1. About The Company
2. OSI and TCP/IP Network Model
3. How to connect with Cisco devices in Windows
4. Cisco devices hardware components and booting process
5. How to reset Router password
6. Packet Tracer installation
7. Cisco IOS Access Modes
8. Administration of Cisco devices
9. Back up and Restore of Network Devices
10. How to update Cisco IOS
11. Switching
12. Methods of Switching
13. Virtual LAN
leaders such as Microsoft, Daikin, Actis, Intuit, Huawei and Shinsei in their critical
security needs.
With physical presence in 73 cities, over 320 dedicated greenfield engagements and a
dedicated team of 1250 security researchers, product developers, deployment and
maintenance specialists; we have been adjudged as the 4th largest company globally
serving the critical infrastructure security solutions market.
Emerging threats to safety and security require new ideas, new solutions and new
technology. It's not about hiring more security guards. It's about connecting knowledge.
Appin Security Group creates smart solutions by linking the intelligence from multiple
systems. Overcoming technology boundaries creates a more robust, more flexible, and more
responsive solution. Appin Security Group has a robust portfolio of solutions specially
designed for your unique critical environment.
Greatness is a pursuit- a very honorable one. And leadership is a continually evolving science.It is the uni
The Appin Technology Lab, the custodian of your framework, is Informationage security and solutions com
Detection,Verification and Resolution
The sure-shot way to stamp out the potential for damage and loss to your set-up is to diagnose, and then
Carving a Niche
Appin's journey has been its destination. In our earnest endeavor to satisfy our patrons, we have left no st
The Appin Technology Lab holds the peerless merit of providing critical information security consulting & n
We secure the President's House, Nuclear power plants,Commonwealth Games,Delhi Metro Rail
We are also a security solutions provider to over 1300 websites that are audited and monitored by the Ap
Appin Technology Lab currently a network of 110+ training labs provides comprehensive training in Info
form and have a call back from our counselor and receive directions to the nearest center, or read more a
Gone are the days when a company was restricted to doing business only in their own backyards.A truly g
Stay Secure
There is always a profound fear of insecurity and unrelenting threats to an organization's stability and its s
Human element
It's our vibrant entrepreneurial culture that makes it all click, with human values a central component of ou
We are a group of dedicated, hardworking, ordinary people who have teamed together to accomplish extraor
The OSI reference model is the primary model for network communications. The early development of LANs,
MANs, and WANs was confused in many ways. The early 1980s saw great increases in the number and sizes of
networks. As companies realized that they could save money and gain productivity by using networking technology,
they added networks and expanded existing networks as rapidly as new network technologies and products were
introduced.
In 1984, the International Organization for Standardization (ISO) developed the OSI Reference Model to
describe how information is transferred from one networking component to another, from the point when a user
enters information using a keyboard and mouse to when that information is converted to electrical or light signals
transferred along a piece of wire (or radio waves transferred through the air).
ISO developed the seven-layer model to help vendors and network administrators gain a better understanding of
how data is handled and transported between networking devices, as well as to provide a guideline for the
implementation of new networking standards and technologies. To assist in this process, the OSI Reference Model
separates the network communication process into seven simple layers.
Dividing the network into these seven layers provides these advantages:
Reduces complexity:
It breaks network communication into smaller, simpler parts, which aids component development, design, and
troubleshooting.
Facilitates modular engineering:
It allows different types of network hardware and software to communicate with each other, because each
layer talks only to the layers directly above and below it.
Interoperability between vendors:
It allows multiple-vendor development through standardization of network components. Defining how two
adjacent layers connect promotes interoperability between vendors and lets each vendor compartmentalize its
design effort to fit the modular design, which eases implementation and simplifies troubleshooting.
Ensures interoperable technology:
It prevents changes in one layer from affecting the other layers, allowing for quicker development.
Accelerates evolution:
It provides for effective updates and improvements to individual components without affecting other components
or having to rewrite the entire protocol stack.
Simplifies teaching and learning:
It breaks network communication into smaller components to make learning easier, and it gives network
administrators a teaching tool for understanding the communication process between networking components.
The OSI reference model consists of seven layers: physical, data-link, network,
transport, session, presentation, and application.
The OSI model layers usually do not correspond exactly to the protocol stack running
on an actual system.
The network and transport layer protocols work together to provide a cumulative
end-to-end communication service.
The functions of the session, presentation, and application layers are often combined
into a single application layer protocol.
OSI Reference Model
Each OSI layer contains a set of functions performed by programs to enable data to travel from a source to a
destination on a network. The previous section covered the advantages of the OSI model; this section gives a brief
description of each layer in the OSI reference model.
Application Layer
The application layer is the OSI layer that is closest to the user. This layer provides network services to the user's
applications. It differs from the other layers in that it does not provide services to any other OSI layer, but only to
applications outside the OSI reference model. The application layer gives the user's programs a way to reach data
on a remote computer.
The application layer protocols that you should know are as follows:
DNS (Domain Name System): translates a website name (easy for people) to an IP address (easy for computers).
DHCP (Dynamic Host Configuration Protocol): assigns an IP address, subnet mask and DNS server (plus a number
of other options) to hosts.
Telnet: provides a remote terminal connection to manage devices that are not close enough to reach with a
console cable. Telnet sends the whole session, including the login and enable passwords, in cleartext, so on any
network you do not fully control use SSH instead and restrict the vty lines to it (transport input ssh).
Presentation Layer
The presentation layer is responsible for formatting data so that application-layer protocols (and then the users) can
recognize and work with it. Think of file formats such as .doc, .jpg, .txt and .avi: each of these is formatted for use
by a particular type of application. The presentation layer takes the application-layer data and marks it with
formatting codes so that it can be read reliably when accessed later. If necessary, the presentation layer can
translate between multiple data formats by using a common format.
The Session Layer
The session layer establishes, manages, and terminates sessions between two communicating hosts. It provides its
services to the presentation layer. The session layer also synchronizes dialogue between the presentation layers of
the two hosts and manages their data exchange. For example, web servers have many users, so many communication
processes are open at a given time. Therefore, keeping track of which user communicates on which path is
important.
Transport Layer
The transport layer is possibly the most important layer for exam study purposes. A lot is going on here, and it is
heavily tested.
The transport layer's main jobs:
It can provide for the reliable or unreliable delivery of data across a connection between two end hosts.
The transport layer uses two protocols for sending data: TCP and UDP.
TCP
TCP is a connection-oriented protocol, and connection-oriented transmission is said to be reliable. Think of TCP as
the registered post with acknowledgement due (AD) service of the Indian post office. For this level of service you pay
extra and put a number of extra labels on the item to track where it is going and where it has been. But you get a
receipt when it is delivered, delivery is guaranteed, and you can keep track of whether your shipment reached its
destination. All of this costs you more, but it is reliable.
UDP
UDP is a connectionless protocol, and connectionless transmission is said to be unreliable. Do not get too wrapped
up in the term "unreliable": it does not mean the data is not going to get there, only that it is not guaranteed to get
there. Think of sending a postcard: put it in the mailbox and chances are good that it will get where it is supposed to
go, but there is no guarantee, and things do go missing once in a while. On the other hand, it is cheap.
Reliability
When reliability is necessary, it should cover these four items:
Avoiding congestion
Port numbers
The transport layer identifies the application-layer protocol on each end of a connection by a port number. The
port range is divided as follows:
Range           Description
0-1023          Well-known ports, assigned to standard services
1024-49151      Registered ports
49152-65535     Dynamic or private ports, typically used for the client side of a connection
Common application-layer protocols and the ports they use:
TCP                       UDP
FTP       20, 21          DNS       53
Telnet    23              DHCP      67, 68
SMTP      25              TFTP      69
DNS       53              NTP       123
HTTP      80              SNMP      161
POP       110
NNTP      119
HTTPS     443
Of the protocols in this table only HTTPS protects its traffic; Telnet, FTP, TFTP, HTTP, SMTP, POP, NNTP and
SNMP (versions 1 and 2c) carry credentials and data in cleartext. This matters when you choose how to manage
your devices and where you send configuration backups.
Network Layer
The network layer provides a logical topology and layer-3 addresses. Routers function at the network layer. This
layer is responsible for three main functions:
Defines logical (layer-3) addresses, such as IP addresses
Finds paths, based on the network numbers of logical addresses, to reach destination devices
Connects different data link types together, such as Ethernet, FDDI, Serial, and Token Ring
IP packet
Where the transport layer uses segments to transfer information between machines, the Internet layer uses
datagrams. Datagram is just another word for packet.
The IP protocol is mainly responsible for these functions:
Connectionless data delivery: best-effort delivery with no data recovery capabilities (any reliability is left to TCP
or to the application)
Two types of packets are used at the Network layer: data and route updates.
Data packets
Used to transport user data through the internetwork. Protocols used to support data traffic are called routed
protocols; examples of routed protocols are IP and IPv6.
Route update packets
Used to update neighboring routers about the networks connected to all routers within the internetwork. Protocols
that send route update packets are called routing protocols; examples of some common ones are RIP, RIPv2, EIGRP,
and OSPF. Route update packets are used to help build and maintain routing tables on each router.
IP Classes
Network layer protocols
Protocol                        Description
IP                              Internet Protocol. The routed protocol that carries user data, with best-effort,
                                connectionless delivery.
IPX                             Internetwork Packet Exchange, Novell's legacy routed protocol, now largely
                                replaced by IP.
ICMP                            Internet Control Message Protocol. Carries error and control messages for IP;
                                ping and traceroute, the layer-3 link-testing utilities, are built on it.
OSPF, IGRP, EIGRP, RIP, IS-IS   Dynamic routing protocols that learn about remote networks and the best paths to
                                them from other routers running the same protocol.
ARP, RARP                       Address Resolution Protocol (and Reverse ARP). ARP learns what MAC address is
                                associated with a given IP address. Reverse ARP learns an IP address given a MAC
                                address.
Data Link Layer
The data link layer is responsible for:
Defining how the network layer protocol is encapsulated in the data link layer frame
Defining hardware (MAC) addresses as well as the communication process that occurs within a medium
Points to remember:
The first six hexadecimal digits (24 bits) of a MAC address form the OUI, which identifies the vendor.
The same MAC address can appear in different broadcast domains (virtual LANs).
Ethernet II does not have any sublayers, while IEEE 802.2/802.3 has two: LLC (802.2) and MAC (802.3).
Ethernet II has a type field instead of the length field used in 802.3; in an 802.3 frame the IEEE 802.2 LLC header
identifies the upper-layer protocol.
Physical Layer
The physical layer communicates directly with the various types of actual communication media. Different kinds of
media represent bit values in different ways. Some use audio tones, while others use state transitions: changes in
voltage from high to low and low to high. Specific protocols are needed for each type of media to define the bit
patterns to be used, how data is encoded into media signals, and the qualities of the physical medium's attachment
interface.
The access layer provides the user's initial access to the network, which is typically via switches or hubs.
TCP/IP protocol
The TCP/IP protocol stack has four layers. Note that although some of the layers in the TCP/IP protocol stack have
the same names as layers in the OSI reference model, the layers have different functions in each model, as is
described in the following list:
Application layer:
The application layer handles high-level protocols, including issues of representation, encoding, and dialog control.
The TCP/IP model combines all application-related issues into one layer and ensures that this data is properly
packaged for the next layer.
Transport layer:
The transport layer deals with QoS issues of reliability, flow control, and error correction. One of its protocols, TCP,
provides for reliable network communications.
Internet layer:
The purpose of the Internet layer is to send source datagrams from any network on the internetwork and have them
arrive at the destination, regardless of the path they took to get there.
Network access layer:
The name of this layer is broad and somewhat confusing. It is also called the host-to-network layer. It includes the
LAN and WAN protocols and all the details in the OSI physical and data link layers.
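To make the layering concrete, here is an added example (written for this edit, not part of the original guide and not a Cisco tool) that builds one frame the way the stack does: a TFTP read request as the application-layer payload, wrapped in a UDP segment (transport), an IPv4 packet (Internet/network) and an Ethernet II frame (network access/data link), and then checks the IPv4 and UDP checksums the way a receiver would. The addresses reuse the lab's 10.0.0.1 router and 10.0.0.2 TFTP server; the MAC addresses and the source port are made up. Note what the checksums do and do not give you: they catch accidental corruption, but anyone on the path can rewrite a packet and recompute them, which is one reason Telnet and TFTP cannot be trusted on an untrusted network.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
TFTP_PORT = 69


def checksum16(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used by IPv4, UDP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_udp_segment(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Layer 4: UDP header + data; the checksum covers a pseudo-header with the IP addresses."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, IPPROTO_UDP, length)
    csum = checksum16(pseudo + header + payload) or 0xFFFF   # UDP sends a zero checksum as 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def build_ipv4_packet(src_ip, dst_ip, proto, payload: bytes, ttl=64, ident=1) -> bytes:
    """Layer 3: 20-byte IPv4 header (no options) + the segment; the checksum covers the header only."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                         ttl, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    header = header[:10] + struct.pack("!H", checksum16(header)) + header[12:]
    return header + payload


def build_ethernet_frame(src_mac, dst_mac, ethertype, payload: bytes) -> bytes:
    """Layer 2 (Ethernet II): destination, source, type field, then the packet. The FCS is added by the NIC."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def ipv4_header_ok(packet: bytes) -> bool:
    """A receiver's check: summing the header including its checksum field must give zero."""
    ihl = (packet[0] & 0x0F) * 4
    return checksum16(packet[:ihl]) == 0


def udp_checksum_ok(packet: bytes) -> bool:
    """Same check for the UDP segment inside an IPv4 packet, rebuilding the pseudo-header from the IP addresses."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    length = struct.unpack("!H", udp[4:6])[0]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, IPPROTO_UDP, length)
    return checksum16(pseudo + udp[:length]) == 0


def tftp_read_request(filename: str) -> bytes:
    """Constructed application-layer payload: a TFTP RRQ (opcode 1, RFC 1350) in octet mode."""
    return b"\x00\x01" + filename.encode() + b"\x00" + b"octet\x00"


def build_example_frame() -> bytes:
    """The lab above: router 10.0.0.1 asks TFTP server 10.0.0.2 for R1-confg. MACs and source port are made up."""
    rrq = tftp_read_request("R1-confg")
    segment = build_udp_segment("10.0.0.1", "10.0.0.2", 49152, TFTP_PORT, rrq)
    packet = build_ipv4_packet("10.0.0.1", "10.0.0.2", IPPROTO_UDP, segment)
    return build_ethernet_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4, packet)


if __name__ == "__main__":
    frame = build_example_frame()
    print(len(frame), "bytes on the wire:", frame.hex())
    print("IPv4 header ok:", ipv4_header_ok(frame[14:]), "UDP ok:", udp_checksum_ok(frame[14:]))
```

The example frame is 59 bytes: 14 (Ethernet) + 20 (IPv4) + 8 (UDP) + 17 (TFTP RRQ). Flip one byte of the packet and the corresponding check fails, which is all the checksums promise.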
In this lab scenario I will demonstrate how to connect to a Cisco router. To connect to a physical Cisco device you
need a console cable. Attach one end to the COM (serial) port of the computer and the other end to the console
port of the Cisco device.
Console Port
When you first obtain a new Cisco device, it will not be configured. That is to say, it will not do any of the customized
functions you might need; it does not have any IP addresses, and it is generally not going to do what you paid for.
Routers need basic configuration to function on a network. The console port is used for local management
connections. This means that you must be able to physically reach the console port with a cable that is typically
about six feet long. The console port looks exactly like an Ethernet port.
Once you have the proper console cable, follow this path on the computer:
Start > Programs > Accessories > Communications > HyperTerminal. When the Location Information dialog
appears, click Cancel and confirm with Yes. In the Connection Description dialog enter a name for the connection
(Vinita in this example) and click OK. If Location Information appears again, cancel it and confirm with Yes. In the
Connect To dialog choose the COM port the console cable is attached to and click OK. In Port Settings, enter the
values given in the COM port settings table (9600 bits per second, 8 data bits, no parity, 1 stop bit, no flow
control) and click OK.
If you still have problems configuring HyperTerminal, or HyperTerminal is not present under Accessories, you can
use this small terminal program instead. With it you can connect to any device that supports Telnet, SSH, Rlogin or
serial console connections. It is ready to use: download it and run it. Select Serial from the Session
Which cable to use between two devices:
Device A                    Device B                    Cable
Switch port                 Switch port                 Crossover
Switch port                 Router Ethernet port        Straight-through
Switch port                 Computer NIC                Straight-through
Router Ethernet port        Router Ethernet port        Crossover
Router Ethernet port        Computer NIC                Crossover
Computer NIC                Computer NIC                Crossover
Hub                         Switch port                 Crossover
Computer COM port           Console of router/switch    Rollover
IOS image naming
Take the image name c1841-advipservicesk9-mz.124-6.T7.bin as an example. Its parts mean the following:
c1841
The c1841 refers to the name of the platform on which the image will run. This is
important because different router models have different processors, and an image
compiled for one processor or router model will typically not run on a different model.
advipservicesk9
The advipservicesk9 refers to the features included in this IOS version, commonly
referred to as the feature set. In this example, the IOS is the advanced IP services
set, and the k9 refers to the inclusion of encryption support.
mz or z
The mz or z means that the image is compressed and must be uncompressed before
loading/running. If you see l (the letter l, not the number 1) here, this indicates where
the IOS image is run from. The l indicates a relocatable image and that the image can
be run from RAM. Remember that some images can run directly from flash,
depending on the router model.
124-6.T7
The 124-6.T7 indicates the software version number of the IOS. In this instance, the
version is 12.4(6)T7. Image names with a T indicate a technology train that adds new features; names without the
letter are the mainline, to which only bug fixes are made.
.bin
The .bin at the end indicates that this is a binary image.
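The following is an added example, not part of the original guide: a small Python parser for this naming scheme, so the platform, feature set, run-location and compression codes and the version can be checked programmatically before an image is copied to a router (for instance, to refuse an image built for a different platform than the one you are about to reload). The run-location and compression keys are Cisco's standard letters (m = RAM, f = flash, r = ROM, l = relocatable; z = zip, x = mzip, w = stac); the image names it is tried on are the ones used elsewhere on this page plus one constructed Catalyst 2960 name.

```python
import re

# Standard Cisco key for the code field ("mz", "l", ...) of a classic IOS image name.
RUN_LOCATION = {"m": "RAM", "f": "flash", "r": "ROM", "l": "relocatable (runs from RAM)"}
COMPRESSION = {"z": "zip", "x": "mzip", "w": "stac"}

# <platform>-<featureset>[k9]-<codes>.<release>-<maintenance>[.<TRAIN><rebuild>].bin
IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-"
    r"(?P<features>[a-z0-9]+?)(?P<k9>k9)?-"
    r"(?P<codes>[a-z]+)\."
    r"(?P<release>\d+)-(?P<maint>\d+)"
    r"(?:\.(?P<train>[A-Z]+)(?P<rebuild>\d+)?)?"
    r"\.bin$"
)


def parse_ios_image_name(name: str) -> dict:
    """Split a classic IOS image name into its fields; raises ValueError on anything else."""
    m = IMAGE_RE.match(name)
    if not m:
        raise ValueError(f"not a classic IOS image name: {name!r}")
    release = m["release"]                   # "124" -> 12.4, "150" -> 15.0
    version = f"{release[:-1]}.{release[-1]}({m['maint']})"
    if m["train"]:
        version += m["train"] + (m["rebuild"] or "")
    codes = m["codes"]
    return {
        "platform": m["platform"],
        "feature_set": m["features"],
        "crypto": m["k9"] is not None,       # k9: image includes encryption support
        "run_from": RUN_LOCATION.get(codes[0], "unknown"),
        "compressed": len(codes) > 1,
        "compression": COMPRESSION.get(codes[1], "unknown") if len(codes) > 1 else None,
        "version": version,
        "train": m["train"] or "mainline",
    }


def image_fits_platform(name: str, platform: str) -> bool:
    """Pre-flight check before 'copy tftp flash': refuse an image built for another platform."""
    return parse_ios_image_name(name)["platform"] == platform


if __name__ == "__main__":
    for image in ("c1841-advipservicesk9-mz.124-6.T7.bin",
                  "c1841-ipbasek9-mz.124-12.bin",
                  "c2960-lanbasek9-mz.122-55.SE12.bin"):   # constructed 2960 name
        print(image, "->", parse_ios_image_name(image))
```

The version string it produces ("12.4(6)T7") is the form show version prints, so the parsed fields can be compared directly with a running router's output.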
[Table: image name fields: Platform, Feature set, Version]
[Table: memory location codes: Code, Location]
[Table: compression identifiers: Code, Compression]
Connections
Cisco's networking products support two types of external connections:
ports (referred to as lines) and interfaces.
Out-of-band management (which you do through the console port) does not consume the bandwidth flowing through
your network, while in-band management (which is done through an interface, for example over Telnet or SSH) does.
Console Port
Almost every Cisco product has a console port. This port is used to establish an out-of-band connection in order to
access the CLI to manage your Cisco device. Most console connections to Cisco devices require an RJ-45 rollover
cable and an RJ-45-to-DB9 terminal adapter.
The rollover cable pins are reversed on the two sides.
COM port settings
Speed          9600 bps
Data bits      8
Parity         None
Stop bits      1
Flow control   None
Cabling Devices
A straight-through cable is used for DTE-to-DCE connections (for example, a computer or router to a switch).
Crossover cables should be used when you connect a DTE to another DTE or a DCE to another DCE, for example:
A switch to a switch
A hub to a switch
A computer NIC to a router or to another computer
Console
The console port is used for local management connections. This means that you must be able to physically reach
the console port with a cable. The console port looks exactly like an Ethernet port. It uses the same connector, but it
has different wiring and is often identified with a light blue label "CONSOLE."
Aux Port
The AUX port is really just another console port that is intended for use with a modem, so you can remotely connect
and administer the device by dialing in to it. Using the AUX port this way creates a security problem: the modem is a
dial-in path into the device that bypasses the network perimeter and its access controls, and a weak or default line
password on it hands the caller the CLI. Make sure that you get advice on addressing this before setting it up, and if
the port is not used, disable it (no exec and transport input none under line aux 0).
Ethernet Port
An Ethernet port (which might be a FastEthernet or even a GigabitEthernet port, depending on your router model) is
intended to connect to the LAN. Some routers have more than one Ethernet or FastEthernet port; it really depends
on what you need and of course what you purchase. The Ethernet port usually connects to the LAN switch with a
straight-through cable.
Serial Port
A Cisco serial port is a proprietary design, a 60-pin D-sub. This connector can be configured for almost any kind of
serial communication. You need a cable that has the Cisco connector on one end and the appropriate type of
ROM
ROM holds the code the router needs before an IOS image is running, including:
Bootstrap program: brings the router up and determines how the IOS image and
configuration files will be found and loaded.
Mini-IOS: a stripped-down version of the IOS that contains only IP code. This should
be used in emergency situations where the IOS image in flash cannot be found and
you want to boot the router and load another IOS image. This stripped-down
IOS is referred to as RXBOOT mode.
RAM
RAM is like the memory in your PC. On a router, it (in most cases) contains the running IOS image; the active
configuration file; any tables (including routing, ARP, CDP neighbor, and other tables); and internal buffers for
temporarily storing information, such as interface input and output buffers. The IOS is responsible for managing
memory. When you turn off your router, everything in RAM is erased.
Flash
Flash is a form of nonvolatile memory in that when you turn the router off, the information stored in flash is not lost.
Routers store their IOS image in flash, but other information can also be stored here. Note that some lower-end
Cisco routers actually run the IOS directly from flash (not RAM). Flash is slower than RAM, a fact that can create
performance issues.
NVRAM
NVRAM is like flash in that its contents are not erased when you turn off your router. It is slightly different, though,
in that it uses a battery to maintain the information when the Cisco device is turned off. Routers use NVRAM to
store their configuration files. In newer versions of the IOS, you can store more than one configuration file here.
Router Boot-up Process
A router typically goes through five steps when booting up:
The router loads and runs POST (located in ROM), testing its hardware
components, including memory and interfaces.
The bootstrap program in ROM is loaded and run.
The bootstrap program finds and loads an IOS image. Possible locations: flash, a TFTP server, or the Mini-IOS in
ROM (the configuration register and any boot system commands decide which).
Once the IOS is loaded, it attempts to find and load a configuration file (the startup-config) stored in NVRAM. If
there is none, the router offers Setup mode.
After the configuration is loaded, you are presented with the CLI, and you are placed in User EXEC mode.
Setup Mode
Cisco devices include a feature called Setup mode to help you make a basic initial configuration. Setup mode will
run only if there is no configuration file in NVRAM, either because the router is brand-new or because it has been
erased. Setup mode will ask you a series of questions and apply the configuration to the device based on your
answers. You can abort Setup mode by typing CTRL+C or by answering "no" either when asked if you want to enter
the initial configuration dialog or when asked if you want to save the configuration at the end of the questions.
Configuration register
The configuration register is a special register in the router that determines many of its boot-up and running options,
including how the router finds the IOS image and its configuration file. The configuration register is a four-character
hexadecimal value that can be changed to manipulate how the router behaves at boot-up. The default value is
0x2102.
The characters "0x" indicate that the characters that follow are in hexadecimal. This makes it clear whether the value
is "two thousand one hundred and two" or, as in this case, "two one zero two hexadecimal".
The fourth character in the configuration register is known as the boot field. Changing the value of this character
has the following effects:
0x2100 = Boot to the ROM monitor (rommon).
0x2101 = Boot the Mini-IOS from ROM.
0x2102 through 0x210F = Look for boot system commands in the startup-config and, if there are none, load the
first valid IOS image in flash.
The third character in the configuration register can modify how the router loads the configuration file. The setting
0x2142 (bit 6 set) causes the router to ignore the startup-config file in NVRAM (which is where the passwords are
stored) and proceed without a configuration, as if the router were brand new or had its configuration erased. This
is what the password-recovery procedure relies on, and two things follow from it. First, anyone with physical
access to the console port and the power switch can take over the router this way, so console access must be
physically controlled; platforms that support no service password-recovery can close this path, at the price that a
lost password then means a factory reset and loss of the configuration. Second, after a recovery you must confirm
with show version that the register is back to 0x2102, or the router will boot with an empty configuration next time.
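As an added example (not part of the original guide and not a Cisco tool), the following Python decodes a configuration register into the boot field and the flag bits discussed above, derives the recovery and restored values, and parses the "Configuration register is ..." line of show version so a script can confirm the register was set back after a recovery. The bit positions are Cisco's documented layout for the 16-bit register; the show version fragment is constructed.

```python
import re

# Bits of the 16-bit configuration register that matter for boot behaviour (Cisco's documented layout).
BOOT_FIELD_MASK = 0x000F   # bits 0-3: the boot field
IGNORE_NVRAM = 0x0040      # bit 6: ignore the startup-config in NVRAM
BREAK_DISABLED = 0x0100    # bit 8: Break key disabled once the IOS has booted
ROM_FALLBACK = 0x2000      # bit 13: boot the default ROM software if a network boot fails

DEFAULT_REGISTER = 0x2102
RECOVERY_REGISTER = 0x2142


def boot_field_meaning(boot_field: int) -> str:
    if boot_field == 0x0:
        return "stay in ROM monitor (rommon)"
    if boot_field == 0x1:
        return "boot the Mini-IOS from ROM"
    return "use boot system commands from startup-config, else the first valid IOS image in flash"


def decode_register(reg: int) -> dict:
    """Explain a configuration register value such as 0x2102 or 0x2142."""
    if not 0 <= reg <= 0xFFFF:
        raise ValueError("the configuration register is a 16-bit value")
    boot_field = reg & BOOT_FIELD_MASK
    return {
        "register": f"0x{reg:04X}",
        "boot_field": boot_field,
        "boot_action": boot_field_meaning(boot_field),
        "ignore_startup_config": bool(reg & IGNORE_NVRAM),
        "break_disabled": bool(reg & BREAK_DISABLED),
        "rom_fallback": bool(reg & ROM_FALLBACK),
    }


def recovery_register(reg: int) -> int:
    """Value to set from rommon for password recovery: same boot behaviour, NVRAM ignored."""
    return reg | IGNORE_NVRAM


def restored_register(reg: int) -> int:
    """Value to set back afterwards so the router loads its startup-config again."""
    return reg & ~IGNORE_NVRAM & 0xFFFF


# The line 'show version' prints; the parenthesised part appears only when the register has been
# changed in the running configuration but the router has not reloaded yet.
SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)


def register_from_show_version(output: str):
    """Return (current, next) registers from 'show version' output; next is None when unchanged."""
    m = SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no configuration register line in this output")
    current = int(m.group(1), 16)
    nxt = int(m.group(2), 16) if m.group(2) else None
    return current, nxt


def recovery_finished(output: str) -> bool:
    """True when the register that will apply at next reload no longer ignores NVRAM."""
    current, nxt = register_from_show_version(output)
    effective = nxt if nxt is not None else current
    return not (effective & IGNORE_NVRAM)


# Constructed 'show version' fragment: what a router prints after 'config-register 0x2102'
# has been entered during a recovery but before the reload.
SAMPLE_SHOW_VERSION = "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"

if __name__ == "__main__":
    for value in (DEFAULT_REGISTER, RECOVERY_REGISTER, 0x2100):
        print(decode_register(value))
    print(register_from_show_version(SAMPLE_SHOW_VERSION), recovery_finished(SAMPLE_SHOW_VERSION))
```

recovery_finished is the check to run (or script over SSH) at the end of a recovery: a router that still reports 0x2142 with no "will be" clause has not been put back and will come up empty on its next reload.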
Packet Tracer
Packet Tracer is a small network simulator developed by Cisco Systems. With Packet Tracer you can do all of the
practical exercises for Cisco routers and switches. Besides Packet Tracer there are many simulators available on the
internet, but most of them will cost you around $150. In this section of our free CCNA study guide series we
explain how to install Packet Tracer.
Packet Tracer offers a broad range of opportunities for instructors to demonstrate networking concepts. Although
Packet Tracer is not a substitute for real equipment, it allows students to practice using a model of the Cisco
Internetwork Operating System (IOS) command line interface and provides visual, drag-and-drop problem solving
using virtual networking devices. This hands-on capability is a fundamental component of learning how to configure
routers and switches from the command line. Students can see how to configure and connect networking hardware
while confirming systems design. Instructors can create their own self-evaluated activities that present immediate
feedback to students on their proficiency in completing assignments.
Download Packet Tracer from one of these locations:
http://uploading.com/files/ac18cbf4/c.pt_5.2.rar
An installer taken from a third-party file host can have been tampered with; where you can, obtain Packet Tracer
from Cisco's Networking Academy site instead.
User EXEC
Provides basic access to the IOS with limited command availability (basically simple
monitoring and troubleshooting commands)
Privilege EXEC
Provides high-level management access to the IOS, including all commands available
at User EXEC mode
Configuration
Allows configuration changes to be made to the device
User EXEC Mode
Your initial access to the CLI is via User EXEC mode, which has only a limited number of IOS commands you can
execute. Depending on the Cisco device's configuration, you might be prompted for a password to access this mode.
This mode is typically used for basic troubleshooting of networking problems. You can tell that you are in User
EXEC mode by examining the prompt on the left side of the screen:
Router>
If you see a > character at the end of the information, you know that you are in User EXEC mode. The information
preceding the > is the name of the Cisco device.
For instance, the default name of all Cisco routers is Router, whereas the 2960 switch's User EXEC prompt looks
like this: Switch>. These device names can be changed with the hostname command.
Privilege EXEC Mode
Once you have gained access to User EXEC mode, you can use the enable command to access Privilege EXEC
mode:
Router> enable
Router#
Once you enter the enable command, if a Privilege EXEC password has been configured on the Cisco device, you
will be prompted for it. Upon successfully authenticating, you will be in Privilege EXEC mode. You can tell that
you are in this mode by examining the CLI prompt. In the preceding code example, notice that the > changed to a #.
When you are in Privilege EXEC mode, you have access to all of the User EXEC commands as well as many more
advanced management and troubleshooting commands. These commands include extended ping and trace abilities,
managing configuration files and IOS images, and detailed troubleshooting using debug commands. About the only
thing that you can't do from this mode is change the configuration of the Cisco device; this can be done only from
Configuration mode. If you wish to return to User EXEC mode from Privilege EXEC mode, use the exit command:
Router# exit
Router>
Again, by examining the prompt, you can tell that you are now in User EXEC mode.
Configuration Modes of Cisco IOS Software
From privileged EXEC mode, you can enter global configuration mode using the
configure terminal command.
From global configuration mode, you can access specific configuration modes, which include, but are not limited to,
the following:
Interface:
Supports commands that configure operations on a per-interface basis
Subinterface:
Supports commands that configure multiple virtual interfaces on a single physical
interface
Controller:
Supports commands that configure controllers (for example, E1 and T1 controllers)
Line:
Supports commands that configure the operation of a terminal line (for example, the
console or the vty ports)
Router:
Supports commands that configure an IP routing protocol
If you enter the exit command, the router backs out one level, eventually logging out. In general, you enter the exit
command from one of the specific configuration modes to return to global configuration mode. Press Ctrl+Z or
enter end to leave configuration mode completely and return to the privileged EXEC mode.
Commands that affect the entire device are called global commands.
The hostname and enable password commands are examples of global commands.
Commands that point to or indicate a process or interface that will be configured are called major commands.
When entered, major commands cause the CLI to enter a specific configuration mode.
Major commands have no effect unless you immediately enter a subcommand that supplies the configuration entry.
For example, the major command interface serial 0 has no effect unless you follow it with a subcommand that tells
what is to be done to that interface.
Router Modes
Router>                   User EXEC mode
Router#                   Privileged EXEC mode
Router(config)#           Global configuration mode
Router(config-if)#        Interface mode
Router(config-subif)#     Subinterface mode
Router(config-line)#      Line mode
Router(config-router)#    Router (routing protocol) mode
To back up your IOS, you use the copy command from privileged EXEC mode. The syntax of this command is
copy <from> <to>. Thus, if you want to copy the IOS image from flash to a TFTP server, the command is
copy flash tftp. After executing this command, you will be prompted with a number of questions asking for such
things as the IOS filename and the IP address of the TFTP server.
To restore or upgrade your IOS from a TFTP server to a router, the command is copy tftp flash.
TFTP has no authentication and no encryption: anything you copy this way, including a running-config with its
passwords and SNMP community strings, can be read or altered by anyone on the path. Keep the TFTP server on an
isolated management network, remove the files from it when you are done, and prefer SCP or SFTP where the
platform supports them.
Remember the following troubleshooting steps if you are having difficulties using TFTP:
Verify cable configurations. Use a crossover cable between a router and a server or, if you have a switch, use a
straight-through cable from the router to the switch and from the switch to the server.
Verify that your router is on the same subnet as your TFTP server.
If you are using a Linux TFTP server, make sure that you first use the touch command to create a zero-byte,
world-writable file with the name of the IOS image; otherwise, the file will not copy to the TFTP server.
As a Cisco associate you should be able to back up and restore a network's critical resources. Cisco devices use a
TFTP server for this purpose. In real life you should keep a daily backup of the Cisco IOS image and the running
configuration. In the lab we can do the same exercise in Packet Tracer.
As you can see in the diagram, we have a TFTP server connected to the router with a crossover cable. A PC is
connected to the router with a console cable. The IP address 10.0.0.2 on the server and 10.0.0.1 on the router's
FastEthernet 0/0 port are already configured.
Now your task is to take a backup of the running configuration on the TFTP server, so we can retrieve it in any
situation.
Double-click PC0, click the Desktop tab, select Terminal and accept the terminal configuration (do not change the
default settings). Click OK. This will emulate the router's console on screen.
R1>enable
R1#copy running-config tftp:
Address or name of remote host []? 10.0.0.2
Destination filename [R1-confg]?
.!!
[OK - 359 bytes]
359 bytes copied in 3.078 secs (0 bytes/sec)
R1#
Now we have taken the backup of the running configuration. To verify it, click the Server, select the Config tab,
click TFTP and scroll down. At the bottom of the window you can see the backup file.
As you can see in the image, we have successfully taken the backup. Now open the terminal on PC0 again, erase
the startup configuration, and reload the router.
R1>enable
R1#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
R1#reload
Proceed with reload? [confirm]
Now the router will restart. As discussed in the previous section on the booting process of Cisco devices, the router
loads its running configuration from the startup-config in NVRAM. We have erased the contents of NVRAM (the
startup configuration), so the router will enter the initial configuration dialog (Setup mode). Answer no and press
Enter.
Now you will see the default router prompt. We have to do some basic configuration before we can reach the
TFTP server.
Router>enable
Router#configure terminal
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Router#
We have done the essential configuration to reach the TFTP server. Now restore the configuration back to the
router.
Router#copy tftp running-config
Address or name of remote host []? 10.0.0.2
Source filename []? R1-confg
Destination filename [running-config]?
Loading R1-confg from 10.0.0.2: !
[OK - 359 bytes]
359 bytes copied in 0.032 secs (11218 bytes/sec)
R1#
At this point the configuration is only in RAM, so it would be lost on reboot. Copy it to NVRAM:
R1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#
Being a CCNA certified associate you should also be able to update the IOS of Cisco devices. This process
carries a serious risk of leaving the device defective, so do not do it on a live device until you have mastered it on
the simulator.
Create this topology and load it in Packet Tracer.
IP and other settings are already configured on the server and router. We have the new IOS
stored on the TFTP server. Double click on PC0, click on the Desktop tab, select Terminal and
click on terminal configuration (do not change the default settings). This will emulate the
router on screen.
The first step in updating the IOS is to check the available space in flash:
R1>enable
R1#sh flash
System flash directory:
File  Length     Name/status
  1   33591768   c1841-advipservicesk9-mz.124-15.T1.bin
[33591768 bytes used, 30424616 available, 64016384 total]
63488K bytes of processor board System flash (Read/Write)
R1#
As you can see in the output, we have 30424616 bytes free. We can download the new
IOS into flash from the TFTP server. To load the new IOS:
R1#copy tftp flash
Address or name of remote host []? 10.0.0.2
Source filename []?c1841-ipbasek9-mz.124-12.bin
Destination filename [c1841-ipbasek9-mz.124-12.bin]?
.
Loading c1841-ipbasek9-mz.124-12.bin from 10.0.0.2: !!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 16599160 bytes]
16599160 bytes copied in 5.989 secs (620180 bytes/sec)
As you can see in the output, we have downloaded the new IOS. Now we can remove the old IOS:
R1#delete flash:c1841-advipservicesk9-mz.124-15.T1.bin
Switching
SYSTEM LED
Color            Description
Green
Amber
Off

RPS LED
Color            Description
Green
Amber            The RPS is installed but is not operational. Check the RPS to ensure that it hasn't failed.
Flashing amber   Both the internal power supply and the external RPS are installed, but the RPS is providing power.
Off
For your initial access to the switch, make sure you plug the rollover cable into the switch's console port and the
other end into the COM port of your computer. Start up a terminal emulation program such as HyperTerminal.
A switch has the same hardware components that a router has and follows the same booting process. To know more about
the booting process of Cisco devices, read our previous Example:
Cisco devices hardware components and booting process
System Configuration Dialog
If no configuration is found, the IOS will run the setup script, commonly called the System Configuration Dialog.
This script asks you questions to help it create a basic configuration on the switch. When posing questions, the setup
script uses brackets ([ and ]) to indicate default values. Leaving these answers blank (that is, not supplying an
answer) results in the script accepting the value indicated in brackets for the configuration component. In the script,
you can configure the switch's hostname, set up a Privileged EXEC password, assign a password for the virtual type
terminals (VTYs), and set up an IP address for a VLAN interface to manage the switch remotely.
Here's an example of this script:
Would you like to enter the initial configuration dialog? [yes/no]: yes
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Basics of switching
Bridges and switches are layer 2 devices that segment (break up) collision domains. A collision domain basically
includes all the devices that share a media type at layer 1.

                        Bridges             Switches
Form of switching       Software            Hardware
Method of switching     Store and forward
Ports                   2-20                100 plus
Duplex                  Half
Collision domains       1 per port          1 per port
Broadcast domains                           per VLAN
STP instances
Methods of Switching
Store and Forward
Store and Forward is the basic mode that bridges and switches use. It is the only mode that bridges can use, but
many switches can use one or more of the other modes as well, depending on the model. In Store-and-Forward
switching, the entire frame is buffered (copied into memory) and the Cyclic Redundancy Check (CRC), also known
as the FCS or Frame Check Sequence, is run to ensure that the frame is valid and not corrupted.
Cut Through
Cut Through is the fastest switching mode. The switch analyzes the first six bytes after the preamble of the frame to
make its forwarding decision. Those six bytes are the destination MAC address, which, if you think about it, is the
minimum amount of information a switch has to look at to switch efficiently. After the forwarding decision has been
made, the switch can begin to send the frame out the appropriate port(s), even if the rest of the frame is still arriving
at the inbound port. The chief advantage of Cut-Through switching is speed; no time is spent running the CRC, and
the frame is forwarded as fast as possible.
Fragment-free
Fragment-free switching forwards a frame after the switch has seen at least 64 bytes, which prevents the switching of runt frames.
This is the default switching method for the 1900 series; the 2950 doesn't support cut-through. Fragment-Free switching
is sometimes called "runtless" switching for this reason. Because the switch only ever buffers 64 bytes of each
frame, Fragment Free is a faster mode than Store and Forward, but there still exists a risk of forwarding bad frames,
so the previously described mechanisms to change to Store and Forward if excessive bad CRCs are received are
often implemented as well.
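As an added example (not from the original text), the following Python models the three forwarding decisions on constructed frames: a valid frame, one whose payload was corrupted after the FCS was computed, and a runt shorter than 64 bytes. The MAC table, addresses and payloads are constructed.

```python
import zlib

MIN_FRAME = 64  # smallest legal Ethernet frame (header + data + FCS); anything shorter is a runt


def fcs(body: bytes) -> bytes:
    """Frame Check Sequence: CRC-32 over everything after the preamble, sent little-endian."""
    return zlib.crc32(body).to_bytes(4, "little")


def build_frame(dst: bytes, src: bytes, payload: bytes, corrupt: bool = False) -> bytes:
    """Constructed test frame: dst MAC, src MAC, EtherType 0x0800, payload, FCS."""
    body = dst + src + b"\x08\x00" + payload
    frame = bytearray(body + fcs(body))
    if corrupt:
        frame[15] ^= 0x01          # flip one payload bit after the FCS was computed
    return bytes(frame)


def switch_frame(mode: str, frame: bytes, mac_table: dict) -> tuple:
    """Return (decision, bytes the switch had to see before deciding)."""
    out_port = mac_table.get(frame[:6], "flood")
    if mode == "cut-through":
        # Only the 6-byte destination MAC is needed; length and FCS are never checked.
        return (f"forwarded to {out_port}", 6)
    if mode == "fragment-free":
        # Wait for the first 64 bytes: a frame that ends earlier is a collision fragment.
        if len(frame) < MIN_FRAME:
            return ("dropped: runt", len(frame))
        return (f"forwarded to {out_port}", MIN_FRAME)
    if mode == "store-and-forward":
        # Buffer the whole frame, then verify length and FCS before forwarding.
        if len(frame) < MIN_FRAME:
            return ("dropped: runt", len(frame))
        if fcs(frame[:-4]) != frame[-4:]:
            return ("dropped: bad FCS", len(frame))
        return (f"forwarded to {out_port}", len(frame))
    raise ValueError(f"unknown switching mode {mode!r}")


def compare_modes(frame: bytes, mac_table: dict) -> dict:
    """Run the same frame through all three modes and collect the decisions."""
    return {m: switch_frame(m, frame, mac_table)[0]
            for m in ("cut-through", "fragment-free", "store-and-forward")}


if __name__ == "__main__":
    dst, src = bytes.fromhex("0001643a5501"), bytes.fromhex("00602f9d9101")
    table = {dst: "Gig1/1"}                      # constructed MAC address table
    good = build_frame(dst, src, b"A" * 100)
    bad = build_frame(dst, src, b"A" * 100, corrupt=True)
    runt = build_frame(dst, src, b"A" * 10)     # 28 bytes: too short to be a real frame
    for name, f in (("good", good), ("bad FCS", bad), ("runt", runt)):
        print(name, compare_modes(f, table))
```

Only Store and Forward rejects the corrupted frame; Fragment-free catches the runt but not the bad FCS; Cut Through forwards everything.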
Virtual LAN
A virtual LAN (VLAN) is a logical grouping of network devices in the same broadcast domain that can span
multiple physical segments.
Advantages of VLANs:
VLAN Connections
There are two types of connections: access links and trunks.
Access-Link Connections: An access-link connection is a connection between a switch and a device with a normal
Ethernet NIC, where the Ethernet frames are transmitted unaltered.
Trunk Connections: Trunk connections are capable of carrying traffic for multiple VLANs. Cisco supports two
Ethernet trunking methods:
ISL is a Cisco-proprietary trunking method that adds a 26-byte header and a 4-byte trailer to the original Ethernet
frame. Cisco's 1900 switch supports only ISL.
802.1Q is a standardized trunking method that inserts a four-byte field into the original Ethernet frame and
recomputes the FCS. The 2950 only supports 802.1Q. 802.1Q trunks support two types of frames: tagged and
untagged.
A tagged frame contains VLAN information, and only other 802.1Q-aware devices
on the trunk will be able to process this frame.
By default, all VLANs are permitted across a trunk link. Switch-to-switch trunk
links always require the use of a crossover cable, never a straight-through cable.
[Output is omitted]
Three commands can be used to log out from the terminal; use any one of them:
Switch>enable
Switch#disable
Switch>exit
Switch con0 is now available
Press RETURN to get started.
The show version command shows the device platform, the detected interfaces
and the IOS image name.
Switch>enable
Switch#show version
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version
12.2(25)FX, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 12-Oct-05 22:05 by pt_team
ROM: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX,
RELEASE SOFTWARE (fc4)
System returned to ROM by power-on
Cisco WS-C2960-24TT (RC32300) processor (revision C0) with
21039K bytes of memory.
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
[Output is omitted]
The show mac-address-table command shows all MAC addresses learned dynamically or
configured manually.
Switch#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.643a.5501    DYNAMIC     Gig1/1
The running configuration (held in RAM) can be viewed at any time with the show running-config command.
Switch#show running-config
Building configuration...
Current configuration : 925 bytes
version 12.2
no service password-encryption
!
hostname Switch
[Output is omitted]
To view the startup configuration (stored in NVRAM), use the show startup-config command.
Switch#show startup-config
Current configuration : 925 bytes
version 12.2
no service password-encryption
!
hostname Switch
[Output is omitted]
The show vlan command gives a detailed overview of all VLANs configured on the switch.
Switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
[Output is omitted]
The show interfaces command shows all detected interfaces with their hardware
description and configuration.
Switch#show interfaces
FastEthernet0/1 is up, line protocol is up (connected)
Hardware is Lance, address is 0060.2f9d.9101 (bia 0060.2f9d.9101)
MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Switch(config)#hostname Switch1
Set enable password to vinita and secret to nikki
Switch1(config)#enable password vinita
Switch1(config)#enable secret nikki
Set the console password to vinita and enable it with the login command. The order of the commands
is important: set the password before you enable it.
Switch1(config)#line console 0
Switch1(config-line)#password vinita
Switch1(config-line)#login
Switch1(config-line)#exit
Enable 5 Telnet sessions [vty 0 - vty 4] and set their password to vinita:
Switch1(config)#line vty 0 4
Switch1(config-line)#password vinita
Switch1(config-line)#login
Switch1(config-line)#exit
Now set switch ip address to 192.168.0.10 255.255.255.0 and default gateway to
192.168.0.5
Switch1(config)#interface vlan1
Switch1(config-if)#ip address 192.168.0.10 255.255.255.0
Switch1(config-if)#exit
Switch1(config)#ip default-gateway 192.168.0.5
Set the description "finance VLAN" on interface FastEthernet 0/1:
Switch1(config)#interface fastEthernet 0/1
Switch1(config-if)#description finance VLAN
By default the switch automatically negotiates speed and duplex, but you can set them
manually:
Switch1(config-if)#duplex full
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to down
Switch1(config-if)#duplex auto
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
Switch1(config-if)#duplex half
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to down
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
Switch1(config-if)#duplex auto
Switch1(config-if)#speed 10
Switch1(config-if)#speed 100
Switch1(config-if)#speed auto
Switch1(config-if)#exit
Switch1(config)#exit
The MAC address table can be wiped with the clear mac-address-table command:
Switch1#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.643a.5501    DYNAMIC     Gig1/1
Switch1#clear mac-address-table
Switch1#clear mac-address-table ?
dynamic dynamic entry type
Switch1#clear mac-address-table dynamic
To restart the switch use the reload command [the running configuration will be erased, so
copy it to the startup configuration first]:
Switch1#reload
Proceed with reload? [confirm]
To perform this activity, create this lab topology and load it in Packet Tracer.
Switch Port Security
An IP address and default gateway are used to configure the switch remotely via Telnet or SSH. Without this essential
configuration you have to connect to the switch via the console cable each time. That's very tedious, as you have to go
to the switch each time.
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#interface vlan 1
S1(config-if)#ip address 10.0.0.10 255.0.0.0
S1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
S1(config-if)#exit
S1(config)#ip default-gateway 10.0.0.1
Enable Telnet and password protect the line
You can secure a switch by using passwords to restrict various levels of access. Using passwords and assigning
privilege levels are simple ways of providing both local and remote terminal access control in a network. Passwords
can be established on individual lines, such as the console, and for the privileged EXEC (enable) mode. Passwords
are case sensitive. By default there are five VTY ports on the switch, allowing five simultaneous Telnet sessions,
noting that other Cisco devices might have more than five logical VTY ports. The five total VTY ports are numbered
from 0 through 4 and are referred to all at once as line vty 0 4.
S1(config)#line console 0
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#line vty 0 4
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#
Enable Switch port security
This feature allows you (among several other options) to disable a port if more than one MAC address is detected
as being connected to the port. This feature is commonly applied to ports that connect security-sensitive devices
such as servers. You can use the port security feature to restrict input to an interface by limiting and identifying
MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port,
the port does not forward packets with source addresses outside the group of defined addresses.
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport mode access
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 1
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#switchport port-security violation shutdown
S2(config-if)#exit
S2(config)#
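An added illustration, not the lab's own code: this Python model of one secured access port follows the configuration above (maximum 1, sticky learning, violation shutdown) and shows which frames are forwarded, when the port goes err-disabled, and how a sticky address is recorded in the running configuration. Port names and MAC addresses are constructed, and the event strings are not IOS log messages.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Constructed model of an access port with 'switchport port-security' enabled."""
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # shutdown | restrict | protect
    sticky: bool = True              # switchport port-security mac-address sticky
    secure_macs: list = field(default_factory=list)
    err_disabled: bool = False
    violation_count: int = 0
    events: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> str:
        """Decide what happens to a frame arriving with this source MAC."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Below the limit: the address is secured (and, with sticky, written to the config).
            self.secure_macs.append(src_mac)
            return "forwarded: address secured"
        # Over the limit: a security violation, handled according to the violation mode.
        self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            self.events.append(f"{self.name}: err-disabled after violation by {src_mac}")
            return "dropped: port shut down"
        if self.violation == "restrict":
            self.events.append(f"{self.name}: violation by {src_mac} (counted and logged)")
        return "dropped: unknown source"          # restrict and protect keep the port up

    def running_config(self) -> list:
        """Interface lines the configuration (plus any sticky addresses) would show."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}" for m in self.secure_macs]
        lines.append(f" switchport port-security violation {self.violation}")
        return lines


if __name__ == "__main__":
    port = SecurePort("FastEthernet0/1")                   # same settings as S2 above
    print(port.ingress("0001.643a.5501"))                  # server learned and secured
    print(port.ingress("0060.2f9d.9101"))                  # TestPC: violation, port shut down
    print(port.ingress("0001.643a.5501"))                  # even the server is now cut off
    print("\n".join(port.running_config()))
```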
You can verify port security as follows.
Click on the red x button on the right hand portion of the PT window. This
will allow you to delete a connection in the topology. Place the x over the
connection between Server and S2 and click. The connection should
disappear.
Select the lightning bolt button on the bottom left-hand corner of the PT
window to pull up connection types. Click the copper straight-through
connection. Click the TestPC device and select the FastEthernet port. Next,
click on S2 and select port Fa0/1.
From the command prompt of TestPC type the command ping 10.0.0.4. The
ping should fail.
In our previous Examples you learnt about the features of switching. To read these Examples you can follow these
links.
In this tutorial I will demonstrate how you can:
Create VLANs
To complete this lab, either create the topology shown in the figure or create this file and load it in Packet Tracer.
Advanced switch configuration
PC configurations
Device   IP Address   VLAN     Connected With
PC0      10.0.0.2     VLAN10   Switch1 on F0/1
PC1      20.0.0.2     VLAN20   Switch1 on F0/2
PC2      10.0.0.3     VLAN10   Switch2 on F0/1
PC3      20.0.0.3     VLAN20   Switch2 on F0/2
PC4      10.0.0.4     VLAN10   Switch3 on F0/1
PC5      20.0.0.4     VLAN20   Switch3 on F0/2

Switch port configurations
VLAN          LINK     STATUS
VLAN10        Access   OK
VLAN20        Access   OK
VLAN 10,20    Trunk    OK
VLAN 10,20    Trunk    OK
VLAN 10,20    Trunk    OK
VLAN10        Access   OK
VLAN20        Access   OK
VLAN 10,20    Trunk    OK
VLAN 10,20    Trunk    OK
VLAN 10,20    Trunk    Blocked
VLAN 10,20    Trunk    OK
VLAN10        Access   OK
VLAN20        Access   OK
VLAN 10,20    Trunk    OK
VLAN 10,20    Trunk    Blocked
Task
You are the administrator at XYZ company, which has two departments, sales and management.
You have been given three PCs for sales and three PCs for management. You created two VLANs: VLAN
10 for sales and VLAN 20 for management. For backup purposes you have interconnected the
switches with one extra connection. You have one router for inter-VLAN communication.
Let's start the configuration. First assign IP addresses to all PCs.
To assign an IP address, double click on the PC, select IP Configuration from the Desktop tab and give the IP address as shown
in the table above.
VLAN Trunking Protocol
Configure VTP Server
We will first create a VTP server so it can automatically propagate VLAN information to the other switches. Double click
on Switch1 and select CLI. Set the hostname to S1, create the VTP domain name example and set the password to vinita
(remember the password is case sensitive).
Switch 1
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#vtp mode server
Device mode already VTP SERVER.
S1(config)#vtp domain example
Changing VTP domain name from NULL to example
S1(config)#vtp password vinita
Setting device VLAN database password to vinita
Configure VTP clients
Once you have created the VTP domain, configure the remaining switches in client mode.
Switch 2
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#vtp mode client
Setting device to VTP CLIENT mode.
S2(config)#vtp domain example
Changing VTP domain name from NULL to example
S2(config)#vtp password vinita
Setting device VLAN database password to vinita
S2(config)#
Switch 3
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S3
S3(config)#vtp mode client
Setting device to VTP CLIENT mode.
S3(config)#vtp domain example
Changing VTP domain name from NULL to example
S3(config)#vtp password vinita
Setting device VLAN database password to vinita
S3(config)#
Dynamic Trunking Protocol
Configure DTP port
All switch ports are in access mode by default. An access port cannot carry trunk frames. Change the mode to
trunk on all the ports that are used to interconnect the switches.
Switch 1
Switch 1
S1(config)#vlan 10
S1(config-vlan)#exit
S1(config)#vlan 20
S1(config-vlan)#exit
S1(config)#
As we have already configured a VTP server in our network, we don't need to create the VLANs on S2 or S3. We only
need to associate the VLANs with ports.
Assign VLAN membership
Switch 1
S1(config)#interface fastEthernet 0/1
S1(config-if)#switchport access vlan 10
S1(config-if)#interface fastEthernet 0/2
S1(config-if)#switchport access vlan 20
Switch 2
S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport access vlan 10
S2(config-if)#interface fastEthernet 0/2
S2(config-if)#switchport access vlan 20
Switch 3
S3(config)#interface fastEthernet 0/1
S3(config-if)#switchport access vlan 10
S3(config-if)#interface fastEthernet 0/2
S3(config-if)#switchport access vlan 20
Now we have two working VLANs. To test connectivity, ping from 10.0.0.2 to 10.0.0.3 and 10.0.0.4. If you get
successful replies, then you have successfully created the VLANs and the VTP server.
Spanning-Tree Protocol
In this configuration STP will block these ports: F0/24 of S1, F0/23 and F0/24 of S2 and F0/24 of S3, to avoid a loop
at layer two. Verify which ports are blocked by STP:
Verify STP ports
Switch 2
S2#show spanning-tree active
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0002.174D.7794
             Cost        4
             Port        26(GigabitEthernet1/2)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority
             Address
             Hello Time
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/23           Desg FWD 19        128.23   P2p
Fa0/24           Altn BLK 19        128.24   P2p
Gi1/1            Desg FWD 4         128.25   P2p
Gi1/2            Root FWD 4         128.26   P2p
[Output is omitted]
S2#
You can check the STP status on S1 and S3 as well with the
show spanning-tree active command.
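An added example (not from the original text) that derives port roles like those in the output above from bridge IDs and port costs: the lowest bridge ID becomes the root, every other switch picks the root port with the lowest root path cost, on each link the end with the lower cost (then lower bridge ID) is designated, and what is left is alternate and blocked. The three-switch topology, its links and all MAC addresses except the root's are constructed; it is not the lab's own topology.

```python
PORT_COST = {"Fa": 19, "Gi": 4}   # IEEE 802.1D path costs for 100 Mbit/s and 1 Gbit/s ports

# Constructed three-switch lab: S1 uses the root address shown above, the others are made up.
BRIDGES = {
    "S1": (32769, "0002.174D.7794"),
    "S2": (32769, "00AA.BB00.0002"),
    "S3": (32769, "00AA.BB00.0003"),
}
LINKS = [   # (switch, port, switch, port); both ends of a link run at the same speed
    ("S1", "Gi1/1", "S2", "Gi1/2"),
    ("S1", "Fa0/24", "S3", "Fa0/24"),
    ("S2", "Fa0/23", "S3", "Fa0/23"),
]


def bridge_id(priority, mac):
    """A bridge ID compares as (priority, MAC); the lowest value wins the root election."""
    return (priority, mac.lower())


def port_number(port):
    """Prio.Nbr column: Fa0/24 -> 24, Gi1/1 -> 25, Gi1/2 -> 26 on a 24-port switch."""
    slot, num = port[2:].split("/")
    return int(num) + (24 if slot == "1" else 0)


def stp_roles(bridges, links):
    """Return ({(switch, port): 'Root' | 'Desg' | 'Altn'}, root bridge, root path costs)."""
    bid = {name: bridge_id(*pm) for name, pm in bridges.items()}
    root = min(bid, key=bid.get)
    ports = {name: [] for name in bridges}            # name -> [(port, neighbour, nbr_port, cost)]
    for a, pa, b, pb in links:
        cost = PORT_COST[pa[:2]]
        ports[a].append((pa, b, pb, cost))
        ports[b].append((pb, a, pa, cost))
    # Root path cost by repeated relaxation: the value the BPDU exchange converges to.
    rpc = {name: (0 if name == root else float("inf")) for name in bridges}
    for _ in range(len(bridges)):
        for name in bridges:
            for _port, nbr, _nbr_port, cost in ports[name]:
                rpc[name] = min(rpc[name], rpc[nbr] + cost)
    roles = {}
    # Root port: cheapest path to the root; ties by neighbour bridge ID, then local port number.
    for name in bridges:
        if name != root:
            port, *_ = min(ports[name],
                           key=lambda p: (rpc[p[1]] + p[3], bid[p[1]], port_number(p[0])))
            roles[(name, port)] = "Root"
    # Designated port: on each link, the end with the lower (root path cost, bridge ID).
    for a, pa, b, pb in links:
        desg_sw, desg_port = (a, pa) if (rpc[a], bid[a]) <= (rpc[b], bid[b]) else (b, pb)
        roles.setdefault((desg_sw, desg_port), "Desg")
    # Everything else is neither root nor designated: alternate, kept in blocking.
    for name in bridges:
        for port, *_ in ports[name]:
            roles.setdefault((name, port), "Altn")
    return roles, root, rpc


if __name__ == "__main__":
    roles, root, rpc = stp_roles(BRIDGES, LINKS)
    print("root bridge:", root, "root path costs:", rpc)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port:8} {role}  Prio.Nbr 128.{port_number(port)}")
```

Lowering S3's priority (for example to 4096) makes S3 the root and moves the blocked port to the S1-S2 link, which is the usual way an administrator pins the root to a chosen switch.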
Router on Stick
At this point in the configuration you have two successfully running VLANs, but they cannot communicate with each other. To
enable inter-VLAN communication we need to configure the router. To do this, double click on the router and select CLI.
Configure inter-VLAN routing
Router
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastEthernet 0/0.10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 10.0.0.1 255.0.0.0
Router(config-subif)#exit
Router(config)#interface fastEthernet 0/0.20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 20.0.0.1 255.0.0.0
Router(config-subif)#exit
To test connectivity between the different VLANs, ping from any PC to all the remaining PCs. The pings should succeed. If
you get errors, create this configured topology and cross-check where you made a mistake.
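An added example, not from the original text, covering the 802.1Q trunking section above (tag insertion with FCS recompute) and the router-on-a-stick configuration just shown: Python that tags and untags a constructed Ethernet frame and maps the tag to the subinterface whose encapsulation dot1Q matches. The MAC addresses and payload are constructed.

```python
import struct
import zlib

TPID_8021Q = 0x8100        # EtherType value that marks the inserted 802.1Q field
ISL_OVERHEAD = 26 + 4      # for comparison: ISL wraps the frame in a 26-byte header and 4-byte trailer


def fcs(body: bytes) -> bytes:
    """Frame Check Sequence: CRC-32 over the frame, transmitted little-endian."""
    return zlib.crc32(body).to_bytes(4, "little")


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed untagged Ethernet frame (no preamble) with a valid FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q field after the source MAC and recompute the FCS."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    body, old_fcs = frame[:-4], frame[-4:]
    if fcs(body) != old_fcs:
        raise ValueError("refusing to tag a frame with a bad FCS")
    tci = ((pcp & 0x7) << 13) | vlan_id          # PCP(3) | DEI(1)=0 | VID(12)
    tagged_body = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged_body + fcs(tagged_body)


def vlan_of(frame: bytes):
    """VLAN ID of a tagged frame, or None if the frame is untagged."""
    tpid, = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    tci, = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def untag_frame(frame: bytes) -> bytes:
    """Strip the tag (what an access port does on egress) and recompute the FCS."""
    if vlan_of(frame) is None:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)


def subinterface_for(frame: bytes, encapsulations: dict):
    """Router-on-a-stick demux: the subinterface whose 'encapsulation dot1Q <vlan>' matches
    the frame's tag, or None when no subinterface claims that VLAN."""
    return encapsulations.get(vlan_of(frame))


if __name__ == "__main__":
    dst, src = bytes.fromhex("0002174d7794"), bytes.fromhex("0001643a5501")   # constructed
    plain = build_frame(dst, src, 0x0800, b"payload" * 8)
    tagged = tag_frame(plain, 10)
    print("802.1Q adds", len(tagged) - len(plain), "bytes; ISL would add", ISL_OVERHEAD)
    print("VLAN of tagged / plain:", vlan_of(tagged), vlan_of(plain))
    print("untag restores the original frame:", untag_frame(tagged) == plain)
    subifs = {10: "FastEthernet0/0.10", 20: "FastEthernet0/0.20"}   # from the router config above
    print("routed on", subinterface_for(tagged, subifs))
```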
In our last Example I showed you how to connect to a Cisco router. In this Example I will show how you can
configure the router. For demonstration purposes I used the Packet Tracer software. If you haven't installed Packet Tracer, read
our previous Example to download and install it. The link is given at the top left. Create a simple
topology by dragging devices onto the workspace as shown in the figure.
Click inside the Router and select CLI and press Enter to get started. Setup mode
start automatically if there is no startup configuration present. The answer inside
the square brackets [ ], is the default answer. If this is the answer you want, just
press enter. Pressing CTRL+C at any time will end the setup process, shut down
all interfaces, and take you to user mode (Router>).
You cannot use setup mode to configure an entire router. It does only the basics. For example, you can only turn on
either RIPv1 or Interior Gateway Routing Protocol (IGRP), but not Open Shortest Path First Protocol (OSPF) or
Enhanced Interior Gateway Routing Protocol (EIGRP). You cannot create access control lists (ACL) here or enable
Network Address Translation (NAT). You can assign an IP address to an interface, but not to a subinterface. All in
all, setup mode is very limiting.
Router>?
From privileged mode you can enter configuration mode by typing configure terminal. To exit configuration
mode, type exit or press <CTRL>+z.
Router>enable
Router#config terminal
Router(config)#exit
Router#
To view all commands available from the current mode, type ? and press enter. This will give you the list of all available
commands for the router in your current mode. You can also use the question mark after you have started typing a
command. For example, if you want to use a show command but you do not remember which one you need, 'show ?'
will output all commands that you can use with the show command.
Router#show ?
access-expression List access expression
access-lists List access lists
backup Backup status
cdp CDP information
clock Display the system clock
cls DLC user information
compress Show compression statistics
configuration Contents of Non-Volatile memory
--More--
Basic Global Configuration mode Commands
Configuring a Router Name
This command works on both routers and switches
Router(config)#hostname Lucknow
Lucknow(config)#
You can choose any descriptive name for your Cisco devices.
Configuring Passwords
These commands work on both routers and switches:
Router(config)#enable password test
Router(config)#line console 0
Router(config-line)#password console
Router(config-line)#login
Router(config)#line vty 0 4
Router(config-line)#password telnet
Router(config-line)#login
Router(config)#line aux 0
Router(config-line)#password aux
Router(config-line)#login
CAUTION: The enable secret password is encrypted by default. The enable password is not. For this reason,
recommended practice is that you never use the enable password command. Use only the enable secret password
command in a router or switch configuration.
You cannot set both enable secret password and enable password to the same password. Doing so defeats the use of
encryption.
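An added example, not part of the original text: a small Python checker that scans a running configuration for the weaknesses this caution describes (enable password in use, no enable secret, service password-encryption off) and for line sections where password and login do not go together. The sample configuration is constructed from the commands used in this document; the secret hash is a placeholder.

```python
import re

# Constructed sample, assembled from the commands shown in this document (the secret hash is a placeholder).
SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
!
hostname Switch1
!
enable password vinita
enable secret 5 <hash-placeholder>
!
line con 0
 password vinita
 login
line vty 0 4
 password vinita
 login
line aux 0
 login
!
end
"""


def audit_passwords(config_text: str) -> list:
    """Return a list of findings about password handling in a running-config."""
    findings = []
    lines = [l.rstrip() for l in config_text.splitlines()]

    if any(re.match(r"enable password\b", l) for l in lines):
        findings.append("enable password is configured: it is stored in clear text or a reversible "
                        "form, so use enable secret only")
    if not any(re.match(r"enable secret\b", l) for l in lines):
        findings.append("no enable secret configured")
    if any(l.startswith("no service password-encryption") for l in lines):
        findings.append("service password-encryption is off: line passwords appear in clear text")

    # Collect the indented commands under each 'line con/vty/aux' section.
    sections, current = {}, None
    for l in lines:
        if re.match(r"line (con|vty|aux)\b", l):
            current = l
            sections[current] = []
        elif l.startswith(" ") and current is not None:
            sections[current].append(l.strip())
        else:
            current = None

    for sect, cmds in sections.items():
        has_password = any(c.startswith("password ") for c in cmds)
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        if "no login" in cmds:
            findings.append(f"{sect}: 'no login' lets anyone connect without a password")
        elif has_login and not has_password:
            findings.append(f"{sect}: login set without a password, so the line refuses all connections")
        elif has_password and not has_login:
            findings.append(f"{sect}: password set but login missing, so the password is never requested")
    return findings


if __name__ == "__main__":
    for finding in audit_passwords(SAMPLE_CONFIG):
        print("-", finding)
```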
Configuring a Fast Ethernet Interface
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 192.168.20.1 255.255.255.0    (assigns address and subnet mask to the interface)
Router(config-if)#no shutdown                              (turns the interface on)
Creating a Message of the Day Banner
Router#erase startup-config
Click inside the Router and select CLI and press Enter to get started.
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: no
Press RETURN to get started!
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#description Student Lab LAN
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R1(config-if)#exit
R1(config)#banner motd # Next Schedule metting with is postponed #
R1(config)#banner login # Unauthorized access is prohibited !
Enter you user name and password #
R1(config)#ip host Lucknow 172.16.1.1
R1(config)#no ip domain-lookup
R1(config)#line console 0
R1(config-line)#exec-timeout 0 0
R1(config-line)#logging synchronous
R1(config-line)#password consloe
R1(config-line)#login
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password telnet
R1(config-line)#login
R1(config-line)#exit
% Unrecognized command
R1(config)#enable password test
R1(config)#enable secret vinita
R1(config)#exit
%SYS-5-CONFIG_I: Configured from console by console
R1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#
The show ip interface brief command will show the global and interface-specific status of any layer 3 protocols:
Router#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.0.0.1        YES manual up                    up
FastEthernet0/1        unassigned
Serial0/0/0            20.0.0.1        YES manual up                    up
Vlan1                  unassigned      YES manual administratively down down
Router#
This command shows a brief description of each interface and is mostly used in troubleshooting. There
are three possible status conditions:
UP :- the interface is up and operational.
DOWN :- a physical link is detected but there is some problem in the configuration.
Administratively down :- the port is disabled by the shutdown command (the default state of any port on a router).
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    10.0.0.0/8 is directly connected, FastEthernet0/0
C    20.0.0.0/8 is directly connected, Serial0/0/0
D    30.0.0.0/8 [90/40514560] via 20.0.0.2, 00:02:55, Serial0/0/0
D    40.0.0.0/8 [90/41026560] via 20.0.0.2, 00:02:54, Serial0/0/0
D    50.0.0.0/8 [90/41029120] via 20.0.0.2, 00:02:50, Serial0/0/0
R1#
This command gives details about all known routes. The router will not forward a packet if no route for
that packet is shown here: the router's routing decisions are made from this routing table.
R1#show ip protocols
Basics of routing
Routing is the process by which a packet gets from one location to another. To route a packet, a router needs to know
the destination address and on what interface to send the traffic out. When a packet comes into an interface (in
interface) on a router, it looks up the destination IP address in the packet header and compares it with its routing
table. The routing table, which is stored in RAM, tells the router which outgoing interface the packet should go out
to reach the destination network. There are three ways to control routing decisions on your router:
Static routes
Default routes
Dynamic routes
Static Routes
Use a static route when you want to manually define the path that the packet will take through your network. Static
routes are useful in small networks with rarely changing routes, when you have little bandwidth and do not want the
overhead of a dynamic routing protocol, or when you want to manually define all of your routes for security reasons.
Static routes are created in global configuration mode. The syntax for the static route is as follows:
Routed protocol:
Any network protocol that provides enough information in its network layer address to enable a packet to be
forwarded from one host to another host based on the addressing scheme, without knowing the entire path from
source to destination. Packets generally are conveyed from end system to end system. IP is an example of a routed
protocol.
Routing protocol:
Facilitates the exchange of routing information between networks, enabling routers to build routing tables
dynamically. Traditional IP routing stays simple because it uses next-hop (next-router) routing, in which the router
needs to consider only where it sends the packet and does not need to consider the subsequent path of the packet on
the remaining hops (routers). Routing Information Protocol (RIP) is an example of a routing protocol.
There are two types of routing protocols:
Exterior Gateway Protocols (EGP): These routing protocols are used to route
between autonomous systems. Border Gateway Protocol (BGP) is the EGP of choice in
networks today.
Metrics
Routing Protocol   Metric        Description
RIP                Hop count
OSPF               Cost
EIGRP              Bandwidth
EIGRP              Delay
EIGRP              Load
EIGRP              MTU
EIGRP              Reliability
Autonomous Systems
An autonomous system (AS) is a group of networks under a single administrative control, which could be your
company, a division within your company, or a group of companies.
Not every routing protocol understands the concept of an AS. Routing protocols that understand the concept of an
AS are EIGRP, OSPF, IS-IS, and BGP. RIP doesn't understand autonomous systems, while OSPF does; but OSPF
doesn't require you to configure the AS number, whereas other protocols, such as EIGRP, do.
Administrative Distance
Administrative distance is the measure of trustworthiness that a router assigns to how a route to a network was
learned.
An administrative distance is an integer from 0 to 255. A routing protocol with a lower administrative distance is
more trustworthy than one with a higher administrative distance.
Route Type                                                              Administrative Distance
Static route                                                            1
Internal EIGRP route                                                    90
OSPF route                                                              110
RIP route                                                               120
External EIGRP route                                                    170
Unknown route (is considered an invalid route and will not be used)     255
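An added example that is not part of the original text: a Python model of the routing table that installs routes by administrative distance (the default Cisco values: static 1, EIGRP 90, OSPF 110, RIP 120, external EIGRP 170, 255 never installed) and answers lookups by longest prefix match, parsing route lines in the show ip route format from the earlier section. The sample routes are constructed from that output.

```python
import ipaddress
import re

# Default administrative distances (lower = more trusted), keyed by the code used in 'show ip route'.
ADMIN_DISTANCE = {"C": 0, "S": 1, "D": 90, "O": 110, "R": 120, "D EX": 170}
UNKNOWN = 255   # AD 255 marks an invalid route that is never installed

# Sample output constructed from the 'show ip route' listing earlier in this document.
SHOW_IP_ROUTE = """\
C    10.0.0.0/8 is directly connected, FastEthernet0/0
C    20.0.0.0/8 is directly connected, Serial0/0/0
D    30.0.0.0/8 [90/40514560] via 20.0.0.2, 00:02:55, Serial0/0/0
D    40.0.0.0/8 [90/41026560] via 20.0.0.2, 00:02:54, Serial0/0/0
D    50.0.0.0/8 [90/41029120] via 20.0.0.2, 00:02:50, Serial0/0/0
"""


class RoutingTable:
    """Constructed model of the routing table: per prefix the lowest AD wins, lookups use the
    longest matching prefix, and with no match (and no gateway of last resort) the packet is dropped."""

    def __init__(self):
        self.routes = {}   # ip_network -> {"code", "ad", "metric", "via", "iface"}

    def offer(self, code, prefix, via, iface, metric=0):
        """A routing source offers a route; returns True if it is installed."""
        ad = ADMIN_DISTANCE.get(code, UNKNOWN)
        if ad == UNKNOWN:
            return False
        net = ipaddress.ip_network(prefix)
        cur = self.routes.get(net)
        if cur is not None and (cur["ad"], cur["metric"]) <= (ad, metric):
            return False   # an equally or more trusted route is already installed
        self.routes[net] = {"code": code, "ad": ad, "metric": metric, "via": via, "iface": iface}
        return True

    def lookup(self, dst):
        """Longest-prefix match; None means the router has no route and will not forward."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]

    def load_show_ip_route(self, text):
        """Parse route lines written in the 'show ip route' format."""
        connected = re.compile(r"^([A-Z]+(?: EX)?)\s+(\S+) is directly connected, (\S+)$")
        learned = re.compile(r"^([A-Z]+(?: EX)?)\s+(\S+) \[(\d+)/(\d+)\] via (\S+),.*, (\S+)$")
        for line in text.splitlines():
            line = line.strip()
            if m := connected.match(line):
                self.offer(m[1], m[2], None, m[3])
            elif m := learned.match(line):
                self.offer(m[1], m[2], m[5], m[6], int(m[4]))


if __name__ == "__main__":
    rt = RoutingTable()
    rt.load_show_ip_route(SHOW_IP_ROUTE)
    print(rt.lookup("30.0.0.7"))                                       # EIGRP route via 20.0.0.2
    print(rt.lookup("8.8.8.8"))                                        # None: no route, packet dropped
    print(rt.offer("O", "30.0.0.0/8", "20.0.0.9", "Serial0/0/0", 65))  # False: OSPF 110 loses to EIGRP 90
    print(rt.offer("S", "30.0.0.0/8", "20.0.0.9", "Serial0/0/0"))      # True: static 1 replaces EIGRP
```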
Static routing occurs when you manually add routes in each router's routing table. There are advantages and
disadvantages to static routing, but that's true for all routing processes.
Static routing has the following advantages:
It adds security because the administrator can choose to allow routing access to
certain networks only.
Static routing has the following disadvantages:
The administrator must really understand the internetwork and how each router is
connected in order to configure routes correctly.
It's not possible in large networks because maintaining it would be a full-time job in
itself.
Show commands
In this Example we will recall all the topics you have learnt so far
and will try to put these commands into practice.
Create a topology as shown in the figure in Packet Tracer or
68
Now configure PC-0 first.To configure pc double click on pc and select desktop
Now click on IP configurations
IP address 10.0.0.2
Subnet mask 255.0.0.0
Default Gateway 10.0.0.1
Follow the same process on PC-2 and set the IP address to:
IP address 30.0.0.2
Subnet mask 255.0.0.0
Default Gateway 30.0.0.1
Now double click on 1841 Router 0 and select CLI.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R2(config-if)#exit
R2(config)#
Now we have connectivity between local segment and router's Ethernet port.
Routing Information Protocol (RIP) is a standards-based, distance-vector, interior gateway protocol (IGP) used by
routers to exchange routing information. RIP uses hop count to determine the best path between two locations. Hop
count is the number of routers the packet must go through until it reaches the destination network. The maximum
allowable number of hops a packet can traverse in an IP network implementing RIP is 15 by default, meaning that a
hop count of 16 is deemed unreachable. RIP works well in small networks, but it's inefficient on large networks with
slow WAN links or on networks with a large number of routers installed.
In a RIP network, each router broadcasts its entire RIP table to its neighboring routers every 30 seconds. When a
router receives a neighbor's RIP table, it uses the information provided to update its own routing table and then sends
the updated table to its neighbors.
Differences between RIPv1 and RIPv2
RIPv1
RIP supports up to six equal-cost paths to a single destination, where all six paths
can be placed in the routing table and the router can load-balance across them. The
default is actually four paths, but this can be increased up to a maximum of six.
Remember that an equal-cost path is one where the hop count value is the same. RIP will
not load-balance across unequal-cost paths.
RIPv2
RIPv2 supports authentication. You can restrict what routers you want to participate
in RIPv2. This is accomplished using a hashed password value.
RIP Timers
RIP uses four different kinds of timers to regulate its performance:
Route update timer
Sets the interval (typically 30 seconds) between periodic routing updates in which the router sends a complete copy
of its routing table out to all neighbors.
Route invalid timer
Determines the length of time that must elapse (180 seconds) before a router determines that a route has become
invalid. It will come to this conclusion if it hasn't heard any updates about a particular route for that period. When
that happens, the router will send out updates to all its neighbors letting them know that the route is invalid.
Holddown timer
This sets the amount of time during which routing information is suppressed. Routes will enter the holddown
state when an update packet is received that indicates the route is unreachable. This continues either until an update
packet is received with a better metric or until the holddown timer expires. The default is 180 seconds.
Route flush timer
Sets the time between a route becoming invalid and its removal from the routing table (240 seconds). Before it's
removed from the table, the router notifies its neighbors of that route's impending failure. The value of the route
invalid timer must be less than that of the route flush timer. This gives the router enough time to tell its neighbors
about the invalid route before the local routing table is updated.
Router   FastEthernet 0/0   FastEthernet 0/1   Serial 0/0/0
R1       10.0.0.1           20.0.0.1           50.0.0.1
R2       30.0.0.1           40.0.0.1           50.0.0.2

PC    IP Address
PC0   20.0.0.2
PC1   20.0.0.3
PC2   40.0.0.2
PC3   40.0.0.3
PC4   10.0.0.2
PC5   10.0.0.3
PC6   30.0.0.2
PC7   30.0.0.3
Assign IP addresses to the PCs. Select a PC and double click on it, select IP Configuration
from the Desktop tab and set the IP address as given in the table.
To configure a router, double click on it and select CLI. To configure this topology:
(1841Router0) Hostname R1
To configure and enable RIP routing on R1, follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R1(config-if)#exit
R1(config)#interface fastethernet 0/1
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed
state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 50.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
R1(config)#router rip
R1(config-router)#network 10.0.0.0
R1(config-router)#network 20.0.0.0
R1(config-router)#network 50.0.0.0
(2811Router1) Hostname R2
To configure and enable RIP routing on R2, follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to up
R2(config-if)#exit
R2(config)#interface fastethernet 0/1
R2(config-if)#ip address 40.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to up
R2(config-if)#exit
In our previous example we discussed the features of RIP and configured a simple topology.
In this example I will demonstrate RIP routing configuration. We will use four different series of
routers so you can get familiar with all the different platforms covered in the CCNA exam. Create a topology as shown in
the figure.
IP RIP comes in two different versions: 1 and 2. Version 1 is a distance vector protocol and is defined in RFC 1058.
Version 2 is a hybrid protocol and is defined in RFCs 1721 and 1722. The CCNA exam now primarily focuses on
version 2. There are no major differences between RIPv1 and RIPv2 as far as configuration is concerned. To read more
about the differences between RIPv1 and RIPv2, or about their characteristics, read our previous example about RIP.
Device               Interface         IP address   Connected with
R1 (1841 Router0)    FastEthernet0/0   10.0.0.1     PC0
                     Serial0/0/0       20.0.0.1     R2 on Serial 0/0
R2                   FastEthernet0/0   30.0.0.1     R3 on FastEthernet0/0
                     Serial0/0         20.0.0.2     R1 on Serial 0/0/0
R3                   FastEthernet0/0   30.0.0.2     R2 on FastEthernet0/0
                     Serial0/0         40.0.0.1     R4 on Serial 0/0/0
R4 (2811 Router3)    FastEthernet0/0   50.0.0.1     PC1
                     Serial0/0/0       40.0.0.2     R3 on Serial 0/0

Device       Interface       IP address   Default gateway   Connected with
PC-PT PC0    FastEthernet0   10.0.0.2     10.0.0.1          R1 on FastEthernet0/0
PC-PT PC1    FastEthernet0   50.0.0.2     50.0.0.1          R4 on FastEthernet0/0
To configure any router, double click on it and select CLI. To configure this
topology:
(1841Router0) Hostname R1
To configure and enable RIP routing on R1, follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R3(config-if)#bandwidth 64
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to down
R3(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to
up
R3(config)#router rip
R3(config-router)#network 30.0.0.0
R3(config-router)#network 40.0.0.0
R3(config-router)#exit
R3(config)#
(2811Router3) Hostname R4
To configure and enable RIP routing on R4, follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 40.0.0.2 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to
up
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 50.0.0.1 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
Router(config-if)#exit
R4(config)#router rip
R4(config-router)#network 40.0.0.0
R4(config-router)#network 50.0.0.0
R4(config-router)#exit
R4(config)#
PC-1
PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 50.0.0.2
Pinging 50.0.0.2 with 32 bytes of data:
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=140ms TTL=124

Reply from 10.0.0.2: bytes=32 time=140ms TTL=124
Reply from 10.0.0.2: bytes=32 time=141ms TTL=124
Reply from 10.0.0.2: bytes=32 time=157ms TTL=124
Reply from 10.0.0.2: bytes=32 time=156ms TTL=124
EIGRP is the advanced version of Cisco's earlier IGRP. Before you learn more about EIGRP, let's be familiar
with IGRP.
Interior Gateway Routing Protocol (IGRP)
The Interior Gateway Routing Protocol (IGRP) is a Cisco-proprietary routing protocol for IP. It is a distance vector
protocol.
IGRP is Cisco proprietary and uses bandwidth, delay, reliability, load, and MTU as its metrics (bandwidth and delay by
default).
IGRP's routing update period is every 90 seconds. Its hold-down period is 280 seconds, and its flush period is 630
seconds.
It also supports triggered updates and load balancing across unequal-cost paths.
IGRP requires an AS number in its router command; plus, when entering network numbers for the network
command, they are entered as the classful network number, as they are for RIP.
IGRP supports both equal- and unequal-cost paths for load balancing to a single destination. Equal-cost paths are
enabled by default, where IGRP supports up to six equal-cost paths (four by default) to a single destination in the IP
routing table. IGRP, however, also supports unequal-cost paths, but this feature is disabled by default.
Enhanced Interior Gateway Routing Protocol
The Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco-proprietary routing protocol for IP. Its
characteristics include:
Fast convergence
Loop-free topology
An interesting point about these protocols is that if you have some routers in your network running IGRP and others
running EIGRP, and both sets have the same autonomous system number, routing information will automatically be
shared between the two.
EIGRP uses the Diffusing Update Algorithm (DUAL) to update the routing table.
One really unique feature of EIGRP is that it supports three routed protocols: IP, IPX,
and AppleTalk
Hello packets are generated every five seconds on LAN interfaces as multicasts
(224.0.0.10).
For EIGRP routers to become neighbors, the following information must match:
The AS number
When two routers determine whether they will become neighbors, they go through the following process:
1. The first router generates a Hello with configuration information.
2. If the configuration information matches, the second router responds with an Update
message with topology information.
3. The first router responds with an ACK message, acknowledging the receipt of the
second router's Update.
4. The first router sends its topology to the second router via an Update message.
5. The second router responds back with an ACK.
You must specify the AS number when configuring EIGRP. Even though EIGRP is classless, you must configure it as
a classful protocol when specifying your network numbers with the network command.
EIGRP Terms
Term: Definition
Successor: The best path to reach a destination within the topology table.
Feasible successor: The best backup path to reach a destination within the topology table; multiple successors
can be feasible for a particular destination.
Routing table: This is all of the successor routes from the topology table. There is a separate routing table
for each routed protocol.
Advertised distance: The distance (metric) that a neighboring router is advertising for a specific route.
Feasible distance: The distance (metric) that your router has computed to reach a specific route: the advertised
distance from the neighboring router plus the local router's interface metric.
Neighbor table: Contains a list of the EIGRP neighbors and is similar to the adjacencies that are built in
OSPF between the designated router/backup DR and the other routers on a segment. Each
routed protocol (IP, IPX, and AppleTalk) for EIGRP has its own neighbor table.
Topology table: Similar to OSPF's database, contains a list of all destinations and paths the EIGRP router
learned; it is basically a compilation of the neighboring routers' routing tables. A separate
topology table exists for each routed protocol.
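As an added illustration (not part of the course material), the following Python code applies the definitions above: it computes feasible distance as advertised distance plus the local interface metric, picks the successor, and then selects the feasible successors. The rule used to qualify a backup (its advertised distance must be lower than the successor's feasible distance) is EIGRP's feasibility condition, which the terms above name but do not spell out; the neighbour names and metric values are constructed.

```python
"""EIGRP successor and feasible-successor selection from the page's terms.

Added example, not from the course material. For each neighbour advertising a
destination we know its advertised distance (AD) and the metric of our own
interface toward that neighbour. Feasible distance (FD) = AD + local metric.
"""
from typing import Dict, List, Tuple


def feasible_distance(advertised: int, local_metric: int) -> int:
    """FD = advertised distance from the neighbour + our interface metric to it."""
    return advertised + local_metric


def choose_paths(topology: Dict[str, Tuple[int, int]]) -> Tuple[str, int, List[str]]:
    """Return (successor, its FD, sorted feasible successors) for one destination.

    topology maps neighbour name -> (advertised distance, local interface metric).
    Feasibility condition (standard EIGRP rule, assumed here): a backup qualifies
    only if its AD is strictly lower than the successor's FD, which guarantees
    the backup does not route back through us.
    """
    fds = {nbr: feasible_distance(ad, local) for nbr, (ad, local) in topology.items()}
    successor = min(fds, key=fds.get)
    best_fd = fds[successor]
    feasible = sorted(
        nbr for nbr, (ad, _) in topology.items()
        if nbr != successor and ad < best_fd
    )
    return successor, best_fd, feasible


# Constructed topology-table entries for one destination network
# (illustrative integers, not real EIGRP composite metrics).
SAMPLE = {
    "R2": (10, 5),    # AD 10, local 5  -> FD 15: lowest FD, the successor
    "R3": (12, 10),   # AD 12 < 15      -> FD 22: a feasible successor
    "R4": (20, 1),    # AD 20 >= 15     -> FD 21: lower FD than R3, yet NOT feasible
}

if __name__ == "__main__":
    print(choose_paths(SAMPLE))   # ('R2', 15, ['R3'])
```

The R4 entry shows why the check is on advertised distance and not on feasible distance: a lower total cost is not enough to be trusted as a loop-free backup.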
EIGRP is a Cisco-proprietary routing protocol for TCP/IP. It's actually based on Cisco's proprietary IGRP routing
protocol, with many enhancements built into it. Because it has its roots in IGRP, the configuration is similar to
IGRP; however, many link state characteristics were added to it to allow EIGRP to scale to enterprise
network sizes. To know these characteristics, read our previous example.
In this example I will demonstrate EIGRP routing configuration. We will use four different series of
routers so you can get familiar with all the different platforms covered in the CCNA exam. Create a topology as shown in
the figure.
Device                 Interface         IP address   Connected with
R1 (1841 Router0)      FastEthernet0/0   10.0.0.1     PC0
                       Serial0/0/0       20.0.0.1     R2 on Serial 0/0
R2 (2620XM Router1)    FastEthernet0/0   30.0.0.1     R3 on FastEthernet0/0
                       Serial0/0         20.0.0.2     R1 on Serial 0/0/0
R3                     FastEthernet0/0   30.0.0.2     R2 on FastEthernet0/0
                       Serial0/0         40.0.0.1     R4 on Serial 0/0/0
R4                     FastEthernet0/0   50.0.0.1     PC1
                       Serial0/0/0       40.0.0.2     R3 on Serial 0/0

Device       Interface       IP address   Default gateway   Connected with
PC-PT PC0    FastEthernet0   10.0.0.2     10.0.0.1          R1 on FastEthernet0/0
PC-PT PC1    FastEthernet0   50.0.0.2     50.0.0.1          R4 on FastEthernet0/0
To configure any router, double click on it and select CLI. To configure this topology:
(1841Router0) Hostname R1
To configure and enable EIGRP routing on R1, follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R1(config)#router eigrp 1
R1(config-router)#network 10.0.0.0
R1(config-router)#network 20.0.0.0
R1(config-router)#exit
R1(config)#
(2620XM-Router1) Hostname R2
To configure and enable EIGRP routing on R2, follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line.
Router(config)#hostname R2
R2(config)#interface serial 0/0
R2(config-if)#ip address 20.0.0.2 255.0.0.0
R2(config-if)#no shutdown
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=140ms TTL=124
The biggest advantage of OSPF over EIGRP is that it will run on any device, as it's based on an open standard.
Advantages
It provides fast convergence with triggered, incremental updates via Link State
Advertisements (LSAs).
It is a classless protocol and allows for a hierarchical design with VLSM and route
summarization.
Disadvantages
It requires more memory to hold the adjacency (list of OSPF neighbors), topology
and routing tables.
Features
OSPF implements a two-layer hierarchy: the backbone (area 0) and areas off of the
backbone (areas 1 to 65,535).
On synchronous serial links, no matter what the clock rate of the physical link is, the
bandwidth always defaults to 1544 Kbps.
OSPF uses cost as a metric, which is the inverse of the bandwidth of a link.
OSPF Routing Configurations
In this example I will demonstrate OSPF routing configuration. We will use four different series of
routers so you can get familiar with all the different platforms covered in the CCNA exam. Create a topology as shown in
the figure.
Configuring OSPF is slightly different from configuring RIP. When configuring OSPF, use the following syntax:
Router(config)# router ospf process_ID
Router(config-router)# network IP_address wildcard_mask area area_#
The process_ID is locally significant and is used to differentiate between OSPF processes
running on the same router. Your router might be a boundary router between two OSPF
autonomous systems, and to differentiate them on your router, you'll give them unique
process IDs. Note that these numbers do not need to match between different routers and
that they have nothing to do with autonomous system numbers.
Device                 Interface         IP address   Connected with
R1 (1841 Router0)      FastEthernet0/0   10.0.0.1     PC0
                       Serial0/0/0       20.0.0.1     R2 on Serial 0/0
R2 (2620XM Router1)    FastEthernet0/0   30.0.0.1     R3 on FastEthernet0/0
                       Serial0/0         20.0.0.2     R1 on Serial 0/0/0
R3                     FastEthernet0/0   30.0.0.2     R2 on FastEthernet0/0
                       Serial0/0         40.0.0.1     R4 on Serial 0/0/0
R4 (2811 Router3)      FastEthernet0/0   50.0.0.1     PC1
                       Serial0/0/0       40.0.0.2     R3 on Serial 0/0

Device       Interface       IP address   Default gateway   Connected with
PC-PT PC0    FastEthernet0   10.0.0.2     10.0.0.1          R1 on FastEthernet0/0
PC-PT PC1    FastEthernet0   50.0.0.2     50.0.0.1          R4 on FastEthernet0/0
To configure any router, double click on it and select CLI. To configure this topology:
(1841Router0) Hostname R1
To configure and enable OSPF routing on R1, follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 20.0.0.0 0.255.255.255 area 0
R1(config-router)#exit
R1(config)#
(2620XM-Router1) Hostname R2
To configure and enable OSPF routing on R2, follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line.
Router(config)#hostname R2
R2(config)#interface serial 0/0
R2(config-if)#ip address 20.0.0.2 255.0.0.0
R2(config-if)#no shutdown
(2811Router3) Hostname R4
To configure and enable OSPF routing on R4, follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 40.0.0.2 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to
up
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 50.0.0.1 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
Router(config-if)#exit
R4(config)#router ospf 4
R4(config-router)#network 50.0.0.0 0.255.255.255 area 0
R4(config-router)#network 40.0.0.0 0.255.255.255 area 0
R4(config-router)#
00:06:32: %OSPF-5-ADJCHG: Process 4, Nbr 40.0.0.1 on Serial0/0/0 from
LOADING to FULL, Loading Done
R4(config-router)#exit
R4(config)#
PC-1
PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 50.0.0.2
Pinging 50.0.0.2 with 32 bytes of data:
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=140ms TTL=124

IP Address......................: 50.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 50.0.0.1
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time=140ms TTL=124
Reply from 10.0.0.2: bytes=32 time=141ms TTL=124
Reply from 10.0.0.2: bytes=32 time=157ms TTL=124
Reply from 10.0.0.2: bytes=32 time=156ms TTL=124

O    30.0.0.0/8 [110/782] via 40.0.0.1, 00:02:37, Serial0/0/0
C    40.0.0.0/8 is directly connected, Serial0/0/0
C    50.0.0.0/8 is directly connected, FastEthernet0/0
R4#
To test OSPF routing, ping from PC1 to PC2 and vice versa. If you get a reply, you have successfully configured
OSPF routing; if you do not get a reply, double check the configuration and troubleshoot.
Inbound ACLs:
Incoming packets are processed before they are routed to an outbound
interface. An inbound ACL is efficient because it saves the overhead of
routing lookups if the packet will be discarded after it is denied by the
filtering tests. If the packet is permitted by the tests, it is processed for
routing.
Outbound ACLs:
Incoming packets are routed to the outbound interface and then processed
through the outbound ACL.
Universal facts about access control lists
1. ACLs come in two varieties: numbered and named.
2. Each of these references to ACLs supports two types of filtering:
standard and extended.
3. Standard IP ACLs can filter only on the source IP address inside a
packet.
4. Extended IP ACLs can filter on the source and
destination IP addresses in the packet.
5. There are two actions an ACL can take: permit or deny.
6. Statements are processed top-down.
7. Once a match is found, no further statements are processed;
therefore, order is important.
ACL type      Range
IP Standard   1-99, 1300-1999
IP Extended   100-199, 2000-2699
Standard ACLs
A standard IP ACL is simple; it filters based on source address only. You can
filter a source network or a source host, but you cannot filter based on the
destination of a packet, the particular protocol being used such as the
Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), or
on the port number. You can permit or deny only source traffic.
Extended ACLs:
An extended ACL gives you much more power than just a standard ACL.
Extended IP ACLs check both the source and destination packet addresses.
They can also check for specific protocols, port numbers, and other
parameters, which allow administrators more flexibility and control.
Named ACLs
One of the disadvantages of using IP standard and IP extended ACLs is that
you reference them by number, which is not too descriptive of its use. With a
named ACL, this is not the case because you can name your ACL with a
descriptive name. The ACL named DenyMike is a lot more meaningful than
an ACL simply numbered 1. There are both IP standard and IP extended
named ACLs.
Another advantage to named ACLs is that they allow you to remove
individual lines out of an ACL. With numbered ACLs, you cannot delete
individual statements. Instead, you will need to delete your existing access
list and re-create the entire list.
Configuration Guidelines
You can have only one IP ACL applied to an interface in each direction
(inbound and outbound); you can't have two or more inbound or
outbound ACLs applied to the same interface. (Actually, you can have
one ACL for each protocol, like IP and IPX, applied to an interface in
each direction.)
Remember the numbers you can use for IP ACLs. Standard ACLs can
use numbers ranging 1-99 and 1300-1999, and extended ACLs can
use 100-199 and 2000-2699.
With access lists you will have a variety of uses for wildcard masks, but
typically, from a CCNA exam perspective, you should be able to do the following:
1. Match a specific host,
2. Match an entire subnet,
3. Match an IP range, or
4. Match everyone and anyone.
Match specific hosts
Task
You have been given a task to block 10.0.0.3 from gaining access to 40.0.0.0,
while 10.0.0.3 must still be able to communicate with other networks. Other computers
from the network 10.0.0.0 must be able to connect to the network
40.0.0.0.
Decide where to apply the ACL and in which direction.
Our host must be able to communicate with every other host except 40.0.0.0, so we
will place this access list on FastEthernet 0/1 of R2 (2811), connected to the
network 40.0.0.0. The direction will be out, as the packet will be filtered while it is
leaving the interface. If you place this list on R1 (1841), then host 10.0.0.3 will
not be able to communicate with any other hosts, including 40.0.0.0.
To configure R2, double click on it and select CLI. (Choose only one of the two methods
below; the result will be the same.)
R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 1 deny host 10.0.0.3
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out
OR
R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 1 deny 10.0.0.3 0.0.0.0
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out
To test, first ping from 10.0.0.3 to 40.0.0.3; it should time out, as
this packet will be filtered by the ACL. Then ping 30.0.0.3; it should reply
successfully.
PC>ping 40.0.0.3
Pinging 40.0.0.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Match an entire subnet
Task
You have been given a task to block the network 10.0.0.0 from gaining access to
40.0.0.0, while 10.0.0.0 must still be able to communicate with other networks.
Wildcards
Wildcards are used with access lists to specify an individual host, a network,
or a certain range of a network or networks.
Formula to calculate the wildcard mask for an access list
The key to matching an entire subnet is to use the following formula for the
wildcard mask. It goes as follows:
Wildcard mask = 255.255.255.255 - subnet mask
So for example, if my current subnet mask was 255.0.0.0, the wildcard mask would be
0.255.255.255.
  255.255.255.255
- 255.  0.  0.  0
-----------------
    0.255.255.255
Once you have calculated the wildcard mask, the rest is the same as we did in the
previous example.
R2>enable
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.0.0.0 0.255.255.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#
To test, first ping from 10.0.0.3 to 40.0.0.3; it should time out, as
this packet will be filtered by the ACL. Then ping 30.0.0.3; it should reply
successfully.
Now ping from 10.0.0.2 to 40.0.0.3 and then 30.0.0.2; the result should be the
same, as the packets are now filtered on a network basis.
Match an IP range
You are a network administrator at XYZ. Your task is to block the IP range
10.3.16.0 - 10.3.31.255 from gaining access to the network 40.0.0.0.
Solution
Our range is 10.3.16.0 - 10.3.31.255. In order to find the mask, take the
higher IP and subtract the lower IP from it.
  10.3.31.255
- 10.3.16.  0
-------------
   0.0.15.255
In this case the wildcard mask for this range is 0.0.15.255.
To block this range, you would use the following:
R2>enable
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.3.16.0 0.0.15.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#
One thing to note is that each non-zero value in the mask must be one less
than a power of 2, i.e. 0, 1, 3, 7, 15, 31, 63, 127, 255.
Match Everyone and Anyone
This is the easiest of Access-Lists to create, just use the following:
access-list 1 permit any
or
access-list 1 permit 0.0.0.0 255.255.255.255
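To make the wildcard arithmetic and the top-down, first-match processing concrete, here is an added Python example (not part of the course material) that derives wildcard masks the way this page does, refuses a range that the subtraction method cannot express with one statement, and evaluates this page's own access-list 1 (standard) and access-list 103 (extended) entries, including the implicit deny. The Ace type and the function names are my own; the addresses and statements are transcribed from the labs on this page.

```python
"""Cisco-style wildcard masks and first-match ACL evaluation in Python.

Added example (not part of the course material). It models the matching rules
the page states: a wildcard bit of 1 means "don't care" and 0 means "must
match"; statements are processed top-down; the first match wins; a packet
that matches nothing hits the implicit deny at the end of every list.
"""
from ipaddress import IPv4Address
from typing import List, NamedTuple, Optional

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """'10.3.16.0' -> 32-bit integer (raises on a malformed address)."""
    return int(IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> '10.3.16.0'."""
    return str(IPv4Address(value))


def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Wildcard mask = 255.255.255.255 - subnet mask (the page's formula)."""
    return to_dotted(ALL_ONES - to_int(subnet_mask))


def range_is_wildcard_block(low: str, high: str) -> bool:
    """True when low-high is one aligned block whose size is a power of two.

    Only such a range can be written as a single 'address wildcard' pair;
    this is the condition behind the page's note that each non-zero wildcard
    octet must be one less than a power of 2.
    """
    lo, hi = to_int(low), to_int(high)
    size = hi - lo + 1
    return size > 0 and size & (size - 1) == 0 and lo % size == 0


def wildcard_from_range(low: str, high: str) -> str:
    """Wildcard for a range, computed as high - low (the page's method)."""
    if not range_is_wildcard_block(low, high):
        raise ValueError(f"{low}-{high} cannot be expressed by one wildcard mask")
    return to_dotted(to_int(high) - to_int(low))


def matches(address: str, base: str, wildcard: str) -> bool:
    """True if address falls under 'base wildcard' (Cisco semantics)."""
    care_bits = ALL_ONES ^ to_int(wildcard)      # 0 bits in the wildcard must match
    return (to_int(address) & care_bits) == (to_int(base) & care_bits)


class Ace(NamedTuple):
    """One access-list entry; dst/dst_wc stay None for a standard (source-only) list."""
    action: str                 # "permit" or "deny"
    src: str
    src_wc: str
    dst: Optional[str] = None
    dst_wc: Optional[str] = None


def evaluate(acl: List[Ace], src: str, dst: Optional[str] = None) -> str:
    """Walk the list top-down and return the action of the first matching entry.

    Nothing matched means the implicit deny applies, so a list made only of
    deny statements blocks everything.
    """
    for ace in acl:
        if not matches(src, ace.src, ace.src_wc):
            continue
        if ace.dst is not None and (dst is None or not matches(dst, ace.dst, ace.dst_wc)):
            continue
        return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")

# Entries transcribed from the page's own configurations (constructed test data).
# access-list 1 deny host 10.0.0.3 / access-list 1 permit any
ACL_1 = [Ace("deny", "10.0.0.3", "0.0.0.0"), Ace("permit", *ANY)]
# access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255 / permit ip any any
ACL_103 = [Ace("deny", "10.0.0.0", "0.255.255.255", "40.0.0.0", "0.255.255.255"),
           Ace("permit", *ANY, *ANY)]
# A list with no permit statement at all: everything falls through to the implicit deny.
DENY_ONLY = [Ace("deny", "10.0.0.3", "0.0.0.0")]

if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.0.0.0"))           # 0.255.255.255
    print(wildcard_from_range("10.3.16.0", "10.3.31.255"))  # 0.0.15.255
    print(evaluate(ACL_1, "10.0.0.3"), evaluate(ACL_1, "10.0.0.2"))            # deny permit
    print(evaluate(ACL_103, "10.0.0.3", "40.0.0.3"),
          evaluate(ACL_103, "10.0.0.3", "30.0.0.3"))                           # deny permit
    print(evaluate(DENY_ONLY, "20.0.0.2"))                                      # deny
```

The evaluator models only the statement matching; where the list is applied (which interface, in or out) still decides which packets ever reach it, which is the placement point made in the first task above.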
Secure Telnet sessions via a standard ACL
This is among the most heavily tested topics in the CCNA exam. We could use an extended
ACL to secure Telnet sessions, but if you did that, you'd have to apply it
inbound on every interface, and that really wouldn't scale well to a large
router with dozens, even hundreds, of interfaces. Here's a much better
solution:
Use a standard IP access list to control access to the VTY lines
themselves.
To perform this function, follow these steps:
1. Create a standard IP access list that permits only the host or hosts you
want to be able to telnet into the routers.
2. Apply the access list to the VTY lines with the access-class command.
Secure R2 in such a way that only 20.0.0.2 can telnet to it; all other
Telnet sessions should be denied.
R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 3 permit host 20.0.0.2
R2(config)#line vty 0 4
R2(config-line)#password vinita
R2(config-line)#login
R2(config-line)#access-class 3 in
To test, telnet from 20.0.0.2 first; it should be successful.
PC>ipconfig
IP Address......................: 20.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1
PC>telnet 50.0.0.2
Trying 50.0.0.2 ...
User Access Verification
Password:
R2>
Now telnet to it from any PC other than 20.0.0.2; it must be filtered
and denied.
PC>ipconfig
IP Address......................: 20.0.0.3
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1
PC>telnet 50.0.0.2
Trying 50.0.0.2 ...
% Connection refused by remote host
PC>
Main command parameters
access-list-number
permit | deny
protocol
source-wildcard and destination-wildcard
established
log

Port (IP protocol)   Application
20 (TCP)             FTP data
21 (TCP)             FTP control
23 (TCP)             Telnet
25 (TCP)             SMTP
53 (TCP/UDP)         DNS
69 (UDP)             TFTP
80 (TCP)             HTTP
In this example we will configure extended access lists. If you want to read about
the features and characteristics of access lists, read the previous example,
Access control list.
In this example we will use the RIP topology which we created in the RIP
routing practical.
With access lists you will have a variety of uses for wildcard masks, but
typically, from a CCNA exam perspective, you should be able to do the following:
1. Block host to host
2. Block host to network
3. Block network to network
Now we will block the 10.0.0.3 from gaining access on the network 40.0.0.0.
( if you are doing this practical after configuring pervious example don't
forget to remove the last access list 101. With no access-list command. Or
just close the packet tracer without saving and reopen it to be continue with
this example.)
R1(config)#access-list 102 deny ip host 10.0.0.3 40.0.0.0 0.255.255.255
R1(config)#access-list 102 permit ip any any
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 102 in
R1(config-if)#exit
R1(config)#
Verify by pinging from 10.0.0.3 to 40.0.0.3 and 40.0.0.2; it should be
request timed out. Also ping computers of the other networks; those pings should be
successful.
Once you have calculated the wildcard mask, the rest is the same as we did in the
previous example.
R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.0.0.0 0.255.255.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#
To test, first ping from 10.0.0.3 to 40.0.0.3; it should be request timed out, as
this packet will be filtered by the ACL. Then ping 30.0.0.3; it should reply
successfully.
Network to Network Access List
Task
The students' lab is configured on the network 10.0.0.0, while the management
systems remain in the network 40.0.0.0. You are asked to stop the lab
systems from gaining access to the management systems.
Now we will block the network 10.0.0.0 from gaining access to the
network 40.0.0.0. (If you are doing this practical after configuring the previous
example, don't forget to remove the last access list, 101, with the no access-list
command, or just close Packet Tracer without saving and reopen it to
continue with this example.)
R1(config)#access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
R1(config)#access-list 103 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 103 in
R1(config-if)#exit
R1(config)#
Verify by pinging from 10.0.0.3 and 10.0.0.2 to 40.0.0.3 and 40.0.0.2; it
should be request timed out. Also ping computers of the other networks; those pings should
be successful.
Network to host
Task
For the final scenario you will block all traffic to 40.0.0.3 from the network
10.0.0.0. To accomplish this, write an extended access list. The access list
should look something like the following.
R1(config)#interface fastethernet 0/0
R1(config-if)#no ip access-group 103 in
R1(config-if)#exit
R1(config)#no access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
R1(config)#access-list 104 deny ip 10.0.0.0 0.255.255.255 40.0.0.3 0.0.0.0
R1(config)#access-list 104 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 104 in
R1(config-if)#exit
R1(config)#
Verify by pinging from 10.0.0.3 and 10.0.0.2 to 40.0.0.3; it should be
request timed out. Also ping computers of the other networks; those pings should be
successful.
Application based Extended Access list
In the previous examples we filtered IP-based traffic. Now we will filter application-based
traffic. To do this practical, either create a topology as shown in the figure
and enable the telnet, http and ftp services on the server, or create this pre-configured
topology and load it in Packet Tracer.
To test this access list, double click on any PC from the network 10.0.0.0 and
select Web Browser. Now give the IP of the web server, 30.0.0.2. It should
successfully access the web page. Now go to 30.0.0.2 and open the command
prompt, and ping 10.0.0.2 or any PC from the network 10.0.0.0. It
will be request timed out.
Stop ping but can access web server
We host our web server on 30.0.0.2, but we do not want to allow external
users to ping our server, as that could be used for denial of service. Create an
access list that will filter all ping requests inbound on the serial 0/0/0
interface of router R2.
R2(config)#access-list 102 deny icmp any any echo
R2(config)#access-list 102 permit ip any any
R2(config)#interface serial 0/0/0
R2(config-if)#ip access-group 102 in
To test this access list, ping from 10.0.0.2 to 30.0.0.2; it should be request
timed out. Now open the web browser and access 30.0.0.2; the page should be
retrieved successfully.
Grant FTP access to limited user
You want to grant ftp access only to 10.0.0.2; no other user needs ftp
access to the server. So you want to create a list to prevent FTP traffic that
originates from the subnet 10.0.0.0/8, going to the 30.0.0.2 server, from
traveling in on Ethernet interface E0/1 on R1.
R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 20
R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 21
R1(config)#access-list 103 deny tcp any any eq 20
R1(config)#access-list 103 deny tcp any any eq 21
R1(config)#access-list 103 permit ip any any
R1(config)#interface fastethernet 0/1
R1(config-if)#ip access-group 103 in
R1(config-if)#exit
Grant Telnet access to limited user
For security purposes you don't want to provide telnet access to the server
from any system except your own. Your system is 10.0.0.4. Create an extended access
list to prevent telnet traffic that originates from the subnet 10.0.0.0 to the
server.
R1(config)#access-list 104 permit tcp host 10.0.0.4 30.0.0.2 0.0.0.0 eq 23
R1(config)#access-list 104 deny tcp 10.0.0.0 0.255.255.255 30.0.0.2 0.0.0.0 eq 23
R1(config)#access-list 104 permit ip any any
R1(config)#interface fast 0/1
R1(config-if)#ip access-group 104 in
R1(config-if)#exit
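The access lists from the VTY, IP-based and application-based practicals above can be checked before they go on a router. The following Python is an added example, not code from this manual or from Cisco IOS: it simulates how IOS evaluates an IP access list (wildcard-mask matching, first match from the top, implicit deny at the end) over a small parser for the command forms used in this section. The list entries are the ones from the practicals; the test packets are constructed here, and the parser deliberately covers only that subset of the access-list syntax (any, host, address plus wildcard, eq on the destination port, and an ICMP type keyword).

```python
# Added example (not from the manual): simulator of Cisco IOS IP access-list
# evaluation for the lists configured in this section. Parses only the command
# subset used here: any / host A / A WILDCARD, "eq <port>" on the destination,
# and an ICMP type keyword such as "echo".
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def wildcard_from_mask(subnet_mask: str) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask (255.0.0.0 -> 0.255.255.255)."""
    return str(IPv4Address(0xFFFFFFFF ^ int(IPv4Address(subnet_mask))))


def _matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care, bit 0 = must equal the base address bit."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(t: list[str], i: int) -> tuple[str, str, int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return (base, wildcard, next index)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str                    # ip (matches everything), tcp, udp, icmp
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    port: Optional[int] = None       # "eq <port>" on the destination
    icmp_type: Optional[str] = None  # e.g. "echo"


def parse_ace(line: str) -> tuple[int, Entry]:
    """Parse one 'access-list <number> permit|deny ...' line (standard or extended)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(t[1]), t[2]
    if number <= 99:                 # standard list: source address only
        src, src_wc, _ = _parse_addr(t, 3)
        return number, Entry(action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255")
    protocol = t[3]
    src, src_wc, i = _parse_addr(t, 4)
    dst, dst_wc, i = _parse_addr(t, i)
    port = icmp_type = None
    while i < len(t):
        if t[i] == "eq":
            port, i = int(t[i + 1]), i + 2
        else:
            icmp_type, i = t[i], i + 1
    return number, Entry(action, protocol, src, src_wc, dst, dst_wc, port, icmp_type)


class AccessList:
    def __init__(self, lines: list[str]):
        self.entries = [parse_ace(line)[1] for line in lines]   # order is significant

    def check(self, src: str, dst: str, protocol: str = "ip",
              port: Optional[int] = None, icmp_type: Optional[str] = None) -> str:
        """Return the action of the first matching entry, or the implicit deny."""
        for e in self.entries:
            if e.protocol != "ip" and e.protocol != protocol:
                continue
            if not (_matches(src, e.src, e.src_wc) and _matches(dst, e.dst, e.dst_wc)):
                continue
            if e.port is not None and e.port != port:
                continue
            if e.icmp_type is not None and e.icmp_type != icmp_type:
                continue
            return e.action
        return "deny"          # implicit deny any at the end of every IOS access list


# Lists from the practicals in this section.
ACL_3_VTY = AccessList(["access-list 3 permit host 20.0.0.2"])
ACL_102_HOST_TO_NET = AccessList([
    "access-list 102 deny ip host 10.0.0.3 40.0.0.0 0.255.255.255",
    "access-list 102 permit ip any any",
])
ACL_102_NO_PING = AccessList([
    "access-list 102 deny icmp any any echo",
    "access-list 102 permit ip any any",
])
ACL_103_FTP = AccessList([
    "access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 20",
    "access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 21",
    "access-list 103 deny tcp any any eq 20",
    "access-list 103 deny tcp any any eq 21",
    "access-list 103 permit ip any any",
])

if __name__ == "__main__":
    print(wildcard_from_mask("255.0.0.0"))                       # 0.255.255.255
    print(ACL_102_HOST_TO_NET.check("10.0.0.3", "40.0.0.3"))     # deny
    print(ACL_103_FTP.check("10.0.0.3", "30.0.0.2", "tcp", 21))  # deny
    print(ACL_3_VTY.check("20.0.0.3", "50.0.0.2"))               # deny (implicit)
```

Two things worth noticing from running it: a list that contains only permit host 20.0.0.2 denies every other source because of the implicit deny, which is exactly what access-class 3 in on the VTY lines relies on; and entry order matters in the FTP list, since placing deny tcp any any eq 21 above the host permit would lock out 10.0.0.2 as well.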
Term                                 Definition
Customer premises equipment (CPE)    Your network's equipment, which includes the DCE (modem, NT1, CSU/DSU) and your DTE (router,
                                     access server)
Demarcation point                    Where the responsibility of the carrier is passed on to you; this could be inside or outside your local facility;
                                     note that this is a logical boundary, not necessarily a physical boundary
Local loop                           The connection from the carrier's switching equipment to the demarcation point
Central office (CO) switch           The carrier's switching facility at which the local loop terminates and enters the provider's network
Toll network                         The trunk lines and switches inside the carrier's network
Leased line                          A dedicated point-to-point circuit reserved for a single customer (see Leased-Line Connections)
Circuit switched                     A circuit that is dialed when needed, used for the session and then torn down (see Circuit-Switched Connections)
Packet switched                      A shared provider network in which virtual circuits carry traffic between sites (see Packet-Switched Connections)
Leased-Line Connections
With a leased line, you get your very own piece of wire from your location to the service provider's network. This is good
because no other customer can affect your line, as can be the case with other WAN services. You have a lot of
control over this circuit to do things such as Quality of Service and other traffic management. The downside is that a
leased line is expensive and gets a lot more expensive if you need to connect offices that are far apart.
These are usually referred to as point-to-point or dedicated connections. A leased line is a pre-established WAN
communications path that goes from the CPE through the DCE switch, then over to the CPE of the remote site.
Leased lines make sense when:
The distance between the two sites is small, making them cost-effective.
You have a constant amount of traffic between two sites and need to guarantee
bandwidth for certain applications.
Circuit-Switched Connections
A circuit-switched WAN uses the phone company as the service provider, either with analog dial-up or digital ISDN
connections. With circuit-switching, if you need to connect to the remote LAN, a call is dialed and a circuit is
established; the data is sent across the circuit, and the circuit is taken down when it is no longer needed. Circuit-switched connections include the following types:
Asynchronous serial connections
These include analog modem dialup connections and the standard telephone system, which is commonly referred to
as Plain Old Telephone Service (POTS) by the telephone carriers.
Synchronous serial connections
These include digital ISDN BRI and PRI dialup connections; they provide guaranteed bandwidth.
Packet-Switched Connections
Packet-switched WAN services allow you to connect to the provider's network in much the same way as a PC
connects to a hub: When connected, your traffic is affected by other customers' and theirs by you. This can be an
issue sometimes, but it can be managed. The advantage of this shared-bandwidth technology is that with a single
physical connection from your router's serial port, you can establish virtual connections to many other locations
around the world. Packet-switched connections use logical circuits to make connections between two sites. These
logical circuits are referred to as virtual circuits (VCs). So if you have a lot of branch offices and they are far away
from the head office, a packet-switched solution is a good idea.
X.25
The oldest of these four technologies is X.25, which is an ITU-T standard. X.25 is a network layer protocol that runs
across both synchronous and asynchronous physical circuits, providing a lot of flexibility for your connection
options. X.25 was actually developed to run across unreliable medium. It provides error detection and correction, as
well as flow control, at both the data link layer (by LAPB) and the network layer (by X.25). In this sense, it
performs a function similar to what TCP, at the transport layer, provides for IP. Because of its overhead, X.25 is best
delegated to asynchronous, unreliable connections. If you have a synchronous digital connection, another protocol,
such as Frame Relay or ATM, is much more efficient.
Frame Relay
Frame Relay is a digital packet-switched service that can run only across synchronous digital connections at the data
link layer. Because it uses digital connections (which have very few errors), it does not perform any error correction
or flow control as X.25 does. Frame Relay will, however, detect errors and drops bad frames. It is up to a higher
layer protocol, such as TCP, to resend the dropped information.
ATM
ATM is also a packet-switched technology that uses digital circuits. Unlike Frame Relay and X.25, however, this
service uses fixed-length (53 byte) packets, called cells, to transmit information. Therefore, this service is commonly
called a cell-switched service. It has an advantage over Frame Relay in that it can provide guaranteed throughput
and minimal delay for a multitude of services, including voice, video, and data. However, it does cost more than
Frame Relay services. ATM (sort of an enhanced Frame Relay) can offer a connection guaranteed bandwidth,
limited delay, limited number of errors, Quality of Service (QoS), and more. Frame Relay can provide some minimal
guarantees to connections, but not to the degree of precision that ATM can. Whereas Frame Relay is limited to 45
Mbps connections, ATM can scale to very high speeds: OC-192 (SONET), for instance, affords about 10 Gbps of
bandwidth.
Encapsulation method
With each WAN solution, there is an encapsulation type. Encapsulations wrap an information envelope around your
data that is used to transport your data traffic. If you use leased line as your wide-area networking choice, you can
encapsulate your data inside a High-Level Data-Link Control (HDLC) frame, PPP frame, or Serial Line IP (SLIP)
frame. For packet-switched networks, you can encapsulate or package your data in X.25 frames, Frame Relay, or
Asynchronous Transfer Mode (ATM) frames.
HDLC
Based on ISO standards, the HDLC (High-Level Data Link Control) protocol can be used with synchronous and
asynchronous connections and defines the frame type and interaction between two devices at the data link layer.
Cisco's HDLC is a proprietary protocol and will not work with other vendors' routers.
PPP
PPP (the Point-to-Point Protocol) is based on an open standard.
PPP Authentication
PAP goes through a two-way handshake process. In this process, the source sends its username (or hostname) and
password, in clear text, to the destination. The destination compares this information with a list of locally stored
usernames and passwords. If it finds a match, the destination sends back an accept message. If it doesn't find a
match, it sends back a reject message.
CHAP uses a three-way handshake process to perform the authentication. The source sends its username (not its
password) to the destination. The destination sends back a challenge, which is a random value generated by the
destination and is used by the source to find the appropriate password to use for authentication. Both sides then take the
source's username, the matching password, and the challenge and run them through the MD5 hashing function. The
source then takes the result of this function and sends it to the destination. The destination compares this value to the
hashed output that it generated; if the two values match, then the password used by the source must have been the
same as was used by the destination, and thus the destination will permit the connection.
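As an added illustration that is not part of this manual, the following Python simulates the CHAP handshake between R1 and R2 just described. It uses the RFC 1994 response format, MD5 over the identifier, the shared secret and the challenge, which is the concrete form of the description above; the hostnames and the password vinita come from the configuration in this section, the challenge bytes are generated at random as on a real link, and a PAP function is included for contrast so the difference in what crosses the link is visible. The on-the-wire string in the PAP function is an illustrative rendering, not the actual PPP frame layout.

```python
# Added example (not from the manual): PPP CHAP three-way handshake between
# R1 and R2, with PAP for contrast. Digest per RFC 1994:
# MD5(identifier || secret || challenge).
from __future__ import annotations

import hashlib
import hmac
import os


class ChapPeer:
    """One router; `peers` is its 'username <name> password <secret>' table."""

    def __init__(self, hostname: str, peers: dict[str, str]):
        self.hostname = hostname
        self.peers = peers
        self._pending = {}      # identifier -> outstanding challenge value

    def challenge(self) -> tuple[int, bytes, str]:
        """Step 1: Challenge packet (identifier, random value, challenger's name)."""
        ident = os.urandom(1)[0]
        value = os.urandom(16)
        self._pending[ident] = value
        return ident, value, self.hostname

    def respond(self, ident: int, value: bytes, challenger: str) -> tuple[int, bytes, str]:
        """Step 2: Response packet. The secret never leaves this peer, only its digest."""
        secret = self.peers[challenger]          # the name in the challenge selects the secret
        digest = hashlib.md5(bytes([ident]) + secret.encode() + value).digest()
        return ident, digest, self.hostname

    def verify(self, ident: int, digest: bytes, responder: str) -> bool:
        """Step 3: Success/Failure. Recompute the digest with the locally stored secret."""
        value = self._pending.pop(ident, None)   # each challenge is usable once
        secret = self.peers.get(responder)
        if value is None or secret is None:      # unknown identifier or unknown peer
            return False
        expected = hashlib.md5(bytes([ident]) + secret.encode() + value).digest()
        return hmac.compare_digest(expected, digest)


def chap_authenticate(authenticator: ChapPeer, peer: ChapPeer) -> bool:
    """Three-way handshake: challenge -> response -> verify."""
    ident, value, name = authenticator.challenge()
    return authenticator.verify(*peer.respond(ident, value, name))


def pap_authenticate(authenticator: ChapPeer, peer: ChapPeer) -> tuple[bool, str]:
    """PAP for contrast: the password itself crosses the link in clear text."""
    secret = peer.peers[authenticator.hostname]
    on_the_wire = f"{peer.hostname}:{secret}"    # illustrative view of what a sniffer would see
    return authenticator.peers.get(peer.hostname) == secret, on_the_wire


# Values from the R1/R2 configuration in this section.
R1 = ChapPeer("R1", {"R2": "vinita"})
R2 = ChapPeer("R2", {"R1": "vinita"})

if __name__ == "__main__":
    print(chap_authenticate(R1, R2), chap_authenticate(R2, R1))   # True True
    print(pap_authenticate(R1, R2))                               # (True, 'R2:vinita')
```

Because ppp authentication chap is configured on both serial interfaces, each router challenges the other, which is why the username and password tables must be mirrored on R1 and R2. A captured CHAP response is useless against a later challenge, since the random value changes and the authenticator discards each challenge after one use.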
In this example I will demonstrate how you can configure WAN encapsulation protocols. HDLC is the default
encapsulation for synchronous serial links on Cisco routers. You would only use the encapsulation hdlc command to
return the link to its default state.
For a practical example of HDLC and PPP, create a simple topology as shown in the figure in Packet Tracer.
Router(config)#exit
Router#show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
[output omitted]
Configuration of PPP
Now we will configure PPP encapsulation on both routers. We will also authenticate it with CHAP. The hostnames of
the routers are R1 and R2 and the password is vinita.
Double Click on R1 and configure it
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#username R2 password vinita
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap
R1(config-if)#exit
R1(config)#
Now configure R2 for PPP
Router>enable
Router#configure terminal
Router(config)#hostname R2
R2(config)#username R1 password vinita
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication chap
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0,
changed state to up
R2(config)#
Frame Relay
Frame Relay is a scalable WAN solution that is often used as an alternative to leased lines when leased lines prove to
be cost unaffordable. With Frame Relay, you can have a single serial interface on a router connecting into multiple
remote sites through virtual circuits.
DLCI
Each VC has a unique local address, called a DLCI. Circuits are identified by data-link connection identifiers
(DLCI). DLCIs are assigned by your provider and are used between your router and the Frame Relay provider. In
other words, DLCIs are locally significant: as a VC traverses various segments in a WAN, the DLCI
numbers can be different for each segment. The carrier's switches take care of
mapping DLCI numbers for a VC between DTEs and DCEs.
Configuration of Frame Relay
Let's practically implement whatever you have learned so far: configure this topology in Packet Tracer.
First configure R1. The Fast Ethernet port and hostname are already configured. Double click on R1, configure the
serial port for Frame Relay encapsulation, and then create sub-interfaces for connecting R2, R3 and R4. Also configure
static routes for reaching the remaining networks.
Configure R1
R1>enable
R1#configure terminal
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0.102 point-to-point
R1(config-subif)#ip address 192.168.1.245 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 102
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.103 point-to-point
R1(config-subif)#ip address 192.168.1.249 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 103
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.104 point-to-point
R1(config-subif)#ip address 192.168.1.253 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 104
R1(config-subif)#exit
R1(config)#ip route 192.168.1.64 255.255.255.224 192.168.1.246
R1(config)#ip route 192.168.1.96 255.255.255.224 192.168.1.250
Command                                                         Description
Router(config-if)#encapsulation frame-relay                     Enables Frame Relay encapsulation on the interface
Router(config-if)#frame-relay lmi-type {ansi | cisco | q933a}   Depending on the option you select, this command sets the LMI type to the
                                                                ANSI standard, the Cisco standard, or the ITU-T Q.933 Annex A standard
Router(config-if)#frame-relay interface-dlci 110                Sets the DLCI number of 110 on the local interface and enters Frame Relay
                                                                DLCI configuration mode
Router(config-fr-dlci)#exit                                     Returns to interface configuration mode
Router#show frame-relay pvc                                     Displays the status and traffic counters of each PVC (DLCI)
Router#show frame-relay lmi                                     Displays LMI statistics for the Frame Relay interfaces
Router#clear frame-relay counters                               Resets the Frame Relay counters
Router#clear frame-relay inarp                                  Clears the dynamically learned Inverse ARP map entries
Router#debug frame-relay lmi                                    Used to help determine whether a router and Frame Relay switch are
                                                                exchanging LMI packets properly
Absorption: objects that absorb the RF waves, such as walls, ceilings, and floors
Scattering: objects that disperse the RF waves, such as rough plaster on a wall, carpet on the floor, or
drop-down ceiling tiles
Reflection: objects that reflect the RF waves, such as metal and glass
Responsible body
The International Telecommunication Union-Radio Communication Sector (ITU-R) is
responsible for managing the radio frequency (RF) spectrum and satellite orbits for wireless
communications: its main purpose is to provide for cooperation and coexistence of
standards and implementations across country boundaries.
Two standards bodies are primarily responsible for implementing WLANs:
IEEE: defines the mechanical process of how WLANs are implemented in the 802.11
standards so that vendors can create compatible products.
900 MHz and 2.4 GHz frequencies are referred to as the Industrial, Scientific, and
Medical (ISM) bands.
Unlicensed bands are still regulated by governments, which might define restrictions
in their usage.
A hertz (Hz) is a unit of frequency that measures the change in a state or cycle in a wave
(sound or radio) or alternating current (electricity) during 1 second.
Transmission Method
Direct Sequence Spread Spectrum (DSSS) uses one channel to send data across all frequencies within that channel. Complementary
Code Keying (CCK) is a method for encoding transmissions for higher data rates, such as 5.5
and 11 Mbps, but it still allows backward compatibility with the original 802.11 standard,
which supports only 1 and 2 Mbps speeds. 802.11b and 802.11g support this transmission
method.
OFDM (Orthogonal Frequency Division Multiplexing) increases data rates by using spread spectrum modulation. 802.11a and 802.11g support
this transmission method.
MIMO (Multiple Input Multiple Output) transmission uses DSSS and/or OFDM, spreading its signal across 14 overlapping
channels at 5 MHz intervals. 802.11n uses it, and use of 802.11n requires multiple antennas.
WLAN Standards
                                  802.11a     802.11b     802.11g       802.11n
Data Rate                         54 Mbps     11 Mbps     54 Mbps
Throughput                        23 Mbps     4.3 Mbps    19 Mbps       74 Mbps
Frequency                         5 GHz       2.4 GHz     2.4 GHz
Compatibility                     None                                  802.11a, b, and g
Range (indoor/outdoor, meters)                38/140      38/140        70/250
Number of Channels                Up to 23                              14
Transmission                      OFDM        DSSS        DSSS/OFDM     MIMO
Ad hoc mode
Infrastructure mode
Ad hoc mode is based on the Independent Basic Service Set (IBSS). In IBSS, clients can set
up connections directly to other clients without an intermediate AP. This allows you to set up
peer-to-peer network connections and is sometimes used in a SOHO. The main problem with
ad hoc mode is that it is difficult to secure since each device you need to connect to will
require authentication. This problem, in turn, creates scalability issues.
Infrastructure mode was designed to deal with security and scalability issues. In
infrastructure mode, wireless clients can communicate with each other, albeit via an AP. Two
infrastructure mode implementations are in use:
In BSS mode, clients connect to an AP, which allows them to communicate with other clients or LAN-based
resources. The WLAN is identified by a single SSID; however, each AP requires a unique ID,
called a Basic Service Set Identifier (BSSID), which is the MAC address of the AP's wireless
card. This mode is commonly used for wireless clients that don't roam, such as PCs.
In ESS mode, two or more BSSs are interconnected to allow for larger roaming distances. To make this as
transparent as possible to the clients, such as PDAs, laptops, or mobile phones, a single SSID
is used among all of the APs. Each AP, however, will have a unique BSSID.
Coverage Areas
A WLAN coverage area includes the physical area in which the RF signal can be sent and
received. Two types of WLAN coverage are based on the two infrastructure mode
implementations:
The terms BSS and BSA, and ESS and ESA, can be confusing. BSS and ESS refer to the
building topology, whereas BSA and ESA refer to the actual signal coverage.
BSA: with BSA, a single area called a cell is used to provide coverage for the WLAN clients and AP.
ESA: with ESA, multiple cells are used to provide additional coverage over larger distances or
to overcome areas that have signal interference or degradation. When using ESA,
remember that each cell should use a different radio channel.
Therefore, the APs were commonly configured to filter traffic based on MAC addresses. The
administrator would configure a list of MAC addresses in a security table on the AP, listing
those devices allowed access; however, the problem with this solution is that MAC addresses
can be seen in clear-text in the airwaves. A rogue device can easily sniff the airwaves, see
the valid MAC addresses, and change its MAC address to match one of the valid ones.
This is called MAC address spoofing.
WEP
WEP (Wired Equivalent Privacy) was the first security solution for WLANs that employed
encryption. WEP uses a static 64-bit key, where the key is 40 bits long, and a 24-bit
initialization vector (IV) is used. The IV is sent in clear text. Because WEP uses RC4 as its
encryption algorithm and the IV is sent in clear text, WEP can be broken. To alleviate this
problem, the key was extended to 104 bits (128 bits with the IV value). However, either variation can
easily be broken in minutes on laptops and computers produced today.
802.1x EAP
The Extensible Authentication Protocol (EAP) is a layer 2 process that allows a wireless client
to authenticate to the network. There are two varieties of EAP: one for wireless and one for
LAN connections, commonly called EAP over LAN (EAPoL).
One of the concerns in wireless is allowing a WLAN client to communicate to devices behind
an AP. Three standards define this process: EAP, 802.1x, and Remote Authentication Dial In
User Service (RADIUS). EAP defines a standard way of encapsulating authentication
information, such as a username and password or a digital certificate that the AP can use to
authenticate the user. 802.1x and RADIUS define how to packetize the EAP information to
move it across the network.
WPA
Wi-Fi Protected Access (WPA) was designed by the Wi-Fi Alliance as a temporary security
solution to provide for the use of 802.1x and enhancements in the use of WEP until the
802.11i standard would be ratified. WPA can operate in two modes: personal and enterprise
mode. Personal mode was designed for home or SOHO usage. A pre-shared key is used for
authentication, requiring you to configure the same key on the clients and the AP. With this
mode, no authentication server is necessary, as it is in the official 802.1X standard.
Enterprise mode is meant for large companies, where an authentication server will centralize
the authentication credentials of the clients.
WPA2
WPA2 is the IEEE 802.11i implementation from the Wi-Fi Alliance. Instead of using WEP,
which uses the weak RC4 encryption algorithm, the much more secure Advanced Encryption
Standard (AES) in Counter Mode with CBC-MAC Protocol (CCMP) is used.
Wireless Network
Type           Coverage                        Performance
Wireless LAN   Within a building or campus     High
Wireless MAN   Within a city                   High
Wireless WAN   Worldwide                       Low
wireless configuration
No security is configured.
This will bring up the GUI of the wireless router. Scroll down the screen to the Network Setup section and select
Disable DHCP.
Go to the end of the page and click on Save Settings; this will save the settings. Click on Continue for further
settings.
Now select Administration from the top menu and change the password to test, then go to the end of the
page and click on Save Settings.
Click on Continue for further settings. This time it will ask you to authenticate again; give the new
password test this time.
PC     IP             Subnet Mask      Default Gateway
PC0    192.168.0.2    255.255.255.0    192.168.0.1
PC1    192.168.0.3    255.255.255.0    192.168.0.1
PC2    192.168.0.4    255.255.255.0    192.168.0.1
Now it's time to connect PC's from Wireless router. To do so click PC select Desktop click on
PC Wireless
As you can see in the image, the wireless device is accessing MotherNetwork on CH 6 and the signal
strength is 100%. On the left side you can see that WEP security is configured in the network. Click
on the Connect button to connect to MotherNetwork.
It will ask for the WEP key; insert 0123456789 and click Connect.
As you can see in the image below, the system is connected and the PCI card is active.