiar with this command. The show command accepts a lot of parameters:

Here is a brief description of the most commonly used show commands: show running-config - displays the running (current) configuration of your device:

show startup-config - displays the startup configuration of your device:

show history – shows the command history:

show ip interface brief - provides information about the interfaces on a router, including the logical (IP) address and status:

show interface INTERFACE – displays the status of the specified interface:

show version – displays information about the device, such as the IOS version running on the device, number of interfaces, device model, time of the last reboot, amount of memory available on the device, etc:

Boot sequence of a Cisco device The IOS boot sequence is the process performed after an IOS device is powered on. The device performs a power-on self-test (POST) to test its hardware components and then chooses an IOS image to load. The boot sequence comprises the following steps:
1. The device performs the power-on self-test (POST) to discover and verify its hardware components.
2. If the POST is successful, the bootstrap program is copied from ROM into RAM.
3. The bootstrap program decides which IOS image to load (normally from flash memory) into RAM, and then loads it.
4. IOS finds the startup configuration file, usually located in NVRAM, and loads it into RAM as the running configuration. If no startup configuration exists, IOS enters the initial setup dialog instead.

Back up IOS configuration It is a good idea to have a backup copy of your configuration. IOS configurations are usually copied to a TFTP server using the copy command. You can back up both the startup configuration and the running configuration of your device. The copy command accepts two parameters: the first is the from location, and the second is the to location. TFTP is a simple client-server protocol used to send and receive files. Keep in mind that TFTP has no authentication and no encryption: the configuration, including any passwords and keys in it, crosses the network in cleartext, and anyone who can reach the server can read or overwrite the files. Use it only on an isolated management network, or use the scp: or ftp: destinations that the copy command also supports (SCP is both encrypted and authenticated). To back up files to a TFTP server, you will have to set it up first. You can use Packet Tracer to do so; just add a Server to your topology, assign it an IP address and enable the TFTP service:

To back up the startup configuration to a TFTP server, you can use the copy startup-config tftp: command:

To restore the configuration, just switch the order of the parameters: copy tftp: startup-config:

Notice that you will have to specify the filename, along with the IP address of the TFTP server. Also note that copying into startup-config replaces the startup configuration, whereas copy tftp: running-config merges the file into the current running configuration (commands already present are kept), so a restore into the running configuration should be followed by a reload if you want exactly the saved state.

Configure DHCP server on a Cisco router Dynamic Host Configuration Protocol (DHCP) is an application layer protocol used to distribute network configuration parameters, such as IP addresses, subnet masks, default gateways, etc. to devices on a TCP/IP network. DHCP employs a client-server architecture; a DHCP client is configured to request network parameters from a DHCP server. A DHCP server is configured with a pool of available IP addresses and assigns one of them to the DHCP client. A Cisco router can be configured as a DHCP server. Here is how you can do that:
1. Exclude addresses that must never be leased (the router's own interface address, servers, printers) by using the ip dhcp excluded-address FIRST_IP LAST_IP global configuration command.
2. Create a new DHCP pool by using the ip dhcp pool NAME command. This puts you in the DHCP pool configuration submode.
3. Define the subnet from which addresses will be assigned by using the network SUBNET SUBNET_MASK command.
4. Define the default gateway by using the default-router IP command.
5. Define the DNS server by using the dns-server IP command.
6. (Optional) Define the DNS domain name that clients receive by using the domain-name NAME command in the pool submode (ip domain-name, by contrast, is the global command that sets the router's own domain).
7. (Optional) Define the lease duration by using the lease DAYS HOURS MINUTES command. If you don't specify this parameter, the default lease time of one day is used.

In the example above you can see that we've configured the DHCP server with the following parameters:
- the IP addresses from the 192.168.5.0 - 192.168.5.25 range will not be assigned to hosts
- the DHCP pool was created and named HQ_DHCP_SERVER
- the IP addresses assigned to the hosts will be from the 192.168.5.0/24 range
- the default gateway's IP address is 192.168.5.1
- the DNS server's IP address is 192.168.5.1
To view information about currently leased addresses, you can use the show ip dhcp binding command:

In the picture above you can see that we have one DHCP client with the IP address of 192.168.5.26.
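The steps above translate directly into a small generator that also catches the two mistakes most often made by hand: a default router outside the pool's subnet, and a gateway that was never excluded and therefore ends up leased to a client. The Python function below is an added example for this edition, not the book's or Cisco's code; the command syntax it emits is the pool syntax listed above and the sample parameters are those of the HQ_DHCP_SERVER example.

```python
import ipaddress


def build_dhcp_pool(name: str, network: str, excluded: list[tuple[str, str]],
                    default_router: str, dns_server: str, lease_days: int = 1):
    """Return (IOS config lines, number of assignable addresses) for a DHCP
    pool, refusing parameters that would hand out the gateway or addresses
    outside the subnet. 'network' is in prefix form, e.g. "192.168.5.0/24"."""
    net = ipaddress.ip_network(network, strict=True)
    gateway = ipaddress.ip_address(default_router)
    dns = ipaddress.ip_address(dns_server)
    if gateway not in net:
        raise ValueError(f"default-router {gateway} is not inside {net}")

    # Expand every excluded range so that it can be checked against the pool.
    excluded_hosts: set = set()
    for first, last in excluded:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo not in net or hi not in net or int(hi) < int(lo):
            raise ValueError(f"excluded range {first}-{last} is not valid inside {net}")
        excluded_hosts.update(ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1))
    if gateway not in excluded_hosts:
        raise ValueError(f"default-router {gateway} must be excluded or it can be leased")

    lines = [f"ip dhcp excluded-address {first} {last}" for first, last in excluded]
    lines += [
        f"ip dhcp pool {name}",
        f" network {net.network_address} {net.netmask}",
        f" default-router {gateway}",
        f" dns-server {dns}",
        f" lease {lease_days}",
    ]
    # The server never leases the network or broadcast address, so count only
    # host addresses that are not excluded.
    assignable = len(set(net.hosts()) - excluded_hosts)
    return lines, assignable


if __name__ == "__main__":
    config, count = build_dhcp_pool("HQ_DHCP_SERVER", "192.168.5.0/24",
                                    [("192.168.5.0", "192.168.5.25")],
                                    "192.168.5.1", "192.168.5.1")
    print("\n".join(config))
    print(f"{count} addresses available for lease")
```

For the book's parameters the function reports 229 assignable addresses: 254 usable hosts in the /24 minus the 25 excluded host addresses 192.168.5.1 to 192.168.5.25 (192.168.5.0 is the network address and would never be leased anyway).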

Configure NTP on a Cisco device Network Time Protocol (NTP) is an application layer protocol used for clock synchronization between computers on a TCP/IP network. The goal of NTP is to ensure that all devices on a network agree on the time, since even a small difference can create problems (log correlation during an incident, certificate validity checks and time-based access lists all depend on accurate clocks). NTP uses a client-server architecture; one host is configured as the NTP server and all other hosts on the network are configured as NTP clients. Cisco routers and switches can be configured as both NTP clients and NTP servers. To configure your device as an NTP client, use the following command: DEVICE(config)# ntp server IP_ADDRESS
Because anyone who can feed a device a false time can invalidate certificates or make log timelines useless, production devices should authenticate their time source: enable ntp authenticate, define a key with ntp authentication-key NUMBER md5 KEY, mark it trusted with ntp trusted-key NUMBER, and reference it on the server line (ntp server IP_ADDRESS key NUMBER).

To define a version of NTP, add the version NUMBER keywords at the end of the command (for example, ntp server 192.168.5.27 version 3). To verify NTP functionality, use the show ntp status command:

To configure your device as an NTP server, use the following command: DEVICE(config)# ntp master [STRATUM]
The optional stratum (1 to 15, default 8) tells clients how far the device is from an authoritative reference clock; a lower number is preferred. On the client side, show ntp associations lists the configured servers and whether the device has synchronized to one of them.

Use Cisco Discovery Protocol (CDP) Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol used to discover basic information about directly attached routers and switches. With CDP, an administrator can gather hardware and protocol information about neighbor devices, which can be helpful when troubleshooting or documenting the network. To discover information, Cisco devices send CDP messages out each of their interfaces (every 60 seconds by default, with a holdtime of 180 seconds). These messages contain information about the device that sent the CDP message, such as the hostname, network and data link addresses, the device model, IOS version, etc. That information is just as useful to an attacker, since it reveals exact platforms and software versions, so CDP should be disabled on interfaces facing untrusted devices with the no cdp enable interface command (or globally with no cdp run) and kept only on links between infrastructure devices. To display information about directly connected devices, use the show cdp neighbors command:

As you can see from the example above, there is one directly connected device. Here is a description of each field of the output:
Device ID - the hostname of the directly connected device, in this case HQ_SWITCH.
Local Interface - the local interface on which the CDP messages were received (Fa0/1 in this case).
Holdtime - the amount of time the local device will keep the information before discarding it if no more CDP packets are received.
Capability - the capability of the directly connected device: is it a router or a switch? In this case the letter S indicates that the directly connected device is a switch. The letter R would indicate a router.
Platform - the hardware platform (model) of the neighbor, a 2950 series switch in this case.
Port ID - the neighbor device's interface on which the CDP packets were sent, in this case Fa0/5.
To get even more information about your neighbors, including the IOS version and IP addresses, use the show cdp neighbors detail command:

IEEE has developed a vendor-neutral link layer protocol called Link Layer Discovery Protocol (LLDP) as an alternative to CDP. LLDP is disabled by default on IOS (it is enabled with lldp run) and discloses the same kind of information, so it should be treated the same way.

Mapping hostnames to IP addresses You can define static hostname-to-address mappings on your IOS device in order to provide name resolution. This is usually done in environments without a DNS server. The mappings are defined by using the global configuration command ip host HOSTNAME IP_ADDRESS, like in this example:

In the example above we’ve defined an IP address of 192.168.5.27 for the hostname HQ_SERVER. To display the hostname-to-address mappings, run the show hosts command:

To verify that the hostnames are being resolved, we will ping the other device using the hostname:

You can see that the other device has responded, which means that the name resolution was successful. The drawback of this method of name resolution is that you need to create static hostname-to-address mapping on each device in order to be able to resolve names. If possible, use DNS instead.

Configure DNS on a Cisco device DNS is used to resolve hostnames to IP addresses. If you have a DNS server on your network, you can configure your Cisco IOS device to use it for name resolution. Here are the steps:
1. (Optional) If you've previously disabled DNS lookups on your device (no ip domain-lookup), re-enable them with the ip domain-lookup command.
2. Specify the IP address of your DNS server by using the ip name-server command. You can specify up to six DNS servers.
3. (Optional) Specify the domain name to append to the hostnames you type by using the ip domain-name command.

In the picture above you can see that we’ve specified the IP address of our DNS server. Let’s try to ping a host named fileshare using its hostname:

Use extended ping The ping command is used to test the reachability of devices on a TCP/IP network. Cisco IOS also supports the extended ping command, which enables you to perform a more advanced check of host reachability and network connectivity. For example, with extended ping you can set the source IP address to any IP address on the router, the number of ping packets, a different timeout interval, etc. The extended ping command is invoked from the privileged exec mode by typing ping and pressing Enter. The following parameters can be modified:
Protocol [ip] - the protocol, such as appletalk, clns, ip, novell, apollo, vines, decnet, or xns. The default is ip.
Target IP address - the IP address or hostname of the host you want to ping.
Repeat count - the number of ping packets that will be sent to the destination address. The default is 5.
Datagram size - the size of the ping packet in bytes. The default is 100 bytes.
Timeout in seconds - the timeout interval. The default is 2 seconds. The echo reply must arrive before the timeout expires for the ping to count as successful.
Extended commands - whether or not the additional questions below are asked. The default is no.
Source address or interface - the interface or IP address of the router to use as the source address of the ping packets.
Type of service - the Type of Service (ToS) value in the IP header. The default is 0.
Set DF bit in IP header? - whether the Don't Fragment (DF) bit will be set on the ping packet. If yes, the packet may not be fragmented along the path. The default is no.
Validate reply data? - whether to validate the reply data. The default is no.
Data pattern - the data pattern in the payload. Data patterns are used to troubleshoot framing errors and clocking problems on serial lines. The default is 0xABCD.
Loose, Strict, Record, Timestamp, Verbose - the IP header options.
Sweep range of sizes - the sizes of the ping echo packets that are sent. This parameter is used to determine the minimum MTU configured on the nodes along the path to the destination address. The default is no. Combined with the DF bit, a sweep finds the largest packet that gets through without fragmentation.
The extended ping command is most often used to change the source IP address of the ping echo packets. Consider the following example:

By default, routers choose the IP address of the outgoing interface as the source IP address for ping echo packets. This means that R2 will use the IP address of its Fa0/1 interface (10.0.0.1) as the source IP address for its ping packets. We can run the extended ping command to change the source IP address to the IP address of the R2 Fa0/0 interface (192.168.5.1). This is done to verify that R1 has a route back to the 192.168.5.0/24 network (in other words, that it knows where to send packets destined for 192.168.5.0/24):

In the picture above you can see that echo replies were received. This means that R1 knows that packets destined for 192.168.5.0/24 should be sent out its Fa0/0 interface.

traceroute command in IOS The traceroute command in Cisco IOS is used to identify the path a packet takes to reach its target. It lists the routers in the path from the source host to the destination host and is useful when troubleshooting network problems. Using this command you can figure out which router in the path to an unreachable target should be examined more closely as the probable cause of the failure. Consider the following example:

In the picture above we have a network of four routers. The network is functional. Consider what happens when we issue the traceroute command on R1 to the IP address of the router R4 Fa0/0 interface (172.16.0.2):

You can see that the traceroute command has listed the IP addresses of all of the routers in the path. Now consider what happens if R3 fails:

Note that there is no response from R3 (192.168.5.2). Using this information, we can assume that there is a problem with R3 and investigate. The !H in the output indicates that the host is unreachable. The characters that can appear in the traceroute output are:
number of milliseconds - the round-trip time in milliseconds.
* - the probe has timed out.
A - administratively prohibited (for example, by an access list).
Q - source quench (the destination is too busy).
I - user interrupted the test.
U - the port is unreachable.
H - the host is unreachable (shown as !H above).
N - the network is unreachable.
P - the protocol is unreachable.
T - timeout.
? - unknown packet type.
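When you collect traceroute output from many devices, the interesting bit is the first hop that stopped answering and the last one that did. The Python script below is an added example for this edition, not code from the book; it parses a constructed IOS traceroute output in which the hop after R2 no longer responds, using the probe codes listed above.

```python
import re

# Constructed IOS traceroute output for the example (not from the book): the
# hop after R2 (10.0.0.2) no longer answers, as when R3 fails in the text.
TRACE_OUTPUT = """\
Type escape sequence to abort.
Tracing the route to 172.16.0.2

  1 10.0.0.2 4 msec 2 msec 3 msec
  2  *  *  *
  3  *  *  *
"""

# Meaning of the one-character probe results listed in the lesson.
PROBE_CODES = {
    "*": "probe timed out",
    "A": "administratively prohibited",
    "Q": "source quench",
    "I": "user interrupted",
    "U": "port unreachable",
    "H": "host unreachable",
    "N": "network unreachable",
    "P": "protocol unreachable",
    "T": "timeout",
    "?": "unknown packet type",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_hops(output: str) -> list[tuple]:
    """-> [(hop number, responding address or None, probe results)], where a
    probe result is a round-trip time in ms (int) or a one-character code."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                          # banner and blank lines
        tokens = m.group(2).split()
        addr = None
        probes: list = []
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.isdigit() and i + 1 < len(tokens) and tokens[i + 1] == "msec":
                probes.append(int(tok))       # an RTT such as "4 msec"
                i += 2
            elif tok.lstrip("!") in PROBE_CODES:
                probes.append(tok.lstrip("!"))  # "*", "!H", "H", ...
                i += 1
            elif addr is None:
                addr = tok                    # the responding router's address
                i += 1
            else:
                i += 1                        # anything else is ignored
        hops.append((int(m.group(1)), addr, probes))
    return hops


def first_unresponsive_hop(hops):
    """(hop number, last address that answered) for the first hop where no
    probe returned an RTT, or None when every hop answered."""
    last_answered = None
    for number, addr, probes in hops:
        if not any(isinstance(p, int) for p in probes):
            return number, last_answered
        last_answered = addr
    return None


def explain(probes) -> list[str]:
    """Human-readable meaning of each probe result."""
    return [f"{p} ms" if isinstance(p, int) else PROBE_CODES[p] for p in probes]


if __name__ == "__main__":
    hops = parse_hops(TRACE_OUTPUT)
    for number, addr, probes in hops:
        print(number, addr, explain(probes))
    print("first silent hop, last responder:", first_unresponsive_hop(hops))
```

A silent hop is not proof that the router there is down (it may simply be configured not to answer traceroute probes while still forwarding), so the result is where to start looking, as the lesson says, not a verdict.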

debug command in IOS The debug command is used to display information about the device's operations, generated or received traffic, and any error messages. The information is provided in real time until the user disables debugging or the device is reloaded. Debugging takes a lot of CPU time and should be used sparingly in production environments; it is meant as a troubleshooting tool for short periods only. You can choose to debug only specific events, for example EIGRP information, received ICMP messages, etc. Consider the following example:

In the picture above you can see that we've enabled debugging only for ICMP events, such as pings, with the debug ip icmp command. In this example you can see that R1 has responded to the device with the IP address 10.0.0.1 with five echo reply packets. To disable debugging of ICMP events, simply re-enter the command with the no keyword in front of it:

You can enable debugging of everything happening on your device by issuing the debug all command (do not use this command on production devices, since it can produce a lot of output and cause your device to crash!):

To disable this command, type the undebug all command (or the un all shortcut).

Use telnet Telnet is an application protocol that allows a user to communicate with a remote device. A user on a client machine can use a program (a Telnet client) to access the command-line interface of another, remote machine running a Telnet server. Cisco IOS offers both a Telnet client and a Telnet server. You can use the built-in telnet client to access a remote device by invoking the telnet IP_ADDRESS command:

In the picture above you can see that we've used the telnet command on R2 to telnet into R1 (notice that the prompt has changed from R2# to R1>). All issued commands will be executed on R1. To suspend a Telnet session and return to the CLI of your device, press Ctrl+Shift+6 and then X. To return to the Telnet session you've suspended, press Enter twice. To close a telnet session, type the exit command. The telnet server is disabled by default on IOS devices. To enable it, enter the following commands:
DEVICE(config)# line vty FIRST_VTY LAST_VTY - IOS devices typically have 16 VTY lines, so 16 concurrent Telnet or SSH sessions can be established. The numbering starts from 0, so this line usually looks like this: line vty 0 15
DEVICE(config-line)# password PASSWORD - sets the password for telnet access.
DEVICE(config-line)# login - tells the line to prompt for that password on remote access.
Keep in mind that Telnet sends the login password and every command in cleartext, so anyone who can capture traffic on the path can read them. On a production device, restrict the VTY lines to SSH with the transport input ssh line command and limit the permitted source addresses with an access-class; use Telnet only in a lab.

Show running processes If your IOS device is suffering from high CPU usage, you can use the show processes command to display all running processes and determine the cause of the problem. This command gives you a list of active processes, along with their process ID, priority, CPU time used, number of times invoked, etc:

The first line of the output shows the CPU utilization for the last 5 seconds, 1 minute, and 5 minutes. Here is a description of the other columns in the output:
PID - the process ID.
Q - the process queue priority. Possible values are: C (critical), H (high), M (medium), and L (low).
Ty - the scheduler test (status). Possible values are:
  * (currently running)
  E (waiting for an event)
  S (ready to run, voluntarily relinquished processor)
  rd (ready to run, wakeup conditions have occurred)
  we (waiting for an event)
  sa (sleeping until an absolute time)
  si (sleeping for a time interval)
  sp (sleeping for a time interval, alternate call)
  st (sleeping until a timer expires)
  hg (hung; the process will never execute again)
  xx (dead: the process has terminated, but has not yet been deleted)
PC - the current program counter.
Runtime - CPU time the process has used, in milliseconds.
Invoked - the number of times the process has been invoked.
microSecs - CPU time, in microseconds, for each process invocation.
Stacks - the low-water mark / total stack space available, in bytes.
TTY - the terminal that controls the process.
Process - the name of the process.

Chapter 8 - IP routing IP routing explained Routing table explained Directly connected routes Static routes Dynamic routes Types of routing protocols Administrative distance (AD) explained Routing metric explained

IP routing explained The term IP routing refers to the process of taking a packet from one host and sending it to another host on a different network. The routing process is usually done by devices called routers. You probably have such a device at home, providing you with Internet access. Routers examine the destination IP address and make their routing decisions accordingly. To determine which interface the packet will be forwarded out of, routers use routing tables, which list all networks for which routes are known. Consider the following example:

In the example above we have a simple network of two computers and a router. Host A wants to communicate with Host B. Because the hosts are on different subnets, Host A sends its packet to the default gateway (the router). The router receives the packet, examines the destination IP address, and looks into its routing table to figure out which interface the packet will be sent out of. It then sends the packet to Host B. A default gateway is a router that connects hosts to other networks. Hosts on a LAN are configured to send all packets destined for remote networks to the default gateway. Here is the routing table on R1:

Notice how the packets destined for the 10.0.0.0/8 network will be sent out the Fast Ethernet 0/1 interface. The router knows this information because routing tables are automatically populated with directly connected routes (in fact, the letter C indicates that the route is a directly connected route). Routes can also be statically configured or learned using routing protocols.

Routing table explained Routers examine the destination IP address of a received packet and make routing decisions accordingly. To determine which interface the packet will be sent out of, routers use routing tables. A routing table lists all networks for which routes are known. Each router's routing table is unique and is stored in the RAM of the device. When a router receives a packet that needs to be forwarded to a host on another network, it examines the destination IP address and looks up the matching routing information in the routing table. When several entries cover the destination, the most specific one (the longest subnet mask) is used. Each routing table entry consists of the following fields:
- the network and the subnet mask - the range of IP addresses the entry covers.
- the next-hop router - the IP address of the router used to reach that network (absent for directly connected networks).
- the outgoing interface - the interface the packet should go out of to reach the destination network.
Consider the following example:

In the example above we have a network of two computers and a router. Host A wants to communicate with Host B. Because the hosts are on different subnets, Host A sends its packet to the default gateway (the router). The router receives the packet, examines the destination IP address, and looks into its routing table to figure out which interface the packet will be sent out of. The show ip route command can be used to show the routing table of the router:

This is the entry that will be used to route the packet:

The line above specifies that each packet destined for the 10.0.0.0/8 network will be sent out the Fa0/1 interface. Here is a description of each field:
C - stands for connected. Each directly connected network is automatically added to the routing table.
10.0.0.0/8 - the range of IP addresses for which the route will be used, in this case all IP addresses from 10.0.0.0 to 10.255.255.255.
FastEthernet0/1 - the interface the packet will be sent out of in order to reach the destination network.
Three methods are used to populate a routing table:
- directly connected networks are added automatically
- static routing
- dynamic routing
Note that routing tables are not specific to Cisco devices. Even your Windows operating system has a routing table, which can be displayed using the route print command:

Directly connected routes Directly connected networks are added to the router's routing table if the interface connected to the network has an IP address configured and is in the up/up state. Connected routes always take precedence over static or dynamically learned routes because they have an administrative distance of 0 (the lowest possible value). The administrative distance is the first criterion a router uses to decide which route to use when two sources provide route information for the same destination. Because directly connected routes have the lowest possible administrative distance, they will always be placed in the routing table. We will learn about the administrative distance in a later lesson. Consider the following example network:

In the picture above you can see that both routers are directly connected to two networks. Here is the routing table of R1:

The routing table of R2:

In the pictures above you can see that both routers know about the 172.16.0.0/24 network because they are both directly attached to it. R1 also knows about 10.0.0.0/24, while R2 knows about 192.168.0.0/24. Note, however, that R1 doesn't know about the 192.168.0.0/24 network and R2 doesn't know about 10.0.0.0/24. In fact, if R1 receives a packet destined for the 192.168.0.0/24 network, it will discard it because it has no information about that network in its routing table and doesn't know where to route the packet. In the examples above we've used the show ip route connected command to display only the directly connected routes in the routing table.

Static routes Static routes are manually added to a routing table through direct configuration. Using a static route, a router can learn about a route to a remote network that is not directly attached to one of its interfaces. Note, however, that static routes do not scale well, since you have to configure each static route manually on each router in the network; they are typical for small networks and stub links. Static routes are configured in the global configuration mode using the ip route DESTINATION_NETWORK SUBNET_MASK NEXT_HOP_IP_ADDRESS command. The NEXT_HOP_IP_ADDRESS parameter is the IP address of the next-hop router that will receive the packets and forward them to the remote network. The next-hop router must be reachable through a directly connected network (or through another route that eventually resolves to one). Consider the following example:

Let’s take a look at the routing table on R1:

Note that R1 knows about the two directly connected networks: 10.0.0.0/24 and 172.16.0.0/24. What it doesn’t know about, however, is the 192.168.0.0/24 network directly attached to R2. Let’s try to ping a host in that network:

The ping command fails because R1 doesn't know where to send the packets. However, we can add a static route that fixes this problem: ip route 192.168.0.0 255.255.255.0 172.16.0.2. With this command, we've instructed R1 to send all packets destined for the 192.168.0.0/24 network to 172.16.0.2 (the IP address of the Fa0/1 interface on R2). Let's try to ping that same host again:

Because R1 now knows where to send packets, the ping command is successful.
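The lookups described in the last three lessons (connected routes, the most specific entry winning, and a static route whose next hop must itself be resolved to an outgoing interface) can be reproduced in a few dozen lines. The Python script below is an added example for this edition, not code from the book; it parses constructed show ip route lines for R1 (the 192.168.0.128/25 static route via a hypothetical 172.16.0.3 is added only to show longest-prefix matching) and answers the question the router answers for every packet: which interface, and which address to ARP for. A packet with no matching route is dropped, as R1 did before the static route was added.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    code: str                                   # 'C' connected, 'S' static
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None for connected routes
    interface: Optional[str]                    # None for next-hop static routes


# Constructed 'show ip route' lines for R1 (not the book's own output). The
# 192.168.0.128/25 static route via a hypothetical 172.16.0.3 is added only to
# show longest-prefix matching.
SHOW_IP_ROUTE = """\
C    10.0.0.0/24 is directly connected, FastEthernet0/0
C    172.16.0.0/24 is directly connected, FastEthernet0/1
S    192.168.0.0/24 [1/0] via 172.16.0.2
S    192.168.0.128/25 [1/0] via 172.16.0.3
"""

CONNECTED_RE = re.compile(r"^(\w)\s+(\S+) is directly connected, (\S+)")
NEXT_HOP_RE = re.compile(r"^(\w)\s+(\S+) \[\d+/\d+\] via (\S+)")


def parse_routes(text: str) -> list[Route]:
    """Parse the two line shapes used above; anything else is ignored."""
    routes: list[Route] = []
    for line in text.splitlines():
        if m := CONNECTED_RE.match(line):
            routes.append(Route(m[1], ipaddress.ip_network(m[2]), None, m[3]))
        elif m := NEXT_HOP_RE.match(line):
            routes.append(Route(m[1], ipaddress.ip_network(m[2]),
                                ipaddress.ip_address(m[3]), None))
    return routes


def longest_match(routes: list[Route], dst) -> Optional[Route]:
    """The most specific route covering dst (longest subnet mask wins)."""
    addr = ipaddress.ip_address(str(dst))
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def forward(routes: list[Route], dst, max_depth: int = 4):
    """Return (egress interface, address to ARP for) for a packet to dst, or
    None when there is no route and the packet is dropped. A static route with
    a next-hop address is resolved recursively until a connected route gives
    the interface; max_depth guards against a loop of next hops."""
    route = longest_match(routes, dst)
    if route is None:
        return None
    if route.interface is not None:         # connected: deliver to dst directly
        return route.interface, str(dst)
    hop = route.next_hop
    for _ in range(max_depth):
        via = longest_match(routes, hop)
        if via is None:
            return None                      # the next hop itself is unroutable
        if via.interface is not None:
            return via.interface, str(hop)
        hop = via.next_hop
    return None


if __name__ == "__main__":
    table = parse_routes(SHOW_IP_ROUTE)
    for dst in ("10.0.0.5", "192.168.0.10", "192.168.0.200", "8.8.8.8"):
        print(dst, "->", forward(table, dst))
```

With the sample table, 192.168.0.10 goes out Fa0/1 towards 172.16.0.2 through the /24 route, while 192.168.0.200 takes the more specific /25 route towards 172.16.0.3, and 8.8.8.8 is dropped because R1 has no default route.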

Dynamic routes Dynamic routes are routes learned by using dynamic routing protocols. Routing protocols are configured on routers with the purpose of exchanging routing information. There are many benefits of using routing protocols in your network, including:
- unlike static routing, you don't need to manually configure every route on each router in the network. You just need to configure the networks to be advertised on the router directly connected to them.
- if a link fails and the network topology changes, routers can advertise that some routes have failed and pick a new route to that network.
The disadvantages of using routing protocols are that they cost more in terms of CPU and bandwidth usage and are usually more complex to implement. They also create a new trust relationship: a router accepts whatever its neighbors advertise, so routing protocol authentication (supported by RIPv2, OSPF and EIGRP) should be enabled on production networks. Consider the following example:

In the picture above you can see that R1 can reach the 10.0.0.0/24 network in two ways: through R2 and through R3. Both R2 and R3 advertise their routes to R1 using a routing protocol. Let's say that the route through R2 is better than the one going through R3. R1 will accept that route and place it in its routing table. All packets destined for the 10.0.0.0/24 network will go through R2. Now consider what happens if the link between R2 and R4 fails:

R2 will inform R1 that the link used to reach the 10.0.0.0/24 network has failed and that the route should not be used anymore. But there is another route to 10.0.0.0/24, going through R3; R1 will place that route in its routing table and use it for the packets destined for the 10.0.0.0/24 subnet. R2 will also update its routing table and use the route R1 > R3 > R4 to reach the 10.0.0.0/24 subnet.

Types of routing protocols Routing protocols can be divided into two types: 1. Interior Gateway Protocols (IGPs) - routing protocols used to exchange routing information with routers in the same autonomous system (AS). An AS is a single network or a collection of networks under the administrative control of a single organization. For example, the network of a company is probably a single AS, while the network of an ISP is a different AS. All routers inside the same AS share the same routing-table information. Consider the following example:

Some examples of IGPs are Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Intermediate System to Intermediate System (IS-IS), and Enhanced Interior Gateway Routing Protocol (EIGRP). Interior gateway protocols are further divided into two types: distance-vector routing protocols and link-state routing protocols. 2. Exterior Gateway Protocols (EGPs) - routing protocols used to exchange routing information between routers in different autonomous systems. The only widely used EGP today is Border Gateway Protocol (BGP). BGP is not covered at the CCNA level, but remember that it is used to exchange routes between Internet routers. Routers used to be called gateways, hence the word Gateway in the names of the routing protocol types.

Administrative distance (AD) explained

The administrative distance (AD) is a number used to rate the trustworthiness of routing information received from a neighbor router. It is used when a router must choose between routes to the same network learned using different routing protocols. Each routing protocol has a default AD value. The route learned using the routing protocol with the lower AD will be placed in the routing table. An administrative distance is a number between 0 and 255, with a lower number being better. An AD of 0 indicates the most trusted route (a directly connected network). An AD of 255 means that the route will not be trusted. Here are the default AD values for different route sources:

Connected interface - 0
Static route - 1
EIGRP - 90
OSPF - 110
RIP - 120
External EIGRP - 170
Unknown - 255

Consider the following example:

Routing metric explained

If a router learns about multiple paths to the same network from the same routing protocol, a measure called the metric is used to decide which route will be placed in the routing table. Just like with the administrative distance, the lower number represents the better route. Each routing protocol has its own way of calculating the metric: Routing Information Protocol (RIP) uses hop count, OSPF uses a parameter called cost, EIGRP uses bandwidth and delay to compute the metric, etc. Note that the metrics of different routing protocols cannot be directly compared - an EIGRP route might have a metric of 4.042.334, while a RIP route can have a metric of 3. If two routes have the same AD as well as the same metric, the routing protocol will load-balance to the remote network, meaning that data will be sent down each link. To understand the importance of routing metrics, consider the following example:

Let’s say that all routers are running RIP. R1 receives two possible routes to the 10.0.0.0/24 network: one going through R2, and one going through R3 and R4. Both routes are RIP routes and have the same administrative distance, so the metric is used to determine the best route. The RIP metric is hop count, which is simply the number of routers between the source and the destination. In this case, the route going through R2 will have a metric of one, because only one router is in the path to the 10.0.0.0/24 network. The route going through R3 and R4 will have a metric of two. The first route will be placed in the routing table and used for packets sent to the 10.0.0.0/24 subnet.

RIP was removed from the CCNA curriculum, so if you are studying strictly to pass the CCNA exam, feel free to skip the next lesson.
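The route selection rules from the last two sections (lowest administrative distance wins and metrics of different protocols are never compared; among routes with the same AD the lowest metric wins; routes tied on both are load-balanced; an AD of 255 is never installed) as an added Python example. This is not the book’s code. The AD table is the default table above; the candidate routes fed in are constructed for illustration, with the one-hop and two-hop RIP paths taken from the figure just discussed.

```python
from collections import namedtuple

# Default administrative distances from the table above; lower is more trusted.
DEFAULT_AD = {
    "connected": 0,
    "static": 1,
    "eigrp": 90,
    "ospf": 110,
    "rip": 120,
    "eigrp-external": 170,
    "unknown": 255,
}

# A candidate route as a router learns it: prefix, source (protocol),
# next hop, and the source's own metric.
Route = namedtuple("Route", "prefix source next_hop metric")


def administrative_distance(route):
    """AD of a route from the default table; an unknown source gets 255."""
    return DEFAULT_AD.get(route.source, DEFAULT_AD["unknown"])


def select_routes(candidates):
    """Routes a router installs for ONE prefix, following the text:
    1. the lowest AD wins, so metrics of different protocols are never compared;
    2. among routes with the same AD, the lowest metric wins;
    3. routes tied on both AD and metric are all installed (load balancing);
    4. a route with AD 255 is never trusted and is dropped.
    """
    usable = [r for r in candidates if administrative_distance(r) < 255]
    if not usable:
        return []
    best_ad = min(administrative_distance(r) for r in usable)
    same_ad = [r for r in usable if administrative_distance(r) == best_ad]
    best_metric = min(r.metric for r in same_ad)
    return [r for r in same_ad if r.metric == best_metric]


def build_routing_table(candidates):
    """Apply select_routes() per prefix; returns {prefix: [installed routes]}."""
    table = {}
    for prefix in sorted({r.prefix for r in candidates}):
        chosen = select_routes([r for r in candidates if r.prefix == prefix])
        if chosen:
            table[prefix] = chosen
    return table


# Constructed sample input (not from the book): what R1 might learn.
SAMPLE_ROUTES = [
    Route("10.0.0.0/24", "rip", "R2", 1),          # via R2: one hop
    Route("10.0.0.0/24", "rip", "R3", 2),          # via R3 > R4: two hops
    Route("10.0.0.0/24", "eigrp", "R3", 4042334),  # huge metric, but AD 90 beats RIP's 120
    Route("192.168.0.0/24", "rip", "R2", 3),       # equal AD and metric ...
    Route("192.168.0.0/24", "rip", "R3", 3),       # ... so both are installed
    Route("172.16.0.0/16", "unknown", "R9", 1),    # AD 255: never installed
]

if __name__ == "__main__":
    for prefix, routes in build_routing_table(SAMPLE_ROUTES).items():
        for r in routes:
            print(f"{prefix} via {r.next_hop} [{administrative_distance(r)}/{r.metric}] ({r.source})")
```

Note that for 10.0.0.0/24 the EIGRP route is installed even though its metric is about four million: the comparison never reaches the metric because the AD decides first. Only when the EIGRP route is absent does the one-hop RIP path via R2 win over the two-hop path.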

Chapter 9 - RIP

RIP (Routing Information Protocol) overview
RIP configuration
Split horizon explained
Route poisoning explained
Holddown timer explained

RIP (Routing Information Protocol) overview

RIP (Routing Information Protocol) is one of the oldest distance vector routing protocols, invented in the 1980s. It uses the hop count (the number of routers between the source and destination network) as the metric and is very simple to configure. Two versions of the protocol were developed:

RIP version 1 - supports only classful routing and doesn’t send subnet masks in routing updates. Uses broadcasts for updates.
RIP version 2 - supports classless routing and sends subnet masks in routing updates. This version uses the multicast address 224.0.0.9 to send routing updates.

There is also a version of RIP developed for IPv6 networks called RIPng. RIP has a default administrative distance of 120. It sends the entire routing table every 30 seconds, which can consume a lot of network bandwidth. The hop count limit is 15; any route with a higher hop count will be marked as unreachable. To better understand how RIP works, consider the following example:

We’ve configured RIP on all routers in the network. R1 will receive two possible routes to the 10.0.0.0/24 network: one going through R2, and one going through R3 and R4. Both routes are RIP routes and have the same administrative distance, so the metric is used to determine the best route. RIP uses hop count as the metric. In this case the route going through R2 will have a metric of 1, because there is only one router in the path to the 10.0.0.0/24 network. The route going through R3 and R4 will have a metric of 2. The first route will be placed in the routing table and used for packets sent to the 10.0.0.0/24 subnet. RIP lacks some of the more advanced features of newer routing protocols like OSPF or EIGRP, and it is not widely used in modern networks.

RIP configuration

RIP is a very simple routing protocol and its configuration is pretty straightforward. You just need to enable RIP on the router and define which networks to advertise. Here is how it is done:

(config) router rip - enables RIP on the device.
(config-router) version 2 - specifies that version 2 of the protocol will be used.
(config-router) network NETWORK_ID - defines the network which will be advertised. This command takes a classful network as a parameter and activates RIP on the interfaces whose addresses fall within the specified classful network.

Consider the following example network:

In the picture above you can see that we have a small network of two routers and a single computer. R2 is directly connected to the 10.0.0.0/24 network. We want to advertise that network to R1 using RIP. Here are the configuration steps:

1. On R1, we need to enable RIP and activate it on the interface connected to the 192.168.0.0/24 network:

2. On R2, we need to enable RIP, activate it on the interface connected to the 192.168.0.0/24 network and advertise the 10.0.0.0/24 network:

3. To verify if RIP is indeed advertising routes, we can use the show ip route command on R1:

4. You can see that R1 knows about the 10.0.0.0/24 network. The letter R indicates that the route was learned using RIP. Note the administrative distance of 120 and the metric of 1 [120/1].

Remember that the network command does two things:

advertises the defined network in RIP.
activates RIP on the interfaces whose addresses fall within the specified classful network.

Split horizon explained

Distance vector protocols are susceptible to routing loops. A routing loop occurs when a packet is continually routed through the same routers over and over, in an endless circle. Because loops can render a network unusable, distance vector routing protocols (such as RIP and EIGRP) employ several different mechanisms to prevent them. Split horizon is one of the methods used by distance vector routing protocols to avoid routing loops. The principle is simple - a router will not advertise a route back onto the interface from which it was learned. Split horizon is enabled on interfaces by default. To see what could happen without the split horizon mechanism, take a look at the following example:

We have a network of three routers. All routers are running RIP, a distance vector protocol. R3 is directly connected to the 10.0.0.0/24 network and advertises that network using RIP to R2. R2 receives the routing update, places the route in its routing table and informs R1 about the 10.0.0.0/24 network. Because the split horizon mechanism is enabled by default on all interfaces, R1 will not advertise to R2 that it has a route to 10.0.0.0/24. Now consider what would happen if the split horizon mechanism didn’t prevent R1 from advertising the route back to R2. R1 would advertise to R2 that it has a route to reach 10.0.0.0/24. Let’s say that the link between R2 and R3 fails. Since R2 received a route to that network from R1, it will send all packets destined for the 10.0.0.0/24 network to R1. But R1 thinks that R2 has a route to reach that network (it doesn’t know that the link between R2 and R3 failed) and sends the packets back to R2, thereby creating a routing loop.

Route poisoning explained

Another method employed by distance vector routing protocols to prevent routing loops is route poisoning. When a router detects that one of its directly connected routes has failed, it will advertise the failed route with an infinite metric (“poisoning the route”). Routers that receive the routing update will consider the route as failed and remove it from their routing tables. Each routing protocol has its own definition of an infinite metric. In the case of RIP the infinite metric is 16. To better understand how route poisoning works, consider the following example:

We have a network of two routers. Both routers are running RIP. R2 has advertised the 10.0.0.0/24 network to R1. Now consider what happens when the network 10.0.0.0/24 fails:

1. R2 removes the route to 10.0.0.0/24 from its routing table.
2. R2 advertises the 10.0.0.0/24 network with an infinite metric (16) to R1 (“route poisoning”).
3. R1 receives the update and knows that the network has failed. It will remove the route from its routing table.

Holddown timer explained

Another feature used by distance vector routing protocols (such as RIP) to prevent routing loops is the holddown timer. This feature prevents a router from learning new information about a failed route until the timer expires. Here is how it works:

1. A router receives information that a route is unreachable and starts the holddown timer.
2. Until the holddown timer expires (180 seconds by default in RIP), the router will discard any routing updates that indicate the route is reachable.
3. The only routing updates about the failed route that will be processed are the ones sent by the same router that originally advertised the route.

Consider the following example:

We have a network of two routers. Both routers are running RIP and R2 has advertised the 10.0.0.0/24 network to R1. Consider what happens if the network fails:

1. R2 advertises the 10.0.0.0/24 network with the infinite metric (16) to R1, indicating that the network is no longer accessible.
2. R1 receives the routing update, marks the route as unreachable, and starts the holddown timer.

3. During the holddown period, R1 will not process any routing update about that route received from other routers. Only updates from R2 will be processed:

Note that the IP address 192.168.0.2 listed above is the IP address of the interface on R2 that is directly connected with R1.
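The three loop-prevention mechanisms described in the last three sections (split horizon, route poisoning with RIP’s infinite metric of 16, and the 180-second holddown timer with its exception for the original advertiser) as an added Python simulation. This is not the book’s code: it is a toy RIP speaker with constructed router and interface names, and time is simply a number of seconds passed in by the caller rather than a real timer.

```python
INFINITY = 16    # RIP's infinite metric: a route advertised with 16 is unreachable
HOLDDOWN = 180   # RIP holddown timer in seconds (the default the text gives)


class RipRouter:
    """Toy RIP speaker (constructed for this example, not the book's code):
    keeps each route together with the interface it was learned on, applies
    split horizon when building an update, poisons failed routes and
    honours the holddown timer."""

    def __init__(self, name):
        self.name = name
        # prefix -> {"metric", "next_hop", "iface", "holddown_until"}
        self.routes = {}

    def add_connected(self, prefix, iface):
        self.routes[prefix] = {"metric": 0, "next_hop": None,
                               "iface": iface, "holddown_until": None}

    def fail_route(self, prefix):
        """The originator notices that its directly connected network is down."""
        self.routes[prefix]["metric"] = INFINITY

    def build_update(self, out_iface):
        """Routes to advertise on out_iface.
        Split horizon: a route is never sent back on the interface it was
        learned on. Route poisoning: a failed route is advertised with 16
        instead of being silently dropped, so neighbours flush it."""
        update = {}
        for prefix, r in self.routes.items():
            if r["iface"] == out_iface:
                continue                           # split horizon
            if r["metric"] >= INFINITY:
                update[prefix] = INFINITY          # poisoned route
            else:
                update[prefix] = r["metric"] + 1   # one more router in the path
        return update

    def receive_update(self, from_router, in_iface, update, now):
        for prefix, metric in update.items():
            r = self.routes.get(prefix)
            if metric >= INFINITY:
                # A poison only affects a route we learned from that same router.
                if r and r["next_hop"] == from_router and r["metric"] < INFINITY:
                    r["metric"] = INFINITY
                    r["holddown_until"] = now + HOLDDOWN
                continue
            if r is None:
                self.routes[prefix] = {"metric": metric, "next_hop": from_router,
                                       "iface": in_iface, "holddown_until": None}
                continue
            in_holddown = r["holddown_until"] is not None and now < r["holddown_until"]
            if in_holddown and from_router != r["next_hop"]:
                continue   # holddown: "reachable again" is believed only from the originator
            if metric < r["metric"] or from_router == r["next_hop"]:
                r.update(metric=metric, next_hop=from_router,
                         iface=in_iface, holddown_until=None)


def learned_pair():
    """R2 owns 10.0.0.0/24 and advertises it to R1 over the 192.168.0.0/24 link."""
    r1, r2 = RipRouter("R1"), RipRouter("R2")
    r2.add_connected("10.0.0.0/24", "e0")
    r1.add_connected("192.168.0.0/24", "f0")
    r2.add_connected("192.168.0.0/24", "f0")
    r1.receive_update("R2", "f0", r2.build_update("f0"), now=0)
    return r1, r2


def run_scenario():
    """Replays the split horizon, poisoning and holddown examples from the text."""
    r1, r2 = learned_pair()
    seen = {"learned": r1.routes["10.0.0.0/24"]["metric"]}              # 1: one router in the path
    seen["sent_back_to_r2"] = "10.0.0.0/24" in r1.build_update("f0")   # False: split horizon
    r2.fail_route("10.0.0.0/24")
    r1.receive_update("R2", "f0", r2.build_update("f0"), now=30)
    seen["after_poison"] = r1.routes["10.0.0.0/24"]["metric"]          # 16, holddown runs until 210
    r1.receive_update("R3", "f1", {"10.0.0.0/24": 2}, now=60)           # R3 is a third, constructed neighbour
    seen["during_holddown"] = r1.routes["10.0.0.0/24"]["metric"]       # still 16: R3's update discarded
    r1.receive_update("R3", "f1", {"10.0.0.0/24": 2}, now=30 + HOLDDOWN)
    seen["after_holddown"] = r1.routes["10.0.0.0/24"]["metric"]        # 2: accepted once the timer expired
    return seen


def originator_overrides_holddown():
    """Only the router that advertised the route (R2) is believed during holddown."""
    r1, r2 = learned_pair()
    r2.fail_route("10.0.0.0/24")
    r1.receive_update("R2", "f0", r2.build_update("f0"), now=30)
    r1.receive_update("R2", "f0", {"10.0.0.0/24": 1}, now=60)   # R2 says the network is back
    return r1.routes["10.0.0.0/24"]["metric"]                   # 1
```

Running run_scenario() shows the three behaviours in sequence: R1 never includes 10.0.0.0/24 in the update it sends back towards R2, it marks the route unreachable as soon as R2 poisons it, and it ignores R3’s claim that the network is reachable until the holddown expires. originator_overrides_holddown() shows the exception in step 3 of the text.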

Chapter 10 - EIGRP

EIGRP overview
EIGRP neighbors
EIGRP tables
Reported and feasible distance explained
Successor and feasible successor explained
EIGRP configuration
Wildcard mask explained
EIGRP and wildcard masks
Reliable Transport Protocol (RTP)
Diffusing Update Algorithm (DUAL)
EIGRP auto-summary
EIGRP manual summarization

EIGRP overview

EIGRP (Enhanced Interior Gateway Routing Protocol) is an advanced distance vector routing protocol. It is sometimes referred to as a hybrid routing protocol because it has characteristics of both distance-vector and link-state routing protocols. EIGRP replaced Interior Gateway Routing Protocol (IGRP), an older proprietary Cisco routing protocol. EIGRP was also a proprietary protocol, but Cisco decided in 2013 to convert it to an open standard. This routing protocol is mostly used on Cisco devices, and all routers in the network must support it. The following features make EIGRP especially helpful in large and complex networks:

support for classless routing and VLSM (Variable Length Subnet Masking).
routes can be summarized on any router in the network.
incremental routing updates.
support for load-balancing.
support for MD5 authentication.
support for IPv4 and IPv6.

EIGRP uses Cisco’s Reliable Transport Protocol (RTP) to send messages and uses the multicast address 224.0.0.10. The default administrative distance of EIGRP is 90, which is less than the default administrative distances of RIP and OSPF; this means that EIGRP routes will be preferred over RIP and OSPF routes to the same network. The metric is calculated using bandwidth, delay, reliability and load. By default, only bandwidth and delay are considered when calculating the metric, while reliability and load are set to zero.

EIGRP neighbors

Routers that run EIGRP must become neighbors before exchanging routing information. To dynamically discover neighbors on directly attached networks, EIGRP routers use the multicast address 224.0.0.10 to send Hello packets every couple of seconds. To become neighbors, the following parameters must match on both routers:

ASN (Autonomous System Number)
subnet
K values (components of the metric)

Let’s examine each of these parameters in detail:

ASN (Autonomous System Number) - EIGRP uses the concept of autonomous systems. An autonomous system is simply a group of EIGRP-enabled routers that should become EIGRP neighbors and exchange routes. An AS is defined on a router by using the router eigrp AS_NUMBER global configuration command. In order to become neighbors, all routers must be configured with the same AS number.
subnet - the interfaces on both routers must be in the same subnet.
K values - each router must be configured with the same K values used to calculate the metric. By default, the only parameters used to calculate an EIGRP metric are bandwidth and delay. If a network administrator wants to use other parameters (load and reliability) to calculate the metric, the change has to be made on both routers. Otherwise, the mismatched K values will prevent the routers from becoming neighbors.

Consider the following example:

We have a simple network of two routers. Both routers are running EIGRP, with the ASN of 1. Because the interfaces on both routers are in the same subnet and the K-values match, the routers will become neighbors:

The information about EIGRP neighbors is stored in the neighbor table. We can display the content of this table by running the show ip eigrp neighbors command:

Here is a brief description of each column:

H - the sequential numbering of established neighbor adjacencies. The first neighbor will have a value of 0, the second neighbor a value of 1, and so on.
Address - the IP address of the EIGRP neighbor.
Interface - the interface on the local router on which the Hello packets were received.
Hold (sec) - the holddown timer. It specifies how long EIGRP will wait to hear from the neighbor before declaring it down.
Uptime - the time in hours:minutes:seconds since the local router first heard from the neighbor.
SRTT (ms) - smooth round-trip time. The time it takes to send an EIGRP packet and receive an acknowledgment from the neighbor.
RTO - retransmission timeout in milliseconds. This is the time that EIGRP will wait before retransmitting a packet from the retransmission queue to a neighbor.
Q Cnt - the number of EIGRP packets (Update, Query or Reply) in the queue that are awaiting transmission. Should be 0.
Seq Num - the sequence number of the last update, query, or reply packet that was received from the neighbor.

EIGRP tables

Each EIGRP router uses three tables to store routing information:

Neighbor table - stores information about EIGRP neighbors. Before exchanging routes, routers need to establish a neighbor relationship. Information such as the IP address of the neighbor, the local interface on which the Hellos were received, the holddown timer, and the smooth round-trip time is kept in this table.
Topology table - stores routing information learned from the neighbors’ routing tables. This table stores every EIGRP route inside the autonomous system. The topology table also holds the metrics for each of the listed EIGRP routes, the feasible successors and the successors.
Routing table - stores only the best routes to reach a remote network.

Consider the following example network:

We have a network of three routers, all running EIGRP. The routers have established neighbor relationships and the routes have been exchanged. Let’s display the neighbor table on R1 using the show ip eigrp neighbors command:

You can see that R1 has established two neighbor relationships. Information such as the neighbor’s IP address, the local interface, and the holddown timer is displayed. Now let’s display the topology table on R1 using the show ip eigrp topology command:

We will explain the concept of successor and feasible successor in the next sections. For now, just remember that this table contains all routes learned by EIGRP. Notice how there are two possible routes to the 172.16.0.0/16 network, one via 10.0.0.2 and the other via 192.168.0.2. The routing table looks like this:

Note that there is only one route to the 172.16.0.0/16 network - the best route, via 10.0.0.2.

Reported and feasible distance explained

In EIGRP, a local router calculates the metric for each route, but also considers the next-hop router’s metric for that same destination subnet. These metrics have their own names:

Reported (advertised) distance (RD or AD) - the metric advertised by the neighboring router for a specific route. This is the metric of the route used by the neighboring router to reach that specific destination network.
Feasible distance (FD) - the local router’s metric of the best route to reach a specific network. The metric is calculated using the metric reported by the neighbor (the advertised distance) plus the metric to the neighbor reporting the route.

The route with the lowest FD will be placed in the routing table. We will try to explain these two metrics with an example:

We have a small network of two routers. Both routers are running EIGRP and the neighbor relationship has been established. R2 is directly connected to the 192.168.0.0/24 subnet and advertises that subnet using EIGRP to R1. R2’s metric to reach that network is 28160. R1 will use that metric to calculate its own metric to reach the 192.168.0.0/24 subnet. These values are stored in R1’s topology table:

Notice the numbers in parentheses (30720/28160). The first number (30720) represents the feasible distance (the metric) of R1 to reach the 192.168.0.0/24 subnet. The second number (28160) represents the advertised distance - the metric of R2 to reach that subnet.

Successor and feasible successor explained

Two terms that you will often encounter in the EIGRP world are the successor and the feasible successor. Here are the definitions of these two terms:

successor - the route with the best metric to reach a particular network. This route will be placed in the routing table.
feasible successor - an alternative route to a particular network that can be used immediately if the currently best route (the successor) fails, without causing a routing loop. These routes are stored in the EIGRP topology table.

Not all alternative routes to a particular network will become feasible successors. In order for a route to become a feasible successor, the following condition must be met: the neighbor’s advertised distance (AD) for the route must be less than the successor’s feasible distance (FD). The definition above can be more easily understood with an example:

We have a network of five routers, all running EIGRP. R5 has advertised the 10.0.0.0/24 subnet. R1 has three paths to reach the 10.0.0.0/24 subnet:

R2 > R5 - let’s say that this is the best route (the successor route). This route will be placed in R1’s routing table, with a metric of 30.
R3 > R2 > R5 - for a route to become a feasible successor, the neighbor’s advertised distance (AD) for the route must be less than the successor’s feasible distance (FD). This is not the case here - R3 has advertised a metric of 50 to reach 10.0.0.0/24, which is greater than the feasible distance of R1 (30).
R4 > R5 - this route will become a feasible successor route, since R4’s advertised distance is less than the successor’s feasible distance (25 < 30). This route will be placed in R1’s topology table and can be used immediately if the best route fails.
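The FD = RD + cost-to-neighbor calculation from the previous section and the feasibility condition from this one (RD strictly less than the successor’s FD), as an added Python example that is not the book’s code. The text gives R1’s FD via R2 (30) and the reported distances of R3 (50) and R4 (25) but not the link costs, so the costs to each neighbor are assumed values chosen to reproduce those numbers; the 2560 link cost in the two-router case is likewise assumed so that the entry shows as (30720/28160) as in the text.

```python
from dataclasses import dataclass


@dataclass
class TopologyEntry:
    """One path to a prefix as stored in the EIGRP topology table."""
    neighbor: str
    reported_distance: int   # RD (also called AD): the neighbor's own metric to the prefix
    cost_to_neighbor: int    # this router's metric to reach that neighbor (assumed values below)

    @property
    def feasible_distance(self):
        """FD = the neighbor's reported distance + the metric to reach that neighbor."""
        return self.reported_distance + self.cost_to_neighbor

    def show(self):
        """Format like a topology-table line: (FD/RD) via neighbor."""
        return f"({self.feasible_distance}/{self.reported_distance}) via {self.neighbor}"


def choose_paths(entries):
    """Return (successor, feasible_successors) for one prefix.
    Successor: the entry with the lowest FD; it goes into the routing table.
    Feasible successor: any other entry whose reported distance is strictly
    less than the successor's FD. Such a neighbor is closer to the destination
    than we are, so its path cannot loop back through us and can be used
    immediately if the successor fails."""
    successor = min(entries, key=lambda e: e.feasible_distance)
    fd = successor.feasible_distance
    feasible = [e for e in entries
                if e is not successor and e.reported_distance < fd]
    return successor, feasible


# Constructed sample for the five-router example: RDs and R1's FD via R2 come
# from the text, the link costs are assumed.
PATHS_TO_10_0_0_0 = [
    TopologyEntry("R2", reported_distance=20, cost_to_neighbor=10),  # FD 30: successor
    TopologyEntry("R3", reported_distance=50, cost_to_neighbor=5),   # RD 50 >= 30: not feasible
    TopologyEntry("R4", reported_distance=25, cost_to_neighbor=10),  # RD 25 < 30: feasible successor
]

# The two-router example: R2 reports 28160; the 2560 link cost is assumed.
PATHS_TO_192_168_0_0 = [TopologyEntry("R2", 28160, 2560)]   # shows as (30720/28160)

if __name__ == "__main__":
    successor, feasible = choose_paths(PATHS_TO_10_0_0_0)
    print("successor:", successor.show())
    for entry in feasible:
        print("feasible successor:", entry.show())
```

Note that the R3 path is rejected even though it would be the second-best path by FD (55 versus 35 for R4): feasibility is judged on the neighbor’s reported distance alone, which is what rules out a loop.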

EIGRP configuration

EIGRP can be configured using only two commands:

1. (config) router eigrp ASN - starts EIGRP on the router. In order to become EIGRP neighbors, routers must be configured with the same AS number. You can use any number between 1 and 65,535.
2. (config-router) network SUBNET [WILDCARD_MASK] - the network command does two things:
   for each interface matched by the network command, EIGRP tries to discover neighbors on that interface.
   the subnet connected to the interface matched by the network command will be advertised.

By default, the network command accepts a classful network number as a parameter. Consider the following example:

We have a simple network of two routers. Here is how we can configure EIGRP on both routers:

1. On R1, we need to enable EIGRP with the ASN of 1 and use the network command to match the interface directly connected to the 10.0.0.0/24 network:

2. On R2, we need to enable EIGRP with the ASN of 1, use the network command to match the interface directly connected to the 10.0.0.0/24 network, and advertise the 192.168.0.0/24 network:

To confirm that the EIGRP neighbor relationship has been established, we can use the show ip eigrp neighbors command:

In the picture above you can see that R1 has a single neighbor with the IP address of 10.0.0.2. To verify that R1 has received a route to reach the 192.168.0.0/24 network, we can use the show ip route eigrp command:

Wildcard mask explained

Wildcard masks are used to specify a range of addresses. They are usually used with routing protocols (such as EIGRP and OSPF) and access lists. Just like a subnet mask, a wildcard mask is 32 bits long. It is a sort of inverted subnet mask: the zero bits indicate that the corresponding bit position must match the same bit position in the IP address, while the one bits indicate that the corresponding bit position does not have to match. The following example will help you understand the concept behind wildcard masks:

In the picture above you can see a network with three hosts and a router. The router is directly connected to three subnets. Let’s say that we want to advertise only the 10.0.1.0/24 subnet in EIGRP. We can use the wildcard mask of 0.0.0.255 in the following network command to do this:

R1(config-router)#network 10.0.1.0 0.0.0.255

Why the wildcard mask of 0.0.0.255? To explain why, first we need to convert the IP address and the wildcard mask to binary:

10.0.1.0 = 00001010.00000000.00000001.00000000
0.0.0.255 = 00000000.00000000.00000000.11111111

The zero bits of the wildcard mask have to match the same positions in the IP address in order for the network to be included in the network command:

00001010.00000000.00000001.00000000
00000000.00000000.00000000.11111111

As you can see from the output above, the last octet doesn’t have to match, because the wildcard mask bits are all ones. The first 24 bits have to match, because the wildcard mask bits are all zeros. So, in this case, the wildcard mask will match all addresses that begin with 10.0.1.x (10.0.1.0 - 10.0.1.255). In our case, we have only a single network that will be matched - 10.0.1.0/24.

What if we want to include both the 10.0.0.0/24 and 10.0.1.0/24 subnets? Well, we need to use the wildcard mask of 0.0.1.255. Here is why:

10.0.0.0 = 00001010.00000000.00000000.00000000
10.0.1.0 = 00001010.00000000.00000001.00000000
0.0.1.255 = 00000000.00000000.00000001.11111111

From the output above you can see that, with the wildcard mask of 0.0.1.255, only the first 23 bits have to match. That means that all addresses in the range 10.0.0.0 – 10.0.1.255 will be matched. So, in our case, both networks have been matched.

The wildcard mask of all zeros (0.0.0.0) means that the entire IP address has to match in order for a statement to execute. For example, if we want to match only the IP address 192.168.0.1, the command to use is network 192.168.0.1 0.0.0.0. A wildcard mask of all ones (255.255.255.255) means that no bits have to match. This basically means that all addresses will be matched.
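The bit-matching rule just described (zero wildcard bits must match, one bits are ignored) as an added Python example that is not the book’s code. It reproduces the binary forms shown above, checks which of a router’s interface addresses a given network statement would match, and reports the address range a contiguous wildcard covers. The three interface addresses are constructed for the three-subnet router in the figure; the text names only the 10.0.0.0/24 and 10.0.1.0/24 subnets, so 10.0.2.1 is an assumed third one.

```python
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def to_binary(dotted):
    """Dotted-decimal to the 8-bits-per-octet binary form used in the text."""
    return ".".join(f"{int(o):08b}" for o in dotted.split("."))


def wildcard_matches(address, network, wildcard):
    """True if `address` is matched by the statement `network wildcard`.
    Zero bits in the wildcard must match the network; one bits are don't-care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF          # invert the wildcard: 1 = must match
    return (_to_int(address) & care) == (_to_int(network) & care)


def wildcard_range(network, wildcard):
    """(lowest, highest) address matched, for a contiguous wildcard such as
    0.0.1.255. A non-contiguous wildcard (e.g. 0.0.2.0) matches a scattered
    set of addresses, and only wildcard_matches() is meaningful for it."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    low = _to_int(network) & care
    high = low | _to_int(wildcard)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def matched_interfaces(network_statements, interface_addresses):
    """Which interfaces a list of (network, wildcard) statements would enable.
    Returns {interface: statement} for the first statement that matches it."""
    enabled = {}
    for iface, addr in interface_addresses.items():
        for net, wc in network_statements:
            if wildcard_matches(addr, net, wc):
                enabled[iface] = (net, wc)
                break
    return enabled


# Constructed interface addresses for the three-subnet router in the figure.
ROUTER_INTERFACES = {
    "Fa0/0": "10.0.0.1",
    "Fa0/1": "10.0.1.1",
    "Fa0/2": "10.0.2.1",   # assumed third subnet
}

if __name__ == "__main__":
    for net, wc in [("10.0.1.0", "0.0.0.255"), ("10.0.0.0", "0.0.1.255"),
                    ("192.168.0.1", "0.0.0.0"), ("0.0.0.0", "255.255.255.255")]:
        low, high = wildcard_range(net, wc)
        print(f"network {net} {wc}: {low} - {high}, interfaces "
              f"{sorted(matched_interfaces([(net, wc)], ROUTER_INTERFACES))}")
```

The range function makes the two cases in the text concrete: 10.0.1.0 0.0.0.255 covers 10.0.1.0 to 10.0.1.255 and enables only Fa0/1, while 10.0.0.0 0.0.1.255 covers 10.0.0.0 to 10.0.1.255 and enables Fa0/0 and Fa0/1 but still leaves the third subnet out.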

EIGRP and wildcard masks

The network command in EIGRP uses a classful network as the parameter by default, which means that all interfaces inside the classful network will participate in the EIGRP process. We can enable EIGRP only for specific networks using wildcard masks. The syntax of the command is:

(config-router)#network IP_ADDRESS WILDCARD_MASK

Consider the following example:

In the picture above you can see a network with three hosts and a router. The router is directly connected to three subnets. Let’s say that we want to advertise only the 10.0.0.0/24 subnet in EIGRP. We can use the wildcard mask of 0.0.0.255 to do this:

Using the show ip protocols command, we can verify that the network 10.0.0.0/24 is included in EIGRP:

Reliable Transport Protocol (RTP)

EIGRP sends messages without UDP or TCP; instead, a Cisco protocol called Reliable Transport Protocol (RTP) is used for communication between EIGRP-speaking routers. As the name implies, reliability is a key feature of this protocol, and it is designed to enable quick delivery of updates and tracking of data reception. Five different packet types are used by EIGRP:

Update - contains route information. When these are sent in response to metric or topology changes, reliable multicasts are used. In the event that only one router needs an update, like when a new neighbor is discovered, it’s sent via unicast.
Query - a request for specific routes; always uses the reliable multicast method. Routers send queries when they realize they’ve lost the path to a particular network and are searching for alternative paths.
Reply - sent in response to a query via the unicast method. Replies can include a specific route to the queried destination or declare that there’s no known route.
Hello - used to discover EIGRP neighbors. It is sent via unreliable multicast (no acknowledgment is required).
Acknowledgment (ACK) - sent in response to an update and is always unicast. ACKs are not sent reliably.

The acronym RTP is also used for a different, unrelated protocol - Real-time Transport Protocol (RTP), used for VoIP communication.

Diffusing Update Algorithm (DUAL)

EIGRP uses the Diffusing Update Algorithm (DUAL) for selecting and maintaining the best route to each remote network. DUAL is also used for the following tasks:

discover a backup route if there’s one available.
support for variable length subnet masks (VLSMs).
perform dynamic route recoveries.
query neighbors for unknown alternate routes.
send out queries for an alternate route.

EIGRP stores all routes advertised by all neighbors. The metric of these routes is used by DUAL to select efficient loop-free paths. DUAL selects the routes that will be inserted into the routing table. If a route fails and there is no feasible successor, DUAL chooses a replacement route, which usually takes a second or two. The following requirements must be met for DUAL to work properly:

EIGRP neighbors must be discovered.
all transmitted EIGRP messages should be received correctly.
all changes and messages should be processed in the order in which they’re detected.

EIGRP auto-summary

In EIGRP, the auto-summary feature is enabled by default. This means that EIGRP will automatically summarize networks at their classful boundaries. The auto-summary feature can be useful, but it can also cause problems with discontiguous networks (which are two or more subnetworks of a classful network connected together by different classful networks). Consider the following example:

In the example above we have a network of two routers and one host. Both routers are running EIGRP and have established the neighbor relationship. The router R1 has a directly connected subnet 10.5.10.0/24 that it advertises to R2. Because the auto-summary feature is turned on, R1 will summarize the subnet 10.5.10.0/24 and send the classful route 10.0.0.0/8 to R2. Here is the routing table on R2:

Note that R2 has a route to the classful network 10.0.0.0/8. R2 will therefore send all packets destined for any IP address inside the 10.0.0.0 - 10.255.255.255 range to R1. This can cause problems with discontiguous networks. That is why the auto-summary feature is usually turned off with the no auto-summary command:

Let’s take a look at the routing table on R2:

You can see in the picture above that R2 now has the more specific route. Note that the EIGRP neighbor relationship has to be re-established after the no auto-summary command was entered.

EIGRP manual summarization

Manual summarization is the process of creating a summary route that represents multiple routes; it can be used to reduce the size of the routing tables in a network. EIGRP, unlike some other routing protocols such as OSPF, supports manual summarization on any router within a network. Manual summarization in EIGRP is configured on a per-interface basis. The syntax of the command is:

(config-if) ip summary-address eigrp ASN SUMMARY_ADDRESS SUBNET_MASK

Consider the following example:

In the example above we have a network of three routers running EIGRP. R1 has two directly connected subnets: 10.5.10.0/24 and 10.20.15.0/24. Assuming that automatic summarization is disabled, R1 will advertise these two networks to R2. Here is the routing table on R2:

Note that R2 has two routes, to the 10.5.10.0/24 and 10.20.15.0/24 networks. To reduce the size of R2’s routing table, we can advertise a summary route that includes both subnets. We will use the following command on the Fa0/1 interface on R1:

R1 should now send only a single route (10.0.0.0) for both subnets. We can verify that by running the show ip route command on R2:

Notice how R2 now has only a single route to reach both subnets. In the example above, the ip summary-address command included the two subnets directly connected to R1, but also plenty of other addresses that are not in these subnets. The range of the summarized addresses is 10.0.0.0 – 10.255.255.255, so R2 will send all packets destined for these addresses to R1. This could cause problems if these addresses exist somewhere else in the network.
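The two summarization behaviours from the last two sections, as an added Python example that is not the book’s code: what auto-summary produces at the classful boundary, how many addresses a summary claims that belong to none of R1’s subnets (the problem the paragraph above describes), and the tightest single prefix that still covers both subnets, which is the usual way to limit that collateral. R1’s two subnets are taken from the example; the ASN of 1 used when printing the command is assumed.

```python
import ipaddress


def classful_network(address):
    """The classful network an address belongs to: /8 (class A), /16 (B), /24 (C).
    This is the boundary at which EIGRP auto-summary summarizes."""
    host = str(address).split("/")[0]
    first_octet = int(host.split(".")[0])
    if first_octet < 128:
        prefix_len = 8
    elif first_octet < 192:
        prefix_len = 16
    elif first_octet < 224:
        prefix_len = 24
    else:
        raise ValueError(f"{address}: class D/E addresses have no classful network")
    return ipaddress.ip_network(f"{host}/{prefix_len}", strict=False)


def auto_summary(subnets):
    """What a router with auto-summary enabled advertises across a classful boundary."""
    return sorted({classful_network(s) for s in subnets})


def smallest_summary(subnets):
    """Tightest single prefix covering every subnet (their longest common prefix)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    prefix_len = min(n.prefixlen for n in nets)
    while prefix_len > 0:
        candidate = nets[0].supernet(new_prefix=prefix_len)
        if all(n.subnet_of(candidate) for n in nets):
            return candidate
        prefix_len -= 1
    return ipaddress.ip_network("0.0.0.0/0")


def overreach(summary, subnets):
    """Addresses the summary claims that belong to none of the subnets.
    Traffic for these is attracted to the summarizing router even though it
    has no route for them; the smaller this number, the less collateral."""
    return summary.num_addresses - sum(ipaddress.ip_network(s).num_addresses for s in subnets)


def summary_command(asn, summary):
    """The per-interface command from the text for a given summary (mask in dotted form)."""
    return f"ip summary-address eigrp {asn} {summary.network_address} {summary.netmask}"


# R1's two directly connected subnets from the manual summarization example.
R1_SUBNETS = ["10.5.10.0/24", "10.20.15.0/24"]

if __name__ == "__main__":
    for label, summary in [("auto-summary", auto_summary(R1_SUBNETS)[0]),
                           ("tightest", smallest_summary(R1_SUBNETS))]:
        print(f"{label}: {summary}, {overreach(summary, R1_SUBNETS)} extra addresses,",
              summary_command(1, summary))   # ASN 1 is assumed
```

For R1’s subnets the classful summary 10.0.0.0/8 carries 16,776,704 addresses that R1 does not own, whereas 10.0.0.0/11 (mask 255.224.0.0, range 10.0.0.0 – 10.31.255.255) still covers both subnets with roughly a tenth of that overreach.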

Chapter 12 - OSPF

OSPF overview
OSPF neighbor discovery
OSPF neighbor states
OSPF areas explained
Link-state advertisement (LSA)
Types of LSAs (Link-state advertisements)
Configure OSPF
Configure multiarea OSPF
Designated router and backup designated router
OSPF clear text authentication
OSPF MD5 authentication
OSPF route summarization

OSPF overview

OSPF (Open Shortest Path First) is perhaps the most popular link state routing protocol. It is an open standard, so it can be run on routers produced by different vendors, which is in contrast to EIGRP, a Cisco proprietary protocol that can be run only on Cisco devices. OSPF is classless and supports features such as VLSM, manual route summarization, incremental updates, equal cost load balancing, etc. As the metric, OSPF uses a single parameter - the interface cost. OSPF uses the multicast addresses 224.0.0.5 and 224.0.0.6 for communication between OSPF-enabled routers. The default administrative distance for OSPF routes is 110. Routers running OSPF need to establish a neighbor relationship before exchanging routing updates. Since OSPF is a link state routing protocol, neighbors don’t exchange routing tables; instead, they exchange information about the network topology. Each OSPF router then runs the SPF algorithm to calculate the best routes and adds those to the routing table. Since each router knows the entire topology of the network, the chance of a routing loop occurring is minimal. OSPF routers store routing and topology information in three tables:

neighbor table - stores information about OSPF neighbors.
topology table - stores the topology structure of the network.
routing table - stores the best routes.

OSPF neighbor discovery

Routers running OSPF need to establish a neighbor relationship before exchanging routing updates. OSPF neighbors are dynamically discovered by sending Hello packets out of each OSPF-enabled interface on a router. Hello packets are sent to the multicast IP address 224.0.0.5. If the two neighbors have compatible OSPF parameters listed in the Hello packets, the neighbor relationship will be formed. By default, Hello packets are sent out every 10 seconds on an Ethernet network (this interval is known as the Hello interval). The Dead interval is four times the value of the Hello interval, so if a router on an Ethernet network doesn’t receive at least one Hello packet from an OSPF neighbor for 40 seconds, the router will declare that neighbor to be down. The following fields in the OSPF Hello packets must be the same on both routers in order for the routers to become neighbors:

subnet
area id
hello and dead interval timers
authentication
area stub flag
MTU

The neighbor discovery process is explained in the following example:

Routers R1 and R2 are directly connected and run OSPF. Both routers will start sending Hellos to each other in order to establish a neighbor relationship. If the routers have compatible OSPF parameters, the neighbor relationship will be formed. Each OSPF router is assigned a router ID. A router ID is determined by using one of the following methods:
using the router-id command under the OSPF process.
using the highest IP address of the router’s loopback interfaces.
using the highest IP address of the router’s physical interfaces.

OSPF neighbor states
Before establishing a neighbor relationship, OSPF routers go through several state changes (up to eight possible states):
1. Down state - no Hellos have been received on the interface. All OSPF routers begin in this state.
2. Attempt state - neighbors must be manually configured. This state is used only in nonbroadcast multi-access (NBMA) networks.
3. Init state - a router has received a Hello message from the other OSPF router, but the two-way conversation has not yet been established.
4. 2-way state - the neighbor has received the Hello message and replied with a Hello message of its own.
5. Exstart state - the beginning of the LSDB exchange between both routers. Routers will start exchanging link state information.
6. Exchange state - DBD (Database Descriptor) packets are exchanged. DBDs contain LSA headers. Routers will use this information to see which LSAs need to be exchanged.
7. Loading state - one neighbor sends LSRs (Link State Requests) for every network it doesn’t know about. The other neighbor replies with LSUs (Link State Updates), which contain information about the requested networks. After all the requested information has been received, the other neighbor goes through the same process.
8. Full state - both routers have synchronized their link state databases and are fully adjacent with each other. OSPF routing can now begin.

OSPF areas explained
OSPF uses areas to simplify administration and optimize traffic and resource utilization. An area is simply a logical grouping of contiguous networks and routers. All routers in the same area have the same topology table and don’t know about routers in the other areas. The main benefits of using areas in an OSPF network are:
the routing tables on the routers are reduced.
less time is required to run the SPF algorithm, since routers need to recalculate their link-state database only when there’s a topology change within their own area.
routing updates are reduced.
Each area in an OSPF network must be connected to the backbone area (also known as area 0). All routers inside an area must have the same area ID in order to become OSPF neighbors. A router that has interfaces in more than one area (area 0 and area 1, for example) is known as an Area Border Router (ABR). A router that connects an OSPF network to other routing domains (to an EIGRP network, for example) is called an Autonomous System Border Router (ASBR). Consider the following example to better understand the concept of areas:

All routers pictured above are running OSPF. You can see that one router is an ABR (Area Border Router) because it has interfaces in two areas, namely area 0 and area 1. One router is an ASBR (Autonomous System Border Router), because it connects the OSPF network to another routing domain (an EIGRP domain in this case). The role of an ABR is to forward routing information from one area to the other. The role of an ASBR is to connect an OSPF routing domain to another external network (e.g. the Internet, an EIGRP network…). Manual route summarization is possible only on ABRs and ASBRs.

Link-state advertisement (LSA)
LSAs (Link-State Advertisements) are used by routers running OSPF to exchange topology information. An LSA contains routing and topology information that describes a part of an OSPF network. Routers exchange LSAs and learn the complete topology of the network until all routers have the exact same topology database. When two neighbors decide to exchange routes, they send each other a list of all LSAs in their respective topology databases. Each router then checks its topology database and sends a Link State Request (LSR) requesting all LSAs not found in its topology table. The other router responds with a Link State Update (LSU) that contains all LSAs requested by the neighbor. To better understand how LSAs are used in OSPF, consider the following example:

In the example above we have two routers and a single computer. After configuring OSPF on both routers, the routers exchange LSAs to describe their respective topology databases. Router R1 sends an LSA header for its directly connected subnet 10.0.0.0/24. Router R2 checks its topology database and determines that it doesn’t have information about that network. Router R2 then sends a Link State Request message requesting further information about that subnet. Router R1 responds with a Link State Update which contains information about subnet 10.0.0.0/24 (such as the next hop address, cost…).

Types of LSAs (Link-state advertisements)
There are several different LSA types in OSPF:
Type 1 LSA - also known as a router link advertisement (RLA), a Type 1 LSA is sent by every router to the other routers in its area. It contains the router ID (RID), interfaces, IP information, and current interface state. Note that Type 1 LSAs are flooded only within their own area.
Type 2 LSA - also known as a network link advertisement (NLA), a Type 2 LSA is generated by designated routers (DRs) to send out information about the state of other routers that are part of the same network. Type 2 LSAs are flooded within their own area only.
Type 3 LSA - also known as a summary link advertisement (SLA), a Type 3 LSA is generated by area border routers (ABRs) and sent toward the area external to the one where it was generated. It contains the IP information and the RID of the ABR that is advertising the Type 3 LSA.
Type 4 LSA - informs the rest of the OSPF domain how to get to the ASBR. The link-state ID includes the router ID of the described ASBR.
Type 5 LSA - also known as an AS external link advertisement, a Type 5 LSA is sent by autonomous system boundary routers (ASBRs) to advertise routes that are external to the OSPF autonomous system. Type 5 LSAs are flooded everywhere.

Configure OSPF
The OSPF basic configuration is very simple and requires only two steps:
enable OSPF on a router using the router ospf PROCESS-ID global configuration command.
define on which interfaces OSPF will run and which networks will be advertised with the network IP_ADDRESS WILDCARD_MASK AREA command in the OSPF configuration mode.
The OSPF process number doesn’t have to be the same on all routers in order for routers to establish a neighbor relationship, but the area parameter has to be the same on all neighboring routers in order for routers to become neighbors. Let’s get started with some basic OSPF configuration. Here is our example network:

We have a network of two routers and two hosts. To configure routers to use OSPF and exchange topology information, we first need to enable OSPF on both routers. We then need to define which networks will be advertised into OSPF. This can be done by using the following set of commands on R1 and R2:

The network commands entered on the two routers include their directly connected subnets. We can verify that the routers have established a neighbor relationship by typing the show ip ospf neighbor command on R1:

To verify that the topology information was exchanged, we can use the show ip route ospf command on R1:

Note that the OSPF routes are marked with the O character. In the output above you can see that R1 has learned about the network 192.168.0.0/24.

Configure multiarea OSPF
OSPF uses areas to simplify administration and optimize traffic and resource utilization. An area is simply a logical grouping of contiguous networks and routers. All routers in the same area have the same topology table and don’t know about routers in the other areas. In this lesson we will describe how you can configure multiarea OSPF. Consider the following multiarea OSPF network:

In the network we have three routers and two hosts. We need to configure OSPF with routers in two areas - area 0 and area 1. R2 should connect the two areas, which will make it an ABR (Area Border Router). Here is the OSPF configuration on R1:

We have used the router-id 1.1.1.1 command to manually specify the router ID that R1 will use. Configuration of R3 looks similar, but with the difference in area number, since R3 is in area 1:

What about R2? Because R2 is an ABR, it needs to establish a neighbor relationship with both R1 and R3. To do that, we need to specify a different area ID for each neighbor relationship, 0 for R1 and 1 for R3. We can do that using the following commands:

R2 should establish a neighbor relationship with both R1 and R3. We can verify that by using the show ip ospf neighbor command on R2:

To verify that the directly connected subnets are really advertised into the other area, we can use the show ip route ospf command on both R1 and R3:

The characters IA in front of the routes indicate that these routes reside in a different area. Since they reside in different areas, R1 and R3 will never establish a neighbor relationship.

Designated router and backup designated router
Based on the network type, OSPF routers can elect one router to be a designated router (DR) and one router to be a backup designated router (BDR). For example, on multiaccess broadcast networks (such as LANs) routers elect a DR and BDR by default. The DR and BDR are elected to minimize the number of adjacencies formed and to serve as the central point for exchanging OSPF routing information. However, on point-to-point links, the DR and BDR are not elected since only two routers are directly connected. Each non-DR or non-BDR router exchanges routing information only with the DR and BDR, instead of exchanging updates with every router on the network segment. The DR then distributes topology information to every other router inside the same area. The backup designated router (BDR) serves as a hot standby for the DR. It receives all routing updates from OSPF adjacent routers, but it will not disperse LSA updates. To send routing information to a DR or BDR, the multicast address 224.0.0.6 is used. A DR sends routing updates to the multicast address 224.0.0.5. If the DR fails, the BDR takes over its role of redistributing routing information. Each router on a network segment establishes a full neighbor relationship with the DR and BDR. Non-DR and non-BDR routers establish a two-way neighbor relationship with each other. On LANs, a DR and BDR have to be elected. Two rules are used to elect a DR and BDR:
1. the router with the highest OSPF priority will become the DR. By default, all routers have a priority of 1.
2. if there is a tie, the router with the highest router ID wins the election.
The router with the second highest OSPF priority or router ID will become the BDR. Consider the following example:

All routers in the network above are running OSPF and are in the same area (area 0). Let’s say that the routers R1 and R2 have been elected as DR and BDR because they have the highest and the second highest router ID. If R4’s directly connected subnet fails, R4 informs only R1 and R2 (the DR and BDR for the segment) of the network change. R1 (the DR) then informs all other non-DR and non-BDR routers of the change in topology (in this case, only the router R3). We can verify that R1 and R2 are indeed the DR and BDR of the segment by typing the show ip ospf neighbor command on R3:

You can influence the DR and BDR election process by manually configuring the OSPF priority. This can be done using the ip ospf priority VALUE interface command.
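The two election rules above, as an added example that is not from the book: a small Python model of the DR/BDR election on one segment. It goes one step beyond the text by also treating a priority of 0 as ineligible and by comparing router IDs as 32-bit numbers rather than as strings; router names and IDs are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OspfRouter:
    name: str
    router_id: str     # dotted-quad OSPF router ID, e.g. "1.1.1.1"
    priority: int = 1  # value set with "ip ospf priority VALUE"; default is 1


def election_key(router: OspfRouter) -> Tuple[int, int]:
    # Rule 1: the highest priority wins. Rule 2: on a tie, the highest router ID wins.
    # Router IDs compare as 32-bit integers: "10.0.0.1" is higher than "9.0.0.1",
    # although a plain string comparison would rank them the other way round.
    return (router.priority, int(ipaddress.IPv4Address(router.router_id)))


def elect_dr_bdr(routers: List[OspfRouter]) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR name, BDR name) for one multiaccess segment.

    Models the initial election where all routers come up together; it does not
    model the real protocol's refusal to pre-empt an already elected DR.
    """
    # A priority of 0 makes a router ineligible to become DR or BDR.
    eligible = [r for r in routers if r.priority > 0]
    ranked = sorted(eligible, key=election_key, reverse=True)
    dr = ranked[0].name if ranked else None
    bdr = ranked[1].name if len(ranked) > 1 else None
    return dr, bdr


# Constructed sample segment: four routers in area 0, all with the default priority.
SEGMENT = [
    OspfRouter("R1", "1.1.1.1"),
    OspfRouter("R2", "2.2.2.2"),
    OspfRouter("R3", "3.3.3.3"),
    OspfRouter("R4", "4.4.4.4"),
]

if __name__ == "__main__":
    print(elect_dr_bdr(SEGMENT))                                     # ('R4', 'R3')
    tuned = [OspfRouter("R1", "1.1.1.1", priority=200)] + SEGMENT[1:]
    print(elect_dr_bdr(tuned))                                       # ('R1', 'R4')
```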

OSPF clear text authentication
OSPF can authenticate all messages exchanged between neighbors. Messages are authenticated to prevent a rogue router from injecting false routing information and possibly causing a denial-of-service attack. Note that with OSPF authentication turned on, routers must pass the authentication process in order to become OSPF neighbors. Two types of authentication can be used in OSPF:
clear text authentication – clear text passwords are used.
MD5 authentication – MD5 authentication is used. This type of authentication is more secure.

To configure the clear text authentication, the following commands are required:
configure the OSPF password on the interface using the ip ospf authentication-key PASSWORD interface command.
configure the interface to use the OSPF clear text authentication by using the ip ospf authentication interface command.
Here is an example network:

We have a simple network of two routers. Both routers are running OSPF. To enable the clear text authentication and set up the password of secret, we need to enter the following commands on R1:

The same commands have to be entered on R2:

To verify that the clear text authentication is indeed enabled, we can use the show ip ospf interface INTERFACE command on either router:

OSPF MD5 authentication
The OSPF MD5 authentication is more secure than the plain text authentication. This method uses the MD5 algorithm to compute a hash value from the contents of the OSPF packet and a password. This hash value is transmitted in the packet. The receiver, which knows the same password, calculates its own hash value. If the message is unchanged, the hash value calculated by the receiver should match the hash value transmitted with the message by the sender. Configuring OSPF MD5 authentication is very similar to configuring clear-text authentication. Two commands are required:
configure the MD5 key on an interface using the ip ospf message-digest-key 1 md5 VALUE interface command.
configure the interface to use MD5 authentication by using the ip ospf authentication message-digest interface command.
Here is our example network:

As you can see in the picture above, we have a simple network of two routers. Both routers are running OSPF. To enable the MD5 authentication and set up the password of secret, we need to enter the following commands on R1:

The same commands need to be entered on the neighboring router as well. We can verify that R1 is using OSPF MD5 authentication by using the show ip ospf interface INTERFACE command:

The OSPF authentication type can also be enabled on an area basis, instead of configuring the OSPF authentication type on a per-interface basis. This can be done by using the area AREA_ID authentication [message-digest] command under the OSPF configuration mode. If you omit the message-digest keyword, clear-text authentication will be used for that area. All interfaces inside the area will use OSPF authentication.
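The digest computation described in this section, as an added Python example that is not IOS code: it follows the RFC 2328 Appendix D procedure, in which the key (key ID 1, as set with message-digest-key 1) is zero-padded to 16 bytes and appended to the packet before MD5 is run, the checksum field is left at zero, and the 64-bit authentication field carries a cryptographic sequence number that the receiver checks to reject replayed packets. The Hello body, router IDs and key are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Tuple

OSPF_VERSION = 2
OSPF_HELLO = 1
AU_TYPE_CRYPTOGRAPHIC = 2      # AuType value that selects MD5 authentication
MD5_DIGEST_LEN = 16
KEY_LEN = 16                   # RFC 2328 pads the key to 16 bytes with zeros
HEADER_FMT = "!BBH4s4sHHHBBI"  # 24-byte OSPFv2 header with the AuType-2 auth layout
HEADER_LEN = struct.calcsize(HEADER_FMT)


def padded_key(password: bytes) -> bytes:
    if not 1 <= len(password) <= KEY_LEN:
        raise ValueError("MD5 key must be 1..16 bytes")
    return password.ljust(KEY_LEN, b"\x00")


def build_md5_packet(pkt_type: int, router_id: str, area_id: str, body: bytes,
                     key_id: int, seq: int, password: bytes) -> bytes:
    """Sender side: build an OSPFv2 packet with the MD5 digest appended."""
    length = HEADER_LEN + len(body)   # the digest is not counted in the length field
    header = struct.pack(
        HEADER_FMT, OSPF_VERSION, pkt_type, length,
        ipaddress.IPv4Address(router_id).packed, ipaddress.IPv4Address(area_id).packed,
        0,                            # checksum is not computed when MD5 is in use
        AU_TYPE_CRYPTOGRAPHIC,
        0, key_id, MD5_DIGEST_LEN,    # auth field: zero, key ID, auth data length,
        seq)                          # and the cryptographic sequence number
    packet = header + body
    digest = hashlib.md5(packet + padded_key(password)).digest()
    return packet + digest


def verify_md5_packet(data: bytes, keys: Dict[int, bytes], last_seq: int) -> Tuple[bool, str]:
    """Receiver side: recompute the digest and check the sequence number."""
    if len(data) < HEADER_LEN + MD5_DIGEST_LEN:
        return False, "too short"
    (_, _, length, _, _, _, au_type, _, key_id, auth_len, seq) = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if au_type != AU_TYPE_CRYPTOGRAPHIC or auth_len != MD5_DIGEST_LEN:
        return False, "authentication type mismatch"
    if length != len(data) - MD5_DIGEST_LEN:
        return False, "length mismatch"
    if key_id not in keys:
        return False, f"unknown key ID {key_id}"
    if seq < last_seq:                # sequence numbers must never go backwards
        return False, "replayed (sequence number went backwards)"
    packet, received = data[:length], data[length:]
    expected = hashlib.md5(packet + padded_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, received):
        return False, "bad digest"
    return True, "ok"


# Constructed Hello body: mask /24, hello 10 s, options, priority 1, dead 40 s, DR, BDR.
HELLO_BODY = struct.pack("!4sHBBI4s4s", ipaddress.IPv4Address("255.255.255.0").packed,
                         10, 0x02, 1, 40, b"\x00" * 4, b"\x00" * 4)
KEYS = {1: b"secret"}   # what "ip ospf message-digest-key 1 md5 secret" installs


def demo() -> Tuple[bool, bool, bool]:
    good = build_md5_packet(OSPF_HELLO, "1.1.1.1", "0.0.0.0", HELLO_BODY, 1, 100, b"secret")
    ok_good, _ = verify_md5_packet(good, KEYS, last_seq=99)
    tampered = good[:30] + bytes([good[30] ^ 0x01]) + good[31:]   # flip one bit in the body
    ok_tampered, _ = verify_md5_packet(tampered, KEYS, last_seq=99)
    ok_replay, _ = verify_md5_packet(good, KEYS, last_seq=101)    # older than last seen
    return ok_good, ok_tampered, ok_replay


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```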

OSPF route summarization
Unlike EIGRP, OSPF doesn’t support automatic summarization. Also, unlike EIGRP, where you can summarize routes on every router in an EIGRP network, OSPF can summarize routes only on ABRs and ASBRs. Route summarization helps minimize OSPF traffic and reduces route computation. The following command is used for summarization in OSPF:
(config-router) area AREA_ID range IP_ADDRESS SUBNET_MASK
To better understand OSPF summarization, consider the following example:

In the example above we have a network of three routers and two hosts. All three routers are running OSPF and are exchanging information. Before OSPF summarization is configured, the router R3 inside area 1 has two entries for the subnets 10.0.0.0/24 and 10.0.1.0/24 in its routing table:

We can summarize these two subnets on R2 so that R3 would have only one route for both subnets. To do that, the following command can be used on R2:

Now, R3 will have only a single entry in its routing table for R1’s directly connected subnets:

Be careful when summarizing routes. In this case, the router R3 thinks that R2 has routes for all subnets in the range 10.0.0.0 - 10.0.255.255. When summarizing, try to be as specific as possible.
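The caveat above, worked through as an added Python example that is not from the book: it computes the tightest summary that still covers R1’s two subnets and counts how many addresses a broader range such as 10.0.0.0/16 claims without owning. The area number in the rendered command and the /16 comparison value are assumptions.

```python
import ipaddress
from typing import Iterable, List


def tightest_summary(prefixes: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that covers every given subnet."""
    nets: List[ipaddress.IPv4Network] = [ipaddress.IPv4Network(p) for p in prefixes]
    summary = nets[0]
    # Widen the candidate one bit at a time until every subnet falls inside it.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def overclaimed_addresses(summary: str, prefixes: Iterable[str]) -> int:
    """Number of addresses the summary advertises that no real subnet covers."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    agg = ipaddress.IPv4Network(summary)
    covered = sum(n.num_addresses for n in nets if n.subnet_of(agg))
    return agg.num_addresses - covered


def area_range_command(area_id: int, summary: ipaddress.IPv4Network) -> str:
    """Render the IOS "area AREA_ID range IP_ADDRESS SUBNET_MASK" line."""
    return f"area {area_id} range {summary.network_address} {summary.netmask}"


# R1's directly connected subnets from the example in the text.
R1_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24"]

if __name__ == "__main__":
    best = tightest_summary(R1_SUBNETS)
    print(area_range_command(0, best))                        # area 0 range 10.0.0.0 255.255.254.0
    print(overclaimed_addresses("10.0.0.0/16", R1_SUBNETS))   # 65024
```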

Chapter 13 - Layer 2 switching
Layer 2 switching
How switches learn MAC addresses
How switches forward frames
Port security feature
Assign the switch IP address
Assign static MAC address

Layer 2 switching
Layer 2 switching (also known as Data Link layer switching) is the process of using devices’ MAC addresses to decide where to forward frames in a LAN. Layer 2 switching is efficient because there is no modification to the data packet, only to the frame encapsulation of the packet. In a typical LAN, all computers are connected to one central device. In the past, the device was usually a hub. But hubs have many disadvantages: they are not aware of the traffic that passes through them, they create only a single collision domain, etc. To overcome these problems, bridges were created. They were better than hubs because they created multiple collision domains, but they had a limited number of ports. Finally, switches were created and are still widely used in modern LANs. Switches have more ports than bridges and can inspect incoming traffic and make forwarding decisions accordingly. Layer 2 switches are much faster than routers because they don’t take up time looking at the Network layer header information. Instead, they look at the frame’s hardware addresses to decide whether to forward, flood, or drop the frame. Here are the major advantages of Layer 2 switching:
Hardware-based bridging (using ASICs)
Wire speed
Low latency
Low cost
Switches usually perform these three functions:
Address learning - switches learn MAC addresses by examining the source MAC address of each frame received by the switch.
Forward/filter decisions - switches decide whether to forward or filter a frame, based on the destination MAC address.
Loop avoidance - switches use Spanning Tree Protocol (STP) to prevent network loops while still permitting redundancy.

How switches learn MAC addresses
As you probably already know, each network card has a unique identifier called a Media Access Control (MAC) address. MAC addresses are used in LANs for communication between devices on the same network segment. Devices that want to communicate need to know the MAC address of the other device before sending out packets. Switches also use MAC addresses to make accurate forwarding and filtering decisions. When the switch receives a frame, it associates the media access control (MAC) address of the sending device with the interface on which it was received. The table that stores such associations is known as the MAC address table. This table is stored in volatile memory, so the associations will be erased after the switch is restarted.

You can also enter a MAC address manually into the table. These static entries are retained even after the switch is rebooted. To better understand how switches learn MAC addresses, consider the following example:

When SW1 is first powered on, the MAC address table will be empty:

But, when Host A sends a frame to Host B, the switch will add Host A’s MAC address to its MAC address table, associating it with the interface Fa0/1. The switch will also learn Host B’s MAC address when Host B responds to Host A and associate it with the interface Fa0/2:

How switches forward frames
When a frame arrives at a switch interface, the switch looks for the destination hardware (MAC) address in its MAC table. If the destination MAC address is found in the table, the frame is sent out only the appropriate interface. The frame won’t be transmitted out any other interface. However, if the destination MAC address isn’t listed in the MAC table, then the frame will be sent (flooded) out all active interfaces, except the interface it was received on. If a device answers the flooded frame, the MAC table is then updated with the corresponding interface. We will explain the switch forwarding process using the following example network:

Host A is trying to communicate with Host B and sends a frame. The frame arrives at the switch, which looks for the destination MAC address in its MAC address table:

Since the MAC address is listed in the MAC address table, the switch forwards the frame only to the port that is connected to the frame’s destination (Fa0/2 in our case). Note, however, that if the MAC address were not found, the switch would flood the frame out all other ports (Fa0/2, Fa0/3, Fa0/4), except the port the frame was received on (Fa0/1). Host B would receive the flooded frame and respond to Host A. The switch would then receive this frame on the port Fa0/2 and place the source hardware address in its MAC address table.

Port security feature
All interfaces on a Cisco switch are turned on by default. This means that an attacker could connect his laptop to your network through a wall socket and potentially perform an attack on your network. Luckily, there is a feature on Cisco switches called port security that can help you mitigate the threat. With port security, you can associate specific MAC addresses with specific interfaces on your switch. This enables you to restrict access to an interface so that only the authorized devices can use it. If an unauthorized device is connected, you can decide the action that the switch will take, such as discarding the traffic, sending an alert, or shutting down the port. Three steps are required to configure port security:
defining the interface as an access interface using the switchport mode access interface subcommand.
enabling port security using the switchport port-security interface subcommand.
defining which MAC addresses are allowed to send frames through this interface using the switchport port-security mac-address MAC_ADDRESS interface subcommand or the switchport port-security mac-address sticky interface subcommand. The sticky keyword instructs the switch to dynamically learn the MAC address of the currently connected host.
Two steps are optional:
defining the action that the switch will take when a frame from an unauthorized device is received. This is done using the switchport port-security violation {protect | restrict | shutdown} interface subcommand. All three options discard the traffic from the unauthorized device. The restrict and shutdown options send a log message when a violation occurs. Shutdown mode also shuts down the port.
defining the maximum number of MAC addresses that can be received on the port using the switchport port-security maximum NUMBER interface subcommand.
Here is a simple example:

Host A is connected to Fa0/1 on SW1. To enable port security on Fa0/1, we need to define the port as an access port, enable port security and define which MAC addresses are allowed to send frames through this interface. We can do this with the following set of commands:

Using the show port-security interface fa0/1 command on SW1, we can see that the switch has learned the MAC address of Host A:

By default, the maximum number of allowed MAC addresses is one. Consider what happens if we connect a different host to the same port:

By default, if a security violation occurs, the switch will shut down the offending port. In the picture above, you can see the status code of err-disabled on Fa0/1, which means that a security violation has occurred on the port. To re-enable the port, you need to enter the shutdown and no shutdown interface subcommands.
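The learning, forwarding and port-security behaviour described in the last three sections, as an added example that is not the book’s own: a toy switch in Python that learns source MAC addresses, forwards or floods, and applies the port-security maximum and the three violation modes, including the err-disabled state and its recovery. Port names and MAC addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class PortSecurity:
    enabled: bool = False          # switchport port-security
    maximum: int = 1               # switchport port-security maximum NUMBER (default 1)
    violation: str = "shutdown"    # protect | restrict | shutdown (default shutdown)
    sticky: bool = False           # mac-address sticky: learned addresses are kept in config
    secure_macs: Set[str] = field(default_factory=set)  # static plus learned secure MACs


@dataclass
class Port:
    name: str
    security: PortSecurity = field(default_factory=PortSecurity)
    err_disabled: bool = False
    violation_count: int = 0


class Switch:
    """Toy Layer 2 switch: MAC learning, forward/filter/flood, and port security."""

    def __init__(self, port_names: List[str]) -> None:
        self.ports: Dict[str, Port] = {n: Port(n) for n in port_names}
        self.mac_table: Dict[str, str] = {}   # MAC address -> port name (volatile)
        self.log: List[str] = []

    def _port_security_allows(self, port: Port, src: str) -> bool:
        sec = port.security
        if not sec.enabled or src in sec.secure_macs:
            return True
        if len(sec.secure_macs) < sec.maximum:
            sec.secure_macs.add(src)          # learned as a secure address (sticky or dynamic)
            return True
        # Violation: every mode discards the frame; restrict and shutdown also log it.
        if sec.violation in ("restrict", "shutdown"):
            port.violation_count += 1
            self.log.append(f"port-security violation on {port.name} by {src}")
        if sec.violation == "shutdown":
            port.err_disabled = True          # port stays err-disabled until shut/no shut
        return False

    def receive(self, in_port: str, src: str, dst: str) -> List[str]:
        """Process one frame; return the egress port list (empty means discarded)."""
        port = self.ports[in_port]
        if port.err_disabled or not self._port_security_allows(port, src):
            return []
        self.mac_table[src] = in_port                       # address learning
        if dst in self.mac_table:                           # known unicast: forward
            out = self.mac_table[dst]
            return [] if out == in_port else [out]          # same port: filter
        return [p for p, pt in self.ports.items()            # unknown: flood
                if p != in_port and not pt.err_disabled]

    def recover(self, port_name: str) -> None:
        """Model "shutdown" followed by "no shutdown" on an err-disabled port."""
        self.ports[port_name].err_disabled = False


def demo() -> dict:
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    host_a, host_b, rogue = "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", "cccc.cccc.cccc"  # constructed
    # Fa0/1: port-security, maximum 1, mac-address sticky, default violation shutdown.
    sw.ports["Fa0/1"].security = PortSecurity(enabled=True, maximum=1, sticky=True)
    result = {}
    result["flood"] = sw.receive("Fa0/1", host_a, host_b)       # unknown destination: flooded
    result["reply"] = sw.receive("Fa0/2", host_b, host_a)       # Host A is already learned
    result["unicast"] = sw.receive("Fa0/1", host_a, host_b)     # both known: one port only
    result["rogue"] = sw.receive("Fa0/1", rogue, host_b)        # second MAC on Fa0/1: violation
    result["err_disabled"] = sw.ports["Fa0/1"].err_disabled
    result["while_down"] = sw.receive("Fa0/1", host_a, host_b)  # nothing passes while err-disabled
    sw.recover("Fa0/1")                                         # shutdown / no shutdown
    result["restored"] = sw.receive("Fa0/1", host_a, host_b)
    result["secure_macs"] = sorted(sw.ports["Fa0/1"].security.secure_macs)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```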

Assign the switch IP address
By default, Cisco switches perform Ethernet frame forwarding without any configuration. This means that you can buy a Cisco switch, plug in the right cables to connect various devices to the switch, power it on, and the switch should work. However, to perform switch management over the network or use protocols such as SNMP, your switch will need to have an IP address. The IP address is configured under a logical interface, known as the management domain or VLAN. Usually, the default VLAN 1 acts like the switch’s own NIC for connecting into a LAN to send IP packets. Here are the steps to configure an IP address under VLAN 1:
enter the VLAN 1 configuration mode with the interface vlan 1 global configuration command.
assign an IP address with the ip address IP_ADDRESS SUBNET_MASK interface subcommand.
enable the VLAN 1 interface with the no shutdown interface subcommand.
(Optional) use the ip default-gateway IP_ADDRESS global configuration command to configure the default gateway.
(Optional) add the ip name-server IP_ADDRESS global configuration command to configure the DNS server.
Here is a simple example:

We have a simple network of a single host and a switch. We can assign an IP address to the switch to enable IP communication between the two devices:

To verify the IP address set on a switch, we can use the show int vlan 1 command:

We can now ping SW1 from Host A:

Assign static MAC address
Although Cisco switches dynamically build the MAC address table by using the source MAC address of the received frames, you can also specify a static address to add to the MAC address table. The static MAC entries are retained even if the switch is restarted. To configure a static MAC address, the following command is used:
mac-address-table static MAC_ADDRESS vlan ID interface INTERFACE
For example, the following set of commands will assign the MAC address of 1111.1111.1111 permanently to the interface Fa0/2, VLAN 1:
To verify the configuration, we can use the show mac address-table command:

To delete the static entry from the MAC address table, re-enter the command with the keyword no in front of the command.

Chapter 14 - VLANs
VLANs explained
Access and trunk ports explained
Frame tagging explained
Inter-Switch Link (ISL) overview
802.1q overview
Configure VLANs
Configure trunk ports
Configure allowed VLANs on trunk
Routing between VLANs
Configure router on a stick

VLANs explained
VLANs (Virtual LANs) are logical groupings of devices in the same broadcast domain. VLANs are configured on switches by placing some interfaces into one broadcast domain and some interfaces into another. VLANs can be spread across multiple switches. Each VLAN is treated like its own subnet or broadcast domain, which means that frames broadcast onto the network are only switched between the ports within the same VLAN. Here are the main reasons why you should use VLANs in your network:
VLANs increase the number of broadcast domains while decreasing their size.
VLANs reduce security risks by reducing the number of hosts that receive copies of frames that the switches flood.
you can keep hosts that hold sensitive data on a separate VLAN to improve security.
you can create more flexible network designs that group users by department instead of by physical location.
network changes are achieved with ease by just configuring a port into the appropriate VLAN.
To understand the benefits of using VLANs in a network, consider the following topology:

As you can see from the picture above, we have a network of two switches and six hosts. All hosts are in the same VLAN, namely VLAN 1. A broadcast sent from Host A will reach all devices on the network, creating unnecessary traffic and increasing the security risk. We can create VLANs on both switches and place the interfaces accordingly. This will ensure that broadcasts are received only by hosts inside the same VLAN:

To reach hosts in another VLAN, a router is needed.

Access and trunk ports explained
Each port on a Cisco switch can be configured as either an access or a trunk port. The type of a port specifies how the switch determines the incoming frame’s VLAN. Here is a description of these two port types:
access port - a port that can be assigned to a single VLAN. The frames that arrive on an access port are assumed to be part of the access VLAN. This port type is configured on switch ports that are connected to devices with a normal network card, for example a host on a network.
trunk port - a port that is connected to another switch. This port type can carry traffic of multiple VLANs, thus allowing you to extend VLANs across your entire network. Frames are tagged by assigning a VLAN ID to each frame as they traverse between switches.
The following picture illustrates the difference between access and trunk ports:

As you can see from the picture above, the ports on the switches that connect to hosts are configured as access ports. The ports between switches are configured as trunk ports.

Frame tagging explained
Frame tagging is used to identify the VLAN that the frame belongs to in a network with multiple VLANs. The VLAN ID is placed on the frame when it reaches a switch from an access port, which is a member of a VLAN. That frame can then be forwarded out the trunk link port. Each switch can see what VLAN the frame belongs to and can forward the frame to the corresponding VLAN access ports or to another VLAN trunk port. Before forwarding a tagged frame to an end host, the switch will remove the VLAN ID and the VLAN membership information, since end host devices don’t understand tagging. Two trunking protocols are usually used today for frame tagging:
Inter-Switch Link (ISL) - Cisco’s proprietary VLAN tagging protocol.
IEEE 802.1q - IEEE’s VLAN tagging protocol. Since it is an open standard, it can be used for tagging between switches from different vendors.
Consider the following example to understand the concept of frame tagging:

There are two VLANs in the topology pictured above: VLAN 5 and VLAN 10. Host C sends a broadcast packet to switch SW1. Switch SW1 receives the packet, tags the packet with the VLAN ID of 5 and sends it to SW2. SW2 receives the packet, looks at the VLAN ID, and forwards the packet only out the port in VLAN 5. Host A and Host B will not receive the packet because they are in a different VLAN (VLAN 10).

Inter-Switch Link (ISL) overview
Inter-Switch Link (ISL) is a Cisco proprietary protocol for frame tagging. Since it is a proprietary protocol, it can be used only between Cisco switches. It supports up to 1000 VLANs and can be used over Fast Ethernet and Gigabit Ethernet links only. ISL works by encapsulating an Ethernet frame in an ISL header and trailer. The encapsulated frame remains unchanged. The VLAN ID is included in the ISL header. Original frame:

ISL encapsulates the frame:

ISL is considered to be deprecated, and some newer Cisco switches don’t even support it. 802.1q is commonly used instead.

802.1q overview
802.1q is a VLAN tagging protocol developed by the IEEE (Institute of Electrical and Electronics Engineers). Since it is an open standard, it can be used between switches from different vendors, so if you’re trunking between a Cisco switch and a different brand of switch, you can use 802.1q for the trunk to work. Unlike ISL, which encapsulates the whole frame in an ISL header and trailer, 802.1q inserts an extra 4-byte 802.1q VLAN field into the original frame’s Ethernet header. The 802.1q field includes a 12-bit VLAN ID field, which specifies the VLAN to which the frame belongs. An 802.1q tagged frame can carry information for 4,094 VLANs. Original frame:

802.1Q frame:

802.1q defines one special VLAN ID on each trunk as the native VLAN (by default VLAN 1). 802.1q does not add an 802.1Q header to frames in the native VLAN. When the switch on the other side of the trunk receives a frame that does not have an 802.1q header, the receiving switch knows that the frame is part of the native VLAN. Because of this behavior, both switches must agree on which VLAN is the native VLAN.
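The tag layout and native VLAN behaviour above, as an added Python example that is not from the book: inserting and removing the 4-byte 802.1q tag, classifying an untagged frame as native VLAN traffic, and showing what goes wrong when the two ends of a trunk disagree on the native VLAN. The sample frame and VLAN numbers are constructed.

```python
import struct
from typing import Tuple

TPID_8021Q = 0x8100   # Tag Protocol Identifier that marks an 802.1q tag
TAG_OFFSET = 12       # the tag is inserted after the 6-byte destination and source MACs


def tag_frame(frame: bytes, vlan_id: int, native_vlan: int = 1, pcp: int = 0) -> bytes:
    """Trunk egress: insert a 4-byte 802.1q tag, or send untagged on the native VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (12-bit field; 0 and 4095 are reserved)")
    if vlan_id == native_vlan:
        return frame                        # native VLAN frames cross the trunk untagged
    tci = (pcp & 0x7) << 13 | vlan_id       # TCI: PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:TAG_OFFSET] + struct.pack("!HH", TPID_8021Q, tci) + frame[TAG_OFFSET:]


def classify_frame(frame: bytes, native_vlan: int = 1) -> Tuple[int, bytes]:
    """Trunk ingress: return (VLAN ID, frame with the tag removed)."""
    if len(frame) >= TAG_OFFSET + 4 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:TAG_OFFSET] + frame[TAG_OFFSET + 4:]
    return native_vlan, frame               # no tag present: assumed to be the native VLAN


# Constructed Ethernet frame: destination MAC, source MAC, EtherType 0x0800 (IPv4), payload.
FRAME = bytes.fromhex("bbbbbbbbbbbb" "aaaaaaaaaaaa" "0800") + b"payload"


def demo() -> dict:
    tagged = tag_frame(FRAME, 5)                          # VLAN 5 gets a tag
    vid, untagged = classify_frame(tagged)                # the other switch reads VLAN 5 back
    native = tag_frame(FRAME, 1)                          # VLAN 1 is native: no tag added
    # Mismatch: the sender treats VLAN 1 as native, the receiver treats VLAN 99 as native,
    # so an untagged VLAN 1 frame is silently placed into VLAN 99.
    wrong_vid, _ = classify_frame(native, native_vlan=99)
    return {"tag_len": len(tagged) - len(FRAME), "vid": vid, "roundtrip": untagged == FRAME,
            "native_len": len(native) - len(FRAME), "mismatch_vid": wrong_vid}


if __name__ == "__main__":
    print(demo())
    # {'tag_len': 4, 'vid': 5, 'roundtrip': True, 'native_len': 0, 'mismatch_vid': 99}
```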

Configure VLANs
By default, all ports on a Cisco switch are assigned to VLAN 1. VLAN 1 is the native VLAN of all Cisco switches and it cannot be changed, deleted, or renamed. To verify that indeed all ports on a switch are in VLAN 1 by default, you can use the show vlan command:

In the picture above you can see that all of the 24 ports on the switch are in the VLAN 1. It’s really easy to create a VLAN on a Cisco switch. Simply use the vlan ID command from the global configuration mode. You can also optionally use the name VLAN_NAME command from the VLAN submode to name your VLAN:

After you’ve created a new VLAN, you can configure a port to belong to that VLAN with the switchport access vlan ID interface submode command. It is also recommended to configure the port as an access (non-trunk) port using the switchport mode access command:

In the picture above you can see that the Fa0/5 port on SW1 was configured as an access port and assigned to VLAN 2. To verify this, you can use the show vlan command again:

Configure trunk ports

To enable inter-switch VLAN communication, you need to configure the switches to use VLAN trunking on the links between them. To configure a trunk port, the switchport mode trunk interface mode command is used. This type of interface can carry traffic of multiple VLANs. If your switches support both ISL and 802.1q frame tagging protocols, you also need to use the switchport trunk encapsulation {dot1q | isl} command to define the type of trunking. Consider the following example:

Ports Fa0/10 and Fa0/11 on SW1 and Fa0/5 and Fa0/6 on SW2 are connected to end hosts and should be configured as access ports. However, the link between the switches needs to carry traffic of multiple VLANs and must be configured as a trunk. Here is how we can configure ports on SW1 and SW2 to support trunking:

SW1:

SW2:

Now the link between SW1 and SW2 can carry traffic from both VLANs, VLAN 5 and VLAN 10. You can verify that an interface is indeed a trunk interface by using the show interface Fa0/1 switchport command on SW1:

Because the switches we’ve used in the example above don’t support the Inter-Switch Link (ISL) protocol, there was no need to define the type of trunking with the switchport trunk encapsulation {dot1q | isl} command. 802.1q is the only supported trunking protocol on newer Cisco devices.

Configure allowed VLANs on trunk

By default, all VLANs are allowed across the trunk link. We can verify that using the show interfaces trunk command:

You can prevent traffic from certain VLANs from traversing a trunked link using the following interface mode command:

switchport trunk allowed vlan {add | all | except | remove} vlan-list

For example, to prevent traffic from VLAN 5 from traversing the trunk link, you can use the following command:

To verify that the traffic from VLAN 5 will indeed be blocked from traversing a trunked link, use the show interfaces trunk command again:

The all option in the switchport trunk allowed vlan command means all VLANs, so you can use it to reset the switch to its original default setting (permitting all VLANs on the trunk).

Routing between VLANs

Each VLAN is its own subnet and broadcast domain, which means that frames broadcast onto the network are only switched between the ports within the same VLAN. For inter-VLAN communication, a layer 3 device (usually a router) is needed. This layer 3 device needs to have an IP address in each subnet (VLAN) and have a connected route to each of those subnets. The hosts in each subnet can use the router’s IP addresses as their default gateway. Three options are available for routing between VLANs:

1. Use a router, with one router LAN interface connected to the switch for each and every VLAN. Since you need one Ethernet interface on your router to connect to each VLAN, this option is not really scalable and is rarely used today.

2. Use one router interface with trunking enabled. This option is called router on a stick (ROAS) and allows all VLANs to communicate through a single interface.

3. Use a Layer 3 switch, a device that performs both the switching and routing operations.

Configure router on a stick

To enable inter-VLAN communication, you can divide a single physical interface on a router into logical interfaces that will be configured as trunk interfaces. This scenario is called router on a stick (ROAS) and allows all VLANs to communicate through a single physical interface. The physical interface is divided into logical interfaces (also known as subinterfaces), one for each VLAN. A subinterface is created with the interface TYPE NUMBER.SUBINTERFACE command. The subinterface number begins with the period and is usually the same as the VLAN the subinterface will be in. For example, the command interface Gi0/0.1 creates a subinterface .1 under the physical Gi0/0 port. To configure trunking on a router, the following commands are used:

(config)# interface TYPE NUMBER.SUBINTERFACE - creates the subinterface and enters the subinterface command mode.
(config-subif)# encapsulation dot1q VLAN_ID - sets the subinterface to trunk and associates it with a specific VLAN.
(config-subif)# ip address IP_ADDRESS SUBNET_MASK - sets the IP address for the subinterface.

Consider the following example network:

We have a simple network of three hosts, a switch and a router. Each host is in a different VLAN, so we need to divide the router’s physical interface Fa0/0 into logical interfaces, one for each VLAN. But first, here is the switch configuration:

Notice how we’ve configured the Fa0/1 port on a switch (the port connected to the router’s Fa0/0 interface) as a trunk port. Now, let’s configure the router:

In the picture above you can see that the router’s physical interface Fa0/0 was divided into three subinterfaces that were then configured as trunk interfaces and given IP addresses.

Chapter 15 - VLAN Trunking Protocol (VTP)

VLAN Trunking Protocol (VTP) overview
VTP modes explained
Configure VTP

VLAN Trunking Protocol (VTP) overview

VTP (VLAN Trunking Protocol) is a Cisco proprietary messaging protocol used by Cisco switches to exchange VLAN information. VTP synchronizes VLAN information (such as VLAN ID or VLAN name) with switches inside the same VTP domain, which greatly simplifies network administration. A VTP domain is simply a set of trunked switches with matching VTP settings (domain name, password and VTP version). All switches inside the same VTP domain share their VLAN information with each other. To better understand the benefit of using VTP in your network, consider an example network with 100 switches. Without VTP, to create a VLAN on each switch, you would have to manually enter the VLAN creation commands on each switch! VTP enables you to create the VLAN only on a single switch. That switch can then propagate information about that VLAN to each switch in the same VTP domain, and cause other switches to create that VLAN too. Likewise, if you want to delete a VLAN, you only need to delete it on a single switch, and the change is automatically propagated to every other switch inside the same VTP domain. The following network topology explains the concept more thoroughly.

In the picture above you can see a network of three switches. We have created a new VLAN on SW1. SW1 sends a VTP update to SW2, which in turn sends its VTP update to SW3. Now all three switches should have the same VLAN created. VLAN Trunking Protocol (VTP) is somewhat confusingly named, since it doesn’t provide VLAN trunking capabilities. Remember that VTP isn’t used for trunking - protocols such as 802.1q and ISL enable trunking.

VTP modes explained

Each Cisco switch can operate in one of three VTP modes:

VTP server mode - the default mode for Cisco switches. A switch operating in this mode can create, modify, and delete VLANs. You can also specify other VTP configuration parameters on a VTP server, such as VTP version and VTP pruning, for the entire VTP domain. A VTP server switch will propagate VLAN changes. To configure a switch as a VTP server, use the vtp mode server global configuration command.

VTP client mode - a switch operating in this mode can’t change its VLAN configuration. You cannot create, change, or delete VLANs on a VTP client. Received VTP updates will be processed and forwarded. To configure a switch as a VTP client, use the vtp mode client global configuration command.

VTP transparent mode - a switch operating in this mode doesn’t participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements, but it does forward received VTP advertisements. You can create and delete VLANs on a VTP transparent switch, but the changes will not be sent to other switches. To configure a switch to use the VTP transparent mode, use the vtp mode transparent global configuration command. You can’t completely disable VTP on Cisco switches; the best you can do to disable VTP is to place your switch in the VTP transparent mode.

Configure VTP

With VTP, it is possible to make configuration changes centrally on one or more switches and have those changes automatically advertised to all the other switches in the same VTP domain. In a typical LAN, some switches are configured as VTP servers and other switches are configured as VTP clients. A VLAN created on a VTP server switch is automatically advertised to all switches inside the same VTP domain. To exchange VTP messages, the following requirements must be met:

a switch has to be configured as either a VTP server or a VTP client.
the VTP domain name has to be the same on both switches.
VTP versions have to match.
if present, the VTP domain password has to be the same.
the link between the switches has to be configured as a trunk link.

Consider the following example network:

We have a network of three switches connected via trunk links. On SW1, we will configure the VTP domain name using the vtp domain NAME command and the VTP password using the vtp password PASSWORD command:

The default VTP mode on Cisco switches is the server mode, so the command vtp mode server wasn’t needed in the SW1 configuration pictured above. Now we need to configure SW2 and SW3 as VTP clients. We can do it using the following set of commands:

The configuration on SW3 looks similar:

Now, when we create a new VLAN (VLAN 30) on SW1, the VTP update should be sent to SW2 and SW3. The new VLAN should be created automatically on SW2 and SW3:

On SW1, we will create a new VLAN:

SW2 and SW3 will create VLAN 30 automatically. We can use the show vlan command on both switches to verify this:

SW2:

SW3:

To display the VTP configuration information, you can use the show vtp status command:

Chapter 16 - Access Control Lists (ACLs)

What is ACL (Access Control List)?
Standard ACLs
Extended ACLs

What is ACL (Access Control List)?

An Access Control List (ACL) is a set of rules that is usually used to filter network traffic. ACLs can be configured on network devices with packet filtering capabilities, such as routers and firewalls. ACLs contain a list of conditions that categorize packets and help you determine when to allow or deny network traffic. They are applied on a per-interface basis to packets leaving or entering an interface. Two types of ACLs are available on a Cisco device:

standard access lists - allow you to evaluate only the source IP address of a packet. Standard ACLs are not as powerful as extended access lists, but they are less CPU intensive for the device.
extended access lists - allow you to evaluate the source and destination IP addresses, the type of Layer 3 protocol, source and destination port, and other parameters. Extended ACLs are more complex to configure and require more CPU time than standard ACLs, but they allow a more granular level of control.

To understand the benefits of using ACLs in your network, consider the following network topology:

Let’s say that Server holds some important documents that need to be available only to the administrator. We can configure an access list on R1 to enable access to Server only for the administrator’s workstation. Any other traffic going to Server will be blocked. This way, we can ensure that only authorized users can access sensitive files on Server. ACLs are not used exclusively for packet filtering. They are also used to match packets for Network Address Translation (NAT), to match packets to make quality of service (QoS) decisions, and for other purposes.

Standard ACLs

Standard access control lists (ACLs) allow you to evaluate only the source IP address of a packet. Standard ACLs are not as powerful as extended access lists and can’t distinguish between the types of IP traffic, but they are less CPU intensive for the device. Before configuring standard ACLs, here are a few things to keep in mind when working with ACLs (both standard and extended):

ACLs can contain multiple statements. The packet is always compared with each line of the access list in sequential order: it starts with the first line of the access list, moves on to line 2, then line 3, etc.
The packet is compared with lines of the access list only until a match is made. Once the condition is met, the packet is acted upon and no further comparisons take place.
There is an implicit deny all at the end of each access list. This means that if a packet doesn’t match the condition on any of the lines in the access list, the packet will be discarded.
ACLs need to be applied to an interface on the device where you want the traffic filtered. You must also specify which direction of traffic you want the access list applied to. Two directions are available:
inbound - the ACL is applied to the traffic coming into the interface.
outbound - the ACL is applied to the traffic leaving the interface.

To create a standard access list, the following command is used in the router’s global configuration mode:

R1(config)# access-list ACL_NUMBER permit|deny IP_ADDRESS WILDCARD_MASK

The ACL number for standard ACLs has to be between 1–99 or 1300–1999. You can also use the host keyword to specify the host you want to permit or deny:

R1(config)# access-list ACL_NUMBER permit|deny host IP_ADDRESS

Once the access list is created, it needs to be applied to an interface. You do that by using the ip access-group ACL_NUMBER in|out interface subcommand. The in keyword specifies that the ACL will be applied to the traffic coming into the interface, while the out keyword specifies that the ACL will be applied to the traffic leaving the interface. Let’s now configure standard ACLs. Consider the following network topology:

Server (192.168.0.5/24) holds some important documents that need to be available only to the administrator (10.0.0.5/24). We can configure an access list on R1 to enable access to Server only for the administrator’s workstation. Any other traffic going to Server should be blocked. First, we need to allow traffic from the administrator’s workstation to Server. We can use the following command on R1:

The command above permits traffic from the administrator’s IP address (10.0.0.5). We will deny access to the user with the IP address of 172.16.0.10 using the following command:

Next, we need to apply the access list to an interface. It is recommended to place standard access lists as close to the destination as possible. In our case, this is the Fa0/1 interface on R1. Since we want to evaluate all packets trying to exit out Fa0/1, we will specify the outbound direction:

The command above will force the router to evaluate all packets trying to exit out Fa0/1. If the administrator tries to access Server, the traffic will be allowed, because of the first statement (access-list 1 permit 10.0.0.5 0.0.0.0). However, if User tries to access Server, the traffic will be forbidden because of the second ACL statement (access-list 1 deny 172.16.0.10 0.0.0.0). Remember, standard ACLs evaluate only the source IP address of a packet. At the end of each ACL there is an implicit deny all statement. That means that all traffic not specified in earlier ACL statements will be forbidden.

Extended ACLs

Extended ACLs allow you to be more precise in your packet filtering. You can evaluate the source and destination IP addresses, the type of layer 3 protocol, source and destination ports, and other parameters. Extended access lists are harder to configure and require more processor time than standard access lists, but they enable a much more granular level of control. Two steps are required to configure extended ACLs:

1. configure an extended ACL using the following command:

R1(config)# access-list ACL_NUMBER permit|deny PROTOCOL SOURCE_ADDRESS WILDCARD_MASK [PROTOCOL_INFORMATION] DESTINATION_ADDRESS WILDCARD_MASK [PROTOCOL_INFORMATION]

2. apply the access list to an interface using the following command:

R1(config-if)# ip access-group ACL_NUMBER in|out

Extended access list numbers are in the ranges from 100 to 199 and from 2000 to 2699. To better understand the usefulness of extended ACLs, consider the following example.

We want to give the administrator’s workstation (10.0.0.1/24) unrestricted access to Server (192.168.0.1/24). We will also deny the user’s workstation (10.0.0.2/24) any type of access. First, we will create a statement that will permit the administrator’s workstation access to Server:

Now, we need to create a statement that will deny the user’s workstation access to Server:

Lastly, we need to apply the access list to the Fa0/0 interface on R1:

You should always place extended ACLs as close to the source as possible. The command above will force the router to evaluate all packets trying to enter Fa0/0. If the administrator tries to access Server, the traffic will be allowed, because of the first statement. However, if User tries to access Server, the traffic will be forbidden because of the second ACL statement.

What if we need to allow traffic to Server only for certain services? For example, what if Server was a web server and users should be able to access the web pages stored on Server? Well, we can allow traffic to Server only on certain ports (in this case, port 80), and deny any other type of traffic. Consider the following example:

On the right side, we have a Server that serves as a web server, listening on port 80. We need to permit User to access web sites on S1 (port 80), but we also need to deny any other type of access. First, we need to allow traffic from User to port 80 on Server. We can do that using the following command:

By using the tcp keyword, we can filter packets by source and destination ports. In the example above, we have permitted traffic from 10.0.0.2 to 192.168.0.1 on port 80. The last part of the statement, eq 80, specifies the destination port of 80. Since at the end of each access list there is an implicit deny all statement, we don’t need to define any more statements. After applying the access list, all traffic not originating from 10.0.0.2 and going to 192.168.0.1:80 will be denied. We need to apply our access list to the interface:

We can verify whether our configuration was successful by trying to access Server from the User’s workstation using different types of traffic. For example, ping will fail:

Telnet to port 21 will fail:

However, we will be able to access Server on port 80 using our browser:
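The matching rules from both the standard and the extended ACL sections (wildcard masks, top-down first match, implicit deny at the end) in one added Python example, not from the book. It re-creates access-list 1 from the standard section and the web-only extended list from this section; the extended list’s number (100), the packet representation and the sample packets are assumptions made for the example.

```python
"""Simplified evaluator for Cisco-style standard and extended ACLs (added example).

A wildcard bit of 1 means 'ignore this bit', 0 means 'must match', so 0.0.0.0
matches exactly one host and 0.0.0.255 matches a /24. Entries are compared
top-down and the first match decides; no match means the implicit deny.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits the ACL cares about
    return (a & care) == (b & care)


@dataclass
class Packet:                       # constructed packet model, enough for ACL matching
    src: str
    dst: str
    protocol: str                   # "ip", "tcp", "udp", "icmp"
    dst_port: Optional[int] = None


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: str
    src_wild: str
    protocol: str = "ip"            # standard ACLs look at the source only
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"   # "any"
    eq_port: Optional[int] = None   # the 'eq PORT' destination-port matcher

    @classmethod
    def host(cls, action: str, ip: str) -> "Entry":
        """'host IP' is shorthand for 'IP 0.0.0.0'."""
        return cls(action, ip, "0.0.0.0")

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wild):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wild):
            return False
        if self.eq_port is not None and pkt.dst_port != self.eq_port:
            return False
        return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; otherwise the implicit deny all applies."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Standard ACL 1 from the chapter (applied outbound on R1 Fa0/1)
ACL_1 = [
    Entry.host("permit", "10.0.0.5"),       # the administrator
    Entry.host("deny", "172.16.0.10"),      # User; the implicit deny would catch it too
]

# Extended ACL (number 100 assumed): only web traffic from User to Server
ACL_100 = [
    Entry("permit", "10.0.0.2", "0.0.0.0", protocol="tcp",
          dst="192.168.0.1", dst_wild="0.0.0.0", eq_port=80),
]


def standard_results() -> dict:
    return {
        "admin": evaluate(ACL_1, Packet("10.0.0.5", "192.168.0.5", "ip")),
        "user": evaluate(ACL_1, Packet("172.16.0.10", "192.168.0.5", "ip")),
        "other": evaluate(ACL_1, Packet("10.0.0.99", "192.168.0.5", "ip")),
    }


def extended_results() -> dict:
    # the three checks the chapter performs: browser works, ping and port 21 fail
    return {
        "http": evaluate(ACL_100, Packet("10.0.0.2", "192.168.0.1", "tcp", 80)),
        "ftp": evaluate(ACL_100, Packet("10.0.0.2", "192.168.0.1", "tcp", 21)),
        "ping": evaluate(ACL_100, Packet("10.0.0.2", "192.168.0.1", "icmp")),
    }


if __name__ == "__main__":
    print(standard_results())
    print(extended_results())
```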

Chapter 17 - Network Address Translation (NAT)

NAT definition
Static NAT configuration
Dynamic NAT
PAT configuration

NAT definition

NAT (Network Address Translation) is a process of changing the source and destination IP addresses and ports. The main goal of NAT is to limit the number of public IP addresses a company needs and to hide private network address ranges. The NAT process is usually done by routers or firewalls. NAT allows a host without a public, globally unique IPv4 address to communicate with other hosts on the Internet. The hosts might be using private addresses or even addresses assigned to another organization, which helps reduce the need for public IPv4 addresses. Here is an explanation of NAT:

Host A wants to access the server S1 on the Internet. Because Host A uses private IP addressing, the source address of the request has to be changed by the router, because private IP addresses are not routable on the Internet. Router R1 receives the request, changes the source IP address to its public IP address and sends the packet to the server on the Internet. Server S1 receives the packet and replies to router R1. Router R1 receives the packet, changes the destination IP address to the private IP address of Host A and sends the packet to Host A. There are three types of NAT:

1. Static NAT - translates one private IP address to a public one. The public IP address is always the same.
2. Dynamic NAT - private IP addresses are mapped to a pool of available public IP addresses.
3. Port Address Translation (PAT) - one public IP address is used for all internal devices, but a different port is assigned to each private IP address. This type is also known as NAT Overload.

Static NAT configuration

With static NAT, routers or firewalls translate one private IP address to one public IP address. Each private IP address is mapped to a single public IP address. This is the reason why this type of NAT is not used very often: it requires one public IP address for each private IP address. Three steps are required to configure static NAT:

1. configure the private/public IP address mapping using the ip nat inside source static PRIVATE_IP PUBLIC_IP command
2. configure the router’s inside interface using the ip nat inside command
3. configure the router’s outside interface using the ip nat outside command

Consider the following example:

Host A requests a web resource from S1. Host A uses its private IP address when sending the request to the router R1, which serves as a default gateway. Router R1 receives the request, changes the private IP address to the public one and sends the request to S1. S1 responds to R1. R1 receives the response, looks up in its NAT table and changes the destination IP address to the private IP address of Host A. Here is how we can configure static NAT in the example above:

The first command was used to configure a static mapping between Host A’s private IP address of 10.0.0.100 and router R1’s public IP address of 155.4.12.1. We then defined the inside and outside interfaces. To verify NAT, we can use the show ip nat translations command:

In the picture above, you can see that the translation has been made between the Host A’s private IP address (Inside local) to the R1’s public IP address (Inside global). Outside global represents an address of a host on the Internet. Outside local also represents the outside host.

Dynamic NAT

Unlike with static NAT, where you had to manually define a static mapping between a private and a public address, dynamic NAT allows you to map a private IP address to an IP address from a pool of public IP addresses. The router will dynamically pick an unassigned address from the pool. The dynamic entry will stay in the NAT translation table as long as traffic is exchanged. After a period of inactivity, the entry will time out and the global IP address will become available for new translations. With dynamic NAT, you specify two sets of addresses on your Cisco device:

the inside addresses that will be translated.
a pool of public IP addresses.

To configure dynamic NAT, the following commands are required:

1. configure the router’s inside interface using the ip nat inside command.
2. configure the router’s outside interface using the ip nat outside command.
3. configure an access list that has a list of the inside source addresses that should be translated.
4. configure the pool of global IP addresses using the ip nat pool NAME FIRST_IP LAST_IP netmask SUBNET_MASK command.
5. enable dynamic NAT with the ip nat inside source list ACL_NUMBER pool NAME global configuration command.

Consider the following example:

Host A requests a web resource from S1. Host A uses its private IP address when sending the request to router R1. Router R1 receives the request, changes the private IP address to one of the global addresses in the pool and sends the request to S1. S1 responds to R1. R1 receives the response, looks up the entry in its NAT table and changes the destination IP address to the private IP address of Computer A. Here is how we can configure dynamic NAT for the network pictured above. First, configure the router’s inside and outside NAT interfaces:

Next, we need to configure an ACL that has a list of the inside source addresses that will be translated:

Now we need to configure the pool of global (public) IP addresses:

The pool configured above consists of 3 addresses: 155.4.12.1, 155.4.12.2, and 155.4.12.3. Next, we need to enable dynamic NAT:

The command above tells the router to translate all addresses specified in the access list 1 to the pool of global addresses named MY POOL. To verify NAT, we can use the show ip nat translations command:

In the picture above, you can see that the translation has been made between Host A’s private IP address (Inside local) and the first available public IP address from the pool (Inside global). Just like static NAT, dynamic NAT is rarely used in today’s networks, unless it is for something like statically mapping a server to a public IP address.

PAT configuration

With Port Address Translation (PAT), one public IP address is used for all internal devices, but a different port is assigned to each private IP address. This type of NAT is also known as NAT Overload. This is the typical form of NAT used in today’s networks and is supported by most consumer-grade routers. PAT allows you to support many hosts with only a few public IP addresses. It works by creating a dynamic NAT mapping, in which a global (public) IP address and a unique port number are selected. The router keeps a NAT table entry for every unique combination of private IP address and port, with a translation to the global address and a unique port number. The following example will help you understand the concept behind PAT:

As you can see in the picture above, PAT used unique source port numbers on the inside global IP address to distinguish between translations. For example, if the host with the IP address of 10.0.0.101 wants to access S1 on the Internet, the host’s private IP address will be translated by R1 to 155.4.12.1:1056 and the request will be sent to S1. S1 will respond to 155.4.12.1:1056. R1 will receive that response, look it up in its NAT translation table, and forward the reply to the host. To configure PAT, the following commands are required:

1. configure the router’s inside interface using the ip nat inside command.
2. configure the router’s outside interface using the ip nat outside command.
3. configure an access list that has a list of the inside source addresses that should be translated.
4. enable PAT with the ip nat inside source list ACL_NUMBER interface TYPE overload global configuration command.

Here is how we would configure PAT for the network pictured above. First, we will define the outside and inside interfaces:

Next, we will define an access list that will include all private IP addresses we would like to translate:

Note that the access list defined above includes all IP addresses from the 10.0.0.0 - 10.0.0.255 range. Now we need to enable NAT and refer to the ACL created in the previous step and to the interface whose IP address will be used for translations:

To verify the NAT translations, we can use the show ip nat translations command:

Notice how the same IP address (155.4.12.1) has been used to translate two private IP addresses (10.0.0.100 and 10.0.0.101).
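Added Python example (not from the book) modelling the translation table for the three NAT types in this chapter: static, dynamic from a pool, and PAT/overload, including what happens to a reply with no table entry. Inside addresses and the 155.4.12.x pool follow the chapter’s figures; the S1 address, the port numbers and the order in which pool addresses are handed out are constructed.

```python
"""Toy NAT table for static, dynamic and PAT translations (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]          # (ip, port) as carried in a packet header

# Constructed address for the Internet server S1 (TEST-NET-3 documentation range)
S1: Flow = ("203.0.113.10", 80)


@dataclass
class Translation:
    inside_local: Flow          # host's private address:port
    inside_global: Flow         # address:port the Internet sees
    outside: Flow               # remote host; outside global == outside local here


@dataclass
class NatRouter:
    static: Dict[str, str] = field(default_factory=dict)   # ip nat inside source static
    pool: List[str] = field(default_factory=list)          # ip nat pool, free addresses
    overload_ip: Optional[str] = None                      # ... interface X overload
    bound: Dict[str, str] = field(default_factory=dict)    # dynamic: private -> pool ip
    table: Dict[Tuple[Flow, Flow], Translation] = field(default_factory=dict)
    next_port: int = 1024                                  # constructed PAT port counter

    def _global_ip(self, private_ip: str) -> str:
        """A static mapping wins; otherwise take (and keep) a free pool address."""
        if private_ip in self.static:
            return self.static[private_ip]
        if private_ip not in self.bound:
            if not self.pool:
                raise RuntimeError("pool exhausted and no overload configured")
            self.bound[private_ip] = self.pool.pop(0)
        return self.bound[private_ip]

    def outbound(self, src: Flow, dst: Flow) -> Flow:
        """Packet leaving via the 'ip nat outside' interface: rewrite the source
        and remember the mapping so the reply can be matched."""
        key = (src, dst)
        if key not in self.table:
            if self.overload_ip:                  # PAT: one IP, unique port per flow
                inside_global = (self.overload_ip, self.next_port)
                self.next_port += 1
            else:                                 # static/dynamic: IP changes, port kept
                inside_global = (self._global_ip(src[0]), src[1])
            self.table[key] = Translation(src, inside_global, dst)
        return self.table[key].inside_global

    def inbound(self, dst: Flow, src: Flow) -> Optional[Flow]:
        """Reply arriving from the Internet: restore the private destination.
        A flow with no table entry returns None, i.e. the packet is dropped."""
        for t in self.table.values():
            if t.inside_global == dst and t.outside == src:
                return t.inside_local
        return None


def static_demo() -> Translation:
    """ip nat inside source static 10.0.0.100 155.4.12.1"""
    r = NatRouter(static={"10.0.0.100": "155.4.12.1"})
    flow = ("10.0.0.100", 40000)
    r.outbound(flow, S1)
    return r.table[(flow, S1)]


def dynamic_demo() -> Dict[str, Optional[str]]:
    """Pool 155.4.12.1-155.4.12.3 serving four hosts: the fourth finds no address."""
    r = NatRouter(pool=["155.4.12.1", "155.4.12.2", "155.4.12.3"])
    out: Dict[str, Optional[str]] = {}
    for host in ["10.0.0.100", "10.0.0.101", "10.0.0.102", "10.0.0.103"]:
        try:
            out[host] = r.outbound((host, 50000), S1)[0]
        except RuntimeError:
            out[host] = None
    return out


def pat_demo() -> dict:
    """Two hosts using the same inside port still get distinct global ports."""
    r = NatRouter(overload_ip="155.4.12.1")
    g100 = r.outbound(("10.0.0.100", 1056), S1)
    g101 = r.outbound(("10.0.0.101", 1056), S1)
    return {"g100": g100, "g101": g101, "reply_to": r.inbound(g101, S1),
            "unknown": r.inbound(("155.4.12.1", 9999), S1)}


if __name__ == "__main__":
    print(static_demo())
    print(dynamic_demo())
    print(pat_demo())
```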

Chapter 18 - IPv6

IPv6 overview
IPv6 address format
IPv6 address types
IPv6 global unicast address
IPv6 unique local address
IPv6 link-local addresses
IPv6 EUI-64 calculation
Configure IPv6 on a Cisco router

IPv6 overview

IPv6 is the newest version of the IP protocol. It was developed to overcome many deficiencies of IPv4, most notably the problem of IPv4 address exhaustion. Unlike IPv4, which has only about 4.3 billion (2^32) available addresses, IPv6 allows for 3.4 × 10^38 addresses, which is over 10,000,000,000,000,000,000,000,000,000 times as many addresses as IPv4. IPv6 defines the same general functions as IPv4, but with different methods of implementing them. The IPv6 header and address structure have been completely changed, and many of the features that were basically just afterthoughts and addendums in IPv4 are included as full-blown standards in IPv6. Of course, to support IPv6 routing, routers must understand IPv6 addresses and routing. Here is a list of the most important IPv6 features:

Large address space: IPv6 uses 128-bit addresses, which means that for each person on the Earth there are 48,000,000,000,000,000,000,000,000,000 addresses!
Enhanced security: IPSec (Internet Protocol Security) is built into IPv6 as part of the protocol. This means that two devices can dynamically create a secure tunnel without user intervention.
Header improvements: the packet header used in IPv6 is simpler than the one used in IPv4. The IPv6 header is not protected by a checksum, so routers do not need to calculate a checksum for every packet.
No need for NAT: since every device has a globally unique IPv6 address, there is no need for NAT.
Stateless address autoconfiguration: IPv6 hosts can automatically configure themselves with an IPv6 address.

IPv6 address format

An IPv6 address is 128 bits long, much larger than a 32-bit IPv4 address. Also, unlike IPv4, which uses a dotted-decimal format with each byte ranging from 0 to 255, IPv6 uses eight groups of four hexadecimal digits separated by colons. Here is an example IPv6 address:

2340:0023:AABA:0A01:0055:5054:9ABC:ABB0

As you can see from the IPv6 address listed above, there are letters in the address. If you are not familiar with hexadecimal-binary conversion, here is a table that will help you:

IPv6 address shortening

The IPv6 address listed above looks daunting, right? Well, there are two conventions that can help you shorten what must be typed for an IPv6 address:

1. leading zeros in a field can be omitted. For example, the address listed above (2340:0023:AABA:0A01:0055:5054:9ABC:ABB0) can be shortened to 2340:23:AABA:A01:55:5054:9ABC:ABB0.
2. successive fields of zeroes can be represented as two colons (::). For example, the IPv6 address 2340:0000:0000:0000:0455:0000:AAAB:1121 can be shortened to 2340::0455:0000:AAAB:1121. You can shorten an address this way only for one such occurrence. The reason is obvious – if you had more than one occurrence of the double colon, you wouldn’t know how many sets of zeroes were being omitted from each part.

Here are a couple more examples of IPv6 address shortening:

Long version - 1454:0045:0000:0000:4140:0141:0055:ABBB
Shortened version - 1454:45::4140:141:55:ABBB
Long version - 0000:0000:0001:AAAA:BBBC:A222:BBBA:0001
Shortened version - ::1:AAAA:BBBC:A222:BBBA:1
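The two shortening rules and the one-double-colon restriction, as an added Python example that is not from the book. It applies both rules together (so the rule-2-only example 2340::0455:0000:AAAB:1121 comes out as 2340::455:0:AAAB:1121), picks the longest zero run for the double colon as RFC 5952 recommends, and lists the readings an address with two double colons could have, which is exactly the ambiguity the restriction prevents.

```python
"""IPv6 address shortening and expansion (added example, not from the book)."""
from typing import List


def expand(addr: str) -> List[str]:
    """Undo both shortening rules: return the eight 4-hex-digit fields."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed; the field count would be ambiguous")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field")
        fields = left + ["0"] * missing + right
    else:
        fields = addr.split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}")
    return [f"{int(f, 16):04X}" for f in fields]


def shorten(addr: str) -> str:
    """Rule 1: drop leading zeros in every field. Rule 2: replace the single
    longest run of two or more all-zero fields with '::' (first run wins ties)."""
    fields = expand(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] == "0000":
            j = i
            while j < 8 and fields[j] == "0000":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    short = [f.lstrip("0") or "0" for f in fields]          # rule 1
    if best_len >= 2:                                        # rule 2
        left = ":".join(short[:best_start])
        right = ":".join(short[best_start + best_len:])
        return f"{left}::{right}"
    return ":".join(short)


def possible_expansions(addr: str) -> List[str]:
    """For an (invalid) address containing two '::', list every full address it
    could have meant. Each '::' must hide at least one zero field."""
    parts = addr.split("::")
    if len(parts) != 3:
        raise ValueError("expects exactly two '::'")
    groups = [p.split(":") if p else [] for p in parts]
    known = sum(len(g) for g in groups)
    results = []
    for first in range(1, 8 - known):
        second = 8 - known - first
        if second < 1:
            continue
        fields = groups[0] + ["0"] * first + groups[1] + ["0"] * second + groups[2]
        results.append(":".join(f"{int(f, 16):04X}" for f in fields))
    return results


if __name__ == "__main__":
    for long in ["2340:0023:AABA:0A01:0055:5054:9ABC:ABB0",
                 "2340:0000:0000:0000:0455:0000:AAAB:1121",
                 "1454:0045:0000:0000:4140:0141:0055:ABBB",
                 "0000:0000:0001:AAAA:BBBC:A222:BBBA:0001"]:
        print(long, "->", shorten(long))
    print(possible_expansions("2340::455::1121"))   # four different readings
```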

IPv6 address types

As you probably know, there are three types of IPv4 addresses: unicast, multicast, and broadcast. In IPv6, broadcast addresses have been eliminated and replaced with anycast and multicast addresses. Here is a list of all address types in IPv6:

unicast - represents a single interface. Packets addressed to a unicast address are delivered to a single interface.
multicast - represents a dynamic group of hosts. Multicast addresses in IPv6 have a similar purpose as their counterparts in IPv4, and packets sent to these addresses are delivered to all interfaces tuned into the multicast address.
anycast - identifies one or more interfaces. For example, servers that support the same function can use the same unicast IP address. Packets sent to that IP address are forwarded to the nearest server. Anycast addresses are often used for load balancing and are known as one-to-nearest addresses.

There are three types of unicast addresses in IPv6:

global unicast - publicly routable IPv6 addresses that work just like public IPv4 addresses.
link local - similar to the IPv4 addresses from the Automatic Private IP Address (APIPA) range, these addresses are meant to be used only within the network segment that a host is connected to. Routers will not forward packets destined to a link-local address to other links. A link-local IPv6 address must be assigned to every network interface on which the IPv6 protocol is enabled.
unique local addresses - similar to IPv4 private addresses, IPv6 unique local addresses should be used inside an organization and are not meant to be routed on the Internet.

IPv6 global unicast address

IPv6 global unicast addresses are similar to IPv4 public addresses. A company that needs IPv6 addresses asks for a registered IPv6 address block, which is assigned as a global routing prefix. These addresses are routable on the Internet and only that company will use them. Global unicast addresses start with 2000::/3 (hex 2 or 3). They consist of two parts:

subnet ID - 64 bits long. Contains the site prefix (obtained from a Regional Internet Registry) and the subnet ID (subnets within the site).
interface ID - 64 bits long. It acts like the IPv4 host field and is typically composed of a part of the MAC address of the interface.

Here is a graphical representation of the two parts of an IPv6 global unicast address:

IPv6 unique local address

Unique local IPv6 addresses have the same function as private addresses in IPv4: to allow communication throughout a site while being routable to multiple local networks. They are not registered with any numbering authority and cannot be routed to the Internet. Unique local IPv6 addresses begin with FD00::/8. A unique local IPv6 address is constructed by appending a randomly generated 40-bit hexadecimal string to the FD00::/8 prefix. The subnet field and interface ID are created in the same way as with global unicast IPv6 addresses. Here is a graphical representation of a unique local IPv6 address:

The original IPv6 RFCs defined a private address class called site local. This class has been deprecated and replaced with unique local addresses.

IPv6 link-local addresses

Link-local IPv6 addresses have a limited scope: they can travel only within the subnet that a host is connected to. IPv6-enabled routers will not forward packets destined to a link-local address to other links. A link-local IPv6 address must be assigned to every network interface on which the IPv6 protocol is enabled. A host can automatically derive its own link-local IP address, or the address can be manually configured using IOS commands. Link-local addresses have a prefix of FE80::/10. They are not used for normal IPv6 packet flows that contain data for applications. Instead, these addresses are used by some overhead protocols (such as NDP) and for routing. Here is a graphical representation of a link-local IPv6 address:
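The three unicast types above and their prefixes, turned into a small classifier. This is an added example, not code from the book; it uses Python's standard ipaddress module, adds the multicast block FF00::/8 and the deprecated site-local block FEC0::/10 for completeness, and first_group_range shows what a prefix shorter than /16 actually covers: 2000::/3 is "hex 2 or 3" because it spans 2000 to 3FFF in the first group, and FE80::/10 spans FE80 to FEBF, not just FE80. router_forwards encodes the one forwarding rule stated in the text (link-local destinations are never forwarded to another link).

```python
"""Classify IPv6 addresses by the prefixes discussed in the text."""
import ipaddress

# Blocks named in the text, plus multicast (FF00::/8) and the deprecated
# site-local block (FEC0::/10). Order matters only for readability: the
# blocks do not overlap.
IPV6_BLOCKS = [
    ("global unicast",          ipaddress.IPv6Network("2000::/3")),
    ("unique local",            ipaddress.IPv6Network("FD00::/8")),
    ("link-local",              ipaddress.IPv6Network("FE80::/10")),
    ("site-local (deprecated)", ipaddress.IPv6Network("FEC0::/10")),
    ("multicast",               ipaddress.IPv6Network("FF00::/8")),
]


def first_group_range(net: ipaddress.IPv6Network) -> tuple:
    """Return (low, high) of the first 16-bit group covered by a short prefix.

    A /3 fixes only the top three bits of the first group, so 2000::/3
    covers first groups 0x2000 through 0x3FFF; FE80::/10 covers 0xFE80
    through 0xFEBF.
    """
    if net.prefixlen > 16:
        raise ValueError("only prefixes of /16 or shorter are handled here")
    first = int(net.network_address) >> 112          # top 16 bits of the address
    free_bits = 16 - net.prefixlen                   # bits of the group not fixed
    low = first & ((0xFFFF << free_bits) & 0xFFFF)
    high = low | ((1 << free_bits) - 1)
    return low, high


def classify_ipv6(addr: str) -> str:
    """Name the block an address belongs to, or "other" (::1, ::, reserved)."""
    a = ipaddress.IPv6Address(addr)
    for name, net in IPV6_BLOCKS:
        if a in net:
            return name
    return "other"


def router_forwards(dst: str) -> bool:
    """Routers never forward a packet whose destination is link-local."""
    return classify_ipv6(dst) != "link-local"


if __name__ == "__main__":
    for name, net in IPV6_BLOCKS:
        low, high = first_group_range(net)
        print(f"{name:24s} {str(net):12s} first group {low:04X}-{high:04X}")
    for sample in ("2001:DB8::1", "FD12:3456:789A::1", "FEA0::1", "FF02::1", "::1"):
        print(f"{sample:20s} -> {classify_ipv6(sample)}, forwarded: {router_forwards(sample)}")
```

The FEA0::1 sample is deliberate: it is link-local even though it does not start with FE80, which is the detail the /10 hides if you only memorise the first four hex digits.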

IPv6 EUI-64 calculation

The second part of an IPv6 unicast address (used to identify a host's network interface) is usually a 64-bit interface identifier. An interface ID is created by inserting the hex number FFFE in the middle of the MAC address of the network card. Also, the seventh bit of the first byte is inverted. The interface ID created this way is known as the modified extended unique identifier 64 (EUI-64). Here are the rules that a router uses to create the interface ID:

1. Split the MAC address in two halves (6 hex digits each).
2. Insert FFFE in between the two, making the interface ID.
3. Invert the seventh bit of the interface ID.

For example, if the MAC address of a network card is 00:BB:CC:DD:11:22, the interface ID would be 02BBCCFFFEDD1122. Why is that so? Well, the router will first flip the seventh bit from 0 to 1. MAC addresses are in hex format. The binary format of the MAC address looks like this:

hex - 00BBCCDD1122
binary - 0000 0000 1011 1011 1100 1100 1101 1101 0001 0001 0010 0010

The router will flip the seventh bit:

binary - 0000 0010 1011 1011 1100 1100 1101 1101 0001 0001 0010 0010

This will result in the following hexadecimal address:

hex - 02BBCCDD1122

Next, the router will insert FFFE in the middle of the address listed above:

hex - 02BBCCFFFEDD1122

So, the interface ID will be 02BB:CCFF:FEDD:1122. For interfaces that don't have a MAC address (e.g. serial interfaces), the router chooses the MAC of the lowest-numbered interface that has a MAC.

Configure IPv6 on a Cisco router

IPv6 routing is not enabled on Cisco routers by default. There are several methods for configuring IPv6 addresses on a router. We will assign a global IPv6 address to the interface using the EUI-64 option. A link-local address will then be created automatically. Here are the steps:

1. Enable IPv6 routing on a Cisco router using the ipv6 unicast-routing global configuration command.
2. Configure an IPv6 global unicast address on an interface using the ipv6 address ADDRESS/PREFIX_LENGTH eui-64 interface command.

Here is an example IPv6 configuration:

A link local address will be created automatically. To verify IPv6 addressing, we can use the show ipv6 interface fa0/0 command:

From the command output we can verify two things:

1. The link-local IPv6 address has indeed been automatically configured.
2. The global IPv6 address has been created using the modified EUI-64 method (using the MAC address of the interface - 0050.0fdc.0401).
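The EUI-64 calculation from the previous section and the verification step above, together in one added Python example (not the book's code and not an IOS feature). modified_eui64 performs the three steps exactly as the text describes them, on any of the usual MAC spellings, including the Cisco dotted form seen in the show output; expected_interface_addresses derives the global and link-local addresses that "ipv6 address PREFIX eui-64" should produce so you can compare them against what show ipv6 interface prints; and check_show_ipv6_interface does that comparison against a sample. The prefix 2001:db8:1:1::/64 is a constructed documentation prefix, and SAMPLE_SHOW_OUTPUT is constructed text modelled on the layout of IOS output, not a capture from the book.

```python
"""Modified EUI-64 interface IDs and the addresses IOS should derive from them."""
import ipaddress
import re


def modified_eui64(mac: str) -> str:
    """Build the modified EUI-64 interface ID from a 48-bit MAC address.

    Accepts 00:BB:CC:DD:11:22, 00-BB-CC-DD-11-22 or Cisco's 0050.0fdc.0401.
    Steps from the text: split the MAC in two halves, insert FFFE between
    them, then invert the seventh bit (from the left) of the first byte.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("a MAC address has exactly 12 hex digits")
    first_half, second_half = digits[:6], digits[6:]
    iid = bytearray.fromhex(first_half + "FFFE" + second_half)
    # Bits of a byte are worth 0x80, 0x40, ..., 0x01 from the left, so the
    # seventh bit is 0x02. XOR inverts it: 0 becomes 1, and 1 becomes 0.
    iid[0] ^= 0x02
    hexstr = iid.hex().upper()
    return ":".join(hexstr[i:i + 4] for i in range(0, 16, 4))


def expected_interface_addresses(prefix: str, mac: str) -> dict:
    """Addresses "ipv6 address PREFIX eui-64" should put on an interface.

    Returns the global unicast address (prefix + interface ID) and the
    link-local address (FE80::/64 + the same interface ID), in the
    compressed lowercase form produced by the ipaddress module.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    iid = int(modified_eui64(mac).replace(":", ""), 16)
    global_addr = ipaddress.IPv6Address(int(net.network_address) | iid)
    link_local = ipaddress.IPv6Address(int(ipaddress.IPv6Address("FE80::")) | iid)
    return {"global": str(global_addr), "link_local": str(link_local)}


def check_show_ipv6_interface(output: str, prefix: str, mac: str) -> bool:
    """True if both expected addresses appear in the given show output.

    IOS prints addresses in uppercase compressed form; comparing in lowercase
    makes the check independent of letter case.
    """
    expected = expected_interface_addresses(prefix, mac)
    text = output.lower()
    return expected["global"] in text and expected["link_local"] in text


# Constructed sample, modelled on the layout of "show ipv6 interface" output.
SAMPLE_SHOW_OUTPUT = """\
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::250:FFF:FEDC:401
  Global unicast address(es):
    2001:DB8:1:1:250:FFF:FEDC:401, subnet is 2001:DB8:1:1::/64 [EUI]
"""

if __name__ == "__main__":
    print("book example :", modified_eui64("00:BB:CC:DD:11:22"))
    addrs = expected_interface_addresses("2001:db8:1:1::/64", "0050.0fdc.0401")
    print("expected     :", addrs)
    print("output matches:", check_show_ipv6_interface(SAMPLE_SHOW_OUTPUT,
                                                        "2001:db8:1:1::/64",
                                                        "0050.0fdc.0401"))
```

Because the seventh bit is inverted rather than set, a MAC that already has that bit at 1 (a locally administered address such as 02:BB:CC:DD:11:22) yields an interface ID starting with 00, which is worth knowing when the address on the router does not look like the one you expected.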
