
Cisco CCNA/CCENT: Interconnecting Cisco Networking Devices Part 1

1. Welcome to Cisco CCENT (35:26 mins)
To check details about certifications go to
ICND1 is also called CCENT; ICND2 is also called CCNA (CCENT plus ICND2 gives the full CCNA)
2. Foundation: what is a network (35:32 mins)
network: a collection of devices that can communicate together
LAN: PCs plus a switch to connect them together
router: used to connect different LANs together
difference between the internet and a WAN:
1) internet:
   - public network
   - no security
   - no guaranteed service levels
   - can be used to connect different offices
2) WAN:
   - private network
   - security
   - guaranteed service levels, because we pay a provider (AT&T as an example) to maintain our links through its network (those links are fast, but the problem is they are costly)
When we run a network that contains applications we care about the following:
1. Speed:
   Bit = 0 or 1 (binary)
   Byte = 8 bits (one character). As an example, if we type the letter W, that letter is represented by 8 bits, or one byte (in ASCII, W = 01010111); another example is the word WAS, which is 3 bytes.
   Kilobyte = 1024 bytes
   Megabyte = 1024 kilobytes
   Gigabyte = 1024 megabytes
   Terabyte = 1024 gigabytes

   From      To        Conversion
   bit       byte      8 bits = 1 byte (bits / 8 = bytes)
   byte      kilobyte  1024 bytes = 1 kilobyte
   kilobyte  megabyte  1024 kilobytes = 1 megabyte
   megabyte  gigabyte  1024 megabytes = 1 gigabyte
   gigabyte  terabyte  1024 gigabytes = 1 terabyte

Everything in the network is measured in bits. As an example a modem speed of 56 kbps means 56 kilobits per second (this is also called the throughput).
kbps = kilobits per second
kBps = kilobytes per second (8 times more data than kbps)
LAN link speeds are in general: 10 Mbps, 100 Mbps, 1000 Mbps
WAN link speeds are in general: 56 kbps, 1.544 Mbps (T1), 100 Mbps (as you notice WAN link speeds are slower than LAN link speeds)
2. Delay: IP phones on the network are an example of an application that suffers from delay; voice over IP (VoIP) needs low delay
3. Availability: availability of the bandwidth
network designs (topologies): ways of connecting your devices together
1. bus topology: the problem of this topology is that if the thick line (the shared cable) goes down, then we lose a whole group of devices
2. token ring topology: a token travels to each device in turn; the device that holds the token attaches the data it is sending, and the token delivers data to (or collects data from) each device it passes
3. star topology (the most used nowadays): it looks like a star, there is a switch in the middle and all other devices (PCs) connect to it


3. Foundations in the OSI world (43:30 mins)
OSI functions:
1. Helps break down network functions
2. Creates standards for equipment manufacturing
3. Allows vendors to focus on specialized areas of the network
To memorize the OSI model use one of the following:
- Please do not throw sausage pizza away (physical, data link, network, transport, session, presentation, application, i.e. layers 1 to 7)
- All people seem to need Domino's pizza (application, presentation, session, transport, network, data link, physical, i.e. layers 7 to 1)
OSI Model:
Layer 7, Application layer:
- Provides an interface that allows applications to communicate across the network, like an email system, online games or a browser
Layer 6, Presentation layer:
- The data is formatted in a general format that is understood by any server you communicate with: if you go to www.google.com, that site is formatted in a generic format (HTML) and maybe it contains a picture (JPEG format); HTML and JPEG are generic formats that are understood by all
- Generic encryption services, like what is used on online banking sites
Layer 5, Session layer:
- Starts and ends a session
- Logically keeps sessions separate
Layer 4, Transport layer:
- Describes how the data is sent; we can send the data reliably or unreliably (TCP is a reliable protocol and UDP is an unreliable protocol)
- Defines well known services (ports)
Layer 3, Network layer:
- Provides logical addressing (IP addresses); when you assign an IP address it happens in this layer
- Finds the best path to a destination
- Routers work here
Layer 2, Data link layer:
- Provides physical addressing (MAC addresses); the MAC address is the address of the network interface card (NIC)
- Error detection: a checksum on each frame lets the receiver tell whether the frame was changed (corrupted) during its travel from source to destination; note that this only catches accidental errors, it is not a security control
- Switches work here
Layer 1, Physical layer:
- Provides access to the cable
- Electrical signals, ones and zeros (0 or 1)
- Physical connections like cables, network cards, WAN interfaces
In the Cisco world the application, presentation and session layers are the least important because they are handled by the host operating system and applications (Windows, for example), not by the routers and switches
Reliable protocol (TCP): once you send a message to a server, that server replies with an ACK packet; if the sender doesn't receive an ACK from the server, the source resends the packet until it receives the ACK
Unreliable protocol (UDP): used with real time applications like VoIP or video over IP (as an example streaming a movie on the network); if a packet is dropped we get some glitches in the video or the voice gets scrambled, and with an unreliable protocol we don't care whether the packet was dropped or not
The MAC address is what allows computers to communicate on the local network
Ports are used to designate which service you are trying to access; as an example, maybe a server has a DB and an email system on it, and to differentiate between those two we use ports to designate which service to use
The transport layer chooses the reliability protocol (TCP or UDP) and the port numbers

OSI model in the real world:
Example: a client wants to access the Cisco website
Client information: IP address 10.1.1.5, MAC address 00a0151189f2
Server information: IP address 200.1.1.1 (cisco.com)
On the source side, from the top layer down:
- Application layer: send me a web page (get the Cisco web site)
- Presentation layer: package it in HTTP
- Session layer: create a separate session for the request to the Cisco site
- Transport layer: use the TCP protocol (because HTTP uses TCP in general) plus specify the source and destination ports; the source port is the web browser's port (it is dynamic, as an example 1098) and the destination port is 80
- Network layer: add the source and destination IP addresses
- Data link layer: add the source and destination MAC addresses
- Physical layer: put all the information on the wire
On the destination side the same seven layers are processed in the opposite order.
Router interface MAC addresses used in the example: 0089:1111:2222 and 0089:1111:3333
Notes about the example above:
- All 7 steps are done in reverse on the destination side, starting from the physical layer and going up to the application layer
- The MAC addresses change as the packet is sent from the source to the destination (they are rewritten at every router hop)
- At first the source MAC address is 00a0151189f2 and the destination MAC address is 0089:1111:2222 (the router interface that is the default gateway)
- At the 2nd hop the source MAC address is 0089:1111:2222 and the destination MAC address is 0089:1111:3333, and so on until the packet arrives at the destination
- The IP addresses don't change from the moment the packet is sent until its arrival at the destination: the source IP address stays 10.1.1.5 and the destination IP address stays 200.1.1.1

ipconfig /all command is used to show the MAC address (in hexadecimal) of my computer
netstat -n command is used to show all the open sessions from my computer by IP address only (no name lookups)
netstat command is used to show all the open sessions from my computer in general (with names resolved)

4. Basic TCP/IP: addressing fundamentals (39:42 mins)
how the OSI and TCP/IP models relate together:
- the OSI model describes how networks communicate
- the TCP/IP model describes how network communications actually happen

OSI model              TCP/IP model (Department of Defense, DoD, model)
Application layer      Application layer
Presentation layer     Application layer
Session layer          Application layer
Transport layer        Transport layer
Network layer          Internet layer
Data link layer        Network access layer
Physical layer         Network access layer
NOTE: there is a page that describes the correlation between the 2 models
IP address format:
1. The IP address has 4 octets; it is always combined with a subnet mask and a default gateway
2. The subnet mask dictates which portion of the IP address identifies the network and which the host: in the subnet mask an octet of 255 marks a network portion and an octet of 0 marks a host portion
Example:
IP address: 172.30.3.82 (these are the 4 octets)
Subnet mask: 255.255.255.0 (network portion 172.30.3, host portion 82)
Default gateway: 172.30.3.1
- Every interface on the router represents a network (each interface is connected to a specific network)
Example:
If 10.1.1.10 wants to communicate with 10.1.1.11, it sends an address resolution protocol (ARP) request to learn the MAC address that belongs to the destination IP address. ARP is a broadcast message; once 10.1.1.11 receives the ARP request it responds with its MAC address, and then 10.1.1.10 starts transferring data to 10.1.1.11. Computers don't start talking to other computers directly; they must use data link addresses (MAC addresses) first.
If 10.1.1.10 wants to communicate with 10.5.5.100, it can't ARP for the destination because they are on different networks and routers DON'T forward broadcasts, so the source forwards the packet to the default gateway (there is still an ARP process, but only to learn the MAC address of the default gateway).
Step 1: the host builds the frame
  source IP address: 10.1.1.10, destination IP address: 10.5.5.100
  source MAC address: MAC of 10.1.1.10, destination MAC address: MAC of the router interface 10.1.1.1
Step 2: the router checks the routing table it contains so that it knows how to reach 10.5.5.100, then rewrites the frame
  source IP address: 10.1.1.10, destination IP address: 10.5.5.100
  source MAC address: MAC of the router interface 10.2.2.1, destination MAC address: MAC of the router interface 10.2.2.2
Step 3: the next router does the same
  source IP address: 10.1.1.10, destination IP address: 10.5.5.100
  source MAC address: MAC of the router interface 10.3.3.1, destination MAC address: MAC of the router interface 10.3.3.2
And so on until the packet reaches 10.5.5.100 (the IP addresses never change, only the MAC addresses)
Default address classes:
1. Class A:
   1st octet of the IP address is in the range 1-126 (as an example 10.5.1.1)
   - Subnet mask 255.0.0.0
   - Hosts available in this class: 16,777,214 (Cisco recommends no more than about 500 hosts per network, so a class A network is normally subnetted)
2. Class B:
   1st octet of the IP address is in the range 128-191 (as an example 150.51.233.1)
   - Subnet mask 255.255.0.0
   - Hosts available in this class: 65,534 (2^16 minus the network and broadcast addresses)

3. Class C:
   1st octet of the IP address is in the range 192-223 (as an example 220.1.50.63)
   - Subnet mask 255.255.255.0
   - Hosts available in this class: 254 (2^8 minus the network and broadcast addresses)
Any address that starts with 127 in the 1st octet is a loopback address (127.x.x.x)
Public addresses VS private addresses:
1. Public addresses are usable on the internet and on internal networks, and they are provided by the ISP
2. Private addresses are usable on internal networks only; there are 3 ranges of private addresses (RFC 1918):
   - Class A: 10.0.0.0-10.255.255.255
   - Class B: 172.16.0.0-172.31.255.255
   - Class C: 192.168.0.0-192.168.255.255
The loopback range is 127.x.x.x and it is used for testing purposes only
Network address translation (NAT) is used to allow people to share public addresses to surf the internet (as an example using one public IP address for several computers instead of a separate public IP address for each computer)
The auto configuration range (APIPA) is 169.254.x.x and it is used if a host can't get an IP address automatically from a DHCP server
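Worked example (added here, not part of the course notes): a small Python script that classifies an address by its first octet and subnet mask the way the notes describe, marks it as public, private (RFC 1918), loopback or APIPA, and computes the usable host count from the mask. The function names are my own and the sample addresses are the ones from the notes plus a constructed APIPA address.

```python
# Added example (not part of the course notes): classify an IPv4 address from its first
# octet and subnet mask, and compute the usable host count. Standard library only.
import ipaddress

PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),       # class A private range
    ipaddress.ip_network("172.16.0.0/12"),    # class B private range, 172.16.0.0-172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # class C private range
]
APIPA = ipaddress.ip_network("169.254.0.0/16")
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(ip):
    """Default class from the first octet: 'A', 'B', 'C', 'D', 'E' or 'loopback'."""
    first = int(ip.split(".")[0])
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"   # multicast, not covered by the notes
    return "E"       # reserved / experimental (and 0.x.x.x)


def describe(ip, mask=None):
    """Return class, mask (given or default), scope, network/broadcast and usable hosts."""
    cls = address_class(ip)
    mask = mask or DEFAULT_MASKS.get(cls)
    info = {"ip": ip, "class": cls, "mask": mask}
    addr = ipaddress.ip_address(ip)
    if cls == "loopback":
        info["scope"] = "loopback (testing only)"
    elif addr in APIPA:
        info["scope"] = "APIPA (no DHCP answer)"
    elif any(addr in net for net in PRIVATE_RANGES):
        info["scope"] = "private (RFC 1918, not routable on the internet, needs NAT)"
    else:
        info["scope"] = "public"
    if mask:
        # strict=False lets us pass a host address and get its network back
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        info["network"] = str(net.network_address)
        info["broadcast"] = str(net.broadcast_address)
        # the all-zeros (network) and all-ones (broadcast) host parts are not usable
        info["usable_hosts"] = max(net.num_addresses - 2, 0)
    return info


if __name__ == "__main__":
    for ip, mask in [("172.30.3.82", "255.255.255.0"), ("10.5.1.1", None),
                     ("150.51.233.1", None), ("220.1.50.63", None),
                     ("127.0.0.1", None), ("169.254.3.7", None)]:
        print(describe(ip, mask))
```

The host count is the check worth remembering: a class B block has 65,536 addresses but only 65,534 usable ones, because the network and broadcast addresses can never be assigned to a host.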
Basic difference between the TCP and UDP protocols:
TCP (transmission control protocol):
- Builds connections: when sending packets it creates sessions and uses a 3 way handshake before sending
- Uses sequence numbers
- Reliable protocol: it uses ACK packets; if the sender doesn't receive an ACK it resends the packet until it receives the ACK
UDP (user datagram protocol):
- Connectionless: when sending packets you don't know whether a packet was dropped or not (it doesn't care whether the packet arrives)
- Best effort delivery (used with real time applications like VoIP)
- Unreliable protocol

5. Basic TCP/IP: TCP and UDP communication (23:20 mins)
TCP 3 way handshake process:
1. The source sends a SYN packet to the destination
2. The destination sends back a SYN-ACK packet to the source to acknowledge that it received the SYN
3. The source sends back an ACK packet to the destination to acknowledge receiving the SYN-ACK
After the 3 way handshake the communication starts; every time you open a website, as an example, you go through the 3 way handshake process
Sequence numbers: sequence numbers reflect how many bytes a computer is sending (they count bytes, which is why in real life they appear as big numbers)
TCP windowing: the window size increases the amount of data sent before an ACK is required, based on how reliable the connection is detected to be (if segments are lost, the window shrinks again)
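Worked example (added here, not part of the course notes): the three way handshake simulated in Python with both sides' segments, including the sequence and acknowledgment numbers the notes mention. The endpoints, the segment dicts and the fixed initial sequence numbers (1000 and 5000) are constructed for the example; real stacks pick random ones. The check a practitioner cares about is in client_ack and server_established: a SYN-ACK or ACK whose acknowledgment number does not match what was sent is rejected instead of opening the connection.

```python
# Added example (not part of the course notes): a simulation of the TCP three-way
# handshake with sequence and acknowledgment numbers. Both endpoints are plain Python
# objects and the "segments" are dicts, so nothing touches the real network; the
# initial sequence numbers are constructed values, not random ISNs.
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    isn: int                      # initial sequence number chosen by this side
    state: str = "CLOSED"
    snd_nxt: int = 0              # next sequence number we will send
    rcv_nxt: int = 0              # next sequence number we expect from the peer
    log: list = field(default_factory=list)

    def segment(self, flags, ack=None):
        seg = {"from": self.name, "flags": flags, "seq": self.snd_nxt}
        if ack is not None:
            seg["ack"] = ack
        self.log.append(seg)
        return seg


def client_syn(client):
    """Step 1: the source sends SYN carrying its initial sequence number."""
    client.snd_nxt = client.isn
    seg = client.segment("SYN")
    client.snd_nxt += 1           # a SYN consumes one sequence number
    client.state = "SYN-SENT"
    return seg


def server_syn_ack(server, syn):
    """Step 2: the destination acknowledges the SYN (ack = seq + 1) and sends its own SYN."""
    if syn["flags"] != "SYN":
        raise ValueError("expected SYN")
    server.rcv_nxt = syn["seq"] + 1
    server.snd_nxt = server.isn
    seg = server.segment("SYN-ACK", ack=server.rcv_nxt)
    server.snd_nxt += 1
    server.state = "SYN-RECEIVED"
    return seg


def client_ack(client, syn_ack):
    """Step 3: the source verifies the ack covers its SYN, then acknowledges the server's SYN."""
    if syn_ack["flags"] != "SYN-ACK":
        raise ValueError("expected SYN-ACK")
    if syn_ack["ack"] != client.snd_nxt:
        # an ack that does not match what we sent is dropped: stale, spoofed or corrupted
        raise ValueError(f"bad ack {syn_ack['ack']}, expected {client.snd_nxt}")
    client.rcv_nxt = syn_ack["seq"] + 1
    client.state = "ESTABLISHED"
    return client.segment("ACK", ack=client.rcv_nxt)


def server_established(server, ack):
    """The destination accepts the final ACK only if it acknowledges its own SYN."""
    if ack["flags"] != "ACK" or ack["ack"] != server.snd_nxt:
        raise ValueError("handshake incomplete: final ACK does not match our SYN")
    server.state = "ESTABLISHED"
    return server.state


def handshake(client_isn=1000, server_isn=5000):
    """Run the full exchange; returns both endpoints and the three segments in order."""
    client = Endpoint("client", client_isn)
    server = Endpoint("server", server_isn)
    syn = client_syn(client)
    syn_ack = server_syn_ack(server, syn)
    ack = client_ack(client, syn_ack)
    server_established(server, ack)
    return client, server, [syn, syn_ack, ack]


if __name__ == "__main__":
    c, s, segments = handshake()
    for seg in segments:
        print(seg)
    print(c.state, s.state)
```

Run it and the three segments come out as SYN seq=1000, SYN-ACK seq=5000 ack=1001, ACK seq=1001 ack=5001: each side's ack is exactly the other side's sequence number plus one, because the SYN itself consumes one sequence number.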

6. Basic TCP/IP: understanding port numbers (17:17 mins)
Ports are used to separate the different applications used on my computer (as an example one server that contains two services, like a DB and an email system; if we want to differentiate between those two services we specify the port number)
Port numbers are used to specify which session to use when sending or receiving packets
Socket = IP address : port number (example 10.5.1.100:80; the pair together is called a socket)
- 0-1023 are considered well known ports (reserved for standard services; applications don't get them assigned dynamically)
Well known TCP/UDP port numbers (both TCP and UDP ports range from 0 to 65535):
TCP (transmission control protocol):
- Port 21: FTP (file transfer protocol), used for sending and receiving files
- Port 22: SSH, considered encrypted telnet
- Port 23: telnet, considered non secure (the password and the whole session go over the wire in clear text)
- Port 25: SMTP (simple mail transfer protocol), used for sending mail
- Port 53: DNS over TCP, used so that servers can resolve names to IP addresses (server to server traffic such as zone transfers, and answers too large for UDP)
- Port 80: HTTP
- Port 110: POP3 (post office protocol), used for receiving email
- Port 443: HTTPS
UDP (user datagram protocol):
- Port 53: DNS client queries (as an example this port is used when my PC retrieves the IP address of www.yahoo.com after I type it in a browser)
- Port 69: TFTP (trivial file transfer protocol), used to send files to and receive files from Cisco devices (IOS images and configuration backups); it has no authentication at all

7. Basic TCP/IP: the tale of two packets (20:47 mins)
If the packet is sent locally, on the same network, the source uses ARP to learn the MAC address of the destination.
If the packet is sent to a different network, the source doesn't ARP for the destination, because the router doesn't forward broadcast packets (ARP); the packet is sent to the default gateway (an interface of the router) instead. In this case an ARP packet is still sent, but not to learn the destination's MAC address: it is sent to learn the MAC address of the router interface (the default gateway).
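Worked example (added here, not part of the course notes) covering both the "tale of two packets" and the 10.1.1.10 to 10.5.5.100 walk-through earlier in section 4: a Python model of the host's decision (ARP for the destination or for the gateway) and of the hop by hop MAC rewrite while the IP header stays the same. The segments, ARP tables, interface addresses and MAC values are constructed sample data, and the routing is reduced to a fixed path list; function names are my own.

```python
# Added example (not part of the course notes): how a host chooses what to ARP for, and how
# the frame's MAC addresses are rewritten at every router hop while the IP addresses stay
# the same. The segments, ARP tables, interface addresses and MAC values below are
# constructed sample data modelled on the 10.1.1.10 -> 10.5.5.100 example.
import ipaddress

# constructed ARP tables, one per layer-2 segment: IP -> MAC
ARP_TABLES = {
    "10.1.1.0/24": {"10.1.1.10": "00a0.1511.89f2", "10.1.1.11": "00a0.1511.89f3",
                    "10.1.1.1": "0089.1111.2222"},      # 10.1.1.1 = default gateway (R1)
    "10.2.2.0/24": {"10.2.2.1": "0089.1111.3333",        # R1 egress interface
                    "10.2.2.2": "0089.2222.1111"},       # R2 ingress interface
    "10.5.5.0/24": {"10.5.5.1": "0089.2222.3333",        # R2 egress interface
                    "10.5.5.100": "00a0.5555.0100"},     # destination host
}

# constructed forwarding path: (router egress interface IP, next hop IP) per hop
PATH = [("10.2.2.1", "10.2.2.2"), ("10.5.5.1", "10.5.5.100")]


def segment_of(ip):
    """Return the ARP table of the layer-2 segment an address lives on."""
    addr = ipaddress.ip_address(ip)
    for net, table in ARP_TABLES.items():
        if addr in ipaddress.ip_network(net):
            return table
    raise KeyError(f"{ip} is on no known segment")


def arp(ip):
    """'Who has ip?' is a broadcast, so only hosts on the same segment can answer."""
    table = segment_of(ip)
    if ip not in table:
        raise KeyError(f"no ARP reply for {ip}")
    return table[ip]


def host_send(src_ip, mask, gateway_ip, dst_ip):
    """Build the first frame. Same network: ARP for the destination itself.
    Other network: routers don't forward the broadcast, so ARP for the gateway."""
    local = ipaddress.ip_network(f"{src_ip}/{mask}", strict=False)
    next_hop = dst_ip if ipaddress.ip_address(dst_ip) in local else gateway_ip
    return {"src_ip": src_ip, "dst_ip": dst_ip, "arp_for": next_hop,
            "src_mac": arp(src_ip), "dst_mac": arp(next_hop)}


def route(frame, path=PATH):
    """Forward hop by hop: each router swaps in its own egress MAC and the next hop's
    MAC; the IP header is left untouched. Returns the frame as seen on each segment."""
    hops = [dict(frame)]
    for egress_ip, next_hop_ip in path:
        f = dict(hops[-1])
        f.update(arp_for=next_hop_ip, src_mac=arp(egress_ip), dst_mac=arp(next_hop_ip))
        hops.append(f)
    return hops


if __name__ == "__main__":
    print(host_send("10.1.1.10", "255.255.255.0", "10.1.1.1", "10.1.1.11"))
    for hop in route(host_send("10.1.1.10", "255.255.255.0", "10.1.1.1", "10.5.5.100")):
        print(hop)
```

Printing the three hops shows the point of the lesson directly: src_ip and dst_ip are identical on every segment, while src_mac and dst_mac are different on each one. It also shows why a wrong subnet mask on a host breaks connectivity: with the mask the host decides whether to ARP for the destination or for the gateway, and an ARP for an address on another segment never gets an answer.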

8. LANs: welcome to Ethernet (22:31 mins)
- Ethernet speed is measured in bits per second (bps), not bytes per second (Bps) (as an example Ethernet speed = 10 Mbps, not 10 MBps)
Ethernet operates in the physical layer and the data link layer:
Data link layer:
- Logical link control (LLC) sublayer: identifies which network layer protocol the frame is handed to
- Media access control (MAC) sublayer: defines the addressing used by Ethernet (it defines the MAC addresses)
Physical layer: examples of the physical standards are CAT 5 and RJ-45 connections, wireless and fiber optic
CSMA/CD (carrier sense, multiple access / collision detection); CSMA/CD is the set of rules governing how you talk on an Ethernet network:
- Carrier: the network signal
- Sense: the ability to detect whether there is a carrier signal (in general Ethernet devices detect the carrier signal)
- Multiple access: all devices have equal access
- Collision: what happens if two devices send at the same time
- Detection: how the computers handle collisions when they happen
Any Ethernet device like a switch port or a NIC must support CSMA/CD
Ethernet uses CSMA/CD; token ring does not use CSMA at all but token passing: there are no collisions in a token ring because there is only one token, so only one device sends at a time (CSMA/CA, collision avoidance, is what wireless LANs use instead)
Methods of communication:
1. Unicast message: when one computer wants to send to one other computer
2. Broadcast message: one message sent to all (example: an ARP packet; it goes out all of the switch ports except the one it was received on)
3. Multicast message: one message sent to a group of devices, the members of that multicast group; the main advantage of multicast messages is that they help reduce the consumption of the available bandwidth
Example of using multicast: a radio stream. If this radio stream used unicast messages it would use a lot of bandwidth to maintain a separate stream for each PC listening to that radio channel, and if it used broadcast messages the network would be flooded, so the best solution for radio streams is multicast messages
MAC addresses: the official explanation

9. LANs: understanding the physical connections (18:17 mins)
Ethernet cables:
Cable type                                     Maximum distance            Connection type / notes
Category 5 (CAT 5) unshielded twisted pair     100 meters                  RJ-45 (a famous variant of CAT 5 is CAT5e)
(UTP)
Multi mode fiber                               275 meters to a few miles   Varies; compared with single mode it sends multiple light signals (modes) through the path and it is cheaper (lower in cost)
Single mode fiber                              1 mile to many miles        Varies

cabling standards:
Pin number    1              2        3              4       5             6        7              8
T568-A        green stripe   green    orange stripe  blue    blue stripe   orange   brown stripe   brown
T568-B        orange stripe  orange   green stripe   blue    blue stripe   green    brown stripe   brown
straight through connection = T568A + T568A OR T568B + T568B
cross over connection = T568A + T568B
You can make a customized cabling standard, but in this case it won't support the maximum standard distance of CAT 5, which is 100 meters!
Ethernet connection rules:
1. Unlike devices use straight through cables
   Examples: PC connected to a switch, router connected to a switch, PC connected to a hub, router connected to a hub
2. Like devices use cross over cables
   Examples: PC connected to another PC, router connected to another router, PC connected to a router, switch connected to another switch, hub connected to another hub, switch connected to a hub
Like devices are:
1. PC, router
2. Switch, hub

10. LANs: understanding LAN switches (19:46 mins)
Hubs:
- only regenerate the signal (a packet that is sent is received by all)
- hub = 1 collision domain and 1 broadcast domain
- a hub is also called shared CSMA/CD
- the problem of a hub is that only 1 device can send or receive at a time; in case a collision occurs (two devices send at the same time) the device that detected the collision sends a jam signal to stop all the network communication, then everyone backs off and retries
- the more devices on a hub, the higher the chance of a collision
- hubs work on the physical layer
collision domain: the set of devices that share one medium, so only one of them can send at a time
broadcast domain: how far a broadcast travels before it stops
Bridges:
- bridges are software based
- number of collision domains = number of ports on the bridge
- bridges are slow in general
- bridges have the capability to learn MAC addresses
- bridges have a low number of ports
- bridges work on the data link layer
Switches:
- switches support full duplex communication: each port connected to a device can send and receive at the same time (no collisions happen at all on a full duplex switch port)
- switches are hardware based, application specific integrated circuit (ASIC) devices
- number of collision domains = number of ports on the switch
- switches work on the data link layer
example of a full duplex link: if we have a 100 Mbps link speed, that means 200 Mbps full duplex (100 Mbps to send data and 100 Mbps to receive data)
how a switch works: once the switch first boots up it starts building its CAM (content addressable memory) table: for every frame it receives it records the source MAC address against the port the frame arrived on; a frame to a MAC address already in the table is sent out that port only, while a frame to an unknown or broadcast address is flooded out all ports except the one it came in on
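Worked example (added here, not part of the course notes): a minimal Python model of a switch learning MAC addresses into its CAM table and forwarding on it, flooding unknown unicast and broadcast frames. The ports, MAC addresses and the table size limit are constructed values. The size limit is the security caveat: a real CAM table is finite ASIC memory, and once it is full the switch can no longer learn, so traffic for new hosts is flooded to every port, which is what a MAC flooding attack aims for.

```python
# Added example (not part of the course notes): a minimal model of how a switch builds its
# CAM table from the source MAC of every frame it sees and uses it to forward. Port numbers,
# MAC addresses and the table size limit are constructed values.
from collections import OrderedDict

BROADCAST = "ffff.ffff.ffff"


class Switch:
    def __init__(self, ports, max_entries=8192):
        self.ports = list(ports)
        self.cam = OrderedDict()        # MAC -> port, oldest entry first
        self.max_entries = max_entries  # CAM is ASIC memory and is finite

    def learn(self, mac, port):
        """Record the source MAC against the port it arrived on; returns False if the
        table is full, in which case the switch keeps flooding frames for that host."""
        if mac in self.cam:
            self.cam.move_to_end(mac)
            self.cam[mac] = port        # the host may have moved to another port
            return True
        if len(self.cam) >= self.max_entries:
            return False               # a MAC-flooding attack aims for exactly this state
        self.cam[mac] = port
        return True

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame goes out of."""
        self.learn(src_mac, in_port)
        if dst_mac != BROADCAST and dst_mac in self.cam:
            out = self.cam[dst_mac]
            return [] if out == in_port else [out]   # known on the ingress port: filtered
        # unknown unicast or broadcast: flood out every port except the one it came in on
        return [p for p in self.ports if p != in_port]


if __name__ == "__main__":
    sw = Switch(ports=[1, 2, 3, 4])
    print(sw.forward(1, "00a0.1511.89f2", "00a0.1511.89f3"))  # unknown: flooded to 2, 3, 4
    print(sw.forward(2, "00a0.1511.89f3", "00a0.1511.89f2"))  # learned: sent to port 1 only
    print(dict(sw.cam))
```

The first frame is flooded because the destination is still unknown, but the switch learns the sender's port from it; the reply then goes out one port only. The same-port case (destination known on the ingress port) is filtered, which is what makes a switch different from a hub.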

11. LANs: working with the Cisco switch IOS (29:15 mins)
what is the Cisco IOS:
1. the Internetwork Operating System
2. a command line method of configuring a Cisco device
3. software that is consistent across nearly all Cisco devices
4. learn it once, use it many times
5. more powerful than any graphical interface
connecting to the Cisco switch:
1. get a console cable
2. plug the serial end into the back of your PC
3. plug the RJ-45 end into the console port on the switch
4. get a terminal program like:
   - HyperTerminal
   - TeraTerm
   - minicom
   - SecureCRT
5. set it to connect via the COM port with the following settings:
   baud rate: 9600
   data bits: 8
   parity: none
   stop bits: 1
   flow control: none
Tips about the commands in the Cisco IOS:
If you type ? at any point in the IOS it shows you the full list of commands; after that press ENTER to go line by line, press SPACE to go page by page, and press any other character to get out of the help system
Router#c?   in this way the ? shows all the commands that start with the letter c
If we typed ? and found <CR>, that means carriage return: there are no further parameters left to include in the command we are typing
In the help system, any word written in capital letters is a variable and you need to enter something to fill that variable
Example:
Router#clock set 13:16:30 ?
  <1-31>  day of the month
  MONTH   month of the year
Say we want to enter a month name instead of a number (1-31); the command then becomes: Router#clock set 13:16:30 September
You can use the TAB key on the keyboard to auto complete a command
If we typed a command and got the message "incomplete command", that means there is a missing parameter
If we typed a command and got the message "ambiguous command", that means I typed an abbreviation that matches more than one command (I must type more of it, because more than one command starts the same way; for instance you could type "qu", but that would be ambiguous because both "quit" and "quote" are valid commands)
If we typed a command and got the message "unrecognized command" (% Invalid input detected), that means I typed the command in the wrong mode or misspelled it
Router# show history is used to check the commands I typed before; it memorizes up to 10 by default and this value can be changed (terminal history size)

IOS modes:
1. Switch> is called user mode (user exec): only basic show commands, telnet and ping can be run in this mode
2. Switch# is called privileged mode (privileged exec): from user mode you type the command enable to enter this mode; you can view anything in this mode, like the current configuration of the switch/router
3. Switch(config)# is called global configuration mode: in this mode we configure global commands, and those commands affect the whole switch/router; as an example Switch(config)# hostname NAME changes the hostname of the router/switch. To enter this mode you type configure terminal from privileged mode: Switch# configure terminal (config t for short)
4. Switch(config-if)# is called interface configuration mode: any command typed in this mode affects a specific interface only; to enter this mode you type, as an example, Switch(config)# interface fa0/0 from global configuration mode
Switch(config-if)# end moves you back to privileged mode from interface mode
If you type the command exit in any mode it moves you back one step
CTRL+Z moves you back to privileged mode from any mode
CTRL+E moves the cursor to the end of the line
CTRL+A moves the cursor to the beginning of the line

12. LANs: initial setup of a Cisco switch (35:03 mins)
Understanding the physical indicators on the switch (the lights):
1. System indicator: if it is green then all is good; if it is amber (yellow) that means there is a problem; usually after booting, the system indicator goes solid green
2. RPS (redundant power supply) indicator: if both power supplies of the switch are connected to electricity it goes solid green (that means the switch is power redundant)
3. Mode button: this gives us the option to choose what the port LEDs display
   - Stat mode: the default mode; it shows the status of each port, as an example if a port is plugged in it shows a green light
   - Util mode: it shows the utilization of the switch; as an example if the switch is 10% utilized the first 4 port LEDs show green, and if the utilization is 100% all the port LEDs are lit green (this mode only shows how much throughput is going through the switch)
   - Duplex mode: it shows the duplex status of each port; if a port is lit green the port is running full duplex, and if it isn't lit the port is running half duplex
   - Speed mode: it shows the speed of each port; if the speed of the port is 100 Mbps it is lit green, and if it is 10 Mbps it isn't lit
Once you boot the switch you will notice the following on the screen (IN ORDER!):
- the MAC address of the switch
- the flash that holds the IOS
- the decompression of the IOS image from flash into RAM
- the switch model, the IOS version and the .bin flash file name
- the test process for the internal parts (POST)
- the memory of the switch, as an example 65526K/8192K
- how many interfaces are installed
- how much NVRAM is present (this is where the switch stores its configuration)
- at the end of the boot process it asks whether you want to enter the initial setup wizard
The enable secret and enable password commands allow you to protect privileged mode:
Router(config)# enable password PASSWORD
Router(config)# enable secret PASSWORD
CTRL+C is used to exit the initial setup wizard
Router(config)# hostname NAME is used to change the hostname of the router

General information about VLANs:
Number of VLANs = number of broadcast domains
Using VLANs, each VLAN is isolated from the others; by default VLAN 1 is created and all the interfaces in the switch are assigned to that default VLAN (VLAN 1)
To configure a management IP for the switch we configure interface VLAN 1: interface vlan 1 is a virtual interface that is used in general for configuring an IP address on the switch so that we can telnet to that particular switch; in general all members of VLAN 1 can reach interface VLAN 1
To have the ability to telnet to a switch we need to configure an IP address and a default gateway
To configure an IP address and a default gateway for the switch:
Switch(config)# interface vlan 1
Switch(config-if)# ip address 172.30.2.180 255.255.255.0     (this configures the IP)
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway 172.30.2.1                (this configures the DG)
Switch# show interface vlan 1 is used to see the status of interface VLAN 1 and the IP configured for that particular switch. If we run that command and see "Vlan1 is administratively down, line protocol is down": "administratively down" means the interface is shut down and we need to enable it with the no shutdown command (Switch(config-if)# no shutdown); the first part shows the physical state (physical layer state) and "line protocol is down" shows the data link state (data link layer state)
Switch# show running-config (Switch# show run) is used to show the current configuration (the running-config is the configuration found in RAM); if the switch goes down we lose this configuration, which is why we save the running-config to the startup-config (the startup-config is the configuration found in NVRAM, non volatile RAM)
Switch# show startup-config is used to show the startup configuration (the configuration found in NVRAM)
Switch# show version is used to show the model of the switch, the IOS version currently running on the switch, how long the switch has been up and running, the model number and the memory available on the switch
Switch# copy running-config startup-config is used to copy the configuration from RAM to NVRAM so that if the switch goes down we don't lose the configuration

13. LANs: configuring switch security, part 1 (37:08 mins)
If you don't set a password on the switch it won't allow you to telnet to it until you set one
User mode passwords are the passwords on the telnet (vty) lines, the console port and the auxiliary port
Privileged mode passwords are configured using the commands Switch(config)# enable password PASSWORD and Switch(config)# enable secret PASSWORD
Switch(config)# enable password PASSWORD is used to protect privileged mode (#) with a password; the problem with this command is that the password appears in Switch# show run as plain text
Example:
Switch> enable
Password:
Switch#
Switch(config)# enable secret PASSWORD is also used to protect privileged mode (#) with a password; this one appears in Switch# show run hashed, and the enable secret supersedes the enable password (if both are set, only the secret is accepted)
To do a quick backup of the switch/router we copy the running configuration into Notepad, and if we want to restore that configuration we just enter global configuration mode and paste it there
Switch# show run is used to view the configured passwords (privileged mode password and user mode passwords); in general the telnet, console, enable and auxiliary passwords appear in plain text and the enable secret is the only one that appears hashed
Based on the previous point, if we want to hide all the passwords that appear in Switch# show run we use the Switch(config)# service password-encryption command (this is only obfuscation, see the example below)
Example:
Switch# show run
enable secret 5 2nbjhb/$ksjh        (the 5 means level 5 / type 5: an MD5 hash; it cannot be reversed, only guessed by brute force)
!
line con 0
 password 7 234shdj                 (the 7 means level 7 / type 7: the weak reversible encoding that service password-encryption applies; it is broken easily, you can Google for BREAK CISCO PASSWORD)
To protect privilege mode (#) with a password we use the Switch (config) # enable secret PASSWORD command or the Switch (config) # enable password PASSWORD command
To protect user mode (>) with a password we secure the telnet ports, the console port and the auxiliary port
 To configure a password on the console port :
Switch (config) # line con 0
Switch (config-line) # password PASSWORD    assigns a password to the console
Switch (config-line) # login    informs the router to ask for a password
 To configure a password on the telnet ports :
Switch (config) # line vty 0 4
Switch (config-line) # password PASSWORD
 Notes:
 Switch (config-line)# login command is configured by default on the telnet lines; this command gives you the prompt "Password required, but none set" in case we didn't configure a password, or "Password:" in case we configured a password
 If we configure the command Switch (config-line)# no login then you can enter the switch using telnet without being prompted for a password
 VTY ports are ports that accept telnet sessions; as an example if we configure the command Switch (config) # line vty 0 15 that means we are configuring 16 telnet sessions (this is the maximum the switch can handle), in this case 16 telnet sessions can be active at the same time (16 people can telnet at the same time)
 If we configure the command Switch (config) # line vty 0 1 then only 2 people will be asked for a password and can telnet to the switch
Login banners :
1. Banner login : this banner is displayed when you login using VTY (it appears before the user name and password are requested)
2. Banner MOTD : this banner is displayed once you connect to the router directly, whether you telnet to the router or connect by console
Note: if you configure both the banner MOTD and the banner login, the banner MOTD will appear before the banner login
Switch (config) # banner motd "here I type anything I want to appear" command is used to configure the banner MOTD; the " is any delimiting symbol I can use but it must be the same at the beginning and the end of the text I want to include
Telnet is weak because it uses a password that can be captured by packet sniffers like the wireshark program; to configure telnet we only need to configure a password for it

SSH (secure shell) : it's telnet plus an encryption protocol
To configure SSH :
1. it needs a user name and password
2. assign a domain name that will be used to generate the encryption certificates
3. generate RSA keys to secure the SSH sessions; the general template looks like: switchname.domainname (example : SW1.virus.com, SW1 is the switch name and virus.com is the domain name)
4. specify which version of SSH to use
5. configure the switch to use SSH instead of telnet
The following example shows how to configure SSH, following each point from above:
1. switch (config) # username USERNAME password PASSWORD
2. switch (config) # ip domain-name DOMAINNAME
3. switch (config) # crypto key generate rsa    this command will ask us for the size of the key to generate; the best to choose is 1024 (the default is 512)
4. switch (config) # ip ssh version 2
5. switch (config) # line vty 0 4
   switch (config-line) # transport input ssh    this command enables SSH and disables telnet. The default is switch (config-line) # transport input telnet and it's enabled by default. We can also enable both telnet and SSH using the command switch (config-line) # transport input telnet ssh
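Added example (my code, not from the course or from Cisco): a small auditor that reads a running-config and reports the weak settings this section describes, so a show run dump can be checked without eyeballing it. It parses the global commands and each line con/vty section, classifies every password as type 0 (plain), 7 (reversible) or 5 (MD5 secret), and flags enable password, type 0/7 passwords, vty lines with no login, and lines still accepting telnet. Both config texts are constructed samples (the hashes and type 7 strings are placeholders, not real encodings); the Finding codes are my own names.

```python
"""Added example (not from the course): audit a Cisco IOS running-config for the
password-storage and remote-access weaknesses described in this section.
Both config texts below are constructed samples, not captured from a device."""
import re
from dataclasses import dataclass

# Constructed weak config: type 0/7 passwords, vty with 'no login' and telnet.
WEAK_CONFIG = """\
hostname SW1
enable password cisco123
enable secret 5 $1$abcd$EXAMPLEHASHxxxxxxxxxxxxxxx
service password-encryption
username admin password 7 0123456789AB
line con 0
 password 7 0123456789AB
 login
line vty 0 4
 password 7 0123456789AB
 no login
 transport input telnet
line vty 5 15
 transport input ssh
"""

# Constructed hardened config: secrets hashed, local login, SSH only.
HARDENED_CONFIG = """\
hostname SW1
enable secret 5 $1$abcd$EXAMPLEHASHxxxxxxxxxxxxxxx
service password-encryption
username admin secret 5 $1$abcd$EXAMPLEHASHxxxxxxxxxxxxxxx
ip domain-name example.com
ip ssh version 2
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""

@dataclass
class Finding:
    code: str      # short identifier, e.g. TYPE7_LINE (my own naming)
    where: str     # "global" or the line section the command sits in
    message: str

def parse_sections(config):
    """Split config into top-level commands and the indented commands under
    each 'line con/aux/vty' section."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections

def password_type(cmd):
    """Storage type of a password/secret command: 0 cleartext, 7 reversible,
    5 MD5 hash (the 'level 5' of the notes); None if cmd carries no password."""
    m = re.search(r"\b(password|secret)\s+(\d)\s+\S+$", cmd)
    if m:
        return int(m.group(2))
    m = re.search(r"\b(password|secret)\s+\S+$", cmd)
    if m:                      # no type digit: 'secret X' is hashed when saved
        return 5 if m.group(1) == "secret" else 0
    return None

def audit(config):
    findings = []
    global_cmds, sections = parse_sections(config)
    gset = set(global_cmds)
    if any(c.startswith("enable password") for c in global_cmds):
        findings.append(Finding("ENABLE_PASSWORD", "global",
                                "'enable password' is stored as type 0/7; 'enable secret' (type 5) supersedes it"))
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append(Finding("NO_ENABLE_SECRET", "global", "privilege mode has no hashed secret"))
    if "service password-encryption" not in gset:
        findings.append(Finding("NO_PW_ENCRYPTION", "global", "line passwords will show as plain text in show run"))
    if "ip ssh version 2" not in gset:
        findings.append(Finding("NO_SSHV2", "global", "SSH version 2 is not enabled"))
    for c in global_cmds:
        if c.startswith("username") and password_type(c) in (0, 7):
            findings.append(Finding("TYPE7_USER", "global", c.split()[1] + ": use 'username ... secret'"))
    for name, cmds in sections.items():
        if any(c.startswith("password") and password_type(c) in (0, 7) for c in cmds):
            findings.append(Finding("TYPE7_LINE", name, "line password is type 0/7 (reversible)"))
        if name.startswith("line vty"):
            if "no login" in cmds:
                findings.append(Finding("NO_LOGIN", name, "telnet/ssh sessions are not asked for a password"))
            transports = [c for c in cmds if c.startswith("transport input")]
            if not transports or any("telnet" in t or "all" in t for t in transports):
                findings.append(Finding("TELNET", name, "cleartext telnet accepted (the default without 'transport input ssh')"))
        elif not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(Finding("NO_LOGIN", name, "console/aux line never asks for a password"))
    return findings

if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print("[%s] %s: %s" % (f.code, f.where, f.message))
```

Running it on WEAK_CONFIG reports the enable password, the type 7 user and line passwords, the missing ip ssh version 2, and the no login / telnet settings on line vty 0 4, while line vty 5 15 (ssh only) and HARDENED_CONFIG produce no findings.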
14. LANS: configuring switch security, part 2 (19: 00 mins)

switch # show ip interface brief command is used to show what ip addresses are configured and what interfaces we have on the switch; it appears as a table, and in the table there is a column called status that represents the physical layer and another column called protocol that represents the data link layer
switch # terminal monitor command is used to display all the sys messages on the screen while connected using a telnet/ssh session
Example: 01:38:06: %SYS-5-CONFIG_I: Configured from console by shady on vty0 (172.30.2.50)
A console session will show those messages on the screen by default
switch # show mac address-table command is used to show the MAC address table; it contains static MAC addresses (learnt manually by adding them to the table) and dynamic MAC addresses (learnt automatically)
port security :
 port security is a way to lock down what devices can plug into the switch or how many devices can plug into your switch
 using port security we can secure the port by MAC address so that only specific computers can connect to specific ports
 to configure port security :
Switch (config) # interface fastethernet 0/5
Switch (config-if) # switchport mode access    this command is used to change the port mode to be an access port (access ports are configured if we connect an end device to that port like a PC or a router); in case this port is connected to another switch then we configure the port mode to be TRUNK
Switch (config-if) # switchport port-security    this command is used to enable port security only
Switch (config-if) # switchport port-security maximum 1    this command means that the maximum number of MAC addresses allowed to connect to this port (interface) is 1, and because 1 is the default this command won't appear in the switch# show run results
Switch (config-if) # switchport port-security violation ?    this command is used to tell the switch what to do if somebody violates my policy
? = 1) shutdown: it will shut down the port and the only way to enable that port again is to run the command switch (config-if) # no shutdown
2) protect: based on our example if somebody attaches more than one device (more than one MAC address) to this port, it will just accept the 1st device and the others will be ignored and can't access the network (in other words it just tells the new device "I'm sorry, I'm not listening to you")
3) restrict: restrict is like the protect keyword plus logging the violation; this is used a lot just to know who violated that port as it logs all the violations that happen on the port
NOTE: restrict and protect don't shut down the port, they just ignore the violating device
Switch (config-if) # switchport port-security mac-address ?    this command is used to specify the MAC addresses allowed, by learning them manually or learning them automatically
? = 1) H.H.H: to specify a MAC address manually by typing it in the format H.H.H
2) sticky: to learn the MAC address that is connected to the port automatically; the automatically learnt MAC address will appear in the running config
Example: this is a sample running config file (NOTE: you won't find the command switchport port-security maximum as this example is using the default number so it won't appear in the running config file):
switch (config-if) # do show run int fa0/5    the DO command allows us to run any show command from any mode instead of running it from privilege mode only
interface fastethernet 0/5
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0015.c5af.ea57    this appears automatically if we used the keyword sticky
Switch # show port-security interface fastethernet 0/5 command is used to show port security information for a specific interface
Example:
Switch # show port-security interface fastethernet 0/5
Port status: secure-up
Security violation count: 0
Last source address: VLAN: 0015.c5af.ea37:1
Notes about the above example:
 if the pc is connected to the port the port status will show secure-up, if the pc isn't connected to the port it will show secure-down, and finally if the port is shut down because it has been violated it will show secure-shutdown
 the security violation count shows how many violations happened on this port; the restrict keyword will increase this count but the protect keyword won't
 the command switch # show port-security interface fastethernet 0/5 shows the last MAC address that violated security
switch # show port-security command is used to show the port security information for all interfaces
switch (config) # interface range fastethernet 0/2-24    this command is used to configure a range of ports at the same time with the same configuration; this command configures the ports 2-24
Switch (config-if-range) # switchport mode access
Switch (config-if-range) # switchport port-security
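Added example (my code, not from the course or from Cisco): after port security is configured, what you actually watch is the show port-security interface output and the violation syslog messages. This block parses the field/value output into a dict, splits the last source address into MAC and VLAN, turns the status fields into operator codes (error-disabled port, counted violations, protect mode that hides violations, a maximum higher than expected), and extracts the port and offending MAC from a %PORT_SECURITY-2-PSECURE_VIOLATION syslog line. The sample output is constructed on the pattern of the example above (extra fields added in the IOS layout), the syslog line is constructed, and the codes are my own names.

```python
"""Added example (not from the course): parse 'show port-security interface'
output and the port-security violation syslog message, and flag what an
operator should look at. Sample text is constructed, modelled on the notes."""
import re

# Constructed sample, modelled on the example in the notes (not a real capture).
SAMPLE_OUTPUT = """\
Switch# show port-security interface fastethernet 0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0015.c5af.ea37:1
Security Violation Count   : 0
"""

# Constructed syslog line in the IOS %PORT_SECURITY-2-PSECURE_VIOLATION layout.
SAMPLE_SYSLOG = ("01:42:11: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                 "occurred, caused by MAC address 0015.c5af.ea57 on port FastEthernet0/5.")

FIELD_RE = re.compile(r"^(.+?)\s+:\s*(.*)$")   # 'Field name   : value'
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$")

def parse_port_security(text):
    """Return {field: value}; the prompt line has no ' :' separator and is skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def last_source(fields):
    """Split 'mac:vlan' from the Last Source Address:Vlan field."""
    mac, _, vlan = fields.get("Last Source Address:Vlan", "").partition(":")
    return mac, (int(vlan) if vlan else None)

def assess(fields, expected_max=1):
    """Codes an operator acts on: error-disabled port, counted violations,
    'protect' mode (violations are neither counted nor logged), too-high maximum."""
    codes = []
    if fields.get("Port Security", "").lower() != "enabled":
        codes.append("DISABLED")
    if fields.get("Port Status", "").lower() == "secure-shutdown":
        codes.append("ERRDISABLED")        # needs 'no shutdown' after the cause is removed
    if int(fields.get("Security Violation Count", "0")) > 0:
        codes.append("VIOLATIONS")         # only restrict/shutdown modes count these
    if fields.get("Violation Mode", "").lower() == "protect":
        codes.append("PROTECT_MODE")       # silently drops, so violations go unnoticed
    if int(fields.get("Maximum MAC Addresses", "0")) > expected_max:
        codes.append("MAX_TOO_HIGH")
    return codes

def parse_violation_syslog(line):
    """Return (port, offending MAC) from a violation syslog line, or None."""
    m = VIOLATION_RE.search(line)
    return (m.group(2), m.group(1)) if m else None

if __name__ == "__main__":
    info = parse_port_security(SAMPLE_OUTPUT)
    print(info["Port Status"], last_source(info), assess(info) or "no action needed")
    print(parse_violation_syslog(SAMPLE_SYSLOG))
```

With terminal monitor enabled on a vty session (or on the console by default), the violation message is what you see first; feeding it to parse_violation_syslog gives the port to inspect with show port-security interface.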
15. LANS: optimizing and troubleshooting switches (31: 44 mins)
by default each port on the switch is configured as auto duplex and auto speed (it auto detects the duplex and speed); most of the problems that happen on the switch aren't from detecting the speed but from detecting the duplex, like the duplex mismatch problem
Duplex mismatch is a problem that happens if one side is configured as half duplex and the other side is configured as full duplex (a PC connecting slowly is a result of duplex mismatch. Another example is a switch that shows collisions: as we know there aren't collisions when we use switches, but in case there are, the problem would probably be a duplex mismatch issue)
full duplex is to send and receive at the same time
half duplex is to send OR receive at one time
collection of commands to know :

Switch (config) # interface fastethernet 0/2
Switch (config-if) # duplex half    command used to configure the port as half duplex
Switch (config) # interface fastethernet 0/1
Switch (config-if) # duplex full    command used to configure the port as full duplex
Switch (config-if) # speed 10    command used to set the speed to 10Mbps (NOTE that there isn't an available speed command for Ethernet ports; speed commands are only available for fastethernet ports or gigabit ports)
Switch (config) # line con 0
Switch (config-line) # logging synchronous    this command is used to make the log/status messages appear on the screen in separate lines instead of interrupting the commands we type
Switch (config-line) # exec-timeout 30 0
Switch (config-line) # exit
Switch (config) # line vty 0 4
Switch (config-line) # logging synchronous
Switch (config-line) # exec-timeout 30 5    in general if you don't type anything for 5 minutes then the session you opened will time out and you will get disconnected; with this command you extend the time to 30 minutes and 5 seconds
Switch (config-line) # no exec-timeout 30 0    this command is used in case you don't want your open session to be disconnected at all (you cancel any timeout period)
domain lookup : this is a feature that allows you to type in privilege mode any word and the router/switch starts trying to translate that word to an ip address, but in general we disable this feature using the command switch (config)# no ip domain-lookup
Example:

Before applying the command switch (config) # no ip domain-lookup

Switch# flow
Translating "flow" .... domain server (255.255.255.255)
%Unknown command or computer name, or unable to find computer address

Above it's trying to resolve the word flow (probably a device on the network) to an ip address by sending broadcast messages to find that ip address

After applying the command switch (config) # no ip domain-lookup

Switch# flow
%Unknown command or computer name, or unable to find computer address

There isn't any translation process now, so no broadcast messages are sent

 alias : in case we have a long command we can make an alias for it to use instead of typing that command every time
Switch (config) # alias exec s show ip interface brief
In this command we must specify the mode the actual command (show ip interface brief) runs in, here it's privilege mode (exec), and the alias we chose is the letter (s)
broadcast storms and STP (spanning tree protocol)
troubleshooting using show commands :
switch # show ip interface brief command will show you all the ports available on the switch and the status of every port; if the protocol status is showing down then there is a data link layer problem like an encapsulation mismatch
switch # show interface fastethernet 0/2 command will show you details about a specific port (in this example fa0/2) like the MAC address, MTU, bandwidth, delay, reliability (in general this must be 255/255; if the cable is flapping then this value will decrease, which means the flapping cable isn't reliable), it also shows the duplex mode, speed, txload (how much load you are sending; if it's 1/255 that means this port isn't sending a lot) and rxload (how much load you are receiving), and finally it shows you how many bits per second are received and sent (input/output rate), how many packets went in/out of this port and how many broadcast packets have been received
Example:
If there are 17928 packets input and 14446 broadcasts received then the broadcast packets would be 14446/17928=0.80=80% (80% of the packets are broadcasts); in general the broadcast packets mustn't be more than 20%
switch # show interface description command shows the ports of the switch, the status of each port and the description (what has been configured using the switch (config-if)# description DESCRIPTION command) of each port; the interface output also shows all the bad packets like runts, giants, input errors, CRC, frame, overrun, ignored and throttles, and finally it shows you the total packets output, collisions and late collisions
runts (packets that are too small in size) and giants (packets that are too big in size) are dropped in general and they result from bad connections
input errors, CRC and frame errors usually result from a faulty NIC or switch port, or from interference on the cable itself
 late collisions happen if the cable is too long (longer than 100 meters for CAT 5 cables) because if the cable is too long then the distance the packet has to travel is long as well
collisions usually happen when there is a duplex mismatch
switch # show run command is the easiest way to check the current configuration
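Added example (my code, not from the course or from Cisco): the troubleshooting rules of thumb in this section applied to show interface output. The block pulls the counters the notes name out of the text with regular expressions (reliability, txload/rxload, packets input, broadcasts, runts, giants, input errors, CRC, collisions, late collisions), computes the broadcast share the way the notes do (14446/17928), and returns a code for each rule that fires: broadcasts over 20%, reliability under 255/255, input/CRC errors, runts or giants, late collisions, and collisions on a switch port as a duplex mismatch suspect. The output text is a constructed sample in the IOS layout using the notes' packet and broadcast counts, not a real capture; the codes are my own names.

```python
"""Added example (not from the course): pull the counters this section names
out of 'show interface' output and apply the rules of thumb the notes give.
The output below is a constructed sample in the IOS layout, not a real capture."""
import re

SAMPLE_SHOW_INTERFACE = """\
FastEthernet0/2 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0019.e8a0.1c02 (bia 0019.e8a0.1c02)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Half-duplex, 100Mb/s
  5 minute input rate 2000 bits/sec, 3 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     17928 packets input, 1523412 bytes, 0 no buffer
     Received 14446 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored
     9821 packets output, 811232 bytes, 0 underruns
     0 output errors, 42 collisions, 7 interface resets
     0 babbles, 11 late collision, 0 deferred
"""

COUNTERS = {   # counter name -> regex capturing its integer value
    "reliability": r"reliability (\d+)/255",
    "txload": r"txload (\d+)/255",
    "rxload": r"rxload (\d+)/255",
    "packets_in": r"(\d+) packets input",
    "broadcasts": r"Received (\d+) broadcasts",
    "runts": r"(\d+) runts",
    "giants": r"(\d+) giants",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}

def parse_show_interface(text):
    """Return a dict with interface/status/protocol/duplex plus the counters above."""
    head = re.match(r"(\S+) is (\w+), line protocol is (\w+)", text)
    if not head:
        raise ValueError("not 'show interface' output")
    stats = {"interface": head.group(1), "status": head.group(2), "protocol": head.group(3)}
    duplex = re.search(r"(Half|Full)-duplex", text)
    stats["duplex"] = duplex.group(1).lower() if duplex else None
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        stats[name] = int(m.group(1)) if m else 0
    return stats

def broadcast_ratio(stats):
    """Fraction of input packets that were broadcasts (0.0 if nothing received)."""
    return stats["broadcasts"] / stats["packets_in"] if stats["packets_in"] else 0.0

def diagnose(stats):
    """One code per rule of thumb from the notes that fires on these counters."""
    codes = []
    if stats["protocol"] != "up":
        codes.append("LINE_PROTOCOL_DOWN")      # data link problem, e.g. encapsulation mismatch
    if stats["reliability"] < 255:
        codes.append("LOW_RELIABILITY")         # flapping cable or bad link
    if broadcast_ratio(stats) > 0.20:
        codes.append("BROADCAST_HIGH")          # over the 20% rule of thumb
    if stats["input_errors"] or stats["crc"]:
        codes.append("INPUT_ERRORS")            # faulty NIC, port or cable interference
    if stats["runts"] or stats["giants"]:
        codes.append("BAD_FRAME_SIZES")         # usually a bad connection
    if stats["late_collisions"]:
        codes.append("LATE_COLLISIONS")         # cable over the 100 m CAT 5 limit
    if stats["collisions"]:
        codes.append("DUPLEX_MISMATCH_SUSPECT") # collisions on a switch port: check duplex
    return codes

if __name__ == "__main__":
    s = parse_show_interface(SAMPLE_SHOW_INTERFACE)
    print("%s: %.0f%% broadcasts, duplex %s" % (s["interface"], 100 * broadcast_ratio(s), s["duplex"]))
    print(diagnose(s))
```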
16. Wireless: understanding wireless networking (34:25 mins)
types of wireless networks :
 personal area network (PAN) : it uses a small radius of a few feet, like connecting a Bluetooth set to a mobile device or connecting a wireless mouse
 local area network (LAN)
 metropolitan area network (MAN) like point to point wireless bridges
 wide area network (WAN) like cellular networks
wireless LAN facts :
1. a wireless access point (WAP) communicates like a hub
2. it has a shared signal (in other words the more users connected to the wireless access point the more bandwidth is used)
3. it acts as half duplex
4. uses unlicensed bands of radio frequency (RF); unlicensed means not managed internationally (no need to buy a license to use it); as an example if you go to a park and the wireless available in that park is saturated, you can't complain to anybody to fix that issue because it isn't covered by any license
5. wireless is a physical layer and data link layer standard
6. it faces connectivity issues because of interference
7. uses CSMA/CA instead of CSMA/CD (like token ring); as an example if a user wants to send a packet it first informs the whole wireless network that it will send a packet, and when the access point (AP) replies back to that user then that user can start sending
unlicensed frequencies :
1.
900 MHZ range : 902MHZ-928MHZ ( this is a low data rate and it
covers big ranges ) , we don’t find a lot of devices within this range
because the lower the frequency ( lower data rates ) you have the
further range you will get but that results to less bandwidth ( lower
frequency= further range = less bandwidth )
2.
2.4GHZ range : 2.400GHZ-2.483GHZ
3.
5GHZ range : 5.150GHZ-5.350GHZ ( this is a high data rate and
covers shorter ranges )
Understanding radio frequencies ( RF ) :
1.
Radio frequency (RF) waves are absorbed ( passing through walls )
or reflected ( by metal )
2.
Higher data rates ( high frequencies ) have shorter ranges ( the
more speed you are using the closer in you must be to the WAP )
3.
In general the more you get far from the wireless access point the
weaker the signal becomes
4.
802.11 ( wireless ) , 802.3 ( Ethernet )
The 802.11 line up :
1.
802.11B:
 Most popular standard ( more popular than 802.11A although
802.11A is better )
 The speed reaches up to 11MBps (1, 2, 5.5, 11 data rates)
 Three clean channels available without any interference
It uses 2.4GHZ RF
2.
802.11G :
 Backwards compatible with 802.11B
 The speed reaches up to 54MBps ( 12 data rates )
 Three clean channels available without any interference
It uses 2.4GHZ RF
3.
802.11A:

The speed reaches up to 54MBps ( 12 data rates ) 12 to 23 clean channels available without any interference

It uses 5.8GHZ RF

Not cross compatible with 802.11B/G because 802.11A uses a

different range ( 5.8GHZ ) than 802.11B/G(2.4GHZ )

NOTE: there is a page that describes wireless channels and the clean

channels

 

Wireless access points ( WAP ) in general has a coverage of 300 feet without obstructions ITU-R : international telecommunication union – radio communication sector , this regulates the radio frequencies used for wireless transmission Institute of electrical and electronic engineers (IEEE) maintains the 802.11 wireless transmission standards

  WI-FI alliance ensures certified interoperability between 802.11 wireless vendors  Wireless dangers : 1.
 WI-FI alliance ensures certified interoperability between 802.11
wireless vendors
Wireless dangers :
1. War driving : is to drive your car around a neighborhood that has a wireless connection and use that connection for free
2. Hackers
3. Employees : some of the employees may bring their own wireless access points and plug them into the company network to have a wireless connection; those wireless access points are called rogue wireless access points
Wireless security : it’s in general a combination of authentication
and encryption
1.
Authentication : an example of authentication is to require a
user name and password or using certificates to accomplish
the authentication process , ( examples of authentication
methods are 802.1x authentication and pre shared keys )
2.
Encryption: anything sent on the network is encrypted to
protect the data , ( examples of encryption methods are WEP-
wired equivalent privacy - , WPA – WI-FI protected access – and
WPA2 )
3. Intrusion prevention system (IPS) : is used to detect rogue wireless access points; if the IPS detects a rogue access point it will shut down the port the rogue access point has been connected to, or the IPS will send you a message or email

17. Wireless: wireless security and implementation (29:27 mins)

Evolution of wireless security

1. Originally : pre-shared key WEP : pre-shared key is a system of security where you type a key on the wireless access point and all the clients that join that wireless access point must type that same key; in general the pre-shared key method is weak because if one of the employees leaves the company then you need to change that key on all the devices
2. Evolution 1 : pre-shared key WPA1 : this evolution improves the security from WEP encryption to WPA1 encryption, as WPA1 uses TKIP (temporal key integrity protocol) for the encryption and that is a bit stronger compared to WEP encryption
3. Evolution 2 : WPA1 and 802.1x authentication : in general the 802.1x authentication concept is that when a device joins the wireless access point it sends to that access point a user name and password or a certificate, depending on which authentication method the device is using; the access point passes that user name and password or that certificate to a specific server to check that it is valid; after that the server sends back to the access point that the user name and password or the certificate is valid; finally the device joins the wireless access point network
Each time a device joins the wireless access point several encryption keys (those aren't pre-shared keys) are generated using an encryption algorithm (every new session established creates new encryption keys)
The advantage of 802.1x authentication is that it's a bit stronger; let's say for example one of the employees leaves the company, we don't need to change the key as we did in the pre-shared key method, instead we just disable the user account or the certificate that employee was using on the main server
4. Evolution 3 : WPA2 (802.11i) and 802.1x authentication : this evolution improves the security from WPA1 encryption and 802.1x authentication to WPA2 encryption and 802.1x authentication, as WPA2 uses AES (advanced encryption standard) for the encryption and that is a bit stronger compared to WPA1, which uses TKIP (temporal key integrity protocol) for the encryption
NOTE: evolution 2 and evolution 3 support pre-shared keys as well
Understanding the SSID :
 The service set identifier (SSID) uniquely identifies and separates wireless networks; the SSID is the name of the wireless network
 You can have a wireless access point that has multiple SSIDs; as an example you can have a wireless access point that has 2 SSIDs, one called public (unsecured network) and the other called private (secured network)
When a wireless client is enabled the following happens :
1. The client issues a probe (request)
3. The client associates with a chosen SSID (the client joins the SSID that is held by the wireless access point that has the strongest signal, as this SSID may be shared by multiple wireless access points, so the client associates itself with the one that provides the strongest signal)
4. The wireless access point adds the client MAC address to its association table
If the signal gets weak then the client re-issues another probe (request); the closer wireless access point with the same SSID will reply back to the client

 The correct design of a wireless LAN (WLAN) :
1. Radio frequency (RF) service areas should have 10%-15% overlap (this percentage can be measured using Fluke Networks tools or software sniffers)
2. Repeaters should have 50% overlap
3. Bordering access points should use different channels
Setting up a wireless network :
1. Pretest the switch port that will be used to connect the wireless access point with a laptop, by testing the DHCP service and DNS service on that laptop while it's connected to that switch port
2. Connect the wireless access point to that switch port
3. Set up and test the SSID that has been created without configuring additional security
4. Add security (WEP/WPA1/WPA2) to the wireless access point and test it
5. Add authentication (802.1x/pre-shared key) to the wireless access point and test it
18. Advanced TCP/IP: working with binary (25:51 mins)

IPv4 address :
 An IPv4 address can be one of 3 different classes : class A, class B and class C
 When the IP address is combined with a subnet mask it defines a network and host portion (example : if we have the ip address 10.1.1.1 with a subnet mask 255.0.0.0 we notice that 10 is the network part (because it's linked with 255 from the subnet mask) and 1.1.1 is the host part (because it's linked with 0 from the subnet mask))
 The IP protocol operates at layer 3 of the OSI model
 An IPv4 address is a 4 octet address (a 4 byte address, as 1 octet equals 1 byte, or a 32 bit address; example : 10.10.10.10)
Working with binary :

Example: we want to convert 210 in decimal to binary

power    2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
value    128   64    32    16    8     4     2     1
binary   1     1     0     1     0     0     1     0
Example: we want to convert 00110110 in binary to decimal

power    2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
value    128   64    32    16    8     4     2     1
binary   0     0     1     1     0     1     1     0

After adding the numbers that are linked with a 1 in binary we get the number:
32+16+4+2=54 in decimal
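Added example (my code, not from the course): the powers-of-two table from the two conversions above written as code, so the same walk (put a 1 under every power that still fits, then add the powers under the 1s) can be run on any octet and, going one step further than the notes, on a whole dotted-decimal IPv4 address. It uses the notes' own values (210 and 00110110) as its checks and rejects inputs that aren't a valid octet or 8 bits.

```python
"""Added example (not from the course): the powers-of-two table from the notes
as code, converting an octet to its 8 bits and back, and extending the same
idea to a whole dotted-decimal IPv4 address."""

POWERS = [128, 64, 32, 16, 8, 4, 2, 1]   # 2^7 .. 2^0, the header row of the table

def octet_to_bits(value):
    """Walk the table left to right: put a 1 under every power that still fits."""
    if not 0 <= value <= 255:
        raise ValueError("an octet holds 0..255, got %r" % value)
    bits, remainder = [], value
    for power in POWERS:
        if remainder >= power:
            bits.append(1)
            remainder -= power
        else:
            bits.append(0)
    return bits

def bits_to_octet(bits):
    """Add the powers that sit under a 1 (32+16+4+2 = 54 for 00110110)."""
    if len(bits) != 8 or any(b not in (0, 1) for b in bits):
        raise ValueError("need exactly 8 bits of 0/1")
    return sum(power for power, bit in zip(POWERS, bits) if bit)

def octet_to_binary(value):
    return "".join(str(b) for b in octet_to_bits(value))

def binary_to_octet(text):
    return bits_to_octet([int(ch) for ch in text.strip()])

def conversion_table(value):
    """The three-row table the notes draw, as text."""
    bits = octet_to_bits(value)
    rows = [("power", ["2^%d" % (7 - i) for i in range(8)]),
            ("value", [str(p) for p in POWERS]),
            ("binary", [str(b) for b in bits])]
    return "\n".join("%-7s" % name + " ".join("%4s" % c for c in cells)
                     for name, cells in rows)

def ip_to_binary(ip):
    """10.10.10.10 -> 00001010.00001010.00001010.00001010 (4 octets = 32 bits)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("an IPv4 address needs 4 octets")
    return ".".join(octet_to_binary(int(o)) for o in octets)

def binary_to_ip(text):
    return ".".join(str(binary_to_octet(o)) for o in text.split("."))

if __name__ == "__main__":
    print(conversion_table(210))
    print(binary_to_octet("00110110"))
    print(ip_to_binary("216.21.5.0"))
```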
19. Advanced TCP/IP: IP subnetting part 1 (55:06 mins)

 Subnetting stands for breaking our main network into multiple networks
Steps for subnetting :
1. Determine the number of networks and convert it to binary
2. Reserve bits in your subnet mask and find your increment
3. Use the increment to find your network ranges
Every interface on the router represents a network
Example: if we have the IP address 216.21.5.0 with a subnet mask 255.255.255.0 and we want to implement 5 networks with that given IP address
1. 5 networks, 5 = 00000101, 3 bits are reserved to represent the number 5, or we can just do the following : 2^3 - 2 = 6, 3 bits cover 6 networks and what we want is 5
To know the number of subnets, it equals 2^x where x is the number of bits; according to this example we have 3 bits so there are 8 subnets
2. The result from point 1 is that we want 3 bits
We use the 255.255.255.0 subnet mask as the IP address 216.21.5.0 is a class C address; if it was a class A address we would use 255.0.0.0 (/8) and if it was a class B address we would use 255.255.0.0 (/16)
255.255.255.0 = 11111111.11111111.11111111.000 00000, those 000 are the 3 bits found in point 1
11111111.11111111.11111111.111 00000 so the subnet mask to use is 255.255.255.224, after that we subtract 256-224=32 to know the increment
According to the above subnet mask, if we want to know the number of hosts in each subnet = 2^x - 2 where x = number of zeros; in the example above 2^5 - 2 = 30 hosts per subnet
3. From point 2 we know the increment = 32 so we start incrementing based on that

Network ID      Broadcast ID    Usable hosts
210.21.5.0      210.21.5.31     1-30
210.21.5.32     210.21.5.63     33-62
210.21.5.64     210.21.5.95     65-94
210.21.5.96     210.21.5.107    97-106
210.21.5.108    210.21.5.139    109-138
210.21.5.140    210.21.5.171    141-170
210.21.5.172    210.21.5.223    173-222
210.21.5.224    210.21.5.255    225-254
Bit notation : example of bit notation = 255.255.255.0 = /24 (24 one bits)
The subnet mask 255.255.255.252 gives 2 usable networks and that is usually useful for point to point wan links

20. Advanced TCP/IP: IP subnetting part 2 (22:29 mins)

NOTE: this section will explain subnetting based on the number of hosts
Example: if you have the IP address 216.21.5.0 and you want to use that ip address for 5 networks and 30 hosts per network
1. To have 30 hosts : 2^5 - 2 = 30, that results in 5 bits to cover the situation
2. 255.255.255.0 = 11111111.11111111.11111111.000 00000, those 00000 are the 5 bits found in point 1
11111111.11111111.11111111.111 00000 so the subnet mask to use is 255.255.255.224 as we care about the SUBNET BITS!, after that we subtract 256-224=32 to know the increment
The number of subnets = 2^3 = 8
The number of hosts per subnet = 2^5 - 2 = 30 hosts per subnet
3.

Network ID      Broadcast ID    Usable hosts
210.21.5.0      210.21.5.31     1-30
210.21.5.32     210.21.5.63     33-62
210.21.5.64     210.21.5.95     65-94
210.21.5.96     210.21.5.107    97-106
210.21.5.108    210.21.5.139    109-138
210.21.5.140    210.21.5.171    141-170
210.21.5.172    210.21.5.223    173-222
210.21.5.224    210.21.5.255    225-254

21. Advanced TCP/IP: IP subnetting part 3 (19:53 mins)

NOTE: this section will explain subnetting based on the reverse engineering method (we are given the IP and the subnet mask and we need to find the network range for that specific IP)
Example: if you have the IP address 192.168.1.127 and the subnet mask 255.255.255.224, what will the network range be that includes this given IP ADDRESS? 256-224 = 32 is the increment, so we start doing the increment process until we find the following range:
192.168.1.96-192.168.1.127; finally we discover that the ip 192.168.1.127 isn't a valid host ip, instead it's a broadcast IP!!
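Added example (my code, not from the course): the three subnetting steps from parts 1, 2 and 3 as one program. subnet_plan() takes a classful network and either the number of networks or the number of hosts wanted, works out the bits to borrow, the mask, the increment, the subnet and host counts, and derives every Network ID / Broadcast ID / usable range from the increment; locate() is the reverse-engineering method of part 3 (IP plus mask gives the network range, and reports whether the IP is the network, the broadcast or a host address). It generalizes beyond the class C case in the notes to class A and B networks, whose increment lands in the third or second octet. The addresses in the tests are the notes' own; function names are mine.

```python
"""Added example (not from the course): the three subnetting steps of parts 1-3
as code. subnet_plan() goes from a classful network plus networks= or hosts=
to mask, increment and every range; locate() is the reverse method of part 3."""

def ip_to_int(ip):
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % ip)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    return ".".join(str((n >> shift) & 255) for shift in (24, 16, 8, 0))

def mask_from_prefix(prefix):
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def prefix_from_mask(mask):
    n = ip_to_int(mask)
    prefix = bin(n).count("1")
    if n != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("mask bits are not contiguous: %s" % mask)
    return prefix

def classful_prefix(ip):
    """Class A = /8, B = /16, C = /24, decided by the first octet."""
    first = int(ip.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("%s is not a class A/B/C address" % ip)

def bits_for_networks(n):
    """Smallest x with 2^x >= n (5 networks -> 3 bits, 8 subnets)."""
    x = 0
    while 2 ** x < n:
        x += 1
    return x

def bits_for_hosts(h):
    """Smallest x with 2^x - 2 >= h (30 hosts -> 5 host bits)."""
    x = 1
    while 2 ** x - 2 < h:
        x += 1
    return x

def subnet_plan(ip, networks=None, hosts=None):
    base_prefix = classful_prefix(ip)
    if networks is not None:
        prefix = base_prefix + bits_for_networks(networks)   # step 1: bits to borrow
    elif hosts is not None:
        prefix = 32 - bits_for_hosts(hosts)                  # part 2: bits to keep for hosts
    else:
        raise ValueError("give networks= or hosts=")
    if not base_prefix <= prefix <= 30:
        raise ValueError("request does not fit in a /%d network" % base_prefix)
    block = 2 ** (32 - prefix)                               # addresses per subnet
    base = ip_to_int(ip) & ip_to_int(mask_from_prefix(base_prefix))
    ranges = []                                              # step 3: walk by the increment
    for i in range(2 ** (prefix - base_prefix)):
        net = base + i * block
        ranges.append((int_to_ip(net), int_to_ip(net + block - 1),
                       int_to_ip(net + 1), int_to_ip(net + block - 2)))
    return {"prefix": prefix, "mask": mask_from_prefix(prefix),      # step 2: mask and increment
            "increment": block >> (8 * ((32 - prefix) // 8)),      # step in the "interesting" octet
            "subnets": 2 ** (prefix - base_prefix), "hosts_per_subnet": block - 2,
            "ranges": ranges}

def locate(ip, mask):
    """Part 3: which range holds ip, and whether ip is network, broadcast or host."""
    prefix = prefix_from_mask(mask)
    block = 2 ** (32 - prefix)
    n = ip_to_int(ip)
    net = n & ip_to_int(mask)
    bcast = net + block - 1
    kind = "network" if n == net else "broadcast" if n == bcast else "host"
    return int_to_ip(net), int_to_ip(bcast), kind

if __name__ == "__main__":
    plan = subnet_plan("216.21.5.0", networks=5)
    print("mask %s  increment %d  %d subnets  %d hosts each"
          % (plan["mask"], plan["increment"], plan["subnets"], plan["hosts_per_subnet"]))
    print("%-16s %-16s %s" % ("Network ID", "Broadcast ID", "Usable hosts"))
    for net, bcast, first, last in plan["ranges"]:
        print("%-16s %-16s %s-%s" % (net, bcast, first, last))
    print(locate("192.168.1.127", "255.255.255.224"))
```

Because every boundary is computed from the increment, the table the script prints for 216.21.5.0 with 5 networks is a quick way to check a hand-drawn table; the /30 case (hosts=2) shows the 2 usable addresses mentioned for point to point WAN links.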
22. Routing: initial router configuration (31:07 mins)
 There is a USB port on the router that is usually used to connect a USB drive to hold the encryption keys or to use it as flash for the router
 A WIC card is a wan internet card
 The 2801 router model has different cards installed on it; it contains 2 fast Ethernet ports (one is used for example to connect to the internet and the other to connect to the internal network), it also contains a T1 interface that is used to connect T1 lines and finally it has switch ports; because of those available cards on this model we can use this router as a router and a swit
ch at the same time
Router boot process (what happens when you boot up the router) :
1. It shows the total memory of the router and the model of the router
2. It shows the name of the IOS image found in the flash of the router
3. It shows how many interfaces are available on the router
4. It shows the size of the flash and NVRAM available on the router
 All the commands we applied on the switch in PREVIOUS sections are the same that are applied to the routers, except for configuring the IP address and the default gateway
Router (config) # interface fastethernet 4
Router (config-if) # description DESCRIPTION    this command is used to configure the description for the port
Router (config-if) # ip address 68.110.171.98 255.255.255.224    this command is used to assign a static ip to this specific interface; in case we want to assign a dynamic ip address to this specific interface then we use the command Router (config-if) # ip address dhcp
Router (config-if) # no shutdown

23. Routing: SDM and DHCP server configuration, part 1 (32:06 mins)

SDM :
1. SDM means Security Device Manager
2. SDM is a graphical user interface (GUI) that you can use to configure and manage your router
3. SDM is a web based tool that uses java
4. SDM works on all main line routers (all models) like the 2800, 800 and 2600 router models
5. SDM is designed to allow IOS configuration without extensive knowledge about it
Steps for configuring your router to support SDM :
1. Generate encryption keys (used in SSH and https); to generate those keys we need to configure a domain name
2. Turn on the http/https servers for your router
3. Create a privilege level 15 user account
4. Configure your VTY and http access ports for privilege level 15 and to use the local user database
5. Install java on your PC and access the router using one of the following ways :
a) Using a web browser, if SDM is installed on the router only; new routers come by default with SDM installed on them
b) Using the SDM java program if SDM is installed on the PC; the advantage of using this method is that it's faster
As you notice we can install SDM on the flash of the router or on the PC or on both of them; depending on the way we install SDM we can use the above methods to access the router and configure it
Configuring your router to support SDM (based on the points above) :
1. Router ( config)# ip domain-name DOMAINNAME : this command is
used to configure a domain name , as the keys for SSH and https can't
be generated without a domain name
Router (config) # crypto key generate rsa ? : this command will
request from us the size of the key to generate , the best to choose is
1024 ( the default is 512 )
?= a) general-keys keyword , if you generate general-purpose keys ,
only one pair of RSA keys will be generated. This pair will be used
with IKE policies specifying either RSA signatures or RSA-encrypted
nonces. Therefore , a general-purpose key pair might be used more
frequently than a special-usage key pair. ( if I don't type it , this
will be applied by default )
b) usage-keys keyword , if you generate special-usage keys , two
pairs of RSA keys will be generated. One pair will be used with any
Internet Key Exchange ( IKE ) policy that specifies RSA signatures as
the authentication method , and the other pair used with any IKE
policy that specifies RSA-encrypted nonces as the authentication
method.
NOTE : if we change the domain name after creating the crypto keys
then we need to regenerate those keys to adapt them to the new
domain name
2. Router ( config ) # ip http server : this command is used to turn
on the http server ( port 80 )
Router (config) # ip http secure-server : this command is used to turn
on the https server ( port 443 )
3. Router (config) # username USERNAME privilege 15 ? : this command
is used to create a user name that has privilege level 15 ( this
privilege level is the highest and it's called the enable mode level
as well )
?= a) password PASSWORD keyword is used to specify a password that
will use level 0 ( unencrypted password and this level is the default )
( it's the same as the Router (config) # enable password PASSWORD
command )
b) password 7 PASSWORD keyword is used to specify a password that
will be encrypted if we run the router# sh run command but this
password can be breakable
c) secret PASSWORD keyword is used to specify a password that is
encrypted and stronger than using the password keyword ( it is the
same as the Router (config) # enable secret PASSWORD command )
• If I use the username and password declared in this point it will
enter me directly into privilege mode ( passing enable mode ) because
the privilege level I'm using is 15
4. Router(config)# ip http authentication local : this command is used
to secure the http access ports ( http server ) and to use the local
user database
The local keyword means that once we enter a user name and
password in the browser to access SDM the router checks that user
name and password against its local DB ( what has been configured in
point 3 is called the local DB )
We can use the command Router(config)# ip http authentication
enable instead of the command Router(config)# ip http authentication
local if we want the router to check the username and password
against the enable passwords ( what has been entered using the
Router (config) # enable password PASSWORD or Router (config) # enable
secret PASSWORD commands ) instead of checking the local DB ( what has
been entered using the Router ( config ) # username USERNAME privilege
15 password PASSWORD command )
Router (config) # line vty 0 4
Router (config-line) # login local : this command is used to secure
the VTY ports and to use the local user database , the local keyword
means that once we enter a user name and password in the telnet
session to access the router , that router will check the user name
and password against its local DB ( what has been configured in point
3 is called the local DB ) instead of using the password that is
usually configured using the Router (config-line)# password PASSWORD
command
Router (config-line) # transport input all : this command allows both
telnet and SSH on the router and it's equivalent to the command
Switch (config-line) # transport input telnet ssh
5. Open SDM from the browser ( if the SDM is installed on the router )
or from the SDM program itself if it's installed on the local PC
24. Routing: SDM and DHCP server configuration, part 2 (20: 02 mins)
Dynamic host configuration protocol ( DHCP ) :
1. DHCP allows you to give devices IP addresses without manual
configuration
2. A DHCP IP address is typically given for a specific time
3. It can be manually allocated for key network devices ( we can
reserve an IP address based on the device MAC address )
4. DHCP servers can be server based or router based , the server
based advantage is that it would be easier to use using the GUI , the
router based advantage is that it would be more stable
DHCP process :
1. DHCP discover message ( broadcast message )
2. DHCP offer message ( unicast message )
3. DHCP request message ( unicast message )
4. DHCP ACK ( unicast message )

To configure DHCP using SDM , this could be done from the additional
tools tab :
• Domain name : if we choose this option for DHCP then once you
double check the name of any client in the network who has been
assigned with this DHCP option you will notice that this domain name
has been added beside the name of the client
• Tick mark () import all the DHCP options into the DHCP server
database : in case the router has been assigned a dynamic IP address
from the ISP , using this option it can pull the other DHCP options
provided by the same ISP , once the router receives those options it
starts assigning them dynamically to the clients who request an ip
address from this router
• In SDM if you press on the DHCP pool status tab you will notice the
leased IP addresses
To configure DHCP using the command line :
Router (config) # ip dhcp pool POOLNAME : this command is used to
configure the DHCP pool name ( it puts us in the dhcp-config mode
where the following pool commands are entered )
Router (dhcp-config) # network 192.168.1.0 255.255.255.0 : this
command is used to configure the IP addresses that will be available
in this DHCP pool ( those IP addresses will be leased to clients )
Router (dhcp-config) # domain-name DOMAINNAME : this command is used
to configure the domain name that would be offered by the DHCP
router to the clients when they are assigned an IP address from this
router
Router (dhcp-config) # default-router 192.168.1.1 : this command is
used to configure the default gateway that would be offered by the
DHCP router to the clients when they are assigned an IP address from
this router
Router (dhcp-config) # import all : this command is the same as the
tick mark () import all the DHCP options into the DHCP server
database
Router (dhcp-config) # lease 3 : this command is used if we want to
lease the IP addresses for 3 days
Router (config) # ip dhcp excluded-address 192.168.1.1 192.168.1.19
Router (config) # ip dhcp excluded-address 192.168.1.101 192.168.1.254
The two above commands exclude those IP address ranges from our
pool so the available ip addresses left that will be leased to
clients are 192.168.1.20-192.168.1.100
Router# show ip dhcp binding : this command shows all the IP
addresses leased to the clients using DHCP and the MAC addresses of
the clients that are using the leased ip addresses
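The following Python model is an added example, not code from the course notes or from Cisco IOS: it models the pool above ( 192.168.1.0/24 , default router 192.168.1.1 , lease 3 days , the two excluded ranges ) and shows which addresses are left to lease , how a returning client gets its old address back , what a manual reservation by MAC address looks like and what the binding table ( the information shown by show ip dhcp binding ) contains. The domain name example.test and the MAC addresses are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field

SECONDS_PER_DAY = 86400


@dataclass
class DhcpPool:
    """Simplified model of one IOS 'ip dhcp pool' plus the excluded-address list."""
    name: str
    network: ipaddress.IPv4Network          # network 192.168.1.0 255.255.255.0
    default_router: str                     # default-router 192.168.1.1
    domain_name: str                        # domain-name DOMAINNAME
    lease_days: int                         # lease 3
    excluded: list = field(default_factory=list)   # (first, last) address ranges
    bindings: dict = field(default_factory=dict)   # "ip" -> "mac", i.e. show ip dhcp binding

    def exclude(self, first, last=None):
        """ip dhcp excluded-address FIRST [LAST]; a single address when LAST is omitted."""
        lo = ipaddress.IPv4Address(first)
        hi = ipaddress.IPv4Address(last) if last else lo
        self.excluded.append((lo, hi))

    def is_excluded(self, ip):
        return any(lo <= ip <= hi for lo, hi in self.excluded)

    def available(self):
        """Host addresses the server may still lease (not excluded, not already bound)."""
        return [ip for ip in self.network.hosts()
                if not self.is_excluded(ip) and str(ip) not in self.bindings]

    def reserve(self, ip, mac):
        """Manual allocation for a key device: a fixed address tied to its MAC address."""
        addr = ipaddress.IPv4Address(ip)
        if addr not in self.network or self.is_excluded(addr):
            raise ValueError(f"{ip} is not a leasable address of pool {self.name}")
        self.bindings[str(addr)] = mac

    def offer(self, mac):
        """DISCOVER -> OFFER: the lease a client with this MAC is offered, None if exhausted."""
        # a client that already holds a binding (or a reservation) gets its address back
        for ip, bound_mac in self.bindings.items():
            if bound_mac == mac:
                return self._lease(ip)
        free = self.available()
        if not free:
            return None
        ip = str(free[0])                   # lowest free address (real servers may differ)
        self.bindings[ip] = mac
        return self._lease(ip)

    def _lease(self, ip):
        return {"ip": ip, "mask": str(self.network.netmask), "router": self.default_router,
                "domain": self.domain_name, "lease_seconds": self.lease_days * SECONDS_PER_DAY}

    def show_binding(self):
        """Rows of (leased IP, client MAC), sorted by address."""
        return sorted(self.bindings.items(), key=lambda kv: ipaddress.IPv4Address(kv[0]))


def build_example_pool():
    """The pool from the notes: 192.168.1.0/24, gateway .1, lease 3 days, two excluded ranges."""
    pool = DhcpPool("POOLNAME", ipaddress.IPv4Network("192.168.1.0/24"),
                    "192.168.1.1", "example.test", lease_days=3)   # domain name is constructed
    pool.exclude("192.168.1.1", "192.168.1.19")
    pool.exclude("192.168.1.101", "192.168.1.254")
    return pool


if __name__ == "__main__":
    pool = build_example_pool()
    free = pool.available()
    print("leasable:", free[0], "-", free[-1], f"({len(free)} addresses)")
    print(pool.offer("00:11:22:33:44:55"))      # constructed client MAC
    print(pool.offer("00:11:22:33:44:66"))
    for ip, mac in pool.show_binding():
        print(ip, mac)
```

Running it shows the 81 addresses 192.168.1.20-192.168.1.100 as leasable , which is the range the two excluded-address commands leave , and the first two clients receiving .20 and .21 together with the gateway , mask , domain and a 259200 second ( 3 day ) lease.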
25. Routing: implementing static routing (37: 32 mins)
The purpose of the routers is to stop broadcasts and allow traffic to
move from one network to another
Router# show ip route command allows us to know what networks can
be reached by the router ( it shows us the list of networks a router
can reach )
Example:
Router# show ip route
Gateway of last resort : this sentence shows us the details of the
default route
To configure static routes :
R1 (config) # ip route 192.168.3.0 255.255.255.0 192.168.2.2
the above command is used to configure a static route , the general
command syntax is :
R1(config)# ip route destination_network subnet_mask next_hop_address
the next hop address could be an ip address of the next router , in
our example it would be 192.168.2.2 , or we can use the local
interface , according to our example it would be S1
Default route : any network the router can't reach ( it's not found in
the routing table ) will be reached using the default route
To configure a default route :
R1 (config) # ip route 0.0.0.0 0.0.0.0 S1 : this command is used to
configure a default route on R1 , we can use 68.110.171.97 instead of
the S1 keyword
• Router(config)# ip name-server 4.2.2.2 : this command is used to
configure a DNS server for the router so that if we want to resolve
the ip address of www.google.com this DNS server 4.2.2.2 will do the
task
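The following Python model is an added example, not code from the course notes or from Cisco IOS: it builds the routing table of R1 from the notes ( two connected networks , the static route to 192.168.3.0/24 via 192.168.2.2 and the default route via S1 ) and shows the forwarding decision the notes describe , the most specific matching route wins and the default route is used only for destinations no other route covers. The interface names FastEthernet0/0 and Serial0/0 are assumptions.

```python
import ipaddress


class RoutingTable:
    """Longest-prefix-match lookup over connected, static and default routes."""

    def __init__(self):
        self.routes = []   # (code, IPv4Network, via); via is a next-hop IP or an interface name

    def add_connected(self, network, interface):
        self.routes.append(("C", ipaddress.IPv4Network(network), interface))

    def add_static(self, destination, mask, via):
        """ip route DESTINATION MASK NEXT_HOP|INTERFACE ; 0.0.0.0 0.0.0.0 is the default route."""
        net = ipaddress.IPv4Network(f"{destination}/{mask}")
        code = "S*" if net.prefixlen == 0 else "S"
        self.routes.append((code, net, via))

    def lookup(self, destination):
        """Forwarding decision: the most specific matching route wins; the default route
        (prefix length 0) matches everything, so it is only chosen as a last resort."""
        dst = ipaddress.IPv4Address(destination)
        best = None
        for code, net, via in self.routes:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (code, net, via)
        return None if best is None else best[2]

    def gateway_of_last_resort(self):
        for _code, net, via in self.routes:
            if net.prefixlen == 0:
                return via
        return None

    def show_ip_route(self):
        """Lines in the spirit of 'show ip route' (format is an approximation)."""
        glr = self.gateway_of_last_resort()
        lines = [f"Gateway of last resort is {glr}" if glr else "Gateway of last resort is not set"]
        for code, net, via in self.routes:
            how = f"is directly connected, {via}" if code == "C" else f"via {via}"
            lines.append(f"{code:<3}{net} {how}")
        return lines


def build_r1():
    """R1 from the notes; the interface names are assumptions."""
    rt = RoutingTable()
    rt.add_connected("192.168.1.0/24", "FastEthernet0/0")
    rt.add_connected("192.168.2.0/24", "Serial0/0")
    rt.add_static("192.168.3.0", "255.255.255.0", "192.168.2.2")
    return rt


if __name__ == "__main__":
    r1 = build_r1()
    print(r1.lookup("8.8.8.8"))                 # None: no route and no default route yet
    r1.add_static("0.0.0.0", "0.0.0.0", "S1")   # ip route 0.0.0.0 0.0.0.0 S1
    print("\n".join(r1.show_ip_route()))
    print(r1.lookup("8.8.8.8"))                 # S1, the default route
    print(r1.lookup("192.168.3.7"))             # 192.168.2.2, the /24 beats the default
```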

26. Routing: implementing dynamic routing with RIP (40: 46 mins)

Routing protocols : routing protocols tell the other routers on the
network what stuff I know , they allow routers to build paths
automatically by saving those paths and the next hop addresses to
reach those routers in routing tables
Types of routing protocols :
1. Distance vector routing protocols :
• distance vector routing protocols are easy to configure
• they don't contain a lot of features ( they are slow in detecting
problems on the network )
• some distance vector routing protocol examples are RIP and IGRP
2. Link state routing protocols :
• link state routing protocols are difficult to configure ( more
knowledge is required )
• link state routing protocols are rich in features
• some link state routing protocol examples are OSPF and IS-IS ( it's
an OSI protocol )
3. Hybrid routing protocols :
• hybrid routing protocols combine the best of link state routing
protocols and distance vector routing protocols
• it's a Cisco proprietary routing protocol ( it only works with
Cisco devices )
• a hybrid routing protocol example is EIGRP ( enhanced interior
gateway routing protocol )
RIP ( routing information protocol ) : RIP comes in 2 versions
1. RIPv1 :
• Classful version , it doesn't support VLSM ( variable length subnet
mask , and it means changing your subnet mask wherever and whenever
you want ) , it only advertises networks but without their subnet
masks
Example:
• No authentication : RIP authentication in general means to request
a password to add a route to the routing table or to request a
password for joining the RIP routing network , RIPv1 doesn't support
authentication and that is a problem as I can just connect a rogue RIP
router to poison the routing table with fake routes , which results in
making the network go down
• RIPv1 uses broadcast , it sends packets every 30 seconds to check
whether the entries found in the routing table are still valid or not
2. RIPv2 :
• Classless version , it supports VLSM ( it advertises the routes
with their subnet masks )
• RIPv2 supports authentication
• RIPv2 uses multicast , only RIP routers receive the hello packets ,
in RIPv1 the technique used was broadcasting those hello packets to
all the devices in the network
Steps to configure RIP :
1. Turn on RIP using its global configuration command
2. Change the version of RIP used
3. Enter the network statements , those statements are used to :
a) Tell RIP what networks to advertise
b) Tell RIP what interfaces to send advertisements on
To configure RIP :
Router (config) # router rip : this command is used to turn on the
RIP routing protocol
Router (config-router) # version 2 : this command is used to change
the version of RIP to version 2 , the default version is version 1
Router (config-router) # network 192.168.1.0 : this command is used
to advertise the directly connected networks , in general the syntax
of the network we type must be classful , in case we didn't type a
classful network address the IOS will change that command
automatically to be classful
Router (config-router) # no auto-summary : this command is used to
disable RIP from auto summarizing the network addresses to classful
addresses , in the router# show ip route command it will start
showing details about the subnets
Example:
Router# show run | include ip route command is used to only show
the commands that include the words ip route in them
Router# debug ip rip command is used to show details of the RIP
process
Router# show ip protocols command is used to show what routing
protocols are running on the router plus showing details on them
Router# u all command ( the short form of undebug all ) is used to
disable all debugging commands on the router
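The following Python simulation is an added example, not code from the course notes or from Cisco IOS: it shows the distance vector behaviour described above ( each router advertises what it knows , a neighbor adds one hop and keeps the best route , hop count 16 means unreachable ) on a chain of three routers , and the difference between a RIPv1 / auto-summary advertisement , which collapses subnets to their classful network , and a RIPv2 advertisement with no auto-summary. The router names , networks and the 30 second timer are not modelled in real time ; split horizon and the rule that RIPv2 only summarizes at a major network boundary are simplified away and are labelled in the comments.

```python
import ipaddress

RIP_INFINITY = 16   # a hop count of 16 means "unreachable" in RIP


def classful_network(addr):
    """The classful network containing addr: what RIPv1, or RIPv2 with auto-summary,
    advertises instead of the real subnet (class A /8, class B /16, class C /24)."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class RipRouter:
    def __init__(self, name, connected, version=2, auto_summary=True):
        self.name = name
        self.version = version
        self.auto_summary = auto_summary
        # routing table: prefix -> (hop count, next hop); connected networks cost 0
        self.table = {str(ipaddress.ip_network(n)): (0, "connected") for n in connected}

    def advertisement(self):
        """The update this router sends to its neighbors (every 30 s in real RIP).
        Simplification: summarization is applied to every route, while a real RIPv2
        router only summarizes when crossing a major network boundary."""
        adv = {}
        for prefix, (metric, _next_hop) in self.table.items():
            if self.version == 1 or self.auto_summary:
                prefix = classful_network(prefix.split("/")[0])
            adv[prefix] = min(adv.get(prefix, RIP_INFINITY), metric)
        return adv

    def receive(self, neighbor, adv):
        """Distance vector step: neighbor's metric plus one hop; keep the best route, and
        always accept an update from the neighbor that is the current next hop (this is how
        a withdrawn route, advertised with metric 16, is removed). No split horizon here."""
        changed = False
        for prefix, metric in adv.items():
            new_metric = min(metric + 1, RIP_INFINITY)
            current = self.table.get(prefix)
            if current is None or new_metric < current[0] or current[1] == neighbor:
                if current != (new_metric, neighbor):
                    self.table[prefix] = (new_metric, neighbor)
                    changed = True
        return changed


def converge(routers, links, max_rounds=20):
    """Exchange updates over each link until no table changes; links are (name, name) pairs.
    Returns True when the tables converged within max_rounds."""
    by_name = {r.name: r for r in routers}
    for _ in range(max_rounds):
        changed = False
        for a, b in links:
            changed |= by_name[b].receive(a, by_name[a].advertisement())
            changed |= by_name[a].receive(b, by_name[b].advertisement())
        if not changed:
            return True
    return False


if __name__ == "__main__":
    # constructed topology: R1 --- R2 --- R3 (all class C /24 networks)
    r1 = RipRouter("R1", ["192.168.1.0/24", "192.168.2.0/24"])
    r2 = RipRouter("R2", ["192.168.2.0/24", "192.168.3.0/24"])
    r3 = RipRouter("R3", ["192.168.3.0/24", "192.168.4.0/24"])
    print("converged:", converge([r1, r2, r3], [("R1", "R2"), ("R2", "R3")]))
    for prefix, (hops, via) in sorted(r1.table.items()):
        print(f"R1  {prefix:<18} hops={hops:<2} via {via}")
    v1 = RipRouter("R4", ["172.16.1.0/24", "172.16.2.0/24"], version=1)
    print("RIPv1 advertises:", v1.advertisement())          # one classful 172.16.0.0/16
    v2 = RipRouter("R4", ["172.16.1.0/24", "172.16.2.0/24"], version=2, auto_summary=False)
    print("RIPv2 no auto-summary:", v2.advertisement())     # both /24 subnets with masks
```

After convergence R1 reaches 192.168.3.0/24 in one hop and 192.168.4.0/24 in two hops via R2 ; the two advertisements at the end are why the notes say the subnets only appear in show ip route once auto-summary is disabled.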
27. Routing: internet access with NAT and PAT (24: 41 mins)
NAT ( network address translation ) allows multiple devices to share
an internet IP address ( a public address )
PAT ( port address translation ) is a form of NAT and it's called NAT
overload
Static NAT is usually used with web servers
To configure NAT using SDM there is a tab for NAT that contains 2
options :
1. Basic NAT : it's the same as PAT ( NAT overload )
2. Advanced NAT or static NAT
How PAT works :
• Steps to configure PAT : note that this is an example without
explanation as this section is only an introduction for NAT and PAT
Router (config) # access-list 1 permit 192.168.1.0 0.0.0.255
Router (config) # interface VLAN1
Router (config-if) # ip nat inside
Router (config-if) # exit
Router (config) # interface fastethernet 0/4
Router (config-if) # ip nat outside
Router (config-if) # exit
Router (config) # ip nat inside source list 1 interface fastethernet
0/4 overload
In the last command the overload keyword means that I can allow more
than one client ( the IP range that is declared in access list 1 ) to
use the public IP address we have
Router# show ip nat translations command is used to show all the
NAT translations that are held by the router , it also shows the
following :
1. Inside local address : this represents my PC
2. Inside global address : this represents the local public IP
address configured on our local router
3. Outside global : this represents the remote public IP address
configured on the remote router
4. Outside local : this represents the remote PC
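The following Python model is an added example, not code from the course notes or from Cisco IOS: it models the PAT ( NAT overload ) configuration above , with access-list 1 deciding which inside sources are translated and one inside global address shared by all of them , and it shows why two inside hosts using the same source port still get separate translations , how a reply is mapped back to the right inside local address , and why unsolicited traffic from the outside is dropped. The inside global address 68.110.171.98 is the router address from the earlier notes ; the port allocation rule ( keep the original source port when free , otherwise take the next free port from 1024 ) is an assumption of this model.

```python
import ipaddress
import itertools


class PatTable:
    """Port Address Translation (NAT overload) behind one inside global address."""

    def __init__(self, inside_global, permitted_inside):
        self.inside_global = inside_global                        # public IP of the outside interface
        self.permitted = ipaddress.IPv4Network(permitted_inside)  # access-list 1 permit 192.168.1.0 0.0.0.255
        # (proto, inside local ip, inside local port) -> {"gport": inside global port, "outside": (ip, port)}
        self.table = {}
        self.in_use = set()                 # inside global ports already handed out
        self.spare = itertools.count(1024)  # assumption: fallback ports are taken sequentially from 1024

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet inside -> outside. Returns the rewritten (source ip, source port), or None
        when access-list 1 does not permit the source (that packet is not translated)."""
        if ipaddress.IPv4Address(src_ip) not in self.permitted:
            return None
        key = (proto, src_ip, src_port)
        if key not in self.table:
            # overload: many inside locals share one inside global and are told apart by port;
            # the original source port is kept when it is still free
            gport = src_port if src_port not in self.in_use else self._next_free_port()
            self.in_use.add(gport)
            self.table[key] = {"gport": gport, "outside": (dst_ip, dst_port)}
        return (self.inside_global, self.table[key]["gport"])

    def _next_free_port(self):
        port = next(self.spare)
        while port in self.in_use:
            port = next(self.spare)
        return port

    def inbound(self, proto, dst_ip, dst_port):
        """Packet outside -> inside, addressed to the inside global address. Returns the inside
        local (ip, port) it is delivered to, or None when no translation exists: unsolicited
        traffic is dropped, which is why inside hosts are not reachable from the outside."""
        if dst_ip != self.inside_global:
            return None
        for (p, ip, port), entry in self.table.items():
            if p == proto and entry["gport"] == dst_port:
                return (ip, port)
        return None

    def show_translations(self):
        """Rows with the columns of 'show ip nat translations': protocol, inside global,
        inside local, outside local, outside global (the last two are equal here because
        only the inside side is translated)."""
        rows = []
        for (proto, ip, port), entry in self.table.items():
            outside = "%s:%d" % entry["outside"]
            rows.append((proto, f"{self.inside_global}:{entry['gport']}", f"{ip}:{port}", outside, outside))
        return rows


if __name__ == "__main__":
    pat = PatTable("68.110.171.98", "192.168.1.0/24")
    # constructed traffic: two inside PCs query the same DNS server from the same source port
    print(pat.outbound("udp", "192.168.1.10", 5000, "8.8.8.8", 53))   # keeps port 5000
    print(pat.outbound("udp", "192.168.1.11", 5000, "8.8.8.8", 53))   # port 5000 taken -> 1024
    print(pat.inbound("udp", "68.110.171.98", 5000))                  # reply reaches 192.168.1.10
    print(pat.inbound("tcp", "68.110.171.98", 4444))                  # unsolicited -> None
    for row in pat.show_translations():
        print(row)
```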
28. Routing: WAN connectivity (27: 38 mins)
• WAN connections are used to connect you to the internet , like frame
relay , ATM , PPP and HDLC
LAN connections are used to connect you locally , like Ethernet
technology
• WAN links define a new type of layer 1 and layer 2 connectivity :
WAN links allow links to the internet or other offices
Data link layer : ISDN , metro Ethernet , MPLS , T1 , E1 , dial up
modems , frame relay , ATM , PPP and HDLC ( in LAN there were MAC
addresses )
Physical layer : serial physical connections ( in LAN connections it
was Ethernet cables like CAT5E and RJ45 connections )
Frame relay connects using DLCI , DLCI is like MAC addresses in LAN
ATM connects using VPI/VCI pair , VPI/VCI pair is like MAC addresses
in LAN
Leased line protocols are HDLC and PPP ( they are the only protocols
that work on point to point connections like leased lines )
Styles of WAN connections ( data link layer connections ) :
1. Leased line connections :
• It's a dedicated bandwidth line ( bandwidth is only assigned for
me and it's not shared )
• It's very expensive
• Examples of leased lines : T1 CAS ( 1.544Mbps ) and E1 CAS
• The problem is if you have a high bandwidth speed link , if you
don't use all of it the rest will remain unused without having any
benefit from it
2. Circuit switched connections :
• It's an on demand bandwidth used between different locations ( we
use the dial up technology to get it when we need it )
• The advantage of this technology is that it's very cheap
• The disadvantage of this technology is its slow bandwidth and the
time we spend to install this technology
• Examples of circuit switched connections : dialup modems and ISDN
3. Packet switched connections :
• It's a shared bandwidth technology but with a guaranteed bandwidth
between locations ( if you pay for this service you are guaranteed a
specific bandwidth but maybe you gain more ( this is called bursting )
but no less )
• The advantage of this technology is that you can connect a serial
cable to the internet cloud and from that cloud we can connect to
multiple offices using only one packet switched connection ( that is
done using virtual circuits )
• Examples of packet switched connections : ATM , frame relay , X.25
( old technology ) and MPLS
• The 1st technology was X.25 then it became frame relay then ATM and
now MPLS
The physical connections for WAN ( physical layer connections ) :
Configuring leased line connections :
1. Leased line can be configured using HDLC ( high level data link
control )
• This is a layer 2 WAN protocol ( if you want to compare it to a
layer 2 LAN protocol it will be Ethernet technology )
• This is a Cisco proprietary protocol ( it only works with Cisco
routers )
• It's the default protocol that is used
• It's simple to configure and use
• Extremely low overhead
• No features
2. Leased line can also be configured using PPP ( point to point
protocol )
• This protocol is an alternative to HDLC
• Industry standard ( this protocol works with all the routers and
it's not proprietary to Cisco only )
• Moderate overhead
• Feature-riffic , it supports four major features :
1. Authentication : you add a user name and password on the WAN
link , it must match on both sides
2. Compression : it helps to use less bandwidth but it will use more
processing on the routers
3. Call back feature : this is primarily used on modems , when you
dial in to the modem and authenticate ( type your username and
password ) , the router immediately hangs up on you and dials you
back on a predefined number ( this is used for security or if we want
the long distance call bill to be charged on the other side , not on
us )
4. Multilink : it's a system you employ that allows you to combine
the bandwidth of multiple WAN connections into one , say as an
example we have 3 T1 links , the multilink feature combines that
bandwidth together so the result is we have 4.5Mbps and it load
balances the traffic over those 3 links !
• The encapsulation ( HDLC/PPP ) must be matched at both ends of the
link , if it's not the same then the link won't work and it will show
protocol status down in the results of the command Router# show ip
interface brief
Router# show run interface serial 0/0 command is used to show only
the configuration of serial 0/0 from the router# show run command
If the encapsulation used was HDLC ( the default encapsulation used
on Cisco devices ) it won't appear using the router# show run command
Router# show interfaces serial 0/0 command is used to show all the
details about a specific interface ( in this example showing the
details of serial 0/0 ) , this command is used to check the current
encapsulation used on this serial in case we have a leased line ( it
shows the HDLC and PPP information and whether those protocols are
working or not )
Example: this example shows that PPP is working fine
Router# show interfaces serial 0/0
Encapsulation PPP, LCP open
Open IPCP, CDPCP
LCP is the link control protocol and it's responsible for negotiating
the PPP features , it will show us LCP closed if there is a problem
negotiating compression , authentication , multilink or the call back
feature , IPCP ( IP control protocol ) and CDPCP ( Cisco discovery
protocol control protocol ) are control protocols ; IPCP lets the IP
protocol ( TCP/IP ) work on the WAN link ( PPP link ) , CDPCP allows
CDP to work over a WAN link
Router# show controllers serial 0/0 command is used to know the cable
type connected to this specific interface ( it will show whether the
type of the cable is DTE or DCE ) ( DCE is always connected to the ISP
side and DTE is connected on our side )
Router# show ip interface brief command is used mostly to show the
protocol status , if the protocol is showing down status then probably
the problem is a mismatched encapsulation ( another command to check
the function of HDLC or PPP )
How to configure PPP :
Router (config) # interface serial 0/0
Router (config-if) # encapsulation PPP : this command is used to
configure the encapsulation on this interface that is used to
configure a leased line on it
Router (config-if) # clock rate 56000 : this command is used to
specify the speed of the connection , this is configured if and only
if this specific interface is a DCE ( data clock equipment , it is a
type of connector that needs clock configuration to work properly , it
determines how fast the WAN connection goes , this value is usually
configured from the ISP side but if we are in a lab environment we
need to configure it , as if it's not configured the link won't work )
, 56000 is measured in bits per second so the value here is 56 kilo
bits per second

29. Management and security: telnet, SSH and CDP (28: 48 mins)
Router# telnet 192.168.2.2 command is used to telnet to another
router from our router
Managing telnet/SSH :
1. Press < CTRL , SHIFT , 6 > then X : this suspends the telnet/SSH
session , to resume that session we just type the command router#
resume 1 ( number 1 represents the session number ) from our router ,
or we press the ENTER button in privilege mode , the latter will
resume the most recently opened session
2. Router# show sessions command is used to show the open sessions
from your router ( when you run this command you will notice an
asterisk * that shows the recent open session )
3. Router# show users command is used to show the open sessions to
your router ( when you run this command you will notice a column
called location , this column will show you which users ( routers )
are connected to your router , usually when you run this command it
takes some time until the IP addresses found under the location
column are resolved to their names , to get around this issue we just
run the command router(config)# no ip domain-lookup to disable the
domain lookup feature and stop the resolving issue , in this case it
runs faster than before )
4. Router# disconnect command is used to kill one of your open telnet
sessions ( at 1st I run the command Router# show sessions to know
which session is opened from my router and I want to kill , then I
run this command )
5. Router# clear line X command where X represents the number of the
session opened to my router ( at 1st I run the command Router# show
users to know which session is opened to my router and I want to
kill , then I run this command )
6. Router# exit command is used to kill a telnet session , in case I
want to telnet again to that same device I need to run the command
Router# telnet IPADDRESS again
7. Router# show line command is used to show all the lines ( telnet
connection ports ) on your router and the status of each one
CDP ( Cisco discovery protocol ) :
1. CDP allows you to discover directly connected Cisco devices
2. It's a Cisco proprietary protocol
3. CDP is useful for building accurate network diagrams because using
CDP we can know the IP address , IOS version and the router platform
of Cisco neighbor devices
4. CDP is a broadcast packet that is sent every 60 seconds
Some useful CDP commands :
1. Router# show cdp neighbors command is used to discover basic
information for directly connected Cisco devices ( this command is
used to know the local and remote interfaces ) , some of the basic
information that is discovered when we run this command :
a) The local interface : this is the interface on our router that is
connected to the other directly connected Cisco device , this same
information can be known if we run the command router# show ip
interface brief
b) The port ID : this is the remote interface of the connected Cisco
device
2. Router# show cdp entry * command is used to show all the remote
connected devices on our router , if I run the command router# show
cdp entry NAMEOFROUTER it will show me the remote IP address for a
specific Cisco device
3. Router# show cdp neighbors detail command has the same function as
the router# show cdp entry command ( this command is used to know
remote IP addresses )
4. Router ( config-if)# no cdp enable command is used to disable CDP
on a specific interface ( if we run this command then the directly
connected Cisco device on this interface won't be discovered )
5. Router(config)# no cdp run command is used to disable CDP on all
the interfaces found on the router
• We usually use telnet commands , CDP commands and the router# show
ip interface brief command to know all the IP addresses and
interfaces found in a network
30. Management and security: file management (20: 11 mins)
TFTP ( trivial file transfer protocol ) server uses UDP port 69 and
its main function is to copy from/to the router to do a backup or a
restore of the IOS found on the router to this TFTP server
• RAM equals running config and NVRAM equals startup config
Router# show flash command is used to see all the files in the flash
like the name of the IOS file ( this is what Router# show version
does as well )
Router# show running-config command is used to check what the RAM
contains
Router# show startup-config command is used to check what the NVRAM
contains
Router# show version command is used to check the value of the RAM
and NVRAM and to know the name of the IOS file as well
Example:
Router# show version
238592K/23552K : those two values combined together are the NVRAM
Memory components :
1. RAM : RAM represents the running config file , the benefit of the
RAM is that it's very fast in read/write but the disadvantage of RAM
is that it loses data when the router is shut down or restarted ,
because of that we usually copy the configuration file from RAM to
NVRAM before a restart using the command router# copy running-config
startup-config
An example of using the RAM is for packet buffers
2. NVRAM : this is considered small in size and it represents the
startup config file
3. Flash : this component is used to store the IOS , in general once
you start the router it starts decompressing the IOS from the flash to
the RAM
Some useful commands :
1. Router# copy running-config startup-config command is used to copy
the configuration file from RAM to NVRAM ( the router# wr command does
the same function as well )
2. Router# copy running-config TFTP command is used to copy the
configuration file from RAM to a TFTP server
3. Router# copy flash TFTP command is used to copy the IOS file from
flash to a TFTP server ( to backup the IOS on a TFTP server ) ( this
command can be typed like this as well : router# copy flash:
NAMEOFIOS.bin TFTP://IPOFTFTPSERVER/NAMEOFIOS.bin )
4. Router# copy TFTP run command is used to copy the configuration
file from the TFTP server to the RAM ( NOTE that if you run this
command and we already had a running config file it won't overwrite
the current file , instead it will merge both configuration files to
appear as one file , it will overwrite entries in the current
configuration file only if there is a conflict )
5. Router# copy tftp startup-config command is used to copy the
configuration file from the TFTP server to NVRAM ( unlike router# copy
TFTP run it won't merge with the current configuration file , instead
it will replace it totally )
6. Router# reload command is used to restart the router and reload
the configuration file from NVRAM
If we want to restore our configuration we do the following :
1. Router# copy TFTP startup-config
2. Router# reload
Note that we didn't run the command router# copy startup-config
running-config because it will do the merge ( anything copied to
running-config will be merged ) , plus once we reboot the router all
the running config found in RAM will be erased ( flushed )
If you want to upgrade your IOS you do the following :
1. We put the new IOS and place it on a TFTP server
2. We boot the router from the TFTP server using the command
router(config)# boot system TFTP://IPOFTFTPSERVER/NAMEOFIOS.bin , to
check that the new IOS is working fine
3. If we find that the new IOS is corrupted then we just boot
normally from flash using the current IOS
4. If we find that the new IOS is working fine from TFTP then we copy
that new IOS to the flash using the command router# copy TFTP flash
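The following Python model is an added example, not code from the course notes or from Cisco IOS: it models RAM ( running config ) and NVRAM ( startup config ) as two dictionaries of commands and shows the difference the notes describe between copying a backup into the running config , which merges and only overwrites conflicting commands , and copying it into the startup config followed by a reload , which replaces the configuration completely. The sample configs ( hostnames , secrets , the ip route ) are constructed , and only flat global-mode commands are modelled.

```python
import copy

# commands that exist once in a config: a later copy of the same command replaces the earlier one
SINGLE_INSTANCE = ("hostname", "enable secret", "enable password", "ip domain-name", "ip name-server")


def parse_config(text):
    """Flat (global-mode) config text -> {key: line}. Single-instance commands are keyed by
    their command word(s); repeatable ones (ip route, access-list, username ...) by the
    whole line, so they accumulate. Interface sub-modes are not modelled (assumption)."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        key = next((k for k in SINGLE_INSTANCE if line.startswith(k + " ")), line)
        config[key] = line
    return config


class Router:
    def __init__(self, running_text, startup_text):
        self.running = parse_config(running_text)   # RAM
        self.startup = parse_config(startup_text)   # NVRAM

    def copy_running_startup(self):        # copy running-config startup-config (or wr)
        self.startup = copy.deepcopy(self.running)

    def copy_startup_running(self):        # copy startup-config running-config: MERGES into RAM
        self.running.update(self.startup)

    def copy_tftp_running(self, tftp_text):   # copy tftp run: MERGES, conflicts are overwritten
        self.running.update(parse_config(tftp_text))

    def copy_tftp_startup(self, tftp_text):   # copy tftp startup-config: REPLACES NVRAM
        self.startup = parse_config(tftp_text)

    def reload(self):                      # RAM is flushed, NVRAM becomes the running config
        self.running = copy.deepcopy(self.startup)

    def running_lines(self):
        return sorted(self.running.values())


# constructed sample configs (not taken from any real device)
CURRENT = """
hostname OldName
enable secret OLDSECRET
ip route 10.0.0.0 255.0.0.0 192.168.2.2
"""
BACKUP = """
hostname Branch1
enable secret NEWSECRET
ip name-server 4.2.2.2
"""


def restore_by_merge():
    """copy tftp run: the old static route survives, hostname and secret are overwritten."""
    r = Router(CURRENT, CURRENT)
    r.copy_tftp_running(BACKUP)
    return r.running_lines()


def restore_by_replace():
    """copy tftp startup-config + reload: the running config is exactly the backup."""
    r = Router(CURRENT, CURRENT)
    r.copy_tftp_startup(BACKUP)
    r.reload()
    return r.running_lines()


if __name__ == "__main__":
    print("merge  :", restore_by_merge())
    print("replace:", restore_by_replace())
```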

Cisco ccna interconnecting Cisco networking devices part 2

1. review : rebuilding the small office network part 1 ( 33:54 mins )

to delete all the configuration on the router :

There are two ways to do that: 1) router# erase startup-config this command is used to
There are two ways to do that:
1)
router# erase startup-config
this command is used to
delete all the
Router# reload
Configuration file found in NVRAM
this command is used to
reboot the router,
When the prompt asks to save
the
configuration or not we
2)
router# write erase
choose NO
this command has the
same function of
Router# erase startup-config
Router# reload
 auxiliary ports are found only on routers and they are used to
connect modems on it
to build a small office, first we care about configuring the switches ( LAN tasks ) :
1) beginning : wipe out configurations :
This is done using the switch# erase startup-config and switch# write erase commands
2) security : passwords and banners
a) configure passwords for privilege mode using the switch (config) # enable password PASSWORD and switch (config) # enable secret PASSWORD commands
b) configure passwords for the telnet ( vty ) lines, auxiliary ports and console ports
c) configure banners on the switches using the command Switch ( config ) # banner motd “ here I type anything I want it to appear “
d) use the command switch (config)# service password-encryption to encrypt all the clear text passwords
3) cosmetics : name , work environment
a) configure names for the switches using the command switch(config)# hostname HOSTNAME
b) configure the work environment :
 use the command switch(config-line)# no exec-timeout or switch(config-line)# exec-timeout 0 0 so that the connection sessions last forever without being kicked out
 use the command switch(config-line)# logging synchronous to make the log/status messages appear on the screen on separate lines instead of interrupting the commands we type
 use the command switch(config)# no ip domain-lookup to stop the feature of translating names to IP addresses; without it a mistyped command is treated as a hostname and the switch waits while it tries to resolve it
4) management : IP address and gateway
all switch ports in general are assigned to VLAN1; to configure an IP address and default gateway for the switch :
Switch (config) # interface VLAN 1
Switch (config-if) # ip address 172.30.2.180 255.255.255.0
Switch (config-if) # no shutdown
Switch (config) # ip default-gateway 172.30.2.1
 We assign the IP address to interface VLAN1 and we enable that interface, as it is administratively down by default
5) Interfaces : speed , duplex and description :
 We configure the speed of the port by using the command Switch (config-if) # speed 10
 We configure the duplex for the port using the command Switch (config-if) # duplex full or Switch (config-if) # duplex half
 We use the command switch (config-if)# description DESCRIPTION to configure a description for the switch port
6) Verify and backup : CDP, TFTP , show interfaces
a) For CDP we use the commands :
 switch# show cdp neighbors to know the local and remote interfaces
 switch# show cdp neighbors detail to know the remote IP addresses
b) For TFTP we use the commands :
 switch# copy flash tftp to back up the IOS to a TFTP server
 Router# copy run tftp to back up the configuration file to a TFTP server ( we can also copy the running configuration by copying and pasting it, starting from the ! mark, into Notepad; in case we want to restore that configuration we just copy all of it starting from the ! mark and paste it in global configuration mode )
c) Switch# show interfaces command is used to show each interface in detail

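The security and cosmetics items in points 2 and 3 above can be checked mechanically against a saved configuration. The following is an added example written for these notes, not code from the course or from Cisco: it parses a constructed running-config (hostnames, addresses and passwords are made up) and reports the items that are missing or weak, with a hardened counterpart that passes every check. It also flags exec-timeout 0 0, which is convenient in a lab but leaves idle sessions open on a production device.

```python
"""Audit a Cisco IOS running-config against the switch hardening tasks above.

Added example, not part of the course notes or Cisco software. Both configs
below are constructed for illustration; hostnames and passwords are made up.
"""

# Constructed "before" config: enable password only, no banner, idle timeout
# disabled and vty lines with 'login' but no password.
WEAK_CONFIG = """\
hostname SW-LAB
!
enable password lab123
!
no ip domain-lookup
!
interface Vlan1
 ip address 172.30.2.180 255.255.255.0
 no shutdown
!
ip default-gateway 172.30.2.1
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 0 4
 exec-timeout 0 0
 login
line vty 5 15
 login
!
end
"""

# Constructed "after" config with the items from steps 2 and 3 applied;
# an idle timeout is kept because 'exec-timeout 0 0' is only a lab convenience.
HARDENED_CONFIG = """\
hostname SW-LAB
!
service password-encryption
enable secret Priv-CHANGE-ME
!
no ip domain-lookup
!
banner motd ^C Authorized access only ^C
!
line con 0
 exec-timeout 10 0
 password Con-CHANGE-ME
 logging synchronous
 login
line vty 0 15
 exec-timeout 10 0
 password Vty-CHANGE-ME
 login
!
end
"""


def parse_line_blocks(text):
    """Map each 'line ...' section name (e.g. 'vty 0 4') to its indented child commands."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any unindented line ('!', 'end', ...) closes the section
    return blocks


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    lines = text.splitlines()
    findings = []
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("no 'enable secret' for privileged mode")
    if any(l.startswith("enable password") for l in lines):
        # 'enable password' is stored in clear text (reversible type 7 at best); 'enable secret' is hashed
        findings.append("'enable password' present: replace it with 'enable secret'")
    if "service password-encryption" not in lines:
        findings.append("'service password-encryption' is off: line passwords are in clear text")
    if not any(l.startswith("banner motd") for l in lines):
        findings.append("no 'banner motd' configured")
    for name, body in parse_line_blocks(text).items():
        has_login = any(b == "login" or b.startswith("login ") for b in body)
        has_password = any(b.startswith("password") for b in body)
        if not has_login:
            findings.append(f"line {name}: no 'login', sessions are not authenticated")
        elif "login" in body and not has_password:
            findings.append(f"line {name}: 'login' without a 'password', logins will be refused")
        if "exec-timeout 0 0" in body or "no exec-timeout" in body:
            findings.append(f"line {name}: idle sessions never time out")
    return findings
```

Running audit_config(WEAK_CONFIG) lists eight findings (the missing secret and banner, the clear-text enable password, and the per-line timeout and password problems), while the hardened config produces none.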
2.
review : rebuilding the small office network part 2 ( 28:45 mins )
router tasks :
1) beginning : wipe out config
2) security : passwords and banners ( for routers there is an
additional configuration for auxiliary ports , in case the console
port can’t be used to login to the router we can use this aux port
to do the task )
3) cosmetics : names , work environment
4) interfaces : identify IP address , speed , duplex and description
5) routing : default routes ( used for external routing-internet- ) ,
RIP ( used for internal routing)
6) verify and backup : CDP , TFTP , show ip route , show interfaces
most of the points mentioned above were discussed before and they are similar to the switch tasks
3.
review : rebuilding the small office network part 3 ( 23:36 mins )
to access internet we need a default route on the router plus NAT
 on internet routers we use a default route to reach routes
beyond ISP ( to reach internet )
 on internet routers we configure NAT to let all internal routers
reach and surf the internet
some useful commands :
1) router(config)# interface fastethernet 0/0
Router (config-if) # no keepalive
this command is used to disable this specific interface from sending keepalive messages, which are used mainly to know what is connected on that interface; if the keepalive messages are disabled and we run the command router# show ip interface brief, the status of this port will be UP/UP regardless of whether there is a cable connected or not! ( be careful when using this command )
2) router# show ip protocols
this command is used to show what routing protocols are configured on this router ( as an example, if we run this on a router that was configured for RIP it will show, under the heading routing information sources, all the routers in the network that are configured for RIP and have been learnt by this router )
3) router# traceroute 192.168.3.1
this command is used to track the path to a specific IP address
Example:
Router# traceroute 192.168.3.1
1 192.168.1.2 0msec 0msec 4msec
2 192.168.2.2 0msec * 4msec
notice the *, this is a normal issue ( the IOS always drops the second probe on the final hop )
4) router(config)# router rip
Router (config-router) # redistribute static
this command is used to advertise static routes in RIP ( the router that has any static route or static default route will advertise it using RIP to the other routers; the other routers that receive that advertisement will have a new route learnt by RIP with the symbol R*, which means a static default route advertised by RIP ). The main function of this command is to configure a static default route on one router and then advertise it to the other routers using RIP, instead of visiting each router and configuring that static default route manually!

4.
Switch VLANS : understanding VLANS ( 16:09 mins )
VLANS ( virtual LANS ) :
 VLANs are logical groups of users
 VLANs segment broadcast domains; a broadcast packet is only sent within the same VLAN
 VLANs support access control
 VLANs help with quality of service ( prioritized traffic is placed in a separate VLAN )
 Trunk ports : those ports help to span a VLAN among multiple switches; they carry VLAN information ( VLAN traffic ) between switches, and trunk ports are assigned to ALL the VLANs ( in other words they carry the traffic of ALL the different VLANs )
 Number of VLANs = number of broadcast domains = number of subnets
VLAN-to-subnet correlation ( each VLAN has a separate subnet, so to let the VLANs talk together there must be a route between them )
Normal switching functions :
 One broadcast domain ( broadcasts sent to all ports )
 One subnet per LAN
 Number of collision domains = number of ports on the switch
 Very limited access control: it is very difficult to restrict traffic on switches, the only way to restrict traffic on a switch is to use access lists and that is a headache! To work around this issue we use VLANs
Flexibility of VLANs :
 Segmentation of users without routers
 No longer limited to physical locations ( the user can be located anywhere, we just assign that user's port to the VLAN )
 Tighter control of broadcasts
5.
Switch VLANS : understanding trunks and VTP ( 39:07 mins )
What is trunking ( tagging ) :
1. Trunking passes multi-VLAN information between switches
2. Places VLAN information into each frame
3. Layer 2 feature
4. Trunk links are also called tag links because they are responsible for tagging VLAN traffic while it passes over the link
Before the packet is sent on a trunk port it's tagged, and once it arrives at the destination the packet is untagged and arrives as normal data
NOTE : anything below in this section written as VTP refers to the Cisco method of managing the VLANs, because people also call the VLAN trunking protocols ( ISL , 802.1Q ) VTP. So whenever you see the term VTP we mean the messaging protocol that manages the addition, deletion and renaming of VLANs, and whenever you see the term VLAN trunking protocol ( tagging protocols or trunking protocols ) we mean ISL and 802.1Q
 VTP ( we will call this VRP, the details are mentioned below ) :
1. Is a Cisco proprietary Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis.
2. The only VLAN trunking protocol ( tagging protocol ) in use now is 802.1Q. Before, there were two:
 802.1Q : it's an industry standard and this is currently used; this tagging protocol allows switches that have different VLANs to communicate together
 ISL ( inter switch link ) : it's a Cisco proprietary trunking protocol and it has been discontinued
3. VTP should be named VRP ( VLAN replication protocol ) to stop confusing VTP with 802.1Q ( read the above notes for more details )
4. VTP replicates VLANs: once you add a new VLAN on a switch, it's replicated using VTP to the other switches; VTP only replicates added and deleted VLANs, we still need to assign ports to each created VLAN manually
5. VTP works on trunk links
With VTP, once you create a VLAN on any switch the VTP database counter ( revision number ) increases by 1 ( the VTP database that has the highest counter number replicates to the rest of the switches because it is assumed to contain the latest updated information ). If we bring an old switch that contains some existing VLAN configuration and plug it into our network, and that old switch has a higher counter number than the other switches, it will replicate its configuration to our switches and ruin the network. If we try to restore the configuration on our switches it won't solve the problem, because it will still contain a lower counter number than the counter number of the old switch, so the old switch will replicate again. To work around this issue we configure our switches with the VLAN configuration manually to update the database counter and make it the highest. To protect the replication process we configure VTP domain names; in this case only the switches that have the same VTP domain name will replicate among each other using VTP
Native VLANS :
1. The default native VLAN is VLAN 1
2. Native VLANs must match on all switches to function properly
3. The native VLAN is designed in general for packets received on trunks that haven't been tagged
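The tagging described above (the 4-byte 802.1Q tag placed into each frame on a trunk, and untagged frames landing in the native VLAN) can be shown on real bytes. The following is an added example written for these notes, not Cisco code: it builds a constructed Ethernet frame with made-up MAC addresses, tags it the way an egress trunk port would, classifies it again on ingress, and shows why a native VLAN mismatch matters, since the same untagged frame is placed in whichever native VLAN the receiving side has configured.

```python
"""802.1Q tagging and native-VLAN handling modelled as what a trunk port does
on egress and ingress. Added example for these notes, not Cisco code; the
frames are constructed here (no FCS) and the MAC addresses are made up.
"""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces a tag
ETH_HEADER_LEN = 14   # dst MAC (6) + src MAC (6) + EtherType (2)
TAG_LEN = 4           # TPID (2) + TCI (2)
ETH_MTU = 1500        # largest payload an untagged Ethernet frame carries


def is_valid_vid(vid):
    """Usable VLAN IDs are 1-4094; 0 and 4095 are reserved."""
    return 1 <= vid <= 4094


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Assemble an untagged Ethernet II frame (FCS omitted)."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vid, pcp=0, dei=0):
    """Egress trunk: insert the 4-byte tag between the source MAC and the EtherType."""
    if not is_valid_vid(vid):
        raise ValueError("VLAN ID must be 1-4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid  # priority bits, drop eligible, VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def classify_trunk_frame(frame, native_vlan):
    """Ingress trunk: return (vlan_id, untagged_frame).

    A tagged frame belongs to the VLAN in its TCI; an untagged frame is put in
    the receiving port's native VLAN, which is why both ends must agree on it.
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return native_vlan, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def tagged_payload_size(payload_len):
    """Payload plus tag: a full 1500-byte payload becomes the 1504-byte 'baby giant' of these notes."""
    return payload_len + TAG_LEN
```

With native VLAN 1 on one switch and 99 on the other, classify_trunk_frame returns VLAN 1 on one side and VLAN 99 on the other for the identical untagged frame, which is the leak between VLANs that the "native VLANs must match" rule prevents.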
Example 1:
Example 2:
VTP modes :
1. Server mode ( default mode ) :
 Power to change VLAN information ( adding, deleting and changing )
 Sends and receives VTP updates
 Saves VLAN configuration
2. Client mode :
 Can't change VLAN information
 Sends and receives VTP updates
 Doesn't save VLAN configuration
3. Transparent mode :
 Power to change VLAN information
 Forwards ( passes through ) VTP updates
 Doesn't listen to VTP advertisements
 Saves VLAN information
Note that if we configure all the switches in the network in transparent mode this is like disabling VTP in our network.
In general we configure one VTP server and the rest as VTP clients ( in this case we make the changes on the VTP server only and then the changes are replicated to the VTP clients ). If we configure a switch in transparent mode it will have its own database ( VLAN information ) that doesn't replicate with the others; it receives updates from VTP servers but doesn't change its own database, it only passes those updates on to the devices connected to the transparent switch
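The revision-counter takeover described earlier in this section and the three VTP modes just listed can be played through in a small model. The following is an added example written for these notes, not Cisco code: switch names, domain names and VLAN numbers are constructed, and the behaviour follows the description above (the higher revision number overwrites even a server, clients cannot change VLANs, transparent switches keep their own database). It also models the usual fix for a previously used switch: putting it in transparent mode, which resets its revision counter to 0 before it is connected (assumed IOS behaviour, not stated in the notes).

```python
"""VTP replication modelled on the revision counter, VTP modes and domain name.
Added example for these notes, not Cisco code; switch names and VLAN numbers
are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    domain: str
    mode: str = "server"                      # server | client | transparent
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})

    def add_vlan(self, vid):
        """Local change: allowed on servers and transparent switches only."""
        if self.mode == "client":
            raise PermissionError(f"{self.name} is a VTP client and cannot change VLANs")
        self.vlans.add(vid)
        if self.mode == "server":
            self.revision += 1                # each change bumps the configuration revision

    def set_transparent(self):
        """Transparent mode: own database, revision counter reset to 0 (assumed IOS behaviour)."""
        self.mode = "transparent"
        self.revision = 0

    def advertisement(self):
        return {"domain": self.domain, "revision": self.revision, "vlans": set(self.vlans)}

    def receive(self, advert):
        """Apply an advertisement; returns True when the local database was overwritten."""
        if advert["domain"] != self.domain:
            return False                      # other VTP domain: ignored (the protection from the notes)
        if self.mode == "transparent":
            return False                      # forwarded to neighbours but never applied locally
        if advert["revision"] > self.revision:
            self.vlans = set(advert["vlans"])  # higher counter wins, even against a server
            self.revision = advert["revision"]
            return True
        return False


def flood(source, switches):
    """Deliver the source's advertisement to every other switch on the trunked segment."""
    advert = source.advertisement()
    return [sw.name for sw in switches if sw is not source and sw.receive(advert)]


def build_lab():
    """Constructed production pair: one server with VLANs 10/20/30 replicated to one client."""
    s1, s2 = Switch("S1", "LAB"), Switch("S2", "LAB", mode="client")
    for vid in (10, 20, 30):
        s1.add_vlan(vid)
    flood(s1, [s1, s2])
    return s1, s2


def plug_in_old_switch(old_domain, make_transparent=False):
    """Return the lab switches after a previously used switch (revision 7, VLAN 99) joins."""
    s1, s2 = build_lab()
    old = Switch("OLD", old_domain, revision=7, vlans={1, 99})
    if make_transparent:
        old.set_transparent()                 # revision back to 0, so its advert is harmless
    flood(old, [s1, s2, old])
    return s1, s2
```

plug_in_old_switch("LAB") wipes VLANs 10, 20 and 30 from both production switches, plug_in_old_switch("OTHER") is ignored because of the domain name, and the transparent-mode variant leaves the lab intact.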

VLAN pruning :
 It keeps unnecessary broadcast traffic from crossing trunk links
 This technique only works on VTP servers
 Switch(config)# vtp pruning command is used only on VTP servers to turn on VTP pruning
Example:
6.
Switch VLANS: configuring VLANS and VTP part 1 ( 35:58 mins )
1. configure trunks ( the links that are found between switches to pass the VLAN information )
2. configure VTP :
 configure the VTP domain name
 configure a password for the VTP domain
 configure the VTP mode
3. configure VLANs
4. assign ports to each created VLAN
5. configure routing to route traffic between the created VLANs
access ports on the switch are used to connect devices such as PCs
trunk ports on the switch are used to connect trunk links between switches
1. configure trunks
Switch (config) # interface fastethernet 0/0
Switch (config-if) # switchport mode trunk
this command is used to configure the port as a trunk port ( this means that this port is connected to another switch ); by default the mode for any switch port is dynamic desirable ( this means that the port can become an access port or a trunk port depending on what is connected to it )
NOTE that if we run the command switch (config-if) # switchport mode trunk on some switches you may face an error:
Command rejected: an interface whose trunk encapsulation is ‘auto’ cannot be configured to ‘trunk’ mode
This happens because some switches, like the 3550, have the choice between the 2 trunking protocols ISL and 802.1Q; to overcome this issue we specify the encapsulation to be 802.1Q instead of the default auto-negotiate, using the command switch (config-if) # switchport trunk encapsulation dot1q. If we don't receive this error, that means this switch only supports the dot1q encapsulation
Switch (config) # interface range fastethernet 0/2-24
this command is used to specify a range of interfaces, to apply the same command to all those interfaces instead of accessing each interface individually
Switch (config-if-range) # switchport mode access
this command is used to configure the port as an access port; we use this command after specifying the trunk ports, as we need to configure all the ports on the switch to be either access ports or trunk ports

switch# show run interface fastethernet 0/1 command shows only the information related to this specific interface
switch# show vtp status command shows all the information related to VTP like the VTP version, the VTP revision ( how many changes were made to the VLAN database on this switch ), the maximum number of VLANs supported at one time ( in general the VLAN numbers we can have on a switch are 1-4094 ), the number of existing VLANs, the VTP domain name, the VTP mode and finally the local updater ID
Example: switch# show vtp status
Configuration last modified by 0.0.0.0
Local updater ID is 192.168.1.12
0.0.0.0 means that the configuration was last modified by the switch we ran this command on ( usually this switch is configured as a VTP server ). If this switch is a VTP client, 0.0.0.0 won't appear, as we can't modify the VLAN configuration except in VTP server mode, so it will show us the IP of the VTP server switch instead of 0.0.0.0
 switch# show vlan command is used to show what VLANs were created on the network, and it only shows you the access ports assigned to every VLAN
Example: switch# show vlan
1: native VLAN
1002: fddi-default
1003: token-ring-default
1004: fddinet-default
1005: trnet-default
( VLANs 1002-1005 are predefined VLANs created to support different networks )
switch# show interfaces trunk command is used to show the trunk ports configured on the switch
switch# show interfaces fastethernet 0/0 switchport command is used to show the status of a specific port, whether it's configured as an access port or a trunk port, and the status of the encapsulation mode, whether it's trunk or dynamic
Example: switch# show interfaces fastethernet 0/0 switchport
Administrative mode:
Operational mode:
the administrative mode entry will show you the status of the encapsulation mode; by default it will show you the keyword dynamic, and if we ran the command switch (config-if) # switchport trunk encapsulation dot1Q then it will show you the keyword trunk
the operational mode entry shows the status of the port, whether it's trunk or access
if we have 3 switches and we configured only one switch with a domain name ( the rest have BLANK domain names ), that configured domain name will be replicated to the switches that have a blank domain name; if we later configure a new domain name it won't be replicated like what happened before, as the replication is done only if there is a BLANK domain name
2. configure VTP
Switch (config) # vtp domain DOMAINNAME
this command is used to configure the domain name; note that the DOMAINNAME is case sensitive
Switch (config) # vtp password PASSWORD
this command is used to configure a password for the domain
Switch (config) # vtp mode client
this command is used to configure the mode for the switch; if we don't configure the VTP mode, by default it will be a VTP server
3. configure VLANS
Switch (config) # vlan NUMBER
this command is used to create a VLAN with the specified number; we can verify that using the command switch# show vlan
Switch (config-vlan) # name NAME
this command is used to assign a name to the VLAN
Switch (config-vlan) # exit
7. Switch VLANS: configuring VLANS and VTP part 2(39:36 mins)
 NOTE : in this section we will continue the configuration of the switches based on the previous section; we will finalize points 4 and 5 in this section
4.
Assign ports to VLANS :
Switch (config) # interface fastethernet 0/0
Switch (config-if) # switchport access vlan NUMBER
this command is used to assign interface fastethernet 0/0 to a specific VLAN number; in this case any PC connected to this port will be joined to that specific VLAN
 The best practice to assign VLAN numbers is : VLAN number = subnet number. As an example VLAN 1 has a subnet of 192.168.1.0, VLAN 10 has a subnet of 192.168.10.0, VLAN 20 has a subnet of 192.168.20.0 and so on
5.
Routing between VLANS
There are three methods to route between VLANS :
1. Separate port to each VLAN
2. Layer 3 switch
3. Router on a stick
1. Separate port to each VLAN :
2. Layer 3 switch :
 A layer 3 switch is a switch that has layer 3 capabilities; it works based on creating interface VLANs
 A layer 2 switch is a switch that has layer 2 capabilities only
3. Router on a stick
There are 3 steps to configure router on a stick :
1. Configure router sub-interfaces; NOTE that we don't assign an IP address to the physical interface, all the assigned IP addresses are for the created sub-interfaces
2. Configure the switch port connected to the router as a trunk port
3. Assign a VLAN number to each created sub-interface
The router on a stick method is useful because we can secure VLANs by using access lists ( ACLs ), as an example to prevent users of a specific VLAN from reaching users of another VLAN
1. Router ( config ) # interface fastethernet 0/0.50
this command is used to create a sub-interface; the number 50 is any number we specify, but we prefer to match it with the VLAN number for simplicity
Router (config-subif) # ip address 192.168.1.1 255.255.255.0
After running the above command you will receive a message:
% configuring IP routing on a LAN subinterface is only allowed if that subinterface is already configured as part of an IEEE 802.10, IEEE 802.1Q or ISL VLAN
That means we need to inform the router that this created sub-interface will respond to packets that come from a specific VLAN ( in our example it's 50 ); to solve this message we run the command router (config-subif)# encapsulation dot1Q 50
2. switch ( config) # interface fastethernet 0/0
Switch (config-if) # switchport mode trunk
3. Router(config-subif)# encapsulation dot1Q 50
this command configures the encapsulation for a specific sub-interface so that it responds to all the traffic that comes from a specific VLAN ( in our example it's 50 ) and eliminates the message we received in point 1
After running the above command you will receive a message:
If the interface doesn't support baby giant frames, maximum MTU of the interface has to be reduced by 4 bytes on both sides of the connection to properly transmit or receive large packets, please refer to documentation on configuring IEEE 802.1Q VLANs
Baby giant frame : the biggest packet you can send is 1500 bytes; in case that packet is tagged to be sent over a trunk we add 4 bytes ( the tag size ) to the 1500, giving 1504 bytes, which is called a baby giant frame and must be supported by the switches and routers. In general the routers and switches adjust the size of the packet to be 1496 bytes instead of 1500 bytes, so that when the packet is tagged it will be 1500 bytes ( this is the maximum size that can be handled by Ethernet technology )
If we ping from a PC in one VLAN to a PC in another VLAN and it isn't successful, then we need to check whether the router contains routing entries for those VLANs

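The router-on-a-stick steps above, together with the VLAN number = subnet number convention from point 4 and the "check the router for routing entries" advice, can be put into one small forwarding model. The following is an added example written for these notes, not Cisco code: it assumes the 192.168.N.0/24 convention, creates one sub-interface per VLAN, renders the equivalent IOS commands in the order the router requires (encapsulation before ip address, nothing on the physical interface), and decides for a frame arriving from one VLAN whether it is routed, dropped for lack of a sub-interface, or blocked by a constructed ACL between two VLANs.

```python
"""Router-on-a-stick forwarding model: one sub-interface per VLAN,
VLAN number = third octet of the subnet. Added example for these notes,
not Cisco code; the VLAN table, addresses and ACL entries are constructed.
"""
import ipaddress


def vlan_subnet(vid):
    """Best-practice mapping from the notes: VLAN N <-> 192.168.N.0/24 (assumed base 192.168.0.0)."""
    if not 1 <= vid <= 254:
        raise ValueError("only VLANs 1-254 fit the 192.168.N.0/24 convention")
    return ipaddress.ip_network(f"192.168.{vid}.0/24")


class RouterOnAStick:
    def __init__(self, physical="FastEthernet0/0"):
        self.physical = physical
        self.subifs = {}   # vid -> (sub-interface name, network, router address)
        self.acl = []      # (src_vid, dst_vid, "permit" | "deny"); first match wins

    def add_subinterface(self, vid):
        """interface Fa0/0.<vid>, encapsulation dot1Q <vid>, ip address 192.168.<vid>.1/24."""
        net = vlan_subnet(vid)
        self.subifs[vid] = (f"{self.physical}.{vid}", net, net.network_address + 1)

    def config_lines(self):
        """Render the IOS commands for the table; encapsulation precedes ip address on each sub-interface."""
        lines = [f"interface {self.physical}", " no ip address", " no shutdown"]
        for vid, (name, net, gw) in sorted(self.subifs.items()):
            lines += [f"interface {name}",
                      f" encapsulation dot1Q {vid}",
                      f" ip address {gw} {net.netmask}"]
        return lines

    def route(self, src_vid, dst_ip):
        """Return the egress VLAN for a packet arriving tagged src_vid, or a 'dropped: ...' reason."""
        dst = ipaddress.ip_address(dst_ip)
        if src_vid not in self.subifs:
            return "dropped: no sub-interface for ingress VLAN"
        for vid, (_, net, _) in self.subifs.items():
            if dst in net:                                  # connected route for that VLAN's subnet
                for s, d, action in self.acl:
                    if s == src_vid and d == vid:
                        return vid if action == "permit" else "dropped: ACL deny"
                return vid
        return "dropped: no route to destination subnet"
```

A failed ping between two VLANs maps onto the two drop reasons: either the destination VLAN has no sub-interface (so no connected route) or the ingress VLAN is not trunked to the router at all.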
An ideal design for any network is to divide it into switch layers :
 A layered approach allows for easy, manageable growth
 EtherChannel technology can provide more bandwidth on key links; EtherChannel can bundle 2-8 ports into a single pipe, in which case we have increased bandwidth ( throughput )
 Redundant connections eliminate a single point of failure
Redundancy chaos :
 Switches forward broadcast packets out of all their ports by design, except the one they were received on
 Redundant connections are necessary in business networks
 The place of spanning tree : we drop trees on a redundant link ( block a specific redundant link ) until those links are needed, then that tree ( block ) is removed from that link
TTL ( time to live ) : TTL is how long the packet survives; TTL is a layer 3 field that works only with routers. If switches were capable of understanding the TTL field then we wouldn't face any loops
STP ( Spanning tree protocol ) :
 Original STP ( 802.1D ) was created to prevent loops
 Switches send “ probes “ into the network; those probes are called BPDUs ( bridge protocol data units ) and are used to discover loops. Once a BPDU arrives at a switch, the switch analyzes it, and if it finds its own name in it then that means this BPDU passed through this switch before, which means there is a loop in the network
The BPDU also helps to elect a root bridge ( this is the core switch of the network )

8. Switch STP: understanding the spanning tree protocol (28:18 mins)
The simplest view of STP : all switches find the best path to reach the root bridge, then block all the redundant links ( the remaining links that cause the loops )
Switches run STP by default
General notes about STP elections :
There are 3 port types in general :
1. Root port ( RP ) : this port is used to reach the root bridge
2. Designated port ( DP ) : this port is a forwarding port; there must be one DP per link
3. Blocking / non-designated port : this is a blocked port ( where the tree falls )
Bridge ID = priority.MAC address; the default priority is 32768 and the MAC address is the MAC of the switch itself, not of the interfaces. The lower the priority, the better the chance of being elected root bridge; if all the switches are equal in priority then we compare based on the MAC address, and the lower MAC address is elected root bridge. By default STP elects the oldest manufactured switch as root bridge because by default it has the lowest bridge ID
STP election process ( how STP finds the best path ) :
1. Elect the root bridge: STP must elect a root bridge, which is based on lower priority; by default all STP switches have 32768, so priority + MAC address is considered ( based on the lower MAC address )
2. The root bridge will have all its ports as designated ports
3. Elect the RP: all other switches ( non-root switches ) must select a path to the root bridge. This depends on the lowest-cost path to the root, regardless of direct or indirect connectivity with the root bridge. Every switch must have an RP; the minimum root path calculation is performed by processing incoming BPDUs. The incoming BPDU carries the root path cost, which is the cumulative cost of the path between the root bridge and the non-root bridge.
NOTE: if the path cost is tied then we elect based on the lower bridge ID; if the bridge ID is also tied then we elect based on the lower physical port ID
Bandwidth of the link    Cost of the link
10Mbps                   100
100Mbps                  19
1Gbps                    4
10Gbps                   2
4. All other switches ( non-root bridges ) must select one DP per link; the election of the DP is done exactly like the RP!

In brief:
RP: lowest path cost; if tied then we go to the lowest bridge ID; if tied then we go to the lowest physical port ID
DP: lowest bridge ID; if tied then we go to the lowest physical port ID

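The election rules above (root bridge by lowest priority.MAC, root port by lowest root path cost with bridge ID and port ID as tie-breakers, one designated port per link, everything else blocking) can be run over a small redundant topology. The following is an added example written for these notes, not Cisco code: the three switches, their MAC addresses, port numbers and link speeds are constructed, the cost table is the one above, and the result is the role of every port, including the one link that STP blocks in a triangle.

```python
"""STP root bridge, root port and designated port election on a small
redundant topology. Added example for these notes, not Cisco code; switch
names, MAC addresses, port numbers and links are constructed.
"""
import heapq

LINK_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # Mbps -> cost, from the table above

# Constructed lab: A-B and A-C are gigabit, B-C is 100 Mbps, so the triangle has one redundant link.
LAB_SWITCHES = {
    "A": {"priority": 32768, "mac": "0009.e848.6c00"},
    "B": {"priority": 32768, "mac": "0011.2233.4455"},
    "C": {"priority": 32768, "mac": "0019.aabb.ccdd"},
}
LAB_LINKS = [  # (switch, port, switch, port, Mbps)
    ("A", 1, "B", 1, 1000),
    ("A", 2, "C", 2, 1000),
    ("B", 3, "C", 3, 100),
]


def bridge_id(sw):
    """Bridge ID compares as (priority, MAC); the lower tuple wins."""
    return (sw["priority"], sw["mac"])


def elect_root(switches):
    return min(switches, key=lambda name: bridge_id(switches[name]))


def root_path_costs(switches, links, root):
    """Dijkstra over link costs: root path cost is the cumulative cost toward the root."""
    adj = {name: [] for name in switches}
    for a, _, b, _, mbps in links:
        adj[a].append((b, LINK_COST[mbps]))
        adj[b].append((a, LINK_COST[mbps]))
    cost = {name: float("inf") for name in switches}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for nb, lc in adj[n]:
            if c + lc < cost[nb]:
                cost[nb] = c + lc
                heapq.heappush(heap, (cost[nb], nb))
    return cost


def port_roles(switches, links):
    """Return (root, {(switch, port): role}) with role in {'root', 'designated', 'blocking'}."""
    root = elect_root(switches)
    cost = root_path_costs(switches, links, root)
    roles = {}
    # Root port: on each non-root switch, the lowest
    # (cost via that neighbour, neighbour bridge ID, neighbour port ID, own port ID)
    for sw in switches:
        if sw == root:
            continue
        best = None
        for a, pa, b, pb, mbps in links:
            if sw not in (a, b):
                continue
            my_port, nb, nb_port = (pa, b, pb) if a == sw else (pb, a, pa)
            key = (cost[nb] + LINK_COST[mbps], bridge_id(switches[nb]), nb_port, my_port)
            if best is None or key < best[0]:
                best = (key, my_port)
        roles[(sw, best[1])] = "root"
    # Designated port: on each link, the end with the lower (root path cost, bridge ID, port ID);
    # the opposite end blocks unless it is already that switch's root port
    for a, pa, b, pb, _ in links:
        ka = (cost[a], bridge_id(switches[a]), pa)
        kb = (cost[b], bridge_id(switches[b]), pb)
        dp, other = ((a, pa), (b, pb)) if ka < kb else ((b, pb), (a, pa))
        roles.setdefault(dp, "designated")
        roles.setdefault(other, "blocking")
    return root, roles
```

For the constructed lab, A wins the root election on its lower MAC, B and C reach it over their gigabit links at cost 4, and on the B-C link B's lower bridge ID makes B port 3 designated and C port 3 the blocked redundant link. Adding a fourth switch with a lower priority to LAB_SWITCHES is enough to move the root, which is the situation root guard is meant to catch.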
Example:
Exclusion examples:
9.
 Switch # show spanning-tree command shows you the following :
1. It shows you the root ID ( bridge ID ): the root ID is the bridge ID of the root bridge; it shows the priority value, the MAC address of the root bridge and the local switch port that the root bridge is connected on ( this shows the local port of the switch that we ran this command on )
2. It shows you the bridge ID of the switch that you ran this command on; if we ran this command on the root bridge the root ID will give the same information as the bridge ID, it will show you that this is the root bridge, and all the ports will be in forwarding state ( designated ports )
3. It shows you the port status on the switch
 PVST+ ( Per VLAN STP ) : it's an enhanced version of STP that runs by default on Cisco switches; once you run the command Switch # show spanning-tree you will notice that the priority value = priority + VLAN number ( sys-id-ext ). More details about this enhanced version are found in the next section

Switch STP: configuring basic STP (21:16 mins)
Example:
According to the above example:
1. The root bridge priority is 32769 and the MAC address is 0009.e848.6c00
2. The root bridge is connected on DS1 local port fa0/27
3. The priority for DS1 is 32769 = 32768 ( default ) + 1 ( VLAN number, sys-id-ext ), as PVST+ is running on this switch by default
Example:
According to the above example:
1. One of the features that you will learn in the next section about PVST+ is that we can have a root bridge for each VLAN; in this example we find that for VLAN 20 DS1 is the root bridge and the priority is 32788 = 32768 ( default ) + 20 ( VLAN number )

There are 2 ways to configure a switch to be the root bridge manually :
1. Switch (config)# spanning-tree vlan 1 root primary
this command is used to configure a switch to be the root bridge ( it will decrease the priority as much as needed to elect this switch as the root bridge ); we must specify the VLAN in the command to modify STP in that VLAN. If we use the keyword secondary instead of primary it will configure this switch as a backup root switch; this command is basically used with PVST+ to configure a root bridge for each VLAN we have in the network
2. Switch (config)# spanning-tree vlan 1 priority 0
this command will configure this switch to be the root bridge by specifying the priority manually to be 0; the priority can be configured with a number between 0-61440 in increments of 4096
If somebody connects a switch to the network and changes the priority of that switch to be the lowest so that it is elected as root bridge, it will ruin the network; to protect our network from such attacks we configure root guard

10. Switch STP: enhancements to STP (29:54 mins)
Notes :
1. When you first plug a device into a switch port it will take 30 seconds ( 15 seconds in listening mode and 15 seconds in learning mode ) to check the device; the first 15 seconds of listening mode are used basically to double check that this port doesn't have another switch connected to it, and that is done by checking whether the port receives a BPDU or not. If a port is configured to not receive BPDUs and it receives one in the first 15 seconds ( listening mode ), then instead of entering learning mode it will be shut down

2. A blocking port transitioning from the blocking state to the forwarding state ( changing from blocking mode to listening mode to learning mode and finally to forwarding mode ) will take 50 seconds = 20 seconds in blocking mode, 15 seconds in listening mode and 15 seconds in learning mode
3. When there is a failover in STP ( one link goes down and another link works until the first link is functioning again ), it will take 30-50 seconds; if there is another failover ( the original link is up again and functioning ) it will take 1-1:30 mins, because we add a blocking timer to the 30-50 seconds that happened in the first failover
Problems and solutions of STP :
1. STP faces some problems with PCs : modern PCs can boot faster than 30 seconds ( listening and learning modes ), and that is faster than a port transitioning from blocking state to forwarding state ( 50 seconds ); in this case the PCs are forced to wait those 50 seconds before they can communicate on the network, as the PC won't work until the port works
The solution for this problem is to use the portfast feature; this feature transitions the port from blocking mode to forwarding mode immediately without entering the listening and learning modes. This feature is enabled using the command switch (config-if)# spanning-tree portfast ( this command disables STP on that port and it is configured only on access ports )
2. STP faces some problems with uplink ports ( ports that connect to other switches ) : if such a port transitions from blocking mode to forwarding mode it will spend approximately 50 seconds, and that is a long time that causes trouble in our network
The solution for this problem is to use RSTP ( rapid spanning tree )

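Three points from the preceding pages fit one small model: the PVST+ priority shown by show spanning-tree ( priority + VLAN number ), the priority values the priority and root primary commands may set, and the two protections against an unexpected BPDU (a port that must not receive BPDUs being shut down, and root guard against a switch claiming to be a better root). The following is an added example written for these notes, not Cisco code: the port names, MAC addresses and the simplified port states are constructed, the root primary arithmetic follows the documented IOS macro (24576, or 4096 below the current root), and the guard behaviour is a model of what the notes describe rather than the full IOS state machine.

```python
"""PVST+ bridge priority arithmetic and the guard checks a switch applies to
incoming BPDUs. Added example for these notes, not Cisco code; port names,
MAC addresses and the simplified states are constructed.
"""
DEFAULT_PRIORITY = 32768
PRIORITY_STEP = 4096


def is_valid_priority(priority):
    """IOS accepts 0-61440 in steps of 4096 (the four high bits of the 16-bit field)."""
    return 0 <= priority <= 61440 and priority % PRIORITY_STEP == 0


def pvst_priority(priority, vlan):
    """Value shown by 'show spanning-tree' under PVST+: priority + VLAN number (sys-id-ext)."""
    if not is_valid_priority(priority):
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return priority + vlan


def root_primary_priority(current_root_priority):
    """Priority picked by 'spanning-tree vlan N root primary' (documented IOS macro behaviour):
    24576 when that already beats the current root, otherwise 4096 below the current root."""
    if current_root_priority > 24576:
        return 24576
    if current_root_priority < PRIORITY_STEP:
        raise ValueError("current root already has priority 0; root primary cannot win")
    return current_root_priority - PRIORITY_STEP


class Port:
    def __init__(self, name, portfast=False, bpdu_guard=False, root_guard=False):
        self.name = name
        self.portfast = portfast
        self.bpdu_guard = bpdu_guard
        self.root_guard = root_guard
        # portfast skips listening/learning; a normal port starts in listening
        self.state = "forwarding" if portfast else "listening"


def receive_bpdu(port, current_root_id, bpdu_root_id):
    """Apply the guard rules to one incoming BPDU and return the resulting port state.

    Bridge IDs are (priority, mac) tuples; a BPDU whose root ID is lower than the
    root we know is 'superior', i.e. the sender claims a better root bridge.
    """
    if port.bpdu_guard:
        port.state = "err-disabled"          # any BPDU on a guarded (access) port shuts it down
        return port.state
    if port.root_guard and bpdu_root_id < current_root_id:
        port.state = "root-inconsistent"     # superior BPDU: blocked instead of re-electing the root
        return port.state
    if port.state == "root-inconsistent" and bpdu_root_id >= current_root_id:
        port.state = "listening"             # superior BPDUs stopped: the port recovers on its own
    return port.state
```

With the lab root at (32769, 0009.e848.6c00), a BPDU from a switch configured with priority 0 is superior; on an unguarded uplink it would trigger a new root election, on a root-guarded port it only puts that port into root-inconsistent, and on a BPDU-guarded access port it err-disables the port.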
Initial STP enhancements :
1. PVST+ ( per VLAN spanning tree + ) :
 Runs as an instance of STP per VLAN
 Allows different root bridges per VLAN
 In STP we had a disabled link ( resulting from a blocking port ); using PVST+ all the links will be used, based on VLANs
 By default PVST+ runs on Cisco switches
Example:
2. RSTP ( rapid STP ) :
 RSTP is also known as 802.1W
 RSTP is designed to be a proactive system; in STP the switch forgets about the blocked ports, and in case it wants to transition a blocked port to a forwarding port it must rediscover it from the beginning and that takes time; in RSTP it remembers all the ports and marks the blocked ports ( as named in STP ) as alternate ports
 RSTP redefines port roles that help in improving the performance :
1. Root port : this port is used to reach the root bridge ( it's the same as in STP )
2. Designated port : this is a forwarding port and there must be one per link ( it's the same as in STP )
3. Alternate port : this port is a discarding port ( in STP there are blocking ports and in RSTP they are called alternate ports, so instead of having a disabled link like in STP we have a backup path to the root using RSTP )
 RSTP has many similarities with STP
 RSTP must be running on all the switches found in our network, because if we have any switch running STP while the others are configured as RSTP, that STP switch will slow down the network
 Usually we enable the portfast feature together with RSTP, using the command switch(config-if)# spanning-tree portfast, to improve the performance and have a fast network
 When a port goes down in RSTP it is transitioned to alternate port mode and won't cause any outage, but when you fail back to that alternate port ( to transition to forwarding mode again ) it will be down for 1-2 seconds only
 Switch # show spanning-tree command is used to show the status of RSTP, whether it's running or not
 Switch(config)# spanning-tree mode rapid-pvst command is used to enable RSTP on the switch; this command must be run on all the switches in the network to have a fast network. Instead of rapid-pvst we can also use the keyword mst ( multiple spanning tree: this spanning tree mode is the oldest mode and it runs one instance of spanning tree on all the VLANs; this type is used when there are a lot of VLANs on the network and we don't want to consume a lot of router resources ) or pvst ( PVST+ is the default spanning tree running, so no need to enable it )

11. General switching: troubleshooting and security best practices (29:23 mins)

Troubleshooting a switched network :

  • 1. Get familiar with the network

  • 2. Absolutely have an accurate network diagram

Common troubleshooting issues :

  • 1. Port issues :
 Check cabling issues
 Verify speed and duplex auto configuration; usually the problem we face is from a duplex mismatch, not from the speed
 Check that the assigned VLANs have not been deleted: if a PC is assigned to a VLAN and that VLAN was deleted, the switch port will show as amber and the PC can't communicate anymore with the network

  • 2. Spanning tree issues : usually if there is a problem all the lights on the switch will appear as amber
 Solve the immediate issue ( disconnect redundant links ); in this case we won't face any spanning tree problems once we specify which redundant link to disable, of course by using STP technology
 Ensure all the links are reflected on a network diagram, as we need an updated network diagram; in general spanning tree has an effective radius ( distance ) of 7 devices
 Ensure root bridge selection is appropriate
 Make sure all the switches are running RSTP

  • 3. VLAN and trunking issues :
 Watch for native VLAN mismatch; as on page 52 of this document, if the native VLAN doesn't match we will face a problem, so we prefer to unify it on all switches
 Hard code trunk ports to be "on" using the command switch(config-if)# switchport mode trunk; by default they are configured as dynamically allocated
 Verify the IP address assignments in a VLAN
 Use ping and traceroute commands to diagnose routing issues

  • 4. VTP issues :
 Verify the trunks
 Verify VTP information like the VTP password, VTP version, VTP domain name and the VTP modes
 Last resort to solve VTP issues is to delete the vlan.dat file found in flash and reconfigure the VLANs from the beginning; all the VLAN information in general is found in vlan.dat, and if you want to flush all the VLAN configuration just run the command switch# delete flash:vlan.dat and then reboot the switch

Switch security is essential :

Most security focuses around the network perimeter.

Switch security checklist :

  • a. Physical security : we secure the location of the switch itself, because if somebody, as an example, pressed the mode button found on the switch for 10 seconds it would erase all the configuration; this feature can be disabled using the command line

  • b. Set passwords and logon banners

  • c. Disable the web server; this feature is used to give a GUI page through a web browser to check the switch ports and configure them. The web server can be disabled by running the command switch(config)# no ip http server

  • d. Limit remote access subnets using ACLs

  • e. Use SSH whenever it's possible

  • f. Configure logging; this is done in 2 ways :
1. Logging the messages on the local switch : Switch(config)# logging buffered 64000; this command will allocate 64000 bytes of memory buffer to log messages, for example when an interface goes up or down it will log that event. The Switch# show logging command is used to show the logged messages on the switch
2. Logging all the messages to be saved on a remote host that has a program to receive those messages, like Kiwi Syslog Daemon; to configure the switch to send those logs we run the command switch(config)# logging A.B.C.D

  • g. Limit CDP reach when it's possible : we disable CDP in case we want to protect our network from packet sniffers, as they can read CDP packets, but we don't recommend disabling CDP as IP phones use CDP to function. Limiting CDP reach can be done in 2 ways:
1. Switch(config)# no cdp run
2. Switch(config-if)# no cdp enable

  • h. Use BPDU guard on portfast ports : in general BPDU is used with STP to announce switches and discover if there are any loops in the network. We enable BPDU guard on portfast ports ( ports connected to PCs ) as those ports don't need to receive a BPDU, because only PCs are connected on those ports; in case we connected a switch on this port and it started to send BPDUs, once the portfast port that has BPDU guard enabled receives a BPDU it will shut down the port ( it enters an error-disabled state ), and that helps to prevent loops. In brief: the BPDU guard feature puts PortFast-enabled interfaces that receive BPDUs in an error-disabled state. This feature can be enabled using the command switch(config)# spanning-tree bpduguard

Example:
If we configured BPDU filter using the command switch(config)# spanning-tree bpdufilter, the BPDU filtering feature prevents the switch interface from sending or receiving BPDUs.
BPDU guard stops sending BPDUs from an interface, and in case it receives a BPDU the port goes into an error state ( shut down ); this is activated on portfast ports in general, and it's used to protect our network from someone connecting an additional hub or switch to our existing switch. BPDU filter, on the other hand, stops sending AND receiving on the port; in case it receives any BPDU it will only discard it, and it's used on the access layer switch ports as we don't need to receive STP information there
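The checklist above can be checked mechanically against a saved running-config. The following Python audit is an added example (not from the course notes): it parses a constructed sample config and flags checklist items c, e, f and h that are missing. The interface-level `spanning-tree bpduguard enable` and the VTY `transport input ssh` commands are assumed here as the IOS forms of those items.

```python
import re
# Constructed sample running-config (added here, not from the course notes);
# some checklist items are deliberately left out so the audit flags them.
SAMPLE_CONFIG = """\
ip http server
logging buffered 64000
interface FastEthernet0/5
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/6
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
line vty 0 4
 transport input telnet
"""

def parse_config(text):
    """Split an IOS-style config into top-level lines and indented sections."""
    top, sections, current = [], {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line or line == "!":
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current, sections[line] = line, []
            top.append(line)
    return top, sections
def audit_switch_config(text):
    """Findings against checklist items c (web server), e (SSH), f (logging)
    and h (BPDU guard on portfast ports); interface-level 'spanning-tree
    bpduguard enable' and 'transport input ssh' are assumed IOS commands."""
    top, sections = parse_config(text)
    findings = []
    if "no ip http server" not in top:
        findings.append("web server enabled: add 'no ip http server'")
    if not any(re.fullmatch(r"logging buffered \d+", t) for t in top):
        findings.append("no local log buffer: add 'logging buffered <bytes>'")
    if not any(re.fullmatch(r"logging (host )?\d+(\.\d+){3}", t) for t in top):
        findings.append("no remote syslog host: add 'logging <A.B.C.D>'")
    for name, body in sections.items():
        if name.startswith("interface") and "spanning-tree portfast" in body \
                and "spanning-tree bpduguard enable" not in body:
            findings.append(f"{name}: portfast without bpduguard")
        if name.startswith("line vty") and not any(
                c.startswith("transport input") and "ssh" in c for c in body):
            findings.append(f"{name}: allow only SSH ('transport input ssh')")
    return findings
```

Running `audit_switch_config(SAMPLE_CONFIG)` reports the enabled web server, the missing syslog host, the portfast port without BPDU guard and the telnet-only VTY line.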
12. Sub netting: understanding VLSM (18:42 mins)

VLSM ( variable length subnet mask ) : we can change the subnet mask whenever and wherever.
If you use VLSM then you need a classless routing protocol that works with VLSM, like RIPv2, OSPF, IS-IS and EIGRP; the classful routing protocols like IGRP and RIPv1 won't work with VLSM in a proper way.
In any VLSM scenario we do the following :

  • 1. Start with the largest subnet

  • 2. After specifying the 1st network range we do subnetting again and pick a suitable network range

Example:
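The two steps above, carried out by a short Python allocator. This is an added example, not from the course notes; the address block and the host counts are constructed sample values.

```python
import ipaddress

def vlsm_allocate(block, demands):
    """Carve `block` (e.g. '192.168.1.0/24') into subnets for a list of
    (name, hosts_needed) pairs the VLSM way: largest requirement first,
    then the smallest mask that fits each one, laid out back to back."""
    net = ipaddress.ip_network(block)
    cursor = int(net.network_address)
    plan = []
    # Step 1: start with the largest subnet.
    for name, hosts in sorted(demands, key=lambda d: d[1], reverse=True):
        if hosts < 1:
            raise ValueError(f"{name}: host count must be at least 1")
        # hosts plus network and broadcast addresses must fit in 2**host_bits
        host_bits = (hosts + 1).bit_length()
        prefix = 32 - host_bits
        # Step 2: the next range starts where the previous one ended; because
        # masks only get longer, the cursor is already aligned for this prefix.
        subnet = ipaddress.IPv4Network((cursor, prefix))
        if subnet.broadcast_address > net.broadcast_address:
            raise ValueError(f"{name}: /{prefix} does not fit inside {net}")
        plan.append((name, subnet, 2 ** host_bits - 2))
        cursor = int(subnet.broadcast_address) + 1
    return plan

# Constructed requirement list (sample values, not from the course notes).
DEMANDS = [("Sales", 50), ("Engineering", 20), ("WAN link", 2), ("Management", 10)]

if __name__ == "__main__":
    for name, subnet, usable in vlsm_allocate("192.168.1.0/24", DEMANDS):
        print(f"{name:12} {str(subnet):18} usable hosts: {usable}")
```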

13. Routing protocols: distance vector VS link state (26:25 mins)

 Types of routing protocols: refer to page 36 for more information
Distance vector ( DV ) routing protocols :
1. DV routing protocols send the entire routing table at specific intervals ( as an example RIP sends its entire routing table to the entire network as broadcasts or multicasts ( depending on the version of RIP ) every 30 seconds; those updates are the keepalives of RIP, and if a RIP router didn't receive this update every 30 seconds then there is probably a problem occurring )
2. In their simplicity DV routing protocols have looping issues like count to infinity

Example of the count to infinity problem:

DV loop preventions :
1. Maximum distance : the maximum distance for RIP is 16 hops away; the 16th hop is considered dead
2. Route poisoning : in case there is a down network, it will be advertised by RIP as 16 hops, and according to the 1st mechanism ( maximum distance ) that route will be considered dead
3. Triggered update : when there is a change in the network ( probably a network is down ), the router immediately triggers an update ( instead of waiting 30 seconds to send an update about that change ) to inform the other routers that there is a network change ( the down network will be advertised with route poisoning )
4. Hold down timers : when there is a down network, all the routers that aren't connected directly to that down network will set this timer so that they won't receive any updates related to that down network until the hold down timer expires ( by default it's 180 seconds ); this mechanism is useful if we have flapping links that go up and down frequently
5. Split horizon : it tells the router not to send updates back in the same direction they were received from, for networks that have been advertised; this mechanism causes a lot of problems in frame relay so we prefer to disable it in frame relay

Example:
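The count to infinity problem from the DV section and the maximum distance, route poisoning and split horizon mechanisms from the list above, simulated in Python as an added example that is not part of the course notes. The three-router topology A - B - C with network X attached to C is constructed for the demonstration; each round stands in for one 30-second periodic update.

```python
INFINITY = 16   # RIP's maximum distance: a metric of 16 means "unreachable"
class Router:
    def __init__(self, name, links):
        self.name, self.links = name, links
        self.table = {}                  # dest -> (metric, next_hop)
    def advertisement(self, to, split_horizon):
        """Routes sent to neighbour `to`; split horizon withholds the ones learned from it."""
        return {d: m for d, (m, nh) in self.table.items()
                if not (split_horizon and nh == to)}
    def receive(self, frm, adv):
        """Distance vector update; returns True if the table changed."""
        changed = False
        for dest, m in adv.items():
            new = min(m + 1, INFINITY)   # maximum-distance rule caps the metric
            cur = self.table.get(dest)
            if cur is None:
                if new < INFINITY:       # never install an unreachable route
                    self.table[dest] = (new, frm); changed = True
            elif (cur[1] == frm or new < cur[0]) and cur != (new, frm):
                # believe the current next hop (even if worse) or take a better path
                self.table[dest] = (new, frm); changed = True
        return changed

def run_until_stable(routers, split_horizon, max_rounds=50):
    """One round = every router sends its periodic update; returns
    (rounds until no change, per-round metrics to X at A, B and C)."""
    trace = []
    for r in range(1, max_rounds + 1):
        advs = [(rt, nb, rt.advertisement(nb, split_horizon))
                for rt in routers.values() for nb in rt.links]
        changed = False
        for rt, nb, adv in advs:
            changed |= routers[nb].receive(rt.name, adv)
        trace.append(tuple(routers[n].table.get("X", (INFINITY, None))[0] for n in "ABC"))
        if not changed:
            return r, trace
    return max_rounds, trace

def simulate(split_horizon):
    # Constructed topology: A - B - C, with network X directly attached to C.
    routers = {"A": Router("A", ["B"]), "B": Router("B", ["A", "C"]),
               "C": Router("C", ["B"])}
    routers["C"].table["X"] = (0, None)
    run_until_stable(routers, split_horizon)           # initial convergence
    routers["C"].table["X"] = (INFINITY, None)         # X goes down: route poisoning
    return run_until_stable(routers, split_horizon)

if __name__ == "__main__":
    print({sh: simulate(sh) for sh in (False, True)})
```

Without split horizon the metric for X climbs 3, 5, 7 ... 15 before every router reaches 16, taking 16 rounds; with split horizon the poisoned route settles everywhere in 3 rounds.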