Sie sind auf Seite 1von 37

Interconnecting Cisco Networking Devices

By Tom Price

Network Foundations
What is a network?

A network is a modern form of communication for humans.

Cisco is the 'debated' inventor of routers - the industry leader in network equipment.
Networks provide the infrastructure to transfer resources.

Common Network Equipment

Wireless Access Points
Client PC's and Servers

Ethernet - used to connect PC's, servers to wall jacks/switches. 100m max distance. Cost efficient.
Fibre - gives much greater bandwidth than Ethernet and much greater distance. Used for connecting servers to switches and fast
Internet connections.
Serial - still used by ISP's to connect to a CSU/DSU. Being phased out and now uncommon.

Networks handle speed in bits per second (eg. 100Mbps).
Bit (smallest unit)
Byte (8 Bits)
Kilobyte (1024 Bytes)
Megabyte (1024KB)
Gigabyte (1024MB)
Terabyte (1024)

REMEMBER - don’t get confused with megabytes per second (MBps) and megabits per second (Mbps) would need to divide
Mbps by 8 to give the MBps speed!!

Ethernet - has speeds of 10Mbps, 100Mbps, 1000Mbps (1Gbps) and 10Gbps.

Example of Network Speed

Imagine we have a 10Mbps network and we would like to save a 10MB picture to the file server.

10Mbps divide by 8 = 1.25MBps

10MB / 1.25 = 1.25 = 8 seconds

With the overhead of sending data in packets we would estimate the time taken to save the 10MB picture would be 10

OSI Model

The OSI model is a network communication model.

It is a standard architecture defining network communication providing a system to "break down" network communication.

Each layer has its own standards.

OSI was an actual protocol and competed with TCP/IP protocol (like VHS and Betamax!).
Simpler addressing in TCP/IP and so TCP/IP was chosen as the standard.

OSI Model - 7 Layers

7 Application
6 Presentation

5 Session

4 Transport

3 Network

2 Data Link

1 Physical

**Please Do Not Throw Sausage Pizza Away**

Layers and their functions

Application - eg. Internet Explorer, Vuze, Firefox, Chrome, World of Warcraf

Presentation - makes data generic. Eg. turns pics into GIF's, does encryption. Enables receiving application understand.
Session - maintains the session and keeps the process alive.
Transport - how data is sent - the application decides. TCP/UDP are main protocols used (ICMP for ping). Data apps would use
TCP for reliability as provides acknowledgments (ack's). Voice/Video uses UDP for speed and not fussy if a packet or two is
dropped - however Voice is affected by jitter. Transport layer uses ports - destination and source. Eg. Port 80 for HTTP.
Network - logical addressing - IP addresses. Routers sit here.
Data Link - physical addressing - MAC addresses. Switches sit here.
Physical - bits sent over the wire. Network cable, NIC cards.

Routers and switches also need to be able to send bits (Layer 1).

Make an online payment via Bank Website

1. Application - log into the Banks website using Internet Explorer.

2. Presentation - converts data into standard required by the Web server regardless of the browser used. HTML, GIF etc.
3. Session - was started when we logged into website.
4. Transport - needs to be reliable - TCP!! Adds destination port so the receiving web server knows which app the data is
for - HTTPS 443. Adds source port (dynamic/random port) so the bank web server can send ack's back to tell us payment
has been made!
5. Network - used DNS to find out IP address of the Bank website. Uses source and destination IP addresses.
6. Data Link - needs source and destination MAC address. Computer sees that bank website IP is in a different network
and so sends an ARP request for the default gateway (router) MAC address and PC sends request for router to forward
onto Bank web server.
7. Physical - here the bits are sent over the wire through each router etc.

Switches sit at Layer 2 - Data Link.
They learn physical addresses (MAC). Hubs worked at the physical layer but could not learn MAC addresses and just flooded all
ports with broadcasts.
Routers sit at Layer 3 - Network.
They look at IP addresses and use their Routing table to decide where to send.

TCP/IP Model

The TCP/IP network model is a four-layer model. It is effectively a reduced version of the OSI model.
However, the OSI model is more widely used as it breaks down the network layers into greater depth and gives a better
explanation of data flow.

TCP/IP Model

4 Application

3 Transport
2 Internet

1 Network Interface

Spells NITA!

Layers and their functions

Application - defines TCP/IP protocols and how programs interface with transport layer. Eg. HTTP, Telnet, DNS, FTP
Transport - provides session management and transport protocol. Eg. TCP, UDP, ICMP, RTP.
Internet - packages data into IP datagrams and performs routing. Eg. ARP, IP.
Network Interface - how data is physically sent through the network. Eg. Ethernet, Token ring

How the layers map between both models...

Ethernet Frame Diagram

Preamble Destination Source Type Data FCS (CRC)

8 6 6 2 46-1500 4 bytes

A runt is a frame which is less than 64 bytes in size and a giant is a frame which is greater than 1518 bytes in size...both are
discarded by a switch! !

Straight-Through, Crossover and Rollover Cables

Different devices require different cables when connected together in a network!

Two simple rules to remember!
1. When devices are different then a straight-through cable is used.
2. When the devices are the same then a crossover cable is used.

Router to Router Crossover

Switch to Switch Crossover

PC to Router Crossover

PC to Switch Straight-Through

Switch to Router Straight-Through

Switch to Hub Crossover

Straight-Through Cables
These are used to connect computers, printers to a switch or hub (a client to a host).
Pin 1 to Pin 1
Pin 2 to Pin 2
Pin 3 to Pin 3

Crossover Cables
These are commonly used to connect two hosts together. Eg. Router to Router, Switch to Switch or PC to PC.
Pin 1 to Pin 3
Pin 2 to Pin 6
Pin 3 to Pin 1
Pin 4 to Pin 7
Pin 5 to Pin 8

Rollover/Console Cables
These are used to connect a PC to a switch/router for management purposes.
Pin 1 to Pin 8
Pin 2 to Pin 7
Pin 3 to Pin 6
Pin 4 to Pin 5

IP Addressing

32 bit address
Consists of four octets - 0 to 255 - eg (In binary = 11000000.10101000.00000000.01100100 = 32 bits)
Combines with default gateway and subnet mask.
IP Address:
Subnet Mask:
Default Gateway:

Example of how IP addresses are used

Ping to test connectivity between two PC's on same network

PC1 ( types 'ping' in command prompt. This is IP address of PC2.
This initiates an ARP request which is sent to the switch. The switch then sends this to all ports apart from the port PC1 is
connected to. PC2 with the address sends back its MAC address using a Unicast message. PC1 then sends the actual
ping to PC2 once it knows its MAC. The switch also remembers the MAC addresses of each device and the port which they are
connected to.

MAC address - 12 character (48 bit or 6 byte) hexadecimal address (eg. 1E:4T:FG:15:6F:8D). Each character is 4 bits (eg 1001).
These are assigned to each NIC (network interface card).
They have to be unique on the LAN (and they should be when assigned by manufacturer!) but in theory they could be the same
on different LANs across a WAN link.

Default Gateway - is a router which takes us off our network and onto the Internet (or just another subnet within our network.)

If the above ping was sent to a device which was on a different network to our own (eg. then PC1 would have
recognised that this IP is in a different network and would have sent an ARP for the MAC address of its default gateway (router).

Moving around Layer 2 & 3

Switches - sit at Layer 2 - only use MAC addresses

Routers - sit at Layer 3 - use IP addresses

However, we do have L3 Switches which can remember IP addresses.

When sending data routers strip off the MAC addresses and adds a new source and destination MAC address.
IP addresses never change in the packet.

Default Route (

If a router does not know the route it sends it to the Internet/ISP router.
BGP - Border Gateway Protocol - this holds all of the routes for the Internet!! Knows everything!!
Useful command - arp -a - this shows all devices on the LAN (IP and MAC address).

Assigning IP Addresses

Servers, Routers, printers.
We can rename network connections to give a meaningful name (Go to Ctrl Panel -> Network Adapter -> Advanced).

This is a server role - we define an IP address scope - eg. LAN PC's.
When PC's boot up they send a broadcast for IP address. The DHCP server is listening using ports 67,68.
We can add exclusions into scopes for any IP addresses which we may have defined statically (and also add reservations too). A
router can also be a DHCP server.

DHCP Relay
If we have lots of remote offices we can run DHCP from a central point. We can enable DHCP relay on a router to allow DHCP
broadcasts to grab IP addresses from the main office server. As remember...routers discard broadcasts by default

Public and Private IP Addresses

Private - not routable on the Internet!! -> -> ->

Automatic (APIPA)
Assigned when PC cannot contact DHCP server. ->

Loopback (ping) ( ->

Special Addresses
The first address of the subnet is the network ID.
The last address of a subnet is the broadcast address.
Network ID =
Broadcast =

NAT is used so private addresses can be used on the Internet. It translates all private addresses to the external IP address given
by your ISP.

Classes of Addresses

Default Subnet Mask

Class A 1 - 126 (/8)

Class B 128 - 191 (/16)

Class C 192 - 223 (/24)

Class D 224 - 239 (multicast addresses)

Class E 240 - 254 (experimental addresses)

Classfull addressing is where we use the default subnet mask as above.

Cisco advises not having a network with >500 devices due to broadcast traffic!

Classless Addressing
This is where we can use a Class C subnet mask with a Class A network.
Class A network -
Subnet Mask - (This gives us 254 useable addresses)

Types of messages
Unicast - message sent to 1 device
Multicast - message sent to a group of devices (devices tune into a specific IP address in the class D range)
Broadcast - message sent to all devices

How Applications Speak - TCP & UDP

Transport Layer (Layer 4)

TCP and UDP are the primary transport layer protocols used today.

UDP - says "I hope it got there!"

TCP - says "I know it got there!"

TCP uses a 3 way handshake (SYN then SYN,ACK then ACK) to establish connection.

UDP (User Datagram Protocol)

Less reliable than TCP.
Used in VOIP and Video - real-time - no need to resubmit lost packets.
DNS uses UDP as it is very fast. Nslookup - tell me the IP address of a hostname!!
DNS - destination port would be 53 for any DNS requests. A random source port would be assigned eg. 50001.
DNS is a simple answer and question - there is no confirmation of whether the question or answer was received.

TCP (Transmission Control Protocol)

TCP uses a 3 way handshake to establish the connection. It uses acknowledgments to ensure packets have been received. HTTP
is TCP based - ensures webpages load completely!

3 Way Handshake process

1. PC1 sends a SYN to PC2 with sequence number 1000
2. PC2 receives the SYN and sends back a SYN, ACK with sequence number 5000 and ack = 1001
3. PC1 then receives the SYN,ACK and sends an ACK to PC2 with ack = 5001

The handshake process uses sequence numbers that increment when sending data.

The ACK is always 1 more than the sequence number (see above for example!)

TCP Communication always starts with a 3 way handshake before any actual data is transmitted.
1. SYN,
2. SYN + ACK
3. ACK

TCP adds source and destination port to each packet.

TCP Windowing
This is the process where data is sent in groups of packets to speed up a download/copy process.
Eg. You'll notice when we save a large file to a file server it will initially say '10 hours' then '6 hours' etc to copy. This is because
sending PC will gradually increase the number of packets it sends at one time until the server says "No...that's enough
packets...don't send any more than that at any one time"...and so the PC will stop increasing the number of packets it sends at
one time. This is why the ETA always varies.

Flow Control Methods

 Windowing - see above!!!
 Buffering - where devices store incoming traffic in a memory queue, to be processed when possible.
 Congestion Avoidance - is used during peak time where networks drop low priority traffic to maintain faster processing
of higher priority traffic such as Voice or Video.

Common TCP and UDP Port Numbers

Common TCP Ports

21 FTP

22 SSH

23 Telnet


53 DNS Server


110 POP3


Common UDP Ports

53 DNS Client

69 TFTP (Trivial File Transfer Protocol)

We can use port numbers to restrict access. Eg. Block Internet access - port 80, 443.
Need these ports allowed on the firewall if we are allowed the traffic.

FCS (Frame Check Sequence)

This is a hash added to the end of each TCP packet. It tells us if the frame is good/not corrupt!
Also called CRC (Cyclic Redundancy Check).

Data names at different Layers...

Segment -> Application
Packet -> Network
Frame -> Data Link


 1980's
 Uses CSMA/CD - to recover from collisions
 Sit at the physical layer
 One collision domain
 Half duplex - only 1 person can send or receive at any one time
 No intelligence!
 The hub sends all packets to all network ports (broadcast)
 No security

 1990's
 Broke network into multiple collision domains
 Limited ports
 Separated hubs
 Learned MAC addresses (sit at layer 2)
 Sofware based - was very slow (not ASIC based like cisco routers/switches)

 2000's
 Every port is its own collision domain - eg. 24 port switch will have 24 collision domains
 Full Duplex - everyone can send and receive at the same time!
 ASIC based (Application Specific Integrated Circuit) - hardware based and very fast.
 Varying port speeds Eg. 100Mbps, 1000Mbps
 Managed, Intelligent - can configure ports, VLAN's etc
 Learns MAC addresses of all connected devices

Fibre Optic
 Common to connect switches together
 Need SFP module on switch
 Multi mode - plastic, cheap
 Single mode - glass, expensive

CAM Table (Content Accessible Memory)

 Stores MAC addresses and the associated port/interface the device is connected to
 Empty when the switch boots up
 Takes approx. 5 seconds for the switch to learn all MAC addresses of connected devices!

How a Switch behaves…

When a PC pings another PC using IP address on same network
 ARP broadcast (FFFF:FFFF:FFFF is the broadcast address) is sent to find out MAC address of PC2 using its IP address.
 This is sent to all ports on the switch.
 Port with the matching IP replies with its MAC address using Unicast message
 Switch learns the MAC address of the sender & receiver of the ping message - stores the MAC address and
Port/interface in its CAM table!
 Entries in the CAM have a lifespan of 5 minutes.

Broadcast domains
If we have several switches connected together we still only have 1 broadcast domain.
Each port would still be in its own collision domain.

Layer 2 Switching Methods

Store-and-Forward Switching
The switch copies each Frame into it's memory and performs a CRC check (Cyclic Redundancy Check) for errors. If a CRC error is
found then the Frame is discarded. If the Frame is error free then the switch forwards the frame out of the relevant interface.
A Frame is discarded if it is smaller than 64 bytes in length, a runt, or if the Frame is larger than 1518 bytes in length - called a

This method ensures high level of error-free network traffic.

Cut-Through Switching
The switch copies into memory only the destination MAC address which is located within the first 6 bytes of the Frame. The
switch then looks up the MAC address in its CAM table and forwards out of the relevant interface. This method reduces delay as
the Frames are not checked for errors and are forwarded as soon as the MAC address is read and the outgoing interface
However, bad frames are still forwarded. The destination will receive this bad frame and then performs a CRC and realises it is
bad, and will then request for it to be re-sent. This wastes bandwidth and can cause slow network performance.

Todays switches are better suited for a store-and-forward environment.

Cisco IOS

The Interconnect Operating System (IOS)

 Command line method to configure devices
 Consistent through nearly all cisco devices
 It is sofware like MS Windows, OSX, Linux.

Console Connection
 Allows us to configure a Cisco device using console cable and terminal program eg. Putty
 Console cable - RJ45-to-serial
 Console ports are normally 'blue'

1. Get a console cable

2. Connect to PC serial port
3. Connect RJ45 end to console port on switch
4. Get a terminal program eg. Putty.
5. Set it to connect via COM port
a. BAUD rate = 9600
b. Data Bits = 8
c. Parity = None
d. Stop Bits = 1

NOTE - configuring the incorrect BAUD rate results in unreadable characters on screen while accessing the Cisco CLI!

IOS Command Modes

Switch> User Mode (User Exec)

Basic View - cant do any configuration
Enable (en)

Switch# Priveleged Mode (Priv Exec)

More commands available (eg. Show running-config) but still cannot configure

Configure terminal (conf t)

Switch(config)# Global Config mode

Can do all configuration, configure ports, VLANs, hostname, IP addr etc.

Use the 'tab' key to suggests commands.

Use '?' to tell us available commands.

CTRL + Z exits all modes

Base Configuration

Initial Switch Configuration

 Switches can work straight out of the box
 Choose 'No' at the initial config question

Name the Switch

 Switch> Enable
 Switch# conf t
 Switch(config)# hostname Toms-Switch

Negate Commands (use 'no')

 Switch (config)# no hostname

Console Password
 Switch(config)# line console 0
 Switches only have 1 console port
 Switch(config-line)# password cisco
 Switch(config)# login <- REMEMBER THIS LINE

Telnet Password (manage remotely)

 Switch(config)# line vty 0 15
 Switch(config-line)# password cisco
 When looking at running config it will show 0-4 and 5-15 vty ports...this is because cisco devices only used to
have telnet 5 ports.
 We don’t need to use 'login' here as this is already enabled for vty ports.

Enable Mode Password (Priveleged mode)

 Switch(config)# enable secret cisco
 We could have used enable password but this does not encrypt the password and could be seen as clear text
in the running config.

Encrypt Passwords (only line of sight - easily cracked)

 Switch(config)# service password-encryption
This encrypts all passwords including vty and console….however these are easily cracked and only to prevent line
of sight attacks.

Other Useful Commands (for the console line)

The below command stops the console session from timing out!
 Switch(config)# line con 0
 Switch(config-line)# no exec-timeout

This stops all status alerts from inserting into any command we may be typing!
 Switch(config)# line con 0
 Switch(config-line)# logging synchronous
Management (VLAN) IP Address
A switch needs an IP address to be managed remotely. Default VLAN is VLAN 1.
We need to create a VLAN interface called an SVI (Switch Virtual Interface) .
 Switch(config)# interface vlan 1
 Switch(config-if)ip address

All VLANs interfaces are shutdown by default...need to enable interface.

 Switch(config-if)# no shutdown
 The interface will then change to up

Default Gateway
For us to manage the above switch we would need to be logged onto a PC in VLAN 1 in the same subnet.
So to manage the switch from another network we would need to configure a default gateway. If we need to do troubleshooting
on a switch (eg. Ping, tracert) then we need this configured.
 Switch(config)# ip default gateway

Shutdown Unused Ports

It is good practice to shutdown an unused ports to prevent people from plugging in infected laptops etc to the network.
 Switch(config)# int range fa0/10 - 15
 Switch(config-if-range)# shutdown
This shutdowns all ports in the range 10-15!

Logon Banner
We can create a banner message to be displayed for all logins.
 Switch(config)# banner motd + *****CENTRESOFT NETWORK - SWITCH 1*****+
 NOTE: '+' is the delimiting character...anything we type in between the + will be used as the banner!!
 We could have used banner login but this only displays when there is login required/configured for the

Saving Configurations
Running config is saved in RAM...which is volatile and lost if switch is rebooted!
Startup config is stored in NVRAM...which is non volatile and safe if switch loses power!
 Switch# copy running-config startup-config
 Switch# write memory (this method is no longer officially supported!)

SSH (Secure Shell)

Telnet is not secure! None of the communication is encrypted - all in clear text! We could use Wireshark to intercept packets and
find out passwords etc...still difficult to do though as we would need to still gain access to the switch.
SSH is secure and communication is it is the preferred method of remote working!
Uses certificates...Eg. Website has a certificate with a public and private key. It hands us the public key so we can encrypt our
session key! We then send our encrypted session data over the Internet to the website which can decrypt the data using the
private key!! The switch/router works in the same way...

1. Configure hostname
2. Configure domain name
a. Switch(config)# ip domain-name
3. Generate encryption keys
a. Switch(config)# crypto key generate RSA 1024
4. Create local user accounts
a. switch(config)# username user secret cisco
5. Choose to allow telnet + SSH
a. Switch(config)# line vty 0 15
b. Switch(config-line)# transport input ssh telnet
6. Enable local logins
a. Switch(config-line)# login local

We then use SSH client to connect eg. Putty.

Network Time Protocol (NTP)

Each Cisco device has a clock! It’s important that we have the correct time on the device as we sometimes have to check logs on
the device and need to track certain events etc and so time is important! Another practical use to make sure we have the correct
time is when we look at running configurations...we can see the last time the config was edited and by who!

We can set a cisco device as an NTP server or client.

1. To configure an NTP server

a. R1(config)# clock set 12:00:00 4 Nov 2014
b. R1(config)# ntp master 3
i. We simply set the time on the device, set device as master and other devices will pull the time from
this device! The number is the stratum number.

2. To configure an NTP client

a. R2(config)# ntp server A.B.C.D
i. We specify the IP address of the server. We can also just use Windows servers as the server.
ii. We can use the prefer command too if we want to set several time servers.

To verify NTP we can use the below commands…

 R2# show ntp status

o This tells us which server the device is synchronized to
 R2# show ntp associations
o This tells us how many ntp servers we have configured for the device and which was is set as preferred/master
and info about these ntp servers.

NTP Stratum - this is the measure of hops away from the source.

Configuration Backups

Creating a backup
We can use TFTP to backup switch configs.
1. Download and install TFTPD32 - freeware.
2. Ensure port 69 inbound is allowed on PC firewall.
3. Ensure Everyone group has access to the save file location in TFTPD32.
4. Switch# copy running-config tftp
5. Enter IP address of PC you are copying config to.

Restoring a backup
Make sure you are connected via Ethernet and the switch/router has an IP address...may need to assign one before we restore
config (eg. Assign management IP of switch).
1. Switch# copy tftp running-config

Port Security

BYOD - Bring Your Own Device

Common for users laptop to have a virus/Trojan etc and potentially infect the network! Users bringing in these devices can also
slow down the network/Internet!

Port Security allows us to restrict connections to the LAN in two ways…

 Number of MAC addresses allowed per port (stops a user plugging in a hub with multiple devices)
 What MAC address is allowed on a port (only allows users to plug in approved devices)

We can react in 3 ways if one of the above conditions is broken…

 Shutdown -> ERR-DISABLE - Shuts down the port!

 Protect -> Ignores any device which MAC is not allowed
 Restrict -> Same as Protect but adds info to the event logs

Restricting by number of MAC addresses allowed

We will configure a port to only allow 1 MAC address on the port...
 Switch(config)# int fa0/14
 Switch(config-if)# switchport mode access
 Switch(config-if)# switchport port-security maximum 1
 Switch(config-if)# switchport port-security violation shutdown (or protect/restrict)
 Switch(config-if)# switchport port-security
o This command turns on port security!!!

We could set this number to 2 if we had PC and IP phone.

Restricting by MAC addresses

 Switch(config-if)# switchport port-security mac-address sticky
o This will use the address of the currently connected device. If we then plug in another device then this will
cause a violation! Instead of sticky we could just enter the MAC address (show mac address-table - can find MAC
address here)

Useful Commands
 Switch# show port-security
o This will show us any ports with port-security enabled and any violations etc…

 If a port has been shut down if we do a show ip int brief the port status will show as ERR-DISABLE
o We then need to 'shutdown' and then 'no shutdown' the port to bring it back up!

Switching - Day to Day

Network is slow...
Its common for users to complain that the network is slow!!
This can be due to speed and duplex issues on the switch.

Switches are set to auto-detect speed and duplex but with 100Mbps switches it is always best to hard code them!
Most of the time auto-detect works fine...if both switch interface and PC network adapter are set to auto-detect.

Duplex Mismatch (causes Late Collisions!!!)

Network issues normally lie with 'duplex' where one side is set to full-duplex and the other side set to half duplex - normally
where the devices have been unable to auto-detect!! If a switch interface (100Mbps) fails to auto-detect then it will default to
half-duplex!! This has been fixed in 1Gbps switches!!! This results in slow performance as packets drop and collide with high
This is called a duplex mismatch. It is normally on routers/switches where we need to look at the config.
To solve we simply hard code both devices as full duplex.

100Mbps devices -> Hard code them!! Router, switch, server.

1000Mbps devices -> Auto (leave as auto-detect)

Speed and Duplex Config

 Switch(config)# int fa0/1
 Switch(config-if)# speed 100
 Switch(config-if)# duplex full

NOTE - If we hard code either speed or duplex then we must hard code both of them!

On the Server/PC we would go into the Network Adapter settings -> Advanced and choose the Speed/duplex option and set it

Troubleshooting slow networks

This is normally due to collisions on the network.

 Switch# show interface fa0/14

o Here we can see the duplex/speed settings on that interface and confirm that it is set to 100Mbps and full etc.
o We can also see that the interface is up and packets dropped/collisions!! We should never see collisions!!
 Collison - this happens within the first 32 bytes (should only occur on hubs in a half-duplex environment).
 Late Collision - this happens >32 bytes - this is normally due to a duplex mismatch!!
CRC errors - CRC hash is added to each packet to confirm integrity….this is normally a faulty network cable! Also when
there is "excessive noise"!!

Finding devices
Ping IP address of device and then do an arp -a command to find out MAC address.
We can then go to the switch and view the MAC address table
 Switch# show mac address-table | mac-address
 Extended Ping
o If we type ping and press enter we can then specify several other parameters. EG. Protocol, repeat count,
timeout period, datagram size.

VLAN's and Trunks

A "Normal Switch"
 Multiple collision domains (Eg. 24 port switch will have 24 collision domains)
 One broadcast domain (inc. switches which are daisy chained)
 One IP network subnet for all of its hosts
o Eg.
 One failure domain
 Limited security

VLAN Foundations
 A VLAN logically groups users
o It can separate a switch into separate networks
 It segments the broadcast domain
o Will only broadcast on its own VLAN
 Offers subnet correlation
o Eg. and
 Access control
 Quality of service (QoS)
o We can give VLAN's higher priority than another (eg. Voice over internet)
 Can give us Layer 3 control - L3 Switch!
 Switch adds a Frame tag which identifies which VLAN id the frame belongs to - these are carried over trunk links
between switches
 VLAN's limit broadcast propagation!

Trunk Ports
A trunk carries all VLAN's and is used to connect switches together.
Normally set to 1Gbps ports.

Flexibility of VLAN's
 Can group devices together. Eg…
o Servers in a VLAN
o Computers in a VLAN
o Phones in a VLAN
 Can separate buildings/office into separate VLAN's
o Feels good and reduces broadcast traffic!
 Can separate Ethernet and WiFi traffic.
 Server Virtualization. Eg...
o We can setup a trunk on the interface connected to the DHCP server
o Server can then communicate with all VLAN's, devices and saves us having a server on each VLAN

VTP and 802.1Q

VTP and 802.1q

Trunking is the ability to link multiple switches together and pass VLAN info between them. Aka tagging.
 Trunking places VLAN info into each frame (4 bit).
 802.1Q is the language used to tag packets with VLAN info.
 Trunking is a Layer 2 feature (Data Link).
Native VLAN
This is used to send info between switches which is not tagged with VLAN info.
 Eg. Telnet, SSH and CDP traffic.
The native VLAN must match on connecting switches. As default the native VLAN is 1.
If the native VLAN's on switches do not match then we have a native VLAN mismatch. We could have a situation where VLAN 10
is the native VLAN on one switch and VLAN 20 is the native VLAN on another switch. And so, both of these VLANS would be
sending unnecessary broadcasts to each other due to the native VLAN mismatch!!
We configure the native VLAN on trunk port.
Eg. To change the native vlan to VLAN 2…

switch(config)#int fa0/20
switch(config-if)#switchport trunk native vlan 2

802.1q does not encapsulate Ethernet frames. Instead it inserts a header afer the destination and source MAC address!

VTP (VLAN Trunking Protocol)

VTP is actually not a trunking protocol...should be called a discovery and replication protocol!!
It replicates all VLAN's across all switches.
Must be careful when connecting switches as all switch configs will be replaced with the latest "rev" version!!
Each time we make a change on a switch the "rev" version increases and will update on all other servers which are clients and
VTP revisions survive config resets (write erase).
VTP works through a common domain name on all switches.

**Cisco does not recommend VTP!!**

 This is because it can be easily misused and can cause serious network outages
o For example we could accidentally connect a lab switch to the live network and cause all VLAN's to be deleted!!
 Always best to manually create VLAN's on each switch.

VTP Modes

Server (Default)
 Gives the power to change VLAN info
 Sends and receives VTP updates
 Saves VLAN config

 Cannot change VLAN info - gets updates from the server
 Sends and receives VTP updates
 Does not save VLAN config

Transparent (Turns VTP Off!)

 Power to change VLAN info
 Forwards (passes through) VTP updates
 Does not listen to VTP updates
 Saves VLAN config

VLAN Pruning
This keeps unnecessary broadcast traffic from crossing trunk links. Traffic will only be forwarded across a trunk link if that VLAN
exists on the switch.
Only works on VTP Servers.
 All switches need to be servers.

Configuring VLAN's

Reminder - we use VLAN's to separate users and devices to reduce broadcast traffic.

1. Create VLAN's and name

a. Switch# show vlan brief
i. This gives a breakdown of all VLAN's
b. Switch(config)# vlan 50
c. Switch(config-vlan)# name SERVERS

2. Assign ports to VLAN's

a. Switch(config)# int fa0/10
b. Switch(config-if)# switchport mode access
c. Switch(config-if)# switchport access vlan 50
i. VLAN's will show down in 'show ip int brief' if there are no active ports in the VLAN

Useful command
We can also use the show vlan id x command to tell us what ports are tagged to that VLAN.
Switch# show vlan id 10

VLANs = IP Subnet = Broadcast Domain

Note - VLAN's are stored in a database called VLAN.dat. The database survives a write erase and so to completely delete we
need to run the below..
 Erase startup-config
 Delete vlan.dat
 Reload

VLAN Interfaces
On L3 switches we can create VLAN interfaces for each VLAN so they can communicate without a router.
As remember - each VLAN is a different network/subnet and we need a L3 assistant to be able to communicate.
 Switch(config)# int vlan 50
 Switch(config-if)# ip address
 Switch(config-if)# no shutdown
We could now set the above IP as the default gateway of a PC to communicate on our network. Has to be a L3 Switch.

Configuring VLAN's on Mulitple Switches (using VTP)

1. Set VTP name and Mode and password

a. First we need to disable dynamic mode on all ports to stop them trying to be a trunk
i. Switch(config)# int range all ports
ii. Switch(config-if-range)# switchport mode access
b. Now we set the name and mode
i. Switch(config)# vtp domain CBT
ii. Switch(config)# vtp mode server
iii. Switch(config)# vtp password cisco
2. Configure Trunk ports
a. Switch(config)# int fa0/1
b. Switch(config-if)# switchport mode trunk

3. Create VLANs and name

a. See previous!
4. Assign ports to VLANs
a. See previous!

 Transparent mode disables VTP
 New switches will auto join the domain and download VLAN's etc so that’s why its important we disable dynamic mode
on each port!

Best practice is not use VTP and create VLANs manually on each Switch!!

To Turn Off Trunking...

...use the switchport mode access command!!!

Dynamic Trunking Protocol (DTP)

Dynamic Trunking Protocol allows for the creation of trunks between two switches. When two connected ports are configured in
dynamic mode, and at least one of the ports is configured as desirable then the two switches will form a trunk across the link.
 Switch (config-if)# switchport mode dynamic desirable/auto

DTP is enabled by default on all modern switches. However this is bad design as we could have ports forming trunk links and
causing a security risk.

The best thing is to disable DTP!!

Configure all ports as access ports. We can then configure any trunk ports as we need them which is best practice…

 Switch(config-if-range)# switchport mode access

However, even when a port is statically configured as an access port as above, DTP is still active on the port. If we setup a trunk
between two switches in different VTP domains then we would get the below error...

%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/1 because of VTP domain mismatch.

DTP advertisements include the VTP domain name and so the trunk will not form if the VTP domain names are different. We can
kill DTP once and for all with the below command…

 Switch(config-if)# switchport nonegotiate

This prevents DTP packets from being sent.

Routing Overview

Routing is the process of moving IP packets between IP-based networks.

 Eg. Move data between two networks via a Cisco router
o and
o Two different networks
 Packets not destined for its own network will be routed by its default gateway!

When a packet is sent for an outside network it is sent to the router (the default gateway).
 The router looks at the packet and see's that it is not for itself (by IP address) and then looks at its routing table.
 It will know where to forward next due to the routes stored in its table (static, OSPF or default route etc)

When packets go over a serial data link (across a WAN) they do not add the source and destination MAC Address. They use HDLC
or PPP. HDLC uses the Type field in a packet so receiving devices can see what is encapsulated. It uses L2 headers for any next
hop routers in a path.

 CEF enhanced (Cisco Express Forwarding) - software based - (not ASIC based like Switches) very fast and powerful
 Not as fast as switches!!
 IOS is the brain-power behind the routing process
 Popular model is 2800 series
 Normally 1U - take up 1 space on a rack
 Normally have 2 Ethernet interfaces
 WIC - Wan Interface Card to receive Internet line from the outside.
 'Blue' ports are console ports

Process Switching/Fast Switching/CEF

 Process switching requires the CPU to be personally involved with every forwarding/routing decision. It is like doing
math, long hand! You have to work out the route each time.
 Fast Switching still uses the CPU, but once a packet has been forwarded it stores info about how to reach the
destination in a fast-switching cache. When another packet goes to the same destination the cache is the
processor does not have to re-compute the route.
 Cisco Express Forwarding (CEF) is the evolution of optimizing the router to make it able to forward more packets faster.
CEF builds a Forwarding Information Base (FIB) and contains pre-computed reverse lookups and next hop information.
CEF is like having programmed an Excel spreadsheet. As soon as the numbers hit the cells, the answer is already
Base Config of a Router
 Set hostname, console password etc.
 However, all interfaces are set to shutdown by default - remember to use 'no shutdown'
 Routers support more telnet sessions
 Set IP Address for interface/interfaces
o Eg. For interface facing the internet and facing our own network will need IP addresses assigning.
 Set default route (
o Ip route fa0/1
 This sends any traffic which we don’t know to the Internet...let our ISP router find the route!

Configuring a Loopback Interface

Loopback interfaces are very common on Cisco routers as they allow for management, logging and authentication. They are
logical interfaces that are 'always up'. They are not tied to any physical interface and therefore cannot go down unless they are
administratively shutdown.

 R1(config)# interface loopback 1

 R1(config-if)# ip address A.B.C.D

We can use 'no' command to remove the interface.

Routing Data Between VLAN's

 VLAN's are a L2 feature

 Hosts on different VLAN's cannot speak directly without a L3 assistant!

...this is where the Router comes in!

Option 1 - Using separate interfaces

We can have the router connected to ports on the switch which are assigned to each VLAN on the switch.
This is not used anymore as if we had 10 VLANs on a switch then we would need 10 physical connections from the router to the
switch which is just not practical.

Option 2 - Using single interface and trunk ports

This is called Router-on-a-stick. We have 1 physical connection from the Router to the Switch.
We create sub-interfaces on the router - one for each VLAN and set the port on the switch connecting to the router as a trunk

We have 1 router, 1 switch, 2 VLAN's (VLAN10, VLAN20)
1. Create sub interfaces on router for each VLAN
o Router(config)# int fa0/0.10
2. Set encapsulation using dot1q to allow VLAN 10 traffic in this case
o Router(config-if)# encapsulation dot1q 10
3. Set IP address of interface (same range as all PC's in VLAN etc)
a. Router(config-if)# ip address
4. Set the interface on the switch to a trunk port
a. Switch(config-if)# switchport mode trunk
b. Switch(config-if)# switchport trunk allowed vlan 1,10,20

We would then need to do the same for VLAN20!

NOTE: Make sure you do a "no shutdown" on the physical interface too!! EG. Fa0/0

Option 3 - Layer 3 Switch

A Layer 3 Switch can handle IP addresses and so removes the need for a router! The switch does all of the routing.
We simply create interfaces for all VLANS on the switch (like we did for the Management VLAN) and assign suitable IP Address!

Cisco 3550 is an example of a L3 Switch.

This option is much faster than using a router-on-a-stick as it has ASIC (Application Specific Integrated Circuitry) support - routes
at wire speed.
VLAN Routing on Layer 3 Switch

Not much different here.

1. Create the VLANs and VLAN interfaces (SVI - Switch Virtual Interface) on the L3 switch (all client PC's in each VLAN have
the VLAN interface IP address as it's default gateway)
2. Then create a default route ( etc) to the routers connected interface on the switch. Make sure we have an
interface configured for the connection from the L3 switch to the router (use ip routing and no switchport command on
switch interface to router to give L3 functionality).

See below for more info...

Configure Router as DHCP server

1. Create DHCP pools…

a. Router(config)# ip dhcp pool SALES
b. Router(dhcp-config)# network
c. Router(dhcp-config)# default-router
d. Router(dhcp-config)# lease 7 0 0

So...we would have SALES VLAN 20 configured on a switch….and we would have an interface configured on the router with IP
address (or we would use a L3 switch with VLAN interfaces configured). The lease command defines
how long the assignment will last for until the router reassigns the IP address (lease days hours minutes). The command is
optional...the default lease is 1 day.

We can also set DNS server by using dns-server A.B.C.D command.

Any PC which is connected to a port in VLAN 20 would pick up an IP in the 192.168.20.xx range!!

Excluded Addresses
We can exclude addresses so that they are not used in any DHCP pools.
 Router(config)# ip dhcp excluded-address
o This would exclude any addresses in the range - 20!

DHCP process (DORA!)

1. The client sends a discover message.
2. The server sends an offer message.
3. The client sends a request message.
4. The server sends an acknowledgment message.

External Authentication Methods

We can use a server that routers and switches can use to authenticate logons to. This provides a central location of a user
directory, authentication auditing and access is much easier to manage.
We can either use a RADIUS or TACACS+ server.

 Uses UDP
 Encrypts only the password during transmission
 Combines authentication and authorization
 Is open standard and more interoperable than TACACS+
 Uses less memory and CPU cycles on routers
 Offers's supported by everyone!
 Excellent performance - very light on routers and switches

TACACS+ server
 Uses TCP
 Encrypts the entire session
 Separates Authentication, Authorization and Accountability.
 Only supported by Cisco
 Uses more memory than RADIUS
 Offers excellent security - more secure than RADIUS as whole session is encrypted
 Flexibility - TCP is much more flexible than UDP and can do much more in advanced networks

Most Enterprise networks use RADIUS over TACACS+ as it is light on routers/switches and everything supports it!!

IP Subnetting

Binary basics
 IPv4 address is a 4 octet address
 Class A, B, C
A =
B =
C =
 8 bits in a byte with values as below…

128 64 32 16 8 4 2 1
 A bit is a 1 or 0...on or off!!

Subnetting based on number of networks

Example 1
Class C:
Need: 50 networks

1. Determine number of networks and convert to binary

a. 50 = 00110010 = 6 bits

2. Reserve bits in subnet mask and find increment

a. = 11111111.11111111.11111111.00000000 = 11111111.11111111.11111111.11111100 = = /30
b. Increment is lowest network bit = 4

3. Use increment to find network ranges

a. Lowest network bit = 4 -> -> ->
195.20.12 ->

Example 2
Class A:
Need: 100 networks

1. Determine number of networks and convert to binary

a. 1000 = 11 11101000 = 10 bits

2. Reserve bits in subnet mask and find increment

a. = 11111111.00000000.0000000.00000000 = 11111111.11111111.11000000.00000000 = = /18
b. Increment is lowest network bit = 64

3. Use increment to find network ranges

a. Lowest network bit = 64 -> -> -> -> -> -> ->

4. Hosts = 2^14 -2 = 16,382

Networks = 2^8 = 256

Subnetting based on host requirements

Same as before but this time we save the host bits as zeros (count from the right hand side)!!

Example 1
Class C:
Hosts: 30 per network

1. Determine the number of hosts and convert to binary

a. 30 = 00011110 = 5 bits

2. Reserve bits in subnet mask and find increment

a. = = = /27
b. Increment is the lowest network bit = 32
3. Use increment to find network ranges
a. Increment = 32 -> -> -> -> ->

4. Hosts = 32 -2 = 30
Networks = 2^3 = 8

Subnet Zero
You may have noticed the ip subnet zero default command in running config. The subnet zero (or zero subnet) is the first subnet
of a subnetted network.
EG. Class B: Need 50 hosts per network.
1. Hosts = 50 = 00110010 = 110010 = 6 bits
2. Subnet mask = 255.255.11000000.000000
3. Ranges…
a. ->
b. ->
c. ->
d. ->

The first subnet would be subnet zero.

VLSM - Variable Length Subnet Masking

We can use several different subnet masks if we need several networks of different sizes.
We would this exactly in the same way accept we work out the subnet mask for the biggest network first (number of hosts) and
then work out the next biggest etc.

Network ID:
Number of networks = 3
Hosts per network = 60, 30 20

Start with the largest subnet first...then work your way down in host size.

So… the biggest network here is 60.

1. 60 = 00111100 = 6 bits

2. = = = /26

a. Increment = 64

3. Inc = 64, so the range for this network is... ->
Hosts = 2^6 -2 = 62
Networks = 2^2 = 4

The next biggest network is 30…

1. 30 = 00011110 = 5 bits

2. = = = /27

a. Inc = 32

3. Inc = 32, so the range for this network is….remember to carry off where the 1st network ended… ->

The next biggest network is 20…

1. 20 = 00010100 = 5 bits

2. = = = /27

a. Increment = 32

3. Inc = 32, so the range for this network is….remember to carry off where the 1st network ended… ->

Hosts = 2^5 -2 = 30

NOTE: Variable Length Subnet Masks allow us to make more efficient use of available IP addresses.

Routing and Static Routes

Purpose of Routing

 Stopping broadcasts - helps reduce traffic (eg. DHCP requests, ARP requests)
 Find the best possible path to a destination
 Move unicast traffic between networks
o Allows PC's on different subnets to communicate directly

Static Routing

Routers have no config out of the box!! They only know how to connect to networks configured on the router!!
Each router has to have each network defined on an interface to be able to talk back and forth.

Static routes allow us to "educate" the router to new places

Eg. We can tell a router how to connect to a subnet which is not configured on the routers interface.

Default route acts as "catch-all" sends any traffic which it does not have a route for to the Internet.

RULE - the more specific a route is the will be chosen first!!

1. Router(config)# ip route
2. Router(config)# ip route
Route 1 would be chosen by the router as it is more states that the network is class C as it supplies a more
specific subnet. If a more specific subnet mask appears in the routing table then that route will take precedence.

 Show ip route
o This shows every network which the router know how to reach.

Configure a Static Route

 R1(config)# ip route

 R2(config)# ip route
Dest Network Subnet Mask Interface of connected router

Static Routes are good for small networks with a couple of offices.
They don’t work so well for larger networks as there are more routers, networks involved and would require lots of config on
each router!
Dest Network Subnet Mask Interface of connected router

Routing Protocols

Routing protocols allow routers to tell connected routers of it's known routes!
 "Tell your friend what you know!!"
 Each router in a network tells all the other routers about it's networks.

They are/offer…
 Dynamic - automatically build routing table
 Redundancy - can have several routes in case a path is lost...failover automatically
 Best path - based on what protocol is used they can automatically determine best path (they use a metric).

Link State vs Distance Vector protocols…

Distance vector protocols simply use the shortest route (fewest hops)to the destination regardless of the connection speed. Link
state will track the state and connection speed of each link and will choose the fastest route. Link state protocols do require
more processing power on the router because of its awareness of connection speeds etc. Link state protocols converge quickly
and build topology tables. Distance Vector protocols simply update the local routing table when updates are received from it's

 Like Fiat Punto!! Not Fast!!
 Default "Hello" advertising cycle is 30 secs
o Says hello and tells routers about its routing table every 30 secs...not efficient!
 Recovery - 90 secs
 Metric - best path - uses hop count - number of routers - not efficient!!
 Only pro is that all devices support it!
 Distance Vector protocol
 Inefficient as it keeps sending full routing table even if there has been no changes!
 RIPng for IPv6
 Cisco created to replace RIP
 Now obsolete as "hello" was set to 90 secs and recovery set to 270 secs!!

 Open Shortest Path First
 Most popular routing protocol
 Like a Corvette!! Does routing very well!!
 Uses Dijkstra's Algorithm!
 Default hello is 10 secs
o Afer initial hello it only says "Hi" to each router instead of the whole routing table...if the routing table
changes it will tell the router of the is efficient!!
o Metric: cost/bandwidth <- uses fastest speed!
 100/bandwidth. Eg. 100/1.44 (Mbps) = 69.4444
o Uses the fastest route (which would be the lowest value)!!!
o Maintains a topology map
 Link state routing protocol
 OSPFv2 for IPv4
 OSPFv3 for IPv6

 Like a 1967 Corvette!!
 Was competitor to OSPF - used for OSI!!
o OSPF won as it was used for TCP/IP
 Excellent protocol!!
 Rarely used...requires expertise!!

 Like a Ferrari!!
 Very fast protocol…but uncommon.
 Created by Cisco for Cisco...easy to configure.
 Metric - can include reliability, MTU, delay on packets...uses 'K' value.

 Border Gateway Protocol
 Like a Hummer!! Not fast but very robust!!
 Used for the Internet
 Handles thousands of routes
 Not for LAN's...used in ISP's

We can use a mixture of each protocol in our network….if a router has learned routes via different protocols then administrative
distance is used. This tells us how believable the routing protocol is.

Administrative Distances
Each protocol has an administrative distance to tell us how believable it is!

RIP 120

IS-IS 115

OSPF 110


BGP 20

Static Route 1

Connected Interface 0
Configuring OSPF

How to get OSPF working…

On Router 1
1. Turn on OSPF
a. R1(config)# router ospf 1
i. The 1 is the Process ID (1-65535)...just use 1! The process ID is just the same as on Windows...each
program has an ID so we can kill it via task manager etc...they don't need to match other routers and only
have local significance.

2. Tell it what interfaces to use and what networks to advertise…the command does both things!!!!
Best practice is to define the exact IP address of the interface we want to send hello packets on.
Areas must match. Areas define how many routers to cover - summarize entries in the routing table (eg.
instead of and
a. R1(config-router)# network area 0
1. R1(config-router)# area 0
The wildcard bits tell us to "ignore the zeroes and look at the ones!!"
The above commands turns on "hello" packets on that interface and also advertises network to it's neighbours!

On Router 2
1. Turn on OSPF
a. R2(config)# router ospf 1
2. Tell it what interfaces to use
a. R2(config-router)# network area 0

HOWEVER….still more to do...

Each router above already knows about those two networks as they are directly connected on those interfaces!!
We need to advertise the network on R1 and the network on R2. You will see from the diagram that
there is no need to send hello packets on those two interfaces as there are no routers attached to those networks...we just need
to advertise the route. We can do this by configuring the interfaces as passive interfaces. This advertises the route but does not
send "hello" packets on the interface.

On Router 1
1. Set interface as passive
a. R1(config-router)# passive interface fa0/0
2. Tell it to advertise network
a. R1(config-router)# network area 0
On Router 2
1. Set interface as passive
a. R2(config-router)# passive interface fa0/0
2. Tell it to advertise network
a. R2(config-router)# network area 0

Now we're all done!!

The and networks are now being advertised but are not sending "hello" packets which is what we want.
The 192.168.2.xx interfaces are sending the "hello" packets to inform each router of the and networks!!


 R1# show ip ospf neighbour

o This tells us if the router has any neighbours and tells us the dead timer of a connected router
 R1# show ip route
o Will tell us of routes established by OSPF
 R1# show ip protocols
o See if OSPF is enabled
 R1# debug ip ospf packet
o Can see 'hello' messages
 R1# show ip database
o Shows us the OSPF link states

Router ID
The router ID is the highest (loopback) IP address configured on a router (unless a router ID has been manually configured). If no
loopback IP address is set then the Router uses the highest IP address configured on its active interfaces.

CDP (Cisco Discovery Protocol)

We can use the Cisco Discovery Protocol to see information about connected devices.
You may need to issue the CDP run command if none of the commands work.

R1# Show cdp neighbours detail

 This will tell us the IP address and outgoing/incoming ports of any attached devices!!
R2# Show cdp entry *
 Again this tells us the IP address and outgoing/incoming ports of any attached devices!!

Route Preference…
Be aware that a more specific subnet mask beats administrative distance!!
So... an RIP /26 learned route will beat an EIGRP /24 learned route!!!

Designated Router (DR) and Backup Designated Router (BDR)

A DR is a router chosen within an OSPF area where all other routers exchange their routing information with...instead of
exchanging their routing info with all router across the area...a central point for exchanging OSPF routing information!!
On LANs, DR and BDR have to be elected. Two rules are used to elect a DR and BDR:
1. router with the highest OSPF priority will become a DR. By default, all routers have a priority of 1
2. if there is a tie, a router with the highest router ID wins the election
The router with the second highest OSPF priority or router ID will become a BDR.

Access Control Lists

An access list is a list of permit and deny statements.
Eg. Permit


Permit TCP port 80 for

Access lists are a matching mechanism.

They can be used for…

 Access control
 Quality of service
 Demand dial routing
 Policy routing
 Route filtering

Using ACLs for Security

 Enter global config mode and then interface mode

R1(config-std-nacl)# permit

 The list is read from top to bottom and stops at the first match.
 There is an implicit deny at the end of the list….all IP's are denied access unless there has been a permit statement in
the list!
 An ACL can be applied to an interface inbound or outbound.
 Inbound is traffic coming into the router
 Outbound is the traffic coming out of the router


 Be sure you have applied in the correct direction!!

Standard and Extended Access List - Overview

 Matches based only on source address
 Lower processor utilization
 Affect depends on application
o Eg. Deny, permit
 Apply as close to the destination as possible!

 Matches based on source/destination IP address, protocol, source/destination port number
o Eg. TCP/IP - TCP allow, UDP deny, ICMP allow
 Higher processor utilization
 Syntax takes some time to learn
 Apply as close to the source as possible!

Reflexive (established)
 Allows traffic to be returned for any requests made from our local network
o Eg. Users accesses - the webpage would be allowed to be sent back/received.

Configuring and Applying Standard Access Control Lists

**Assume all Ethernet ports are Fa0/0**

Remember that there are two stages to creating an access list…

1. Configuration
2. Application

Example 1
Use a standard access list to block from reaching and

 Afer looking at the network diagram I can see that we need to block R3 from reaching R1. Remember standard access
lists can only block source IP address - in this case We need to go as close as possible to the destination so we are
not affecting any other network flow. In this case it will be best to create the access list on R1 and apply on S0/0 inbound.

1. Configuration
R1(config)# access-list 1 deny host
 Each line we create in an access list has a sequence number which determines the order in which rules are
evaluated. We can squeeze lines in where necessary!
 Remember there is an implicit deny at the end of an access list.
 We need to add a permit any statement.
R1(config)# access-list 1 permit any
 This will add another step to the access list before the implicit deny!

Configuration is now done!!

2. Application
We need to apply the access list to S0/0 inbound on R1.
R1(config)# int s0/0
R1(config-if)# ip access-group 1 in
 Important we apply this in the correct direction!

ALL DONE!! We have now configured and applied the access list. We would test by pinging and using telnets etc.

Example 2
Use a standard access list to block access to the from
1. Configuration
Get as close to the destination as possible. Looking at diagram it will be best to create the access list on R1 and apply on
the Fa0/0 interface outbound.

R1(config)# access-list 2 deny

 Here we are using a wildcard mask so we can block a network instead of a host.
 To get the wildcard mask we just subtract the subnet mask from 255!
 Remember to add the permit any command!
R1(config)# access-list 2 permit any

Config now done.

2. Application
We need to apply the access list to Fa0/0 outbound on R1
R1(config)# int fa0/0
R1(config-if)# ip access-group 2 out

All done...we would test with pings etc to ensure all working OK!

Example 3 - Named Access Lists

Use a standard access list to block from reaching the WAN IP address.

1. Configuration
Looking at the diagram it would be most efficient to apply on R2 S0/1 outbound. We could apply on R3 S0/0 inbound but
this would be creating unnecessary network traffic.
R2(config)# ip access-list standard BLOCK_PC2_ACL
 If we use the ip access-list command then we can give it a meaningful name!! Must better way to create access
R2(config-std-nacl)# deny
R2(config-std-nacl)# permit any
 Remember this!!

2. Application
We need to apply to R2 S0/1 outbound.
R2(config)# int s0/1
R2(config-if)# ip access-group BLOCK_PC2_ACL out
 The name is case sensitive

ALL DONE!! Again test with pings etc to ensure we have desired effect.

Using Standard ACL's to limit Telnet and SSH access

We can create a standard access list and apply to the vty lines using the access-class command.
Eg. We would like to permit only the to be able to telnet/SSH to R1.

R1(config)# ip access-list LIMIT_SSH_TELNET

R1(config-std-nacl)# permit
R1(config-std-nacl)# deny any

R1(config)# line vty 0 15

R1(config-line)# access-class LIMIT_SSH_TELNET in

All done!!

Configuring and Applying Extended Access Control Lists

Remember that extended access control lists gives us more flexibility and control...we can block using source/destination IP
address, protocol, source/destination port number!!

**Assume all Ethernet ports are Fa0/0**

Example 1
Use an extended ACL to block from reaching
 We need to apply as close to the source as possible...and so in this case it would be most efficient to apply on R1 Fa0/0

1. Config
R1(config)# access-list 100 deny ip
 Extended access lists have a number between 100-199...or we could just use ip access-list command to create a
named access list.
 Source address comes first and then destination address
R1(config)# access-list 100 permit ip any any
 Remember we need the permit any statement

2. Application
R1(config)# int fa0/0
R1(config-if)# ip access-group 100 in

All done...we can test with pings.

Example 2
Block from reaching on https or http.
 In this case we can just edit the previous access list! We will need to insert the commands to block http and https before
the permit any statement. We can do this using the sequence number...use show ip access-list to see what sequence
number we should use.

1. Config
R1(config)# ip access-list extended 100
R1(config-ext-nacl)# 11 deny tcp host host eq 80
R1(config-ext-nacl)# 12 deny tcp host host eq 443
This will add two commands before the permit any command to block http (80) and https (443)!!

To test we could telnet to from on port 80 and 443.

 Telnet 80/443

We can then run the show ip-access-list on R1 to see how many packets have been dropped!
2. Application
We already applied the ACL in Example 1 :).

Example 3
Permit to access using only telnet and SSH.
 We need to configure as close to the source and so it will be most efficient to configure and apply on R2 Fa0/0 inbound.
Telnet port is 23, SSH is 22.

1. Config
R2(config)# ip access-list extended R3_TELNET_SSH
R2(config-ext-nacl)# permit tcp host eq 22
R2(config-ext-nacl)# permit tcp host eq 23
R2(config-ext-nacl)# deny ip host
 This denies all other traffic from as we only want to allow SSH and Telnet as per above commands!
R2(config-ext-nacl)# permit any any

2. Application
R2(config)# int fa0/0
R2(config-if)# ip access-group R3_TELNET_SSH in

All done!! Just to confirm that the would still be able to access the can still go through
R3...just simply only able to telnet and SSH the WAN Ip address!! The network is a completely different

Example 4
Block from reaching any WAN IP address.
 So we need to block access to 10.1.1xx...all of the WAN links!
 Apply as close to the source as possible and so it will be best to apply on R1 Fa0/0 inbound.

1. Config
R1(config)# ip access-list extended BLOCK_WAN
R1(config-ext-nacl)# deny ip
R1(config-ext-nacl)# deny ip
R1(config-ext-nacl)# permit ip any any

2. Application
R1(config)# int fa0/0
R1(config-if)# ip access-group BLOCK_WAN in

The will still be able to access all of the LAN and is what we want!
The network will just be unable to contact the WAN IP's directly! They can still pass through them though.

Example 5
Permit access to using only SMTP (25), POP3(110) and IMAP(143) from anywhere.
 As we do not know the source we will need to apply as close to destination as possible….so it would be most efficient to
apply on R2 Fa0/0 outbound.

1. Config
R2(config)# ip access-list extended EMAIL_FILTER_R2
R2(config-ext-nacl)# permit tcp any host eq 25
R2(config-ext-nacl)# permit tcp any host eq 110
R2(config-ext-nacl)# permit tcp any host eq 143
R2(config-ext-nacl)# deny ip any host
 Ensure we get no other traffic coming to (as imagine it is an email/Exch server)
R2(config-ext-nacl)# permit ip any any
 We need this command as we would have other PC's/devices on the network and we wouldn't want to
block all traffic to these devices!

2. Application
R2(config)# int fa0/0
R2(config-if)# ip access-group EMAIL_FILTER_R2 out

All sorted!! Test with pings etc...

We can also use 'gt' or 'lt' instead of 'eq' if we want to specify a port with is greater than or less than the port specified.
R2(config-ext-nacl)# permit tcp any host gt 100
 This would allow all traffic to host on a destination port greater than 100.

Editing Access Lists

To edit an access list we can use the ip access-list command and then enter the relevant sequence number to insert the new
command (or delete by using the no command). We would first use show ip access -list command so we can see the current
sequence numbers in the access list…

R2# show ip access-list

Extended IP access list BLOCK_TRAFFIC
10 permit tcp any any
20 permit udp any any

We will now insert a command to allow ICMP traffic...

R2(config)# ip access-list BLOCK_TRAFFIC

R2(config-ext-nacl)# 15 permit icmp any any
R2(config-ext-nacl)# exit

If we issue another show ip access -list command we will see the command has been inserted between the previous two

R2# show ip access-list

Extended IP access list BLOCK_TRAFFIC
10 permit tcp any any
15 permit icmp any any
20 permit udp any any

To remove a line from an access list we can issue the no command as follows in ACL config mode…
R2(config-ext-nacl)# no 20
 This would remove just the '20 permit udp any any' line

To remove an access list completely we would issue the below command in global config mode…
R2(config)# no access-list BLOCK_TRAFFIC

Access Control List Logging

We can add the log option to any access list which will then log any denied packets. Its does not log any packets which have
been permitted.

R2(config-ext-nacl)# permit tcp any host eq 25 log

NAT Concepts

Network Address Translation

 Translates private addresses to public addresses!!
 ISP's do not allow private addresses to be routed on the Internet.
 This is where NAT comes in!

How NAT works

There are 3 types of NAT…
 Dynamic
 Static

PAT (Port Address Translation)

This is very common and used everywhere! It translates many private addresses to 1 public address!!
1. PC ( attempts to access webpage on the Internet (Eg.
2. A source port is generated (eg. 6711) and is added to the request.
3. The request for the webpage is received from the router which realises it is a private address with a source port.
4. The router then translates the address to the assigned public address for the network and attaches the source port.
5. This is then sent to over the Internet
6. Cisco responds back to the public IP address which included the source port.
7. The request then hits the router which can redirect it back to the PC using the source port!

Source port = any number between 1 - 65,535!

Dynamic NAT
This creates one-to-one mappings.
 We can have a pool of private and public addresses and do one-to-one mappings.
 Eg. 10 public and 10 private IP's.
 We don't save any IP addresses in this case
 Used for overlapping addresses - where we temporarily use the same private IP address in an organisation - router sits
in between and does NAT.
 Not used very ofen!

Static NAT
This also creates one-to-one mappings.
 Eg. Used for a mail server or a web server.
o MX record (A/www record for website) points to the public IP
o On the internal router we configure it to forward port 25/80/443 traffic to the internal IP of the mail
server/web server
o Called port forwarding

NAT Configuration


1. Do the base config on a router!

2. Configure interfaces on the router.
 R1(config)# int fa0/0
 R1(config-if)# ip address
 R1(config)# int fa0/1
 R1(config-if)# ip address dhcp
3. Setup DHCP scope
 R1(config)# ip dhcp excluded-address
 R1(config)# ip dhcp pool LAN
 R1(dhcp-config)# network
 R1(dhcp-config)# dns-server
 R1(dhcp-config)# default-router
Note - some routers will auto-configure the default route if we have configured the WAN interface to use DHCP.
4. Identify our interfaces (inside and outside)
 Show ip int brief
 R1(config)# int fa0/0
 R1(config-if)# ip nat inside
 R1(config)# int fa0/1
 R1(config)# ip nat outside
5. Identify our inside IP addresses
 Here we use an access list
 R1(config)# ip access-list standard INSIDE_NAT_ADDRESSES
 R1(config-std-nacl)# permit
6. IP NAT Connection Command
 R1(config)# ip nat inside source list INSIDE_NAT_ADDRESSES interface fa0/1 overload
 The overload command enables PAT
 Without this it would only allow 1 addresses to be NAT'd - this is dynamic NAT

Static NAT
 R1(config)# ip nat inside source static
IP of server Public IP Address
 Can add in port numbers to direct traffic to web server etc.
 R1(config)# ip nat inside source static tcp 80 80

Types of NAT addresses

Inside Local - our Private Address!

Inside Global - our Public Address!
Outside Global - the Public Address of website we are accessing!

So...NAT translates Inside Local to Inside Global!!

Useful NAT Commands

 R1# show ip nat statistics
 This tells us how many active translations there are and how many packets have been translated etc.
 R1# show ip nat translations
 This tells us what inside IP addresses are being translated and to Inside Local and Inside Global

IPv6 Concepts

Why do we need IPv6?

 There is an IP address shortage!! Only 4 billion IPv4 addresses!!
 Current IP addresses are poorly allocated...some companies/organisation were allocated a ridiculous number of
addresses which are not being used…but IANA can't just ask for them back!!
 New network devices are on the rise...even fridges and microwaves are now coming with network cards!
 NAT (the current solution) is seen as a hindrance to innovation.

IPv6 Addressing
 Address size moved from 32 bit (IPv4) to 128 bit (IPv6)
 Provides a ridiculously high number of addresses! We could assign an IP address to each atom on the surface of the
Earth x 100!!!
 Addresses are hexadecimal (0-9, A-F)
o Divided into 8 group of 4 hex characters - each character is 4 bits in length
o EG. 2001:0050:0000:0000:0000:0AB4:1E2B:98AA
o So each octet = 4 x 4 = 16 and the whole address = 16 x 8 = 128 bits!!

RULE 1 - Eliminate groups of consecutive zero's

Using the above example…
Note - We can only use this once in an address.

RULE 2 - Drop leading zero's


Simplified IPv6 headers

 Simpler for routers to process
 Uses the next header field which eliminates a lot of complexity

NDP (Neighbour Discovery Protocol)

PC's using IPv6 use NDP to learn MAC addresses on the same LAN (not ARP like IPv4!!).

Types of Communication and Addresses

 Unicast -> one-to-one

 Multicast -> one-to-many
 Anycast -> one-to-closest
o We give the same address to multiple devices eg. Web server.
o When someone tries to access the website it uses the closest device as it will be most efficient.
 No more broadcasts!! These have been replaced by multicasts...they provide the same functions as broadcasts!

Link Local address

 Similar to IPv4 APIPA address (169.25.x.x)
 Layer 2
 Allows devices to communicate where no DHCP server is available...however unable to route on Internet
 FE80: (FE80::/64)
 Uses EUI-64 addressing...uses MAC address of device and squeezes FFFE in the MAC 02:FE:4G:8A:CH:1F

64 bits 64 bits


FE80:0000:0000:0000 02FE:4GFF:FE8A:CH1F

Unique/Site Local Addresses

 Same as IPv4 private address
 Sometimes known as static unicast configuration!

Global Address
 Same as public IPv4 address
 High level 3 bits set to 001 (2000::/3) (0010 in binary)
 Global routing prefix is 48 bits or less
 Global Addresses begin with 2000::/3

Global Prefix Subnet ID Interface ID

'n' bits 64 -n bits 64 bits

IANA dish out the UIP addresses to all organizations!! They would decide the global routing prefix!
The Subnet ID is comprised of bits lef over afer the global routing prefix.
The primary address expected to comprise the IPv6 internet are from the 2001::/16 subnet.

IPv6 Configuration

Turn on IPv6 Routing

IPv6 routing is turned off by default (unlike IPv4).
 R1(config)# ipv6 unicast-routing
 R2(config)# ipv6 unicast-routing

Assigning Addresses
 R1(config)# int fa0/0
 R1(config-if)# ipv6 address 2001:55::1/64
 R1(config-if)# no shutdown
 R1(config)# int s0/0
 R1(config-if)# ipv6 address 2001:210:10:1::1/64
 R1(config-if)# no shutdown

 R2(config)# int fa0/0

 R2(config-if)# ipv6 address 2001:56::1/64
 R2(config-if)# no shutdown
 R2(config)# int s0/0
 R2(config-if)# ipv6 address 2001:210:10:1::2/64
 R2(config-if)# no shutdown

Verify Addresses
 R1# show ipv6 int brief
 R1# ping ipv6 ip-address

Configure Static Routing

Pretty much same as IPv4!
 R1(config)# ipv6 route 2001:56::1/64 2001:210:10:1::2/64
Dest Network Connected Interface
 R2(config)# ipv6 route 2001:55::1/64 2001:210:10:1::1/64

All done!

Configure Dynamic Routing - OSPFv3

This is different to IPv4 as we no longer use the network command!
We enable OSPF, assign a router-ID and then add interfaces/networks we want to advertise to the OSPF process!
 R1(config)# ipv6 router ospf1
 R1(config-rtr)# router-id
 R2(config)# ipv6 router ospf1
 R2(config-rtr)# router-id
o In IPv6 we need to set the router-ID else the router will not send hello packets

 R1(config)# int fa0/0

 R1(config-if)# ipv6 ospf 1 area 0
 R1(config)# int s0/0
 R1(config-if)# ipv6 ospf 1 area 0
o Show ipv6 protocols

 R2(config)# int fa0/0

 R2(config-if)# ipv6 ospf 1 area 0
 R2(config)# int s0/0
 R2(config-if)# ipv6 ospf 1 area 0
 Show ipv6 ospf neighbours

All done!!

The Migration to IPv6

Mulitple methods exist to provide a smooth, non-pressured transition…

 Dual Stack routers

o This is where we simply enable IPv4 and IPv6 routing and assign each interface an IPv4 and IPv6 IP address!!
o This enables us to communicate via IPv4 and IPv6 at the same time!

 Tunnelling (6to4 and 4to6)

o This uses encapsulation where IPv6 packets are encapsulated within IPv4 packets for transmission over IPv4
networks (and vice versa for IPv4 over IPv6 networks).

 NAT Protocol Translation (NAT-PT)

o This is where a block of IPv4 addresses at an IPv4 interface is set aside for translating addresses as IPv6 hosts
start sessions with IPv4 hosts.