
TABLE OF CONTENTS

1. About The Company
2. OSI and TCP/IP Network Model
3. How to connect with Cisco devices in Windows
4. Cisco devices hardware component and booting process
5. How to reset Router password
6. Packet Tracer installation
7. Cisco IOS Access Modes
8. Administration of Cisco devices
9. Back up and Restore of Network Devices
10. How to update Cisco IOS
11. Switching
12. Methods of Switching
13. Virtual LAN
14. Configuration of Cisco 2960 Switch
15. Switch port security configuration
16. Configure VLAN, VTP server, STP, DTP
17. Routing Static Dynamics (RIP OSPF EIGRP)
18. Basic router configurations
19. Static routing and Default Routing
20. Routing Information Protocol RIP
21. Enhanced Interior Gateway Routing Protocol (EIGRP)
22. Open Shortest Path First (OSPF)
23. Access Control List
24. WAN protocols HDLC PPP Frame Relay
25. Wireless Networking on Cisco Routers

ABOUT : Appin Technologies


Torchbearer of Progressive Excellence
Appin Security Group is the world's 4th largest Critical Infrastructure Security Solutions
Company, which under one roof offers a host of technology-based solutions to diverse
segments of the market, helping organizations to overcome their challenges with the
optimum use of technology. From preventative maintenance to customized solutions, we put
our experience to work to provide you with greater operating time.
Appin Security Group holds the unique distinction of providing critical information security
consulting & network security services to all 4 of India's major airports, the President's House,
nuclear power plants, the Commonwealth Games, Delhi Metro Rail Corporation, Mahanagar
Telephone Nigam, the Indian Police Service and the Ministry of Defense including army, navy and
air force units. We are also a security solutions provider to over 1300 websites that are
audited and monitored by Appin Security Group globally. We have served many global
leaders such as Microsoft, Daikin, Actis, Intuit, Huawei and Shinsei in their critical
security needs.
With physical presence in 73 cities, over 320 dedicated greenfield engagements and a
dedicated team of 1250 security researchers, product developers, deployment and
maintenance specialists, we have been adjudged the 4th largest company globally
serving the critical infrastructure security solutions market.
Emerging threats to safety and security require new ideas, new solutions and new
technology. It's not about hiring more security guards. It's about connecting knowledge.
Appin Security Group creates smart solutions by linking the intelligence from multiple
systems. Overcoming technology boundaries creates a more robust, more flexible, and more
responsive solution. Appin Security Group has a robust portfolio of solutions specially
designed for your unique critical environment.

Greatness is a pursuit, a very honorable one. And leadership is a continually evolving science. It is the uni

The Appin Technology Lab, the custodian of your framework, is an information-age security and solutions com
Detection, Verification and Resolution
The sure-shot way to stamp out the potential for damage and loss to your set-up is to diagnose, and then

Carving a Niche

Appin's journey has been its destination. In our earnest endeavor to satisfy our patrons, we have left no st

The Appin Technology Lab holds the peerless merit of providing critical information security consulting & n

We secure the President's House, nuclear power plants, the Commonwealth Games, Delhi Metro Rail

We are also a security solutions provider to over 1300 websites that are audited and monitored by the Ap

Appin Technology Lab, currently a network of 110+ training labs, provides comprehensive training in Info
form and have a call back from our counselor and receive directions to the nearest center, or read more a

Gone are the days when a company was restricted to doing business only in their own backyards. A truly g
Stay Secure

There is always a profound fear of insecurity and unrelenting threats to an organization's stability and its s

Human element

It's our vibrant entrepreneurial culture that makes it all click, with human values a central component of ou

We are a group of dedicated, hardworking, ordinary people who have teamed together to accomplish extraor

OSI Reference Model

The OSI reference model is the primary model for network communications. The early development of LANs,
MANs, and WANs was confused in many ways. The early 1980s saw great increases in the number and sizes of
networks. As companies realized that they could save money and gain productivity by using networking technology,
they added networks and expanded existing networks as rapidly as new network technologies and products were
introduced.
In 1984, the International Organization for Standardization (ISO) developed the OSI Reference Model to
describe how information is transferred from one networking component to another, from the point when a user
enters information using a keyboard and mouse to when that information is converted to electrical or light signals
transferred along a piece of wire (or radio waves transferred through the air).
ISO developed the seven-layer model to help vendors and network administrators gain a better understanding of
how data is handled and transported between networking devices, as well as to provide a guideline for the
implementation of new networking standards and technologies. To assist in this process, the OSI Reference Model
separates the network communication process into seven simple layers.
Dividing the network into these seven layers provides these advantages:
Reduces complexity:
It breaks the network communication process into smaller, simpler components, which aids component
development, design, and troubleshooting.
Facilitates modular engineering:
It allows different types of network hardware and software to communicate with each other.
Interoperability between vendors:
It allows multiple-vendor development through standardization of network components. It defines the process
for connecting two layers together, promoting interoperability between vendors, and allows vendors to
compartmentalize their design efforts to fit a modular design, which eases implementation and simplifies
troubleshooting.
Ensures interoperable technology:
It prevents changes in one layer from affecting the other layers, allowing for quicker development.
Accelerates evolution:
It provides for effective updates and improvements to individual components without affecting other components or
having to rewrite the entire protocol.
Simplifies teaching and learning:
It breaks network communication into smaller components to make learning easier, and provides a teaching tool
to help network administrators understand the communication process used between networking components.

The OSI Reference Model

- The OSI reference model consists of seven layers: physical, data-link, network, transport, session,
  presentation, and application.
- The OSI model layers usually do not correspond exactly to the protocol stack running on an actual system.
- The data-link layer protocols often include physical layer specifications.
- The network and transport layer protocols work together to provide a cumulative end-to-end
  communication service.
- The functions of the session, presentation, and application layers are often combined into a single
  application layer protocol.
OSI Reference Model

Each OSI layer contains a set of functions performed by programs to enable data to travel from a source to a
destination on a network. The previous section covered the advantages of the OSI model; this section gives a
brief description of each layer in the OSI reference model.
Application Layer
The application layer is the OSI layer that is closest to the user. This layer provides network services to the user's
applications. It differs from the other layers in that it does not provide services to any other OSI layer, but only to
applications outside the OSI reference model. The application layer provides a platform to access the data of a
remote computer.
The application layer protocols that you should know are as follows:
- SNMP (Simple Network Management Protocol): communicates status and allows control of networked devices.
- TFTP (Trivial File Transfer Protocol): simple, lightweight file transfer.
- DNS (Domain Name System): translates a website name (easy for people) to an IP address (easy for computers).
- DHCP (Dynamic Host Configuration Protocol): assigns IP address, mask, and DNS server (plus a number of other
  options) to hosts.
- Telnet: provides a remote terminal connection to manage devices to which you are not close enough to use a
  console cable.
- HTTP (Hypertext Transfer Protocol): browses web pages.
- FTP (File Transfer Protocol): reliably sends/retrieves all file types.
- SMTP (Simple Mail Transfer Protocol): sends email.
- POP3 (Post Office Protocol v3): retrieves email.
- NTP (Network Time Protocol): synchronizes networked device clocks.

Presentation Layer
The presentation layer is responsible for formatting data so that application-layer protocols (and then the users) can
recognize and work with it. Think of file extensions such as .doc, .jpg, .txt, .avi, and so on: each of these file types
is formatted for use by a particular type of application. The presentation layer takes the application-layer data and
marks it with formatting codes so that it can be read reliably when accessed later. If necessary, the presentation
layer can also translate between multiple data formats by using a common format.
The Session Layer
The session layer establishes, manages, and terminates sessions between two communicating hosts. It provides its
services to the presentation layer. The session layer also synchronizes dialogue between the presentation layers of
the two hosts and manages their data exchange. For example, web servers have many users, so many communication
processes are open at a given time. Therefore, keeping track of which user communicates on which path is
important.
Transport Layer
The transport layer is possibly the most important layer for exam study purposes. A lot is going on here, and it is
heavily tested.
The transport layer's main jobs:
- It sets up and maintains a session connection between two devices.
- It can provide for the reliable or unreliable delivery of data across this connection.
- It multiplexes connections, allowing multiple applications to simultaneously send and receive data.
- When implementing a reliable connection, sequence numbers and acknowledgments (ACKs) are used.
- Flow control (through the use of windowing or acknowledgements).
- Reliable connections (through the use of sequence numbers and acknowledgements).
The transport layer uses two protocols for sending data: TCP and UDP.
TCP
TCP is a connection-oriented protocol. Connection-oriented transmission is said to be reliable. Think of TCP as the
Registered AD (acknowledgement due) facility of the Indian post office. For this level of service you pay extra and
put a bunch of extra labels on the item to track where it is going and where it has been. But you get a receipt when
it is delivered, you are guaranteed delivery, and you can keep track of whether your shipment got to its destination.
All of this costs you more, but it is reliable!

UDP
UDP is a connectionless protocol. Connectionless transmission is said to be unreliable. Now, don't get too wrapped
up in the term "unreliable": this doesn't mean that the data isn't going to get there; it only means that it isn't
guaranteed to get there. Think of sending a postcard: put it in the mailbox, and chances are good that it will get
where it's supposed to go, but there is no guarantee, and stuff does go missing once in a while. On the other hand,
it's cheap.
Reliability
When reliability is necessary, it should cover these four items:
- recognizing lost packets and having them re-sent
- recognizing packets that arrive out of order and reordering them
- detecting duplicate packets and dropping the extra ones
- avoiding congestion

Connection Multiplexing/Application Mapping

The transport layer assigns a unique set of numbers to each connection. These numbers are called port or socket
numbers. TCP and UDP provide a multiplexing function for a device: this allows multiple applications to
simultaneously send and receive data.
Imagine a server that performs a number of functions, for example email, web pages, FTP, and DNS. The server
has a single IP address, but can perform all these different functions for all the hosts that want to connect to it. The
transport layer (layer 4) uses port numbers to distinguish between different types of traffic that might be headed for
the same IP address.
Port numbers are divided into ranges by the IANA. Following are the current port ranges:

Port number    Description
0-1023         Well-known: for common TCP/IP functions and applications
1024-49151     Registered: for applications built by companies
49152-65535    Dynamic/Private: for dynamic connections or unregistered applications

Common TCP and UDP Port Numbers

TCP               UDP
FTP      20, 21   DNS      53
Telnet   23       DHCP     67, 68
SMTP     25       TFTP     69
DNS      53       NTP      123
HTTP     80       SNMP     161
POP      110
NNTP     119
HTTPS    443

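The port ranges and the service table above, applied to a host's listening sockets. This is an added example, not code from the manual: the service map is the manual's own table, the netstat-style lines are constructed for the demo, and anything the table does not know is reported with service None so it stands out for review.

```python
"""Classify TCP/UDP ports into the IANA ranges and the well-known services the
manual lists, then inventory the listening sockets of a host.

Added example, not code from the manual. The service table is the manual's own
"Common TCP and UDP Port Numbers"; the netstat-style lines below are constructed.
"""
import re

WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151

# (protocol, port) -> service, from the manual's table.
SERVICES = {
    ("tcp", 20): "FTP (data)", ("tcp", 21): "FTP", ("tcp", 23): "Telnet",
    ("tcp", 25): "SMTP", ("tcp", 53): "DNS", ("tcp", 80): "HTTP",
    ("tcp", 110): "POP", ("tcp", 119): "NNTP", ("tcp", 443): "HTTPS",
    ("udp", 53): "DNS", ("udp", 67): "DHCP", ("udp", 68): "DHCP",
    ("udp", 69): "TFTP", ("udp", 123): "NTP", ("udp", 161): "SNMP",
}

# Constructed sample in the shape of "netstat -an": proto, local socket, state.
SAMPLE_NETSTAT = """\
tcp   0.0.0.0:23       LISTEN
tcp   0.0.0.0:80       LISTEN
tcp   0.0.0.0:443      LISTEN
tcp   0.0.0.0:8443     LISTEN
tcp   10.0.0.5:51234   ESTABLISHED
udp   0.0.0.0:69       *
udp   0.0.0.0:161      *
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+)$")


def port_range(port: int) -> str:
    """Name the IANA range a port number falls into."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


def service_name(proto: str, port: int):
    """Service from the manual's table, or None if it is not listed there."""
    return SERVICES.get((proto.lower(), port))


def inventory_listeners(netstat_text: str) -> list:
    """Return one record per listening socket (TCP LISTEN or any UDP socket).

    Multiplexing in action: one local address, many ports, each port mapped back
    to the application behind it. Listeners the manual's table does not know are
    reported with service None so they stand out for review.
    """
    records = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto == "tcp" and state != "LISTEN":
            continue  # established/ephemeral client sockets are not listeners
        records.append({
            "proto": proto, "address": addr, "port": port,
            "range": port_range(port), "service": service_name(proto, port),
        })
    return records


if __name__ == "__main__":
    for rec in inventory_listeners(SAMPLE_NETSTAT):
        print(rec)
```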
Network Layer
The network layer provides a logical topology and layer-3 addresses. Routers function at the network layer. This
layer is responsible for three main functions:
- Defines logical addresses used at layer 3
- Finds paths, based on the network numbers of logical addresses, to reach destination devices
- Connects different data link types together, such as Ethernet, FDDI, Serial, and Token Ring

IP packet
Where the transport layer uses segments to transfer information between machines, the Internet layer uses
datagrams. Datagram is just another word for packet.
The IP protocol is mainly responsible for these functions:
- Connectionless data delivery: best-effort delivery with no data recovery capabilities
- Hierarchical logical addressing to provide for highly scalable internetworks
IP addresses are broken into two components:
- Network component: defines on what segment in the network a device is located
- Host component: defines the specific device on a particular network segment

Two types of packets are used at the Network layer: data and route updates.
Data packets
Used to transport user data through the internetwork. Protocols used to support data traffic are called routed
protocols; examples of routed protocols are IP and IPv6.
Route update packets
Used to update neighboring routers about the networks connected to all routers within the internetwork. Protocols
that send route update packets are called routing protocols; examples of some common ones are RIP, RIPv2, EIGRP,
and OSPF. Route update packets are used to help build and maintain routing tables on each router.
IP Classes
- Class A addresses range from 1-126: 00000001-01111111.
- Class B addresses range from 128-191: 10000000-10111111.
- Class C addresses range from 192-223: 11000000-11011111.
- Class D addresses range from 224-239: 11100000-11101111.
- Class E addresses range from 240-254.
1. 0 is reserved and represents all IP addresses.
2. 127 is a reserved address and is used for testing, like a loopback on an interface.
3. 255 is a reserved address and is used for broadcasting purposes.
Public addresses are Class A, B, and C addresses that can be used to access devices in other public networks, such as
the Internet. The Internet Assigned Numbers Authority (IANA) is ultimately responsible for handing out and
managing public addresses. Normally you get public addresses directly from your ISP, which, in turn, requests them
from one of five upstream address registries:
- American Registry for Internet Numbers (ARIN)
- Réseaux IP Européens Network Coordination Centre (RIPE NCC)
- Asia Pacific Network Information Centre (APNIC)
- Latin American and Caribbean Internet Addresses Registry (LACNIC)
- African Network Information Centre (AfriNIC)

Private IP and ISP

Private IP addresses can be used to configure a private network. You can use private IP addresses to build your
network without paying a single rupee. But the biggest problem with private IP addresses is that with them you
cannot access the Internet. This is where the ISP comes in. An ISP purchases a bulk of public IP addresses and
provides them on rent. Whatever you pay to the ISP for accessing the Internet is actually the charge for using a
public IP address.

Private IP addresses (not routable in the public network):
- Class A: 10.0.0.0-10.255.255.255 (1 Class A network)
- Class B: 172.16.0.0-172.31.255.255 (16 Class B networks)
- Class C: 192.168.0.0-192.168.255.255 (256 Class C networks)

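The class, reserved-octet and private-range rules of the two sections above, worked through on the bits of an address. This is an added example, not the manual's code; it decides the class from the leading bits of the first octet (the binary ranges in the class list), checks the reserved first octets 0, 127 and 255, and tests the three private blocks listed above.

```python
"""Classify an IPv4 address the way the network-layer sections above describe.

Added example, not code from the manual. The class comes from the high-order
bits of the first octet, the reserved check covers first octets 0, 127 and 255,
and the private check uses the three address blocks listed in the text.
"""
from typing import Optional

# Private ranges exactly as the manual lists them: (first address, last address).
PRIVATE_RANGES = (
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
)


def to_int(addr: str) -> int:
    """Convert dotted-decimal IPv4 text to a 32-bit integer, validating each octet."""
    parts = addr.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad address: {addr!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet {part!r} in {addr!r}")
        value = (value << 8) | int(part)
    return value


def address_class(addr: str) -> str:
    """Class letter from the leading bits of the first octet.

    0xxxxxxx = A, 10xxxxxx = B, 110xxxxx = C, 1110xxxx = D, 1111xxxx = E,
    which is what the binary ranges in the class list express.
    """
    first = to_int(addr) >> 24
    if first & 0b10000000 == 0:
        return "A"
    if first & 0b11000000 == 0b10000000:
        return "B"
    if first & 0b11100000 == 0b11000000:
        return "C"
    if first & 0b11110000 == 0b11100000:
        return "D"
    return "E"


def reserved_reason(addr: str) -> Optional[str]:
    """Why the first octet is reserved (0, 127 or 255), or None if it is usable."""
    first = to_int(addr) >> 24
    return {
        0: "first octet 0 is reserved and represents all addresses",
        127: "first octet 127 is reserved for loopback testing",
        255: "first octet 255 is reserved for broadcast",
    }.get(first)


def is_private(addr: str) -> bool:
    """True if the address lies inside one of the private blocks."""
    n = to_int(addr)
    return any(to_int(lo) <= n <= to_int(hi) for lo, hi in PRIVATE_RANGES)


def describe(addr: str) -> dict:
    """Full classification: class, reserved reason, private flag, public flag."""
    cls = address_class(addr)
    reason = reserved_reason(addr)
    private = is_private(addr)
    return {
        "address": addr,
        "class": cls,
        "reserved": reason,
        "private": private,
        # Usable on the public Internet: class A-C, not reserved, not private.
        "public": cls in "ABC" and reason is None and not private,
    }


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.20.0.5", "172.32.0.1", "127.0.0.1", "224.0.0.9"):
        print(describe(sample))
```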

Protocol                        Description
IP                              IP of TCP/IP, featuring routable 32-bit addressing.
IPX                             The equivalent of IP in Novell NetWare.
ICMP                            Internet Control Message Protocol. Incorporates Ping and Traceroute, which are
                                layer-3 link-testing utilities.
OSPF, IGRP, EIGRP, RIP, IS-IS   Dynamic routing protocols that learn about remote networks and the best paths to
                                them from other routers running the same protocol.
ARP, RARP                       Address Resolution Protocol (and Reverse ARP). ARP learns what MAC address is
                                associated with a given IP address. Reverse ARP learns an IP address given a MAC
                                address.

Data Link Layer

The main functions of the data link layer are:
- Defining the Media Access Control (MAC) or hardware addresses
- Defining the physical or hardware topology for connections
- Defining how the network layer protocol is encapsulated in the data link layer frame
- Providing both connectionless and connection-oriented services
- Defining hardware (MAC) addresses as well as the communication process that occurs within a medium
- The first six hexadecimal digits of a MAC address form the OUI.
- MAC addresses only need to be unique in a broadcast domain.
- You can have the same MAC address in different broadcast domains (virtual LANs).

There are two specifications of Ethernet frame: Ethernet II and 802.3.

802.2 uses a SAP or SNAP field to differentiate between encapsulated layer-3 payloads.
With a SNAP frame, the SAP fields are set to 0xAA and the type field is used to indicate the layer-3 protocol. One of
the issues of the original SAP field in the 802.2 SAP frame is that even though it is eight bits (one byte) in length,
only the first six bits are used for identifying upper-layer protocols, which allows up to 64 protocols. The 802.2
SNAP frame supports up to 65,536 protocols.
Ethernet II's version of Ethernet:
- Ethernet II does not have any sublayers, while IEEE 802.2/3 has two: LLC and MAC.
- Ethernet II has a type field instead of a length field (used in 802.3). IEEE 802.2 defines the type for IEEE
  Ethernet.

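The frame formats just described, parsed from raw bytes: Ethernet II (type field), 802.3 with a plain 802.2 LLC header (length field, SAP values), and 802.3 with SNAP (SAP 0xAA, type field after the OUI), plus the OUI taken from the source MAC. This is an added example, not code from the manual; the three sample frames are constructed, and the rule that a value of 0x0600 or above in the type/length field means Ethernet II is the standard one and is assumed here.

```python
"""Parse the head of an Ethernet frame and tell Ethernet II from IEEE 802.3 with
an 802.2 LLC header (SNAP included), as the data link section describes.

Added example, not code from the manual. The three sample frames are constructed.
Rule used: the two bytes after the source MAC are an EtherType in Ethernet II
(values of 0x0600 and above) and a payload length in 802.3 (values up to 0x05DC);
in an 802.3 frame the LLC header follows, and DSAP/SSAP 0xAA marks a SNAP header
whose type field names the layer-3 protocol.
"""
import struct

ETHERNET_II_IPV4 = bytes.fromhex(
    "ffffffffffff"   # destination: broadcast
    "001122334455"   # source (constructed), OUI 00:11:22
    "0800"           # EtherType IPv4
    "45000014"       # start of an IP header (constructed)
)
SNAP_IPV4 = bytes.fromhex(
    "0180c2000000" "001122334455"
    "000c"           # 802.3 length: 12 bytes follow
    "aaaa03"         # LLC: DSAP 0xAA, SSAP 0xAA, control 0x03 = SNAP
    "000000" "0800"  # SNAP: OUI 00:00:00 + type IPv4
    "45000014"
)
PLAIN_LLC = bytes.fromhex(
    "0180c2000000" "001122334455"
    "0006"           # 802.3 length: 6 bytes follow
    "424203"         # LLC: DSAP 0x42, SSAP 0x42, control 0x03 (no SNAP)
    "000000"
)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Return addressing, OUI, encapsulation type and the layer-3 identifier."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    info = {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "src_oui": mac_str(src[:3]),          # first six hex digits = OUI
        "dst_is_group": bool(dst[0] & 0x01),  # multicast/broadcast bit
    }
    if type_or_len >= 0x0600:
        info.update(encapsulation="Ethernet II", ethertype=type_or_len,
                    payload=frame[14:])
        return info
    # 802.3: the field is a length and an 802.2 LLC header follows.
    body = frame[14:14 + type_or_len]
    if len(body) < type_or_len:
        raise ValueError("802.3 length field exceeds the frame size")
    if len(body) < 3:
        raise ValueError("802.3 frame too short for an LLC header")
    dsap, ssap = body[0], body[1]
    info.update(encapsulation="802.3/802.2 LLC", length=type_or_len,
                dsap=dsap, ssap=ssap, control=body[2])
    if dsap == 0xAA and ssap == 0xAA:
        if len(body) < 8:
            raise ValueError("SNAP header truncated")
        (snap_type,) = struct.unpack("!H", body[6:8])
        info.update(encapsulation="802.3/802.2 SNAP", snap_oui=mac_str(body[3:6]),
                    ethertype=snap_type, payload=body[8:])
    else:
        info["payload"] = body[3:]
    return info


if __name__ == "__main__":
    for name, frame in (("Ethernet II", ETHERNET_II_IPV4),
                        ("SNAP", SNAP_IPV4), ("LLC", PLAIN_LLC)):
        print(name, parse_frame(frame))
```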
Physical Layer
The physical layer communicates directly with the various types of actual communication media. Different kinds of
media represent bit values in different ways. Some use audio tones, while others use state transitions (changes in
voltage from high to low and low to high). Specific protocols are needed for each type of media to explain the
proper bit patterns to be used, how data is encoded into media signals, and the various qualities of the physical
media's attachment interface.

Cisco's three-layer hierarchical model

Core Layer
The core provides a high-speed layer-2 switching infrastructure and typically does not manipulate packet contents.
Distribution Layer
The distribution layer provides a boundary between the access and core layers. It contains routers and switches.
Routers are used to provide the logical boundary: broadcasts are contained within the access layer, and filtering
policies can be implemented to restrict traffic flows.
Access Layer
The access layer provides the user's initial access to the network, which is typically via switches or hubs.

TCP/IP protocol
The TCP/IP protocol stack has four layers. Note that although some of the layers in the TCP/IP protocol stack have
the same names as layers in the OSI reference model, the layers have different functions in each model, as is
described in the following list:
Application layer:
The application layer handles high-level protocols, including issues of representation, encoding, and dialog control.
The TCP/IP model combines all application-related issues into one layer and ensures that this data is properly
packaged for the next layer.
Transport layer:
The transport layer deals with QoS issues of reliability, flow control, and error correction. One of its protocols, TCP,
provides for reliable network communications.
Internet layer:
The purpose of the Internet layer is to send source datagrams from any network on the internetwork and have them
arrive at the destination, regardless of the path they took to get there.
Network access layer:
The name of this layer is broad and somewhat confusing. It is also called the host-to-network layer. It includes the
LAN and WAN protocols and all the details in the OSI physical and data link layers.

How to connect with Cisco devices in Windows

In this lab scenario I will demonstrate how you can connect to a Cisco router. To connect to a physical Cisco
device you need a console cable. Attach one end of the cable to the COM port on the computer and the other end
to the console port of the Cisco device.

Console Port
When you first obtain a new Cisco device, it won't be configured. That is to say, it will not do any of the customized
functions you might need; it does not have any IP addresses, and it is generally not going to do what you paid for.
Routers need basic configuration to function on a network. The console port is used for local management
connections. This means that you must be able to physically reach the console port with a cable that is typically
about six feet long. The console port looks exactly like an Ethernet port.
Once you have the proper console cable, follow this path on the computer:
click the Start button ==> Programs ==> Accessories ==> Communications ==> HyperTerminal ==>
Location Information ==> Cancel ==> Confirm Cancel ==> Yes ==> HyperTerminal ==> OK ==>
Connection Description ==> enter a name (Vinita in this example) ==> OK ==> Location Information ==>
Confirm Cancel ==> Yes ==> HyperTerminal ==> Connect To ==> OK ==> Port Settings ==> make the
settings as given below and press OK.

If you still have problems configuring HyperTerminal, or you do not have the HyperTerminal option under
Accessories, you can use a small terminal program instead. With such software you can connect to any device
that supports Telnet, SSH, Rlogin or console connections. It is ready-to-use software: download it and execute it,
select the Serial sub-key under the Session main key, and the rest it will do automatically.


Device A                  Cable                         Device B
Router's serial port      Cisco serial DCE/DTE cables   Router's serial port
Router's Ethernet port    Crossover                     Router's Ethernet port
Router's Ethernet port    Straight-through              Switch port
Router's Ethernet port    Crossover                     Computer NIC
Console of router/switch  Rollover                      Computer COM port
Switch port               Crossover                     Switch port
Computer NIC              Crossover                     Computer NIC
Computer NIC              Straight-through              Switch port

Naming Conventions for IOS Images

c1841-advipservicesk9-mz.124-6.T7.bin (this name is used for the explanation)

c1841
The c1841 refers to the name of the platform on which the image will run. This is important because different
router models have different processors, and an image compiled for one processor or router model will typically
not run on a different model.

advipservicesk9
The advipservicesk9 refers to the features included in this IOS version, commonly referred to as the feature set.
In this example, the IOS is the advanced IP services set, and the k9 refers to the inclusion of encryption support.

mz or z
The mz or z means that the image is compressed and must be uncompressed before loading/running. If you see l
(the letter l, not the number 1) here, this indicates where the IOS image is run from. The l indicates a relocatable
image and that the image can be run from RAM. Remember that some images can run directly from flash,
depending on the router model.

124-6.T7
The 124-6.T7 indicates the software version number of the IOS. In this instance, the version is 12.4(6)T7. Image
names with T indicate new features; without the T, the image is from the mainline (only bug fixes are made to it).

.bin
The .bin at the end indicates that this is a binary image.

An IOS filename is broken down into four parts:
- Platform
- Feature set
- Run location and compression
- Version

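The four-part breakdown above, implemented as a parser that turns an image filename into platform, feature set, run-location and compression codes, and the expanded version string (124-6.T7 becomes 12.4(6)T7). This is an added example, not the manual's code; the run-location letters (f flash, m RAM, r ROM, l relocatable) and compression letters (z zip, x mzip, w stac) are Cisco's standard codes supplied here as an assumption, since the text itself only names m, z and l, and the second sample filename is constructed.

```python
"""Break a Cisco IOS image filename into its four parts, following the naming
convention explained above. Added example, not code from the manual.

The run-location letters (f flash, m RAM, r ROM, l relocatable) and compression
letters (z zip, x mzip, w stac) are Cisco's standard codes and are supplied here
as an assumption; the manual's text itself only names m, z and l. The mainline
sample filename below is constructed; the c1841 one is the manual's example.
"""
import re

RUN_LOCATION = {"f": "flash", "m": "RAM", "r": "ROM", "l": "relocatable"}
COMPRESSION = {"z": "zip", "x": "mzip", "w": "stac"}

# platform-featureset-codes.version.bin
IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9_]+)-(?P<codes>[a-z]+)"
    r"\.(?P<version>[0-9]+-[0-9]+(?:\.[A-Za-z0-9]+)?)\.bin$"
)


def expand_version(raw: str):
    """'124-6.T7' -> ('12.4(6)T7', 'T7'); mainline '124-6' -> ('12.4(6)', '')."""
    main, _, rest = raw.partition("-")
    major, minor = main[:-1], main[-1]           # '124' -> '12', '4'
    maintenance, _, train = rest.partition(".")  # '6.T7' -> '6', 'T7'
    return f"{major}.{minor}({maintenance}){train}", train


def parse_image_name(name: str) -> dict:
    """Return platform, feature set, run location, compression and version."""
    m = IMAGE_RE.match(name)
    if not m:
        raise ValueError(f"not an IOS image name in the expected form: {name!r}")
    locations, compression = [], None
    for ch in m.group("codes"):
        if ch in RUN_LOCATION:
            locations.append(RUN_LOCATION[ch])
        elif ch in COMPRESSION:
            compression = COMPRESSION[ch]
        else:
            raise ValueError(f"unknown run-location/compression code {ch!r}")
    version, train = expand_version(m.group("version"))
    return {
        "platform": m.group("platform"),
        "feature_set": m.group("features"),
        # k9 at the end of the feature set marks the inclusion of encryption support.
        "encryption": m.group("features").endswith("k9"),
        "run_location": locations,
        "compression": compression,  # None means the image is not compressed
        "version": version,
        "train": train,
        # T images carry new features; no train letters means the mainline.
        "mainline": train == "",
    }


if __name__ == "__main__":
    for sample in (
        "c1841-advipservicesk9-mz.124-6.T7.bin",  # the manual's example
        "c1841-ipbase-mz.124-6.bin",              # constructed mainline image
    ):
        print(parse_image_name(sample))
```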
Memory Locations

Code    Location
f       Image runs in flash
m       Image runs in Random Access Memory (RAM)
r       Image runs in Read Only Memory (ROM)
l       Image will be relocated at runtime

Compression Identifiers

Code    Compression
z       Image is Zip compressed
x       Image is Mzip compressed
w       Image is Stac compressed

Connections
Cisco's networking products support two types of external connections: ports (referred to as lines) and interfaces.
Out-of-band management (which you do through console ports) does not affect the bandwidth flowing through your
network, while in-band management (which is done through an interface) does.
Console Port
Almost every Cisco product has a console port. This port is used to establish an out-of-band connection in order to
access the CLI to manage your Cisco device. Most console connections to Cisco devices require an RJ-45 rollover
cable and an RJ-45-to-DB9 terminal adapter.
The rollover cable pins are reversed on the two sides.
COM port settings:
Speed                   9600 bps
Data bits               8
Stop bits               1
Parity & Flow Control   None

Cabling Devices
A straight-through cable is used for DTE-to-DCE connections:
- A hub to a router, PC, or file server
- A switch to a router, PC, or file server
Crossover cables should be used when you connect a DTE to another DTE or a DCE to another DCE:
- A hub to another hub
- A switch to another switch
- A hub to a switch
- A PC, router, or file server to another PC, router, or file server


Interfaces of a Router

Console
The console port is used for local management connections. This means that you must be able to physically reach
the console port with a cable. The console port looks exactly like an Ethernet port. It uses the same connector, but it
has different wiring and is often identified with a light blue label "CONSOLE".

Aux Port
The AUX port is really just another console port that is intended for use with a modem, so you can remotely connect
and administer the device by dialling in to it. However, using the AUX port for configuration creates some security
issues, so make sure that you get advice on addressing those before setting this up.

Ethernet Port
An Ethernet port (which might be a FastEthernet or even a GigabitEthernet port, depending on your router model) is
intended to connect to the LAN. Some routers have more than one Ethernet or FastEthernet port; it really depends
on what you need and of course what you purchase. The Ethernet port usually connects to the LAN switch with a
straight-through cable.

Serial Port
A Cisco serial port is a proprietary design, a 60-pin D-sub. This connector can be configured for almost any kind of
serial communication. You need a cable that has the Cisco connector on one end and the appropriate type of
connector for the service you want to connect to on the other.

Cisco devices hardware component and booting process

ROM
ROM contains the necessary firmware to boot up your router and typically has the following four components:
- POST (power-on self-test): performs tests on the router's hardware components.
- Bootstrap program: brings the router up and determines how the IOS image and configuration files will be found
  and loaded.
- ROM Monitor (ROMMON mode): a mini operating system that allows you to perform low-level testing and
  troubleshooting, and the password recovery procedure.
- Mini-IOS: a stripped-down version of the IOS that contains only IP code. This should be used in emergency
  situations where the IOS image in flash can't be found and you want to boot up your router and load another IOS
  image. This stripped-down IOS is referred to as RXBOOT mode.

RAM
RAM is like the memory in your PC. On a router, it (in most cases) contains the running IOS image; the active
configuration file; any tables (including routing, ARP, CDP neighbor, and other tables); and internal buffers for
temporarily storing information, such as interface input and output buffers. The IOS is responsible for managing
memory. When you turn off your router, everything in RAM is erased.
Flash
Flash is a form of nonvolatile memory: when you turn the router off, the information stored in flash is not lost.
Routers store their IOS image in flash, but other information can also be stored here. Note that some lower-end
Cisco routers actually run the IOS directly from flash (not RAM). Flash is slower than RAM, a fact that can create
performance issues.
NVRAM
NVRAM is like flash in that its contents are not erased when you turn off your router. It is slightly different, though,
in that it uses a battery to maintain the information when the Cisco device is turned off. Routers use NVRAM to
store their configuration files. In newer versions of the IOS, you can store more than one configuration file here.
Router Boot-up Process
A router typically goes through five steps when booting up:
1. The router loads and runs POST (located in ROM), testing its hardware components, including memory and
   interfaces.
2. The bootstrap program is loaded and executed.
3. The bootstrap program finds and loads an IOS image. Possible locations: flash, a TFTP server, or the Mini-IOS
   in ROM.
4. Once the IOS is loaded, it attempts to find and load a configuration file stored in NVRAM.
5. After the configuration is loaded, you are presented with the CLI. The mode you are placed into is User EXEC
   mode.

Setup Mode
Cisco devices include a feature called Setup mode to help you make a basic initial configuration. Setup mode will
run only if there is no configuration file in NVRAM, either because the router is brand-new or because it has been
erased. Setup mode will ask you a series of questions and apply the configuration to the device based on your
answers. You can abort Setup mode by typing CTRL+C or by answering "no" either when asked if you want to enter
the initial configuration dialog or when asked if you want to save the configuration at the end of the questions.
Configuration register
The configuration register is a special register in the router that determines many of its boot-up and running options,
including how the router finds the IOS image and its configuration file. The configuration register is a four-character
hexadecimal value that can be changed to manipulate how the router behaves at boot-up. The default value is
0x2102.
The characters "0x" indicate that the characters that follow are in hexadecimal. This makes it clear whether the value
is "two thousand one hundred and two" or, as in this case, "two one zero two hexadecimal".
The fourth character in the configuration register is known as the boot field. Changing the value of this character
has the following effects:
- 0x2100 = Always boot to ROMMON.
- 0x2101 = Always boot to RXBOOT.
- 0x2102 through 0x210F = Load the first valid IOS in flash; values of 2 through F for the fourth character specify
  other IOS image files in flash.
The third character in the configuration register can modify how the router loads the configuration file. The setting
of 0x2142 causes the router to ignore the startup-config file in NVRAM (which is where the password is stored) and
proceed without a configuration, as if the router were brand new or had its configuration erased.

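The boot field and the 0x2142 "ignore NVRAM" setting described above, decoded from a register value, plus a check of the register line that show version prints so a router left on the recovery value (the one the password-recovery procedure below relies on) can be spotted before its saved configuration fails to load. This is an added example, not the manual's code; the show version fragments are constructed, and the exact wording of the "Configuration register is" line is assumed to be the one IOS prints.

```python
"""Decode a Cisco configuration register the way the section above describes:
the fourth hex character is the boot field, and the 0x40 bit of the third
character (the "4" in 0x2142) tells the router to ignore startup-config in NVRAM.

Added example, not code from the manual. The 'show version' text at the bottom
is constructed; the line format "Configuration register is 0x...." is the one
IOS prints, and "(will be 0x.... at next reload)" appears after the value has
been changed but not yet applied.
"""
import re

DEFAULT_CONFREG = 0x2102
IGNORE_NVRAM_BIT = 0x0040

CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)


def parse_confreg(text: str) -> int:
    """Accept '0x2102' or '2102' and return the integer value."""
    s = text.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    value = int(s, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"register value out of range: {text!r}")
    return value


def boot_field_meaning(value: int) -> str:
    """Interpret the boot field (low nibble) per the manual's list."""
    field = value & 0x000F
    if field == 0x0:
        return "always boot to ROMMON"
    if field == 0x1:
        return "always boot to RXBOOT (Mini-IOS in ROM)"
    if field == 0x2:
        return "load the first valid IOS in flash"
    return f"boot field {field:X}: load another IOS image file from flash"


def decode_confreg(text: str) -> dict:
    value = parse_confreg(text)
    return {
        "value": f"0x{value:04X}",
        "boot_field": value & 0x000F,
        "boot": boot_field_meaning(value),
        "ignores_startup_config": bool(value & IGNORE_NVRAM_BIT),
        "is_default": value == DEFAULT_CONFREG,
    }


def audit_show_version(output: str) -> dict:
    """Find the register in 'show version' output and judge the value that will
    apply at the next reload. A register that ignores NVRAM means the saved
    configuration, passwords included, will not load: the recovery setting was
    left in place."""
    m = CONFREG_RE.search(output)
    if not m:
        raise ValueError("no 'Configuration register is' line found")
    current = decode_confreg(m.group(1))
    next_reload = decode_confreg(m.group(2)) if m.group(2) else current
    return {
        "current": current["value"],
        "next_reload": next_reload["value"],
        "ignores_startup_config_at_reload": next_reload["ignores_startup_config"],
        "needs_attention": not next_reload["is_default"],
    }


# Constructed 'show version' tails: one router still on the recovery value,
# one already set back to the default but not yet reloaded.
LEFT_ON_RECOVERY = "...\nConfiguration register is 0x2142\n"
RESTORED_PENDING_RELOAD = (
    "...\nConfiguration register is 0x2142 (will be 0x2102 at next reload)\n"
)


if __name__ == "__main__":
    print(decode_confreg("0x2102"))
    print(audit_show_version(LEFT_ON_RECOVERY))
    print(audit_show_version(RESTORED_PENDING_RELOAD))
```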
How to reset Router password


The Password Recovery process is simple and takes less than five minutes depending on how fast your router boots
1. Connect to the console port, start your terminal application, and power cycle the
router. When you see the boot process beginning, hit the Break sequence. (This is
usually Ctrl+Page Break, but it might differ for different terminal applications.)
Doing this interrupts the boot process and drops the router into ROMMON.
2. At the ROMMON prompt, enter the command confreg 0x2142 to set the
configuration register to 0x2142.
3. Restart the router by power cycling it or by issuing the command reset.
4. When the router reloads, the configuration register setting of 0x2142 instructs the
router to ignore the startup-config file in NVRAM. You will be asked if you want to go
through Setup mode because the router thinks it has no startup-configuration file.
Exit from Setup mode.
5. Press Return and enter the enable command to go into privileged EXEC command
mode. No password is required because the startup config file was not loaded.
6. Load the configuration manually by entering copy startup-config running-config.
7. Go into the Global Configuration mode using the command configure terminal and
change the password with the command enable password password or enable
secret password.
8. Save the new password by entering copy running-config startup-config.
9. Go to the global config prompt, and change the configuration register back to the
default setting with the command config-register 0x2102. Exit back to the
privileged exec prompt.
10. Reboot the router using the reload command. You will be asked to save your changes;
you can do so if you have made additional configuration changes.
Reset password on 1841

System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)


Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Self decompressing the image :
################
monitor: command "boot" aborted due to user interrupt
rommon 1 > confreg 0x2142
rommon 2 > reset
System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Self decompressing the image :
############################################################### [OK]
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M),
Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team
Image text-base: 0x60080608, data-base: 0x6270CD50
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Processor board ID FTX0947Z18E
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M),
Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: no
Press RETURN to get started!
Router>enable
Router#copy startup-config running-config
Destination filename [running-config]?
428 bytes copied in 0.416 secs (1028 bytes/sec)
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable password vinita
Router(config)#enable secret vinita
Router(config)#config-register 0x2102
Router(config)#exit
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#reload
Proceed with reload? [confirm]
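A decoder for the register values discussed in the two sections above, as an added Python example that is not part of the guide: it reads the boot field and the ignore-NVRAM bit out of a register value and audits constructed "show version" samples for a device that was left at 0x2142 after a recovery. The hostnames and sample output are made up.

```python
"""Decode a Cisco configuration register and audit 'show version' output.

Added example for this study guide; it is not Cisco code. Bit layout used:
  bits 0-3 : boot field (0 = ROMMON, 1 = RXBOOT, 2-F = IOS image in flash)
  bit 6    : 0x0040, ignore the startup-config in NVRAM (0x2142 sets it)
  bit 8    : 0x0100, console Break disabled once IOS is running
A device left at 0x2142 after a password recovery boots with no startup-config
and therefore no passwords, so the audit flags it.
"""
import re
from dataclasses import dataclass
from typing import List

DEFAULT_REGISTER = 0x2102
IGNORE_NVRAM_BIT = 0x0040
BREAK_DISABLED_BIT = 0x0100


@dataclass
class ConfReg:
    value: int

    @property
    def boot_field(self) -> int:
        return self.value & 0xF

    @property
    def boot_source(self) -> str:
        if self.boot_field == 0:
            return "ROMMON"
        if self.boot_field == 1:
            return "RXBOOT"
        return "IOS image in flash"

    @property
    def ignore_nvram(self) -> bool:
        return bool(self.value & IGNORE_NVRAM_BIT)

    @property
    def break_disabled(self) -> bool:
        return bool(self.value & BREAK_DISABLED_BIT)


# Matches the real 'show version' line, with or without the pending-value suffix.
REGISTER_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?"
)


def audit_show_version(hostname: str, output: str) -> List[str]:
    """Return human-readable findings for one device's 'show version' text."""
    match = REGISTER_LINE.search(output)
    if match is None:
        return [f"{hostname}: no configuration register line found"]
    current = ConfReg(int(match.group(1), 16))
    # The value in effect after the next reload is the pending one, if shown.
    pending = ConfReg(int(match.group(2), 16)) if match.group(2) else current

    findings = []
    if current.ignore_nvram:
        findings.append(
            f"{hostname}: running with 0x{current.value:04X}; startup-config "
            f"and its passwords were not loaded at boot"
        )
    if pending.value != DEFAULT_REGISTER:
        findings.append(
            f"{hostname}: next reload uses 0x{pending.value:04X} "
            f"(boot: {pending.boot_source}, ignore NVRAM: {pending.ignore_nvram}, "
            f"Break disabled: {pending.break_disabled}); expected 0x{DEFAULT_REGISTER:04X}"
        )
    return findings


# Constructed sample output, cut down to the lines the audit needs.
SAMPLE_DEFAULT = (
    "Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.\n"
    "Configuration register is 0x2102\n"
)
SAMPLE_LEFT_OPEN = "Configuration register is 0x2142\n"
SAMPLE_FIXED_PENDING = "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"

if __name__ == "__main__":
    samples = (("R1", SAMPLE_DEFAULT), ("R2", SAMPLE_LEFT_OPEN), ("R3", SAMPLE_FIXED_PENDING))
    for name, text in samples:
        for line in audit_show_version(name, text) or [f"{name}: OK"]:
            print(line)
```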

Packet Tracer

Packet Tracer is a small program developed by Cisco Systems. With Packet Tracer you can do all the practicals for
Cisco routers and switches. Besides Packet Tracer there are a lot of simulator programs available on the internet, but
most of them will cost you around $150. In this Example from our free CCNA study guide series we will show you how
to install Packet Tracer.
Packet Tracer offers a broad range of opportunities for instructors to demonstrate networking concepts. Although
Packet Tracer is not a substitute for real equipment, it allows students to practice using a model of the Cisco
Internetwork Operating System (IOS) command line interface and provides visual, drag-and-drop problem solving using
virtual networking devices. This hands-on capability is a fundamental component of learning how to configure
routers and switches from the command line. Students can see how to configure and connect networking hardware
while confirming systems design. Instructors can create their own self-evaluated activities that present immediate
feedback to students on their proficiency in completing assignments.
Download Packet Tracer from any of these locations:

http://uploading.com/files/ac18cbf4/c.pt_5.2.rar

Right-click the downloaded archive and select Extract Here.

Double-click the setup file to start the installation.

Cisco IOS Mode User Privilege Configurations


CLI Access Modes
Each Cisco device's CLI supports three access modes:

- User EXEC: provides basic access to the IOS with limited command availability (basically simple
  monitoring and troubleshooting commands)
- Privilege EXEC: provides high-level management access to the IOS, including all commands available
  at User EXEC mode
- Configuration: allows configuration changes to be made to the device
User EXEC Mode

Your initial access to the CLI is via the User EXEC mode, which has only a limited number of IOS commands you
can execute. Depending on the Cisco devices configuration, you might be prompted for a password to access this
mode.
This mode is typically used for basic troubleshooting of networking problems. You can tell that you are in User
EXEC mode by examining the prompt on the left side of the screen:
Router>

If you see a > character at the end of the information, you know that you are in User EXEC mode. The information
preceding the > is the name of the Cisco device.
For instance, the default name of all Cisco routers is Router, whereas the 2960 switch's User EXEC prompt looks
like this: Switch>. These device names can be changed with the hostname command.
Privilege EXEC Mode
Once you have gained access to User EXEC mode, you can use the enable command to access Privilege EXEC
mode:
Router> enable
Router#
Once you enter the enable command, if a Privilege EXEC password has been configured on the Cisco device, you
will be prompted for it. Upon successfully authenticating, you will be in Privilege EXEC mode. You can tell that
you are in this mode by examining the CLI prompt. In the preceding code example, notice that the > changed to a #.
When you are in Privilege EXEC mode, you have access to all of the User EXEC commands as well as many more
advanced management and troubleshooting commands. These commands include extended ping and trace abilities,
managing configuration files and IOS images, and detailed troubleshooting using debug commands. About the only
thing that you can't do from this mode is change the configuration of the Cisco device; this can be done only from
Configuration mode. If you wish to return to User EXEC mode from Privilege EXEC mode, use the exit command:
Router# exit
Router>
Again, by examining the prompt, you can tell that you are now in User EXEC mode.
Configuration Modes of Cisco IOS Software
From privileged EXEC mode, you can enter global configuration mode using the
configure terminal command.
From global configuration mode, you can access specific configuration modes, which include, but are not limited to,
the following:

- Interface: supports commands that configure operations on a per-interface basis
- Subinterface: supports commands that configure multiple virtual interfaces on a single physical interface
- Controller: supports commands that configure controllers (for example, E1 and T1 controllers)
- Line: supports commands that configure the operation of a terminal line (for example, the console or
  the vty ports)
- Router: supports commands that configure an IP routing protocol

If you enter the exit command, the router backs out one level, eventually logging out. In general, you enter the exit
command from one of the specific configuration modes to return to global configuration mode. Press Ctrl+Z or
enter end to leave configuration mode completely and return to the privileged EXEC mode.
Commands that affect the entire device are called global commands.
The hostname and enable password commands are examples of global commands.
Commands that point to or indicate a process or interface that will be configured are called major commands.
When entered, major commands cause the CLI to enter a specific configuration mode.
Major commands have no effect unless you immediately enter a subcommand that supplies the configuration entry.
For example, the major command interface serial 0 has no effect unless you follow it with a subcommand that tells
what is to be done to that interface.
Router Modes
Router>                 User mode
Router#                 Privileged mode (also known as EXEC-level mode)
Router(config)#         Global configuration mode
Router(config-if)#      Interface mode
Router(config-subif)#   Subinterface mode
Router(config-line)#    Line mode
Router(config-router)#  Router configuration mode

Administration of Cisco devices


Back Up and Restore IOS
You can use TFTP, FTP, or RCP to transfer an IOS image to or from a server. Only the TFTP server is covered in the
CCNA exam, so that is what we cover here. TFTP is the Trivial File Transfer Protocol. Unlike FTP, there are no means
of authenticating with a username or password or of navigating directories.

To back up your IOS, you will use the copy command from within privileged EXEC mode. The syntax of this
command is copy <from> <to>. Thus, if you want to copy an IOS image from your flash to a TFTP server, the syntax
would be copy flash tftp. After executing this command, you will be prompted with a number of questions asking for
such things as the IOS filename and the IP address of the TFTP server.
To restore or upgrade your IOS from a TFTP server to a router, the syntax would be copy tftp flash.
Remember the following troubleshooting steps if you are having difficulties using TFTP:

- Verify that the TFTP server is running.
- Verify cable configurations. You should use a crossover cable between a router and a server or, if you
  have a switch, use a straight-through cable from the router to the switch and from the switch to the server.
- Verify that your router is on the same subnet as your TFTP server.
- If you are using a Linux TFTP server, make sure that you first use the touch command to create a
  zero-byte file with the name of the IOS image; otherwise, the file will not copy to the TFTP server.

As a Cisco associate you should be able to back up and restore the network's critical resources. Cisco devices
use a TFTP server for this purpose. In real life you should keep a daily backup of the Cisco IOS and running
configuration. In the lab we can do the same practical on Packet Tracer.

Back up and Restore of Network Devices

Create this topology and load it in Packet Tracer.

As you can see in the diagram, we have a TFTP server connected to the router with a crossover cable. A PC is
connected to the router with a console cable. The IP address 10.0.0.2 on the server and 10.0.0.1 on the router's
FastEthernet port 0/0 are already configured.
Now your task is to back up the running configuration to the TFTP server, so that we can retrieve it in any
situation.
Double-click PC0, click the Desktop tab, select Terminal, and click OK in the terminal configuration (do not
change the default settings). This will emulate the router console on screen.

Now follow these steps:
R1>enable
R1#copy running-config tftp:
Address or name of remote host []? 10.0.0.2
Destination filename [R1-confg]?
.!!
[OK - 359 bytes]
359 bytes copied in 3.078 secs (0 bytes/sec)
R1#
Now we have taken the backup of the running configuration. To verify it, click on the Server, select the Config
tab, click on TFTP and scroll down. At the end of the window you can see the backup files.

As you can see in the image, we have successfully taken the backup. Now open the terminal on PC0 again, remove
the startup configuration, and reload the router.

R1>enable
R1#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
R1#reload
Proceed with reload? [confirm]
Now the router will restart. As we discussed in our previous Example on the booting process of Cisco devices, the
router loads its running configuration from NVRAM. Because we have deleted the contents of NVRAM (the startup
configuration), it will launch the default Setup dialog; type no and press Enter.
Now you will see the default router prompt. We have to do some basic settings before connecting to the TFTP
server.
Router>enable
Router#configure terminal
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Router#
We have done the essential configuration to connect to the TFTP server. Now restore the configuration back to
the router:
Router#copy tftp running-config
Address or name of remote host []? 10.0.0.2
Source filename []? R1-confg
Destination filename [running-config]?
Loading R1-confg from 10.0.0.2: !
[OK - 359 bytes]
359 bytes copied in 0.032 secs (11218 bytes/sec)
R1#
At this point the configuration is only in RAM, so you will lose it on reboot; copy it to NVRAM:
R1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#

How to update IOS

Being a CCNA certified associate you should also be capable of updating the IOS of Cisco devices. This process
carries a serious risk of leaving the device unusable, so do not do it on a live device until you are confident with
it on the simulator.
Create this topology and load it in Packet Tracer.

IP and other settings are already configured on the Server and Router. The new IOS is stored on the TFTP
server. Double-click PC0, click the Desktop tab, select Terminal, and accept the default terminal configuration;
this emulates the router console on screen.
The first step toward updating the IOS is to check the available space in flash:
R1>enable
R1#sh flash
System flash directory:
File  Length    Name/status
  1   33591768  c1841-advipservicesk9-mz.124-15.T1.bin
[33591768 bytes used, 30424616 available, 64016384 total]
63488K bytes of processor board System flash (Read/Write)
R1#
As you can see in the output, we have 30424616 bytes available. We can download the new IOS into flash from the
TFTP server. To load the new IOS:
R1#copy tftp flash
Address or name of remote host []? 10.0.0.2
Source filename []?c1841-ipbasek9-mz.124-12.bin
Destination filename [c1841-ipbasek9-mz.124-12.bin]?
.
Loading c1841-ipbasek9-mz.124-12.bin from 10.0.0.2: !!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 16599160 bytes]
16599160 bytes copied in 5.989 secs (620180 bytes/sec)
As you can see in the output, we have downloaded the new IOS; now we can remove the old IOS:
R1#delete flash:c1841-advipservicesk9-mz.124-15.T1.bin

Delete filename [c1841-advipservicesk9-mz.124-15.T1.bin]?


Delete flash:/c1841-advipservicesk9-mz.124-15.T1.bin? [confirm]
R1#show flash
System flash directory:
File  Length    Name/status
  2   16599160  c1841-ipbasek9-mz.124-12.bin
[16599160 bytes used, 47417224 available, 64016384 total]
63488K bytes of processor board System flash (Read/Write)
R1#
Now restart the router to take effect of new IOS
R1#reload
Proceed with reload? [confirm]
%SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Self decompressing the image :
################################################################# [OK]
Restricted Rights Legend
Cisco IOS Software, 1841 Software (C1841-IPBASEK9-M), Version 12.4(12),
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 15-May-06 14:54 by pt_team
Image text-base: 0x600790EC, data-base: 0x61480000
Cisco IOS Software, 1841 Software (C1841-IPBASEK9-M), Version 12.4(12),
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 15-May-06 14:54 by pt_team
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: no
Press RETURN to get started!
Router>
As you can see in the output, the router has booted from the new IOS. Since the previous configuration is gone as
well, load it again from the TFTP server and save it to NVRAM.

Switching

2960 switch overview functionality


2960 Overview
The 2960 series of switches comes with the LAN-based software image, which provides advanced quality of
service, rate limiting, access control lists (ACLs), and many other features.
Depending on the model, a 2960 switch may have Fast Ethernet ports or dual-purpose Gigabit Ethernet ports.
The dual-purpose Gigabit Ethernet (GE) port supports a 10/100/1000 port and an SFP (fiber) port, where one of the
two ports (not both) can be used. The 2960 series supports an optional external redundant power supply (RPS) that
can be attached to the rear of the chassis.

2960 LEDs and MODE Button


The front of the 2960 chassis has many LEDs that you can use to monitor the switch's activity and performance. At
the top-left of the 2960's front chassis are the SYSTEM and RPS LEDs. The colors of these LEDs and their
meanings are shown in the table below.

LED     Color           Description
SYSTEM  Green           The system is up and operational.
        Amber           The system experienced a malfunction.
        Off             The system is powered down.
RPS     Green           The RPS is attached and operational.
        Amber           The RPS is installed but is not operational. Check the RPS to ensure that it hasn't failed.
        Flashing amber  Both the internal power supply and the external RPS are installed, but the RPS is
                        providing power.
        Off             The RPS is not installed.

Switch Bootup Process

For your initial access to the switch, make sure you plug the rollover cable into the switch's console port and the
other end into the COM port of your computer. Start up a terminal emulation program such as HyperTerminal.
A switch has the same hardware components that a router has and follows the same booting process. To know more
about the Cisco device booting process, read our previous Example, "Cisco devices hardware component and booting
process".
System Configuration Dialog
If no configuration is found, the IOS will run the setup script, commonly called the System Configuration Dialog.
This script asks you questions to help it create a basic configuration on the switch. When posing questions, the setup
script uses brackets ([ and ]) to indicate default values. Leaving these answers blank (that is, not supplying an
answer) results in the script accepting the value indicated in brackets for the configuration component. In the script,
you can configure the switch's hostname, set up a Privilege EXEC password, assign a password for the virtual type
terminals (VTYs), and set up an IP address for a VLAN interface to manage the switch remotely.
Here's an example of this script:

Would you like to enter the initial configuration dialog? [yes/no]: yes
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basics of switching
Bridges and switches are layer 2 devices that segment (break up) collision domains. A collision domain basically
includes all the devices that share a media type at layer 1.

Difference between bridge and switch

Function              Bridges             Switches
Form of switching     Software            Hardware
Method of switching   Store and forward   Store and forward, cut-through, fragment-free
Ports                 2-20                100 plus
Duplex                Half                Half and full
Collision domains     1 per port          1 per port
Broadcast domains                         per VLAN
STP instances

Methods of Switching
Store and Forward
Store and Forward is the basic mode that bridges and switches use. It is the only mode that bridges can use, but
many switches can use one or more of the other modes as well, depending on the model. In Store-and-Forward
switching, the entire frame is buffered (copied into memory) and the Cyclic Redundancy Check (CRC), also known
as the FCS or Frame Check Sequence is run to ensure that the frame is valid and not corrupted.
Cut Through
Cut Through is the fastest switching mode. The switch analyzes the first six bytes after the preamble of the frame to
make its forwarding decision. Those six bytes are the destination MAC address, which, if you think about it, is the
minimum amount of information a switch has to look at to switch efficiently. After the forwarding decision has been
made, the switch can begin to send the frame out the appropriate port(s), even if the rest of the frame is still arriving
at the inbound port. The chief advantage of Cut-Through switching is speed; no time is spent running the CRC, and
the frame is forwarded as fast as possible
Fragment-Free
Fragment-Free switching will switch a frame after the switch sees at least 64 bytes, which prevents the switching of
runt frames; Fragment-Free switching is sometimes called "runtless" switching for this reason. This is the default
switching method for the 1900 series; the 2950 does not support cut-through. Because the switch only ever buffers
64 bytes of each frame, Fragment-Free is a faster mode than Store and Forward, but there still exists a risk of
forwarding bad frames, so the previously described mechanisms to change to Store and Forward if excessive bad
CRCs are received are often implemented as well.

Virtual LAN

A virtual LAN (VLAN) is a logical grouping of network devices in the same broadcast domain that can span
multiple physical segments.
Advantages of VLANs:
- Increase the number of broadcast domains while reducing their size.
- Provide additional security.
- Increase the flexibility of network equipment.
- Allow a logical grouping of users by function, not location.
- Make user adds, moves, and changes easier.

Subnets and VLANs


Logically speaking, VLANs are also subnets. A subnet, or a network, is a contained broadcast domain. A broadcast
that occurs in one subnet will not be forwarded, by default, to another subnet. Routers, or layer-3 devices, provide
this boundary function. Switches provide this function at layer 2 by VLAN.
Scalability
VLANs provide for location independence. This flexibility makes adds, changes, and moves of networking devices
a simple process. It also allows you to group people together, which also makes implementing your security policies
straightforward.
IP protocols support 500 devices per VLAN.
VLAN Membership
A device's membership in a VLAN can be determined by one of two methods: static or dynamic.
- Static: you have to assign it manually.
- Dynamic: configure a VTP server and it will automatically do the rest.
VLAN Connections
There are two types of connections: access links and trunks.
Access-Link Connections: an access-link connection is a connection between a switch and a device with a normal
Ethernet NIC, where the Ethernet frames are transmitted unaltered.
Trunk Connections: trunk connections are capable of carrying traffic for multiple VLANs. Cisco supports two
Ethernet trunking methods:

- Cisco's proprietary Inter-Switch Link (ISL) protocol for Ethernet
- IEEE's 802.1Q, commonly referred to as dot1q, for Ethernet
ISL is a Cisco-proprietary trunking method that adds a 26-byte header and a 4-byte trailer to the original Ethernet
frame. Cisco's 1900 switch supports only ISL.
802.1Q is a standardized trunking method that inserts a four-byte field into the original Ethernet frame and
recomputes the FCS. The 2950 supports only 802.1Q. 802.1Q trunks support two types of frames: tagged and
untagged.
- An untagged frame does not carry any VLAN identification information in it; basically, this is a standard,
  unaltered Ethernet frame.
- A tagged frame contains VLAN information, and only other 802.1Q-aware devices on the trunk will be able to
  process this frame.
By default, all VLANs are permitted across a trunk link. Switch-to-switch trunk links always require the use of a
crossover cable, never a straight-through cable.
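The 802.1Q tag insertion described here, together with the three switching methods from the Methods of Switching section, as an added Python example that is not from the guide: it builds an Ethernet frame with its FCS, inserts and strips a dot1q tag the way a trunk port does (recomputing the FCS each time), and shows which of cut-through, fragment-free and store-and-forward would forward a corrupted frame or a runt. The MAC addresses and payload are constructed.

```python
"""Ethernet FCS, 802.1Q tagging and the three switching methods, modelled in Python.

Added example for this study guide, not vendor code. The MAC addresses and
payload are constructed. Frame layout used:
  dst MAC (6) | src MAC (6) | [TPID 0x8100 (2) | TCI (2)] | EtherType (2) | payload | FCS (4)
"""
import struct
import zlib
from typing import Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
MIN_FRAME = 64  # bytes including FCS; anything shorter is a runt


def mac_bytes(dotted: str) -> bytes:
    """Cisco notation '0001.643a.5501' -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def fcs(data: bytes) -> bytes:
    """Ethernet FCS is CRC-32 over everything before it, sent least significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame, padded to the 64-byte minimum, with FCS appended."""
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    if len(body) + 4 < MIN_FRAME:
        body += b"\x00" * (MIN_FRAME - 4 - len(body))
    return body + fcs(body)


def fcs_ok(frame: bytes) -> bool:
    """The store-and-forward check: recompute the FCS over the received frame."""
    return len(frame) > 4 and fcs(frame[:-4]) == frame[-4:]


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Trunk-port egress: insert the 4-byte tag after the source MAC and recompute the FCS."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | vid
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-4]
    return body + fcs(body)


def vlan_of(frame: bytes) -> Optional[int]:
    """VLAN ID of a tagged frame, or None for an untagged (plain) Ethernet frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def untag_frame(frame: bytes) -> bytes:
    """Access-port egress: strip the tag; the FCS has to be recomputed again."""
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)


def forwarding_decision(received: bytes, mode: str) -> str:
    """Whether a switch in the given mode forwards 'received' (the bytes seen so far).

    cut-through: decides after the 6-byte destination MAC, never checks the FCS.
    fragment-free: waits for 64 bytes so runts are dropped, still no FCS check.
    store-and-forward: buffers the whole frame and drops it on a bad FCS.
    """
    if mode == "cut-through":
        return "forward" if len(received) >= 6 else "drop"
    if mode == "fragment-free":
        return "forward" if len(received) >= MIN_FRAME else "drop"
    if mode == "store-and-forward":
        return "forward" if len(received) >= MIN_FRAME and fcs_ok(received) else "drop"
    raise ValueError(mode)


if __name__ == "__main__":
    frame = build_frame("0001.643a.5501", "0060.2f9d.9101", ETHERTYPE_IPV4, b"\x45" * 20)
    tagged = tag_frame(frame, 10)
    # Flip one payload byte: the FCS no longer matches, but the frame is full length.
    corrupted = tagged[:20] + bytes([tagged[20] ^ 0xFF]) + tagged[21:]
    for mode in ("cut-through", "fragment-free", "store-and-forward"):
        print(f"{mode:18} corrupted -> {forwarding_decision(corrupted, mode)}, "
              f"runt -> {forwarding_decision(frame[:40], mode)}")
```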

Configuration of Cisco 2960 Switch


To practically implement these commands, create a simple topology in Packet Tracer.

Example topology for basic switch commands

Now click on any switch and configure it as given below.

To see all available commands in user EXEC mode, type ? and press Enter:
Switch>?
Exec commands:
  [1-99]      Session number to resume
  connect     Open a terminal connection
  disconnect  Disconnect an existing network connection
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  logout      Exit from the EXEC
  ping        Send echo messages
[Output is omitted]
Three commands can be used to log out from the terminal; use any one:
Switch>enable
Switch#disable
Switch>exit
Switch con0 is now available
Press RETURN to get started.
The show version command will tell you about the device platform, the detected interfaces and the IOS name:
Switch>enable
Switch#show version
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version
12.2(25)FX, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 12-Oct-05 22:05 by pt_team
ROM: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX,
RELEASE SOFTWARE (fc4)
System returned to ROM by power-on
Cisco WS-C2960-24TT (RC32300) processor (revision C0) with
21039K bytes of memory.
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

[Output is omitted]
The show mac-address-table command will show all MAC addresses learned dynamically and entered manually:
Switch#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.643a.5501    DYNAMIC     Gig1/1
The running configuration in RAM can be viewed at any time with the show running-config command:
Switch#show running-config
Building configuration...
Current configuration : 925 bytes
version 12.2
no service password-encryption
!
hostname Switch
[Output is omitted]
To view startup configuration [ Stored in NVRAM] use show start command
Switch#show startup-config
Current configuration : 925 bytes
version 12.2
no service password-encryption
!
hostname Switch
[Output is omitted]
show vlan command will give the detail overview of all vlan configured on switch
Switch#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
[Output is omitted]
show interface command will show all detected interface with their hardware
description and configuration
Switch#show interfaces
FastEthernet0/1 is up, line protocol is up (connected)
Hardware is Lance, address is 0060.2f9d.9101 (bia 0060.2f9d.9101)
MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set


[Output is omitted]
Interface vlan 1 is used to assign the IP address and default gateway to the switch. show interface vlan 1 gives
an overview of VLAN 1:
Switch#show interface vlan1
Vlan1 is administratively down, line protocol is down
Hardware is CPU Interface, address is 0060.5c23.82ae
(bia 0060.5c23.82ae)
MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
[Output is omitted]
The delete command is used to delete all VLAN configuration from the switch. Do not add a space between flash:
and vlan.dat; run this exactly as shown here, because adding a space could erase the flash entirely, leaving the
switch blank:
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
%deleting flash:/vlan.dat
Startup configuration can be removed by erase commands
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files!
Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Use the configure terminal command to enter global configuration mode:
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Now change the default switch name to Switch1:
Switch(config)#hostname Switch1
Set enable password to vinita and secret to nikki
Switch1(config)#enable password vinita
Switch1(config)#enable secret nikki
Set the console password to vinita and enable it with the login command. The order of the commands is important:
set the password before you enable it.
Switch1(config)#line console 0
Switch1(config-line)#password vinita
Switch1(config-line)#login
Switch1(config-line)#exit
Enable 5 Telnet sessions [vty 0 - vty 4] and set their password to vinita:
Switch1(config)#line vty 0 4

Switch1(config-line)#password vinita
Switch1(config-line)#login
Switch1(config-line)#exit
Now set switch ip address to 192.168.0.10 255.255.255.0 and default gateway to
192.168.0.5
Switch1(config)#interface vlan1
Switch1(config-if)#ip address 192.168.0.10 255.255.255.0
Switch1(config-if)#exit
Switch1(config)#ip default-gateway 192.168.0.5
Set the description "finance VLAN" on interface FastEthernet 0/1:
Switch1(config)#interface fastEthernet 0/1
Switch1(config-if)#description finance VLAN
By default the switch automatically negotiates speed and duplex, but you can adjust them manually:
Switch1(config-if)#duplex full
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Switch1(config-if)#duplex auto
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
Switch1(config-if)#duplex half
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to down
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
Switch1(config-if)#duplex auto
Switch1(config-if)#speed 10
Switch1(config-if)#speed 100
Switch1(config-if)#speed auto
Switch1(config-if)#exit
Switch1(config)#exit
The MAC address table can be wiped with the clear command:
Switch1#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.643a.5501    DYNAMIC     Gig1/1
Switch1#clear mac-address-table
Switch1#clear mac-address-table ?
  dynamic  dynamic entry type
Switch1#clear mac-address-table dynamic
To restart switch use reload command [ running configuration will be erased so
copy it first to startup configuration ]
Switch1#reload
Proceed with reload? [confirm]

Switch con0 is now available


Press RETURN to get started.

Switch port security

In this Example I will show you how you can:
- configure the IP address and subnet mask
- set the IP default gateway
- enable Telnet sessions to the switch
- enable EtherChannel
- enable port security

To perform this activity, create this lab topology and load it in Packet Tracer.
Switch Port Security

Configure IP address subnet mask and default gateway

An IP address and default gateway are needed to configure the switch remotely via Telnet or SSH. Without this
essential configuration you have to connect to the switch via the console cable each time, which is tedious
because you have to be physically next to the switch.
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#interface vlan 1
S1(config-if)#ip address 10.0.0.10 255.0.0.0
S1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
S1(config-if)#exit
S1(config)#ip default-gateway 10.0.0.1
Enable Telnet and password protect the line
You can secure a switch by using passwords to restrict various levels of access. Using passwords and assigning
privilege levels are simple ways of providing both local and remote terminal access control in a network. Passwords
can be established on individual lines, such as the console, and on the privileged EXEC (enable) mode. Passwords
are case sensitive. By default there are five VTY lines on the switch, allowing five simultaneous Telnet sessions,
noting that other Cisco devices might have more than five logical VTY lines. The five VTY lines are numbered
from 0 through 4 and are referred to all at once as line vty 0 4.
S1(config)#line console 0
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#line vty 0 4
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#
Enable Switch port security
This feature set allows you (among several other options) to disable a port if more than one MAC address is detected
as being connected to the port. This feature is commonly applied to ports that connect security-sensitive devices
such as servers. You can use the port security feature to restrict input to an interface by limiting and identifying the
MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port,
the port does not forward packets with source addresses outside the group of defined addresses.
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport mode access
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 1
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#switchport port-security violation shutdown

S2(config-if)#exit
S2(config)#
You can verify port security as follows.

Click on the red X button on the right-hand portion of the PT window. This
allows you to delete a connection in the topology. Place the X over the
connection between Server and S2 and click. The connection should
disappear.

Select the lightning bolt button on the bottom left-hand corner of the PT
window to pull up the connection types. Click the copper straight-through
connection. Click the TestPC device and select the FastEthernet port. Next,
click on S2 and select port Fa0/1.

From the command prompt of TestPC type the command ping 10.0.0.4. The
ping should fail.

On S3, enter the command show port-security interface fa0/1.

Port security is enabled, the port status is secure-shutdown, and the security violation count
is 1.
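The verification steps above can be reasoned about off-line with a small model of the port-security state machine. This is an added example in Python, not part of the original lab (which is IOS CLI only); it mirrors the S2 Fa0/1 settings (maximum 1, sticky learning, violation shutdown) and also shows how the restrict and protect modes differ. The MAC addresses are constructed for the demonstration.

```python
"""Port-security behaviour on an access port, modelled in Python.

Added example (not from the original lab). It mirrors the S2 Fa0/1 settings
above: maximum 1, sticky learning, violation mode shutdown. MAC addresses
used below are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"   # IOS modes: shutdown | restrict | protect
    sticky: bool = True
    secure_macs: list = field(default_factory=list)
    violation_count: int = 0
    status: str = "Secure-up"

    def ingress(self, src_mac: str) -> bool:
        """Handle one ingress frame; return True if the switch forwards it."""
        mac = src_mac.lower()
        if self.status == "Secure-shutdown":
            return False                       # err-disabled: nothing passes until recovered
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)       # learned as a secure MAC (sticky keeps it in config)
            return True
        # Unknown source MAC and the limit is already reached: a violation.
        if self.violation == "shutdown":
            self.violation_count += 1
            self.status = "Secure-shutdown"    # port goes err-disabled
        elif self.violation == "restrict":
            self.violation_count += 1          # frame dropped, counter incremented, syslog/SNMP trap
        # protect: frame dropped silently, no counter increment
        return False

    def running_config(self) -> list:
        """Interface stanza as it would appear after sticky learning."""
        lines = [
            f"interface {self.name}",
            " switchport mode access",
            " switchport port-security",
            f" switchport port-security maximum {self.maximum}",
            f" switchport port-security violation {self.violation}",
        ]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}" for m in self.secure_macs]
        return lines

    def show_port_security(self) -> dict:
        """The fields an admin checks with 'show port-security interface'."""
        return {
            "Port Security": "Enabled",
            "Port Status": self.status,
            "Violation Mode": self.violation,
            "Maximum MAC Addresses": self.maximum,
            "Total MAC Addresses": len(self.secure_macs),
            "Security Violation Count": self.violation_count,
        }


def lab_scenario(violation: str = "shutdown") -> dict:
    """Replay the verification steps: Server learned first, then TestPC on the same port."""
    port = SecurePort("FastEthernet0/1", violation=violation)
    server_forwarded = port.ingress("0001.643A.5501")   # constructed: Server's MAC
    testpc_forwarded = port.ingress("00D0.FF08.82E1")   # constructed: TestPC's MAC
    server_again = port.ingress("0001.643A.5501")       # the legitimate host after the violation
    return {
        "server": server_forwarded,
        "testpc": testpc_forwarded,
        "server_after_violation": server_again,
        "status": port.status,
        "violations": port.violation_count,
        "config": port.running_config(),
    }


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        r = lab_scenario(mode)
        print(mode, r["status"], "violations:", r["violations"],
              "server forwarded after violation:", r["server_after_violation"])
```

Note the trade-off the model makes visible: in shutdown mode the legitimate server is cut off together with the intruder until the port is recovered (shutdown / no shutdown, or errdisable recovery), whereas restrict keeps the server working and still counts and logs the violation.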

Configure Vlan vtp server stp dtp

In our previous example you learnt about the features of switching. To read those examples you can follow the
links.
In this tutorial I will demonstrate how to:

Configure access or trunk links

Create VLANs

Assign VLAN membership

Configure inter-VLAN routing

Configure a VTP server

Make VTP clients

Show STP status

Configure a DTP port
To complete this lab, either create the topology shown in the figure or create this file and load it in Packet Tracer.
Advanced switch configuration

PC configurations
Device   IP Address   VLAN     Connected With
PC0      10.0.0.2     VLAN10   Switch1 on F0/1
PC1      20.0.0.2     VLAN20   Switch1 on F0/2
PC2      10.0.0.3     VLAN10   Switch2 on F0/1
PC3      20.0.0.3     VLAN20   Switch2 on F0/2
PC4      10.0.0.4     VLAN10   Switch3 on F0/1
PC5      20.0.0.4     VLAN20   Switch3 on F0/2

2960 24 TTL Switch 1 Configuration

Port Connected to      VLAN         LINK     STATUS
F0/1 With PC0          VLAN10       Access   OK
F0/2 With PC1          VLAN20       Access   OK
Gig1/1 With Router     VLAN 10,20   Trunk    OK
Gig 1/2 With Switch2   VLAN 10,20   Trunk    OK
F0/24 With Switch2     VLAN 10,20   Trunk    OK

2960 24 TTL Switch 2 Configuration

Port Connected to      VLAN         LINK     STATUS
F0/1 With PC0          VLAN10       Access   OK
F0/2 With PC1          VLAN20       Access   OK
Gig 1/2 With Switch1   VLAN 10,20   Trunk    OK
Gig 1/1 With Switch3   VLAN 10,20   Trunk    OK
F0/24 With Switch1     VLAN 10,20   Trunk    Blocked
F0/23 With Switch3     VLAN 10,20   Trunk    OK

2960 24 TTL Switch 3 Configuration

Port Connected to      VLAN         LINK     STATUS
F0/1 With PC0          VLAN10       Access   OK
F0/2 With PC1          VLAN20       Access   OK
Gig 1/1 With Switch2   VLAN 10,20   Trunk    OK
F0/24 With Switch1     VLAN 10,20   Trunk    Blocked

Task
You are the administrator at XYZ company, which has two departments, sales and management.
You have been given three PCs for sales and three PCs for management. You created two VLANs: VLAN
10 for sales and VLAN 20 for management. For backup purposes you have interconnected the
switches with one extra connection. You have one router for inter-VLAN communication.
Let's start the configuration by first assigning IP addresses to all PCs.
To assign an IP address, double click on the PC, select IP Configuration from the Desktop tab and enter the IP address as shown
in the table given above.
VLAN Trunking Protocol
Configure VTP Server

We will first create a VTP server so it can automatically propagate VLAN information to the other switches. Double click
on Switch1 and select CLI. Set the hostname to S1, create the VTP domain name example and set the password to vinita
(remember the password is case sensitive).
Switch 1
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#vtp mode server
Device mode already VTP SERVER.
S1(config)#vtp domain example
Changing VTP domain name from NULL to example
S1(config)#vtp password vinita
Setting device VLAN database password to vinita
Configure VTP clients
Once you have created the VTP domain, configure the remaining switches in client mode.
Switch 2
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#vtp mode client
Setting device to VTP CLIENT mode.
S2(config)#vtp domain example
Changing VTP domain name from NULL to example
S2(config)#vtp password vinita
Setting device VLAN database password to vinita
S2(config)#
Switch 3
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S3
S3(config)#vtp mode client
Setting device to VTP CLIENT mode.
S3(config)#vtp domain example
Changing VTP domain name from NULL to example
S3(config)#vtp password vinita
Setting device VLAN database password to vinita
S3(config)#
Dynamic Trunking Protocol
Configure DTP port
All switch ports are in access mode by default. An access port cannot carry trunk (tagged) frames. Change the mode to
trunk on all the ports that are used to interconnect the switches.
Switch 1

S1(config)#interface fastEthernet 0/24
S1(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
S1(config-if)#exit
S1(config)#interface gigabitEthernet 1/1
S1(config-if)#switchport mode trunk
S1(config-if)#exit
S1(config)#interface gigabitEthernet 1/2
S1(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to up
S1(config-if)#exit
S1(config)#
Switch 2
S2(config)#interface gigabitEthernet 1/1
S2(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to up
S2(config-if)#exit
S2(config)#interface gigabitEthernet 1/2
S2(config-if)#switchport mode trunk
S2(config-if)#exit
S2(config)#interface fastEthernet 0/23
S2(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to up
S2(config-if)#exit
S2(config)#interface fastEthernet 0/24
S2(config-if)#switchport mode trunk
S2(config-if)#exit
Switch 3
S3(config)#interface fastEthernet 0/24
S3(config-if)#switchport mode trunk
S3(config-if)#exit
S3(config)#interface gigabitEthernet 1/1
S3(config-if)#switchport mode trunk
S3(config-if)#exit
Virtual LAN (VLAN)
Create VLAN
After the VTP server configuration it is time to organize the VLANs. We only need to create the VLANs on the VTP server;
the rest is done by VTP automatically.
Switch 1
S1(config)#vlan 10
S1(config-vlan)#exit
S1(config)#vlan 20
S1(config-vlan)#exit
S1(config)#
As we have already configured a VTP server in our network, we don't need to create the VLANs on S2 or S3. We only
need to associate each VLAN with a port.
Assign VLAN membership
Switch 1
S1(config)#interface fastEthernet 0/1
S1(config-if)#switchport access vlan 10
S1(config-if)#interface fastEthernet 0/2
S1(config-if)#switchport access vlan 20
Switch 2
S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport access vlan 10
S2(config-if)#interface fastEthernet 0/2
S2(config-if)#switchport access vlan 20
Switch 3
S3(config)#interface fastEthernet 0/1
S3(config-if)#switchport access vlan 10
S3(config-if)#interface fastEthernet 0/2
S3(config-if)#switchport access vlan 20
Now we have two working VLANs. To test connectivity, ping from 10.0.0.2 to 10.0.0.3 and 10.0.0.4. If you get
successful replies then you have successfully created the VLANs and the VTP server.
Spanning-Tree Protocol
In this configuration STP will block the ports F0/24 of S1, F0/23 and F0/24 of S2 and F0/24 of S3 to avoid a loop
at layer two. Verify which ports are blocked by STP.
Verify STP ports
Switch 2
S2#show spanning-tree active
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0002.174D.7794
             Cost        4
             Port        26(GigabitEthernet1/2)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.FF08.82E1
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/23           Desg FWD 19        128.23   P2p
Fa0/24           Altn BLK 19        128.24   P2p
Gi1/1            Desg FWD 4         128.25   P2p
Gi1/2            Root FWD 4         128.26   P2p
[Output is omitted]
S2#
You can check the STP status on S1 and S3 as well with the
show spanning-tree active command.
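The output above can be reproduced by hand from the STP rules: the bridge with the lowest bridge ID (priority, then MAC) is root, each other switch picks the port with the lowest root path cost as its root port, and on every segment the switch with the lower root path cost is designated, so the other end goes to Alternate/blocking. The following Python is an added example, not part of the course; S1's and S2's bridge IDs come from the output above, while S3's MAC and the wiring of the S2 Fa0/23 backup link are constructed assumptions.

```python
"""Root election and port roles for the three-switch lab, computed as 802.1D does.

Added example, not part of the original course. S1's and S2's MACs are taken
from the show spanning-tree output; S3's MAC and the S2 Fa0/23 - S3 Fa0/24
link are constructed assumptions.
"""
import heapq

# Bridge ID = (priority incl. sys-id-ext, MAC). Lower wins.
BRIDGES = {
    "S1": (32769, "0002.174D.7794"),   # root in the output above
    "S2": (32769, "00D0.FF08.82E1"),
    "S3": (32769, "00E0.B0C1.0003"),   # constructed
}

# (switch_a, port_a, switch_b, port_b, path cost): 4 = GigE, 19 = FastE (802.1D defaults)
LINKS = [
    ("S1", "Gi1/2", "S2", "Gi1/2", 4),
    ("S1", "Fa0/24", "S2", "Fa0/24", 19),
    ("S2", "Gi1/1", "S3", "Gi1/1", 4),
    ("S2", "Fa0/23", "S3", "Fa0/24", 19),  # assumed wiring of the backup link
]


def bridge_key(bridge_id):
    """Comparable form of a bridge ID: priority first, then MAC as an integer."""
    priority, mac = bridge_id
    return (priority, int(mac.replace(".", ""), 16))


def elect_root(bridges):
    return min(bridges, key=lambda s: bridge_key(bridges[s]))


def adjacency(links):
    adj = {}
    for a, pa, b, pb, cost in links:
        adj.setdefault(a, []).append((pa, b, pb, cost))
        adj.setdefault(b, []).append((pb, a, pa, cost))
    return adj


def root_path_costs(root, adj):
    """Dijkstra from the root; root path cost is the sum of link costs toward the root."""
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        c, s = heapq.heappop(heap)
        if c > cost.get(s, float("inf")):
            continue
        for _port, nbr, _nport, lc in adj[s]:
            if c + lc < cost.get(nbr, float("inf")):
                cost[nbr] = c + lc
                heapq.heappush(heap, (c + lc, nbr))
    return cost


def port_roles(bridges, links):
    """Return (root, root_path_cost, {(switch, port): 'Root FWD'|'Desg FWD'|'Altn BLK'})."""
    root = elect_root(bridges)
    adj = adjacency(links)
    cost = root_path_costs(root, adj)
    root_port = {}
    for s in bridges:
        if s == root:
            continue
        # tie-break order: root path cost, sender bridge ID, sender port ID
        best = min((cost[n] + lc, bridge_key(bridges[n]), np, p) for p, n, np, lc in adj[s])
        root_port[s] = best[3]
    roles = {}
    for a, pa, b, pb, _ in links:
        designated = min((a, b), key=lambda s: (cost[s], bridge_key(bridges[s])))
        for s, p in ((a, pa), (b, pb)):
            if root_port.get(s) == p:
                roles[(s, p)] = "Root FWD"
            elif s == designated:
                roles[(s, p)] = "Desg FWD"
            else:
                roles[(s, p)] = "Altn BLK"
    return root, cost, roles


if __name__ == "__main__":
    root, cost, roles = port_roles(BRIDGES, LINKS)
    print("Root bridge:", root)
    for (s, p), role in sorted(roles.items()):
        print(f"{s} {p:<7} {role}  (root path cost {cost[s]})")
```

With all three switches at the default priority 32769, S1 wins only because its MAC address is numerically lowest; a practitioner who wants a deterministic root sets a lower priority on the intended core switch (spanning-tree vlan 1 priority) rather than relying on MAC ordering.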

Router on Stick
At this point of the configuration you have two working VLANs, but they cannot reach each other. To
enable inter-VLAN communication we need to configure the router. To do this double click on the router and select CLI.
Configure inter-VLAN routing
Router
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastEthernet 0/0.10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 10.0.0.1 255.0.0.0
Router(config-subif)#exit
Router(config)#interface fastEthernet 0/0.20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 20.0.0.1 255.0.0.0
Router(config-subif)#exit
To test connectivity between the VLANs, ping from any PC to all remaining PCs; the pings should succeed. If
you get errors, create this configured topology and cross-check where you made a mistake.
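What encapsulation dot1Q 10 and dot1Q 20 mean on the wire is easiest to see by building the frames. The following Python is an added example, not part of the lab: it constructs 802.1Q-tagged frames the way the trunk toward the router carries them, reads the VLAN ID out of the tag, and performs the router-on-a-stick step (choose the subinterface whose subnet holds the destination, decrement the TTL, send the packet back out with the egress VLAN's tag). The MAC addresses and the ARP cache are constructed; the subnets match the Fa0/0.10 and Fa0/0.20 configuration above.

```python
"""What 'encapsulation dot1Q' does on the wire: tag, parse and re-tag frames.

Added example, not from the original lab. MAC addresses and the ARP cache are
constructed; subnets match the Fa0/0.10 and Fa0/0.20 configuration.
"""
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

ROUTER_MAC = "00:00:0c:00:00:01"                 # constructed
SUBINTERFACES = {                                # dot1Q VID -> subnet, from the router config
    10: ipaddress.ip_network("10.0.0.0/8"),
    20: ipaddress.ip_network("20.0.0.0/8"),
}
ARP_CACHE = {                                    # constructed: what the router would learn via ARP
    "10.0.0.2": "00:01:64:3a:55:01",
    "20.0.0.2": "00:d0:ff:08:82:e1",
}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def ipv4_packet(src: str, dst: str, ttl: int = 64, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    total = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, 1, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def tagged_frame(dst_mac: str, src_mac: str, vlan_id: int, packet: bytes, pcp: int = 0) -> bytes:
    """Ethernet II frame with an 802.1Q tag: TPID 0x8100 then TCI = PCP|DEI|VID."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + packet)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, VLAN ID (None if untagged), ethertype and payload."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "ethertype": inner, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None, "ethertype": ethertype, "payload": frame[14:]}


def route_on_a_stick(frame: bytes):
    """Return (egress_vlan, frame) for a routed packet, or None if the router drops it."""
    f = parse_frame(frame)
    if f["vlan"] not in SUBINTERFACES or f["ethertype"] != ETHERTYPE_IPV4:
        return None                               # no subinterface for that tag: dropped
    if f["dst"] != mac_bytes(ROUTER_MAC):
        return None                               # not addressed to the default gateway
    packet = bytearray(f["payload"])
    if packet[8] <= 1:
        return None                               # TTL expired
    packet[8] -= 1                                # routers decrement TTL on every hop
    dst_ip = ipaddress.ip_address(bytes(packet[16:20]))
    for vid, net in SUBINTERFACES.items():
        if dst_ip in net:
            next_hop_mac = ARP_CACHE.get(str(dst_ip))
            if next_hop_mac is None:
                return None                       # would ARP first; out of scope here
            return vid, tagged_frame(next_hop_mac, ROUTER_MAC, vid, bytes(packet))
    return None                                   # no route


def pc0_to_pc1() -> dict:
    """PC0 (10.0.0.2, VLAN10) sends to PC1 (20.0.0.2, VLAN20) via the router."""
    ingress = tagged_frame(ROUTER_MAC, ARP_CACHE["10.0.0.2"], 10,
                           ipv4_packet("10.0.0.2", "20.0.0.2", ttl=64, payload=b"ping"))
    result = route_on_a_stick(ingress)
    if result is None:
        return {"dropped": True}
    vid, out = result
    parsed = parse_frame(out)
    return {"dropped": False, "egress_vlan": vid, "vlan_in_tag": parsed["vlan"],
            "dst_mac": parsed["dst"].hex(":"), "ttl": parsed["payload"][8]}


if __name__ == "__main__":
    print(pc0_to_pc1())
```

The frame from PC0 arrives with VID 10 and leaves with VID 20, addressed to PC1's MAC with the router's MAC as source; a frame tagged with a VID that has no subinterface is simply dropped, which is why a missing encapsulation dot1Q line on the router shows up as one VLAN being unreachable.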

Routing Static Dynamics (RIP OSPF EIGRP)

Basic router configuration: logging in to the router

In our last example I showed you how to connect to a Cisco router. In this example I will show how to
configure the router. For demonstration purposes I used the Packet Tracer software. If you haven't installed Packet Tracer, read
our previous example to download and install it; the link is given at the top left. Create a simple
topology by dragging devices onto the workspace as shown in the figure.
Click inside the router, select CLI and press Enter to get started. Setup mode
starts automatically if there is no startup configuration present. The answer inside
the square brackets [ ] is the default answer. If this is the answer you want, just
press Enter. Pressing CTRL+C at any time will end the setup process, shut down
all interfaces, and take you to user mode (Router>).
You cannot use setup mode to configure an entire router. It does only the basics. For example, you can only turn on
either RIPv1 or Interior Gateway Routing Protocol (IGRP), but not Open Shortest Path First Protocol (OSPF) or
Enhanced Interior Gateway Routing Protocol (EIGRP). You cannot create access control lists (ACL) here or enable
Network Address Translation (NAT). You can assign an IP address to an interface, but not to a subinterface. All in
all, setup mode is very limiting.

--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]:
Type no and press Enter to get the router prompt.
You are now connected to Router and are in user mode prompt. The prompt is broken down into two parts, the
hostname and the mode. Router is the Router0's hostname and > means you are in user mode.
Press RETURN to get started
Router>
User mode is indicated by the '>' next to the router name. In this mode you can look at settings but cannot make
changes.
In privileged mode (indicated by the '#') you can do anything. To get into privileged mode the keyword is enable.
Next type the command enable to get to the privileged mode prompt.
Router > enable
Router#
To get back to the user mode, simply type disable. From the user mode type logout or exit to leave the router.
Router#disable
Router>
Router>exit
Router con0 is now available
Press RETURN to get started
Press Enter to get back to the router prompt.
Router>
You are now in user mode. Type ? to view all the available commands at this prompt.

Router>?
From privileged mode you can enter configuration mode by typing configure terminal. To exit configuration
mode type exit or <CTL>+z.
Router>enable
Router#config terminal
Router(config)#exit
Router#
To view all commands available from the current mode, type ? and press Enter. This will give you the list of all available
commands for the router in your current mode. You can also use the question mark after you have started typing a
command. For example, if you want to use a show command but do not remember which one, 'show ?'
will output all the keywords that can follow show.
Router#show ?
access-expression List access expression
access-lists List access lists
backup Backup status
cdp CDP information
clock Display the system clock
cls DLC user information
compress Show compression statistics
configuration Contents of Non-Volatile memory
--More--
Basic Global Configuration Mode Commands
Configuring a Router Name
This command works on both routers and switches.
Router(config)#hostname Lucknow
Lucknow(config)#
You can choose any descriptive name for your Cisco devices.
Configuring Passwords
These commands work on both routers and switches.
Router(config)#enable password test
   Sets the enable password to test
Router(config)#enable secret vinita
   Sets the enable secret password to vinita
Router(config)#line console 0
   Enters console line mode
Router(config-line)#password console
   Sets the console line mode password to console
Router(config-line)#login
   Enables password checking at login
Router(config)#line vty 0 4
   Enters vty line mode for all five vty lines
Router(config-line)#password telnet
   Sets the vty password to telnet
Router(config-line)#login
   Enables password checking at login
Router(config)#line aux 0
   Enters auxiliary line mode
Router(config-line)#password aux
   Sets the auxiliary line mode password to aux
Router(config-line)#login
   Enables password checking at login

CAUTION: The enable secret password is encrypted by default. The enable password is not. For this reason,
recommended practice is that you never use the enable password command. Use only the enable secret password
command in a router or switch configuration.
You cannot set both enable secret password and enable password to the same password. Doing so defeats the use of
encryption.
Configuring a Fast Ethernet Interface
Router(config)#interface fastethernet 0/0
   Moves to Fast Ethernet 0/0 interface configuration mode
Router(config-if)#description Student Lab LAN
   Optional description of the link; locally significant only
Router(config-if)#ip address 192.168.20.1 255.255.255.0
   Assigns an address and subnet mask to the interface
Router(config-if)#no shutdown
   Turns the interface on
Creating a Message of the Day Banner

Router(config)#banner motd # Next scheduled meeting with manager is postponed #
Router(config)#
The MOTD banner is displayed on all terminals and is useful for sending messages that affect all users. Use the no
banner motd command to disable the MOTD banner. The MOTD banner displays before the login prompt and the
login banner, if one has been created.
Creating a Login Banner
Router(config)#banner login # Unauthorized access is prohibited !
Please enter your username and password. #
Router(config)#
The login banner displays before the username and password login prompts. Use the no banner login command to
disable the login banner. The MOTD banner displays before the login banner.
# is known as a delimiting character. The delimiting character must surround the
banner and login message and can be any character, so long as it is not a
character used within the body of the message.
Assigning a Local Host Name to an IP Address
Router(config)#ip host Lucknow 172.16.1.1
Assigns a host name to the IP address. After this assignment, you can use the host name rather than the IP address
when trying to Telnet or ping to that address.
The no ip domain-lookup Command
Router(config)#no ip domain-lookup
Router(config)#
Turns off attempts to resolve an unrecognized command as a host name.
Ever typed a command incorrectly and been left waiting a minute or two while the router tries to resolve
your command through a domain server at 255.255.255.255? By default the router tries to resolve any word that is
not a command through a Domain Name System (DNS) server at address 255.255.255.255. If you are not going to set up
DNS, turn off this feature to save time as you type, especially if you are a poor typist.

The exec-timeout Command

Router(config)#line console 0
Router(config-line)#exec-timeout 0 0
Router(config-line)#
Sets the idle time after which the console session is automatically logged off. Set to 0 0 (minutes seconds), the console never
logs off.
The command exec-timeout 0 0 is convenient in a lab environment because the console never logs out, but it is bad
security and dangerous in the real world. The default for the exec-timeout command is 10 minutes and
zero (0) seconds (exec-timeout 10 0).
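The password caution above and the exec-timeout note are the kind of thing a reviewer checks in a saved configuration rather than remembering to look at each line by hand. The following Python is an added example, not part of the course: it reads an IOS running-config and reports a plaintext enable password, no service password-encryption, a line with no login (no password check at all), exec-timeout 0 0, vty lines that still accept Telnet, and SSH protocol version 1. The sample configuration is constructed from the R1 example in this section; the enable secret hash is a placeholder.

```python
"""Audit a saved IOS configuration for the weak settings discussed in this section.

Added example, not part of the original course. The sample configuration is
constructed from the R1 example; the enable secret hash is a placeholder.
"""

SAMPLE_CONFIG = """\
!
version 12.4
no service password-encryption
!
hostname R1
!
enable secret 5 $1$PLACEHOLDER$notarealhash000000000
enable password test
!
ip ssh version 1
!
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
!
line con 0
 exec-timeout 0 0
 password consloe
 login
line aux 0
line vty 0 4
 password telnet
 login
!
end
"""


def parse_sections(config: str):
    """Return (global_commands, {section_header: [sub-commands]}) from IOS text."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            global_cmds.append(current)
    return global_cmds, sections


def audit(config: str):
    """Return a list of (location, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    global_cmds, sections = parse_sections(config)

    if "no service password-encryption" in global_cmds:
        findings.append(("global", "line passwords are stored in clear text (no service password-encryption)"))
    if any(c.startswith("enable password ") for c in global_cmds):
        findings.append(("global", "enable password is set; it is clear text or reversible type 7, keep only enable secret"))
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append(("global", "no enable secret configured"))
    if "ip ssh version 1" in global_cmds:
        findings.append(("global", "SSH version 1 enabled; use 'ip ssh version 2'"))

    for header, cmds in sections.items():
        if not header.startswith("line "):
            continue
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        uses_local = any(c == "login local" or c.startswith("login authentication") for c in cmds)
        has_password = any(c.startswith("password ") for c in cmds)
        if not has_login:
            findings.append((header, "no 'login': no password check on this line"))
        elif not has_password and not uses_local:
            findings.append((header, "'login' without a password: line cannot authenticate"))
        if "exec-timeout 0 0" in cmds:
            findings.append((header, "exec-timeout 0 0: idle sessions never time out"))
        if header.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append((header, "accepts Telnet (clear text); set 'transport input ssh'"))
    return findings


if __name__ == "__main__":
    for location, finding in audit(SAMPLE_CONFIG):
        print(f"{location:<14} {finding}")
```

Run against the sample it flags six items, including line aux 0, which in the R1 example was left with neither a password nor login even though the reference table above lists both for the auxiliary line.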
Saving and erasing configurations
Router(config)#exit
   Brings you back to privileged EXEC mode
Router#copy running-config startup-config
   Saves the running configuration to local NVRAM
Router#copy running-config tftp
   Saves the running configuration remotely to a TFTP server
Router#erase startup-config
   Deletes the startup configuration file from NVRAM
Configuration Example: Basic Router Configuration

For example purposes we will use the topology created at the start of this example. Create a simple topology by
dragging devices onto the workspace as shown in the figure.
Click inside the router, select CLI and press Enter to get started.
--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: no
Press RETURN to get started!
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#description Student Lab LAN
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R1(config-if)#exit
R1(config)#banner motd # Next Schedule metting with is postponed #
R1(config)#banner login # Unauthorized access is prohibited !
Enter you user name and password #
R1(config)#ip host Lucknow 172.16.1.1
R1(config)#no ip domain-lookup
R1(config)#line console 0
R1(config-line)#exec-timeout 0 0
R1(config-line)#logging synchronous
R1(config-line)#password consloe
R1(config-line)#login
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password telnet
R1(config-line)#login
R1(config-line)#exit
% Unrecognized command
R1(config)#enable password test
R1(config)#enable secret vinita
R1(config)#exit
%SYS-5-CONFIG_I: Configured from console by console
R1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#

Basic router configurations show commands

Basic Show Commands


Router#show running-config
Building configuration...
Current configuration : 419 bytes
!
version 12.4
no service password-encryption
!
hostname Router
!
ip ssh version 1
!
interface FastEthernet0/0
[output is Omitted]
Shows the active configuration in memory. The currently active configuration script running on the router is referred
to as the running-config on the router's command-line interface. Note that privileged mode is required. The running
configuration is not automatically saved on a Cisco router and will be lost in the event of a power failure. The
running configuration must be saved manually with the copy command.
Router#show flash
System flash directory:
File  Length    Name/status
  1   33591768  c1841-advipservicesk9-mz.124-15.T1.bin
[33591768 bytes used, 30424616 available, 64016384 total]
63488K bytes of processor board System flash (Read/Write)
Flash memory is a special kind of memory on the router that contains the operating system image file(s). Unlike
regular router memory, Flash memory continues to maintain the file image even after power is lost.
Router#show history
The router's command-line interface (CLI) keeps by default the last 10 commands you have entered in memory.
To retrieve the previous command you typed, press the up arrow.
To retrieve the next command you typed, press the down arrow.
Router#show protocols
Use this command to view the status of the current layer 3 routed protocols running on your router
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version
12.4(15)T1,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team
ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
System returned to ROM by power-on
System image file is "flash:c1841-advipservicesk9-mz.124-15.T1.bin"
[output is Omitted]
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Processor board ID FTX0947Z18E
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
1 Low-speed serial(sync/async) network interface(s)
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
This command will give you critical information, such as: router platform type, operating system revision, operating
system last boot time and file location, amount of memory, number of interfaces, and configuration register
Router#show clock
*1:46:13.169 UTC Mon Nov 1 2009
Shows the router's clock
Router#show hosts
Displays a cached list of hosts and all of their interfaces' IP addresses
Router#show users
Shows a list of all users who are connected to the router
Router#show interfaces
Gives you detailed information about each interface
Router#show protocols

will show the global and interface-specific status of any layer 3 protocols
Router#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.0.0.1        YES manual up                    up
FastEthernet0/1        unassigned      YES manual administratively down down
Serial0/0/0            20.0.0.1        YES manual up                    up
Vlan1                  unassigned      YES manual administratively down down
Router#
This command shows a brief summary of each interface and is the command most used in troubleshooting. The status
column can show three conditions:
UP :- the interface is up and operational
DOWN :- a physical link is detected but there is a problem in the configuration
Administratively down :- the port has been disabled with the shutdown command (the default state of any port on a router)
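When many interfaces are involved it helps to sort this output automatically. The following Python is an added example, not part of the course: it parses show ip interface brief and groups interfaces by the conditions listed above. The sample output is constructed to match the table, with one extra up/down row added to show the case where the carrier is present but the line protocol is down (a layer-2 problem such as an encapsulation or clock mismatch on a serial link), which the text's DOWN description covers only loosely.

```python
"""Parse 'show ip interface brief' and sort interfaces into the conditions above.

Added example, not from the original course. The sample output is constructed
to match the table in the text plus one up/down row.
"""
import re

SAMPLE_OUTPUT = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.0.0.1        YES manual up                    up
FastEthernet0/1        unassigned      YES manual administratively down down
Serial0/0/0            20.0.0.1        YES manual up                    up
Serial0/0/1            30.0.0.1        YES manual up                    down
Vlan1                  unassigned      YES manual administratively down down
"""

ROW = re.compile(
    r"^(?P<interface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>up|down|administratively down)\s+(?P<protocol>up|down)\s*$"
)


def parse_ip_int_brief(text: str):
    """Return one dict per interface row; the header and prompt lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def classify(row) -> str:
    status, protocol = row["status"], row["protocol"]
    if status == "administratively down":
        return "administratively down"     # shut down by 'shutdown'; fix with no shutdown
    if status == "down":
        return "down"                      # no carrier: cable, speed/duplex or far end
    if protocol == "down":
        return "line protocol down"        # carrier present but layer 2 is not talking
    return "up"


def summarize(text: str):
    """Group interface names by condition and list up interfaces lacking an IP address."""
    groups = {}
    no_address = []
    for row in parse_ip_int_brief(text):
        condition = classify(row)
        groups.setdefault(condition, []).append(row["interface"])
        if row["ip"] == "unassigned" and condition == "up":
            no_address.append(row["interface"])
    return groups, no_address


if __name__ == "__main__":
    groups, no_address = summarize(SAMPLE_OUTPUT)
    for condition, names in groups.items():
        print(f"{condition:<24} {', '.join(names)}")
    print("up but unassigned:", no_address or "none")
```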
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
C    10.0.0.0/8 is directly connected, FastEthernet0/0
C    20.0.0.0/8 is directly connected, Serial0/0/0
D    30.0.0.0/8 [90/40514560] via 20.0.0.2, 00:02:55, Serial0/0/0
D    40.0.0.0/8 [90/41026560] via 20.0.0.2, 00:02:54, Serial0/0/0
D    50.0.0.0/8 [90/41029120] via 20.0.0.2, 00:02:50, Serial0/0/0
R1#
This command lists every known route. The router will not forward a packet whose destination has no matching route
here; every routing decision is made from this routing table.

R1#show controllers serial 0/0/0


Interface Serial0/0/0
Hardware is PowerQUICC MPC860
DCE V.35, clock rate 64000
idb at 0x81081AC4, driver data structure at 0x81084AC0
The most common use of this command is to find out whether the port is the DCE or the DTE end. If the port is the DCE end then
the clock rate and bandwidth commands are required. As you can see in the output, this port is DCE.

R1#show ip protocols
Routing Protocol is "eigrp 1 "
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 1
  Automatic network summarization is in effect
  Automatic address summarization:
  Maximum path: 4
  Routing for Networks:
    10.0.0.0
    20.0.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    20.0.0.2              90      16
  Distance: internal 90 external 170
Use this command to find out which routing protocols are running. It gives the complete status of each protocol: on which
interfaces it receives updates, on which interfaces it sends updates, and the timer intervals.
Basic of routing

Routing is the process by which a packet gets from one location to another. To route a packet, a router needs to know
the destination address and on which interface to send the traffic out. When a packet comes into an interface (the inbound
interface) on a router, the router looks up the destination IP address in the packet header and compares it with its routing
table. The routing table, which is stored in RAM, tells the router which outgoing interface the packet should leave on
to reach the destination network. There are three ways to control routing decisions on your router:

Static routes

Default routes

Dynamic routes

Static Routes
Use a static route when you want to manually define the path that the packet will take through your network. Static
routes are useful in small networks with rarely changing routes, when you have little bandwidth and do not want the
overhead of a dynamic routing protocol, or when you want to manually define all of your routes for security reasons.
Static routes are created in global configuration mode. The syntax for the static route is as follows:

ip route destination-network-address [subnet-mask] {next-hop-address | interface} [distance]

Default routes
This is a special type of static route, commonly called the gateway of last resort. If the specified destination is not
listed in the routing table, the default route can be used to route the packet. A default route has an IP address of
0.0.0.0 and a subnet mask of 0.0.0.0, often represented as 0.0.0.0/0. Default routes are commonly used in small
networks on a perimeter router pointing to the directly connected ISP router.
Dynamic Routes
A router learns dynamic routes by running a routing protocol. Routing protocols will learn about routes from other
neighboring routers running the same routing protocol. Through this sharing process, a router will eventually learn
about all of the reachable network and subnet numbers in the network.
Now be familiar with the terms routing protocol and routed protocol that have two different meanings. A routing
protocol learns about routes for a routed protocol.

Routed protocol:
Any network protocol that provides enough information in its network layer address to enable a packet to be
forwarded from one host to another host based on the addressing scheme, without knowing the entire path from
source to destination. Packets generally are conveyed from end system to end system. IP is an example of a routed
protocol.
Routing protocol:
Facilitates the exchange of routing information between networks, enabling routers to build routing tables
dynamically. Traditional IP routing stays simple because it uses next-hop (next-router) routing, in which the router
needs to consider only where it sends the packet and does not need to consider the subsequent path of the packet on
the remaining hops (routers). Routing Information Protocol (RIP) is an example of a routing protocol.
There are two types of routing protocols:

Interior Gateway Protocols (IGP): These routing protocols exchange routing
information within an autonomous system. Routing Information Protocol version 2
(RIPv2), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First
(OSPF) are examples of IGPs.

Exterior Gateway Protocols (EGP): These routing protocols are used to route
between autonomous systems. Border Gateway Protocol (BGP) is the EGP of choice in
networks today.

Metrics
Routing Protocol   Metric        Description
RIP                Hop count     How many layer 3 hops away from the destination
OSPF               Cost          Measurement in the inverse of the bandwidth of the links
EIGRP              Bandwidth     The capacity of the links in Kbps (T1 = 1554)
EIGRP              Delay         Time it takes to reach the destination
EIGRP              Load          The path with the least utilization
EIGRP              MTU           The path that supports the largest frame sizes
EIGRP              Reliability   The path with the least amount of errors or down time

Autonomous Systems
An autonomous system (AS) is a group of networks under a single administrative control, which could be your
company, a division within your company, or a group of companies.


Not every routing protocol understands the concept of an AS. EIGRP, IS-IS and BGP do, and EIGRP requires
you to configure the AS number in its router command; it must match on every router that is to exchange
routes. RIP has no notion of an AS. OSPF's router command takes a process ID, not an AS number; the
process ID is only locally significant and does not have to match between routers.
Administrative Distance
Administrative distance is the measure of trustworthiness a router assigns to the source from which a
route to a network was learned. It decides between routes to the same network learned from different
sources; the metric only decides between routes learned from the same source.
An administrative distance is an integer from 0 to 255. A route with a lower administrative distance is
more trustworthy than one with a higher administrative distance and is the one installed in the routing
table.

Administrative Distance   Route Type
0                         Connected interface route
1                         Static route
90                        Internal EIGRP route (within the same AS)
110                       OSPF route
120                       RIPv1 and RIPv2 route
170                       External EIGRP route (redistributed into EIGRP from another protocol or AS)
255                       Unknown route (considered invalid and never used)

Basics of static routing: configuring a Cisco router

Static routing is when you manually add routes to each router's routing table. Like every routing method
it has advantages and disadvantages.
Static routing has the following advantages:

No routing-protocol overhead on the router CPU.

No bandwidth used between routers for routing updates.

It adds security, because the administrator decides exactly which networks are reachable, and nothing
a neighbor advertises can change that.

Static routing has the following disadvantages:

The administrator must really understand the internetwork and how each router is connected in order
to configure the routes correctly.

If a network is added to the internetwork, the administrator has to add a route to it on every router
manually.

It is not feasible in large networks: maintaining the routes would be a full-time job in itself, and
no route is withdrawn automatically when a path fails unless the local interface itself goes down.

Command syntax for a static route:

ip route [destination_network] [mask] [next-hop_address or exit_interface] [administrative_distance] [permanent]

ip route: the command used to create the static route.
destination_network: the network you are placing in the routing table.
mask: the subnet mask of that network.
next-hop_address: the address of the next-hop router that receives the packet and forwards it to the
remote network. The router resolves the next hop against its own routing table, so the next hop must be
reachable through a connected network.
exit_interface: used instead of the next-hop address; the route then shows up as a directly connected
route in show ip route. Use this form only on point-to-point links. On a multi-access link such as
Ethernet the router has to ARP for every remote destination and depends on the neighbor's proxy ARP.
administrative_distance: optional. Static routes have an administrative distance of 1 by default, with
either a next hop or an exit interface (only a directly connected network has distance 0). Giving a
static route a higher value, for example 5, creates a "floating" static route that is installed only
when the route to the same network with the lower distance disappears; this is the standard way to
build a static backup path.
permanent: optional keyword. Without it, a static route is removed from the routing table if the
interface it uses goes down. With it, the route stays in the routing table even when the interface is
down and the directly connected network has been removed; traffic matching it is then dropped instead
of following a less specific route such as a default route.
In the previous examples you learned:

How to connect to Cisco devices

How to use the available help options

The basics of routing protocols

Show commands

Basic router configuration

In this example we recall all the topics covered so far and put the commands into practice.
Create a topology as shown in figure on packet tracer or


Now configure PC-0 first. Double-click the PC, select the Desktop tab and click IP Configuration.

Set ip address as shown in figure


IP address 10.0.0.2
Subnet mask 255.0.0.0
Default Gateway 10.0.0.1
Follow the same process in PC-2 and set the ip address to

IP address 30.0.0.2
Subnet mask 255.0.0.0
Default Gateway 30.0.0.1
Now double-click 1841 Router0 and select CLI.

Type no and press Enter to skip the initial configuration dialog:

--- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: no
Press RETURN to get started!
Router>
You are now in user exec mode.
Set the hostname to R1, assign IP address 10.0.0.1 255.0.0.0 to FastEthernet 0/0 and set the login
banner "Unauthorized access is prohibited".
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#banner motd # Unauthorized access is prohibited #
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#
Configure Router-2 the same way, with hostname R2 and IP address 30.0.0.1 255.0.0.0 on
FastEthernet 0/0.


Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R2(config-if)#exit
R2(config)#
Each PC now has connectivity to its router's Ethernet port.

Configure the serial port

A back-to-back serial connection between two routers needs one command that an Ethernet link does not:
clock rate. It sets the rate at which the DCE end of the cable clocks the line. The command is accepted
only on the DCE end (show controllers serial 0/0/0 tells you which end of the cable a router holds); the
DTE end takes its clocking from the DCE. On a service-provider circuit the provider's CSU/DSU supplies
the clock, so clock rate is not configured. The bandwidth command does not change the link speed; it
only tells routing protocols such as EIGRP and OSPF which value (in Kbps) to use in their metrics.
Connect R1 Serial 0/0/0 to R2 Serial 0/0/0 and configure the serial ports with 20.0.0.1 255.0.0.0 on R1
and 20.0.0.2 255.0.0.0 on R2.
On R1
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to
up
R1(config-if)#exit
R1(config)#
On R2
R2(config)#interface serial 0/0/0
R2(config-if)#ip address 20.0.0.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
At this point the interfaces have IP addresses, but PC-0 still cannot ping PC-2: R1 knows nothing about
network 30.0.0.0 and R2 knows nothing about 10.0.0.0. Routes can be added statically or learned
dynamically; dynamic routing is covered in the next examples. Here we use a simple static route.
First tell R1 about network 30.0.0.0:


R1(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.2
R1(config)#
In this command 30.0.0.0 is the destination network, 255.0.0.0 is the subnet mask of that network and
20.0.0.2 is the IP address of the next hop:
30.0.0.0 = destination network.
255.0.0.0 = subnet mask.
20.0.0.2 = next-hop address.
Read it as: "To get to the destination network 30.0.0.0 with subnet mask 255.0.0.0, send all packets to
20.0.0.2".
Now tell R2 about to network of 10.0.0.0
R2(config)#ip route 10.0.0.0 255.0.0.0 20.0.0.1
R2(config)#
Now test connectivity. On PC-0 (10.0.0.2) open the Command Prompt and ping PC-2:
C:\> ping 30.0.0.2
A reply means static routing between R1 and R2 works. Both routes are needed: without the route on R2
the echo request reaches PC-2, but the reply has no path back to 10.0.0.0.
Default Routing
A default route sends packets whose destination network is not in the routing table to a next-hop
router. Use it only on stub networks, those with a single exit path, where listing every remote network
individually gains nothing. Because it matches every unknown destination, the next hop you choose sees
all of that traffic, so it must be a router you trust.
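The following is an added worked example, not configuration from the original lab, showing the static-route forms described above on R1 of the two-router topology (Fa0/0 10.0.0.1/8, S0/0/0 20.0.0.1/8, R2 at 20.0.0.2). The second serial link S0/0/1 with address 21.0.0.1/8 to R2 at 21.0.0.2, and the prefix 40.0.0.0/8 behind R2, are assumptions made only to illustrate the floating static and exit-interface forms.

```cisco
! Added example: next-hop, exit-interface, floating and default static routes on R1.
! Assumes the two-router lab (R1 Fa0/0 = 10.0.0.1/8, S0/0/0 = 20.0.0.1/8, R2 at 20.0.0.2)
! plus a hypothetical backup link S0/0/1 = 21.0.0.1/8 to R2 at 21.0.0.2.
R1(config)#interface serial 0/0/1
R1(config-if)#ip address 21.0.0.1 255.0.0.0
R1(config-if)#no shutdown
R1(config-if)#exit
!
! 1. Next-hop form: the router looks 20.0.0.2 up in its own table to find the exit interface.
R1(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.2
!
! 2. Exit-interface form (40.0.0.0/8 is a hypothetical prefix behind R2): listed as
!    "directly connected" in show ip route but still administrative distance 1.
!    Only for point-to-point links; on Ethernet the router would ARP for every remote host.
R1(config)#ip route 40.0.0.0 255.0.0.0 serial 0/0/0
!
! 3. Floating static: same prefix via the backup link with a higher distance (5).
!    It stays out of the routing table while the distance-1 route is usable and is
!    installed automatically when S0/0/0 goes down (no permanent keyword on either route).
R1(config)#ip route 30.0.0.0 255.0.0.0 21.0.0.2 5
!
! 4. Default route for a stub router: every destination not matched above goes to R2.
!    The zero mask matches everything, so R2 now sees all of R1's unknown traffic.
R1(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.2
R1(config)#end
!
! Verification: static routes are flagged S, the default route S* and
! "Gateway of last resort is 20.0.0.2 to network 0.0.0.0".
R1#show ip route static
!   S     30.0.0.0/8 [1/0] via 20.0.0.2
!   S     40.0.0.0/8 is directly connected, Serial0/0/0
!   S*    0.0.0.0/0 [1/0] via 20.0.0.2
! The floating route is not listed while the primary is up; confirm which one is active with:
R1#show ip route 30.0.0.0
!   Known via "static", distance 1 while S0/0/0 is up; distance 5 via 21.0.0.2 after
!   shutting S0/0/0 down.
```

Shut S0/0/0 down (interface serial 0/0/0, shutdown) and rerun show ip route 30.0.0.0 to watch the floating route take over; bring the interface back up and the distance-1 route returns.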

Routing Information Protocol RIP

Routing Information Protocol (RIP) is a standards-based, distance-vector interior gateway protocol (IGP)
used by routers to exchange routing information. RIP uses hop count to choose the best path: the number
of routers a packet must pass through to reach the destination network. The maximum hop count is 15; a
route with a metric of 16 is unreachable. This limit, together with the slow convergence of periodic
updates, makes RIP suitable for small networks but inefficient on large networks, on networks with slow
WAN links, or on networks with many routers.
In a RIP network each router sends its entire routing table to its neighbors every 30 seconds (as a
broadcast in RIPv1, as a multicast in RIPv2). When a router receives a neighbor's table it updates its
own routing table from it and, in turn, advertises the updated table to its neighbors.
Differences between RIPv1 and RIPv2
RIPv1

A classful protocol: updates carry no subnet masks, so every subnet of a major network must use the same
mask. Broadcasts its whole table every 30 seconds; hold-down period 180 seconds. Hop count is the metric
(maximum 15).

RIP supports up to six equal-cost paths to a single destination, all of which can be placed in the
routing table so the router load-balances across them. The default is four paths (shown as "Maximum
path: 4" in show ip protocols), which can be raised to six with the maximum-paths command. Equal cost
means equal hop count; RIP never load-balances across unequal-cost paths.

RIPv2

RIPv2 sends its updates as multicasts to 224.0.0.9; version 1 uses broadcasts.

RIPv2 supports triggered updates: when a change occurs, a RIPv2 router immediately propagates its
routing information to its connected neighbors.

RIPv2 is a classless protocol: it carries the subnet mask in its updates and so supports variable-length
subnet masking (VLSM) and, with automatic summarization turned off, discontiguous networks.

RIPv2 supports authentication, so you can restrict which routers participate in RIPv2. Plaintext and MD5
modes exist; use MD5 (a keyed hash over the update), because a plaintext key is visible to anyone who can
capture an update on the segment.

RIP Timers
RIP uses four timers to regulate its behaviour:
Route update timer
Sets the interval (30 seconds by default) between periodic routing updates, in which the router sends a
complete copy of its routing table to all neighbors.
Route invalid timer
Sets how long (180 seconds by default) a route may go without an update before the router declares it
invalid. When that happens the route's metric is set to 16 and the router advertises it to all its
neighbors as unreachable.
Holddown timer
Sets how long (180 seconds by default) routing information about a route is suppressed. A route enters
holddown when an update is received that marks it unreachable; during holddown the router ignores
updates for that route carrying an equal or worse metric, which stops a stale advertisement from
reintroducing a failed path. Holddown ends when an update with a better metric arrives or the timer
expires.
Route flush timer
Sets the time (240 seconds by default) between a route becoming invalid and its removal from the routing
table. Before the route is removed, the router notifies its neighbors of its impending failure. The
route invalid timer must be less than the route flush timer, so the router has time to tell its
neighbors about the invalid route before its local routing table is updated.


RIP Routing Configuration

We will use two routers and four subnets. Create the topology shown in the figure in Packet Tracer and
address it as follows (all masks 255.0.0.0):

Router   FastEthernet0/0   FastEthernet0/1   Serial0/0/0
R1       10.0.0.1          20.0.0.1          50.0.0.1
R2       30.0.0.1          40.0.0.1          50.0.0.2

PC    IP address   PC    IP address
PC0   20.0.0.2     PC1   20.0.0.3
PC2   40.0.0.2     PC3   40.0.0.3
PC4   10.0.0.2     PC5   10.0.0.3
PC6   30.0.0.2     PC7   30.0.0.3

Assign the IP addresses to the PCs: double-click a PC, open IP Configuration on the Desktop tab and
enter the address from the table with mask 255.0.0.0 and, as default gateway, the router address in
that subnet (for example 20.0.0.1 for PC0 and PC1, 40.0.0.1 for PC2 and PC3).
To configure a router, double-click it and select CLI.

(1841 Router0) Hostname R1
To configure and enable RIP routing on R1, enter these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R1(config-if)#exit
R1(config)#interface fastethernet 0/1
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed
state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 50.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
R1(config)#router rip
R1(config-router)#network 10.0.0.0
R1(config-router)#network 20.0.0.0
R1(config-router)#network 50.0.0.0
(2811Router1) Hostname R2
To configure and enable rip routing on R2 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to up
R2(config-if)#exit
R2(config)#interface fastethernet 0/1
R2(config-if)#ip address 40.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to up
R2(config-if)#exit


R2(config)#interface serial 0/0/0


R2(config-if)#ip address 50.0.0.2 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0,
changed state to up
R2(config-if)#exit
R2(config)#router rip
R2(config-router)#network 30.0.0.0
R2(config-router)#network 40.0.0.0
R2(config-router)#network 50.0.0.0
R2(config-router)#exit
To test RIP routing, ping every PC from PC0 and vice versa. If you get replies, RIP routing is
configured correctly; if not, double-check the configuration with show ip route and show ip protocols
on both routers and troubleshoot.
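The lab above leaves RIP at its IOS defaults: version 1 updates are broadcast, networks are
auto-summarized, and every interface covered by a network statement sends updates, including the PC
segments, where anyone attached can read the routing table or inject a bogus route. The following is an
added hardening example for R1 of this two-router lab, not part of the original configuration; the key
chain name RIP-KEYS and the key string are assumptions.

```cisco
! Added example: RIPv2 with MD5 authentication and passive LAN ports on R1
! (interfaces and networks as in the two-router RIP lab; key chain and key string assumed).
!
! Shared secret used to authenticate RIP updates on the router-to-router link.
R1(config)#key chain RIP-KEYS
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string R1pS3cret
R1(config-keychain-key)#exit
R1(config-keychain)#exit
!
R1(config)#router rip
! Send and accept version 2 only: multicast 224.0.0.9, subnet masks carried in updates.
R1(config-router)#version 2
R1(config-router)#no auto-summary
! Make the four timers explicit: update 30, invalid 180, holddown 180, flush 240 seconds.
R1(config-router)#timers basic 30 180 180 240
! PC segments: the prefixes are still advertised to R2, but no updates are sent onto
! these ports. RIP still listens on a passive interface, so authentication (below) or
! an inbound distribute-list is what stops a host from injecting routes.
R1(config-router)#passive-interface fastethernet 0/0
R1(config-router)#passive-interface fastethernet 0/1
R1(config-router)#network 10.0.0.0
R1(config-router)#network 20.0.0.0
R1(config-router)#network 50.0.0.0
R1(config-router)#exit
!
! Authenticate updates on the serial link: an update without a valid MD5 digest
! for key 1 is discarded, so an unauthenticated peer cannot alter R1's table.
R1(config)#interface serial 0/0/0
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain RIP-KEYS
R1(config-if)#end
!
! Apply the same key chain, version 2, no auto-summary and S0/0/0 authentication on R2,
! with passive-interface on its Fa0/0 and Fa0/1. Then verify:
R1#show ip protocols
!   expect "send version 2, receive version 2" and RIP-KEYS listed against Serial0/0/0
R1#show ip rip database
!   RIP's own view of the learned routes, including any held in holddown
R1#debug ip rip
!   shows each update sent and received; on a mismatched key the update is ignored.
!   Run it only briefly and turn it off with "undebug all".
```

If R2 is left on version 1 the neighbors stop exchanging routes, which is the expected effect: change both ends together, and change the key string on both ends in one maintenance window.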

RIP Routing Configuration (four routers)

In the previous example we discussed the features of RIP and configured a simple topology. This example
demonstrates RIP routing on four routers of different series, so you become familiar with all the
platforms covered in the CCNA exam. Create the topology shown in the figure.

IP RIP comes in two versions, 1 and 2. Version 1 is a distance-vector protocol defined in RFC 1058.
Version 2 is also a distance-vector protocol, defined in RFC 2453 (which obsoletes RFC 1723); it adds
subnet masks, multicast updates and authentication. The CCNA exam now focuses primarily on version 2.
As far as configuration is concerned the two differ only in the version 2 command under router rip
(usually together with no auto-summary); the lab below uses the IOS default, which sends version 1 and
accepts either version. For the feature differences see the previous example about RIP.
Router addressing (all masks 255.0.0.0):

Router                 Interface         IP address   Connected with
R1 (1841 Router0)      FastEthernet0/0   10.0.0.1     PC0
                       Serial0/0/0       20.0.0.1     R2 on Serial0/0
R2 (2620XM Router1)    FastEthernet0/0   30.0.0.1     R3 on FastEthernet0/0
                       Serial0/0         20.0.0.2     R1 on Serial0/0/0
R3 (2621XM Router0)    FastEthernet0/0   30.0.0.2     R2 on FastEthernet0/0
                       Serial0/0         40.0.0.1     R4 on Serial0/0/0
R4 (2811 Router0)      FastEthernet0/0   50.0.0.1     PC1
                       Serial0/0/0       40.0.0.2     R3 on Serial0/0

PC (PC-PT)   Interface       IP address   Default gateway   Connected with
PC0          FastEthernet0   10.0.0.2     10.0.0.1          R1 on FastEthernet0/0
PC1          FastEthernet0   50.0.0.2     50.0.0.1          R4 on FastEthernet0/0

To configure any router, double-click it and select CLI. Configure the four routers as follows.
(1841 Router0) Hostname R1
To configure and enable RIP routing on R1, enter these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0


R1(config-if)#ip address 20.0.0.1 255.0.0.0


R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R1(config)#router rip
R1(config-router)#network 10.0.0.0
R1(config-router)#network 20.0.0.0
R1(config-router)#exit
R1(config)#
(2620XM-Router1) Hostname R2
To configure and enable rip routing on R2 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface serial 0/0
R2(config-if)#ip address 20.0.0.2 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to
up
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R2(config)#router rip
R2(config-router)#network 20.0.0.0
R2(config-router)#network 30.0.0.0
R2(config-router)#exit
R2(config)#
(2620XM-Router2)Hostname R3
To configure and enable rip routing on R3 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.0.0.2 255.0.0.0
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R3(config-if)#interface serial 0/0
R3(config-if)#ip address 40.0.0.1 255.0.0.0
R3(config-if)#clock rate 64000


R3(config-if)#bandwidth 64
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to down
R3(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to
up
R3(config)#router rip
R3(config-router)#network 30.0.0.0
R3(config-router)#network 40.0.0.0
R3(config-router)#exit
R3(config)#
(2811 Router3) Hostname R4
To configure and enable RIP routing on R4, enter these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R4
R4(config)#interface serial 0/0/0
R4(config-if)#ip address 40.0.0.2 255.0.0.0
R4(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R4(config-if)#exit
R4(config)#interface fastethernet 0/0
R4(config-if)#ip address 50.0.0.1 255.0.0.0
R4(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R4(config-if)#exit
R4(config)#router rip
R4(config-router)#network 40.0.0.0
R4(config-router)#network 50.0.0.0
R4(config-router)#exit
R4(config)#
PC0
PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 50.0.0.2
Pinging 50.0.0.2 with 32 bytes of data:
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=140ms TTL=124
Ping statistics for 50.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 127ms, Maximum = 156ms, Average = 144ms
PC>
The TTL of 124 is the PC's initial TTL of 128 minus one per router crossed (R1, R2, R3, R4), which
confirms the reply took the expected four-hop path.
PC1
PC>ipconfig
IP Address......................: 50.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 50.0.0.1
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time=140ms TTL=124
Reply from 10.0.0.2: bytes=32 time=141ms TTL=124
Reply from 10.0.0.2: bytes=32 time=157ms TTL=124
Reply from 10.0.0.2: bytes=32 time=156ms TTL=124
Ping statistics for 10.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 140ms, Maximum = 157ms, Average = 148ms
You can verify that RIP is running with the show ip protocols command in privileged mode.
R1#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 2 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 1, receive any version
  Interface             Send  Recv  Triggered RIP  Key-chain
  FastEthernet0/0       1     2 1
  Serial0/0/0           1     2 1
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
  10.0.0.0
  20.0.0.0
Passive Interface(s):
Routing Information Sources:
  Gateway         Distance      Last Update
  20.0.0.2             120      00:00:20
Distance: (default is 120)
R1#
Use show ip route to troubleshoot a RIP network. If a route is missing, check the router attached to
that network: is the interface up, and is its network covered by a network statement?
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    10.0.0.0/8 is directly connected, FastEthernet0/0
C    20.0.0.0/8 is directly connected, Serial0/0/0
R    30.0.0.0/8 [120/1] via 20.0.0.2, 00:00:01, Serial0/0/0
R    40.0.0.0/8 [120/2] via 20.0.0.2, 00:00:01, Serial0/0/0
R    50.0.0.0/8 [120/3] via 20.0.0.2, 00:00:01, Serial0/0/0
R1#
In each RIP entry the bracketed pair is [administrative distance/hop count]: 50.0.0.0 is three hops
away (R2, R3, R4), which matches the topology.
To test RIP routing, ping from PC0 to PC1 and vice versa. If you get replies, RIP routing is configured
correctly; if not, double-check the configuration and troubleshoot.

Enhanced Interior Gateway Routing Protocol (EIGRP)

EIGRP is Cisco's enhancement of its earlier IGRP. Before learning more about EIGRP, be familiar with
IGRP.
Interior Gateway Routing Protocol (IGRP)
The Interior Gateway Routing Protocol (IGRP) is a Cisco-proprietary distance-vector routing protocol for
IP.

It uses a composite metric based on bandwidth and delay.

It uses triggered updates to speed up convergence.

It supports unequal-cost load balancing to a single destination.

IGRP can use bandwidth, delay, reliability, load and MTU as metric components (bandwidth and delay by
default).
IGRP's routing update period is 90 seconds; its hold-down period is 280 seconds and its flush period is
630 seconds.
IGRP requires an AS number in its router command, and the network numbers given to the network command
are entered as classful network numbers, as they are for RIP.
IGRP supports both equal- and unequal-cost paths for load balancing to a single destination. Equal-cost
load balancing is enabled by default, with up to six equal-cost paths (four by default) to a single
destination in the IP routing table. Unequal-cost load balancing is supported too, but it is disabled by
default and has to be enabled with the variance command.
Enhanced Interior Gateway Routing Protocol
The Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco-proprietary routing protocol for IP.
Its characteristics include:

Fast convergence

Loop-free topology

VLSM and route summarization

Multicast and incremental updates

Routes for multiple routed protocols

Here is a brief comparison of EIGRP and IGRP:

Both offer load balancing across up to six paths (equal or unequal cost).

They have similar metric structures.

EIGRP converges faster (triggered updates, and a locally stored copy of each neighbor's routing table).

EIGRP has less network overhead, since it sends incremental updates instead of periodic full-table
updates.

If some routers in your network run IGRP and others run EIGRP, and both use the same autonomous system
number, routing information is automatically redistributed between the two.

EIGRP uses a 32-bit metric, IGRP a 24-bit metric (the EIGRP metric is the IGRP metric multiplied by
256).

EIGRP uses the Diffusing Update Algorithm (DUAL) to compute loop-free paths and update the routing table.

A unique feature of classic EIGRP is that it routes three routed protocols: IP, IPX and AppleTalk.

Hello packets are sent every five seconds on LAN interfaces as multicasts to 224.0.0.10.

For EIGRP routers to become neighbors, the following must match:

The AS number

The K-values (these enable or disable the individual metric components)

The two routers must also be on the same subnet, and if authentication is configured on the interface
the hello must authenticate.
When two routers determine whether they will become neighbors, they go through the following process:
1. The first router sends a Hello containing its configuration information.
2. If the configuration matches, the second router responds with an Update message containing its
topology information.
3. The first router responds with an ACK, acknowledging receipt of the second router's Update.
4. The first router sends its own topology to the second router in an Update message.
5. The second router responds with an ACK.
You must specify the AS number when configuring EIGRP. EIGRP is classless, but a network command given
without a wildcard mask is interpreted classfully and enables EIGRP on every interface in that classful
network; add a wildcard mask (for example network 10.1.1.0 0.0.0.255) to enable it only on specific
interfaces.
EIGRP Terms
Successor: the best path to reach a destination in the topology table; it is the path copied into the
routing table.
Feasible successor: a backup path in the topology table that satisfies the feasibility condition, that
is, the neighbor's advertised distance is lower than the feasible distance of the current successor,
which guarantees the backup is loop-free. A destination can have several feasible successors; if the
successor fails, one of them is promoted immediately without a DUAL recomputation.
Routing table: all the successor routes from the topology table. There is a separate routing table for
each routed protocol.
Advertised distance: the metric a neighboring router advertises for a specific route (also called the
reported distance).
Feasible distance: the metric your router has computed to reach a route: the neighbor's advertised
distance plus the metric of the local interface toward that neighbor.
Neighbor table: the list of EIGRP neighbors, comparable to the adjacencies OSPF builds between the
designated router/backup DR and the other routers on a segment. Each routed protocol (IP, IPX,
AppleTalk) has its own neighbor table.
Topology table: comparable to OSPF's database; all destinations and paths the EIGRP router has learned,
essentially a compilation of the neighbors' routing tables. A separate topology table exists for each
routed protocol.
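The following is an added example, not configuration from the original page, that ties the neighbor
requirements and terms above to the commands on R1 of this chapter's addressing (Fa0/0 10.0.0.1/8
toward the PC segment, S0/0/0 20.0.0.1/8 toward R2 at 20.0.0.2, AS 1). The key chain name EIGRP-KEYS,
the key string and the router ID 1.1.1.1 are assumptions.

```cisco
! Added example: EIGRP AS 1 on R1 with a wildcard network statement, a passive LAN port
! and MD5-authenticated neighbors (interfaces as in the chapter labs; key and router-id assumed).
R1(config)#key chain EIGRP-KEYS
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string E1grpS3cret
R1(config-keychain-key)#exit
R1(config-keychain)#exit
!
! The AS number must match on both ends of every link, as must the K-values
! (left at their defaults here: bandwidth and delay only).
R1(config)#router eigrp 1
R1(config-router)#eigrp router-id 1.1.1.1
R1(config-router)#no auto-summary
! Wildcard form: enable EIGRP on exactly these interfaces instead of on every
! interface that happens to fall inside the classful network.
R1(config-router)#network 10.0.0.0 0.255.255.255
R1(config-router)#network 20.0.0.0 0.255.255.255
! No hellos on the PC segment, so no host there can ever become a neighbor;
! 10.0.0.0/8 is still advertised to R2.
R1(config-router)#passive-interface fastethernet 0/0
R1(config-router)#exit
!
! Authenticate hellos and updates on the router-to-router link: a peer that does
! not present a valid MD5 digest for key 1 never enters the neighbor table.
R1(config)#interface serial 0/0/0
R1(config-if)#ip authentication mode eigrp 1 md5
R1(config-if)#ip authentication key-chain eigrp 1 EIGRP-KEYS
R1(config-if)#end
!
! Verification, mapped to the terms above (R2 needs the same AS, key chain and
! authentication on its serial interface first):
R1#show ip eigrp neighbors
!   neighbor table: R2 (20.0.0.2) on Serial0/0/0 once AS, K-values and key match
R1#show ip eigrp topology
!   topology table: each destination with its feasible distance (FD) and the
!   successor(s) "via" a neighbor; "P" marks a passive (stable) route. Extra
!   entries listed for a destination are feasible successors: their advertised
!   distance is lower than the successor's FD.
R1#show ip eigrp topology all-links
!   also lists paths that fail the feasibility condition and so cannot be backups
R1#show ip route eigrp
!   routing table: successors only, flagged D with [90/metric]
```

Removing the key chain from one side makes the neighbor drop within the hold time (15 seconds on a LAN, three times the hello interval), which is a quick way to confirm that authentication is actually being enforced rather than merely configured.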


EIGRP Routing Configurations

EIGRP is a Cisco-proprietary routing protocol for TCP/IP, based on Cisco's proprietary IGRP with many
enhancements. Because of its IGRP roots the configuration is similar to IGRP; it adds features usually
associated with link-state protocols (neighbor discovery, a topology table, incremental updates) that let
it scale to enterprise networks. These characteristics are described in the previous example.
This example demonstrates EIGRP routing on four routers of different series, so you become familiar
with all the platforms covered in the CCNA exam. Create the topology shown in the figure.

Router addressing (all masks 255.0.0.0):

Router                 Interface         IP address   Connected with
R1 (1841 Router0)      FastEthernet0/0   10.0.0.1     PC0
                       Serial0/0/0       20.0.0.1     R2 on Serial0/0
R2 (2620XM Router1)    FastEthernet0/0   30.0.0.1     R3 on FastEthernet0/0
                       Serial0/0         20.0.0.2     R1 on Serial0/0/0
R3 (2621XM Router0)    FastEthernet0/0   30.0.0.2     R2 on FastEthernet0/0
                       Serial0/0         40.0.0.1     R4 on Serial0/0/0
R4 (2811 Router0)      FastEthernet0/0   50.0.0.1     PC1
                       Serial0/0/0       40.0.0.2     R3 on Serial0/0

PC (PC-PT)   Interface       IP address   Default gateway   Connected with
PC0          FastEthernet0   10.0.0.2     10.0.0.1          R1 on FastEthernet0/0
PC1          FastEthernet0   50.0.0.2     50.0.0.1          R4 on FastEthernet0/0

To configure any router, double-click it and select CLI. Configure the four routers as follows.

(1841Router0) Hostname R1
To configure and enable eigrp routing on R1 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R1(config)#router eigrp 1
R1(config-router)#network 10.0.0.0
R1(config-router)#network 20.0.0.0
R1(config-router)#exit
R1(config)#
(2620XM-Router1) Hostname R2
To configure and enable eigrp routing on R2 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface serial 0/0
R2(config-if)#ip address 20.0.0.2 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to up


%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to
up
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R2(config)#router eigrp 1
R2(config-router)#network 20.0.0.0
R2(config-router)#network 30.0.0.0
R2(config-router)#exit
R2(config)#
(2620XM-Router2)Hostname R3
To configure and enable eigrp routing on R3 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.0.0.2 255.0.0.0
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R3(config-if)#interface serial 0/0
R3(config-if)#ip address 40.0.0.1 255.0.0.0
R3(config-if)#clock rate 64000
R3(config-if)#bandwidth 64
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to down
R3(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to
up
R3(config)#router eigrp 1
R3(config-router)#network 30.0.0.0
R3(config-router)#network 40.0.0.0
R3(config-router)#exit
R3(config)#
(2811Router3) Hostname R4
To configure and enable eigrp routing on R4 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line.
Router(config)#interface serial 0/0/0

End with CNTL/Z.

86

Router(config-if)#ip address 40.0.0.2 255.0.0.0


Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to
up
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 50.0.0.1 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
Router(config-if)#exit
Router(config)#hostname R4
R4(config)#router eigrp 1
R4(config-router)#network 40.0.0.0
R4(config-router)#network 50.0.0.0
R4(config-router)#exit
R4(config)#
PC-1
PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 50.0.0.2
Pinging 50.0.0.2 with 32 bytes of data:
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=140ms TTL=124
Ping statistics for 50.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 127ms, Maximum = 156ms, Average = 144ms
PC>
PC-2
PC>ipconfig
IP Address......................: 50.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 50.0.0.1
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time=140ms TTL=124
Reply from 10.0.0.2: bytes=32 time=141ms TTL=124
Reply from 10.0.0.2: bytes=32 time=157ms TTL=124
Reply from 10.0.0.2: bytes=32 time=156ms TTL=124
Ping statistics for 10.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 140ms, Maximum = 157ms, Average = 148ms
You can verify that eigrp is running successfully via the show ip protocols command in
privileged mode.
R4#show ip protocols
Routing Protocol is "ospf 4"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 50.0.0.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
50.0.0.0 0.255.255.255 area 0
40.0.0.0 0.255.255.255 area 0
Routing Information Sources:
Gateway         Distance      Last Update
40.0.0.1        110           00:01:26
Distance: (default is 110)
R4#
You can use the show ip route command to troubleshoot an eigrp network. If you do not
see a route for a network, check the router attached to that network.
R4#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
O    10.0.0.0/8 [110/1564] via 40.0.0.1, 00:02:37, Serial0/0/0
O    20.0.0.0/8 [110/1563] via 40.0.0.1, 00:02:37, Serial0/0/0
O    30.0.0.0/8 [110/782] via 40.0.0.1, 00:02:37, Serial0/0/0
C    40.0.0.0/8 is directly connected, Serial0/0/0
C    50.0.0.0/8 is directly connected, FastEthernet0/0
R4#
To test eigrp routing, ping from pc1 to pc2 and vice versa. If you get a reply then you have successfully configured
eigrp routing, but if you did not get a reply, double check this configuration and try to troubleshoot.

OPEN SHORTEST PATH FIRST(OSPF)

The biggest advantage of OSPF over EIGRP is that it will run on any device, as it's based on an open standard.
Advantages

It will run on most routers, since it is based on an open standard.

It uses the SPF algorithm, developed by Dijkstra, to provide a loop-free topology.

It provides fast convergence with triggered, incremental updates via Link State
Advertisements (LSAs).

It is a classless protocol and allows for a hierarchical design with VLSM and route
summarization.

Disadvantages:

It requires more memory to hold the adjacency (list of OSPF neighbors), topology
and routing tables.

It requires extra CPU processing to run the SPF algorithm.

It is complex to configure and more difficult to troubleshoot.

Features

OSPF implements a two-layer hierarchy: the backbone (area 0) and areas off of the
backbone (areas 1 to 65,535).

To provide scalability OSPF supports two important concepts: autonomous systems
and areas.

On synchronous serial links, no matter what the clock rate of the physical link is, the
bandwidth always defaults to 1544 Kbps.

OSPF uses cost as a metric, which is the inverse of the bandwidth of a link.
OSPF Routing Configurations

In this example I will demonstrate OSPF routing configuration. We will use four different series
of router so you can get familiar with all the different platforms covered in the CCNA exam. Create a
topology as shown in the figure.

Configuring OSPF is slightly different from configuring RIP. When configuring OSPF, use the following syntax:
Router(config)# router ospf process_ID
Router(config-router)# network IP_address wildcard_mask area area_#
The process_ID is locally significant and is used to differentiate between OSPF processes
running on the same router. Your router might be a boundary router between two OSPF
autonomous systems, and to differentiate them on your router, you'll give them unique
process IDs. Note that these numbers do not need to match between different routers and
that they have nothing to do with autonomous system numbers.
1841 Series Router0 (R1)
  Interface         IP address    Connected with
  FastEthernet0/0   10.0.0.1      Pc0
  Serial0/0/0       20.0.0.1      R2 on Serial 0/0

2811 Series Router0 (R4)
  Interface         IP address    Connected with
  FastEthernet0/0   50.0.0.1      Pc1
  Serial0/0/0       40.0.0.2      R3 on Serial 0/0

2621XM Series Router0 (R3)
  Interface         IP address    Connected with
  FastEthernet0/0   30.0.0.2      R2 on FastEthernet0/0
  Serial0/0         40.0.0.1      R4 on Serial 0/0/0

2620XM Series Router1 (R2)
  Interface         IP address    Connected with
  FastEthernet0/0   30.0.0.1      R3 on FastEthernet0/0
  Serial0/0         20.0.0.2      R1 on Serial 0/0/0

PC-PT PC0
  Interface         IP address    Default Gateway   Connected with
  FastEthernet0     10.0.0.2      10.0.0.1          R1 on FastEthernet0/0

PC-PT PC1
  Interface         IP address    Default Gateway   Connected with
  FastEthernet0     50.0.0.2      50.0.0.1          R4 on FastEthernet0/0

To configure any router, double click on it and select CLI. To configure this topology:

(1841Router0) Hostname R1
To configure and enable ospf routing on R1 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 20.0.0.0 0.255.255.255 area 0
R1(config-router)#exit
R1(config)#
(2620XM-Router1) Hostname R2
To configure and enable ospf routing on R2 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface serial 0/0
R2(config-if)#ip address 20.0.0.2 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to up


%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to
up
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R2(config)#router ospf 2
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 30.0.0.0 0.255.255.255 area 0
00:03:10: %OSPF-5-ADJCHG: Process 2, Nbr 20.0.0.1 on Serial0/0 from LOADING to FULL, Loading Done
R2(config-router)#network 30.0.0.0 0.255.255.255 area 0
R2(config-router)#exit
R2(config)#
(2620XM-Router2)Hostname R3
To configure and enable ospf routing on R3 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.0.0.2 255.0.0.0
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
R3(config-if)#interface serial 0/0
R3(config-if)#ip address 40.0.0.1 255.0.0.0
R3(config-if)#clock rate 64000
R3(config-if)#bandwidth 64
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to down
R3(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to
up
R3(config)#router ospf 3
R3(config-router)#network 40.0.0.0 0.255.255.255 area 0
R3(config-router)#network 30.0.0.0 0.255.255.255 area 0
00:04:53: %OSPF-5-ADJCHG: Process 3, Nbr 30.0.0.1 on FastEthernet0/0 from
LOADING to FULL, Loading D
R3(config-router)#exit
R3(config)#
%SYS-5-CONFIG_I: Configured from console by console
R3#


(2811Router3) Hostname R4
To configure and enable ospf routing on R4 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 40.0.0.2 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to
up
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 50.0.0.1 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
state to up
Router(config-if)#exit
R4(config)#router ospf 4
R4(config-router)#network 50.0.0.0 0.255.255.255 area 0
R4(config-router)#network 40.0.0.0 0.255.255.255 area 0
R4(config-router)#
00:06:32: %OSPF-5-ADJCHG: Process 4, Nbr 40.0.0.1 on Serial0/0/0 from
LOADING to FULL, Loading Done
R4(config-router)#exit
R4(config)#
PC-1
PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 50.0.0.2
Pinging 50.0.0.2 with 32 bytes of data:
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=140ms TTL=124
Ping statistics for 50.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 127ms, Maximum = 156ms, Average = 144ms
PC>
PC-2
PC>ipconfig


IP Address......................: 50.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 50.0.0.1
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time=140ms TTL=124
Reply from 10.0.0.2: bytes=32 time=141ms TTL=124
Reply from 10.0.0.2: bytes=32 time=157ms TTL=124
Reply from 10.0.0.2: bytes=32 time=156ms TTL=124
Ping statistics for 10.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 140ms, Maximum = 157ms, Average = 148ms
You can verify that ospf is running successfully via the show ip protocols command in
privileged mode.
R4#show ip protocols
Routing Protocol is "ospf 4"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 50.0.0.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
50.0.0.0 0.255.255.255 area 0
40.0.0.0 0.255.255.255 area 0
Routing Information Sources:
Gateway         Distance      Last Update
40.0.0.1        110           00:01:26
Distance: (default is 110)
R4#
You can use the show ip route command to troubleshoot an ospf network. If you do not
see a route for a network, check the router attached to that network.
R4#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
O    10.0.0.0/8 [110/1564] via 40.0.0.1, 00:02:37, Serial0/0/0
O    20.0.0.0/8 [110/1563] via 40.0.0.1, 00:02:37, Serial0/0/0
O    30.0.0.0/8 [110/782] via 40.0.0.1, 00:02:37, Serial0/0/0
C    40.0.0.0/8 is directly connected, Serial0/0/0
C    50.0.0.0/8 is directly connected, FastEthernet0/0
R4#
To test ospf routing, ping from pc1 to pc2 and vice versa. If you get a reply then you have successfully configured
ospf routing, but if you did not get a reply, double check this configuration and try to troubleshoot.

Access control list


ACLs are basically a set of commands, grouped together by a number or
name that is used to filter traffic entering or leaving an interface.
When activating an ACL on an interface, you must specify in which direction
the traffic should be filtered:

Inbound (as the traffic comes into an interface)

Outbound (before the traffic exits an interface)

Inbound ACLs:
Incoming packets are processed before they are routed to an outbound
interface. An inbound ACL is efficient because it saves the overhead of
routing lookups if the packet will be discarded after it is denied by the
filtering tests. If the packet is permitted by the tests, it is processed for
routing.
Outbound ACLs:
Incoming packets are routed to the outbound interface and then processed
through the outbound ACL.
Universal facts about access control lists
1. ACLs come in two varieties: numbered and named.
2. Each of these references to ACLs supports two types of filtering:
standard and extended.
3. Standard IP ACLs can filter only on the source IP address inside a
packet.
4. Whereas extended IP ACLs can filter on the source and
destination IP addresses in the packet.
5. There are two actions an ACL can take: permit or deny.
6. Statements are processed top-down.
7. Once a match is found, no further statements are processed;
therefore, order is important.
8. If no match is found, the imaginary implicit deny statement at the
end of the ACL drops the packet.
9. An ACL should have at least one permit statement; otherwise, all traffic
will be dropped because of the hidden implicit deny statement at the
end of every ACL.
No matter what type of ACL you use, though, you can have only one ACL per
protocol, per interface, per direction. For example, you can have one IP ACL
inbound on an interface and another IP ACL outbound on an interface, but
you cannot have two inbound IP ACLs on the same interface.
Access List Ranges
Type                          Range
IP Standard                   1-99
IP Extended                   100-199
IP Standard Expanded Range    1300-1999
IP Extended Expanded Range    2000-2699

Standard ACLs
A standard IP ACL is simple; it filters based on source address only. You can
filter a source network or a source host, but you cannot filter based on the
destination of a packet, the particular protocol being used such as the
Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), or
on the port number. You can permit or deny only source traffic.
Extended ACLs:
An extended ACL gives you much more power than just a standard ACL.
Extended IP ACLs check both the source and destination packet addresses.
They can also check for specific protocols, port numbers, and other
parameters, which allow administrators more flexibility and control.
Named ACLs
One of the disadvantages of using IP standard and IP extended ACLs is that
you reference them by number, which is not too descriptive of its use. With a
named ACL, this is not the case because you can name your ACL with a
descriptive name. The ACL named DenyMike is a lot more meaningful than
an ACL simply numbered 1. There are both IP standard and IP extended
named ACLs.
Another advantage to named ACLs is that they allow you to remove
individual lines out of an ACL. With numbered ACLs, you cannot delete
individual statements. Instead, you will need to delete your existing access
list and re-create the entire list.
Configuration Guidelines

Order of statements is important: put the most restrictive statements
at the top of the list and the least restrictive at the bottom.

ACL statements are processed top-down until a match is found,
and then no more statements in the list are processed.

If no match is found in the ACL, the packet is dropped (implicit deny).

Each ACL needs either a unique number or a unique name.

The router cannot filter traffic that it, itself, originates.

You can have only one IP ACL applied to an interface in each direction
(inbound and outbound); you can't have two or more inbound or
outbound ACLs applied to the same interface. (Actually, you can have
one ACL for each protocol, like IP and IPX, applied to an interface in
each direction.)

Applying an empty ACL to an interface permits all traffic by default: in
order for an ACL to have an implicit deny statement, you need at least
one actual permit or deny statement.

Remember the numbers you can use for IP ACLs. Standard ACLs can
use numbers ranging 1-99 and 1300-1999, and extended ACLs can
use 100-199 and 2000-2699.

A wildcard mask is not a subnet mask. Like an IP address or a subnet
mask, a wildcard mask is composed of 32 bits. When doing the
conversion, subtract each byte in the subnet mask from 255.

There are two special types of wildcard masks:
0.0.0.0 and 255.255.255.255

A 0.0.0.0 wildcard mask is called a host mask.

If you enter 255.255.255.255, the router will convert the address and
mask to the keyword any.
Placement of ACLs
Standard ACLs should be placed as close to the destination devices as
possible.
Extended ACLs should be placed as close to the source devices as possible.

standard access lists


Because a standard access list filters only traffic based on source traffic, all
you need is the IP address of the host or subnet you want to permit or deny.
ACLs are created in global configuration mode and then applied on an
interface. The syntax for creating a standard ACL is
access-list {1-99 | 1300-1999} {permit | deny} source-address [wildcard mask]
In this example we will configure a standard access list. If you want to read the
features and characteristics of access lists, read the previous example,
Access control list.
In this example we will use the RIP topology which we created in the RIP
routing practical.

Create this RIP routing topology and open it in packet tracer

Three basic steps to configure a Standard Access List

1. Use the access-list global configuration command to create an entry in
a standard ACL.

2. Use the interface configuration command to select an interface to
which to apply the ACL.

3. Use the ip access-group interface configuration command to activate
the existing ACL on an interface.

With access lists you will have a variety of uses for the wildcard masks, but
typically, from a CCNA exam perspective, you should be able to do the following:
1. Match a specific host,
2. Match an entire subnet,
3. Match an IP range, or
4. Match Everyone and anyone
Match specific hosts
Task
You have been given a task to block 10.0.0.3 from gaining access to 40.0.0.0,
while 10.0.0.3 must still be able to communicate with other networks. Other computers
from the network 10.0.0.0 must be able to connect with the network
40.0.0.0.
Decide where to apply the ACL and in which direction.
Our host must be able to communicate with other hosts except 40.0.0.0, so we
will place this access list on FastEthernet 0/1 of R2 (2811), connected to the
network 40.0.0.0. The direction will be outbound, as the packet will be filtered while it is
leaving the interface. If you place this list on R1 (1841) then host 10.0.0.3 will
not be able to communicate with any other hosts, including 40.0.0.0.
To configure R2, double click on it and select CLI. (Choose only one of the two methods
below; the result will be the same.)
R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 1 deny host 10.0.0.3
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out
OR
R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 1 deny 10.0.0.3 0.0.0.0
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out
To test, first ping from 10.0.0.3 to 40.0.0.3; it should be request timed out, as
this packet will be filtered by the ACL. Then ping 30.0.0.3; it should be a successful
reply.
PC>ping 40.0.0.3
Pinging 40.0.0.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 40.0.0.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>ping 30.0.0.3
Pinging 30.0.0.3 with 32 bytes of data:
Request timed out.
Reply from 30.0.0.3: bytes=32 time=140ms TTL=126
Reply from 30.0.0.3: bytes=32 time=156ms TTL=126
Reply from 30.0.0.3: bytes=32 time=112ms TTL=126
Ping statistics for 30.0.0.3:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 112ms, Maximum = 156ms, Average = 136ms
As we applied the access list only to a specific host, other computers from the
network 10.0.0.0 must be able to connect with the network 40.0.0.0. To
test, ping from 10.0.0.2 to 40.0.0.3.
PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 40.0.0.3
Pinging 40.0.0.3 with 32 bytes of data:
Request timed out.
Reply from 40.0.0.3: bytes=32 time=141ms TTL=126
Reply from 40.0.0.3: bytes=32 time=140ms TTL=126
Reply from 40.0.0.3: bytes=32 time=125ms TTL=126
Ping statistics for 40.0.0.3:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 125ms, Maximum = 141ms, Average = 135ms
Match an entire subnet
Task
You have been given a task to block the network 10.0.0.0 from gaining access to
40.0.0.0, while 10.0.0.0 must be able to communicate with other networks.
Wildcards
Wildcards are used with access lists to specify an individual host, a network,
or a certain range of a network or networks.
Formula to calculate the wildcard mask for an access list
The key to matching an entire subnet is to use the following formula for the
wildcard mask. It goes as follows:
Wildcard mask = 255.255.255.255 - subnet mask
So for example if my current subnet mask was 255.0.0.0, the wildcard mask would be
0.255.255.255.
  255.255.255.255
- 255.  0.  0.  0
-----------------
    0.255.255.255
Once you have calculated the wildcard mask, the rest is the same as we did in the
previous example.
R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.0.0.0 0.255.255.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#
To test, first ping from 10.0.0.3 to 40.0.0.3; it should be request timed out, as
this packet will be filtered by the ACL. Then ping 30.0.0.3; it should be a successful
reply.
Now ping from 10.0.0.2 to 40.0.0.3 and then 30.0.0.2; the result should be
the same, as the packets are now filtered on a network basis.
Match an IP range
You are a network administrator at XYZ. Your task is to block the IP range
10.3.16.0 to 10.3.31.255 from gaining access to the network 40.0.0.0.

Solutions
Our range is 10.3.16.0 to 10.3.31.255. In order to find the mask, take the
higher IP and subtract from it the lower IP.
  10.3.31.255
- 10.3.16.  0
-------------
   0.0.15.255
In this case the wildcard mask for this range is 0.0.15.255.
To block this range, as the task requires, you would use the following:
R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.3.16.0 0.0.15.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#
One thing to note is that each non-zero value in the mask must be one less
than a power of 2, i.e. 0, 1, 3, 7, 15, 31, 63, 127, 255.
Match Everyone and Anyone
This is the easiest of Access-Lists to create, just use the following:
access-list 1 permit any
or
access-list 1 permit 0.0.0.0 255.255.255.255
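As an added example (not code from the course manual), the following Python puts the wildcard arithmetic from the four matching cases above next to the top-down, first-match, implicit-deny processing of a standard ACL described in the configuration guidelines. The access-list lines are this chapter's own, with the IP-range list renumbered 4 so it does not merge into list 2, and the empty-ACL case behaves as the guidelines state.

```python
import ipaddress

# Added example (not code from the course manual): the wildcard-mask
# arithmetic from this chapter and the top-down, first-match,
# implicit-deny processing of a standard IP ACL.

def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def _dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def wildcard_from_subnet(subnet_mask: str) -> str:
    """Wildcard mask = 255.255.255.255 - subnet mask, one octet at a time."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))

def octets_valid(wildcard: str) -> bool:
    """Each octet must be one less than a power of 2 (0, 1, 3, 7, ..., 255)."""
    return all((int(o) & (int(o) + 1)) == 0 for o in wildcard.split("."))

def wildcard_for_range(low: str, high: str) -> str:
    """Wildcard for a range = high address - low address.  That subtraction
    describes the range exactly only when the range is one aligned block
    (e.g. 10.3.16.0-10.3.31.255); anything else is rejected rather than
    silently matching too many or too few hosts."""
    lo, hi = _ip(low), _ip(high)
    wc = hi - lo
    if wc < 0 or (wc & (wc + 1)) != 0 or (lo & wc) != 0:
        raise ValueError(f"{low}-{high} is not one aligned block; split it")
    return _dotted(wc)

def wildcard_match(address: str, entry_addr: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return ((_ip(address) ^ _ip(entry_addr)) & care) == 0

def parse_standard_acl(config_lines):
    """Collect 'access-list N {permit|deny} {host A | any | A [W]}' lines into
    {N: [(action, address, wildcard), ...]} in the order they were entered.
    A leading Router(config)# prompt is tolerated so lines can be pasted as shown."""
    acls = {}
    for line in config_lines:
        if "#" in line:
            line = line.split("#", 1)[1]
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action, rest = int(t[1]), t[2], t[3:]
        if not (1 <= number <= 99 or 1300 <= number <= 1999):
            raise ValueError(f"{number} is not a standard IP ACL number")
        if rest[0] == "any":
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif rest[0] == "host":
            addr, wc = rest[1], "0.0.0.0"
        else:  # 'A W', or a bare 'A', which IOS treats as a host match
            addr, wc = rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")
        acls.setdefault(number, []).append((action, addr, wc))
    return acls

def evaluate_standard_acl(entries, source: str) -> str:
    """Statements are processed top-down; the first match decides and nothing
    after it is examined.  A list with statements ends in an implicit deny;
    an empty list applied to an interface permits everything."""
    if not entries:
        return "permit"
    for action, addr, wc in entries:
        if wildcard_match(source, addr, wc):
            return action
    return "deny"

# The access-list lines from this chapter's tasks as typed on R2; the
# IP-range list is renumbered 4 here so that it does not merge into list 2.
ACL_CONFIG = [
    "R2(config)#access-list 1 deny host 10.0.0.3",
    "R2(config)#access-list 1 permit any",
    "R2(config)#access-list 2 deny 10.0.0.0 0.255.255.255",
    "R2(config)#access-list 2 permit any",
    "R2(config)#access-list 3 permit host 20.0.0.2",
    "R2(config)#access-list 4 deny 10.3.16.0 0.0.15.255",
    "R2(config)#access-list 4 permit any",
]

if __name__ == "__main__":
    acls = parse_standard_acl(ACL_CONFIG)
    for number, source in [(1, "10.0.0.3"), (1, "10.0.0.2"), (2, "30.0.0.3"),
                           (3, "20.0.0.3"), (4, "10.3.20.7"), (4, "10.3.32.1")]:
        print(f"ACL {number}, source {source}: {evaluate_standard_acl(acls[number], source)}")
    print(wildcard_from_subnet("255.0.0.0"), wildcard_for_range("10.3.16.0", "10.3.31.255"))
```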
Secure telnet session via standard ACL
This is among the most highly tested topics in the CCNA exam. We could use an extended
ACL to secure telnet sessions, but if you did that, you'd have to apply it
inbound on every interface, and that really wouldn't scale well to a large
router with dozens, even hundreds, of interfaces. Here's a much better
solution:
Use a standard IP access list to control access to the VTY lines
themselves.
To perform this function, follow these steps:
1. Create a standard IP access list that permits only the host or hosts you
want to be able to telnet into the routers.
2. Apply the access list to the VTY line with the access-class command
Secure R2 so that only 20.0.0.2 can telnet to it; all other
telnet sessions should be denied.
R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 3 permit host 20.0.0.2
R2(config)#line vty 0 4
R2(config-line)#password vinita
R2(config-line)#login
R2(config-line)#access-class 3 in
To test, first telnet from 20.0.0.2; it should be successful.
PC>ipconfig
IP Address......................: 20.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1
PC>telnet 50.0.0.2
Trying 50.0.0.2 ...
User Access Verification
Password:
R2>
Now telnet to it from any PC other than 20.0.0.2; it must be filtered
and denied.
PC>ipconfig
IP Address......................: 20.0.0.3
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1
PC>telnet 50.0.0.2
Trying 50.0.0.2 ...
% Connection refused by remote host
PC>


Configure Extended Access Lists

An extended ACL gives you much more power than just a standard ACL.
Extended IP ACLs check both the source and destination packet addresses.
They can also check for specific protocols, port numbers, and other
parameters, which allow administrators more flexibility and control.

access-list access-list-number {permit | deny} protocol source source-wildcard [operator port]
destination destination-wildcard [operator port] [established] [log]
Command Parameters and Descriptions

access-list                Main command.

access-list-number         Identifies the list using a number in the ranges of
                           100-199 or 2000-2699.

permit | deny              Indicates whether this entry allows or blocks the
                           specified address.

protocol                   IP, TCP, UDP, ICMP, GRE, or IGRP.

source and destination     Identifies source and destination IP addresses.

source-wildcard and        Wildcard masks for the source and destination
destination-wildcard       addresses (see Wildcards above).

operator port              The operator can be lt (less than), gt (greater
                           than), eq (equal to), or neq (not equal to). The
                           port number referenced can be either the source
                           port or the destination port, depending on where
                           in the ACL the port number is configured. As an
                           alternative to the port number, well-known
                           application names can be used, such as Telnet,
                           FTP, and SMTP.

established                For inbound TCP only. Allows TCP traffic to pass
                           if the packet is a response to an outbound-
                           initiated session. This type of traffic has the
                           acknowledgement (ACK) bits set. (See the Extended
                           ACL with the Established Parameter example.)

log                        Sends a logging message to the console.

Before we configure an extended access list you should memorize some
important port numbers.
Well-Known Port Numbers and IP Protocols
Port Number     IP Protocol
20 (TCP)        FTP data
21 (TCP)        FTP control
23 (TCP)        Telnet
25 (TCP)        Simple Mail Transfer Protocol (SMTP)
53 (TCP/UDP)    Domain Name System (DNS)
69 (UDP)        TFTP
80 (TCP)        HTTP

In this example we will configure an extended access list. If you want to read
the features and characteristics of access lists, read the previous example,
Access control list.

In this example we will use the RIP topology which we created in the RIP
routing practical.

Create this RIP routing topology and open it in packet tracer

Three basic steps to configure an Extended Access List

1. Use the access-list global configuration command to create an entry in
an extended ACL.

2. Use the interface configuration command to select an interface to
which to apply the ACL.

3. Use the ip access-group interface configuration command to activate
the existing ACL on an interface.

With access lists you will have a variety of uses for the wildcard masks, but
typically, from a CCNA exam perspective, you should be able to do the following:
1. Block host to host
2. Block host to network
3. Block network to network
4. Block telnet access for critical resources of the company
5. Limit FTP access for users
6. Stop exploration of the private network via ping
7. Limit web access
8. Configure the established keyword
Block host to host
Task
You are the network administrator at XYZ. Your company hires a new
employee and gives him a PC, 10.0.0.3. Your company's critical records remain
on 40.0.0.3, so you are asked to block access to 40.0.0.3 from 10.0.0.3,
while 10.0.0.3 must be able to connect with the other computers of the network to
perform his tasks.
Decide where to apply the ACL and in which direction.
As we are configuring an extended access list, we can
filter the packet as soon as it is generated. So we will place our access list on
F0/0 of Router1841, the port nearest to 10.0.0.3.
To configure Router1841 (Hostname R1) double click on it and select CLI
R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 101 deny ip host 10.0.0.3 40.0.0.3 0.0.0.0
R1(config)#access-list 101 permit ip any any
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 101 in
R1(config-if)#exit
R1(config)#
Verify by pinging from 10.0.0.3 to 40.0.0.3. It should be request timed out.
Also ping other computers of the network, including 40.0.0.2; the ping should be
successful.
Block host to network
Task
Now we will block 10.0.0.3 from gaining access to the network 40.0.0.0.
(If you are doing this practical after configuring the previous example, don't
forget to remove the last access list, 101, with the no access-list command, or
just close Packet Tracer without saving and reopen it to continue with
this example.)
R1(config)#access-list 102 deny ip host 10.0.0.3 40.0.0.0 0.255.255.255
R1(config)#access-list 102 permit ip any any
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 102 in
R1(config-if)#exit
R1(config)#
Verify by pinging from 10.0.0.3 to 40.0.0.3 and 40.0.0.2. It should be
request timed out. Also ping computers of other networks; the ping should be
successful.
Network to Network Access List
Task
The students' lab is configured on the network 10.0.0.0, while the management systems remain on the network 40.0.0.0. You are asked to stop the lab systems from gaining access to the management systems.
Now we will block the network 10.0.0.0 from gaining access to the network 40.0.0.0. (If you are doing this practical after configuring the previous example, don't forget to remove the last access list 101 with the no access-list command. Or just close Packet Tracer without saving and reopen it to continue with this example.)
R1(config)#access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
R1(config)#access-list 103 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 103 in
R1(config-if)#exit
R1(config)#
Verify by doing a ping from 10.0.0.3 and 10.0.0.2 to 40.0.0.3 and 40.0.0.2. It should be request timed out. Also ping computers on other networks; those pings should succeed.
Network to host
Task
For the final scenario you will block all traffic to 40.0.0.3 from the network 10.0.0.0. To accomplish this, write an extended access list. The access list should look something like the following.
R1(config)#interface fastethernet 0/0
R1(config-if)#no ip access-group 103 in
R1(config-if)#exit
R1(config)#no access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
R1(config)#access-list 104 deny ip 10.0.0.0 0.255.255.255 40.0.0.3 0.0.0.0
R1(config)#access-list 104 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 104 in
R1(config-if)#exit
R1(config)#
Verify by doing a ping from 10.0.0.3 and 10.0.0.2 to 40.0.0.3. It should be request timed out. Also ping computers on other networks; those pings should succeed.
Application based Extended Access list
In pervoius example we filter ip base traffic. Now we will filter applicaion
base traffic. To do this practical either create a topology as shown in figure
and enable telnet and http and ftp service on server or Create thispre
configured topology and load it in packet tracer.
111

Extended Access list

The established keyword


The established keyword is a advanced feature that will allow traffic
through only if it sees that a TCP session is already established. A TCP
session is considered established if the three-way handshake is initiated first.
This keyword is added only to the end of extended ACLs that are filtering TCP
traffic.
You can use TCP established to deny all traffic into your network except for incoming traffic that was first initiated from inside your network. This is commonly used to block all originating traffic from the Internet into a company's network except for Internet traffic that was first initiated from users inside the company. The following configuration would accomplish this for all TCP-based traffic coming into interface serial 0/0/0 on the router:
R1(config)#access-list 101 permit tcp any any established
R1(config)#interface serial 0/0/0
R1(config-if)#ip access-group 101 in
R1(config-if)#exit
Although the access list is using a permit statement, all traffic is denied
unless it is first established from the inside network. If the router sees that
the three-way TCP handshake is successful, it will then begin to allow traffic
through.

To test this access list, double click on any PC from the network 10.0.0.0 and select Web Browser. Now give the IP of the 30.0.0.2 web server. It should successfully access the web page. Now go to 30.0.0.2, open the command prompt, and ping 10.0.0.2 or any PC from the network 10.0.0.0. It will be request timed out.
Stop ping but can access web server
We host our web server on 30.0.0.2. But we do not want to allow external users to ping our server, as it could be used for denial of service. Create an access list that will filter all ping requests inbound on the serial 0/0/0 interface of Router2.
R2(config)#access-list 102 deny icmp any any echo
R2(config)#access-list 102 permit ip any any
R2(config)#interface serial 0/0/0
R2(config-if)#ip access-group 102 in
To test this access list, ping from 10.0.0.2 to 30.0.0.2; it should be request timed out. Now open the web browser and access 30.0.0.2; the page should be retrieved successfully.
Grant FTP access to limited user
You want to grant FTP access only to 10.0.0.2; no other user needs FTP access to the server. So you want to create a list to prevent FTP traffic that originates from the subnet 10.0.0.0/8, going to the 30.0.0.2 server, from traveling in on Ethernet interface E0/1 on R1.
R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 20
R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 21
R1(config)#access-list 103 deny tcp any any eq 20
R1(config)#access-list 103 deny tcp any any eq 21
R1(config)#access-list 103 permit ip any any
R1(config)#interface fastethernet 0/1
R1(config-if)#ip access-group 103 in
R1(config-if)#exit
Grant Telnet access to limited user
For security purposes you don't want to provide telnet access to the server from any system except your own. Your system is 10.0.0.4. Create an extended access list to prevent telnet traffic that originates from the subnet 10.0.0.0 to the server.
R1(config)#access-list 104 permit tcp host 10.0.0.4 30.0.0.2 0.0.0.0 eq 23
R1(config)#access-list 104 deny tcp 10.0.0.0 0.255.255.255 30.0.0.2 0.0.0.0 eq 23
R1(config)#access-list 104 permit ip any any
R1(config)#interface fast 0/1
R1(config-if)#ip access-group 104 in
R1(config-if)#exit
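An added example, not part of the course material: a small Python model of how IOS evaluates the numbered access lists used in the scenarios above (the host-to-network list 102, the established list 101, the ICMP echo list 102 on R2, and the FTP list 103), so you can predict which pings and connections each lab blocks before testing in Packet Tracer. Assumptions of mine: packets are plain dicts, entries are checked top-down with first match winning and the implicit deny at the end, and established matches segments with the ACK or RST bit set.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' is 0.0.0.0 with an all-ones wildcard

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, pattern, wildcard):
    """Cisco wildcard test: a 0 bit in the wildcard must match the pattern,
    a 1 bit is a don't-care. 'host X' is X 0.0.0.0."""
    care_bits = ~ip_int(wildcard) & 0xFFFFFFFF
    return ((ip_int(addr) ^ ip_int(pattern)) & care_bits) == 0

def _take_addr(tokens):
    """Consume one address spec from the token list: any | host X | X wildcard."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line into an access control entry."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("not an access-list line: " + line)
    number, action, tokens = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99:            # standard list: source address only, any protocol
        proto, src, dst = "ip", _take_addr(tokens), ANY
    else:                            # extended list: protocol, source, destination
        proto = tokens.pop(0)
        src = _take_addr(tokens)
        dst = _take_addr(tokens)
    ace = {"action": action, "proto": proto, "src": src, "dst": dst,
           "dport": None, "established": False, "icmp_type": None}
    while tokens:                    # optional qualifiers used in this section
        t = tokens.pop(0)
        if t == "eq":
            ace["dport"] = int(tokens.pop(0))
        elif t == "established":
            ace["established"] = True
        elif t in ("echo", "echo-reply"):
            ace["icmp_type"] = t
        else:
            raise ValueError("unsupported keyword in this model: " + t)
    return ace

def matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    # 'established' matches only segments with ACK or RST set, so the SYN that
    # opens a new connection from outside never matches 'permit ... established'
    if ace["established"] and not ({"ACK", "RST"} & set(pkt.get("flags", ()))):
        return False
    if ace["icmp_type"] is not None and pkt.get("icmp_type") != ace["icmp_type"]:
        return False
    return True

def evaluate(acl_lines, pkt):
    """Top-down, first match wins; no match falls to the implicit 'deny ip any any'."""
    for line in acl_lines:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

def pkt(src, dst, proto="ip", **fields):
    """Constructed test packet: src, dst, proto plus dport/flags/icmp_type as needed."""
    return {"src": src, "dst": dst, "proto": proto, **fields}

# The lists typed into R1 and R2 in this section, copied from the lab text
ACL_102_HOST_TO_NET = ["access-list 102 deny ip host 10.0.0.3 40.0.0.0 0.255.255.255",
                       "access-list 102 permit ip any any"]
ACL_101_ESTABLISHED = ["access-list 101 permit tcp any any established"]
ACL_102_NO_PING = ["access-list 102 deny icmp any any echo",
                   "access-list 102 permit ip any any"]
ACL_103_FTP = ["access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 20",
               "access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 21",
               "access-list 103 deny tcp any any eq 20",
               "access-list 103 deny tcp any any eq 21",
               "access-list 103 permit ip any any"]

if __name__ == "__main__":
    checks = [
        (ACL_102_HOST_TO_NET, pkt("10.0.0.3", "40.0.0.3", "icmp", icmp_type="echo")),
        (ACL_101_ESTABLISHED, pkt("30.0.0.2", "10.0.0.2", "tcp", dport=80, flags=("SYN",))),
        (ACL_102_NO_PING, pkt("10.0.0.2", "30.0.0.2", "tcp", dport=80, flags=("SYN",))),
        (ACL_103_FTP, pkt("10.0.0.3", "30.0.0.2", "tcp", dport=21, flags=("SYN",))),
    ]
    for acl, p in checks:
        print(acl[0].split()[1], p["src"], "->", p["dst"], p["proto"], evaluate(acl, p))
```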

WAN protocols HDLC PPP Frame Relay NAT PAT

WAN terms and definitions, encapsulation methods HDLC and PPP
A WAN is a data communications network that operates beyond the geographical scope of a LAN.
WANs use facilities provided by a service provider, or carrier, such as a telephone or cable company. They connect the locations of an organization to each other, to locations of other organizations, to external services, and to remote users. WANs generally carry a variety of traffic types, such as voice, data, and video.
WAN connections are made up of many types of equipment and components.
Data communications equipment (DCE) terminates a connection between two sites and provides clocking and synchronization for that connection; it connects to data termination equipment (DTE).
A DTE is an end-user device, such as a router or PC, which connects to the WAN via the DCE.
Term                               Definition
Customer premises equipment (CPE)  Your network's equipment, which includes the DCE (modem, NT1, CSU/DSU) and your DTE (router, access server)
Demarcation point                  Where the responsibility of the carrier is passed on to you; this could be inside or outside your local facility; note that this is a logical boundary, not necessarily a physical boundary
Local loop                         The connection from the carrier's switching equipment to the demarcation point
Central office (CO) switch         The carrier's switch within the toll network
Toll network                       The carrier's internal infrastructure for transporting your data
Customer premises equipment (CPE)
Customer premises equipment (CPE) is equipment that's owned by the subscriber and located on the subscriber's premises.
Demarcation point
The demarcation point is the precise spot where the service provider's responsibility ends and the CPE begins. It's generally a device in a telecommunications closet owned and installed by the telecommunications company (telco). It's your responsibility to cable (extended demarc) from this box to the CPE, which is usually a connection to a CSU/DSU or ISDN interface.
Local loop
The local loop connects the demarc to the closest switching office, which is called a central office.
Central office (CO)
This point connects the customer's network to the provider's switching network.
Toll network
The toll network is a trunk line inside a WAN provider's network. This network is a collection of switches and facilities owned by the ISP. Definitely familiarize yourself with these terms because they're crucial to understanding WAN technologies.
Synchronous vs. asynchronous
A synchronous serial connection allows you to simultaneously send and receive information without having to wait for any signal from the remote side. Nor does a synchronous connection need to indicate when it is beginning to send something or the end of a transmission. These two things, plus how clocking is done, are the three major differences between synchronous and asynchronous connections; asynchronous connections are typically used for dialup connections, such as modems.
Wide-area networking can be broken into three categories:
Leased line
Circuit switched
Packet switched
Leased-Line Connections
With a leased line, you get your very own piece of wire from your location to the service provider's network. This is good because no other customer can affect your line, as can be the case with other WAN services. You have a lot of control over this circuit to do things such as Quality of Service and other traffic management. The downside is that a leased line is expensive and gets a lot more expensive if you need to connect offices that are far apart.
These are usually referred to as a point-to-point or dedicated connection. A leased line is a pre-established WAN communications path that goes from the CPE through the DCE switch, then over to the CPE of the remote site. A leased line is the right choice when:
The distance between the two sites is small, making them cost-effective.
You have a constant amount of traffic between two sites and need to guarantee bandwidth for certain applications.
Circuit-Switched Connections
A circuit-switched WAN uses the phone company as the service provider, either with analog dial-up or digital ISDN connections. With circuit-switching, if you need to connect to the remote LAN, a call is dialed and a circuit is established; the data is sent across the circuit, and the circuit is taken down when it is no longer needed. Circuit-switched connections include the following types:
Asynchronous serial connections
These include analog modem dialup connections and the standard telephone system, which is commonly referred to
as Plain Old Telephone Service (POTS) by the telephone carriers.
Synchronous serial connections
These include digital ISDN BRI and PRI dialup connections; they provide guaranteed bandwidth.
Packet-Switched Connections
Packet-switched WAN services allow you to connect to the provider's network in much the same way as a PC
connects to a hub: When connected, your traffic is affected by other customers' and theirs by you. This can be an
issue sometimes, but it can be managed. The advantage of this shared-bandwidth technology is that with a single
physical connection from your router's serial port, you can establish virtual connections to many other locations
around the world. Packet-switched connections use logical circuits to make connections between two sites. These
logical circuits are referred to as virtual circuits (VCs). So if you have a lot of branch offices and they are far away
from the head office, a packet-switched solution is a good idea.
X.25
The oldest of these four technologies is X.25, which is an ITU-T standard. X.25 is a network layer protocol that runs
across both synchronous and asynchronous physical circuits, providing a lot of flexibility for your connection
options. X.25 was actually developed to run across unreliable medium. It provides error detection and correction, as
well as flow control, at both the data link layer (by LAPB) and the network layer (by X.25). In this sense, it
performs a function similar to what TCP, at the transport layer, provides for IP. Because of its overhead, X.25 is best
delegated to asynchronous, unreliable connections. If you have a synchronous digital connection, another protocol,
such as Frame Relay or ATM, is much more efficient.
Frame Relay
Frame Relay is a digital packet-switched service that can run only across synchronous digital connections at the data link layer. Because it uses digital connections (which have very few errors), it does not perform any error correction or flow control as X.25 does. Frame Relay will, however, detect errors and drop bad frames. It is up to a higher layer protocol, such as TCP, to resend the dropped information.
ATM
ATM is also a packet-switched technology that uses digital circuits. Unlike Frame Relay and X.25, however, this service uses fixed-length (53 byte) packets, called cells, to transmit information. Therefore, this service is commonly called a cell-switched service. It has an advantage over Frame Relay in that it can provide guaranteed throughput and minimal delay for a multitude of services, including voice, video, and data. However, it does cost more than Frame Relay services. ATM (sort of an enhanced Frame Relay) can offer a connection guaranteed bandwidth, limited delay, limited number of errors, Quality of Service (QoS), and more. Frame Relay can provide some minimal guarantees to connections, but not to the degree of precision that ATM can. Whereas Frame Relay is limited to 45 Mbps connections, ATM can scale to very high speeds: OC-192 (SONET), for instance, affords about 10 Gbps of bandwidth.

Encapsulation method
With each WAN solution, there is an encapsulation type. Encapsulations wrap an information envelope around your data that is used to transport your data traffic. If you use a leased line as your wide-area networking choice, you can encapsulate your data inside a High-Level Data-Link Control (HDLC) frame, PPP frame, or Serial Line IP (SLIP) frame. For packet-switched networks, you can encapsulate or package your data in X.25 frames, Frame Relay frames, or Asynchronous Transfer Mode (ATM) frames.
HDLC
Based on ISO standards, the HDLC (High-Level Data Link Control) protocol can be used with synchronous and asynchronous connections and defines the frame type and interaction between two devices at the data link layer. Cisco's HDLC is a proprietary protocol and will not work with other companies' routers.
PPP
PPP (the Point-to-Point Protocol) is based on an open standard.
PPP Authentication
PAP goes through a two-way handshake process. In this process, the source sends its username (or hostname) and password, in clear text, to the destination. The destination compares this information with a list of locally stored usernames and passwords. If it finds a match, the destination sends back an accept message. If it doesn't find a match, it sends back a reject message.

CHAP uses a three-way handshake process to perform the authentication. The source sends its username (not its password) to the destination. The destination sends back a challenge, which is a random value generated by the destination. The username is used to find the appropriate password to use for authentication. Both sides then take the source's username, the matching password, and the challenge and run them through the MD5 hashing function. The source then takes the result of this function and sends it to the destination. The destination compares this value to the hashed output that it generated; if the two values match, then the password used by the source must have been the same as was used by the destination, and thus the destination will permit the connection.

Configure HDLC, PPP, PAP, CHAP

In this example I will demonstrate how you can configure WAN encapsulation protocols. HDLC is the default encapsulation for synchronous serial links on Cisco routers. You would only use the encapsulation hdlc command to return the link to its default state.

For a practical example of HDLC and PPP, create a simple topology as shown in the figure in Packet Tracer.
Double click on R1 and check the default encapsulation


Router>enable
Router#show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
[output is omitted]
As you can verify, the default encapsulation on the router is HDLC. A WAN link works only when both ends use the same encapsulation protocol. To check this, change the default encapsulation to PPP on this side only.
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation ppp
Router(config-if)#exit
Router(config)#exit
Router#show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is down (disabled)
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
[output is omitted]
As you can see, the line protocol is now down, because the other end still runs HDLC. To bring it back up, set the encapsulation back to HDLC and restart the port with the shutdown and no shutdown commands.
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation hdlc
Router(config-if)#shutdown
Router(config-if)#no shutdown
Router(config-if)#exit

Router(config)#exit
Router#show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
[output is omitted]
Configuration of PPP
Now we will configure PPP encapsulation on both routers. We will also authenticate it with CHAP. The hostnames of the routers are R1 and R2 and the password is vinita.
Double Click on R1 and configure it
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#username R2 password vinita
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap
R1(config-if)#exit
R1(config)#
Now configure R2 for PPP
Router>enable
Router#configure terminal
Router(config)#hostname R2
R2(config)#username R1 password vinita
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication chap
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0,
changed state to up
R2(config)#
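An added example, not from the course material: the CHAP three-way exchange described in the PPP Authentication section, modelled in Python for the R1/R2 lab above with the shared password vinita. Per RFC 1994 the hashed value is MD5(identifier || secret || challenge); the hostname carried in each packet only tells the receiver which username entry to hash with, which is why each router needs a username entry for the other one. The PppRouter class and the packet dicts are my own modelling, not IOS internals; R2 is assumed to be the authenticator that sends the challenge.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge).
    The username is not part of the hash; it only tells the receiver which
    'username <peer> password <secret>' entry to use."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class PppRouter:
    """One end of the serial link. `usernames` mirrors the IOS
    'username <peer-hostname> password <secret>' entries on that router."""

    def __init__(self, hostname, usernames):
        self.hostname = hostname
        self.usernames = usernames

    def build_challenge(self, identifier=1, challenge=None):
        # Authenticator side: a fresh random value per attempt defeats replay
        challenge = challenge if challenge is not None else os.urandom(16)
        return {"code": "Challenge", "id": identifier,
                "value": challenge, "name": self.hostname}

    def answer_challenge(self, challenge_pkt):
        # Peer side: look up the secret stored for the authenticator's hostname,
        # hash it with the challenge, and send back the digest plus our own name
        secret = self.usernames.get(challenge_pkt["name"])
        if secret is None:
            raise LookupError(f"{self.hostname}: no username entry for {challenge_pkt['name']}")
        digest = chap_response(challenge_pkt["id"], secret, challenge_pkt["value"])
        return {"code": "Response", "id": challenge_pkt["id"],
                "value": digest, "name": self.hostname}

    def verify_response(self, challenge_pkt, response_pkt):
        # Authenticator side: recompute with the locally stored secret for the
        # responder's name and compare in constant time
        secret = self.usernames.get(response_pkt["name"])
        if secret is None or response_pkt["id"] != challenge_pkt["id"]:
            return False
        expected = chap_response(challenge_pkt["id"], secret, challenge_pkt["value"])
        return hmac.compare_digest(expected, response_pkt["value"])

def run_chap(authenticator, peer, challenge=None):
    """Three-way exchange: Challenge -> Response -> Success/Failure.
    Returns (authenticated, packets_seen_on_the_wire)."""
    challenge_pkt = authenticator.build_challenge(challenge=challenge)
    response_pkt = peer.answer_challenge(challenge_pkt)
    ok = authenticator.verify_response(challenge_pkt, response_pkt)
    result_pkt = {"code": "Success" if ok else "Failure", "id": challenge_pkt["id"]}
    return ok, [challenge_pkt, response_pkt, result_pkt]

def pap_request(hostname, secret):
    """PAP, by contrast, carries the password itself in its Authenticate-Request."""
    return {"code": "Authenticate-Request", "peer-id": hostname, "password": secret}

def secret_on_wire(packets, secret):
    """True if the raw secret appears in any field of any packet."""
    for p in packets:
        for v in p.values():
            if isinstance(v, str):
                v = v.encode()
            if isinstance(v, bytes) and secret in v:
                return True
    return False

if __name__ == "__main__":
    # Lab values from this section: hostnames R1/R2, shared password 'vinita'
    r1 = PppRouter("R1", {"R2": b"vinita"})
    r2 = PppRouter("R2", {"R1": b"vinita"})
    ok, wire = run_chap(r2, r1)
    print("CHAP R2<->R1:", "line protocol up" if ok else "authentication failed")
    print("password visible on wire (CHAP):", secret_on_wire(wire, b"vinita"))
    print("password visible on wire (PAP): ", secret_on_wire([pap_request("R1", b"vinita")], b"vinita"))
    r1_typo = PppRouter("R1", {"R2": b"vinitta"})   # mistyped secret on one side
    print("CHAP with mismatched secrets:", run_chap(r2, r1_typo)[0])
```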

Frame Relay

Frame Relay is a scalable WAN solution that is often used as an alternative to leased lines when leased lines prove to be unaffordable. With Frame Relay, you can have a single serial interface on a router connecting into multiple remote sites through virtual circuits.
DLCI
Each VC has a unique local address, called a DLCI. Circuits are identified by data-link connection identifiers (DLCIs). DLCIs are assigned by your provider and are used between your router and the Frame Relay provider. In other words, DLCIs are locally significant. This means that as a VC traverses various segments in a WAN, the DLCI numbers can be different for each segment. The carrier's switches take care of mapping DLCI numbers for a VC between DTEs and DCEs.
Configuration of Frame Relay

Configuring Frame Relay involves the following steps:

Change the encapsulation
Go into interface mode and select the Frame Relay encapsulation on the interface. There are two types of Frame Relay encapsulation: Cisco and IETF. Cisco is the default. The syntax to set your encapsulation is

encapsulation frame-relay [ietf]

Configuring the Frame Relay map
Configuring a static Frame Relay map is optional unless you are using subinterfaces. The Frame Relay map maps a Layer 3 address to a local DLCI. This step is optional because Inverse ARP will automatically perform this mapping for you. The syntax for a Frame Relay map is as follows:
frame-relay map protocol address dlci [broadcast] [cisco | ietf]
Configuring subinterfaces
If you are using a routing protocol in a hub-and-spoke topology, you will probably want to use subinterfaces to
avoid the split-horizon problem. To configure a subinterface, remove the IP address off the main interface and put it
under the subinterface. Configuring a subinterface involves assigning it a number and specifying the type. The
following command creates point-to-point subinterface serial0/0.1

Router(config)#interface serial0/0.1 point-to-point


To create a multipoint subinterface, enter multipoint instead:

Router(config)#interface serial0/0.1 multipoint


Assign IP address to subinterface
After entering one of these commands you will be taken to the subinterface configuration mode where you can enter
your IP address:
Router(config-subif)#ip address 10.0.0.2 255.0.0.0
If you are using a multipoint subinterface, you will need to configure frame-relay maps and
you cannot rely on inverse-arp.
If you are using a point-to-point subinterface, you will need to assign a DLCI to the subinterface. This is only for
point-to-point subinterfaces; this is not needed on the main interface or on multipoint subinterfaces. To assign a
DLCI to a point-to-point subinterface, enter the following command under the subinterface:

frame-relay interface-dlci dlci


Configuration of Frame Relay

Let's practically implement what you have learned so far. Configure this topology in Packet Tracer.

Now first configure R1. The Fast Ethernet port and hostname are already configured. Double click on R1 and configure the serial port for Frame Relay encapsulation, then create subinterfaces for connecting R2, R3 and R4. Also configure static routes for connecting the remaining networks.
Configure R1
R1>enable
R1#configure terminal
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0.102 point-to-point
R1(config-subif)#ip address 192.168.1.245 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 102
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.103 point-to-point
R1(config-subif)#ip address 192.168.1.249 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 103
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.104 point-to-point
R1(config-subif)#ip address 192.168.1.253 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 104
R1(config-subif)#exit
R1(config)#ip route 192.168.1.64 255.255.255.224 192.168.1.246
R1(config)#ip route 192.168.1.96 255.255.255.224 192.168.1.250

R1(config)#ip route 192.168.1.128 255.255.255.224 192.168.1.254
R1(config)#exit
Configure R2
R2>enable
R2#configure terminal
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 0/0/0.101 point-to-point
R2(config-subif)#ip address 192.168.1.246 255.255.255.252
R2(config-subif)#frame-relay interface-dlci 101
R2(config-subif)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.245
Configure R3
R3>enable
R3#configure terminal
R3(config)#interface serial 0/0/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface serial 0/0/0.101 point-to-point
R3(config-subif)#ip address 192.168.1.250 255.255.255.252
R3(config-subif)#frame-relay interface-dlci 101
R3(config-subif)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.249
R3(config)#
Configure R4
R4>enable
R4#configure terminal
R4(config)#interface serial 0/0/0
R4(config-if)#encapsulation frame-relay
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface serial 0/0/0.101 point-to-point
R4(config-subif)#ip address 192.168.1.254 255.255.255.252
R4(config-subif)#frame-relay interface-dlci 101
R4(config-subif)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.253
R4(config)#
Now verify by pinging from PC0 to all PCs. The pings should succeed. I have uploaded a configured topology, but use it as the final resort; first try to configure it yourself.
Command                                                            Description
Router(config)#interface serial 0/0/0                              Enters interface mode
Router(config-if)#encapsulation frame-relay                        Turns on Frame Relay encapsulation with the default encapsulation type of cisco
Router(config-if)#frame-relay lmi-type {ansi | cisco | q933a}      Depending on the option you select, this command sets the LMI type to the ANSI standard, the Cisco standard, or the ITU-T Q.933 Annex A standard
Router(config-if)#frame-relay interface-dlci 110                   Sets the DLCI number of 110 on the local interface and enters Frame Relay DLCI configuration mode
Router(config-fr-dlci)#exit                                        Returns to interface configuration mode
Router(config-if)#frame-relay map ip 192.168.100.1 110 broadcast   Maps the remote IP address (192.168.100.1) to the local DLCI number (110). The optional broadcast keyword specifies that broadcasts across IP should be forwarded to this address. This is necessary when using dynamic routing protocols
Router(config-if)#no frame-relay inverse-arp                       Turns off Inverse ARP
Router#show frame-relay map                                        Displays IP/DLCI map entries
Router#show frame-relay pvc                                        Displays the status of all PVCs configured
Router#show frame-relay lmi                                        Displays LMI statistics
Router#clear frame-relay counters                                  Clears and resets all Frame Relay counters
Router#clear frame-relay inarp                                     Clears all Inverse ARP entries from the map table
Router#debug frame-relay lmi                                       Used to help determine whether a router and Frame Relay switch are exchanging LMI packets properly

Wireless networking on Cisco Router

Wireless networking basics, transmission factors, responsible bodies
Wireless Networking
Wireless networking is the new face of networking. Wireless networking has been around for many years. Cell phones are also a type of wireless communication and are popular today for people talking to each other worldwide.
Wireless networks are not only less expensive than more traditional wired networks but also much easier to install. An important goal of this site is to provide you adequate knowledge for installing a wireless network and to get certified in wireless networks as well.
Perhaps you are already using wireless networking in your local coffee shop, at the airport, or in hotel lobbies, and you want to set up a small office or home network. You already know how great wireless networking is, so you want to enjoy the benefits where you live and work. It is truly transformational to one's lifestyle to decouple computing from the wires! If you are looking to set up a wireless network, you've come to the right place. We will show you the best way to set up a wireless network easily. Many people are looking to find out how to use wireless networking at home.
In this wireless networking section we provide an Absolute Beginner's Guide in the perfect format for easily learning what you need to know to get up to speed with wireless networks without wasting a lot of time.
The organization of this site, and the special elements that we have described in this section, will help you get the information you need quickly, accurately, and with clarity. In this section you will find inspiration as well as practical information. We believe that wireless networking is a modest technology that has the power to have a huge and positive impact.
This is wonderful material, and it's lots of fun! So what are you waiting for? It's time to go for wireless networking.
Wireless Basic
Radio Frequency Transmission Factors
Radio frequencies (RF) are generated by antennas that propagate the waves into the air.
Antennas fall under two different categories:
directional and omni-directional.

Directional antennas are commonly used in point-to-point configurations (connecting two distant buildings), and sometimes point-to-multipoint (connecting two WLANs).
An example of a directional antenna is a Yagi antenna: this antenna allows you to adjust the
direction and focus of the signal to intensify your range/reach.
Omni-directional antennas are used in point-to-multipoint configurations, where they
distribute the wireless signal to other computers or devices in your WLAN. An access point
would use an omni-directional antenna. These antennas can also be used for point-to-point
connections, but they lack the distance that directional antennas supply
Three main factors influence signal distortion:
Absorption: objects that absorb the RF waves, such as walls, ceilings, and floors
Scattering: objects that disperse the RF waves, such as rough plaster on a wall, carpet on the floor, or drop-down ceiling tiles
Reflection: objects that reflect the RF waves, such as metal and glass

Responsible body
The International Telecommunication Union-Radio Communication Sector (ITU-R) is responsible for managing the radio frequency (RF) spectrum and satellite orbits for wireless communications: its main purpose is to provide for cooperation and coexistence of standards and implementations across country boundaries.
Two standards bodies are primarily responsible for implementing WLANs:
IEEE: defines the mechanical process of how WLANs are implemented in the 802.11 standards so that vendors can create compatible products.
The Wi-Fi Alliance: basically certifies companies by ensuring that their products follow the 802.11 standards, thus allowing customers to buy WLAN products from different vendors without having to be concerned about any compatibility issues.
Frequency bands:
WLANs use three unlicensed bands:
1. 900 MHz: used by older cordless phones
2. 2.4 GHz: used by newer cordless phones, WLANs, Bluetooth, microwaves, and other devices
3. 5 GHz: used by the newest models of cordless phones and WLAN devices
The 900 MHz and 2.4 GHz frequencies are referred to as the Industrial, Scientific, and Medical (ISM) bands.
The 5 GHz frequency is referred to as the Unlicensed National Information Infrastructure (UNII) band.
Unlicensed bands are still regulated by governments, which might define restrictions on their usage.

A hertz (Hz) is a unit of frequency that measures the change in a state or cycle in a wave
(sound or radio) or alternating current (electricity) during 1 second.
Transmission Method
Direct Sequence Spread Spectrum (DSSS)
uses one channel to send data across all frequencies within that channel. Complementary
Code Keying (CCK) is a method for encoding transmissions for higher data rates, such as 5.5
and 11 Mbps, but it still allows backward compatibility with the original 802.11 standard,
which supports only 1 and 2 Mbps speeds. 802.11b and 802.11g support this transmission
method.
OFDM (Orthogonal Frequency Division Multiplexing)
increases data rates by using spread spectrum modulation. 802.11a and 802.11g support this transmission method.
MIMO (Multiple Input Multiple Output)
transmission, which uses DSSS and/or OFDM by spreading its signal across 14 overlapping
channels at 5 MHz intervals. 802.11n uses it. Use of 802.11n requires multiple antennas.
WLAN Standards
Standard            802.11a    802.11b                               802.11g        802.11n
Data Rate           54 Mbps    11 Mbps                               54 Mbps        248 Mbps (with 2x2 antennas)
Throughput          23 Mbps    4.3 Mbps                              19 Mbps        74 Mbps
Frequency           5 GHz      2.4 GHz                               2.4 GHz        2.4 and/or 5 GHz
Compatibility       None       With 802.11g and the original 802.11  With 802.11b   802.11a, b, and g
Range (meters)      35-120     38-140                                38-140         70-250
Number of Channels  Up to 23   14
Transmission        OFDM       DSSS                                  DSSS/OFDM      MIMO

Wireless networking Access Modes

Two 802.11 access modes can be used in a WLAN:

Ad hoc mode

Infrastructure mode

Ad hoc mode is based on the Independent Basic Service Set (IBSS). In IBSS, clients can set
up connections directly to other clients without an intermediate AP. This allows you to set up
peer-to-peer network connections and is sometimes used in a SOHO. The main problem with
ad hoc mode is that it is difficult to secure since each device you need to connect to will
require authentication. This problem, in turn, creates scalability issues.
Infrastructure mode was designed to deal with security and scalability issues. In
infrastructure mode, wireless clients can communicate with each other, albeit via an AP. Two
infrastructure mode implementations are in use:

Basic Service Set (BSS)

Extended Service Set (ESS)

In BSS mode, clients connect to an AP, which allows them to communicate with other clients or LAN-based resources. The WLAN is identified by a single SSID; however, each AP requires a unique ID, called a Basic Service Set Identifier (BSSID), which is the MAC address of the AP's wireless card. This mode is commonly used for wireless clients that don't roam, such as PCs.
In ESS mode, two or more BSSs are interconnected to allow for larger roaming distances. To make this as transparent as possible to the clients, such as PDAs, laptops, or mobile phones, a single SSID is used among all of the APs. Each AP, however, will have a unique BSSID.
Coverage Areas
A WLAN coverage area is the physical area in which the RF signal can be sent and
received. Two types of WLAN coverage are based on the two infrastructure mode
implementations:

- Basic Service Area (BSA)
- Extended Service Area (ESA)

The terms BSS and BSA, and ESS and ESA, can be confusing. BSS and ESS refer to the
building topology, whereas BSA and ESA refer to the actual signal coverage.
BSA
With a BSA, a single area called a cell is used to provide coverage for the WLAN clients and AP.
ESA
With an ESA, multiple cells are used to provide additional coverage over larger distances or
to overcome areas that have signal interference or degradation. When using an ESA,
remember that each cell should use a different radio channel.

Wireless Networking Basic Security

How an end user client with a WLAN NIC accesses a LAN

1. To allow clients to find the AP easily, the AP periodically broadcasts beacons,
announcing its Service Set Identifier (SSID), data rates, and other WLAN information.
2. The SSID is a naming scheme for WLANs that allows an administrator to group WLAN devices
together.
3. To discover APs, clients scan all channels and listen for the beacons from the
AP(s). By default, the client associates itself with the AP that has the strongest
signal.
4. When the client associates itself with the AP, it sends the SSID, its MAC address, and
any other security information that the AP might require based on the authentication
method configured on the two devices.
5. Once connected, the client periodically monitors the signal strength of the AP to
which it is connected.
6. If the signal strength becomes too low, the client repeats the scanning process to
discover an AP with a stronger signal. This process is commonly called roaming.
SSID and MAC Address Filtering
When implementing SSIDs, the AP and client must use the same SSID value to authenticate.
By default, the access point broadcasts the SSID value, advertising its presence and basically
allowing anyone access to the AP. Originally, to prevent rogue devices from accessing the
AP, the administrator would turn off the SSID broadcast function on the AP, commonly called
SSID cloaking. To allow a client to learn the SSID value of the AP, the client would send a null
string value in the SSID field of the 802.11 frame and the AP would respond; of course, this
defeats the security measure, since a rogue device could repeat the same query process and
learn the SSID value.

Therefore, APs were commonly configured to filter traffic based on MAC addresses. The
administrator would configure a list of MAC addresses in a security table on the AP, listing
those devices allowed access; however, the problem with this solution is that MAC addresses
can be seen in clear-text over the airwaves. A rogue device can easily sniff the airwaves, see
the valid MAC addresses, and change its MAC address to match one of the valid ones.
This is called MAC address spoofing.
WEP
WEP (Wired Equivalent Privacy) was the first security solution for WLANs that employed
encryption. WEP uses a static 64-bit key, made up of a 40-bit secret key and a 24-bit
initialization vector (IV). The IV is sent in clear-text. Because WEP uses RC4 as its
encryption algorithm and the IV is sent in clear-text, WEP can be broken. To alleviate this
problem, the key was extended to 104 bits, plus the 24-bit IV. However, either variation can
easily be broken in minutes on the laptops and computers produced today.
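The weakness above comes from the 24-bit IV being the only part of the RC4 seed that changes from frame to frame while the key stays static. The following is an added example, not from the manual, that quantifies how soon IV reuse (and therefore RC4 keystream reuse) is expected; the 500 frames/second rate it prints for is an assumed, illustrative figure.

```python
"""Why WEP's 24-bit IV is too small (added example, not from the manual).

WEP seeds RC4 with IV || static key and sends the IV in clear-text in every
frame, so two frames carrying the same IV are encrypted with the same RC4
keystream. The functions below show how few frames a defender should expect
before that reuse happens, whether IVs are chosen at random or sequentially.
"""

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS             # 16,777,216 distinct IVs
KEY_BITS_64 = 64 - IV_BITS          # 40-bit secret key in "64-bit" WEP
KEY_BITS_128 = 128 - IV_BITS        # 104-bit secret key in "128-bit" WEP


def iv_collision_probability(frames: int, iv_space: int = IV_SPACE) -> float:
    """Probability that at least two of `frames` randomly chosen IVs are equal
    (exact birthday-problem product: P = 1 - prod_{i<n} (1 - i/N))."""
    if frames <= 1:
        return 0.0
    if frames > iv_space:
        return 1.0                  # pigeonhole: more frames than IVs
    no_repeat = 1.0
    for i in range(frames):
        no_repeat *= 1.0 - i / iv_space
    return 1.0 - no_repeat


def frames_until_probability(target: float, iv_space: int = IV_SPACE) -> int:
    """Smallest number of random-IV frames at which P(IV repeat) >= target."""
    no_repeat, frames = 1.0, 1
    while 1.0 - no_repeat < target and frames <= iv_space:
        no_repeat *= 1.0 - frames / iv_space
        frames += 1
    return frames


def hours_until_iv_wrap(frames_per_second: float, iv_space: int = IV_SPACE) -> float:
    """With sequential IVs the counter wraps, and keystreams start repeating,
    after exactly `iv_space` frames; express that as hours at a frame rate."""
    return iv_space / frames_per_second / 3600.0


if __name__ == "__main__":
    print(f"{KEY_BITS_64}-bit and {KEY_BITS_128}-bit WEP keys share one {IV_BITS}-bit IV")
    print(f"50% chance of a repeated random IV after {frames_until_probability(0.5)} frames")
    # Assumed, illustrative frame rate of 500 frames/second for a busy AP.
    print(f"sequential IVs wrap after {hours_until_iv_wrap(500):.1f} hours at 500 frames/s")
```

Extending the key to 104 bits does not change either number, which is why the text says both variations fall in minutes.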
802.1x EAP
The Extensible Authentication Protocol (EAP) is a layer 2 process that allows a wireless client
to authenticate to the network. There are two varieties of EAP: one for wireless and one for
LAN connections, commonly called EAP over LAN (EAPoL).
One of the concerns in wireless is allowing a WLAN client to communicate with devices behind
an AP. Three standards define this process: EAP, 802.1x, and Remote Authentication Dial In
User Service (RADIUS). EAP defines a standard way of encapsulating authentication
information, such as a username and password or a digital certificate, that the AP can use to
authenticate the user. 802.1x and RADIUS define how to packetize the EAP information to
move it across the network.
WPA
Wi-Fi Protected Access (WPA) was designed by the Wi-Fi Alliance as a temporary security
solution to provide for the use of 802.1x and enhancements in the use of WEP until the
802.11i standard was ratified. WPA can operate in two modes: personal and enterprise.
Personal mode was designed for home or SOHO usage. A pre-shared key is used for
authentication, requiring you to configure the same key on the clients and the AP. With this
mode, no authentication server is necessary, as it is in the official 802.1x standard.
Enterprise mode is meant for large companies, where an authentication server centralizes
the authentication credentials of the clients.
WPA2
WPA2 is the IEEE 802.11i implementation from the Wi-Fi Alliance. Instead of WEP,
which uses the weak RC4 encryption algorithm, the much more secure Advanced Encryption
Standard (AES) Counter Mode with CBC-MAC Protocol (CCMP) algorithm is used.

Wireless Network

A wireless network enables people to communicate and access applications and
information without wires. This provides freedom of movement and the ability to extend
applications to different parts of a building, city, or nearly anywhere in the world. Wireless
networks allow people to interact with e-mail or browse the Internet from a location that
they prefer.
Many types of wireless communication systems exist, but a distinguishing attribute of a
wireless network is that communication takes place between computer devices. These
devices include personal digital assistants (PDAs), laptops, personal computers (PCs),
servers, and printers. Computer devices have processors, memory, and a means of
interfacing with a particular type of network. Traditional cell phones don't fall within the
definition of a computer device; however, newer phones and even audio headsets are
beginning to incorporate computing power and network adapters. Eventually, most
electronics will offer wireless network connections.
As with networks based on wire or optical fiber, wireless networks convey information
between computer devices. The information can take the form of e-mail messages, web
pages, database records, streaming video or voice. In most cases, wireless networks transfer
data, such as e-mail messages and files, but advancements in the performance of wireless
networks are enabling support for video and voice communications as well.

Types of Wireless Networks

WLANs: Wireless Local Area Networks
WLANs allow users in a local area, such as a university campus or library, to form a network
or gain access to the Internet. A temporary network can be formed by a small number of
users without the need for an access point, given that they do not need access to network
resources.
WPANs: Wireless Personal Area Networks
The two current technologies for wireless personal area networks are Infrared (IR) and
Bluetooth (IEEE 802.15). These allow the connectivity of personal devices within an area
of about 30 feet. However, IR requires a direct line of sight and its range is shorter.
WMANs: Wireless Metropolitan Area Networks
This technology allows the connection of multiple networks in a metropolitan area, such as
different buildings in a city, which can be an alternative or backup to laying copper or fiber
cabling.
WWANs: Wireless Wide Area Networks
These types of networks can be maintained over large areas, such as cities or countries, via
multiple satellite systems or antenna sites looked after by an ISP. These types of systems are
referred to as 2G (2nd Generation) systems.
Comparison of Wireless Network Types

| Type | Coverage | Performance | Standards | Applications |
|---|---|---|---|---|
| Wireless PAN | Within reach of a person | Moderate | Bluetooth, IEEE 802.15, and IrDA | Cable replacement for peripherals |
| Wireless LAN | Within a building or campus | High | IEEE 802.11, Wi-Fi, and HiperLAN | Mobile extension of wired networks |
| Wireless MAN | Within a city | High | Proprietary, IEEE 802.16, and WiMAX | Fixed wireless between homes and businesses and the Internet |
| Wireless WAN | Worldwide | Low | CDPD and Cellular 2G, 2.5G, and 3G | Mobile access to the Internet from outdoor areas |

Wireless Configuration

In this topology we have three PCs connected to a Linksys wireless router.

- DHCP is configured and enabled on the wireless router
- The IP pool for DHCP is 192.168.0.100 to 192.168.0.150
- The PCs are configured to receive an IP address from the DHCP server
- No security is configured
- The default SSID is configured to Default
- The topology is working in infrastructure mode
- The default user name and password is admin
- The IP address of the wireless router is set to 192.168.0.1

Now your task is to:

- Configure a static IP on the PCs and the wireless router
- Change the SSID to MotherNetwork
- Change the IP address of the router to 10.0.0.1, PC0 to 10.0.0.2, PC1 to 10.0.0.3 and PC2 to 10.0.0.4
- Secure your network by configuring a WEP key on the router
- Connect the PCs by using the WEP key
Configure the wireless network

As given in the question, our network is running on the 192.168.0.0 network and all PCs are DHCP
clients and functioning properly. So we will first connect to the wireless router to turn off DHCP.
Double-click on a PC and select Web Browser. As given in the question, the IP of the wireless router is
192.168.0.1, so enter it in the web browser and press Enter; it will now ask for authentication,
which is also given in the question. Give the user name admin and the password admin.

This will bring up the GUI of the wireless router. Scroll down the screen to Network Setup and select
Disable DHCP.

Go to the end of the page and click on Save Settings; this will save the settings. Click on Continue for further
settings.

Now select Administration from the top menu and change the password to test, then go to the end of the
page and click on Save Settings.

Click on Continue for further settings. This time it will ask you to authenticate again; give the new
password test this time.

Now click on the Wireless tab and set the default SSID to MotherNetwork.

Now select Wireless Security and change the Security Mode to WEP.

Set Key1 to 0123456789.

Again go to the end of the page and click on Save Settings.

Now we have completed all the given tasks on the wireless router. Next, configure the
static IP on all three PCs.
Double-click on a PC, select the Desktop tab, click on IP Configuration, select Static IP and set the IP as
given below:

| PC | IP | Subnet Mask | Default Gateway |
|---|---|---|---|
| PC0 | 192.168.0.2 | 255.255.255.0 | 192.168.0.1 |
| PC1 | 192.168.0.3 | 255.255.255.0 | 192.168.0.1 |
| PC2 | 192.168.0.4 | 255.255.255.0 | 192.168.0.1 |

Now it's time to connect the PCs to the wireless router. To do so, click a PC, select Desktop and click on
PC Wireless.

Click on the Connect tab and click on the Refresh button.

As you can see in the image, the wireless device sees MotherNetwork on CH 6 and the signal
strength is 100%. On the left side you can see that WEP security is configured on the network. Click
on the Connect button to connect to MotherNetwork.

It will ask for the WEP key; enter 0123456789 and click Connect.

It will connect you to the wireless router.

As you can see in the image below, the system is connected and the PCI card is active.
