
PROJECT REPORT ON SECURITY IN COLLEGE NETWORKING

(Submitted in Partial Fulfillment of the requirement for the award of degree of B.Tech in Computer Science)
SUBMITTED BY: ASHOK KUMAR (5708209), NITISH GARG (5708281), SANDEEP PANNU (5708250)

(YEAR-2011).

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING R.P.INDERAPRASTHA INSTITUTE OF TECHNOLOGY BASTARA, KARNAL, HARYANA

R.P.INDERAPRASTHA INSTITUTE OF TECHNOLOGY


BASTARA, KARNAL
Date:-

TO WHOMSOEVER IT MAY CONCERN

This is to certify that the following students have completed their minor project SECURITY IN COLLEGE NETWORKING, in partial fulfilment of the award of the degree of B.Tech (Computer Science and Engineering) by KURUKSHETRA UNIVERSITY, KURUKSHETRA, at RPIIT, Bastara.

The project team comprises the following students:

1. Ashok Kumar (5708209)
2. Nitish Garg (5708281)
3. Sandeep Pannu (5708250)

Project guide: Er. Shipra & Garima Choudhary
Project coordinator: Er. Garima Choudhary
HOD, CSE: Miss Mukta Bansal

ACKNOWLEDGEMENT
The submission of this project report is giving me an opportunity to convey my gratitude to all those who have helped me to reach a stage where I have immense confidence to launch my career in the competitive IT world. I take this opportunity to express my deepest gratitude to those who have generously helped me in providing the valuable knowledge and expertise during my training. I would like to thank my guide (Er. Shipra & Garima Choudhary) for giving valuable suggestions throughout my training. Again, I register my gratitude to the Head of Department (Miss Mukta Bansal). My sincere thanks to all members of the faculty and the non-teaching staff whose guidance and help throughout my degree has been a great support.

Nitish Garg (5708281) Ashok Kumar (5708209) Sandeep Pannu (5708250)

ABSTRACT
We have simply shown a computer networking model and how routing is done among different networks or routers. We have assigned class C type IP addresses to routers and assigned private IP addresses to systems to reduce cost. The following components have been connected in the networking model:

1. Router (2800 series)
2. Switches
3. PC
4. DNS servers

Protocols being used:

1. ROUTING INFORMATION PROTOCOL (RIP) - RIP is a dynamic, distance vector routing protocol. RIP uses UDP port 520 for route updates. RIP calculates the best route based on hop count. This makes RIP very fast to converge. RIP sends full table updates at regular intervals specified by the route-update timer (30 seconds is the default). This means that a RIP router summarizes all routes it knows and sends the summary information to all other RIP routing devices. RIP updates can contain up to 25 messages.
2. OPEN SHORTEST PATH FIRST ROUTING PROTOCOL (OSPF) - EIGRP is a link-state routing protocol that considers a composite metric which, by default, uses bandwidth and delay as parameters instead of hop count. OSPF sends its routing table to its neighbors every 10 seconds.

The RIP routing protocol has been implemented on the network 1 routers and the OSPF routing protocol on the network 2 routers. We have advertised paths to routers in network 1 through RIP and advertised routing paths to routers in network 2 through OSPF. As the routing protocols being used are different, in order that the routers can exchange routing tables with routers of the other area we have implemented a border router on which the RIP and OSPF protocols have been redistributed into each other, so that the routers are able to exchange routing tables. As both protocols have been redistributed on the area border router, it is aware of the routing paths of both networks. The area border router also reduces the overhead of exchanging routing information between the routers of both areas when the network topology changes.
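The RIP behaviour the abstract describes (every router periodically sends its full table to its neighbours and keeps the route with the fewest hops) as a small simulation; this is an added example, not code from the project. Split horizon and the metric 16 meaning "unreachable" are standard RIP rules the abstract does not mention, and the router names, links and prefixes of the network 1 area are constructed.

```python
"""RIP-style distance-vector routing simulation (added example, not from the
report).

Every router periodically sends its whole routing table to its neighbours
(the abstract's 30-second full-table update, compressed here to one round)
and keeps the route with the fewest hops.  Split horizon and the metric 16
meaning "unreachable" are standard RIP rules the abstract does not mention.
Router names, links and prefixes are constructed for the demonstration.
"""

INFINITY = 16  # RIP: 16 hops is "unreachable"; 15 is the largest usable metric


class Router:
    def __init__(self, name, connected):
        self.name = name
        self.neighbours = []  # names of directly attached routers
        # prefix -> (hop count, next hop); directly connected prefixes cost 0
        self.table = {prefix: (0, None) for prefix in connected}

    def update_for(self, neighbour, split_horizon=True):
        """Full-table update sent to one neighbour.  With split horizon a route
        is not advertised back to the router it was learned from, which stops
        the two-router count-to-infinity loop after a network goes down."""
        return [(prefix, metric) for prefix, (metric, next_hop) in self.table.items()
                if not (split_horizon and next_hop == neighbour)]

    def receive(self, sender, entries):
        """Bellman-Ford step on one received update; returns True on any change.
        A route is accepted if it is new and reachable, if it is shorter, or if
        it comes from the current next hop (that router knows best whether its
        own route got better or worse, including becoming unreachable)."""
        changed = False
        for prefix, metric in entries:
            new = min(metric + 1, INFINITY)  # one more hop to reach it via sender
            current = self.table.get(prefix)
            if current is None:
                accept = new < INFINITY
            else:
                accept = new < current[0] or (current[1] == sender and new != current[0])
            if accept:
                self.table[prefix] = (new, sender)
                changed = True
        return changed

    def withdraw(self, prefix):
        """A connected network went down: poison the route so neighbours drop it."""
        self.table[prefix] = (INFINITY, None)


def link(a, b):
    a.neighbours.append(b.name)
    b.neighbours.append(a.name)


def run_updates(routers, max_rounds=32, split_horizon=True):
    """One round = every router sends a full update to every neighbour.
    Returns the number of rounds until a round passes with no table change."""
    for rnd in range(1, max_rounds + 1):
        # Build all updates first so a round uses the tables as they were
        pending = [(r, nb, routers[nb].update_for(r.name, split_horizon))
                   for r in routers.values() for nb in r.neighbours]
        changed = False
        for r, nb, entries in pending:
            changed = r.receive(nb, entries) or changed
        if not changed:
            return rnd
    return max_rounds


def build_network1():
    """Constructed topology for the report's RIP area: a chain R1--R2--R3--R4.
    Router links use 192.168.x.0/24 (class C, as in the report); the user
    LANs behind R1 and R4 use private 10.x addresses."""
    r1 = Router("R1", {"10.1.1.0/24", "192.168.12.0/24"})
    r2 = Router("R2", {"192.168.12.0/24", "192.168.23.0/24"})
    r3 = Router("R3", {"192.168.23.0/24", "192.168.34.0/24"})
    r4 = Router("R4", {"192.168.34.0/24", "10.4.4.0/24"})
    link(r1, r2)
    link(r2, r3)
    link(r3, r4)
    return {r.name: r for r in (r1, r2, r3, r4)}


def hops(routers, name, prefix):
    """Hop count a router currently has for a prefix (INFINITY if unknown)."""
    entry = routers[name].table.get(prefix)
    return entry[0] if entry else INFINITY


if __name__ == "__main__":
    net = build_network1()
    print("converged after", run_updates(net), "update rounds")
    print("R1 reaches 10.4.4.0/24 via", net["R1"].table["10.4.4.0/24"])
    net["R4"].withdraw("10.4.4.0/24")
    print("withdrawal propagated after", run_updates(net), "rounds;",
          "R1 now has metric", hops(net, "R1", "10.4.4.0/24"))
```

Running it with `split_horizon=False` on the withdrawal step shows why the rule exists: the routers advertise the dead prefix back to each other and count up towards 16 instead of dropping it in three rounds.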

TABLE OF CONTENTS

Certificate
Acknowledgement
Abstract
Table of Contents

CHAPTER 1. INTRODUCTION TO THE PROJECT
  1.1.1 HISTORY
  1.1.2 WHAT IS NETWORK
  1.2 GENERAL CONCEPTS
CHAPTER 2. TECHNOLOGY USED
  2.1.1 ROUTER USER INTERFACE
  2.1.2 NETWORK SIMULATOR & ROUTER SIMULATOR
CHAPTER 3. SCREENSHOTS
CHAPTER 4. RESULTS
  4.1 CONCLUSION
  4.2 FUTURE SCOPE
REFERENCES

CHAPTER 1 : INTRODUCTION

1.1 HISTORY :- Many readers may already be familiar with Cisco and what they do. However, those of you who are new to the field, just coming in fresh from your MCSE, and those of you who maybe have 10 or more years in the field but wish to brush up on the new technology may appreciate a little background on Cisco. In the early 1980s, Len and Sandy Bosack, a married couple who worked in different computer departments at Stanford University, were having trouble getting their individual systems to communicate (like many married people). So in their living room they created a gateway server that made it easier for their disparate computers in two different departments to communicate using the IP protocol. In 1984, they founded cisco Systems (notice the small c) with a small commercial gateway server product that changed networking forever. Some people think the name was intended to be San Francisco Systems but the paper got ripped on the way to the incorporation lawyers; who knows? In 1992, the company name was changed to Cisco Systems, Inc. The first product the company marketed was called the Advanced Gateway Server (AGS). Then came the Mid-Range Gateway Server (MGS), the Compact Gateway Server (CGS), the Integrated Gateway Server (IGS), and the AGS+. Cisco calls these the "old alphabet soup" products. In 1993, Cisco came out with the amazing 4000 router and then created the even more amazing 7000, 2000, and 3000 series routers. These are still around and evolving (almost daily, it seems). Cisco has since become an unrivaled worldwide leader in networking for the Internet. Its networking solutions can easily connect users who work from diverse devices on disparate networks. Cisco products make it simple for people to access and transfer information without regard to differences. In the big picture, Cisco provides end-to-end networking solutions that customers can use to build an efficient, unified information infrastructure of their own or to connect to someone else's.

This is an important piece in the Internet/networking industry puzzle because a common architecture that delivers consistent network services to all users is now a functional imperative. Because Cisco Systems offers such a broad range of networking and Internet services and capabilities, users who need to regularly access their local network or the Internet can do so unhindered, making Cisco's wares indispensable. Cisco answers this need with a wide range of hardware products that form information networks using the Cisco Internetwork Operating System (IOS) software. This software provides network services, paving the way for networked technical support and professional services to maintain and optimize all network operations. Along with the Cisco IOS, one of the services Cisco created to help support the vast amount of hardware it has engineered is the Cisco Certified Internetwork Expert (CCIE) program, which was designed specifically to equip people to effectively manage the vast quantity of installed Cisco networks. The business plan is simple: if you want to sell more Cisco equipment and have more Cisco networks installed, ensure that the networks you install run properly. Clearly, having a fabulous product line isn't all it takes to guarantee the huge success that Cisco enjoys; lots of companies with great products are now defunct. If you have complicated products designed to solve complicated problems, you need knowledgeable people who are fully capable of installing, managing, and troubleshooting them. That part isn't easy, so Cisco began the CCIE program to equip people to support these complicated networks. This program, known colloquially as the Doctorate of Networking, has also been very successful, primarily due to its extreme difficulty. Cisco continuously monitors the program, changing it as it sees fit, to make sure that it remains pertinent and accurately reflects the demands of today's internetworking business environments.

1.2 WHAT IS A NETWORK:-

A network, often simply referred to as a computer network, is a collection of computers and devices connected by communications channels that facilitates communications among users and allows users to share resources with other users. A computer network allows sharing of resources and information among devices connected to the network.

A computer network is a group of two or more computers connected to each other electronically. This means that the computers can "talk" to each other and that every computer in the network can send information to the others.

In the world of computers, networking is the practice of linking two or more computing devices together for the purpose of sharing data. Networks are built with a mix of computer hardware and computer software.

Fig 2.1: A Computer Network

Thus networking is the practice of linking two or more computers or devices with each other. The connectivity can be wired or wireless. In a nutshell computer networking is the engineering discipline concerned with the communication between computer systems or devices. Computer networking is sometimes considered a sub-discipline of telecommunications, computer science, information technology and electronics engineering since it relies heavily upon the theoretical and practical application of these scientific and engineering disciplines.

2.1.1 Network Classification: A computer network is a system for communication among two or more computers. Though there are numerous ways of classifying a network, the most popular categorization is by range, functional relationship, network topology and specialized function.

(i) By Range:

Local area network (LAN): A local area network is a network that connects computers and devices in a limited geographical area such as a home, school, computer laboratory, office building, or closely positioned group of buildings. Each computer or device on the network is a node. Current wired LANs are most likely to be based on Ethernet technology, although new standards like ITU-T G.hn also provide a way to create a wired LAN using existing home wires (coaxial cables, phone lines and power lines).

Fig 2.2: A Typical Local Area Network

All interconnected devices must understand the network layer (layer 3), because they are handling multiple subnets (the different colors). Those inside the library, which have only 10/100 Mbit/s Ethernet connections to the user device and a Gigabit Ethernet connection to the central router, could be called "layer 3 switches" because they only have Ethernet interfaces and must understand IP. It would be more correct to call them access routers, where the router at the top is a distribution router that connects to the Internet and academic networks' customer access routers. The defining characteristics of LANs, in contrast to WANs (Wide Area Networks), include their higher data transfer rates, smaller geographic range, and no need for leased telecommunication lines. Current Ethernet or other IEEE 802.3 LAN technologies operate at speeds up to 10 Gbit/s. This is the data transfer rate. IEEE has projects investigating the standardization of 40 and 100 Gbit/s.

Metropolitan area network (MAN): A metropolitan area network is a large computer network that usually spans a city or a large campus. A MAN usually interconnects a number of local area networks (LANs) using a high-capacity backbone technology, such as fiber-optical links, and provides up-link services to wide area networks and the Internet. A Metropolitan Area Network (MAN) is a large computer network that spans a metropolitan area or campus. Its geographic scope falls between a WAN and LAN. MANs provide Internet connectivity for LANs in a metropolitan region, and connect them to wider area networks like the Internet.

Fig 2.3: A Simple MAN

Wide area network (WAN): The term Wide Area Network (WAN) usually refers to a network which covers a large geographical area, and uses communications circuits to connect the intermediate nodes. A major factor impacting WAN design and performance is a requirement that they lease communications circuits from telephone companies or other communications carriers. Transmission rates are typically 2 Mbps, 34 Mbps, 45 Mbps, 155 Mbps, 625 Mbps (or sometimes considerably more). Numerous WANs have been constructed, including public packet networks, large corporate networks, military networks, banking networks, stock brokerage networks, and airline reservation networks. Some WANs are very extensive, spanning the globe, but most do not provide true global coverage. Organizations supporting WANs using the Internet Protocol are known as Network Service Providers (NSPs). These form the core of the Internet. By connecting the NSP WANs together using links at Internet Packet Interchanges (sometimes called "peering points") a global communication infrastructure is formed. NSPs do not generally handle individual customer accounts (except for the major corporate customers), but instead deal with intermediate organizations whom they can charge for high capacity communications. They generally have an agreement to exchange certain volumes of data at a certain "quality of service" with other NSPs. So practically any NSP can reach any other NSP, but may require the use of one or more other NSP networks to reach the required destination. NSPs vary in terms of the transit delay, transmission rate, and connectivity offered. Since radio communications systems do not provide a physically secure connection path, WWANs typically incorporate encryption and authentication methods to make them more secure. Unfortunately some of the early GSM encryption techniques were flawed, and security experts have issued warnings that cellular communication, including WWAN, is no longer secure. UMTS (3G) encryption was developed later and has yet to be broken.

2.1.2 Networking Models: Network models define a set of network layers and how they interact. There are several different network models depending on what organization or company started them. The most important two are:

The TCP/IP Model - This model is sometimes called the DoD model since it was designed for the Department of Defense. It is also called the Internet model because TCP/IP is the protocol used on the Internet.

OSI Network Model - The International Standards Organization (ISO) has defined a standard called the Open Systems Interconnection (OSI) reference model. This is a seven layer architecture listed in the next section.

2.1.2.1 The TCP/IP Model: The TCP/IP model is a description framework for computer network protocols created in the 1970s by DARPA, an agency of the United States Department of Defense. It evolved from ARPANET, which was the world's first wide area network and a predecessor of the Internet. The TCP/IP Model is sometimes called the Internet Model or the DoD Model. The TCP/IP model, or Internet Protocol Suite, describes a set of general design guidelines and implementations of specific networking protocols to enable computers to communicate over a network. TCP/IP provides end-to-end connectivity specifying how data should be formatted, addressed, transmitted, routed and received at the destination. Protocols exist for a variety of different types of communication services between computers.

TCP/IP Model

Layers in the TCP/IP Model: The layers near the top are logically closer to the user application, while those near the bottom are logically closer to the physical transmission of the data. Viewing layers as providing or consuming a service is a method of abstraction to isolate upper layer protocols from the nitty-gritty detail of transmitting bits over, for example, Ethernet and collision detection, while the lower layers avoid having to know the details of each and every application and its protocol. The following is a description of each layer in the TCP/IP networking model starting from the lowest level:

i. Data Link Layer: The Data Link Layer is the networking scope of the local network connection to which a host is attached. This regime is called the link in Internet literature. This is the lowest component layer of the Internet protocols, as TCP/IP is designed to be hardware independent. As a result TCP/IP has been implemented on top of virtually any hardware networking technology in existence. The Data Link Layer is used to move packets between the Internet Layer interfaces of two different hosts on the same link. The processes of transmitting and receiving packets on a given link can be controlled both in the software device driver for the network card, as well as on firmware or specialized chipsets. These will perform data link functions such as adding a packet header to prepare it for transmission, and then actually transmit the frame over a physical medium.

ii. Network Layer: The Network Layer solves the problem of sending packets across one or more networks. Internetworking requires sending data from the source network to the destination network. This process is called routing. In the Internet Protocol Suite, the Internet Protocol performs two basic functions: host addressing and identification, and packet routing. IP can carry data for a number of different upper layer protocols. These protocols are each identified by a unique protocol number: for example, Internet Control Message Protocol (ICMP) and Internet Group Management Protocol (IGMP) are protocols 1 and 2, respectively.

iii. Transport Layer: The Transport Layer's responsibilities include end-to-end message transfer capabilities independent of the underlying network, along with error control, segmentation, flow control, congestion control, and application addressing (port numbers). End to end message transmission or connecting applications at the transport layer can be categorized as either connection-oriented, implemented in Transmission Control Protocol (TCP), or connectionless, implemented in User Datagram Protocol (UDP). The Transport Layer can be thought of as a transport mechanism, e.g., a vehicle with the responsibility to make sure that its contents (passengers/goods) reach their destination safely and soundly, unless another protocol layer is responsible for safe delivery. The Transport Layer provides this service of connecting applications through the use of service ports. Since IP provides only a best effort delivery, the Transport Layer is the first layer of the TCP/IP stack to offer reliability. IP can run over a reliable data link protocol such as the High-Level Data Link Control (HDLC). Protocols above transport, such as RPC, also can provide reliability.

iv. Application Layer: The TCP/IP network interface layer provides network functions such as frame synchronization, media access, and error control. It is sometimes referred to as the network access layer, and is roughly equivalent to the Open System Interconnection (OSI) model's data link layer. The network interface layer's functionality is divided between the network interface card/driver combination and the low-level protocol stack driver. Application Layer protocols generally treat the transport layer (and lower) protocols as "black boxes" which provide a stable network connection across which to communicate, although the applications are usually aware of key qualities of the transport layer connection such as the end point IP addresses and port numbers. As noted above, layers are not necessarily clearly defined in the Internet protocol suite.

2.1.2.2 OSI Reference Network Model: OSI MODEL: The Open System Interconnection (OSI) reference model describes how information from a software application in one computer moves through a network medium to a software application in another computer. The OSI reference model is a conceptual model composed of seven layers, each specifying particular network functions. The model was developed by the International Organization for Standardization (ISO) in 1984, and it is now considered the primary architectural model for intercomputer communications. The OSI model divides the tasks involved with moving information between networked computers into seven smaller, more manageable task groups. A task or group of tasks is then assigned to each of the seven OSI layers. Each layer is reasonably self-contained so that the tasks assigned to each layer can be implemented independently. This enables the solutions offered by one layer to be updated without adversely affecting the other layers. The following diagram details the seven layers of the Open System Interconnection (OSI) reference model:

Fig 2.21: The OSI Reference Model Showing Seven Layers

Characteristics of the OSI Layers: The seven layers of the OSI reference model can be divided into two categories: upper layers and lower layers. The upper layers of the OSI model deal with application issues and generally are implemented only in software. The highest layer, the application layer, is closest to the end user. Both users and application layer processes interact with software applications that contain a communications component. The term upper layer is sometimes used to refer to any layer above another layer in the OSI model. The lower layers of the OSI model handle data transport issues. The lowest layer, the physical layer, is closest to the physical network medium and is responsible for actually placing information on the medium.

Fig 2.22: Two Sets of Layers Make Up the OSI Layers

Description of the OSI Layers:

I. Physical Layer: It defines the electrical and physical specifications for devices. In particular, it defines the relationship between a device and a physical medium. Physical layer specifications define characteristics such as voltage levels, timing of voltage changes, physical data rates, maximum transmission distances, and physical connectors. Physical layer implementations can be categorized as either LAN or WAN specifications. The major functions and services performed by the Physical Layer are establishment and termination of a connection to a communications medium, participation in the process whereby the communication resources are effectively shared among multiple users, and modulation and conversion between the representation of digital data in user equipment and the corresponding signals transmitted over a communications channel.

II. Data Link Layer: The data link layer provides reliable transit of data across a physical network link. Different data link layer specifications define different network and protocol characteristics, including physical addressing, network topology, error notification, sequencing of frames, and flow control. Physical addressing (as opposed to network addressing) defines how devices are addressed at the data link layer. Network topology consists of the data link layer specifications that often define how devices are to be physically connected, such as in a bus or a ring topology. Error notification alerts upper-layer protocols that a transmission error has occurred, and the sequencing of data frames reorders frames that are transmitted out of sequence. Finally, flow control moderates the transmission of data so that the receiving device is not overwhelmed with more traffic than it can handle at one time.

III. Network Layer: The network layer defines the network address, which differs from the MAC address. Some network layer implementations, such as the Internet Protocol (IP), define network addresses in a way that route selection can be determined systematically by comparing the source network address with the destination network address and applying the subnet mask. Because this layer defines the logical network layout, routers can use this layer to determine how to forward packets. Because of this, much of the design and configuration work for internetworks happens at Layer 3, the network layer.

IV. Transport Layer: The transport layer accepts data from the session layer and segments the data for transport across the network. Generally, the transport layer is responsible for making sure that the data is delivered error-free and in the proper sequence. Flow control generally occurs at the transport layer. Flow control manages data transmission between devices so that the transmitting device does not send more data than the receiving device can process. Multiplexing enables data from several applications to be transmitted onto a single physical link. Virtual circuits are established, maintained, and terminated by the transport layer. Error checking involves creating various mechanisms for detecting transmission errors, while error recovery involves acting, such as requesting that data be retransmitted, to resolve any errors that occur.

V. Session Layer: The session layer establishes, manages, and terminates communication sessions. Communication sessions consist of service requests and service responses that occur between applications located in different network devices. These requests and responses are coordinated by protocols implemented at the session layer. Some examples of session-layer implementations include Zone Information Protocol (ZIP), the AppleTalk protocol that coordinates the name binding process; and Session Control Protocol (SCP), the DECnet Phase IV session layer protocol.

VI. Presentation Layer: The presentation layer provides a variety of coding and conversion functions that are applied to application layer data. These functions ensure that information sent from the application layer of one system would be readable by the application layer of another system. Some examples of presentation layer coding and conversion schemes include common data representation formats, conversion of character representation formats, common data compression schemes, and common data encryption schemes. Common data representation formats, or the use of standard image, sound, and video formats, enable the interchange of application data between different types of computer systems. Conversion schemes are used to exchange information with systems by using different text and data representations, such as EBCDIC and ASCII. Standard data compression schemes enable data that is compressed at the source device to be properly decompressed at the destination. Standard data encryption schemes enable data encrypted at the source device to be properly deciphered at the destination.

VII. Application Layer: The application layer is the OSI layer closest to the end user, which means that both the OSI application layer and the user interact directly with the software application. This layer interacts with software applications that implement a communicating component. Such application programs fall outside the scope of the OSI model. Application layer functions typically include identifying communication partners, determining resource availability, and synchronizing communication.

2.1.3 OSI and TCP/IP layering differences:


The three top layers in the OSI model (the Application Layer, the Presentation Layer and the Session Layer) are not distinguished separately in the TCP/IP model, where there is just the Application Layer. While some pure OSI protocol applications, such as X.400, also combined them, there is no requirement that a TCP/IP protocol stack needs to impose a monolithic architecture above the Transport Layer. For example, the Network File System (NFS) application protocol runs over the External Data Representation (XDR) presentation protocol, which, in turn, runs over a protocol with Session Layer functionality, Remote Procedure Call (RPC). RPC provides reliable record transmission, so it can run safely over the best-effort User Datagram Protocol (UDP) transport. The Session Layer roughly corresponds to the Telnet virtual terminal functionality which is part of text based protocols such as the HTTP and SMTP TCP/IP model Application Layer protocols. It also corresponds to TCP and UDP port numbering, which is considered part of the transport layer in the TCP/IP model. Some functions that would have been performed by an OSI presentation layer are realized at the Internet application layer using the MIME standard, which is used in application layer protocols such as HTTP and SMTP.

1.3 GENERAL CONCEPTS :- SWITCH

Hubs are capable of joining more than two PCs but have some demerits: if two PCs want to communicate at the same time there will be a collision and both PCs will have to send the data again. This shortcoming of the hub is overcome by switches. Switches are intelligent devices which work on Layer 2 of the OSI model. Basically a switch keeps a record of the MAC addresses of all the devices connected to it. Using this information, it builds a MAC address table. So when a frame is received, it knows exactly which port to send it to, which improves the network response time.

Basic Working Principle of a Switch:

1. At the time of initializing the switch the MAC address table is yet to be built up. When a frame is sent by one of the PCs, the switch recognises the source MAC address and updates the MAC address table.
2. If the destination is available in the MAC table then the frame is forwarded to the corresponding PC.
3. If the destination MAC address is not present in the table then the frame is forwarded out of all available ports except the incoming one. The designated PC will respond to the data and send an acknowledgement for the data received. This acknowledgement will be examined by the switch and the MAC address table updated accordingly.

If two PCs simultaneously transmit their data packets and both are connected to a switch, then a collision will not occur, so we can say it creates multiple collision domains. The switch supports broadcast; hence we can say switches create a single broadcast domain and multiple collision domains. A 100/1000 Mbps switch will allocate a full 100/1000 Mbps to each of its ports, so regardless of the number of PCs transmitting, a user will always have access to the maximum amount of bandwidth. They are usually full-duplex in nature.

Different switching principles:

1. Store-and-forward:- The switch fully receives all bits in the frame (store) before forwarding the frame (forward). This allows the switch to check the FCS before forwarding the frame. (The FCS is in the Ethernet trailer.)
2. Cut-through:- The switch performs the address table lookup as soon as the destination address field in the header is received. The first bits in the frame can be sent out the outbound port before the final bits in the incoming frame are received. This does not allow the switch to discard frames that fail the FCS check.
3. Fragment-free:- This performs like cut-through switching, but the switch waits for 64 bytes to be received before forwarding the first bytes of the outgoing frame. According to Ethernet specifications, collisions should be detected during the first 64 bytes of the frame; frames in error because of a collision will not be forwarded. The FCS still cannot be checked.

A bridge is another device like a switch which also operates based on the MAC address. But the basic difference between the bridge and the switch is that a bridge works on a software basis, while a switch works on a hardware basis: the switch uses ASICs (Application Specific Integrated Circuits).

Port Security: So just how do you stop someone from simply plugging a host into one of your switch ports or, worse, adding a hub, switch, or access point to the Ethernet jack in their office? By default, MAC addresses will just dynamically appear in your MAC forward/filter database. You can stop them in their tracks by using port security. Here are your options:

    Switch#config t
    Switch(config)#int f0/1
    Switch(config-if)#switchport port-security ?
      aging        Port-security aging commands
      mac-address  Secure mac address
      maximum      Max secure addresses
      violation    Security violation mode
      <cr>

You can see clearly in the preceding output that the switchport port-security command can be used with four options. Port security is worth the effort because it gives you easy control over which hosts attach to each access port. You can use the switchport port-security mac-address mac-address command to assign individual MAC addresses to each switch port, but if you choose to go there, you had better have a lot of time on your hands! If you want to set up a switch port to allow only one host per port, and to shut down the port if this rule is violated, use the following commands:

    Switch#config t
    Switch(config)#int f0/1
    Switch(config-if)#switchport port-security maximum 1
    Switch(config-if)#switchport port-security violation shutdown

These commands are probably the most popular because they prevent users from connecting a switch or access point in their office. The maximum setting of 1 means only one MAC address can be used on that port; if the user tries to add another host on that segment, the switch port will shut down (it is placed in the err-disabled state). If that happens, you have to go into the switch and re-enable the port manually with shutdown followed by no shutdown. Two checks before relying on this: the interface must be a static access port (switchport mode access), because IOS rejects port security on a port that is still in dynamic trunking mode, and port security itself must be enabled on the interface with switchport port-security and no arguments, otherwise the maximum and violation settings are stored but have no effect.

Probably the most useful of the options is the sticky keyword, found under mac-address:

    Switch(config-if)#switchport port-security mac-address sticky
    Switch(config-if)#switchport port-security maximum 2
    Switch(config-if)#switchport port-security violation shutdown

Basically, what this does is provide static MAC address security without having to type in everyone's MAC address on the network. In the preceding example, the first two MAC addresses seen on the port stick as static secure addresses: the switch writes them into the running configuration as if they had been typed in, so they do not age out unless aging is configured for static addresses, but they are lost on a reload unless the configuration is saved (copy running-config startup-config). Why set the maximum to 2? One address is needed for the PC/data and one for the IP phone on the same port.
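To check that port security is actually doing its job across a switch, the violation counters in show port-security are the place to look. The following Python is an added example, not code from the original report or from Cisco: it parses a constructed sample in the layout of that command's output (the interface names and counts are made up for illustration) and reports ports that have recorded a violation, plus ports whose maximum exceeds the one-PC or PC-plus-phone policy described above. The function names are this example's own.

```python
"""Audit of `show port-security` output. Added example for this report; the
sample output is constructed in the layout of that command, not captured."""
import re
from typing import Dict, List, Tuple

SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              2            2                  1         Shutdown
      Fa0/3              8            3                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 5
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One data row: interface, max, current, violations, action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_port_security(text: str) -> List[Dict]:
    """Return one dict per secure port; header, separator and totals lines are
    skipped because they do not have three integer columns."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        iface, maximum, current, violations, action = m.groups()
        rows.append({"interface": iface, "max": int(maximum), "current": int(current),
                     "violations": int(violations), "action": action})
    return rows


def audit(rows: List[Dict], max_allowed: int = 2) -> List[Tuple[str, str]]:
    """Findings an administrator should act on:
    - a non-zero violation count means an extra MAC appeared on the port; in
      shutdown mode the port is now err-disabled and needs shutdown / no shutdown
      once the unauthorised device has been found;
    - a maximum above the policy (1 for a PC, 2 for PC plus IP phone) leaves
      room for a small hub or access point to hide behind the port."""
    findings = []
    for r in rows:
        if r["violations"] > 0:
            findings.append((r["interface"],
                             f"{r['violations']} violation(s), action {r['action']}: "
                             "locate the extra device, then shutdown / no shutdown"))
        if r["max"] > max_allowed:
            findings.append((r["interface"],
                             f"maximum {r['max']} secure addresses exceeds policy of {max_allowed}"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit(parse_port_security(SAMPLE_OUTPUT)):
        print(f"{iface}: {msg}")
```

In practice the text would come from the switch over an SSH session or a configuration-management export; the parser only depends on the column layout shown above.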

ROUTING
Routing (or routeing) is the process of selecting paths in a network along which to send network traffic. Routing is performed for many kinds of networks, including the telephone network, electronic data networks (such as the Internet), and transportation networks. Here we are concerned primarily with routing in electronic data networks using packet switching technology.

In packet switching networks, routing directs packet forwarding, the transit of logically addressed packets from their source toward their ultimate destination through intermediate nodes, typically hardware devices called routers, bridges, gateways, firewalls, or switches. General-purpose computers with multiple network cards can also forward packets and perform routing, though they are not specialized hardware and may suffer from limited performance. The routing process usually directs forwarding on the basis of routing tables, which maintain a record of the routes to various network destinations. Thus, constructing routing tables, which are held in the routers' memory, is very important for efficient routing. Most routing algorithms use only one network path at a time, but multipath routing techniques enable the use of multiple alternative paths.

In a narrower sense of the term, routing is often contrasted with bridging in its assumption that network addresses are structured and that similar addresses imply proximity within the network. Because structured addresses allow a single routing table entry to represent the route to a group of devices, structured addressing (routing, in the narrow sense) outperforms unstructured addressing (bridging) in large networks, and has become the dominant form of addressing on the Internet, though bridging is still widely used within localized environments.

Routing Schemes: There are the following types of schemes by which a message can be delivered from the source to the destination nodes:

Anycast delivers a message to any one out of a group of nodes, typically the one nearest to the source. (Fig: Anycast)

Broadcast delivers a message to all nodes in the network. (Fig: Broadcast)

Multicast delivers a message to a group of nodes that have expressed interest in receiving the message. (Fig: Multicast)

Unicast delivers a message to a single specified node. (Fig: Unicast)

Geocast delivers data packets to all nodes in a specified geographic area. (Fig: Geocast)

Classification of Routing:
Routing can be classified on the basis of how the router learns about neighbouring networks: the routes can be entered into the router by hand (statically) or learned automatically from other routers (dynamically). Hence the classification is:
Static routing
Dynamic routing

Static routing:
Small networks may use manually configured routing tables (static or non-adaptive routing), while larger networks involve complex topologies that may change rapidly, making the manual construction of routing tables unfeasible. Nevertheless, most of the public switched telephone network (PSTN) uses pre-computed routing tables, with fallback routes if the most direct route becomes blocked (see routing in the PSTN). In static routing there is no route-computation algorithm; the routes are engineered by hand. The advantage of this type of routing is that router CPU, memory and bandwidth are not spent on a routing protocol and, because the router accepts no routing updates from its neighbours, a host on the network cannot redirect traffic by sending forged updates. The disadvantage is that the network cannot adapt on its own: failures have to be planned for in advance, with backup routes configured before they are needed.

Dynamic routing:
Adaptive or dynamic routing attempts to solve this problem by constructing routing tables automatically, based on information carried by routing protocols, allowing the network to act nearly autonomously in avoiding failures and blockages. For larger networks, static routing is avoided. Examples of dynamic (adaptive) routing protocols are the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF). Dynamic routing dominates the Internet. However, the configuration of routing protocols often requires a skilled touch; one should not suppose that networking technology has developed to the point of complete automation of routing. Dynamic routing protocols are further classified by how they choose a path: distance-vector protocols (such as RIP) trust the metric a neighbour advertises and pick the smallest, while link-state protocols (such as OSPF) build a map of the whole topology and compute the shortest path themselves, at the cost of more CPU and memory on each router.

Major Routing Protocols: RIP

The Routing Information Protocol (RIP) is a dynamic routing protocol used in local and wide area networks. As such it is classified as an interior gateway protocol (IGP). It uses the distance-vector routing algorithm. It was first defined in RFC 1058 (1988). The protocol has since been extended several times, resulting in RIP Version 2 (RFC 2453). Both versions are still in use today; however, they are considered to have been made technically obsolete by more advanced techniques such as Open Shortest Path First (OSPF) and the OSI protocol IS-IS. RIP has also been adapted for use in IPv6 networks, in a standard known as RIPng (RIP next generation), published in RFC 2080 (1997).

History
The routing algorithm used in RIP, the Bellman-Ford algorithm, was first deployed in a computer network in 1967, as the initial routing algorithm of the ARPANET. The earliest version of the specific protocol that became RIP was the Gateway Information Protocol, part of the PARC Universal Packet internetworking protocol suite, developed at Xerox PARC. A later version, named the Routing Information Protocol, was part of Xerox Network Systems. A version of RIP which supported the Internet Protocol (IP) was later included in the Berkeley Software Distribution (BSD) of the UNIX operating system, where it was known as the routed daemon. Various other vendors created their own implementations of the routing protocol. Eventually, RFC 1058 unified the various implementations under a single standard.

Technical details
RIP is a distance-vector routing protocol which employs the hop count as its routing metric. RIP prevents routing loops by limiting the number of hops allowed in a path from source to destination: the maximum number of hops allowed is 15. This hop limit, however, also limits the size of the networks that RIP can support. A hop count of 16 is considered an infinite distance and is used to mark inaccessible, inoperable, or otherwise undesirable routes as unreachable in the selection process.

RIP implements the split horizon, route poisoning and hold-down mechanisms to prevent incorrect routing information from being propagated; the default hold-down time is 180 seconds. These are some of the stability features of RIP. It is also possible to use the so-called RIP-MTI algorithm to cope with the count-to-infinity problem; with its help every possible loop can be detected with very little computation.

Originally each RIP router transmitted full updates every 30 seconds. In early deployments routing tables were small enough that the traffic was not significant. As networks grew in size, however, it became evident that there could be a massive traffic burst every 30 seconds, even if the routers had been initialized at random times. RIP is implemented on top of the User Datagram Protocol as its transport protocol and is assigned the reserved port number 520.

Versions
There are two versions of the Routing Information Protocol: RIPv1, RIPv2

RIP version 1
The original specification of RIP, defined in RFC 1058, uses classful routing. The periodic routing updates do not carry subnet information, so there is no support for variable length subnet masks (VLSM). This limitation makes it impossible to have different-sized subnets inside the same network class; in other words, all subnets in a network class must have the same size. There is also no support for router authentication, which makes RIPv1 vulnerable to route injection: any host on a segment can broadcast a forged update and have the neighbouring routers install or poison routes. RIPv1 works only for paths of up to 15 hops (metrics 1 to 15); a destination more than 15 hops away is advertised with the metric 16, which means unreachable, and packets for it are not forwarded.

RIP version 2
Due to the deficiencies of the original RIP specification, RIP version 2 (RIPv2) was developed in 1993 and last standardized in 1998 (RFC 2453). It includes the ability to carry subnet information, thus supporting Classless Inter-Domain Routing (CIDR). To maintain backward compatibility, the hop count limit of 15 remained. RIPv2 has facilities to fully interoperate with the earlier specification if all Must Be Zero protocol fields in the RIPv1 messages are properly specified. In addition, a compatibility switch feature allows fine-grained interoperability adjustments. In an effort to avoid unnecessary load on hosts that do not participate in routing, RIPv2 multicasts the entire routing table to all adjacent routers at the address 224.0.0.9, as opposed to RIPv1 which uses broadcast. Unicast addressing is still allowed for special applications. RIPv2 also adds an authentication entry to the update message (a simple plaintext password in RFC 2453, keyed MD5 in RFC 2082), which closes the route-injection weakness of RIPv1 only if it is actually enabled on every RIP interface.

Limitations

Without using RIP-MTI, the hop count cannot exceed 15; a route whose hop count exceeds 15 is considered invalid (unreachable).
Most RIP networks are flat. There is no concept of areas or boundaries in RIP networks.
Variable Length Subnet Masks were not supported by RIP version 1.
Without using RIP-MTI, RIP has slow convergence and count-to-infinity problems.
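The RIP message format described above (UDP port 520, up to 25 twenty-byte entries per message, metric 16 as infinity, no authentication in RIPv1 and an optional authentication entry at the start of a RIPv2 message) can be parsed in a few lines. The following Python is an added example, not code from the original report or from any router: it constructs RIP response datagrams and parses them, flagging unauthenticated updates, out-of-range metrics and oversized messages, which is what a receiving router or an IDS sensor on the segment should be checking. The sample routes, password, constants and function names are this example's own.

```python
"""RIP datagram builder and parser. Added example for this report; the routes
and password below are constructed, not from a real network."""
import ipaddress
import struct
from typing import Dict, Iterable, Optional, Tuple

RIP_PORT = 520          # UDP port for RIP
RIP_RESPONSE = 2        # command: 1 = request, 2 = response (a routing update)
AFI_IP = 2              # address family identifier for IPv4 entries
AFI_AUTH = 0xFFFF       # RIPv2 authentication entry
AUTH_SIMPLE = 2         # plaintext password (RFC 2453); 3 is keyed MD5 (RFC 2082)
INFINITY = 16           # metric meaning "unreachable"
MAX_ENTRIES = 25        # route entries per message
ENTRY_LEN = 20          # bytes per entry


def build_rip_response(routes: Iterable[Tuple[str, int]], version: int = 2,
                       password: Optional[str] = None) -> bytes:
    """Build the UDP payload a RIP router would send to port 520.
    routes: (network in CIDR form, metric). Only RIPv2 carries a mask and an
    authentication entry; RIPv1 sends those fields as zero."""
    body = b""
    if password is not None and version == 2:
        body += struct.pack("!HH", AFI_AUTH, AUTH_SIMPLE) + password.encode().ljust(16, b"\x00")[:16]
    for net, metric in routes:
        n = ipaddress.IPv4Network(net)
        mask = n.netmask.packed if version == 2 else bytes(4)
        body += (struct.pack("!HH", AFI_IP, 0) + n.network_address.packed + mask
                 + bytes(4) + struct.pack("!I", metric))   # next hop 0.0.0.0 = sender
    return struct.pack("!BBH", RIP_RESPONSE, version, 0) + body


def parse_rip(payload: bytes) -> Dict:
    """Parse a RIP datagram and collect warnings about anything a router should
    not accept blindly."""
    if len(payload) < 4 or (len(payload) - 4) % ENTRY_LEN:
        raise ValueError("malformed RIP datagram")
    command, version, _must_be_zero = struct.unpack("!BBH", payload[:4])
    result: Dict = {"command": command, "version": version, "authenticated": False,
                    "auth_type": None, "routes": [], "warnings": []}
    body = payload[4:]
    for off in range(0, len(body), ENTRY_LEN):
        afi, tag = struct.unpack("!HH", body[off:off + 4])
        if afi == AFI_AUTH:
            if off == 0 and version == 2:      # only valid as the first entry of a v2 message
                result["authenticated"] = True
                result["auth_type"] = tag
            else:
                result["warnings"].append(f"authentication entry at offset {off} is not valid there")
            continue
        addr, mask, _next_hop, metric = struct.unpack("!4s4s4sI", body[off + 4:off + 20])
        address = str(ipaddress.IPv4Address(addr))
        prefixlen = None
        if version == 2:
            try:
                mask_str = str(ipaddress.IPv4Address(mask))
                prefixlen = ipaddress.IPv4Network(f"{address}/{mask_str}", strict=False).prefixlen
            except ValueError:
                result["warnings"].append(f"invalid subnet mask for {address}")
        if not 1 <= metric <= INFINITY:
            result["warnings"].append(f"invalid metric {metric} for {address}")
        result["routes"].append({"address": address, "prefixlen": prefixlen,
                                 "metric": metric, "unreachable": metric == INFINITY})
    if len(result["routes"]) > MAX_ENTRIES:
        result["warnings"].append(f"{len(result['routes'])} entries exceeds the limit of {MAX_ENTRIES}")
    if command == RIP_RESPONSE and not result["authenticated"]:
        result["warnings"].append("unauthenticated update: any host on the segment can inject or poison routes")
    return result


if __name__ == "__main__":
    for pkt in (build_rip_response([("10.1.0.0/16", 1), ("10.2.0.0/16", 16)], password="s3cret"),
                build_rip_response([("10.1.0.0/16", 1)], version=1)):
        print(parse_rip(pkt))
```

The authenticated RIPv2 message parses cleanly, with the metric-16 route marked as poisoned; the RIPv1 message produces the unauthenticated-update warning, which is exactly the condition that lets a rogue host on a college LAN redirect traffic.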

OPEN SHORTEST PATH FIRST (OSPF): Open Shortest Path First (OSPF) is a dynamic routing protocol for use in Internet Protocol (IP) networks. Specifically, it is a link-state routing protocol and falls into the group of interior gateway protocols, operating within a single autonomous system (AS). It is defined as OSPF Version 2 in RFC 2328 (1998) for IPv4. The updates for IPv6 are specified as OSPF Version 3 in RFC 5340 (2008).

Overview
OSPF is an interior gateway protocol that routes Internet Protocol (IP) packets solely within a single routing domain (autonomous system). It gathers link-state information from the available routers and constructs a topology map of the network. The topology determines the routing table presented to the Internet layer, which makes routing decisions based solely on the destination IP address found in IP datagrams. OSPF was designed to support variable-length subnet masking (VLSM), i.e. the Classless Inter-Domain Routing (CIDR) addressing model. OSPF detects changes in the topology, such as link failures, very quickly and converges on a new loop-free routing structure within seconds. It computes the shortest path tree for each route using a method based on Dijkstra's algorithm, a shortest-path-first algorithm.

The link-state information is maintained on each router as a link-state database (LSDB), which is an image of the entire network topology. Identical copies of the LSDB are periodically updated through flooding on all OSPF routers. An OSPF network may be structured, or subdivided, into routing areas to simplify administration and optimize traffic and resource utilization. Areas are identified by 32-bit numbers, expressed either simply in decimal or, often, in the octet-based dot-decimal notation familiar from IPv4 addresses. By convention, area 0 (zero) or 0.0.0.0 represents the core or backbone region of an OSPF network. The identifiers of other areas may be chosen at will; often, administrators select the IP address of a main router in an area as the area's identifier. Each additional area must have a direct or virtual connection to the backbone OSPF area. Such connections are maintained by an interconnecting router, known as an area border router (ABR). An ABR maintains separate link-state databases for each area it serves and maintains summarized routes for all areas in the network.

Neighbour relationships: Routers in the same broadcast domain or at each end of a point-to-point link form adjacencies when they have detected each other. Detection occurs when a router sees its own router ID listed in a neighbour's OSPF Hello packet; this is called the two-way state and is the most basic relationship. The routers in an Ethernet or Frame Relay network elect a designated router (DR) and a backup designated router (BDR), which act as a hub to reduce traffic between routers. OSPF uses both unicast and multicast to send Hello packets and link-state updates. As a link-state routing protocol, OSPF establishes and maintains neighbour relationships in order to exchange routing updates with other routers. The neighbour relationship table is called the adjacency database in OSPF. Provided that OSPF is configured correctly, OSPF forms neighbour relationships only with the routers directly connected to it. In order to form a neighbour relationship between two routers, the interfaces used to form the relationship must be in the same area; an interface can only belong to a single area. Because any device that can send a matching Hello on a segment can become a neighbour and flood link-state advertisements into every router's LSDB, OSPF authentication (RFC 2328 Appendix D defines null, simple-password and cryptographic MD5 authentication) should be enabled on every OSPF interface, especially on segments shared with end hosts.

Area types in OSPF:-

Backbone area
The backbone area (also known as area 0 or area 0.0.0.0) forms the core of an OSPF network. All other areas are connected to it, and inter-area routing happens via routers connected to the backbone area and to their own associated areas. It is the logical and physical structure for the OSPF domain and is attached to all non-zero areas in the OSPF domain. Note that in OSPF the term Autonomous System Boundary Router (ASBR) is historic, in the sense that many OSPF domains can coexist in the same Internet-visible autonomous system.

Stub area
A stub area is an area which does not receive route advertisements external to the autonomous system (AS); routing from within the area is based entirely on a default route. This reduces the size of the routing databases for the area's internal routers.

Modifications to the basic concept of stub areas exist in the not-so-stubby area (NSSA). In addition, several other proprietary variations have been implemented by systems vendors, such as the totally stubby area (TSA) and the NSSA totally stubby area, both extensions in Cisco Systems routing equipment.
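The Overview above states that OSPF computes a shortest path tree from the LSDB with Dijkstra's algorithm and reconverges within seconds when a link fails. The following Python is an added example, not code from the original report or from any OSPF implementation: it runs Dijkstra over a constructed four-router LSDB with arbitrary link costs, then removes one link, as the routers would after the two ends flood new LSAs, and recomputes the tree. The router names, costs and function names are this example's own.

```python
"""Shortest path tree from an OSPF link-state database. Added example for this
report; the LSDB below is constructed, with arbitrary link costs."""
import heapq
import itertools
from typing import Dict, Optional, Tuple

Lsdb = Dict[str, Dict[str, int]]   # router -> {neighbour router: interface cost}

# Constructed LSDB: every router has flooded an LSA listing its links. In OSPF
# the cost comes from the interface (Cisco default: 10^8 / bandwidth in bps).
LSDB: Lsdb = {
    "R1": {"R2": 10, "R3": 1},
    "R2": {"R1": 10, "R4": 1},
    "R3": {"R1": 1, "R4": 1},
    "R4": {"R2": 1, "R3": 1},
}


def shortest_path_tree(lsdb: Lsdb, root: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Dijkstra from `root`: returns {router: (total cost, first hop from root)}.
    This is the SPF calculation each OSPF router runs on its own copy of the LSDB."""
    tie_break = itertools.count()           # keeps heap entries comparable on equal cost
    best = {root: 0}
    heap = [(0, next(tie_break), root, None)]
    tree: Dict[str, Tuple[int, Optional[str]]] = {}
    while heap:
        cost, _, node, first_hop = heapq.heappop(heap)
        if node in tree:
            continue                        # stale entry; a cheaper path was finalised
        tree[node] = (cost, first_hop)
        for nbr, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            if nbr not in best or new_cost < best[nbr]:
                best[nbr] = new_cost
                hop = nbr if node == root else first_hop
                heapq.heappush(heap, (new_cost, next(tie_break), nbr, hop))
    return tree


def remove_link(lsdb: Lsdb, a: str, b: str) -> Lsdb:
    """Simulate a link failure: both ends re-flood LSAs without the link and
    every router recomputes from the updated LSDB. The original is left intact."""
    updated = {router: dict(links) for router, links in lsdb.items()}
    updated[a].pop(b, None)
    updated[b].pop(a, None)
    return updated


def routing_table(tree: Dict[str, Tuple[int, Optional[str]]]) -> Dict[str, Tuple[int, str]]:
    """Destinations other than the root, with total cost and next hop."""
    return {dst: (cost, hop) for dst, (cost, hop) in tree.items() if hop is not None}


if __name__ == "__main__":
    print("before failure:", routing_table(shortest_path_tree(LSDB, "R1")))
    print("after R1-R3 fails:", routing_table(shortest_path_tree(remove_link(LSDB, "R1", "R3"), "R1")))
```

Before the failure R1 reaches everything through R3 (the cheap link), and R2 is two hops away at cost 3 rather than via the direct cost-10 link; once R1-R3 is removed the whole tree flips to go via R2. Because every router runs this same computation on an identical LSDB, the result is loop-free, which is why polluting the LSDB (the reason for enabling OSPF authentication) affects every router in the area at once.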

Access list: There are a few important rules that a packet follows when it is being compared with an access list:

It is always compared with each line of the access list in sequential order; that is, it will always start with the first line of the access list, then go to line 2, then line 3, and so on.
It is compared with lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
There is an implicit deny at the end of each access list; this means that if a packet does not match the condition on any of the lines in the access list, the packet will be discarded.

Each of these rules has some powerful implications when filtering IP packets with access lists, so keep in mind that creating effective access lists truly takes some practice. One consequence worth remembering: an access list that contains only deny statements blocks all traffic, because whatever is not explicitly denied falls through to the implicit deny, so a filtering list must end with a permit for the traffic that is meant to pass.

There are two main types of access lists:

Standard access lists: These use only the source IP address in an IP packet as the condition test. All decisions are made based on the source IP address. This means that standard access lists basically permit or deny an entire suite of protocols. They do not distinguish between any of the many types of IP traffic such as web, Telnet, UDP, and so on.

Extended access lists: Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer header, and the port number in the Transport layer header. This gives extended access lists the ability to make much more granular decisions when controlling traffic.

Access lists are also distinguished by the direction in which they are applied to an interface:

Inbound access lists: When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface. Any packets that are denied will not be routed, because they are discarded before the routing process is invoked.

Outbound access lists: When an access list is applied to outbound packets on an interface, those packets are routed to the outbound interface and then processed through the access list before being queued.

Standard Access Lists

Standard IP access lists filter network traffic by examining the source IP address in a packet. You create a standard IP access list by using the access-list numbers 1-99 or 1300-1999 (expanded range). Access-list types are generally differentiated using a number. Based on the number used when the access list is created, the router knows which type of syntax to expect as the list is entered. By using numbers 1-99 or 1300-1999, you are telling the router that you want to create a standard IP access list, so the router will expect syntax specifying only the source IP address in the test lines. The following shows the many access-list number ranges that you can use to filter traffic on your network (the protocols for which you can specify access lists depend on your IOS version):

    Corp(config)#access-list ?
      <1-99>            IP standard access list
      <100-199>         IP extended access list
      <1100-1199>       Extended 48-bit MAC address access list
      <1300-1999>       IP standard access list (expanded range)
      <200-299>         Protocol type-code access list
      <2000-2699>       IP extended access list (expanded range)
      <700-799>         48-bit MAC address access list
      compiled          Enable IP access-list compilation
      dynamic-extended  Extend the dynamic ACL absolute timer
      rate-limit        Simple rate-limit specific access list

Let us take a look at the syntax used when creating a standard access list:

    Corp(config)#access-list 10 ?
      deny    Specify packets to reject
      permit  Specify packets to forward
      remark  Access list entry comment

As noted, by using the access-list numbers 1-99 or 1300-1999, you are telling the router that you want to create a standard IP access list. After you choose the access-list number, you need to decide whether you are creating a permit or deny statement. For this example, you will create a deny statement:

    Corp(config)#access-list 10 deny ?
      Hostname or A.B.C.D  Address to match
      any                  Any source host
      host                 A single host address

The next step requires a more detailed explanation. There are three options available. You can use the any parameter to permit or deny any host or network, you can use an IP address to specify either a single host or a range of them, or you can use the host command to specify a specific host only. The any command is pretty obvious: any source address matches the statement, so every packet compared against this line will match. The host command is relatively simple. Here is an example using it:

    Corp(config)#access-list 10 deny host ?
      Hostname or A.B.C.D  Host address
    Corp(config)#access-list 10 deny host 172.16.30.2

This tells the list to deny any packets from host 172.16.30.2. The default parameter is host. In other words, if you type access-list 10 deny 172.16.30.2, the router assumes you mean host 172.16.30.2. But there is another way to specify either a particular host or a range of hosts: you can use wildcard masking. In fact, to specify any range of hosts, you have to use wildcard masking in the access list. What is wildcard masking? The following section explains it using standard access list examples.

Wildcard Masking
Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks. To understand a wildcard, you need to understand what a block size is; it is used to specify a range of addresses. Some of the different block sizes available are 64, 32, 16, 8,  and 4. When you need to specify a range of addresses, you choose the next-largest block size for your needs. For example, if you need to specify 34 networks, you need a block size of 64. If you want to specify 18 hosts, you need a block size of 32. If you only specify 2 networks, then a block size of 4 would work.

Wildcards are used with the host or network address to tell the router a range of available addresses to filter. To specify a host, the address would look like this:

    172.16.30.5 0.0.0.0

The four zeros represent each octet of the address. Whenever a zero is present, it means that octet in the address must match exactly. To specify that an octet can be any value, the value 255 is used. As an example, here is how a /24 subnet is specified with a wildcard:

    172.16.30.0 0.0.0.255

This tells the router to match the first three octets exactly, but the fourth octet can be any value. Now, that was the easy part. What if you want to specify only a small range of subnets? This is where the block sizes come in. You have to specify the range of values in a block size. In other words, you cannot choose to specify 20 networks. You can only specify the exact amount as the block size value. For example, the range would have to be either 16 or 32, but not 20.

Let us say that you want to block access to the part of the network that is in the range from 172.16.8.0 through 172.16.15.0. That is a block size of 8. Your network number would be 172.16.8.0, and the wildcard would be 0.0.7.255. The 7.255 is what the router uses to determine the block size: the network and wildcard tell the router to start at 172.16.8.0 and go up a block of eight /24 networks, to 172.16.15.0. In binary, a wildcard bit of 0 means "this address bit must match" and a wildcard bit of 1 means "ignore this address bit", so the wildcard is simply the bitwise inverse of the subnet mask (here /21, mask 255.255.248.0, wildcard 0.0.7.255). The shortcut is that the wildcard octet is always one less than the block size. So, in our example, the wildcard would be 7 since our block size is 8. If you used a block size of 16, the wildcard would be 15. The following examples help to nail it down. This one tells the router to match the first three octets exactly but that the fourth octet can be anything:

    Corp(config)#access-list 10 deny 172.16.10.0 0.0.0.255

The next example tells the router to match the first two octets and that the last two octets can be any value:

    Corp(config)#access-list 10 deny 172.16.0.0 0.0.255.255

Try to figure out this next line:

    Corp(config)#access-list 10 deny 172.16.16.0 0.0.3.255

This configuration tells the router to start at network 172.16.16.0 and use a block size of 4. The range would then be 172.16.16.0 through 172.16.19.0. The following example shows an access list starting at 172.16.16.0 and going up a block size of 8 to 172.16.23.0:

    Corp(config)#access-list 10 deny 172.16.16.0 0.0.7.255

The next example starts at network 172.16.32.0 and goes up a block size of 16 to 172.16.47.0:

    Corp(config)#access-list 10 deny 172.16.32.0 0.0.15.255

The next example starts at network 172.16.64.0 and goes up a block size of 64 to 172.16.127.0:

    Corp(config)#access-list 10 deny 172.16.64.0 0.0.63.255

The last example starts at network 192.168.160.0 and goes up a block size of 32 to 192.168.191.255:

    Corp(config)#access-list 10 deny 192.168.160.0 0.0.31.255

Here are two more things to keep in mind when working with block sizes and wildcards:

Each block size must start at 0 or a multiple of the block size. For example, you cannot say that you want a block size of 8 and then start at 12. You must use 0-7, 8-15, 16-23, etc. For a block size of 32, the ranges are 0-31, 32-63, 64-95, etc.
The command any is the same thing as writing out the wildcard 0.0.0.0 255.255.255.255.

Extended Access Lists

Suppose a standard IP access list is used to block all access from the Sales LAN to the Finance LAN. What if you needed Sales to gain access to a certain server on the Finance LAN but not to other network services, for security reasons? With a standard IP access list, you cannot allow users to get to one network service and not another. Said another way, when you need to make decisions based on both source and destination addresses, a standard access list will not allow you to do that, since it only makes decisions based on the source address. An extended access list will. Extended access lists allow you to specify source and destination addresses as well as the protocol and port number that identify the upper-layer protocol or application. By using extended access lists, you can effectively allow users access to a physical LAN and stop them from accessing specific hosts, or even specific services on those hosts. Extended IP access lists use the numbered ranges 100-199 and 2000-2699 (expanded range) shown in the access-list ? output above, which tells the router to expect the extended syntax.
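The rules stated above (sequential comparison, first match wins, implicit deny) and the wildcard-mask arithmetic can be checked with a small evaluator. The following Python is an added example, not code from the original report or from Cisco IOS: it converts a prefix to the network/wildcard pair IOS expects, checks that a wildcard block is aligned, and applies a constructed standard access list (its addresses are made up for illustration) to sample source addresses. The function names are this example's own.

```python
"""Standard ACL evaluation with wildcard masks. Added example for this report;
the access list and test addresses below are constructed."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed standard access list (addresses made up for illustration).
ACL_10 = [
    "access-list 10 remark deny the 172.16.16.0-172.16.19.255 block and one host",
    "access-list 10 deny 172.16.16.0 0.0.3.255",
    "access-list 10 deny host 172.16.30.2",
    "access-list 10 permit 172.16.0.0 0.0.255.255",
]

ACE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_for_block(block_size: int) -> int:
    """Wildcard octet for a block of 4, 8, 16, 32 ... networks is block_size - 1."""
    if block_size < 1 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two")
    return block_size - 1


def prefix_to_wildcard(network: str) -> Tuple[str, str]:
    """CIDR prefix -> (network, wildcard); the wildcard is the inverted mask."""
    n = ipaddress.IPv4Network(network)
    return str(n.network_address), str(n.hostmask)


def aligned(base: str, wildcard: str) -> bool:
    """A block must start on a multiple of its size: no base bit may be set
    where the wildcard says 'ignore' (172.16.12.0 0.0.7.255 is not aligned)."""
    return (_to_int(base) & _to_int(wildcard)) == 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0: address bit must equal the base; wildcard bit 1: don't care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_source(spec: str) -> Tuple[str, str]:
    """IOS source forms: 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W', or a bare
    address, which IOS treats as a host match."""
    parts = spec.split()
    if parts[0] == "any":
        return "0.0.0.0", "255.255.255.255"
    if parts[0] == "host":
        return parts[1], "0.0.0.0"
    if len(parts) == 1:
        return parts[0], "0.0.0.0"
    return parts[0], parts[1]


def evaluate(acl: List[str], source_ip: str) -> Tuple[str, Optional[str]]:
    """Apply a standard ACL to a packet's source address: entries are compared
    in order, the first match decides, and anything unmatched hits the implicit
    deny. Returns (action, matching entry or None for the implicit deny)."""
    for line in acl:
        m = ACE.match(line.strip())
        if not m:
            continue                    # remark lines carry no test
        _number, action, spec = m.groups()
        base, wildcard = parse_source(spec)
        if wildcard_match(source_ip, base, wildcard):
            return action, line.strip()
    return "deny", None


if __name__ == "__main__":
    print(prefix_to_wildcard("172.16.8.0/21"))       # ('172.16.8.0', '0.0.7.255')
    for ip in ("172.16.17.5", "172.16.30.2", "172.16.20.1", "10.0.0.1"):
        print(ip, evaluate(ACL_10, ip))
```

The last address, 10.0.0.1, matches no entry and is dropped by the implicit deny even though nothing in the list mentions it; that is the behaviour the three rules above describe, and the reason a list meant to filter must end with an explicit permit for the traffic it is supposed to let through.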

CHAPTER 2: DETAILS OF TECHNOLOGY USED

2.1 The Cisco Router User Interface

Cisco Internetwork Operating System (IOS) is the kernel of Cisco routers and most switches. A kernel is the basic, indispensable part of an operating system that allocates resources and manages things such as low-level hardware interfaces and security. The Cisco IOS was created to deliver network services and enable networked applications. It runs on most Cisco routers and on some Cisco Catalyst switches, such as the Catalyst 2950. These are some of the important things the Cisco router IOS software is responsible for:

1. Carrying network protocols and functions
2. Connecting high-speed traffic between devices
3. Adding security to control access and stop unauthorized network use
4. Providing scalability for ease of network growth and redundancy
5. Supplying network reliability for connecting to network resources

You can access the Cisco IOS through the console port of a router, from a modem into the auxiliary (or Aux) port, or through Telnet. Access to the IOS command line is called an EXEC session. Note that Telnet carries the login and every command in cleartext across the network; where the IOS image supports it, SSH is the remote access method to use instead.

2.1.1 Connecting to a Cisco Router

You can connect to a Cisco router to configure it, verify its configuration, and check statistics. There are different ways to do this, but most often the first place you would connect to is the console port. The console port is usually an RJ-45 (8-pin modular) connection located at the back of the router. By default there is no password set on it, so anyone with physical access to the console has full control of the device until a console password (configured under line console 0) or authentication against local user accounts is set up.

2.1.2 Bringing Up a Router

When you first bring up a Cisco router, it will run a power-on self-test (POST). If it passes, it will then look for and load the Cisco IOS from flash memory, if an IOS file is present. In case you do not know, flash memory is an electronically erasable programmable read-only memory, an EEPROM. The IOS then proceeds to load and looks for a valid configuration, the startup-config, which is stored by default in nonvolatile RAM, or NVRAM.

2.1.3 Versioning
Cisco IOS is versioned using three numbers and some letters, in the general form a.b(c.d)e, where:

a is the major version number.
b is the minor version number.
c is the release number, which begins at one and increments with each new release.
d (omitted from general releases) is the interim build number.
e (zero, one or two letters) is the release train identifier.

Rebuilds: Often a rebuild is compiled to fix a single specific problem or vulnerability for a given IOS version. For example, 12.1(8)E14 is a rebuild, the 14 denoting the 14th rebuild of 12.1(8)E. Rebuilds are produced either to quickly repair a defect, or to satisfy customers who do not want to upgrade to a later major revision because they may be running critical infrastructure on their devices, and hence prefer to minimise change and risk.

Interim releases: These are usually produced on a weekly basis and form a roll-up of the current development effort. The Cisco advisory web site may list more than one possible interim release to fix an associated issue.

Maintenance releases: Rigorously tested releases that are made available and include enhancements and bug fixes. Cisco recommends upgrading to maintenance releases where possible, over interim and rebuild releases.
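Because rebuilds and maintenance releases are how fixes for specific vulnerabilities reach devices, comparing the running version against the first fixed release named in an advisory is a routine task. The following Python is an added example, not code from the original report or from Cisco: it parses the a.b(c.d)e form described above into its fields and compares two versions within the same train. Apart from 12.1(8)E14, which appears in the text, the version strings used are constructed for illustration, and the function names are this example's own.

```python
"""Cisco IOS version string parsing. Added example for this report; the
version strings used for illustration are constructed, except 12.1(8)E14,
which appears in the text."""
import re
from typing import NamedTuple

# a.b(c.d)e[n]: major.minor(release.interim)TRAIN rebuild
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<release>\d+)(?:\.(?P<interim>\d+))?\)"
    r"(?P<train>[A-Z]*)(?P<rebuild>\d+)?$"
)


class IOSVersion(NamedTuple):
    major: int
    minor: int
    release: int
    interim: int    # 0 for a general release
    train: str      # '' for the mainline train
    rebuild: int    # 0 when not a rebuild


def parse_version(text: str) -> IOSVersion:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an IOS version string: {text!r}")
    g = m.groupdict()
    return IOSVersion(int(g["major"]), int(g["minor"]), int(g["release"]),
                      int(g["interim"] or 0), g["train"], int(g["rebuild"] or 0))


def same_train(a: IOSVersion, b: IOSVersion) -> bool:
    return (a.major, a.minor, a.train) == (b.major, b.minor, b.train)


def is_at_least(running: IOSVersion, fixed: IOSVersion) -> bool:
    """True if `running` is the first fixed release or later within one train.
    Release, then interim build, then rebuild number are compared in that
    order (an interim build is treated as newer than the release it follows).
    Versions from different trains have different feature sets and numbering,
    so the comparison is refused rather than guessed."""
    if not same_train(running, fixed):
        raise ValueError("cannot compare versions from different trains")
    return ((running.release, running.interim, running.rebuild)
            >= (fixed.release, fixed.interim, fixed.rebuild))


if __name__ == "__main__":
    running = parse_version("12.1(8)E14")
    print(running)
    print("fixed in 12.1(8)E10 ->", is_at_least(running, parse_version("12.1(8)E10")))
    print("fixed in 12.1(9)E   ->", is_at_least(running, parse_version("12.1(9)E")))
```

The comparison deliberately raises an error rather than returning a result for versions from different trains; an advisory normally lists a first fixed release per train, and the correct one must be looked up for the train the device is running.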

2.1.4 Trains
Cisco IOS releases are split into several "trains", each containing a different set of features. Trains more or less map onto distinct markets or groups of customers that Cisco is targeting.

The mainline train is designed to be the most stable release the company can offer, and its feature set never expands during its lifetime. Updates are released only to address bugs in the product. The previous technology train becomes the source for the current mainline train; for example, the 12.1T train becomes the basis for the 12.2 mainline. Therefore, to determine the features available in a particular mainline release, look at the previous T train release.

The T (Technology) train gets new features and bug fixes throughout its life, and is therefore less stable than the mainline. (In releases prior to Cisco IOS Release 12.0, the P train served as the Technology train.) Cisco does not recommend use of the T train in production environments unless there is urgency to implement one of its new IOS features.

The S (Service Provider) train runs only on the company's core router products and is heavily customized for service provider customers.

The E (Enterprise) train is customized for implementation in enterprise environments.

The B (Broadband) train supports Internet-based broadband features.

The X* (XA, XB, ...) trains carry special functionality.

There are other trains from time to time, designed for specific needs; for example, the 12.0AA train contained new code required for Cisco's AS5800 product.

2.1.5 Packaging set

Most Cisco products that run IOS also have one or more "feature sets" or "packages", typically eight packages for Cisco routers and five packages for Cisco network switches. For example, Cisco IOS releases meant for use on Catalyst switches are available as "standard" versions (providing only basic IP routing), "enhanced" versions, which provide full IPv4 routing support, and "advanced IP services" versions, which provide the enhanced features as well as IPv6 support. Each individual package corresponds to one service category, such as:

IP data
Converged voice and data
Security and VPN

The exact feature set required for a particular function can be determined from Cisco's documentation. Beginning with the 1900, 2900 and 3900 series of ISR routers, Cisco has revised the licensing model of IOS. Routers come with IP Base installed, and additional feature pack licenses can be installed as bolt-on additions to expand the feature set of the device. The available feature packs are:

Data: adds features like BFD, IP SLAs, IPX, L2TPv3, Mobile IP, MPLS.
Security: adds features like VPN, Firewall, IP SLAs, NAC.
Unified Comms: adds features like CallManager Express.

2.1.6 Architecture
In all versions of Cisco IOS, packet routing and forwarding (switching) are distinct functions. Routing and other protocols run as Cisco IOS processes and contribute to the Routing Information Base (RIB). This is processed to generate the final IP forwarding table (FIB, Forwarding Information Base), which is used by the forwarding function of the router. On router platforms with software-only forwarding (e.g., Cisco 7200) most traffic handling, including access control list filtering and forwarding, is done at interrupt level using Cisco Express Forwarding (CEF) or DCEF (Distributed CEF). This means IOS does not have to do a process context switch to forward a packet. Routing functions such as OSPF or BGP run at the process level. In routers with hardware-based forwarding, such as the Cisco 12000 series, IOS computes the FIB in software and loads it into the forwarding hardware (such as an ASIC or network processor), which performs the actual packet forwarding function.

Cisco IOS has a "monolithic" architecture, which means that it runs as a single image and all processes share the same memory space. There is no memory protection between processes, which means that bugs in IOS code can potentially corrupt data used by other processes. It also has a run-to-completion scheduler, which means that the kernel does not pre-empt a running process; the process must make a kernel call before other processes get a chance to run. For Cisco products that required very high availability, such as the Cisco CRS-1, these limitations were not acceptable. In addition, competitive router operating systems that emerged 10-20 years after IOS, such as Juniper's JUNOS, were designed not to have these limitations. Cisco's response was to develop a new version of Cisco IOS called IOS XR that offered modularity and memory protection between processes, lightweight threads, pre-emptive scheduling and the ability to independently re-start failed processes.

IOS XR uses a third-party real-time operating system microkernel (QNX), and a large part of the current IOS code was re-written to take advantage of the features offered by the new kernel, a massive undertaking. But the kernel architecture removes from the kernel all processes that are not absolutely required to run in the kernel, and executes them as processes similar to the application processes. Through this method, IOS XR is able to achieve the high availability desired for the new router platform. Thus IOS and IOS XR are very different codebases, though related in functionality and design. In 2005, Cisco introduced IOS XR on the Cisco 12000 series platform, extending the microkernel architecture from the CRS-1 to Cisco's widely deployed core router. In 2006, Cisco made available IOS Software Modularity, which extends the QNX microkernel into a more traditional IOS environment while still providing the software upgrade capabilities that customers demand. It is currently available on the Catalyst 6500 enterprise switch.
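The RIB-to-FIB step described above, worked through as an added example that is neither Cisco's code nor part of this report: routes offered by several routing processes are collapsed into one forwarding entry per prefix using Cisco's default administrative distances (lower wins, then the protocol's own metric), and the forwarding path then does a longest-prefix match per packet. The sample RIB, its next hops and the function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Cisco default administrative distances: the preference given to a route
# source when several protocols offer the same prefix (lower is preferred).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class RibEntry:
    """One route as learned by a routing process (an RIB row)."""
    prefix: ipaddress.IPv4Network
    next_hop: str   # next-hop router, or "direct" for a connected interface
    source: str     # protocol/process that contributed the route
    metric: int     # that protocol's own metric (hop count for RIP, cost for OSPF)


def route(prefix, next_hop, source, metric=0):
    return RibEntry(ipaddress.ip_network(prefix), next_hop, source, metric)


# Constructed RIB (illustrative, not taken from the report): the 10.0.0.0/8
# prefix is offered by both OSPF and RIP, so the FIB must pick one.
SAMPLE_RIB = [
    route("192.168.10.0/24", "direct", "connected"),
    route("0.0.0.0/0", "203.0.113.1", "static"),
    route("10.0.0.0/8", "192.168.10.2", "ospf", metric=20),
    route("10.0.0.0/8", "192.168.10.3", "rip", metric=2),
    route("10.1.0.0/16", "192.168.10.3", "rip", metric=1),
]


def build_fib(rib):
    """Process-level work: collapse the RIB to one best route per prefix.

    Ties between protocols are broken by administrative distance first and
    the protocol metric second. The result is ordered longest prefix first so
    the per-packet lookup can stop at the first containing prefix.
    """
    best = {}
    for entry in rib:
        rank = (ADMIN_DISTANCE[entry.source], entry.metric)
        current = best.get(entry.prefix)
        if current is None or rank < current[0]:
            best[entry.prefix] = (rank, entry)
    return sorted((e for _, e in best.values()),
                  key=lambda e: e.prefix.prefixlen, reverse=True)


def fib_lookup(fib, dst):
    """Forwarding-path work: longest-prefix match of a destination address.

    Returns the winning FIB entry, or None if not even a default route exists.
    """
    addr = ipaddress.ip_address(dst)
    for entry in fib:
        if addr in entry.prefix:
            return entry
    return None


if __name__ == "__main__":
    fib = build_fib(SAMPLE_RIB)
    for dst in ("10.1.2.3", "10.9.9.9", "192.168.10.50", "8.8.8.8"):
        hit = fib_lookup(fib, dst)
        print(f"{dst:>14} -> {hit.prefix} via {hit.next_hop} ({hit.source})")
```

Running it shows the two halves of the design the paragraph describes: `build_fib` is the slow, process-level computation (here the RIP route to 10.0.0.0/8 loses to OSPF on administrative distance even though its hop count is smaller), while `fib_lookup` is the only work done per packet, which is why IOS can run it at interrupt level without a context switch.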

ROUTER INTERNAL COMPONENTS


Like a computer, a router has a CPU that varies in performance and capabilities depending upon the router platform. It typically has 4 types of memory:

ROM- It is used to store the router's bootstrap startup program, operating system software, and power-on diagnostic test programs. We can also upgrade our ROM.

FLASH MEMORY- It holds operating system image(s). Flash memory is erasable, reprogrammable ROM. Our IOS software is present in this memory and we can upgrade it also. Flash content is retained even when we switch off or restart the router.

RAM- It is used to store operational information such as routing tables and the router's running configuration file. RAM also provides caching and packet buffering capabilities. Its content is lost when we switch off or restart the router. When we configure the router, we are actually writing to RAM.

NVRAM- It is used to store the router's startup configuration file. It does not lose data when power is switched off, so the contents of the startup configuration file are maintained even when we switch off or restart the router.

2.2 Network Simulator & Router Simulator


The Cisco Packet Tracer network simulator is an application that simulates Cisco Systems' networking hardware and software and is designed to aid the user in learning Cisco IOS commands. Cisco Packet Tracer utilizes Cisco's proprietary Network Simulator, Router Simulator and router software technologies, along with the Cisco Virtual Packet Technology engine, to create individual packets. These packets are routed and switched through the simulated network, allowing Packet Tracer to build an appropriate virtual routing table and simulate true networking. Other simulation products on the market do not support this level of functionality. Packet Tracer provides more versatility and support than any other aftermarket software. The Packet Tracer software also includes a comprehensive lab menu that contains lessons and labs covering routing protocols, Cisco devices, switching, topological design and much more.

Advantages of Software-Based Training


Cisco Packet Tracer is a versatile tool and valuable asset, both in a classroom and for corporate use, as well as a self-paced learning tool. For many individuals, the availability of Cisco routers and switches is often limited. The cost and fragility of equipment makes rack rentals impractical at this level. Cisco Packet Tracer makes it possible to design and configure a network with 47 different router models and 3 different switch models to choose from - without having to pay a lot of money, or worrying about transporting and damaging valuable equipment. Cisco's router, switch and station simulation components contained within the software are the most advanced in the industry. It includes simulation of routers, switches and PCs in a completely customizable drag-and-drop network simulation package. Furthermore, Cisco Packet Tracer simulates both switching bridge tables and routing protocol tables, to allow you to go outside of the labs and create your own labs using the Cisco Packet Tracer network designer.

CHAPTER 3 : SCREEN SHOTS

SECURITY IN COLLEGE NETWORKING:-

BEFORE ACL PING FROM COMPUTER DEPARTMENT:-

BEFORE ACL RESPONSE FROM COMPUTER DEPARTMENT:-

AFTER ACL PING FROM COMPUTER DEPARTMENT:-

AFTER ACL RESPONSE FROM COMPUTER DEPARTMENT:-

PING USING DNS FROM COMPUTER DEPARTMENT:-

RESPONSE USING DNS FROM COMPUTER DEPARTMENT:-

SYSTEM CONFIGURATION ON COMPUTER DEPARTMENT:-

BEFORE ACL PING FOR GOOGLE FROM DEPARTMENT ELECTRONIC:-

BEFORE ACL RESPONSE FROM GOOGLE FOR ELECTRONIC DEPARTMENT:-

AFTER ACL PING FOR FACEBOOK FROM ELECTRONIC DEPARTMENT USING DNS:-

AFTER ACL RESPONSE FROM FACEBOOK FOR ELECTRONIC DEPARTMENT:-

SOURCE & DESTINATION IP WHEN REQUEST FROM DEPT. ELECTRONIC:-

SOURCE & DESTINATION IP WHEN RESPONSE FROM DEPT. ELECTRONIC:-

PORT SECURITY IN COMPUTER DEPARTMENT:-

PING REQUEST FROM MECHANICAL DEPARTMENT FOR YAHOO:-

MESSAGE SENDING FROM MECHANICAL DEPARTMENT:-

RESPONSE FROM YAHOO FOR MECHANICAL DEPARTMENT:-

OPEN URL IN WEB BROWSER:-

CHAPTER 4 : RESULTS

4.1 CONCLUSION :

It is now necessary to improve the performance of college networking because in the past we had a shortage of IP addresses; this was the only reason we could not connect more computers in one department, and we also did not have many security algorithms. We now overcome the shortage of IP addresses by subnetting and by using IPv6 addresses, and we also use various security algorithms that help to secure our information. We connect many systems in a network in a way that can be easily understood by anyone, and users can easily communicate with one another without any problem. We can also remove the broadcasting problem in a switch by creating VLANs, which send our data only to particular addresses. We also use various devices and cables to connect computers to each other in a network so that data is sent between them at the fastest speed, because today users want to do their work in the fastest, cheapest and most efficient manner. We use access control lists and proxies to restrict access to Internet services by unauthorized users.

4.2 FUTURE SCOPE


Scope of this project in future:

1. We can reduce the shortage of IPv4 addresses via subnetting and by using IPv6 addresses.

2. Multiple users can access the Internet services via switches on different networks.

3. We restrict unauthorized users from accessing the network by port security and ACLs.

4. We remove the broadcasting problem in switches by making VLANs.
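The two techniques that the conclusion and future scope both rely on, subnetting a block and filtering with an access control list, worked through as an added example that is not part of the report and not Cisco IOS configuration. It assumes a constructed 192.168.1.0/24 campus block, invented department names, and the RFC 5737 documentation range 203.0.113.0/24 standing in for the external servers pinged in Chapter 3; the rule list mimics Cisco ACL semantics (ordered rules, first match wins, implicit deny at the end, and no ACL applied means everything passes), which reproduces the "before ACL" and "after ACL" ping results shown there.

```python
import ipaddress

# Constructed campus plan (not from the report): one Class C block carved into
# equal /26 subnets, one per department, in the order listed.
CAMPUS_BLOCK = ipaddress.ip_network("192.168.1.0/24")
DEPARTMENTS = ["computer", "electronics", "mechanical", "management"]

# TEST-NET-3 (RFC 5737 documentation range) stands in for an external web/DNS
# server network such as the ones pinged in Chapter 3.
EXTERNAL_SERVERS = "203.0.113.0/24"


def carve_subnets(block, names, new_prefix=26):
    """Split one block into equal subnets and hand one to each department.

    Raises ValueError when the block cannot supply enough subnets, which is
    the address-shortage situation the conclusion describes.
    """
    subnets = list(block.subnets(new_prefix=new_prefix))
    if len(names) > len(subnets):
        raise ValueError(
            f"{block} yields only {len(subnets)} /{new_prefix} subnets "
            f"for {len(names)} departments")
    return dict(zip(names, subnets))


def usable_hosts(net):
    """Host addresses available after reserving network and broadcast."""
    return net.num_addresses - 2


def build_acl(subnets, blocked_dept, external):
    """Cisco-style ordered rule list of (action, source, destination).

    One department is denied the external server range; the rest of the
    campus block is permitted everywhere. Anything else falls through to the
    implicit deny in acl_permits.
    """
    return [
        ("deny", str(subnets[blocked_dept]), external),
        ("permit", str(CAMPUS_BLOCK), "0.0.0.0/0"),
    ]


def acl_permits(acl, src, dst):
    """Evaluate one packet against an ACL with first-match semantics.

    acl=None models an interface with no ACL applied (everything passes,
    the "before ACL" state); an applied ACL ends in an implicit deny.
    """
    if acl is None:
        return True
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


if __name__ == "__main__":
    subs = carve_subnets(CAMPUS_BLOCK, DEPARTMENTS)
    for name, net in subs.items():
        print(f"{name:>12}: {net}  ({usable_hosts(net)} usable hosts)")
    acl = build_acl(subs, "electronics", EXTERNAL_SERVERS)
    probe = ("192.168.1.70", "203.0.113.10")   # an electronics host -> external server
    print("before ACL:", acl_permits(None, *probe))
    print("after ACL: ", acl_permits(acl, *probe))
```

The `ipaddress` module handles IPv6 the same way, so replacing `CAMPUS_BLOCK` with a /64 and a larger `new_prefix` is all that changes for the IPv6 case the future scope mentions. The implicit deny is the part worth checking in a real ACL: a source that matches no rule (the 10.9.9.9 probe in the test) is dropped, so the permit for the campus block must be present or every department loses access.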

APPLICATION OF PROJECT
a. Secure

b. Load sharing

c. Avoids shortage of IP addresses

d. More PCs can be connected at the same time

e. Easy to use

f. Sharing data at fast speed

REFERENCES :
www.toddlammle.com

www.ccna/study.com

www.networkingsolutions.com

www.wikipedia.com

www.howstuffworks.com
